Slashdot Mirror
What's Now State of the Art in Encryption Technology?
One thing about encryption: the easier it is to do, the more people there will be using it. For the non-tech user, encrypting messages on a day-to-day should be no more complex than 3 steps.
JPMH asks:"First journalists and now even relatively clued-up politicians in the UK are talking about making it an offence to use strong encryption in email and web-pages. An obvious counter is that this won't work, because the messages can easily be hidden using Steganography (Slashdot Jan 2, May 8). But that assumes that the steganography itself is good enough not to be detected. Is this true? How good is the state of the art?
To be undetectable, the properties of the 'message' bits you are putting in must be statistically indistinguishable from the 'image' bits you are overwriting. According to a paper by Neils Provos and Peter Honeyman of U. Michigan (highlighted today in the Register) the simplest common programs, such as JSteg and JPHide, fail this test badly and are easily detected. But they failed to nail any confirmed steganographic content in 2 million images on EBay.
Other programs (eg Provos's Outguess 0.2) are more sophisticated at hiding the messages (and other media eg MP3s give a bigger haystack to hide them in); but on the other hand, more sophisticated statistical models of images (eg Slashdot 16 Aug) may be better at making the 'hidden' content stand out.
So, can messages reliably be hidden? Or will people trying to hide their messages in a reliable manner get caught?"
Of course encryption is a "tool of terrorism." It falls squarely into the same category as other tools:
Concentrate on the terrorists and not on their tools. Starting down the road of outlawing inanimate objects that can be used for multiple purposes is the beginning of an ultimately unfulfilling and unsatisfying journey.
Laws affecting technology will always be bad until enough techies become lawyers.
Bush's Orwellian Address
Happy New Year: It's 1984
by Jacob Levich
Seventeen years later than expected, 1984 has arrived. In his address to Congress Thursday, George Bush effectively declared permanent war -- war without temporal or geographic limits; war without clear goals; war against a vaguely defined and constantly shifting enemy. Today it's Al-Qaida; tomorrow it may be Afghanistan; next year, it could be Iraq or Cuba or Chechnya. No one who was forced to read 1984 in high school could fail to hear a faint bell tinkling. In George Orwell's dreary classic, the totalitarian state of Oceania is perpetually at war with either Eurasia or Eastasia. Although the enemy changes periodically, the war is permanent; its true purpose is to control dissent and sustain dictatorship by nurturing popular fear and hatred.
The permanent war undergirds every aspect of Big Brother's authoritarian program, excusing censorship, propaganda, secret police, and privation. In other words, it's terribly convenient.
And conveniently terrible. Bush's alarming speech pointed to a shadowy enemy that lurks in more 60 countries, including the US. He announced a policy of using maximum force against any individuals or nations he designates as our enemies, without color of international law, due process, or democratic debate.
He explicitly warned that much of the war will be conducted in secret. He rejected negotiation as a tool of diplomacy. He announced starkly that any country that doesn't knuckle under to US demands will be regarded as an enemy. He heralded the creation of a powerful new cabinet-level police agency called the "Office of Homeland Security." Orwell couldn't have named it better.
By turns folksy ("Ya know what?") and chillingly bellicose ("Either you are with us, or you are with the terrorists"), Bush stepped comfortably into the role of Big Brother, who needs to be loved as well as feared. Meanwhile, his administration acted swiftly to realize the governing principles of Oceania:
WAR IS PEACE. A reckless war that will likely bring about a deadly cycle of retaliation is being sold to us as the means to guarantee our safety. Meanwhile, we've been instructed to accept the permanent war as a fact of daily life. As the inevitable slaughter of innocents unfolds overseas, we are to "live our lives and hug our children."
FREEDOM IS SLAVERY. "Freedom itself is under attack," Bush said, and he's right. Americans are about to lose many of their most cherished liberties in a frenzy of paranoid legislation. The government proposes to tap our phones, read our email and seize our credit card records without court order. It seeks authority to detain and deport immigrants without cause or trial. It proposes to use foreign agents to spy on American citizens. To save freedom, the warmongers intend to destroy it.
IGNORANCE IS STRENGTH. America's "new war" against terrorism will be fought with unprecedented secrecy, including heavy press restrictions not seen for years, the Pentagon has advised. Meanwhile, the sorry history of American imperialism -- collaboration with terrorists, bloody proxy wars against civilians, forcible replacement of democratic governments with corrupt dictatorships -- is strictly off-limits to mainstream media. Lest it weaken our resolve, we are not to be allowed to understand the reasons underlying the horrifying crimes of September 11.
