News Items from Security-Related Mailing Lists (8/8/97)

by Mary Ellen Zurko, The Open Group Research Institute (

This edition's listwatch items come from the email lists e$pam, cryptography, cypherpunks, fight-censorship, oxdeadbeef, tbtf, and dcsb.

There was some speculation and rumors on the cryptography list that DoD interest in Fortezza is waning. This included stories of a contract that was killed and the evolution of Fortezza being stalled in the context of the Defense Messaging System, as well as lack of requests for Fortezza from federal contractors.

Intel's BIOS Update technology enables bug fixes to its microprocessors to be downloaded to the chips. A story discussing the security of this feature include claims that the microcode patch is encrypted, and after its header is examined "there are two levels of encryption in the processor that must occur before it will successfully load the update" (integrity and authentication? or just doubly-encrypted for confidentiality?). My favorite security measure for this protocol is that "There is no documentation. ... It's actually in the heads of less than 10 people in the whole of Intel."

Mitsubishi has developed a software program which evaluates symmetric-key encryption algorithms, displaying the amount of computing power required to deduce the key, based on Shamir's differential decryption method and Mitsubishi's proprietary linear decryption method. The program uses "simple approximations of the encryption algorithm" to determine "the minimal volume of computations needed to crack the code."

AOL has announced a telemarketing plan that would include selling memebers' telephone numbers. They have decided not to do that, based on the reaction from customers and other intersted parties. See for the story.

There was a lot of discussion of government access to keys on cypherpunks. A policy brief from the Brookings Institution takes the line that "there are reasonable compromises" in the debate about government access to keys. The contents of most of the brief are familiar to those following the debate. The author believes that recent government trends towards listening to critics and evolving a more flexible policy based on that feedback may lead to a workable compromise. The author acknowledges that one of the problems with the approach is its potential for abuse, and recommends a permanent, verifiable audit trail of any government interception of electronic communications. Other key escrow discussion on cypherpunks suggested that keys should be split and held by the following parties, so that all of them had to agree for a valid key to be returned:

  1. ACLU
  2. NRA
  3. Republican Nat'l Committee
  4. Democratic Nat'l Committee
  5. N Y Times
  6. Washington Post
  7. Christian Coalition
  8. Libertarian Party
  9. FBI
  10. NSA
  11. Speaker of the House of Representatives
  12. U S Supreme Court
Another suggestion was that the government go through a judge and/or the key holders to get the content as well as the key. Another subscriber suggested that the FBI and most other secret security agencies should also be forced to use key escrow. It was pointed out that the McCain-Kerrey bill does not require a court order to get keys, even though reports on the bill have implied that it does.

A variety of mailing lists and individuals associated with an imprisoned member of cypherpunks got an email message that looks like it came from the IRS reporting on how that member pled guilty. There was speculation on just how the IRS got that list of email addresses to send to, including a question on whether it would violate the Electronic Communications Privacy Act if the email records had been obtained from a seized computer.

An entertaining, unattributed story appeared on 0xdeadbeef:

'At a recent Sacramento PC User's Group meeting, a company was demonstrating its latest speech-recognition software. A representative from the company was just about ready to start the demonstration and asked everyone in the room to quiet down. Just then someone in the back of the room yelled, "Format C: Return."
Unfortunately, the software worked.'

Dorothy Denning and William Baugh have completed a study called "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," which is to be published by the National Strategy Information Center. See for an excerpt. The study was unable to find any incident where cryptography significantly harmed an investigation.

At DefCon 5, the hacker's convention in Las Vegas, Bruce Schneier is quoted as saying of cryptosystems, "The math is perfect. The computers are bad. The networks hideous. The people worse."

The last piece of the puzzle of how general purpose web browsers and servers would be allowed to export 128-bit cryptography that could only be used by approved institutions (financial or US corporation) fell into place with the announcement that Verisign had gotten government approval to be the sole exportor of the "magic certificates". Discussion on cypherpunks included what would happen if the government decided those certificates should be revoked, or not renewed after their one year expiration date. The good news (as it were) is that most browsers can't deal with Certificate Revocation Lists yet.

A Canadian-based firm, Entrust, is offering an encryption tool for personal use for free, over the Web (see It seems to include 128-bit symmetric key encryption, which is not generally available for export from the US. On a related note, an AP story states that a senior official of the NSA was overheard at a White House press conference saying "It would not take any twelve times the age of the universe to decrypt a 128-bit message. Thirty-three minutes is more like it."

A quote from the July '97 "Computer Design" describing a Pentium-compatible microprocessor redefines the phrase "proof of correctness" by stating "IDT claims to have tested the C6 with most modern PC operating systems, including WIndows 95, Windows 3.1, NetWare, and Solaris for Intel. The complexity and pervasiveness of the Windows operating system generally are considered to make up an exacting proof of correctness...".