[171] in cryptography@c2.net mail archive
Re: 40-bit rc2/4
daemon@ATHENA.MIT.EDU (Michael Paul Johnson)
Wed Feb 5 15:49:57 1997
Date: Wed, 5 Feb 1997 13:24:29 -0700 (MST)
From: Michael Paul Johnson <mikej2@Exabyte.COM>
To: Greg Rose <ggr@qualcomm.com>
cc: cryptography@c2.net
In-Reply-To: <199702050706.SAA29595@avalon.qualcomm.com>
On Wed, 5 Feb 1997, Greg Rose wrote:
> Just finished reading the new EARs and was stunned
> to realise that the "40 bit RC4" exemption really
> did only apply to RC4 (and RC2). You can't, for
> example, use nobbled DES, or ROT13 (unless you
> agree to key escrow of course...)
>
> I'm impressed that the EARs even include RSA's
> phone number, so that you can license the
> software to comply with this exemption. How did
> they (RSA) manage this?
...
Yes, Greg, it is amazing that a private corporation got themselves written
into the law in a favored way like that. I recall beating the Department
of State and the NSA verbally about that about 2 years ago, with no
apparent results. It is not so amazing that the 40 bit size is tied to a
specific algorithm, however, since the algorithm used strongly affects the
brute force search work that needs to be done to crack a key. For example,
Blowfish and Diamond2 are both designed (intentionally) to make rekeying
the cipher a much slower operation than encryption and decryption, thus
offering much better performance to the honest user than to the spy.
In reality, the way in which an application is coded also affects the
threshold of what the NSA considers to be exportable without key recovery
back doors. For example, Quicrypt (ftp://ftp.csn.net/mpj/qcrypt11.zip) in
its "exportable evaluation version" places no limits on the user keys, but
selects a random session key (encrypted with the user's unlimited strength
key) of only 32 bits -- not one bit more. (I tried hard to get them to
budge, but they would not.) Anyway, there are several reasons that
Quicrypt's 32-bit session key is more or less equivalent to a 40-bit RC4
key. First, Quicrypt uses the Sapphire stream cipher, which is slightly
slower to set up a key for than RC4, and for which the NSA probably hasn't
built specialized cracking hardware (another major consideration in the
RC4 preference -- the NSA does have a limited budget, after all). Second,
the design of the program is such that the cracking has to be done for
each message intercepted, since the stronger user key is not generally
compromised by the cracking of any particular session key. Third, there
is enough known plain text in the file format to catch most passphrase
typos, but not enough to avoid having to run further checks on many "false
alarms" when doing an exhaustive key search.
Be that as it may, the export threshold of the NSA is really too weak to
be considered serious cryptography if you want your secrets kept for more
than 3 hours or so (or 3 minutes if your adversary is a well-funded spy
organization).
I learned a lot about what the NSA considers exportable when pushing
Quicrypt through the process. The good news is that the non-exportable
"registered" version of Quicrypt, called Qcrypt, uses 128-bit random
session keys, and is actually pretty useful and reasonably secure and
friendly. Therefore, I didn't totally waste my development time.
Michael Paul Johnson
Opinions herein are not necessarily Exabyte's.
Work: mpj@exabyte.com http://www.exabyte.com
Personal: mpj@csn.net http://www.csn.net/~mpj BBS 303-772-1062
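Two of the points made in the message above about exhaustive key search, that the cost of setting up a key dominates the attacker's bill when the key schedule is slow, and that a little known plaintext leaves many "false alarms" that each need further checking, can be made concrete with a small simulation. This is an added example, not code from the original message or from Quicrypt: the cipher here is a constructed SHA-256 counter-mode toy with a 16-bit key, chosen only so that the whole key space can be searched in well under a second, and the function names, cost figures and sample key and plaintext are assumptions for illustration.

```python
import hashlib
from typing import List

# Toy stand-in cipher, constructed for this illustration only: a 16-bit key
# is stretched into a keystream with SHA-256 in counter mode. It is NOT
# Sapphire, RC4 or any real cipher; its only job is to make an exhaustive
# search over all 2^16 keys fast enough to run as a demonstration.
KEY_BITS = 16


def toy_keystream(key: int, length: int) -> bytes:
    """Return `length` keystream bytes derived from a KEY_BITS-bit key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: int, data: bytes) -> bytes:
    """XOR `data` with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def expected_false_alarms(key_bits: int, known_plaintext_bits: int) -> float:
    """Roughly how many keys (the right one included) will match
    `known_plaintext_bits` of known plaintext: 2^(key_bits - known_plaintext_bits).
    When this is well above 1, every first-pass candidate needs a further check."""
    return 2.0 ** (key_bits - known_plaintext_bits)


def expected_search_cost(key_bits: int, setup_cost: float,
                         per_byte_cost: float, known_bytes: int) -> float:
    """Expected work of an exhaustive search, in the same units as the costs.
    On average half the key space is tried, and each trial pays the key
    setup plus encrypting only as many bytes as are compared against the
    known plaintext, so a slow key schedule (large setup_cost) raises the
    attacker's bill far more than it raises the honest user's."""
    return 2.0 ** (key_bits - 1) * (setup_cost + per_byte_cost * known_bytes)


def exhaustive_search(ciphertext: bytes, known_prefix: bytes) -> List[int]:
    """First pass: try every key and keep those whose keystream turns the
    ciphertext into the known plaintext prefix. With a short prefix this
    returns the true key plus many false alarms."""
    n = len(known_prefix)
    target = ciphertext[:n]
    hits = []
    for key in range(1 << KEY_BITS):
        if toy_encrypt(key, target) == known_prefix:
            hits.append(key)
    return hits


def confirm(candidates: List[int], ciphertext: bytes, full_plaintext: bytes) -> List[int]:
    """Second pass: re-check each candidate against all the known plaintext,
    which eliminates the first pass's false alarms."""
    return [k for k in candidates if toy_encrypt(k, ciphertext) == full_plaintext]


if __name__ == "__main__":
    key = 0x1234                  # constructed sample key
    plaintext = b"known header"   # constructed known plaintext (a file-format header)
    ciphertext = toy_encrypt(key, plaintext)
    first_pass = exhaustive_search(ciphertext, plaintext[:1])
    print(f"expected matches on 8 known bits: {expected_false_alarms(KEY_BITS, 8):.0f}")
    print(f"observed first-pass candidates: {len(first_pass)} (true key included: {key in first_pass})")
    print(f"survivors after checking all {len(plaintext) * 8} known bits: {confirm(first_pass, ciphertext, plaintext)}")
    slow = expected_search_cost(KEY_BITS, 100.0, 1.0, 1)   # assumed: key setup 100x a byte
    fast = expected_search_cost(KEY_BITS, 1.0, 1.0, 1)     # assumed: key setup 1x a byte
    print(f"search work, slow key schedule vs fast: {slow:.0f} vs {fast:.0f}")
```

With one known byte the first pass returns on the order of 2^(16-8) = 256 candidates, almost all of them false alarms, and only the second pass over the full header settles on the real key; scaling the same arithmetic to a 32- or 40-bit key shows why the amount of recognisable plaintext in a file format, and the cost of the key schedule, both matter as much as the nominal key length.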