[118071] in Cypherpunks

Re: more re Encryption Technology Limits Eased

daemon@ATHENA.MIT.EDU (Steve Schear)
Sat Sep 18 23:57:36 1999

Message-Id: <4.1.19990918165934.03c070b0@popserver.com21.com>
Date: Sat, 18 Sep 1999 17:12:32 -0700
To: cypherpunks@cyberpass.net
From: Steve Schear <schear@lvcm.com>
In-Reply-To: <199909171741.TAA29883@mail.replay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Reply-To: Steve Schear <schear@lvcm.com>

At 07:41 PM 9/17/99 +0200, Anonymous wrote:
>Bill Stewart:
>Declan probably hit it on the head here.  The intention is to gum up
>the works, monkey the wrench, sabot the tage.  It is to make it harder
>to export crypto, so that only companies that really, really want to do
>it will be willing to go through with this.  It will discourage adding
>crypto to other products like network interfaces, mail readers, etc.,
>because suddenly you've got to jump through this technical review hoop.
>It is one more barrier to ubiquitous built-in crypto, which is the law
>enforcement nightmare.
>
>Declan McCullagh:
>> Why did the Clinton administration cave on crypto?
>> ...
>> Another answer might lie in a little-noticed section of the legislation
>> the White House has sent to Congress. It says that during civil cases
>> or criminal prosecutions, the Feds can use decrypted evidence in court
>> without revealing how they descrambled it.
>
>Maybe, but there is no guarantee that this new legislation will
>pass.  The relaxation is not tied to the legislation.  The best the
>administration can do is to push for it, but there will certainly be a
>backlash from privacy advocates.  It is questionable whether this measure
>will go anywhere, so it can hardly have been a controlling reason for
>the administration's change of heart.
>
>Greg Broiles:
>> Some (anecdotal) information on this topic is available from Microsoft, as 
>> part of their discussion of the NSAKEY discovery - they claim they were 
>> forced to adopt that peculiar two-key architecture in order to comply with 
>> the NSA's rules for what's exportable.
>>
>> Assuming Microsoft is telling the truth about this - and we've had several 
>> big names weigh in on behalf of Microsoft's good faith and credibility - we 
>> can conclude that, in some cases, the NSA wants to not only review the 
>> technical specs, but make substantive design modifications with 
>> considerable security implications prior to granting their approval.
>
>Keep in mind that this review was done under the old policy.  There is
>no reason to believe that the same kind of review will be applied under
>the relaxed rules.  The only specifically stated purpose for the review
>so far is to determine whether the product is truly mass market versus
>"custom".  If the NSA starts coming back from these reviews and asking
>for back doors or weakened crypto, that will clearly be inconsistent
>with the stated policy:

Now why would the administration care whether the crypto was mass market or
custom? Might one reason be that "custom" software might not provide the
same ease of insertion of backdoors and DIRT-style remote monitoring?

>
>: Any encryption commodity or software of any key length can now be
>: exported under a license exception (i.e., without a license) after a
>: technical review, to commercial firms and other non-government end users
>: in any country except for the seven state supporters of terrorism.
>
>Ben Laurie:
>> Declan McCullagh wrote:
>> >                      Another answer might lie in a
>> >                      little-noticed section of the legislation the
>> >                      White House has sent to Congress. It
>> >                      says that during civil cases or criminal
>> >                      prosecutions, the Feds can use
>> >                      decrypted evidence in court without
>> >                      revealing how they descrambled it.
>>
>> If you can not reveal how you descramble it, doesn't that mean you can't
>> be asked to show that it actually corresponds to the ciphertext?
>
>The claim is that the prosecutors must still prove to the judge that the
>material was obtained in a reliable fashion, and that the government is
>protected from revealing its original source for the data.  Generally,
>judges are in the business of deciding admissibility of evidence.  This
>kind of in camera review is not without precedent.
>
>There are two dangers.  The more obvious but less important one is that
>the government may simply fabricate evidence.  They make up whatever
>incriminating data they want, then go before the judge and lie, claiming
>that it was a valid decryption or intercept.  This can't be ruled out
>but it is a risky strategy for a well-paid lawyer to risk prison just
>to win a case.

But even this is not without precedent as witnessed by the recent DA's
under possible indictment 

>
>The more subtle danger is simply that this shields the government from
>bending the law in order to get these intercepts.  Even though the
>administration has withdrawn its proposal for black bag jobs, it is
>conceivable that a secret executive order could authorize them in some
>cases, on the basis of the various national emergencies which exist.
>This measure eliminates one possible means of oversight into whether
>the intercepted data was gained legally.
>

True, but the courts are unlikely to prevent the defense from bringing in
its own witness to examine if the alleged cyphertext, decryption key and
clear text jibe. Also they'll need to show the defendant was in possession
of the keys. How would a defendant be able that the alleged disk of their
seized system didn't contain the cyphertext. Perhaps an automated means of
generating a disk volume hash at frequent intervals, stored on a remote
server, might help.
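
One way to implement the periodic volume hash suggested in the last paragraph, as an added example that is not part of the original post: each digest is chained to the previous record, so a log held on a remote server is tamper-evident. The function names, record fields, timestamps and sample volume contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import json

CHUNK = 1 << 20           # read the volume in 1 MiB pieces
GENESIS = "0" * 64        # "prev" value for the first record
FIELDS = ("ts", "volume_sha256", "prev")

def volume_digest(stream):
    """SHA-256 over a raw volume image opened as a binary stream."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

def _record_hash(rec):
    body = {k: rec[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(log, stream, ts):
    """Append one snapshot record, linked to the previous record's hash."""
    rec = {"ts": ts, "volume_sha256": volume_digest(stream),
           "prev": log[-1]["record_hash"] if log else GENESIS}
    rec["record_hash"] = _record_hash(rec)
    log.append(rec)
    return rec

def verify_log(log):
    """True only if no record was altered, removed or reordered."""
    prev = GENESIS
    for rec in log:
        if rec["prev"] != prev or not hmac.compare_digest(
                _record_hash(rec), rec["record_hash"]):
            return False
        prev = rec["record_hash"]
    return True

def image_matches_log(log, stream):
    """Timestamps of logged snapshots identical to the presented image."""
    digest = volume_digest(stream)
    return [r["ts"] for r in log if r["volume_sha256"] == digest]

if __name__ == "__main__":
    # Constructed sample data: two snapshots of a tiny stand-in "volume".
    log = []
    append_record(log, io.BytesIO(b"boot" + b"\x00" * 64), "1999-09-18T16:00Z")
    append_record(log, io.BytesIO(b"boot" + b"\x01" * 64), "1999-09-18T17:00Z")
    presented = io.BytesIO(b"boot" + b"\x01" * 64 + b"extra ciphertext")
    print(verify_log(log), image_matches_log(log, presented))
```

A whole-volume digest only attests to the disk state at each snapshot, so any legitimate write between the last snapshot and the seizure also produces a mismatch.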
