
Off-topic: crypto crippling



[I would have posted this to the sci.crypt newsgroup, but I dislike doing
that for several reasons - among them, slow message propagation, spam and
last but not least, I do not have Usenet configured and it takes a while
to find a server that carries sci.crypt. Does anyone know of a regular
mailing list equivalent to the sci.crypt newsgroup?]

Actually,

I have heard a rumour that the '128-bit encryption' that Microsoft is
shipping with Windows 2000 has actually been tweaked in such a way that it
is only 128-bit when observed by a non-clued-in person, but is rather 40-bit
for the people who know how it has been designed.

In effect, rumour therefore has it that 88 bits out of the 128 are set in
such a way that it is extremely easy to find them for someone who knows how.
The French are supposed to have found this out, and they are supposed to
have been a little bit upset because of this fact.

I am not sure how much of this is actually the truth. The person I received
this information from might have confused this with the silent "3DES -> DES"
fallback in Windows that has been demonstrated lately.

Can anyone confirm or deny the above rumour?

Anyway. The bottom line is - I think people today are a little bit crazy to
use, and even buy, security software as executables without any kind of
access to the source code. It is plain stupid, and it gives the country
which supplied you with the binaries a perfect weapon for the information
wars that are due to ensue sooner or later. The world is not all roses all
the time. Remember the several-billion-dollar deal which was lost by the
European airplane manufacturer to Boeing because the USA was eavesdropping
on their conversations with the purchaser?

Iraq, the Vatican and several others have learned this lesson when they bought
black-box crypto machines from Crypto AG, only to find out that the machine
transmits the encryption key almost in plaintext along with the encrypted
message. Which, hence, was easily recoverable by folks from the NSA and from
the German intelligence agency.

denis


-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@jaybis.com]
Sent: 17. junij 2000 14:44
To: PKIX-List
Subject: Why is Java still crypto-crippled?


I have since quite a while been using W2K (Bill, it IS great!) using strong
crypto although I live in Europe. But why can't I get that for JDK? Without
special permissions.

This is a *serious* threat to Java to be dependent on third-party tools when
the "other guy" has it all built-in!

Anders

Not religious about Java but likes it anyway.