From: pcw@access.digex.net (Peter Wayner)
To: tcmay@got.net (Timothy C. May)
Message Hash: 3ddf61d1c264f7e116401c8c5dd502562610de9b8fe60ca34948903722c8c03b
Message ID: <aca849e3050210043eb7@[199.125.128.5]>
Reply To: N/A
UTC Datetime: 1995-10-16 17:42:27 UTC
Raw Date: Mon, 16 Oct 95 10:42:27 PDT
From: pcw@access.digex.net (Peter Wayner)
Date: Mon, 16 Oct 95 10:42:27 PDT
To: tcmay@got.net (Timothy C. May)
Subject: Re: The NSA Visits Compendium
Message-ID: <aca849e3050210043eb7@[199.125.128.5]>
MIME-Version: 1.0
Content-Type: text/plain
I don't know anything about uninvited visits, but I did once interview the
designer of a major product about getting an export license. He said that
the NSA were fairly thorough in their review of the product. The most
interesting thing that he mentioned was thatthe company had to guarantee
that the data would never be encrypted sequentially by two _different_
algorithms. Apparently double encryption by 40-bit RC-4 was okay, but using
different algorithms was
verboten. This seemed odd to me at the time and I asked him twice about it.
He agreed that it was weird, but they had no problem with guaranting it.
This led me to these notions:
*) Maybe double or triple DES isn't that great an idea. Maybe the NSA knows
some neat algorithms that can create group-like actions even if the
encryption process isn't a group.
*) Maybe there was a communications problem and no one knew what was being
asked.
*) Maybe the cryptanalysis boys never really talked that much to the folks
who go around regulating export. After all, denying export licenses for
small details is like telling people that certain small details can
confound analysis. This is a leak of information from the NSA which doesn't
seem to like these things.
In general, I think communications between the NSA and the companies begin
when software companies make unofficial inquiries about what is exportable.
-Peter
Return to October 1995
Return to “pcw@access.digex.net (Peter Wayner)”