From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cypherpunks@Algebra.COM
Message Hash: d1955692e0ab66529c08bd463ebe6e37ec3a55cdda94d3711ad45b8007d533cd
Message ID: <87743538523871@cs26.cs.auckland.ac.nz>
Reply To: N/A
UTC Datetime: 1997-10-21 12:23:51 UTC
Raw Date: Tue, 21 Oct 1997 20:23:51 +0800
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Tue, 21 Oct 1997 20:23:51 +0800
To: cypherpunks@Algebra.COM
Subject: Re: EC refutes GAK
Message-ID: <87743538523871@cs26.cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain
[I originally posted this to the c2.net crypto list but apparently it never
appeared, I've reposted it here in case anyone finds it useful]
>The report also notes a new (to me, anyway) method of bypassing GAK while
>maintaining full compliance with the law:
>
>"Users could encrypt a relatively large number of session keys in a way that
>the previous key encrypts the next one, always using one or several official
>escrow/recovery systems. Only the last key would be used to encrypt the
>message.
There's another way to foil GAK which I don't think has been mentioned before,
using what is often referred to as "malicious obedience" in the military (or
"you asked for it, you got it" elsewhere):
Since I don't trust any cryptosystem based on mathematical principles, I
encrypt all my communications using a one-time pad communicated on CDROM
(700+MB if you push it). To limit the exposure of each pad, I change it once a
month at a cost of ~$1 per CDR blank. If I communicate with around 100 people
that's 100 x 12 x 700+MB or (rounding things up a bit) a terabyte of keying
material a year. Since they use their own pads to communicate back to me,
anyone wanting to intercept a years worth of traffic to/from me would need to
archive 100 terabytes of keying material (I'd make sure I spread out the bits
of pad I used so they couldn't just keep the useful bits and discard the rest).
In any case since this will only be used for court-authorised intercepts (just
keep repeating that until you believe it), everything would have to be archived
without any changes so it could be used as evidence.
At a cost of $100/month in CDR's this should comply with any GAK law (instant
access to keys, etc), but will also do a reasonable job of overwhelming any
centralised repository charged with storing the data. Of course since I don't
trust the government any more than I trust those nasty cryptosystems based on
mathematical principles, I'd use triple DES underneath the OTP just to be sure.
Peter.
Return to October 1997
Return to “pgut001@cs.auckland.ac.nz (Peter Gutmann)”