3 <meta http-equiv="Content-Type" content="text/html">
4 <title>History and politics of cryptography</title>
6 content="Linux, IPsec, VPN, security, FreeSWAN, cryptography, history, politics">
9 Written by Sandy Harris for the Linux FreeS/WAN project
10 Freely distributable under the GNU General Public License
12 More information at www.freeswan.org
13 Feedback to users@lists.freeswan.org
16 RCS ID: $Id: politics.html,v 1.43 2002/03/24 18:47:36 sandy Exp $
17 Last changed: $Date: 2002/03/24 18:47:36 $
18 Revision number: $Revision: 1.43 $
20 CVS revision numbers do not correspond to FreeS/WAN release numbers.
25 <h1><a name="politics">History and politics of cryptography</a></h1>
27 <p>Cryptography has a long and interesting history, and has been the subject
28 of considerable political controversy.</p>
30 <h2><a name="intro.politics">Introduction</a></h2>
34 <p>The classic book on the history of cryptography is David Kahn's <a
35 href="biblio.html#Kahn">The Codebreakers</a>. It traces codes and
36 codebreaking from ancient Egypt to the 20th century.</p>
38 <p>Diffie and Landau <a href="biblio.html#diffie">Privacy on the Line: The
39 Politics of Wiretapping and Encryption</a> covers the history from the First
40 World War to the 1990s, with an emphasis on the US.</p>
44 <p>During the Second World War, the British "Ultra" project achieved one of
45 the greatest intelligence triumphs in the history of warfare, breaking many
46 Axis codes. One major target was the Enigma cipher machine, a German device
47 whose users were convinced it was unbreakable. The American "Magic" project
48 had some similar triumphs against Japanese codes.</p>
50 <p>There are many books on this period. See our bibliography for several. Two
51 I particularly like are:</p>
53 <li>Andrew Hodges has done a superb <a
54 href="http://www.turing.org.uk/book/">biography</a> of Alan Turing, a key
55 player among the Ultra codebreakers. Turing was also an important
56 computer pioneer. The terms <a
57 href="http://www.abelard.org/turpap/turpap.htm">Turing test</a> and <a
58 href="http://plato.stanford.edu/entries/turing-machine/">Turing
59 machine</a> are named for him, as is the <a
60 href="http://www.acm.org">ACM</a>'s highest technical <a
61 href="http://www.acm.org/awards/taward.html">award</a>.</li>
62 <li>Neal Stephenson's <a href="biblio.html#neal">Cryptonomicon</a> is a
63 novel with cryptography central to the plot. Parts of it take place
64 during WW II, other parts today.</li>
67 <p>Bletchley Park, where much of the Ultra work was done, now has a museum
68 and a <a href="http://www.bletchleypark.org.uk/">web site</a>.</p>
70 <p>The Ultra work introduced three major innovations.</p>
72 <li>The first break of Enigma was achieved by Polish Intelligence in 1931.
73 Until then most code-breakers had been linguists, but a different
74 approach was needed to break machine ciphers. Polish Intelligence
75 recruited bright young mathematicians to crack the "unbreakable" Enigma.
76 When war came in 1939, the Poles told their allies about this, putting
77 Britain on the road to Ultra. The British also adopted a mathematical
79 <li>Machines were extensively used in the attacks. First the Polish "Bombe"
80 for attacking Enigma, then British versions of it, then machines such as
81 Collosus for attacking other codes. By the end of the war, some of these
82 machines were beginning to closely resemble digital computers. After the
83 war, a team at Manchester University, several old Ultra hands included,
84 built one of the world's first actual general-purpose digital
86 <li>Ultra made codebreaking a large-scale enterprise, producing
87 intelligence on an industrial scale. This was not a "black chamber", not
88 a hidden room in some obscure government building with a small crew of
89 code-breakers. The whole operation -- from wholesale interception of
90 enemy communications by stations around the world, through large-scale
91 code-breaking and analysis of the decrypted material (with an enormous
92 set of files for cross-referencing), to delivery of intelligence to field
93 commanders -- was huge, and very carefully managed.</li>
96 <p>So by the end of the war, Allied code-breakers were expert at large-scale
97 mechanised code-breaking. The payoffs were enormous.</p>
99 <h4><a name="postwar">Postwar and Cold War</a></h4>
101 <p>The wartime innovations were enthusiastically adopted by post-war and Cold
102 War signals intelligence agencies. Presumably many nations now have some
103 agency capable of sophisticated attacks on communications security, and quite
104 a few engage in such activity on a large scale.</p>
106 <p>America's <a href="glossary.html#NSA">NSA</a>, for example, is said to be
107 both the world's largest employer of mathematicians and the world's largest
108 purchaser of computer equipment. Such claims may be somewhat exaggerated, but
109 beyond doubt the NSA -- and similar agencies in other countries -- have some
110 excellent mathematicians, lots of powerful computers, sophisticated software,
111 and the organisation and funding to apply them on a large scale. Details of
112 the NSA budget are secret, but there are some published <a
113 href="http://www.fas.org/irp/nsa/nsabudget.html">estimates</a>.</p>
115 <p>Changes in the world's communications systems since WW II have provided
116 these agencies with new targets. Cracking the codes used on an enemy's
117 military or diplomatic communications has been common practice for centuries.
118 Extensive use of radio in war made large-scale attacks such as Ultra
119 possible. Modern communications make it possible to go far beyond that.
120 Consider listening in on cell phones, or intercepting electronic mail, or
121 tapping into the huge volumes of data on new media such as fiber optics or
122 satellite links. None of these targets existed in 1950. All of them can be
123 attacked today, and almost certainly are being attacked.</p>
125 <p>The Ultra story was not made public until the 1970s. Much of the recent
126 history of codes and code-breaking has not been made public, and some of it
127 may never be. Two important books are:</p>
129 <li>Bamford's <a href="biblio.html#puzzle">The Puzzle Palace</a>, a history
131 <li>Hager's <a href="http://www.fas.org/irp/eprint/sp/index.html">Secret
132 Power</a>, about the <a
133 href="http://sg.yahoo.com/government/intelligence/echelon_network/">Echelon</a>
134 system -- the US, UK, Canada, Australia and New Zealand co-operating to
135 monitor much of the world's communications.</li>
138 <p>Note that these books cover only part of what is actually going on, and
139 then only the activities of nations open and democratic enough that (some of)
140 what they are doing can be discovered. A full picture, including:</p>
142 <li>actions of the English-speaking democracies not covered in those
144 <li>actions of other more-or-less sane governments</li>
145 <li>the activities of various more-or-less insane governments</li>
146 <li>possibilities for unauthorized action by government employees</li>
147 <li>possible actions by large non-government organisations: corporations,
148 criminals, or conspiracies</li>
151 <p>might be really frightening.</p>
153 <h4><a name="recent">Recent history -- the crypto wars</a></h4>
155 <p>Until quite recently, cryptography was primarily a concern of governments,
156 especially of the military, of spies, and of diplomats. Much of it was
157 extremely secret.</p>
159 <p>In recent years, that has changed a great deal. With computers and
160 networking becoming ubiquitous, cryptography is now important to almost
161 everyone. Among the developments since the 1970s:</p>
163 <li>The US gov't established the Data Encryption Standard, <a
164 href="glossary.html#DES">DES</a>, a <a href="glossary.html#block">block
165 cipher</a> for cryptographic protection of unclassfied documents.</li>
166 <li>DES also became widely used in industry, especially regulated
167 industries such as banking.</li>
168 <li>Other nations produced their own standards, such as <a
169 href="glossary.html#GOST">GOST</a> in the Soviet Union.</li>
170 <li><a href="glossary.html#public">Public key</a> cryptography was invented
171 by Diffie and Hellman.</li>
172 <li>Academic conferences such as <a
173 href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">Crypto</a> and
175 href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">Eurocrypt</a>
177 <li>Several companies began offerring cryptographic products: <a
178 href="glossary.html#RSAco">RSA</a>, <a href="glossary.html#PGPI">PGP</a>,
179 the many vendors with <a href="glossary.html#PKI">PKI</a> products,
181 <li>Cryptography appeared in other products: operating systems, word
183 <li>Network protocols based on crypto were developed: <a
184 href="glossary.html#SSH">SSH</a>, <a href="glossary.html#SSL">SSL</a>, <a
185 href="glossary.html#IPsec">IPsec</a>, ...</li>
186 <li>Crytography came into widespread use to secure bank cards, terminals,
188 <li>The US government replaced <a href="glossary.html#DES">DES</a> with the
189 much stronger Advanced Encryption Standard, <a
190 href="glossary.html#AES">AES</a></li>
193 <p>This has led to a complex ongoing battle between various mainly government
194 groups wanting to control the spread of crypto and various others, notably
195 the computer industry and the <a
196 href="http://online.offshore.com.ai/security/">cypherpunk</a> crypto
197 advocates, wanting to encourage widespread use.</p>
199 <p>Steven Levy has written a fine history of much of this, called <a
200 href="biblio.html#crypto">Crypto: How the Code rebels Beat the Government --
201 Saving Privacy in the Digital Age</a>.</p>
203 <p>The FreeS/WAN project is to a large extent an outgrowth of cypherpunk
204 ideas. Our reasons for doing the project can be seen in these quotes from the