The defining speech of Bush's presidency points toward an Orwellian future of endless war, expedient lies, and ubiquitous social control. But unlike 1984's doomed protagonist, we've still got plenty of space to maneuver and plenty of ways to resist.
It's time to speak and to act. It falls on us now to take to the streets, bearing a clear message for the warmongers: We don't love Big Brother.
Jacob Levich (jlevich@earthlink.net) is an writer, editor, and activist living in Queens, New York.
Folks, in this discussion, please keep "algorithm" and "protocol" seperated. An algorith is a mathematical method, such as the public key algorithms, or, as described rather roughly above, bits being indistinguishable from the statistical properties of the pixels.
Protocol, on the other hand, is roughly speaking the way you use the algorithms - everything required to get the message from Alice to Bob, including key exchange, agreements on which pictures to use and how to identify them, etc,e tc. I strongly urge you all to read Bruce Schneier excellent works on this subject, both his Applied Cryptography books and his less theoretical and for most of us far more interesting book Secrets and Lies.
Also, whenever I hear "state of the art cryptography" I feel I hear somebody who doesn't understand that creating cryptography takes years and years. Peer review, taking apart actual implementations, etc, etc, and if after x years there's still no good attack known, then perhaps the cryptography is acceptable.. "state of the art" usually implies "the newest and the latest", and that's not what you're looking for when you select cryptography.
Prohibition almost never works. And certainly not when you are prohibiting something that anyone with even a tiny bit of smarts can do on their own.
Cryptography does not even require computers, the ultimate encryption, one time pads, does not require a computer and is utterly secure as long as you maintain pad seccurity.
There are caveats to everything, oh well. Enforcing cryptographic limits on your citizens is of no value at all. If a criminal wishes to transact their business using encryption technology then there is nothing law enforcement can do about it. Period.
Only deep ignorance prevents these people from seeing the truth.
Besides embedding your message in an image, there are dozens upon dozens of ways of passing messages in plain text. Some famous examples from the past use poetry.
Enough for now, I might go off on real rant, then we'd all be unhappy.
Later . . . . . . WebBug
If you're that worried about being tracked and monitored on your computer, don't use one. Don't use a PC, use credit cards as little as possible, and stay away from any "networked technology". Join the manual labor work force, and dig a ditch. That's probably the only way you'll be able to avoid the upcoming onslaught of "anti-"privacy issues and legislation from Ashcroft and Congress. Oh yeah, don't get your picture taken, and especially don't commit any crimes, cuz then you're mugshot will be plastered across face recognition software everywhere.
Th
Same for all the rest of us.
Then so are
airplanes
cars
pens
kitchen knives
bank accounts
credit cards
water (Hey they use it to drink you know)
kitchen sinks
I supose these people also want to pass laws saying what time we should get up in the morning and when to go to the toilet.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Anyone who wishes to advocate legislation requiring backdoors in encryption products must first write a paper showing how this would prevent terrorists from secretly communicating with each other. Explain the term "steganography" and show how your legislation would prevent terrorists from using it. Explain why terrorists would be unable to fall back on codebooks full of innocuous phrases, hidden in apparent music CDs. Explain how your legislation would be enforced outside the U.S. Prove that your legislation would not have any serious impact on banking, credit card transactions, or internet commerce. Be prepared to defend your thesis to a panel selected by Philip Zimmermann and the Electronic Frontier Foundation.
Chatting has been insecure for ages and still people just don't understand to use chat protocols that are secure. People should try for example Secure Internet Live Conferencing (silcnet.org). There's constant development in the cryptology but suggestion 10MB keys are just stupid. People should use existing tools, free tools to be more exact and be done with the problem.
Too many people seem to be automatically against anything that Ashcroft might call for, without actually knowing what the specific proposals are. For example, one of the new powers that Ashcroft has called for is that when a surveillance warrant is granted, it be tied to the individual rather than a specific phone, which seems totally reasonable to me.
In future discussions, how about if we discuss specific proposals and make specific criticisms rather than general statements about how the government is just looking for the chance to turn the country is a police state?
Just a thought.
Sometimes it's best to just let stupid people be stupid.
