From: Eric Verheul <everheul@NGI.NL>
To: “‘Ulf Moeller’” <um@c2.net>
Message Hash: e5745a1f07f43da4116884a0ba38703693d3265963ed64c921aec008ae7c953e
Message ID: <01BBBA25.B6CD8860@port13.ztm.pstn.rijnhaave.net>
Reply To: N/A
UTC Datetime: 1996-10-14 22:19:24 UTC
Raw Date: Mon, 14 Oct 1996 15:19:24 -0700 (PDT)
From: Eric Verheul <everheul@NGI.NL>
Date: Mon, 14 Oct 1996 15:19:24 -0700 (PDT)
To: "'Ulf Moeller'" <um@c2.net>
Subject: RE: binding cryptography
Message-ID: <01BBBA25.B6CD8860@port13.ztm.pstn.rijnhaave.net>
MIME-Version: 1.0
Content-Type: text/plain
Ulf Moeller[SMTP:um@c2.net] wrote:
>: liberal (Japan) to non-liberal (France). We believe that "binding
>: cryptography" is flexible enough to achieve this: a liberal crypto
>: policy might use no Trusted Retrieval Parties at all, while a very
>: non-liberal country might want one (government controlled) TRP, a
>: compliance check on all network traffic and a ban on other crypto.
>
>I doubt that even French internet providers would want their routers
>to perform six modolo exponetiations and four modolo divisions
>whenever someone opens a secure socket...
They could, however, take random checks which could also be
performed off-line (after the connection was established or even already finished again). Remember we called it fraud-*detecting* not fraud-*preventing*.
BTW, some people on the cypherpunks list seem to think that you can't fraude with a *voluntary* system. However, that is possible: when you do not comply with the *agreed* rules of conduct then the phrase "fraude" is appropriate. The same holds, for instance, when you make copies of microsoft word and resell them. Then you don't comply to the rules that you voluntarily agreed to when buying it...
> We offered a solution for the *first* task not for the *second*; the
> point is that criminals(!) do not gain any real advantage from using
> the system in that way as they - among other things - still face the
> key-management problem. The above dicussions are only relevant in
> countries where the use of crypto outside the structure would be
> prohibited.
>
>Of course, criminals do get real advantage from this system. They can
>use strong encryption for their messages and super-encrypt them using
>"binding" cryptography. So their illegal messages look perfectly
>inconnous as long as their government trusts in the "binding" property
>of this scheme. Only when the GAK key holder tries to decrypt a
>message, they notice that they cannot read it.
I agree, that is inevitable.
>
>Can you imagine that anyone would ever create a program that tries to
>look like a conforming implementation, but generates invalid "binding"
>data -- when it is so much easier to simply use PGP, and (if
>necessary) disguise that fact using the government-approved encryption
>software? I don't, so in my opinion the verification process is
>abolutely useless.
Can you imagine what would happen if governments would (help to) set up a system that has no safeguards at all, i.e. that could give criminals all the anonimity and confidentiality they need? Governments can't probably prevent criminals and the like to use encryption to stay out of sight of law enforcement agencies, but they should not facilitate them either. In the next few years all kinds of "standard" commerical software will come on the market with all kinds of standard security in it. I don't want criminals to be happy with Custom of The Shelf products for security, let them work for their security.
One might say, binding cryptography, like several
>other cryptographic protocols, is a nice 'solution', but one with no
>corresponding 'problem' in the real world. :) It doesn't help in
>legitimate law enforcement, but it causes trouble to network operators
>and it deprives law-abiding citizens of their privacy.
We have set up the TRPs in such a flexible way that anybody could find one he can trust, one might even set up his own TRP. Also in the paper we describe how two or more TRPs could be used. Maybe some countries don't want TRP at all. The bottom line is that law-abiding citizens always have to give up some of their freedom to stop criminals (that is why you have to have registration plates on your car, a lock on your car, bicycle, house etc.). That is a fact of life; one I hate. So the point is: where is the middle of giving up freedom and stopping criminals? Well, I think that our concept gives a flexible way of implementing any national middle.. I agree with some of the poster to cypherpunks that governments involves the general public too less in the determination of this middle (some posters said it more strongly). Cryptopolicy is not a binary discussion; although some posters on this list seem to think so.
>And criminals don't face "the key-management problem". In any GAK
>scheme, the official keys can be used to certify other un-escrowed
>encryption keys. Binding cryptography makes it just a little easier,
>because there is no need to create any "illegal" key pairs. Everyone
>can encrypt messages using the government-certified ElGamal keys,
>and then repeat that process, this time including the data required
>for goverment access.
> that use of other systems will always be possible. Also, the above
> discussions already showed that if such a system is voluntary, then
> there are lots of way to go around it.
>
>Criminals will always find ways around these systems -- even if they are
>mandatory. Just those who actually "have nothing to fear", will not
>go in the risk to use illegal encryption. So governments can wiretap
>law-abiding citizens, but not criminals. What useful is a system like
>that?
>
You are absolutely right. However, as said above if governments (help to) set up a security system then they should at least attempt to make criminal abuse difficult. The lock on my bicycle is not really 100% either (as I found out quite to often); if I'd no lock at all I would have a lot more problems. Also, I am *not* for a mandatory system.
Best regards, Eric
Return to October 1996
Return to “snow <snow@smoke.suba.com>”