LISTWATCH (October 29, 1999)

by Mary Ellen Zurko

This issue's highlights are from cypherpunks, dcsb, crypto-gram, tbtf, and risks.

There's been a lot of discussion on cypherpunks about the file encryption in MAC OS 9 <>. It's 56 bits, though they say they're working towards having a domestic version with longer key length. It uses an Apple patented algorithm called Apple Secure Compression, aka ComCryption, which has not been made public.

Adoption of W3C's privacy work (P3P) has been stalled lately due to Intermind's claim that its patent covers P3P. The results of an analysis by W3C's patent lawyer are in <>. The analysis states that Intermind's technology requires OO communications objects as control structures, which are not required by P3P. This level of detail does not come across in the claims of Intermind's patent; it's covered in the front matter.

Source code for the encryption algorithm for DVD movies (CSS) was release through an anoymous remailer. Beyond having just a 40 bit key, there is a claim that it is vulnerable to a 2^16 attack with as little as 6 bytes of known plaintext. <>

A pretty thorough looking crypto law page is at <>.

The IETF is a topic of conversation in security circles again. This time they plan on taking up the issue of wiretap standards in their telephony over IP work, at the plenary session during their meetings the week of November 8. The key questions are:

"should the IETF develop new protocols or modify existing protocols to support mechanisms whose primary purpose is to support wiretapping or other law enforcement activities"


"what should the IETF's position be on informational documents that explain how to perform message or data-stream interception without protocol modifications".

An FBI spokesperson said it would be "wise and prudent". Representative Bob Barr (R-Georgia) says it would be "dangerous". Jeff Schiller, head of the security area, says "We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state."

October 21 was "jam Echelon" day. I doubt most people noticed (and that includes Echelon). The idea was to lard email that day with terms likely to mark them as suspect by Echelon. However, words like "kill" are found in many computer contexts and the use of "Active X" and "Bubba" left me mystified. And just what is CANSLO? This idea has been discussed several times on cypherpunks. The Emacs command "Spook" will accomplish the same thing. More sophisticated suggestions included crafting messages with the same n-gram distribution as regular English text (perhaps using a Mad Libs style template), and not juxtaposing keywords that don't fit together (like Bill Gates and bio warfare).

A5/2, the "weaker" of the GSM voice privacy ciphers, along with A5/1, is now available for download by North American citizens only at The poster (Lucky Green <>) says "Should this code, against all precautions and despite our strongest hopes, become available on a site outside North America, I would like to hear about it."

In an article about subpoenas to web sites being on the upswing <>: Web sites that have been subpoenaed for user information aren't legally able to resist. They can warn customers, however -- and some do, but many don't. Silicon Investor, a popular stock site, says it simply doesn't have the resources to notify all the users whose information they are required to provide. "It's just not practical for us," said Ethan Caldwell, general counsel for the site's parent company, Go2Net, in the WSJ article. "We would need an entire subpoena staff to handle something like that." He said the site gets about one subpoena every day, and that they are able to notify users about half the time that their information is being given out.

That does sound like a lot to me.

The FTC announced its rule (effective April 2000) for parental consent on commercial web sites aimed at children <>. They must have a privacy policy and obtain verifiable parental consent. Methods like postal mail or facsimile, use of a credit card or toll-free telephone number, digital signature, or e-mail accompanied by a PIN or password will be required only if the information is to be shared externally. For internal information, for the next two years, operators will be permitted to use e-mail with a confirmation solicited via email, regular mail, or phone.

California has authorized Verisign to issue digital signature certificates for use in communications involving state agencies <>.

The government asked the 9th Circuit en banc panel for further briefing and a delay in the oral argument date (currently set for December 16, 1999) based upon the fact that it will issue revised encryption regulations on December 15, 1999. They state that the changes may or may not effect the treatment of crypto source code <>.

