Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
BLACK FRIDAY DEAL: Trust the World's Fastest VPN with Your Internet Security & Freedom--A Lifetime Subscription of PureVPN at $48 with coupon code "BFRIDAY20" ×
Encryption Security

What's Now State of the Art in Encryption Technology? 483

With the events of September 11, 2001 still vividly etched into our conscious minds, it was only a matter of time before the US Government would paint the crosshairs on their next target after Bin Laden: encryption. With Ashcroft's declaration of computers as tools of terrorism, and law-enforcement pushing for enhanced surveillance, it appears that one of the first victims of America's new war may be the privacy of her citizens. Of course, if you are concerned about privacy, you're probably wondering how to improve what protections you have in place, if any. So what are the leading-edge innovations on the encryption front right now, and how easily can such tech be adapted to everyday communications? C :In an interesting display of synchronicity, Timothy posted this article, earlier today, which notes that Steganography use isn't as wide-spread as previously thought.
Deagol asks: "With the Feds pushing for encryption back-doors, and even more domestic surveillance, how can we resist this? I mean in a practical way, but at the same time taking a stand for our rights to privacy and assembly. What's the current state of the art in hard disk encryption? Email encryption? Steganography? There are many tools out there, as well as many link-farms, (I looked at many today), but many pages seem dated, and it's hard to tell who's using what in a useful implementation. So, who is using PGP or GPG? Who is using BestCrypt or Loopback Encryption, Freenet or Steganography? A privacy weenie wants to know what your daily-use setup is!"

One thing about encryption: the easier it is to do, the more people there will be using it. For the non-tech user, encrypting messages on a day-to-day should be no more complex than 3 steps.

JPMH asks:"First journalists and now even relatively clued-up politicians in the UK are talking about making it an offence to use strong encryption in email and web-pages. An obvious counter is that this won't work, because the messages can easily be hidden using Steganography (Slashdot Jan 2, May 8). But that assumes that the steganography itself is good enough not to be detected. Is this true? How good is the state of the art?

To be undetectable, the properties of the 'message' bits you are putting in must be statistically indistinguishable from the 'image' bits you are overwriting. According to a paper by Neils Provos and Peter Honeyman of U. Michigan (highlighted today in the Register) the simplest common programs, such as JSteg and JPHide, fail this test badly and are easily detected. But they failed to nail any confirmed steganographic content in 2 million images on EBay.

Other programs (eg Provos's Outguess 0.2) are more sophisticated at hiding the messages (and other media eg MP3s give a bigger haystack to hide them in); but on the other hand, more sophisticated statistical models of images (eg Slashdot 16 Aug) may be better at making the 'hidden' content stand out.

So, can messages reliably be hidden? Or will people trying to hide their messages in a reliable manner get caught?"

This discussion has been archived. No new comments can be posted.

What's Now State of the Art in Encryption Technology?

Comments Filter:
  • by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Wednesday September 26, 2001 @11:11AM (#2352872) Homepage Journal
    I haven't been able to reliably read my own handwriting for years. Given a small government grant, I could develop this even further into a true, secure, incommunication system of one-way cryptos. If I could be bothered to learn Navajo, I'd be set for life.
  • Tools of Terrorism (Score:4, Insightful)

    by Compulawyer ( 318018 ) on Wednesday September 26, 2001 @11:12AM (#2352878)
    Dear Mr. Ashcroft:

    Of course encryption is a "tool of terrorism." It falls squarely into the same category as other tools:

    • Airplanes;
    • Dynamite;
    • Plastic Explosives;
    • Fertilizer chemicals;
    • Telephones and other communication equipment;
    • Knives; and
    • Boxcutters.

    Concentrate on the terrorists and not on their tools. Starting down the road of outlawing inanimate objects that can be used for multiple purposes is the beginning of an ultimately unfulfilling and unsatisfying journey.
    • by melquiades ( 314628 ) on Wednesday September 26, 2001 @11:20AM (#2352930) Homepage
      You've summed it up marvelously. Please, if you haven't already done it, take a moment to call or write Ashcroft; otherwise, your articulate message will make no impact on policy.

      John Ashcroft,Attorney General

      United States Department of Justice
      950 Pennsylvania Avenue, NW
      Washington, DC, 20530-0001
      Phone: (202) 514-2001
      Fax:(202) 307-6777


      Same for all the rest of us.
    • by Karmageddon ( 186836 ) on Wednesday September 26, 2001 @11:35AM (#2353028)
      you're getting all sorts of plaudits for what you wrote, but it's a piece of crap. you clearly support the majority opinion on slashdot, that's why the slashbots modded you up, but I'm not clear on what exactly is your point. Aircraft, plastic explosives, and several of the other "inanimate objects" on your list are currently heavily regulated, precisely because they are believed by legislative majorities to be unsafe if used improperly. What are you saying?
      • Are you saying these things should have no regulation?
      • or are you saying that encryption should be regulated the way these things are?
      • or are you saying that everything is just fine the way it is with a mix of regulated and unregulated.
      I ask because you didn't actually say anything at all as it applies to reality. "Starting down the road of outlawing inanimate objects that can be used for multiple purposes"... is exactly where we've been for hundreds of years, and I kind of like living here so I'm finding it a very satisfying experience. Sure, I don't agree with all regulations, but I can't figure out what you are proposing...
      • What I am stating is this: Anything can be a weapon. Outlaw encryption, then terrorists will find another tool (assuming the law makes it so difficult to obtain encryption devices that it is impractical to do so). Outlaw that second tool, they will find a third. It will be a never-ending spiral of feel-good legislation that does NOTHING to stop the problem and has the collateral effect of hindering progress in areas that contribute to society.

        By focusing on the PEOPLE USING THE TOOLS, you get to the root of the problem. Eliminate the problem at its source by bringing these people to meaningful justice, and it will not matter what their tools of choice are - you will have eliminated the problem, not the symptom.

        Remember - if terrorists followed laws, we wouldn't have to worry about them.

      • We need to regulate the following items from getting on a plane, as they clearly can be used to hijack a plane:

        1. Box of kleenex
        2. Scotch tape
        3. Brown wrapping paper
        4. LED Panel with big red numbers
        5. (optional) Garage door opener with big red button
        6. Human to assemble "bomb" and wave it around in threatening fashion once plane airborne

        Regulating above does nothing to solve the root of the problem [ucpress.edu].

        • We need to regulate the following items from getting on a plane, as they clearly can be used to hijack a plane

          MacGyver and any combination of six airline pillows, two movie headsets, a flight-size bloody mary and a stick of gum is enough to blow a 747 out of the sky.

          KEEP MacGYVER OFF OUR PLANES!

      • There's a huge difference between banning something outright, and outlawing its woeful misuse.

        Guns are a VERY important tool that every American should not be afraid to own. However, those idiots that woefully misuse it to attack other people (animals don't count in that category you PETA lovers) who have not endangered the immediate life of the gun owner, deserve to be dealt swift justice. But that's very different from taking away the responsibilities and freedoms that every generally law-abiding citizen should be allowed.

        The previous poster is simply saying that completely disallowing anyone but the proper 'authorities' to own and use those tools which technology has given us is folly. Simply removing a tool from the general public because of the *risk* of one person misusing it is not worth the absolute destruction of the freedom and responsibility that you give up for a *little* added security (if any at all).



      • Regulation or not, they still are used for purposes other that what they were designed.

        I think what he means, is that regulation of inanimate objects doesn't nearly go all the way toward stopping the people that actually carry out these acts of terrorism. The government too often focuses on the wrong part of the issue. It's so easy to ban and regulate objects instead of banning or regulating behavior, or changing behavior, if you like.

