A bunch of us cryptographers would really like to attack RPK, but the
documents on the website are slippery enough to make it difficult.  There
is enough unspecified for them to sneak away from any analysis.

If someone were to reverse engineer the RPK cryptosystem from this product,
I would really appreciate it.

From: Jack Oswald <joswald@rpkusa.com>
To: "'John Young'" <jya@pipeline.com>, "cypherpunks@toad.com" <cypherpunks@toad.com>
Date: Wed, 28 Jan 1998 10:27:59 -0800
Subject: RE: Announcement: RPK InvisiMail released on 12 Jan, 1998

It seems that there is some confusion WRT to the origin of this product. The encryption technology was developed in New Zealand. The application itself was developed on the Isle of Man (British Isles). As a result, the US gov't has had nothing to do with the product and therefore none of the "concerns" represented in the previous message have any merit.

What was meant by use of "honey" is that if you pick a fight with a government official, they will be happy to fight back. If you compliment them on their farsighted visionary non-meddling approach you get a very different response. Our experience has been that we get a reasonable response from the NZ government that does not restrict the security that our products offer nor in the way that we choose to do business.

Jack

Date: Tue, 27 Jan 1998 19:02:07 -0500
To: cypherpunks@toad.com
From: John Young <jya@pipeline.com>
Subject: RE: Announcement: RPK InvisiMail released on 12 Jan, 1998
Cc: Jack Oswald <joswald@rpkusa.com>

On "using honey not vinegar" rationale of RPK InvisiMail for obtaining crypto export licenses:

Applied Cryptography, Bruce Schneier, 2nd Edition, pp. 215-16

Algorithms for Export

Algorithms for export out of the United States must be approved by the U.S. government (actually, by the NSA--see Section 25.1). It is widely believed that these export-approved algorithms can be broken by the NSA. Although no one has admitted this on the record, these are some of the things the NSA is rumored to privately suggest to companies wishing to export their cryptographic products:

- Leak a key bit once in a while, embedded in the ciphertext.

- "Dumb down" the effective key to something in the 30-bit range. For example, while the algorithm might accept a 100-bit key, most of those keys might be equivalent.

- Use a fixed IV, or encrypt a fixed header at the beginning of each encrypted message. This facilitates a known-plaintext attack.

- Generate a few random bytes, encrypt them with the key, and then put both the plaintext and the ciphertext of those random bytes at the beginning of the encrypted message. This also facilitates a known-plaintext attack.

NSA gets a copy of the source code, but the algorithm's details remain secret from everyone else. Certainly no one advertises any of these deliberate weaknesses, but beware if you buy a U.S. encryption product that has been approved for export.

-----

Bruce added the last "beware" phrase to the 2nd edition.

Bill -

The technology that we export as part of RPK InvisiMail, is world-class strong crypto. Key size options are 607 bits and 1279. The math behind the system is based on the same as that of D-H. There is no snake oil. There was no intentional or unintentional attempt to mislead any government authority. We also did not request an export license, because there is no need to do so in New Zealand as long as the export is by means of the Internet. Peter G. knows this as well. The story may be different for physical export on disk, disc or tape, although we cannot concur with Peter's personal experience. Our experience is that we get pretty good treatment from the NZ authorities. We also may use a different approach. I have often heard that you can often get a better response when using honey than vinegar. Therein may explain differences in our respective experiences.

I have personally met with the Minister of Trade for New Zealand. His views and those of his staff seemed to be acceptable to us and have not imposed any undue restrictions of our business or our ability to operate.

Jack Oswald
President and CEO
RPK Fast Public Key Encryption
RPK New Zealand Ltd.

Date: Sun, 25 Jan 1998 18:44:13 -0700
To: RPK New Zealand Ltd <info@rpkusa.com>, cypherpunks@cyberpass.net
From: Bill Stewart <bill.stewart@pobox.com>
Subject: Re: Announcement: RPK InvisiMail released on 12 Jan, 1998

I was amused to receive two mail messages back-to-back, one from Peter Gutmann talking about New Zealand having one of the strictest formal export controls in the world, and one from RPK New Zealand talking about how their encryption product is not export-controlled because it's from NZ, not the US, and how their RPK Fast Public Key Encryptonite(tm) Engine is the strongest crypto in the world.