206 href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">Cypherpunk
210 Privacy is necessary for an open society in the electronic age. ...
212 <p>We cannot expect governments, corporations, or other large, faceless
213 organizations to grant us privacy out of their beneficence. It is to their
214 advantage to speak of us, and we should expect that they will speak.
217 <p>We must defend our own privacy if we expect to have any. ...</p>
219 <p>Cypherpunks write code. We know that someone has to write software to
220 defend privacy, and since we can't get privacy unless we all do, we're
221 going to write it. We publish our code so that our fellow Cypherpunks may
222 practice and play with it. Our code is free for all to use, worldwide. We
223 don't much care if you don't approve of the software we write. We know
224 that software can't be destroyed and that a widely dispersed system can't
227 <p>Cypherpunks deplore regulations on cryptography, for encryption is
228 fundamentally a private act. ...</p>
230 <p>For privacy to be widespread it must be part of a social contract.
231 People must come and together deploy these systems for the common good.
235 <p>To quote project leader John Gilmore:</p>
238 We are literally in a race between our ability to build and deploy
239 technology, and their ability to build and deploy laws and treaties.
240 Neither side is likely to back down or wise up until it has definitively
241 lost the race.</blockquote>
243 <p>If FreeS/WAN reaches its goal of making <a
244 href="intro.html#opp.intro">opportunistic encryption</a> widespread so that
245 secure communication can become the default for a large part of the net, we
246 will have struck a major blow.</p>
248 <h3><a name="intro.poli">Politics</a></h3>
250 <p>The political problem is that nearly all governments want to monitor their
251 enemies' communications, and some want to monitor their citizens. They may be
252 very interested in protecting some of their own communications, and often
253 some types of business communication, but not in having everyone able to
254 communicate securely. They therefore attempt to restrict availability of
255 strong cryptography as much as possible.</p>
257 <p>Things various governments have tried or are trying include:</p>
259 <li>Echelon, a monitor-the-world project of the US, UK, NZ, Australian and
260 Canadian <a href="glossary.html#SIGINT">signals intelligence</a>
261 agencies. See this <a
262 href="http://sg.yahoo.com/government/intelligence/echelon_network/">collection</a>
264 href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">story</a>
265 on the French Parliament's reaction.</li>
266 <li>Others governments may well have their own Echelon-like projects. To
267 quote the Dutch Minister of Defense, as reported in a German <a
268 href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">magazine</a>:
271 The government believes not only the governments associated with
272 Echelon are able to intercept communication systems, but that it is an
273 activity of the investigative authorities and intelligence services of
274 many countries with governments of different political
275 signature.</blockquote>
276 Even if they have nothing on the scale of Echelon, most intelligence
277 agencies and police forces certainly have some interception
279 <li><a href="glossary.html#NSA">NSA</a> tapping of submarine communication
280 cables, described in <a
281 href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">this
283 <li>A proposal for international co-operation on <a
284 href="http://www.heise.de/tp/english/special/enfo/4306/1.html">Internet
285 surveillance</a>.</li>
286 <li>Alleged <a href="http://cryptome.org/nsa-sabotage.htm">sabotage</a> of
287 security products by the <a href="glossary.html#NSA">NSA</a> (the US
288 signals intelligence agency).</li>
289 <li>The German armed forces and some government departments will stop using
290 American software for fear of NSA "back doors", according to this <a
291 href="http://www.theregister.co.uk/content/4/17679.html">news
293 <li>The British Regulation of Investigatory Powers bill. See this <a
294 href="http://www.fipr.org/rip/index.html">web page.</a> and perhaps this
296 href="http://ars.userfriendly.org/cartoons/?id=20000806&mode=classic">cartoon</a>.</li>
298 href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">ban</a>
301 href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">controls</a>
303 <li>The FBI's carnivore system for covert searches of email. See this <a
304 href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">news
305 coverage</a> and this <a
306 href="http://www.crypto.com/papers/carnivore-risks.html">risk
307 assessment</a>. The government had an external review of some aspects of
308 this system done. See this <a
309 href="http://www.crypto.com/papers/carnivore_report_comments.html">analysis</a>
310 of that review. Possible defenses against Carnivore include:
312 <li><a href="glossary.html#PGP">PGP</a> for end-to-end mail
314 <li><a href="http://www.home.aone.net.au/qualcomm/">secure sendmail</a>
315 for server-to-server encryption</li>
316 <li>IPsec encryption on the underlying IP network</li>
319 <li>export laws restricting strong cryptography as a munition. See <a
320 href="#exlaw">discussion</a> below.</li>
321 <li>various attempts to convince people that fundamentally flawed
322 cryptography, such as encryption with a <a href="#escrow">back door</a>
323 for government access to data or with <a href="#shortkeys">inadequate key
324 lengths</a>, was adequate for their needs.</li>
327 <p>Of course governments are by no means the only threat to privacy and
328 security on the net. Other threats include:</p>
330 <li>industrial espionage, as for example in this <a
331 href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">news
333 <li>attacks by organised criminals, as in this <a
334 href="http://www.sans.org/newlook/alerts/NTE-bank.htm">large-scale
336 <li>collection of personal data by various companies.
338 <li>for example, consider the various corporate winners of Privacy
340 href="http://www.privacyinternational.org/bigbrother/">Big Brother
342 <li><a href="http://www.zeroknowledge.com">Zero Knowledge</a> sell
343 tools to defend against this</li>
346 <li>individuals may also be a threat in a variety of ways and for a variety
348 <li>in particular, an individual with access to government or industry data
349 collections could do considerable damage using that data in unauthorized
354 href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">study</a>
355 enumerates threats and possible responses for small and medium businesses.