        The root problem of the issue is always people. All of the inamimate objects are useless without the people to make use of them. Guns don't shoot themselves. Dynamite doesn't blow itself up. Planes don't fly themselves. People do!

    • by monkeydo ( 173558 ) on Wednesday September 26, 2001 @11:37AM (#2353033) Homepage
      You make a very intersting point that will no doubt be lost on most of the Slashdot audience (as well as yourself I suppose)

      Airplanes;
      Dynamite;
      Plastic Explosives;
      Fertilizer chemicals;
      Telephones and other communication equipment;
      Knives; and
      Boxcutters


      Are all heavily regulated already. Some directly like explosives and airplanes, and others indirectly like phones and knives.

      Why should strong encryption be different? Just about any tool you can think of has good uses and bad uses. That doesn't mean we should ban the tools, but we should try to minimize their use for purposes contrary to the common good.

      Does it violate some inalienable right that you cannot walk into walmart and by C-4 off the shelf? Certainly you have some harmless use for it. Should convicted felons be allowed to carry firearms on the street?

      Wake up to the real world people. The fact that we live in a society means that we voluntarily give up certain freedoms for the common good. That is the decision that groups of people make when they get together and form governing bodies.

      You cannot simple say banning==bad freedom==good unless your definition of good is anarchy. Do we all agree that the ban on murder is good? Even though it takes away my right to express myself with creative killing?
      • Apparently you yourself have lost one of the finer points of my post: Not that regulation is bad, but that focusing efforts on regulation of THINGS, instead of regulating people's CONDUCT (which is the entire body of criminal law) you waste resources on activities that do not have a direct effect on the source of the problems.

        It is a little like taking cough syrup to clear up your cough from emphysema. The cough may go away for a little while, but it will be back - and worse.

    • by Maldivian ( 264175 ) on Wednesday September 26, 2001 @11:54AM (#2353115)
      Ofcourse, this was like the time when Rudy put the "umlaut" inside Alan. :)

      For the techinically impaired and anally retentive moderators, please find clues enclosed within this sentence.
    • by Speare ( 84249 ) on Wednesday September 26, 2001 @11:54AM (#2353117) Homepage Journal

      Playing Devils' advocate here (because I agree with your sentiment and your logic, but feel you've missed something):

      • Airplanes;
        The government licenses airplanes and their licensed pilots. Yes, mistakes and oversights exist, but the government has always revised its operations to avoid repeat risk exposure.
      • Dynamite;
        The government licenses dynamite manufacturers and explosives-licensed contractors. Yes, mistakes and oversights exist, but the government has always revised its operations to avoid repeat risk exposure.
      • Plastic Explosives;
        The government licenses military-grade weapon manufacturers, military contractors, and the military itself. Yes, mistakes and oversights exist, but the government has always revised its operations to avoid repeat risk exposure.
      • Fertilizer chemicals;
        Synthetic fertilizers and fuels are unlicensed commodities. That does not stop the FBI from wanting to require the introduction of taggants to provide more latent evidence at crime scenes, much as the FBI requires the paints of every year and model of automotive to be unique and registered.
      • Telephones and other communication equipment;
        Covert wiretapping via Echelon? Overt wiretapping statutes via courts? Mandated specific reporting information on all local telco connections even if the carrier does not need this for billing or cost analysis?
      • Knives; Boxcutters;
        Many functional handheld edge weapons are legislated as forbidden in many cities, counties, states: nunchaku, shuriken, swords, stiletto knives, switchblade knives, butterfly-handled knives. Weapon checks and security measures at high-risk facilities such as courtrooms and airports and now even schools and themeparks are controlled by legislation, law enforcement and private policies.

      I think Ashcroft's answer would be, the government always has focused on the tools, because focusing on otherwise innocent individuals impinges on their constitutional rights. He would even quote the fourth amendment back at you, suggesting that while you argue for "security in your papers", it also guarantees the right to be "secure in your persons", not just from some theoretical government torture, but from the deranged psychopathy that makes up the dangerous terrorist element.

      That said, I feel it's not the people nor the tools, but the actions that are to be focused upon. But there's another catch-22 there: you can't legislate effectively against actions; they're already committed by someone who doesn't care about the consequences for those illegal actions. The government is thus stuck focusing on the tools.

      Airplanes, explosives, chemicals, private communications, and defensive weapons are all useful things for the peaceful, and all useful things for the wrathful. Our liberties are hard-won, and hard-kept, both from enemies abroad and within. The Constitution is a work of art and a work of power, and I respect it. Will you? Will our leaders?

      • People seem to be taking my first post (fp? -- nah...) as advocating for NO regulation. I AM NOT. I agree with you (and have said so in another post in this thread) that the focus must be on ACTIONS. That is what the entire body of criminal law does.

        As for the right to be secure in your person - that means from having your person searched and seized (arrested) by the Gov't. It is not a right to be free from crime.

        I cannot take the space to go into detail, but one of the central goals of criminal law is to deter - thus effectively legislating away bad acts before they are prevented. Also, it is to incapacitate - to take those people out of society who do bad acts so they can do no future harm.

        As for respecting the Constitution . . . I took an oath to uphold the Constitution on several occasions, most recently as an attorney. Respect it? I fight to keep it a living document every day.

    • by malkavian ( 9512 )
      Taking it one step more. Encryption is just a layer added over the root method of communication.
      Now, if you wanted to prevent terrorists communicating, you'd outlaw language.
      Nobody could learn to read/write/otherwise gain meaning from any language.
      Once this was done, then, we'd all be safe, no?
      In this, I'm including mathematics too, as it's easy to get meaning from mathematical formulae, and so glean meaning.
      If you think that's silly, just think:
      Encryption is just a form of mathematical formulae. Banning that is in essence banning a form of mathematics.
      There's a good piece on The Register [theregister.co.uk] about this, that's worth a look at too.
      And I wholeheartedly agree with your view. Making a tool illegal which can in some extremely rare situations, be used for illegal purposes will do nothing. The illegal activity will continue, and as they're already doing illegal things, adding one more won't make them lose any sleep. However, all the usual law abiding people now can't use that tool for anything beneficial.
      In fact, it's making certain that the tool will now largely be used against society rather than for it, which, in my view, is about 10 steps backwards.

      Malk
    • This is one that I'm sure will cause me to get a visit from some friendly FLEAs, but I'll post it anyway.

      A truly determined terrorist, wanting to bring down a plane, can do so far too easily. Consider these ideas:

      • Get a glass water bottle. Empty it. Fill with acid. With plane in flight, empty bottle near or on window or floor. With strong enough acid, you will open the plane sooner or later, exposing it to explosive decompression.
      • Continuing on this thread, once the bottle is empty, break it, and you've got an instant weapon with much the same effectiveness as a knife in most people's minds.
      • Get any old bottled water, and dissolve (if memory serves) phosphor in it. When in flight, empty water bottle on floor. As water dries, phosphor will burn.
      • There is a chemical (or element), but I can't remember the name of it right now, which will have an explosive reaction on contact with water. Again, get bottled water. Now, get this chemical/element, and put it into a capsule form. To get it on board the plane, claim it's heart medication, or antibiotic, or some such. Instant bomb is now available.

      Now, how are you going to regulate that?
  • by Anonymous Coward on Wednesday September 26, 2001 @11:12AM (#2352885)

    Bush's Orwellian Address

    Happy New Year: It's 1984

    by Jacob Levich

    Seventeen years later than expected, 1984 has arrived. In his address to Congress Thursday, George Bush effectively declared permanent war -- war without temporal or geographic limits; war without clear goals; war against a vaguely defined and constantly shifting enemy. Today it's Al-Qaida; tomorrow it may be Afghanistan; next year, it could be Iraq or Cuba or Chechnya. No one who was forced to read 1984 in high school could fail to hear a faint bell tinkling. In George Orwell's dreary classic, the totalitarian state of Oceania is perpetually at war with either Eurasia or Eastasia. Although the enemy changes periodically, the war is permanent; its true purpose is to control dissent and sustain dictatorship by nurturing popular fear and hatred.

