Cryptome DVDs. Donate $25 for two DVDs of the Cryptome collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of,,,, and, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.

8 June 1999: Add Mr. Gladman's updated text.

7 June 1999

From: "Brian Gladman" <>
To: <>
Subject: Re: Germany Frees Crypto
Date: Sun, 6 Jun 1999 19:30:07 +0100

> As someone working on an Echelon story asked elsewhere, just what
> strength of crypto can NSA crack these days.

[Updated by Mr. Gladman 8 June 1999]

In my view this question has to be posed and answered carefully.  The
reality is that most crypto cracks are not done by breaking the algorithms
but by exploiting weaknesses in their implementation.  It fairly clear that
we are already using algorithms that would be way beyond NSA's ability to
break by brute force if they were implemented perfectly and operated in a
perfect environment.    We already use 128+ bit keys in many of our
algorithms and yet it is very clear that few if any applications come even
close to the levels of security that such key lengths offer.

In the work on AES several papers show how easy it is to get at keys on
smartcards and Markus Kuhn at Cambridge has recently published an excellent
paper on this (see:  And, 
of course, software is several orders of magnitude easier to subvert so we 
can see that we really do not have to worry about algorithm strength but 
rather the strength of implementations.  These have a ***LONG*** way to go 
before they even come close to matching the security offered by current 
algorithms and key lengths.

Having worked on military systems the one thing that I can with confidence
is that the only area in crypto where the 'government machine' remains ahead
of the open world is in the issue of implementation assurance.  Governments
have learnt from a lot of practical experience how easy it is to undermine
algorithm security during implementation. The open world still has to learn
much of this.  I believe that this will happen at a rapidly increasing rate
so I don't think this advantage will last much more than a few more years
but it is there now and it means that key length just gives an unlikely
upper limit on the security that applications offer.

But a wider issue is that the question has to be asked in a context.  If NSA
conducts a targeted attack on a specific message it can clearly break keys a
great deal longer than 56 bits (using DES as a benchmark).  But if we
achieved a situation in which all email was truly protected to even 40 bits
then much of the internet would be instantly out of NSA's reach since to do
'keyword' searches and the like requires a huge volume of traffic to be
decrypted and here even 40 bit encryption would pose an insurmountable

So if we could find ways of achieving, as a matter of routine, ***ACTUAL***
cryptographic security at even DES strength, much of the 'State Sponsored
Information Piracy' we currently hear about would not be possible.

IMHO this won't happen, not because it cannot be done, but rather because
most users prefer functionality over security and, given the chance to put
processor and software improvements into one or the other, the market will,
for the present at least, continue to be driven by functionality. Of course
there are applications that, used properly, give good security but they are
used by a very small fraction of the user community, most of whom will
continue to be content to exchange email in the clear.  This is made worse
by the fact that most large companies don't seem to be aware of the need for
good implementation assurance in offering security solutions and hence
provide solutions that seem to offer security performance but which, in
reality, are worse than useless because they give user's a comfortable
feeling while offering no real protection.

My own hope is that a convergence of the open source software and
cryptographic communities will now bring a rapid change in this situation.
The technical community can offer the world good protection and government's
are powerless to stop this happening if we choose to do it.

Frankly I have stopped short of pushing this line vigorously in public but I
am fed up with the UK government's protestations of being positive about
crypto whilst doing all it can 'behind the scenes' to prevent its spread.

Good evidence of this is the UK government's stance in Wassenaar, an
arrangement that states clearly that it cannot be used to used to justify
actions which impede genuine commercial transactions.  Yet despite this
clear statement, the UK government - the DTI no less - has continued to use
this agreement to seek restrictions on the export of civil cryptographic
products that cannot even remotely be considered to fall within its

And if anyone doubts the UK government's desire to hide its
actions in Wassenaar from the public eye, just look at the recent paper on
'Encryption and Law Enforcement' issued by the PIU
(see: Here export controls on
cryptography are ***not even mentioned*** even though it is very clear that
they fall at the heart of the study remit as a major consideration in the
relationship between encryption and e-commerce.  But worse than simply
not covering export controls, this paper actually ***LIES*** about
government actions by saying:

"However, apart from the OECD Guidelines on Cryptography Policy,
there has been remarkably little co-ordination of policy on encryption

when almost everyone on this list knows very well that the government has
had a long standing role in a host of international efforts designed to
restrict the spread of cryptography.

