[7168] in cryptography@c2.net mail archive


Re: NSA back doors in encryption products

daemon@ATHENA.MIT.EDU (Alan Olsen)
Wed May 24 15:39:01 2000

To: John Gilmore <gnu@toad.com>
Cc: Rick Smith <rick_smith@securecomputing.com>, cryptography@c2.net,
        gnu@cygnus.com, alano@pcx.ncd.com
In-Reply-To: Message from John Gilmore <gnu@toad.com> 
   of "Tue, 23 May 2000 15:48:08 PDT." <200005232248.PAA16609@cygint.cygnus.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 23 May 2000 23:23:27 -0700
From: Alan Olsen <alano@pcx.ncd.com>
Message-Id: <20000524062327.C5E6C1D62A@summanulla.pcx.ncd.com>

John Gilmore wrote:
> Turning down the offer on verifiability grounds left them wondering
> whether they really would have done it if it'd been possible to keep
> the whole thing secret.  The quid pro quo offered by NSA would be that
> their products would have no trouble getting through the (at the time)
> draconian export controls.  Of course, there was no way to enforce the
> deal either; "blowing the whistle" if NSA refused export permission
> would have revealed the company's security products as untrustworthy,
> probably kicking it out of the security market.
> 
> Anybody tested the primes in major products lately?

Actually you do not even need that.  All you have to do is make sure that the passphrase never reaches the level of entropy of the encryption algorithm.

An example of this is V-Go.  It claims to use 128-bit Blowfish, but it is very difficult to generate a passphrase that contains 128 bits of entropy. (They also include a module for something called "cobra".  Sounds like homebrew snake-oil to me, but I have not reverse engineered that one yet.)

V-Go uses a "graphical passphrase".  Not only does it contain a small number of combinations per "character", but it allows you to enter the elements in any order! (I have been trying to determine the total number of combinations involved, but I have not been able to determine a good formula for this and no standard statistics reference has given me any reasonable formula for this sort of combination problem.  If you have a formula, send it to me off-line.) You are given the option of which passphrase generation screen you want to use.  The "cards" screen can only generate 54 bits of entropy.  The "timeclock" screen can only generate less than 800,000 combinations.

The program is distributed by Passlogix, but it has Intel's name all over it.  It seems to be used by a number of high profile sites.  Seems that if you put a well-trusted name on it, people will use just about anything!
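
The entropy gap described in the message above can be worked through with standard counting formulas. This is an added example, not part of the original post and not V-Go's code; the symbol and pick counts (52 and 5) are constructed for illustration and do not describe V-Go's real screens.

```python
import math

KEY_BITS = 128  # cipher key size quoted in the message

def ordered(n, k):
    """Sequences of k distinct symbols out of n (entry order matters)."""
    return math.perm(n, k)

def unordered(n, k):
    """Sets of k distinct symbols out of n (any entry order accepted)."""
    return math.comb(n, k)

def unordered_repeats(n, k):
    """Multisets of k symbols out of n (repeats allowed, order ignored)."""
    return math.comb(n + k - 1, k)

def bits(count):
    """Entropy in bits of a uniformly random choice among `count` secrets."""
    return math.log2(count)

def effective_bits(count, key_bits=KEY_BITS):
    """Attacker's work factor: the smaller of key space and secret space."""
    return min(bits(count), key_bits)

def report(n, k):
    """Compare an order-sensitive secret with one accepted in any order."""
    o, u = ordered(n, k), unordered(n, k)
    return {
        "ordered_bits": bits(o),
        "unordered_bits": bits(u),
        "bits_lost_to_any_order": bits(o) - bits(u),  # equals log2(k!)
        "effective_bits": effective_bits(u),
    }

if __name__ == "__main__":
    # Constructed parameters, not V-Go's real layout: 5 picks from 52 symbols.
    for name, value in report(52, 5).items():
        print(f"{name:24s} {value:6.2f}")
    # Figure from the message: fewer than 800,000 combinations.
    print(f"{'800,000 combinations':24s} {bits(800_000):6.2f} bits")
```

Accepting the elements in any order divides the secret space by k!, so the effective strength is bounded by the passphrase space rather than by the 128-bit key.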


