the party is getting rough Chipper (see note 2 and 3) from RISKS

[Dave Farber <farber () central cis upenn edu>]

------ Forwarded Message

Date: Wed, 19 May 93 10:17:16 PDT
From: jim () RSA COM (Jim Bidzos)
Subject: Re: Clipper (Denning, RISKS-14.63)

Dorothy Denning wrote in RISKS-14.63, with respect to the key management
advantage of RSA over DSS, that the Capstone chip makes the key management
advantage "disappear."

I believe that trust is a very significant part of the advantage RSA enjoys
over DSS/Capstone, whether for signatures or key management.  The scrutiny RSA
has withstood in the 17 years since its discovery contributes to that trust.
The only way to make that advantage "disappear" is to publish everything about
Capstone, including the algorithm that the keys you manage are used with, and
wait a few years and a few hundred papers before proposing it as a standard.
(Since DES has withstood similar scrutiny, RSA and triple-DES have an
advantage to users both in and out of the US that is likely never to disappear
as it appears the government will never publish Clipper/Capstone details.)

------------------------------

Date: Wed, 19 May 1993 16:32:46 -0400 (EDT)
From: esr () snark thyrsus com (Eric S. Raymond)
Subject: Re: Clipper (Denning, RISKS-14.60; Rotenberg, RISKS-14.62)

In <CMM.0.90.1.737688970.risks () chiron csl sri com> Marc Rotenberg wrote:
> Denning has to be kidding.  The comments on the proposed DSS were uniformly
> critical.  Both Marty Hellman and Ron Rivest questioned the desirability of
> the proposed standard.

Mr. Rotenberg, as a public figure operating in the political arena, has to
exercise a certain diplomatic restraint in responding to Ms. Denning's claims.
I am, thankfully, under no such requirement.

As a long-time RISKS reader and contributor, I observe that that this is not
the first time that Ms. Denning has apparently operated as a mouthpiece for
the NSA's anti-privacy party line on DES and related issues.

I believe Ms. Denning's remarks must be understood as part of a continuing
propaganda campaign to marginalize and demonize advocates of electronic
privacy rights.  Other facets of this campaign have attempted to link privacy
advocates to terrorists and drug dealers by suggesting that only criminals
need fear wiretapping.

These are serious charges.  I make them because, in the wake of the Clipper
proposal, I do not believe civil libertarians can afford any longer to assume
that their opponents are persons of good will with whom they can simply debate
minor differences of institutional means in a collegial way.

It's time for someone to say, in public and on this list, what I know many
of us have been thinking.  The future is *now*.  Electronic privacy issues
are no longer a parlor game for futurologists; they are the focus of a
critical political struggle, *and the opponents of privacy are fighting their
war with all the tools of force, deception, and propaganda they can command*.

The histories of the DES, the FBI wiretap proposal, and now the Clipper
proposal must be considered against a wider background of abuses including
the Steve Jackson case, "Operation Longarm", and the routine tapping of U.S.
domestic telecommunications by NSA interception stations located outside the 
geographic borders of the United States.

These form a continuing pattern of attempts by agencies of the U.S. government
to pre-empt efforts to extend First and Fourth Amendment privacy protections
to the new electronic media.  In each case, the attempt was made to present
civil libertarians with a fait accompli, invoking "national security" (or the
nastiness of "kiddie porn") to justify legislative, judicial and practical
precedents prejudicial against electronic privacy rights.

While I would not go so far as to claim that these efforts are masterminded by
a unitary conspiracy, I believe that the interlocking groups of spies,
bureaucrats and lawmen who have originated them recognize each other as
cooperating fellow-travelers in much the same way as opposing groups like the
EFF, CPSR and the Cypherpunks do.  Their implicit agenda is to make the new
electronic communications media transparent to government surveillance and
(eventually) pliant to government control.

One of the traits of this culture of control is the belief that manipulative
lying and dissemblage can be justified for a `higher good'.  

I believe that Ms. Denning's disingenuous claim that the DSS "is now
considered to be just as strong as RSA" is no mere technical misapprehension.
I believe it is propaganda aimed at making objectors non-persons in the
debate.  I cannot know whether Ms. Denning actually believes this claim, but
it reminds me all too strongly of the classic "Big Lie" technique.

It is important for us to recognize that the propaganda lie is not an
aberration, but a routine tool of the authoritarian mindset.  And the
authoritarian mindset is, ultimately, what we are confronting here --- the
mindset that regards the fighting of elastically-defined `crime' as more
important than privacy, that presumes guilt until innocence is proven, that
demands for government a license to override any individual's natural rights
at political whim.

We cannot trust representatives of an institutional culture that was
*constructed* to deal in information control, lies, secrecy, paranoia and
deception to tell us the truth.

We cannot accept the authoritarians' unverified assurances that the sealed
interior of the Clipper chip contains no `trapdoor' enabling the NSA to
eavesdrop at will.

We cannot trust the authoritarians' assertions that they have no intention of
outlawing cryptographic technologies potentially more secure than the Clipper
chip.

We cannot believe the authoritarians' claims that `independent' key registries
will prevent abuse of decryption keys by government and/or corrupt 
individuals.

