Date:      Mon, 3 May 1999 11:03:55 -0400 (EDT)
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        easmith@beatrice.rutgers.edu (Allen Smith)
Cc:        peter.jeremy@auss2.alcatel.com.au, nick@shibumi.feralmonkey.org, freebsd-security@FreeBSD.ORG
Subject:   Re: Blowfish/Twofish
Message-ID:  <199905031503.LAA21305@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <9905030214.ZM6494@beatrice.rutgers.edu> from Allen Smith at "May 3, 99 02:14:40 am"

Allen Smith wrote,
> On May 3,  2:09am, Peter Jeremy (possibly) wrote:
> > 0x1c <nick@shibumi.feralmonkey.org> wrote:
> > >On a similar note, is there any restriction on one-way hashing algorithms?
> > >I forget.
> > AFAIK, there isn't.  MD4, MD5, SHA-1 etc appear to all be freely
> > exportable.  The export restrictions appear to be on crypto for
> > `secrecy', whilst crypto for `authentication' is unrestricted.
> > (This does suggest that some lessons in basic cryptography are
> > needed around the US State Department).
> 
> Actually, no... as long as you assume their basic motivation is to
> limit _convenient_ cryptography. Remember the "cryptographic hooks"
> nonsense? They're pretty obviously trying to make it as hard as
> possible/practical for private citizens to use cryptography that the US
> government can't break.

I've always accepted the point of view from Press, Flannery,
Teukolsky, and Vetterling from _Numerical Recipes in C_ when they talk
about DES,

"A key controversial question is whether the NSA purposefully weakened
the algorithm [DES], so that it had vulnerabilities significant enough
to be exploited by NSA's own multi-billion dollar resources, but not
so significant as to be exploitable by someone else. For our purposes
we hardly need to know the answer to this: A random number generator
whose deviations from randomness can be discerned only by concerted
attack with resources comparable to NSA -- that random number
generator should surely be contender for "World's Best" title."

The moral of the story being, if the US government wants your data
bad enough... they _are_ going to get it. Just as the government can
only make it inconvenient for private citizens (in the US or foreign,
the ones NSA is interested in) to use encryption; the private citizens
(or again, NSA is most concerned with foreign governments) can really
only make it inconvenient for the US government to decrypt it.
-- 
Crist J. Clark                           cjclark@home.com

