[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wrap Up: Conference on Law Enforcement and Intelligence



On Sun, 20 Oct 1996, Bill Frantz wrote:

> At  1:03 PM 10/20/96 +0000, James Morris wrote:
> >On Sat, 19 Oct 1996, Black Unicorn wrote:
> >
> >> 4.  Might be a good idea to review implementations of crypto.
> >> 
> >> Both James Woolsey and Stewart Baker made sly remarks about the
> >> reliability of crypto in the public domain. [...]
> >
> >There was also an interesting comment made in session three of the 
> >Joint Australian/OECD Conference on Security, Privacy and Intellectual 
> >Property Protection in theGlobal Information Infrastructure,
> >(Canberra, 7 - 8 February 1996), reportedly by a representative of 
> >the DSD:
> >
> >"... PGP may not survive as a viable option for private security."
> >
> >For the full quote, see:
> > http://www.nla.gov.au/gii/sess3.html
> 
> (1) If I were faced with an opponent who had a crypto system I couldn't
> break, I would attempt to make him think I could break it so he would stop
> using it.  AKA FUD.

Don't think I didn't consider it.  The conference was not attended by the
type on whom FUD would make much difference.  i.e., it was mostly law
enforcement and intelligence.  These were either quite sincere snickerings
among professionals, or EXCEEDINGLY well laid misinformation put into the
wrong circles to be of any effect.

Again, nothing specific, but implementation seemed to be the key.  I would
also note that I don't typically pay such ramblings much mind.  When
Stewart Baker tells someone IDEA and 3DES are indeed strong but
implementation weaknesses can cripple them, and this in the context of a
law enforcement ban, I tend to listen carefully.

I'm not saying panic, I'm saying perhaps another careful review is in
order.

> (2) If I could break his system, I would want him to continue using it.  I
> would have to be very careful about how I used the material so he didn't
> catch on to the break.  There are some wonderful examples of this logic in
> "The Code Breakers".

Then the absolute wrong thing to do would be to suggest something that
might spur on review.  (Such as to draw attention to potential
implementation problems)

When both Stewart Baker and R. James Woolsey make similar comments, one
can't help but think that they were not pre-arranged.

Again, don't panic, just review.

> (3) The devil is in the details.  I still am not convinced that MacPGP has
> enough sources of entropy for its IDEA key generation.  (But I am not
> convinced that it doesn't either.)  I put integrating Jon Callas's entropy
> manager into MacPGP as a high priority.

Couldn't hurt, not one bit.

--
I hate lightning - finger for public key - Vote Monarchist
[email protected]