by Mary Ellen Zurko

This issue's highlights are from risks, tls, cypherpunks, dcsb, spki, tbtf, e-carm, e$, and digsig.

Commerce Secretary William M. Daley said that the current controls on encryption technology are hurting America's ability to compete with other countries. "There are solutions out there. Solutions that would meet some of law enforcement's needs without compromising the concerns of the privacy and business communities. But I fear our search has thus far been more symbolic than sincere..." One rumored industrial compromise is to hold the line on transmitted data, but to give some on stored data in exchange for concensions on export controls.

The digital cellular phone encryption system, GSM, was cracked by two researchers at UC Berkeley. They managed to crack the code on the SIM or smart card, which does not seem to be radio-transmitted information. They repeatedly asked the card to identify itself, and so cracked it by brute force. See the web site for more information. The Time article says: ``What was even more intriguing than the security threat, however, was that cracking the code yielded a tantalizing hint that a digital key used by GSM may have been intentionally weakened during the design process to permit government agencies to eavesdrop on cellular telephone conversations.'' The 64 bit key seems to have 10 bits that are always zero. A Risks contributer stated that that was no news; the use of GSM in Australia was blocked on the day of the official launch because the security and police services wanted an easier code to break. One of the Berkeley researchers indicated that he thought it was the choice of algorithm, not the key length, that had been weakened in the design phase.

On the TLS working group list, there is a discussion (again) of whether to allow the null ciphersuite (no security) as a negotiable option. The motivating example is a printer available with and without security, and the desire to list it on only one port. The protocol is susceptable to an active downgrade attack, and if both parties support this option they could be coerced to communicate in the clear.

Rivest sparked discussion on spki on the topic of revocations, by proposing certificates carry an issue ("not before") date, a "good until" date (guarantted; no revocation before then), and an expiration date.

An S/MIME Freeware Library was announced. More information can be found at

Within 15 hours of Netscape's release of the freeware source for their browser, the Austrailian-led Mozilla Crypto Group ( had put the crypto back into the source code. The reports are unclear about just how functional the first pass of this was, but the intent of the group is clear.

An anonymous poster to cypherpunks announced "Weaken" for Netscape, inspired by the Fortify efforts that strengthen a Netscape browser's security capabilities. Their points seemed to be: it's hard to verify that Fortify works and that weakening the browser makes a great virus.

While the technical content of the latest discussion on e-carm on determining whether a public key signature is valid (not compromised) is probably familiar to many readers, I found it interesting that proponents of electronic commerce didn't bat an electronic eye when a poster stated that the issue of who is responsible for the losses incurred from a forgery would probably get resolved over time, by case law. There's been a lot of talk in the e-commerce community about making users feel comfortable (secure, if you will :-) with electronic commerce. Statements like that will keep consumers away in droves.

Seiko is going to start selling wristwatch PC's in June. They can exchange data with each other through infrared signals. The first version seems targeted at games, which seems like a good market to go after if you aren't ready to deal with the security implications. I'd love to see these start appearing as personal calendaring appliances, particularly when funders visit :-).

A rumor from the crypto import trenches in Russia: while importing crypto requires a license, there are serveral license authorities, and at least one of them gives license freely. I wonder if they make more money that way.

A European ecommerce developer stated that he had been frustrated in his efforts to deploy ecommerce for European banks because they insist on waiting for SET.

There is an interesting dicussion on e-carm about whether there is a business for CAs. Interestingly, some participants claim that having a business in the middle only weakens security. My discussions with acquaintances at businesses selling CA services indicate to me that they pay enormous attention to security, and have the ability to attrack and keep top talent in that area because of the concentration of interesting security issues. Discussion also included other issues such as investment. At about the same time, participants on digsig where discussing whether a hierarchical CA model could work (for banks) at all, with Bob Hettinga championing more geodesic structures.

A New York Times article announced a weakness in 3DES ( Schneier pointed out that the attack is only against a particular mode in the standard and requires something like 2^64 texts. It is not a practical attack.

Rivest announced a new notion in encryption, Chaffing and Winnowing (, which uses authentication only to hide information. The basic notion is that multiple reasonable versions of each packet of information are sent, but only the one that authenticates properly is the right one. Taking packets down to communicating one bit each gives excellent privacy, at the expense of a great deal of bandwidth. As Rivest and other point out, this technique has a lot in common with steganography. It's raison d'etre is to indicate the futility of restrictions on cryptography, in part because the adding of chaff (extra packets) can be done by any party between the sender and receiver. Several discussants pointed out that similar schemes had been suggested in the past.

Cypherpunks continued to consider what Network Associates (NAI) will do with PGP and TIS, two companies who security philosophy seems diametrically opposed (NAI announced its plans to buy TIS since the last issue of Cipher). Opinions range from those who believe PGP will be milked of its good name and disposed of, to those that believe TIS will be used as a firewall and sop to government customers. No one has proposed a specific innovative blending of the two companies' products. Zimmerman issued a strong yet vague statement, saying that NAI does not plan to put key escrow in PGP, that his political views on crypto and privacy have not changed, and that he did not sell his company to see it buried.

Network Associates in Europe is said to be shipping strong PGP. It claims to not have broken US laws, since its US operations did not do anything to help the european effort (which was accomplished by having Cnlab Software in Switzerland produce the code). It was unclear if Cnlab started with the book-form scannable version of PGP that was legally exported.

Sun's efforts to sell strong crypto overseas by using the code that the Russian firm Elvis developed, are officially stalled due to "ongoing scrutiny by the US Commerce Department" (Wired). I'm sure this resonates with anyone who's been involved with attempting to export crypto.