News.com: Crypto Doesn't Kill - People Do
McSpew writes: "Bravo to News.com for telling the truth about cryptography. They even cited /.'s coverage of Phil Zimmermann's real views on PGP and its possible role in any terrorist acts." On a per-word basis, this may be the best summary of why calls to ban or restrict encryption technology (as with government key escrow, or constrained key sizes) have little to do with enhancing national or world security.
Re:one-time pads (Score:2, Informative)
Re:Its too easy to circumvent restrictions (Score:4, Informative)
Well, RSA isn't exactly a full cryptosystem by itself, but this does show how easy it is.
To review the OpenPGP RFC prior to publication, I re-implemented PGP's decryption and signature checking operations working just from the spec. Admittedly I didn't write my own big integer library, but I did implement 3DES and SHA-1 myself.
It took a week.
And remember, most of that was getting the details of the protocol correct. (I spent a day just getting PKCS encoding right, for example. That's unfortunately not in the OpenPGP spec.) A terrorist who was not trying for inter-operability with PGP probably need not bother with that.
Re:Letters to congress people. (Score:3, Informative)
Darn good letter. I have three suggestions which I implemented as I was customizing it for my Congresspeople:
Thanks for posting this letter.
cbd
your friendly local English teacher
Re:Sorry (Score:4, Informative)
224137216
It's 309 digits long! As you can see the numbers are big and get exponentially bigger as the key size increases. The idea with public key encryption is that, while it is quite quick to multiply two numbers this size together, it is very hard to factor the result into the two parts again. It is possible but, for keys > about 56-bit, it is beyond what modern computers are capable of.
Distributed.net [distributed.net] is a SETI@home-like project to crack ever larger keys, among other things. Check them out.
Re:Sorry (Score:3, Informative)
Problems like this exist in maths as well as the physical world. One such problem is used in RSA encryption, which can be used in PGP. This problem centers around the belief that it is easy to multiply two very large prime numbers, but given the product it is very difficult to go back to the original primes. I say belief deliberately since it is possible (albeit extremely unlikely) that there is an easy way to factor large numbers. Most PGP implementations actually use Elgamal rather than RSA, but the principle is similar.
If you are interested in this subject I would strongly recommend you buy/borrow a copy of Applied Cryptography by Bruce Schneier (amazon link [amazon.com]). This is the best crypto book available (IMHO) and explains the fundamentals of the subject, including the maths behind RSA and ElGamal without requiring any previous knowledge.
Hope this helps.
Re:Stop this mess ! (Score:5, Informative)
"FBI investigators had been able to locate hundreds of email communications, sent 30 to 45 days before the attack....According to the FBI, the conspirators had not used encryption or concealment methods. Once found, the emails could be openly read."
Re:one-time pads (Score:3, Informative)
Let's take the common case, where one bit is in the LSB of each channel of a digitized photograph. The person who is hiding the data must first acquire digitized photographs; they do this by either scanning photos, or using a digital camera.
The problem with these photographs is that they won't be completely random. The CCD or CMOS in the camera or scanner does not have the property that the LSB is completely random, so it would take a cryptanalyst only a short period of time to find that there was information stored there.
Steganography really has none of the properties that one-time pads do. It's an interesting mechanism for obscuring data, but that's all it does, obscure. One-time pads provide perfect security of data, even if you post the results on a Times Square billboard.
With one-time pads, the phrase 'd&@%nMn(>%#f+Nq' is equally likely to mean either 'slashdot rocks!' or 'slashdot sucks!'. There is absolutely no way to get the original plaintext of a one-time-pad encoded ciphertext unless there was a flaw with their random number generator, or they use the same pad twice.
Go read Bruce Schneier's Applied Cryptography [amazon.com].
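Added example, not part of the comment above or of any project it mentions: a Python sketch of the two one-time-pad claims made in that comment, using its own ciphertext and plaintexts. The helper names (`xor_bytes`, `pad_explaining`, `demo_ambiguity`, `demo_reuse`) are hypothetical; the first demo shows that a pad exists for either reading of the ciphertext, the second shows what leaks when one pad encrypts two messages.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; OTP encryption and decryption are this same step."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate`."""
    return xor_bytes(ciphertext, candidate)

CIPHERTEXT = b"d&@%nMn(>%#f+Nq"   # ciphertext string quoted in the comment
P_ROCKS = b"slashdot rocks!"      # the two candidate plaintexts from the comment
P_SUCKS = b"slashdot sucks!"

def demo_ambiguity() -> dict:
    """Each candidate has its own equally valid pad, so the ciphertext alone decides nothing."""
    result = {}
    for candidate in (P_ROCKS, P_SUCKS):
        pad = pad_explaining(CIPHERTEXT, candidate)
        result[candidate] = xor_bytes(CIPHERTEXT, pad)
    return result

def demo_reuse():
    """Encrypt both messages under ONE random pad and show what an observer learns."""
    pad = secrets.token_bytes(len(P_ROCKS))      # constructed sample pad
    c1 = xor_bytes(P_ROCKS, pad)
    c2 = xor_bytes(P_SUCKS, pad)
    leak = xor_bytes(c1, c2)                     # pad cancels: equals p1 XOR p2
    differing = [i for i, b in enumerate(leak) if b]
    recovered = xor_bytes(leak, P_ROCKS)         # knowing p1 yields p2 without the pad
    return leak, differing, recovered

if __name__ == "__main__":
    for candidate, decrypted in demo_ambiguity().items():
        print(candidate, "->", decrypted)
    leak, differing, recovered = demo_reuse()
    print("positions that differ between the two plaintexts:", differing)
    print("second plaintext recovered from the leak:", recovered)
```

The reuse case is why pad material has to be tracked and destroyed after a single use: the leak is independent of how random the pad was.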
Re:He's missed the point (Score:3, Informative)
Your intuition is correct. They have the Foreign Intelligence Surveillance Court. [google.com] The relationship between signals intelligence and law is an odd one, as shown here [heise.de].