    The permanent war undergirds every aspect of Big Brother's authoritarian program, excusing censorship, propaganda, secret police, and privation. In other words, it's terribly convenient.

    And conveniently terrible. Bush's alarming speech pointed to a shadowy enemy that lurks in more 60 countries, including the US. He announced a policy of using maximum force against any individuals or nations he designates as our enemies, without color of international law, due process, or democratic debate.

    He explicitly warned that much of the war will be conducted in secret. He rejected negotiation as a tool of diplomacy. He announced starkly that any country that doesn't knuckle under to US demands will be regarded as an enemy. He heralded the creation of a powerful new cabinet-level police agency called the "Office of Homeland Security." Orwell couldn't have named it better.

    By turns folksy ("Ya know what?") and chillingly bellicose ("Either you are with us, or you are with the terrorists"), Bush stepped comfortably into the role of Big Brother, who needs to be loved as well as feared. Meanwhile, his administration acted swiftly to realize the governing principles of Oceania:

    WAR IS PEACE. A reckless war that will likely bring about a deadly cycle of retaliation is being sold to us as the means to guarantee our safety. Meanwhile, we've been instructed to accept the permanent war as a fact of daily life. As the inevitable slaughter of innocents unfolds overseas, we are to "live our lives and hug our children."

    FREEDOM IS SLAVERY. "Freedom itself is under attack," Bush said, and he's right. Americans are about to lose many of their most cherished liberties in a frenzy of paranoid legislation. The government proposes to tap our phones, read our email and seize our credit card records without court order. It seeks authority to detain and deport immigrants without cause or trial. It proposes to use foreign agents to spy on American citizens. To save freedom, the warmongers intend to destroy it.

    IGNORANCE IS STRENGTH. America's "new war" against terrorism will be fought with unprecedented secrecy, including heavy press restrictions not seen for years, the Pentagon has advised. Meanwhile, the sorry history of American imperialism -- collaboration with terrorists, bloody proxy wars against civilians, forcible replacement of democratic governments with corrupt dictatorships -- is strictly off-limits to mainstream media. Lest it weaken our resolve, we are not to be allowed to understand the reasons underlying the horrifying crimes of September 11.

    The defining speech of Bush's presidency points toward an Orwellian future of endless war, expedient lies, and ubiquitous social control. But unlike 1984's doomed protagonist, we've still got plenty of space to maneuver and plenty of ways to resist.

    It's time to speak and to act. It falls on us now to take to the streets, bearing a clear message for the warmongers: We don't love Big Brother.

    Jacob Levich (jlevich@earthlink.net) is an writer, editor, and activist living in Queens, New York.

    • sigh (Score:2, Insightful)

      by mc2Kleen ( 190152 )
      Yes yes yes, we all understand the implications and comparisons of and to Big Brother, Orwell, "1984," "We," "Anthem," "Brave New World" and any other dystopian novel or piece of rhetoric out of the mouths of the alarmists and into the minds of the gullible and naive. But does anyone honestly think it is possible for all of that to happen? Big Brother serves as a symbol rather than a specific person. This legend was propogated by ignorance and apathy and held in place by tyranny. I don't believe anyone who has read 1984 is any of these things and none of are about to let these things happen. I think that Bush's speech is more indicative of the fact of the fact that he is a nimrod (a national tragedy doesn't change that, sorry), doesn't know what to do and is finding out that gee gosh, it's hard being prezudent.

      Luckily there are smart people in Washington who have raised an eyebrow or two about what is being proposed in his new policies. For one, Colin Powell, who seems the wisest of Bush's cabinet members isn't one for rushing out and conducting long drawn out conflicts without first weighing the consequences. This Big Brother argument, while compelling, only fuels more fears and suspicions, it is hardly the truth, in fact most of Big Brother arguments are based upon a work of fiction and while 1984 gives us all reason to pause, in any case, it is still just that.

      Ashcroft is the one who scares me.
    • by geekoid ( 135745 ) <dadinportland.yahoo@com> on Wednesday September 26, 2001 @12:26PM (#2353304) Homepage Journal
      If you had read the book you would know its 1984 whenever they say its 1984. THATS THE POINT OF THE BOOK!
    • by jd ( 1658 ) <imipak@yaGIRAFFEhoo.com minus herbivore> on Wednesday September 26, 2001 @12:53PM (#2353579) Homepage Journal
      A double-plus-good post, friend citizen.


      Seriously, this is a scenario which (although maybe a -little- OTT) is unfortunately all too believable. Certainly, we're seeing increased restrictions and laws designed to control through fear, rather than through a mutual wish to live in a complex society.


      As for information... ...the good citizens of the US ain't getting any. For a country that has no freedom of information act, where the Government uses D-Notices with abandon, and until recently even denied it had any kind of intelligence department, the UK's news outlets have been covering the growing conflict in far more depth than the US media.


      (Hands up all who know where the first NATO battle was fought, in the current conflict, in Afghanistan? You didn't even know there -had- been one? Wow, talk about being kept up-to-date!)


      The US COnstitution is severely weakened, through current spin-doctoring. I would fully expect that polls would show more than 50% of US Citizens would be willing to have the Constitution suspended, at a time of extreme national crisis.


      After that, it wouldn't be too difficult to simply modify how "extreme national crisis" is defined, to make it indefinite. Once that happens, you'd think the current state of things was paradise.


      The British aren't innocent of this, either. Carefully-worded polls, with sufficient spin on the results, has all but convinced the British Parliament to establish national ID cards. Something rejected almost unanimously by both politicians and public since the 1950's. There has been no threat imaginable or imagined that could overshadow the deep understanding the British had of how dictatorships, such as the Nazis, rose to power.


      (Absolute control of the media is a big one. Cable "broadcasts" were prohibited by Parliament, from the mid 1940's, because of the danger it would pose if a dictator were ever able to sieze control of it. The listening to alternative views would be impossible. Resistance of any kind would be impossible.)


      But what's happening in the US? We have two types of news coverage - the semi-neutral, with some US bias, and the screaming fanatics. Opposition view points, including those of the Pope, barely get a mention, even in the most neutral of coverage. Remember, this is the Pope we're talking about, not Art Bell. He's the leader of one of the largest Christian organizations in the world, and he's probably more important to Catholics everywhere than any political leader.


      Yet President Bush has effectively made the Pope an enemy of the state. After all, he's obviously not "with us", so he -must- be against us. Doesn't it follow? Bush said so, so it must! President Bush has also effectively declared war on the Vatican, since it certainly harbours people who have commited acts of terror, and it's not going to stop doing so, simply because some wannabe superstar says they should.


      Switzerland is also a prime target. It defends its neutrality fiercely, and it has almost certainly made for a good refuge for those who have, ummm, outstayed their welcome in other countries.


      Argentina is a third. There's no question that many Nazi war criminals fled there, after the war, and those who haven't died of old age are probably still there.


      Invading the Vatican might cause jitters only to those with a Christian mind-set, though given that this allegedly includes George Bush, some might question who's the boss, in his mind.


      Invading Argentina probably won't bother anyone much. The British would probably help.


      Invading Switzerland might have caused an outcry, under normal times. But if the US successfully overthrows at least two other countries first, I suspect that nobody will really notice or care. The endless war will be "part of life" and "the way things are".


      I honestly don't know which is scarier - to contemplate how the future could be on the home front, or how it could end up internationally. Both futures are gloomy.