356 VPNs are a key part of the suggested strategy.</p>
358 <p>We consider privacy a human right. See the UN's <a href="http://www.un.org/Overview/rights.html">Universal
359 Declaration of Human Rights</a>, article twelve:</p>
362 No one shall be subjected to arbitrary interference with his privacy,
363 family, home or correspondence, nor to attacks upon his honor and
364 reputation. Everyone has the right to the protection of the law against
365 such interference or attacks.</blockquote>
367 <p>Our objective is to help make privacy possible on the Internet using
368 cryptography strong enough not even those well-funded government agencies are
369 likely to break it. If we can do that, the chances of anyone else breaking it
374 <p>Many groups are working in different ways to defend privacy on the net and
375 elsewhere. Please consider contributing to one or more of these groups:</p>
377 <li>the EFF's <a href="http://www.eff.org/crypto/">Privacy Now!</a>
379 <li>the <a href="http://www.gilc.org">Global Internet Liberty
381 <li><a href="http://www.cpsr.org/program/privacy/privacy.html">Computer
382 Professionals for Social Responsibility</a></li>
385 <p>For more on these issues see:</p>
387 <li>Steven Levy (Newsweek's chief technology writer and author of the
388 classic "Hackers") new book <a href="biblio.html#crypto">Crypto: How the
389 Code Rebels Beat the Government--Saving Privacy in the Digital
391 <li>Simson Garfinkel (Boston Globe columnist and author of books on <a
392 href="biblio.html#PGP">PGP</a> and <a href="biblio.html#practical">Unix
393 Security</a>) book <a href="biblio.html#Garfinkel">Database Nation: the
394 death of privacy in the 21st century</a></li>
397 <p>There are several collections of <a href="web.html#quotes">crypto
398 quotes</a> on the net.</p>
400 <p>See also the <a href="biblio.html">bibliography</a> and our list of <a
401 href="web.html#policy">web references</a> on cryptography law and policy.</p>
403 <h3>Outline of this section</h3>
405 <p>The remainder of this section includes two pieces of writing by our
408 <li>his <a href="#gilmore">rationale</a> for starting this</li>
409 <li>another <a href="#policestate">discussion</a> of project goals</li>
412 <p>and discussions of:</p>
414 <li><a href="#desnotsecure">why we do not use DES</a></li>
415 <li><a href="#exlaw">cryptography export laws</a></li>
416 <li>why <a href="#escrow">government access to keys</a> is not a good
418 <li>the myth that <a href="#shortkeys">short keys</a> are adequate for some
419 security requirements</li>
422 <p>and a section on <a href="#press">press coverage of FreeS/WAN</a>.</p>
424 <h2><a name="leader">From our project leader</a></h2>
426 <p>FreeS/WAN project founder John Gilmore wrote a web page about why we are
427 doing this. The version below is slightly edited, to fit this format and to
428 update some links. For a version without these edits, see his <a
429 href="http://www.toad.com/gnu/">home page</a>.</p>
432 <h3><a name="gilmore">Swan: Securing the Internet against Wiretapping</a></h3>
435 <p>My project for 1996 was to <b>secure 5% of the Internet traffic against
436 passive wiretapping</b>. It didn't happen in 1996, so I'm still working on it
437 in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we can secure 20% the
438 next year, against both active and passive attacks; and 80% the following
439 year. Soon the whole Internet will be private and secure. The project is
440 called S/WAN or S/Wan or Swan for Secure Wide Area Network; since it's free
441 software, we call it FreeSwan to distinguish it from various commercial
442 implementations. <a href="http://www.rsa.com/rsa/SWAN/">RSA</a> came up with
443 the term "S/WAN". Our main web site is at <a
444 href="http://www.freeswan.org/">http://www.freeswan.org/</a>. Want to
447 <p>The idea is to deploy PC-based boxes that will sit between your local area
448 network and the Internet (near your firewall or router) which
449 opportunistically encrypt your Internet packets. Whenever you talk to a
450 machine (like a Web site) that doesn't support encryption, your traffic goes
451 out "in the clear" as usual. Whenever you connect to a machine that does
452 support this kind of encryption, this box automatically encrypts all your
453 packets, and decrypts the ones that come in. In effect, each packet gets put
454 into an "envelope" on one side of the net, and removed from the envelope when
455 it reaches its destination. This works for all kinds of Internet traffic,
456 including Web access, Telnet, FTP, email, IRC, Usenet, etc.</p>
458 <p>The encryption boxes are standard PC's that use freely available Linux
459 software that you can download over the Internet or install from a cheap
462 <p>This wasn't just my idea; lots of people have been working on it for
463 years. The encryption protocols for these boxes are called <a
464 href="glossary.html#IPsec">IPSEC (IP Security)</a>. They have been developed
466 href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">IP
467 Security Working Group</a> of the <a href="http://www.ietf.org/">Internet
468 Engineering Task Force</a>, and will be a standard part of the next major
469 version of the Internet protocols (<a
470 href="http://playground.sun.com/pub/ipng/html/ipng-main.html">IPv6</a>). For
471 today's (IP version 4) Internet, they are an option.</p>
473 <p>The <a href="http://www.iab.org/iab">Internet Architecture Board</a> and
474 <a href="http://www.ietf.org/">Internet Engineering Steering Group</a> have
475 taken a <a href="iab-iesg.stmt">strong stand</a> that the Internet should use
476 powerful encryption to provide security and privacy. I think these protocols
477 are the best chance to do that, because they can be deployed very easily,
478 without changing your hardware or software or retraining your users. They
479 offer the best security we know how to build, using the Triple-DES, RSA, and
480 Diffie-Hellman algorithms.</p>
482 <p>This "opportunistic encryption box" offers the "fax effect". As each
483 person installs one for their own use, it becomes more valuable for their
484 neighbors to install one too, because there's one more person to use it with.
485 The software automatically notices each newly installed box, and doesn't
486 require a network administrator to reconfigure it. Instead of "virtual
487 private networks" we have a "REAL private network"; we add privacy to the
488 real network instead of layering a manually-maintained virtual network on top
489 of an insecure Internet.</p>
491 <h4>Deployment of IPSEC</h4>
493 <p>The US government would like to control the deployment of IP Security with
494 its <a href="#exlaw">crypto export laws</a>. This isn't a problem for my
495 effort, because the cryptographic work is happening outside the United
496 States. A foreign philanthropist, and others, have donated the resources
497 required to add these protocols to the Linux operating system. <a
498 href="http://www.linux.org/">Linux</a> is a complete, freely available
499 operating system for IBM PC's and several kinds of workstation, which is
500 compatible with Unix. It was written by Linus Torvalds, and is still
501 maintained by a talented team of expert programmers working all over the
502 world and coordinating over the Internet. Linux is distributed under the <a
503 href="glossary.html#GPL">GNU Public License</a>, which gives everyone the
504 right to copy it, improve it, give it to their friends, sell it commercially,
505 or do just about anything else with it, without paying anyone for the
508 <p>Organizations that want to secure their network will be able to put two
509 Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM or by
510 downloading it over the net, and plug it in between their Ethernet and their
511 Internet link or firewall. That's all they'll have to do to encrypt their
512 Internet traffic everywhere outside their own local area network.</p>
514 <p>Travelers will be able to run Linux on their laptops, to secure their
515 connection back to their home network (and to everywhere else that they
516 connect to, such as customer sites). Anyone who runs Linux on a standalone PC
517 will also be able to secure their network connections, without changing their
518 application software or how they operate their computer from day to day.</p>
520 <p>There will also be numerous commercially available firewalls that use this
521 technology. <a href="http://www.rsa.com/">RSA Data Security</a> is
522 coordinating the <a href="http://www.rsa.com/rsa/SWAN">S/Wan (Secure Wide
523 Area Network)</a> project among more than a dozen vendors who use these
524 protocols. There's a <a
525 href="http://www.rsa.com/rsa/SWAN/swan_test.htm">compatability chart</a> that
526 shows which vendors have tested their boxes against which other vendors to
527 guarantee interoperatility.</p>
529 <p>Eventually it will also move into the operating systems and networking
530 protocol stacks of major vendors. This will probably take longer, because
531 those vendors will have to figure out what they want to do about the export
534 <h4>Current status</h4>
536 <p>My initial goal of securing 5% of the net by Christmas '96 was not met. It
537 was an ambitious goal, and inspired me and others to work hard, but was
538 ultimately too ambitious. The protocols were in an early stage of
539 development, and needed a lot more protocol design before they could be
540 implemented. As of April 1999, we have released version 1.0 of the software
542 href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">freeswan-1.0.tar.gz</a>),
543 which is suitable for setting up Virtual Private Networks using shared
544 secrets for authentication. It does not yet do opportunistic encryption, or
545 use DNSSEC for authentication; those features are coming in a future
549 <dd>The low-level encrypted packet formats are defined. The system for
550 publishing keys and providing secure domain name service is defined.
551 The IP Security working group has settled on an NSA-sponsored protocol
552 for key agreement (called ISAKMP/Oakley), but it is still being worked
553 on, as the protocol and its documentation is too complex and
554 incomplete. There are prototype implementations of ISAKMP. The
555 protocol is not yet defined to enable opportunistic encryption or the
556 use of DNSSEC keys.</dd>
557 <dt>Linux Implementation</dt>
558 <dd>The Linux implementation has reached its first major release and is
559 ready for production use in manually-configured networks, using Linux
560 kernel version 2.0.36.</dd>
561 <dt>Domain Name System Security</dt>
562 <dd>There is now a release of BIND 8.2 that includes most DNS Security
564 <p>The first prototype implementation of Domain Name System Security
565 was funded by <a href="glossary.html#DARPA">DARPA</a> as part of their
566 <a href="http://www.darpa.mil/ito/research/is/index.html">Information
567 Survivability program</a>. <a href="http://www.tis.com">Trusted
568 Information Systems</a> wrote a modified version of <a
569 href="http://www.isc.org/bind.html">BIND</a>, the widely-used Berkeley
570 implementation of the Domain Name System.</p>
571 <p>TIS, ISC, and I merged the prototype into the standard version of
572 BIND. The first production version that supports KEY and SIG records is
573 <b>bind-4.9.5</b>. This or any later version of BIND will do for
574 publishing keys. It is available from the <a
575 href="http://www.isc.org/bind.html">Internet Software Consortium</a>.
