

8 June 1999: Add Mr. Gladman's updated text.

7 June 1999


From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Subject: Re: Germany Frees Crypto
Date: Sun, 6 Jun 1999 19:30:07 +0100

> As someone working on an Echelon story asked elsewhere, just what
> strength of crypto can NSA crack these days.

[Updated by Mr. Gladman 8 June 1999]

In my view this question has to be posed and answered carefully.  The
reality is that most crypto cracks are not done by breaking the algorithms
but by exploiting weaknesses in their implementation.  It is fairly clear that
we are already using algorithms that would be way beyond NSA's ability to
break by brute force if they were implemented perfectly and operated in a
perfect environment.  We already use 128+ bit keys in many of our
algorithms and yet it is very clear that few if any applications come even
close to the levels of security that such key lengths offer.

In the work on AES several papers show how easy it is to get at keys on
smartcards and Markus Kuhn at Cambridge has recently published an excellent
paper on this (see:  http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf).  And, 
of course, software is several orders of magnitude easier to subvert so we 
can see that we really do not have to worry about algorithm strength but 
rather the strength of implementations.  These have a ***LONG*** way to go 
before they even come close to matching the security offered by current 
algorithms and key lengths.

Having worked on military systems the one thing that I can say with confidence
is that the only area in crypto where the 'government machine' remains ahead
of the open world is in the issue of implementation assurance.  Governments
have learnt from a lot of practical experience how easy it is to undermine
algorithm security during implementation. The open world still has to learn
much of this.  I believe that this will happen at a rapidly increasing rate
so I don't think this advantage will last much more than a few more years
but it is there now and it means that key length just gives an unlikely
upper limit on the security that applications offer.

But a wider issue is that the question has to be asked in a context.  If NSA
conducts a targeted attack on a specific message it can clearly break keys a
great deal longer than 56 bits (using DES as a benchmark).  But if we
achieved a situation in which all email was truly protected to even 40 bits
then much of the internet would be instantly out of NSA's reach since to do
'keyword' searches and the like requires a huge volume of traffic to be
decrypted and here even 40 bit encryption would pose an insurmountable
barrier.

So if we could find ways of achieving, as a matter of routine, ***ACTUAL***
cryptographic security at even DES strength, much of the 'State Sponsored
Information Piracy' we currently hear about would not be possible.

IMHO this won't happen, not because it cannot be done, but rather because
most users prefer functionality over security and, given the chance to put
processor and software improvements into one or the other, the market will,
for the present at least, continue to be driven by functionality. Of course
there are applications that, used properly, give good security but they are
used by a very small fraction of the user community, most of whom will
continue to be content to exchange email in the clear.  This is made worse
by the fact that most large companies don't seem to be aware of the need for
good implementation assurance in offering security solutions and hence
provide solutions that seem to offer security performance but which, in
reality, are worse than useless because they give users a comfortable
feeling while offering no real protection.

My own hope is that a convergence of the open source software and
cryptographic communities will now bring a rapid change in this situation.
The technical community can offer the world good protection and governments
are powerless to stop this happening if we choose to do it.

Frankly I have stopped short of pushing this line vigorously in public but I
am fed up with the UK government's protestations of being positive about
crypto whilst doing all it can 'behind the scenes' to prevent its spread.

Good evidence of this is the UK government's stance in Wassenaar, an
arrangement that states clearly that it cannot be used to justify
actions which impede genuine commercial transactions.  Yet despite this
clear statement, the UK government - the DTI no less - has continued to use
this agreement to seek restrictions on the export of civil cryptographic
products that cannot even remotely be considered to fall within its
provisions.

And if anyone doubts the UK government's desire to hide its
actions in Wassenaar from the public eye, just look at the recent paper on
'Encryption and Law Enforcement' issued by the PIU
(see: www.cabinet-office.gov.uk/Innovation). Here export controls on
cryptography are ***not even mentioned*** even though it is very clear that
they fall at the heart of the study remit as a major consideration in the
relationship between encryption and e-commerce.  But worse than simply
not covering export controls, this paper actually ***LIES*** about
government actions by saying:

"However, apart from the OECD Guidelines on Cryptography Policy,
there has been remarkably little co-ordination of policy on encryption
matters."

when almost everyone on this list knows very well that the government has
had a long standing role in a host of international efforts designed to
restrict the spread of cryptography.

