Path: gmdzi!unido!mcsun!uunet!zaphod.mps.ohio-state.edu!mips!pacbell.com!ucsd!ucbvax!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: sci.crypt
Subject: NSA focus on authentication?
Message-ID: <14473@hoptoad.uucp>
Date: 2 Jan 91 03:19:28 GMT
Organization: Cygnus Support, Palo Alto
Lines: 84

A small trend I think I have noticed is that as the NSA gradually loses its
battle to control encryption technology, they are shifting the battle so that
authentication technology is deployed before data hiding technology.

Since they really couldn't stop encryption from deployment, it's worth
examining what they get out of such a shift.  If they can't determine
the content of a message, they seem to prefer to upgrade the quality
of the addressing information, which *is* visible to them.

The export control loosening of two Augusts ago, in which export of
certain kinds of crypto was moved to the Commerce Dept., allowed four
categories of crypto to be loosened:  authentication of messages or
users; access control such as passwords or PINs; decryption-only of
proprietary software; and ATM machines.  However, the controls are as
tight as ever on the export of software that provides general-purpose
information hiding.  NSA is happy to see Kerberos exported, since
if they intercept traffic that uses Kerberos, they can confirm the
identities of the parties involved.

The second example is the design of "Privacy-Enhanced Mail", or PEM,
in the Internet world.  The overall design is quite nice; messages
can be encrypted or just signed, it operates in the text part of any
messaging system; private-key is supported though public-key is expected
to be the major use; it doesn't require that you be online (e.g. uucp
mail works); it tends to scale pretty well.  Public keys are disseminated
in "certificates", signed with another public key, so that all you need
to start off is the PK of one or two "top-level" organizations, and you
can accumulate all the public keys you need to verify and decrypt traffic
from other users.  The design is documented in RFC 1113-1115, which 
are mostly up to date, and in the PEM-DEV mailing list archives on
TIS.COM.

The catch is that the committee designing and deploying this technology
is going to require that people identify themselves physically before
being able to participate in the system.  You must go to a notary and
show ID before you can get a certificate from RSA Data Security that
proves your public key really belongs to you.  Your identifying
information appears in the certificate along with your public key.
Since your certificate appears in every message from you, your
legal name, physical address, and other as yet undecided identifying
info will appear in every email message -- if you want your email to
be private and un-forgeable.  Do you smell the same rat I do?

From a name and address, it's trivial to get a social security number,
driving record, credit history, and all the rest.   This information
is not currently available from email *unless the sender includes the
information voluntarily*.  Some of the people on PEM-DEV are seriously
advocating putting social insecurity numbers, date of birth, phone
numbers, etc. directly into the certificate, where the user cannot
control its appearance.

They deliberately plan to exclude interoperation with any organization
that uses different rules for who it gives out certificates to.  I
would like to create one that would issue a certificate to anyone, with
any pseudonym.  The certificate would contain only the public key and
the pseudonym; all I would guarantee is that I hadn't given out the
same pseudonym twice.  Exchanging email with such a pseudonym, you
could not tell who the person was, but could verify that you are
talking to the same person as you did last time.  (This is all the
security that PEM *actually* provides, given the ease of forging
identifying information to a notary; and note that even that is
conditional on the person's choosing not to reveal their secret key.
When it's in the person's interest to spread their secret key around,
PEM does not guarantee even continuity of identity.)

Now, you might ask what the NSA has to do with PEM.  Well, I don't
think they are listed on the committee.  But it would be suicidal for
them to turn a blind eye on a DARPA program that will deploy usable
public key cryptography to hundreds of thousands of users all around
the world.  (Not only is the key-generation, encryption, and
decryption, and database software going to be freely available, but a
whole infrastructure is being set up to distribute keys, etc.)  My
assumption is that NSA has influenced the design so that as each user
adopts PEM, the messages of one more identifiable individual become
fully traceable, even if the contents of the messages are protected.

I'm exploring the privacy issues in other realms, though contributions
here in sci.crypt are welcome.  What I am interested in here, is your
thoughts on what uses NSA, or other spooks, could have for traffic analysis
of electronic mail.  All my fantasies revolve around totalitarianism
and police states; perhaps you have some gentler ones?
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        g...@toad.com
Just say no to thugs.  The ones who lock up innocent drug users come to mind.

Path: gmdzi!unido!mcsun!uunet!wuarchive!rex!ukma!s.ms.uky.edu!sean
From: se...@ms.uky.edu (Sean Casey)
Newsgroups: sci.crypt
Subject: Re: NSA focus on authentication?
Message-ID: <sean.662836756@s.ms.uky.edu>
Date: 2 Jan 91 17:19:16 GMT
References: <14473@hoptoad.uucp>
Organization: The Leaning Tower of Patterson Office @ The Univ. of KY
Lines: 24

We will probably have to wait for a free public key system or wait
till the RSA patent expires--in 1997?--before we have good privacy
enhanced email.

The former will probably not happen, because such schemes are known to
be patentable and cryptography experts seem to be more interested in
making money than advancing public email technology.

We'll probably have to wait for the latter because RSA Data
Securities' licensing scheme isn't really viable for the Internet.
They want $25 from each user to license a key for two years, and like
John said, they put personal information into the certificate.

Both present problems. The former makes it unlikely that it will get
widespread use, and the latter will make many others extremely
uncomfortable. Plus there is the inconvenience of having to deal with
RSA if your private key is compromised.

What I'd like to see is the government buy all rights to the RSA
scheme and then release it into the public domain.

Sean
-- 
***  Sean Casey <se...@s.ms.uky.edu>

Path: gmdzi!unido!mcsun!uunet!samsung!olivea!apple!bbn.com!kenr
From: ke...@bbn.com (Ken Rossen)
Newsgroups: sci.crypt
Subject: Re: NSA focus on authentication?
Message-ID: <61829@bbn.BBN.COM>
Date: 2 Jan 91 21:51:24 GMT
References: <14473@hoptoad.uucp> <sean.662836756@s.ms.uky.edu>
Sender: ne...@bbn.com
Reply-To: ke...@bbn.com (Ken Rossen)
Organization: Don't Push Snow Over Here
Lines: 73

This is to correct some mistakes among assertions about
Privacy-Enhanced Mail (PEM) in a previous followup.

In article <sean.66...@s.ms.uky.edu> se...@ms.uky.edu (Sean Casey) writes:
>We'll probably have to wait for the latter because RSA Data
>Securities' licensing scheme isn't really viable for the Internet.
>They want $25 from each user to license a key for two years, and like
>John said, they put personal information into the certificate.

You are certainly free to make your own judgement as to the viability
for the Internet of the certificate-issuing infrastructure being
established for PEM, but as expressed in your article, the judgement
is based on several claims which are simply wrong and, with few
exceptions, are easily dispelled by reading RFC 1114.

RSADSI doesn't "license a key," nor does it "put" any "personal
information into the certificate."  Certificates are issued by your
organization or a public notary.

What RSADSI is offering to do in exchange for the $25 is, as a
surrogate holder of your organization's private key, affix your
organization's signature to your certificate and maintain a data base
of certificates.  (In X.500 terminology, this means that RSADSI is the
Certification Authority, but not the Issuer.)

I hasten to add that this $25 fee applies ONLY in the case where such
a "co-issuing" arrangement exists.  Crypto devices will be available
which would reduce this incremental fee significantly and allow
organizations to retain their own private keys (on a crypto ignition
key) and thus act on their own behalf as Certification Authorities.
These "Certificate Postage Meters" (CPMs) will attach by serial port
to Organizational Notaries' workstations and perform the RSA crypto
functions necessary to sign certificates.

When certificates are signed under this arrangement, the incremental
charge will be a LOT less.  Something like $1 for certificates issued
by educational institutions (like U of KY) and $2.50 for commercial
organizations.  CPMs would come authorized to sign some number of
certificates, and they could be "refilled" with authorizations, much
like a Pitney Bowes postage meter gets refilled (hence the name), by a
signed message sent to the device via Internet mail.

Personal information about you is in your certificate only if
it is part of your Distinguished Name.  How your distinguished name is
constructed is entirely up to you and your issuer, as long as it falls
within guidelines in RFC 1114 concerning which X.500 attributes can be
used (the intention is that all reasonable naming attributes defined
in X.521 will fall within the guidelines).  If someone has suggested
to you that any detailed information about you (like your SSN or the
like) will be in every PEM certificate, you heard wrong.

>Plus there is the inconvenience of having to deal with
>RSA if your private key is compromised.

This too is wrong.  If your private key is compromised, you advise
your Organizational Notary, who is responsible for putting your
certificate on a revocation list (a CRL).  If your organization has a
CPM, they can issue and disseminate an updated CRL immediately.  They
only have to deal with RSADSI if they don't have the capability to
sign the CRL themselves (by virtue of not having the organization's
private key locally).

Going back and checking the RFC -- all the corrections I made herein
could have been found in it, with the exception of those pertaining to
the CPM -- will help you make a better assessment of PEM's viability.
If you really are interested in this topic, send a message to
pem-dev...@tis.com and join the mailing list.  I am interested in
your comments, and am happy to provide pointers to further
information. 
--
KE...@BBN.COM
IRTF Privacy and Security Research Group
Editor, RFC 1114
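Gilmore's pseudonymous issuer (a certificate holding only a pseudonym and a public key, with a promise never to hand out the same pseudonym twice, so a correspondent can at least check that they are talking to the same key as last time) and Ken Rossen's revocation list can be sketched together in one small model. This is an added example, not code from either poster or from PEM or RSADSI; the toy RSA over fixed small primes, the JSON certificate layout and every class and function name are constructed here.

```python
import hashlib
import json

# Toy RSA over fixed primes, constructed for illustration only (far too small for real use).
def keygen(p, q, e=65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (e, n), d                      # (public key, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, d):
    return pow(digest(data, pub[1]), d, pub[1])

def verify(data, sig, pub):
    return pow(sig, pub[0], pub[1]) == digest(data, pub[1])

def encode(cert):
    # Canonical serialisation so issuer and verifier hash the same bytes.
    return json.dumps(cert, sort_keys=True).encode()

class PseudonymCA:
    """Issues certificates holding only a pseudonym and a public key; never issues a pseudonym twice."""
    def __init__(self, p, q):
        self.pub, self._d = keygen(p, q)
        self.issued, self.crl = {}, set()  # pseudonym -> serial; revoked serials (the CRL)

    def issue(self, pseudonym, user_pub):
        if pseudonym in self.issued:
            raise ValueError("pseudonym already issued")
        cert = {"serial": len(self.issued) + 1, "pseudonym": pseudonym, "pubkey": list(user_pub)}
        self.issued[pseudonym] = cert["serial"]
        return cert, sign(encode(cert), self.pub, self._d)

    def revoke(self, serial):
        self.crl.add(serial)

class Verifier:
    """Checks the issuer signature, the CRL, the message signature, and continuity of identity."""
    def __init__(self, ca_pub):
        self.ca_pub, self.seen = ca_pub, {}  # pseudonym -> public key seen last time

    def check(self, cert, ca_sig, crl, message, msg_sig):
        if not verify(encode(cert), ca_sig, self.ca_pub):
            return "bad certificate signature"
        if cert["serial"] in crl:
            return "certificate revoked"
        pub = tuple(cert["pubkey"])
        if not verify(message, msg_sig, pub):
            return "bad message signature"
        if self.seen.setdefault(cert["pseudonym"], pub) != pub:
            return "key changed: not the same correspondent as last time"
        return "ok"
```

The continuity check is the only identity guarantee the pseudonymous scheme offers, and it is only as good as the holder's willingness to keep the private key to themselves.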

Path: gmdzi!unido!mcsun!uunet!wuarchive!hsdndev!husc6!ukma!s.ms.uky.edu!sean
From: se...@ms.uky.edu (Sean Casey)
Newsgroups: sci.crypt
Subject: Re: NSA focus on authentication?
Message-ID: <sean.663182423@s.ms.uky.edu>
Date: 6 Jan 91 17:20:23 GMT
References: <14473@hoptoad.uucp> <sean.662836756@s.ms.uky.edu> <61829@bbn.BBN.COM>
Organization: The Leaning Tower of Patterson Office @ The Univ. of KY
Lines: 23

Thanks to Ken Rossen for that extremely informative article.

I had talked to Jim Bidzos of RSA just before the PEM RFC came out. I
have an internet-based teleconferencing system under development that
is freeware, and I wanted to see if we could work out some way for me
to use RSA to insure privacy.

He talked about the $25 fee, and what was going to be in the RFC, but
didn't mention any of the plans that you describe. I'm glad they
decided to license out certificate making capability in a fashion that
can reduce end-user cost.

Do you know if these certificates may only be used for PEM, or if they
may be used for other services? I think few people would pay $25 to
insure privacy with my software, but most would have no trouble
spending $1 or $2, especially if it gives them a more general ability
to use privacy and authentication features of other software too.

Thanks for the info and for the corrections.

Sean
-- 
***  Sean Casey <se...@s.ms.uky.edu>

Path: gmdzi!unido!mcsun!uunet!cs.utexas.edu!sdd.hp.com!ucsd!ucbvax!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: sci.crypt
Subject: RSADSI PEM certificates only usable for PEM
Message-ID: <14629@hoptoad.uucp>
Date: 8 Jan 91 21:32:32 GMT
References: <14473@hoptoad.uucp> <sean.662836756@s.ms.uky.edu> <61829@bbn.BBN.COM> <sean.663182423@s.ms.uky.edu>
Organization: Cygnus Support, Palo Alto
Lines: 37

se...@ms.uky.edu (Sean Casey) wrote:
> Do you know if these certificates may only be used for PEM, or if they
> may be used for other services? I think few people would pay $25 to
> insure privacy with my software, but most would have no trouble
> spending $1 or $2, especially if it gives them a more general ability
> to use privacy and authentication features of other software too.

Unfortunately, the answer is no.  RSADSI has so far chosen to dribble out the
capabilities rather than license each user once for "all uses of RSA".

I spoke with Ron Rivest at Crypto '90 about this and he suggested that
RSADSI might be willing to entertain proposals along the lines of a
one-time flat rate for full use of RSA by an individual, something like
$100/person.  I estimated that by the time the patent ran out (*if*
they loosen the current stranglehold on applications), they might have
collected that $100 for half the people in the U.S., e.g. if a major
credit card company adopted RSA.  Even if enforcement was voluntary, I
think that good publicity campaigns would cause people to send in their
$100 to reward the people who brought them freedom from dossier
technology and the accompanying dangers.  E.g. I'd give RSA licenses to my
friends' children as a godfatherly gift.  (I've already offered to one
family to make up the difference between their
taxes-if-they-give-their-kid-a-social-security-number and their taxes
if they refuse to get their one-year-old a number, to let the kid choose
for himself whether he wants to be tracked and dossier'd when he reaches
an age where he understands the issues.)

Even if only 1% of the people in the country ante'd up, that would still
be $200 million.  Split three ways, that's still enough to keep the inventors
going in style for life, and able to put their time into whatever they desire.

I haven't had the time to cons up a proposal and approach RSADSI about
it, though.  Sean?  Sounds like you have an application, though if you
think people won't pay $25/2-years they probably won't pay $100/life either.
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        g...@toad.com
Just say no to thugs.  The ones who lock up innocent drug users come to mind.

Path: gmdzi!unido!mcsun!uunet!cs.utexas.edu!usc!ucsd!ucbvax!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: sci.crypt
Subject: Re: NSA focus on authentication?
Message-ID: <14630@hoptoad.uucp>
Date: 8 Jan 91 21:57:33 GMT
References: <14473@hoptoad.uucp> <sean.662836756@s.ms.uky.edu> <61829@bbn.BBN.COM> <sean.663182423@s.ms.uky.edu>
Organization: Cygnus Support, Palo Alto
Lines: 32

Steve Kent took exception to my message about NSA and PEM, and felt that
I had defamed the people involved by claiming that the PEM developers
set out to create a system intended to aid NSA in performing traffic
analysis on Internet mail, either as witting or unwitting dupes of NSA.

I apologise for that statement.

Steve has shown me that NSA did not have direct influence over the
development of PEM.  Furthermore, some of the people involved in PEM
have come out in favor of anonymous certificates.  I believe that most
or all of the PEM developers are interested in protecting privacy,
though some believe that privacy should have less priority than other
factors, and others had not considered how the social impacts of their
design might actually decrease privacy.

I still note that NSA could "focus on authentication" by retarding
projects that provide security while leaving alone projects that
provide authentication or authentication-and-security.

In matters concerning large secret agencies and their interaction with
the world, if they do not seem to be doing anything about developments
that threaten their previous goals and motivations, there are two
assumptions one could make.  You could assume they are stupid, or you
could assume they are subtle.  Assuming they are subtle is the only
safe assumption, and it is the one I made.  (A third possible
assumption is that I don't understand their true goals and motivations,
and I'm working on that one too, e.g. by my posting to sci.crypt asking
about motivations on traffic analysis.  I note an unusual lack of
responses on that topic.)
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        g...@toad.com
Just say no to thugs.  The ones who lock up innocent drug users come to mind.