      What I want to know is this -- We've found Carpathia, and he seems to be doing as well in real life as he did in the books, both in manipulation and in starting wars. No disappearances, though, which is a bit worrying, if you think about it, and no opposition. How long before the rest of the series starts to hit? MINUS any "good guys"?

  • by DreamerFi ( 78710 ) <johnNO@SPAMsinteur.com> on Wednesday September 26, 2001 @11:13AM (#2352888) Homepage
    Folks, in this discussion, please keep "algorithm" and "protocol" seperated. An algorith is a mathematical method, such as the public key algorithms, or, as described rather roughly above, bits being indistinguishable from the statistical properties of the pixels.
    Protocol, on the other hand, is roughly speaking the way you use the algorithms - everything required to get the message from Alice to Bob, including key exchange, agreements on which pictures to use and how to identify them, etc,e tc. I strongly urge you all to read Bruce Schneier excellent works on this subject, both his Applied Cryptography books and his less theoretical and for most of us far more interesting book Secrets and Lies.

    Also, whenever I hear "state of the art cryptography" I feel I hear somebody who doesn't understand that creating cryptography takes years and years. Peer review, taking apart actual implementations, etc, etc, and if after x years there's still no good attack known, then perhaps the cryptography is acceptable.. "state of the art" usually implies "the newest and the latest", and that's not what you're looking for when you select cryptography.
  • Prohibition (Score:5, Insightful)

    by WebBug ( 178944 ) on Wednesday September 26, 2001 @11:16AM (#2352904) Homepage Journal
    Prohibition almost never works. And certainly not when you are prohibiting something that anyone with even a tiny bit of smarts can do on their own.

    Cryptography does not even require computers, the ultimate encryption, one time pads, does not require a computer and is utterly secure as long as you maintain pad seccurity.

    There are caveats to everything, oh well. Enforcing cryptographic limits on your citizens is of no value at all. If a criminal wishes to transact their business using encryption technology then there is nothing law enforcement can do about it. Period.

    Only deep ignorance prevents these people from seeing the truth.

    Besides embedding your message in an image, there are dozens upon dozens of ways of passing messages in plain text. Some famous examples from the past use poetry.

    Enough for now, I might go off on real rant, then we'd all be unhappy.
    • The US military still uses them for secure communication, and ID verification, over insecure channels. And it's easy to build them. Get a word list (from "spell" perhaps) and assign each word in the list a value from AAAAAA to 999999, Roughly 2 billion strings to assign. Assign strings to words, letters, numbers, and punctuation via a good randomizer (a cheap a/d card with a noisy thermocouple makes a great random number generator). The strings can be reused, as long as they are not assigned to the same words.
      • It is much simpler just to xor a random OTP pool to the plaintext - and doesn't restrict what you can say.
        The difficult part of OTP is not the crypto (you can do that on a *watch* these days) but getting the random pad data safely to the recipient before sending the message, and keeping it secure until it needs to be used (after which it should be destroyed of course)
        What you are describing is a codebook - and codebooks CAN be broken given enough data.
        • It's a one time pad. The pad for the day is only used once, for one message. And, yeah, it wouldn't work if you wanted to encode War and Peace. Be great for e-mail though.
    • Prohibition almost never works. And certainly not when you are prohibiting something that anyone with even a tiny bit of smarts can do on their own.
      When you said this, it reminded me of a quote [wired.com] that I'd read in reference to the MP3/Napster brewhaha last year:

      No law can be successfully imposed on a huge population that does not morally support it and possesses easy means for its invisible evasion.
      - John Perry Barlow, a former lyricist for the Grateful Dead, and co-founder of the Electronic Frontier Foundation.

      This is also pertinent here. How exactly does the government intend to enforce this law? Are they planning on trying to intercept and decrypt absolutely everything that goes by? It's just too easy to be able to violate this law w/out getting caught. So maybe I'm naive but I don't think that any such law can be effectively enforced.

  • If you're that worried about being tracked and monitored on your computer, don't use one. Don't use a PC, use credit cards as little as possible, and stay away from any "networked technology". Join the manual labor work force, and dig a ditch. That's probably the only way you'll be able to avoid the upcoming onslaught of "anti-"privacy issues and legislation from Ashcroft and Congress. Oh yeah, don't get your picture taken, and especially don't commit any crimes, cuz then you're mugshot will be plastered across face recognition software everywhere.
  • Easy steganography (Score:2, Interesting)

    by Anonymous Coward
    > > Hey dude, I just computed Pi with some
    > > home-brewed code, can you check if I got it right?
    > >
    > > Pi = 3.149018493227539874383983749210025
    >
    > Hey pal, I think that you need some code tweaking, I get:
    >
    > Pi = 3.14151747701120741294729382749277
    >

    I did some tweaking. Now I get:

    Pi = 3.141649287392847283785938472901018401

    Am I making progress?
  • by the_other_one ( 178565 ) on Wednesday September 26, 2001 @11:21AM (#2352935) Homepage

    ROT 13. Plus DMCA. Plus Attack Lawyers.

    Nobody will hack this right?


    • >ROT 13. Plus DMCA. Plus Attack Lawyers.

      >Nobody will hack this right?

      Not true, it will just be like sex in the old days - everyone does it but everybody's afraid to talk about it.
  • by Paradox !-) ( 51314 ) on Wednesday September 26, 2001 @11:22AM (#2352943) Homepage
    Well, the best stand you can make for your rights to privacy and assembly is probably two fold:

    1. Exercise them, by encrypting everything you send until they either make it illegal or engage in the debate effectively and attending assemblies of like minded citizens lawfully petitioning their government for redress.

    2. Write a check to the ACLU or your favorite civil-rights group (EFF, whatever). Face it folks, Dollars Vote . Nothing expresses your opinion like purchasing power. So I would recommend, in effect, "purchasing" more advocacy and voice in the system. This is not to say this system is right, it is to say this system is reality. We can complain that it shouldn't be this way all we want, but unless we show a force (read: $$) that those with power respect, we're pissing in the wind.

    Personally, I use PGP and have been for a while now. (My Public Key [mindspring.com]) I probably don't use it as much as I should, but it's definitely used for some conversations at work I wouldn't otherwise want seen. So far, none of my employers have had an issue. I don't - yet - encrypt everything on my home computer, but I'll probably buy something to do that in the near future. (Recommendations welcome!)

    My company actually mandated everyone get encryption (in our case, Entrust) on our laptops before we went on a project in Asia last year. Turns out, the clients we were doing the work for would attempt to hack into our computers while we we're using their network. They dove into some folks' laptops and read/copied email, files, etc. and then used the information when negotiating with us! We started encrypting everything related to the project before going on site and the client became a bit easier to deal with. (No comments on why they remained our client, please, I still don't know the answer to that one! Decision not in my hands.)

    I mention this because I think there's a possibility to make privacy at an personal level a common cause between corporations and individuals. We just need to make the case loudly and effectively. (which brings me back to my support your local civil rights organization point :)

    • My company actually mandated everyone get encryption (in our case, Entrust) on our laptops before we went on a project in Asia last year. Turns out, the clients we were doing the work for would attempt to hack into our computers while we we're using their network. They dove into some folks' laptops and read/copied email, files, etc. and then used the information when negotiating with us!

      Interesting. In a world where backdoors are required, I suppose that the h4x0rs (like your clients, or the PRC govt, say) would find them pretty easily.