The US House of Representatives is considering legislation supporting digital signatures. The White House and most Democrats support a bill that would make digital signatures legal only in those states that don't already have laws recognizing the validity of electronic contracts. Republican leaders want legislation that would cover all states and eliminate some of the paper-record keeping and notification requirements that some states impose on financial institutions and insurance companies. Discussion on cypherpunks covers the concern that this is just the first step in mandating not only a particular certificate format, but particular certificate use policies.

Jane's is sponsoring a conference called CyberTerrorism: The Risks and Realities on 16-17 November, 1999 in Washington D.C., which includes participation in a Mock CyberTerrorism attack wargame. Sounds like fun to me!

Maclen Marvit from Disappearing Ink <> spoke at a Cypherpunks meeting. It lets two or more willing, cooperative people have an email conversation with reasonable certainty that there won't be any persistent records kept for more than N days by any intervening servers, where N is set by the participants. All the other issues you can think of, it doesn't address. It sounds like you have to use a separate encryption package (like SSL or PGP) to ensure network protection.

Staples mailed a $20 coupon to some select customers, in the form of a 5 digit code that could be used to order from its web site. Someone posted it on the Internet. By the time Staples discovered the problem, some unauthorized orders had been shipped.

An e-commerce campaign group in the UK ( send an encrypted message to the home secretary which contained the confession to a crime. Then they threw away the keys, and claimed that if the current legislation under consideration were to become law, if the home secretary could not prove to the police that he did not have the keys, he could face two years in prison.

Karsten Sohr at the University of Marburg discovered another security flaw in Microsoft's Java Virtual Machine. A bug in the bytecode verifier allows illegal type casting. Dirk Balfanz and Ed Felton, at Princeton University, have constructed a demonstration applet that exploits this flaw to delete a file.

Yet another industry alliance, the Trusted Computing Platform Alliance (TCPA) <> is attempting to promote a trusted PC platform through standards. It includes Compaq, Hewlett Packard, IBM, Intel, and Microsoft.

Wondering what to put in your privacy policy? You can use the "Privacy Policy Wizard" on the TRUSTe site <>.

The G8 nations are pushing for a multi-national convention to force ISPs to "freeze and preserve" data that an investigator suspects is criminal while a court order is obtained to gain access for evaluation <>.

There was a fair amount of discussion of Stefan Brands book, "Rethinking Public Key Infrastructures and Digital Certificates - Building in Privacy" <>. His methods, like Chaum's, are patented. The book has good coverage on revocation, smart cards, and privacy.

Three articles from TBTF on US crypto export rules, cracking the ECC challenge, and the key called NSA found in CAPI:


..US cryptography export rules eased

Declare defeat, but stay in

On 16 September the administration announced changes in the US cryp- tography export regime. Like numerous other changes in the past, this one was presented as a relaxation of the rules that will bene- fit consumers. It's far from clear that this is the case.

Once the new rules go into effect in December, after a one-time re- view any retail product featuring encryption of any strength will be exportable to individuals and companies -- but not to govern- ments -- in all but 7 countries worldwide. This relaxation is tied to funding for a new FBI research lab and to disturbing loosening of the rules of evidence in court cases that involve encryption.

The Electronic Privacy Information Center links the White House an- nouncement, commentary, and analysis from this page [13]. EPIC re- mains agnostic on the proposals. General counsel David Sobel said, "It appears that the FBI and large computer companies have reached an agreement on encryption, but that is not necessarily in the in- terest of the average computer user."

The legislative vehicle for these new initiatives is the selfsame Cyberspace Electronic Security Act that, in an earlier draft, would have allowed secret police break-ins to alter computer equipment [14]. That provision is gone now; it was probably a trial balloon anyway.

A week after the latest proposals were announced. EPIC's Mark Roten- berg found himself sharing a conference panel with William Reinsch, the administration official tasked with carrying out US crypto ex- port policy. Rotenberg later described his address to the politech mailing list:

> I opened by quoting Senator Aiken's line regarding Vietnam
> that the US should "declare victory and then get out." I
> suggested that with the crypto issue, the Administration
> has decided to "declare defeat, but stay in."