I am amazed (maybe I shouldn't be) that the government would tell such
deliberate and shameful lies in a document with a preface signed by the
Prime Minister. In fact I have been so taken aback by this that I have been
at a loss about how best to react to it - it is hard to know where UK
citizens can turn when there is such deliberate dishonesty and lack of
ethics right at the heart of government.

It will be interesting to find out whether the Prime Minister and the Head
of the PIU are aware of the fact that a document put out in their name
contains such deliberate distortions of the truth.  I hope that journalists
on the ukcrypto list will do what they can to discover the level within
government at which this attempt to mislead the UK public has been

      Brian Gladman

Date: Sun, 6 Jun 1999 16:36:31 -0400 From: Nigel Hickson <> Subject: Re: Germany Frees Crypto To: Brian Just seen; the PIU document was talking about coordination on encryption policy; not on export controls.  Why should we lie about Wassenaar?  We were simply trying to make point (something I thought you wd be in favour of) that there has been little coordination on broad encryption policies in the round. Nigel Hickson [DTI]
Hi Nigel, [Snip Nigel Hickson message.] Thank you for your quick reaction to my flame. The remit given to the PIU was: * to study the needs of law enforcement agencies and of business; * to examine the merits of the current encryption policy (and in particular key escrow, which is explained in chapter 5); and, if necessary, * to identify proposals that would satisfy both the need to promote encryption for electronic commerce and the Government's duty to ensure that public safety is not jeopardised. Although there is clearly an emphasis on key escrow, it says 'current encryption policy' and here it is not sensible to omit coverage of export controls when many of us have been saying for years that these are impeding the development of e-commerce.  I am also very confident that one of the arguments used in promoting Wassenaar crypto controls has been law enforcement requirements so this again shows the relevance of Wassenaar within the remit of the PIU study. I hence maintain my surprise that the document makes ***no mention*** of the crypto export control issue, something that is quite amazing given the study remit. In terms of international co-ordination of encryption policy, various arms of the UK government machine, especially GCHQ, have a long standing set of international relationships within which policies on encryption are discussed.  Moreover within Europe, the Senior Officials Group on Informaton Security and the EU Cryptography Working Group are attended by the UK.  The UK has been heavily involved in continuing discussions with the US (Aaron et al) on the topic of encryption controls.  And the GCHQ/NSA axis continues to discuss in detail the issues involved in trying to limit the spread of cryptography.  Moreover a number of nations co-operate 'behind the scenes' in such bodies as ETSI to limit the strength of the encryption technologies deployed within telecommunications systems. But despite this extensive international coordination of encryption policy the PIU document claims that there is "remarkably little international co-ordination"!  I don't often accuse the government of barefaced lies but on this occasion there is no other word to describe what the PIU document has said. I would certainly support a statement that said "there has been remarkably little ***open and publicly accountable *** international co-ordination of encryption polices" and this might be what was meant but this is NOT what the PIU report says. Most often I believe that these situations are the result of mistakes rather than conspiracies but on this occassion I find it ***VERY*** hard to see this as anything but a deliberate attempt to divert attention from one of the key issues in the development of e-commerce. When someone is stamping on your toes (crypto export controls) and beating you over the head with a sledge hammer (key escrow), it is a relief when they give up the sledge hammer but it is important not to forget that they are still stamping on your toes!   Key escrow can be seen as an excellent way of diverting attention from the export control issue and the PIU study provides a clear insight into this intention. Those of us who want these controls removed should not allow our attention to be diverted in this way. Perhaps you or David can explain why you consider encryption export controls to be outside the remit of this PIU study?       Brian
