Newsgroups: comp.unix.bsd
Path: sserve!manuel!munnari.oz.au!news.hawaii.edu!ames!haven.umd.edu!darwin.sura.net!wupost!sdd.hp.com!caen!hellgate.utah.edu!fcom.cc.utah.edu!gateway.univel.com!gateway.novell.com!terry
From: terry@npd.Novell.COM (Terry Lambert)
Subject: Re: 386bsd security enhancements are needed before using INTERNET!
Message-ID: <1992Jul28.164752.7422@gateway.novell.com>
Sender: news@gateway.novell.com (NetNews)
Nntp-Posting-Host: thisbe.eng.sandy.novell.com
Organization: Novell NPD -- Sandy, UT
References: <1992Jul27.183548.20598@news.iastate.edu> <1992Jul27.191435.14721@gateway.novell.com> <1992Jul27.214249.1065@news.iastate.edu>
Date: Tue, 28 Jul 1992 16:47:52 GMT
Lines: 71

In article <1992Jul27.214249.1065@news.iastate.edu> niko@iastate.edu (Nikolaus E Schuessler) writes:
>
>>
>>It isn't that the algorithms are crackable -- it's that they take what the
>>NSA considers an unreasonable amount of time to crack, and, as such,
>>distribution of a working crypt library represents a perceived threat to
>>the national interest (USA). This is, in point of fact, a real problem,
>>in that you can encrypt sensitive data in the US and send it out on a public
>>channel. By the time it has been decrypted, the damage has already been
>>done, as the distribution of the data is no longer taking place and can not
>>be thwarted.
>>
>
>So the inherent problem you are worried about is that everyone is using
>the same crypt library, right? Because it is far easier to use the one
>given as is than to create a new one? Who generated it? Does anyone
>know? There must be a way to generate a different one, right?
>
>I think I may not be understanding something fully.

I'm sorry, but you aren't understanding the point; since it's [apparently]
counter-intuitive, I'll explain in simple steps:

1)	Crypt is fairly secure.

2)	The NSA wants to be able to monitor all international data
	communications to and from the United States.

3)	The NSA wants to be able to do this in such a way that they can
	tell, in a reasonable period of time, what you are saying to
	foreign nationals, in case it's military secrets.

4)	If you crypt things with a fairly secure algorithm, the NSA finds
	this difficult.

5)	"Difficult" means that finding out what you are saying to these
	foreign nationals would take long enough that, in the NSA's
	opinion, irreparable damage could be done to national security
	hours before they find out what's going on and put a stop to it.

6)	The government, in the person of the NSA, would find this to be
	fairly inconvenient (this is quite understandable, if you follow
	points 3 and 5).

7)	You are not allowed to ship non-crippled crypt libraries out of
	the country, as it would allow you to crypt things with a fairly
	secure algorithm.

The problem is not that your computer wouldn't be secure; the problem is
that data transmissions *would* be secure. The NSA could give a damn if
your computer is secure or not. If your data transmissions are secure, and
they go out-country, then they care (it's their job to).

There are exceptions, and it is possible to get an export license for
crypt libraries. It is much easier to get an export license for a set of
binaries (login, passwd, rshd, rlogind, etc.) than it is to get one for the
library itself. Part of the terms of the license include who you are allowed
to sell it to. Internet access is restricted in a similar fashion, thus it
is likely that a grant of license to distribute binary utilities for 386BSD
would be allowed, if requested. But this would mean that not all of 386BSD
is publicly distributable as source.

The current crypt library uses a known modification of the DES (or "Data
Encryption Standard") algorithm, as adopted by the National Bureau of
Standards. The modification (or "perturbation") of the DES algorithm is to
make it less likely that DES chips without programmable polynomial sets can
be used to crack password files. Those that are programmable are generally
as slow as software anyway, as they can not be mathematically optimised for
the particular polynomial.


					Terry Lambert
					terry_lambert@gateway.novell.com
					terry@icarus.weber.edu
---
Disclaimer: Any opinions in this posting are my own and not those of
my present or previous employers.
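
The last paragraph of the post refers to the change crypt makes to DES. As an added example (not part of the original post, and not 386BSD's code), the sketch below assumes the traditional crypt(3) mechanism, in which each set bit i of the 12-bit salt swaps entries i and i+24 of the DES expansion table E, so a stock DES implementation no longer computes the same function. The function names and the sample value are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* DES expansion table E (FIPS 46): output bit i+1 copies input bit E[i] of R. */
static const int E[48] = {
    32,  1,  2,  3,  4,  5,   4,  5,  6,  7,  8,  9,
     8,  9, 10, 11, 12, 13,  12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,  20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,  28, 29, 30, 31, 32,  1
};

/* Stock DES expansion: 32-bit R (bit 1 = MSB) to 48 bits (bit 1 = MSB). */
uint64_t des_expand(uint32_t r) {
    uint64_t out = 0;
    for (int i = 0; i < 48; i++)
        out |= (uint64_t)((r >> (32 - E[i])) & 1u) << (47 - i);
    return out;
}

/* crypt(3) variant (assumed mechanism): for each set bit i of the 12-bit
 * salt, output positions i and i+24 (0-based) of the expansion trade places. */
uint64_t crypt_expand(uint32_t r, unsigned salt) {
    uint64_t x = des_expand(r);
    for (int i = 0; i < 12; i++) {
        uint64_t hi = 1ULL << (47 - i), lo = 1ULL << (23 - i);
        if (((salt >> i) & 1u) && (!(x & hi) != !(x & lo)))
            x ^= hi | lo;            /* bits differ: swapping flips both */
    }
    return x;
}

/* How many of the 4096 salts make the expansion of r differ from stock DES. */
int salts_that_differ(uint32_t r) {
    int n = 0;
    for (unsigned s = 0; s < 4096; s++)
        n += crypt_expand(r, s) != des_expand(r);
    return n;
}

int main(void) {
    uint32_t r = 0x80000000u;        /* constructed sample half-block */
    printf("stock   E(R) = %012llx\n", (unsigned long long)des_expand(r));
    printf("salt=2  E(R) = %012llx\n", (unsigned long long)crypt_expand(r, 2));
    printf("salts that change E(R): %d of 4096\n", salts_that_differ(r));
    return 0;
}
```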