You don't want to ask ``what's the state of the art?'', you want to ask ``what's a decade old or more?''
State-of-the-art would be something like the NSA's Dual Counter Mode for AES, which was recently successfully cryptanalyzed. Or the NSA's SKIPJACK algorithm, which has had 31 of 32 rounds broken. Or RC6, which has had 15 of 20 rounds broken. Or... you get the idea. Of all the really neat and nifty things being developed right now, perhaps only one percent of them--and I may be optimistic here--will survive the test of time.
Once something's survived five years of hard cryptanalysis, it might be worth using. Ten years, it's probably worth using. More than that, and you should probably be using it already.
The state-of-the-art is found in quantum computation and quantum cryptography (which are based on different principles, BTW--I'd rather people call them "superposition computation" and "Heisenberg key exchange", or somesuch), and to a slightly lesser extent in elliptical-curve cryptography. I don't trust any of the three worth a damn.
I don't trust QC of either sort because it depends on so much knowledge of physics and technical savvy that, were it to be fielded today, it would be hideously insecure by virtue of its implementation being so difficult to get right. I don't trust ECC, even though the Taniyama-Shimura Conjecture has been proven, because all of the good elliptic curves have been patented by Certicom and the remainder are either untrustworthy or too slow for practical use.
This means I'm going to be stuck using my old standbys of El Gamal and 3DES. I'm not at all concerned. El Gamal has had some savagely intense cryptanalysis (almost as much as RSA) and is built on a more difficult problem than RSA; and 3DES has driven good cryptographers to the brink of madness trying to find some exploitable flaw in it.
Consider this message:
From: yourself
To: ussama.bin@hilltop.af
jkwehgfkwgfbwrgjerhvgbejrgwefuwefwiugfelvbdskv
wefuweifbkjdsvblsifehvbsibnpweijrbqbzdfgoifhgi
The easiest way for an intelligence service to monitor e-mails is to chart the communication networks. Who is talking to whom (and when and how often, etc)? This is also very easy to do automatically and continously with a computer. Archiving networks costs just a fraction of the resources needed to archive the entire messages (you can keep several years worth of network info on line). This method also expands very easily to other modes of communication, such as telephony, where content deciphering is difficult to do automatically anyway.
Why do people still believe that encryption guarantees privacy? Ridiculous!
And when the government finds the message above and REALLY wants to learn its contents, what decryption method do you think is easiest for them? Brute force analysis of the message or brute force analysis on yourself? How is a fancy 128-bit or "state-of-the-art" cryptography going to help you?
)9TSS
It's was pointed out by Larry Ellison that the only privacy remaining is the illusion of privacy. Face it, if you have a SSN, a bank account, a credit card, a job, and access the net/email, chances are your privacy is already screwed. Is this good or bad? Who knows, but it's the world we live in.
In reality, if our "privacy is compromised", the worst thing that usually happens is our inbox is flooded with SPAM. Credit cards are rarely hacked (never happened to me), and when it does happen, CC company usually fixes is. Oh sure, some folks get their SSN taken and their lives screwed with, but really, how many people has this happened to??
For those folks using Encryption in their day to day email......why? What are you keeping secret? What do you do that is so bloody important? Just curious....
...and what are the legitimate uses of box cutters for those without something they want to cut?
It's a daft question. There's nothing implictly wrong in having something to hide, most of us, those who are human and live normal lives, have many things we don't want in the wrong hands, such as our credit card numbers, for instance.
If I had to email my bank, and transfer confidential information that could be misused, or had to communicate with some group I wanted to trade with, again by email, and needed to pass on confidential information, I'd use PGP or not use email at all. I don't regard that as illegitimate.
KMSMA (WWBD?)
What is the point of fighting it any more? This is due to a fundamental flaw in our system of government. Representatives are allowed to bundle too much un-related stuff into one bill. Who in the hell are we going to be able to convince not to vote for this? Obviously, if it were a bill that only existed to criminalize secure communications everyone would be outraged. It's not that. It's an "anti-terrorism" bill with a zillion individial provisions inside. My congressman isn't taking anyone seriously who calls and askes him to vote against an anti-terrorism bill and I guarantee yours isn't either.
Step out into the street and hand over your guns to the police and don't even think about complaining about it because you could be tried for treason.
