From prunesquallor@proproco.co.uk Mon, 1 Nov 1999 07:55:42 -0000
Date: Mon, 1 Nov 1999 07:55:42 -0000
From: John R T Brazier prunesquallor@proproco.co.uk
Subject: FIPR Consultation Library Submissions

Dear Gus,

Please find attached my submission (sorry for the delay, one damn thing after another!). It's in HTML format, but generated by MS Office so it will be horrible if you look at the code.

By the way, how are things? Saw you at SFS3.5, but I had to flee early and couldn't stay. Hope things are going well.

All the best,

John B

-----Original Message-----
From: owner-ukcrypto@maillist.ox.ac.uk [mailto:owner-ukcrypto@maillist.ox.ac.uk] On Behalf Of Gus Hosein
Sent: 09 October 1999 11:49
To: ukcrypto@maillist.ox.ac.uk
Subject: FIPR Consultation Library Submissions

Call for Submissions to the Draft Electronic Commerce Bill 1999 Library by the Foundation for Information Policy Research (http://www.fipr.org)

In line with previous consultation initiatives, the Foundation for Information Policy Research is offering its web site as a library of submissions to the UK Draft Electronic Commerce Bill 1999. Previous archiving has resulted in 11 responses to the IOCA review consultation paper (library can be reviewed at http://www.fipr.org/ioca/library.html); and 40 responses to the April "Building Confidence in Electronic Commerce" consultation report (available at http://www.fipr.org/library/library.html).

In continuing its efforts to promote openness and discourse in developing policies that may affect the landscape for electronic commerce, and technology policy in general, FIPR welcomes the opportunity to publish the contributions of individuals, organisations, and companies to the government consultation process.

If you are interested in submitting your own response, we request that the submitted document is in ascii text or html format (but we can also accept Postscript, PDF, and MS-Word), and sent to Gus Hosein, at ecomm99@fipr.org. If you would prefer us to link to a document on your own site, just send us the URL.

Relevant Links:

FIPR Draft E-Commerce Bill Call for Submissions (this message): http://www.fipr.org/ecomm99/call.html
FIPR Draft E-Commerce Bill Library: http://www.fipr.org/ecomm99/library.html
Analysis of the (draft) Electronic Communications Bill 1999 -- A summary of opinions from UKCrypto and elsewhere, by Richard Clayton: http://www.fipr.org/ecomm99/index.html

gus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~
PGP ElGamal 2048/1024-bit key ID: 0x35502083
PGP RSA 2048-bit key ID: 0x6019F689
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Gus Hosein
Tutorial Fellow
Department of Information Systems
The London School of Economics and Political Science
Houghton Street, London WC2A 2AE
~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Attachment: "Electronic Communications Bill.htm" (text/html), reproduced as text below]

RESPONSE TO THE DRAFT LEGISLATION

‘ELECTRONIC COMMUNICATIONS BILL’

Date:     7 October 1999

Version:  1.0

John R T Brazier

Professional Projects Co Ltd

19 Barttelot Rd

Horsham

West Sussex

RH12 1DQ

 

Table of Contents

Summary
Introduction
Acknowledgements
1. Process Overview
2. The Registration of Approved Suppliers and Their Regulation
   a) There is not a need for this legislation (at present)
   b) The voluntary scheme will not be used
   c) The powers taken are too extensive and ill-defined
   d) Recommendations
3. Facilitation of Electronic Commerce
   a) Electronic signatures should be identical to normal written signatures in law
   b) The facilitation of electronic documents should be more radical
   c) Recommendations
4. The Investigation of Protected Electronic Data
   a) Part III is inappropriate for the Bill
   b) There is an attack on civil liberties within the Bill
   c) Recommendations
5. The Miscellaneous and Supplemental Provisions
6. The Effects of Technology
   a) The development of concealment
   b) The enhancement of key management
   c) Perfect systems
   d) Conclusions
7. Other Ideas
   a) Tax reduction incentives
   b) Government use of electronic commerce
   c) Review
   d) Recommendations
8. Conclusions

 


Summary

This document is a response to a request for comments on the Electronic Communications Bill, a piece of draft legislation that is expected to appear before Parliament in the near future. This is the latest in a series of responses that aim to support the DTI and the Government in meeting their target to make the UK the best place for electronic commerce in the world while meeting the needs of law enforcement.

The document proposes the following:

· That Part I of the Bill should be dropped as the Government has no current intention of using it. Its powers are also currently too wide.

· Part II should be simplified and strengthened, making electronic signatures and documents identical in law as rapidly as possible.

· Part III should also be removed, as it does not belong in the Bill. After a number of issues have been dealt with the redraft should be placed within the appropriate parts of the Police and Criminal Evidence Act (PACE) and the Interception of Communications Act (IOCA).

· It is believed that developments in technology will undermine the aims of Part III in the Bill, so reinforcing the suggestion that it should be removed.

· It is suggested that Part IV may belong within the Telecommunications Act, rather than this Bill.

· It is proposed that electronic commerce could be further facilitated by adjustment in the taxation regime, by leadership of the Government in its own use of electronic commerce, and by a review in three years of the Bill’s function.

We would like to thank the DTI for the opportunity of responding to the Bill.

Introduction

This document is a response to the Electronic Communications Bill. It aims to assist the Government in its aims of making the UK the world's best place to trade electronically.

Acknowledgements

This document would not have been possible without the help from a large number of people, especially at FIPR and on the UKCRYPTO mail list, and we would like to take the opportunity of thanking them.

1. Process Overview

Before going into the detailed responses to the Bill, of which there are a number, we would like to make the comment that the process of development of the Bill has been a model of open democracy. This will now be the third set of comments from this party going into the Bill’s formulation, and it is clear that the combined comments from all parties have had a significant effect on the contents of the Bill. Thus a true conversation has been held with all interested groups, and such openness can only speak well of our democratic systems. We earnestly hope that such openness will continue.

 

2. The Registration of Approved Suppliers and Their Regulation

These comments refer to Part I of the Bill, Clauses 1 to 5.

a) There is not a need for this legislation (at present)

The Government itself has stated that it is looking to industry to provide self-regulation; thus powers are being taken which are not intended to be used. It would seem better to leave such powers out of the Bill, and legislate for them if and when they are needed – when it will also be clearer what sort of powers will be required.

b) The voluntary scheme will not be used

The scheme will be voluntary. We believe that it is unlikely that most service providers will register, because (i) they do not need it, (ii) it will cost money for registration and (iii) many service providers may feel that such a license will carry a stigma, and deter customers. This is because of the history of this Bill; some customers may believe that Government accreditation will in practical terms be a license to leak customer data to assorted Governmental agencies (no doubt a misapprehension, but this view may well exist).

These reasons will reduce the likelihood of uptake of a voluntary licensing scheme. However, this is not a call for a mandatory scheme: the Government should support all the steps taken to allow industry self-regulation.

c) The powers taken are too extensive and ill-defined

Because Part I is trying to cover all possible future eventualities, the powers it takes are far too wide. Thus Clause 5 generally seems to give the Secretary of State powers to do almost anything under this Bill for licensing purposes. (It should also be noted that Clauses 8, 9.5 and 9.6 also seem to give Ministers generally considerable freedom of scope under this Bill, extending the powers further.) For example, it would appear that the Secretary of State could impose mandatory key escrow at any time under this Bill – something that has been shown to be not workable by many past submissions from many groups.

This also has an effect of reducing the likelihood of the voluntary scheme being used: how can anybody, as a service provider seeking licensing, sign up to Clauses 2.3.b and 2.3.c, which require him or her to meet any and all possible requirements that may come into existence in the future?

d) Recommendations

It is recommended that Part I be removed from the Bill, and appropriate powers taken if they are shown to be needed at some point in the future.

 

3. Facilitation of Electronic Commerce

These comments refer to Part II of the Bill, Clauses 7 to 9. This Part is – or should be – the core of the Bill, in that it intends to facilitate Electronic Commerce.

a) Electronic signatures should be identical to normal written signatures in law

Clause 7 discusses electronic signatures in terms of their use for ‘authentication’ and confirmation of ‘integrity’. Whilst electronic signatures do have such uses (which are extremely valuable), there is no mention of their use as ‘signatures’.

In general, a signature is used for many things, such as giving approval, agreement or permission by the act of signing, or indicating the truth of some statement, such as in the signing of a witness declaration. Clause 7 does not actually ascribe any of these uses to electronic signatures.

In this case, it would appear that the simplest way to deal with the issue is to redraft Clause 7 to state that anything that purports to be an electronic signature is, at least, identical in law to anything that purports to be a written signature. An electronic signature may then have extra capabilities in terms of authentication and integrity, and these could be covered by a slight modification of Clause 7.1, to indicate that these are an extra property of electronic signatures.

This would clarify the definition and usage of electronic signatures in law, although we believe that the Courts already have a very good practical idea of what an electronic signature is, and how it should function.

b) The facilitation of electronic documents should be more radical

Clauses 8 and 9 seem to be a method by which Ministers will be allowed to move to electronic rather than paper documents by statutory instrument, where those documents currently must exist and be dealt with in paper form. The comment here is that whilst it does not have a time-table (which although beneficial, might not have a place in legislation), there does not seem to be any indication as to when the move will take place, if ever.

Perhaps the Bill would have a more far-reaching effect if it were to announce that all electronic documents were the same as paper ones in law. It might say that the Ministers must define a format for an electronic document where a format for a paper one exists, and might have to provide rules for handling and recording of electronic documents where they exist for paper ones. However, the date of enactment of this provision could be fixed in the Bill (giving perhaps 12 months’ grace). The onus would then be on the Ministries to drive through the required instruments as rapidly as possible.

c) Recommendations

It is recommended that Clause 7 be clarified to make electronic signatures identical to written ones, and the rest of this part simplified to state that all electronic documents will be regarded in law as equivalent to written ones within a twelve month period. The onus must be placed on Ministries to bring in any required provisions for formatting and handling in that time.

 

4. The Investigation of Protected Electronic Data

These comments cover Part III of the Bill, Clauses 10 to 19. There are a large number of concerns about this section.

a) Part III is inappropriate for the Bill

This Part is dealing with matters that are not appropriate for a Bill that is meant to be about the enhancement of electronic commerce. In fact, given some of the somewhat Draconian provisions outlined below, it is likely to hinder the development of such commerce.

This Part should be redrafted and placed into PACE and IOCA (which is currently under review). This is because it deals with how evidence is obtained (either by interception or entry – Clause 10.1), what evidence may be obtained (Clauses 10 and 11), what offences exist in relation to such evidence-gathering (Clauses 12 to 14) and what safeguards there are (Clauses 15 to 18, with Clause 19 being definitions).

These points would seem better dealt with in PACE and IOCA, both from general principles and because they can be better integrated into the legislation that way.

b) There is an attack on civil liberties within the Bill

We believe that the Bill does form an attack on civil liberties, in that it contravenes the European Convention on Human Rights. Thus arrests and prosecutions carried out under Part III will lead to cases coming before the European court: not something that is likely to enhance the use of electronic commerce within the UK. The following are a number of concerns (some of which are more clearly against the ECHR than others):

· Clauses 10 and 12 may well be self-incriminatory. Under Clauses 10.1.c and 10.1.d, encrypted material may well come into police possession. Divulgence of the key by operation of a Clause 10 notice may lead to material being decrypted that is the sole basis of a case against the person who owned the key; this may have nothing to do with the reason the police came into possession of the encrypted material. The operation of Clause 12 removes the protection against self-incrimination. There is no such provision as in the case of fraud investigations, where a person may be compelled to give evidence but gains immunity from the use of that evidence against him or her in court.

· Clauses 10 and 12 have the effect of reversing the onus of proof, and so are against the presumption of innocence of the accused. Under Clause 10.2 an appropriate person only needs a belief that one has a key to serve a notice on that person. Under Clause 12 the person must prove they do not have a key - a logical impossibility. All the prosecution has to show in court is that a Clause 10 notice has been served, which is a mere matter of form. Under Clause 12, the simple serving of the notice criminalizes someone who does not have a key. It would appear that Clause 13.8 is similar: a third party needs to prove they do not know something; again impossible, and reverses the burden of proof.

· Clause 13 would appear to provide scope for a large number of future problems. The ‘tipping off’ offence as defined has no latitude in it at all. We can easily envisage the following four problems (representative of many possible cases), all of which will generate long drawn-out appeals that will not promote the cause of electronic commerce:

  - As written, it would appear that the Clause could force a person to commit perjury in court if evidence about information leakage (as in the divulgence of a key) was pertinent to another case.

  - The Clause does not even allow a person to query or challenge a Clause 10 notice, as the challenge would have to go to a third party (and involve ‘tipping off’). This is likely to have unforeseen consequences, especially where a Clause 10 notice was, in fact, either fraudulent or served wrongfully.

  - When allied with Clauses 10 and 12, Clause 13 could force Companies to dishonour commercial contracts involving confidentiality, without even being able to warn their contractual partners about information breaches.

  - The three Clauses could even directly contradict other Government legislation: it is easy to envisage a situation where a Civil Servant who had signed the Official Secrets Act was required to give up a key under Clause 10 (and thus would breach one of the two laws). Under Clause 13, this Civil Servant could not even go to his or her manager – or even Minister – for help and advice.

  Clause 13 needs to be rewritten, and properly formed in relation to Clauses 10 and 12.

· The safeguards are too weak. In fact, if the Clause 10 notice has not been signed by the Secretary of State (Clause 18.1.a) then there would appear to be no safeguards at all. The tribunal provisions do not seem to be in force for Clause 10 notices served under 10.1.c and 10.1.d, and it is unclear how a complaint could be made against a notice signed by a judge (given the provisions in Clause 13). In addition, Clause 16 appears to remove many of the safeguards, in that the Secretary of State may do anything he or she wishes with the code of practice, and Clause 16.10 seems to undermine any redress even against a flagrant contravention of any such code of practice.

· Clause 11 should have much higher prominence. It states that decrypted text may be provided instead of a key, where a Clause 10 notice provides for this. In the real world, we believe that Clause 10 notices will never provide for this, and will always insist on the key. This will mean that innocent parties (see below) are likely to be placed in a position of considerable expense, once the notice has expired, in replacing all their compromised keys. Section 11 should always allow for the provision of text rather than the key.

· It seems to have been missed that most of the Clause 10 notices will be served on the innocent (especially if the operation of public key cryptography is considered). Yet the whole thrust of Part III is to deal with all recipients of Clause 10 notices effectively as criminals. This does not seem a way to enhance the use of electronic commerce within the UK.

c) Recommendations

It is recommended that this entire part be dropped from the Bill. After a considerable piece of redrafting, it should be used to make any required modifications to PACE and IOCA.

 

5. The Miscellaneous and Supplemental Provisions

We are not telecommunications providers, so have little to say on this section except to observe that (1) the powers given to the Director General seem to be quite extensive, and (2) perhaps this Part would be more suitable as a modification to the Telecommunications Act.

One minor point is that the Bill may be helped by having one location for definitions (i.e. there is no need for Clauses 19 and 23 to be separate). Of course, this is subject to the considerable modifications proposed to the Bill elsewhere in this document.

 

6. The Effects of Technology

An extra comment should be made on the effects of technology. A number of the provisions in the Bill (especially Part III) are liable to fail because of the considerable and continuing technological developments. The provisions are likely to foment this rapid technological development to ensure that users of electronic commerce will not be open to the severe provisions of Clause 14.

a) The development of concealment

Part III of the Bill will give considerable impetus to concealment technologies such as steganography (for both storage and transmission). This technology effectively hides the encrypted information so that it is not obvious; in fact, with the correct technologies it can be hidden to be effectively undetectable. One cannot serve a Clause 10 notice if one cannot detect the protected information.

b) The enhancement of key management

Improved key management technologies are likely to be incorporated into software and hardware products:

  - All systems will move to the use of session keys, which are immediately destroyed on message reception. This means that the session key will not be recoverable.

  - In public-key infrastructures, systems will appear that immediately and automatically make public alerts on the compromise of the person’s private key (as envisaged in Clause 13.3.a).

  - In real-time systems, the use of key negotiation (as in Diffie-Hellman) of the temporary key will come into greater use. Again, this will mean that no key is ever recoverable.

  - Important keys will be part of threshold schemes (where perhaps three out of five people must come together for the key to be divulged). This will undermine the point of the Clause 13 notice, as people will be ‘tipped off’ to get the key. It should also be noted that a person might cheat under such a scheme (deliver the wrong information so the key is not, in fact, recovered), yet it would be impossible to show who cheated or be able to prove conspiracy.

c) Perfect systems

Lastly, the use of one time pads may well become more common, as they have two strengths: (1) they are theoretically unbreakable, and (2) any text may be demonstrated as being produced by the ciphertext (unless one can prove what was the original one time pad). In a legal sense, they allow doubt to be thrown on any given decryption of any piece of ‘protected information’. Whilst their use will always be limited (even with the development of technologies like quantum cryptography, which allows for one time pad generation without the parties meeting), they are the ultimate defence against recovery and decryption.

d) Conclusions

All these technologies will have the effect of reducing the value of the Part III provisions, and underline the fact that this Part needs to be reconsidered (as a part of other Acts). In addition, it shows that the law enforcement agencies need to rethink their strategies and accept that the ‘magic bullet’ of covert interception may not be as readily available any more, whatever legislation is passed. They need to tackle the problem of sophisticated criminals in depth, using multiple techniques and new ways of approach.

 

7. Other Ideas

The purpose of this Bill is to enhance electronic commerce, as stated by the Government. Aside from the suggestions already made, there are offered here a couple of suggestions that we believe would help to develop such commerce:

a) Tax reduction incentives

If the Government were to allow, for a start-up period of perhaps five years, complete tax relief on the profits from all new electronic transactions, there would be an extraordinarily large uptake in electronic commerce usage. The deflationary effect of such a policy would also be beneficial to the economy as a whole.

This would be a distortion on the economy, but all tax regimes distort their economies to a greater or lesser extent. Tax adjustment is perhaps the most effective way Governments can provide incentives to corporations; such a liberal policy would bring electronic commerce-based businesses to the UK in droves, and would probably pay for itself in the expansion of the economy and the derived increase in other taxes.

b) Government use of electronic commerce

The Government has now an ‘E-Minister’ and there is also an ‘E-Envoy’ becoming active next year (although the delay in the appointment and uptake of this post is disappointing). However, the Government should be much more proactive in this area, and actually take leadership in everything it can do itself.

It should be seen to be exploiting electronic commerce. Government departments should preferentially use electronic commerce in purchasing. All government business should be moved to electronic systems within a period of twelve months. In 1998 the Government had a gross disposable income of almost exactly £146 billion (www.statistics.gov/stats/ukinfigs/natac.htm): how it uses this income can have huge effects on the uptake of electronic commerce in the UK.

c) Review

If this Bill were to be pruned of the inappropriate sections (and perhaps effectively become just Part II, in an improved form), then it would be worthwhile for a provision to be added to the Bill for a review after three years. This would see if further incentives could be provided for the development of electronic commerce in the UK and would also allow Parliament to gauge what the effects of the Bill had been.

d) Recommendations

The recommendations may be stated that the Government should allow tax incentives for all electronic commerce transactions, use electronic commerce to the maximum effect itself and allow for a review of the Bill in Parliament.

8. Conclusions

A number of recommendations have been made with regard to the Bill. In essence, they attempt to remove inappropriate sections, and clarify and strengthen those provisions that will support electronic commerce. Some other ideas have also been presented on how to support electronic commerce, and we look forward to the development of the legislation with interest.

 

 

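Editor's added example, not part of Mr Brazier's submission: the "three out of five" threshold scheme described in section 6(b), implemented as Shamir secret sharing over a prime field in Python. It also works through the cheating problem the submission raises: with exactly k shares and nothing else, one wrong share yields a wrong key and the arithmetic alone cannot say which holder lied. The commit_share and find_bad_shares functions are a hypothetical, dealer-published hash-commitment mitigation that is not in the Bill or the text. The field prime, the sample key and the seed are this example's own choices.

```python
"""Shamir (k, n) threshold secret sharing over a prime field, with the
3-of-5 case from the submission, a cheating share, and hash commitments
that let the reconstructor identify the bad share (editor's added example)."""
import hashlib
import random
import secrets
from typing import List, Optional, Tuple

# Field modulus (Mersenne prime, an example choice): the secret must be < PRIME.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x)) with x = 1..n


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate f(x) = c0 + c1*x + c2*x^2 + ... (mod PRIME) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int, seed: Optional[int] = None) -> List[Share]:
    """Deal n shares of `secret`; any k recover it, any k-1 reveal nothing.
    `seed` gives a reproducible (insecure) demo; by default the CSPRNG is used."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    rand = random.Random(seed).randrange if seed is not None else secrets.randbelow
    coeffs = [secret] + [rand(PRIME) for _ in range(k - 1)]  # c0 is the secret
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from at least k shares.
    Nothing here can check a share: any k points define some polynomial of
    degree k-1, so one wrong share gives a wrong, random-looking value and the
    reconstructor cannot tell which holder lied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def commit_share(share: Share) -> str:
    """Dealer-published H(x || y) for one share (hypothetical mitigation: a
    hash commitment per share, published when the shares are dealt)."""
    x, y = share
    return hashlib.sha256(x.to_bytes(16, "big") + y.to_bytes(16, "big")).hexdigest()


def find_bad_shares(shares: List[Share], commitments: List[str]) -> List[int]:
    """Indices x of presented shares that do not match the dealer's commitment."""
    return [x for x, y in shares if commit_share((x, y)) != commitments[x - 1]]


def demo(seed: int = 7) -> dict:
    """3-of-5 sharing of a key; the holder of share 3 hands over a wrong value."""
    key = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample key (< PRIME)
    shares = split_secret(key, 3, 5, seed=seed)
    commitments = [commit_share(s) for s in shares]
    honest = [shares[0], shares[2], shares[4]]
    x3, y3 = shares[2]
    tampered = [shares[0], (x3, (y3 + 1) % PRIME), shares[4]]  # share 3 cheats
    return {
        "recovered_ok": recover_secret(honest) == key,
        "recovered_with_cheat": recover_secret(tampered) == key,
        "cheater_found_with_commitments": find_bad_shares(tampered, commitments),
    }
```

Plain Shamir sharing gives exactly the situation the submission describes: the three holders who turn up cannot prove which of them supplied a bad share. Publishing a commitment per share at dealing time changes that, at the cost of letting anyone with the commitment list confirm whether a given share is genuine, which is why a real deployment would use a keyed or salted commitment rather than a bare hash.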
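Editor's added example, not part of the submission: the one-time-pad property section 6(c) relies on, in Python. forge_pad shows that, given only a ciphertext, anyone can produce a pad under which it decrypts to any chosen text of the same length, which is the legal point the submission makes; two_time_pad_leak shows the failure mode if a pad is ever reused. All messages are constructed for this example.

```python
"""One-time pad: deniability (any plaintext can be 'proved' from a ciphertext
by exhibiting a suitable pad) and the pad-reuse failure mode (editor's added
example)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; a pad must be exactly as long as what it covers."""
    if len(a) != len(b):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def new_pad(length: int) -> bytes:
    """Fresh, uniformly random pad from the OS CSPRNG; must never be reused."""
    return secrets.token_bytes(length)


def forge_pad(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The deniability step: a pad under which `ciphertext` decrypts to
    `claimed_plaintext`. Needs no knowledge of the real pad or real message,
    so a ciphertext on its own cannot establish what was sent."""
    return xor_bytes(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad covers two messages, c1 XOR c2 = p1 XOR p2: the pad cancels
    and the attacker is left with a direct relation between the plaintexts."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    # Constructed sample message and an innocuous cover text of equal length.
    real = b"meet at the usual place, 9pm"
    cover = b"happy birthday to you, Alice"
    pad = new_pad(len(real))
    ct = otp_encrypt(real, pad)
    forged = forge_pad(ct, cover)
    return {
        "real_recovers": otp_decrypt(ct, pad) == real,
        "forged_pad_recovers_cover": otp_decrypt(ct, forged) == cover,
        "forged_pad_differs": forged != pad,
    }
```

The forged pad is indistinguishable from a genuine one because every pad of the right length is equally likely under the scheme; the only thing that breaks the argument is independent evidence of which pad was actually used, which is exactly the caveat in the submission's point (2).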
From Q.G.Campbell@newcastle.ac.uk Mon, 1 Nov 1999 08:00:08 +0000 (GMT)
Date: Mon, 1 Nov 1999 08:00:08 +0000 (GMT)
From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk
Subject: The Evils of MLS (Was: Another online service misleads)

On Sat, 30 Oct 1999, David Hansen wrote:

[snip]

> If someone involved in say social security was to ask for details of
> security systems protecting a relatively minor military figure then
> they may well have an appropriate security clearance to obtain the
> information, but they would not do so without providing a very
> convincing explanation.

The problem is that this does not operate with the same rigour in both directions. A "minor military figure" in MI5 can obtain information from Social Security but not vice-versa.

This situation is even more serious if the access is illegal and in breach of normal security practices.

Quentin
--
PHONE: +44 191 222 8209  Computing Service, University of Newcastle
FAX:   +44 191 222 8765  Newcastle upon Tyne, United Kingdom, NE1 7RU.
-------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."

From Postmaster@scientia.com Mon, 01 Nov 1999 11:37:42 +0000
Date: Mon, 01 Nov 1999 11:37:42 +0000
From: System Administrator Postmaster@scientia.com
Subject: The Evils of MLS (Was: Another online service misleads)

At 15:26 30/10/99 +0100, David Hansen wrote:
> On 30 Oct 99, at 10:05, Ross Anderson wrote:
>
> > Classifying information the way the civil service does - top secret,
> > secret, confidential and so on - is usually a grievous error.
>
> It is if it is implemented in a rigid way. If common sense is used in
> the implementation then it works reasonably well.

The problem is that if it is an automatic retrieval system then implementing "common sense" in software is way beyond current AI technology. Security in an automated system is more or less by definition "rigid".
Ian

From roger.hird@argonet.co.uk Mon, 01 Nov 1999 10:30:52 +0000 (GMT)
Date: Mon, 01 Nov 1999 10:30:52 +0000 (GMT)
From: Roger Hird roger.hird@argonet.co.uk
Subject: The Evils of MLS (Was: Another online service misleads)

On 01 Nov, Quentin Campbell wrote:

> The problem is that this does not operate with the same rigour in both
> directions. A "minor military figure" in MI5 can obtain information from
> Social Security but not vice-versa.

Oh dear - do they really think, up there at Newcastle University, that MI5 is a military organisation ?

RogerH
--
Roger Hird roger.hird@argonet.co.uk
Running Voyager 2.01 and RISCOS 3.70 on an Acorn StrongARM RiscPC

From Q.G.Campbell@newcastle.ac.uk Mon, 1 Nov 1999 17:41:33 +0000 (GMT)
Date: Mon, 1 Nov 1999 17:41:33 +0000 (GMT)
From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk
Subject: The Evils of MLS (Was: Another online service misleads)

On Mon, 1 Nov 1999, Roger Hird wrote:

> On 01 Nov, Quentin Campbell wrote:
>
> > The problem is that this does not operate with the same rigour in both
> > directions. A "minor military figure" in MI5 can obtain information from
> > Social Security but not vice-versa.
>
> Oh dear - do they really think, up there at Newcastle University, that MI5
> is a military organisation ?
>
> RogerH
>
> --
> Roger Hird

Roger

I am sorry that you do not understand irony and figures of speech. Read the original message and you will see where the quoted text came from and why it was used.

Cheers
Quentin
--
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
-------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."
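A worked illustration of the two points made in this thread (access that works in one direction only, and enforcement that is "rigid" because the software cannot weigh an explanation), added here and not written by any list member: a Bell-LaPadula style dominance check over the civil-service levels Ross named, with departmental compartments. The compartment names, clearances and files are constructed for the example.

```python
"""Bell-LaPadula style 'read down, write up' check with compartments.

Added illustration, not code from any ukcrypto contributor. The levels are
the civil-service ones named in the thread; the compartments, subjects and
files below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Linear ordering of the levels discussed in the thread.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one level plus a set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what your clearance dominates."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate you (no write-down)."""
    return obj.dominates(subject)


# Audit trail: the justification a human would offer is recorded for
# after-the-fact review, but it plays no part in the decision itself.
AUDIT: List[Tuple[str, str, str, bool]] = []


def decide(who: str, subject: Label, what: str, obj: Label, justification: str) -> bool:
    """Enforce the read rule and log the request; 'common sense' lives only in the log."""
    allowed = may_read(subject, obj)
    AUDIT.append((who, what, justification, allowed))
    return allowed


# Constructed scenario modelled on the thread: an intelligence officer cleared
# into both departments' compartments, and a benefits clerk cleared only into
# social-security material.
OFFICER = Label("secret", frozenset({"SECURITY", "SOCIAL_SECURITY"}))
CLERK = Label("confidential", frozenset({"SOCIAL_SECURITY"}))
CLAIMS_FILE = Label("confidential", frozenset({"SOCIAL_SECURITY"}))
PROTECTION_FILE = Label("secret", frozenset({"SECURITY"}))


def scenario() -> dict:
    """Run both directions of the cross-department request and return the outcomes."""
    return {
        # Read down succeeds: the officer's label dominates the claims file.
        "officer_reads_claims": decide("officer", OFFICER, "claims", CLAIMS_FILE,
                                       "checking a protectee's benefit history"),
        # Read up is refused whatever the stated reason: no level or compartment check passes.
        "clerk_reads_protection": decide("clerk", CLERK, "protection", PROTECTION_FILE,
                                         "very convincing explanation"),
        # The officer may read the claims file but may not write findings into it:
        # that would carry SECURITY-compartment material downwards.
        "officer_writes_claims": may_write(OFFICER, CLAIMS_FILE),
        # The clerk cannot write into the protection file either: it lacks the
        # SOCIAL_SECURITY compartment, so it does not dominate the clerk's label.
        "clerk_writes_protection": may_write(CLERK, PROTECTION_FILE),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```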
From cb@fipr.org Mon, 1 Nov 1999 19:43:31 -0000
Date: Mon, 1 Nov 1999 19:43:31 -0000
From: Caspar Bowden cb@fipr.org
Subject: FT 27/10/99: "Government U-turn on e-commerce bill"

Financial Times, 27-Oct-1999

NATIONAL NEWS: Government U-turn on e-commerce bill

The government is set to strip from the electronic communications bill controversial clauses giving the police powers to unscramble encoded e-mail. Instead, the measures are expected to be tagged on to a Home Office bill updating existing law regulating phone tapping by the police and security services.

Stephen Byers, the trade and industry secretary, is concerned that the contentious measures would overshadow the more positive elements of the bill designed to promote the development of e-commerce. Industry and the Conservatives have lobbied strongly for the latest move.

Leading human rights lawyers this week argued that the powers given to law enforcement agencies could breach the European Convention on Human Rights.

Alan Duncan, the Conservatives' e-commerce spokesman, said the proposed powers of intrusion were "obscene" and should not be in the electronic communications bill. "I have been demanding that this sort of provision should be totally excised from the bill and stuck into a new Interception of Communications Act if that is what they really want to do."

The government has already been forced to water down the bill after lobbying from business. It dropped a proposal requiring users of encryption technology to lodge decryption keys with third parties after the industry demonstrated it was unworkable.

The government had been proposing a licensing scheme for companies providing encryption services. Instead, it agreed to support an industry accreditation scheme, but reserved the right to introduce a statutory regime if this proved inadequate. The changes mean the bill is limited largely to measures giving legal status to electronic signatures.
The government's e-commerce strategy also came under attack in a critical report by the Commons trade and industry select committee in August. In its response to the committee yesterday, the government agreed UK internet charges, including telephone call rates, had to fall further if e-commerce was to take off.

Editorial Comment, Page 22

Procurement on web 'must rise'

UK companies are lagging behind their overseas rivals in exploiting an expected Dollars 360bn (216.8bn) global boom in internet procurement, according to a survey by A T Kearney, the management consultancy, writes Carlos Grande. The report estimates that by 2001, 20 per cent of all external business supplies worldwide - some Dollars 400bn in orders - will be bought via the internet, compared with less than 2 per cent now. But it warns that over the next two years the top 100 UK businesses are planning to increase internet procurement by only 400 per cent - well below its estimated global average rise of 1,100 per cent

From cb@fipr.org Mon, 1 Nov 1999 19:44:20 -0000
Date: Mon, 1 Nov 1999 19:44:20 -0000
From: Caspar Bowden cb@fipr.org
Subject: FT 27/10/99: "LEADER: Cybercops"

LEADER: Cybercops

Financial Times, 27-Oct-1999

Big Brother is watching your e-mails. At least, he wants to be able to read them if he suspects you are up to no good. The obvious defence against intrusion is to encrypt internet transactions. The authorities want to make complete privacy impossible.

It is true that the US and other western governments have abandoned proposals to restrict the sale of encryption software and to require keys to the code to be lodged in an official escrow file. Quite apart from the libertarian objections, new technologies could quickly outflank such measures. Serious criminals would refuse to co-operate or avoid the internet. But governments are still looking for ways to give the police the right to access encrypted material where crimes are suspected. Such powers must be strictly controlled.
Under the UK's draft electronic communications bill, it would be an offence to refuse a police demand for an encryption key. Anyone who resisted in order to protect material that was confidential for personal, political or commercial reasons could become a criminal even if they were otherwise innocent. If the police were all-wise and incorruptible, the danger might not be great. But in an imperfect world, citizens need to be armed against the intrusions of the state.

That is why the objections of human rights lawyers must be taken seriously. They believe the UK draft bill may conflict with the European Declaration of Human Rights. The government must ensure that there is no question of such a conflict. And the police powers must be more narrowly defined. The proposed restrictions on decoding follow broadly those on phone tapping and searching properties. In addition, the police must be required to get court authority for decryption of material obtained by other means, such as internet searches.

Excessive police snooping could undermine legitimate use of the internet. But it will catch few crooks: they will sell their modems and buy more runners.

From cb@fipr.org Mon, 1 Nov 1999 19:47:22 -0000
Date: Mon, 1 Nov 1999 19:47:22 -0000
From: Caspar Bowden cb@fipr.org
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

Financial Times 30-Oct-1999

NATIONAL NEWS: Internet minister sets example: E-COMMERCE GOVERNMENT COLLEAGUES URGED TO USE NEW ONLINE CHAT ROOM: Patricia Hewitt talks to Rosemary Bennett and David Wighton on her first 'year' in office

"Patricia Hewitt, promoted to minister for e-commerce in July, has just finished her first "internet year" in the job.

.... (snip)

Regarding the electronic communications bill, Ms Hewitt confirmed she was in discussions about removing controversial clauses giving the police powers to unscramble encoded e-mail.
These measures would be tagged on to a Home Office bill updating existing law regulating phone tapping."

From roger.hird@argonet.co.uk Mon, 01 Nov 1999 20:05:37 +0000 (GMT)
Date: Mon, 01 Nov 1999 20:05:37 +0000 (GMT)
From: Roger Hird roger.hird@argonet.co.uk
Subject: The Evils of MLS (Was: Another online service misleads)

On 01 Nov, Quentin Campbell wrote:

> I am sorry that you do not understand irony and figures of speech.

I think I did.

> Read the original message and you will see where the quoted text came
> from and why it was used.

I had - but I guess I must just be quite incredibly thick and stupid and quite incapable of using the English language. Sigh. Perhaps I should have gone to newcastle.ac.

--
Roger Hird roger.hird@argonet.co.uk
Running Voyager 2.01 and RISCOS 3.70 on an Acorn StrongARM RiscPC

From Ross.Anderson@cl.cam.ac.uk Mon, 01 Nov 1999 20:46:23 +0000
Date: Mon, 01 Nov 1999 20:46:23 +0000
From: Ross Anderson Ross.Anderson@cl.cam.ac.uk
Subject: Serpent

John Young asks:

> Bruce Schneier says in a SlashDot interview yesterday:
>
> http://slashdot.org/interviews/99/10/29/0832246.shtml
>
> I like designs that have long and detailed documents
> that discuss how the designers have attacked their
> own design. You can see this in the submissions for
> Twofish, and for Mars, RC6, and E2. I worry about a
> cipher like Serpent that does not come with any
> analysis. Either the designers didn't do any, which is
> bad -- or they did it and are hiding it, which is worse.
>
> If the Serpent designers have answered this we'd appreciate
> a pointer. Any comment here on Bruce's tough talk?

Serpent was the first of the AES candidates to be published, at FSE 98; our paper there has a bit over four pages of cryptanalysis (proceedings pp 227-231; online version pp 7-11). This set the standard of cryptanalysis expected of the other candidates. The full specification which we submitted to NIST has got over five pages of cryptanalysis (pp 7-12).
List members may check for themselves via the Serpent home page: http://www.cl.cam.ac.uk/~rja14/serpent.html

One reason why our paper is not as long as some other submissions is that our design is simpler and more transparent, which makes analysis easier. Once we have shown that none of the currently known attacks work against Serpent, there is nothing more to add.

In fact, after Eli and I came up with the first version of Serpent in September 1997, we asked Lars to join us specifically so that we would have a fresh mind to do nothing but attack it. I don't think any of the other teams did this. Lars's contributions have been significant - the most obvious being the improved S-boxes. He also did a lot of work on tying down the differential and linear bounds.

So the comment attributed to Bruce is weird. But I have been misquoted so often myself by journalists that I'm not going to assume that he actually said it.

Ross

From gladman@seven77.demon.co.uk Mon, 1 Nov 1999 22:32:04 -0000
Date: Mon, 1 Nov 1999 22:32:04 -0000
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: Serpent

From: Ross Anderson
To:
Cc: John Young
Sent: Monday, November 01, 1999 8:46 PM
Subject: Serpent

> John Young asks:
>
[snip]
> > Twofish, and for Mars, RC6, and E2. I worry about a
> > cipher like Serpent that does not come with any
> > analysis. Either the designers didn't do any, which is
> > bad -- or they did it and are hiding it, which is worse.
> >
> > If the Serpent designers have answered this we'd appreciate
> > a pointer. Any comment here on Bruce's tough talk?

It would be truly amazing if Bruce had said this since the Serpent AES paper itself contains several pages of analysis. If Bruce had said 'insufficient analysis' instead of 'any analysis' he might have had a point (although Ross's post answers this) but if he really did say the words as given above then I fear that he has let his bias show through in a major way.
If these really are Bruce's words they can only mean that he has either not bothered to read the Serpent AES paper or, alternatively, that he is trying to cast Serpent in a bad light in public. Sadly, the latter seems more likely since it is very hard to believe that he is unaware of the content of the paper. But I share Ross's hope that this report will prove to be inaccurate.

Brian

From jya@pipeline.com Mon, 01 Nov 1999 20:03:31 -0500
Date: Mon, 01 Nov 1999 20:03:31 -0500
From: John Young jya@pipeline.com
Subject: Serpent

Bruce's remarks on Serpent are still at the slashdot URL provided:

http://slashdot.org/interviews/99/10/29/0832246.shtml

We've excerpted the particular Q&A in which Serpent is mentioned:

http://cryptome.org/bruce-bite.htm

And, yes, it's possible Bruce did not write what he there appears to have written: it was an online interview, with him answering e-mail questions by e-mail, I believe, along with other ruminations on the state of cryptography. It's quite possible he was speaking and someone was transcribing his comments for forwarding to slashdot.

It was a combative statement, got my attention. And made me wonder why. Bruce is usually a level-headed gent toward his peers. As, to be sure, is Ross. Ross's response only mesmers the gentlemen's enigma.

We've forwarded Ross's counterhex to Bruce. And dread getting savagely voodooed by both.

From donald@ramsbottom.co.uk Tue, 02 Nov 1999 06:44:57 +0000
Date: Tue, 02 Nov 1999 06:44:57 +0000
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Snippets

From, "Bytes n Briefs", for those that do not know the Bernstein case is to be re heard, in view of the "New regulations" ( to be published circa 15th Dec 1999). There is a URL for the pleadings for those that want a peek.

>NINTH CIRCUIT WILL REHEAR BERNSTEIN ENCRYPTION CASE
>
>On September 30th, the Ninth Circuit Court of Appeals granted
>the government's request to rehear the case of Bernstein v.
>U.S. Department of Justice en banc.
>Previously, the case had
>been decided in Professor Bernstein's favor by a three-judge
>panel of the court. By granting the government's request, the
>court has withdrawn the panel's earlier decision and has
>agreed to have all 21 members of the court rehear the case.
>The government filed a motion seeking to push forward any
>rehearing of the case in light of the new federal regulations
>loosening the encryption rules. The motion was granted on
>October 28th and oral arguments were rescheduled for March 21,
>2000. Both parties are to file supplemental briefs addressing
>the impact of revised encryption export regulations 21 days
>after they are issued. Currently, the revisions are expected
>to be issued on December 15, 1999. The pleadings in the
>Bernstein case may be found at http://www.eff.org/bernstein/

And some more from the same publication

>U.S. SUGGESTS FOREIGN Y2K FIXES MAY COMPROMISE SECURITY
>
>Throughout October, reports have been circulating that Israel
>and India may have used the Y2K crisis to make malicious
>modifications in U.S. computer program codes. Officials in
>both countries have denied the allegations. The FBI's number
>one cybercop, Michael Vatis, reported to Reuters that
>malicious code changes under the guise of Y2K modifications
>had begun to surface in some U.S. work undertaken by foreign
>contractors, representing possible economic and security threats.
>Vatis heads the National Infrastructure Protection Center.
>Indian firms have done more than $2 billion worth of Y2K
>remediation coding work and Vatis expressed concern that
>malicious coding could expose a company to denial of service
>attacks or leave it vulnerable to the altering of data.
>Further
>information may be found at:
>http://www.herald.com:80/content/tue/news/national/digdocs/
>058182.htm

and finally some privacy issues

>FTC SUED FOR ACCESS TO PRIVACY COMPLAINTS
>
>On October 12th, the Electronic Privacy Information Center
>(EPIC) filed suit against the FTC to force it to disclose
>records of privacy complaints it has received. The suit was
>filed in the U.S. District Court in Washington, and alleges
>that the FTC has failed to act upon many privacy complaints
>that it has received from consumers. EPIC filed an initial
>information request under the Freedom of Information Act
>(FOIA) on June 10, 1999, requesting "copies of all records
>concerning the FTC's investigation of privacy complaints."
>EPIC said the FTC has responded only informally by telephone,
>though the Freedom of Information Act requires government
>agencies to respond to requests within 20 working days. EPIC
>said it has been told by the FTC that it doesn't have a system
>in place for tracking privacy complaints, making it difficult
>to respond to the FOIA request. A copy of the complaint may be
>found, in PDF format, at
>http://www.epic.org/privacy/internet/ftc_foia_comp.pdf
>

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From donald@ramsbottom.co.uk Tue, 02 Nov 1999 07:23:59 +0000
Date: Tue, 02 Nov 1999 07:23:59 +0000
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Regina V DPP ex Parte Kebilene

I posted the first instance hearing (report) of this case some months ago. That decision has now been reversed.
Read S:16A CJaPO Act (below) with S10-13 EC Bill

Report from Times Law Reports

>Regina v Director of Public Prosecutions, Ex parte
> Kebilene and Others
>
> Before Lord Slynn of Hadley, Lord Steyn, Lord Cooke
> of Thorndon, Lord Hope of Craighead and Lord
> Hobhouse of Woodborough
>
> [Speeches October 28, 1999]
>
> A decision by the Director of Public Prosecutions to
> consent to the prosecution of persons suspected of
> involvement with terrorism was not, in the absence of
> dishonesty, bad faith, or some exceptional circumstance,
> amenable to judicial review.
>
> The House of Lords so held in allowing an appeal by the
> DPP from the order of the Queen's Bench Divisional
> Court (Lord Bingham of Cornhill, Lord Chief Justice,
> Lord Justice Laws and Mr Justice Sullivan) (The Times
> March 31, 1999; [1999] 3 WLR 175) to grant
> declaratory relief on applications by Sofiane Kebilene,
> Ferine Boukemiche and Sofiane Souidi that the continuing
> decision of the DPP in each case under section 19(1)(aa)
> of the Prevention of Terrorism (Temporary Provisions)
> Act 1989, as amended by the Criminal Justice and Public
> Order Act 1994, to continue their prosecutions under
> section 16A of the 1989 Act, as inserted by section 82 of
> the Criminal Justice and Public Order Act 1994, was
> unlawful
>
> Section 16A, as inserted, provides: "(1) A person is guilty
> of an offence if he has any article in his possession in
> circumstances giving rise to a reasonable suspicion that the
> article is in his possession for a purpose connected with
> the commission ... of acts of terrorism...
>
> "(3) It is a defence for a person charged with an offence
> under this section to prove that ... the article in question
> was not in his possession for such a purpose..."
>
> Mr John Morris, QC, Mr David Pannick, QC, Mr
> Ronald Weatherup, QC of the Northern Ireland Bar, Mr
> Philip Sales, Mr David Perry and Miss Jane Mulcahy for
> the prosecution; Lord Lester of Herne Hill, QC, Mr Ben
> Emmerson and Mr Gordon Nardell for the applicants.
>
> LORD STEYN said that in 1997 officers of the
> anti-terrorist squad arrested the applicants, who were all
> Algerian nationals, and charged them with offences under
> section 16A.
>
> Section 16A was directed to the possession of articles
> innocent in themselves but capable of forming part of the
> paraphernalia or operational intelligence of the terrorist.
>
> The purpose of requiring the DPP's consent [under
> section 19(1)(aa)] to prosecutions under section 16A was
> to ensure that the decision to prosecute was taken at a
> very senior level following a careful consideration of all
> relevant matters including the public interest, and to
> protect defendants from the risk of oppressive
> prosecutions.
>
> At the applicants' trial, at the close of the case for the
> prosecution, the defence sought a ruling from the judge
> that section 16A reversed the legal burden of proof and
> was therefore in breach of article 6(2) of the Convention
> for the Protection of Human Rights and Fundamental
> Freedoms (1953)(Cmd 8969): "Everyone charged with a
> criminal offence shall be presumed innocent until proved
> guilty according to law".
>
> The judge ruled that section 16A was in conflict with
> article 6(2). The DPP, after taking legal advice, indicated
> that it was his intention to proceed with the prosecution.
>
> The jury was subsequently discharged because the
> prosecution had not fully complied with its disclosure
> obligations. A new trial date had to be fixed.
>
> The applicants sought a declaration that "the decision of
> the DPP to give his continued consent to the prosecution
> ...
> involves an error of law, namely an erroneous
> conclusion that the prosecution is compatible with article
> 6(2)".
>
> The Divisional Court granted the declaration, taking the
> view that section 16A undermined in a blatant and
> obvious way the presumption of innocence.
>
> The Lord Chief Justice held that section 29(3) of the
> Supreme Court Act 1981 did not preclude the granting of
> relief. He accepted that it was not for the DPP to disapply
> legislative provisions which Parliament had enacted but
> held that it was appropriate for the court to review the
> soundness of the legal advice on which the DPP had
> acted.
>
> Parliamentary sovereignty
>
> The Human Rights Act 1998 would, when its substantive
> provisions came into force on October 2, 2000, give
> effect to Convention rights in domestic law.
>
> Section 3 provided: "(1) So far as it is possible to do so,
> primary legislation ... must be read and given effect in a
> way which is compatible with the Convention rights."
>
> It was crystal clear that the carefully and subtly drafted
> 1998 Act preserved the principle of parliamentary
> sovereignty. In a case of incompatibility, which could not
> be avoided by interpretation under section 3(1), the courts
> could not disapply the legislation but could merely issue a
> declaration of incompatibility.
>
> It had been submitted that the effect of the Divisional
> Court judgment was to invite the DPP to disapply primary
> legislation. That failed to do justice to the reasoning of the
> Divisional Court.
>
> The Lord Chief Justice had pointed out that in the present
> case the DPP had wished to know where he stood on the
> issue of compatibility of the legislation. He had sought and
> relied on legal advice on that issue.
>
> The Lord Chief Justice said that if the advice was wrong,
> the DPP should have the opportunity to reconsider the
> confirmation of his advice on a sound legal basis.
> There
> was no infringement of the principle of parliamentary
> sovereignty.
>
> Legitimate expectation
>
> The applicants had submitted that they had a legitimate
> expectation that pending the coming into force of the
> central provisions of the 1998 Act, the DPP would not
> give his consent to a prosecution which would violate
> article 6.
>
> The Divisional Court had rejected that submission and
> counsel for the applicants did not press it in oral argument.
>
> His Lordship said that there was a clear statutory intent to
> postpone the coming into effect of central provisions of
> the Act. A legitimate expectation which treated
> inoperative statutory provisions as having immediate effect
> was contradicted by the language of the statute. The
> argument had to be rejected.
>
> Section 29(3) of the 1981 Act
>
> Section 29 provided: "(3) In relation to the jurisdiction of
> the Crown Court, other than its jurisdiction in matters
> relating to trial on indictment, the High Court shall have all
> such jurisdiction to make orders of mandamus, prohibition
> or certiorari as the High Court possesses in relation to the
> jurisdiction of an inferior court."
>
> The purpose of section 29(3), as explained in In re
> Smalley ([1985] AC 622, 642-643), was that to allow
> "judicial review of any decision affecting the conduct of a
> trial on indictment, whether given in the course of the trial
> or by way of pre-trial directions ... might ... seriously
> delay the trial..."
>
> His Lordship said that the plain language of the subsection
> was only apt to exclude the High Court's jurisdiction in
> respect of orders directed to and affecting the crown
> court's exercise of its jurisdiction in matters relating to trial
> on indictment.
>
> However, Mr Pannick had argued that if section 29(3)
> was not applicable, the matter was covered by a common
> law principle which limited the High Court's exercise of
> discretion to entertain judicial review proceedings of a
> decision to prosecute.
>
> The starting point had to be the analogical force of the
> statute which excluded the High Court's power to review
> decisions of the crown court.
>
> The policy underlying the statute would be severely
> undermined if it could be outflanked by framing the case
> as a challenge to the prosecutor's decision to enforce the
> law rather than as a challenge to the decision of the crown
> court judge to apply the law.
>
> Given that reverse legal burden provisions appeared in
> other legislation, the entertaining of such challenges outside
> the trial and appeal process might seriously disrupt the
> criminal justice system.
>
> The applicants were free to submit when the trial was
> continued that section 16A should not be interpreted as
> reversing the legal burden, but as placing only an evidential
> burden on a defendant.
>
> His Lordship expressed no view on the likely outcome of
> any such arguments, but it was not right to say that the
> applicants were entirely without remedy in the criminal
> process.
>
> There was also an implausibility at the heart of the
> applicants' case. They had sought judicial review on the
> ground that the DPP's consent involved an error of law.
> But the DPP might sometimes not have a concluded view
> of any kind.
>
> He might nonetheless be persuaded that, despite some
> uncertainty about the law, a prosecution was justified as
> being in the public interest. There could then be no
> question of reviewing his decision for error of law.
>
> His Lordship would rule that absent dishonesty or mala
> fides or an exceptional circumstance, the decision of the
> DPP to consent to the prosecution of the applicants was
> not amenable to judicial review.
> The present case fell on
> the wrong side of that line.
>
> While the passing of the 1998 Act marked a great
> advance for our criminal justice system it was vitally
> important that, so far as the courts were concerned, its
> application in our law should take place in an orderly
> manner which recognised the desirability of all challenges
> taking place in the criminal trial or on appeal.
>
> The effect of the judgment of the Divisional Court was to
> open the door too widely to delay in the conduct of
> criminal proceedings. Such satellite litigation should rarely
> be permitted in our criminal justice system.
>
> Interpretation and compatibility of section 16A with
> article 6(2)
>
> Given the conclusion his Lordship had arrived at it would
> be wrong to express concluded views on the question
> whether, as a matter of interpretation, section 16A
> created a reverse legal burden and, if so, whether the
> reverse legal burden was incompatible with article 6(2).
>
> But he regarded the issues as arguable. The effect was
> that those issues were undecided and entirely open at all
> levels in the criminal proceedings.
>
> Lord Cooke and Lord Hope delivered opinions
> concurring with Lord Steyn and Lord Slynn agreed.
>
> LORD HOBHOUSE said that the Divisional Court
> should have held that section 29(3) was applicable, either
> expressly or inferentially, that judicial review was not
> available and that the applicants should exercise the
> remedies open to them within the criminal justice system.
>
> His Lordship stated that criminal statutes which in certain
> circumstances partially reversed the burden of proof were
> not uncommon, nor were they confined to the United
> Kingdom.
>
> The judgments and decisions of the European Court of
> Human Rights and the Commission showed that they were
> not necessarily incompatible with the Convention.
>
> Similarly, there were clearly arguable questions as to the
> breadth to be ascribed to the construction of statutes
> which would be required of the courts by section 3(1).
>
> These were not matters which it was necessary or proper
> to enter upon on the present appeal. But the position was
> not as clear cut as the Divisional Court seem to have
> thought.
>
> Solicitors: Treasury Solicitor; Birnberg & Co.
>

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From davidh@spidacom.co.uk Tue, 2 Nov 1999 15:34:56 -0000
Date: Tue, 2 Nov 1999 15:34:56 -0000
From: David Hansen davidh@spidacom.co.uk
Subject: The Evils of MLS (Was: Another online service misleads)

On 1 Nov 99, at 11:37, System Administrator wrote:

> The problem is that if it is an automatic retrieval system then
> implementing "common sense" in software is way beyond current AI
> technology. Security in automated system is more or less by definition
> "rigid".

The difference between computerised and manual file retrieval is even more complex than that. For instance stealing information from somewhere else with a paper system involves walking in and taking the file, there are social protections and so on against that. With computers different means are needed to achieve the same result. Not easy; but then why should it be, that's what the implementors are being paid for:-)

David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E

From chl@clw.cs.man.ac.uk Tue, 2 Nov 1999 17:06:33 +0000 (GMT)
Date: Tue, 2 Nov 1999 17:06:33 +0000 (GMT)
From: Charles Lindsey chl@clw.cs.man.ac.uk
Subject: Regina V DPP ex Parte Kebilene

On Tue, 02 Nov 1999 07:23:59 +0000 Donald Ramsbottom said...

> > Section 16A, as inserted, provides: "(1) A person is guilty
> > of an offence if he has any article in his possession in
> > circumstances giving rise to a reasonable suspicion that the
                                   ^^^^^^^^^^
> > article is in his possession for a purpose connected with
> > the commission ... of acts of terrorism...
> >
> > "(3) It is a defence for a person charged with an offence
> > under this section to prove that ... the article in question
> > was not in his possession for such a purpose..."

The operative word there is "reasonable". If that word had appeared in the corresponding place in the EC Bill, then we should have been arguing in a wholly different ballpark.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl@clw.cs.man.ac.uk  Web: http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506  Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9  Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From 101544.3054@compuserve.com Tue, 2 Nov 1999 12:29:12 -0500
Date: Tue, 2 Nov 1999 12:29:12 -0500
From: Rainer Fahs 101544.3054@compuserve.com
Subject: The Evils and MLS

Whoever has sent this message to the list,

The part: is definitely misleading and is judging the book by its cover. Yes, Ross was at the conference, but he was not present when I presented my paper. What he does not seem to know is the fact that I have recommended to leave the Titanic (MLS) where it is and do more research to find solutions that can be applied to contemporary environments - and the paper does indeed give some examples.

B. t. w. I am the author and it is not a DERA paper. Simon Wisman (though from DERA) is co-author.

Rainer Fahs

From albert@achtung.com Tue, 2 Nov 1999 13:22:08 -0800
Date: Tue, 2 Nov 1999 13:22:08 -0800
From: Albert Yang albert@achtung.com
Subject: Serpent in Feistel form

My basic question was if Serpent in a Feistel form was considered. (Ross' reply to me below...) Now I ask you all, has anybody else considered Serpent in a Feistel form? I am particularly interested in the speed gain, and possible savings due to not having to invert everything as in an SP-network.

Albert.
"As for your question as to whether there isn't a Feistel version of Serpent, the answer is in the early (FSE98) version of our paper: we considered it, as a means of supporting 256 and 512 bit block sizes. However it didn't appear in the final submission, and the reason was that we just didn't have the time to devote to analysing it properly and providing all the reference implementations, test data and so on that would have been needed. So a Feistel Serpent is a definite possibility - some time in the future.."

From schneier@counterpane.com Tue, 02 Nov 1999 08:00:43 -0600
Date: Tue, 02 Nov 1999 08:00:43 -0600
From: Bruce Schneier schneier@counterpane.com
Subject: Serpent

At 05:58 PM 11/1/99 -0600, you wrote:
> > John Young asks:
> >
> > >[snip]
> > > Twofish, and for Mars, RC6, and E2. I worry about a
> > > cipher like Serpent that does not come with any
> > > analysis. Either the designers didn't do any, which is
> > > bad -- or they did it and are hiding it, which is worse.
> > >
> > > If the Serpent designers have answered this we'd appreciate
> > > a pointer. Any comment here on Bruce's tough talk?
>
>It would be truly amazing if Bruce had said this since the Serpent AES paper
>itself contains several pages of analysis. If Bruce had said 'insufficient
>analysis' instead of 'any analysis' he might have had a point (although
>Ross's post answers this) but if he really did say the words as given above
>then I fear that he has let his bias show through in a major way.

You pegged the problem exactly. And it was my fault. I wrote the words above, although you are definitely correct in what I meant to write. I didn't proofread as carefully as I should have. It's unfortunate, to make an understatement. Ross was right to be annoyed.

>If these really are Bruce's words they can only mean that he has either not
>bothered to read the Serpent AES paper or, alternatively, that he is trying
>to cast Serpent in a bad light in public.
>Sadly, the latter seems more
>likely since it is very hard to believe that he is unaware of the content of
>the paper.

I really wasn't. The Twofish team had recently spent a week together trying to analyze the various algorithms. In the discussions about Serpent, we were continually frustrated by the lack of detail in the analysis section of the paper. What is the best differential attack? What does a differential attack against two rounds look like? What are the avalanche properties of the linear mixing section? These, and others, were all questions we would have expected to be in the Serpent submission documentation. Certainly the designers did the analysis; certainly they knew the answers. I felt that details of the analysis work they did were being withheld.

I know that both Eli and Lars like to keep unfinished or inconclusive results to themselves. They both said as much some years ago when I had the naive thought that we could somehow "rate" algorithms based on the number of hours smart cryptographers have spent analyzing them. It's a perfectly reasonable position, but I think the AES process is a special case. In the Twofish submission, we tried to put everything in the cryptanalysis section: attacks--attacks that don't work, observations that we can't turn into attacks--everything. We felt this was the right thing to do.

In our analysis of Serpent, we probably will end up covering a lot of ground that the designers covered already. This seems inefficient, if the goal is to choose a good AES standard. This is very different from the RC6 and Mars submissions, which contain dozens of pages of analysis work. Of course this doesn't prove that any algorithms are better than any others, but at least when you're working on Mars you can see what the designers were thinking when they included the various pieces they included. To me, it means that as an analyst you can start covering new ground quicker.
In retrospect, the comment was unfair and I should never have made it. But I do think I have a valid point.

>But I share Ross's hope that this report will prove to be inaccurate.

It's inaccurate. But I have to take the blame for the inaccuracy. I typed the words and didn't pay enough attention while proofing.

Bruce
**************************************************************************
Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 612-823-1098
3031 Tisch Way, 100 Plaza East, San Jose, CA 95128        Fax: 612-823-1590
Free Internet security newsletter. See: http://www.counterpane.com

From dave@xemu.demon.co.uk Tue, 2 Nov 1999 12:46:45 +0000
Date: Tue, 2 Nov 1999 12:46:45 +0000
From: Dave Bird dave@xemu.demon.co.uk
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

In article <000e01bf24a1$eaee65d0$0100a8c0@director>, Caspar Bowden writes
>Financial Times 30-Oct-1999
>
>NATIONAL NEWS: Internet minister sets example: E-COMMERCE GOVERNMENT
>COLLEAGUES URGED TO USE NEW ONLINE CHAT ROOM: Patricia Hewitt talks to
>Rosemary Bennett and David Wighton on her first 'year' in office
>
>"Patricia Hewitt, promoted to minister for e-commerce in July, has just
>finished her first "internet year" in the job.
>....
>(snip)
>
>Regarding the electronic communications bill, Ms Hewitt confirmed she was in
>discussions about removing controversial clauses giving the police powers to
>unscramble encoded e-mail.
>
>These measures would be tagged on to a Home Office bill updating existing
>law regulating phone tapping."

Sorry I was so tied up in many other issues that personally I didn't get a response in but left it to wiser heads on the list. This is largely what we expected and demanded: "postpone it and get it right in IOCA".

But it is **only** postponed to IOCA

--
 ^-^-^-@@-^-;-^   http://www.xemu.demon.co.uk/
 (..)__u          news:alt.smoking.mooses
 happy as a clam at high tide -. <_" .-._.-.
From donald@ramsbottom.co.uk Wed, 03 Nov 1999 07:42:31 +0000
Date: Wed, 03 Nov 1999 07:42:31 +0000
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Regina V DPP ex Parte Kebilene

SNIP

>> > Section 16A, as inserted, provides: "(1) A person is guilty
>> > of an offence if he has any article in his possession in
>> > circumstances giving rise to a reasonable suspicion that the
>                                    ^^^^^^^^^^
>> > article is in his possession for a purpose connected with
>> > the commission ... of acts of terrorism...
>> >
>> > "(3) It is a defence for a person charged with an offence
>> > under this section to prove that ... the article in question
>> > was not in his possession for such a purpose..."
>
>The operative word there is "reasonable". If that word had appeared in
>the corresponding place in the EC Bill, then we should have been arguing
>in a wholly different ballpark.

While I agree with Charles' statement above, on a related topic of unlawful collection of evidence, David Pannick QC had an interesting article in yesterday's Times. It relates to wiretaps but the analogy with email and computer communications is clear. Sometimes, just sometimes, you want some US law to be applicable here!!

If, which seems likely, this line of thinking is followed then it really does not matter what is in the EC bill (or any successor); as long as the alleged crime is serious enough the LEA will be able to use whatever means it wants to obtain evidence and rely on it in Court.

> Last week the European Court of Human Rights heard
> argument on an issue of much importance: is it a breach of
> the right to a fair trial of a criminal charge for the
> prosecution to rely on evidence obtained by illegal means?
>
> In January 1993 Sultan Khan visited a house in Sheffield.
> Unknown to him, the police were bugging the premises.
> They obtained a tape-recording of a conversation in which
> Khan admitted that he had been involved in the import
> into the United Kingdom of heroin with a street value of
> £100,000.
>
> Khan was charged with the offence of being knowingly
> concerned in the fraudulent evasion of the prohibition on
> the import of a class A drug. He argued that the
> tape-recording was inadmissible evidence because the
> bugging was not authorised by law, it involved trespass to
> the property, and there was no other evidence against
> him. But the judge decided that the unlawful means used
> to obtain the evidence did not prevent the prosecution
> from relying on it. In the light of that ruling, Khan pleaded
> guilty and was sentenced to three years' imprisonment.
>
> In 1996 the House of Lords dismissed Khan's appeal.
> Lord Nolan commented that it was "astonishing" that there
> was no statutory system regulating the use of surveillance
> devices by the police, a defect in English law that has
> since been remedied by the Police Act 1997. But, Lord
> Nolan concluded, the fact that the police had breached
> the privacy of Khan and acted unlawfully did not make the
> evidence obtained inadmissible. Whether the evidence
> could be used depended upon its effect on the fairness of
> the trial, and not on the irregular or illegal steps taken by
> the police.
>
> The trial judge was entitled to rule that the use of the
> evidence did not make the trial unfair.
>
> Lord Nolan added that he had reached these conclusions
> "with relief", as it would be "a strange reflection on our
> law" if a man who admitted his participation in the illegal
> importation of a large quantity of heroin should have his
> conviction set aside on the ground that his privacy had
> been invaded.
>
> Khan has considerable difficulty in seeking to persuade
> the judges of the European Court to take a different view.
> In Schenk v Switzerland in 1988, the Court dismissed a
> complaint that it was a breach of the right to a fair criminal
> trial, as guaranteed by Article 6 of the European
> Convention on Human Rights, for the prosecution to rely
> on an unlawfully obtained recording of a telephone
> conversation.
>
> The court said that Article 6 does not lay down any rules
> on the admissibility of evidence, which is primarily a
> matter for regulation under national law. Therefore, there
> is no general principle that unlawfully obtained evidence
> must be excluded. The task of the European Court is
> simply to ascertain whether the trial as a whole was fair. It
> sufficed that the defendant knew, at the time of the trial,
> that the recording was unlawful and had an opportunity to
> challenge its admissibility in the domestic court.
>
> Three main arguments are being advanced on behalf of
> Khan for departing from Schenk and finding a breach of
> Article 6. First, that English law provides no effective
> procedure for challenging the admissibility of evidence
> obtained in breach of the right to privacy as guaranteed by
> Article 8 of the Convention. Secondly, the present case
> involved a fundamental defect in that there was, at the
> time, no statutory regulation of listening devices. And
> thirdly, that the tape-recording was the only evidence
> against Khan.
>
> None of these arguments is likely to succeed unless the
> European Court is persuaded to adopt the "exclusionary
> rule" that applies, subject to exceptions, in American law:
> that evidence obtained by the Government in violation of a
> defendant's constitutional rights may not be used by the
> prosecution in a criminal trial. The principle is based on
> the theory that it is a central function of the courts to
> encourage lawful action by the State.
> Or as Mr Justice
> Holmes suggested in 1928, it is "a less evil that some
> criminals should escape than that the Government should
> play an ignoble part".
>
> The European Court is unlikely to adopt that approach.
> Article 6 is concerned with a fair trial, not with ensuring
> the achievement of other objectives, however laudable
> they may be. The means by which evidence was obtained
> is relevant to the fairness of the trial, but is not the only
> relevant factor.
>
> As Mr Justice Cardozo explained for the US Supreme
> Court in 1933, the rules of evidence are framed "for
> ordinary minds, and not for psychoanalysts". They usually
> have their source "in considerations of administrative
> convenience, of practical expediency, and not in rules of
> logic".
>
> It will be a surprise if, on this occasion, the expediency of
> English law is found to violate human rights.
>
> The author is a practising barrister and a Fellow of
> All Souls College, Oxford. He is the editor, with Lord
> Lester of Herne Hill, QC, of the textbook Human
> Rights Law and Practice (Butterworths).
>

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From gladman@seven77.demon.co.uk Wed, 3 Nov 1999 08:39:56 -0000
Date: Wed, 3 Nov 1999 08:39:56 -0000
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: Regina V DPP ex Parte Kebilene

From: Donald Ramsbottom
To:
Sent: Wednesday, November 03, 1999 7:42 AM
Subject: Re: Regina V DPP ex Parte Kebilene

[snip]

While I agree with Charles' statement above, on a related topic of unlawful collection of evidence, David Pannick QC had an interesting article in yesterday's Times. It relates to wiretaps but the analogy with email and computer communications is clear. Sometimes, just sometimes, you want some US law to be applicable here!!
If, which seems likely, this line of thinking is followed then it really does not matter what is in the EC bill (or any successor); as long as the alleged crime is serious enough the LEA will be able to use whatever means it wants to obtain evidence and rely on it in Court.

[snip details of case in which a conviction results from evidence the police obtain by illegal means]

It's hard to see the result in this case being wrong in isolation but, as you suggest, it does seem to have serious wider implications that deserve careful study. Just how far can the police descend into illegality before the evidence they collect becomes inadmissible? Is everything short of fabricating evidence fair game?

Brian

From Ian_Miller@scientia.com Wed, 03 Nov 1999 10:14:03 +0000
Date: Wed, 03 Nov 1999 10:14:03 +0000
From: Ian Miller Ian_Miller@scientia.com
Subject: Regina V DPP ex Parte Kebilene

At 07:42 03/11/99 +0000, Donald Ramsbottom wrote:
>If, which seems likely, this line of thinking is followed then it really
>does not matter what is in the EC bill (or any successor), as long as the
>alleged crime is serious enough the LEA will be able to use whatever means
>it wants to obtain evidence and rely on it in Court.
>

I beg to differ. There is a world of difference between the police being able to bug, burgle and still use the evidence, and what Part III is proposing. The former gives the police licence for their own actions; the latter gives them the power to coerce action amounting to a breach of trust in innocent parties and to lock them up for talking about it.

The precedent you quote, while worrying, is mild in comparison with the powers of Part III.
Ian

From donald@ramsbottom.co.uk Wed, 03 Nov 1999 12:08:28 +0000
Date: Wed, 03 Nov 1999 12:08:28 +0000
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Regina V DPP ex Parte Kebilene

At 10:14 03/11/99 +0000, you wrote:
>At 07:42 03/11/99 +0000, Donald Ramsbottom wrote:
>>If, which seems likely, this line of thinking is followed then it really
>>does not matter what is in the EC bill (or any successor), as long as the
>>alleged crime is serious enough the LEA will be able to use whatever means
>>it wants to obtain evidence and rely on it in Court.
>>
>I beg to differ. There is a world of difference between the police being
>able to bug, burgle and still use the evidence, and what Part III is
>proposing. The former gives the police licence for their own actions, the
>latter gives them the power to coerce action amounting to a breach of trust
>in innocent parties and to lock them up for talking about it.
>
>The precedent you quote, while worrying, is mild in comparison with the
>powers of Part III.
>

There is a proper distinction here, quite properly pointed out by Ian. However, the combination of the line of thinking propounded by the eminent QC and the proposals in Part III is very worrying.

The conceivable situation is that illegal means are used to obtain "evidence" against you, and then, by virtue of the illegally obtained "evidence", a S:10 notice is served on you and your associates with attached gagging orders, requiring mass decryption of HDDs etc and the divulging of keys. Which in turn it is possible will lead to possible self-incrimination and a snowballing effect of "evidence" and notices upon you and all your associates, whether innocent or not, all arising from the first illegal act of the state.

>Or as Mr Justice
>> Holmes suggested in 1928, it is "a less evil that some
>> criminals should escape than that the Government should
>> play an ignoble part".

This quotation from the US judge is particularly apposite here.
Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From owen.blacker@pres.co.uk Wed, 3 Nov 1999 12:51:35 -0000
Date: Wed, 3 Nov 1999 12:51:35 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

But at least IoCA is the right place for it! :o)

O x
-----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive  www.pres.co.uk
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b
DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a

-----Original Message-----
From: Dave Bird [mailto:dave@xemu.demon.co.uk]
Sent: Tuesday, November 02, 1999 12:47 PM
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

[deletia]

Sorry I was so tied up in many other issues that personally I didn't get a response in but left it to wiser heads on the list. This is largely what we expected and demanded: "postpone it and get it right in IOCA".

But it is **only** postponed to IOCA

[deletia]

From lawya@lucs-01.novell.leeds.ac.uk Wed, 3 Nov 1999 13:09:28 +0000
Date: Wed, 3 Nov 1999 13:09:28 +0000
From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk
Subject: HC Report on Draft Electronic Communications Bill is available

HC Select Committee on Trade and Industry today released its report on the Draft Electronic Communications Bill. The report is at:

http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/862/86202.htm

In relation to the Human Rights issue, the Committee recommended that:

"the Government publish a detailed analysis to substantiate its confidence that part III of the draft Bill does not contravene the European Convention on Human Rights, dealing with the points made to the contrary."
In relation to the Law Enforcement issues (Part III of the Draft Bill), the Committee stated that they accept "that there is a need for a new power to enable law enforcement agencies to have access to encrypted material, but questions the urgency with which the proposal is being introduced." The Committee recommends "early publication of the criteria by which law enforcement agencies will decide whether to require a private encryption key or plain text of an encrypted message........"

In relation to IOCA, the Committee "expects the Government to take account of the dissatisfaction expressed about the IOCA and recommends that the costs incurred on ISPs as a result of extending the scope of the Act should be shared on a proportionate basis."

In relation to the export controls, the Committee "recommend that, in the light of recent and unexpected changes in US policy on the export of cryptographic products, the Government look again at the case for a review into the rationale of export controls on such products."

The Summary of the Conclusions of the Committee is at:

http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/862/86212.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at: http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From David.Goodenough@dga.co.uk Wed, 3 Nov 1999 13:27:41 +0000
Date: Wed, 3 Nov 1999 13:27:41 +0000
From: David.Goodenough@dga.co.uk David.Goodenough@dga.co.uk
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

Right place? I would have thought the only "right place" is the dustbin!
Owen Blacker on 03-11-99 12:51:35 PM
Please respond to ukcrypto@maillist.ox.ac.uk
To: "'ukcrypto@maillist.ox.ac.uk'"
cc: (bcc: David Goodenough/DGA/GB)
Subject: RE: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

But at least IoCA is the right place for it! :o)

O x
-----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive  www.pres.co.uk

-----Original Message-----
From: Dave Bird [mailto:dave@xemu.demon.co.uk]
Sent: Tuesday, November 02, 1999 12:47 PM
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

[deletia]

Sorry I was so tied up in many other issues that personally I didn't get a response in but left it to wiser heads on the list. This is largely what we expected and demanded: "postpone it and get it right in IOCA".

But it is **only** postponed to IOCA

[deletia]

From MBacon@snci.co.uk Wed, 3 Nov 1999 13:45:25 -0000
Date: Wed, 3 Nov 1999 13:45:25 -0000
From: Michael Bacon MBacon@snci.co.uk
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

But, as I've worried here before, what is the likelihood of true consultation and 'concerned party' influence over IOCA?

Streaky
  _____
~(_____)>
  " "
The opinions stated herein are my own and do not necessarily reflect those of my employer.

-----Original Message-----
From: Owen Blacker [mailto:owen.blacker@pres.co.uk]
Sent: 03 November 1999 12:52
To: 'ukcrypto@maillist.ox.ac.uk'
Subject: RE: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

But at least IoCA is the right place for it!
:o)

O x
-----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive  www.pres.co.uk

-----Original Message-----
From: Dave Bird [mailto:dave@xemu.demon.co.uk]
Sent: Tuesday, November 02, 1999 12:47 PM
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

[deletia]

Sorry I was so tied up in many other issues that personally I didn't get a response in but left it to wiser heads on the list. This is largely what we expected and demanded: "postpone it and get it right in IOCA".

But it is **only** postponed to IOCA

[deletia]

From cb@fipr.org Wed, 3 Nov 1999 14:12:33 -0000
Date: Wed, 3 Nov 1999 14:12:33 -0000
From: Caspar Bowden cb@fipr.org
Subject: BBC Online 2/10/99: "Global spy network revealed"

http://news.bbc.co.uk/hi/english/world/newsid_503000/503224.stm

Global spy network revealed

Listening in to your phone calls and reading your emails

By Andrew Bomford of BBC Radio 4's PM programme

Imagine a global spying network that can eavesdrop on every single phone call, fax or e-mail, anywhere on the planet.

It sounds like science fiction, but it's true.

Two of the chief protagonists - Britain and America - officially deny its existence. But the BBC has confirmation from the Australian Government that such a network really does exist and politicians on both sides of the Atlantic are calling for an inquiry.

On the North Yorkshire moors above Harrogate they can be seen for miles, but still they are shrouded in secrecy. Around 30 giant golf balls, known as radomes, rise from the US military base at Menwith Hill.

Linked to the NSA

Inside is the world's most sophisticated eavesdropping technology, capable of listening-in to satellites high above the earth.
Facility is said to be capable of 2m intercepts per hour

The base is linked directly to the headquarters of the US National Security Agency (NSA) at Fort Meade in Maryland, and it is also linked to a series of other listening posts scattered across the world, like Britain's own GCHQ.

The power of the network, codenamed Echelon, is astounding.

Every international telephone call, fax, e-mail, or radio transmission can be listened to by powerful computers capable of voice recognition. They home in on a long list of key words, or patterns of messages. They are looking for evidence of international crime, like terrorism.

Open Oz

The network is so secret that the British and American Governments refuse to admit that Echelon even exists. But another ally, Australia, has decided not to be so coy.

The man who oversees Australia's security services, Inspector General of Intelligence and Security Bill Blick, has confirmed to the BBC that their Defence Signals Directorate (DSD) does form part of the network.

"As you would expect there are a large amount of radio communications floating around in the atmosphere, and agencies such as DSD collect those communications in the interests of their national security", he said.

Asked if they are then passed on to countries like Britain and America, he said: "They might be in certain circumstances."

But the system is so widespread all sorts of private communications, often of a sensitive commercial nature, are hoovered up and analysed.

Journalist Duncan Campbell has spent much of his life investigating Echelon. In a report commissioned by the European Parliament he produced evidence that the NSA snooped on phone calls from a French firm bidding for a contract in Brazil. They passed the information on to an American competitor, which won the contract.

"There's no safeguards, no remedies," he said, "There's nowhere you can go to say that they've been snooping on your international communications. It's a totally lawless world."
Breaking the silence

Both Britain and America deny allegations like this, though they refuse to comment further. But one former US army intelligence officer has broken the code of silence.

Colonel Dan Smith told the BBC that while this is feasible, it is not official policy: "Technically they can scoop all this information up, sort through it, and find what it is that might be asked for," he said. "But there is no policy to do this specifically in response to a particular company's interests."

Legislators on both sides of the Atlantic are beginning to sit up and take notice. Republican Congressman Bob Barr has persuaded Congress to open hearings into these and other allegations. In December he is coming to Britain to raise awareness of the issue.

In an interview with the BBC he accused the NSA of conducting a broad "dragnet" of communications, and "invading the privacy of American citizens."

He is joined in his concerns by a small number of politicians in Britain. Liberal Democrat MP Norman Baker has tabled a series of questions about Menwith Hill, but has been met with a wall of silence.

"There's no doubt it's being used as a listening centre," he said, "There's no doubt it's being used for US interests, and I'm not convinced that Britain's interests are being best served by this."

From ACR@als.co.uk Wed, 3 Nov 1999 15:04:48 -0000
Date: Wed, 3 Nov 1999 15:04:48 -0000
From: Alan Ramsbottom ACR@als.co.uk
Subject: FW: ICX/DTI/Home Office - London December 9

Just found this on Cypherpunks (aka "UK Crypto Punks" :)

-----Original Message-----
From: Freddie Dawkins [mailto:freddied@compuserve.com]
Sent: 03 November 1999 14:06
To: UK Crypto Punks
Subject: ICX/DTI/Home Office - London December 9

Dear list members -

May I draw your attention to the next ICX conference in London on December 9, which will include speakers from both the Department of Trade & Industry and The Home Office.
The conference is titled "The E-communications Bill: Helping British Business to Trade Securely and with Confidence".

The UK Government is very determined to make the UK the "best place to do E-business". But the E-communications Bill has been heavily criticised for more than a year now and has been constantly revised and postponed. So we are very fortunate to have been able to persuade two different Government departments to present their views at the conference and agree to a moderated question and answer session during the afternoon.

Please take a look at the full programme at www.icx.org and I look forward to seeing some of you there.

rgds

Freddie Dawkins
ICX Co-ordinator

From albert@achtung.com Wed, 3 Nov 1999 08:55:44 -0800
Date: Wed, 3 Nov 1999 08:55:44 -0800
From: Albert Yang albert@achtung.com
Subject: Rijndael weaknesses?

Tom St. Denis posted in sci.crypt that he found a Rijndael Key Schedule weakness? Anybody have additional details?

From david@swarb.freeuk.com Wed, 3 Nov 1999 06:54:27 +0000
Date: Wed, 3 Nov 1999 06:54:27 +0000
From: David Swarbrick david@swarb.freeuk.com
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

In message , Dave Bird wrote:
>In article <000e01bf24a1$eaee65d0$0100a8c0@director>, Caspar Bowden
> writes
>>Financial Times 30-Oct-1999
>>
>>NATIONAL NEWS: Internet minister sets example: E-COMMERCE GOVERNMENT
>>COLLEAGUES URGED TO USE NEW ONLINE CHAT ROOM: Patricia Hewitt talks to
>>Rosemary Bennett and David Wighton on her first 'year' in office
>>
>>"Patricia Hewitt, promoted to minister for e-commerce in July, has just
>>finished her first "internet year" in the job.
>>....
>>(snip)
>>
>>Regarding the electronic communications bill, Ms Hewitt confirmed she was in
>>discussions about removing controversial clauses giving the police powers to
>>unscramble encoded e-mail.
>>
>>These measures would be tagged on to a Home Office bill updating existing
>>law regulating phone tapping."
> > Sorry I was so tied up in many other issues that personally I didn't > get a response in but left it to wiser heads on the list. This is > largely what we expected and demanded "postpone it and get it right > in IOCA". > > But it is **only** postponed to IOCA Perhaps Nigel could indicate if there would be any purpose in constructive proposals from here? I assume the postponement will allow a rethink? -- David Swarbrick, Solicitor 01484 722531 - david@swarb.freeuk.com www.swarb.co.uk - law-index of 10,000+ uk case summaries and uk.legalFQA The Law Society regulates our investment business. IP / IT Law and Contracts. From Ross.Anderson@cl.cam.ac.uk Thu, 04 Nov 1999 09:11:56 +0000 Date: Thu, 04 Nov 1999 09:11:56 +0000 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: New Scientist piece on crypto policy See the interview at: http://www.newscientist.com/ns/19991106/confidenti.html This issue also has an article on Soft Tempest at: http://www.newscientist.com/ns/19991106/newsstory6.html Ross From dave@xemu.demon.co.uk Thu, 4 Nov 1999 00:56:02 +0000 Date: Thu, 4 Nov 1999 00:56:02 +0000 From: Dave Bird dave@xemu.demon.co.uk Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99) In article , David Swarbrick writes >>>Regarding the electronic communications bill, Ms Hewitt confirmed she was in >>>discussions about removing controversial clauses giving the police powers to >>>unscramble encoded e-mail. >>> >>>These measures would be tagged on to a Home Office bill updating existing >>>law regulating phone tapping." >> >> Sorry I was so tied up in many other issues that personally I didn't >> get a response in but left it to wiser heads on the list. This is >> largely what we expected and demanded "postpone it and get it right >> in IOCA". >> >> But it is **only** postponed to IOCA > >Perhaps Nigel could indicate if there would be any purpose in >constructive proposals from here? > >I assume the postponement will allow a rethink?
I take it you are an optimist :-> and HOW MUCH CONSULTATION PERIOD WILL WE GET THIS TIME, NIGEL? MORE THAN 14 DAYS? Fifteen perhaps?? (six to eight weeks would be more appropriate). -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses happy as a clam at high tide -. <_" .-._.-. From chl@clw.cs.man.ac.uk Thu, 4 Nov 1999 19:52:21 +0000 (GMT) Date: Thu, 4 Nov 1999 19:52:21 +0000 (GMT) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: Getting at parliament Has anybody had difficulty in accessing the website for the DTI Select Committee?
chl% traceroute www.parliament.the-stationery-office.co.uk
traceroute to www.parliament.the-stationery-office.co.uk (194.128.65.4), 30 hops max, 40 byte packets
 1 pm3a.mcc.ac.uk (194.66.22.252) 167.731 ms 156.210 ms 159.605 ms
 2 194.66.22.250 (194.66.22.250) 175.118 ms 157.188 ms 159.468 ms
 3 gw-owens.mcc.ac.uk (130.88.253.250) 179.434 ms 168.358 ms 169.451 ms
 4 194.66.23.250 (194.66.23.250) 159.364 ms 156.665 ms 159.489 ms
 5 146.97.255.177 (146.97.255.177) 159.695 ms 165.434 ms 159.463 ms
 6 193.62.157.81 (193.62.157.81) 169.477 ms 166.770 ms 169.568 ms
 7 uk-gw.ja.net (128.86.1.240) 169.301 ms 168.338 ms 169.499 ms
 8 fddi1-1-0.br2.doc.london.pipex.net (193.128.43.125) 169.301 ms 168.265 ms 169.454 ms
 9 fe1-0-0.ar1.lnd6.gbb.uk.uu.net (158.43.195.1) 169.397 ms 168.331 ms 169.343 ms
10 fe1-0-0.ar2.lnd6.gbb.uk.uu.net (158.43.195.2) 169.399 ms 168.394 ms 169.479 ms
11 pos0-0.cr2.lnd6.gbb.uk.uu.net (158.43.193.237) 169.252 ms 168.306 ms 169.388 ms
12 pos0-2.cr2.cbg1.gbb.uk.uu.net (158.43.254.1) 169.415 ms 168.201 ms 169.646 ms
13 pos6-0-0.sr2.cbg1.gbb.uk.uu.net (158.43.129.134) 169.289 ms 166.819 ms 169.558 ms
14 fe0-0-0.gw6.cbg1.gbb.uk.uu.net (158.43.129.6) 179.260 ms 178.218 ms 189.600 ms
15 158.43.1.18 (158.43.1.18) 179.414 ms 187.168 ms 179.645 ms
16 * * *
17 * * *
18 * * *
Charles H.
Lindsey ---------At Home, doing my own thing------------------------ Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From donald@ramsbottom.co.uk Fri, 05 Nov 1999 06:55:05 +0000 Date: Fri, 05 Nov 1999 06:55:05 +0000 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Tunnelling Remember the tunnelling software I mentioned a few weeks back? Well, there is not a lot on it, but firewall Guru PJ has a little more on it; see below. He has mentioned that if anyone is having difficulty they can email him. His email is paul_jennings@vnet.ibm.com. I know its off topic but it is a security risk which has the potential to bypass conventional security, and is therefore legitimate. It appears from the last post that BT may be one of the culprits! Some of the posts have been repeated. >Hi - this is the 4th occurrence of this sort of tech I've seen in the last >month. It happens because of the fact that http isn't really a protocol like >all those other ones (ftp or whatever). It's actually more of a 'sheepdip' in >that you can wrap http round ANY other sort of traffic and effectively tunnel it >through a firewall. > >At the moment, it's pretty much impossible to stop, without some detailed >INSPECT script writing on a Checkpoint-style firewall. I'd expect the next >generation of firewalls to stop this sort of stuff, though. > > >For info, this is a stream of notes that myself and Donald (my >networking-crypto-techie lawyer pal) exchanged on the subject... The guy >posting near the bottom (Bellovin) is one of the Gods of Internet Security. > SNIP > >What this one does is allow a user to "synchronize" his/her regular >(company) e-mail with his/her visto mail, calendar, etc., such that, >whenever a new message arrives in the corporate mailbox, you see it in the >visto mailbox.
The users download an app from visto which runs in the >background on the office desktop machine, and which then tunnels data back >to visto inside of HTTP. So, on the surface of things, it just looks like a >regular browser session. > > > >We're finding increasing numbers of users availing themselves of this >"service" .... word spreads like wildfire among the masses .... our >firewalls work harder, longer, require more disk space to log all this >stuff, there is additional traffic on the Internet T-1 (which is not there >for the exclusive use of employees ... we actually do e-business ! ), etc. > >I've rebuilt my kernel and added more disk space since I posted to the list, >but I'm seriously considering putting an access-list on the serial interface >of my internet edge router and be done with it, once and for all. > > SNIP > >I'll be the first to say I've not looked at this 'visto' till just >now, and I only took a peek at it. I can't figure much about them >from their web site, but I would have a REAL SERIOUS CONCERN with >users having their (sometimes sensitive) company e-mail sent to an >outside location, where it can be hacked/read/snooped/sniffed (blah >blah) by anyone. Have you looked at this 'background' job your users >run to see what ELSE it might be sending out? How secure is it? Has >anyone looked at the code to see what it is really doing? > >You spend a lot of money maintaining firewalls to keep the outside >world at bay. You try to ensure that your confidential internal >e-mails regarding the company business STAY confidential. Are you >sure policy allows this? It SEEMS like this would not be a good thing >to me. Call me wild and crazy...not to mention just plain paranoid! > >JSK > > > > >Sender: owner-firewall-wizards@lists.nfr.net >Reply-To: "Steven M.
Bellovin" > >In message <3.0.3.32.19991017232841.0093d5d0@pop.sprynet.com>, JSK writes: > >> I'll be the first to say I've not looked at this 'visto' till just >> now, and I only took a peek at it. I can't figure much about them >> from their web site, but I would have a REAL SERIOUS CONCERN with >> users having their (sometimes sensitive) company e-mail sent to an >> outside location, where it can be hacked/read/snooped/sniffed (blah >> blah) by anyone. > >Yup, absolutely right. > >And if you use technical mechanisms to bar use of visto, people who need (or >think they need) that sort of functionality will just forward their mail to >hotmail or yahoo or any of the other free mail services. > >There are really only two choices: either persuade your users that *they* >don't want to do this, because *they* understand the security risks, or find a >mechanism that provides the necessary functionality as securely as possible. >You can't ban everything; some things, you have to manage. I'll quote Ranum's >Law: "You can't solve social problems with software". > >Btw, what is your corporate policy on discussing sensitive business matters via >cell phones? > > --Steve Bellovin > >Cheers, PJ > >-------------------------------ooOOoo------------------------------- >Paul Jennings, Team Leader, Security Analysis - Network Design Team >AT&T Global Network Services, C2E North Harbour, UK >Tel: +44 (0)1705 564106 (254106 internal) > >Notes mail: Paul Jennings@IBMGB | e-mail: paul_jennings@uk.ibm.com > > >Kelly Clavey >04/11/99 18:53 > >To: Paul Jennings/UK/IBM@IBMGB, Joe Dauncey/UK/IBM >cc: >From: Kelly Clavey/UK/IBM@IBMGB >Subject: yahoo news > > >Paul, Joe, >Guess you've seen this... 
> >http://uk.news.yahoo.com/991104/22/akgu.html >News Burst: BT develops tunnelling tech, beats firewalls > >A representative from BT's research labs has revealed the Telecommunications >giant has developed a new wave >of HTTP tunnelling technology capable of bypassing conventional firewall >security. > >Full story to follow > >Kelly > >Special Bid Team, BPBS, AT&T Global Network Services. >Tel: + 44 (0) 23 92561099 Int: 25-1099 Notes: CLAVEYK@IBMGB >Internet : claveyk@uk.ibm.com. Mail Point: CGA, NHBR. >Loc: C2E, North Harbour, Portsmouth, Hampshire, P08 6AU. > > > > Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From donald@ramsbottom.co.uk Fri, 05 Nov 1999 07:36:50 +0000 Date: Fri, 05 Nov 1999 07:36:50 +0000 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Precision Just a snippet from the headnote of a civil case in CA. Would it not be nice if the DTI/HO had to be this precise when drafting Part III EC, and notices (by LEA) served pursuant to S:10 >Morgans (a Firm) v Needham > > Before Lord Justice Stuart-Smith and Lord Justice Evans > > Judgment October 28, 1999 > > Where a claimant was threatened with the striking-out of > his claim unless he complied with an order for discovery > of documents, it was imperative that the order should > specify precisely what documents had to be disclosed so > that it was possible for him to know whether he had > complied with it. > > An "unless order" which required a defendant to disclose > all documents relating to his financial and tax affairs which > are necessary to prove his counterclaim, was hopelessly > unclear and imprecise and ought never to have been > enforced. > Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. 
Solicitors Internet Law & Global Cryptology Law Specialists From chris.amery@net.ntl.com Fri, 05 Nov 1999 09:59:30 +0000 Date: Fri, 05 Nov 1999 09:59:30 +0000 From: Chris Amery chris.amery@net.ntl.com Subject: Tunnelling Donald Ramsbottom wrote: > > I know its off topic but it is a security risk which has the potential to > bypass conventional security, and is therefore legitimate. > That is a non sequitur, surely? Please can I vote for keeping to the original ukcrypto objectives. Otherwise, where will it all end? Sorry to be a party-pooper, but perhaps you can discuss it somewhere else? Rgds, Chris. From alan@kable.co.uk Fri, 5 Nov 1999 10:14:16 -0000 Date: Fri, 5 Nov 1999 10:14:16 -0000 From: Alan Burkitt-Gray alan@kable.co.uk Subject: Getting at parliament Charles H. Lindsey said: "Has anybody had difficulty in accessing the website for the DTI Select Committee?" Start with http://www.parliament.uk/ It took me about five clicks (via House of Commons > Select Committees of the House of Commons > Trade and Industry > Select Committee Publications on the Internet ... etc ...) to get to the report: http://www.publications.parliament.uk/pa/cm199899/cmselect/cmtrdind/862/86202.htm Alan - ALAN BURKITT-GRAY, Editor, Government Computing The independent magazine about information age public service, for the people who are going to make it happen See Signposts to Government: http://www.kable.co.uk Published monthly by Kable Ltd The Courtyard, 55 Charterhouse Street, London EC1M 6HA, UK tel (direct) 020 7608 8403, (switchboard) 020 7608 0900; fax 020 7608 8420 e-mail alan@kable.co.uk Where's Kable?
Look at http://www.streetmap.co.uk/streetmap.dll?grid2map?X=531650&Y=181750&arrow=Y From gladman@seven77.demon.co.uk Fri, 5 Nov 1999 11:03:20 -0000 Date: Fri, 5 Nov 1999 11:03:20 -0000 From: Brian Gladman gladman@seven77.demon.co.uk Subject: Confidence in AES (was Serpent) From: Bruce Schneier To: Brian Gladman ; Sent: Tuesday, November 02, 1999 2:00 PM Subject: Re: Serpent [snip] > >It would be truly amazing if Bruce had said this since the Serpent AES paper > >itself contains several pages of analysis. If Bruce had said 'insufficient > >analysis' instead of 'any analysis' he might have had a point (although > >Ross's post answers this) but if he really did say the words as given above > >then I fear that he has let his bias show through in a major way. > > You pegged the problem exactly. And it was my fault. I wrote the words > above, although you are definitely correct in what I meant to write. I didn't > proofread as carefully as I should have. It's unfortunate, to make an > understatement. Ross was right to be annoyed. [snip] > I know that both Eli and Lars like to keep unfinished or inconclusive results > to themselves. They both said as much some years ago when I had the > naive thought that we could somehow "rate" algorithms based on the number > of hours smart cryptographers have spent analyzing them. It's a perfectly > reasonable position, but I think the AES process is a special case. In the > Twofish submission, we tried to put everything in the cryptanalysis section: > attacks--attacks that don't work, observations that we can't turn into > attacks--everything. We felt this was the right thing to do. In our analysis > of Serpent, we probably will end up covering a lot of ground that the designers > covered already. This seems inefficient, if the goal is to choose a good > AES standard. > > This is very different from the RC6 and Mars submissions, which contain > dozens of pages of analysis work. 
Of course this doesn't prove that any > algorithms are better than any others, but at least when you're working on > Mars you can see what the designers were thinking when they included > the various pieces they included. To me, it means that as an analyst you > can start covering new ground quicker. [snip] From this clarification it is clearer that the issue that Bruce was trying to raise is that of the level of detail provided for the cryptanalysis of AES candidates by the respective design teams. I certainly consider this an issue worth considering and, as a first cut, I have looked at each of the five *** round 1 *** specifications for the AES finalists to see how much coverage of cryptanalysis was provided. I know this is not a sensible measure but we have to start somewhere. The number of pages covering cryptanalysis in each of these specifications are:
RC6 - 2.5 pages
Serpent - 5 pages
Rijndael - 8 pages
Twofish - 15 pages
MARS - 27 pages
This shows a very large variation but actually suggests that the criticism of 'insufficient cryptanalysis' could be levelled at RC6 even more than Serpent. In this light, the suggestion by Bruce above, that the RC6 submission contains 'dozens of pages of analysis work', must be based on other documents (round 2 publications?). My own conclusion here is that Bruce was wrong to single out Serpent for this criticism but that he was right to raise the issue of the scope of the published cryptanalysis results and the extent to which details have been provided for each of the five finalists. I certainly would not want to see the world's secure data depend on an algorithm for which the only published cryptanalysis work was described in 2.5 pages! In any event, given that MARS only makes 27 pages, it is worth asking the question "do we want much of the world's secure data to depend on an algorithm (or algorithms) for which there is so little published cryptanalysis?".
So, while Bruce was wrong to 'have a go' at Serpent in particular, I do believe that he has a valid general point. In my view NIST should now publish a full list of all published cryptanalysis work for each of the five AES finalists so that we can then assess whether we know enough about any of the algorithms here. I doubt that we do and this must make it sensible to ask that NSA cryptanalysis work in support of the NIST AES effort is now published. Without this it is hard to see that we will be in good shape to select a winner in April next year. Moreover such action on the part of NSA would be a continuation of their welcome moves to greater openness and a recognition of the vital role that they can (and need to) play in ensuring that the cyberspace on which we will all depend critically in the next century is truly safe and secure. Brian Gladman From donald@ramsbottom.co.uk Fri, 05 Nov 1999 11:35:22 +0000 Date: Fri, 05 Nov 1999 11:35:22 +0000 From: Donald Ramsbottom donald@ramsbottom.co.uk Subject: Tunnelling Fair enough. At 09:59 05/11/99 +0000, you wrote: >Donald Ramsbottom wrote: >> >> I know its off topic but it is a security risk which has the potential to >> bypass conventional security, and is therefore legitimate. >> >That is a non sequitur, surely? Please can I vote for keeping to the >original ukcrypto objectives. Otherwise, where will it all end? Sorry >to be a party-pooper, but perhaps you can discuss it somewhere else? >Rgds, >Chris. > > > Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From khushil.dep@cyberlife.co.uk Fri, 5 Nov 1999 12:01:46 -0000 Date: Fri, 5 Nov 1999 12:01:46 -0000 From: khushil.dep@cyberlife.co.uk khushil.dep@cyberlife.co.uk Subject: Tunnelling If this thread goes somewhere else can someone let me know where, as I'm interested in it. Thanks!
:-p -----Original Message----- From: owner-ukcrypto@maillist.ox.ac.uk [mailto:owner-ukcrypto@maillist.ox.ac.uk]On Behalf Of Donald Ramsbottom Sent: Friday, November 05, 1999 12:01 PM To: ukcrypto@maillist.ox.ac.uk Subject: Re: Tunnelling Fair enough. At 09:59 05/11/99 +0000, you wrote: >Donald Ramsbottom wrote: >> >> I know its off topic but it is a security risk which has the potential to >> bypass conventional security, and is therefore legitimate. >> >That is a non sequitur, surely? Please can I vote for keeping to the >original ukcrypto objectives. Otherwise, where will it all end? Sorry >to be a party-pooper, but perhaps you can discuss it somewhere else? >Rgds, >Chris. > > > Donald Ramsbottom LL.B, BA (Hons). RAMSBOTTOM & Co. Solicitors Internet Law & Global Cryptology Law Specialists From schneier@counterpane.com Tue, 02 Nov 1999 08:00:43 -0600 Date: Tue, 02 Nov 1999 08:00:43 -0600 From: Bruce Schneier schneier@counterpane.com Subject: Serpent At 05:58 PM 11/1/99 -0600, you wrote: > > John Young asks: > > >[snip] > > > Twofish, and for Mars, RC6, and E2. I worry about a > > > cipher like Serpent that does not come with any > > > analysis. Either the designers didn't do any, which is > > > bad -- or they did it and are hiding it, which is worse. > > > > > > If the Serpent designers have answered this we'd appreciate > > > a pointer. Any comment here on Bruce's tough talk? > >It would be truly amazing if Bruce had said this since the Serpent AES paper >itself contains several pages of analysis. If Bruce had said 'insufficient >analysis' instead of 'any analysis' he might have had a point (although >Ross's post answers this) but if he really did say the words as given above >then I fear that he has let his bias show through in a major way. You pegged the problem exactly. And it was my fault. I wrote the words above, although you are definitely correct in what I meant to write. I didn't proofread as carefully as I should have. 
It's unfortunate, to make an understatement. Ross was right to be annoyed. >If these really are Bruce's words they can only mean that he has either not >bothered to read the Serpent AES paper or, alternatively, that he is trying >to cast Serpent in a bad light in public. Sadly, the latter seems more >likely since it is very hard to believe that he is unaware of the content of >the paper. I really wasn't. The Twofish team had recently spent a week together trying to analyze the various algorithms. In the discussions about Serpent, we were continually frustrated by the lack of detail in the analysis section of the paper. What is the best differential attack? What does a differential attack against two rounds look like? What are the avalanche properties of the linear mixing section? These, and others, were all questions we would have expected to be in the Serpent submission documentation. Certainly the designers did the analysis; certainly they knew the answers. I felt that details of the analysis work they did were being withheld. I know that both Eli and Lars like to keep unfinished or inconclusive results to themselves. They both said as much some years ago when I had the naive thought that we could somehow "rate" algorithms based on the number of hours smart cryptographers have spent analyzing them. It's a perfectly reasonable position, but I think the AES process is a special case. In the Twofish submission, we tried to put everything in the cryptanalysis section: attacks--attacks that don't work, observations that we can't turn into attacks--everything. We felt this was the right thing to do. In our analysis of Serpent, we probably will end up covering a lot of ground that the designers covered already. This seems inefficient, if the goal is to choose a good AES standard. This is very different from the RC6 and Mars submissions, which contain dozens of pages of analysis work.
Of course this doesn't prove that any algorithms are better than any others, but at least when you're working on Mars you can see what the designers were thinking when they included the various pieces they included. To me, it means that as an analyst you can start covering new ground quicker. In retrospect, the comment was unfair and I should never have made it. But I do think I have a valid point. >But I share Ross's hope that this report will prove to be inaccurate. It's inaccurate. But I have to take the blame for the inaccuracy. I typed the words and didn't pay enough attention while proofing. Bruce ************************************************************************** Bruce Schneier, CTO, Counterpane Internet Security, Inc. Ph: 612-823-1098 3031 Tisch Way, 100 Plaza East, San Jose, CA 95128 Fax: 612-823-1590 Free Internet security newsletter. See: http://www.counterpane.com
From daw@cs.berkeley.edu 5 Nov 1999 10:02:34 -0800 Date: 5 Nov 1999 10:02:34 -0800 From: David Wagner daw@cs.berkeley.edu Subject: Confidence in AES (was Serpent) In article <003301bf277d$c716aad0$966adec2@fortytwo>, Brian Gladman wrote: > I certainly consider this an issue worth considering and, as a first cut, I > have looked at each of the five *** round 1 *** specifications for the AES > finalists to see how much coverage of cryptanalysis was provided. I know > this is not a sensible measure but we have to start somewhere. > > The number of pages covering cryptanalysis in each of these specifications > are: > > RC6 - 2.5 pages > Serpent - 5 pages > Rijndael - 8 pages > Twofish - 15 pages > MARS - 27 pages > > This shows a very large variation but actually suggests that the criticism > of 'insufficient cryptanalysis' could be levelled at RC6 even more than > Serpent. In this light, the suggestion by Bruce above, that the RC6 > submission contains 'dozens of pages of analysis work', must be based on > other documents (round 2 publications?). The RC6 folks have, to their credit, published _tons_ of analysis work on RC6. `The Security of the RC6 Block Cipher' is 65 pages long, and then there's also their 15-page FSE'99 paper. I think the RC6 and MARS teams (and, I like to believe, the Twofish team) have set an excellent standard in this regard. One might attempt to fault RC6 or MARS for some other reason, but not for lack of documentation of their design & analysis work. So in this case, yes, I do think that your decision to look at just the round one documents might have produced an unrepresentative result here. I would be interested to see how the results differ if one takes into account material published by the design teams after the submission.
From cmt@btinternet.com Sat, 6 Nov 1999 01:57:05 -0000 Date: Sat, 6 Nov 1999 01:57:05 -0000 From: Tom Thomson cmt@btinternet.com Subject: Precision > Just a snippet from the headnote of a civil case in CA. Would it not be nice > if the DTI/HO had to be this precise when drafting Part III EC, and notices > (by LEA) served pursuant to S:10 > > >Morgans (a Firm) v Needham > > > > Before Lord Justice Stuart-Smith and Lord Justice Evans > > > > Judgment October 28, 1999 > > > > Where a claimant was threatened with the striking-out of > > his claim unless he complied with an order for discovery > > of documents, it was imperative that the order should > > specify precisely what documents had to be disclosed so > > that it was possible for him to know whether he had > > complied with it. > > > > An "unless order" which required a defendant to disclose > > all documents relating to his financial and tax affairs which > > are necessary to prove his counterclaim, was hopelessly > > unclear and imprecise and ought never to have been > > enforced. It would indeed be nice, but I imagine that the requirements for an "unless order" which, if not complied with, will result in the striking out of a civil case will be somewhat stricter than anything in English criminal law. After all, in civil cases one of the primary considerations is equity - the court will (eventually, at some level) throw out anything which is manifestly unfair or unreasonable, unless there is some very clear statute that explicitly prohibits it from doing so. In criminal cases the court has much less discretion (despite the common beliefs about "beyond reasonable doubt" and "innocent until proven guilty", which are nothing but mythology so far as English law is concerned - maybe Morgans vs Needham would be relevant in Scottish criminal law, which is a little more civilised, but it couldn't imaginably apply in a criminal case in England).
From bruce@counterpane.com Sat, 06 Nov 1999 00:56:29 -0600 Date: Sat, 06 Nov 1999 00:56:29 -0600 From: Bruce Schneier bruce@counterpane.com Subject: Confidence in AES (was Serpent) At 09:24 AM 11/5/99 -0600, Brian Gladman wrote: >I certainly consider this an issue worth considering and, as a first cut, I >have looked at each of the five *** round 1 *** specifications for the AES >finalists to see how much coverage of cryptanalysis was provided. I know >this is not a sensible measure but we have to start somewhere. > >The number of pages covering cryptanalysis in each of these specifications >are: > >RC6 - 2.5 pages >Serpent - 5 pages >Rijndael - 8 pages >Twofish - 15 pages >MARS - 27 pages > >This shows a very large variation but actually suggests that the criticism >of 'insufficient cryptanalysis' could be levelled at RC6 even more than >Serpent. In this light, the suggestion by Bruce above, that the RC6 >submission contains 'dozens of pages of analysis work', must be based on >other documents (round 2 publications?). To be fair, the RC6 team published a separate document containing all of their analysis about the algorithm a month or so after the submission deadline. That document should certainly count towards that algorithm's total. Bruce From nigelhickson@compuserve.com Sat, 6 Nov 1999 04:14:23 -0500 Date: Sat, 6 Nov 1999 04:14:23 -0500 From: Nigel Hickson nigelhickson@compuserve.com Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99) Colleagues, Whether Part III is on the EC bill or somewhere else; constructive comments on text re sections 10 - 14 (and there have already been some) are always welcome. Nigel From georgefoot@oxted.demon.co.uk Sat, 6 Nov 1999 11:34:26 +0000 Date: Sat, 6 Nov 1999 11:34:26 +0000 From: George Foot georgefoot@oxted.demon.co.uk Subject: The BCF Cryptosystem November 6th.
1999 To the ukcrypto mailing list: The following document has been posted with the permission and the approval of the owner of this mailing list. The document may be distributed at will if reproduced in its entirety and attributed to its authors who are George H. Foot and Michael J.D. Brown The document is in three parts which should not be separated as they are interrelated. (1) The Employment of Encryption in E-Commerce and A Presentation of the BCF Cryptosystem: by George H. Foot. (2) An Informal Description of the BCF Symmetric Key Process: by Michael J.D. Brown (3) A Critique of Public Key Cryptosystems: by George H. Foot Comments would be much appreciated: Contact: georgefoot@oxted.demon.co.uk THE EMPLOYMENT OF ENCRYPTION IN E-COMMERCE A PRESENTATION OF THE BCF CRYPTOSYSTEM (1) INTRODUCTION. Cryptosystems are available for the encryption of commercial and personal message traffic transmitted via electronic media and are satisfactory for present purposes: But the prospect is that encryption will be employed increasingly for the furtherance of E-Commerce introducing an environment in which business attitudes will prevail and new conditions of use will be encountered. What is the present situation ? 
We accept cryptosystems which we are told are secure because they have an adequate key length but which in reality may be totally insecure for reasons of which we are ignorant: We accept cryptosystems which use much greater computational power than is truly necessary because of a lurking fear that otherwise security may be less than we require: We accept the creed that the security of the cryptosystems we use is threatened by the growth of hostile computer power and that to employ a progressively greater and greater computing power ourselves in retaliation is our only protection: We fail to protest at the squandering of computer power to achieve an ill-defined security which in many circumstances will exceed commercial needs and will impose unjustified costs on commercial transactions: We fail to classify the security of various cryptosystems with respect to the degree of vigilance each may demand of human operators working under the stress of a commercial environment. (2) DESIGN CONSIDERATIONS. Suppose that we were to design a cryptosystem with emphasis on its suitability for E-commerce, what factors would influence our ideas ? We have had this question under study for a long period during which we have been searching for the best answer keeping in mind the following precepts: (a) There is no basic difference between E-Commerce and traditional Commerce in the manner in which trust and confidence can only grow gradually as a result of successful business relationships between two parties over a period of time. (b) A business man may receive a letter in an envelope which has not been opened and which may have been further protected in transit by registration or may have been delivered by courier. An electronic message in its encryption-cocoon provides an equivalent service and the busy business man requires nothing else to continue his activities. 
He is alert to suspicious circumstances because of his business training and experience, irrespective of the manner in which his correspondence may have been transported.

(c) The identity of the parties in contact is rarely in doubt in conventional business transactions and in any case is verifiable by regular business methods -- for example the telephone (in future the video-telephone), notarization of documents, bank references, mutual acquaintances and personal contacts. The anonymity of the Internet lends itself to fraud and imposes a burden of vigilance on businessmen which to some extent offsets its advantages.

(d) Experience and common sense indicate that the only way to ensure that no third party has tampered with Keys is to ensure that no third party (certified or otherwise) ever has access to those Keys. Keys should be kept securely in-house and preferably discarded or modified after every occasion on which they are employed.

(e) It is only a minority of documents which need encryption, and it is a needless complication and in practice also a waste of resources and an additional expense to encrypt everything. Furthermore a reduced level of security may sometimes be entirely adequate for commercial purposes when security is required only for a short period.

(f) The derivation of security by means of a mathematical algorithm is common practice, but the underlying fear which can never be removed is that security may have been breached by cryptanalysis and that this success may have been concealed.

(g) The idea that the authenticity of a message can be verified by an electronic signature which combines elements of the Keys of both sender and receiver is ingenious but has been tested neither in practice nor at law. It should be regarded as a separate feature to be added to a Cryptosystem at an appropriate time when international agreement has been reached.
(3) THE BCF CRYPTOSYSTEM

The outcome of our studies and experiments over a considerable period is a proposal for a Cryptosystem for commercial use (that is, for non-military applications) which for convenience we call BCF.

BCF is a Cryptosystem in which a key stream generator produces a random sequence of data which is combined character by character with the text of the message to be processed. The Exclusive-OR operator (commonly denoted by EOR or XOR) is used for the combining process. BCF is a practical embodiment of Maurer's Randomized Stream Cipher (see U.M. Maurer, "A Provably-Secure Strongly-Randomized Cipher", EUROCRYPT 1990).

As BCF is intended for general use with all types of computer data, the 'characters' introduced by its bit stream generator have been chosen to be 8-bit bytes which can assume values between 0 and 255 decimal.

(3.1) THE BCF NUMBER PAD

The distinguishing feature of our proposal is the creation of a Pad of Random 8-bit Numbers which is intended to be made freely available throughout the world at low cost and which itself needs no security protection. A BCF Number Pad is available as a single file of approximately 600 Megabytes on a Compact Disc of the type which is now universal. The Pad may be used from a CD Drive or alternatively it can be transferred to a Hard Disc.

The Number Pad we use ourselves has been prepared with elaborate care. It passes all known tests for randomness and, as it incorporates an element of physical randomness, it is unique. To ensure that everybody has exactly the same Number Pad we offer to make available the Number Pad which we employ, which is known as X2. This is copyrighted and authentic copies will carry the BCF Trade Mark for protection against illicit imitations. It is of critical importance that only BCF Number Pads prepared and approved by us and bearing the BCF Trade Mark should be employed, to maintain a high and uniform standard of security for BCF.

(3.2) THE BCF MESSAGE PAD.
A necessary step to BCF encryption is the construction of a Message Pad. For this purpose a string of numbers equal to the length of the message to be transmitted is downloaded from the BCF Number Pad (which is in a CD Drive or on a Hard Disc), starting at an arbitrary position within the Number Pad indicated by a Pointer. A second similar number string is obtained commencing at another position in the Number Pad (chosen randomly and indicated by a second Pointer), taking care that the two strings do not overlap. A third number string is then obtained in similar fashion and the process continues until the required number of strings is available -- typically using about twelve Pointers to obtain twelve number strings, none of which overlap. All these number strings are then EORed together to form a Message Pad which is unique to the particular Message for which it has been created. The Message itself is then encrypted by EORing the Message with the Message Pad.

(3.3) SECURITY OF THE BCF CRYPTOSYSTEM

There are approximately 6*10^8 positions in the Pad from which to choose the start of each string of numbers. With two strings the number of different Message Pads possible is 36*10^16: With twelve strings, the number of different Message Pads theoretically possible becomes about 2 * 10^105 but is reduced by the need to avoid overlapping and by other considerations to about 10^100, which is truly a very formidable and impressively large Message Pad space to explore. Anyone new to the concept of such large numbers will begin to realize its size and significance by writing "1" and following this by writing "0" one hundred times.

Note that the degree of security can be adjusted by the software as circumstances require, from an adequate but relatively low level to an enormously high value, merely by changing the number of strings employed to form the Message Pad.
This facility to adjust security is of assistance to the business user in circumstances where lower levels of security are adequate or where governments impose limitations on the level of security which can be employed. Paradoxically, the facility to adjust the level of security can in some circumstances effectively increase security. Message Pads produced by different numbers of Pointers are entirely different, although they are always the same length as the message in plaintext. It follows that anyone attempting to decrypt an intercepted message without knowledge of the number of Pointers is at a serious disadvantage.

With so many Message Pads available it is highly unlikely that the same Message Pad would ever be used twice, even if the cryptosystem were in continuous use worldwide. This high degree of security can be obtained without employing algorithmic complexity. Moreover it is demonstrably evident that there are no Back Doors!

Note that the disclosure of any Message Pad (for example by carelessness or stealth) will reveal only the one message using that Pad but will not reveal anything else. No messages transmitted either earlier or later are compromised.

Man-in-the-Middle activity requires elaborate preparations which are more probably encountered in political intrigue than in business correspondence. Without full knowledge of BCF Keys and BCF Message Pads, such as might be obtained by commercial espionage, it would be difficult in the extreme to substitute or modify messages (especially in a switched network with packet transmission) and early suspicion would arise in the normal course of the exchange of business messages.

The high security provided with BCF ensures the safety and privacy of a message during transmission. (See also "One-Time-Pads" below.)

(3.4) THE BCF KEYS

Contact between two parties at different locations wishing to communicate securely with each other is made initially by means of a Diffie-Hellman exchange.
Either party may initiate the exchange between them of Part Keys, with the outcome that a complete BCF Key becomes available for the use of both parties. BCF Keys are known as Part1-Keys and Part2-Keys. A Part1-Key has no value unless combined with a Part2-Key to constitute a complete BCF Key. The Key size must be sufficiently large to ensure that the Key itself does not constitute a weakness to security. This is an area where standardization becomes important and we propose that BCF Keys should always be 2048 bit size.

(3.5) BCF ENCRYPTION AND DECRYPTION.

The BCF cryptosystem can be adapted to all computer platforms by writing appropriate software and can provide secure encrypted message transmission between one computer terminal and any other computer terminal interconnected by any transmission medium. The BCF cryptosystem can also be used for encrypting computer data for storage.

When a message is to be encrypted an additional Key is generated. This is the Message Key and it may be derived in many ways. The method used in the BCF prototype software has been to employ the output obtained after processing the computer's real time calendar and clock. The secret BCF Key and the Message Key are then mixed to form a Session Key which is unique to every message or to the messages despatched during one transmission session.

The Session Key is used to determine the initial values of the BCF Number Pad Pointers, taking care that no two Pointers have the same initial value. The number of Pointers is determined by the operator-specified level of security in conjunction with the length of the message. Strings of numbers are downloaded from the BCF Number Pad starting at each Pointer position, with verification that the strings do not overlap. The BCF Message Pad is created by EORing the strings of numbers and the encrypted message is then obtained by EORing the message and the Message Pad. The decryption process is essentially the reverse of encryption.
(3.6) KEY LOCATION

Public Key Cryptosystems are a vaunted solution for the problems anticipated if encryption were employed extensively for privacy in E-Commerce and in personal E-Mail. But there are associated difficulties in Key Distribution, Key Revocation and Key Authentication which have not been solved and which are currently the subject of much discussion and controversy. (See "A Critique of Public Key Cryptosystems" by George H. Foot, which appears below.)

The BCF Cryptosystem rejects the principle of advance publication of Keys by third parties, whether in electronic or in printed form. A far better approach is to consult the Web Page of the party with whom it is desired to communicate in a secure manner. Web Pages have become so commonplace that it is now exceptional to find a commercial company of importance which does not publicize its activities in its Web Page. There is already a vast range of Web Pages owned by organizations of every character and by private individuals, and the number of Web Pages is growing at a phenomenal rate. Most Web Pages list ways in which a company or other organisation can be contacted, and contact is possible in many cases from the Web Page itself. A message to the company from its Web Page will on request produce a reply supplying the current KEY for whatever cryptosystem that company is employing for secure transmissions.

A Key obtained from a public Web Page inspires more confidence than a Key obtained from more shadowy sources, and deservedly so. Furthermore the Web Page has the inestimable advantage that it can carry information instantly on Keys revoked because they are no longer secure -- a severe problem otherwise. In fact the advent of Web Pages can be held to make obsolete other proposals for Key distribution and certification which are controversial and have not yet been brought into use.
Lastly, do not forget the remedy for many business problems: A simple telephone call will in 99.9% of cases provide the correct answer.

(3.7) BUSINESS FEATURES OF BCF

A BCF Key is available for the exclusive use of the two parties which have created that Key. However, if desired, a Group BCF Key can be created very easily and distributed to members of the Group. Note that messages not intended for all members of a Group can continue to be sent securely between any two members of the Group. In fact some members of one Group can be included in another Group without Group messages going astray. Such facilities are valuable for communication between companies with branches at many locations.

BCF software may be written as two separate programs: The first is Administrative and the second is Messaging. This arrangement allows Key creation and storage to be restricted to designated company personnel. Such features and many others can be provided by software writers at the discretion of the business management. BCF is well suited to E-Commerce and to a business environment generally.

(4) BCFX

Another mode is available for the transmission of encrypted messages between two parties and this is known as BCFX. The first step is to establish a BCF Key between two parties if such a BCF Key does not exist already. Let us call the parties A and B. A Message Pad is then created using the number of Pointers appropriate to the level of security desired and of a length which is convenient -- for example a 1 Megabyte or a 10 Megabyte Message Pad could be chosen. But at this stage no Message is concerned. The Pointer values are then transmitted from A to B as a BCF encrypted message, enabling an identical Message Pad to be created at B. The Message Pads at A and B, being identical, can be utilised as a One-Time-Pad by EORing the message with the Message Pad at A to produce ciphertext which is decrypted on arrival at B by EORing the ciphertext with the Message Pad at B.
That part of the Message Pad employed at A and at B for encrypting and decrypting a message is then expunged, as it must be used once only. The procedure for the next message is similar but the starting byte is the byte following the last byte used by the previous message. A similar but different Message Pad is created for transmission in the return direction B to A.

It is to be noted particularly that encryption and decryption with BCFX are simple EOR operations which can take place at the maximum speed of which the processor and transmission link are capable -- which means in practice that bandwidth is the only limit to speed of message transmission and neither encryption nor decryption reduces that speed. When all of a BCFX Message Pad has been exhausted it must be renewed.

(6) ONE-TIME-PADS

It will be observed that with BCFX the Message Pads are used in the same manner as One-Time-Pads. But a distinction is necessary and it should be noted that BCFX is not identical with a One-Time-Pad system in the usual meaning of that description. A step closer to One-Time-Pad operation is possible if the Number Pads employed with BCFX are not universal but are created for the sole use of two parties or of a particular Group of parties. But such restrictions bring the penalty that the Number Pads must be held under secure conditions.

Nevertheless BCF cannot be out-classed in matters of security because BCF software can also include true One-Time-Pad working. In that mode of operation BCF Number Pads must be used once only and must be held securely at all times -- a considerable inconvenience.
Nevertheless, in the circumstances that a company representative were travelling abroad with his laptop computer, it would be no hardship to place a set of ten specially prepared BCF CDs in his jacket pocket before leaving his home base, which would provide him with 6000 MBytes of true One-Time-Pad communication with his company -- without restriction on his use of BCF or BCFX for other communications.

(7) CONCLUSIONS

BCF is a secure Cryptosystem of attractive simplicity suitable for universal application and, with design features such as a Variable Level of Security, Group Control of Keys, etc., is well suited to E-Commerce.

An advantage of BCF is that its security does not depend on the use of a mathematical algorithm. It is demonstrably evident that there are no "Back Doors".

BCF can be used without restrictions on all computer platforms and will work satisfactorily with older as well as fast modern computers without the necessity of any hardware modifications. A CD Drive is required.

The principal features of BCF and particularly its encryption/decryption processes have been tested with appropriate software and function well with surprising speed.

A BCF encrypted message has the same length as the plaintext before encryption and no extra loading of traffic circuits occurs.

A new form of BCF called BCFX encrypts and decrypts messages instantly, obviating any delay in transmission or any loss of transmission circuit capacity.

BCFX destroys its Keys and other evidence of encryption after each message is decrypted. This is a security provision but is also a defence to a subsequent demand by any authority to produce information about Keys, inasmuch as Keys cannot be produced because no Keys remain.

BCF and BCFX facilities can be provided in software at little cost and no new hardware is required.

It is hoped that this description of BCF and BCFX will generate sufficient interest to make it possible to produce BCF as a commercial package.
AN INFORMAL DESCRIPTION OF THE BCF SYMMETRIC KEY PROCESS

by Michael J D Brown

Basic Principles
----------------

The functional requirement for the BCF secret key process is to provide initial values for the pointers indicating the positions within the Number Pad from which key stream data is to be extracted. Every message must, with a high degree of confidence, employ a different set of initial values than messages sent previously. A legitimate recipient must be able to determine the initial values easily, whilst an adversary intercepting the message must employ brute force searching of their possible combinations until readable plaintext emerges from a trial decryption.

BCF derives the initial pointer values from an array which contains a proper permutation of all possible byte values. The permutation is generated under the control of keys, both secret and overt, to the privacy of each encrypted message and guard against repeated use of the same permutation array for subsequent messages. The use of a permutation array as a source of data for establishing an encryption process is evidently of quite general application.

Permutation under Key Control
-----------------------------

On completion of the initial setup process the permutation array consists of 256 entries containing a disordered set S of one each of the decimal values 0..255. As already stated, disordering the permutation array is controlled by keys, each consisting of a string of byte values, repeated if necessary to fill an array K of 256 byte entries. In the prototype BCF software the secret keys are of a standardised length, 256 bytes or 2048 bits. Since the number of possible permutations of byte values is a number of around 1680 bits in length, it is evident that the standardised secret key length is more than adequate to allow the full range of permutations to be generated.
The disordering is performed by the setup stage of the algorithm employed by the ArcFour cipher (which is reputedly identical to the widely-used commercial RC4 system):

  initialise permutation S-array:

    FOR i=0 TO 255
      S(i)=i
    NEXT

  permute the S-array:

    j=0
    FOR i=0 TO 255
      j=(j + S(i) + K(i)) MOD 256
      SWAP(S(i),S(j))
    NEXT

In passing it is worth observing that, in spite of some assertions to the contrary, RC4 (and thus ArcFour) is not subject to any third party intellectual property rights, since there would be many hundreds of older generation programmers who could testify that the algorithm was common knowledge and practice in the mid-1960s for the production of sampling arrays for Monte Carlo simulations. This fact may be the reason why the company chose to protect RC4 by simple trade secrecy, rather than attempting to obtain patent protection.

Secret and Message Keys
-----------------------

Each pair or closed group of authorised users share a secret key, consisting of 256 bytes of data which are generated and distributed as computer data files under a physical and procedural security regime appropriate to the user application. No specific method is prescribed, though the prototype software is capable of generating an exchange of email messages to perform a Diffie Hellman exchange using the 2048-bit modulus prescribed at Section 5.3.3 of the IETF IPSEC Working Group Simple Key-Management for Internet Protocols (SKIP) draft document dated 21st December 1995. Within a commercial company environment we would expect that central generation and physical distribution to the various departments would be preferred.

When a message is to be encrypted an additional key, intended to be unique to that message, is generated. This, the message key, may be derived in many different ways: an algorithmic sequence generator, or the outcome of processing the computer's real time calendar and clock, immediately suggest themselves, the latter being employed in the BCF prototype software.
The message key is inserted in plain view in the header of the encrypted message. The secret and message keys are then mixed as follows:

1. Perform the normal "initialise permutation S-array" process, as defined above.
2. Perform the "permute the S-array" process as defined above with the K-array containing the secret key.
3. Perform the "permute the S-array" process as defined above with the K-array containing the message key.
4. Perform the "permute the S-array" process as defined above again with the K-array containing the secret key.

One important advantage of this method is that both the secret key and the session key can be of any length up to 265 bytes. A second, and probably more significant, advantage is that an adversary's knowledge of the message key is of no assistance to him, since its effect is cloaked in both directions by the permutation of the S-array under the control of the secret key.

The final outcome of the permuting of the S-array is equivalent to a session key in common cryptographic practice because it is used to determine the initial values of the BCF pad file pointers for the encryption of a single message. Further work is evidently necessary in contemplation of the proposed UK E-commerce legislation to avoid the necessity of disclosing the secret key to a LEA serving a decryption notice upon a BCF user.

The fact that the now scrambled contents of the S-array are a proper permutation is of particular value in ensuring not only that no two pointers ever receive an identical initial value (which would cancel out both their contributions to the security level), but also significantly reduces the chance of parts of the encrypting key streams coming from overlapping parts of the pad file if the initial pointer values lie too closely together.

The user-specified degree of required message security and the length of the pad file to be employed determine the number of pointers required.
Initial values are determined by taking bytes in their permuted order from the S-array and depositing them in turn into the pointer variables. A number of schemes are possible, but in the BCF prototype software each pointer is initially formed as a 4-byte integer, their most significant bytes being a single byte taken from the S-array (and thus guaranteed different for each pointer), the next most significant bytes are formed by EORing together more bytes from the S-array taken in pairs, and so forth. After the pointers have received their complete complement of bytes their values are right-shifted to scale them to suit the size of the pad file.

Further development of the secret key process described above is possible, including the employment of a multiplicative congruential sequence generator to distribute the secret and message keys into the K-array in a pseudo-random fashion. Such enhancement could be a significant benefit if the keys are short. However, as it was decided to use full-length 256-byte secret keys as standard practice in the prototype BCF software, the merits of such an enhancement have not been a material issue and hence have not yet been subjected to a detailed evaluation.

An additional enhancement of the process of disordering the permutation array is to replace the single secret key file with the option of specifying a secret key directory, containing a number of individual key files, which would be applied in canonical order at Steps 2 and 4 of the mixing process outlined previously. This idea offers the prospect of representing a large number of secret keys employed within an organisation by a relatively small number of actual key files. For example, with a set of 8 individual key files, 256 different key sets could be constructed by the omission or inclusion of the files in a key folder. Key sets of this type could be structured to provide disjoint sub-group keys for controlling access to multiple address encrypted email messages.
A CRITIQUE OF PUBLIC KEY CRYPTOSYSTEMS

by George H. Foot

SUMMARY: A presentation of the drawbacks inherent in Public Key Cryptosystems and the difficulties and hazards which can be expected to arise in practice, from the point of view of an operator in a commercial environment. The reader needs to be familiar with the concept of Public Key Cryptography.

(1) INTRODUCTION

Public Key Cryptography employs two Keys, one of which (The Public Key) is published and the other (The Private Key) is kept secret. The Public Key is available to anyone who wishes to communicate securely with the owner of the Private Key. Although Public Key Cryptography is a brilliant invention there are several problems which have appeared for which no good solutions have been found.

(2) THE PRIVATE KEY:

The owner is expected to keep his Private Key secret for all time, for otherwise deception is possible by anyone who becomes possessed of that Private Key. It is very difficult to keep something secret for an extended period of time when it has to be employed every day and guarded every night -- the more so, obviously, when the owner of a Private Key is a company or other organization engaged in large scale business at numerous locations. In daytime the Private Key has to be employed in encrypting messages, during which it is present and accessible from computers, or possibly it can be extracted from connecting cables or magnetic fields. The secret is probably shared amongst employees, some of whom may become disaffected with the company for which they work and maliciously reveal the Private Key to competitors, and some of whom may have been planted within the company by a competitor for the sole purpose of learning its secrets.
Apart from other considerations, the considerable vigilance which is necessary to operate any security system cannot be maintained at a sufficiently high level and be continued ceaselessly over long periods by human beings who are concerned with day-to-day problems relating to their duties and distracted not infrequently by various personal worries. Lapses on the part of operators are the commonest weaknesses in any security system.

It is the vulnerability of the Private Key which is the inherent weakness of a Public Key Cryptosystem. The loss of a Private Key for whatever reason is a disaster which in practice is likely to occur and almost impossible to prevent.

(3) THE PUBLIC KEY:

If Public Key Cryptography were in common use worldwide, the number of Public Keys required would be very large. It has been suggested that a Central Register should be established which would hold Public Keys and issue them on request with a certificate of authenticity. Who is responsible for losses incurred if the Key issued is not valid? Will there be separate Registers in each country? Will they hold Keys of nationals of other countries? Will they charge for their services? Will they advertise? Will the need for commercial viability affect their integrity? Will they maintain the accuracy of their records on a daily basis? An hourly basis? Continuously?

Most countries are loath to surrender any of their traditional powers to monitor covertly all electronic communications between their citizens. In large part this attitude stems from the desire of clandestine intelligence agencies within government to retain their privileges. It is a legitimate fear that a tolerant attitude by government initially will be followed by legislation which progressively restricts the free use of cryptography in the civil sector.

(4) THE DANGEROUS KEY

A major weakness in a Public Key Cryptosystem is the difficulty of withdrawing a Public Key which is no longer valid.
The problem is simple to explain but an effective solution does not exist and possibly is impossible to find. The difficulty is that a Public Key which has been in use for some time will exist in many forms:

On the computers of the numerous customers of a company, some of whom trade with the company regularly, some spasmodically and some no longer:

On the computers of lawyers, government departments, trade associations, competitors, and endless other organisations with which the company has had contact in the past:

In newspapers, TV advertisements and other publicity material used by the company at any time.

On storage media of which there is no record.

It follows that there is no way in which a Public Key can be withdrawn with assurance that it will cease to be employed. It is also to be remembered that security considerations require that Keys should be changed frequently, which implies that worldwide use of Public Key Cryptography would require that thousands of Keys be changed every day for one reason or another -- which in fact may be infeasible.

It is significant and disconcerting that current discussion centres on establishing methods for Key Distribution without consideration of the much more intractable problem of Key Annulment.

(5) REALITY

Why use a Public Key Cryptosystem? There is an appeal in the idea of Public Keys which can be published by everybody and become available to everyone else, but the idea is more romantic than sensible. Our need is for a simple method of encrypting those portions of our electronic communications which need protection from other eyes. For that purpose Public Key Cryptosystems are subject to all the drawbacks which have been described above. Cryptosystems which are practical and satisfactory for use in a commercial environment should not require the publication and distribution of Keys in advance of message transmission.
Cryptosystems are available which generate new Keys at the time of message despatch and discard those Keys immediately after use: Such cryptosystems should be preferred.

George Foot.

--
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk

From david@swarb.freeuk.com Sat, 6 Nov 1999 09:18:33 +0000
Date: Sat, 6 Nov 1999 09:18:33 +0000
From: David Swarbrick david@swarb.freeuk.com
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

In message , Dave Bird wrote:
>In article , David Swarbrick
> writes
>>>>Regarding the electronic communications bill, Ms Hewitt confirmed she was in
>>>>discussions about removing controversial clauses giving the police powers to
>>>>unscramble encoded e-mail.
>>>>
>>>>These measures would be tagged on to a Home Office bill updating existing
>>>>law regulating phone tapping."
>>>
>>> Sorry I was so tied up in many other issues that personally I didn't
>>> get a response in but left it to wiser heads on the list. This is
>>> largely what we expected and demanded "postpone it and get it right
>>> in IOCA".
>>>
>>> But it is **only** postponed to IOCA
>>
>>Perhaps Nigel could indicate if there would be any purpose in
>>constructive proposals from here?
>>
>>I assume the postponement will allow a rethink?
>
>
> I take it you are an optimist :->

Well, I think there are things which could be done. The real problem is that the government talks only to the police, GCHQ and one or two big companies. Each has their own agenda, and they might have learnt by now that the current list of preferred consultees has misled them every time.

Even now, the implication of one of the comments I heard this week was that the government will still bring back escrow through the use of the standards for the 'approvals' system. One can then expect government contracts only to go to 'approved/quality' companies, and everyone who deals with those companies will have to become part of the same system.
> and HOW MUCH CONSULTATION PERIOD WILL WE GET THIS TIME, NIGEL?
> MORE THAN 14 DAYS? Fifteen perhaps?? (six to eight weeks
> would be more appropriate).

I think that much longer is needed. The present proposals are spitting into the wind of fundamental and inescapable logical attributes of encryption. I do believe that any cosmetic tinkering with what is now on offer will, in five or so years, come to be seen as having crippled electronic commerce before it starts. It is the equivalent of first tying together the back legs of your horse, before jumping on its back and looking ahead keenly to the race ahead, reassuring supporters that the chaps at GCHQ have given their personal promise that horses do not in fact use those particular legs much when running. We must start again.

-- 
David Swarbrick, Solicitor
01484 722531 - david@swarb.freeuk.com
www.swarb.co.uk - law-index of 10,000+ uk case summaries and uk.legalFQA
The Law Society regulates our investment business. IP / IT Law and Contracts.

From adam@homeport.org Sat, 6 Nov 1999 18:43:19 -0500
Date: Sat, 6 Nov 1999 18:43:19 -0500
From: Adam Shostack adam@homeport.org
Subject: Serpent

Bruce,

While it's tiresome, having a fresh set of people look at the cipher serves the valuable purpose of ensuring that the authors didn't make mistakes, and allows an analyst to come at the cipher with a fresh perspective. Reading the Twofish papers taught me a lot about block cipher analysis, but prejudiced me beyond ever being able to look at and attack the cipher. By leaving out that analysis, does the Serpent team leave the outside analyst more free of the assumptions that the authors made?

Adam

On Tue, Nov 02, 1999 at 08:00:43AM -0600, Bruce Schneier wrote:
|
| I know that both Eli and Lars like to keep unfinished or inconclusive results
| to themselves. They both said as much some years ago when I had the
| naive thought that we could somehow "rate" algorithms based on the number
| of hours smart cryptographers have spent analyzing them. It's a perfectly
| reasonable position, but I think the AES process is a special case. In the
| Twofish submission, we tried to put everything in the cryptanalysis section:
| attacks--attacks that don't work, observations that we can't turn into
| attacks--everything. We felt this was the right thing to do. In
| our analysis
| of Serpent, we probably will end up covering a lot of ground that
| the designers covered already. This seems inefficient, if the goal is
| to choose a good AES standard.
|
| This is very different from the RC6 and Mars submissions, which contain
| dozens of pages of analysis work. Of course this doesn't prove that any
| algorithms are better than any others, but at least when you're working on
| Mars you can see what the designers were thinking when they included
| the various pieces they included. To me, it means that as an analyst you
| can start covering new ground quicker.

-- 
Resistance is futile!
http://jobs.zeroknowledge.com

From hcorn@cix.co.uk Sun, 7 Nov 1999 8:18 +0000 (GMT Standard Time)
Date: Sun, 7 Nov 1999 8:18 +0000 (GMT Standard Time)
From: Peter Sommer hcorn@cix.co.uk
Subject: LSE/CSRC Nov 16: Critical National Infrastructure

Posted here because CNI issues are often raised as a reason for having restrictive national crypto policies:

CSRC/LSE Information Security Colloquium 1999-2000 series

Protecting the Critical National Infrastructure: Differing National Responses

Dr Andrew Rathmell
International Centre for Security Analysis
Department of War Studies, King's College London

November 16 1999, 1700 hrs
Room D602 Clement Building
London School of Economics
Aldwych, London WC2

It is now a commonplace that nations need to protect not only their geographic boundaries and essential trading routes but also their critical national infrastructure of telecommunications, computers, electricity and supplies of food, water and fuel. This new military doctrine is one of the key features of "information warfare". But different countries have very different approaches: in the United States there are one or more specific agencies, led by the National Infrastructure Protection Center. In the United Kingdom activity takes place in semi-secret. Other European nations and Australia have yet different responses. Andrew Rathmell will present recent research which discusses the reality of the threats and the comparative advantages of the varying national responses.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The purpose of the security colloquia is to allow practitioners and academics the opportunity to discuss current topics in information security and related subjects at greater depth than is possible within the confines of the regular commercial conference. Practitioners can consider long term trends and review some of the newer ideas emerging from academic research. Academics can discover new concerns emerging within the industry.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Admission is free this academic year, but non-LSE members are asked to notify their intention to attend either by e-mail to csrc@lse.ac.uk (not to the originator of this message) or by phone to 0171-955 6619 or fax: 0171-955 6607. The Clement Building is located on the Aldwych, London WC2A 2AE, close by the Courts of Justice and St Clement Dane Church.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Next Meeting: November 30: Chris Sundt, CBI: "Selling Information Security to Board Level"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

|-> Peter Sommer --------------------------------------------->|
|-> hcorn@cix.co.uk P.M.Sommer@lse.ac.uk -------------------->|
|-> Academic URL: http://csrc.lse.ac.uk/Sommer/sommer.htm ---->|
|-> Commercial URL: http://www.virtualcity.co.uk ------------->|

From gladman@seven77.demon.co.uk Sun, 7 Nov 1999 11:29:28 -0000
Date: Sun, 7 Nov 1999 11:29:28 -0000
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: The BCF Cryptosystem

From: George Foot
To: ukcrypto
Sent: Saturday, November 06, 1999 11:34 AM
Subject: The BCF Cryptosystem

[snip description of the BCF cryptosystem]

I was interested to read about BCF.

At this stage I have not looked at the proposal in great detail but I was especially surprised to find that it uses a public key scheme for key distribution (Diffie-Hellman). It seems strange to criticise such methods to the point of rejection but then to employ them for a critical aspect of the proposed system.

It is also desirable to compare BCF, the proposed symmetric cipher, with 'state of the art' alternatives such as those proposed for AES. The five AES finalists offer key lengths of 128, 192 and 256 bits and throughputs of between 25 and 100 Million bits per second on a 200 MHz Pentium family machine.
Since each BCF pointer offers less than 32 bits of key space, the AES key lengths require BCF equivalents of about 4, 6 and 8 pointers respectively. For the sake of comparison it would be helpful to know what performance BCF can achieve with these numbers of pointers so that we can compare it with other ciphers on offer.

At first sight the cipher looks very resource intensive. It either ties up a CD-ROM drive (or requires a CD to be repeatedly loaded and unloaded) or 600+ Mbytes of hard disc space. In addition it seems likely that the runtime cost of CD or disc access (seek times etc) will be high and this will make the cipher very slow when compared with other symmetric ciphers such as those designed for AES. But it would be useful to have figures here since I am just guessing.

And, of course, the heavy reliance on disc input and the memory buffers this involves will create many opportunities for discovering those parts of the primary key space that may have been used in compiling message keys. Even if the exact pointers cannot be found, the ability to recover a few sequences from disc buffers would massively reduce the search required in looking for the precise key pointers used.

And since most ciphers are NOT broken by breaking the algorithm but rather by exploiting implementation weaknesses I suspect that BCF will compare poorly with other ciphers in this respect.

All software based ciphers are vulnerable to being undermined by weaknesses in the underlying operating system of the machines on which they are run. Such weaknesses are difficult to remove but most ciphers seek to limit their dependence on the underlying OS to the issues involved in memory allocation and in the operation of critical code sections.

But BCF, by its very nature, depends on the OS for disc input operations where disc access positions are critical to its security (anyone who knows these positions knows many bits of the corresponding keys). I will be interested to hear how the designers have prevented attacks on BCF based on the logging of the disc accesses that their cipher makes during key generation.

While all software ciphers inevitably depend on OS security, it is not a good idea to make this dependence any larger than it needs to be. Making cipher security dependent on the security of the underlying disc and file access system does not seem to me to be a sound approach to cipher design.

Brian

From georgefoot@oxted.demon.co.uk Sun, 7 Nov 1999 12:48:02 +0000
Date: Sun, 7 Nov 1999 12:48:02 +0000
From: George Foot georgefoot@oxted.demon.co.uk
Subject: The BCF Cryptosystem

Dear Brian,

Thank you for your close interest in the BCF Cryptosystem which is much appreciated. Your questions are reasonable but there are some very good answers. I do not wish to reply off-the-cuff as your comments must be studied carefully. So please expect a reply shortly.

All cryptosystems are defective in one respect or another and all will thrive and then wither; but endless complication to plug leaks is not the business man's point of view when seeking a system which suits his immediate purposes and his convenience.

George

In message <001d01bf2913$639156d0$966adec2@fortytwo>, Brian Gladman writes
>From: George Foot
>To: ukcrypto
>Sent: Saturday, November 06, 1999 11:34 AM
>Subject: The BCF Cryptosystem
>
>[snip description of the BCF cryptosystem]
>
>I was interested to read about BCF.
>
>At this stage I have not looked at the proposal in great detail but I was
>especially surprised to find that it uses a public key scheme for key
>distribution (Diffie-Hellman). It seems strange to criticise such methods
>to the point of rejection but then to employ them for a critical aspect of
>the proposed system.
>
>It is also desirable to compare BCF, the proposed symmetric cipher, with
>'state of the art' alternatives such as those proposed for AES.
>The five
>AES finalists offer key lengths of 128, 192 and 256 bits and throughputs of
>between 25 and 100 Million bits per second on a 200 MHz Pentium family
>machine. Since each BCF pointer offers less than 32 bits of key space, the
>AES key lengths require BCF equivalents of about 4, 6 and 8 pointers
>respectively.
>For the sake of comparison it would be helpful to know what performance BCF
>can achieve with these numbers of pointers so that we can compare it with
>other ciphers on offer.
>
>At first sight the cipher looks very resource intensive. It either ties up a
>CD-ROM drive (or requires a CD to be repeatedly loaded and unloaded) or 600+
>Mbytes of hard disc space.
>In addition it seems likely that the runtime cost of CD or disc access (seek
>times etc) will be high and this will make the cipher very slow when
>compared with other symmetric ciphers such as those designed for AES. But
>it would be useful to have figures here since I am just guessing.
>
>And, of course the heavy reliance on disc input and the memory buffers this
>involves will create many opportunities for discovering those parts of the
>primary key space that may have been used in compiling message keys. Even if
>the exact pointers cannot be found, the ability to recover a few sequences
>from disc buffers would massively reduce the search required in looking for
>the precise key pointers used.
>
>And since most ciphers are NOT broken by breaking the algorithm but rather
>by exploiting implementation weaknesses I suspect that BCF will compare
>poorly with other ciphers in this respect.
>
>All software based ciphers are vulnerable to being undermined by weaknesses
>in the underlying operating system of the machines on which they are run.
>Such weaknesses are difficult to remove but most ciphers seek to limit their
>dependence on the underlying OS to the issues involved in memory allocation
>and in the operation of critical code sections.
>
>But BCF, by its very nature, depends on the OS for disc input operations
>where disc access positions are critical to its security (anyone who knows
>these positions knows many bits of the corresponding keys).
>
>I will be interested to hear how the designers have prevented attacks on BCF
>based on the logging of the disc accesses that their cipher makes during key
>generation.
>
>While all software ciphers inevitably depend on OS security, it is not a
>good idea to make this dependence any larger than it needs to be. Making
>cipher security dependent on the security of the underlying disc and file
>access system does not seem to me to be a sound approach to cipher design.
>
> Brian
>
>
>

-- 
George Foot
georgefoot@oxted.demon.co.uk
http://www.oxted.demon.co.uk

From david@swarb.freeuk.com Sun, 7 Nov 1999 19:55:11 +0000
Date: Sun, 7 Nov 1999 19:55:11 +0000
From: David Swarbrick david@swarb.freeuk.com
Subject: FT reports decryption powers to be dropped from E-Comms Bill (30/10/99)

In message <199911060414_MC2-8BFA-6C35@compuserve.com>, Nigel Hickson wrote:
>Colleagues
>
>Whether Part III is on the EC bill or somewhere else; constructive comments
>on text re sections 10 - 14 (and there have already been some) are always
>welcome.

I will happily put forward constructive criticism when I can believe that the people listening have any intention of giving what is said an honest ear. I heard Patricia Hewitt on the radio this lunch-time. Her description of the effect of these sections was so far from the truth that one must question either her honesty, or her intelligence and the honesty of those advising her. She had the bare-faced cheek to claim that the powers only set out to achieve similar powers as for non-computer based police activity. I am not a civil libertarian with a commitment to freedom at all costs. I want the police to have proper and effective powers - but this is nothing at all like that.
Nigel, please explain why it should be that the bill as drafted makes no attempt to justify its extraordinary powers by even a suggestion that they might be used only for offences serious enough to justify an ordinary search warrant. The constructive criticism is to dump the sections entirely and start again. Anything else will lead to huge embarrassment in the courts. The Justice report was written by people who had only a superficial understanding of what the Home Office is trying to achieve.

-- 
David Swarbrick, Solicitor
01484 722531 - david@swarb.freeuk.com
www.swarb.co.uk - law-index of 10,000+ uk case summaries and uk.legalFQA
The Law Society regulates our investment business. IP / IT Law and Contracts.

From daw@cs.berkeley.edu 5 Nov 1999 10:02:34 -0800
Date: 5 Nov 1999 10:02:34 -0800
From: David Wagner daw@cs.berkeley.edu
Subject: Confidence in AES (was Serpent)

In article <003301bf277d$c716aad0$966adec2@fortytwo>, Brian Gladman wrote:
> I certainly consider this an issue worth considering and, as a first cut, I
> have looked at each of the five *** round 1 *** specifications for the AES
> finalists to see how much coverage of cryptanalysis was provided. I know
> this is not a sensible measure but we have to start somewhere.
>
> The number of pages covering cryptanalysis in each of these specifications
> are:
>
> RC6 - 2.5 pages
> Serpent - 5 pages
> Rijndael - 8 pages
> Twofish - 15 pages
> MARS - 27 pages
>
> This shows a very large variation but actually suggests that the criticism
> of 'insufficient cryptanalysis' could be levelled at RC6 even more than
> Serpent. In this light, the suggestion by Bruce above, that the RC6
> submission contains 'dozens of pages of analysis work', must be based on
> other documents (round 2 publications?).

The RC6 folks have, to their credit, published _tons_ of analysis work on RC6. `The Security of the RC6 Block Cipher' is 65 pages long, and then there's also their 15-page FSE'99 paper. I think the RC6 and MARS teams (and, I like to believe, the Twofish team) have set an excellent standard in this regard. One might attempt to fault RC6 or MARS for some other reason, but not for lack of documentation of their design & analysis work.

So in this case, yes, I do think that your decision to look at just the round one documents might have produced an unrepresentative result here. I would be interested to see how the results differ if one takes into account material published by the design teams after the submission.

From bruce@counterpane.com Sat, 06 Nov 1999 00:56:29 -0600
Date: Sat, 06 Nov 1999 00:56:29 -0600
From: Bruce Schneier bruce@counterpane.com
Subject: Confidence in AES (was Serpent)

At 09:24 AM 11/5/99 -0600, Brian Gladman wrote:
>I certainly consider this an issue worth considering and, as a first cut, I
>have looked at each of the five *** round 1 *** specifications for the AES
>finalists to see how much coverage of cryptanalysis was provided. I know
>this is not a sensible measure but we have to start somewhere.
>
>The number of pages covering cryptanalysis in each of these specifications
>are:
>
>RC6 - 2.5 pages
>Serpent - 5 pages
>Rijndael - 8 pages
>Twofish - 15 pages
>MARS - 27 pages
>
>This shows a very large variation but actually suggests that the criticism
>of 'insufficient cryptanalysis' could be levelled at RC6 even more than
>Serpent. In this light, the suggestion by Bruce above, that the RC6
>submission contains 'dozens of pages of analysis work', must be based on
>other documents (round 2 publications?).

To be fair, the RC6 team published a separate document containing all of their analysis about the algorithm a month or so after the submission deadline. That document should certainly count towards that algorithm's total.
Bruce

From lists@notatla.demon.co.uk Sun, 7 Nov 1999 21:28:54 GMT
Date: Sun, 7 Nov 1999 21:28:54 GMT
From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk
Subject: The BCF Cryptosystem

George Foot :
> Man-in-the-Middle activity requires elaborate preparations which are
> more probably encountered in political intrigue than in business
> correspondence. Without full knowledge of BCF Keys and BCF Message Pads
> such as might be obtained by commercial espionage it would be difficult
> in the extreme to substitute or modify messages (especially in a
> switched network with packet transmission) and early suspicion would
> arise in the normal course of the exchange of business messages.

This being a stream cypher your active adversary can flip bits in a message and increase and decrease the message length. In the absence of some integrity check (MAC) you are reliant on the recipient to recognise faulty traffic. Not all traffic has this property (passing X-ray photos between hospitals for example).

Larger messages (approaching 600 Mb /12) seem to have greatly reduced keyspaces. And where are you for encrypting a backup of several Gb ?
From cb@fipr.org Sun, 7 Nov 1999 22:00:57 -0000
Date: Sun, 7 Nov 1999 22:00:57 -0000
From: Caspar Bowden cb@fipr.org
Subject: History of DTI "Crypto Working group" (was RE: FT reports decryption powers....

> [mailto:owner-ukcrypto@maillist.ox.ac.uk]On Behalf Of David Swarbrick
> Sent: 06 November 1999 09:19
...
> ..The real problem is
> that the government talks only to the police, GCHQ and one or two big
> companies. Each has their own agenda, and they might have
> learnt by now
> that the current list of preferred consultees has misled them every
> time.

With the next meeting of the DTI's "Crypto Working Group" coming up on Friday (John.Smith@CIID.dti.gov.uk for details), I thought list members might be interested in the reply I received to an Open Government request on the composition and activities of the WG during its life (as far as I am aware the existence of the WG was only publicly divulged in an e-mail to the ukcrypto mailing list by Nigel Hickson on 13th December 1998).

I would draw your attention to the statements that:

*) "the group originated some time in 1992 but we have not been able to track down any papers...nor whether there were ever any agreed terms of reference"

*) "group has met occasionally but records do not appear to have been kept of discussions..."

*) "I do not feel the lack of records on the meetings of the group in any way undervalues its role..."

I have never come across any "Working Group" that doesn't keep minutes (how did it do its "work"?), yet the DTI's position is that the only records surviving from an unknown number of meetings, between unknown parties, with unknown terms of reference, are three short written agendas. This seems unusual civil service practice.

I would further suggest that this position is not reasonably consistent with the rebuttal of the criticism of the T&I Select Committee (Tenth Report HC 648, Para 105) that the DTI had not worked "with all interested parties" in developing its cryptography policy over a lengthy period. The DTI defended itself (para.43) by saying:

"On the contrary, the Government has worked with industry (users, technology providers and potential TSPs) in developing its policy on encryption. Over the last five years the DTI has hosted regular meetings of its Cryptography Working Group."

Does all this past grief matter? I think so. Nigel claims periodically on this list that there WAS significant support for key escrow at some stage. It's important for the historical record that the truth can eventually be ascertained - and repairing lapses of record keeping may prove impossible at the time when records finally become eligible for public disclosure.

-- 
Caspar Bowden http://www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)171 354 2333 Fax: +44(0)171 827 6534

=================================

Department of Trade and Industry
151 Buckingham Palace Road
London SW1W 9SS
Enquiries 0171-215 5000
Fax 931 7194
Direct line 215 2940
Date 24 September 1999

Dear Mr Bowden

In the course of our discussions with the Parliamentary Commissioner for Administration about your complaint against this Department, we were informed that you had been dissatisfied at the information we had given you on the DTI's Cryptographic Working Group. I have therefore reviewed the action and correspondence taken in response to your request on this subject.

I have looked at Nigel Hickson's e-mail to you of 22 December 1998 and concluded that this was a reasonable summary of the purpose and membership of the group. I note that Nigel Hickson subsequently invited you to join the group and that you attended the meeting held earlier this year.
You will be invited to future meetings as a matter of course. I have, however, looked at the files and for the sake of completeness can offer the following additional information about the group.

Our files indicate that the group originated some time in 1992 but we have not been able to track down any papers relating to the early meetings of the group nor whether there were ever any agreed terms of reference. There is reference in 1995 to the Group in the context of identifying Industry groups who might enter into a dialogue with Government on the cryptographic policy options being debated at that time. That note referred to the input made by the group to the development of ideas about TTPs in 1993.

Over recent years, the group has met occasionally but records do not appear to have been kept of discussions. The only record I can find is of a discussion in September 1995 at which, pursuant to the consultation process referred to above, the group were asked their views on the Royal Holloway College's paper which had recently been put to the Brisbane conference. The participants at that meeting argued that there was an urgent need for a Government statement on key escrow to allow a rational debate to take place. The meeting also discussed TTPs with a minority of participants proposing that Government agencies should take on the role. There was general agreement on the need to license TTPs but no consensus on what role "non approved" forms of encryption might have in the market place. There was general disagreement with the policy options being proposed in the US at that time.

Nigel Hickson recalls that at a meeting in 1996, the Group discussed the Government statement on encryption and the general situation on export controls on encryption. I attach copies of the draft agendas we have found for meetings in 1995, 1997 and 1998.

I do not feel that the lack of records on the meetings of the group in any way undervalues its role. We have used the group as an informal sounding board for policy developments relating to cryptography and the meetings have, as such, acted as a more interactive adjunct to the extensive formal consultations which have taken place. We have sought representation from those who have the closest interest in cryptography in the business community: both suppliers of hardware and services and key users of those technologies. Participants from such companies have been invited largely on the basis of their personal knowledge and ability to contribute in such a forum. Because the group meets "by invitation only" we have not sought to broadcast its existence and it has been made clear to Nigel Hickson that, from the earliest meetings, there has been a desire of the business members not to have their names and affiliations made available to third parties. I believe we must continue to respect that wish although you are perfectly free to revisit this at the next meeting of the group.

I am copying this letter to the Office of the Parliamentary Commissioner for Administration.

I hope this is helpful.

Yours sincerely
Geoff Smith

===========================

Draft Agenda (7th Sept 1995)

1. Welcome Introduction
2. UK Developments:
   DTI Digital Signature Workshop
   HMG Policy on Confidentiality Services
   Associated legal issues
   Royal Holloway - Architecture for TTPs
3. US Developments:
   US policy developments
   TIS - Commercial Key Escrow
   Bankers Trust - Private Key Escrow System
4. European Developments:
   Infosec Decision
   Dual Use Regulation
   Medical Informatics
   Infosec TTP
   Digital Signature Programmes
5. AOB

===============================

DTI Cryptographic Working Group
6th/8th May 1997
1 Victoria Street, London

DRAFT AGENDA

1. Introduction
2. DTI Consultation Document
   - Overview
   - Industry presentations
     Robert Bond (Hobson Audley Hopkins & Wood)
     Chris Sundt (ICL)
     Peter Dare (IBM)
     Alan Liddle (TIS)
   - Open discussion
3. International Developments
   - OECD Cryptography Guidelines
   - EU IUS
4. Export Controls
5. A.O.B

===============================

DTI Cryptographic Working Group
28th May 1998 09.30- 1300
1 Victoria Street, London

DRAFT AGENDA

1. INTRODUCTIONS AND ADMINISTRATION ARRANGEMENTS
2. OBJECTIVES OF MEETING
   explain HMG Policy
   table statement, and draft directive
   determine actions
   allocate jobs ?
   comments on draft Directive
3. HMG ENCRYPTION POLICY & DIGITAL SIGNATURES (practical implications, potential Bill timing and content)
4. EUROPEAN ASPECTS (EU Communication on Digital Signatures and Encryption, Potential Directive and implications)
5. INTERNATIONAL ASPECTS (OECD, UNCITRAL, US)
6. AOB.

From daw@cs.berkeley.edu 7 Nov 1999 13:55:34 -0800
Date: 7 Nov 1999 13:55:34 -0800
From: David Wagner daw@cs.berkeley.edu
Subject: The BCF Cryptosystem

First, I should mention that I have serious reservations about whether it is a good idea to be designing your own symmetric-key ciphers for your own application in an age where we already have Triple-DES and the AES, ciphers that have received much more scrutiny than your proposal has received so far (or, I venture to guess, is likely to receive in the near future). But I'll assume you are already aware of those issues and have decided, for some (presumably) especially compelling reasons, to press ahead anyway.

That said, I've looked at proposals for symmetric ciphers much like this one at least three times before (sometimes in collaboration with others), and so have some small thoughts on potential weaknesses in your design. Those previous cipher proposals were never published (much like your proposal), and as a result, I've never had any luck publishing the resulting attacks (and rightly so, I would imagine). Moreover, as an academic (or, at least, an aspiring student), the incentive structure discourages spending time on work that can't be published. Consequently, I'm not terribly motivated to spend any _more_ time on these types of systems.
All of this makes me think that it might be unwise for me to devote too much time on your proposal before it has been published. Nonetheless, I'll take the time to briefly describe one weak point in this type of system, despite my reservations. See below. Please accept my apologies for not spending more time on your proposal. In the meantime, I'd strongly encourage you to publish the proposal. Unpublished proposals often don't receive the scrutiny they perhaps would otherwise merit; and even if readers do find attacks on the proposed system, you may not hear about them if the attacks cannot be published. Certainly there are many others much better qualified than I to analyze your system, but I expect them to be governed by the same limitations of the academic environment, just as much as (if not more than) I am. Perhaps the incentive structure ought to be improved somehow, but in the meantime, as I've mentioned in private email, I suspect that the best way to receive adequate scrutiny may be to to find a way to publish the proposal somewhere. I hope this isn't off-topic for ukcrypto, but I wanted to respond where you originally posted. The observation is that related-key cryptanalysis is deadly here. When the adversary may obtain the answer to a few related-key queries, he can recover the entire key value with very little work. Moreover, there are active attacks which allow the adversary (under favorable conditions) to obtain the answer to a few related-key queries, using only the ability to tamper with transmitted ciphertexts. Consider your BCFX protocol, where a BCF session key (consisting of twelve pointers) is encrypted by xor-ing it with a one-time pad, like this: Alice -> Bob: `Bob, our encrypted session key is K xor P' where K is the random BCF session key, and P is the one-time pad. 
But now, if I am not mistaken, an active adversary may flip a bit in the resulting ciphertext, and then a corresponding bit will be flipped in the decrypted BCF key that Bob obtains after xor-ing out P. In this way, an active adversary may mount related-key attacks against BCF using only chosen-text queries against the BCFX protocol.

Now suppose we have two BCF keys K and K' that differ only in one pointer, and suppose that the adversary knows this fact, and suppose moreover that some known plaintext is encrypted under K and then the resulting ciphertext is subsequently decrypted under K', and finally suppose that the adversary is able to obtain access to the incorrectly-decrypted text. Then the incorrectly-decrypted text will differ from the correct plaintext only in the application of a _two-pointer_ BCF system! (Here is the basis for that observation: if we modify the j-th pointer in K to obtain K', then the two-pointer BCF system contains just the j-th pointer of K as well as the j-th pointer of K'.) This provides an easy way to recover partial information about K and K': we simply need to break a two-pointer BCF system, which is easy.

A malicious party may use this idea to obtain a simple active attack on the BCF/BCFX system. The malicious party, Mallet, simply tampers with the BCFX protocol in the manner described above: when Alice initiates a connection with Bob, Mallet interferes as follows,

  Alice -> Mallet: `Bob, our encrypted session key is K xor P'
  Mallet -> Bob:   `Bob, our encrypted session key is K xor P xor D'

where D is a key-difference chosen by Mallet to ensure that exactly one BCF-pointer is modified. Bob will decrypt K xor P xor D using his one-time pad P to obtain a BCF session key, call it K'. We have K' = (K xor P xor D) xor P = K xor D. Thus Alice thinks the BCF session key is K, and Bob thinks it is K'.
Now when Alice encrypts a message M under the BCF session key K, we allow the ciphertext C to proceed to Bob unmodified; after Bob decrypts C under his view of the session key K', he will obtain an incorrectly-decrypted message M', which appears to be garbage. Therefore it is natural to expect that Bob might well respond to Alice, saying "your message decrypted to the following garbage; any idea what went wrong?". At this point, the adversary Mallet will have both M and M', which (using the observations of the previous paragraph) will allow him to recover part of the session key K. If the session key is used several times, and we repeat this attack for each pointer of the key K, we obtain a relatively straightforward way to recover the entire session key and thus read encrypted traffic, using only active attacks against the key-exchange protocol.

This attack does require favorable conditions, but might reasonably be expected to be practical to carry out in real life if the endpoints Alice and Bob represent automated processes rather than humans (who presumably might eventually notice the funny business and sound the alarm).

See the following paper for an introduction to this style of related-key cryptanalysis:

  `Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES.'
  John Kelsey, Bruce Schneier, and David Wagner. CRYPTO '96.
  http://www.cs.berkeley.edu/~daw/papers/keysched-crypto96.ps

I hope I described that clearly enough to make sense; and I hope I did not make any mistakes in my understanding of the BCF system. Please take this as a provisional comment, taken with a grain of salt, and allowing for the possibility that I may be misunderstanding your cipher proposal.
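The key-transport step of the exchange above, modelled in Python as an added example. This is not code from the original post and not the BCF software; the internals of BCF itself (pointers into a Number Pad) are not specified in the thread, so only the XOR transport of the session key is modelled. It assumes a twelve-pointer session key with 29-bit pointers (both figures from the thread), each pointer carried in a 32-bit big-endian field, and, as the integrity check the construction lacks, a hypothetical HMAC-SHA256 over the transported key under a separate shared MAC key. Session key, pad and MAC key are generated locally when the script is run. It shows that Mallet's difference D changes exactly one pointer of the key Bob derives (K' = K xor D), and that an authenticated transport rejects the tampered message.

```python
"""Toy model of the BCFX session-key transport and Mallet's bit-flip.

Added example, not part of the ukcrypto post or the BCF software.
Assumptions: 12 pointers of 29 bits, each sent in a 4-byte field;
HMAC-SHA256 under a separate shared key as the hypothetical integrity check.
"""
import hashlib
import hmac
import secrets

POINTER_BITS = 29      # "each pointer is only 29 bits long" (from the thread)
NUM_POINTERS = 12      # a BCFX session key consists of twelve pointers
POINTER_BYTES = 4      # assumption: each pointer carried in a 32-bit field
KEY_BYTES = NUM_POINTERS * POINTER_BYTES


def pack_key(pointers):
    """Serialise a list of pointers (each < 2**POINTER_BITS) into bytes."""
    assert len(pointers) == NUM_POINTERS
    out = bytearray()
    for p in pointers:
        assert 0 <= p < (1 << POINTER_BITS)
        out += p.to_bytes(POINTER_BYTES, "big")
    return bytes(out)


def unpack_key(blob):
    """Inverse of pack_key."""
    return [int.from_bytes(blob[i:i + POINTER_BYTES], "big")
            for i in range(0, KEY_BYTES, POINTER_BYTES)]


def xor_bytes(a, b):
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def random_session_key():
    return [secrets.randbelow(1 << POINTER_BITS) for _ in range(NUM_POINTERS)]


def alice_send(session_key, pad):
    """Alice -> Bob: 'our encrypted session key is K xor P'."""
    return xor_bytes(pack_key(session_key), pad)


def mallet_difference(j, bit):
    """Difference D that flips one bit of pointer j and touches nothing else.

    Keeping bit < POINTER_BITS guarantees the modified pointer is still a
    valid pointer value, so Bob sees a well-formed but different key."""
    assert 0 <= j < NUM_POINTERS and 0 <= bit < POINTER_BITS
    d = bytearray(KEY_BYTES)
    d[j * POINTER_BYTES:(j + 1) * POINTER_BYTES] = (1 << bit).to_bytes(POINTER_BYTES, "big")
    return bytes(d)


def mallet_tamper(ciphertext, j, bit):
    """Mallet -> Bob: 'our encrypted session key is K xor P xor D'."""
    return xor_bytes(ciphertext, mallet_difference(j, bit))


def bob_receive(ciphertext, pad):
    """Bob strips the pad: (K xor P xor D) xor P = K xor D."""
    return unpack_key(xor_bytes(ciphertext, pad))


def differing_pointers(k1, k2):
    """Indices at which two session keys disagree."""
    return [i for i, (a, b) in enumerate(zip(k1, k2)) if a != b]


def run_attack(session_key, pad, j=3, bit=0):
    """Replay the exchange from the thread; return the pointers Bob got wrong."""
    ct = alice_send(session_key, pad)
    bobs_key = bob_receive(mallet_tamper(ct, j, bit), pad)
    return differing_pointers(session_key, bobs_key)


# Hypothetical fix: authenticate the transported key under a separate MAC key.

def mac_tag(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def bob_receive_authenticated(ciphertext, tag, pad, mac_key):
    """Return the session key, or None if the transport was tampered with."""
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return bob_receive(ciphertext, pad)


if __name__ == "__main__":
    k, p, mk = random_session_key(), secrets.token_bytes(KEY_BYTES), secrets.token_bytes(32)
    print("pointers Bob has wrong after tampering:", run_attack(k, p))
    ct = alice_send(k, p)
    tag = mac_tag(mk, ct)
    print("authenticated, untampered, key matches:", bob_receive_authenticated(ct, tag, p, mk) == k)
    print("authenticated, tampered:", bob_receive_authenticated(mallet_tamper(ct, 3, 0), tag, p, mk))
```

The MAC only closes the transport hole modelled here; it says nothing about BCF's own strength once both sides hold the same key, and the MAC key has to be shared by some means the thread does not describe.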
From daw@cs.berkeley.edu 7 Nov 1999 14:10:40 -0800
Date: 7 Nov 1999 14:10:40 -0800
From: David Wagner daw@cs.berkeley.edu
Subject: The BCF Cryptosystem

In article <001d01bf2913$639156d0$966adec2@fortytwo>, Brian Gladman wrote:
> It is also desirable to compare BCF, the proposed symmetric cipher, with
> 'state of the art' alternatives such as those proposed for AES. The five
> AES finalists offer key lengths of 128, 192 and 256 bits and throughputs of
> between 25 and 100 Million bits per second on a 200 MHz Pentium family
> machine. Since each BCF pointer offers less than 32 bits of key space, the
> AES key lengths require BCF equivalents of about 4, 6 and 8 pointers
> respectively.
> For the sake of comparison it would be helpful to know what performance BCF
> can achieve with these numbers of pointers so that we can compare it with
> other ciphers on offer.

It's worth mentioning that BCF does not attain the security one might expect from just looking at its keylength (there are shortcut attacks), so this would probably not be a fair comparison. For example, I believe that the 4-pointer version of BCF can be attacked with ~ 2^58 workfactor using meet-in-the-middle techniques, since each pointer is only 29 bits long. There are probably better attacks, too. Moreover, one may not use the same key to generate more than 2^29 bytes of output (no matter how many pointers one uses), since the period is small. And so on.

Meanwhile, the AES candidates are expected to provide security against attacks using up to 2^128 workfactor and huge numbers of chosen texts (in excess of 2^64, certainly), when used with a 128-bit key.

It is still an interesting intellectual challenge to try to understand the level of security afforded by a Maurer-like (BCF-like) system.

If this discussion is off-topic for ukcrypto, please let me know (via private email!).
From georgefoot@oxted.demon.co.uk Sun, 7 Nov 1999 22:55:16 +0000
Date: Sun, 7 Nov 1999 22:55:16 +0000
From: George Foot georgefoot@oxted.demon.co.uk
Subject: The BCF Cryptosystem

November 7th. 1900

To Brian Gladman.

Dear Brian,

I am returning to your message received earlier to-day with comments on the BCF Cryptosystem. Thank you for your interest:

In message <001d01bf2913$639156d0$966adec2@fortytwo>, Brian Gladman writes
>I was surprised to find that it uses a public key scheme for key
>distribution (Diffie-Hellman). It seems strange to criticise such methods
>to the point of rejection but then to employ them for a critical aspect of
>the proposed system.

Diffie-Hellman as employed in BCF has no resemblance to a "public key system" in which keys are published in advance and stored long term; it is a complete misnomer to refer to it in this manner. Let me explain: The establishment of a BCF Key is a process confined to two parties and neither requires any previous communication between them nor the acquisition of any previously published Key. When concluded the BCF Part1 and Part2 Keys (see the text of the BCF Presentation) serve no further purpose and are not stored but discarded. The transaction is private to the two parties and certainly cannot be called public. Moreover BCF is a very flexible system and if the parties wish they can use any protocol they prefer for the initial exchange of Keys -- although the Diffie-Hellman method used in the prototype BCF software and described in the BCF Presentation is perfectly adequate.

>It is also desirable to compare BCF, the proposed symmetric cipher, with
>'state of the art' alternatives such as those proposed for AES. The five
>AES finalists offer key lengths of 128, 192 and 256 bits and throughputs of
>between 25 and 100 Million bits per second on a 200 MHz Pentium family
>machine.
>Since each BCF pointer offers less than 32 bits of key space, the
>AES key lengths require BCF equivalents of about 4, 6 and 8 pointers
>respectively.
>For the sake of comparison it would be helpful to know what performance BCF
>can achieve with these numbers of pointers so that we can compare it with
>other ciphers on offer.

The construction of a Message Pad with up to 8 Pointers is virtually instantaneous on a computer of the type you mention and for messages of, say, a few KBytes in length. A long message might require a couple of seconds to construct the Message Pad, but whether or not this is a restriction depends on the circumstances; to handle the information received probably takes much longer. BCFX operates differently inasmuch as the Message Pad is constructed in advance whereupon the message is encrypted and despatched with a simple EOR operation at the maximum speed the processor can operate and the transmission bandwidth permits.

However it is a mistake, in our opinion, to compete with a Cryptosystem which may be encrypting multi-megabytes/second data continuously. Such a system serves a different purpose entirely. BCF is a simple package with features specifically designed for the business man and available at a very low cost but without compromise with the one attribute which is essential, which is very high security. The idea that a cryptosystem has to be universal in its applications is surely untenable and a relic of an earlier outlook.

>At first sight the cipher looks very resource intensive. It either ties up a
>CD-ROM drive (or requires a CD to be repeatedly loaded and unloaded) or 600+
>Mbytes of hard disc space.

You asked for figures: I am looking at a Dell advertisement in the UK which offers a complete PC computer for UKP 899 including 17.5% sales tax (about US$1300) which includes a 13.6 GBytes hard disc. A slightly more expensive model is fitted with 30 GBytes of hard disc.
These are representative sizes to-day and 600 MBytes required for the BCF Number Pad looks rather insignificant in comparison. I know because in trials various people have stressed this point.

>And since most ciphers are NOT broken by breaking the algorithm but rather
>by exploiting implementation weaknesses I suspect that BCF will compare
>poorly with other ciphers in this respect.

This is too vague for comment and does appear to have political bias. But breaking the algorithm is something you will find difficult -- we do not have an algorithm. Our security is exactly the problem of finding a small nugget of gold buried in the middle of the Sahara Desert.

The remaining points you make appear to be speculation on your part. But there are possibilities of discovering something from the intensive study of the process you suggest will take place -- eventually you will obtain clues to the Number Pad which of course is public from the start. Please look at the INTRODUCTION and DESIGN CONSIDERATIONS in our Presentation. I do not think we need any excuse for examining cryptosystems from a new angle.

Kind Regards and thank you again for your interest and your useful contribution to a debate on BCF.

George
-- 
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk

From georgefoot@oxted.demon.co.uk Sun, 7 Nov 1999 23:41:26 +0000
Date: Sun, 7 Nov 1999 23:41:26 +0000
From: George Foot georgefoot@oxted.demon.co.uk
Subject: The BCF Cryptosystem

Thank you for your contribution to a debate on BCF. Some of your questions I believe are answered in a reply I have made to Brian Gladman. See for example the point about seeking a universal cryptosystem. To encrypt a backup of several Gbytes would be a challenge for BCF and would need multiple BCF Number Pads. That's something we have not mentioned but BCF Number Pads can be combined usually or just temporarily for greater capacity -- without limit in theory.
It's a fair question although we do not think the need will arise very often in regular business transactions. It's really the same problem as sending a graphic as a bit map of several gigabytes in size and not many computers can handle that. But we shall certainly take your comment into consideration. Thank you.

In message <199911072128.VAA05926@notatla.demon.co.uk>, lists@notatla.demon.co.uk writes
>George Foot :
>This being a stream cypher your active adversary can flip bits in a message
>and increase and decrease the message length. In the absence of some
>integrity check (MAC) you are reliant on the recipient to recognise faulty
>traffic. Not all traffic has this property (passing X-ray photos
>between hospitals for example).

As mentioned the software writer can add features to BCF and in one application the requirements may be more onerous than in another. It's not a system presented in hardware as a commercial package and immutable.

George
-- 
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk
From bruce@counterpane.com Sun, 07 Nov 1999 23:24:33 -0600 Date: Sun, 07 Nov 1999 23:24:33 -0600 From: Bruce Schneier bruce@counterpane.com Subject: Serpent At 12:11 AM 11/7/99 -0600, you wrote: >Bruce, > >While its tiresome, having a fresh set of people look at the cipher >serves the valuable purpose of ensuring that the authors didn't make >mistakes, and allows an analyst to come at the cipher with a fresh >perspective. Reading the twofish papers taught me a lot about block >cipher analysis, but prejudiced me beyond ever being able to look at >and attack the cipher. By leaving out that analysis, does the Serpent >team leave the outside analyst more free of the assumptions that the >authors made? I think fresh eyes and fresh minds will always have a fresh perspective. Seeing what the authors thought can only help. If, for example, you notice something about Twofish that you know the designers didn't notice, it is likely an interesting avenue of analysis. If, however, you notice something that the designers spent three pages discussing, you can at least look at their analysis and see if they forgot something. Bruce From georgefoot@oxted.demon.co.uk Mon, 8 Nov 1999 09:17:36 +0000 Date: Mon, 8 Nov 1999 09:17:36 +0000 From: George Foot georgefoot@oxted.demon.co.uk Subject: The BCF Cryptosystem To David Wagner: The remarkable feature of your outburst is that it emerges as an instruction to us as to what we should or should not be doing. For our justification please read the INTRODUCTION and the DESIGN CONSIDERATIONS included in our Presentation. We are sorry that you have had the personal failures you mention but suggest that your animosity is off-topic for this mailing list. 
George

In message <804sgm$gov$1@blowfish.isaac.cs.berkeley.edu>, David Wagner writes
>First, I should mention that I have serious reservations about whether it
>is a good idea to be designing your own symmetric-key ciphers for your
>own application in an age where we already have Triple-DES and the AES,
>ciphers that have received much more scrutiny than your proposal has
>received so far (or, I venture to guess, is likely to receive in the
>near future).

-- 
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk

From Q.G.Campbell@newcastle.ac.uk Mon, 8 Nov 1999 10:13:56 +0000 (GMT)
Date: Mon, 8 Nov 1999 10:13:56 +0000 (GMT)
From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk
Subject: Straws in the wind...
Observer or Sunday Times (left papers at airport so have no precise reference), Sunday 7 November, reported important Judicial Review decision against Nottinghamshire Police(?).

Decision may also have relevance to scope of disclosure of encrypted documents, encryption keys, etc, although these not mentioned in report in paper.

Perhaps lawyers on list can find actual decision that was reported on.

Gist of report was that the scope of various Acts allowing search and confiscation of documents as part of Police and SFO investigations are now seriously circumscribed. Police, Customs and Excise, etc, lay themselves open to "significant" claims for damages if they take documents not covered by the search warrant or other order. Requirement for LEAs to be very precise and limited in what they may take in search for evidence. Report said that effect of the judgment can now only be overturned by the House of Lords or legislation.

Police had warrant to search premises and seize documents as part of a fraud enquiry. Target claimed that Police had simply scooped up everything without trying to determine what was relevant to the warrant and what was not. In particular that papers taken included privileged correspondence between himself and his solicitor. Police later admitted that they had acted wrongly, returned some documents and paid damages (approx. 1,100 pounds). Both sides agreed that circumstances raised important issues and that judicial review should be sought.

Quentin
-- 
PHONE: +44 191 222 8209 Computing Service, University of Newcastle
FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
-------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."
From proff@iq.org 08 Nov 1999 21:17:00 +1100 Date: 08 Nov 1999 21:17:00 +1100 From: Julian Assange proff@iq.org Subject: The BCF Cryptosystem George Foot writes: > We are sorry that you have had the personal failures you mention but > suggest that your animosity is off-topic for this mailing list. > > George What animosity? David's post was exemplary in every way. -- Stefan Kahrs in [Kah96] discusses the notion of completeness--programs which never go wrong can be type-checked--which complements Milner's notion of soundness--type-checked programs never go wrong [Mil78]. From ben@algroup.co.uk Mon, 08 Nov 1999 11:19:33 +0000 Date: Mon, 08 Nov 1999 11:19:33 +0000 From: Ben Laurie ben@algroup.co.uk Subject: The BCF Cryptosystem George Foot wrote: > > To David Wagner: > > The remarkable feature of your outburst is that it emerges as an > instruction to us as to what we should or should not be doing. > > For our justification please read the INTRODUCTION and the DESIGN > CONSIDERATIONS included in our Presentation. > > We are sorry that you have had the personal failures you mention but > suggest that your animosity is off-topic for this mailing list. I didn't see any animosity in David's posting, merely what looks to me like a pretty good attack against BCF and an expression of regret that his job makes it difficult for him to publish such attacks (because of the lack of published systems to attack). I'd say his posts were as on-topic as any discussion of actual crypto. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi From nbohm@ernest.net Mon, 08 Nov 1999 12:16:19 +0000 Date: Mon, 08 Nov 1999 12:16:19 +0000 From: Nicholas Bohm nbohm@ernest.net Subject: Straws in the wind... 
At 10:13 AM 11/8/1999 +0000, Quentin Campbell wrote: >Observer or Sunday Times (left papers at aiport so have no precise >reference), Sunday 7 November, reported important Judicial Review decision >against Nottinghamshire Police(?). > >Decision may also have relevance to scope of disclosure of encrypted >documents, encryption keys, etc, although these not mentioned in report in >paper. > >Perhaps lawyers on list can find actual decision that was reported on. My alerter service has the following brief note: POLICE: High Court; Police powers; Search warrants Search ruling Times, November 6, 1999, 2. Also reported in DTel, November 6, 1999, 2; Guar, November 6, 1999, 6 The High Court has curbed police powers by ruling that they cannot remove material from premises for which a search warrant has been obtained for the purposes of ascertaining whether it is legally privileged without the owners consent. [snip] Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 0860 636749 (+44 860 636749) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From Q.G.Campbell@newcastle.ac.uk Mon, 8 Nov 1999 13:03:42 +0000 (GMT) Date: Mon, 8 Nov 1999 13:03:42 +0000 (GMT) From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk Subject: Straws in the wind... On Mon, 8 Nov 1999, Nicholas Bohm wrote: > My alerter service has the following brief note: > > POLICE: High Court; Police powers; Search warrants > > Search ruling Times, November 6, 1999, 2. 
Also reported in DTel, November > 6, 1999, 2; Guar, November 6, 1999, 6 > > The High Court has curbed police powers by ruling that they cannot remove > material from premises for which a search warrant has been obtained for the > purposes of ascertaining whether it is legally privileged without the > owners consent. [snip] Nicholas Many thanks for your quick reply. If the Home Office had wind of this adverse judgement might it be part of the reason that the Government seem likely to move Part III from the Electronic Communications Bill to the new IOCA? It would certainly give them a chance to re-draft those sections so that they are proof against any restrictions on access to collections of encrypted material that the High Court ruling above might have imposed. If the Home Office has indeed anticipated the implications of this judgement then that might also suggest that legal points you and others have raised in this list and elsewhere are now getting through, particularly in regard to possible challenges through the ECHR? Of course all this could simply result in a new IOCA that is even more objectionable and also more "bullet proof" to legal challenge from whichever court! Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------- "Any opinions expressed above are mine. The University can get its own." From whgiii@openpgp.net Mon, 08 Nov 1999 08:22:04 -0600 Date: Mon, 08 Nov 1999 08:22:04 -0600 From: William H. Geiger III whgiii@openpgp.net Subject: [Off-Topic] UK Political Censorship? Hi, Sorry for the off-topic post. I came across the following article: http://www.independent.co.uk/news/Digital/Features/legalmediawebirvine071199.shtml "The Lord Chancellor, Lord Irvine of Lairg, has shut down a website because it was being used to criticize judges. 
"

Does the UK government have the power to shut down websites at will without a judicial order? I find this quite shocking that in a Western Democracy a government official is able to wield this type of unilateral power and indiscriminately infringe on the rights of the citizens.

-- 
---------------------------------------------------------------
William H. Geiger III http://www.openpgp.net
Geiger Consulting Data Security & Cryptology Consulting
Programming, Networking, Analysis
PGP for OS/2: http://www.openpgp.net/pgp.html
---------------------------------------------------------------

From ben@algroup.co.uk Mon, 08 Nov 1999 14:49:41 +0000
Date: Mon, 08 Nov 1999 14:49:41 +0000
From: Ben Laurie ben@algroup.co.uk
Subject: [Off-Topic] UK Political Censorship?

"William H. Geiger III" wrote:
> 
> Hi,
> 
> Sorry for the off-topic post. I came across the following article:
> 
> http://www.independent.co.uk/news/Digital/Features/legalmediawebirvine071199.shtml
> 
> "The Lord Chancellor, Lord Irvine of Lairg, has shut down a website
> because it was being used to criticize judges. "
> 
> Does the UK government have the power to shut down websites at will
> without a judicial order? I find this quite shocking that in a Western
> Democracy a government official is able to wield this type of unilateral
> power and indiscriminately infringe on the rights of the citizens.

Did you read the article? The website was shut down by the ISP because "the material contravened the company's terms and conditions". That's not to say that the Lord Chancellor (who isn't the government, anyway) didn't abuse his powers or influence, but he didn't exercise any legal power at all.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there."
- Indira Gandhi

From lawya@lucs-01.novell.leeds.ac.uk Mon, 8 Nov 1999 14:58:30 +0000
Date: Mon, 8 Nov 1999 14:58:30 +0000
From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk
Subject: [Off-Topic] UK Political Censorship?

> Does the UK government have the power to shut down websites at will
> without a judicial order? I find this quite shocking that in a Western
> Democracy a government official is able to wield this type of unilateral
> power and indiscriminately infringe on the rights of the citizens.

The cyber-rights-uk list may be more appropriate to discuss this issue (details at http://www.cyber-rights.org/mailing.htm) but it looks like the Lord Chancellor used his personal power rather than anything else and the ISP in question was forced to remove the pages rather than was required to do so. The article does not say how "offensive" the pages were, and maybe the ISP was served with a notice under section 1 of the Defamation Act but the article does not use the word defamatory and uses the word offensive.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at: http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From J.N.Bain@newcastle.ac.uk Mon, 8 Nov 1999 15:10:18 +0000
Date: Mon, 8 Nov 1999 15:10:18 +0000
From: Jason Bain J.N.Bain@newcastle.ac.uk
Subject: [Off-Topic] UK Political Censorship?

On Mon, Nov 08, 1999 at 02:49:41PM +0000, Ben Laurie wrote:
> "William H. Geiger III" wrote:
> >
> > Hi,
> >
> > Sorry for the off-topic post. I came across the following article:
> >
> > http://www.independent.co.uk/news/Digital/Features/legalmediawebirvine071199.shtml
> >
> > "The Lord Chancellor, Lord Irvine of Lairg, has shut down a website
> > because it was being used to criticize judges.
" > > > > Dose the UK government have the power to shut down websites at will > > without a judical order? I find this quite shocking that in a Western > > Democracy a government official is able to wield this type of unilateral > > power and indiscriminantly infringe on the rights of the citizens. > > Did you read the article? The website was shut down by the ISP because > "the material contravened the company's terms and conditions". That's > not to say that the Lord Chancellor (who isn't the government, anyway) The Lord Chancellor wears a number of hats: * He is a Cabinet Minister (ie. he IS a member of the Government) with ministerial responsibility for the administration of justice (in England and Wales only). * Presiding chairman of the Appellate Committee of the House of Lords and of the Judicial Committee of the Privy Council. * President of the Supreme Court of England and Wales (Court of Appeal, the High Court and the Crown Court). * He is the Speaker of the House of Lords > didn't abuse his powers or influence, but he didn't exercise any legal > power at all. Jason. -- Jason N. Bain, Networks & Development, Computing Service, Newcastle University, Newcastle upon Tyne, NE1 7RU. Telephone: (0191) 222 8461, Fax: (0191) 222 8765. From sibyl@cumae.demon.co.uk Mon, 08 Nov 1999 14:14:19 +0000 Date: Mon, 08 Nov 1999 14:14:19 +0000 From: Gilead Cooper sibyl@cumae.demon.co.uk Subject: Precision > that explicitly prohibits it from doing so. In criminal cases the court has > much less discretion (despite the common beliefs about "beyond reasonable > doubt" and "innocent until proven guilty", which are nothing but mythology > so far as English law is concerned ???? Really? -- Gilead Cooper 11 New Square Lincoln's Inn From nbohm@ernest.net Mon, 08 Nov 1999 16:19:18 +0000 Date: Mon, 08 Nov 1999 16:19:18 +0000 From: Nicholas Bohm nbohm@ernest.net Subject: Straws in the wind... 
At 01:03 PM 11/8/1999 +0000, Quentin Campbell wrote: >On Mon, 8 Nov 1999, Nicholas Bohm wrote: > >> My alerter service has the following brief note: >> >> POLICE: High Court; Police powers; Search warrants >> >> Search ruling Times, November 6, 1999, 2. Also reported in DTel, November >> 6, 1999, 2; Guar, November 6, 1999, 6 >> >> The High Court has curbed police powers by ruling that they cannot remove >> material from premises for which a search warrant has been obtained for the >> purposes of ascertaining whether it is legally privileged without the >> owners consent. >[snip] > >Nicholas > >Many thanks for your quick reply. > >If the Home Office had wind of this adverse judgement might it be part of >the reason that the Government seem likely to move Part III from the >Electronic Communications Bill to the new IOCA? I doubt it. There's no reason to think they had wind of the decision, nor that moving Part III would give them any advantage (they are no doubt still thinking about it now). >It would certainly give them a chance to re-draft those sections so that >they are proof against any restrictions on access to collections of >encrypted material that the High Court ruling above might have imposed. > >If the Home Office has indeed anticipated the implications of this >judgement then that might also suggest that legal points you and others >have raised in this list and elsewhere are now getting through, >particularly in regard to possible challenges through the ECHR? I think the HO is coming to see that objectors comprise more than the lunatic fringe. >Of course all this could simply result in a new IOCA that is even more >objectionable and also more "bullet proof" to legal challenge from >whichever court! That tends to be the way it goes. 
Regards,

Nicholas Bohm
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From roger.hird@argonet.co.uk Mon, 08 Nov 1999 15:26:21 +0000 (GMT)
Date: Mon, 08 Nov 1999 15:26:21 +0000 (GMT)
From: Roger Hird roger.hird@argonet.co.uk
Subject: [Off-Topic] UK Political Censorship?

On 08 Nov, William H. Geiger III wrote:
> Sorry for the off-topic post. I came across the following article:
> http://www.independent.co.uk/news/Digital/Features/legalmediawebirvine0711
> .shtml
> "The Lord Chancellor, Lord Irvine of Lairg, has shut down a website
> because it was being used to criticize judges. "
> Does the UK government have the power to shut down websites at will
> without a judicial order? I find this quite shocking that in a Western
> Democracy a government official is able to wield this type of unilateral
> power and indiscriminately infringe on the rights of the citizens.

Well, the text of the article shows that he didn't use a "power" - he - or one of his officials - just wrote to the ISP complaining that the site was offensive. He is of course the head of the judiciary in England (where the ISP is based) and, by the way, in UK terminology, he is himself not "an official" but a minister.

RogerH

--
Roger Hird roger.hird@argonet.co.uk
Running Voyager 2.01 and RISCOS 3.70 on an Acorn StrongARM RiscPC

From whgiii@openpgp.net Mon, 08 Nov 1999 11:07:23 -0600
Date: Mon, 08 Nov 1999 11:07:23 -0600
From: William H. Geiger III whgiii@openpgp.net
Subject: [Off-Topic] UK Political Censorship?

In <3826E305.4AE25A8D@algroup.co.uk>, on 11/08/99 at 02:49 PM, Ben Laurie said:

>"William H. Geiger III" wrote:
>>
>> Hi,
>>
>> Sorry for the off-topic post.
I came across the following article:
>>
>> http://www.independent.co.uk/news/Digital/Features/legalmediawebirvine071199.shtml
>>
>> "The Lord Chancellor, Lord Irvine of Lairg, has shut down a website
>> because it was being used to criticize judges. "
>>
>> Does the UK government have the power to shut down websites at will
>> without a judicial order? I find this quite shocking that in a Western
>> Democracy a government official is able to wield this type of unilateral
>> power and indiscriminately infringe on the rights of the citizens.

>Did you read the article? The website was shut down by the ISP because
>"the material contravened the company's terms and conditions". That's not
>to say that the Lord Chancellor (who isn't the government, anyway) didn't
>abuse his powers or influence, but he didn't exercise any legal power at
>all.

Yes I did read the article and the ISP's terms & conditions, the relevant section is below:

6.2 You must not use or allow the Service or your web space to be used for storing, sending or receiving any material which is obscene, menacing, threatening, offensive, abusive, indecent, defamatory, fraudulent, criminal or which infringes the rights of any other party including any intellectual property rights.

6.3 If We suspect that any material stored or disseminated by You may be in contravention of clause 6.2 We reserve the right at all times to inspect the material and if it is found to be in contravention of clause 6.2 to remove the material from Your web space and/or to suspend part or all of the Service and/or terminate this Agreement immediately without any further obligation to You.

This is standard ISP boilerplate that basically says they can do anything anytime they want. Practically every ISP in the world has the same or similar clause in their terms & conditions.

The basic situation we have here is that a government official can write a letter and get a website shut down because he doesn't like the political speech content.
To classify this as a libel or a "terms and conditions" issue is disingenuous. This is pure, raw, political censorship at its finest.

The Lord Chancellor, and the UK government as a whole, should be ashamed of such actions.

I have provided a mirror of Mr. Hulbert's website with commentary at:

http://www.openpgp.net/censorship.html

--
---------------------------------------------------------------
William H. Geiger III http://www.openpgp.net
Geiger Consulting Data Security & Cryptology Consulting
Programming, Networking, Analysis
PGP for OS/2: http://www.openpgp.net/pgp.html
---------------------------------------------------------------

From ben@algroup.co.uk Mon, 08 Nov 1999 17:43:47 +0000
Date: Mon, 08 Nov 1999 17:43:47 +0000
From: Ben Laurie ben@algroup.co.uk
Subject: [Off-Topic] UK Political Censorship?

"William H. Geiger III" wrote:
>
> In <3826E305.4AE25A8D@algroup.co.uk>, on 11/08/99
> at 02:49 PM, Ben Laurie said:
>
> >"William H. Geiger III" wrote:
> >>
> >> Hi,
> >>
> >> Sorry for the off-topic post. I came across the following article:
> >>
> >> http://www.independent.co.uk/news/Digital/Features/legalmediawebirvine071199.shtml
> >>
> >> "The Lord Chancellor, Lord Irvine of Lairg, has shut down a website
> >> because it was being used to criticize judges. "
> >>
> >> Does the UK government have the power to shut down websites at will
> >> without a judicial order? I find this quite shocking that in a Western
> >> Democracy a government official is able to wield this type of unilateral
> >> power and indiscriminately infringe on the rights of the citizens.
>
> >Did you read the article? The website was shut down by the ISP because
> >"the material contravened the company's terms and conditions". That's not
> >to say that the Lord Chancellor (who isn't the government, anyway) didn't
> >abuse his powers or influence, but he didn't exercise any legal power at
> >all.
>
> Yes I did read the article and the ISP's terms & conditions, the relevant
> section is below:
>
> 6.2 You must not use or allow the Service or your web space
> to be used for storing, sending or receiving any material
> which is obscene, menacing, threatening, offensive, abusive,
> indecent, defamatory, fraudulent, criminal or which infringes
> the rights of any other party including any intellectual
> property rights.
>
> 6.3 If We suspect that any material stored or disseminated by
> You may be in contravention of clause 6.2 We reserve the
> right at all times to inspect the material and if it is found to be
> in contravention of clause 6.2 to remove the material from
> Your web space and/or to suspend part or all of the Service
> and/or terminate this Agreement immediately without any
> further obligation to You.
>
> This is standard ISP boilerplate that basically says they can do anything
> anytime they want. Practically every ISP in the world has the same or
> similar clause in their terms & conditions.
>
> The basic situation we have here is that a government official can write a
> letter and get a website shut down because he doesn't like the political
> speech content. To classify this as a libel or a "terms and conditions"
> issue is disingenuous. This is pure, raw, political censorship at its
> finest.

My point was simply that he did not use any legal power. Furthermore, there are plenty of other cases of ISPs censoring stuff at the behest of perfectly ordinary members of the public. I think that even the Lord Chancellor is allowed to complain if he thinks something is offensive. I don't think the ISP should have paid any attention, however.

> The Lord Chancellor, and the UK government as a whole, should be ashamed
> of such actions.

Indeed.

> I have provided a mirror of Mr. Hulbert's website with commentary at:
>
> http://www.openpgp.net/censorship.html

Yeah, well, the Lord Chancellor probably shouldn't have complained, I agree.
I still say he has the right to do so, though.

Naturally, as always in these cases, he has shot himself in the foot. Now everyone will read this stuff.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there."
- Indira Gandhi

From lawya@lucs-01.novell.leeds.ac.uk Mon, 8 Nov 1999 17:54:34 +0000
Date: Mon, 8 Nov 1999 17:54:34 +0000
From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk
Subject: [Off-Topic] UK Political Censorship?

> This is standard ISP boilerplate that basically says they can do anything
> anytime they want. Practically every ISP in the world has the same or
> similar clause in their terms & conditions.

I agree with your conclusion. The decision on what is "offensive" remains subjective and the decision to take down content was taken by the ISP in question following a letter by the LCD as far as I understand from the story.

> speech content. To classify this as a libel or a "terms and conditions"
> issue is disingenuous. This is pure, raw, political censorship at its
> finest.

I agree with what you are saying but we do not know or have seen the letter which was sent to the ISP and I was assuming the possibility of a threat for a libel action under the Defamation Act 1996 by the LCD and that may be the reason why the ISP took down those pages. However the LCD should not use such tactics for silencing dissent and protest and they should have gone after the original publisher and in this case, Mr. Hulbert, if they are not happy about his statements.

> The Lord Chancellor, and the UK government as a whole, should be ashamed
> of such actions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr.
Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at: http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From bdm@fenrir.demon.co.uk Mon, 08 Nov 1999 17:42:10
Date: Mon, 08 Nov 1999 17:42:10
From: Brian Morrison bdm@fenrir.demon.co.uk
Subject: [Off-Topic] UK Political Censorship?

On Mon, 08 Nov 1999 17:43:47 +0000, Ben Laurie wrote:

>Naturally, as always in these cases, he has shot himself in the foot.
>Now everyone will read this stuff.

Which is very densely written and is thus rather difficult to determine exactly what the man is alleging. It appears to be that court transcripts are inaccurate, but since he states that he was conducting his own defence and could not write notes during his cross-examinations he has only his memory to fall back on.

Not sensible of Irvine to ask for it to be removed though, as you say.

--
Brian Morrison bdm@fenrir.demon.co.uk
do you know how far this has gone? just how damaged have I become?
'Even Deeper' by Nine Inch Nails

From mjsion@earthlink.net Mon, 08 Nov 1999 12:59:48 +0000
Date: Mon, 08 Nov 1999 12:59:48 +0000
From: Max mjsion@earthlink.net
Subject: The story of a small boy ... - sealed envelopes ...

About twenty years ago, there was a small boy (9-11 years old or so), who had his penpals around the world - the Soviet Union, the United Kingdom, Australia, Germany and many other European nations. He wrote his letters on paper and then mailed these letters in sealed envelopes and he received letters from his international friends in sealed envelopes. He did not use postcards.

In today's world, there are many executives in governments, businesses and other organizations, who email their secrets on postcards. How has the world changed? Or was this young child just smarter than many of today's executives?
From jya@pipeline.com Mon, 08 Nov 1999 13:25:27 -0500 Date: Mon, 08 Nov 1999 13:25:27 -0500 From: John Young jya@pipeline.com Subject: [Off-Topic] UK Political Censorship? Just about anyone who operates a Web site offering controversial information -- even if only mildly offensive -- gets requests for removals. At our site, we remove if an individual asks for removal of his or her own personal information, say, as in one case, an employment resume which listed past jobs on intelligence-related activities and quite informative description of the work done and skills employed. We agreed with the protestor that the resume was private property and removed it -- though it had come from the owner's own public web site. In another case we removed a lowly classified document which had been mistakenly posted to a public site. The person who did it wrote to politely ask that it be removed, that a mistake had been made, and that he had been reprimanded. Fair enough, we figured, so off it came. We get mild to nasty threats from lawyers pretty regularly. Those are our wall trophies, certificates that we're doing wrong rightly. If a site is not getting removal requests, demands for censorship, warnings of retribution, for what's offered, why then it must be a craven commercial site or one managed by a fainthearted educational institution, an anxious bureaucracy or self-policing body way down on the lower scale of bloodworthiness. From gladman@seven77.demon.co.uk Mon, 8 Nov 1999 22:09:29 -0000 Date: Mon, 8 Nov 1999 22:09:29 -0000 From: Brian Gladman gladman@seven77.demon.co.uk Subject: The BCF Cryptosystem From: George Foot To: Sent: Sunday, November 07, 1999 10:55 PM Subject: Re: The BCF Cryptosystem [snip] > >I was surprised to find that it uses a public key scheme for key > >distribution (Diffie-Hellman). It seems strange to criticise such methods >to > the point of rejection but then to employ them for a critical aspect of >the > proposed system. 
>
> Diffie-Hellman as employed in BCF has no resemblance to a "public key system"
> in which keys are published in advance and stored long term; it is a complete
> misnomer to refer to it in this manner. Let me explain:

The term 'public key system' is generally applied to systems involving one key that has to be kept secret and a related key that can be, but does not have to be, public. The fact that someone uses RSA or Diffie Hellman in a form in which the 'public key' is not published does not change the fact that they are using a public key system.

> The establishment of a BCF Key is a process confined to two parties and neither
> requires any previous communication between them nor the acquisition of any
> previously published Key. When concluded the BCF Part1 and Part2 Keys (see the
> text of the BCF Presentation) serve no further purpose and are not stored but
> discarded. The transaction is private to the two parties and certainly cannot
> be called public.

This is a key negotiation protocol based on a public key system. I feel comforted by the fact that you have had to resort to just the methods you criticise to make your approach work.

> Moreover BCF is a very flexible system and if the parties wish they can use any
> protocol they prefer for the initial exchange of Keys -- although the Diffie-
> Hellman method used in the prototype BCF software and described in the BCF
> Presentation is perfectly adequate.

Not any method surely, only methods that allow a common secret key to be negotiated.

> >It is also desirable to compare BCF, the proposed symmetric cipher, with
> >'state of the art' alternatives such as those proposed for AES. The five
> >AES finalists offer key lengths of 128, 192 and 256 bits and throughputs of
> >between 25 and 100 Million bits per second on a 200 MHz Pentium family
> >machine. Since each BCF pointer offers less than 32 bits of key space, the
> >AES key lengths require BCF equivalents of about 4, 6 and 8 pointers
> >respectively.
> >For the sake of comparison it would be helpful to know what performance BCF > >can achieve with these numbers of pointers so that we can compare it with > >other ciphers on offer. > > The construction of a Message Pad with up to 8 Pointers is virtually > instantaneous on a computer of the type you mention and for messages of, say, a > few KBytes in length. The AES ciphers achieve maximum speeds of between 26 and 100 Mbits per second on a 200 MHz Pentium family machine. In order to aid comparison what is the expected encryption speed of BCF? > A long message might require a couple of seconds to construct the Message Pad. > but whether or not this is a restriction depends on the circumstances; to > handle the information received probably takes much longer. > > BCFX operates differently inasmuch as the Message Pad is constructed in advance > whereupon the message is encrypted and despatched with a simple EOR operation > at the maximum speed the processor can operate and the transmission bandwidth > permits. This depends on what 'in advance' means. If this means that it is constructed and placed on a storage device such as a hard disc, then it may well be disc system that will determine how fast the cipher can operate. > However it is a mistake, in our opinion, to compete with a Cryptosystem which > may be encrypting multi-megabytes/second data continuously. Such a system > serves a different purpose entirely. BCF in a simple package with features > specifically designed for the business man and available at a very low cost > but without compromise with the one attribute which is essential which is very > high security. IMHO it is very unlikely that BCF will come even close in security terms to the performance of other cipher systems intended for general or widespread application. 
[snip] > I am looking at a Dell advertisement in the UK which offers a complete PC > computer for UKP 899 including 17.5% sales tax (about US$1300) which includes a > 13.6 GBytes hard disc. A slightly more expensive model is fitted with 30 GBytes > of hard disc. These are representative sizes to-day and 600 MBytes required > for the BCF Number Pad looks rather insignificant in comparison. I know > because in trials various people have stressed this point. I did not ask for cost figures - I gave speed figures for AES algorithms and asked for the equivalent figures for BCF. > And since most ciphers are NOT broken by breaking the algorithm but rather > >by exploiting implementation weaknesses I suspect that BCF will compare > >poorly with other ciphers in this respect. > > This is too vague for comment and does appear to have political bias. But > breaking the algorithm is something you will find difficult -- we do not have > an algorithm. Our security is exactly the problem of finding a small nugget of > gold buried in the middle of the Sahara Desert. Please explain what political motives I would have for such a comment. I gave precise reasons why I felt that BCF was likely to prove difficult to implement in a way that maintains its security, namely, because its security is totally dependent on the security of the disc and file access system that it uses as an inherent part of its operation. Other applications running on the same machine could easily discover details of these disc accesses unless you have taken very great care in the way you implement your system. Perhaps even worse, the sort of things you would have to do to hide such details (e.g. flushing and restarting the file system after each operation) are likely to have a huge, detrimental impact on systems performance more generally. 
Brian

From gladman@seven77.demon.co.uk Mon, 8 Nov 1999 22:18:22 -0000
Date: Mon, 8 Nov 1999 22:18:22 -0000
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: The BCF Cryptosystem

David Wagner wrote in message news:804td0$grc$1@blowfish.isaac.cs.berkeley.edu...
> In article <001d01bf2913$639156d0$966adec2@fortytwo>,
> Brian Gladman wrote:
> > It is also desirable to compare BCF, the proposed symmetric cipher, with
> > 'state of the art' alternatives such as those proposed for AES. The five
> > AES finalists offer key lengths of 128, 192 and 256 bits and throughputs of
> > between 25 and 100 Million bits per second on a 200 MHz Pentium family
> > machine. Since each BCF pointer offers less than 32 bits of key space, the
> > AES key lengths require BCF equivalents of about 4, 6 and 8 pointers
> > respectively.
> > For the sake of comparison it would be helpful to know what performance BCF
> > can achieve with these numbers of pointers so that we can compare it with
> > other ciphers on offer.
>
> It's worth mentioning that BCF does not attain the security one might
> expect from just looking at its keylength (there are shortcut attacks),
> so this would probably not be a fair comparison.

I agree totally but I wanted to give BCF 'the benefit of the doubt' because I am confident that it will not compare favourably in performance terms even with such a highly charitable assumption.

[snip]

> If this discussion is off-topic for ukcrypto, please let me know (via
> private email!).

No, it's nice to discuss technical things on the list from time to time!
Brian From gladman@seven77.demon.co.uk Mon, 8 Nov 1999 22:32:41 -0000 Date: Mon, 8 Nov 1999 22:32:41 -0000 From: Brian Gladman gladman@seven77.demon.co.uk Subject: The BCF Cryptosystem From: George Foot To: Sent: Monday, November 08, 1999 9:17 AM Subject: Re: The BCF Cryptosystem > To David Wagner: > > The remarkable feature of your outburst is that it emerges as an > instruction to us as to what we should or should not be doing. I did not see anything objectionable in what David said. As far as I can see he was simply pointing out several potential flaws that systems of the BCF type might exhibit if such systems are not carefully designed with these sorts of flaws in mind. He then requested that more details be published in order to determine whether or not these (or other) attacks are a real threat to the security that BCF seeks to provide. Brian From georgefoot@oxted.demon.co.uk Mon, 8 Nov 1999 23:16:40 +0000 Date: Mon, 8 Nov 1999 23:16:40 +0000 From: George Foot georgefoot@oxted.demon.co.uk Subject: The BCF Cryptosystem Antonomasia: You make a very reasonable observation but what does it amount to in practice. In the first place a choice limited to 4 Pointers would be foolish unless only exceptionally short-lived security were required. Secondly a reduction by four times takes on a different aspect if it means a 100 year search instead of 400 years. In theory one can make exotic calculations to decide the most likely numbers to appear in the National Lottery but that is not a great deal of practical use in making certain of the first prize in the lifetime of one person. But what I would ask you to realize is that if doubts ever enter your mind concerning the level of security provided by BCF in particular circumstances, then add another Pointer. One more Pointer adds so little to encryption time that you will not be aware of the difference but it adds 6 * 10^8 times additional security. Thank you for writing and if any doubts remain please write again. 
George In message <199911082035.UAA01523@notatla.demon.co.uk>, Antonomasia writes > >George, > >David Wagner writes: > >> For example, I believe that the 4-pointer version of BCF can be attacked >> with ~ 2^58 workfactor using meet-in-the-middle techniques, since each >> pointer is only 29 bits long. There are probably better attacks, too. > >I reckon that with 6/16 probability 2 pointers will lie in the first half >of the search space and 2 in the second, reducing the space and time >requirements about x 4. > >-- >############################################################## ># Antonomasia ant@notatla.demon.co.uk # ># See http://www.notatla.demon.co.uk/ # >############################################################## -- George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk From gladman@seven77.demon.co.uk Mon, 8 Nov 1999 23:40:42 -0000 Date: Mon, 8 Nov 1999 23:40:42 -0000 From: Brian Gladman gladman@seven77.demon.co.uk Subject: [Off-Topic] UK Political Censorship? From: John Young To: Sent: Monday, November 08, 1999 6:25 PM Subject: Re: [Off-Topic] UK Political Censorship? [snip] > We get mild to nasty threats from lawyers pretty regularly. Those > are our wall trophies, certificates that we're doing wrong rightly. > > If a site is not getting removal requests, demands for censorship, > warnings of retribution, for what's offered, why then it must be > a craven commercial site or one managed by a fainthearted > educational institution, an anxious bureaucracy or self-policing > body way down on the lower scale of bloodworthiness. Congratulations, John, on a sensible level headed policy and one that provided a site that has made, and continues to make, a remarkable contribution to the open debate about intelligence and encryption issues. 
Brian Gladman From lists@notatla.demon.co.uk Tue, 9 Nov 1999 02:32:52 GMT Date: Tue, 9 Nov 1999 02:32:52 GMT From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk Subject: The BCF Cryptosystem George Foot (replying on-list to an off-list email) writes: > You make a very reasonable observation but what does it amount to in > practice. A> I reckon that with 6/16 probability 2 pointers will lie in the first half A> of the search space and 2 in the second, reducing the space and time A> requirements about x 4. On reflection I think I got those figures wrong. I now make it a saving x8 for space and time. Here's my working: 1) Pointers are called a,b,c,d having random values up to 600*2^20. 2) Assume 2 pointers in 1st half of space and 2 in 2nd half (with 6/16 prob.). 3) Assume a < b < 300*2^20 < c < d without loss of generality. 4) Building the store of mid-texts takes (300*2^20) * (300*2^20) /2 trials (looks like a triangular distance-between-two-cities chart). This is where we save a factor of 8 in storage and a factor of 8 in time compared to a (600*2^20) * (600*2^20) search. 5) On the other side a search of size (300*2^20) * (300*2^20) /2 (max) finds a match in the results from 5, saving a factor of 8 in time on this half too. Work factor ~ (300M)^2 instead of 2*(600M)^2 for a plain meet in the middle and vastly less than (600M)^4 as hoped for from the keysize. (All a bit rough as I omitted the sorting step and the many table lookups in step 5.) > In the first place a choice limited to 4 Pointers would be foolish > unless only exceptionally short-lived security were required. People have come to expect significant security for 116 bits. > But what I would ask you to realize is that if doubts ever enter your > mind concerning the level of security provided by BCF in particular > circumstances, then add another Pointer. 
One more Pointer adds so > little to encryption time that you will not be aware of the difference > but it adds 6 * 10^8 times additional security. The first pointer adds 6*10^8 times security and all others are weaker. The effective keysize is divided by N! for N pointers, and later pointers constrained not to overlap the used parts of the number pad have less entropy. I don't think you've provided the detail to know how much because it depends how you proceed when an overlap does arise in the calculation and this will affect the appearance of unusable (too-short) parts of the pad. You wrote originally > With twelve strings, the number of different Message Pads theoretically > possible becomes about 2 * 10^105 but is reduced by the need to avoid > overlapping and by other considerations to about 10^100 which is truly a > very formidable and impressively large Message Pad space to explore. What "other considerations" did you have in mind ? From owen.blacker@pres.co.uk Tue, 9 Nov 1999 10:50:05 -0000 Date: Tue, 9 Nov 1999 10:50:05 -0000 From: Owen Blacker owen.blacker@pres.co.uk Subject: Silicon.com: PKI and the birth of online commerce -----Original Message----- From: NMTV.WebMaster@www.nmtv.net [mailto:NMTV.WebMaster@www.nmtv.net] Sent: Tuesday, November 09, 1999 10:45 AM News in View: PKI and the birth of online commerce PUBLISHED: 0:15am on Tuesday 9 November 1999 Public Key Infrastructure (PKI) technology is increasingly becoming the widely accepted way to secure online transactions and progress ecommerce. This is according to speakers and users at security vendor Baltimore Technologies' annual conference held this month in Dublin. Peter Wilson, assistant commissioner in IT services at the Australian Tax Office doesn't believe there is a better technology on the market to support secure transactions over the Internet. 
He said: "PKI provides authentication, non-repudiation, ensures privacy and offers all the elements required for establishing that the parties involved are who they say they are. These are all essential for ecommerce."

PKI includes the technology and procedures that establish a secure method for exchanging information across the Net. It also involves the use of certification authorities (CAs) and digital signatures and hardware and software used to manage the process.

Fran Rooney, CEO of Baltimore Technologies, said the number of clients taking PKI seriously is growing. "A number of our customers have spent well over a million dollars on the infrastructure and technology in PKI and they don't spend that sort of money unwisely -- they've obviously decided it's worth doing," he said.

Rooney added that the main driver behind the decision to invest heavily in PKI -- despite the risk that it's still an immature technology -- is the perceived high returns on investment. "They see that the potential savings down to the low cost per transaction on the Internet are worth the investment," he said.

You can watch the full News in View programme on our E-business Security Channel: see http://www.silicon.com/a33876

Copyright 1998, 1999 NMTV/Silicon.com. All rights reserved.

From georgefoot@oxted.demon.co.uk Tue, 9 Nov 1999 11:42:07 +0000
Date: Tue, 9 Nov 1999 11:42:07 +0000
From: George Foot georgefoot@oxted.demon.co.uk
Subject: The BCF Cryptosystem

November 8th. 1999

In reply to lists@notatla.demn.co.uk

Thank you for your message: Your interest is much appreciated and your comments most helpful.

We have said that Pointers are chosen so that number strings do not overlap and we have done so because that is an extra precaution which can be taken very simply when messages are relatively short as in business correspondence -- which is the type of E-Commerce application we have in mind for BCF. The one condition which is essential is that Pointers do not coincide.
The BCF Number Pad consists of random numbers and any string of numbers is valid if the Pointers have different locations even if the strings overlap. But if two Pointers were to coincide then two strings which are exactly the same would be produced and they would cancel.

If there are more than four Pointers (and it would be foolish not to use more than four Pointers) all is well even if number strings overlap. With this additional explanation I hope that you can see that our calculation of security level has justification.

But there is more. The use of a permutation array to determine Pointer positions has the result that Pointer positions will not coincide as well as having other benefits.

Let me answer another point which has arisen in several postings although not included in yours. The BCF Cryptosystem calculates a Session Key and never uses the same Key twice. Thus there is no opportunity for the type of attack (flipping bits and the like) which arises in more traditional cryptosystem.

I hope this information is helpful but please write again if anything is not clear.

George

In message <199911090232.CAA03160@notatla.demon.co.uk>, lists@notatla.demon.co.uk writes
>George Foot
>(replying on-list to an off-list email) writes:
>
>> You make a very reasonable observation but what does it amount to in
>> practice.
>
> A> I reckon that with 6/16 probability 2 pointers will lie in the first half
> A> of the search space and 2 in the second, reducing the space and time
> A> requirements about x 4.
>
>On reflection I think I got those figures wrong. I now make it a saving
>x8 for space and time. Here's my working:
>
>1) Pointers are called a,b,c,d having random values up to 600*2^20.
>
>2) Assume 2 pointers in 1st half of space and 2 in 2nd half (with 6/16 prob.).
>
>3) Assume a < b < 300*2^20 < c < d without loss of generality.
>
>4) Building the store of mid-texts takes (300*2^20) * (300*2^20) /2
>   trials (looks like a triangular distance-between-two-cities chart).
>   This is where we save a factor of 8 in storage and a factor of 8
>   in time compared to a (600*2^20) * (600*2^20) search.
>
>5) On the other side a search of size (300*2^20) * (300*2^20) /2 (max)
>   finds a match in the results from 5, saving a factor of 8 in
>   time on this half too.
>
>Work factor ~ (300M)^2 instead of 2*(600M)^2 for a plain meet in the
>middle and vastly less than (600M)^4 as hoped for from the keysize.
>(All a bit rough as I omitted the sorting step and the many table
>lookups in step 5.)
>
>
>> In the first place a choice limited to 4 Pointers would be foolish
>> unless only exceptionally short-lived security were required.
>
>People have come to expect significant security for 116 bits.
>
>
>> But what I would ask you to realize is that if doubts ever enter your
>> mind concerning the level of security provided by BCF in particular
>> circumstances, then add another Pointer. One more Pointer adds so
>> little to encryption time that you will not be aware of the difference
>> but it adds 6 * 10^8 times additional security.
>
>The first pointer adds 6*10^8 times security and all others are weaker.
>The effective keysize is divided by N! for N pointers, and later pointers
>constrained not to overlap the used parts of the number pad have less
>entropy. I don't think you've provided the detail to know how much because
>it depends how you proceed when an overlap does arise in the calculation
>and this will affect the appearance of unusable (too-short) parts of the pad.
>
>
>You wrote originally
>
>> With twelve strings, the number of different Message Pads theoretically
>> possible becomes about 2 * 10^105 but is reduced by the need to avoid
>> overlapping and by other considerations to about 10^100 which is truly a
>> very formidable and impressively large Message Pad space to explore.
>
>What "other considerations" did you have in mind ?
>
>

-- 
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk

From Q.G.Campbell@newcastle.ac.uk Tue, 9 Nov 1999 12:07:21 +0000 (GMT)
Date: Tue, 9 Nov 1999 12:07:21 +0000 (GMT)
From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk
Subject: Students attempt to "break" ECHELON?

We deprecate chain letters at this site but one I came across recently caused me a wry smile. It appears that even students are becoming aware of ECHELON. The message that I saw said in part:

"Apparently it's Break Echelon Day. Echelon is the US/UK email monitoring system."

This text was followed by a list of 100 or more "key words" that it is supposed would trigger the system into action. With further touching naivety the recipient was urged to forward copies on to friends in the hope, I assume, that a snowballing flood of e-mail through the system would cause ECHELON to blink.

Sadly, if ever such a flood of e-mail was generated then I suspect that large e-mail recipient/generator sites like us would suffer far more than ECHELON sites!

Quentin
-- 
PHONE: +44 191 222 8209   Computing Service, University of Newcastle
FAX:   +44 191 222 8765   Newcastle upon Tyne, United Kingdom, NE1 7RU.
-------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."

From pleyland@microsoft.com Tue, 9 Nov 1999 04:24:32 -0800
Date: Tue, 9 Nov 1999 04:24:32 -0800
From: Paul Leyland pleyland@microsoft.com
Subject: The BCF Cryptosystem

> The BCF Cryptosystem calculates a Session Key and never uses the same
> Key twice. Thus there is no opportunity for the type of attack
> (flipping bits and the like) which arises in more traditional
> cryptosystem.

I think this claim is unsupportable under the following threat model which, I believe, is a reasonable one.

Many ecommerce applications use very stylized messages, in which specific data fields occur in specific bit positions of every message.
This is a not unreasonable requirement in practice.

If I intercept one of your messages in transit, something which I can undoubtedly do if I'm an intermediate site between customer and vendor, I can flip specific bits because I know where they are. I don't know the initial or final bit, except that they are opposite.

Suppose now that one bit is a credit/debit instruction. Most ecommerce transactions will normally be debit instructions. A vendor is going to get very upset at paying out...

Your scheme is not proof against such denial of service attacks, or others which exploit blind bit-twiddling, without adding additional protective mechanisms such as a MAC.

This point was made by an earlier poster but you didn't seem to appreciate it, so I spelled it out in greater detail above.

Paul

From lawya@lucs-01.novell.leeds.ac.uk Tue, 9 Nov 1999 13:12:27 +0000
Date: Tue, 9 Nov 1999 13:12:27 +0000
From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk
Subject: An Open Letter to the IETF - on eavesdropping

An Open Letter to the Internet Engineering Task Force

November 8, 1999

IETF Secretariat
c/o Corporation for National Research Initiatives
1895 Preston White Drive, Suite 100
Reston, VA, USA 20191-5434
+1 703 620 9071 (fax)

Dear IETF Members,

We are writing to urge the IETF not to adopt new protocols or modify existing protocols to facilitate eavesdropping. Based on our expertise in the fields of computer security, cryptography, law, and policy, we believe that such a development would harm network security, result in more illegal activities, diminish users' privacy, stifle innovation, and impose significant costs on developers of communications. At the same time, it is likely that Internet surveillance protocols would provide little or no real benefit for law enforcement.

o Protocols to allow surveillance will undermine network security.

Ensuring adequate security on the Internet is extremely difficult. The President's Commission on Critical Infrastructure Protection identified the Internet as a critical but vulnerable infrastructure. Any protocol that requires backdoors or other methods of ensuring surveillance will create new security holes that can be exploited. In addition, the increased complexity of the systems will further undermine security and increase costs of development and implementation. The National Research Council "Trust in Cyberspace" report identified increasing complexity as a core cause of decreasing security.
The new security holes will likely cause more economic and personal harm than any interceptions facilitated will prevent.

o The proposed protocols will stifle development of new communications technologies.

Any requirement to ensure that every new communications system includes eavesdropping capabilities will limit the ability of companies and individuals to fully develop and deploy new communications technologies. In the United States, the Communications Assistance for Law Enforcement Act (CALEA) has delayed the development of new telephone, cellular and satellite communications technologies as conflicts over the surveillance standards have continued.

o There are no legal requirements for the IETF to develop surveillance protocols.

There are no current requirements under U.S. law requiring that computer networks facilitate surveillance. The U.S. Congress, when enacting CALEA, specifically rejected the inclusion of computer networks in the statutory mandate. In addition, it is inconsistent with laws in other jurisdictions, such as the European Union Directive 97/66/EC of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, requiring that every provider of telecommunications services "must take appropriate technical and organisational measures to safeguard security of its services."

o Surveillance protocols will not prevent crime.

Even if the IETF were to develop protocols that facilitated surveillance, it would not prevent crime as most significant criminal enterprises (i.e., those important enough to warrant being placed under surveillance in the first place) would be sophisticated enough to use end-to-end encryption products to prevent decoding of the intercepted communications. Indeed, almost all national governments have rejected calls for mandatory key-escrow encryption because they recognize that it would not be effective.
o Building in surveillance protocols is inconsistent with the previous activities of the IETF.

The IETF has long attempted to increase the reliability, security, and privacy of computer networks. The August 1996 Internet Advisory Board (IAB) and Internet Engineering Steering Group (IESG) Statement on Cryptographic Technology and the Internet (RFC 1984) called for the availability and development of stronger tools to protect security and privacy of network users and rejected limitations on computer security based on country requirements for interception. More recently, the IETF agreed to incorporate encryption into IPv6, even in the face of domestic and export controls in some countries. It would be a dramatic change in policy for the IETF to now begin work on developing surveillance capabilities for IP Voice.

o The proposal will have severe consequences in many non-democratic countries.

Privacy of communications is a fundamental human right recognized in the United National Declaration of Human Rights, the International Covenant on Civil and Political Rights and many other international human rights agreements that have been signed by nearly every nation in the world. However, in many nations, those fundamental rights are routinely violated by the national governments and others. The U.S. State Department reported in its 1998 survey of human rights that governments in over 90 countries were conducting illegal surveillance of their citizens. The protocols would continue and likely expand that surveillance.

In conclusion, we urge the IETF to reject the development and inclusion of these protocols.
Sincerely,

Austin Hill, Zero-Knowledge Systems
Steven Aftergood, Federation of American Scientists
Yaman Akdeniz, Cyber-Rights & Cyber-Liberties (UK)
David Banisar, Attorney and author, The Electronic Privacy Papers
Steve Bellovin, AT&T Labs - Research
Matt Blaze, AT&T Labs - Research
Caspar Bowden, Foundation for Information Policy Research
Jean Camp, Harvard University
Jason Catlett, Junkbusters Inc.
Roger Clarke, Xamax Consultancy Pty Ltd
Lance Cottrell, Anonymizer Inc.
Rick Crawford, UC Davis Computer Security Group
Professor George Davida, University of Wisconsin - Milwaukee
Alan Davidson, Center for Democracy and Technology
Simon Davies, Privacy International
Lisa S. Dean, Free Congress Foundation
Whitfield Diffie, Sun Microsystems
Brian K. Durham
Dave Farber, University of Pennsylvania
Clinton Fein, ApolloMedia Corporation
Leonard N. Foner, MIT Media Lab
Michael Froomkin, University of Miami School of Law
Emily Frye esq., iWitness, Inc.
John Gilmore, co-founder, Electronic Frontier Foundation
Brian R. Gladman, Information Security Consultant
Ellen Hanratty, Medicine Hawk Publications
Roger Harrison, Independent security consultant
Mark W. Heaphy, Wiggin & Dana
Paul Hoffman, Internet Mail Consortium and VPN Consortium
Gus Hosein, London School of Economics
Eric Hughes, Signet Assurance Company
IEEE USA
Joichi Ito, Neoteny, Inc.
Jerry Kang, UCLA School of Law
Phil Karn, Qualcomm
Susan Landau, Sun Microsystems Inc.
Ben Laurie, Apache Software Foundation, OpenSSL Group and A.L. Digital Ltd
Bill Lemieux, Technical Alchemy
Lawrence Lessig, Harvard Law School
Ralph Mackiewicz, SISCO, Inc.
Russell McOrmond, FLORA Community WEB
William Hugh Murray, CISSP
Peter Neumann, SRI
Grover G. Norquist, Americans for Tax Reform
Richard Payne
Dinah PoKempner, Human Rights Watch
Jean-Jacques Quisquater, UCL Crypto Group and Math RiZK
Donald Ramsbottom LL.B, BA (Hons), RAMSBOTTOM & Co. Solicitors
Michael Richardson, Sandelman Software Works
Ronald L. Rivest, MIT
Marc Rotenberg, Electronic Privacy Information Center
Pamela Samuelson, Professor of Information Management and of Law, UC Berkeley
William L. Schrader, Chairman, CEO and Founder, PSINet Inc.
Bruce Schneier, Counterpane Systems
Barbara Simons, Association for Computing Machinery
Tim Skorick, Technical Security Contractor
Richard M. Smith, Independent security consultant
David Sobel, Electronic Privacy Information Center
Shari Steele, Electronic Frontier Foundation
Barry Steinhardt, American Civil Liberties Union
David Wagner, University of California, Berkeley
Coralee Whitcomb, Computer Professionals for Social Responsibility
Philip R. Zimmermann, Network Associates

Affiliations for identification purposes only.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at: http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Caspar.Addyman@natwestgfm.com Tue, 9 Nov 1999 14:15:54 -0000
Date: Tue, 9 Nov 1999 14:15:54 -0000
From: ADDYMAN, Caspar, GFM Caspar.Addyman@natwestgfm.com
Subject: An Open Letter to the IETF - on eavesdropping

Is this online anywhere?
(I couldn't find it at the URL in the .sig)

If so, has anyone sent a link to slashdot et al ?

Caspar

-----Original Message-----
From: Yaman Akdeniz [mailto:lawya@lucs-01.novell.leeds.ac.uk]
Sent: 09 November 1999 13:12
To: ukcrypto@maillist.ox.ac.uk
Subject: An Open Letter to the IETF - on eavesdropping

[snip]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at: http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From lawya@lucs-01.novell.leeds.ac.uk Tue, 9 Nov 1999 16:29:37 -0000
Date: Tue, 9 Nov 1999 16:29:37 -0000
From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk
Subject: An Open Letter to the IETF - on eavesdropping

> Is this online anywhere?
> (I couldn't find it at the URL in the .sig)

See http://www.cyber-rights.org/interception/ietf-letter.htm for a copy.

> If so, has anyone sent a link to slashdot et al ?

I did not.

Mr. Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
Url: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Tel: +44 (0) 498 865116
PGP Fingerprint: 075A 1640 8F7A 0273 6C24 B9C3 551F A9F1 0397 F663

From gladman@seven77.demon.co.uk Tue, 9 Nov 1999 18:14:21 -0000
Date: Tue, 9 Nov 1999 18:14:21 -0000
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: The BCF Cryptosystem

From: George Foot
To:
Sent: Tuesday, November 09, 1999 11:42 AM
Subject: Re: The BCF Cryptosystem

[snip]

> The BCF Cryptosystem calculates a Session Key and never uses
> the same Key twice. Thus there is no opportunity for the type of
> attack (flipping bits and the like) which arises in more traditional
> cryptosystem.

Wrong I'm afraid, as already pointed out on this list. You are using a stream cipher in which your key stream is XOR'd with the plaintext. This means that the bits in the original message maintain their positions within the encrypted text and are only mixed with one key bit - they are not mixed with other message or key bits as would occur with a block cipher. This means that when the plaintext has a known structure a 'man in the middle' can invert bits at particular points in the encrypted text and hence cause the corresponding bits in the received message to be inverted.
And since the structure of electronic commerce messages will often be known, such an opponent can invert the bits that he or she knows have critical functions.

You have said that you don't consider such 'man in the middle' attacks to be a serious threat in electronic commerce but I have to disagree with you. Many of the most potent and difficult attacks in terms of defence are insider attacks where someone in a company - for example, an employee in the IT department - intercepts and changes messages intended for other company employees. Since such employees will often have direct access to company firewalls, networks etc., they are in an ideal position to mount a 'man in the middle' attack. Moreover they will often have just the expertise needed to do this in a highly covert way.

I really cannot see any encryption system that fails to protect message integrity having a future in electronic commerce.

Brian

From az096@freenet.toronto.on.ca Tue, 9 Nov 1999 11:59:20 -0500
Date: Tue, 9 Nov 1999 11:59:20 -0500
From: Robert Guerra az096@freenet.toronto.on.ca
Subject: Rex's view on the breakup of Microsoft..

Last night the Canadian evening news aired a segment on the recent Microsoft court ruling.

It was an excellent piece which no doubt others would like to hear.

The segments are available in real audio/video format at the following location: (last night's item will be there in a day or so)

http://cbc.ca/news/national/rex/

Let me know what you think...

ps. Perhaps Newfoundland's best-known journalist, Rex Murphy presents an occasional column on The Magazine, focusing on a topic in the news. Rex's Point of View is invariably sharp, provocative and well-written. And whether or not you agree with him, he makes you think.

From albert@achtung.com Tue, 9 Nov 1999 11:14:18 -0800
Date: Tue, 9 Nov 1999 11:14:18 -0800
From: Albert Yang albert@achtung.com
Subject: Enigma

I was watching a PBS special on the Enigma cipher, and how WWII was dependent on breaking it.
Gripping documentary, I'm waiting to finish watching the second part. It was a British documentary called "Breaking the Codes".

My question was, are there any documentaries out there that present other ciphers? If so, please let me know, I'd be interested in watching it.

Seeing the actual enigma machines was great.

Albert

From J.Goldberg@Cranfield.ac.uk Tue, 9 Nov 1999 20:33:01 +0000 (GMT)
Date: Tue, 9 Nov 1999 20:33:01 +0000 (GMT)
From: Jeffrey Goldberg J.Goldberg@Cranfield.ac.uk
Subject: Enigma

On Tue, 9 Nov 1999, Albert Yang wrote:

> I was watching a PBS special on the Enigma cipher,
[...]

I will take the opportunity to post one of my aperiodic reminders of the existence of a mailing list for the discussion of all things Bletchley Park related. Follow links from http://www.cranfield.ac.uk/ccc/bpark/

-j

-- 
Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
Cranfield Computer Centre       FAX 751 814
J.Goldberg@Cranfield.ac.uk      http://WWW.Cranfield.ac.uk/public/cc/cc047/
Relativism is the triumph of authority over truth, convention over justice.
Disclaimer: Unless indicated otherwise, opinions are my own. Whose else?

From daw@cs.berkeley.edu 9 Nov 1999 13:04:27 -0800
Date: 9 Nov 1999 13:04:27 -0800
From: David Wagner daw@cs.berkeley.edu
Subject: The BCF Cryptosystem

In article <10j+jCAPiAK4EwMM@oxted.demon.co.uk>, George Foot wrote:
> The BCF Cryptosystem calculates a Session Key and never uses the same
> Key twice. Thus there is no opportunity for the type of attack
> (flipping bits and the like) which arises in more traditional
> cryptosystem.

Ahh, good point. Another person has also pointed this out to me in private email; thanks. So the related-key attack I proposed does not work, and moreover, this seems (as far as I can see) to prevent the possibility of other related-key attacks. Good.

I'm sorry.
I realize I should have seen that requirement in your original proposal and noticed that it prevents the related-key attack; I overlooked it, and I apologize for any confusion it may have caused.

From georgefoot@oxted.demon.co.uk Tue, 9 Nov 1999 22:47:39 +0000
Date: Tue, 9 Nov 1999 22:47:39 +0000
From: George Foot georgefoot@oxted.demon.co.uk
Subject: The BCF Cryptosystem

David Wagner

I have no way of recovering the message just received from you which I inadvertently erased. Apologies. Please repeat.

George
-- 
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk

From padgett@gdi.net Wed, 10 Nov 1999 00:39:46 -0500
Date: Wed, 10 Nov 1999 00:39:46 -0500
From: Padgett 0sirius padgett@gdi.net
Subject: Regina V DPP ex Parte Kebilene

>[snip details of case in which a conviction results from evidence the police
>obtain by illegal means]

I believe it would have been thrown out in the US but even if admissible it would still seem that if the evidence was illegally obtained, a crime was committed by the arresting officers.
So my question is not of the conviction but rather how were the investigators involved subsequently disciplined ?

A. Padgett Peterson, P.E. Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html
mailto:padgett@gdi.net
PGP 6.5 Key on request

From paulfordh@uk.ibm.com Wed, 10 Nov 1999 10:53:14 +0000
Date: Wed, 10 Nov 1999 10:53:14 +0000
From: paulfordh@uk.ibm.com
Subject: Enigma

> Seeing the actual enigma machines was great.

They have a couple in the Smithsonian National Museum of American History in Washington DC if you want to see one "in the flesh" as it were. (Along with a Bombe, a Jefferson cylinder and a US ENIGMA-a-like (whose name escapes me) etc...)

See http://photo2.si.edu/infoage/infoage.html

Cheers,
Paul
-- 
Paul Ford-Hutchinson : EMEA eCommerce application security : paulfordh@uk.ibm.com
OSU-1, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5YR    +44 (0)1926 462005

From owen.blacker@pres.co.uk Wed, 10 Nov 1999 11:10:22 -0000
Date: Wed, 10 Nov 1999 11:10:22 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: Silicon.com: The draft Ecommerce Bill: an infringement of human rights?

-----Original Message-----
From: NMTV.WebMaster@www.nmtv.net [mailto:NMTV.WebMaster@www.nmtv.net]
Sent: Wednesday, November 10, 1999 11:03 AM

The draft Ecommerce Bill: an infringement of human rights?
PUBLISHED: 0:01am on Wednesday 10 November 1999

The government's Electronic Communications Bill has courted its fair share of controversy ever since its original consultation paper in March. Pressure from industry leaders and campaigners defeated plans for perhaps the most controversial proposal -- key escrow -- but according to a legal audit of the draft Bill, lobbyists may have relaxed a bit too soon.

The legislation in question belongs to Part III of the Bill -- proposals put in place by the Home Office for the investigation of protected electronic data.
On one side of the argument, the government has always been afraid that the development of strong encryption technology will leave it powerless to track criminal activity. On the other side, industry has always argued that privacy is essential for electronic business to thrive.

The Home Office thought it had come up with an acceptable compromise when it dropped key escrow in favour of the current proposal to leave encryption keys in the hands of the user unless they refuse to decrypt messages.

But now an independent audit, written by former law commissioner and Cambridge professor, Jack Beatson QC, and fellow barrister Tim Eicke, states there are "serious concerns" about that policy's compliance with the European Convention on Human Rights (see 'Ecommerce Bill in trouble over human rights' http://www.silicon.com/a33577 ).

The Home Office has answered the allegations (see 'Home Office fights back against human rights allegations' http://www.silicon.com/a33613 ) and said the Bill is still under review. But campaigners are unsatisfied and doubt the government will make the necessary adjustments.

Nicholas Bohm, lawyer and legal officer at the Foundation for Information Policy Research (FIPR), would like to see the government take a completely different approach. "We need a plain, straightforward approach. Adopting extremely complicated legislation is profoundly counterproductive. It would be relatively easy to extend existing civil laws.

"The whole area is a mess legislatively. The Home Office really needs to step back and tidy it up," Bohm added.

Many industry groups would like to see Part III removed from the Bill altogether. Tim Conway, director of the Information Age Unit at the CSSA, accepted there are serious law enforcement requirements -- but argued they should be kept together with other police powers. "As a general principle, Part III sits awkwardly with the government's aim to encourage ecommerce," he said.
The worry is that the argument could delay the already long-overdue Bill even further. "From our point of view it is critical to have laws in place which recognise e-signatures, etc. We don't want this to cause further delays," Conway said.

The Bill will be introduced into Parliament during the next session. At the CBI's annual conference in Birmingham at the beginning of this month, Tony Blair underlined its importance as one of the "centre pieces" of the Queen's Speech.

Jonathan Steele, chairman of the Bathwick Group, warned that Part III could easily be voted through. "Ninety per cent of MPs don't understand the issues and there isn't one unified industry voice telling them what should replace it -- everyone has a different opinion."

But it will be difficult for the government to dismiss opinions such as that of Jack Beatson. His position as a former law commissioner will carry weight with many MPs. And only this week a Select Committee Report called on the government to provide more clarification of Part III.

Campaigners at Justice and FIPR are warning that if Part III does go through unchanged it could face an early legal challenge. According to Beatson the category of potential "victims" is very wide, and anyone threatened by the legislation "could bring a case against the United Kingdom government directly before the Court in Strasbourg". And the complainants are lining up already.

Copyright 1998, 1999 NMTV/Silicon.com. All rights reserved.

From I.Brown@cs.ucl.ac.uk Wed, 10 Nov 1999 12:20:38 +0000
Date: Wed, 10 Nov 1999 12:20:38 +0000
From: Ian BROWN I.Brown@cs.ucl.ac.uk
Subject: List use

Robert Guerra wrote:
>Last night the Canadian evening news aired a segment on the recent
>Microsoft court ruling.
>It was an excellent piece which no doubt others would like to hear.

And the relevance to UK crypto policy is... I'm sure there is one, but it would be nice to know...
George Foot wrote: >David Wagner > >I have no way of recovering the message just received from you which I >inadvertently erased. Apologies. Please repeat. Did the entire list need to see this? Ian. From whgu0007@ermine.ox.ac.uk Wed, 10 Nov 1999 12:56:07 +0000 (GMT) Date: Wed, 10 Nov 1999 12:56:07 +0000 (GMT) From: Ian Goodyer whgu0007@ermine.ox.ac.uk Subject: List use I agree with Ian Brown. Please try and stay on topic. I have had a couple of queries about the BCF cryptosystem topic being off-topic. I think that it was fine to post the original proposals but maybe now the detailed criticisms could be carried out via private email. Many thanks, ian On Wed, 10 Nov 1999, Ian BROWN wrote: > Robert Guerra wrote: > >Last night the Canadian evening news aired a segment on the recent > >Microsoft court ruling. > >It was an excellent piece which no doubt others would like to hear. > > And the relevance to UK crypto policy is... I'm sure there is one, but it > would be nice to know... > > George Foot wrote: > >David Wagner > > > >I have no way of recovering the message just received from you which I > >inadvertently erased. Apologies. Please repeat. > > Did the entire list need to see this? > > Ian. > > > From proff@iq.org 11 Nov 1999 00:39:54 +1100 Date: 11 Nov 1999 00:39:54 +1100 From: Julian Assange proff@iq.org Subject: List use Ian BROWN writes: > Did the entire list need to see this? > > Ian. No, Ian, it did not. -- Stefan Kahrs in [Kah96] discusses the notion of completeness--programs which never go wrong can be type-checked--which complements Milner's notion of soundness--type-checked programs never go wrong [Mil78]. From owen.blacker@pres.co.uk Wed, 10 Nov 1999 14:06:30 -0000 Date: Wed, 10 Nov 1999 14:06:30 -0000 From: Owen Blacker owen.blacker@pres.co.uk Subject: Straws in the wind... Much though we might not like the idea, the Civil Servants would be particularly bad at their jobs if that weren't the case... 
:o/ O x ----- Owen Blacker Senior Internet Developer and Information Security Consultant pres.co.interactive www.pres.co.uk DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a -----Original Message----- From: Nicholas Bohm [mailto:nbohm@ernest.net] Sent: Monday, November 08, 1999 4:19 PM To: ukcrypto@maillist.ox.ac.uk Subject: Re: Straws in the wind... At 01:03 PM 11/8/1999 +0000, Quentin Campbell wrote: > [deletia] >Of course all this could simply result in a new IOCA that is even more >objectionable and also more "bullet proof" to legal challenge from >whichever court! That tends to be the way it goes. [deletia] From grenouf@msn.com Wed, 10 Nov 1999 15:23:14 -0000 Date: Wed, 10 Nov 1999 15:23:14 -0000 From: Greg Renouf grenouf@msn.com Subject: DVD News... This is a multi-part message in MIME format. ------=_NextPart_000_0000_01BF2B8F.817465B0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit The powers are starting to pound down on the authors of DeCSS: http://www.wired.com/news/politics/0,1283,32449,00.html ------=_NextPart_000_0000_01BF2B8F.817465B0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
 
From pgut001@cs.auckland.ac.nz Thu, 11 Nov 1999 05:17:53 (NZDT)
Date: Thu, 11 Nov 1999 05:17:53 (NZDT)
From: Peter Gutmann pgut001@cs.auckland.ac.nz
Subject: DVD News...

"Greg Renouf" writes:

>The powers are starting to pound down on the authors of DeCSS:
>
>http://www.wired.com/news/politics/0,1283,32449,00.html

There's been a discussion about this on the Livid (DVD developers) list, there's a strong argument that it can be fought on the basis that CSS isn't a copy-protection system (which is accurate, it isn't) but a means of preventing fair use by consumers. Because of a quirk of NZ law it's legal here to sell players which have been modified to bypass the region coding (which is what CSS was designed to enforce, it means we can buy cheap region 1 DVD's now instead of having to wait months for the expensive region 4 versions of the same thing to appear), so trying to defend CSS in NZ would make for a tricky case.

In addition the only threats so far have been cease and desist letters, which don't really mean much apart from showing that your lawyers aren't asleep at the wheel. Whether the content providers will risk a court case trying to defend a system which was designed to prevent fair use (and therefore violates at least some European, if not US, trading laws which address differential pricing) is another matter. Having said that, the content providers have effectively infinite amounts of funding available for frivolous lawsuits and everyone else doesn't, so it's not going to be pleasant performing an empirical evaluation of this.

Peter.

From georgefoot@oxted.demon.co.uk Wed, 10 Nov 1999 16:51:05 +0000
Date: Wed, 10 Nov 1999 16:51:05 +0000
From: George Foot georgefoot@oxted.demon.co.uk
Subject: The BCF Cryptosystem

November 10th, 1999

To Brian Gladman:

Dear Brian,

Thank you for your message: The time has come to make a more robust defence of BCF: But as a preliminary I hasten to say that this will be directed to a generality of our critics and not to you personally.

The outstanding features of your message are the observations which do not appear. We present you with a Cryptosystem designed with business and the businessman in mind and created with knowledge of business procedures and business concerns. You make no assessment or even mention of the value of BCF from this point of view and say nothing concerning the weaknesses of other systems to which we draw attention in our Presentation of BCF. It is only reasonable that we should arrive at a conclusion that you have made no appraisal whatever of BCF as a business system.

It has been suggested that it is unsuitable that we should be studying alternative cryptosystems. Do you think that such an activity should be limited to a cartel of academics citing and applauding each other's work but remaining isolated from the real business of E-Commerce? We have a great respect for the brilliance of mathematicians and avail ourselves of their results but feel free to make contributions as we feel appropriate. An academic outlook prevails in the discussion of the merits of rival cryptosystems and is an understandable continuation of intelligence and counterintelligence concerns -- but the business man needs a simple and reliable and low-cost delivery vehicle for correspondence and not an expensive armoured juggernaut providing far higher security over a longer period than anything in which he is interested.

The attacks on BCF have dwindled to concern over "middle-man" intervention: Some people are so sure of their ground in this respect that they declare I do not understand such things. They are wrong.

Middle-man activity directed to substitution of misleading messages for good information is no doubt justifiable for an "enemy" notwithstanding the considerable expense and complexity of such an operation. But if carried out without tangible result or benefit to the perpetrator it becomes absurd and nothing but a pin-pricking nuisance to the businessman. Business communications are commonly narrative and differ one from another. A random alteration to the text of a single business letter is an irritant easily recognised but entirely without harm to security. The person responsible gains nothing because BCF uses different Keys for every message. He gets nothing but pleasure in his own malice; he would do much better by introducing a virus or any other weapon of spite.

Objections by critics of BCF have been reduced to postulating weakness if business forms exactly alike were transmitted -- not very likely to occur but even so there are ways to stop such a nuisance. BCF is a software package and additional features can be added readily. However this is an application similar to ATM traffic and other financial transactions for which BCF would not be recommended. We make the point strongly that BCF is not put forward as a universal solution to be suitable in all possible circumstances. In fact we do not support the notion that a single all-purpose cryptosystem is tenable or desirable or sensible. A sledge hammer system should not be used to insert drawing pins and conversely a tack hammer is not suitable for driving fence posts.

BCF is a simple, low-cost, flexible, business orientated cryptosystem of a general purpose character having the all-important attribute that it offers higher security than other systems and the valuable property that the security is adjustable to suit business convenience and political edict. You make no reference to the doubts which must continue to exist in traditional cryptosystems of all types notwithstanding their pedigree.

We could make the declaration that you would be safer to use BCF which demonstrably has no back doors but which offers higher security NOW than can be obtained from the elite of other cryptosystems (including some pregnant with promise but not yet born) and none of which operate perfectly and all of which will as time passes suffer the indignity of being cracked one-by-one without this fact necessarily being disclosed to you so that all are latently hazardous. We do make this declaration but we add that in some circumstances (for example continuous high speed data links) other cryptosystems may suit your purpose better. At which point we remind you that BCF costs nothing and that suitable software for BCF can be written by any competent software writer.

The businessman representing his company and travelling abroad on business of a critical importance will have the comfort that he can use BCF to communicate with his head office with security in which he has confidence -- and he is imperturbable if his lap-top computer gets stolen and the BCF Number Pad and software are "removed" from his person as these items do not need protection. So he obtains another perfectly standard laptop and a BCF Number Pad from a local supplier and carries on as before and as a dramatic gesture dumps everything in the river when his mission is complete.

BCF is not everything to all men but it is a redoubtable asset to business and a very practical method of protection against business espionage. It pursues its function in self-contained fashion seeking no contact with any third party and requiring none. And let me repeat, it is simple and cheap.

With kind regards and thanks for your interest.

George

In message <004301bf2ade$47eacde0$966adec2@fortytwo>, Brian Gladman writes
>From: George Foot
>To:
>Sent: Tuesday, November 09, 1999 11:42 AM
>Subject: Re: The BCF Cryptosystem
>
>[snip]
>> The BCF Cryptosystem calculates a Session Key and never uses
>> the same Key twice. Thus there is no opportunity for the type of
>> attack (flipping bits and the like) which arises in more traditional
>> cryptosystems.
>
>Wrong I'm afraid, as already pointed out on this list. You are using a
>stream cipher in which your key stream is XOR'd with the plaintext. This
>means that the bits in the original message maintain their positions within
>the encrypted text and are only mixed with one key bit - they are not mixed
>with other message or key bits as would occur with a block cipher.
>
>This means that when the plaintext has a known structure a 'man in the
>middle' can invert bits at particular points in the encrypted text and hence
>cause the corresponding bits in the received message to be inverted. And
>since the structure of electronic commerce messages will often be known,
>such an opponent can invert the bits that he or she knows have critical
>functions.
>
>You have said that you don't consider such 'man in the middle' attacks to be
>a serious threat in electronic commerce but I have to disagree with you.
>Many of the most potent and difficult attacks in terms of defence are
>insider attacks where someone in a company - for example, an employee in the
>IT department - intercepts and changes messages intended for other company
>employees. Since such employees will often have direct access to company
>firewalls, networks etc., they are in an ideal position to mount a 'man in
>the middle' attack. Moreover they will often have just the expertise needed
>to do this in a highly covert way.
>
>I really cannot see any encryption system that fails to protect message
>integrity having a future in electronic commerce.
>
>    Brian
>

--
George Foot
georgefoot@oxted.demon.co.uk
http://www.oxted.demon.co.uk

From gladman@seven77.demon.co.uk Wed, 10 Nov 1999 19:01:49 -0000
Date: Wed, 10 Nov 1999 19:01:49 -0000
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: The BCF Cryptosystem

From: George Foot
To:
Sent: Wednesday, November 10, 1999 4:51 PM
Subject: Re: The BCF Cryptosystem

I will answer the issues you raise in a private email since Ian is right to point out that this is no longer an issue for ukcrypto.

If anyone else would like to be involved in the continuing exchange about BCF would they please let me know using an ***off-list*** email message.

Brian

From mjsion@earthlink.net Wed, 10 Nov 1999 14:15:56 +0000
Date: Wed, 10 Nov 1999 14:15:56 +0000
From: Max mjsion@earthlink.net
Subject: The story of a small boy - sealed envelopes - continues --

Surely no communication system is 100 % trustworthy. However, by encrypting your email messages (personal and business), you shall be able to have these sealed envelopes. Of course, depending on algorithms, key lengths, internal security arrangements (plain files prior to encryptions etc. .. and so on) among other things (the whole crypto system), these seals may be weaker or stronger, but they would enable people to have these sealed envelopes.

Often executives and other professionals perceive the cryptography "strangely" and hesitate using it. And new information technologies make it so convenient for people to write and send messages that they often forget their own security.

Back in 1994, I wrote an article. See below.

---

Security Precautions in Communicating Audit Results using Information Networks

May, 1994

The new technology has had and will have in the future a tremendous impact on the privacy of individuals and corporations. Laws and regulations cannot keep up with the speed of the technological development.
The information technology - especially so called highways - have enabled everyone to communicate faster and more conveniently with each other cross-organizationally. However, this has also increased risks involved in communicating sensitive and confidential information such as intelligence audit results. Different network applications have different security risks; many networks can be very accessible to any competent Information Technology (IT) specialist.

Would you like to share your private nonconformities with everyone without your own authorization? Or would you like to be the person who is responsible for a confidential audit, but who then shares this information with everyone unknowingly and possibly faces some legal problems? Truly speaking, I would not want to be this person.

So the information technology, if it is used improperly and without proper precautions, may create threats to all parties involved in the intelligence system audit: auditee, auditor and client. These problems may exist in the facility's Local Area Networks (LANs), inter-organizational networks (WANs), cross-organizational networks such as Internet - and even any wireless networks such as cellular telephone networks. The security risks may materialize in an unauthorized and improper use of user accounts or in unethical monitoring and surveillance of the communication channels.

The level of the security risk depends on the communication system. If your organization has a very flexible system and all individuals have access to all information - be aware that your audit reports may be read by anyone in this system. Also if you are sharing your audit findings via Internet or via other cross-organizational networks, be aware that someone may read your confidential e-mail messages, files and any other communication between you (auditor), client and auditee.

Every intelligence system auditor should make every effort to ensure that the audit stays confidential and should take the following precautions, when the information technology is used for planning, performing and then reporting the intelligence audit:

1. Make certain that you know which parts of the audit information are confidential and sensitive; this may depend on the audit - sometimes the whole audit may be confidential including the scope.

2. Find out who has access to your user account or computer and then determine if persons having access to your information are ethical and not using the audit information for their own political purposes; if necessary perform or request a security audit.

3. Find out who can monitor your audit communication in the network.

4. Make certain that there are policies for the information technology personnel that prevent the wrong use of any network information.

5. Be certain that your passwords are well protected - and change your passwords frequently.

6. If you are not satisfied with the information security arrangements, do not communicate via networks, do not store confidential information in the network or in your computer; store your audit results in your own private disks, and only provide hard copies of these results as it is necessary.

7. If you need to communicate via networks, but you are not satisfied with the security arrangements, use proper encryption software to protect your information.

8. Avoid communicating any confidential and sensitive audit information via Internet, if you are not using any encryption software.

From padgett@gdi.net Wed, 10 Nov 1999 19:13:02 -0500
Date: Wed, 10 Nov 1999 19:13:02 -0500
From: Padgett 0sirius padgett@gdi.net
Subject: Silicon.com: The draft Ecommerce Bill: an infringement of human rights?

Once again I will make the same comment I have since Clipper/Capstone: E-business *requires* strong cryptography. It will not work without it. This is a "first generation" effect and in combination with strong authentication (a natural corollary) will prevent many electronic crimes from being committed. It is already available to anyone who uses the Internet & cannot be put "back in the box".

Ubiquitous strong cryptography *may* cause difficulties for law enforcement investigation of those crimes which remain. This would be a "second generation" effect. One question I have never seen even discussed is this: if the total incidence of crime goes down but the difficulty of investigation goes up, then did the total effort required go up, down, or stay the same? The answer is one we will only discover once strong encryption is pervasive.

A second corollary is one that the US politicians have discovered already (but are waiting for a politically auspicious time to announce): attempting to control crypto is already like King Canute ordering the sea back, it just results in dampened spirits. Politicians do not back no-win situations (at least not the ones who have been around for a while).

This is just my perception of the political climate, your mileage may vary.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html
mailto:padgett@gdi.net
PGP 6.5 Key on request

From cb@fipr.org Thu, 11 Nov 1999 07:23:46 -0000
Date: Thu, 11 Nov 1999 07:23:46 -0000
From: Caspar Bowden cb@fipr.org
Subject: New Statesman 8/11/99:"Losing the key"

http://www.consider.net/forum_new.php3?newTemplate=OpenObject&newTop=199911080046&newDisplayURN=199911080046

Internet - Losing the key

Andrew Brown
Monday 8th November 1999

Internet - Andrew Brown on the perils of encryption

In Baudelaire's time you had to be a poet to be an albatross, but today anyone with a computer can leave his clumsy land-bound self behind and soar in a space where we are truly graceful.
For those of us who stumble through our flesh-bound lives, computers are the gate to a cleaner, better world, in which we never forget our keys or even letters, dates and names. On a well-regulated computer, I could never find myself gazing with mournful stupefaction at the door of a newly purchased flat, shut and with my only keys behind it. Or so I thought until I tried PGP.

Phil Zimmermann, who wrote PGP, is the only programmer ever to have been arrested for his work. It's generally agreed that the FBI shouldn't have done this, even by those of us who feel that not nearly enough programmers are punished for their crimes against humanity. His purported crime was to release the program so that anyone with sufficient energy and application could use it to make their computer files completely and utterly secure from prying eyes. PGP has further side effects, such as making it possible to be reasonably certain that a document has been signed by the purported originator and that it has not been tampered with since it was written. In other words, it makes trust easier and betrayal more difficult, which sounds wonderful except that the people who most need to trust each other and to be secure against betrayal are those engaged on conspiracies against the rest of us, which is why the spooks believe they should have a monopoly on this stuff. But it's out now, and this kind of trust and secrecy is the foundation of the electronic commerce that is going to make us all rich.

It is sensible to be picky about encryption where money is concerned. It's one reason I use the Norwegian browser Opera: it handles credit card information in transit much more safely than the European versions of either Netscape or Internet Explorer. But egged on by a friend, I decided to put version six on my computer in case anyone wants to send me any secret documents and so that the incredibly important e-mails I send can be properly identified. I published my key and waited.

Nothing happened for six weeks. Apparently no one cares enough about my opinions to demand an assurance that they are unequivocally mine. Then I decided to fiddle with it a little, and discovered that I had forgotten my passphrase. PGP encrypts everything three or four times, using keys hundreds of digits long, which is why it is so safe; but no one can remember these digits, so they are in turn summoned into existence with a tiny passphrase that humans can remember and must never write down, or else the whole exercise becomes rather self-defeating. That is what I have forgotten. If anyone reads my key and sends me a confidential message, I will be unable to read it.

This has unfortunate consequences. For one thing, I could be jailed for my bad memory. The e-commerce bill, as it stands at present, means that if the police demand that I decrypt the contents of my hard disk, I am committing an offence if I have forgotten the passphrase. Actually, the bill says that I could be jailed even if I never knew the passphrase in the first place. This would appear to contravene the European Convention on Human Rights, but it is not clear yet whether Patricia Hewitt will alter it before the courts have to, and I have no wish to be a martyr.

The only consolation is that I am unlikely to be alone in jail if this goes through. Demon Internet, the original British ISP, is preparing a new release of its Turnpike software that will have PGP built in, so that anyone who wants to use secure e-mail will be able to do so. Demon has always been a fairly libertarian organisation. When the software goes out, hundreds of thousands of people will have simple access to encryption and tens of thousands will actually use it. There are lots of non-techie people who find Demon's software much easier to use and understand than any of the alternatives. And the thing will be set up so that replies to encrypted incoming mail are themselves encrypted by default, so it may spread rapidly among Demon users who correspond with each other. I just hope they can all remember their passphrases, because whatever is encrypted under a forgotten password really is completely irrecoverable, and if the courts don't believe you have forgotten it, you could sit in jail until the heat-death of the universe or until Jack Straw learns to care about civil liberties, whichever comes quicker.

From alloneword@dial.pipex.com Thu, 11 Nov 1999 10:34:12 +0000
Date: Thu, 11 Nov 1999 10:34:12 +0000
From: Andrew Brown alloneword@dial.pipex.com
Subject: New Statesman 8/11/99:"Losing the key"

On Thursday, November 11, 1999, at 7:23:46 AM, Caspar Bowden wrote:

CB> http://www.consider.net/forum_new.php3?newTemplate=OpenObject&newTop=199911080046&newDisplayURN=199911080046
CB> Internet - Losing the key

CB> Andrew Brown Monday 8th November 1999

CB> Internet - Andrew Brown on the perils of encryption

[long boring article snipped]

after I had filed, I did in fact remember the passphrase. I had thought that I had used something monumentally secure and different; in fact I simply used a moderately secure string that I use as my password to several other things. It is a problem, though. I expect to be able to remember, say, three random password strings that I don't need to write down. But these, if known, give access to all my digital secrets. Are we supposed to have one master password? or to remember fifteen or more?

And, if I die suddenly, how are my next of kin meant to get at stuff if it is not written down?

--
Andrew
mailto:alloneword@dial.pipex.com

From I.G.Batten@ftel.co.uk Thu, 11 Nov 1999 11:16:03 GMT
Date: Thu, 11 Nov 1999 11:16:03 GMT
From: Ian G Batten I.G.Batten@ftel.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

> And, if I die suddenly, how are my next of kin meant to get at stuff if
> it is not written down?

It's a shame that the whole concept of key escrow and trusted third parties has become mired in the nasty world of government funded mass observation (sorry, ``vital law enforcement interests'': the light is _terrible_ here). For the case of recovering from ``I forgot'' and ``He's dead'', key escrow is actually the correct technology.

ian

From owen.blacker@pres.co.uk Thu, 11 Nov 1999 11:14:50 -0000
Date: Thu, 11 Nov 1999 11:14:50 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: Silicon.com: US makes digital signatures legally binding

Sounds very similar to a lot of what the latest DTI Select Cttee report said (qv http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/862/86202.htm -- this URI may have wrapped in transmission)

The only thing I noticed mentioned by the Select Cttee relevant to this, but missed by the House is that the Cttee was concerned about the possible marginalization of non-wired citizens if stuff goes online for cheaper than is available offline.
My take on this would be that online transactions are, on the whole, cheaper than offline transactions and at least some of that saving should be passed on to the customer, simply by way of encouragement to go online, though I can very much understand the Cttee's concerns about further marginalizing people who may already been suffering some of the effects of social exclusion. Could anyone who knows a little more about the specifics of the House Bill expand upon whether Congress addressed this concern in any way? Owen x ----- Owen Blacker Senior Internet Developer and Information Security Consultant pres.co.interactive www.pres.co.uk DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a -----Original Message----- From: NMTV.WebMaster@www.nmtv.net [mailto:NMTV.WebMaster@www.nmtv.net] Sent: Thursday, November 11, 1999 9:45 AM US makes digital signatures legally binding PUBLISHED: 0:20am on Thursday 11 November 1999 Industry experts are today welcoming the move by the US House of Representatives to recognise digital signatures as legally binding. Voted in earlier this week by 356 votes to 66, the legislation means legally binding contracts will no longer have to be written and signed on paper. It states: "In any commercial transaction affecting interstate commerce, a contract shall not be denied legal effect or enforceability solely because an electronic signature or record was used in its formation." The move means businesses can make binding commercial arrangements electronically and consumers can sign up for bank accounts or receive bills online. But the Bill may still face opposition from The White House, which has been under pressure to veto the legislation following claims from consumer groups that it erodes consumer rights. 
But according to Dave Birch, director of IT management consultancy, Consult Hyperion, the provisions for consumers to give their consent should be enough. "Of course a gas company shouldn't be able to force you to accept a bill by email. But in principal, if consumers give informed consent I really don't see a problem." Mark Reeves, VP EMEA at RSA Security, said the importance of digital signatures should not be underestimated. "Digital signatures are vital if ecommerce is going to take off. They counter one of the biggest concerns and bind identity to a user. "This legislation endorses the strategy of Public Key Infrastructure (PKI). There is very little point having an electronic commerce community if everything has to be copied into writing -- it defeats the point," said Reeves. Hyperion's Birch added that the move towards electronic documentation could benefit consumers financially. "If companies find it cheaper and easier to put out, for example, bank statements in electronic form, then they may well offer incentives to consumers to accept them electronically." Copyright 1998, 1999 NMTV/Silicon.com. All rights reserved. From bdm@fenrir.demon.co.uk Thu, 11 Nov 1999 11:31:39 Date: Thu, 11 Nov 1999 11:31:39 From: Brian Morrison bdm@fenrir.demon.co.uk Subject: New Statesman 8/11/99:"Losing the key" On Thu, 11 Nov 1999 11:16:03 GMT, Ian G Batten wrote: >> And, if I die suddenly, how are my next of kin meant to get at stuff if >> it is not written down? > >It's a shame that the whole concept of key escrow and trusted third >parties has become mired in the nasty world of government funded mass >observation (sorry, ``vital law enforcement interests'': the light is >_terrible_ here). For the case of recovering from ``I forgot'' and >``He's dead'', key escrow is actually the correct technology. > Nothing to prevent us from escrowing our own keys with our own trusted party. 
It's just a case of making sure that the party chosen is really worthy of our trust and is not aware of what they hold to help with legalities. A sealed envelope, together with instructions on the outside saying "Open only in the event of my death or return to me on my demand" and further instructions inside saying "These keys are for [insert purpose here]. In the event of an approach by other than my nominees [insert names here], destroy these media by fire" There has to be a limit to one's paranoia somewhere, it is then a case of trying to ensure that the location of the material and the identity of one's 'keyholder' is not known to anyone else. -- Brian Morrison bdm@fenrir.demon.co.uk do you know how far this has gone? just how damaged have I become? 'Even Deeper' by Nine Inch Nails From richard@turnpike.com Thu, 11 Nov 1999 12:14:21 +0000 Date: Thu, 11 Nov 1999 12:14:21 +0000 From: Richard Clayton richard@turnpike.com Subject: New Statesman 8/11/99:"Losing the key" -----BEGIN PGP SIGNED MESSAGE----- In article <0440.991111@dial.pipex.com>, Andrew Brown writes >On Thursday, November 11, 1999, at 7:23:46 AM, Caspar Bowden wrote: > >CB> http://www.consider.net/forum_new.php3?newTemplate=OpenObject&newTop=1999110 >CB> 80046&newDisplayURN=199911080046 >CB> Internet - Losing the key > >CB> Andrew Brown Monday 8th November 1999 > >CB> Internet- Andrew Brown on the perils of encryption > >[long boring article snipped] > >after I had filed, I did in fact remember the passphrase. I had thought >that I had used something monumentally secure and different; in fact I >simply used a moderately secure string that I use as my password to >several other things. It is a problem, though. I expect to be able to >remember, say, three random password strings that I don't need to write >down. But these, if known, give access to all my digital secrets. 
You can of course write down your passphrase, just as you might write down your PIN for your plastic (whatever the bank might say about the naughtiness of doing this). It might be as well to keep the piece of paper safe - locked filing cabinets and signs saying "beware of the leopard" might be a Good Idea, writing it onto a yellow sticky piece of paper is obviously Bad. Keeping the paper in your wallet might be a half-way house where risk exists but will be limited -- provided that you stay home at nights.

It is, of course, best not to write a passphrase down, but I do think that distinguishing essential and best practice would make it a little easier for people to start using encryption!

If you start PGP signing every email you send then you'll find yourself typing in your passphrase a lot - this will eventually ingrain it into your fingers and you can then find the paper and play with some matches.

Of course, once you enter into an agreement with your bank (or someone) that your PGP signature actually _means_something_, then revisit the advice above and destroy the paper. In the meantime, your risk if the paper is lost is of being impersonated, not of losing your assets. Some common sense about what is being protected will not go amiss.

> Are we
>supposed to have one master password? or to remember fifteen or more?

As to how many passwords you should have - my advice would be just three (though use some common sense when looking at all advice, however well-meaning). Use one piece of text for your passphrase and NEVER use it for anything else. Use another password for stuff you want to be secure from day to day and use a third for anything third party (like a web site) where the owners of that site will be able to see what you have chosen. A theme does no harm so you might use

    "P0stcards have n0 privacy @ all!"
    "P0stcards!"
    and "pqrst"

If you want to get serious then you can buy hardware that will generate strong passwords for you and you use a single passphrase to access the hardware - but I'm drifting towards the paranoid end of the spectrum rather than the sensible end where most of us live :)

>And, if I die suddenly, how are my next of kin meant to get at stuff if
>it is not written down?

There is, as Nicholas Bohm once pointed out, no necessity for you to assist your heirs - and few enough people do. If you did want to be nice then a file in the filing cabinet listing your bank accounts and insurance policies would probably be of far more use than access to your computer files!

However, you could bequeath them the piece of paper mentioned above - or you could use standard technology for splitting keys and deposit them with trusted people - your solicitor, your bank manager, even your kith and kin. The technology will do things like allowing any of to be sufficient to unlock your secrets... look at "split key" in the PGP help for assistance on this.

As Ian has already indicated, it's not key escrow which was ever objectionable, it's Compulsory Key Escrow that made us all hot and bothered !

- -- 
richard writing to inform and not as company policy

fewer than 20 MPs still need adopting: http://www.stand.org.uk/

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.5.2 (C) 1997-1998 Network Associates, Inc. and its affiliated companies.
iQCVAwUBOCqzHalbUjjcq7SFAQGJqQP+NHc/ywykt48buzGRIjRfjaQGiXcsjoj2
MZhVUB17z6yu/7xEMoZ28XpiNnXPchHkVcRieHVzTKXfkXpxwOvvyAxT/L7GnFT6
5I9yKdF9tlv7uVVwsv8gY78Cmk8vBfsywUkutkkWnYWUd08m8VJ89dEXkyMiM1Yf
62rYBUU2jB4=
=Rs6y
-----END PGP SIGNATURE-----

From nbohm@ernest.net Thu, 11 Nov 1999 12:19:00 +0000
Date: Thu, 11 Nov 1999 12:19:00 +0000
From: Nicholas Bohm nbohm@ernest.net
Subject: New Statesman 8/11/99:"Losing the key"

At 10:34 AM 11/11/1999 +0000, Andrew Brown wrote:
>after I had filed, I did in fact remember the passphrase. I had thought
>that I had used something monumentally secure and different; in fact I
>simply used a moderately secure string that I use as my password to
>several other things. It is a problem, though. I expect to be able to
>remember, say, three random password strings that I don't need to write
>down. But these, if known, give access to all my digital secrets. Are we
>supposed to have one master password? or to remember fifteen or more?
>And, if I die suddenly, how are my next of kin meant to get at stuff if
>it is not written down?

As others have suggested, the problem is fairly easily solved by low tech means when the material is on your own PC and you can choose the passphrases.

Where it gets bad is providing passwords and other security information for multiple external service providers. If you use the same passwords and information for all of them, you multiply risks of fraudulent use. If you do something different every time, you have no chance of remembering without writing it all down quite carefully, which provides a different risk exposure.

A possible approach is to use different security information each time, and keep a careful database of it all, but encrypt the database. Then you only have one passphrase to remember. It's all eggs in one decently secure basket.
Regards,

Nicholas Bohm
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From adam.atkinson@etl.ericsson.se Thu, 11 Nov 1999 13:26:46 +0100
Date: Thu, 11 Nov 1999 13:26:46 +0100
From: Adam Atkinson (ETL) adam.atkinson@etl.ericsson.se
Subject: New Statesman 8/11/99:"Losing the key"

> There has to be a limit to one's paranoia somewhere, it is then a case
> of trying to ensure that the location of the material and the identity
> of one's 'keyholder' is not known to anyone else.

And/or distribute the information between a variety of locations / keyholders in such a way that 7 out of 10 (or whatever) are needed. Slow the MIB down.

From pete@sorted.org Thu, 11 Nov 1999 12:38:12 +0000
Date: Thu, 11 Nov 1999 12:38:12 +0000
From: Pete Bentley pete@sorted.org
Subject: New Statesman 8/11/99:"Losing the key"

At Thu, 11 Nov 1999 10:34:12 GMT, Andrew Brown writes:
>It is a problem, though. I expect to be able to
>remember, say, three random password strings that I don't need to write
>down. But these, if known, give access to all my digital secrets. Are we
>supposed to have one master password? or to remember fifteen or more?

I tend to go with the master password approach and keep the rest in an encrypted data file on my PDA (which in turn has an access password). It's never really a problem for passwords you use regularly, but as a contractor I tend to move from employer to employer and am often presented with a swathe of new access passwords each time. This approach doesn't really help with things like PGP though.
Well, you can save your passphrase on the PDA, but I'd much rather save my private keyring there (along with my ssh private keys) instead of having to leave them in home directories on shared Unix boxes (no matter how secure I *think* those boxes are).

There's a definite niche for a product suite that can be hosted on multiple OS's (Unix, Mac, Windows etc) and talk to a 'key repository' on a PDA (for multiple types of PDA) or to a local file as a fallback. Then when a program needs a private key (whether it's PGP, ssh or whatever), it asks the agent, and the agent asks the PDA after performing any necessary interaction with the user.

Obviously this is non-trivial (consider, for example the risks to key privacy if the agent is running on a multi-user OS, or if the agent itself cannot be trusted). But if it could be done, and done properly, it could provide a platform to let people manage all these large keys securely, without having to remember passphrases,...after all, how many people have a passphrase on their ssh private keys? Even in some Very Large Financial Institutions it is common (and documented) practice to have 'null' passphrases on ssh private keys, even when these may provide privileged access to business critical servers...

>And, if I die suddenly, how are my next of kin meant to get at stuff if
>it is not written down?

Leave an instruction with your solicitors? Cumbersome if you change the passwords regularly. Leave them with a next of kin? Definitely an issue though... the only other person who knows the password to my PDA doesn't know the password to my password datafiles. Plus we tend to travel together, often in dodgy third world countries, so have a higher than average chance of *both* dying suddenly.

Pete.
From Ross.Anderson@cl.cam.ac.uk Thu, 11 Nov 1999 12:40:58 +0000
Date: Thu, 11 Nov 1999 12:40:58 +0000
From: Ross Anderson Ross.Anderson@cl.cam.ac.uk
Subject: New Statesman 8/11/99:"Losing the key"

The military of one of the UK's allies has the following approach. Standing orders require every soldier to write down his passphrase on a piece of paper, put it in a brown envelope, seal it, stamp it `secret', and hand it to his superior officer who puts it in the safe.

This has the advantage of not changing the trust relationships very much; the keys are kept in more or less the same place as the paper plaintext is. You don't centralise (and thus aggregate) your risks.

Indeed I asked my informant, mischievously, whether they had ever considered key escrow. He asked me what was the point. Well, I said (pretending to be called Dorothy) what would happen if a soldier were to encrypt some valuable information and try to blackmail you for the key, and when you went to the safe it turned out that he'd written down garbage. He thought I'd gone mad! Soldiers don't behave like that, and even if they ever did they would do it differently (i.e., take away the paper and blackmail you over that)

This approach struck me as being thoroughly sensible and practical,

Ross

From Nigel.Metheringham@VData.co.uk Thu, 11 Nov 1999 13:02:40 +0000
Date: Thu, 11 Nov 1999 13:02:40 +0000
From: Nigel Metheringham Nigel.Metheringham@VData.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

bdm@fenrir.demon.co.uk said:
> Nothing to prevent us from escrowing our own keys with our own trusted
> party. It's just a case of making sure that the party chosen is really
> worthy of our trust and is not aware of what they hold to help with
> legalities.

Additionally there are means of splitting keys so that m of the n pieces are required to make a complete set - so you distribute 3 chunks of key fragments, and need 2 chunks to make a complete keyset.
[if there is any freely available software to do this split function I would love to know of it]

Nigel.

-- 
[ Nigel Metheringham Nigel.Metheringham@VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]

From I.G.Batten@ftel.co.uk Thu, 11 Nov 1999 13:15:47 GMT
Date: Thu, 11 Nov 1999 13:15:47 GMT
From: Ian G Batten I.G.Batten@ftel.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

You write:
>
> bdm@fenrir.demon.co.uk said:
> > Nothing to prevent us from escrowing our own keys with our own trusted
> > party. It's just a case of making sure that the party chosen is really
> > worthy of our trust and is not aware of what they hold to help with
> > legalities.
>
> Additionally there are means of splitting keys so that m of the n
> pieces are required to make a complete set - so you distribute 3 chunks
> of key fragments, and need 2 chunks to make a complete keyset.
>
> [if there is any freely available software to do this split function I
> would love to know of it]

I've written some horrid Perl to do that, taking my algorithm from Schneier. If people promise not to laugh, they can have what I've done.
ian

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: LiK/Gwipei1kOkiHGmdhPOyIrgf1QWvF

iQB1AwUBOCrBfcoy0yij3IvtAQEi/wL+OJT/Ay02cwgrRrAl0eqDCNLS/WJcucTM
URoGtShfYggrndoCH5xxGRIt5SZODaAfXkS+eqquq61dmWXxhcm7OHExwBJgvwTr
UmQvtZeCZcx+LdrBYn7kS8t7AviW09LJ
=YeaG
-----END PGP MESSAGE-----

From owen.blacker@pres.co.uk Thu, 11 Nov 1999 13:15:55 -0000
Date: Thu, 11 Nov 1999 13:15:55 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

It's still quite inconvenient, though. I think part of the problem we face in promoting the mass use of new technologies such as crypto is that they are not yet even slightly transparent to the user (the new version of Turnpike notwithstanding). Once the software is so easy to use such that I can explain it to my mum (always a good yardstick for if technology is too complex :o) *then* we have passed the biggest hurdle yet to mass use of crypto, IMHO.

Owen x

-----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive www.pres.co.uk
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b
DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a
-----
DISCLAIMER: These views are mine own and do not represent those of any other organisation I may seem to represent including, but not limited to, pres.co, Primecom or any of their clients.
-----

-----Original Message-----
From: Nicholas Bohm [mailto:nbohm@ernest.net]
Sent: Thursday, November 11, 1999 12:19 PM
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: New Statesman 8/11/99:"Losing the key"

[deletia]

A possible approach is to use different security information each time, and keep a careful database of it all, but encrypt the database. Then you only have one passphrase to remember. It's all eggs in one decently secure basket.

[deletia]

From i.hosein@lse.ac.uk Thu, 11 Nov 1999 13:42:38 +0000
Date: Thu, 11 Nov 1999 13:42:38 +0000
From: Gus Hosein i.hosein@lse.ac.uk
Subject: New Statesman 8/11/99:"Losing the key"

At 12:19 PM 11/11/99 , Nicholas Bohm wrote:
>A possible approach is to use different security information each time, and
>keep a careful database of it all, but encrypt the database. Then you only
>have one passphrase to remember. It's all eggs in one decently secure basket.

Bruce Schneier has developed such a database, called Password Safe, which uses Blowfish to encrypt the database. See http://www.counterpane.com/passsafe.html

Unfortunately, we come to the second obstacle within crypto policy: you can't download it because of US export controls. :)

gus.
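An added worked example of the m-of-n key splitting discussed above (Nigel Metheringham's question, Adam Atkinson's "7 out of 10", Ian Batten's Perl taken from Schneier): Shamir's threshold scheme in Python, written generically over the field it works in. This is not code from any list member, from SFS or from PGP's split-key feature. It assumes shares are taken at x = 1..n with the secret as the constant term; the (3,5) values mod 13 are those of the worked example in Peter Gutmann's writeup later in this thread; the prime 2^521 - 1 is a known Mersenne prime chosen only because it exceeds any 512-bit secret; and the GF(2^8) modulus x^8 + x^4 + x^3 + x + 1 is an assumption of this example (the thread does not say which polynomial SFS uses).

```python
"""Shamir (m, n) threshold secret sharing over a finite field.
Added example for this thread, not code posted by any list member (not Ian
Batten's Perl, SFS or PGP's split-key feature). Shares are f(1)..f(n); the
secret is the constant term f(0) of a random polynomial of degree m-1.
"""
import secrets
from itertools import combinations


class PrimeField:
    """Integers mod a prime p; division is multiplication by the inverse."""
    def __init__(self, p): self.order = p
    def add(self, a, b): return (a + b) % self.order
    def sub(self, a, b): return (a - b) % self.order
    def mul(self, a, b): return (a * b) % self.order
    def inv(self, a):
        if a % self.order == 0:
            raise ZeroDivisionError("0 has no inverse")
        return pow(a, -1, self.order)  # modular inverse, Python 3.8+


class GF2n:
    """GF(2^n): n-bit ints as polynomials over GF(2). '+' is XOR; '*' is
    shift-and-XOR reduced mod the irreducible `poly` (0b1011 = x^3 + x + 1)."""
    def __init__(self, poly):
        self.poly, self.n = poly, poly.bit_length() - 1
        self.order = 1 << self.n
    def add(self, a, b): return a ^ b
    sub = add  # each element is its own additive inverse
    def reduce(self, a):
        # XOR in shifted copies of the modulus until the degree is below n.
        while a.bit_length() > self.n:
            a ^= self.poly << (a.bit_length() - 1 - self.n)
        return a
    def mul(self, a, b):
        r = 0
        while b:
            r, a, b = r ^ (a if b & 1 else 0), a << 1, b >> 1
        return self.reduce(r)
    def inv(self, a):  # a^(2^n - 2) == a^-1 for a != 0
        if a == 0:
            raise ZeroDivisionError("0 has no inverse")
        r, base, e = 1, a, self.order - 2
        while e:
            r, base, e = (self.mul(r, base) if e & 1 else r), self.mul(base, base), e >> 1
        return r


def shares_from_poly(F, coeffs, n):
    """Shares (x, f(x)) for x = 1..n, f(x) = coeffs[0] + coeffs[1] x + ... (Horner)."""
    if n >= F.order:
        raise ValueError("x = 1..n must be distinct non-zero field elements")
    def f(x):
        acc = 0
        for c in reversed(coeffs):
            acc = F.add(F.mul(acc, x), c)
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]


def split(F, secret, m, n):
    """n shares of `secret`, any m of which recover it; the m-1 random coefficients are discarded."""
    if not (0 <= secret < F.order and 1 <= m <= n):
        raise ValueError("need 0 <= secret < |F| and 1 <= m <= n")
    coeffs = [secret] + [secrets.randbelow(F.order) for _ in range(m - 1)]
    return shares_from_poly(F, coeffs, n)


def recover(F, shares):
    """Lagrange interpolation at x = 0; with fewer than m shares the result carries no information."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate x coordinate")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j,  (xj, _) in enumerate(shares):
            if i != j:
                num = F.mul(num, F.sub(0, xj))   # (0 - x_j)
                den = F.mul(den, F.sub(xi, xj))  # (x_i - x_j)
        secret = F.add(secret, F.mul(yi, F.mul(num, F.inv(den))))
    return secret


def demo_3_of_5_mod_13():
    """f(x) = 4x^2 + 6x + 5 (mod 13); recover the secret from shares 1, 3, 5."""
    F = PrimeField(13)
    shares = shares_from_poly(F, [5, 6, 4], 5)
    return shares, recover(F, [shares[0], shares[2], shares[4]])


def every_subset_recovers(F, secret, m, n):
    """Split `secret` m-of-n and check that each m-share subset recovers it."""
    shares = split(F, secret, m, n)
    return all(recover(F, list(c)) == secret for c in combinations(shares, m))


# Fields for real use; a whole key is split over GF(2^8) one byte at a time.
P521 = PrimeField(2**521 - 1)  # known Mersenne prime, exceeds any 512-bit secret
GF256 = GF2n(0b1_0001_1011)    # x^8+x^4+x^3+x+1: an assumption, SFS's modulus is not given here
```

Two details that prose descriptions of the scheme tend to gloss over: division has to be field division (multiplication by an inverse, `pow(a, -1, p)` in Python 3.8 or later), and over a prime field the sign of the Lagrange factors matters, which is why `recover()` forms `(0 - x_j)` explicitly rather than `x_j`. When handing out real shares, record m, the field and the x coordinate alongside each y value, and split a key larger than one field element (a 16-byte key over GF(2^8), say) byte by byte with an independent random polynomial for each byte.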
From adam.atkinson@etl.ericsson.se Thu, 11 Nov 1999 14:53:29 +0100
Date: Thu, 11 Nov 1999 14:53:29 +0100
From: Adam Atkinson (ETL) adam.atkinson@etl.ericsson.se
Subject: New Statesman 8/11/99:"Losing the key"

> I think part of the
> problem we face
> in promoting the mass use of new technologies such as crypto
> is that they
> are not yet even slightly transparent to the user (the new version of
> Turnpike notwithstanding).

Is the PGP plugin in Eudora so hard?

From owen.blacker@pres.co.uk Thu, 11 Nov 1999 14:05:47 -0000
Date: Thu, 11 Nov 1999 14:05:47 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Windows versions of PGP (and the command line versions, AFAIAA) have built-in functionality to split DSS/DH (and RSA?) keys like this. As for other keys, I'm not sure...

O x

- -----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive www.pres.co.uk
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b
DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a
- -----
DISCLAIMER: These views are mine own and do not represent those of any other organisation I may seem to represent including, but not limited to, pres.co, Primecom or any of their clients.
- -----

- -----Original Message-----
From: Nigel Metheringham [mailto:Nigel.Metheringham@VData.co.uk]
Sent: Thursday, November 11, 1999 1:03 PM
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: New Statesman 8/11/99:"Losing the key"

[deletia]

Additionally there are means of splitting keys so that m of the n pieces are required to make a complete set - so you distribute 3 chunks of key fragments, and need 2 chunks to make a complete keyset.

[if there is any freely available software to do this split function I would love to know of it]

Nigel.

[deletia]

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOCrOiM024CF+PI6rEQINIACg10KfkoraHZClmwlkPyAxQaKubIwAoKjv
nU/lyU+rDfHHHP60fAgcF49w
=uy46
-----END PGP SIGNATURE-----

From owen.blacker@pres.co.uk Thu, 11 Nov 1999 14:40:05 -0000
Date: Thu, 11 Nov 1999 14:40:05 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

No, the plugins for Outlook, Outlook Express, Eudora and so on aren't that hard, but they're not transparent. They're not as good (from what I've heard) as the Turnpike integration, and they're not the sort of thing I'd want to explain to my Mum! :o)

Just to clarify my thoughts...

O x

-----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive www.pres.co.uk
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b
DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a
-----
DISCLAIMER: These views are mine own and do not represent those of any other organisation I may seem to represent including, but not limited to, pres.co, Primecom or any of their clients.
-----

-----Original Message-----
From: Adam Atkinson (ETL) [mailto:adam.atkinson@etl.ericsson.se]
Sent: Thursday, November 11, 1999 1:53 PM
To: 'ukcrypto@maillist.ox.ac.uk'
Subject: RE: New Statesman 8/11/99:"Losing the key"

> I think part of the
> problem we face
> in promoting the mass use of new technologies such as crypto
> is that they
> are not yet even slightly transparent to the user (the new version of
> Turnpike notwithstanding).

Is the PGP plugin in Eudora so hard?

-----------------------------------------------------------------------
This message has been checked for all known viruses by UUNET in conjunction with the StarLab Virus Control Centre.

From bdm@fenrir.demon.co.uk Thu, 11 Nov 1999 15:01:41
Date: Thu, 11 Nov 1999 15:01:41
From: Brian Morrison bdm@fenrir.demon.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

On Thu, 11 Nov 1999 14:05:47 -0000, Owen Blacker wrote:

>The Windows versions of PGP (and the command line versions, AFAIAA)
>have in built functionality to split DSS/DH (and RSA?) keys like this.
> As for other keys, I'm not sure...

Interesting, is this true for v 5.0i? I must look at the help output.....

-- 
Brian Morrison bdm@fenrir.demon.co.uk

do you know how far this has gone? just how damaged have I become?
'Even Deeper' by Nine Inch Nails

From pgut001@cs.auckland.ac.nz Fri, 12 Nov 1999 04:09:44 (NZDT)
Date: Fri, 12 Nov 1999 04:09:44 (NZDT)
From: Peter Gutmann pgut001@cs.auckland.ac.nz
Subject: New Statesman 8/11/99:"Losing the key"

"Brian Morrison" writes:

>Nothing to prevent us from escrowing our own keys with our own trusted party.
>It's just a case of making sure that the party chosen is really worthy of
>our trust and is not aware of what they hold to help with legalities.
The way to do this is to use a threshold scheme to split your secret(s) and farm them out to people all over the place, along with instructions covering the conditions under which they can release them ("If you see a death notice in the paper, send your share to my solicitor"). You can extend this to make it effectively impossible for a hostile third party to recover a key by choosing shareholders in different countries and giving each one multiple shares to pass on to people they know (so even you don't know all the share holders, and can't be forced to reveal them). I did this during the PGP investigation under the assumption that tracking down unknown third parties in Germany, South Africa, Poland, Russia, ... and persuading them to hand over their shares would be too difficult to make it worthwhile.

The downside of this is that it's so complex to manage that it's never going to fly with the average user. I've had code for this in my disk encryption program for ages but have never added it to my crypto library because I can't think of any easy way to make it accessible to users. This is the major failing of threshold schemes, they're a technically perfect solution to the problem but don't work in practice because they both require technically competent users (or non-technical ones capable of following complex instructions) and users who are willing to put in some effort to manage them. Given that most users can't be bothered doing something as simple as running a backup every now and then, I can't see people getting enthusiastic over managing keys through threshold schemes.

I'll post a writeup on threshold schemes which I did ages ago in the next message, it's probably somewhat off-topic so just delete the next message if you're not interested in it.

Nicholas Bohm writes:

>As others have suggested, the problem is fairly easily solved by low tech
>means when the material is on your own PC and you can choose the passphrases.
>
>Where it gets bad is providing passwords and other security information for
>multiple external service providers. If you use the same passwords and
>information for all of them, you multiply risks of fraudulent use. If you
>do something different every time, you have no chance of remembering
>without writing it all down quite carefully, which provides a different
>risk exposure.

You can use programs like Counterpane's Password Safe to manage your passwords (available via http://www.counterpane.com/passsafe.html, or places like replay.com for those outside the US), there are others available as well from shareware archives but I'd trust the Counterpane one a lot more.

Peter.

From pgut001@cs.auckland.ac.nz Fri, 12 Nov 1999 04:12:11 (NZDT)
Date: Fri, 12 Nov 1999 04:12:11 (NZDT)
From: Peter Gutmann pgut001@cs.auckland.ac.nz
Subject: [Long] Safeguarding Cryptographic Keys

[Disclaimer: This was meant as an introductory tutorial and I haven't looked at it for years since I wrote it. It may contain errors]

Safeguarding Cryptographic Keys

A threshold scheme divides a message (in this case the key to be protected) into `n' pieces, or shares, so that any `m' of these shares can be used to reconstruct the key, but `m-1' or less cannot reconstruct it. This is called an (m,n) threshold scheme.

A simple all-or-nothing scheme would break a key into `n' parts such that the key could be recovered by taking the exclusive-or of these parts. However this method allows no margin of error, since even a single missing share will destroy the ability to recreate the key. This method allows for a limited form of key safeguarding, but is not a true threshold scheme.

SFS uses a true threshold scheme, namely the one presented in "How to Share a Secret" by Adi Shamir, Communications of the ACM, Vol.22, No.11 (November 1979), p.612.
This involves choosing a prime `p' which is larger than the number of shares required, and an arbitrary polynomial of degree `m-1', where `m' is the number of shares necessary to reconstruct the secret. To distribute the secret data, we generate a polynomial:

    ax^(m-1) + bx^(m-2) ... + cx + M (mod p)

where `a' ... `c' are random secret coefficients which are discarded once the data has been distributed, `p' is a prime number larger than any of the coefficients, and `M' is the secret to be distributed. For example if we wanted to create a (3,n) threshold scheme in which three shares out of the total number would be necessary to reconstruct the secret data, we would generate the quadratic polynomial:

    ax^2 + bx + M (mod p)

The shares themselves are obtained by evaluating the polynomial at `n' different points, where `n' is the total number of shares distributed. In this case for our polynomial f() we evaluate it at x = 1, x = 2, ... x = n, and distribute the resulting f( 1 ), f( 2 ), ... f( n ) values as the share data.

Since the polynomial has `m' unknown coefficients a, b, ... c and M, any `m' shares can be used to create `m' equations, after which linear algebra can be used to solve for M. `m-1' shares can't recreate the secret. More than `m' shares are redundant.

For example, suppose we wish to create a (3,5) threshold scheme in which any 3 of a total of 5 shares are sufficient to reconstruct the secret M. Assuming M = 5 and taking two random coefficients a = 4 and b = 6 and a prime p = 13, we have:

    f(x) = 4x^2 + 6x + 5 (mod 13)

Evaluating this at x = 1...5 gives:

    f(1) = 4 + 6 + 5 (mod 13) = 2
    f(2) = 16 + 12 + 5 (mod 13) = 7
    f(3) = 36 + 18 + 5 (mod 13) = 7
    f(4) = 64 + 24 + 5 (mod 13) = 2
    f(5) = 100 + 30 + 5 (mod 13) = 5

To reconstruct `M' from three of these shares (for example share 1, 3, and 5), we need to solve the set of linear equations:

    2 = a.1^2 + b.1 + M (mod 13)
    7 = a.3^2 + b.3 + M (mod 13)
    5 = a.5^2 + b.5 + M (mod 13).
We can do this using Lagrange interpolation to recover the values a = 4, b = 6, and M = 13, giving us the original secret.

A single share therefore consists of an X coordinate 1, 2, ... n, and however many Y coordinates f( 1 ), f( 2 ), ... f( n ) are needed. The total set of shares is a set of X coordinates X[] and a corresponding number of Y coordinates Y[]. To reconstruct the secret, we first calculate the coefficients C[]:

    for( i = 0; i < m; i++ )
        {
        C[ i ] = 1;
        for( j = 0; j < m; j++ )
            if( i != j )
                /* '/' is division in the finite field, i.e. multiplication
                   by the inverse of ( X[ i ] - X[ j ] ).  In GF( 2^n ), where
                   SFS works, X[ i ] - X[ j ] == X[ j ] - X[ i ]; over a prime
                   field the divisor has to be X[ j ] - X[ i ] */
                C[ i ] *= X[ j ] / ( X[ i ] - X[ j ] );
        }

Once we have the coefficients, we can reconstruct the secret from the rest of the share, namely the Y coordinates:

    secret = 0;
    for( i = 0; i < m; i++ )
        secret += C[ i ] * Y[ i ];

To make the secret-sharing task easier, we use a finite field for all our work. An exact explanation of the theory involved is beyond the scope of this document, anyone interested in more background details should refer to the references in the "Recommended Reading" section below, however the following brief overview should provide a general idea of what's involved.

In number theory, we have a thing called a group, comprised of a collection of numbers and an operation, usually written as addition or multiplication. The properties of a group are:

  Closure : For each a and b in the group, a + b is also in the group

  Identity: There is an identity element, often written 0, such that for each a in the group: a + 0 = 0 + a = a

  Inverse : For each a in the group, there is an inverse -a so that: a + -a = 0
            This allows us to define another property, subtraction, which is the opposite of addition.

  Associative law: For all a, b and c in the group: ( a + b ) + c = a + ( b + c )

Commutative or Abelian groups have an additional property:

  Commutative law: For each a and b in the Abelian group: a + b = b + a

An example of a group is the integers, or the integers modulo 10 with normal addition: 5 + 5 = 0 => -5 = 5, and so on.
A group is called cyclic when all the elements of the group can be generated from one element of the group in the form a, a + a, a + a + a, .... For example, the additive group mod N is cyclic because it is generated by the integer 1.

The next step up from a group is a ring (actually a commutative ring with identity, but we'll just call it a ring), which has addition and multiplication. A ring has the same properties as a group (except that they now extend to multiplication as well as addition), and adds the distributive law:

  Closure : For each a and b in the ring, a + b and a * b are also in the ring

  Identity: There is an additive identity element, often written 0, such that for each a in the ring: a + 0 = 0 + a = a
            There is a multiplicative identity element, often written 1, such that for each a in the ring: a * 1 = 1 * a = a

  Inverse : For each a in the ring, there is an inverse -a so that: a + -a = 0
            This allows us to define another property, subtraction, which is the opposite of addition. This also gives us the concept of negative numbers, for example if there are three people in a room and five people leave it, then two more people have to enter the room for it to become empty. However, only for some elements a in the ring are there inverses a' such that a * a' = 1.

  Associative law: For all a, b and c in the ring: ( a + b ) + c = a + ( b + c ) and ( a * b ) * c = a * ( b * c )

  Distributive law: For all a, b, and c in the ring: a * ( b + c ) = ( a * b ) + ( a * c )

An example of a ring is, again, the integers, or the integers modulo 10. In a ring, the operation of division is usually (but not always) meaningless because the usual problems with dividing by zero must be extended to cover all other divisors as well since it is possible for a * b to be 0 when neither a nor b are 0.
The next step after a ring is a field, which adds multiplicative inverses:

  Inverse: For every a in the field other than 0 (the additive inverse), there is a multiplicative inverse a', such that: a * a' = a' * a = 1

Now we can perform division as well, as a * b can be zero only if a or b are 0. The integers are not a field, although the rationals are, as are the integers modulo any prime number. Modulo 10, 5 does not have a multiplicative inverse - if you multiply it by anything it's either 5 or 0. Modulo 9 (another non-prime), 3 does not have a multiplicative inverse. But modulo 11, everything has a multiplicative inverse.

Just as all elements of a cyclic group can be generated by the addition of one element of the group (a, a+a, a+a+a, ...), all elements of a finite field (a field with a finite number of elements, also called a Galois field) except 0 can be generated by the multiplication of one element of the group (a, a*a, a*a*a, ...). This repeated multiplication is usually represented in an exponential notation, so that a * a = a^2, a * a * a = a^3, and so on. Note that while a^n is an element of the field (by closure), n doesn't have to be an element.

Computations in a finite field relate to ordinary computations in the following manner:

    Inputs to                       Corresponding elements in a
    ordinary computations     ->    finite field (eg mod 256 field)
             |                               |
             V                               V
    Algorithm with ordinary         Algorithm with finite field
    operators +, -, *, /            operators +, -, *, /
             |                               |
             V                               V
    Answer in ordinary        ->    Answer corresponding to answer
    number system                   in ordinary system

For example computing 17^2 - 15^2 in both systems we get:

    17^2 - 15^2 = 289 - 225 = 64
    17^2 - 15^2 = ( 17^2 mod 256 ) - ( 15^2 mod 256 ) = ( 33 - 225 ) mod 256 = 64

The answer is correct, even though the intermediate values are incorrect in terms of the ordinary number system.
While it may seem strange that the sum of two odd numbers in a finite field is sometimes odd and sometimes even, the results are perfectly consistent, and it is consistency rather than sense which counts in mathematics.

Given a ring, we can use it to define primes. A ring, modulo a prime, produces a field. We can now try to create rings of "nice" sizes. 2 is prime, there are no other primes which are a power of 2, and it is easy to work with using computer arithmetic. Unfortunately a field of size 2 isn't big enough to be very useful. This is where Galois fields come in.

Given a ring, we can define polynomials such as 3x^2 + 2x + 1 over that ring. We can multiply and add polynomials, we have an additive identity, additive inverses, a multiplicative identity, and so on. Let's take as our basic field the integers modulo 2, ie 0 and 1:

    0 + 0 = 1 + 1 = 0
    0 + 1 = 1 + 0 = 1
    0 * 0 = 0 * 1 = 1 * 0 = 0
    1 * 1 = 1

We can now form polynomials over the integers modulo 2, in which each power of x (for example x^8) is either present (with a coefficient of 1) or absent (with a coefficient of 0). These can be expressed as bit strings, so that 10001000000100001 is the polynomial x^16 + x^12 + x^5 + 1. This polynomial can be factored as 1111000000011111 * 11, or ( x^15 + x^14 + x^13 + x^12 + x^4 + x^3 + x^2 + x + 1 ) * ( x + 1 ). Both of these factors are prime - they cannot be expressed as the product of smaller polynomials.

Adding polynomials involves adding corresponding coefficients, modulo 2. This is also known as the XOR operation. Since each polynomial is its own additive inverse, subtracting is the same as adding. Multiplication is the usual shift-and-add operation, except that it's now shift-and-XOR since the addition is performed modulo 2.

Given primes we can form the polynomials modulo a prime. Let's take 1011 or x^3 + x + 1, a polynomial which happens to be prime.
We can take any given polynomial (say 11111 or x^4 + x^3 + x^2 + x + 1), and subtract multiples of 1011 until it has degree less than 3. First, subtract x times 1011, ie 10 times 1011, or 10110:

    11111 - 10110 = 1001

Then subtract 1 times 1011:

    1001 - 1011 = 0010

Thus x^4 + x^3 + x^2 + x + 1 modulo x^3 + x + 1 is x. The possible remainders in this process are all the polynomials with degree less than the modulus. So if the modulus is of degree n (with the highest coefficient x^n), then there are 2^n possible remainders, corresponding to all possible combinations of x^0, x^1, ..., x^(n-1). These are written as all possible n-bit strings.

The secret sharing scheme used in SFS uses these ideas and works in GF( 2^n ), in which addition, subtraction, multiplication, and division are all well defined as explained above. Galois fields are very convenient to work with since they keep the numbers involved to a finite size, and there are no rounding errors in division.

In general a polynomial p(z) of degree n over a finite field looks like:

    p(z) = a[0] + a[1] z + a[2] z^2 + ... + a[n] z^n      (the sum of a[k] z^k for k = 0, ..., n; n >= 0)

where the coefficients a[k] are elements of a finite field. A polynomial d(z) is said to divide another polynomial p(z) if there exists another polynomial q(z) such that:

    p(z) = q(z)d(z)

A polynomial whose only divisors are of degree 0 or degree n is called an irreducible polynomial. For example the polynomial z^2 + 1 is reducible over the field of complex numbers, irreducible over the field of rational numbers, and reducible over the finite field GF( 2 ) because 1 + 1 = 0 in GF( 2 ) so that z^2 + 1 = ( z + 1 )^2. Possible factorizations therefore depend on the field chosen in a somewhat haphazard manner. SFS performs all arithmetic modulo an irreducible polynomial of degree n.
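To make the polynomial arithmetic concrete, here is an added Python example; it is not part of the SFS documentation or of SFS itself. It reproduces the long division 11111 mod 1011 = 10 and the factorisation of x^16 + x^12 + x^5 + 1 worked above, builds GF( 2^n ) arithmetic modulo any irreducible polynomial given as a bit string (the GF( 2^8 ) generator polynomial x^8 + x^4 + x^3 + x^2 + 1 from the field parameter table that follows is used here), checks that x, x^2, x^3, ... run through all 2^n - 1 non-zero elements (the figure in the "Max. no of shares" column), and then uses the field for a (k, n) threshold split of a single byte. Two assumptions are mine, not the page's: that the threshold scheme is Shamir's polynomial interpolation with the secret as the constant term, and all function and class names, which are hypothetical.

```python
import secrets

def poly_mul(a, b):
    """Multiply two polynomials over GF(2), given as bit strings packed into
    ints: shift-and-XOR, because coefficient addition is mod 2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]: repeatedly subtract (XOR) a shifted
    copy of m until deg a < deg m, exactly the long division worked above."""
    dm = m.bit_length() - 1
    while a.bit_length() > dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

class GF2n:
    """GF(2^n) with elements 0 .. 2^n - 1 (n-bit strings), arithmetic modulo an
    irreducible polynomial of degree n (hypothetical helper, assumption)."""
    def __init__(self, modulus):
        self.modulus = modulus
        self.n = modulus.bit_length() - 1
        self.size = 1 << self.n
    def add(self, a, b):
        return a ^ b                        # subtraction is the same operation
    def mul(self, a, b):
        return poly_mod(poly_mul(a, b), self.modulus)
    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r
    def inv(self, a):
        if a == 0:
            raise ZeroDivisionError("0 has no multiplicative inverse")
        return self.pow(a, self.size - 2)   # a^(2^n - 1) = 1, so a^(2^n - 2) = 1/a
    def div(self, a, b):
        return self.mul(a, self.inv(b))
    def order_of_x(self):
        """How many distinct non-zero elements x, x^2, x^3, ... generate; this
        is 2^n - 1 (every non-zero element) when the modulus is primitive."""
        seen, e = set(), 1
        while e not in seen:
            seen.add(e)
            e = self.mul(e, 0b10)           # multiply by x
        return len(seen)

def make_shares(field, secret, k, n):
    """(k, n) threshold split of one field element (Shamir-style, assumption):
    a random polynomial of degree k - 1 with constant term `secret`, evaluated
    at the points 1 .. n. Point 0 is the secret itself, so at most 2^n - 1
    shares exist, matching the table's maximum number of shares."""
    if not 1 <= k <= n <= field.size - 1:
        raise ValueError("need 1 <= k <= n <= 2^n - 1")
    coeffs = [secret] + [secrets.randbelow(field.size) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner's rule in the field
            y = field.add(field.mul(y, x), c)
        shares.append((x, y))
    return shares

def recover_secret(field, shares):
    """Lagrange interpolation at x = 0 from any k distinct shares. Because
    -a = a in GF(2^n), (0 - xj) is just xj and (xi - xj) is xi XOR xj."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = field.mul(num, xj)
                den = field.mul(den, field.add(xi, xj))
        total = field.add(total, field.mul(yi, field.div(num, den)))
    return total

if __name__ == "__main__":
    print(bin(poly_mod(0b11111, 0b1011)))                  # 0b10: the reduction above
    print(bin(poly_mul(0b1111000000011111, 0b11)))         # x^16 + x^12 + x^5 + 1
    gf256 = GF2n(0b100011101)                               # x^8 + x^4 + x^3 + x^2 + 1
    print(gf256.order_of_x())                               # 255 non-zero elements
    shares = make_shares(gf256, 0xA7, k=3, n=5)
    print(recover_secret(gf256, shares[:3]) == 0xA7)        # any 3 of the 5 suffice
```

Because the implementation is restricted to GF( 2^8 ), a longer secret is handled one byte at a time: each byte gets its own random polynomial, and share number i of the whole secret is the sequence of the i-th evaluations. Any k - 1 shares give no information about a byte, since the constant term is a free choice once k - 1 points are fixed.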
The characteristics of the Galois fields used are as follows:

     n   Max. no. of shares   Generator polynomial
     4           15           x^4 + x + 1
     5           31           x^5 + x^2 + 1
     6           63           x^6 + x + 1
     7          127           x^7 + x + 1
     8          255           x^8 + x^4 + x^3 + x^2 + 1
     9          511           x^9 + x^4 + 1
    10         1023           x^10 + x^3 + 1
    11         2047           x^11 + x^2 + 1
    12         4095           x^12 + x^6 + x^4 + x + 1
    13         8191           x^13 + x^4 + x^3 + x + 1
    14        16383           x^14 + x^5 + x^3 + x + 1
    15        32767           x^15 + x + 1
    16        65535           x^16 + x^5 + x^3 + x^2 + 1

Although SFS could use any of GF( 2^4 ) ... GF( 2^16 ), the current implementation is restricted to GF( 2^8 ) to allow data to be processed in byte-sized quantities.

The use of a threshold scheme can be extended to allow shareholders to be replaced or added at a later point using the techniques given in David Chaum's paper "How to Keep a Secret Alive", presented during Crypto'84 and appearing in volume 196 of the Lecture Notes in Computer Science published by Springer-Verlag (ISBN 3-540-15658-5 and 0-387-15658-5). The replacement of a shareholder requires that a shareholder break his share into subshares and distribute the subshares to the other shareholders, allowing them to recreate his share if it is lost or destroyed. The creation of a new shareholder requires the generation of additional shares which are again broken into subshares and distributed to shareholders. In either case a quorum of shareholders can use their subshares to vote on whether a shareholder should be replaced, or a new shareholder created.

The shares can also be periodically renewed during the lifetime of the secret so that not only does an attacker have to acquire enough shares to recreate the secret, but they also have to do it within a given time limit. In addition if it is known that some shares have been disclosed, the shares can be renewed immediately, making any disclosed shares worthless to an attacker.
The procedure for doing this is given in Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung's paper "Proactive Secret Sharing, or How to Cope with Perpetual Leakage", presented during Crypto'95 and appearing in volume 963 of the Lecture Notes in Computer Science published by Springer-Verlag (ISBN 3-540-60221-6).

    We dance around a ring and suppose
    But the Secret sits in the middle and knows
        -- Robert Frost, "The Secret Sits"

From nbohm@ernest.net Thu, 11 Nov 1999 15:13:37 +0000
Date: Thu, 11 Nov 1999 15:13:37 +0000
From: Nicholas Bohm nbohm@ernest.net
Subject: New Statesman 8/11/99:"Losing the key"

At 02:53 PM 11/11/1999 +0100, Adam Atkinson (ETL) wrote:
>> I think part of the problem we face in promoting the mass use of new technologies such as crypto is that they are not yet even slightly transparent to the user (the new version of Turnpike notwithstanding).
>
>Is the PGP plugin in Eudora so hard?

No, but not very convenient: it can't find a key if the user changes email addresses without amending their key; and (unless I have misunderstood its workings) it doesn't leave the sender with the plaintext in the outbox.

Regards,

Nicholas Bohm
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

From mjsion@earthlink.net Thu, 11 Nov 1999 10:02:01 +0000
Date: Thu, 11 Nov 1999 10:02:01 +0000
From: Max mjsion@earthlink.net
Subject: ... all lions ...

"Encryption and many cryptography technologies are very important for any future electronic commerce applications and implementations.
It is the recommendation to decline the acceptance of any Wassenaar Agreement (http://www.wassenaar.org) terms on encryption controls and to support the strongest cryptography in all commercial Internet communications globally. The role of the Internet is already critical in most international enterprises and corporations. However, due to the open infrastructure and individuals' principal lack of security knowledge and consciousness, quite often critical business messages are sent without any encryption protection, which makes corporations extremely vulnerable. It is common public knowledge that some specific intelligence agencies are using the Internet and other intelligence collection methods to acquire and collect specific technology and business intelligence for specific commercial and business enterprises. Some of the most popular encryption applications have backdoors and their development projects have been supported and influenced by certain specific intelligence-interest groups. In the future's electronic commerce environment these encryption methods and technologies shall become even more important for any corporation anywhere around the world and it is highly recommended to avoid using any of the most popular and/or free encryption applications for any business and commercial purposes."

------

The story of M started even before his handshake (1994) with the President of Finland and the current Presidency of the European Union .... so who is M after all?

------

The story of a small boy .... sealed envelopes ....

About twenty years ago, there was a small boy (9-11 years old or so), who had his penpals around the world - the Soviet Union, the United Kingdom, Australia, Germany and many other European nations. He wrote his letters on paper and then mailed these letters in sealed envelopes and he received letters from his international friends in sealed envelopes. He did not use postcards.
In today's world, there are many executives in governments, businesses and other organizations, who email their secrets on postcards. How has the world changed? Or was this young child just smarter than many of today's executives?

------

... it was very fascinating to be in the Diplomat's Club in Moscow, the Soviet Union in 1987 .... been there ... seen that ... and heard many things.

------

After an encryption expert from another continent made some negative statements regarding the U.S. government's business intelligence activities, M made his lightly positive remark directly to the list. Immediately, after sending his positive message, he received many congratulatory messages from certain individuals supporting his point of view. This was in the summer of 1995 - already more than four years ago. Since then some strange events started occurring. There are more facts than anybody would want to guess. It is very interesting indeed. M has discovered the truth on his own and by himself. So it is no surprise that this list consists of many supporters of the U.S. government's business espionage network. And M is just an ordinary man with the capability to make accurate judgments.

So who is M?

Some stated facts ...

* The CIA is operating a wide and deep intelligence network in international businesses in all regions. The objective of this network is to steal economic, business and technological information and data for the benefit of certain U.S. corporations. 031599

* The CIA's former and current agents are promoting their services to certain U.S. companies in order to collect specific business intelligence for these companies (their "clients"). There have been meetings, where some self-acknowledged CIA agents have performed this promoting. 031599

-----

From jharper@bsi2000.com Thu, 11 Nov 1999 09:06:26 -0700
Date: Thu, 11 Nov 1999 09:06:26 -0700
From: Jack Harper jharper@bsi2000.com
Subject: Secure Random Number Generation...
I feel quite comfortable with the idea of generating secure random numbers with hardware by watching a radioactive decay process -- the thing is governed, of course, by quantum physics which appears completely, as best known, random.

But, I am not so sure about watching the 'random' variations of voltage in a reverse biased diode -- which is certainly more practical in use.

My limited understanding is that such a diode generates practically white noise -- pass it through an A/D converter to measure the voltage and, apparently, the voltage -vs- time is some sort of a Gaussian distribution. Run that through a secure hash function and it seems to me that you should be able to generate secure random bits.

Question for people stronger in physics than myself: Can you think of any physical reason why a reverse biased diode might not be cryptographically secure? Are there biases that I am unaware of floating about with such a scheme?

Regards to the List

Jack Harper
Evergreen, Colorado USA

---------------------------------------------------------------------------
Jack Harper                                 BSI2000, Inc.
303-231-9095                                Lakewood, Colorado USA
"Optical Cards... A Spectrum of Solutions"
Optical Cards for Bank, EBT, and Medical Applications
Visit our Web Page: http://www.bsi2000.com (Last Update: 990101)
---------------------------------------------------------------------------

From weinmann@rbg.informatik.tu-darmstadt.de 11 Nov 1999 12:08:28 +0100
Date: 11 Nov 1999 12:08:28 +0100
From: weinmann@rbg.informatik.tu-darmstadt.de weinmann@rbg.informatik.tu-darmstadt.de
Subject: LaTeX package for drawing protocol diagrams

Writing up some lecture notes lately I had to draw some protocol diagrams for cryptographic protocols. These looking very crude, I wondered whether there is a LaTeX package for doing this or whether I should hack one together myself.

Suggestions, anyone?

-Ralf

------------------------------------------------------------------------------
[PGP key available on request.
key length/id: 2048/09AEEAA1 Key fingerprint = 46 C7 72 07 8A CB 58 DE F6 EB F8 03 0C BF 17 24]

From jya@pipeline.com Thu, 11 Nov 1999 12:21:44 -0500
Date: Thu, 11 Nov 1999 12:21:44 -0500
From: John Young jya@pipeline.com
Subject: Flannery on Cayley-Purser/RSA

Thanks to Jean-Jacques Quisquater and Jean-François Misarsky we offer Sarah Flannery's September 1999 paper on the Cayley-Purser Algorithm and her comparison of it to the security and speed of RSA:

http://cryptome.org/flannery-cp.htm

She concludes that Cayley-Purser is as secure as RSA and some twenty-two times faster. She describes a successful attack on C-P.

We have converted excerpts to HTML. Eighteen images of the 17-page paper by Quisquater, heavily loaded with equations, tables and graphs:

http://cryptome.org/flannery-cp.zip (TIF format; 1.2MB)

From lawya@lucs-01.novell.leeds.ac.uk Thu, 11 Nov 1999 17:46:07 +0000
Date: Thu, 11 Nov 1999 17:46:07 +0000
From: Yaman Akdeniz lawya@lucs-01.novell.leeds.ac.uk
Subject: Robin Cook, the Foreign Secretary denies the existence of ECHELON

It is not surprising to see the denial of the ECHELON by the UK Foreign Secretary in the House of Commons:

Yaman

House of Commons Hansard Written Answers for 1 Nov 1999 (pt 9)

FOREIGN AND COMMONWEALTH AFFAIRS (Echelon System)

Mr. Nigel Jones: To ask the Secretary of State for Foreign and Commonwealth Affairs (1) what assessment he has made of the impact on civil liberties of the Echelon system; [96547] (2) if he will make a statement on the purpose of the Echelon system. [96548]

Mr. Robin Cook: As the hon. Gentleman is aware, it is long-standing practice not to respond to speculation on alleged intelligence operations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr.
Yaman Akdeniz, Director, Cyber-Rights & Cyber-Liberties (UK)
URL: http://www.cyber-rights.org
E-mail: lawya@cyber-rights.org
Read the CR&CL (UK) Reports at: http://www.cyber-rights.org/reports/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From alecm@coyote.uk.sun.com Thu, 11 Nov 1999 17:58:31 +0000
Date: Thu, 11 Nov 1999 17:58:31 +0000
From: Alec Muffett alecm@coyote.uk.sun.com
Subject: LaTeX package for drawing protocol diagrams

>Writing up some lecture notes lately I had to draw some protocol diagrams for cryptographic protocols. These looking very crude I wondered whether there is a latex package for doing this or whether I should hack one together myself.

Use XFig which has very good integration with LaTeX - you can save images in TeX format - and/or can also be used to generate encapsulated postscript which may be used as a floated figure in a LaTeX file.

--
alec muffett, sun professional services, alec.muffett @ uk.sun.com
bananas are not the only fruit

From Christiane.Schulzki@t-online.de Thu, 11 Nov 1999 19:03:44 +0100
Date: Thu, 11 Nov 1999 19:03:44 +0100
From: Chr. Schulzki-Haddouti Christiane.Schulzki@t-online.de
Subject: call for identification of some crypto devices

I am looking for help to identify the following three crypto devices, which were presumably used by NATO and Eastern Countries. You can have a look here: http://members.aol.com/infowelt/kdevice.htm

At the moment I am preparing an article for the German computer magazine c't (www.heise.de/ct/) on hardware crypto in the 20th century. If you know what they were called, who used them, how they were used or at which time they were used, please contact me. I will publish the results at the same URL.

thank you,
Christiane Schulzki-Haddouti

From owen.blacker@pres.co.uk Thu, 11 Nov 1999 18:29:36 -0000
Date: Thu, 11 Nov 1999 18:29:36 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: PGP key splitting (Was Re: New Statesman ...)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The documentation in front of me (for v5.0i for DOS) makes no mention of the ability to do so. I can't find any reference to it in the 6.5 [DOS] Command Line guide either...

The version on my WinNT desktop (6.0.2 with RSA) definitely can, however...

HTH,

O x

- -----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive www.pres.co.uk
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b
DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a
- -----
DISCLAIMER: These views are mine own and do not represent those of any other organisation I may seem to represent including, but not limited to, pres.co, Primecom or any of their clients.
- -----

- -----Original Message-----
From: Brian Morrison [mailto:bdm@fenrir.demon.co.uk]
Sent: Thursday, November 11, 1999 3:02 PM
To: ukcrypto@maillist.ox.ac.uk
Subject: RE: New Statesman 8/11/99:"Losing the key"

On Thu, 11 Nov 1999 14:05:47 -0000, Owen Blacker wrote:

>The Windows versions of PGP (and the command line versions, AFAIAA) have in built functionality to split DSS/DH (and RSA?) keys like this. As for other keys, I'm not sure...

Interesting, is this true for v 5.0i? I must look at the help output.....

- --
Brian Morrison
bdm@fenrir.demon.co.uk

do you know how far this has gone?
just how damaged have I become?
'Even Deeper' by Nine Inch Nails

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOCsMXc024CF+PI6rEQLF/QCfV06TBHFvfufPHdXcDKiRYkrfCA4AoMSq
XcRENHUkBfW8XxF31ery0cRU
=mnAr
-----END PGP SIGNATURE-----

From baggers@baggers.com Thu, 11 Nov 1999 10:26:39 -0800
Date: Thu, 11 Nov 1999 10:26:39 -0800
From: Richard Baguley baggers@baggers.com
Subject: Robin Cook, the Foreign Secretary denies the existence of ECHELON

That's hardly a denial - it's just a standard answer along the lines of "I can neither confirm nor deny the existence of my underpants"...

At 05:46 PM 11/11/99 +0000, you wrote:
>It is not surprising to see the denial of the ECHELON by the UK Foreign Secretary in the House of Commons:
>

From ben@algroup.co.uk Thu, 11 Nov 1999 18:27:49 +0000
Date: Thu, 11 Nov 1999 18:27:49 +0000
From: Ben Laurie ben@algroup.co.uk
Subject: Robin Cook, the Foreign Secretary denies the existence of ECHELON

Yaman Akdeniz wrote:
>
> It is not surprising to see the denial of the ECHELON by the UK Foreign Secretary in the House of Commons:

What denial?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi

From rick_smith@securecomputing.com Thu, 11 Nov 1999 13:32:40 -0600
Date: Thu, 11 Nov 1999 13:32:40 -0600
From: Rick Smith rick_smith@securecomputing.com
Subject: call for identification of some crypto devices

At 07:03 PM 11/11/99 +0100, Chr. Schulzki-Haddouti wrote:
>I am looking for help to identify following three crypto devices, which were presumably used by NATO and Eastern Countries. You can have a look here: http://members.aol.com/infowelt/kdevice.htm
>
>At the moment I am preparing an article for the German computer magazine c't (www.heise.de/ct/) on hardware crypto in the 20th century. ....

Wow, that *is* hardware crypto!
Those devices were practical right up until people started using automatic devices to crack codes (i.e. WW II). Terrific pictures.

First item is a 'code wheel,' though I'd only seen them with 2 or 3 alphabets before that one. The second item looks like a strip cipher. The third looks like some complicated variant of a Jefferson Wheel (pardon my USA & U.Va. bred prejudices).

Rick.
smith@securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/

From klockstone@cix.compulink.co.uk Thu, 11 Nov 1999 19:49 +0000 (GMT)
Date: Thu, 11 Nov 1999 19:49 +0000 (GMT)
From: Keith Lockstone klockstone@cix.compulink.co.uk
Subject: Secure Random Number Generation...
In-Reply-To: <4.1.19991111085913.00b4b530@mail.pcisys.net>

The noise from semiconductor junctions can be very non-Gaussian - it depends on the current, local circuit capacitance and other factors. I have seen zener diodes give out a series of spikes that were well above the expected limits. Over a batch of diodes I have seen noise level variations in excess of 4 to 1.

In practical terms, all analogue circuits are non-linear to some extent - even with negative feedback. Also, as the noise is amplified and can possibly approach the circuit power rails, then the effects of transistor saturation will adversely affect the results.

Overall, my view is that the design and manufacture of this type of noise generator is a non-trivial task and that the resultant output must be processed by a cryptographic hash function to obtain a satisfactory level of security.

Search http://www.dejanews.com in the sci.electronics.design newsgroup using "zener oscillation" and "led matching" as search phrases. (BTW there's a current thread "destroying a hard drive" which is getting quite inventive!)
Keith
http://www.cix.co.uk/~klockstone
------------------------
'Unwise a grave for Arthur' -- The Black Book of Carmarthen

In article <4.1.19991111085913.00b4b530@mail.pcisys.net>, jharper@bsi2000.com (Jack Harper) wrote:

> But, I am not so sure about watching the 'random' variations of voltage in a reverse biased diode -- which is certainly more practical in use.
>
> My limited understanding is that such a diode generates practically white noise -- pass it through an A/D converter to measure the voltage and, apparently, the voltage -vs- time is some sort of a guassian distribution. Run that through a secure hash function and it seems to me that you should be able to generate secure random bits.
>
> Question for people stronger in physics than myself: Can you think of any physical reason why a reverse biased diode might not be cryptographically secure? Are there biases that I am unaware of floating about with such a scheme?
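The exchange above (Jack's proposal of ADC samples fed through a secure hash, Keith's warning about spikes, saturation and batch variation) is the usual argument for two things a hardware RNG needs beyond the diode: a health test that notices when the source degrades, and a conditioning step that does not credit the raw samples with more entropy than they carry. The following Python is an added example from the editor, not code posted by either of them, and the noise it samples is constructed (an offset Gaussian core with occasional spikes, clipped at the rails, which is roughly what the posts describe), not a model of a real part. The entropy estimate is a crude "most common value" figure and the repetition count cutoff follows the form used by NIST SP 800-90B's repetition count test; both are stand-ins for a full 800-90B assessment, and all function names are hypothetical.

```python
import hashlib
import math
import random
from collections import Counter

def simulate_noise_adc(count, seed=1):
    """Constructed stand-in for an 8-bit ADC sampling amplified junction noise
    (assumption, not a model of any real device): a DC offset from mid-scale,
    a Gaussian core, occasional spikes far outside it, and clipping at the
    supply rails, which is where Keith's saturation effects show up."""
    rng = random.Random(seed)
    samples = []
    for _ in range(count):
        v = 150 + rng.gauss(0, 40)           # offset plus the Gaussian core
        if rng.random() < 0.05:              # a spike well above the expected limits
            v += 200
        samples.append(min(255, max(0, int(round(v)))))   # saturation at the rails
    return samples

def most_common_value_entropy(samples):
    """Crude per-sample min-entropy estimate in bits, from the most frequent
    value (the idea behind SP 800-90B's 'most common value' estimator)."""
    top = Counter(samples).most_common(1)[0][1]
    return -math.log2(top / len(samples))

def rct_cutoff(entropy_per_sample, false_alarm_bits=20):
    """Repetition count cutoff C = 1 + ceil(-log2(alpha) / H), alpha = 2^-20,
    the form used by SP 800-90B's repetition count test."""
    return 1 + math.ceil(false_alarm_bits / entropy_per_sample)

def repetition_count_failed(samples, cutoff):
    """Health test: True if some value repeats `cutoff` times in a row, which
    is what a stuck, saturated or dead noise source looks like."""
    run, last = 0, None
    for s in samples:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return True
    return False

def condition(samples, entropy_per_sample, safety=2):
    """Whiten the raw samples with SHA-256: each 32-byte output block is the
    hash of enough raw samples to carry `safety` times the 256 bits of entropy
    the block is credited with. Leftover samples at the end are discarded."""
    need = math.ceil(256 * safety / entropy_per_sample)
    out = bytearray()
    for i in range(0, len(samples) - need + 1, need):
        out += hashlib.sha256(bytes(samples[i:i + need])).digest()
    return bytes(out)

def bit_bias(data):
    """Fraction of one-bits minus 0.5: a monobit check, 0 means unbiased."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data)) - 0.5

if __name__ == "__main__":
    raw = simulate_noise_adc(20000)
    h = most_common_value_entropy(raw)
    print(f"estimated min-entropy per raw sample: {h:.2f} bits (of 8)")
    print(f"raw bit bias {bit_bias(bytes(raw)):+.3f}; "
          f"repetition test failed: {repetition_count_failed(raw, rct_cutoff(h))}")
    whitened = condition(raw, h)
    print(f"{len(whitened)} conditioned bytes, bit bias {bit_bias(whitened):+.3f}")
```

The point of the ordering is that the health test runs on the raw samples, before the hash: once the data has been through SHA-256 it looks perfectly random whether the diode is working or has failed short, so a stuck source can only be caught upstream of the conditioner. The safety factor is there because the entropy estimate is itself uncertain, for exactly the reasons (spikes, non-linearity, batch variation) raised above.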
From ianbashford@email.com Thu, 11 Nov 1999 22:49:03 -0000
Date: Thu, 11 Nov 1999 22:49:03 -0000
From: Ian Bashford ianbashford@email.com
Subject: New Statesman 8/11/99:"Losing the key"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Bruce Schneier has developed such a database, called Password Safe, which uses Blowfish to encrypt the database. See http://www.counterpane.com/passsafe.html
>

Scramdisk is a very small (a few hundred Kbytes) Windows program that allows an encrypted container file to be mounted as a drive from Explorer. I put my PGP keyrings in one, but it would be just as easy to put a plain text file full of passwords in as well.

http://www.scramdisk.clara.net/

Cheers

Ian Bashford

- ----------------------------------------------------------------------------
ian.bashford@email.com
http://keys.pgp.com:11371/pks/lookup?op=get&search=0x56CD4AB8 -DH
http://keys.pgp.com:11371/pks/lookup?op=get&search=0xCF7F63D9 -RSA
- ----------------------------------------------------------------------------
"Worrying is meditation carried out by realists"

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: KeyID: 0x56CD4AB8
Comment: Fingerprint: AC18 9DE6 2669 01C9 35B1 C4D9 94AC 7562 56CD 4AB8

iQA/AwUBOCtH3ZSsdWJWzUq4EQJmKwCg+rjWymU1tEsjwG/9FQSdWwluZcMAoLgg
qHTtzoEpE4LozWTGy+LRaofK
=kV66
-----END PGP SIGNATURE-----

From padgett@gdi.net Thu, 11 Nov 1999 17:44:22 -0500
Date: Thu, 11 Nov 1999 17:44:22 -0500
From: Padgett 0sirius padgett@gdi.net
Subject: New Statesman 8/11/99:"Losing the key"

>Phil Zimmerman, who wrote PGP,

He did ? What about Kelly ?

>is the only programmer ever to have been arrested for his work.

Phil wasn't arrested, was threatened for "illegal export" but the arrest never occurred.

Posting does have some elements of truth - a 32 character alphanumeric/upper & lower case plus punctuation passphrase is needed to match a 128 bit symmetric/1024 bit asymmetric key.
Few are (in fact many attacks today are against passphrases). If you lose/forget the passphrase, you are SOL unless there is an ADK or a copy is in the safety deposit box (if that is not safe enough then the FBI is probably keeping tabs via Van Eck radiation anyway).

Sorry but the rest of it is a bit beyond me - is it that I am an Amurricn ?

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html
mailto:padgett@gdi.net
PGP 6.5 Key on request
From ben@algroup.co.uk Fri, 12 Nov 1999 10:15:50 +0000
Date: Fri, 12 Nov 1999 10:15:50 +0000
From: Ben Laurie ben@algroup.co.uk
Subject: New Statesman 8/11/99:"Losing the key"

Padgett 0sirius wrote:
>
> >Phil Zimmerman, who wrote PGP,
>
> He did ? What about Kelly ?
>
> >is the only programmer ever to have been arrested for his work.
>
> Phil wasn't arrested, was threatened for "illegal export" but the arrest never occurred.

OTOH, Mitnick was arrested for his "work".

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi

From alloneword@dial.pipex.com Fri, 12 Nov 1999 12:54:50 +0000
Date: Fri, 12 Nov 1999 12:54:50 +0000
From: Andrew Brown alloneword@dial.pipex.com
Subject: Re[2]: New Statesman 8/11/99:"Losing the key"

On Thursday, November 11, 1999, at 10:44:22 PM, Padgett 0sirius wrote:

>>Phil Zimmerman, who wrote PGP,

P0> He did ? What about Kelly ?

>>is the only programmer ever to have been arrested for his work.

P0> Phil wasn't arrested, was threatened for "illegal export" but the arrest
P0> never occurred.

Whoops.

P0> Posting does have some elements of truth

Glad to hear it.
P0> Sorry but the rest of it is
P0> a bit beyond me - is it that I am an Amurricn ?

--
Andrew
mailto:alloneword@dial.pipex.com

From Ross.Anderson@cl.cam.ac.uk Fri, 12 Nov 1999 17:30:38 +0000
Date: Fri, 12 Nov 1999 17:30:38 +0000
From: Ross Anderson Ross.Anderson@cl.cam.ac.uk
Subject: Government `consultation' on smartcards

I have just learned that CCTA started a `public consultation' on smartcards. Their document proposes that

  Government regards the deployment of multi-function smart cards as a key enabler to the development of electronic commerce and recognises that government applications can act as a key driver towards 'critical mass'.

No-one told us, and the web site which was supposed to have the consultation document (http://www.iagchampions.gov.uk/) is of course broken. I have taken the liberty of posting the text on my own site at

http://www.cl.cam.ac.uk/ftp/users/rja14/cardnonsense.txt

The deadline for responses is Monday (yes, 15th November) and the address to send them is: cards@ccta.gov.uk

Ross

From alan@kable.co.uk Fri, 12 Nov 1999 18:00:48 -0000
Date: Fri, 12 Nov 1999 18:00:48 -0000
From: Alan Burkitt-Gray alan@kable.co.uk
Subject: Government `consultation' on smartcards

Ross wrote: "I have just learned that CCTA started a `public consultation' on smartcards. ... No-one told us ..."

Sorry, Ross, it was stated in September in the e-commerce report (e.commerce@its.best.uk) which was launched by Tony Blair not a million miles from your office in Cambridge.

Government Computing, October issue, page 4, explicitly highlights one of the targets: December 1999: policy for smart cards.
Alan

-
ALAN BURKITT-GRAY, Editor, Government Computing
The independent magazine about information age public service, for the people who are going to make it happen

Signposts to Government: http://kable.co.uk

Kable Ltd
The Courtyard, 55 Charterhouse Street, London EC1M 6HA, UK
direct tel 020 7608 8403 switchboard 020 7608 0900 fax 020 7608 8420
e-mail alan@kable.co.uk

Where's Kable? Look at
http://www.streetmap.co.uk/streetmap.dll?grid2map?X=531650&Y=181750&arrow=y
From jya@pipeline.com Fri, 12 Nov 1999 21:22:49 -0500
Date: Fri, 12 Nov 1999 21:22:49 -0500
From: John Young jya@pipeline.com
Subject: HTML of Flannery Paper

We've completed an HTML version of Sarah Flannery's paper, except for the Mathematica code; same URL:

  http://cryptome.org/flannery-cp.htm (48KB with image)

William Whyte suggested that the successful attack on Flannery's algorithm carried out by Purser, Flannery and Whyte, a post script to the original January 1999 paper, might be of interest.

Double check our transcription of equations with the original images. Corrections welcomed.

Joe Author prepared a PDF file of Quisquater's original 18 images and cut the total file size by half:

  http://cryptome.org/flannery-cp.pdf (603KB)

From padgett@gdi.net Fri, 12 Nov 1999 22:00:56 -0500
Date: Fri, 12 Nov 1999 22:00:56 -0500
From: Padgett 0sirius padgett@gdi.net
Subject: Government `consultation' on smartcards

For years have been saying that the only thing holding back smart cards is the cost of the readers. This is changing. AmEx is offering the GemPlus reader (with their brand apparently) for 25 USDollars with the first one free with a Blue card (http://www.americanexpress.com/blue http://www.gemplus.com) and Towitoko (http://www.towitoko.com) apparently has reduced the price on their (nicer IMNSHO - no keyboard power cable) ChipDrive to 17 USDollars in bulk.

Am also told VISA is doing something but am not sure what. Suspect we will see a lot of them in the next century.

>I have just learned that CCTA started a `public consultation' on
>smartcards. Their document proposes that

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
Anti-Virus, Cryptographics, & Antique Radio Researcher
http://www.freivald.org/~padgett/index.html mailto:padgett@gdi.net
PGP 6.5 Key on request

From david@swarb.freeuk.com Sat, 13 Nov 1999 09:13:56 +0000
Date: Sat, 13 Nov 1999 09:13:56 +0000
From: David Swarbrick david@swarb.freeuk.com
Subject: Robin Cook, the Foreign Secretary denies the existence of ECHELON

In message <47AAAB5C3A@lucs-01.novell.leeds.ac.uk>, Yaman Akdeniz wrote:
>It is not surprising to see the denial of the ECHELON by the UK
>Foreign Secretary in the House of Commons:
>
>Mr. Nigel Jones: To ask the Secretary of State for Foreign and
>Commonwealth Affairs (1) what assessment he has made of the
>impact on civil liberties of the Echelon system; [96547]
>
>(2) if he will make a statement on the purpose of the Echelon system.
>[96548]
>
>Mr. Robin Cook: As the hon. Gentleman is aware, it is long-standing
>practice not to respond to speculation on alleged intelligence
>operations.

Sorry, Yaman, but a refusal to answer questions can now lead to a proper inference (CJPOA 1994) - which must mean that Robin Cook's no comment is an admission. In any event it is not a denial. I share your distaste at government double-speak, but silence is, comparatively speaking, a virtue.

--
David Swarbrick, Solicitor 01484 722531 - david@swarb.freeuk.com
www.swarb.co.uk - law-index of 10,000+ uk case summaries and uk.legalFQA
The Law Society regulates our investment business. IP / IT Law and Contracts.

From Ross.Anderson@cl.cam.ac.uk Sat, 13 Nov 1999 10:54:26 +0000
Date: Sat, 13 Nov 1999 10:54:26 +0000
From: Ross Anderson Ross.Anderson@cl.cam.ac.uk
Subject: Government `consultation' on smartcards

After I pointed this list to the CCTA's extremely low profile `consultation', Alan Burkitt-Gray leapt in to defend CCTA:

> Sorry, Ross, it was stated in September in the e-commerce report
> (e.commerce@its.best.uk) which was launched by Tony Blair not a
> million miles from your office in Cambridge.
> Government Computing, October issue, page 4, explicitly highlights
> one of the targets: December 1999: policy for smart cards.

Firstly, I don't read `Government Computing'; although you and William have occasionally threatened to put me on the distribution list you've never gotten round to it.

Secondly, a public statement that there will be a policy by December does not obviously imply that a consultation exercise will take place from the 1st to the 15 November, with nobody other than the DTI's favoured insiders being told.

This list exercised itself sufficiently over the similarly short consultation period offered at the last round of the e-commerce bill. Here is an example of an even worse abuse; it could easily be interpreted as a deliberate insult to list members from Nigel and friends.

I hope that list members will, in their responses to government, be suitably outspoken about the procedure followed in this case

Ross

From cb@fipr.org Sat, 13 Nov 1999 14:04:56 -0000
Date: Sat, 13 Nov 1999 14:04:56 -0000
From: Caspar Bowden cb@fipr.org
Subject: Government `consultation' on smartcards

cc: Jeremy Crump, CITU, Chair of Smart Card Working Group

[Full exchange of posts appended at end]

Alan Burkitt-Gray wrote:
> > Sorry, Ross, it was stated in September in the e-commerce report
> > (e.commerce@its.best.uk) ... Government Computing,
> > October issue, page 4, explicitly highlights one of the targets:
> > December 1999: policy for smart cards.

Ross replied:
> Secondly, a public statement that there will be a policy by
> December does not obviously imply that a consultation exercise will
> take place from the 1st to the 15 November, with nobody other than
> the DTI's favoured insiders being told.

I don't want you to feel mugged by FIPR Alan, but I agree with Ross. I don't understand the point. Are you saying that Government Computing knew about this consultation, and reported it? Or GC knew, and didn't publish!
If you didn't know, then surely that argues that this consultation has been done rather quietly? Although the document says that it's a public consultation, no-one we know had heard of it or mentioned it until yesterday (and we do get around a fair amount).

I also find it odd that it's not anywhere on the CCTA Website, although they're s'posedly running it, nor is there a banner or alert on the CITU site (and CITU Chair the group). Can't say whether it shows up in the main Open Gov search engine, because that seems to be broken at the moment.

--
Caspar Bowden http://www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)171 354 2333 Fax: +44(0)171 827 6534

> -----Original Message-----
> From: owner-ukcrypto@maillist.ox.ac.uk
> [mailto:owner-ukcrypto@maillist.ox.ac.uk]On Behalf Of Ross Anderson
> Sent: 13 November 1999 10:54
> To: ukcrypto@maillist.ox.ac.uk
> Subject: Re: Government `consultation' on smartcards
>
> After I pointed this list to the CCTA's extremely low profile
> `consultation', Alan Burkitt-Gray leapt in to defend CCTA:
>
> > Sorry, Ross, it was stated in September in the e-commerce report
> > (e.commerce@its.best.uk) which was launched by Tony Blair not a
> > million miles from your office in Cambridge. Government Computing,
> > October issue, page 4, explicitly highlights one of the targets:
> > December 1999: policy for smart cards.
>
> Firstly, I don't read `Government Computing'; although you and
> William have occasionally threatened to put me on the distribution
> list you've never gotten round to it.
>
> Secondly, a public statement that there will be a policy by
> December does not obviously imply that a consultation exercise will
> take place from the 1st to the 15 November, with nobody other than
> the DTI's favoured insiders being told.
>
> This list exercised itself sufficiently over the similarly short
> consultation period offered at the last round of the e-commerce
> bill.
> Here is an example of an even worse abuse; it could easily be
> interpreted as a deliberate insult to list members from Nigel and
> friends.
>
> I hope that list members will, in their responses to government, be
> suitably outspoken about the procedure followed in this case
>
> Ross

From I.Brown@cs.ucl.ac.uk Sat, 13 Nov 1999 14:42:39 +0000
Date: Sat, 13 Nov 1999 14:42:39 +0000
From: Ian Brown I.Brown@cs.ucl.ac.uk
Subject: Whit Diffie lecture at British Museum

In connection with the current exhibition 'Cracking codes: the Rosetta Stone and decipherment'

THE BRITISH MUSEUM
Department of Egyptian Antiquities

A SPECIAL LECTURE

CRACKING LATER CODES
by DR WHITFIELD DIFFIE of Sun Microsystems USA

THE BRITISH MUSEUM LECTURE THEATRE
Tuesday 23 November 1999, 6.00 pm

FREE ADMISSION

Please apply for tickets enclosing an S.A.E. to Department of Egyptian Antiquities, The British Museum, Great Russell Street, London WC1B 3DG. Tel: 0171.323.8312

From nigelhickson@compuserve.com Sun, 14 Nov 1999 04:11:22 -0500
Date: Sun, 14 Nov 1999 04:11:22 -0500
From: Nigel Hickson nigelhickson@compuserve.com
Subject: Smart Card Consultation

Ross and colleagues

I don't mind taking blame for DTI documents (or the lack of them) but I don't see why I should be blamed for the non-availability of a CCTA document. I only saw it myself on Friday after Caspar had asked DTI to find it for him - which we did.

Nigel

From donald@ramsbottom.co.uk Sun, 14 Nov 1999 11:37:45 +0000
Date: Sun, 14 Nov 1999 11:37:45 +0000
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: Telecoms

Just got back from a 4 day conference on Telecoms law and regulation in Brussels. The most interesting thing being, that after 24 speakers over 4 days the word security was used once in passing and encryption was never mentioned at all.
While I realise the conference did not concern that, the simple fact that the base unit of currency was a "Billion" whatevers, made you think, do they ever consider these matters. This especially as at every break there was a rush for the lobby and on with the phones for some fairly high powered people (from the EU Commission, WTO etc.). Whenever the subject was broached by me in conversation there were blank stares and a suspicion that I was either a Kook or a Spook. I mentioned only weaknesses in A5, Cave etc, but still there was a willingness to believe their own marketing departments hype rather than address the fact they were all using potentially very insecure communications.

Just thought I'd mention this observation.

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Internet Law & Global Cryptology Law Specialists

From cb@fipr.org Sun, 14 Nov 1999 15:29:45 -0000
Date: Sun, 14 Nov 1999 15:29:45 -0000
From: Caspar Bowden cb@fipr.org
Subject: Smart Card Consultation

> -----Original Message-----
> [mailto:owner-ukcrypto@maillist.ox.ac.uk]On Behalf Of Nigel Hickson
> but I dont see why I should be blamed for the non-availability of a CCTA
> document. I only saw it myself on Friday after Caspar had asked DTI to
> find it for him - which we did.

Perfectly true - I would hazard that the reference to DTI in Ross's post was a slip. But the point remains - if the IAG champion Working Groups are going to be doing more ad-hoc 2-week "public" consultations, they need to make greater efforts to contact existing communities of interest.

> -----Original Message-----
> [mailto:owner-ukcrypto@maillist.ox.ac.uk]On Behalf Of Ross Anderson
> Sent: 13 November 1999 10:54
..
> Secondly, a public statement that there will be a policy by
> December does not obviously imply that a consultation exercise will
> take place from the 1st to the 15 November, with nobody other than
> the DTI's favoured insiders being told.
From jya@pipeline.com Sun, 14 Nov 1999 10:51:43 -0500
Date: Sun, 14 Nov 1999 10:51:43 -0500
From: John Young jya@pipeline.com
Subject: Bamford Eyes Echelon

James Bamford, author of "The Puzzle Palace" on the NSA, has an informative essay today in The Washington Post on whether NSA's use of advanced surveillance technology has outrun intelligence oversight legislated in the 1970s:

  http://washingtonpost.com/wp-srv/WPcap/1999-11/14/019r-111499-idx.html

Bamford reports that the head of NSA recently met with GCHQ to reaffirm arrangements for intelligence sharing -- made necessary by burgeoning communications technology. Menwith Hill a jewel in the crown. He doubts that Echelon is as pervasive as alleged but believes it's time for Congress to take a look at the Agency's activities and assure that high-tech surveillance operations are lawful -- which he suspects is not the case, especially with regard to the Internet.

From albert@achtung.com Sun, 14 Nov 1999 09:37:37 -0800
Date: Sun, 14 Nov 1999 09:37:37 -0800
From: Albert Yang albert@achtung.com
Subject: Impossible Differential attacks

It seems that the crew at Bletchley Park used this against the enigma.. From the documentary, they knew that the way the enigma was setup, no plaintext can be the same as its ciphertext. That was what, the early 40's?

My question is, if they knew about it back then, was the secret just kept hush hush for such a long time, or was it just made famous more recently and had always been there?

Albert

From david@swarb.freeuk.com Sun, 14 Nov 1999 16:56:26 +0000
Date: Sun, 14 Nov 1999 16:56:26 +0000
From: David Swarbrick david@swarb.freeuk.com
Subject: New Statesman 8/11/99:"Losing the key"

In message <3.0.5.32.19991111174422.0085a990@gdi.net>, Padgett 0sirius wrote:
>
>>Phil Zimmerman, who wrote PGP,
>
>He did ? What about Kelly ?
>
>>is the only programmer ever to have been arrested for his work.
>
>Phil wasn't arrested, was threatened for "illegal export" but the arrest
>never occurred.
and many other programmers certainly have been arrested for their work. Typically, for example, under the Computer Misuse Act, writers of virus programs.

--
David Swarbrick, Solicitor 01484 722531 - david@swarb.freeuk.com
www.swarb.co.uk - law-index of 10,000+ uk case summaries and uk.legalFQA
The Law Society regulates our investment business. IP / IT Law and Contracts.

From successtalk@home.com Sun, 14 Nov 1999 16:21:25 -0500 (EST)
Date: Sun, 14 Nov 1999 16:21:25 -0500 (EST)
From: successtalk@home.com successtalk@home.com
Subject: Server Refinement and Load Test

Your name has been referred to us as someone involved in self-help, personal development and/or motivational and inspirational music. We are launching a new Success TALK Channel (tm) "Live Audio Stream" and would really appreciate your assistance.

We need to load test both the new website and live audio feed and ask you to connect onto the Feed to help us load test the server. The Channel Feed is live so you'll be listening to real content from some of your favorite authors, speakers and writers. Please log on as often as you can for the next seven days and pass along this e-mail to as many of your friends and associates as you can asking them to do the same.

  http://209.35.112.112/whatsonnowframe.htm

Success TALK Channel is one of the most comprehensive sites on the Internet for self help, personal growth and life skills information and we really want to provide as reliable an audio feed as we can so your assistance here will aid listeners greatly in the future.
To access our live feed you will need the latest Windows Media Player which is available at:

  http://www.microsoft.com/windows/mediaplayer/en/download/Win32IE4x86.asp

Thank you very much for participating in the Server Refinement and Load Test

Allan Hunkin
Success Talk Channel (tm)
Website: http://209.35.112.112
E-mail: stc@netcom.ca

To be removed from our list simply reply with nothing but REMOVELOADTEST in the subject area just 'REMOVELOADTEST' and your request will be handled automatically, otherwise your name will remain active. stc@netcom.ca?subject=REMOVELOADTEST

From owen.blacker@pres.co.uk Mon, 15 Nov 1999 10:36:35 -0000
Date: Mon, 15 Nov 1999 10:36:35 -0000
From: Owen Blacker owen.blacker@pres.co.uk
Subject: Government `consultation' on smartcards

Loath though I am to say it, it does say in the paper (s1.3) that it is intended for the public (a/o private) sector, who I guess are more likely to read /Government Computing/ and thus to have been made aware of the consultation. Even so, a statement of intent ("one of the targets: December 1999: policy for smart cards") does not necessarily imply a consultation exercise.

That said, (a) I don't see why this consultation is intended solely for members of the public sector, (b) I find it wholly unacceptable that *yet again* the Govt is consulting on something over a period of time substantially shorter than that mandated by Cabinet Office guidelines (two weeks?!!!), (c) I find it equally unacceptable that the government chooses not to inform existing interested communities, particularly one with which it has a reasonably good dialog (such as this list). This third point may be explained in part by the choice of restricted consultation, but I feel also that this in itself is a bad call...

Some explanations would be rather intriguing, if you wouldn't mind, Nigel...
:o)

Owen (trying not to be too hostile :o)

-----
Owen Blacker
Senior Internet Developer and Information Security Consultant
pres.co.interactive www.pres.co.uk
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b
DSS: 0xb26b0a3a | 4775 38cb 1f4a 6495 0c81 2264 73c8 0494 b26b 0a3a
-----
DISCLAIMER: These views are mine own and do not represent those of any other organisation I may seem to represent including, but not limited to, pres.co, Primecom or any of their clients.
-----

-----Original Message-----
From: Ross Anderson [mailto:Ross.Anderson@cl.cam.ac.uk]
Sent: Saturday, November 13, 1999 10:54 AM
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Government `consultation' on smartcards

After I pointed this list to the CCTA's extremely low profile `consultation', Alan Burkitt-Gray leapt in to defend CCTA:

> Sorry, Ross, it was stated in September in the e-commerce report
> (e.commerce@its.best.uk) which was launched by Tony Blair not a
> million miles from your office in Cambridge. Government Computing,
> October issue, page 4, explicitly highlights one of the targets:
> December 1999: policy for smart cards.

Firstly, I don't read `Government Computing'; although you and William have occasionally threatened to put me on the distribution list you've never gotten round to it.

Secondly, a public statement that there will be a policy by December does not obviously imply that a consultation exercise will take place from the 1st to the 15 November, with nobody other than the DTI's favoured insiders being told.

This list exercised itself sufficiently over the similarly short consultation period offered at the last round of the e-commerce bill. Here is an example of an even worse abuse; it could easily be interpreted as a deliberate insult to list members from Nigel and friends.
I hope that list members will, in their responses to government, be suitably outspoken about the procedure followed in this case

Ross

____________________________________________________________________________
This message has been checked for all known viruses by the Star Screening System
http://academy.star.co.uk/public/virustats.htm

From donald@ramsbottom.co.uk Mon, 15 Nov 1999 12:39:27 +0000
Date: Mon, 15 Nov 1999 12:39:27 +0000
From: Donald Ramsbottom donald@ramsbottom.co.uk
Subject: LSG article.

Below is the lead article from the current "Law Society Gazette", unfortunately no case references are given. The comments of Lord Justice Kennedy are noteworthy, when read in conjunction with the proposed S:10 notices and their currently proposed wide scope for "trawling" and later sifting. The DTI/HO should also take note of what the learned Judge says about Privacy and the ECHR.

Law Society Gazette 10.11.99

> Criminal law practitioners have welcomed a landmark High Court ruling which imposes new restrictions on the police removing legally privileged documents from premises when executing a search warrant.
>
> The High Court ruled last week that the police practice of removing material for sifting will no longer be lawful in relation to documents that fall outside search warrants or attract privilege.
>
> Criminal law specialists said the ruling would provide much needed protection for the public and for solicitors holding client documents.
>
> The decision, by a specially convened three-judge divisional court, puts an end to something which has been common police practice. Removal by the police of documents outside the scope of the warrant, or protected by legal professional privilege, could lead to actions for damages in trespass even if taken in good faith, the court concluded.
> In his lead judgment, Lord Justice Kennedy said primary legislation would be needed to deal with the shortcomings of the existing search and seizure regime, which could result in officers sifting through thousands of documents and computer discs on site. While a 'common sense approach' might suggest that large numbers of documents should be removed for later sifting, statute did not support that view, he said.
>
> Lord Justice Kennedy also warned that any attempt to extend crime prevention powers which affect an individual's right to privacy could fall foul of the European Convention on Human Rights.
>
> The Convention has been incorporated into UK law under the Human Rights Act 1998, which is scheduled for implementation in October next year.
>
> The importance of the case, both to preserving the right to claim legal professional privilege and in the ability of the police to investigate crimes, led the Law Society and the Attorney General to make submissions to the court. Until primary legislation can be enacted, it is anticipated that the police and lawyers will work together to devise a protocol or understanding to help overcome the practical difficulties presented by the decision.
>
> Malcolm Fowler, chairman of the Law Society's criminal law committee, said the decision was good news for the profession because 'once again it bolsters the principle of legal professional privilege and its place in the justice system'. Andrew Lockley, a partner at Sheffield firm Irwin Mitchell which represented the applicant, welcomed the decision, which he said would lead to a 'less intrusive approach' by the police when search warrants were obtained.
>
> A spokesman for the Association of Chief Police Officers said it was aware of the case and its implications, and would work with the legal profession 'to find a way through' at least until primary legislation was passed.

Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co.
Solicitors
Internet Law & Global Cryptology Law Specialists

From alan@kable.co.uk Mon, 15 Nov 1999 15:03:48 -0000
Date: Mon, 15 Nov 1999 15:03:48 -0000
From: Alan Burkitt-Gray alan@kable.co.uk
Subject: Government `consultation' on smartcards

Ross said: "After I pointed this list to the CCTA's extremely low profile `consultation', Alan Burkitt-Gray leapt in to defend CCTA"

Nope, I wasn't defending the CCTA at all. CCTA (part of the Cabinet Office) is quite able to defend itself. We write about it independently just like we write about other public sector organisations. I was just pointing out that the consultation wasn't a surprise to us on Government Computing. We read the reports, including the small print.

However, Government Computing has previously criticised the Cabinet Office's apparent liking for short consultations. In the November issue (p4) we pointed out that its consultation over web guidelines was published in early October and the deadline for feedback was 22 October. Oftel, by comparison, tends to go for 28-day consultation periods - which at least gives those of us who publish on monthly cycles the opportunity to report the issue and generate comment.

There are a whole list of targets set out in the e-commerce report, all with the name of the lead organisation and any other organisations. Many of them are of clear interest to members of this list. Other targets include:

- 31 March 2000: national public key infrastructure for Govt
- 31 March 2000: identify areas to take advantage of equivalence between digital and written documents
- June 2000: first Invest to Save Budget projects on alternative access to Government electronic delivery mechanisms
- 30 June 2000: "state of e-commerce" report
- 30 June 2000: international benchmarking of Government e-commerce targets
- July 2000: set up internet crime unit

(source: Government Computing, October 1999, page 4)

Finally, I have a feeling I asked you to fill in a reader registration card, Ross, to get a free copy of Government Computing. But no matter, I'll add you to the list anyway.

Alan

-
ALAN BURKITT-GRAY, Editor, Government Computing
The independent magazine about information age public service, for the people who are going to make it happen
Signposts to Government: http://kable.co.uk
Kable Ltd, The Courtyard, 55 Charterhouse Street, London EC1M 6HA, UK
direct tel 020 7608 8403 switchboard 020 7608 0900 fax 020 7608 8420
e-mail alan@kable.co.uk
Where's Kable? Look at http://www.streetmap.co.uk/streetmap.dll?grid2map?X=531650&Y=181750&arrow=y
From Alan.Collier@ccta.gsi.gov.uk Mon, 15 Nov 1999 15:41:53 -0000
Date: Mon, 15 Nov 1999 15:41:53 -0000
From: Collier, Alan Alan.Collier@ccta.gsi.gov.uk
Subject: UK Government Consultation on Smart Cards

> Perfectly true - I would hazard that the reference to DTI in Ross's post was a slip. But the point remains - if the IAG champion Working Groups are going to be doing more ad-hoc 2-week "public" consultations, they need to make greater efforts to contact existing communities of interest.

I would like to apologise to readers of this list who were not aware of the consultation on the draft Smart Card Framework. We endeavoured to notify interested parties by a number of means: through the issue of a press release; by addressing a number of conferences; by e-mail to consumer groups, industry bodies and others; and through publication on the IAG champions' website, where all papers on the Information Age Government initiative are published. Nevertheless we acknowledge that a number of people and organisations with an interest in this field were unaware of our work, and very much regret this. It was not our intention either to 'sneak the paper out' or to prevent meaningful responses.

I am grateful for the detailed and considered responses already received from subscribers to this list and others. We are currently collating and analysing responses in preparation for the next draft. A number of organisations have already notified us that they will be making submissions over the next few days, and we would very much value any further input over the next week, by e-mail to cards@ccta.gov.uk, so that we can take it into account in time for our publishing deadline.
Regards
Alan Collier
E-Business Manager
Central Computer and Telecommunications Agency

From ijackson@chiark.greenend.org.uk Mon, 15 Nov 1999 17:05:44 +0000 (GMT)
Date: Mon, 15 Nov 1999 17:05:44 +0000 (GMT)
From: Ian Jackson ijackson@chiark.greenend.org.uk
Subject: New Statesman 8/11/99:"Losing the key"

(This is somewhat off-topic, but the listadmin requests all replies to go to the list with a `Reply-To'.)

Richard Clayton writes ("Re: New Statesman 8/11/99:"Losing the key""):
> fewer than 20 MPs still need adopting: http://www.stand.org.uk/

Tom Loosemore writes ("PRESS RELEASE: HOW THE NEW E-COMMERCE BILL COULD SEND JACK STRAW TO JAIL"):
...
> >> >> CONTACT DETAILS FOR STAND.ORG.UK
> Stefan Magdalinski / Tom Loosemore
> Tel: 07931 376 142
> Fax: 0171 681 2057
> email: mps@stand.org.uk

Does anyone have an email address for the people who run stand.org.uk which is not @stand.org.uk? The incompetent ISP hosting the domain has f*cked up their DNS.

I'd be happy to help host the DNS for the domain; someone from Stand should contact me if they want, but they should not do so from their stand.org.uk domain because their broken DNS will stop their mail from getting through. In case they can't get through by email, they should contact a knowledgeable person and tell them that my NIC Handle is IJ204 (the street address is wrong, though).

Ian.

From andrew.colleran@quercus.co.uk Mon, 15 Nov 1999 17:34:55 +0000
Date: Mon, 15 Nov 1999 17:34:55 +0000
From: Andrew Colleran andrew.colleran@quercus.co.uk
Subject: UK Government Consultation on Smart Cards

HTTP Error 404 on trying to connect to http://www.iagchampions.gov.uk/

----------------------------

on searching the CCTA site using http://search2.open.gov.uk/cgi-bin/empower?DB=ccta

An error has occurred.
An error occurred in Muscat
Can't open file d/DB (in enquire)

------------------------------------

by their web services do you know them....
Andrew Colleran

"Collier, Alan" wrote:
> > Perfectly true - I would hazard that the reference to DTI in Ross's post was a slip. But the point remains - if the IAG champion Working Groups are going to be doing more ad-hoc 2-week "public" consultations, they need to make greater efforts to contact existing communities of interest.
>
> I would like to apologise to readers of this list who were not aware of the consultation on the draft Smart Card Framework. We endeavoured to notify interested parties by a number of means: through the issue of a press release; by addressing a number of conferences; by e-mail to consumer groups, industry bodies and others; and through publication on the IAG champions' website, where all papers on the Information Age Government initiative are published. Nevertheless we acknowledge that a number of people and organisations with an interest in this field were unaware of our work, and very much regret this. It was not our intention either to 'sneak the paper out' or to prevent meaningful responses.
>
> I am grateful for the detailed and considered responses already received from subscribers to this list and others. We are currently collating and analysing responses in preparation for the next draft. A number of organisations have already notified us that they will be making submissions over the next few days, and we would very much value any further input over the next week, by e-mail to cards@ccta.gov.uk, so that we can take it into account in time for our publishing deadline.
>
> Regards
> Alan Collier
> E-Business Manager
> Central Computer and Telecommunications Agency

--
A message from Andrew Colleran
Quercus Information Ltd
Tel +44 1865 768902 Fax +44 1865 436670
Andrew.Colleran@quercus.co.uk
http://www.quercus.co.uk
Vcard: http://www.quercus.co.uk/amc.vcf

From david@swarb.freeuk.com Mon, 15 Nov 1999 20:03:54 +0000
Date: Mon, 15 Nov 1999 20:03:54 +0000
From: David Swarbrick david@swarb.freeuk.com
Subject: LSG article.
In message <1.5.4.32.19991115123927.006ecd9c@192.168.0.65>, Donald Ramsbottom wrote:
>
> Below is the lead article from the current "Law Society Gazette", unfortunately no case references are given. The comments of Lord Justice Kennedy are noteworthy, when read in conjunction with the proposed S:10 notices and their currently proposed wide scope for "trawling" and later sifting. The DTI/HO should also take note of what the learned Judge says about Privacy and the EHCR.
>
> Law Society Gazette 10.11.99
>
> > Criminal law practitioners have welcomed a landmark High Court ruling which imposes new restrictions on the police removing legally privileged documents from premises when executing a search warrant.
> > The High Court ruled last week that the police practice of removing material for sifting will no longer be lawful in relation to documents that fall outside search warrants or attract privilege.

From the law-index:

Criminal Practice
Title: R v Chesterfield Justices et al, ex p Bramley
Court: QBD
Series: Times
RepDt: 10-Nov-99
Ratio: When officers executed a search warrant, it was not proper to remove articles at large, in order to later sift through them, and then to return material not covered by the warrant. There is no absolute prohibition against removing articles for which legal professional privilege was claimed, provided the officer had reasonable grounds for believing that the material was not so protected. Material removed, but not covered by the warrant, must be returned immediately.
Act: Police and Criminal Evidence Act 1984 8(1)

--
David Swarbrick, Solicitor
01484 722531 - david@swarb.freeuk.com
www.swarb.co.uk - law-index of 10,100+ uk case summaries and uk.legal FAQ
The Law Society regulates our investment business.
IP / IT Law and Contracts.
From davidh@spidacom.co.uk Tue, 16 Nov 1999 08:18:59 -0000
Date: Tue, 16 Nov 1999 08:18:59 -0000
From: David Hansen davidh@spidacom.co.uk
Subject: UK Government Consultation on Smart Cards

On 15 Nov 99, at 15:41, Collier, Alan wrote:
> It was not our intention either to 'sneak the paper out' or to prevent meaningful responses.

"Apologies" after the event are a favourite trick of those who wish to manipulate so-called consultations by only advising those they wish to get responses from. "It was a cock up, not a conspiracy." I for one don't believe there are as many cockups as people claim. They are a useful defence mechanism.

The whole of government involvement in encryption and related matters has been a cynical exercise in manipulation by vested interests.

David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E

From Q.G.Campbell@newcastle.ac.uk Tue, 16 Nov 1999 08:32:30 +0000 (GMT)
Date: Tue, 16 Nov 1999 08:32:30 +0000 (GMT)
From: Quentin Campbell Q.G.Campbell@newcastle.ac.uk
Subject: The Law and reverse engineering encrypted systems

If it is now illegal in the UK to reverse engineer an encryption system devised to protect copyright and if (as Bruce Schneier claims) it is "illegal [in the UK] to engage in scientific research about the encryption used in these systems" [CRYPTO-GRAM, 15 November 1999] could I be arrested for "going equipped" because I have a debugger and other tools on a computer system that has a DVD player incorporated in it?

If the E-Commerce Bill can send me to gaol for two years for something I _do not_ have, I would expect some penalty for manifestly having the means to reverse engineer DVD player software.

Quentin
--
PHONE: +44 191 222 8209   Computing Service, University of Newcastle
FAX:   +44 191 222 8765   Newcastle upon Tyne, United Kingdom, NE1 7RU.
-------------------------------------------------------------------------
"Any opinions expressed above are mine.
The University can get its own."

From alan@kable.co.uk Tue, 16 Nov 1999 10:11:42 -0000
Date: Tue, 16 Nov 1999 10:11:42 -0000
From: Alan Burkitt-Gray alan@kable.co.uk
Subject: Re: Government 'consultation' on smartcards

Caspar wrote: "I don't want you to feel mugged by FIPR Alan, but I agree with Ross. I don't understand the point. Are you saying that Government Computing knew about this consultation, and reported it? ... Or GC knew, and didn't publish !"

We knew, and published, on page 4 of the October issue, that there was a specific commitment in the e.commerce report (http://www.cabinet-office.gov.uk/innovation/1999/ecommerce/index.htm) to consult on a smart card policy and publish that policy by December. We as a magazine have probably been remiss that we didn't follow up in the November issue and ask how that consultation was being carried out.

Perhaps there ought to be some guidelines (after an appropriate period of consultation of course) on how Govt departments consult on policy developments. In the old, pre-information age, world then the usual laborious process of green paper > white paper > bill > parliamentary debates > act was fairly OK. But there are so many information age type initiatives, coming so thick and fast, that it appears to be a temptation to consult and decide before people have responded or even seen that there is a consultation going on.

I suggest - as I said in a posting earlier this afternoon - that the Oftel site www.oftel.gov.uk is a model that is worth studying by all govt organisations (Oftel won a Campaign for Freedom of Information award a couple of years ago for its web-based consultations). Oftel consultation documents are posted in full; there's usually a 28-day period for comments; responses by other organisations are almost always posted in full at http://www.oftel.gov.uk/response.htm (the default is that they are); Oftel then publishes its decision, revised version of the policy or whatever. It seems extremely open.

The smartcard consultation is probably not on the CCTA website because the consultation is for the Cabinet Office and CCTA is a supplier not a policymaker. The Cabinet Office does have some consultation documents on its website at http://www.cabinet-office.gov.uk/index/guidcons.htm - but not the smartcard consultation, even under "previous consultation documents" http://www.cabinet-office.gov.uk/index/other/prev.htm

Alan

-
ALAN BURKITT-GRAY, Editor, Government Computing
The independent magazine about information age public service, for the people who are going to make it happen
Signposts to Government: http://www.kable.co.uk
Kable Ltd
The Courtyard, 55 Charterhouse Street, London EC1M 6HA, UK
direct tel 020 7608 8403 switchboard 020 7608 0900 fax 020 7608 8420
e-mail alan@kable.co.uk
Where's Kable? Look at http://www.streetmap.co.uk/streetmap.dll?grid2map?X=531650&Y=181750&arrow=y