1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
4 <TITLE> Introduction to FreeS/WAN</TITLE>
5 <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
8 <A HREF="toc.html">Contents</a>
9 <A HREF="interop.html">Previous</a>
10 <A HREF="ipsec.html">Next</a>
12 <H1><A name="politics">History and politics of cryptography</A></H1>
13 <P> Cryptography has a long and interesting history, and has been the
14 subject of considerable political controversy. </P>
15 <H2><A name="intro.politics">Introduction</A></H2>
16 <H3><A NAME="11_1_1">History</A></H3>
17 <P> The classic book on the history of cryptography is David Kahn's <A href="biblio.html#Kahn">
18 The Codebreakers</A>. It traces codes and codebreaking from ancient
19 Egypt to the 20th century. </P>
20 <P> Diffie and Landau <A href="biblio.html#diffie">Privacy on the Line:
21 The Politics of Wiretapping and Encryption</A> covers the history from
22 the First World War to the 1990s, with an emphasis on the US. </P>
24 During the Second World War, the British "Ultra"project achieved one
25 of the greatest intelligence triumphs in the history of warfare,
26 breaking many Axis codes. One major target was the Enigma cipher
27 machine, a German device whose users were convinced it was unbreakable.
28 The American "Magic" project had some similar triumphs against Japanese
30 <P> There are many books on this period. See our bibliography for a
31 few, or try a (web or library) search on "Ultra" and "Enigma". Two
32 books I particularly like are: </P>
34 <LI>Andrew Hodges has done a superb <A href="http://www.turing.org.uk/book/">
35 biography</A> of Alan Turing, a key player among the Ultra
36 codebreakers. Turing was also an important computer pioneer. The terms <A
37 href="http://www.abelard.org/turpap/turpap.htm">Turing test</A> and <A href="http://plato.stanford.edu/entries/turing-machine/">
38 Turing machine</A> are named for him, as is the <A href="http://www.acm.org">
39 ACM</A>'s highest technical <A href="http://www.acm.org/awards/taward.html">
41 <LI> Neal Stephenson's <A href="biblio.html#neal">Cryptonomicon</A> is
42 a novel with cryptography central to the plot. Parts of it take place
43 during WW II, other parts today. </LI>
45 <P> Bletchley Park, where much of the Ultra work was done, now has a
46 museum and a <A href="http://www.bletchleypark.org.uk/"> web site</A>. </P>
47 <P> The Ultra work introduced three major innovations. </P>
49 <LI>The first break of Enigma was achieved by Polish Intelligence in
50 1931. Until then most code-breakers had been linguists, but a different
51 approach was needed to break machine ciphers. Polish Intelligence
52 realised this, recruited some clever young mathematicians, and
53 succeeded in cracking the "unbreakable" Enigma. When war came in 1939,
54 the Poles told their allies about this, putting Britain on the road to
55 Ultra. The British also adopted a mathematical approach. </LI>
56 <LI>Machines were extensively used in the attacks. First the Polish
57 "Bombe" for attacking Enigma, then British versions of it, then
58 machines such as Collosus for attacking other codes. By the end of the
59 war, some of these machines were beginning to closely resemble digital
60 computers. After the war, a team at Manchester University, several old
61 Ultra hands included, built one of the world's first actual
62 general-purpose digital computers. </LI>
63 <LI>Ultra made codebreaking a large-scale enterprise, producing
64 intelligence on an industrial scale. This was not a "black chamber",
65 not a hidden room in some obscure government building with a small crew
66 of code-breakers. The whole operation -- from wholesale interception of
67 enemy communications by stations around the world, through large-scale
68 code-breaking and analysis of the decrypted material (with an enormous
69 set of files for cross-referencing), to delivery of intelligence to
70 field commanders -- was huge, and very carefully managed. </LI>
72 <P> So by the end of the war, Allied code-breakers were expert at
73 large-scale mechanised code-breaking. The payoffs were enormous. </P>
74 <H4><A name="postwar">Postwar and Cold War</A></H4>
75 The wartime innovations were enthusiastically adopted by post-war and
76 Cold War signals intelligence agencies. Presumably many nations now
77 have some agency capable of sophisticated attacks on communications
78 security, and quite a few engage in such activity on a large scale.
79 <P> America's <A href="glossary.html#NSA">NSA</A>, for example, is said
80 to be both the world's largest employer of mathematicians and the
81 world's largest purchaser of computer equipment. Such claims may be
82 somewhat exaggerated, but beyond doubt the NSA -- and similar agencies
83 in other countries -- have some excellent mathematicians, lots of
84 powerful computers, sophisticated software, and the organisation and
85 funding to apply them on a large scale. Details of the NSA budget are
86 secret, but there are some published <A href="http://www.fas.org/irp/nsa/nsabudget.html">
88 <P> Changes in the world's communications systems since WW II have
89 provided these agencies with new targets. Cracking the codes used on an
90 enemy's military or diplomatic communications has been common practice
91 for centuries. Extensive use of radio in war made large-scale attacks
92 such as Ultra possible. Modern communications make it possible to go
93 far beyond that. Consider listening in on cell phones, or intercepting
94 electronic mail, or tapping into the huge volumes of data on new media
95 such as fiber optics or satellite links. None of these targets existed
96 in 1950. All of them can be attacked today, and almost certainly are
98 <P> The Ultra story was not made public until the 1970s. Much of the
99 recent history of codes and code-breaking has not been made public, and
100 some of it may never be. Two important books are: </P>
102 <LI>Bamford's <A href="biblio.html#puzzle">The Puzzle Palace</A>, a
103 history of the NSA </LI>
104 <LI>Hager's <A href="http://www.fas.org/irp/eprint/sp/index.html">
105 Secret Power</A>, about the <A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
106 Echelon</A> system -- the US, UK, Canada, Australia and New Zealand
107 co-operating to monitor much of the world's communications. </LI>
109 <P> Note that these books cover only part of what is actually going on,
110 and then only the activities of nations open and democratic enough that
111 (some of) what they are doing can be discovered. A full picture,
114 <LI>actions of the English-speaking democracies not covered in those
116 <LI>actions of other more-or-less sane governments </LI>
117 <LI>the activities of various more-or-less insane governments </LI>
118 <LI>possibilities for unauthorized action by government employees </LI>
120 <P> might be really frightening. </P>
121 <H4><A name="recent">Recent history -- the crypto wars</A></H4>
122 Until quite recently, cryptography was primarily a concern of
123 governments, especially of the military, of spies, and of diplomats.
124 Much of it was extremely secret.
125 <P> In recent years, that has changed a great deal. With computers and
126 networking becoming ubiquitous, cryptography is now important to almost
127 everyone. Among the developments since the 1970s: </P>
129 <LI>The US gov't established the Data Encryption Standard, <A href="glossary.html#DES">
130 DES</A> standard, a <A href="glossary.html#block">block cipher</A> for
131 cryptographic protection of unclassfied documents. It has also been
132 widely used in industry. </LI>
133 <LI><A href="glossary.html#public">Public key</A> cryptography was
134 invented by Diffie and Hellman. </LI>
135 <LI>Academic conferences such as <A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">
136 Crypto</A> and <A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">
137 Eurocrypt</A> began. </LI>
138 <LI>Several companies began offerring cryptographic products: <A href="glossary.html#RSAco">
139 RSA</A>, <A href="glossary.html#PGPI">PGP</A>, the many vendors with <A href="glossary.html#PKI">
140 PKI</A> products, ... </LI>
141 <LI>Cryptography appeared in other products: operating systems, word
142 processors, ... </LI>
143 <LI>Network protocols based on crypto were developed: <A href="glossary.html#SSH">
144 SSH</A>, <A href="glossary.html#SSL">SSL</A>, <A href="glossary.html#IPSEC">
146 <LI>Crytography came into widespread use to secure bank cards,
148 <LI>The US government replaced <A href="glossary.html#DES">DES</A> with
149 the much stronger Advanced Encryption Standard, <A href="glossary.html#AES">
152 <P> This has led to a complex ongoing battle between various mainly
153 government groups wanting to control the spread of crypto and various
154 others, notably the computer industry and the "cypherpunk" crypto
155 advocates, wanting to encourage widespread use. </P>
156 <P> Steven Levy has written a fine history of much of this, called <A href="biblio.html#crypto">
157 Crypto: How the Code rebels Beat the Government -- Saving Privacy in
158 the Digital Age</A>. </P>
159 <P> The FreeS/WAN project is to a large extent an outgrowth of <A href="http://world.std.com/~franl/crypto/cypherpunks.html">
160 cypherpunk</A> ideas. Our reasons for doing the project can be seen in
161 these quotes from the <A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">
162 Cypherpunk Manifesto</A>: <BLOCKQUOTE> Privacy is necessary for an open
163 society in the electronic age. ...