576 This version of BIND is not export-controlled since it does not contain
577 any cryptography. Later releases starting with BIND 8.2 include
578 cryptography for authenticating DNS records, which is also exportable.
579 Better documentation is needed.</p>
585 <p>Because I can. I have made enough money from several successful startup
586 companies, that for a while I don't have to work to support myself. I spend
587 my energies and money creating the kind of world that I'd like to live in and
588 that I'd like my (future) kids to live in. Keeping and improving on the civil
589 rights we have in the United States, as we move more of our lives into
590 cyberspace, is a particular goal of mine.</p>
592 <h4>What You Can Do</h4>
594 <dt>Install the latest BIND at your site.</dt>
595 <dd>You won't be able to publish any keys for your domain, until you have
596 upgraded your copy of BIND. The thing you really need from it is the
597 new version of <i>named</i>, the Name Daemon, which knows about the new
598 KEY and SIG record types. So, download it from the <a
599 href="http://www.isc.org/bind.html">Internet Software Consortium </a>
600 and install it on your name server machine (or get your system
601 administrator, or Internet Service Provider, to install it). Both your
602 primary DNS site and all of your secondary DNS sites will need the new
603 release before you will be able to publish your keys. You can tell
604 which sites this is by running the Unix command "dig MYDOMAIN ns" and
605 seeing which sites are mentioned in your NS (name server) records.</dd>
606 <dt>Set up a Linux system and run a 2.0.x kernel on it</dt>
607 <dd>Get a machine running Linux (say the 5.2 release from <a
608 href="http://www.redhat.com">Red Hat</a>). Give the machine two
610 <dt>Install the Linux IPSEC (Freeswan) software</dt>
611 <dd>If you're an experienced sysadmin or Linux hacker, install the
612 freeswan-1.0 release, or any later release or snapshot. These releases
613 do NOT provide automated "opportunistic" operation; they must be
614 manually configured for each site you wish to encrypt with.</dd>
615 <dt>Get on the linux-ipsec mailing list</dt>
616 <dd>The discussion forum for people working on the project, and testing
617 the code and documentation, is: linux-ipsec@clinet.fi. To join this
618 mailing list, send email to <a
619 href="mailto:linux-ipsec-REQUEST@clinet.fi">linux-ipsec-REQUEST@clinet.fi</a>
620 containing a line of text that says "subscribe linux-ipsec". (You can
621 later get off the mailing list the same way -- just send "unsubscribe
625 <dt>Check back at this web page every once in a while</dt>
626 <dd>I update this page periodically, and there may be new information in
627 it that you haven't seen. My intent is to send email to the mailing
628 list when I update the page in any significant way, so subscribing to
629 the list is an alternative.</dd>
632 <p>Would you like to help? I can use people who are willing to write
633 documentation, install early releases for testing, write cryptographic code
634 outside the United States, sell pre-packaged software or systems including
635 this technology, and teach classes for network administrators who want to
636 install this technology. To offer to help, send me email at gnu@toad.com.
637 Tell me what country you live in and what your citizenship is (it matters due
638 to the export control laws; personally I don't care). Include a copy of your
639 resume and the URL of your home page. Describe what you'd like to do for the
640 project, and what you're uniquely qualified for. Mention what other
641 volunteer projects you've been involved in (and how they worked out). Helping
642 out will require that you be able to commit to doing particular things, meet
643 your commitments, and be responsive by email. Volunteer projects just don't
644 work without those things.</p>
646 <h4>Related projects</h4>
648 <dt>IPSEC for NetBSD</dt>
649 <dd>This prototype implementation of the IP Security protocols is for
650 another free operating system. <a
651 href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">Download
652 BSDipsec.tar.gz</a>.</dd>
653 <dt>IPSEC for <a href="http://www.openbsd.org">OpenBSD</a></dt>
654 <dd>This prototype implementation of the IP Security protocols is for yet
655 another free operating system. It is directly integrated into the OS
656 release, since the OS is maintained in Canada, which has freedom of
657 speech in software.</dd>
660 <h3><a name="policestate">Stopping wholesale monitoring</a></h3>
662 <p>From a message project leader John Gilmore posted to the mailing list:</p>
663 <pre>John Denker wrote:
665 > Indeed there are several ways in which the documentation overstates the
666 > scope of what this project does -- starting with the name
667 > FreeS/WAN. There's a big difference between having an encrypted IP tunnel
668 > versus having a Secure Wide-Area Network. This software does a fine job of
669 > the former, which is necessary but not sufficient for the latter.
671 The goal of the project is to make it very hard to tap your wide area
672 communications. The current system provides very good protection
673 against passive attacks (wiretapping and those big antenna farms).
674 Active attacks, which involve the intruder sending packets to your
675 system (like packets that break into sendmail and give them a root
676 shell :-) are much harder to guard against. Active attacks that
677 involve sending people (breaking into your house and replacing parts
678 of your computer with ones that transmit what you're doing) are also
679 much harder to guard against. Though we are putting effort into
680 protecting against active attacks, it's a much bigger job than merely
681 providing strong encryption. It involves general computer security,
682 and general physical security, which are two very expensive problems
683 for even a site to solve, let alone to build into a whole society.
685 The societal benefit of building an infrastructure that protects
686 well against passive attacks is that it makes it much harder to do
687 undetected bulk monitoring of the population. It's a defense against
688 police-states, not against policemen.
690 Policemen can put in the effort required to actively attack sites that
691 they have strong suspicions about. But police states won't be able to
692 build systems that automatically monitor everyone's communications.