I dont have anything to hide, but nothing gives them the right to read my email. It's a breach of my being as a American. I pay taxes to live to here, I pay for the military, I pay the salaries. Part of that is to the end of keeping us safe. That doesn't mean tag me like a wild animal, and read everything about my life. I dont want them to know who and when I converse. Because its information that is mine. They don't have a right to it.
Of course, you are exactly right! How could I ever have thought I had things to hide! Encryption of, aka hiding, information must be used only by those with a nefarious purpose. So I guess I will staple my checks to postcards the next time I pay a bill. And I will post all of my login names and passwords on a public website, since I have nothing to hide about who I am, and I am sure that no one would want to fake my identity online. And I will set up a loudspeaker outside, attached to my phone, so everyone can listen to my every phone call, since I have nothing to hide. And then there's the webcam, and ....
*sarcasm off*
There are a million things wedon't want to make public about ourselves, especially about economic activity. The encryption issue is one of the biggest, if not THE biggest thing that prevents the internet from being the primary way we do business. You want encryption so you can be sure who I am on the other end of a transaction. I want encryption so that the script kiddie next door can't steal my credit card with just a packet sniffer.
-John Van Voorhis
I believe the point that was being made was that while you may have something to hide, your privacy would not be significantly decreased by allowing the justice department to have an escrow key.
It is a valid question, and there is no slashdot friendly answer. The fact is that if you trust the government with that escrowed key, you have nothing to fear. If you have an essential mistrust of the government and administration, then its probably in your interest to archive PGP right now, distribute it to your friends, and get it into use before they ban such warez.
My question is this: If they ban encryption that does not use an escrowed key, but allow it if you use the escrowed type encryption, will anyone be able to tell that you used illegal technology to encrypt a message? I mean its encrypted, and how different can it be from another algorithms output?
Troll Like a Champion Today
I recently read an article about the Executive Branch overextending it's power during times of war. Lincoln and Roosevelt were heavy offenders, but the limitations didn't last beyond the war.
And what's scary about that are Bush's comments that essentially say that this is an ongoing war, until terrorism is eradicated. Which would mean that the war would never end, so the overextension of power would also continue indefinitely.
Yes yes yes, we all understand the implications and comparisons of and to Big Brother, Orwell, "1984," "We," "Anthem," "Brave New World" and any other dystopian novel or piece of rhetoric out of the mouths of the alarmists and into the minds of the gullible and naive. But does anyone honestly think it is possible for all of that to happen? Big Brother serves as a symbol rather than a specific person. This legend was propogated by ignorance and apathy and held in place by tyranny. I don't believe anyone who has read 1984 is any of these things and none of are about to let these things happen. I think that Bush's speech is more indicative of the fact of the fact that he is a nimrod (a national tragedy doesn't change that, sorry), doesn't know what to do and is finding out that gee gosh, it's hard being prezudent.
Luckily there are smart people in Washington who have raised an eyebrow or two about what is being proposed in his new policies. For one, Colin Powell, who seems the wisest of Bush's cabinet members isn't one for rushing out and conducting long drawn out conflicts without first weighing the consequences. This Big Brother argument, while compelling, only fuels more fears and suspicions, it is hardly the truth, in fact most of Big Brother arguments are based upon a work of fiction and while 1984 gives us all reason to pause, in any case, it is still just that.
Ashcroft is the one who scares me.
The Government are immoral to use this as excuse to spy on their citizens.
You should be aware, communication interception will not work on terrorists.
NSA experts even admit it.
Excerpt from USATODAY article, 'Bin Laden's cybertrail proves elusive'
WASHINGTON (AP) -- Despite warnings from top government officials that terrorists would use exotic technology to communicate, suspected terrorist mastermind Osama bin Laden instead has used "no-tech" methods, foiling efforts to track him, former U.S. intelligence officials said.
Intelligence agents once could keep tabs on bin Laden when he used a satellite phone that could be picked up by U.S. spy gear and matched to his voiceprint. That capability leaked to bin Laden, so he swore off talking on the phone, according to Marc Enger, former director of operations at the Air Intelligence Agency, the Air Force's intelligence arm.
Madsen said the hijackers could have communicated by means of seemingly innocuous messages on Web sites, impervious to the most vaunted surveillance tools in use by U.S. intelligence.
All the Carnivores and all the Echelons in the world would do very little to hamper that kind of operation," referring to the FBI's e-mail surveillance box and a widely suspected NSA surveillance network.