..97 >> 512

International group breaks the seventh Certicom challenge

Irish mathematician Robert Harley announced [15] that his team had cracked the seventh and most difficult Certicom ECC Challenge prob- lem to date. Certicom has confirmed the correct result [16]. So far seven Certicomm exercises and challenges have been cracked since December 1997; Harley's growing team has broken each one of them.

The solution required 16,000 MIPS-years -- twice the effort of the recently broken, 512-bit RSA-155 [17]. The team struck it lucky, finding the solution in less than a third of the expected time. The distributed computation was run by 195 volunteers, on a total of 740 computers, over 40 days.

While this result strengthens the case of those who have contended, on theoretical grounds, that a crypto key based on ECDL (Elliptic Curve Discrete Logarithms) is inherently harder to break than an RSA key, it does not prove that assertion. Rather, it indicates that at the current state of the art, the best mathematical tools and algorithms known for cracking ECDL take longer to run than the best tools known for cracking RSA.

On 12 September I posted as a Tasty Bit of the Day Harley's call for more machines to throw at the problem; others, including TechDirt, publicized it as well. This graph [18], adapted from Harley's site, rather dramatically shows the effect of the call for participants.

[17] archive/1999-08-30.html#s01


..Sorting out the Microsoft _NSAkey flap

Did Microsoft build a back door into Windows for the NSA? I'm doubting it

By now you've heard all about the extra signing key found in Micro- soft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's the posting by Andrew Fernandes that started all the fuss [6]. The BBC has an annotated screen shot [7] of a debugger session showing the variable named, portentously, _NSAkey. Microsoft's official re- sponse [8] to the flap makes a whole lot more sense than assuming that the National Security Agency had somehow weakened Microsoft's crypto and tagged the fix "_NSAkey." To put a few authoritative nails in this coffin, read the thoughts of Russ Cooper [9], propri- etor of NTBugTraq, and of the noted cryptographer Bruce Schneier [10].

The investigations of Fernandes (building on work last year by Nicko van Someren and Adi Shamir) have publicized a way to disable crypto export control in Windows. Anyone outside the US can replace _NSAkey with their own key, and use that key to sign a crypto module of any strength, and then use that strong crypto under the auspices of Win- dows. But note that this impotence of Microsoft's CryptoAPI to con- trol what crypto gets run is not new news. Bruce Schneier pointed out this Windows weakness in his CRYPTO-GRAM newsletter last April [11], before anybody discovered the name of the replaceable second key.

Over the weekend Brian Gladman posted a note [12] to the UK Crypto list demonstrating that the Microsoft CryptoAPI had been a serious political issue in Bri- tain 3-1/2 years ago. He worked with British authorities to make sure that Microsoft UK was able to sign cryptographic modules sep- arately from the US authority.

The _NSAkey fiasco raises four separate issues, and little of the commentary I've read makes much effort to disentangle them. The is- sues are:

  1. Did Microsoft collude with the NSA? (Answer: who knows? Prob- ably not.)
  2. Will Microsoft's actions allow the NSA to penetrate the compu- ters of Windows users? (Answer: almost certainly not.)
  3. Did the US government, represented by the NSA, work with Mi- crosoft to assure that only weak crypto is exportable in the Windows framework? (Answer: absolutely.)
  4. Does Microsoft's CryptoAPI implementation allow anyone to cir- cumvent the restrictions imposed by US crypto export rules? (Answer: yes, demonstrably.)

What will be the fallout of this tangle? Even more people will be made aware that Microsoft security is porous. Even more people will learn of the utter inability of US controls to stop the export of technology which truly escaped a decade ago. And even fewer people will believe what Microsoft says, even though in the matter of the _NSAkey the company is probably telling the truth. A few years back Nicholas Petreley, the IDG pundit, summed up the common perception this way:

If you threw Microsoft into a room with truth, you'd risk a matter / anti-matter explosion.



Finally, the Open Group's Director of the Security program is leaving. If you're interested, contact