Domain: iacr.org
Stories and comments across the archive that link to iacr.org.
Comments · 157
-
MD5 Rumored broken?
-
Re:Free information.
I seem to remember hearing that a lot of Third World countries carried on using the German cryptosystems for a long time after the war, and that was why all the Bletchley technology was kept black - we rather liked being able to read everyone's mail. Don't know how true that is, though...
Well, there is something related here; Dennis Ritchie dabbles in cryptography. He talks about cryptanalysis of the hagelin m-209b crypto device (I bought one on ebay :)). They submitted their findings for voluntary review by the NSA before publishing, and Ritchie was visited by a "Retired Man" from the NSA. The relevant bit:
He got a bit more specific about two things: the agency didn't particularly care about the M-209. What they did care about was that the method that Reeds had discovered was applicable to systems that were in current use by particular governments, and that even though it was hard to imagine that these people would find the paper and relate it to their own operations (which used commercially-available crypto machines), still... perhaps we should exercise discretion? It was certainly legal to publish, but publication might cause difficulties for some people in the agency.
Full story in the first link. So, even though this has nothing to do with the UK and colossus/enigma/lorenz directly, it still is a similar story.
-
Paper?
Anyone know if there's a paper on this? This news came up on another site a couple of days ago, but they didn't even mention the researcher's name, only implied it was presented at EuroCrypt'2004 in Switzerland. I looked through the list of accepted papers, but nothing stood out.
A search on IACR will give a single hit on the author, but it isn't this report/paper/work.
-
Re:Wasn't smart enough.
Why should it be illegal to perform a mathematical transform on the EM passing through your own head?
IANAL, but I think this is illegal in the US. Why? Because it is decrypting something intentionally encrypted.
Yes, it is a stupid, senseless law, but it is still a law. I am all for breaking it, but know that if you do, you are still susceptible to punishment, despite the stupidity of the law.
What you have to do in these circumstances is publish your cryptanalysis (which I assume this was) in the JOC. Then you don't get arrested for scientific research. You could even take out a patent (software-patent style) and make semi-legitimate money until such decryption devices are specifically regulated.
-
Interesting article.
Very long, but worth the time to read. I've been a big fan of Schneier since I read his book a few years ago.
Best Article quote: "Cryptophiles, Schneier among them, had been so enraptured by the possibilities of uncrackable ciphers that they forgot they were living in a world in which people can't program VCRs."
Perfect timing as I'm gearing up for CRYPTO 2002 at UCSB, YAY!
-Nick
-
Security of SSH
On related news, a basic security flaw in the SSH protocol was recently analyzed by Mihir Bellare et al.
The attack requires a carefully timed chosen-plaintext attack, but seems quite realistic in the setting of IP-over-SSH tunneling. Changes in the SSH protocol appear necessary.
-
Not on list of accepted papers...
The list of accepted papers for Crypto '99 doesn't mention this.
Does anybody have any other reference to show if this is legit? C'mon posters, let's get some signal through the noise here. We all know what it means if it's legit. (switch to Linux? No shit! The answer to everything at /.) The question at hand is whether it's legit.