********
You could ask those that deny above this:
Do you not think - once back doors and greater surveillance are introduced, when not planning face to face, terrorists will just have to send personal couriers?
Perhaps give mobile for single message when required - just using message - go with plan a / b or abort.:
Government say about surveillance - "you've nothing to fear - if you are not breaking the law"
This argument is made to pressure people into acquiesce - else appear guilty.
It does not address the real reason, why they want this information - they want a surveillance society.
They wish to invade your basic human right to privacy.
This is like having somebody watching everything you do - all your thoughts, hopes and fears will be open to them.
All your finances for them to scrutinize - heaven help you if you cannot account for every cent when they check on your taxes.
Do not believe the lies of Government - even more money spent on Carnivore will not protect you.
IT IS A LIE - TERRORISTS WILL GET AROUND IT
1. Mutt does not recognize (by default, anyway) a PGP message that is not PGP/MIME. A plain old text-encrypted message has to be saved to a file and decrypted. IMO, that's broken.
2. Outlook does not recognize PGP/MIME and handles it as an attachment. This means, if I encrypt a message using Mutt and send it to someone who is using Outlook, that person again has to save it to a file to decrypt. That's broken.
3. Out of a half-dozen or so options which I examined, there is a single functional plugin for Outlook that enables you to easily encrypt/decrypt mail. That's from a site in Germany. It seems like a good product, but since Outlook's handling of PGP/MIME is broken, it's not useful for incoming mail.
4. This plugin produces the old-fashioned text-encrypted message that Mutt won't handle correctly.
I would love to be able to get together with my friends and help them set up encrypted mail. But the plain fact is, there is no "easy" way to do it. Going from one type of mail client to another is a pain in the ass. And what about Eudora, fatal OE, Pine, Pegasus and all the other clients?
Like it or not, mail encryption is the geek equivalent of "classic" books -- those books "everybody talks about and nobody reads."
mp
"The secret to strong security: less reliance on secrets." -- Whitfield Diffie
The funny thing is that most of the people urging caution and restraint are far from peaceniks: They're just intelligent, reasonable, and rational. To ask "What is the point of doing this? What will it achieve? What will best achieve our goals?" apparently is "left wing" to the whackos in these times of crisis.
Let me put it this way: If the US goes and bombs the hell out of whereever-land, and that pushes 100 more fanatics to join the anti-US crusade, and they come over and poison the water and blow up some aircraft, I hope every looney that pushed for instant reaction no matter what the results should be tried for murder. The simple reality is that it is a vicious cycle of cause and effects, and it's a sad day that so many people don't try whatsoever to understand the situation or how to solve it. I don't know myself, but I do know that declaring war on the world isn't the solution.
I heard a funny caller on a call-in show last night (here in Ontario) that proclaimed "Nuke em all and shoot em when they glow", and while that is funny and humorous and all, when their children come back and kill YOU are partly responsible for it. As the old saying goes: "If it was an eye for an eye then everyone would be blind" and that's 100% true. When some wanker US politicians proclaims that this is "retaliation" he should realize that his words could just as likely be coming out of terrorist's mouths for the many atrocities doled out to their people.
BTW: I am not a peacenik, and if it solved things then warm up the nukes and send in the M1A1s: IF IT SOLVES ANYTHING. If it's just to stroke yourself and show you might while continuing the hate then lay off.
There would be a lot more support for your position were it actually the case that banning crypto, or inserting backdoors would prevent a single terrorism act.
It wont.
Apart from the numerous ways anyone who wanted to could continue to use crypto anyway, apart from the problem that one time pads are extremely secure and wouldnt be caught in any encryption law, apart from the problem that there are thousands of ways to encrypt that nobody would even notice, apart from all that, nobody can even say wether they're using crypto over the internet or friggin homing pidgeons.
You are asked to give up your right to privacy for nothing at all.
Just because some opportunistic politicians want to use this tragedy to further their own political agenda.
Oh what a bunch of bullshit. It's funny how no one cared about the women of Afghanistan until it was pertinent for propaganda reasons (and if you don't realize how obviously you're being played...). Just like the Kuwaiti babies. The reality is that there are a lot of nasty places on the Earth where a lot of nasty things happen and the US and other Western nations are blind to it...until it serves their purposes propaganda wise at which point suddenly everyone cares. How very 1984.