Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!think!harvard!seismo!brl-adm!brl-smoke!smoke!nsc!nsc!chongo@decwrl.dec.com From: chongo@decwrl.dec.com Newsgroups: net.legal Subject: DES Message-ID: <1735@brl-smoke.ARPA> Date: Wed, 12-Mar-86 11:36:43 EST Article-I.D.: brl-smok.1735 Posted: Wed Mar 12 11:36:43 1986 Date-Received: Sat, 15-Mar-86 01:58:33 EST Sender: news@brl-smoke.ARPA Lines: 48 In article <8603061745.AA03046@ucbvax.berkeley.edu> hyatt@UDEL-DEWEY.ARPA (Glenn Hyatt) writes: >The NSA has trouble decrypting intercepted communications that are >thus encrypted, and anticipates greatly increased traffic of this >sort if DES becomes an international standard. First allow me to introduce one view of 'DES history': Actually the trend on DES has been towards it being LESS secure. Several advances in the area of DES-like functions have shown that DES contains some disturbing properties. While direct proof is still lacking, indications suggest that DES has flaws. When DES came out, people claimed that the IBM was pressured by the NSA to reduce the Cypher size and add a few funny 'S-boxes'. It was claimed that the modification by the NSA was done to introduce a 'backdoor' into DES. Knowing this 'backdoor' would allow someone to decrypt DES with ease. It has been shown that one should be able to construct DES-like systems that have 'backdoors'. Furthermore, one can make the discovery of the 'backdoor' without knowledge of the creation process would be VERY hard. The NSA has never made any useful comments on the ideas behind DES. Question: If the above were true, and someone were to find the 'trapdoor' and publish it, damages could result. Could the person who found/published the flaw be held accountable for the damage? Would the person be viewed as saving the world from other folks who were already exploiting the 'trapdoor'? Consider the same question if were proven that the DES created to with flaws in mind. Now for a bit of post-DES trends: Current ideas on the books include the production and license of a chip or black-box that performeds encryption/decryption. The package would be placed inside a package in such a way as to make in very hard to open it up and look inside. Even if one were to snatch the algorithm, publication/disclosure of it would be in violation of the trade secret since only people who were thusly licenced could obtain the chip. (kinda like Un*x licendes) Worse yet, only special keys/codes can be used with the chip. One would have to obtain your own keys from the chip supplier. The claim will be that restriction of the internals of the black-box would make it harder for someone to discover a security hole. Keys must be obtained so as to not reveal the encryption algorithm. One could obtain enough keys, and in such a fashion so as to make it 'hard' to trace who got what key. But who would validate the chip makers and set up the key production systems? The NSA. Now that takes gaul! chongo /\oo/\