    • by DaveHowe ( 51510 ) on Wednesday September 26, 2001 @11:44AM (#2353060)
      I have three (well, a base of three) crypto-capable packages installed right now.
      1. PGP - obvious, the de-facto standard for email encryption, but unless you can handle GPG is expensive closed source payware.
      2. Scramdisk - powerful, OTF encryption with steganographic capabilities, but requires that the host file be created and formatted before use - pretty useless for email, but very good indeed for local storage
      3. S/Mime - built into Netscape, Outlook and Outlook Express for free; lusers can get a free key from www.thawte.com for the effort of going there, and the system is transparent. I generate my own keys using OpenSSL, but the big name packages mentioned above don't like that - it isn't in their hierachical trust structure...
      What do other people here use?
  • Spot the message (Score:4, Interesting)

    by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Wednesday September 26, 2001 @11:23AM (#2352947) Homepage Journal
    The Bad Guys(TM) could just use www.spammimic.com [spammimic.com] to hide their messages in what looks like regular spamscum.

    Or, you could hide steg messages in what looks like Sircam virii - just change the words a bit, move a space or two or even mess with the attached files.

    There's so much data on the Net today that it's not even funny anymore and lots of it is metadata (Napster login names, tcp packet TTLs, file lengths and the naming of cats on personal homepages spring to mind) so you wouldn't even have to bother using a book cipher or pre-set code phrases like "Buy two quarts of milk on the way home, dear" which of course means "ram two commercial jets into tall buildings before breakfast".

    I don't really understand why anyone bothers, unless it's to catch the really stupid terrorists, the ones that failed Terrorism 101 by not being able to scare the kindergarten kids next door out of their lunch money. Or, to watch over the general populace...

    The point is that you can find hidden messages, faces on Mars and backwards satanic messages everywhere if you look hard enough, but it's impossible to find real messages that's been hidden good enough. Just deal with it.

  • Quantum Cryptography (Score:4, Informative)

    by Trinition ( 114758 ) on Wednesday September 26, 2001 @11:24AM (#2352956) Homepage
    In my informal investigation into quantum computing (which has the power to render useless existing cryptographic ideas), I stumbled across quantum cryptography [qubit.org]. It's actually a variety of ideas that rely on the quantum mechanics and the laws of physics.

    However, I'm not one to suggest it would be undefeatable!

  • Proposed law (Score:5, Insightful)

    by return 42 ( 459012 ) on Wednesday September 26, 2001 @11:24AM (#2352958)
    Proposed law:

    Anyone who wishes to advocate legislation requiring backdoors in encryption products must first write a paper showing how this would prevent terrorists from secretly communicating with each other. Explain the term "steganography" and show how your legislation would prevent terrorists from using it. Explain why terrorists would be unable to fall back on codebooks full of innocuous phrases, hidden in apparent music CDs. Explain how your legislation would be enforced outside the U.S. Prove that your legislation would not have any serious impact on banking, credit card transactions, or internet commerce. Be prepared to defend your thesis to a panel selected by Philip Zimmermann and the Electronic Frontier Foundation.

    • Re:Proposed law (Score:3, Insightful)

      by DaveHowe ( 51510 )
      And show how you will force all terrorists to use your new backdoored software.

      Come to think of it - if you can do that, just force THEM to use it and leave us alone :)

  • There is a form of encryption that will always be secure with one exception. Conversations that are based on prior conversation will always be secure, unless the prior conversation was recorded.

    Because computers have such a difficult time with semantics this means that a human will have had to have heard the original conversation in order for detection of the "encryption" and its meaning. This is why tracking criminals is such a difficult task. Until we can get computers to understand and infer semantics, and then record ALL conversations, there will be no way to decode all transmissions. As I am sure that many on this forum will agree, this is most likely not going to happen in the near future. This is why undercover work is so important.

    To give an example, if I were to say the word "Fjornborgi" to a complete stranger (as most of you are) he would have no idea what I was talking about. On the other hand, if I say that to my brother-in-law, he knows exactly what I am saying and why. This is because we have a history of conversations where the word "Fjornborgi" has been discussed and defined.

    As for computed encryption, with RSA no longer under patent and many very good mathemeticians coming up with interesting functions everyday, I see it being more and more difficult for government to monitor and control information. I don't see this as a bad thing, since it gives the citizens of the world more freedom to express their ideas to their audiences in a secure way. There is little fear of being overheard when not desired. Of course, many will abuse the priviledge, but that has been the case for centuries and not a new problem that has shown up just because of encryption.
    • It'll keep a twelve-year old from figuring out what you're talking about. It won't keep a sophisticated attacker from figuring out what you're talking about. English is a terribly redundant language; whenever you use a sentence with Fjornborgi in it, you're encoding that word in the rest of your sentence, too. A cryptanalyst would study the environment in which you use the word; the time of day; after what activity; with who else around.

      In time, the cryptanalyst would be able to figure out what "Fjornborgi" means--even if you didn't tell him directly, he'd know to a surprising degree of accuracy.

      These are people who recreate the internal mechanisms of cipher algorithms just by watching a string of nearly completely random numbers flow out of it. Compared to that, human conversation is trivial.

    • To give an example, if I were to say the word "Fjornborgi" to a complete stranger (as most of you are) he would have no idea what I was talking about.

      No, not tonight dear, I have a headache!

  • by ajs ( 35943 ) <ajs @ a js.com> on Wednesday September 26, 2001 @11:28AM (#2352983) Homepage Journal
    Ok, I'll admit I'm biased, but I think the next phase in the developing landscape of encryption is universal access to cryptography. I'm not talking about putting PGP on FTP servers, I'm talking about making hard crypto available to my mother.

    To this end, I've started the PPS [sourceforge.net], which is a project devoted to transparent, universal email encryption. The goals are complex, since they are aimed at so many audiences, but you can browse the site and get an idea. If you find it to your liking, please drop me a line and sign up to help.

    You don't have to have technical skills. I need proof-readers, coders, researchers, and more. The reference code is not nearly as important as getting the specification done and doing all of the research needed to get the various MUA vendors to sign on.
  • by DaveHowe ( 51510 ) on Wednesday September 26, 2001 @11:28AM (#2352986)
    Best application for StegCrypto I know of is Scramdisk - it only supports 16 bit WAV files (for now) but for ease of use it is unbeatable. the lower four bits of each sample are "formatted" to form a virtual disk drive (a bit like a floppy disk).
    To open this virtual disk, you drag and drop the wav file on top of the scramdisk app (there are other ways, but that is the simplest) and type in your password. unless you know the password, the volume won't open, and if you examine the file you can't even prove the scramdisk is there (yes, the file's lower four bits will be statistically at random, but this is true of anything but a pure CD rip anyhow - sound cards just can't sample accurately enough to get a clean lower four bits) Scramdisk is free (with source) from www.scramdisk.clara.net [clara.net]
    • Thanks for the comments Dave. A free, open source (GPL'd) version of Scramdisk is in final Alpha testing and a Beta version will be released soon. This version will support just Blowfish and 3DES to begin with, but will certainly support WAV steganography out of the box.



      Keep an eye on www.scramdisk.eu.org [eu.org] for details.



      Suddenly my .sig seems in fashion again!

  • Too many people seem to be automatically against anything that Ashcroft might call for, without actually knowing what the specific proposals are. For example, one of the new powers that Ashcroft has called for is that when a surveillance warrant is granted, it be tied to the individual rather than a specific phone, which seems totally reasonable to me.

    In future discussions, how about if we discuss specific proposals and make specific criticisms rather than general statements about how the government is just looking for the chance to turn the country is a police state?

    Just a thought.

    • by DaveHowe ( 51510 ) on Wednesday September 26, 2001 @11:56AM (#2353128)
      For example, one of the new powers that Ashcroft has called for is that when a surveillance warrant is granted, it be tied to the individual rather than a specific phone, which seems totally reasonable to me.
      It *sounds* reasonable, until you try to impliment it - and realise there is no way to wiretap a person, you have to wiretap any device he might *possibly* use.

