30 October 1997
Source: Mail list cypherpunks@cyberpass.net
Date: Thu, 30 Oct 1997 09:52:07 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Subject: PGP5.5 = Clipper

There are some remarkable similarities between PGP5.5 and the hugely unpopular original Clipper chip design. Both encrypt the communication key so it can be snooped by third parties, thus creating a backdoor.

I suspect that part of the reason there has been less outcry over PGP5.5 than for Clipper is that people have a high regard for PGP Inc, and allow this to lull their fears -- "if PGP Inc have done it, it can't be evil." This is really insidious, and it is reprehensible for PGP Inc to use their reputation capital to give Clipper-like systems a positive spin.

PGP5.5 is basically a software implementation of Clipper:

In PGP the backdoor is the second crypto recipient -- the message key encrypted to the CMRK (Corporate Message Recovery Key) as requested by the ARR (Additional Recipient Request); in Clipper the backdoor is the LEAF (Law Enforcement Access Field).

Both systems make attempts to enforce the presence of this backdoor field: PGP Inc's policy enforcer can be configured to bounce mail not encrypted to the corporate backdoor key; in Clipper it is the checksum included in the LEAF which allows the receiving chip to reject LEAFs which have been tampered with.

Both systems are "optional" -- you don't have to use Clipper chips, they will be "voluntary" (or so the politicians claim), and governments aren't currently using the backdoor feature of PGP5.5, and PGP Inc argue this won't happen (we'll see how this works out).

Both systems can be bypassed in very analogous ways: they can both be bypassed by super-encrypting traffic. With PGP5.5 the sender can send garbage in the CMRK encrypted field; with Clipper Matt Blaze found you could brute force the checksum and send garbage in the LEAF field.

Both systems can be improved to make them harder to bypass, something one suspects may happen if too many people routinely bypass them, and law enforcement views this as a problem (which they surely will if their snooping attempts are foiled -- don't forget Freeh is already on record calling for mandatory key escrow, and outlawing of non-escrowed crypto). Clipper can be made harder to bypass by increasing the size of the checksum. PGP5.5 can be made harder to bypass by using binding cryptography (allows untrusted agents to be deputised as policemen in ensuring the same key is included inside the CMRK field as in the recipient's PKE field).

It is easy for the government snoop to detect cheating with either system -- they attempt to decrypt the traffic, and find the LEAF/CMRK field is tampered with, or find the contained message is super-encrypted. One suspects that an additional 5-year sentence will be given to people who are detected tampering with snoop fields. (This is not far-fetched I don't think -- already we have heard proposals for 5-year additional sentencing for "use of encryption in a crime". If non-escrowed encryption is outlawed, surely this is the logical next step on the part of Freeh, and cohorts).

PGP Inc cries: "oh but we have to meet corporate user requirements". For corporate disaster recovery of stored data? For corporate message snooping? For either requirement many of us have documented far less dangerous techniques to enable corporate message snooping, and storage recovery. Techniques which aren't likely to be adopted by governments as their snooping architecture.

PGP should fix this quickly before the reputational damage is increased by more government statements about the usefulness of PGP5.5 and CMR.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
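The ARR/CMRK "policy enforcer" discussed in the message above is, at the packet level, a check that a message carries a Public-Key Encrypted Session Key packet addressed to the corporate recovery key. The following is an added example (not from the post, and not PGP Inc's code) that walks OpenPGP packet headers and performs exactly that presence check; the key IDs, the encrypted MPIs and the sample message are all constructed.

```python
# Added example: minimal OpenPGP packet walker implementing an ARR-style
# presence check. Key IDs and ciphertext bytes below are constructed dummies.
import struct

CMRK_KEY_ID = bytes.fromhex("0123456789ABCDEF")   # constructed corporate recovery key ID
USER_KEY_ID = bytes.fromhex("FEDCBA9876543210")   # constructed recipient key ID

def pkesk(key_id: bytes, enc_mpi: bytes) -> bytes:
    """Build an old-format tag-1 (PKESK) packet: version 3, 8-byte key ID,
    public-key algorithm 1 (RSA), then one MPI (bit length + magnitude)."""
    bits = int.from_bytes(enc_mpi, "big").bit_length()
    body = b"\x03" + key_id + b"\x01" + struct.pack(">H", bits) + enc_mpi
    return bytes([0x80 | (1 << 2) | 1]) + struct.pack(">H", len(body)) + body

def parse_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packets with definite lengths."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                          # new-format header
            tag = hdr & 0x3F
            o1 = data[i]; i += 1
            if o1 < 192: ln = o1
            elif o1 < 224: ln = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255: ln = struct.unpack(">I", data[i:i+4])[0]; i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                   # old-format header
            tag = (hdr >> 2) & 0x0F
            lt = hdr & 3
            if lt == 3: raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[lt]
            ln = int.from_bytes(data[i:i+n], "big"); i += n
        yield tag, data[i:i+ln]; i += ln

def recipient_key_ids(msg: bytes) -> list:
    """Key IDs named by every version-3 PKESK packet in the message."""
    return [body[1:9] for tag, body in parse_packets(msg) if tag == 1 and body[0] == 3]

def enforcer_accepts(msg: bytes, required: bytes = CMRK_KEY_ID) -> bool:
    """The ARR policy: bounce unless some PKESK is addressed to the recovery key."""
    return required in recipient_key_ids(msg)

# Constructed sample: session key encrypted to the user and to the CMRK,
# followed by a new-format tag-9 symmetrically encrypted data packet.
SAMPLE = (pkesk(USER_KEY_ID, b"\x5a" * 16) + pkesk(CMRK_KEY_ID, b"\xa5" * 16)
          + bytes([0xC0 | 9]) + bytes([8]) + b"\x00" * 8)
```

Note what the check can and cannot see: it reads only the key ID in each PKESK header, while the MPI encrypted to the CMRK is opaque to it, which is precisely why the message argues that presence enforcement alone is weak and points to binding cryptography as the stronger alternative.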
Date: Thu, 30 Oct 1997 10:11:51 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Subject: PGP Inc PR cover-up

I wonder about the sudden lull in the PGP5.5 CMR argument: have PGP Inc enforced a blanket ban on participation in list discussion of the topic by their employees? Even our anonymous PGP employees posting via remailers on cypherpunks seem to have stopped.

PGP Inc seemed to me to be heavily losing the argument wherever employees have spoken on the topic. Unfortunately this doesn't seem to be translating into rejection of the CMR feature, nor into adoption of less dangerous alternatives such as forward secret transport level security, shorter lived encryption keys, and separate storage keys.

Perhaps it will take an official government snoop endorsement of PGP5.5 before the danger is acknowledged; by then the damage will have been done.

Meanwhile over on ietf-open-pgp:

The ietf-open-pgp forum for discussion of development of the now IETF controlled OpenPGP standard seems to have undergone a coup. Cypherpunk Lutz Donnerhacke had pre-empted Rodney Thayer and PGP's Jon Callas' draft, which had been slow coming, by producing a competing draft before them. Lutz's draft was not sympathetic with PGP Inc's CMR, and even included SHOULD features encouraging separate storage keys.

John Noerenberg (appointed IETF chair) over-ruled Lutz, and wrested editing of the draft from him, and demonstrated some petty power wielding in overruling a vote on terminology Lutz had set up -- Lutz had already said he didn't care about the outcome, and just called the vote as a quick way to resolve argument.

Now we are waiting for Jon Callas to release the new draft. Wonder whether it will include CMR or not :-)

Join in the battle: subscribe by sending email with body "subscribe ietf-open-pgp" to <majordomo@imc.org>. The list address for posting articles is <ietf-open-pgp@imc.org>.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`