crypto stuff

  • To: apops at apnic dot net
  • Subject: crypto stuff
  • From: "David R. Conrad" <davidc at apnic dot net>
  • Date: Thu, 20 Feb 1997 15:35:24 +0900
  • Sender:
    • Not sure if this is appropriate for APOPs, but as the list is a
      bit dead... :-)
      P.S. 3.5 hours to crack 40 bit?  48 bits in 13 days?  Not sure using
      internationalized SSL from the US is actually worth the effort...
      ------- Forwarded Message
      Date:    Wed, 19 Feb 1997 23:31:11 -0500
      From:    Vin McLellan <vin at shore dot net>
      To:      firewalls@GreatCircle.COM
      cc:      Steve Gaarder <gaarder at actech dot com>, jk at stallion dot ee
      Subject: Re: ACE/SecurID and the Big Agenda
             After I  posted a little summary of  SDTI's strategy for integrating
      PKI and encryption into the classic SecurID-based I&A features of the
      ACE/Server,  Juri Kaljundi <jk at stallion dot ee> responded with a bitter plaint
      about how US GOV restrictions on the export of strong crypto limit the
      quality of US products he can offer his clients:
      >Until now SecurID was a solution that could be used all over the world,
      >because there are no big restrictions on exporting OTP systems from USA.
      >Now that encryption will be included, there is only one thing to say to
      >people considering using the new products: forget it. It's will be weak,
      >it will be breakable, don't use it. Same applies to using any RSADSI
      >products outside the US.
              We all live under civil law, and the US isn't the only (nor the most
      restrictive) nation trying to control the use and export of strong
      cryptography. (See Bert-Jaap's thought-provoking crypto law survey at:
      <>) That said, neither SDTI
      nor RSA has been meek or passive in the political struggle to make strong
      and safe cryptography widely available in the US and for their international
      customers (the better to allow civilized society to defend itself against
      hoodlums and infowar warriors, in uniform and out!) 
              One of my first contract assignments from SDTI, maybe 7 years ago,
      was to help IT professional groups forge policy statements in response to
      CCEP, the NSA's predecessor to Clipper, etc. RSADSI spites the spooks by its
      success; still generates state of the art public-key, secret-key, and MD
      tech; and fights for access to the int'l market with great flair. Just in
      recent weeks, the RSA Challenge contest effectively demolished the myths
      that supported 40-bit key-length restrictions on exportable crypto (with Ian
      Goldberg's one-man, college-lab, 3.5-hour crack) Now, after Germano
      Coronna's DIC attack model proved itself by cracking a 48-bit key in 13 days
      in another RSA Challenge, the hallowed 56-bit key could be publicly toppled
      by the computational might of a big urban computer club in Bombay,  Boston,
      Shanghai, or Tallinn.
              (This isn't the place for a discussion of crypto controls and nation
      states, but the politics of privacy is not just a commercial interest for
      many of us. 25 years ago I gave a legendary US Constitutionalist, US Sen.
      Sam Ervin, the classified docs he used to dismantle the US Army's huge
      Vietnam and Civil Rights-era Civilian Surveillance Program. Our lessons
      aren't as recent as yours, Juri -- but many remember how easily power and a
      siege mentality currupted the Guardians. And crypto is like literacy in the
      Dark Ages; dangerous stuff, doubtless.  Most American IT pros want to be
      both good citizens and suppliers of honest  technology designed to
      effectively secure your computers, not prime them for intrusions. So Ok --
      be smart and cautious, but don't give up on us Yanks just yet! ) 
              <Beg pardon the digression, Fwallers.>
              Back on ESS, Steve Gaarder <gaarder at actech dot com> asked:
      >Where can I get more info? There does not seem to be any on Securid's
      >web site. 
              Yo, all I know is what I read in the papers;-) My post  was a
      slightly interpretive summary of a strategy doc SDTI recently passed out to
      the media, with little hoopla, then posted on page one of their website.
      Look under, What's new? or somesuch.
              (Today, btw, SDTI dropped another shoe as it announced a development
      partnership with Gemplus, which I believe is the world's largest smart card
      vemdor.  The first generation won't confuse anyone: "By inserting a SecurID
      smart card into a reader and entering a PIN (personal identification
      number), an authorized user will be provided with immediate network access.")
              Steve Gaarder also noted: <snip>
      >What I would love to see is a Securid-type PCMCIA card, with the
      >browser automagically using it to authenticate each https request.
              Note the distinction between the PCMCIA cards you want and the
      Gemplus smartcards.  Smartcard readers,  in volume, are much cheaper than
      PCMCIA ports of the sort commonly found in laptops.  My guess is that  a lot
      of vendors have bet on keyboards with cheap built-in smartcard readers to
      redefine the US market over the next couple of years. (Some believe the
      availability of those inexpensive readers is what will pace the adoption of
      cert-based smartcards in the US.)  
              Distributed ACE/Server networks are already being put through stress
      tests by a number of large SDTI customers, and the ESS strategy will
      doubtless unfold apace -- but (contrary to the belief of some folk who
      called and mailed me) smartcards are surely _not_ going to transform the
      hand-held authenticator market this year!  Savvy vendors unfold transitions
      gradually, with backward compatability to protect their customers'
      investments. I'm sure all the established OTP token providers will do that.  
              As for full Public Key Infrastructures -- hey; SDTI  (like everyone
      else, including those with CAs on the market today)  has a lot of work yet
      to do.
      (Obiter dictum:  I regularly, and with great delight, accept barrels of cash
      from SDTI, among other clients, which has doubtless biased my POV. Needless
      to say, none of my clients are willing to accept any responsibility for what
      are my words, and mine alone.)
      ------- End of Forwarded Message
      To unsubscribe: send "unsubscribe" to apops-request at apnic dot net