164 <P> We cannot expect governments, corporations, or other large,
165 faceless organizations to grant us privacy out of their beneficence.
166 It is to their advantage to speak of us, and we should expect that
167 they will speak. ... </P>
168 <P> We must defend our own privacy if we expect to have any. ... </P>
169 <P> Cypherpunks write code. We know that someone has to write software
170 to defend privacy, and since we can't get privacy unless we all do,
171 we're going to write it. We publish our code so that our fellow
172 Cypherpunks may practice and play with it. Our code is free for all to
173 use, worldwide. We don't much care if you don't approve of the
174 software we write. We know that software can't be destroyed and that a
175 widely dispersed system can't be shut down. </P>
176 <P> Cypherpunks deplore regulations on cryptography, for encryption is
177 fundamentally a private act. ... </P>
178 <P> For privacy to be widespread it must be part of a social contract.
179 People must come and together deploy these systems for the common good.
181 </BLOCKQUOTE> To quote project leader John Gilmore: <BLOCKQUOTE> We are
182 literally in a race between our ability to build and deploy
183 technology, and their ability to build and deploy laws and treaties.
184 Neither side is likely to back down or wise up until it has
185 definitively lost the race. </BLOCKQUOTE></P>
186 <P> If FreeS/WAN reaches its goal of making <A href="intro.html#opp.intro">
187 opportunistic encryption</A> widespread so that secure communication
188 can become the default for a large part of the net, we will have struck
190 <H3><A name="intro.poli">Politics</A></H3>
191 The political problem is that nearly all governments want to monitor
192 their enemies' communications, and some want to monitor their citizens.
193 They may be very interested in protecting some of their own
194 communications, and often some types of business communication, but not
195 in having everyone able to communicate securely. They therefore attempt
196 to restrict availability of strong cryptography as much as possible.
197 <P> Things various governments have tried or are trying include:</P>
199 <LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian
200 and Canadian <A href="glossary.html#SIGINT">signals intelligence</A>
201 agencies. See this <A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
202 collection</A> of links and this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">
203 story</A> on the French Parliament's reaction.</LI>
204 <LI>Others governments may well have their own Echelon-like projects.
205 To quote the Dutch Minister of Defense, as reported in a German <A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">
206 magazine</A>: <BLOCKQUOTE> The government believes not only the
207 governments associated with Echelon are able to intercept
208 communication systems, but that it is an activity of the investigative
209 authorities and intelligence services of many countries with
210 governments of different political signature. </BLOCKQUOTE> Even if
211 they have nothing on the scale of Echelon, most intelligence agencies
212 and police forces certainly have some interception capability. </LI>
213 <LI><A href="glossary.html#NSA">NSA</A> tapping of submarine
214 communication cables, described in <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">
215 this article</A></LI>
216 <LI>A proposal for international co-operation on <A href="http://www.heise.de/tp/english/special/enfo/4306/1.html">
217 Internet surveillance</A>.</LI>
218 <LI>Alleged <A href="http://cryptome.org/nsa-sabotage.htm">sabotage</A>
219 of security products by the <A href="glossary.html#NSA">NSA</A> (the
220 US signals intelligence agency).</LI>
221 <LI>The German armed forces and some government departments will stop
222 using American software for fear of NSA "back doors", according to
223 this <A href="http://www.theregister.co.uk/content/4/17679.html">news
225 <LI>The British Regulation of Investigatory Powers bill. See this <A href="http://www.fipr.org/rip/index.html">
226 web page.</A> and perhaps this <A href="http://ars.userfriendly.org/cartoons/?id=20000806&mode=classic">
228 <LI>A Russian <A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">
229 ban</A> on cryptography</LI>
230 <LI>Chinese <A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">
231 controls</A> on net use.</LI>
232 <LI>The FBI's carnivore system for covert searches of email. See this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">
233 news coverage</A> and this <A href="http://www.crypto.com/papers/carnivore-risks.html">
234 risk assessment</A>. The government had an external review of some
235 aspects of this system done. See this <A href="http://www.crypto.com/papers/carnivore_report_comments.html">
236 analysis</A> of that review. Possible defenses against Carnivore
239 <LI><A href="glossary.html#PGP">PGP</A> for end-to-end mail encryption </LI>
240 <LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A>
241 for server-to-server encryption </LI>
242 <LI>IPSEC encryption on the underlying IP network </LI>
245 <LI>export laws restricting strong cryptography as a munition. See <A href="#exlaw">
246 discussion</A> below.</LI>
247 <LI>various attempts to convince people that fundamentally flawed
248 cryptography, such as encryption with a <A href="#escrow">back door</A>
249 for government access to data or with <A href="#shortkeys">inadequate
250 key lengths</A>, was adequate for their needs. </LI>
252 <P> Of course governments are by no means the only threat to privacy
253 and security on the net. Other threats include:</P>
256 <LI>industrial espionage, as for example in this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">
258 <LI>attacks by organised criminals, as in this <A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
259 large-scale attack</A></LI>
260 <LI>collection of personal data by various companies.
