
NIST proposes software key escrow development




Peter Wayner <[email protected]> writes of the NIST announcements to
develop software-based key escrow.

I think it would be utmost folly for software developers to work with the NIST
and NSA on this or invest any time or capital. The fundamental 
requirement for NSA approval is the implementation of Skipjack in 
*software* in such a way that the algorithm is *protected* like it is in 
the booby-trapped Clipper chips -- that is, impossible to deduce.

But this appears to be complete *fantasy*. Any such system must rely on
some kind of a hardware approach. But then we're back to where we've
started -- Clipper and Capstone. Only the NSA has enough inbred, insular 
self-delusion to propose that 'secure' software is even a *possibility*.
These companies could better spend their time proving that Fermat's Last
Theorem is FALSE.

(Hey Cypherpunks! I KNOW! what we need is a Secure Clipper Encryption 
Server that handles encryption via Email! Let's get the NSA to run it!
Then it would *really* be secure! <SMIRK>)

Furthermore, anyone who submits to this development is giving the NSA
valuable (free?) development time for the purpose of, fundamentally, 
a KEY ESCROW SYSTEM. Now, perhaps someone can explain to me why a software
system for depriving us of our rights is superior to one in hardware?

Doesn't anyone have the faint glimmer of the idea that NSA, the *premier*
cryptographic agency in the *world*, with unsurpassed technological and
engineering prowess in the area, would have already *figured out* how to do 
this if it was *at all* feasible?

Personally, I think this stinks putridly of an NSA decoy to simply claim or 
suggest that they're responsive to alternative solutions.  This is nothing
but a *cruel mirage* in a *barren desert*.

>At the end, the group owns the intellectual property rights to
>what is discovered. This may be something patentable and it could
>be worth some money. I don't know how likely this is, but it 
>seems possible. In fact, it is probably the reason many of the
>participants are willing to enter into the project. 

Yes, that's *exactly* what we need -- another software patent. But this is
just a meaningless dangling carrot. (They damn well *better* have rights to
whatever they develop under private capital.)

>The role of NIST is both gatekeeper and facilitator. They get 
>everyone together and occasionally push things along. In this
>case, they'll also offer some technical assistance which will
>include feedback from the NSA. Dennis Branstad said that this would
>most likely take the form of Siskel and Ebert-like ratings of the
>systems proposed. The NSA would suggest, "Yes" or "No" but they
>probably wouldn't go into details. This is because the procedure
>would be unclassified and the NSA usually won't relate technical
>details without classifying them. 

Take a LOOK at what you've written, and ask if this project has
ANY CHANCE of succeeding. The NIST is proposing that a lot of companies
put in work into a key escrow system in software, that the NSA has
ultimate overruling veto power with *no explanation* of negative answers.
This all to come up with something that the NSA ultimately must *accept*
under the whole point of the proposal. What's the POINT?! Yes, sign me
up today to do DEVELOPMENT WORK for the NSA on a KEY ESCROW SYSTEM.
Let's put in thousands of man-hours to come up with something as fundamentally
feasible in principle as perpetual motion! All for the sheer joy of the 
thought the NSA *might* pat us on the back! How could this
be anything but the most PRODUCTIVE and REWARDING experience?! A company 
would have to be INSANE to go with this as presented!

>* Is this process intended to fail? Will NIST just keep saying that
>software isn't good enough and that way they'll be able to answer
>the criticism that hardware is too expensive?

You mean the NSA -- and does that answer your question?

>* How selective is the group formation process? Are people really
>out for money? 

I think NIST would be overjoyed to hear that anyone outside of NSA
consultants is interested.

>* There are supposedly several other groups interested in participating.
>Who are they? Is it RSA and PKP? 

RSA, PKP, RSADSI, Bidzos -- that makes at least four, right? The KGB would 
also like a secure software system. Sternlight & Denning would surely sign up.
Just another dangling carrot -- or rather, an apple with a razor blade
inside.

>* Is a software process really that much more insecure than a hardware
>based approach? Sure, it is easier to tamper with software, but given
>that we can always tamper with the software shell around the Clipper
>hardware, it shouldn't be _that_ much different.

Is an ASCII text file really that much more pliable than a silicon 
computer chip?!

I'm trying to be gentle, but you simply don't seem to get it! The NSA
wants a software implementation of Clipper that is TAMPERPROOF and 
INVISIBLE. This is like asking for a way to send locked lead safes through
phone lines! It's based on a fundamentally *bizarre* premise!

We *cannot* tamper with Skipjack in its present forms of use -- Clipper and
Capstone -- they would not exist unless the NSA had the tamperproof technology.

And the first rule of software is that it is 'TAMPERLADEN'!

-------------------------------------------------------------------------
To find out more about the anon service, send mail to [email protected].
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to [email protected].