      Taken to extremes, it would justify tapping every phone line at a hotel because he stopped off for a meal there....

      • It *sounds* reasonable, until you try to impliment it - and realise there is no way to wiretap a person, you have to wiretap any device he might *possibly* use.

        Which was actually similar to Ashcroft's point that the law has fallen behind technology. We have so much communication technology now that people can switch phones at will, making wiretaps much less effective.

        At some level, we have to assume that government powers won't be abused. The FBI can already tap any phone they want, if they're determined to bypass getting a warrant. I think the key to all this is to make sure we have protections against abuses.

        Not assuming tools can be used for illegal purposes cuts both ways, not just on private citizens.


    • Ever heard the old saw that youre only 7 aquaintances removed from anyone on earth?

      Its very close to true. Its called the network effect.


      Now extrapolate: wiretapping all communication of a few hundred individuals becomes a wiretap of everyone in the entire country.


      Would you still aquiesce to it, knowing what it implies?

  • "State-of-the-art"? (Score:5, Informative)

    by Anonymous Coward on Wednesday September 26, 2001 @11:32AM (#2353008)
    There's always new stuff going on in cryptography, but the state-of-the-art is hard to define...

    Best algorithm? Take your pick. AES/Rijndael, Serpent, Twofish, RC6, Blowfish, MARS, Triple-DES-- all of them are good algorithms.

    Best implementation? OpenSSL has done a great job of implementing most of these algorithms (maybe a few have been left out due to patent considerations) into a simple-to-use library with both high-level and low-level interfaces to the encryption and decryption routines (i.e., you can simply encrypt blocks of memory, or you can have the library format and encrypt the data according to various standards, like SSL).

    Best personal encryption tool? GPG/PGP. I like GPG more, mainly because the source is going to remain available-- NAI is closing up the PGP source. Either one, though, should offer adequate security for e-mail or personal file encryption.

    Best hard-disk encryption system? I'm familiar with encrypted loop-back-- under Linux and OpenBSD. I think that it has some advantages-- it's simple and easy to understand, and it works with ANY filesystem supported by the operating system. However, lots of known header information in file allocation tables and such can give an attacker a lot of information to work with.

    I haven't tried TCFS yet. The OpenBSD support for it is still very young, and is a developers-only sort of thing. I'm thinking that TCFS will be a VERY good choice, once the support for it is stable in most operating systems (I don't know what the status of tcfs is in Linux-- anybody care to let me know?)

    What else? Oh, there's steganography. Still not a lot of stuff out there, but one choice DOES stick out above the rest: OutGuess. OutGuess isn't based simply on a half-baked implementation of a simplistic steganographic algorithm-- it's based on actual research by a respected scientist in the field. OutGuess has a lot of thought put into it, and if you really need steganography (which, I'll admit, is rare), that's the program to use.

    • Best algorithm? Take your pick. AES/Rijndael, Serpent, Twofish, RC6, Blowfish, MARS, Triple-DES-- all of them are good algorithms

      Ack! Not RC6, not RC6. 15 of 20 rounds were broken during the AES selection process.

      In fact, I'd suggest avoiding all of the AES candidates altogether. Even AES itself (nee Rijndael), for that matter--they're simply too new and not enough cryptanalysis has been performed of them.

      The only two on your list which I'd recommend would be Blowfish and 3DES. Both of them have been around for years and have been extensively cryptanalyzed, with no significant results being discovered.
    • and if you really need steganography (which, I'll admit, is rare)

      Needing steganography is rare in the US today, because if somebody asks for your encryption keys you can tell them to fuck off.

      However, that is not the case everywhere. You can be jailed for more than contempt of court in the UK for not handing over your keys, and in some countries merely having what it suspected to be encrypted files is grounds for suspicion. It could get you killed in, say, China, if you piss off the right people.

      Of course, terrorists may use steganography to hide their intentions as well; but then, they've also been using envelopes instead of postcards, and nobody of consequence has proposed doing away with those either.

      As for me, I shall give up my unencumbered crypto when they pry it from my cold, dead fingers, wife and son or no wife and son. They need their liberty more than they need me.
  • by Paranoid ( 12863 ) <my-user-name@meuk.org> on Wednesday September 26, 2001 @11:32AM (#2353009)
    My coworkers and I tend to use a form of steganography, on IRC. Its not typical pixel-in-picture stuff, though... rather, the script encodes messages (the current irssi perlscript implementation is 7-bit clean) in the entropy available in l3eT-babbling carrier text. For instance, "l" could be "l", "L", "|" or "1", meaning you could use an "l" character to store 2 bits of data. The output looks, as I'm sure you can guess, horrible.

    For more important things, we tend to use ssh, but steganography isn't entirely forgotten here =)
  • SSH (Score:2, Informative)

    by Phil Karn ( 14620 )
    How about SSH? It's already one of the most widely used encryption packages out there, second only to the SSL-equipped web browser. It's so easy to install and so utterly transparent to use that there's no excuse for it not to be in universal use on BSD/UNIX/Linux systems.

    Phil
  • Cryptography is a funny field. It's sorta like an intellectual game of chicken. The "best" crypto is almost always the more established algorithms. (These days things like 3DES and RSA) The rational behind this is that the basic principles are sound, leaving only brute force attacks. The nightmare scenario is a "clever" attack. If I dis cover that the WizzBang-2000 scheme is easy to crack if I just divided my cats age, and multiply by 6, then life starts to suck for the WizzBang-2000 users. And quickly.

    So here, we worry about the speed of brute force. With factoring based crypto, it's fairly easy to move the keysize out a tiny amount and reap huge returns. Symmetric based systems are harder, and often need a redesign/re-evaluation. Such as the DES -> AES migration underway now. 56 to 128 bits isn't quite enough for the truely paranoid.
    The chicken part is deciding if someone else has come up with something clever and just not disclosed it. (The big boogy man here is governmental bodies...) Think Engima during WWII.

    Personally, I tend to think that there are enough people working "outside the fence" on crypto that if a major established algorithm was broken, we'd all know shortly thereafter. (And imagine the chaos...)

    More to the point, if an established algorithm is flawed and the parties holding the flaw are governmental, they'd either have to tell almost no one, (because of the danger of a leak) or tell everyone in the government to use some new algorithm. (Which would set off alarm bells for sure.)

    Even the "new" algorithms proposed as canidates for the new AES (now decided as Rija ... whatever) were mostly based on the same old "known hard" problems.

    Along similiar lines, elliptic curves kinda scare me because the math isn't as studied, and I personally think there is more of a chance of an "off the wall" solution to the "hard" problem. With factoring, pretty much everyone since the dawn of math has been hammering on it. (Elliptic has been hammered for a few hundred years I think, but not nearly as intensely.)

    "The Man" wants a backdoor because it's cheaper than a huge beowulf cluster.
  • Getting steg to work (Score:5, Interesting)

    by iabervon ( 1971 ) on Wednesday September 26, 2001 @11:43AM (#2353057) Homepage Journal
    First, share a one-time pad. This is very easy using steganography: you just choose an image on the internet and a time and agree to seed a pseudo-random number generator with that to get your pad. Encrypt your message by XORing it with the one-time pad. Your encrypted message is now indistinguishable from random noise, assuming your PRNG is good.

    Then, you need a data file where noise is expected. Using low-order bits is no good unless you have pictures where the low order bits are actually random, rather than containing no information. One possibility is to take a photograph and make it a GIF or PNG; the lowest order bits that your camera actually produces are probably noise, and will be present in the image.

    Replace the input noise with your special noise. The resulting image is now perfectly plausible (your camera could have taken it if some photons happened to land differently, with the same probability as having taken the photo it did take), and the message cannot be read or distinguished from noise unless the codebreaker knows what image you agreed on.