262 <LI>for example, consider the various corporate winners of Privacy
263 International's <A href="http://www.privacyinternational.org/bigbrother/">
264 Big Brother Awards</A>.</LI>
265 <LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sell
266 tools to defend against this</LI>
269 <LI>individuals may also be a threat in a variety of ways and for a
270 variety of reasons </LI>
271 <LI>in particular, an individual with access to government or industry
272 data collections could do considerable damage using that data in
273 unauthorized ways. </LI>
275 <P> One <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">
276 study</A> enumerates threats and possible responses for small and
277 medium businesses. VPNs are a key part of the suggested strategy. </P>
278 <P> We consider privacy a human right. Our objective is to help make
279 privacy possible on the Internet using cryptography strong enough not
280 even those well-funded government agencies are likely to break it. If
281 we can do that, the chances of anyone else breaking it are negliible. </P>
282 <H3><A NAME="11_1_3">Links</A></H3>
283 Many groups are working in different ways to defend privacy on the net
284 and elsewhere. Please consider contributing to one or more of these
287 <LI>the EFF's <A href="http://www.eff.org/crypto/">Privacy Now!</A>
289 <LI>the <A href="http://www.gilc.org">Global Internet Liberty Campaign</A>
291 <LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer
292 Professionals for Social Responsibility</A></LI>
294 <P> For more on these issues see: </P>
296 <LI>Steven Levy (Newsweek's chief technology writer and author of the
297 classic "Hackers") new book <A href="biblio.html#crypto"> Crypto: How
298 the Code Rebels Beat the Government--Saving Privacy in the Digital Age</A>
300 <LI>Simson Garfinkel (Boston Globe columnist and author of books on <A href="biblio.html#PGP">
301 PGP</A> and <A href="biblio.html#practical"> Unix Security</A>) book <A href="biblio.html#Garfinkel">
302 Database Nation: the death of privacy in the 21st century</A></LI>
303 <LI>an <A href="http://www.immaterial.net/page.php3?id=44">interview</A>
304 with Eblen Morgan (general counsel to the <A href="">Free Software
305 Foundation</A> and a professor at Columbia Law School) on the
306 "encryption wars". </LI>
308 <P> See also the <A href="biblio.html">bibliography</A> and our list of <A
309 href="web.html#policy">web references</A> on cryptography law and
311 <H3><A NAME="11_1_4">Outline of this section</A></H3>
312 <P> The remainder of this section includes two pieces of writing by our
315 <LI>his <A href="#gilmore">rationale</A> for starting this</LI>
316 <LI>another <A href="#policestate">discussion</A> of project goals</LI>
318 <P>and discussions of:</P>
320 <LI><A href="#desnotsecure">why we do not use DES</A></LI>
321 <LI><A href="#exlaw">cryptography export laws</A></LI>
322 <LI>why <A href="#escrow">government access to keys</A> is not a good
324 <LI>the myth that <A href="#shortkeys">short keys</A> are adequate for
325 some security requirements</LI>
327 <P> and a section on <A href="#press">press coverage of FreeS/WAN</A>.</P>
328 <H2><A name="leader">From our project leader</A></H2>
329 <P> FreeS/WAN project founder John Gilmore wrote a web page about why
330 we are doing this. The version below is slightly edited, to fit this
331 format and to update some links. For a version without these edits, see
332 his <A href="http://www.toad.com/gnu/">home page</A>.</P>
334 <H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A>
337 <P>My project for 1996 was to <B>secure 5% of the Internet traffic
338 against passive wiretapping</B>. It didn't happen in 1996, so I'm
339 still working on it in 1997, 1998, and 1999! If we get 5% in 1999 or
340 2000, we can secure 20% the next year, against both active and passive
341 attacks; and 80% the following year. Soon the whole Internet will be
342 private and secure. The project is called S/WAN or S/Wan or Swan for
343 Secure Wide Area Network; since it's free software, we call it
344 FreeSwan to distinguish it from various commercial implementations. <A href="http://www.rsa.com/rsa/SWAN/">
345 RSA</A> came up with the term "S/WAN". Our main web site is at <A href="http://www.freeswan.org/">
346 http://www.freeswan.org/</A>. Want to help?</P>
347 <P>The idea is to deploy PC-based boxes that will sit between your
348 local area network and the Internet (near your firewall or router)
349 which opportunistically encrypt your Internet packets. Whenever you
350 talk to a machine (like a Web site) that doesn't support encryption,
351 your traffic goes out "in the clear" as usual. Whenever you connect
352 to a machine that does support this kind of encryption, this box
353 automatically encrypts all your packets, and decrypts the ones that
354 come in. In effect, each packet gets put into an "envelope" on one
355 side of the net, and removed from the envelope when it reaches its
356 destination. This works for all kinds of Internet traffic, including
357 Web access, Telnet, FTP, email, IRC, Usenet, etc.</P>
358 <P>The encryption boxes are standard PC's that use freely available
359 Linux software that you can download over the Internet or install from
361 <P>This wasn't just my idea; lots of people have been working on it for
362 years. The encryption protocols for these boxes are called <A href="glossary.html#IPSEC">
363 IPSEC (IP Security)</A>. They have been developed by the <A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">
364 IP Security Working Group</A> of the <A href="http://www.ietf.org/">
365 Internet Engineering Task Force</A>, and will be a standard part of
366 the next major version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
367 IPv6</A>). For today's (IP version 4) Internet, they are an option.</P>
368 <P>The <A href="http://www.iab.org/iab">Internet Architecture Board</A>
369 and <A href="http://www.ietf.org/"> Internet Engineering Steering Group</A>
370 have taken a <A href="iab-iesg.stmt">strong stand</A> that the
371 Internet should use powerful encryption to provide security and
372 privacy. I think these protocols are the best chance to do that,
373 because they can be deployed very easily, without changing your
374 hardware or software or retraining your users. They offer the best
375 security we know how to build, using the Triple-DES, RSA, and
376 Diffie-Hellman algorithms.</P>
377 <P>This "opportunistic encryption box" offers the "fax effect". As
378 each person installs one for their own use, it becomes more valuable
379 for their neighbors to install one too, because there's one more
380 person to use it with. The software automatically notices each newly
381 installed box, and doesn't require a network administrator to
382 reconfigure it. Instead of "virtual private networks" we have a "REAL
383 private network"; we add privacy to the real network instead of
384 layering a manually-maintained virtual network on top of an insecure
386 <H4>Deployment of IPSEC</H4>
387 <P>The US government would like to control the deployment of IP
388 Security with its <A href="#exlaw">crypto export laws</A>. This isn't
389 a problem for my effort, because the cryptographic work is happening
390 outside the United States. A foreign philanthropist, and others, have
391 donated the resources required to add these protocols to the Linux
392 operating system. <A href="http://www.linux.org/">Linux</A> is a
393 complete, freely available operating system for IBM PC's and several
394 kinds of workstation, which is compatible with Unix. It was written
395 by Linus Torvalds, and is still maintained by a talented team of
396 expert programmers working all over the world and coordinating over
397 the Internet. Linux is distributed under the <A href="glossary.html#GPL">
398 GNU Public License</A>, which gives everyone the right to copy it,
399 improve it, give it to their friends, sell it commercially, or do just
400 about anything else with it, without paying anyone for the privilege.</P>
401 <P>Organizations that want to secure their network will be able to put
402 two Ethernet cards into an IBM PC, install Linux on it from a $30
403 CDROM or by downloading it over the net, and plug it in between their
404 Ethernet and their Internet link or firewall. That's all they'll have
405 to do to encrypt their Internet traffic everywhere outside their own
406 local area network.</P>
407 <P>Travelers will be able to run Linux on their laptops, to secure
408 their connection back to their home network (and to everywhere else
409 that they connect to, such as customer sites). Anyone who runs Linux
410 on a standalone PC will also be able to secure their network
411 connections, without changing their application software or how they
412 operate their computer from day to day.</P>
413 <P>There will also be numerous commercially available firewalls that
414 use this technology. <A href="http://www.rsa.com/">RSA Data Security</A>
415 is coordinating the <A href="http://www.rsa.com/rsa/SWAN">S/Wan
416 (Secure Wide Area Network)</A> project among more than a dozen vendors
417 who use these protocols. There's a <A href="http://www.rsa.com/rsa/SWAN/swan_test.htm">
418 compatability chart</A> that shows which vendors have tested their
419 boxes against which other vendors to guarantee interoperatility.</P>
420 <P>Eventually it will also move into the operating systems and
421 networking protocol stacks of major vendors. This will probably take
422 longer, because those vendors will have to figure out what they want
423 to do about the export controls.</P>
424 <H4>Current status</H4>
425 <P>My initial goal of securing 5% of the net by Christmas '96 was not
426 met. It was an ambitious goal, and inspired me and others to work
427 hard, but was ultimately too ambitious. The protocols were in an
428 early stage of development, and needed a lot more protocol design
429 before they could be implemented. As of April 1999, we have released
430 version 1.0 of the software (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">
431 freeswan-1.0.tar.gz</A>), which is suitable for setting up Virtual
432 Private Networks using shared secrets for authentication. It does not
433 yet do opportunistic encryption, or use DNSSEC for authentication;
434 those features are coming in a future release.</P>
437 <DD>The low-level encrypted packet formats are defined. The system for
438 publishing keys and providing secure domain name service is defined.