To: Subject: `Germany Frees Crypto' - do you believe it? Date: Mon, 07 Jun 1999 11:34:51 +0100 From: Ross Anderson <> Some people are under the impression that France and Germany have freed crypto. However, export controls look like being tightened. Guess who organised that? As Brian eloquently puts it: > Moreover within Europe, the Senior Officials Group on Informaton > Security and the EU Cryptography Working Group are attended by the UK. > The UK has been heavily involved in continuing discussions with the US > (Aaron et al) on the topic of encryption controls.  And the GCHQ/NSA > axis continues to discuss in detail the issues involved in trying to > limit the spread of cryptography.  Moreover a number of nations > co-operate 'behind the scenes' in such bodies as ETSI to limit the > strength of the encryption technologies deployed within > telecommunications systems. After last year's DTI white paper on export controls proposed to control `intangible exports' as in the USA (but worse), there was an explosion of outrage; a report from the Trade and Industry Select Committee trashed the idea. Officials said that we shouldn't worry as there was no parliamentary time for a bill this century. However the relationships to which Brian refers above seem to have been exploited to cause the EU to issue a draft regulation in much the same terms as the bill (see for details). When speaking to the relevant DTI wallahs, I detect a distinct note of gloating to the effect that `we outsmarted you by doing this through Europe - you can't stop us now'. GCHQ's agenda is obviously to stop people like Brian and me having crypto source code on our web pages. They don't seem to have understood that: (a) the public domain exemption will apply to the Serpent home page     which will still be there. If the exemption is removed, the Serpent     home page will still be available in Norway, Israel, Taiwan ...; (b) there will be enormous harm done to industrial R&D and to     university teaching <>.     Essentially everything we do in the School of Technology, and     much of what's done in the School of Medicine, will fall under the     net, so we'll have to get personal export licences for an awful     lot of foreign students. The system may just collapse unless we     take our courses fully public domain (I have done this: check out But fully     public domain research would undermine the DTI's efforts to make     us do all our research in collaboration with industry; (c) the absurdity and chaos will bring the arms control regime into     disrepute. At present, judges confronted with an arms smuggler     throw away the key; but given a couple of years of confrontation     with RSA T-shirts and newspaper stories of ludicrous official     decisions, the DTI will be laughed out of court; (d) even with an EU regulation, they can't create a new criminal     offence - of unlicensed talking to a foreigner - without primary     legislation. However, with an EU regulation in place, the UK     government will find itself compelled to introduce this. Those clever people at the DTI clearly hoped that, in going via Europe rather than sponsoring UK legislation directly, they could avoid a confrontation that might embarrass ministers. But they have merely ensured that the confrontation will happen on the worst possible terms. Once the regulation is passed, the government will have been painted into a corner by Brussels; they will have to legislate; they won't be able to delay and obfuscate, as with crypto policy, in the hope that the problem will go away somehow; the apparent `European' source of the stupidity will ensure that the Tories savage it; its intrusive and disproportionate nature will get the Lib Dems up in arms; the DTI's finesse of the select committee will upset Labour back benchers (who are divided anyway because the hard left want all arms exports banned); and the furore will be even worse than with crypto policy as it will affect many more people. For example, the metallurgy people next door to us use a focussed ion beam machine to prepare samples for electron microscopy. This is an export controlled device (you can also use it to break smartcards); until now all that meant was filling a form when you bought it and another when you put it in a skip seven years later. But under the new regime, every foreigner with access to the software will need a personal export licence - that's most of the research students and some of the undergrads. Also, the current practice of swapping programs with metallurgists in other countries will be choked off. Stand by for some very unhappy materials scientists (and engineers and chemists and physicists and medics and botanists and ...). Nigel, you used to be at export control before you moved to crypto policy. I bet you're glad you escaped in time! Ross