1995-09-17 - planning for life during the crypto night (was Re: CYPHERPUNK considered harmful.)

Header Data

From: aba@dcs.exeter.ac.uk
To: unicorn@polaris.mindport.net
Message Hash: 343034e973fb51afafed6d580627b68e8d1f1ed6199419391becfaa4a2c261c2
Message ID: <20045.9509171928@exe.dcs.exeter.ac.uk>
Reply To: N/A
UTC Datetime: 1995-09-17 19:28:43 UTC
Raw Date: Sun, 17 Sep 95 12:28:43 PDT

Raw message

From: aba@dcs.exeter.ac.uk
Date: Sun, 17 Sep 95 12:28:43 PDT
To: unicorn@polaris.mindport.net
Subject: planning for life during the crypto night (was Re: CYPHERPUNK considered harmful.)
Message-ID: <20045.9509171928@exe.dcs.exeter.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain



Black Unicorn <unicorn@polaris.mindport.net> writes:
>
> 3. Unescrowed crypto banned, with advanced stego, panic passwords, 
> stealth PGP, incorporated remailers all across international borders 
> making offenders impossible to identify or catch.
> 
> [...] I believe the goal is to propogate crypto far enough to at
> least have a salient "underground" participants.
> 
> Some months ago I called for advanced stego and stealth PGP as well
> as larger keys in the event we all had to go "into the crypto
> closet" for a time.
> 
> I call for them again.

Guess you're saying that a future underground cypherpunk group is
going to need tools to continue if the US plummets into cryptographic
darkness.  And you'd like to see these tools available now, as it will
be difficult to distribute, and set up if the big ban is already on
us.  A pre-emptive safety precaution in the event that it happens.

So what threat model do you envisage tools being needed to withstand?

A couple of the things you list are realisable with little effort, one
is a PGP with large keys, I am using a doctored to go to 16k keys (I
did this to amuse myself with getting timings for how long encrypt /
decrypt & keygen take for varying key sizes).  The patch is small, and
easy to figure out, just a couple of #ifdefs, various people posted
their patches to do this to alt.security.pgp some time ago.  I think
there was at least one patched version of PGP distributed
(unofficially of course - PGPs largest allowed key size being 2048
bits), though I don't have any URLs for such a beast.  Part of the
problem is people seem to frown on distributing PGPs with larger keys,
or alternate versions of PGP, due to version control issues, and such.
Technically easy to do tho.

Adding stealth features to PGP, or even as standalone, aren't hard
either.  I've been trying to add Hal's improved stealth algorithm to
Henry Hastur's stealth program.  It's basically finished, except for
the problem that I am unsure about the security of the construct:

	x' = f(MD5(x)) * N + x

where 0 < x < N
and   0 < x' < M where M is a power of 2, and M > 2^64 * N
and f is just a scaling function

If that is secure I'd be happy to release an updated version of
stealth, but without assurance, it is necessary to include random
numbers, and the best way I see to achieve that is to build it in to
PGP, and use PGP's ran no utils directly.

If you're talking about a different version of PGP, perhaps this
wouldn't be a big deal anyway.

So that's big key PGP, and stealth PGP.  I'm presuming most people
figure 128 bit IDEA is suitably unassailable, but RSA keys are a
moving target, and less predictable due to improvements in factoring
algorithms.  Already people are talking about an academic RSA129 like
attempt on a 512 bit PGP key.

What are views about creating Yet Another version of PGP.  I've read a
few discussions of this kind of thing in the past on alt.security.pgp,
and most people were against it.  But I think some useful things could
come out of it.

The other problem is working with pgp2.x when there is a version 3.0
being worked on, not sure what stage 3.0 is at, any coding.. perhaps
if a stealth capable pgp2.x was worked on, and a few features
demonstrated, the 3.0 folks would be willing to take a look at it to
evaluate the features for possible version 3.0 inclusion.

Just don't want to go do a of work, and then get a polite cease and
desist from those with interests in managing the version control of
PGP.

Good stego tools are the other main problem.

My understanding is that all of the stego programs to date do it by
just ripping out the LSB of an audio or graphic image, and replacing
that with the bits from a message with a stealthed message.

Sending masses of pictures around is kind of suspicious tho, I mean
several a day, each freshly scanned from what?  I guess if video
conferencing gets here, it would be fun to add the stego into that
noisy stream, same for internet phone.

Text stego, with bits hidden in the entropy of english text seems a
harder objective, but a useful one.

I'm presuming that plausible deniability, and facilities for anonimity
are essentials.  How does one go about doing that?  Using newsgroups
to carry on a two level communication might be a good way of
maintaining plausible deniability.  Either a stego interface to
remailers in other countries, so that the stego gateway to remailers
scans it's newspool, decrypts messages addressed to it, and forwards
that off to the anon remailers.  The outcome could be a further text
or graphics stegoed message for posting to a suitably high noise news
group.  The recipient is also scanning his news spool for stego
messages addressed to him.

Sounds feasible.  Perhaps a proof of concept would be easy to knock
up, if a place holder is inserted for the 'good text stego' program
should go.  There was a 'texto' posted a while ago which did something
suitable.

Adam






Thread