[comp.org.eff.talk] Encrypting your data to keep it private

gnu@hoptoad.uucp (John Gilmore) (01/02/91)

hnewstro@x102c.harris-atd.com (Harvey Newstrom) wrote:
> What about keeping data encrypted with a secret password?  It seems like
> one could ``take the fifth'' and refuse to divulge the password on the
> grounds that it might incriminate.

This is OK as long as you really know your rights.  One person who is currently
under indictment had some data encrypted on his (searched and seized) machine.
Under interrogation, they threatened to charge him with espionage unless he
revealed the key.  He broke down and revealed it.

The charge of espionage would be pure fabrication, of course, but so are
two thirds of the charges in all the indictments I have ever seen.  They are
thrown in as a legal maneuver, to scare you into admitting guilt (whether or
not you are guilty) so they don't have to spend a lot of time actually proving
that you broke some small law.

So, if you encrypt information to hide it this way, stiffen your
backbone NOW and resolve to tell them to go to hell no matter what they
threaten.  It's still 100% legal to use encryption in this "free"
country.  I encourage you to use it often to protect your privacy.
(PS: don't use the Unix "crypt" command though - even I can break it.
Use DES, or Khufu, or RSA, or one of the other cryptosystems that are
not publicly known to be breakable.)
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        gnu@toad.com
Just say no to thugs.  The ones who lock up innocent drug users come to mind.

duerr@motcid.UUCP (Michael L. Duerr) (01/05/91)

From article <14474@hoptoad.uucp>, by gnu@hoptoad.uucp (John Gilmore):
> It's still 100% legal to use encryption in this "free"
> country.  I encourage you to use it often to protect your privacy.
> (PS: don't use the Unix "crypt" command though - even I can break it.
> Use DES, or Khufu, or RSA, or one of the other cryptosystems that are
> not publicly known to be breakable.)

Is DES Safe?  I vaguely recall a comment that a ( very expensive ) machine
exists that can crack it in about 10 minutes ...  I also seem to recall
that the length of the key was cut in half, at the urging 
of the NSA.  Can anyone verify this? 

res@cbnews.att.com (Robert E. Stampfli) (01/05/91)

In article <4579@apricot30.UUCP>, duerr@motcid.UUCP (Michael L. Duerr) writes:
> 
> Is DES Safe?  I vaguely recall a comment that a ( very expensive ) machine
> exists that can crack it in about 10 minutes ...  I also seem to recall
> that the length of the key was cut in half, at the urging 
> of the NSA.  Can anyone verify this? 

Even if you don't believe in the security of DES, ask yourself:  Would the
NSA choose to reveal -- even to another government agency -- that it
could break DES, just to aid that agency or the courts in the prosecution of
what it would most likely consider a minor criminal?   I suspect your
data would be quite safe in any event.

PS: Let's not turn this thread into a discussion of the strength of DES.
It has been discussed in great detail in sci.crypt.
-- 
Rob Stampfli		614-860-4268 (work)	614-864-9377 (home)
kd8wk@n8jyv.oh (ham)	stampfli@att.com	osu-cis!kd8wk!res

jim@baroque.Stanford.EDU (James Helman) (01/05/91)

If in fact the right against self-incrimination does protect an
individual from being forced to reveal encryption keys for searches of
data, how about physical searches of locked goods?  For example, if X
has a safe to which only he knows the combination, and without the
combination, the safe cannot be opened without destroying the
contents.  A court issues a search warrant for the contents of the
safe.  If X refuses to provide the combination citing his right
against self-incrimination, does this protect him from being held in
contempt of court?

Jim Helman
Department of Applied Physics			Durand 012
Stanford University				FAX: (415) 725-3377
(jim@KAOS.stanford.edu) 			Work: (415) 723-9127

shiva@pro-smof.cts.com (System Smof) (01/06/91)

In-Reply-To: message from gnu@hoptoad.uucp

I had heard that DES was breakable and it was designed to be that way; all you
need is enough supercomputer horsepower.

----
The SMOF-BBS 512-467-7317 The World's First Online Science Fiction Convention 
ProLine:  shiva@pro-smof            UUCP: crash!pro-smof!shiva 
Internet: shiva@pro-smof.cts.com    ARPA: crash!pro-smof!shiva@nosc.mil

cosell@bbn.com (Bernie Cosell) (01/06/91)

shiva@pro-smof.cts.com (System Smof) writes:

}I had heard that DES was breakable and it was designed to be that way; all you
}need is enough supercomputer horsepower.

Can you substantiate this?  From what I know about what's been
happening in the ongoing efforts to study DES, this is almost certainly
incorrect in the sense that you intend it.  The best known techniques
still require searches on the order of 2^52 or so [which is a hair
faster than a brute force 2^56 key search, but not much...].  There has
been no evidence of any 'trap doors' in the S boxes [in fact, quite the
contrary:  recent information seems to indicate that the algorithm IS
sensitive to the choice of S boxes, and the ones actually used are
apparently as strong as any that have been found [in the wake of a host
of them that are quite weak].  And, in fact, it appears that DES has
had virtually all of its operational parameters tuned to be about as
strong as the basic underlying algorithm will allow, with no evidence
of anything fishy [and certainly nothing that looks like a trap door.]
All of this has been discussed in detail on sci.crypt.

  /Bernie\

lear@turbo.bio.net (Eliot) (01/07/91)

In comp.org.eff.talk there has been some question as to whether DES
has been tampered with.  I would appreciate someone from sci.crypt
explaining in laymen's terms the various issues involved.

I might also add that there is a fascinating book on the NSA written
by James Bamford who has something to say on the matter.

See _The Puzzle Palace_; James Bamford; Penguin Books, (c) 1982,1983;
    ppg 436-440.

The book is an extremely well written history of the National Security 
Agency, its predecessors, and its staff starting just before the end
of WW1, going up to 1980.  When considering such literature, one must
evaluate how much is to be believed, because the government will
generally deny much of it.  Bamford supports his case extremely well
with 80 pages of footnotes to his 650 page tome.

Although the people in sci.crypt probably have a better handle on it
than he did, Bamford claims that the NSA convinced IBM to shorten the
key from 128 bits to 56.  Apparently in exchange the NSA helped IBM
strengthen the S-box structures before DES was released as a standard.
Also, this was brought up in Senate Intelligence Committee hearings in
1977.
-- 
Eliot Lear
[lear@turbo.bio.net]

jmc@DEC-Lite.Stanford.EDU (John McCarthy) (01/07/91)

The Bamford book struck me as somewhat biased by the fact that
because it didn't consider the job NSA has to do as important,
he concentrated on matters of form and procedure.

If indeed NSA has been keeping secret for 15 years a way of cracking
DES, they are not likely to give away the fact for the trivial purpose
of helping the Secret Service prosecute a Sysop.

setzer@matagh.ncsu.edu (William Setzer) (01/07/91)

lear@turbo.bio.net (Eliot) writes:
:In comp.org.eff.talk there has been some question as to whether DES
:has been tampered with.  I would appreciate someone from sci.crypt
:explaining in laymen's terms the various issues involved.

I will assume that everyone knows how DES works, ie. you have some
text and a key, and you encrypt the text with the key via DES.  Ok,
you send it to a "friendly", and he wants to know if you actually sent
it.  Well, the easiest way is for the friendly to decode the message
with the key.  If he gets gibberish (which he is almost certain to get
if the key is wrong), then the message is bogus.  But what if he gets
an understandable message?  Someone _might_ have discovered the key,
and sent a bogus message.  Or even worse, the "friendly" may have
decided to fake a message from you, and since he knows the key, it's
trivial.  How do we protect you _and_ the friendly from forgery or
denial?  What needs to be done is "authentication".  There are many
ways to do this.  Here is one described in Konheim, _Cryptography, A
Primer_ (not really a primer, BTW):

In some secure way, person A and person B exchange a long list of
"signatures".  Think of them as functions, so A gets a big list of
functions f(b_i, C), and B gets a big list of functions g(a_j, C),
where C is some message that both A and B know.  Given the a_j's and
b_i's, both A and B know how to calculate f and g, but only A knows
the a_j's and only B knows the b_i's.  (And, in practice, it's hard to
find the a_j's and b_i's, even if you know C, f, and g.)  In front of
some trusted third party, they sign that the lists each receives is
identical (ie. A acknowledges that the g(a_i, C)'s are correct in
front of B and a witness, and vice versa.)  Let's call this the
contract.  Now, suppose A wants to send message M to B.  When A sends
M to B, A calculates 21 signatures, say g(a_k1, M), ..., g(a_k21, M)
and appends them to the message.  B then asks A for 10 of the a_j's,
in the range of a_k1, ..., a_k21, *B's choice,* say a_m0,...,a_m9.  B
calculates g(a_m0, C), ...,g(a_m9, C) and checks to see that they are
in the contract.  He also calculates g(a_m0, M),...,g(a_m9, M) and
checks them against A's signature in the message.  If everything
matches, then B says "OK, I believe you".

Now let's see what happens if either A or B cheats.

Suppose A tries to deny sending the message.  Then B gives the message
M, his list of g(a_j, C)'s, and the 10 revealed keys a_m0, ..., a_m9
to that trusted third party.  The third party requires A to give him
the 21 keys, a_k1, ..., a_k21.  Then the third party calculates
g(a_k1, C), ..., g(a_k21, C) and checks them against the contract.  If
they don't match, then A has obviously cheated by not coughing up the
right keys.  Well, suppose they did match.  Then the third party uses
a_k1,...,a_k21 to calculate g(a_k1, M), ...,g(a_k21, M).  If they
match, A has to fess up, since A was the only one who knew the 21
keys, so is the only one who could have calculated the 21 signatures at
the end of M.  (Since B has a_m0,...,a_m9, and they match g(a_m0, C),
...,g(a_m9, C), and only A knows the a_j's, only A could have given
B the a_m0,...,a_m9.  Thus A can't deny that a message was sent.)

Now suppose B forged a message, and tried to forge the 21 signatures.
A just gives his 21 keys a_k1,...,a_k21 to the trusted third party.
The third party gets B's a_m0,...,a_m9 and calculates g(a_m0, C),
...,g(a_m9, C) to see if they match.  If not, then B gets caught since
he doesn't have 10 of A's keys.  Suppose they match.  Then the third
party will verify that A's keys are correct by calculating g(a_k1,C),
...,g(a_k21, C).  He then calculates g(a_k1, M),..., g(a_k21, M) and
compares them to the signatures on M.  Since B didn't know but 10 of
the 21 keys, there is a very high probability (over 999999 in 10^6 for
the curious) that 11 of the signatures won't match.  B gets caught.

Whew!  Maybe I said way too much.  Anyway, this is a typical method
of authenticating DES transmissions.  Of course, the hard part is
exchanging the f's and g's, because you can't reuse them safely.
(And the game is over if an "unfriendly" obtained either the list
of a_j's or b_i's).  But, it protects both A and B from tampering,
since there is a way to verify the participation of both A and B.

In a fairly unrelated statement, Eliot mentions:
:Although the people in sci.crypt probably have a better handle on it
:than he did, Bamford claims that the NSA convinced IBM to shorten the
:key from 128 bits to 56.

A cryptosystem is at most as strong as its keys.  You can break DES in
2^56 tries, by trying all the keys.  Recently, two people (Shamir and
Binam?)  developed a method of cryptanalyzing "standard" DES that took
at most 2^56 tries.  So it turns out that a larger key does you no
good, since there is a better method available than trying all the
keys.  These two people also discovered that any tampering with the
S-boxes actually helps the method break DES faster.  (This indicates
to some people, including myself, that the NSA knew about this method,
and adjusted DES accordingly.  They strengthened the S-boxes against
it, and shortened the key to 56 bits, since they knew more did no
good.  Of course, all this in parentheses is all IMHO.)

I'm afraid I don't read comp.org.eff.talk, so I won't be around to
answer any followups.  However, I would be glad to answer any questions
you may have via e-mail.

William Setzer
setzer@matagh.ncsu.edu
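
The signature exchange described in the post above (contract, 21 signatures, B's choice of 10 keys, third-party arbitration), as an added example that is not part of the original thread or taken from Konheim's book. It assumes HMAC-SHA256 as a stand-in for the one-way function g, a pool of 64 keys, and constructed messages; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

RNG = secrets.SystemRandom()

def g(key, msg):
    # Stand-in for the post's one-way function g (assumption: HMAC-SHA256).
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_contract(keys, C):
    # The list B holds and both sides acknowledge: g(a_j, C) for every j.
    return [g(a, C) for a in keys]

def sign(keys, idxs, M):
    # A appends g(a_k, M) for each of the 21 key indices chosen for M.
    return {k: g(keys[k], M) for k in idxs}

def b_verify(contract, C, M, sig, revealed):
    # B checks every revealed key against the contract and the signature.
    return all(hmac.compare_digest(g(a, C), contract[k]) and
               hmac.compare_digest(g(a, M), sig[k])
               for k, a in revealed.items())

def arbitrate(contract, C, M, sig, a_keys):
    # Third party: a_keys maps the 21 indices to the keys A surrenders.
    if set(a_keys) != set(sig) or any(
            not hmac.compare_digest(g(a, C), contract[k])
            for k, a in a_keys.items()):
        return "A withheld the contracted keys"
    bad = sum(not hmac.compare_digest(g(a, M), sig[k])
              for k, a in a_keys.items())
    return "A signed M" if bad == 0 else f"forgery: {bad} signatures do not match"

def demo():
    C = b"constructed contract text"
    keys = [secrets.token_bytes(16) for _ in range(64)]  # A's secret a_j
    contract = make_contract(keys, C)
    idxs = RNG.sample(range(64), 21)
    M = b"constructed message: pay B 10 dollars"
    sig = sign(keys, idxs, M)
    revealed = {k: keys[k] for k in RNG.sample(idxs, 10)}  # B's choice
    accepted = b_verify(contract, C, M, sig, revealed)
    all21 = {k: keys[k] for k in idxs}
    honest = arbitrate(contract, C, M, sig, all21)
    # B forges M2: he can compute g only under the 10 keys he was given.
    M2 = b"constructed message: pay B 10000 dollars"
    forged = {k: g(revealed[k], M2) if k in revealed
              else secrets.token_bytes(32) for k in idxs}
    return accepted, honest, arbitrate(contract, C, M2, forged, all21)

if __name__ == "__main__":
    print(demo())
```

The 21 keys used for one message are spent afterwards, which is the key-exchange cost the post points out: ten of them are now known to B.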

lear@turbo.bio.net (Eliot) (01/08/91)

jmc@DEC-Lite.Stanford.EDU (John McCarthy) writes:

>The Bamford book struck me as somewhat biased by the fact that
>because it didn't consider the job NSA has to do as important,
>he concentrated on matters of form and procedure.

Which questions do you leave to the reader to decide?

Bamford did consider the NSA important or he would not have gone to
great efforts to write the book, and to demonstrate the lesson we
learned when ``gentlemen do not read other people's mail.''  (I've
heard previous discussion about how the NSA attempted to keep the book
from being published.)

Also, in order to understand the significance of the NSA, one must
understand what that agency does, who it reports to, and what type of
politics have driven it in the past.  Bamford presented just that
information and let the reader draw conclusions based on that
information.

-- 
Eliot Lear
[lear@turbo.bio.net]

jmc@DEC-Lite.Stanford.EDU (John McCarthy) (01/08/91)

Bamford considered NSA important, but he didn't consider the job
it has to do as important, i.e. acquiring Soviet secrets and
protecting our own.

shiva@pro-smof.cts.com (System Smof) (01/09/91)

In-Reply-To: message from lear@turbo.bio.net

>Although the people in sci.crypt probably have a better handle on it
>than he did, Bamford claims that the NSA convinced IBM to shorten the
>key from 128 bits to 56.  Apparently in exchange the NSA helped IBM
>strengthen the S-box structures before DES was released as a standard.
>Also, this was brought up in Senate Intelligence Committee hearings in
>1977.

That's the crux of what I had heard (about the unreliability of the DES).

----
The SMOF-BBS 512-467-7317 The World's First Online Science Fiction Convention 
ProLine:  shiva@pro-smof            UUCP: crash!pro-smof!shiva 
Internet: shiva@pro-smof.cts.com    ARPA: crash!pro-smof!shiva@nosc.mil

cosell@bbn.com (Bernie Cosell) (01/09/91)

lear@turbo.bio.net (Eliot) writes:

}Although the people in sci.crypt probably have a better handle on it
}than he did, Bamford claims that the NSA convinced IBM to shorten the
}key from 128 bits to 56.  Apparently in exchange the NSA helped IBM
}strengthen the S-box structures before DES was released as a standard.
}Also, this was brought up in Senate Intelligence Committee hearings in
}1977.

Well, what happened 'back then' is still classified, far as I know, and
so you'll only be able to really get speculation, even from the
sci.crypt folk.

On the other hand, there was a recently discovered technique for
cracking DES that requires work on the order of 2^52, and does *NOT*
attack the key.  Thus, this technique is _independent_ of the key
length.  Thus, the 128 bit key was *always* an illusion; you could have
made the key 500 bits long and still not strengthened the system.

What to make of this?  Well, I happen to be willing to give NSA the
benefit of the doubt: I think that they *knew* this technique for
attacking DES and so *knew* that the key-length was an illusion.  And
so without [publicly] justifying it, they reduced the key length to be
the _correct_ length [that is, instead of making it unnecessarily long,
they made it be of a length so that attacking the key was basically the
same amount of work as attacking other weaknesses in the system] ---
and then strengthened the S boxes so that, overall, the entire system was
a well tuned, balanced, order-of-2^50-strong system.

  /Bernie\

spm2d@newton.acc.Virginia.EDU (Steven P. Miale) (01/15/91)

In article <14474@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>hnewstro@x102c.harris-atd.com (Harvey Newstrom) wrote:
>> What about keeping data encrypted with a secret password?  It seems like
>> one could ``take the fifth'' and refuse to divulge the password on the
>> grounds that it might incriminate.
>
>So, if you encrypt information to hide it this way, stiffen your
>backbone NOW and resolve to tell them to go to hell no matter what they
>threaten.  It's still 100% legal to use encryption in this "free"
>country.  I encourage you to use it often to protect your privacy.
>(PS: don't use the Unix "crypt" command though - even I can break it.
>Use DES, or Khufu, or RSA, or one of the other cryptosystems that are
>not publicly known to be breakable.)


Well, DES is not known "publicly" to be breakable, but I believe that
the various government law enforcement organizations have figured it out.
I wrote my own proprietary system, hidden somewhere in my system, so they
will never be able to decrypt without my cooperation. This I highly
suggest if you put any information that may be, er, harmful to you.