From nrh@uunet.uu.net Tue Dec 26 09:43:22 1995 Xref: elastic sci.crypt:6215 talk.politics.crypto:2382 Path: elastic!exorcist!lethe!geac!onramp.ca!grumpy.insinc.net!news.sprintlink.net!newsfeed.internetmci.com!in2.uu.net!not-for-mail From: nrh@uunet.uu.net (Nat Howard) Newsgroups: sci.crypt,alt.security.pgp,talk.politics.crypto Subject: Re: Denning vs Sternlight Date: 24 Dec 1995 16:29:13 -0500 Organization: UUNET Technologies Inc, Falls Church VA USA Lines: 167 Message-ID: <4bkgn9$fb4@daimajin.uu.net> References: <49a6qd$sp4@mudraker.mtholyoke.edu> <4bfgrg$efb@daimajin.uu.net> NNTP-Posting-Host: daimajin.uu.net In article , David Sternlight wrote: >In article <4bfgrg$efb@daimajin.uu.net>, nrh@uunet.uu.net (Nat Howard) >wrote a straw-man misrepresentation of my arguments: >> >>DES is also a federal standard, but the government doesn't want it used >>in phones. A friend in the cell-phone business once told me that their >>phones had sufficient compute power & memory to do DES on the fly, but >>that the government had influenced some standards-making body to >>prevent it from being an option. > >No comment on yet another vague and uncheckable assertion. If you had some >specific and checkable details, it might be credible, but this... David, Let's get clear here. Suppose I named my friend, and named the meeting that he or she was talking about. What would it buy us? 1. Do you have any doubt the government has discouraged non-key-escrowed strong crypto in such areas? Would evidence that they had change your mind about anything? If so, let us know, and I'll ask my friend if it's okay to name him or her. Be sure and let us know just exactly what you would concede -- otherwise, why should I bother? (If, on the other hand, this is your way of calling me a liar, or claiming I'm untruthful, please make that explicit). Since you have said that you routinely apologize to those who ask for it, I ask that, if your intent was to suggest that I am lying, you apologize now for that. 2. Do you have any doubt that some modern cell-phones have sufficient extra CPU to run DES-level crypto as well as their current load? If not, what are you complaining about? >>As for scrambler phones not being cheap, that depends on what you mean >>-- as I understand it, the digital cell phones from Sprint Spectrum use >>a kind of weenie algorithm called A5 to prevent eavesdropping. This >>isn't end-to-end of course -- merely phone-to-station. >> >>If the government bought a lot of these, it's news to me -- but they're >>cheap. > >Strong-encryption chips would cause the cost of the phone to be very much >a function of the volume of sales expected. The government won't buy a lot >of crypto phones it doesn't like, and IS buying a lot of Clipper phones. Why bring chips into it? By shifting the ground in this way, you're evading the real issue which is strong crypto in phones, not strong crypto *chips* in phones. Why should the cost of strong encryption phones be much, if any greater than the cost of the A5 phones? If the implementation is software, and the phones already of sufficient power, then the license is what might cost money -- and DES is free. Again, if you seriously want to argue that these phone don't have (or couldn't be cheaply upgraded to have) sufficient extra capacity to do DES, please say that explicitly. I accuse you of sinuosities. Simply arguing that my assertion is uncheckable isn't really to the point if we both agree that the assertion is likely true. If you wish to claim it is false, then please do so, along with how your opinion would change if it *were* true. >>The premise that there's either good cryptography with escrow or bad/no >>cryptography is false. > >That's not the premise. The argument is that Clipper would be cheaper than >other crypto for the rest of us because the government is buying a lot >(thus paying off part of the tooling and up-front costs) and because since >it's a Federal standard, they can be made by many vendors without having >to wrangle with each other to agree on some other interoperable standard. DES is already such a standard. The clipper algorithm could be declassified and made such a standard. Depending, of course, on it's efficiency, software algorithms don't cost much to implement. The cost of the clipper algorithm has already been paid by the taxpayers -- and since you've said in the past that we've denied you access to devices that use the algorithm, I'd think you'd be in favor of its declassification. >> There's also the possibility of good crypto >>without escrow. > >So? So an attempt to argue that by denying you access to clipper (which, of course, we aren't) we are denying you access to good crypto is a false dichotomy. It is bad argumentation, whether deliberate or inadvertant. >>The premise that there's either government standard & escrowed >>cryptography or bad cryptography is likewise false: DES isn't >>bad (for some purposes), and there's no key escrow in it. > >That's not the premise either. The premise is that government crypto >algorithms the government says are secure against rich, smart foreign >competitors are _likely_ more secure than private algorithms about whose >cracking (even by the NSA) we know nothing. If that's your premise, there's a problem: Has the NSA said anything about triple DES or IDEA? If not, why not? I see three scenarios: 1. These algorithms are probably secure, but the NSA doesn't wish to "certify" them, because it would encourage their use. 2. These algorithms are not secure, and therefore the NSA doesn't comment on them in order to spare itself exposure of its methods. Since the whole process is shrouded, I submit that it's only your estimation of government intent that makes 2 more likely than 1. Whatever you may think about other issues, David, it must be clear to you that you are distinctly in the minority (at least here) about the issue of trusting the government. If your premise is based on that trust, then your argument is unlikely to carry with those of us who don't share the premise. >As to DES, we've had special-purpose designs described for a year or so >that would render it vulnerable. It is universally agreed to be "showing >its age". It may once have been fairly secure, but since its release raw >computing power and speed as well as the same per dollar has advanced >dramatically. Why, yes. This is why the government should release and certify the clipper algorithm. >>Triple-DES is kinda on the edge of government-standard, and it seems >>quite adequate... > >Maybe. The same comments apply--we don't know whether the NSA can crack it >or any other rich, smart governments can. That the NSA picked the >algorithm in Clipper rather than going to Triple DES says something, and I >think it's not the paranoid "there's a secret back door in Clipper" >screeching we've heard. What does it say? If you're attempting to suggest that it says triple DES is insecure, you don't (at least here) have enough information, because there's a perfectly obvious alternative explanation: If they'd gone to triple DES, the front door in the clipper algorithm couldn't have been used -- people would simply have made interoperable devices that didn't include the LEAF. Therefore that the NSA chose a different algorithm might merely mean that they wanted the LEAF -- not that there's anything at all wrong with triple-DES. >That they were willing to open up the algorithm in >Clipper to the best and the brightest in the civilian review board, and >that those selfsame reviewers said the algorithm had some advanced >protections against cracking they couldn't discuss in detail (because >they're classified) also inspires confidence that algorithm is more robust >than Triple DES. Not in me. It may mean, for example that they get (say) 78 bits of "real" key vs. (say) 90 bits of "real" key for triple DES, given advanced methods. That is, it may have ways of doing better with the key length it has. Remember -- they're keeping it secret, so you don't get to lead us to any real conclusions about it -- particularly ones that their hand-picked experts might *wish* you to make.