Either they haven't bothered asking for export permission, or they asked in such a way that the export bureaucrats didn't notice it was crypto and regulated by their crypto export preventers, or their crypto somehow falls through the cracks, e.g. by using an algorithm with public keys shorter than 512 bits (works for ECC, not RSA) and private keys shorter than 40 bits (or 41 on a good day), or perhaps passes the "snake oil test" for export permission.

I suppose it's possible that the NZ Export Bureaucrats have lightened up since Peter's last dealings with them, but it's not likely.

>--------------- The mail, referencing www.invisimail.com
>RPK New Zealand Ltd. in a joint venture with Virtually Online Ltd.
>has released RPK InvisiMail, a standards-based e-mail security
>application for use with Internet mail software (SMTP/POP3).
>The product offers the strongest encryption available anywhere in
>the world. Since it was built outside the United States,
>it is also available all over the world with strong encryption.
>RPK InvisiMail is also the easiest product of its type
>to setup and use which makes it quite unique.

========= From Peter Gutmann's web page

This policy has resulted in New Zealand enjoying the dubious distinction of having the strictest export controls on earth, with everything ranging from crypto hardware down to software, library books, computer magazines, and journals being restricted from export. It's not even possible for a university to publish academic research without prior permission from a government agency, and the requirements for obtaining this permission are structured to ensure that they can never be fulfilled.

You can find the information on: http://www.cs.auckland.ac.nz/~pgut001/policy/

==============================

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639

--- begin forwarded text

RPK New Zealand Ltd. in a joint venture with Virtually Online Ltd. has released RPK InvisiMail, a standards-based e-mail security application for use with Internet mail software (SMTP/POP3). The product offers the strongest encryption available anywhere in the world. Since it was built outside the United States, it is also available all over the world with strong encryption. RPK InvisiMail is also the easiest product of its type to setup and use which makes it quite unique. You can learn more about this product by reading the press release below or by visiting the web site at www.InvisiMail.com. We are also offering FREE downloads of the RPK InvisiMail Intro product. Please give it a try and pass it along to anyone you like.

--------------------------------

For Immediate Release

RPK InvisiMail(tm), secure Internet e-mail with globally available strong encryption for Microsoft, Netscape platforms

SAN FRANCISCO, Jan. 12, 1998 - InvisiMail Ltd (www.InvisiMail.com) announced today immediate worldwide availability of RPK(tm) InvisiMail(tm), a standards-based e-mail security add-in for Microsoft, Netscape and other POP3/SMTP Internet e-mail clients and gateway servers. Tested and certified by the International Computer Security Association (www.ncsa.com), RPK InvisiMail automatically and transparently encrypts e-mail messages and attachments, authenticates the sender and verifies the contents of each message have not been changed in transit.

RPK InvisiMail is globally available with high strength encryption. InvisiMail and the underlying RPK encryption algorithm were developed outside the United States. Therefore, InvisiMail is not subject to restrictive U.S. export policies.

RPK InvisiMail is as easy to set up and use as anti-virus software, and just as important. While Microsoft and Netscape battle each other with incompatible and difficult to use security offerings, InvisiMail seamlessly integrates with ALL popular POP3/SMTP e-mail products including Netscape, Microsoft, Eudora, Pegasus, Calypso -- more than any other solution available today -- making it the preferred e-mail security product for multi-platform use, worldwide.

All InvisiMail users can send the FREE InvisiMail Intro version to anyone worldwide, providing compatibility without requiring others to purchase anything, making InvisiMail unique among e-mail security offerings.

"Most people don't realize that their e-mail can be forged, altered or read by anyone, any time, without any evidence," said Jack Oswald, President and CEO of RPK Ltd. "Without products like RPK InvisiMail, communications on the Internet are untrustworthy."

InvisiMail uses the RPK Fast Public Key Encryptonite(tm) Engine, the strongest cryptography available worldwide today. RPK is dramatically faster than the well-known RSA algorithm, yet just as secure. RPK has been analyzed by world class cryptographers who have issued reports on the security and integrity of the technology.

"InvisiMail is the easiest, fastest, most transparent e-mail security product I have seen," said Kevin Shannon, President of net*Gain, a specialist in launching Internet companies. "This is the product we've all been waiting for."

As part of its official launch, InvisiMail Professional is available FREE to all New Zealand residents for ninety days. RPK InvisiMail is available in two desktop versions: Intro (FREE) and Professional (introductory price $29.95). RPK InvisiMail Enterprise Gateway Server will be available Q2 1998.

--- end forwarded text

Robert Hettinga (rah@shipwright.com)