439 The IP Security working group has settled on an NSA-sponsored protocol
440 for key agreement (called ISAKMP/Oakley), but it is still being worked
441 on, as the protocol and its documentation is too complex and
442 incomplete. There are prototype implementations of ISAKMP. The
443 protocol is not yet defined to enable opportunistic encryption or the
444 use of DNSSEC keys.</DD>
445 <DT>Linux Implementation</DT>
446 <DD>The Linux implementation has reached its first major release and is
447 ready for production use in manually-configured networks, using Linux
448 kernel version 2.0.36.</DD>
449 <DT>Domain Name System Security</DT>
450 <DD>There is now a release of BIND 8.2 that includes most DNS Security
452 <P>The first prototype implementation of Domain Name System Security
453 was funded by <A href="glossary.html#DARPA">DARPA</A> as part of their <A
454 href="http://www.darpa.mil/ito/research/is/index.html">Information
455 Survivability program</A>. <A href="http://www.tis.com">Trusted
456 Information Systems</A> wrote a modified version of <A href="http://www.isc.org/bind.html">
457 BIND</A>, the widely-used Berkeley implementation of the Domain Name
459 <P>TIS, ISC, and I merged the prototype into the standard version of
460 BIND. The first production version that supports KEY and SIG records
461 is <B>bind-4.9.5</B>. This or any later version of BIND will do for
462 publishing keys. It is available from the <A href="http://www.isc.org/bind.html">
463 Internet Software Consortium</A>. This version of BIND is not
464 export-controlled since it does not contain any cryptography. Later
465 releases starting with BIND 8.2 include cryptography for
466 authenticating DNS records, which is also exportable. Better
467 documentation is needed.</P>
470 <P>Because I can. I have made enough money from several successful
471 startup companies, that for a while I don't have to work to support
472 myself. I spend my energies and money creating the kind of world that
473 I'd like to live in and that I'd like my (future) kids to live in.
474 Keeping and improving on the civil rights we have in the United
475 States, as we move more of our lives into cyberspace, is a particular
477 <H4>What You Can Do</H4>
479 <DT>Install the latest BIND at your site.</DT>
480 <DD>You won't be able to publish any keys for your domain, until you
481 have upgraded your copy of BIND. The thing you really need from it is
482 the new version of <I>named</I>, the Name Daemon, which knows about
483 the new KEY and SIG record types. So, download it from the <A href="http://www.isc.org/bind.html">
484 Internet Software Consortium </A> and install it on your name server
485 machine (or get your system administrator, or Internet Service
486 Provider, to install it). Both your primary DNS site and all of your
487 secondary DNS sites will need the new release before you will be able
488 to publish your keys. You can tell which sites this is by running the
489 Unix command "dig MYDOMAIN ns" and seeing which sites are mentioned in
490 your NS (name server) records.</DD>
491 <DT>Set up a Linux system and run a 2.0.x kernel on it</DT>
492 <DD>Get a machine running Linux (say the 5.2 release from <A href="http://www.redhat.com">
493 Red Hat</A>). Give the machine two Ethernet cards.</DD>
494 <DT>Install the Linux IPSEC (Freeswan) software</DT>
495 <DD>If you're an experienced sysadmin or Linux hacker, install the
496 freeswan-1.0 release, or any later release or snapshot. These releases
497 do NOT provide automated "opportunistic" operation; they must be
498 manually configured for each site you wish to encrypt with.</DD>
499 <DT>Get on the linux-ipsec mailing list</DT>
500 <DD>The discussion forum for people working on the project, and testing
501 the code and documentation, is: linux-ipsec@clinet.fi. To join this
502 mailing list, send email to <A href="mailto:linux-ipsec-REQUEST@clinet.fi">
503 linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says
504 "subscribe linux-ipsec". (You can later get off the mailing list the
505 same way -- just send "unsubscribe linux-ipsec").</DD>
507 <DT>Check back at this web page every once in a while</DT>
508 <DD>I update this page periodically, and there may be new information
509 in it that you haven't seen. My intent is to send email to the
510 mailing list when I update the page in any significant way, so
511 subscribing to the list is an alternative.</DD>
513 <P>Would you like to help? I can use people who are willing to write
514 documentation, install early releases for testing, write cryptographic
515 code outside the United States, sell pre-packaged software or systems
516 including this technology, and teach classes for network
517 administrators who want to install this technology. To offer to help,
518 send me email at gnu@toad.com. Tell me what country you live in and
519 what your citizenship is (it matters due to the export control laws;
520 personally I don't care). Include a copy of your resume and the URL
521 of your home page. Describe what you'd like to do for the project,
522 and what you're uniquely qualified for. Mention what other volunteer
523 projects you've been involved in (and how they worked out). Helping
524 out will require that you be able to commit to doing particular
525 things, meet your commitments, and be responsive by email. Volunteer
526 projects just don't work without those things.</P>
527 <H4>Related projects</H4>
529 <DT>IPSEC for NetBSD</DT>
530 <DD>This prototype implementation of the IP Security protocols is for
531 another free operating system. <A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">
532 Download BSDipsec.tar.gz</A>.</DD>
533 <DT>IPSEC for <A href="http://www.openbsd.org">OpenBSD</A></DT>
534 <DD>This prototype implementation of the IP Security protocols is for
535 yet another free operating system. It is directly integrated into the
536 OS release, since the OS is maintained in Canada, which has freedom of
537 speech in software.</DD>
539 <H3><A name="policestate">Stopping wholesale monitoring</A></H3>
540 <P>From a message project leader John Gilmore posted to the mailing
545 > Indeed there are several ways in which the documentation overstates the
546 > scope of what this project does -- starting with the name
547 > FreeS/WAN. There's a big difference between having an encrypted IP tunnel
548 > versus having a Secure Wide-Area Network. This software does a fine job of
549 > the former, which is necessary but not sufficient for the latter.
551 The goal of the project is to make it very hard to tap your wide area
552 communications. The current system provides very good protection
553 against passive attacks (wiretapping and those big antenna farms).
554 Active attacks, which involve the intruder sending packets to your
555 system (like packets that break into sendmail and give them a root
556 shell :-) are much harder to guard against. Active attacks that
557 involve sending people (breaking into your house and replacing parts
558 of your computer with ones that transmit what you're doing) are also
559 much harder to guard against. Though we are putting effort into
560 protecting against active attacks, it's a much bigger job than merely
561 providing strong encryption. It involves general computer security,
562 and general physical security, which are two very expensive problems
563 for even a site to solve, let alone to build into a whole society.
565 The societal benefit of building an infrastructure that protects
566 well against passive attacks is that it makes it much harder to do
567 undetected bulk monitoring of the population. It's a defense against
568 police-states, not against policemen.
570 Policemen can put in the effort required to actively attack sites that
571 they have strong suspicions about. But police states won't be able to
572 build systems that automatically monitor everyone's communications.
573 Either they will be able to monitor only a small subset of the
574 populace (by targeting those who screwed up their passive security),
575 or their monitoring activities will be detectable by those monitored
576 (active attacks leave packet traces or footprints), which can then be
577 addressed through the press and through political means if they become
580 FreeS/WAN does not protect very well against traffic analysis, which
581 is a kind of widespread police-state style monitoring that still
582 reveals significant information (who's talking to who) without
583 revealing the contents of what was said. Defenses against traffic
584 analysis are an open research problem. Zero Knowledge Systems is
585 actively deploying a system designed to thwart it, designed by Ian
586 Goldberg. The jury is out on whether it actually works; a lot more
587 experience with it will be needed.
589 <P> Notes on things mentioned in that message: </P>
591 <LI>Denker is a co-author of a <A href="intro.html#applied">paper</A>
592 on a large FreeS/WAN application.</LI>
593 <LI> Information on Zero Knowledge is on their <A href="http://www.zks.net/">
594 web site</A>. Their Freedom product is designed to provide untracable
595 pseudonyms for use on the net.</LI>
596 <LI>Another section of our documentation discusses ways to <A href="ipsec.html#traffic.resist">
597 resist traffic analysis</A>. </LI>
599 <H2><A name="weak">Government promotion of weak crypto</A></H2>
600 <P> Various groups, especially governments and especially the US
601 government, have a long history of advocating various forms of bogus
603 <P> We regard bogus security as extremely dangerous. If users are
604 deceived into relying on bogus security, then they may be exposed to
605 large risks. They would be better off having no security and knowing
606 it. At least then they would be careful about what they said.</P>
607 <P><STRONG> Avoiding bogus security is a key design criterion for
608 everything we do in FreeS/WAN</STRONG>. The most conspicuous example is
609 our refusal to support <A href="desnotsecure">single DES</A>. Other
610 IPSEC "features" which we do not implement are discussed in our <A href="compat.html#dropped">
611 compatibility</A> document.</P>
612 <H3><A name="escrow">Escrowed encryption</A></H3>
613 <P> Various governments have made persistent attempts to encourage or
614 mandate "escrowed encrytion", also called "key recovery", or GAK for
615 "government access to keys". The idea is that cryptographic keys be
616 held by some third party and turned over to law enforcement or security
617 agencies under some conditions.</P>
619 Mary had cryptography
620 Her keys were in escrow
621 And everything that Mary said
622 The feds were sure to know
624 (If anyone knows the origin of that ditty, let <A href="mailto:sandy@storm.ca">
625 let me know</A> so I can credit the author.)