    In order to do this, you and the recipient have to agree on an image you control and another image. Having done this, you can, of course, agree on more images later, for communications in both directions. Make sure you both look at a lot of images, including a lot that everyone looks at (e.g., CNN).

    And then your recipient looks at the message on his CRT, and the spies read it in the EM radiation. Good thing you weren't saying anything they care about, but why did you bother with all the encryption, then?
  • by rjh ( 40933 ) <rjh@sixdemonbag.org> on Wednesday September 26, 2001 @11:44AM (#2353063)
    You don't want to ask ``what's the state of the art?'', you want to ask ``what's a decade old or more?''

    State-of-the-art would be something like the NSA's Dual Counter Mode for AES, which was recently successfully cryptanalyzed. Or the NSA's SKIPJACK algorithm, which has had 31 of 32 rounds broken. Or RC6, which has had 15 of 20 rounds broken. Or... you get the idea. Of all the really neat and nifty things being developed right now, perhaps only one percent of them--and I may be optimistic here--will survive the test of time.

    Once something's survived five years of hard cryptanalysis, it might be worth using. Ten years, it's probably worth using. More than that, and you should probably be using it already.

    The state-of-the-art is found in quantum computation and quantum cryptography (which are based on different principles, BTW--I'd rather people call them "superposition computation" and "Heisenberg key exchange", or somesuch), and to a slightly lesser extent in elliptical-curve cryptography. I don't trust any of the three worth a damn.

    I don't trust QC of either sort because it depends on so much knowledge of physics and technical savvy that, were it to be fielded today, it would be hideously insecure by virtue of its implementation being so difficult to get right. I don't trust ECC, even though the Taniyama-Shimura Conjecture has been proven, because all of the good elliptic curves have been patented by Certicom and the remainder are either untrustworthy or too slow for practical use.

    This means I'm going to be stuck using my old standbys of El Gamal and 3DES. I'm not at all concerned. El Gamal has had some savagely intense cryptanalysis (almost as much as RSA) and is built on a more difficult problem than RSA; and 3DES has driven good cryptographers to the brink of madness trying to find some exploitable flaw in it.
  • Easy Encryption (Score:2, Informative)

    by Dooferlad ( 101535 )
    PGP is still very good encryption, and I use it regularly. I mostly use it on my Win2k box, but GPG will do the same job under Linux.

    As for how easy it is to use, on Windows it is on the file context menu, allowing you to encrypt and erase files in just a couple of clicks. In Outlook you can tell it to encrypt / sign your emails automatically for you.

    This ease of use is not limited to Windows though, GPG plugs into Mutt as well (and if memory serves me correctly KMail), and I am sure many other email programs. I am not sure about file managers under Linux though.

    -- Dooferlad
  • by pesc ( 147035 ) on Wednesday September 26, 2001 @11:46AM (#2353073)
    Consider this message:

    From: yourself
    To: ussama.bin@hilltop.af
    jkwehgfkwgfbwrgjerhvgbejrgwefuwefwiugfelvbdskv
    wefuweifbkjdsvblsifehvbsibnpweijrbqbzdfgoifhgi

    The easiest way for an intelligence service to monitor e-mails is to chart the communication networks. Who is talking to whom (and when and how often, etc)? This is also very easy to do automatically and continously with a computer. Archiving networks costs just a fraction of the resources needed to archive the entire messages (you can keep several years worth of network info on line). This method also expands very easily to other modes of communication, such as telephony, where content deciphering is difficult to do automatically anyway.

    Why do people still believe that encryption guarantees privacy? Ridiculous!

    And when the government finds the message above and REALLY wants to learn its contents, what decryption method do you think is easiest for them? Brute force analysis of the message or brute force analysis on yourself? How is a fancy 128-bit or "state-of-the-art" cryptography going to help you?

    • disclaimer: im not a crypto freak, nor really a privacy either, so i might not know what im talking

      As you describe it, its ofcourse clear that the way you describe it can be used to link people to other people but still the conversations between them can and will remain private.

      Anonymous remailing took a bellypunch when anon.penet.fi got "invated" by scienlogists [thecia.net] so its not as well used as it might have been before.

      But...

      HavenCo [havenco.com] has recently started to host anonymous remailing [havenco.com]. While there's a clear warning on the sites main page:

      • HavenCo operates an anonymous remailer for customers of HavenCo and the general public. No warranty express or implied is given as to the security of this remailer.

      Considering this to the fact whats the business "catch" [slashdot.org] of the Havenco i hardly doupt that there will be any way for any parties to retrive sender/receiver information without physically executing "man-before-and-after" type of attack. (Which might be really hard to execute)

      Anyway, The best thing with cryptographic tools is that you are on controls. 128bit key is a laugh. One not make a key of 4096 bytes or hell, triple that. I would like to see that goverment computer farm which can cruch a bruteforce attack against that kind of cryptokeys.

      • I'm no expert either, but consider this:

        Carnivore intercept: 10-sep-2001 10:11:12
        From: yourself
        To: remailer@havenco.com
        %send-to: kjgwefkgwefhwgef
        qkwjdhqkwdhqkwdhfqkwjfdhqkwfjhqekfjhwef
        kwejfhrgberkwgvbwkjerhfweufhwkejfhwekfj

        --
        Carnivore intercept: 10-sep-2001 10:11:13
        From: remailer@havenco.com
        To: ussama.bin@hilltop.af
        qkwjdhqkwdhqkwdhfqkwjfdhqkwfjhqekfjhwef
        kwejfhrgberkwgvbwkjerhfweufhwkejfhwekfj

        You have to admit that:

        You are trying to protect your privacy not only by encryption, but also by using a remailer

        Some data mining in the network databases defeats that!

        128bit key is a laugh. One not make a key of 4096 bytes or hell, triple that.
        128-bit is not a laugh. It is very difficult to decrypt that. The problem with 128 bits (not to mention 4096!!!) is key management. How do you remember a key with that much entropy without writing it down somewhere?

        • Any good HOWTO on remailing will point out that you should use cypherpunk remailers and chaining ...

          1. encrypt message to Bin Laden.
          2. add "to: laden@hilltop.af" as the first line before the encryption.
          3. encrypt it all to remailer C
          4. add "to: remailerc@somewhere.com" to the top
          5. encrypt it all to remailer B
          6. add "to: remailerb@another.net" to the top
          7. encrypt it all to remailer A
          8. Send it off to remailera@anon.fi

          At each waypoint, the remailers should hold the message for a random amount of time before resending it to the next remailer. Each remailer decrypts who the next point in the chain is off the message and passes the rest of the message to the next remailer until the last remailer sends the encrypted message to Bin Laden.

          If the remailers in question have a fairly high level of E-mail traffic (or generate fake traffic between each other from time to time), tracking messages becomes nearly impossible.

          PS, its more fun if your message says:

          Check out my latest beach photos on webshots.

          The traffic analysis that would have to then be avoided is also the correlation between people who receive lots of E-mail from cypherpunks remailers and which websites they visit frequently ...

          PS, almost nobody actually uses public keys to encrypt messages, they use random 128 bit or 256 bit AES/IDEA/Twofish keys to encrypt messages whose keys are then encrypted with a public key algorithm.

  • by rayd75 ( 258138 ) on Wednesday September 26, 2001 @11:47AM (#2353084)
    What is the point of fighting it any more? This is due to a fundamental flaw in our system of government. Representatives are allowed to bundle too much un-related stuff into one bill. Who in the hell are we going to be able to convince not to vote for this? Obviously, if it were a bill that only existed to criminalize secure communications everyone would be outraged. It's not that. It's an "anti-terrorism" bill with a zillion individial provisions inside. My congressman isn't taking anyone seriously who calls and askes him to vote against an anti-terrorism bill and I guarantee yours isn't either.