I am amazed (maybe I shouldn't be) that the government would tell such
deliberate and shameful lies in a document with a preface signed by the
Prime Minister. In fact I have been so taken aback by this that I have been
at a loss about how best to react to it - it is hard to know where UK
citizens can turn when there is such deliberate dishonesty and lack of
ethics right at the heart of government.

It will be interesting to find out whether the Prime Minister and the Head
of the PIU are aware of the fact that a document put out in their name
contains such deliberate distortions of the truth.  I hope that journalists
on the ukcrypto list will do what they can to discover the level within
government at which this attempt to mislead the UK public has been
orchestrated.

      Brian Gladman


Date: Sun, 6 Jun 1999 16:36:31 -0400
From: Nigel Hickson <nigelhickson@compuserve.com>
Subject: Re: Germany Frees Crypto
To: ukcrypto@maillist.ox.ac.uk

Brian

Just seen; the PIU document was talking about coordination on encryption
policy; not on export controls.  Why should we lie about Wassenaar?  We were
simply trying to make point (something I thought you wd be in favour of)
that there has been little coordination on broad encryption policies in the
round.

Nigel Hickson [DTI]


Hi Nigel,

[Snip Nigel Hickson message.]

Thank you for your quick reaction to my flame.

The remit given to the PIU was:

* to study the needs of law enforcement agencies and of business;
* to examine the merits of the current encryption policy (and in
  particular key escrow, which is explained in chapter 5); and, if
  necessary,
* to identify proposals that would satisfy both the need to promote
  encryption for electronic commerce and the Government's duty to ensure
  that public safety is not jeopardised.

Although there is clearly an emphasis on key escrow, it says 'current
encryption policy' and here it is not sensible to omit coverage of export
controls when many of us have been saying for years that these are impeding
the development of e-commerce.  I am also very confident that one of the
arguments used in promoting Wassenaar crypto controls has been law
enforcement requirements so this again shows the relevance of Wassenaar
within the remit of the PIU study.

I hence maintain my surprise that the document makes ***no mention*** of the
crypto export control issue, something that is quite amazing given the study
remit.

In terms of international co-ordination of encryption policy, various arms
of the UK government machine, especially GCHQ, have a long standing set of
international relationships within which policies on encryption are
discussed.  Moreover within Europe, the Senior Officials Group on Information
Security and the EU Cryptography Working Group are attended by the UK.  The
UK has been heavily involved in continuing discussions with the US (Aaron et
al) on the topic of encryption controls.  And the GCHQ/NSA axis continues to
discuss in detail the issues involved in trying to limit the spread of
cryptography.  Moreover a number of nations co-operate 'behind the scenes'
in such bodies as ETSI to limit the strength of the encryption technologies
deployed within telecommunications systems.

But despite this extensive international coordination of encryption policy
the PIU document claims that there is "remarkably little international
co-ordination"!  I don't often accuse the government of barefaced lies but
on this occasion there is no other word to describe what the PIU document
has said.

I would certainly support a statement that said "there has been remarkably
little ***open and publicly accountable*** international co-ordination of
encryption policies" and this might be what was meant but this is NOT what
the PIU report says.

Most often I believe that these situations are the result of mistakes rather
than conspiracies but on this occasion I find it ***VERY*** hard to see this
as anything but a deliberate attempt to divert attention from one of the key
issues in the development of e-commerce.

When someone is stamping on your toes (crypto export controls) and beating
you over the head with a sledge hammer (key escrow), it is a relief when
they give up the sledge hammer but it is important not to forget that they
are still stamping on your toes!  Key escrow can be seen as an excellent way
of diverting attention from the export control issue and the PIU study
provides a clear insight into this intention.

Those of us who want these controls removed should not allow our attention
to be diverted in this way.

Perhaps you or David can explain why you consider encryption export controls
to be outside the remit of this PIU study?

