Fw: Crypto Law Question
i sent this out yesterday and it didn't make it thru listserv...
>One Former Cryptomathematician's opinions follow:
>
>The "law" on export of strong crypto is fuzzy, because it isn't really a law
>as much as it's an administrative ruling determined by agencies of the
>federal government (executive branch), interpreting older and vaguer laws by
>the congress (legislative branch); where the line really falls is a matter
>of the courts to decide (judicial branch), and courts are slow and expensive.
>The inventor of PGP posted his source on the internet and foreigners just
>happened to download it and sent it all over the world. The feds got mad and
>persecuted him for years. Lately, a federal court has ruled that
>cryptographic codes are "free speech" protected by the 1st amendment. The
>feds are appealing it.
>
>Now, let's suppose we have an unbreakable code, a one-time-pad ferinstance.
>If I journey to Moscow and buy two CD-ROMs of identical one-time-pad bits,
>and send one to my girlfriend in London (i don't really have such a
>girlfriend, i'm happily married, but supposing i wasn't happily married),
>and bring another one back to the states. Then we could email encrypted mash
>notes between us without breaking any laws. (though in this parallel
>universe, Mrs. Poling would no doubt have something non-cryptographic to say
>about the conversation.)
>
>The law is such an ass on this point that i could break the law by doing
>the following:
>
>1. buy a shareware PGP disk at a flea market in Moscow.
>
>2. fly to NYC with the disk in hand
>
>3. then drive home to Michigan through Canada.
>
>The point where i'd break the law is where i cross the border into Canada.
>At that point, i'd be guilty of exporting "munitions" to a foreign country
>without a license. This despite the fact that the foreign country is a close
>ally and the "munition" was originally obtained from Russia.
>
>
>>The exportation of "strong" cryptographic methods in general is
>>prohibited
>>by U.S. law. Any technique which circumvents the letter of the law but
>>violates its intent would likely be prosecuted, if detected. You
>>should be
>>aware that the U.S. gov't intends that none of us has access to
>>COMMERCIALLY AVAILABLE cryptographic methods beyond the means of the
>
>note that you're talking about export of strong crypto methods. not export
>of encrypted bits, completely different things. moreover, PGP is strong
>crypto and it's generally available world-wide.
>
>I'm a trained cryptomathematician (thank you, NSA) and i have good reason to
>believe PGP is secure.
>
>
>>gov't
>>to "break." There is/(has been) legislation initiated by the gov't to
>>force the communications industry to "enhance" their cryptographic
>>methods
>>by the introduction of various "backdoors" to permit law enforcement
>>agencies to decrypt anything any time (with appropriate supervision by
>>the
>>courts, of course). The nice people at FBI, NSA, etc., in cooperation
>>with
>>their counterparts in other nations, would closely guard those
>>backdoors
>>from "the unscrupulous" (read "everybody but themselves"). The
>>"Clipper
>>Chip" was one such proposal - you can read more about such
>>"protections"
>>at various cryptography interest groups on the web.
>
>the clipper chip and like "backdoor" systems have been soundly denounced by
>the international security community, so much so that the prospect of
>backdoors in MS software has caused many to insist upon open source
>alternatives. this was old news a couple years ago.
>
>at present, "key escrow" in a trusted 3rd party seems to be the approach the
>feds are pushing today. basically, all the crypto keys you use are
>registered with a 3rd party that the feds trust to give to them when they
>get a court order.
>
>RMS (Richard M Stallman) has claimed that if the feds demand the crypto
>keys, i can be arrested with some kind of presumption of guilt if i fail to
>give them the keys. (see the article on LinuxToday.com)
>
>
>>If you intend to offer this as a SERVICE, I doubt that there is any
>
>don't.
>
>if you intend to offer crypto as a SERVICE, become a foreign national.
>
>relocate to somewhere crypto friendly like Norway. right now there are a
>number of public servers in crypto-friendly countries where you can get all
>your crypt codes downloaded w/o government interference.
>
>
>>(U.S.)
>>legal way to do what you suggest from the perspective of secure socket
>>layer handling of the encryption. The "big-number" methods, based on
>>models such as Rivest-Shamir-Adleman are useful mainly for public key
>>management. Using them for the encryption/decryption of entire
>>documents
>>is too expensive in processing resources. RSA methods are based on a
>>key-pair, one public and one private. If you encrypt with my public
>>key,
>>which I post with a "trustworthy" authority, only I can easily decrypt
>
>the only reason to post my public key with a trusted 3rd party is to prevent
>someone from spoofing messages with a bogus public key. the spoofing attack
>is pretty convoluted:
>
>the way it should work:
>- Al posts his public key someplace public.
>- Betty picks up his public key and encrypts a note to Al with it.
>- Al uses his private key to decrypt the message.
>
>the spoofing attack works this way:
>- Al posts his public key someplace public
>- Eve substitutes Eve's public key
>- Betty picks up the wrong public key and encrypts a note to Al
>- Eve intercepts Betty's message,
> decrypts with Eve's private key,
> re-encrypts with Al's public key and
> forwards the message to Al.
>- Al uses his private key to decrypt the message unaware of the
>interception.
>
>Note how hard it is for Al's public key to be spoofed. If Al posts his
>public key in a zillion places on the net, it's up to Eve to find them all
>and substitute them all in such a way that Al will never detect the
>substitution. This is a lot of trouble for Eve. Thus it's reasonable to
>assume Eve unwilling to exert that much work unless the Al-Betty
>conversation is something very special. And if Al & Betty are having a very
>special conversation, they'll likely meet once in person to exchange keys
>face to face.
>
>RSA isn't the only public key crypto method.
>
>
>>(with my private key). What you encrypt with the RSA method is usually
>>just another key that will be used to encrypt the real message. The
>>message encryption, however, is probably carried out using some fast
>>method, e.g., one-time pad (bitwise x-or against a pseudo-random
>
>one-time pads are best generated from thermal (boltzmann) noise. My friend
>the hardware type tells me a circuit that generates nice clean boltzmann
>noise is pretty easy. i once thought of starting a company to generate OTPs
>on CD-ROM and sell pairs of disks to privacy freaks. and for the truly
>paranoid, i'd sell just the computers with a boltzmann noise random bit
>generator wired in to let them roll their own OTP CD-ROMs.
>
>i figured that the law be damned, the feds would find a way to screw me if i
>tried, so i didn't pursue the idea.
>
>
>>number
>>set seeded from a key value which is then encrypted by the RSA method,
>>using my public key and passed along with the ciphertext). RSA
>>provides
>>for public key exchange and authentication at great processing expense
>>for
>>a little (key) information (so the total overhead remains small for
>>that
>>step) and then "normal" (fast, process-inexpensive) methods are used
>>for
>>the encryption of the plaintext of the actual message. The
>>key-exchange
>>and authentication have long been major problems in cryptography, and
>>the
>>ease of managing these issues provided by RSA (or any equivalent
>>one-way
>>modular mathematical method derived from Diffie-Hellman) is what
>>provides
>>the threat addressed by U.S. law. Easy-to-use, strong cryptography for
>>everybody is the result, and Uncle Sugar is nervous about it.
>
>PGP uses a public key system to exchange a session key that's in turn used
>to key a BLOWFISH algorithm, that's pretty darned good. and the feds are
>only nervous because they're used to being able to intercept domestic
>communications with nothing more than a court order.
>
>
>>The short answer is that, if you want to provide a service to/from
>>extranational points with the full ease and power of totally modern
>>commercial methods, you can't do it legally.
>
>you can't do it unless you want to somehow figure out how to get the feds to
>cooperate. good luck. how good are you at bribing Arkansas politicians?
>
>
>>> So, irrespective of the local laws of the far end (for the sake of
>>> argument), I'm curious if such a service would be legal
>>> even in the US?
>>
>>If limited to use from servers within the U.S. to points (other
>>servers)
>>within the U.S., maybe so under the letter of the law. The first time
>>a
>>Kazakh uses his e-mail account on a U.S. server (to which he direct
>>connects at long-distance rates) to apply this method to retrieve
>>information from an Albanian whose e-mail account is also on a U.S.
>>server, however...
>>
>>Finally, what you do to ensure the secure exchange of messages between
>>yourself and friends without using a commercially available technology
>>or
>>providing commercial access to any methods that you create is another
>>matter. If you're going to ask a lawyer about something, check whether
>>you
>>can do what you want as a private citizen communicating with your
>>friends
>>in some "obscure way" that you just "whipped up." Anybody can write a
>>one-time pad cipher algorithm (C is great for it - it likes numbers
>
>wrong wrong wrong wrong wrong wrong.
>wrong wrong wrong wrong wrong wrong.
>wrong wrong wrong wrong wrong wrong.
>wrong wrong wrong wrong wrong wrong.
>
>you can't do a one-time pad using pure software. and don't try. all you'll
>do is fail because amateurs are the butt of every cryptanalyst's joke.
>amateur arrogance is the bread and potatoes of the cryptanalysis business.
>if you're Bruce Schneier, yeah, you can write a pseudo-random number
>generator that'll probably work, but you ain't. and until you are, forget
>it. use a professional's algorithm.
>
>>and
>>has bitwise x-or as a primitive operator on bytes). I mention one-time
>>padding in particular, because the same algorithm "undoes" itself
>>(x-or is
>>its own inverse) - so, only one program is required for enciphering
>>and
>>deciphering.
>
>you have confused a pseudo-random number generator with a one-time-pad. a
>pseudo-random number generator generates a key-stream using an algorithm,
>the key-stream is then xor-ed with the plaintext-stream to create the
>ciphertext-stream. The algorithm will always generate exactly the same
>key-stream unless you use a "seed" to have it work differently. If you use
>the algorithm twice with the same seed, you're screwed.
>
>I can simply subtract the first message from the second message to eliminate
>the key-stream, then it's a simple matter of getting the two messages by
>figuring out plain1 and plain2 from plain1-plain2.
>
>msg1 = key1 + plain1
>msg2 = key1 + plain2
>
>then
>
>msg1-msg2 = plain1-plain2
>
>I can get plain1 and plain2 by guessing one or the other, and seeing if the
>other makes sense. if you want to know how to do that, read up on how NSA
>performed the decrypts for Venona. or just take my word for it that the
>proposed system isn't secure.
>
>i'm sorry i wasn't as diplomatic as i should have been.
>
>smiles and cheers,
>
>steve
>
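The key-stream reuse failure steve describes, worked through in the bitwise case where "+" and "-" are both XOR, as an added example that is not part of the original thread. The two sample messages are constructed, and `secrets.token_bytes` stands in for the hardware noise source he recommends; the point shown is that the same pad used twice cancels out, while a fresh pad per message does not.

```python
from __future__ import annotations
import secrets

# Constructed sample plaintexts (assumed for the demo, not from the thread).
PLAIN1 = b"meet me at the station at nine tonight"
PLAIN2 = b"send the package to the usual address"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter (bitwise + and - coincide)."""
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(length: int) -> bytes:
    """Key-stream bits. secrets stands in for the Boltzmann-noise generator the
    thread recommends; what matters here is that each pad is used exactly once."""
    return secrets.token_bytes(length)


def reuse_leak(pad: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages with the SAME pad and XOR the ciphertexts.
    The pad cancels: the result is p1 XOR p2 (msg1 - msg2 = plain1 - plain2)."""
    c1 = xor_bytes(pad, p1)
    c2 = xor_bytes(pad, p2)
    return xor_bytes(c1, c2)


def no_leak(p1: bytes, p2: bytes) -> bytes:
    """Same construction, but each message gets its own pad: nothing cancels."""
    c1 = xor_bytes(fresh_pad(len(p1)), p1)
    c2 = xor_bytes(fresh_pad(len(p2)), p2)
    return xor_bytes(c1, c2)


def crib_drag(diff: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Slide a guessed fragment of one plaintext along p1 XOR p2. Wherever the
    guess is right, the XOR yields the matching fragment of the other message;
    offsets that produce readable ASCII are the candidates to check by hand."""
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        window = xor_bytes(diff[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in window):
            hits.append((i, window))
    return hits


if __name__ == "__main__":
    pad = fresh_pad(max(len(PLAIN1), len(PLAIN2)))
    diff = reuse_leak(pad, PLAIN1, PLAIN2)
    print(diff == xor_bytes(PLAIN1, PLAIN2))      # True: the key-stream is gone
    for pos, frag in crib_drag(diff, b"station"):
        print(pos, frag)                          # includes 15 b'e to th'
    print(no_leak(PLAIN1, PLAIN2) == xor_bytes(PLAIN1, PLAIN2))  # False
```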