We cannot --- we *must not* --- cede control of encryption technology to
the authoritarians.  To do so would betray our children and their descendants,
who will work and *live* in cyberspace to an extent we can barely imagine.

We cannot any longer afford the luxury of treating the authoritarians as 
honest
dealers with whom compromise is morally advisable, or even possible.  Whatever
their own valuation of themselves, the thinly-veiled power grab represented by
the Clipper proposal reveals a desire to institutionalize means which a free
society, wishing to remain free, *cannot tolerate*.  

Big Brother must be stopped *here*.  *Now.*  While it is still possible.

                                Eric S. Raymond <esr () snark thyrsus com>

------------------------------

Date: Wed, 19 May 93 18:37:24 EDT
From: denning () cs cosc georgetown edu (Dorothy Denning)
Subject: Re: Clipper (Raymond, RISKS-14.64)

Eric Raymond has accused me of being part of a propaganda campaign and
a "Big Lie." Among his wild speculations, he wrote:

  I believe that Ms. Denning's disingenuous claim that the DSS "is now
  considered to be just as strong as RSA" is no mere technical 
misapprehension.
  I believe it is propaganda aimed at making objectors non-persons in the
  debate.  I cannot know whether Ms. Denning actually believes this claim, but
  it reminds me all too strongly of the classic "Big Lie" technique.

Frankly, I don't know how to respond his allegations other than by saying that
I am not and have never been on the payroll of NIST, NSA, or the FBI and that
every word I have published has been completely on my own initiative.  While I
frequently speak with people in these agencies (mainly to ask them questions
so that I can be informed) and have considerable respect for them, I am
operating on my own initiative and making my own independent evaluations based
on all the evidence I can find.  I try to avoid pure speculation as much as
possible.

My objective in responding to Sobel in the first place was to point out that,
in my best judgement, the DSS as revised is as secure as RSA.  I did that so
that readers would not be led to believe the contrary.  Let me elaborate more.

The security of the DSS is based on the difficulty of computing the discret
log.  (The Diffie-Hellman key exchange, invented in 1976, is likewise so
based.)  The security of the RSA is based on factoring.  My understanding is
that the computational difficulty of these two problems is about the same for
comparable key lengths, and indeed, the fastest solutions with both come using
the same basic technique, namely the number field sieve.  If I'm wrong here, I
am happy to be corrected by someone who knows more than I do about this.

There are other factors, of course, that must be taken into account.  With
both schemes, you have to make sure you get good primes.  In the case of the
DSS, you want really random ones so that you don't get ones with "trapdoors."
This is readily done and the chances of getting a trapdoor one are minuscule.
For a reference, see Daniel Gordon's paper from Crypto '92.

I still remember the day when George Davida called me up to say that he had
cracked RSA.  It turned out that he had found a way of exploiting the digital
signatures to get access to plaintext (but not keys).  I generalized his
mathematics and published a paper in CACM (April 84).  The solution is to hash
messages before they are signed, which has other advantages anyway.  I also
remember various articles by people pointing other potential vulnerabilities
with RSA if the primes weren't picked right.

There are potential weaknesses in all of these public-key methods, but they
can be resolved.  As near as I can tell, NIST has resolved the potential
problems with the DSS, and I am confident that if new ones are found, they
will resolve them too.

Dorothy Denning

------------------------------

Date: Tue, 18 May 93 22:06:24 -0700
From: UUCP () pyramid pyramid com (Pyramid UUCP Manager)
Subject: Re: Clipper (Raymond, RISKS-14.64)

The histories of the DES, the FBI wiretap proposal, and now the Clipper
proposal must be considered against a wider background of abuses including
the Steve Jackson case, "Operation Longarm", and the routine tapping of U.S.
domestic telecommunications by NSA interception stations located outside the 
geographic borders of the United States.

These form a coherent pattern of attempts by agencies of the U.S. government
to pre-empt efforts to extend First and Fourth Amendment privacy protections
to the new electronic media.  In each case, the attempt was made to present
civil libertarians with a fait accompli, invoking "national security"

------------------------------

Date: Mon, 17 May 93 17:55:43 EDT
From: drand () osf org
Subject: Clipper chip

I've just read one of the longer tirades in risks about the clipper chip and
feel like putting my foot into the whirling blades :)

Have the naysayers totally forgotten the point of making crypto gear available
to individuals?  Right now I cannot lift my portable phone without assuming
I'm talking to several people aside from the person I call.  I treat it as I
would a contact on ham radio.

The crooks can listen to us, the government has always been able to.  Now, for
the first time, there would be some control.  Perhaps it isn't perfect.  This
is irrelevant.  It is so many orders of magnitude more secure than any phone
system today.

Without the chip being ubiquitous, we cannot have this capability in every one
of perhaps a billion phones (guesstimate) in the country.  It would be too
expensive and totally useless.  Both parties must have the same gear.

That the crooks could always create more effective crypto gear is also a red
herring.  Maybe they could.  But the law is being structured so that this
itself would be considered probable cause of a crime.  We'll have to see if
(how much) this is abused.  One hopes that just the unlicensed crypto gear
would not be sufficient to indict honest people.

Doug Rand drand () osf org
------ End of Forwarded Message