693 Either they will be able to monitor only a small subset of the
694 populace (by targeting those who screwed up their passive security),
695 or their monitoring activities will be detectable by those monitored
696 (active attacks leave packet traces or footprints), which can then be
697 addressed through the press and through political means if they become
700 FreeS/WAN does not protect very well against traffic analysis, which
701 is a kind of widespread police-state style monitoring that still
702 reveals significant information (who's talking to who) without
703 revealing the contents of what was said. Defenses against traffic
704 analysis are an open research problem. Zero Knowledge Systems is
705 actively deploying a system designed to thwart it, designed by Ian
706 Goldberg. The jury is out on whether it actually works; a lot more
707 experience with it will be needed.</pre>
709 <p>Notes on things mentioned in that message:</p>
711 <li>Denker is a co-author of a <a href="intro.html#applied">paper</a> on a
712 large FreeS/WAN application.</li>
713 <li>Information on Zero Knowledge is on their <a
714 href="http://www.zks.net/">web site</a>. Their Freedom product, designed
715 to provide untracable pseudonyms for use on the net, is no longer
717 <li>Another section of our documentation discusses ways to <a
718 href="ipsec.html#traffic.resist">resist traffic analysis</a>.</li>
721 <h2><a name="weak">Government promotion of weak crypto</a></h2>
723 <p>Various groups, especially governments and especially the US government,
724 have a long history of advocating various forms of bogus security.</p>
726 <p>We regard bogus security as extremely dangerous. If users are deceived
727 into relying on bogus security, then they may be exposed to large risks. They
728 would be better off having no security and knowing it. At least then they
729 would be careful about what they said.</p>
731 <p><strong>Avoiding bogus security is a key design criterion for everything
732 we do in FreeS/WAN</strong>. The most conspicuous example is our refusal to
733 support <a href="#desnotsecure">single DES</a>. Other IPsec "features" which
734 we do not implement are discussed in our <a
735 href="compat.html#dropped">compatibility</a> document.</p>
737 <h3><a name="escrow">Escrowed encryption</a></h3>
739 <p>Various governments have made persistent attempts to encourage or mandate
740 "escrowed encrytion", also called "key recovery", or GAK for "government
741 access to keys". The idea is that cryptographic keys be held by some third
742 party and turned over to law enforcement or security agencies under some
744 <pre> Mary had a little key - she kept it in escrow,
745 and every thing that Mary said,
746 the feds were sure to know.</pre>
748 <p>A <a href="web.html#quotes">crypto quotes</a> page attributes this to <a
749 href="http://www.scramdisk.clara.net/">Sam Simpson</a>.</p>
751 <p>There is an excellent paper available on <a
752 href="http://www.cdt.org/crypto/risks98/">Risks of Escrowed Encryption</a>,
753 from a group of cryptographic luminaries which included our project
756 <p>Like any unnecessary complication, GAK tends to weaken security of any
757 design it infects. For example:</p>
759 <li>Matt Blaze found a fatal flaw in the US government's Clipper chip
760 shortly after design information became public. See his paper "Protocol
761 Failure in the Escrowed Encryption Standard" on his <a
762 href="http://www.crypto.com/papers/">papers</a> page.</li>
763 <li>a rather <a href="http://www.pgp.com/other/advisories/adk.asp">nasty
764 bug</a> was found in the "additional decryption keys" "feature" of some
765 releases of <a href="glossary.html#PGP">PGP</a></li>
768 <p>FreeS/WAN does not support escrowed encryption, and never will.</p>
770 <h3><a name="shortkeys">Limited key lengths</a></h3>
772 <p>Various governments, and some vendors, have also made persistent attempts
773 to convince people that:</p>
775 <li>weak systems are sufficient for some data</li>
776 <li>strong cryptography should be reserved for cases where the extra
777 overheads are justified</li>
780 <p><strong>This is utter nonsense</strong>.</p>
782 <p>Weak systems touted include:</p>
784 <li>the ludicrously weak (deliberately crippled) 40-bit ciphers that until
785 recently were all various <a href="#exlaw">export laws</a> allowed</li>
786 <li>56-bit single DES, discussed <a href="#desnotsecure">below</a></li>
787 <li>64-bit symmetric ciphers and 512-bit RSA, the maximums for unrestricted
788 export under various current laws</li>
791 <p>The notion that choice of ciphers or keysize should be determined by a
792 trade-off between security requirements and overheads is pure bafflegab.</p>
794 <li>For most <a href="glossary.html#symmetric">symmetric ciphers</a>, it is
795 simply a lie. Any block cipher has some natural maximum keysize inherent
796 in the design -- 128 bits for <a href="glossary.html#IDEA">IDEA</a> or <a
797 href="glossary.html#CAST128">CAST-128</a>, 256 for Serpent or Twofish,
798 448 for <a href="glossary.html#Blowfish">Blowfish</a> and 2048 for <a
799 href="glossary.html#RC4">RC4</a>. Using a key size smaller than that
800 limit gives <em>exactly zero </em>savings in overhead. The crippled
801 40-bit or 64-bit version of the cipher provides <em>no advantage
802 whatsoever</em>.</li>
803 <li><a href="glossary.html#AES">AES</a> uses 10 rounds with 128-bit keys,
804 12 rounds for 192-bit and 14 rounds for 256-bit, so there actually is a
805 small difference in overhead, but not enough to matter in most
807 <li>For <a href="glossary.html#3DES">triple DES</a> there is a grain of
808 truth in the argument. 3DES is indeed three times slower than single DES.
809 However, the solution is not to use the insecure single DES, but to pick
810 a faster secure cipher. <a href="glossary.html#CAST128">CAST-128</a>, <a
811 href="glossary.html#Blowfish">Blowfish</a> and the <a
812 href="glossary.html#AES">AES candidate</a> ciphers are are all
813 considerably faster in software than DES (let alone 3DES!), and
814 apparently secure.</li>
815 <li>For <a href="glossary.html#public">public key</a> techniques, there are
816 extra overheads for larger keys, but they generally do not affect overall
817 performance significantly. Practical public key applications are usually
818 <a href="glossary.html#hybrid">hybrid</a> systems in which the bulk of
819 the work is done by a symmetric cipher. The effect of increasing the cost
820 of the public key operations is typically negligible because the public
821 key operations use only a tiny fraction of total resources.
822 <p>For example, suppose public key operations use use 1% of the time in a
823 hybrid system and you triple the cost of public key operations. The cost
824 of symmetric cipher operations is unchanged at 99% of the original total
825 cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3 = 102,
826 a 2% rise in system cost.</p>
830 <p>In short, <strong>there has never been any technical reason to use
831 inadequate ciphers</strong>. The only reason there has ever been for anyone
832 to use such ciphers is that government agencies want weak ciphers used so
833 that they can crack them. The alleged savings are simply propaganda.</p>
834 <pre> Mary had a little key (It's all she could export),
835 and all the email that she sent was opened at the Fort.</pre>
837 <p>A <a href="web.html#quotes">crypto quotes</a> page attributes this to <a
838 href="http://theory.lcs.mit.edu:80/~rivest/">Ron Rivest</a>. NSA headquarters
839 is at Fort Meade, Maryland.</p>
841 <p>Our policy in FreeS/WAN is to use only cryptographic components with
842 adequate keylength and no known weaknesses.</p>
844 <li>We do not implement single DES because it is clearly <a
845 href="#desnotsecure">insecure</a>, so implemeting it would violate our
846 policy of avoiding bogus security. Our default cipher is <a
847 href="glossary.html#3DES">3DES</a></li>
848 <li>Similarly, we do not implement the 768-bit Group 1 for <a
849 href="glossary.html#DH">Diffie-Hellman</a> key negotiation. We provide
850 only the 1024-bit Group 2 and 1536-bit Group 5.</li>
853 <p>Detailed discussion of which IPsec features we implement or omit is in out
854 <a href="compat.html">compatibility document</a>.</p>
856 <p>These decisions imply that we cannot fully conform to the IPsec RFCs,
857 since those have DES as the only required cipher and Group 1 as the only
858 required DH group. (In our view, the standards were subverted into offerring
859 bogus security.) Fortunately, we can still interoperate with most other IPsec
860 implementations since nearly all implementers provide at least 3DES and Group
863 <p>We hope that eventually the RFCs will catch up with our (and others')
864 current practice and reject dubious components. Some of our team and a number
865 of others are working on this in <a href="glossary.html#IETF">IETF</a>
868 <h4>Some real trade-offs</h4>
870 <p>Of course, making systems secure does involve costs, and trade-offs can be
871 made between cost and security. However, the real trade-offs have nothing to
872 do with using weaker ciphers.</p>
874 <p>There can be substantial hardware and software costs. There are often
875 substantial training costs, both to train administrators and to increase user
876 awareness of security issues and procedures. There are almost always
877 substantial staff or contracting costs.</p>
879 <p>Security takes staff time for planning, implementation, testing and
880 auditing. Some of the issues are subtle; you need good (hence often
881 expensive) people for this. You also need people to monitor your systems and
882 respond to problems. The best safe ever built is insecure if an attacker can
883 work on it for days without anyone noticing. Any computer is insecure if the
884 administrator is "too busy" to check the logs.</p>
886 <p>Moreover, someone in your organisation (or on contract to it) needs to
887 spend considerable time keeping up with new developments. EvilDoers
888 <em>will</em> know about new attacks shortly after they are found. You need
889 to know about them before your systems are attacked. If your vendor provides
890 a patch, you need to apply it. If the vendor does nothing, you need to
891 complain or start looking for another vendor.</p>
893 <p>For a fairly awful example, see this <a
894 href="http://www.sans.org/newlook/alerts/NTE-bank.htm">report</a>. In that
895 case over a million credit card numbers were taken from e-commerce sites,
896 using security flaws in Windows NT servers. Microsoft had long since released
897 patches for most or all of the flaws, but the site administrators had not
900 <p>At an absolute minimum, you must do something about such issues
901 <em>before</em> an exploitation tool is posted to the net for downloading by
902 dozens of "script kiddies". Such a tool might appear at any time from the
903 announcement of the security hole to several months later. Once it appears,
904 anyone with a browser and an attitude can break any system whose
905 administrators have done nothing about the flaw.</p>
907 <p>Compared to those costs, cipher overheads are an insignificant factor in
908 the cost of security.</p>
910 <p>The only thing using a weak cipher can do for you is to cause all your
911 other investment to be wasted.</p>
913 <h2><a name="exlaw">Cryptography Export Laws</a></h2>
915 <p>Many nations restrict the export of cryptography and some restrict its use
916 by their citizens or others within their borders.</p>
918 <h3><a name="USlaw">US Law</a></h3>
920 <p>US laws, as currently interpreted by the US government, forbid export of
921 most cryptographic software from the US in machine-readable form without
922 government permission. In general, the restrictions apply even if the
923 software is widely-disseminated or public-domain and even if it came from
924 outside the US originally. Cryptography is legally a munition and export is
925 tightly controlled under the <a href="glossary.html#EAR">EAR</a> Export
926 Administration Regulations.</p>
928 <p>If you are a US citizen, your brain is considered US territory no matter
929 where it is physically located at the moment. The US believes that its laws
930 apply to its citizens everywhere, not just within the US. Providing technical
931 assistance or advice to foreign "munitions" projects is illegal. The US
932 government has very little sense of humor about this issue and does not
933 consider good intentions to be sufficient excuse. Beware.</p>
935 <p>The <a href="http://www.bxa.doc.gov/Encryption/">official website</a> for
936 these regulations is run by the Commerce Department's Bureau of Export
937 Administration (BXA).</p>
939 <p>The <a href="http://www.eff.org/bernstein/">Bernstein case</a> challenges
940 the export restrictions on Constitutional grounds. Code is speech so
941 restrictions on export of code violate the First Amendment's free speech
942 provisions. This argument has succeeded in two levels of court so far. It is
943 quite likely to go on to the Supreme Court.</p>
945 <p>The regulations were changed substantially in January 2000, apparently as
946 a government attempt to get off the hook in the Bernstein case. It is now
947 legal to export public domain source code for encryption, provided you notify
948 the <a href="glossary.html#BXA">BXA</a>.</p>
950 <p>There are, however, still restrictions in force.