626 <P> There is an excellent paper available on <A href="http://www.cdt.org/crypto/risks98/">
627 Risks of Escrowed Encryption</A>, from a group of cryptographic
628 luminaries which included our project leader.</P>
629 <P> Like any unnecessary complication, GAK tends to weaken security of
630 any design it infects. For example: </P>
632 <LI>Matt Blaze found a fatal flaw in the US government's Clipper chip
633 shortly after design information became public. See his paper "Protocol
634 Failure in the Escrowed Encryption Standard" on his <A href="http://www.crypto.com/papers/">
635 papers</A> page.</LI>
636 <LI>a rather <A href="http://www.pgp.com/other/advisories/adk.asp">
637 nasty bug</A> has recently been found in the "additional decryption
638 keys" "feature" of recent releases of <A href="glossary.html#PGP">PGP</A>
641 <P> FreeS/WAN does not support escrowed encryption, and never will.</P>
642 <H3><A name="shortkeys">Limited key lengths</A></H3>
643 <P> Various governments, and some vendors, have also made persistent
644 attempts to convince people that: </P>
646 <LI>weak systems are sufficient for some data </LI>
647 <LI>strong cryptography should be reserved for cases where the extra
648 overheads are justified </LI>
650 <STRONG> This is nonsense</STRONG>.
651 <P> Weak systems touted include:</P>
653 <LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that
654 until recently were all various <A href="#exlaw">export laws</A>
656 <LI>56-bit single DES, discussed <A href="#desnotsecure">below</A></LI>
657 <LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for
658 unrestricted export under various current laws</LI>
660 <P> The notion that choice of ciphers or keysize should be determined
661 by a trade-off between security requirements and overheads is pure
664 <LI>For most <A href="glossary.html#symmetric">symmetric ciphers</A>,
665 it is simply a lie. Any block cipher has some natural maximum keysize
666 inherent in the design -- 128 bits for <A href="glossary.html#IDEA">
667 IDEA</A> or <A href="glossary.html#CAST128"> CAST-128</A>, 256 for any
668 of the <A href="glossary.html#AES"> AES</A> ciphers, 448 for <A href="glossary.html#Blowfish">
669 Blowfish</A> and 2048 for <A href="glossary.html#RC4"> RC4</A>. Using
670 any key size up to that natural limit the overheads are exactly what
671 they would be for the crippled 40-bit or 64-bit version of the cipher.</LI>
672 <LI>For the special case of <A href="glossary.html#3DES">triple DES</A>
673 there is a grain of truth in the argument. 3DES is indeed three times
674 slower than single DES. Of course it is also fast enough for many
675 applications. In cases where it isn't, the solution is not to use the
676 insecure single DES, but to pick a faster secure cipher. <A href="glossary.html#CAST128">
677 CAST-128</A>, <A href="glossary.html#Blowfish"> Blowfish</A> and the <A href="glossary.html#AES">
678 AES candidate</A> ciphers are are all considerably faster in software
679 than DES (let alone 3DES), and apparently secure.</LI>
680 <LI>For <A href="glossary.html#public">public key</A> techniques, there
681 are extra overheads for larger keys, but they generally do not affect
682 overall performance significantly. Practical public key applications
683 are usually <A href="glossary.html#hybrid">hybrid</A> systems in which
684 the bulk of the work is done by a symmetric cipher. The effect of
685 increasing the cost of the public key operations is typically
686 negligible because the public key operations use only a tiny fraction
687 of total resources. </LI>
688 <P> For example, suppose public key operations use use 1% of the time
689 in a hybrid system and you triple the cost of public key operations.
690 The cost of symmetric cipher operations is unchanged at 99% of the
691 original total cost, so the overall effect is a jump from 99 + 1 = 100
692 to 99 + 3 = 102, a 2% rise in system cost.</P>
694 <P> In short, <STRONG>there has never been any technical reason to use
695 inadequate ciphers</STRONG>. The only reason there has ever been for
696 anyone to use such ciphers is that government agencies want weak
697 ciphers used so that they can crack them. The alleged savings are
698 simply propaganda.</P>
699 <P> Of course, making systems secure does involve costs, and trade-offs
700 can be made between cost and security. There can be substantial
701 hardware and software costs. There are almost always substantial staff
702 or contracting costs: </P>
704 <LI>Security takes staff time for planning, implementation and
705 auditing. Some of the issues are subtle; you need good (hence often
706 expensive) people for this. </LI>
707 <LI>You also need people to monitor your systems and respond to
708 problems. The best safe ever built is insecure if an attacker can work
709 on it for days without anyone noticing. Any computer is insecure if the
710 administrator is "too busy" to check the logs. </LI>
711 <LI>Moreover, someone in your organisation (or on contract to it) needs
712 to spend considerable time keeping up with new developments.
714 <LI>When some novel attack threatens some program you use, someone
716 <LI>When the vendor provides a patch that fixes the vulnerability,
717 someone should apply it. </LI>
718 <P> For a fairly awful example, see this <A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
719 report</A>. In that case over a million credit card numbers were taken
720 from e-commerce sites, using security flaws in Windows NT servers.
721 Microsoft had long since released patches for most or all of the flaws,
722 but the site administrators had not applied them. </P>
723 <LI>If the vendor does nothing, someone should do at least one of:
725 <LI>raise hell with the vendor </LI>
726 <LI> raise the question of changing vendors </LI>
730 At an absolute minimum, you must do something about such issues <EM>
731 before</EM> an exploitation tool is posted to the net for downloading
732 by dozens of "script kiddies". Such a tool might appear at any time
733 from the announcement of the security hole to several months later.
