1998-11-14 - nCipher joined KRAP/GAK drive too?

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Message Hash: 501025a3660de75132a4d100366436422f1e6e864eeaf740ddca1ecd46a0c216
Message ID: <199811132348.XAA27396@server.eternity.org>
Reply To: N/A
UTC Datetime: 1998-11-14 00:29:24 UTC
Raw Date: Sat, 14 Nov 1998 08:29:24 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sat, 14 Nov 1998 08:29:24 +0800
To: cypherpunks@cyberpass.net
Subject: nCipher joined KRAP/GAK drive too?
Message-ID: <199811132348.XAA27396@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




This arose out of a discussion on ukcrypto about NAI (which PGP Inc is
now part of) having recently rejoined the KRA list -- I notice that
nCipher are on it too, and there was an earlier exchange on ukcrypto
about nCipher...

=========

nCipher too are now on the KRAP list (wonder how long for?)

Bruce Tober forwards from www.kra.org:
> [...]
>          nCipher Corporation Ltd.

nCipher fairly recently made some press release that was commented on
on this list as sounding a bit in favour of UK/DTI/GCHQ GAK attempts.
Then they claimed that it was just being read incorrectly and the text
was neutral and the title was badly chosen and by hired PR.

So nCipher guys, how do you explain the membership of KRAP away?

From the last list discussion, Ian Jackson, who works for nCipher, wrote:

: We do not have any weakened or GAK products.  The Marketing Director
: has assured me that we have no plans to produce any.

also:

: So, in summary, there are no artificial restrictions on the sizes of
: keys which can be used, generated or stored by our units, and no
: backdoor GAK or key recovery facilities.

given the KRAP membership one might have cause to worry that this
may not still be true.  Perhaps people using recent nCipher boards or
with recent software upgrades ought to read the specs real closely --
to see if it admits to encrypting stuff to GCHQ also!

Ian also wrote (in a post marked as not an official nCipher statement):
: I personally would feel that putting deliberate backdoors or other
: similar things into our products would be highly unethical and I would
: have nothing to do with it.

and:
: This has nothing to do with the spooks or escrow or anything of the
: kind.  

That's what GAK and KRAP are all about -- putting backdoors into
products which the government and secret service groups like GCHQ,
NSA and ECHELON get the keys to.

and:
: I do believe that the personal views of senior management at
: nCipher - particularly towards the technical end - are opposed to
: escrow et al.

Perhaps those technical types could have a go at prevailing over
whichever marketing type or suit decided to sign up for KRAP.

This is not intended to attack Ian, as he seemed pretty much against
GAK, and Niko van Someren to some extent too.  Not so sure about the
other non-technical van Someren, but clearly someone in nCipher thinks
KRAP and GAK are a good marketing ploy.

Otherwise, I figure you're better off giving money to DEC alpha than
supporting GAKkers.  Alphas run SSLeay pretty fast.

Adam

=========

and a second post, with more specifics:

=========

I wrote:
> nCipher too are now on the KRAP list (wonder how long for?)

here we go:

        http://www.ncipher.com/news/files/press/97/keyrecov.html

since May 97!

contains such gems as:
:       "We are delighted to support the Key Recovery Alliance," said
:       Alex van Someren, President of nCipher. 

so that pinpoints at least one GAK enthusiast at nCipher.

It also makes for some rather strange contradictions.  The flap about
nCipher's apparent whole-hearted support for DTI GAK attempts was May
this year -- nCipher had already been a paid up KRAP member for a
whole year.

press release continues (lest there is any confusion as to what KRA
as an organisation is about):

: Encryption makes information readable only to a person holding a
: unique "key" which will unlock the data. Encryption is critical to
: ensure the security of sensitive information that is either stored
: electronically or sent over public networks such as the Internet.
: Key recovery is a new method that allows for authorized access
: to encrypted information without the need to store or "escrow"
: any encryption keys with a third party. Key recovery is an
: effective tool to meet commercial, private and institutional needs.

institutions obliquely mentioned being presumably the likes of GCHQ 
and NSA?

yet Ian was saying:
> : So, in summary, there are no artificial restrictions on the sizes of
> : keys which can be used, generated or stored by our units, and no 
> : backdoor GAK or key recovery facilities.

saying there were no key recovery facilities, and

: We do not have any weakened or GAK products.  The Marketing Director
: has assured me that we have no plans to produce any.

and no plans to install any.  yet this is what KRA is all about, and they
were signed up to it already at that time.

I suppose someone is now going to try to claim that KRA is all about
key recovery for commercial purposes, but not for government -- but
this is not the way I understand that KRA came into being at all.

I think it is very much a NSA led attempt to further the clipper
attempts.  If I recall it started in the wake of the NSA/NIST attempts
at clipper IV (or whatever number it was at by then) to coerce
companies into including software based key escrow.

Probably tied up with the permission to use marginally higher key
lengths if the company can demonstrate to NSA a plan to introduce GAK
in two year time scale (within the US), though I may be forgetting the
details.  Anyone like to clarify KRA's aims and history?

Adam