951 Moreover, the regulations can still be changed again whenever the government
952 chooses to do so. Short of a Supreme Court ruling (in the Berstein case or
953 another) that overturns the regulations completely, the problem of export
954 regulation is not likely to go away in the forseeable future.</p>
956 <h4><a name="UScontrib">US contributions to FreeS/WAN</a></h4>
958 <p>The FreeS/WAN project <strong>cannot accept software contributions, <em>
959 not even small bug fixes</em>, from US citizens or residents</strong>. We
960 want it to be absolutely clear that our distribution is not subject to US
961 export law. Any contribution from an American might open that question to a
962 debate we'd prefer to avoid. It might also put the contributor at serious
965 <p>Of course Americans can still make valuable contributions (many already
966 have) by reporting bugs, or otherwise contributing to discussions, on the
967 project <a href="mail.html">mailing list</a>. Since the list is public, this
968 is clearly constitutionally protected free speech.</p>
970 <p>Note, however, that the export laws restrict Americans from providing
971 technical assistance to foreign "munitions" projects. The government might
972 claim that private discussions or correspondence with FreeS/WAN developers
973 were covered by this. It is not clear what the courts would do with such a
974 claim, so we strongly encourage Americans to use the list rather than risk
975 the complications.</p>
977 <h3><a name="wrong">What's wrong with restrictions on cryptography</a></h3>
979 <p>Some quotes from prominent cryptography experts:</p>
982 The real aim of current policy is to ensure the continued effectiveness of
983 US information warfare assets against individuals, businesses and
984 governments in Europe and elsewhere.<br>
985 <a href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson, Cambridge
986 University</a></blockquote>
989 If the government were honest about its motives, then the debate about
990 crypto export policy would have ended years ago.<br>
991 <a href="http://www.counterpane.com"> Bruce Schneier, Counterpane
992 Systems</a></blockquote>
995 The NSA regularly lies to people who ask it for advice on export control.
996 They have no reason not to; accomplishing their goal by any legal means is
997 fine by them. Lying by government employees is legal.<br>
998 John Gilmore.</blockquote>
1000 <p>The Internet Architecture Board (IAB) and the Internet Engineering
1001 Steering Group (IESG) made a <a href="iab-iesg.stmt">strong statement</a> in
1002 favour of worldwide access to strong cryptography. Essentially the same
1003 statement is in the appropriately numbered <a
1004 href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">RFC 1984</a>. Two critical
1008 ... various governments have actual or proposed policies on access to
1009 cryptographic technology ...
1011 <p>(a) ... export controls ...<br>
1012 (b) ... short cryptographic keys ...<br>
1013 (c) ... keys should be in the hands of the government or ...<br>
1014 (d) prohibit the use of cryptology ...</p>
1016 <p>We believe that such policies are against the interests of consumers and
1017 the business community, are largely irrelevant to issues of military
1018 security, and provide only a marginal or illusory benefit to law
1019 enforcement agencies, ...</p>
1021 <p>The IAB and IESG would like to encourage policies that allow ready
1022 access to uniform strong cryptographic technology for all Internet users in
1026 <p>Our goal in the FreeS/WAN project is to build just such "strong
1027 cryptographic technology" and to distribute it "for all Internet users in all
1030 <p>More recently, the same two bodies (IESG and IAB) have issued <a
1031 href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">RFC 2804</a> on why the IETF
1032 should not build wiretapping capabilities into protocols for the convenience
1033 of security or law enforcement agenicies. The abstract from that document
1037 The Internet Engineering Task Force (IETF) has been asked to take a
1038 position on the inclusion into IETF standards-track documents of
1039 functionality designed to facilitate wiretapping.
1041 <p>This memo explains what the IETF thinks the question means, why its
1042 answer is "no", and what that answer means.</p>
1044 A quote from the debate leading up to that RFC:
1047 We should not be building surveillance technology into standards. Law
1048 enforcement was not supposed to be easy. Where it is easy, it's called a
1050 Jeff Schiller of MIT, in a discussion of FBI demands for wiretap capability
1051 on the net, as quoted by <a
1052 href="http://www.wired.com/news/politics/0,1283,31895,00.html">Wired</a>.</blockquote>
1054 <p>The <a href="http://www.ietf.org/mailman/listinfo/raven">Raven</a> mailing
1055 list was set up for this IETF discussion.</p>
1057 <p>Our goal is to go beyond that RFC and prevent Internet wiretapping
1060 <h3><a name="Wassenaar">The Wassenaar Arrangement</a></h3>
1062 <p>Restrictions on the export of cryptography are not just US policy, though
1063 some consider the US at least partly to blame for the policies of other
1064 nations in this area.</p>
1066 <p>A number of countries:</p>
1068 <p>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
1069 Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
1070 Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of
1071 Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
1072 Switzerland, Turkey, Ukraine, United Kingdom and United States</p>
1074 <p>have signed the Wassenaar Arrangement which restricts export of munitions
1075 and other tools of war. Cryptographic sofware is covered there.</p>
1077 <p>Wassenaar details are available from the <a
1078 href="http://www.wassenaar.org/"> Wassenaar Secretariat</a>, and elsewhere in
1079 a more readable <a href="http://www.fitug.de/news/wa/index.html"> HTML
1082 <p>For a critique see the <a href="http://www.gilc.org/crypto/wassenaar">
1086 The Global Internet Liberty Campaign (GILC) has begun a campaign calling
1087 for the removal of cryptography controls from the Wassenaar Arrangement.
1089 <p>The aim of the Wassenaar Arrangement is to prevent the build up of
1090 military capabilities that threaten regional and international security and
1093 <p>There is no sound basis within the Wassenaar Arrangement for the
1094 continuation of any export controls on cryptographic products.</p>
1097 <p>We agree entirely.</p>
1099 <p>An interesting analysis of Wassenaar can be found on the <a
1100 href="http://www.cyber-rights.org/crypto/wassenaar.htm">cyber-rights.org</a>
1103 <h3><a name="status">Export status of Linux FreeS/WAN</a></h3>
1105 <p>We believe our software is entirely exempt from these controls since the
1107 href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">General
1108 Software Note</a> says:</p>
1111 The Lists do not control "software" which is either:
1113 <li>Generally available to the public by . . . retail . . . or</li>
1114 <li>"In the public domain".</li>
1118 <p>There is a note restricting some of this, but it is a sub-heading under
1119 point 1, so it appears not to apply to public domain software.</p>
1121 <p>Their glossary defines "In the public domain" as:</p>
1124 . . . "technology" or "software" which has been made available without
1125 restrictions upon its further dissemination.