    Step out into the street and hand over your guns to the police and don't even think about complaining about it because you could be tried for treason.
  • I'm getting off on a tangent here, but watching a rebroadcast of Ashcroft addressing Congress last night on C-SPAN change how I felt about the man as well as his proposal.

    I'm not a supporter of him, but his ideas may have some merit, however his writing skills seemed to lack and I noticed him apologizing on the wording of the laws quite a bit, and instead of reading the text, stating what his intentions were. I think he may be getting some much needed criticism and maybe these new laws will not be the end of the tech world after everybody else gets there paws into the exact wording of it.

    This brings up another point: for this man to be in the position of power that he is, shouldn't there have been more though put into his proposal? Obvisouly the confusion I watched last night was just the beginning as several members didn't get a chance to query Ashcroft as he had another appointment. The members that did, all had concerns over the wording of the proposal.

    I guess I'm just glad to see that this wasn't rushed through and passed as law and that some officials are actually reading it and listening to their constituents.

    I wouldn't even really worry about encryption at the moment. It seems that all congressmen aren't idiots.

    Of course, this is just the way I feel at the moment, this is subject to change.
  • Restrictions on use of cryptography by law-abiding citizens is equivalent to unilateral disarmament in the field of computer security. Why is it that both bin Laden and the FBI consider the freedom of Americans to be a problem?
    -russ
  • by SysKoll ( 48967 ) on Wednesday September 26, 2001 @12:10PM (#2353197)

    Back in the '80s, a young police officer (with whom I used to play D&D when we were teens, and no, he wasn't a lawful good ranger) once told me he was facing a ring of drug traffickers. He was bitter about not able to keep up with them. These mobsters knew that they were under constant phonetap surveillance. This didn't stop them from using the (tapped) phone lines for setting up appointments and deliveries. And the law enforcement agencies never knew about these dug deals until way too late.

    Their trick? The mobsters had imported a few natives from a remote North-African village, speaking a dialect that nobody else on Earth spoke. One of these guys on each end of a phone, and even tapped phones become secure! Of course, they used code words for street name and subway stations.

    The Navajo code speakers used by the US transmissions during WWII also used the same principle. Not high-tech at all, but very efficient.

    So I strongly suggest that all these laws against cryptography include an article mandating the use of a State-approved language on a phone line. Just like in the former Eastern European countries. Why, anything less stringent would put freedom itself at risk, right?

    -- SysKoll
    • Ignoring some of the humour value, I hope someone in the media makes a bit of noise about the fact that making strong encryption have backdoors has no effect at all on the use of other methods like pre-exchanged one time pads and the use of little-known languages.

      That aside as well, who's going to force the terrorists to use the state-approved software in the first place? That's what I thought....
  • by ZanshinWedge ( 193324 ) on Wednesday September 26, 2001 @12:20PM (#2353248)
    Seriously though, if you are highly technically savvy (which I will assume since we are speaking about the state of the art) then you can not only create near unbreakable encryption, but near undetectable (or untraceable) encryption. Steganography is a child's toy compared to some of the things that are possible. The internet is a vast 86,400 / 365 information sea, slipping a few megabytes of low profile data into it is going to be hard to notice. By utilizing multiple techniques at the same time (hard encryption, low signal to noise ratio channels, low detectability communications, difficult traceability, etc.) you can be confident that even if someone found your data they would not be able to understand it or extract useful information from it.

    For example, let's say you want to send data to someone else. Let's say it's a short text message, though it could be anything up to gigabytes of data without too much trouble. The sender encrypts the text using public key cryptography with a large key (4096-bits or larger), then breaks the encrypted message into several really small chunks, then uses a program to generate thousands of fake chunks. Then, using a sequence of hacked ISP and shell accounts (preferably spanning the world), the sender embeds this "chunk stream" into some nondescript form of communication. Let's say they use a large number of spam messages, or pornographic multimedia posted to a highly trafficked usenet newsgroup over several days and a simple steganographic technique for the embeddding. The receiver downloads the source files, extracts the "chunk stream", selects out the valid chunks, then decrypts the data.

    Let's say that Los Federales were able to detect that something funky was going on. That alone, in the firehose of the internet, is a significant challenge. They would need to first be able to extract the data from the embedding system. Not impossible, but difficult. Next they would need to cull out the invalid chunks in the pile they now have. This can be made as difficult a problem as breaking hard-encryption in and of itself. If they manage to wade through that mountain of sludge, they end up faced with near unbreakable encryption. For added fun, repeat some of the steps multiple times! (for example, double encryption, double stage steganography, etc.), preferably with different techniques for each iteration (encryption cycle 1 uses RSA, while cycle 2 uses elliptic curves, etc.)

    Or, you could take the route the US has taken since before WWII and use one time pads. One time pads are provably cryptographically secure (if you don't have the key you simply CAN'T break the encryption). The only difficulty is distributing the keys.

    Nevertheless, I would imagine that the main goal these days would be low-detectability rather than pure cryptographic security. If they can't find your pigeon in a flock of wild birds then they very well can't even try to decrypt the message it carries. There is a LOT of noise on the internet, that provides a huge amount of hiding space.
  • I'm not trying to be funny here but I think we should be asking what's state of the art in decryption technology. Isn't that what we're all worried about?

  • The Government are immoral to use this as excuse to spy on their citizens.

    You should be aware, communication interception will not work on terrorists.

    NSA experts even admit it.

    Excerpt from USATODAY article, 'Bin Laden's cybertrail proves elusive'

    WASHINGTON (AP) -- Despite warnings from top government officials that terrorists would use exotic technology to communicate, suspected terrorist mastermind Osama bin Laden instead has used "no-tech" methods, foiling efforts to track him, former U.S. intelligence officials said.

    Intelligence agents once could keep tabs on bin Laden when he used a satellite phone that could be picked up by U.S. spy gear and matched to his voiceprint. That capability leaked to bin Laden, so he swore off talking on the phone, according to Marc Enger, former director of operations at the Air Intelligence Agency, the Air Force's intelligence arm.

    Madsen said the hijackers could have communicated by means of seemingly innocuous messages on Web sites, impervious to the most vaunted surveillance tools in use by U.S. intelligence.

    All the Carnivores and all the Echelons in the world would do very little to hamper that kind of operation," referring to the FBI's e-mail surveillance box and a widely suspected NSA surveillance network.

    ********

    You could ask those that deny above this:

    Do you not think - once back doors and greater surveillance are introduced, when not planning face to face, terrorists will just have to send personal couriers?

    Perhaps give mobile for single message when required - just using message - go with plan a / b or abort.:

    Government say about surveillance - "you've nothing to fear - if you are not breaking the law"

    This argument is made to pressure people into acquiesce - else appear guilty.

    It does not address the real reason, why they want this information - they want a surveillance society.

    They wish to invade your basic human right to privacy.

    This is like having somebody watching everything you do - all your thoughts, hopes and fears will be open to them.

    All your finances for them to scrutinize - heaven help you if you cannot account for every cent when they check on your taxes.

    Do not believe the lies of Government - even more money spent on Carnivore will not protect you.

    IT IS A LIE - TERRORISTS WILL GET AROUND IT
  • ...in a world where terrorists regularly use encryption to fly other people's computers into the sides of tall buildings.
    --G
  • Usually don't you paint a bulls-eye on your target, and leave the crosshairs on your scope where they belong?
  • An encryption algorithm [ciphers.de] has recently appeared where the author makes some extraordinary claims about its strength. The German Government had even threatened the author with prison for trying to create commerical applications with it.
    Comments Please:

Passwords are implemented as a result of insecurity.

Working...