Newsgroups: comp.risks
X-issue: 7.77
Date: Sat, 12 Nov 88 22:49:54 EST
From: smb@research.att.com <Steven Bellovin>
Subject: Re: NSA attempts to restrict virus information

The situation is rather worse than the Times and AP have reported.  The NSA is
exerting a great deal of pressure to have disassembler output from the virus
(to say nothing of C source) available to as few people as possible.  When they
learn of a copy in a repository (say, available for anonymous FTP), they ask
their contact -- perhaps an administrator, perhaps a name they happen to know
at that school -- to remove it.  If that person hesitates, or expresses a wish to
contact the person who made it available, they immediately contact the
president of the university, who calls the dean, who calls, etc.  As best I can
tell, they have no legal authority to order the removal.  But they are not
hesitating to bring as much pressure to bear as they can, to try to scare folks
into complying.
                                                --Steve Bellovin


Newsgroups: comp.risks
X-issue: 12.34
Date: Sun, 15 Sep 91 23:21:36 EDT
From: "Steven M. Bellovin" <smb@ulysses.att.com>
Subject: RSA vs. NIST (digital security standards) (Slone, RISKS-12.33)

What NIST has proposed is not an encryption standard, but a digital signature
standard.  Digital signatures provide authentication but not secrecy.  That, to
my mind, is the major reason this scheme was proposed instead of RSA.  Dating
back at least to the adoption of the Data Encryption Standard, it's been
obvious that (at least some part of) NSA is hostile to the widespread
deployment of encryption technology.  RSA inherently provides secrecy as well
as authentication; the NIST scheme provides only the latter.  (Incidentally,
discrete logarithms are logarithms in a finite field, such as the integers
modulo some prime.  For example, given that c = (a^b mod p), b would be the
discrete logarithm.  It is indeed a hard problem to find b, though not as hard
as had once been thought.  Put another way, p needs to be much larger than was
realized a few years ago.  At least one important authentication system based
on the discrete log problem has been cracked.)

Numerous aspects of the NIST proposal are controversial, including the claim
that it is free from (other) patents.  Other oddities: signing a message in
this scheme is less expensive than verifying a signature.  That seems strange;
for many applications, very many parties will need to validate a message that
will be signed only once.  (I doubt that there is any real RISK to forged RISKS
messages, but most people I know would be much happier if they could validate
security fix announcements from CERT.)

The claim has also been made that the scheme either has a trapdoor, or is
insufficiently secure against a determined attack.  Without going into details,
the nature of the standard is such that an attack on the system per se would
permit solution of everyone's key; with RSA, on the other hand, each
public/private key pair must be attacked individually.  Note, though, that this
is a signature mechanism, not a privacy mechanism; finding a party's private
key allows you to impersonate that party in network communications, but does
not disclose their secrets without an active attack.  We can all imagine the
kinds of mischief that can result from forgeries -- but NSA is generally more
interested in listening than in speaking.
                                                --Steve Bellovin
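
The three technical points in the post above (the discrete logarithm c = a^b mod p, signing being cheaper than verifying, and an attack on the shared parameters yielding every user's key at once) can be seen concretely in a toy DSA-style scheme.  The code below is an added illustration, not code from the post or from NIST's standard: the parameters p = 1019, q = 509, g = 4 are constructed so that a laptop can take the discrete log in milliseconds (real parameters are thousands of bits), the hash-to-q mapping and all function names are this example's own choices, and baby-step giant-step is used as the attack only because it is short to write.

```python
"""Toy DSA-style signatures: sign/verify cost, and a discrete-log attack on the
shared parameters (p, q, g) that recovers every user's private key.
Constructed example with tiny parameters; nothing here is the NIST standard's code."""
import hashlib
import math
import secrets

# Constructed public parameters shared by all users: q | p - 1, g has order q.
P, Q = 1019, 509                # both prime; 1019 = 2 * 509 + 1
G = pow(2, (P - 1) // Q, P)     # = 4, an element of order q in Z_p^*
assert pow(G, Q, P) == 1 and G != 1

MODEXP_CALLS = 0                # instrumentation: exponentiations mod p performed


def modexp(base, exp, mod):
    """pow() with a call counter, so signing and verifying cost can be compared."""
    global MODEXP_CALLS
    MODEXP_CALLS += 1
    return pow(base, exp, mod)


def h(msg: bytes) -> int:
    """Map a message into [0, q).  SHA-256 reduced mod q is this example's choice."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1    # private key x in [1, q-1]
    y = modexp(G, x, P)                 # public key y = g^x mod p; x is its discrete log
    return x, y


def _sign_attempt(msg: bytes, x: int, k: int):
    """One signing attempt: exactly one exponentiation mod p (g^k)."""
    r = modexp(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    return (r, s) if r and s else None  # r == 0 or s == 0 is rare; caller retries


def sign(msg: bytes, x: int):
    while True:
        sig = _sign_attempt(msg, x, secrets.randbelow(Q - 1) + 1)
        if sig:
            return sig


def verify(msg: bytes, sig, y: int) -> bool:
    """Two exponentiations mod p (g^u1 and y^u2): costlier than signing."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(msg) * w % Q, r * w % Q
    v = (modexp(G, u1, P) * modexp(y, u2, P) % P) % Q
    return v == r


def cost_of_sign_and_verify(msg: bytes = b"constructed message"):
    """Return (modexps for the signing attempt that succeeded, modexps for one verify)."""
    global MODEXP_CALLS
    x, y = keygen()
    while True:
        MODEXP_CALLS = 0
        sig = _sign_attempt(msg, x, secrets.randbelow(Q - 1) + 1)
        if sig:
            break
    sign_cost, MODEXP_CALLS = MODEXP_CALLS, 0
    assert verify(msg, sig, y)
    return sign_cost, MODEXP_CALLS


def discrete_log(y: int) -> int:
    """Baby-step giant-step: find x with g^x = y (mod p) in about sqrt(q) steps.
    Written once for the shared (p, q, g); nothing in it is specific to one user."""
    m = math.isqrt(Q) + 1
    baby = {pow(G, j, P): j for j in range(m)}      # g^j for 0 <= j < m
    giant = pow(pow(G, m, P), -1, P)                # g^(-m)
    gamma = y
    for i in range(m):
        if gamma in baby:                           # y * g^(-im) == g^j  =>  x = im + j
            return (i * m + baby[gamma]) % Q
        gamma = gamma * giant % P
    raise ValueError("y is not in the subgroup generated by g")


def recover_all_private_keys(public_keys):
    """The same attack on the shared parameters yields every user's key from y alone."""
    return [discrete_log(y) for y in public_keys]


def impersonate(public_keys, victim: int, msg: bytes):
    """Recover the victim's private key and sign in their name (forgery, not decryption)."""
    return sign(msg, discrete_log(public_keys[victim]))


if __name__ == "__main__":
    print("modexps (sign, verify):", cost_of_sign_and_verify())
    users = [keygen() for _ in range(3)]
    pubs = [y for _, y in users]
    print("recovered every key:", recover_all_private_keys(pubs) == [x for x, _ in users])
    print("forgery verifies:", verify(b"hi", impersonate(pubs, 0, b"hi"), pubs[0]))
```

The contrast with RSA is not coded here but follows from the structure: recovering an RSA private key means factoring that user's own modulus, so each key pair is a separate job, whereas `discrete_log` above is built from the shared `(P, Q, G)` and is reused unchanged against every public key.  Note also what the recovered key buys: `impersonate` produces signatures that verify under the victim's public key, but nothing in the scheme decrypts anything, matching the post's point that this is a forgery risk rather than a privacy one.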