1127 <p>N.B. Copyright restrictions do not remove "technology" or "software"
1128 from being "in the public domain".</p>
1131 <p>We therefore believe that software freely distributed under the <a
1132 href="glossary.html#GPL">GNU Public License</a>, such as Linux FreeS/WAN, is
1133 exempt from Wassenaar restrictions.</p>
1135 <p>Most of the development work is being done in Canada. Our understanding is
1136 that the Canadian government accepts this interpretation.</p>
1138 <li>A web statement of <a
1139 href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm"> Canadian
1140 policy</a> is available from the Department of Foreign Affairs and
1141 International Trade.</li>
1142 <li>Another document from that department states that <a
1143 href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">public domain
1144 software</a> is exempt from the export controls.</li>
1145 <li>A researcher's <a
1146 href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">analysis</a>
1147 of Canadian policy is also available.</li>
1150 <p>Recent copies of the freely modifiable and distributable source code exist
1151 in many countries. Citizens all over the world participate in its use and
1152 evolution, and guard its ongoing distribution. Even if Canadian policy were
1153 to change, the software would continue to evolve in countries which do not
1154 restrict exports, and would continue to be imported from there into unfree
1155 countries. "The Net culture treats censorship as damage, and routes around
1158 <h3><a name="help">Help spread IPsec around</a></h3>
1160 <p>You can help. If you don't know of a Linux FreeS/WAN archive in your own
1161 country, please download it now to your personal machine, and consider making
1162 it publicly accessible if that doesn't violate your own laws. If you have the
1163 resources, consider going one step further and setting up a mirror site for
1164 the whole <a href="intro.html#munitions">munitions</a> Linux crypto software
1167 <p>If you make Linux CD-ROMs, please consider including this code, in a way
1168 that violates no laws (in a free country, or in a domestic-only CD
1171 <p>Please send a note about any new archive mirror sites or CD distributions
1172 to linux-ipsec@clinet.fi so we can update the documentation.</p>
1174 <p>Lists of current <a href="intro.html#sites">mirror sites</a> and of <a
1175 href="intro.html#distwith">distributions</a> which include FreeS/WAN are in
1176 our introduction section.</p>
1178 <h2><a name="desnotsecure">DES is Not Secure</a></h2>
1180 <p>DES, the <strong>D</strong>ata <strong>E</strong>ncryption
1181 <strong>S</strong>tandard, can no longer be considered secure. While no major
1182 flaws in its innards are known, it is fundamentally inadequate because its
1183 <strong>56-bit key is too short</strong>. It is vulnerable to <a
1184 href="glossary.html#brute">brute-force search</a> of the whole key space,
1185 either by large collections of general-purpose machines or even more quickly
1186 by specialized hardware. Of course this also applies to <strong>any other
1187 cipher with only a 56-bit key</strong>. The only reason anyone could have for
1188 using a 56 or 64-bit key is to comply with various <a
1189 href="exportlaw.html">export laws</a> intended to ensure the use of breakable
1192 <p>Non-government cryptologists have been saying DES's 56-bit key was too
1193 short for some time -- some of them were saying it in the 70's when DES
1194 became a standard -- but the US government has consistently ridiculed such
1197 <p>A group of well-known cryptographers looked at key lengths in a <a
1198 href="http://www.counterpane.com/keylength.html"> 1996 paper</a>. They
1199 suggested a <em>minimum</em> of 75 bits to consider an existing cipher secure
1200 and a <em>minimum of 90 bits for new ciphers</em>. More recent papers,
1201 covering both <a href="glossary.html#symmetric">symmetric</a> and <a
1202 href="glossary.html#public">public key</a> systems are at <a
1203 href="http://www.cryptosavvy.com/">cryptosavvy.com</a> and <a
1204 href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">rsa.com</a>.
1205 For all algorithms, the minimum keylengths recommended in such papers are
1206 significantly longer than the maximums allowed by various export laws.</p>
1209 href="http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-09/0095.html">1998
1210 ruling</a>, a German court described DES as "out-of-date and not safe enough"
1211 and held a bank liable for using it.</p>
1213 <h3><a name="deshware">Dedicated hardware breaks DES in a few days</a></h3>
1215 <p>The question of DES security has now been settled once and for all. In
1216 early 1998, the <a href="http://www.eff.org/">Electronic Frontier
1217 Foundation</a> built a <a
1218 href="http://www.eff.org/descracker.html">DES-cracking machine</a>. It can
1219 find a DES key in an average of a few days' search. The details of all this,
1220 including complete code listings and complete plans for the machine, have
1221 been published in <a href="biblio.html#EFF"><cite>Cracking DES</cite></a>, by
1222 the Electronic Frontier Foundation.</p>
1224 <p>That machine cost just over $200,000 to design and build. "Moore's Law" is
1225 that machines get faster (or cheaper, for the same speed) by roughly a factor
1226 of two every 18 months. At that rate, their $200,000 in 1998 becomes $50,000
1229 <p>However, Moore's Law is not exact and the $50,000 estimate does not allow
1230 for the fact that a copy based on the published EFF design would cost far
1231 less than the original. We cannot say exactly what such a cracker would cost
1232 today, but it would likely be somewhere between $10,000 and $100,000.</p>
1234 <p>A large corporation could build one of these out of petty cash. The cost
1235 is low enough for a senior manager to hide it in a departmental budget and
1236 avoid having to announce or justify the project. Any government agency, from
1237 a major municipal police force up, could afford one. Or any other group with
1238 a respectable budget -- criminal organisations, political groups, labour
1239 unions, religious groups, ... Or any millionaire with an obsession or a
1240 grudge, or just strange taste in toys.</p>
1242 <p>One might wonder if a private security or detective agency would have one
1243 for rent. They wouldn't need many clients to pay off that investment.</p>
1245 <h3><a name="spooks">Spooks may break DES faster yet</a></h3>
1247 <p>As for the security and intelligence agencies of various nations, they may
1248 have had DES crackers for years, and theirs may be much faster. It is
1249 difficult to make most computer applications work well on parallel machines,
1250 or to design specialised hardware to accelerate them. Cipher-cracking is one
1251 of the very few exceptions. It is entirely straightforward to speed up
1252 cracking by just adding hardware. Within very broad limits, you can make it
1253 as fast as you like if you have the budget. The EFF's $200,000 machine breaks
1254 DES in a few days. An <a href="http://www.planepage.com/">aviation
1255 website</a> gives the cost of a B1 bomber as $200,000,000. Spending that
1256 much, an intelligence agency could break DES in an average time of <em>six
1257 and a half minutes</em>.</p>
1259 <p>That estimate assumes they use the EFF's 1998 technology and just spend
1260 more money. They may have an attack that is superior to brute force, they
1261 quite likely have better chip technology (Moore's law, a bigger budget, and
1262 whatever secret advances they may have made) and of course they may have
1263 spent the price of an aircraft carrier, not just one aircraft.</p>
1265 <p>In short, we have <em>no idea</em> how quickly these organisations can
1266 break DES. Unless they're spectacularly incompetent or horribly underfunded,
1267 they can certainly break it, but we cannot guess how quickly. Pick any time
1268 unit between days and milliseconds; none is entirely unbelievable. More to
1269 the point, none of them is of any comfort if you don't want such
1270 organisations reading your communications.</p>
1272 <p>Note that this may be a concern even if nothing you do is a threat to
1273 anyone's national security. An intelligence agency might well consider it to
1274 be in their national interest for certain companies to do well. If you're
1275 competing against such companies in a world market and that agency can read
1276 your secrets, you have a serious problem.</p>
1278 <p>One might wonder about technology the former Soviet Union and its allies
1279 developed for cracking DES during the Cold War. They must have tried; the
1280 cipher was an American standard and widely used. Certainly those countries
1281 have some fine mathematicians, and those agencies had budget. How well did
1282 they succeed? Is their technology now for sale or rent?</p>
1284 <h3><a name="desnet">Networks break DES in a few weeks</a></h3>
1286 <p>Before the definitive EFF effort, DES had been cracked several times by
1287 people using many machines. See this <a
1288 href="http://www.distributed.net/pressroom/DESII-1-PR.html"> press
1289 release</a> for example.</p>
1291 <p>A major corporation, university, or government department could break DES
1292 by using spare cycles on their existing collection of computers, by
1293 dedicating a group of otherwise surplus machines to the problem, or by
1294 combining the two approaches. It might take them weeks or months, rather than
1295 the days required for the EFF machine, but they could do it.</p>
1297 <p>What about someone working alone, without the resources of a large
1298 organisation? For them, cracking DES will not be easy, but it may be
1299 possible. A few thousand dollars buys a lot of surplus workstations. A pile
1300 of such machines will certainly heat your garage nicely and might break DES
1301 in a few months or years. Or enroll at a university and use their machines.