734 Once it appears, anyone with a browser and an attitude can break any
735 system whose administrators have done nothing about the flaw. </LI>
736 <LI>There are often substantial training costs, both to train
737 administrators and to increase user awareness of security issues and
740 <P> Compared to those costs, cipher overheads are an insignificant
741 factor in the cost of security. Note, however, that choosing an
742 insecure cipher can cause all your other investment to be wasted.</P>
743 <P> Our policy in FreeS/WAN is to use only cryptographic components
744 with adequate keylength and no known weaknesses. </P>
746 <LI>We do not implement single DES because it is clearly <A href="#desnotsecure">
747 insecure</A>, so implemeting it would violate our policy of avoiding
748 bogus security. Our default cipher is <A href="glossary.html#3DES">3DES</A>
750 <LI> Similarly, we do not implement the 768-bit Group 1 for <A href="glossary.html#DH">
751 Diffie-Hellman</A> key negotiation. It is not clear that this is
752 secure, so we provide only the 1024-bit Group 2 and 1536-bit Group 5.</LI>
754 <P> These decisions imply that we cannot fully conform to the IPSEC
755 RFCs, since those have DES as the only required cipher and Group 1 as
756 the only required DH group. (In our view, the standards were subverted
757 into offerring bogus security.) Fortunately, we can still interoperate
758 with most other IPSEC implementations since nearly all implementers
759 provide at least 3DES and Group 2 as well.</P>
760 <P> We hope that eventually the RFCs will catch up with our (and
761 others') current practice and reject dubious components. Some of our
762 team and a number of others are working on this in <A href="glossary.html#IETF">
763 IETF</A> working groups.</P>
764 <H2><A name="exlaw">Cryptography Export Laws</A></H2>
765 <P>Many nations restrict the export of cryptography and some restrict
766 its use by their citizens or others within their borders.</P>
767 <H3><A name="USlaw">US Law</A></H3>
768 <P>US laws, as currently interpreted by the US government, forbid
769 export of most cryptographic software from the US in machine-readable
770 form without government permission. In general, the restrictions apply
771 even if the software is widely-disseminated or public-domain and even
772 if it came from outside the US originally. Cryptography is legally a
773 munition and export is tightly controlled under the <A href="glossary.html#EAR">
774 EAR</A> Export Administration Regulations.</P>
775 <P>If you are a US citizen, your brain is considered US territory no
776 matter where it is physically located at the moment. The US believes
777 that its laws apply to its citizens everywhere, not just within the
778 US. Providing technical assistance or advice to foreign "munitions"
779 projects is illegal. The US government has very little sense of humor
780 about this issue and does not consider good intentions to be
781 sufficient excuse. Beware.</P>
782 <P>The <A href="http://www.bxa.doc.gov/Encryption/">official website</A>
783 for these regulations is run by the Commerce Department's Bureau of
784 Export Administration (BXA). Information on various challenges to them
785 is indexed in the <A href="ftp://ftp.cygnus.com/pub/export/export.html">
786 Cryptography Export Control Archives</A>. </P>
787 <P> The <A href="http://www.eff.org/bernstein/">Bernstein case</A>
788 challenges the export restrictions on Constitutional grounds. Code is
789 speech so restrictions on export of code violate the First Amendment's
790 free speech provisions. This argument has succeeded in two levels of
791 court so far. It is quite likely to go on to the Supreme Court.</P>
792 <P> The regulations were changed substantially in January 2000,
793 apparently as a government attempt to get off the hook in the Bernstein
794 case. It is now legal to export public domain source code for
795 encryption, provided you notify the <A href="glossary.html#BXA">BXA</A>
797 <P> There are, however, still restrictions in force. See this <A href="">
798 article</A>. Moreover, the regulations can still be changed again
799 whenever the government chooses to do so. Short of a Supreme Court
800 ruling (in the Berstein case or another) that overturns the regulations
801 completely, the problem of export regulation is not likely to go away
802 in the forseeable future. </P>
803 <H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4>
804 <P>The FreeS/WAN project <STRONG>cannot accept software contributions, <EM>
805 not even small bug fixes</EM>, from US citizens or residents</STRONG>.
806 We want it to be absolutely clear that our distribution is not subject
807 to US export law. Any contribution from an American might open that
808 question to a debate we'd prefer to avoid. It might also put the
809 contributor at serious legal risk.</P>
810 <P>Of course Americans can still make valuable contributions (many
811 already have) by reporting bugs, or otherwise contributing to
812 discussions, on the project <A href="mail.html">mailing list</A>.
813 Since the list is public, this is clearly constitutionally protected
815 <P> Note, however, that the export laws restrict Americans from
816 providing technical assistance to foreign "munitions" projects. The
817 government might claim that private discussions or correspondence with
818 FreeS/WAN developers were covered by this. It is not clear what the
819 courts would do with such a claim, so we strongly encourage Americans
820 to use the list rather than risk the complications.</P>
821 <H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3>
822 <P>Some quotes from prominent cryptography experts:</P>
823 <BLOCKQUOTE> The real aim of current policy is to ensure the continued
824 effectiveness of US information warfare assets against individuals,
825 businesses and governments in Europe and elsewhere.
826 <BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson,
827 Cambridge University</A></BLOCKQUOTE><BLOCKQUOTE> If the government
828 were honest about its motives, then the debate about crypto export
829 policy would have ended years ago.
830 <BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane
831 Systems</A></BLOCKQUOTE><BLOCKQUOTE> We should not be building
832 surveillance technology into standards. Law enforcement was not
833 supposed to be easy. Where it is easy, it's called a police state.
834 <BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap
835 capability on the net, as quoted by <A href="http://www.wired.com/news/politics/0,1283,31895,00.html">
836 Wired</A>.</BLOCKQUOTE>
837 <P>The Internet Architecture Board (IAB) and the Internet Engineering
838 Steering Group (IESG) made a <A href="iab-iesg.stmt">strong statement</A>
839 in favour of worldwide access to strong cryptography. Essentially the
840 same statement is in the appropriately numbered <A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">
841 RFC 1984</A>. Two critical paragraphs are:</P>
842 <BLOCKQUOTE> We believe that such policies are against the interests of
843 consumers and the business community, are largely irrelevant to issues
844 of military security, and provide only a marginal or illusory benefit
845 to law enforcement agencies, as discussed below.
846 <P>The IAB and IESG would like to encourage policies that allow ready
847 access to uniform strong cryptographic technology for all Internet
848 users in all countries.</P>
850 <P>Our goal in the FreeS/WAN project is to build just such "strong
851 cryptographic technology" and to distribute it "for all Internet users
852 in all countries".</P>
853 <P>More recently, the same two bodies (IESG and IAB) have issued <A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">
854 RFC 2804</A> on why the IETF should not build wiretapping capabilities
855 into protocols for the convenience of security or law enforcement
857 <P>Our goal is to go beyond that and prevent Internet wiretapping
859 <H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3>
860 <P>Restrictions on the export of cryptography are not just US policy,
861 though some consider the US at least partly to blame for the policies
862 of other nations in this area.</P>
863 <P>A number of countries:</P>
864 <P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech
865 Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland,
866 Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland,
867 Portugal, Republic of Korea, Romania, Russian Federation, Slovak
868 Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom
869 and United States</P>
870 <P>have signed the Wassenaar Arrangement which restricts export of
871 munitions and other tools of war. Cryptographic sofware is covered
873 <P>Wassenaar details are available from the <A href="http://www.wassenaar.org/">
874 Wassenaar Secretariat</A>, and elsewhere in a more readable <A href="http://www.fitug.de/news/wa/index.html">
875 HTML version</A>.</P>
876 <P>For a critique see the <A href="http://www.gilc.org/crypto/wassenaar">
878 <BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a
879 campaign calling for the removal of cryptography controls from the
880 Wassenaar Arrangement.
881 <P>The aim of the Wassenaar Arrangement is to prevent the build up of
882 military capabilities that threaten regional and international
883 security and stability . . .</P>
884 <P>There is no sound basis within the Wassenaar Arrangement for the
885 continuation of any export controls on cryptographic products.</P>
887 <P>We agree entirely.</P>
888 <P> An interesting analysis of Wassenaar can be found on the <A href="http://www.cyber-rights.org/crypto/wassenaar.htm">
889 cyber-rights.org</A> site. </P>
890 <H3><A name="status">Export status of Linux FreeS/WAN</A></H3>
891 <P>We believe our software is entirely exempt from these controls since
892 the Wassenaar <A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">
893 General Software Note</A> says:</P>
894 <BLOCKQUOTE> The Lists do not control "software" which is either:
896 <LI>Generally available to the public by . . . retail . . . or</LI>
897 <LI>"In the public domain".</LI>
900 <P>There is a note restricting some of this, but it is a sub-heading
901 under point 1, so it appears not to apply to public domain software.</P>
902 <P>Their glossary defines "In the public domain" as:</P>
903 <BLOCKQUOTE> . . . "technology" or "software" which has been made
904 available without restrictions upon its further dissemination.
