Re: New CALEA Backdoors announced (fwd)
ICMan (shane@tor.securecomputing.com)
Fri, 17 Jul 1998 12:52:00 -0400
Bill,
By the way, I did not mention that this mechanism does not yet exist in
any of the products. The companies proposing this standard are
recommending it to officials as a replacement standard for key escrow.
The need for such companies to work on this standard comes from the
requirement for encryption companies to be working on some aid for law
enforcement agencies to collect communications info in order to be able
to ship 56 bit encryption to international customers. Companies who do
not work on such a project are restricted from shipping international
software with > 40 bit encryption.
These companies are only starting to add this feature into future
releases of products, in the hopes that a demonstration of the technique
will convince officials that it is viable and desirable. If the standard
is accepted, then I would imagine that all encryption vendors will move
to this model. It should gain better acceptance from the public,
domestically and internationally, than key escrow.
Most encryption vendors hold the same opinion as the rest of the security
community. Encryption software should not be restricted. Key escrow is
a morally poor solution. It also helps that key escrow is likely to kill
the ability for US companies to sell internationally acceptable
encryption products. The reason that the government disagrees is because
encrypted traffic is harder to monitor than traditional data and
communications. It would increase the difficulty of gathering
information for convictions, even after such investigative techniques
have been approved by the court. (i.e. a warrant to tap phones, etc.)
This solution provides security conscious consumers with the protection
they need, and also provides law enforcement agencies recourse to perform
acceptable legal investigations.
ICMan
---------- Forwarded message ----------
Date: Fri, 17 Jul 1998 12:34:51 -0400 (EDT)
From: ICMan <shane@dali.tor.securecomputing.com>
To: "Stout, Bill" <StoutB@pios.com>
Cc: Firewall-wizards <firewall-wizards@nfr.net>
Subject: Re: New CALEA Backdoors announced
Bill,
I would like to point out that the "backdoor" proposed is really a "front
door" with a big dead bolt on it. The proposed method of providing
access to encrypted traffic to law enforcement officials does not weaken
the key length. The key remains as strong. Access to the information is
granted to law enforcement agencies by the sysadmin. The sysadmin can
choose to comply with law agencies or not. I would recommend that they do
comply, but the option to fight an inappropriately obtained warrant still
exists.
With key escrow, enforcement agencies can crack encryption whenever they
wish, and it becomes more difficult to protect against law agencies'
inappropriate use of their capability to eavesdrop on encrypted connections.
The solution proposed should provide international companies with the
confidence to use US created VPN products. Bank of Hong Kong will not
use a US encryption product knowing that the US government can get into
their traffic at the drop of a hat.
ICMan
Disclaimer: My opinions are most likely not that of my employer. It's a
wonder they are even mine.
On Wed, 15 Jul 1998, Stout, Bill wrote:
>
> Ascend, Bay Networks, Cisco Systems, 3Com, Hewlett-Packard, Intel,
> Microsoft, Netscape Communications, Network Associates, Novell, RedCreek
> Communications, Secure Computing, Sun Microsystems agreed to support a
> sysadmin crypto backdoor for CALEA.
>
> http://cgi.pathfinder.com/netly/article/0,2334,14025,00.html
> http://www.cisco.com/warp/public/146/july98/3.html
> http://www.infoworld.com/cgi-bin/displayStory.pl?980714.wnencryption.htm
>
> Only a year ago did security people scoff at the existence of
> intentional 'backdoors'. For some psychological reason publicly
> announced backdoors in domestic products are more believable than
> covertly planted backdoors in foreign products.
>
> Bill Stout
>
>
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:33 CDT