1302 Or use an employer's machines. Or crack security somewhere and steal the
1303 resources to crack a DES key. Or write a virus that steals small amounts of
1304 resources on many machines. Or . . .</p>
1306 <p>None of these approaches are easy or break DES really quickly, but an
1307 attacker only needs to find one that is feasible and breaks DES quickly
1308 enough to be dangerous. How much would you care to bet that this will be
1309 impossible if the attacker is clever and determined? How valuable is your
1310 data? Are you authorised to risk it on a dubious bet?</p>
1312 <h3><a name="no_des">We disable DES</a></h3>
1314 <p>In short, it is now absolutely clear that <strong>DES is not
1315 secure</strong> against</p>
1317 <li>any <strong>well-funded opponent</strong></li>
1318 <li>any opponent (even a penniless one) with access (even stolen access) to
1319 <strong>enough general purpose computers</strong></li>
1322 <p>That is why <strong>Linux FreeS/WAN disables all transforms which use
1323 plain DES</strong> for encryption.</p>
1325 <p>DES is in the source code, because we need DES to implement our default
1326 encryption transform, <a href="glossary.html#3DES">Triple DES</a>. <strong>We
1327 urge you not to use single DES</strong>. We do not provide any easy way to
1328 enable it in FreeS/WAN, and our policy is to provide no assistance to anyone
1329 wanting to do so.</p>
1331 <h3><a name="40joke">40-bits is laughably weak</a></h3>
1333 <p>The same is true, in spades, of ciphers -- DES or others -- crippled by
1334 40-bit keys, as many ciphers were required to be until recently under various
1335 <a href="#exlaw">export laws</a>. A brute force search of such a cipher's
1336 keyspace is 2<sup>16</sup> times faster than a similar search against DES.
1337 The EFF's machine can do a brute-force search of a 40-bit key space in
1338 <em>seconds</em>. One contest to crack a 40-bit cipher was won by a student
1339 <a href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1"> using a few
1340 hundred idle machines at his university</a>. It took only three and half
1343 <p>We do not, and will not, implement any 40-bit cipher.</p>
1345 <h3><a name="altdes">Triple DES is almost certainly secure</a></h3>
1347 <p><a href="glossary.html#3DES">Triple DES</a>, usually abbreviated 3DES,
1348 applies DES three times, with three different keys. DES seems to be basically
1349 an excellent cipher design; it has withstood several decades of intensive
1350 analysis without any disastrous flaws being found. It's only major flaw is
1351 that the small keyspace allows brute force attacks to succeeed. Triple DES
1352 enlarges the key space to 168 bits, making brute-force search a ridiculous
1355 <p>3DES is currently the only block cipher implemented in FreeS/WAN. 3DES is,
1356 unfortunately, about 1/3 the speed of DES, but modern CPUs still do it at
1357 quite respectable speeds. Some <a href="glossary.html#benchmarks">speed
1358 measurements</a> for our code are available.</p>
1360 <h3><a name="aes.ipsec">AES in IPsec</a></h3>
1362 <p>The <a href="glossary.html#AES">AES</a> project has chosen a replacement
1363 for DES, a new standard cipher for use in non-classified US government work
1364 and in regulated industries such as banking. This cipher will almost
1365 certainly become widely used for many applications, including IPsec.</p>
1367 <p>The winner, announced in October 2000 after several years of analysis and
1368 discussion, was the <a
1369 href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</a> cipher
1370 from two Belgian designers.</p>
1372 <p>It is almost certain that FreeS/WAN will add AES support. <a
1373 href="web.html#patch">AES patches</a> are already available.</p>
1375 <h2><a name="press">Press coverage of Linux FreeS/WAN:</a></h2>
1377 <h3>FreeS/WAN 1.0 press</h3>
1380 href="http://www.wired.com/news/news/technology/story/19136.html">Wired</a>
1381 "Linux-Based Crypto Stops Snoops", James Glave April 15 1999</li>
1383 href="http://slashdot.org/articles/99/04/15/1851212.shtml">Slashdot</a></li>
1384 <li><a href="http://dgl.com/itinfo/1999/it990415.html">DGL</a>, Damar Group
1385 Limited; looking at FreeS/WAN from a perspective of business
1387 <li><a href="http://linuxtoday.com/stories/5010.html">Linux Today</a></li>
1388 <li><a href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</a>,
1389 Tasty Bits from the Technology Front</li>
1391 href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">Salon
1392 Magazine</a> "Free Encryption Takes a Big Step"</li>
1395 <h3><a name="release">Press release for version 1.0</a></h3>
1396 <pre> Strong Internet Privacy Software Free for Linux Users Worldwide
1398 Toronto, ON, April 14, 1999 -
1400 The Linux FreeS/WAN project today released free software to protect
1401 the privacy of Internet communications using strong encryption codes.
1402 FreeS/WAN automatically encrypts data as it crosses the Internet, to
1403 prevent unauthorized people from receiving or modifying it. One
1404 ordinary PC per site runs this free software under Linux to become a
1405 secure gateway in a Virtual Private Network, without having to modify
1406 users' operating systems or application software. The project built
1407 and released the software outside the United States, avoiding US
1408 government regulations which prohibit good privacy protection.
1409 FreeS/WAN version 1.0 is available immediately for downloading at
1410 http://www.xs4all.nl/~freeswan/.
1412 "Today's FreeS/WAN release allows network administrators to build
1413 excellent secure gateways out of old PCs at no cost, or using a cheap
1414 new PC," said John Gilmore, the entrepreneur who instigated the
1415 project in 1996. "They can build operational experience with strong
1416 network encryption and protect their users' most important
1417 communications worldwide."
1419 "The software was written outside the United States, and we do not
1420 accept contributions from US citizens or residents, so that it can be
1421 freely published for use in every country," said Henry Spencer, who
1422 built the release in Toronto, Canada. "Similar products based in the
1423 US require hard-to-get government export licenses before they can be
1424 provided to non-US users, and can never be simply published on a Web
1425 site. Our product is freely available worldwide for immediate
1426 downloading, at no cost."
1428 FreeS/WAN provides privacy against both quiet eavesdropping (such as
1429 "packet sniffing") and active attempts to compromise communications
1430 (such as impersonating participating computers). Secure "tunnels" carry
1431 information safely across the Internet between locations such as a
1432 company's main office, distant sales offices, and roaming laptops. This
1433 protects the privacy and integrity of all information sent among those
1434 locations, including sensitive intra-company email, financial transactions
1435 such as mergers and acquisitions, business negotiations, personal medical
1436 records, privileged correspondence with lawyers, and information about
1437 crimes or civil rights violations. The software will be particularly
1438 useful to frequent wiretapping targets such as private companies competing
1439 with government-owned companies, civil rights groups and lawyers,
1440 opposition political parties, and dissidents.
1442 FreeS/WAN provides privacy for Internet packets using the proposed
1443 standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN
1444 negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
1445 keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern
1446 $500 PC can set up a tunnel in less than a second, and can encrypt
1447 6 megabits of packets per second, easily handling the whole available
1448 bandwidth at the vast majority of Internet sites. In preliminary testing,
1449 FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
1450 Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code,
1451 its innards are open to review by outside experts and sophisticated users,
1452 reducing the chance of undetected bugs or hidden security compromises.
1454 The software has been in development for several years. It has been
1455 funded by several philanthropists interested in increased privacy on
1456 the Internet, including John Gilmore, co-founder of the Electronic
1457 Frontier Foundation, a leading online civil rights group.
1460 Hugh Daniel, +1 408 353 8124, hugh@toad.com
1461 Henry Spencer, +1 416 690 6561, henry@spsystems.net
1463 * FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
1464 Security, Inc; used by permission.</pre>