905 <P>N.B. Copyright restrictions do not remove "technology" or "software"
906 from being "in the public domain".</P>
908 <P>We therefore believe that software freely distributed under the <A href="glossary.html#GPL">
909 GNU Public License</A>, such as Linux FreeS/WAN, is exempt from
910 Wassenaar restrictions.</P>
911 <P>Most of the development work is being done in Canada. Our
912 understanding is that the Canadian government accepts this
915 <LI>A web statement of <A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm">
916 Canadian policy</A> is available from the Department of Foreign
917 Affairs and International Trade.</LI>
918 <LI>Another document from that department states that <A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">
919 public domain software</A> is exempt from the export controls.</LI>
920 <LI>A researcher's <A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">
921 analysis</A> of Canadian policy is also available.</LI>
923 <P>Recent copies of the freely modifiable and distributable source code
924 exist in many countries. Citizens all over the world participate in
925 its use and evolution, and guard its ongoing distribution. Even if
926 Canadian policy were to change, the software would continue to evolve
927 in countries which do not restrict exports, and would continue to be
928 imported from there into unfree countries. "The Net culture treats
929 censorship as damage, and routes around it."</P>
930 <H3><A name="help">Help spread IPSEC around</A></H3>
931 <P> You can help. If you don't know of a Linux FreeS/WAN archive in
932 your own country, please download it now to your personal machine, and
933 consider making it publicly accessible if that doesn't violate your own
934 laws. If you have the resources, consider going one step further and
935 setting up a mirror site for the whole <A href="intro.html#munitions">
936 munitions</A> Linux crypto software archive.</P>
937 <P>If you make Linux CD-ROMs, please consider including this code, in a
938 way that violates no laws (in a free country, or in a domestic-only CD
940 <P>Please send a note about any new archive mirror sites or CD
941 distributions to linux-ipsec@clinet.fi so we can update the
943 <P>Lists of current <A href="intro.html#sites">mirror sites</A> and of <A
944 href="intro.html#distwith">distributions</A> which include FreeS/WAN
945 are in our introduction section.</P>
946 <H2><A name="desnotsecure">DES is Not Secure</A></H2>
947 <P>DES, the <STRONG>D</STRONG>ata <STRONG>E</STRONG>ncryption <STRONG> S</STRONG>
948 tandard, can no longer be considered secure. While no major flaws in
949 its innards are known, it is fundamentally inadequate because its <STRONG>
950 56-bit key is too short</STRONG>. It is vulnerable to <A href="glossary.html#brute">
951 brute-force search</A> of the whole key space, either by large
952 collections of general-purpose machines or even more quickly by
953 specialized hardware. Of course this also applies to <STRONG>any other
954 cipher with only a 56-bit key</STRONG>. The only reason anyone could
955 have for using a 56 or 64-bit key is to comply with various <A href="exportlaw.html">
956 export laws</A> intended to ensure the use of breakable ciphers.</P>
957 <P>Non-government cryptologists have been saying DES's 56-bit key was
958 too short for some time -- some of them were saying it in the 70's
959 when DES became a standard -- but the US government has consistently
960 ridiculed such suggestions.</P>
961 <P>A group of well-known cryptographers looked at key lengths in a <A href="http://www.counterpane.com/keylength.html">
962 1996 paper</A>. They suggested a <EM>minimum</EM> of 75 bits to
963 consider an existing cipher secure and a <EM>minimum of 90 bits for
964 new ciphers</EM>. More recent papers, covering both <A href="glossary.html#symmetric">
965 symmetric</A> and <A href="glossary.html#public">public key</A> systems
966 are at <A href="http://www.cryptosavvy.com/">cryptosavvy.com</A> and <A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">
967 rsa.com</A>. For all algorithms, the minimum keylengths recommended in
968 such papers are significantly longer than the maximums allowed by
969 various export laws.</P>
970 <P> In a <A href="http://www.thestandard.net/articles/display/0,1449,1780,00.html">
971 1998 ruling</A>, a German court described DES as "out-of-date and not
972 safe enough" and held a bank liable for using it.</P>
973 <H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3>
974 <P>The question of DES security has now been settled once and for all.
975 In early 1998, the <A href="http://www.eff.org/">Electronic Frontier
976 Foundation</A> built a <A href="http://www.eff.org/descracker.html">
977 DES-cracking machine</A>. It can find a DES key in an average of a few
978 days' search. The details of all this, including complete code
979 listings and complete plans for the machine, have been published in <A href="biblio.html#EFF">
980 <CITE>Cracking DES</CITE></A>, by the Electronic Frontier Foundation.</P>
981 <P> That machine cost just over $200,000 to design and build. "Moore's
982 Law" is that machines get faster (or cheaper, for the same speed) by
983 roughly a factor of two every 18 months. At that rate, their $200,000
984 in 1998 becomes $50,000 in 2001. </P>
985 <P> However, Moore's Law is not exact and the $50,000 estimate does not
986 allow for the fact that a copy based on the published EFF design would
987 of course cost far less than the original. We cannot say exactly what
988 such a cracker would cost today, but it would likely be somewhere
989 between $10,000 and $100,000. </P>
990 <P> A large corporation could build one of these out of petty cash. The
991 cost is low enough for a senior manager to hide it in a departmental
992 budget and avoid having to announce or justify the project. Any
993 government agency, from a major municipal police force up, could afford
994 one. Or any other group with a respectable budget -- criminal
995 organisations, political groups, labour unions, religious groups, ...
996 Or any millionaire with an obsession or a grudge, or just strange taste
998 <P>One might wonder if a private security or detective agency would
999 have one for rent. They wouldn't need many clients to pay off that
1001 <H3><A name="spooks">Spooks may break DES faster yet</A></H3>
1002 <P>As for the security and intelligence agencies of various nations,
1003 some of them may have had DES crackers for years. Possibly very fast
1004 ones! Cipher-cracking is one of the few known applications which is
1005 easy to speed up by just adding more processors and memory. Within
1006 very broad limits, you can make it as fast as you like if you have the
1007 budget. The EFF's $200,000 machine breaks DES in a few days. An <A href="http://www.planepage.com/">
1008 aviation website</A> gives the cost of a B1 bomber as $200,000,000.
1009 Spending that much, an intelligence agency could expect to break DES
1010 in an average time of <EM>six and a half minutes</EM>.</P>
1011 <P>That estimate assumes they use the EFF's 1998 technology and just
1012 spend more money. They may have an attack that is superior to brute
1013 force, they quite likely have better chip technology (Moore's law, a
1014 bigger budget, and whatever secret advances they may have made) and of
1015 course they may have spent the price of an aircraft carrier, not just
1017 <P>In short, we have <EM>no idea</EM> how quickly these organisations
1018 can break DES. Unless they're grossly incompetent, they can certainly
1019 do it more quickly than the users of the cipher would like, but beyond
1020 that we can't say. Pick any time unit between days and milliseconds.