      Brian


To: ukcrypto@maillist.ox.ac.uk
Subject: `Germany Frees Crypto' - do you believe it?
Date: Mon, 07 Jun 1999 11:34:51 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Some people are under the impression that France and Germany have freed
crypto. However, export controls look like being tightened. Guess who
organised that? As Brian eloquently puts it:

> Moreover within Europe, the Senior Officials Group on Information
> Security and the EU Cryptography Working Group are attended by the UK.
> The UK has been heavily involved in continuing discussions with the US
> (Aaron et al) on the topic of encryption controls.  And the GCHQ/NSA
> axis continues to discuss in detail the issues involved in trying to
> limit the spread of cryptography.  Moreover a number of nations
> co-operate 'behind the scenes' in such bodies as ETSI to limit the
> strength of the encryption technologies deployed within
> telecommunications systems.

After last year's DTI white paper on export controls proposed to control
`intangible exports' as in the USA (but worse), there was an explosion of
outrage; a report from the Trade and Industry Select Committee trashed the
idea. Officials said that we shouldn't worry as there was no parliamentary
time for a bill this century.

However the relationships to which Brian refers above seem to have been
exploited to cause the EU to issue a draft regulation in much the same terms
as the bill (see http://www.cl.cam.ac.uk/users/rja14/#Lib for details). When
speaking to the relevant DTI wallahs, I detect a distinct note of gloating
to the effect that `we outsmarted you by doing this through Europe - you
can't stop us now'.

GCHQ's agenda is obviously to stop people like Brian and me having crypto
source code on our web pages. They don't seem to have understood that:

(a) the public domain exemption will apply to the Serpent home page
    which will still be there. If the exemption is removed, the Serpent
    home page will still be available in Norway, Israel, Taiwan ...;

(b) there will be enormous harm done to industrial R&D and to
    university teaching <http://www.cl.cam.ac.uk/~rja14/export.html>.
    Essentially everything we do in the School of Technology, and
    much of what's done in the School of Medicine, will fall under the
    net, so we'll have to get personal export licences for an awful
    lot of foreign students. The system may just collapse unless we
    take our courses fully public domain (I have done this: check out
    http://www.cl.cam.ac.uk/Teaching/1998/Security/). But fully
    public domain research would undermine the DTI's efforts to make
    us do all our research in collaboration with industry;

(c) the absurdity and chaos will bring the arms control regime into
    disrepute. At present, judges confronted with an arms smuggler
    throw away the key; but given a couple of years of confrontation
    with RSA T-shirts and newspaper stories of ludicrous official
    decisions, the DTI will be laughed out of court;

(d) even with an EU regulation, they can't create a new criminal
    offence - of unlicensed talking to a foreigner - without primary
    legislation. However, with an EU regulation in place, the UK
    government will find itself compelled to introduce this.

Those clever people at the DTI clearly hoped that, in going via Europe
rather than sponsoring UK legislation directly, they could avoid a
confrontation that might embarrass ministers. But they have merely ensured
that the confrontation will happen on the worst possible terms. Once the
regulation is passed, the government will have been painted into a corner by
Brussels; they will have to legislate; they won't be able to delay and
obfuscate, as with crypto policy, in the hope that the problem will go away
somehow; the apparent `European' source of the stupidity will ensure that
the Tories savage it; its intrusive and disproportionate nature will get the
Lib Dems up in arms; the DTI's finesse of the select committee will upset
Labour back benchers (who are divided anyway because the hard left want all
arms exports banned); and the furore will be even worse than with crypto
policy as it will affect many more people.

For example, the metallurgy people next door to us use a focussed ion beam
machine to prepare samples for electron microscopy. This is an export
controlled device (you can also use it to break smartcards); until now all
that meant was filling a form when you bought it and another when you put it
in a skip seven years later. But under the new regime, every foreigner with
access to the software will need a personal export licence - that's most of
the research students and some of the undergrads. Also, the current practice
of swapping programs with metallurgists in other countries will be choked
off. Stand by for some very unhappy materials scientists (and engineers and
chemists and physicists and medics and botanists and ...).

Nigel, you used to be at export control before you moved to crypto policy. I
bet you're glad you escaped in time!

Ross