1021 None of these is entirely unbelievable. More to the point, none of
1022 them is of any comfort if you don't want such organisations reading
1023 your communications.</P>
1024 <P>Note that this may be a concern even if nothing you do is a threat
1025 to anyone's national security. An intelligence agency might well
1026 consider it to be in their national interest for certain companies to
1027 do well. If you're competing against such companies in a world market
1028 and that agency can read your secrets, you have a serious problem. For
1029 example, see this <A href="http://www.msnbc.com/news/403435.asp?cp1=1">
1030 NBC story</A> or this <A href="http://cryptome.org/dp/Econ_Espionage.htm">
1031 analysis</A>. The US are the villains in those pieces, but there is no
1032 reason to imagine they are the only threat.</P>
1033 <P>One might wonder about technology the former Soviet Union and its
1034 allies developed for cracking DES during the Cold War. They must have
1035 tried; the cipher was an American standard and widely used. How well
1036 did they succeed? Is their technology now for sale or rent?</P>
1037 <H3><A name="desnet">Networks break DES in a few weeks</A></H3>
1038 <P>Before the definitive EFF effort, DES had been cracked several times
1039 by people using many machines. See this <A href="http://www.distributed.net/pressroom/DESII-1-PR.html">
1040 press release</A> for example.</P>
1041 <P>A major corporation, university, or government department could
1042 break DES by using spare cycles on their existing collection of
1043 computers, by dedicating a group of otherwise surplus machines to the
1044 problem, or by combining the two approaches. It might take them weeks
1045 or months, rather than the days required for the EFF machine, but they
1047 <P>What about someone working alone, without the resources of a large
1048 organisation? For them, cracking DES will not be easy, but it may be
1049 possible. A few thousand dollars buys a lot of surplus workstations. A
1050 pile of such machines will certainly heat your garage nicely and might
1051 break DES in a few months or years. Or enroll at a university and use
1052 their machines. Or use an employer's machines. Or crack security
1053 somewhere and steal the resources to crack a DES key. Or write a virus
1054 that steals small amounts of resources on many machines. Or . . .</P>
1055 <P>None of these approaches are easy or break DES really quickly, but
1056 an attacker only needs to find one that is feasible and breaks DES
1057 quickly enough to be dangerous. How much would you care to bet that
1058 this will be impossible if the attacker is clever and determined? How
1059 valuable is your data? Are you authorised to risk it on a dubious bet?</P>
1060 <H3><A name="no_des">We disable DES</A></H3>
1061 <P>In short, it is now absolutely clear that <STRONG>DES is not secure</STRONG>
1064 <LI>any <STRONG>well-funded opponent</STRONG></LI>
1065 <LI>any opponent (even a penniless one) with access (even stolen
1066 access) to <STRONG>enough general purpose computers</STRONG></LI>
1068 <P>That is why <STRONG>Linux FreeS/WAN disables all transforms which
1069 use plain DES</STRONG> for encryption.</P>
1070 <P>DES is in the source code, because we need DES to implement our
1071 default encryption transform, <A href="glossary.html#3DES">Triple DES</A>
1072 . <STRONG>We urge you not to use single DES</STRONG>. We do not
1073 provide any easy way to enable it in FreeS/WAN, and our policy is to
1074 provide no assistance to anyone wanting to do so.</P>
1075 <H3><A name="40joke">40-bits is laughably weak</A></H3>
1076 <P>The same is true, in spades, of ciphers -- DES or others -- crippled
1077 by 40-bit keys, as many ciphers were required to be until recently
1078 under various <A href="#exlaw">export laws</A>. A brute force search
1079 of such a cipher's keyspace is 2<SUP>16</SUP> times faster than a
1080 similar search against DES. The EFF's machine can do a brute-force
1081 search of a 40-bit key space in <EM>seconds</EM>. One contest to crack
1082 a 40-bit cipher was won by a student <A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1">
1083 using a few hundred idle machines at his university</A>. It took only
1084 three and half hours.</P>
1085 <P>We do not, and will not, implement any 40-bit cipher.</P>
1086 <H3><A name="altdes">Triple DES is almost certainly secure</A></H3>
1087 <P><A href="glossary.html#3DES">Triple DES</A>, usually abbreviated
1088 3DES, applies DES three times, with three different keys. DES seems to
1089 be basically an excellent cipher design; it has withstood several
1090 decades of intensive analysis without any disastrous flaws being
1091 found. It's only major flaw is that the small keyspace allows brute
1092 force attacks to succeeed. Triple DES enlarges the key space to 168
1093 bits, making brute-force search a ridiculous impossibility.</P>
1094 <P>3DES is currently the only block cipher implemented in FreeS/WAN.
1095 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs
1096 still do it at quite respectable speeds. Some <A href="glossary.html#benchmarks">
1097 speed measurements</A> for our code are available.</P>
1098 <H3><A name="aes.ipsec">AES in IPSEC</A></H3>
1099 <P> The <A href="glossary.html#AES">AES</A> project has recently chosen
1100 a replacement for DES, a new standard cipher for use in non-classified
1101 US government work and in regulated industries such as banking. This
1102 cipher will almost certainly become widely used for many applications,
1103 including IPSEC, but perhaps not quickly.</P>
1104 <P> The winner, announced in October 2000 after several years of
1105 analysis and discussion, was the <A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">
1106 Rijndael</A> cipher from two Belgian designers. </P>
1107 <P> It is likely that many IPSEC implementations will add Rijndael
1108 support over the next few months or years. FreeS/WAN will almost
1109 certainly do so, but it is not high on the priority list. This might
1110 be an excellent project for a volunteer.</P>
1111 <H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2>
1112 <H3><A NAME="11_6_1">FreeS/WAN 1.0 press</A></H3>
1114 <LI><A href="http://www.wired.com/news/news/technology/story/19136.html">
1115 Wired</A> "Linux-Based Crypto Stops Snoops", James Glave April 15 1999</LI>
1116 <LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml">
1118 <LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar
1119 Group Limited; looking at FreeS/WAN from a perspective of business
1121 <LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI>
1122 <LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>
1123 , Tasty Bits from the Technology Front</LI>
1124 <LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">
1125 Salon Magazine</A> "Free Encryption Takes a Big Step"</LI>
1127 <H3><A name="release">Press release for version 1.0</A></H3>
1129 Strong Internet Privacy Software Free for Linux Users Worldwide
1131 Toronto, ON, April 14, 1999 -
1133 The Linux FreeS/WAN project today released free software to protect
1134 the privacy of Internet communications using strong encryption codes.
1135 FreeS/WAN automatically encrypts data as it crosses the Internet, to
1136 prevent unauthorized people from receiving or modifying it. One
1137 ordinary PC per site runs this free software under Linux to become a
1138 secure gateway in a Virtual Private Network, without having to modify
1139 users' operating systems or application software. The project built
1140 and released the software outside the United States, avoiding US
1141 government regulations which prohibit good privacy protection.
1142 FreeS/WAN version 1.0 is available immediately for downloading at
1143 http://www.xs4all.nl/~freeswan/.
1145 "Today's FreeS/WAN release allows network administrators to build
1146 excellent secure gateways out of old PCs at no cost, or using a cheap
1147 new PC," said John Gilmore, the entrepreneur who instigated the
1148 project in 1996. "They can build operational experience with strong
1149 network encryption and protect their users' most important
1150 communications worldwide."
1152 "The software was written outside the United States, and we do not
1153 accept contributions from US citizens or residents, so that it can be
1154 freely published for use in every country," said Henry Spencer, who
1155 built the release in Toronto, Canada. "Similar products based in the
1156 US require hard-to-get government export licenses before they can be
1157 provided to non-US users, and can never be simply published on a Web
1158 site. Our product is freely available worldwide for immediate
1159 downloading, at no cost."
1161 FreeS/WAN provides privacy against both quiet eavesdropping (such as
1162 "packet sniffing") and active attempts to compromise communications
1163 (such as impersonating participating computers). Secure "tunnels" carry
1164 information safely across the Internet between locations such as a
1165 company's main office, distant sales offices, and roaming laptops. This
1166 protects the privacy and integrity of all information sent among those
1167 locations, including sensitive intra-company email, financial transactions
1168 such as mergers and acquisitions, business negotiations, personal medical
1169 records, privileged correspondence with lawyers, and information about
1170 crimes or civil rights violations. The software will be particularly
1171 useful to frequent wiretapping targets such as private companies competing
1172 with government-owned companies, civil rights groups and lawyers,
1173 opposition political parties, and dissidents.
1175 FreeS/WAN provides privacy for Internet packets using the proposed
1176 standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN
1177 negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
1178 keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern
1179 $500 PC can set up a tunnel in less than a second, and can encrypt
1180 6 megabits of packets per second, easily handling the whole available
1181 bandwidth at the vast majority of Internet sites. In preliminary testing,
1182 FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
1183 Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code,
1184 its innards are open to review by outside experts and sophisticated users,
1185 reducing the chance of undetected bugs or hidden security compromises.
1187 The software has been in development for several years. It has been
1188 funded by several philanthropists interested in increased privacy on
1189 the Internet, including John Gilmore, co-founder of the Electronic
1190 Frontier Foundation, a leading online civil rights group.
1193 Hugh Daniel, +1 408 353 8124, hugh@toad.com
1194 Henry Spencer, +1 416 690 6561, henry@spsystems.net
1196 * FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
1197 Security, Inc; used by permission.
1200 <A HREF="toc.html">Contents</a>
1201 <A HREF="interop.html">Previous</a>
1202 <A HREF="ipsec.html">Next</a>