"LAWFUL USE OF ENCRYPTION.-It shall be lawful for any person within any State of the United States... to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used...
except as provided in this Act... or in any other law."
-- Senate Bill S.1587 - The Encrypted Communications Privacy Act
introduced 5 March 1996 by Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA)
details & analysis available from Electronic Privacy Information Center
and Voters Telecommunications Watch
The Main Page:
CRYPTO•LOG TM
The Internet Guide to Cryptography
Updated Friday 29 March 1996
Table of Contents:
- Algorithms & Mathematics for Cryptography
- Archives (FTP & WWW servers of documents, programs & source code)
- Bibliographies, Periodicals, E-Journals, Books, Databases, Internet Searchers
- Calendar (conferences, meetings, workshops)
- Disk & File System Encryption (SFS, Secure Drive, etc.)
- Key Escrow (Clipper & "GAK")
- Laws & Regulations (ITAR, export issues, etc.)
- Links to introductions and personal pages on cryptography
- Network & Internet Security (SSL, SHTTP, Kerberos, etc.)
- Newsgroups, FAQs and Mailing Lists
- Organizations: Academic, Commercial, Government, Policy, Technical & Professional
- Policy Discussions (see also: Policy Organizations, Laws & Regulations, Key Escrow)
- Protocols & Standards (IETF)
- Software (products, programs and source code; PGP, IDEA, etc.)
- Steganography (hiding information within noise)
- Voice Encryption (telephone security, wiretapping threats)
- Vulnerabilities (risks, defects, hacks and cracks)
Algorithms & Mathematics for Cryptography - under construction
- Tatu Ylönen's Comments on Cryptographic Algorithms gives excellent summaries of algorithms in current use
- Prof. Ron Rivest's links to many cryptography research sites
- Terry Ritter's papers on Dynamic Substitution and Dynamic Transposition ciphers
- thesis on data-compression & MPJ, DOS-wipe, PGP utils
- archives of preprints on mathematical K-Theory
- Colloquium at Univ. of Carleton, Canada
- DES source code
- DIMACS Seminars on Complexity Theory & Cryptography (1991)
- Random Numbers:
- Cryptography Policy & Algorithms Conf, Australia (July 95)
- cryptology research at University of Cambridge
- links to math resources
- elliptic curve cryptography - crypto applications of modular elliptic functions:
- quantum cryptography - use of quantum indeterminacy for encryption & data security:
- wavelets used for data compression might also have applications in cryptography
- Sandy Harris proved 2 lemmas to Fermat's Theorem which may be useful in RSA factorization:
- i^(p^n) == i mod p; where p is prime, i and n are integers
- i^(n^s) == i^(n^3) mod s; where s is a strong prime, s=2r+1, r prime
- files on factorization at Oxford in .uk include:
- see also: Academic Organizations, Bibliographies, Conferences, Protocols, Software.
Archives
(FTP & WWW access to documents, programs & source code)
Bibliographies, Periodicals, E-Journals, Books, Databases, Internet Searchers
- Bibliographies:
- Lawrie Brown's Cryptography Bibliography ~800 searchable entries
- Computer Science Bibliography "Glimpse" Searcher yields ~500 hits on "cryptography" in a 290kb HTML file. Glimpse is a searcher front-end for the massive Computer Science Bibliography Collection (~500k entries!) at University of Karlsruhe (U.K. mirror site), which includes the following searchable bibliographies on cryptography:
- Prof. Ron Rivest's bibliographies on Cryptography & Security and on Algorithms are included in the Computer Science Bibliography Collection (previous item), where they are easier to search online than the BibTeX files at Rivest's MIT site
- CTRS Cryptography Technical Reports Server (abstracts & links to ~20 reports)
- Sean Irvine's Cryptography Abstracts has 1400+ entries, with strongest coverage of work from the 1980s
- Douglas Stinson's Bibliography on Authentication Codes (~90 refs. Jan 1996)
- Douglas Stinson's Bibliography on Secret Sharing Schemes (~160 refs. Dec 1995)
- Cybanim (a developer of cryptographic software) provides:
- "Crypto Quotes" - news bits from popular & technical press, Australian slant
- "Crypto References" - brief cites to several hundred technical & academic papers
- CSIS' list of ~400 references on computer security
- COAST Security Archive holds abstracts & links to several hundred papers on computer security; ~20 cryptography papers in FTP archive; ~16 abstracts in cryptography
- Springer's Index to Lecture Notes in Computer Science, Vols. 500-1000 (which includes many of the Crypto and EuroCrypt conferences), yields 120+ hits on "cryptography"
- publications list of E.I.S.S. (European Institute for System Security, Univ. Karlsruhe, Germany)
- publications list of GRECC-LIENS group (Ecole Normale Supérieure, France)
- publications list of SCSI-ULB group (Brussels Free University, Belgium)
- publications list of SIRENE group (Univ. Hildesheim, Germany)
- Periodicals (printed):
- E-Journals (online newsletters):
- Books & Publishers:
- TitleBank of academic publishers lists 24 in-print books on "cryptography".
- Aegean Park Press publishes ~80 titles on cryptography.
- Applied Cryptography by Bruce Schneier; Wiley, 2nd. ed., 1995; major update of the primary reference on applied cryptography; errata and source code for several dozen algorithms are available; essential for programmers developing cryptographic applications
- Cryptography: Theory and Practice, by Douglas R. Stinson; CRC Press, March 1995; text on cryptography theory and applications, examples in pseudocode; see also Stinson's bibliographies on Secret Sharing Schemes and Authentication Codes
- PGP Source Code and Internals by Philip R. Zimmermann; MIT Press, 1995.
- Official PGP User's Guide by Philip R. Zimmermann; MIT Press, 1995.
- Building In Big Brother: The Cryptographic Policy Debate, edited by Lance J. Hoffman; Springer-Verlag, March 1995, $29.95, ISBN 0-387-94441-9.
- Springer-Verlag (New York) publishes proceedings of IACR conferences (Crypto, EuroCrypt, AsiaCrypt, etc.); many are out of print.
- BookWire Index - a comprehensive list of book publishers
- Databases:
These databases attempt to cover broad areas (computer science, etc.), but their coverage of cryptography is poor compared to the specialized Bibliographies listed above.
Calendar
(conferences, meetings, and workshops on cryptography & related fields)
- a large Calendar maintained by the UCL Crypto Group lists 100+ conferences on cryptography and computer security in 1996, including those sponsored by ACM, IEEE, Internet Society, IACR, IFIP, and many other organizations.
- Hypercalendar of Cipher (newsletter of the IEEE's Computer Society Technical Committee on Security & Privacy) lists 60+ conferences on computer security.
- major conferences on cryptography:
- 1996 Nov 3-7: AsiaCrypt '96; S. Korea; sponsored by IACR.
- 1996 Sep 23-27: 4th UK/Australian Int'l. Symposium on DSP for Communication Systems; Perth, W. Australia; sponsored by IEEE, CRC-BTN, IEE.
- 1996 May 30 - Jun 1: Workshop on Information Hiding; U. Cambridge, UK.
- 1996 May 18-23: ANTS II Algorithmic Number Theory Symposium II; U. Bordeaux, France.
- 1996 May 12-16: EuroCrypt '96; Zaragoza, Spain; sponsored by IACR.
- 1996 Apr 10-13: 4th Workshop on Cryptographic Protocols; U. Cambridge, UK.
- 1996 Feb 21-23: Workshop on Fast Software Encryption; U. Cambridge, UK.
- 1996 Jan 17-19: RSA Data Security Conference; San Francisco, CA.
- 1996 Jan-Jun: Programme on Computer Security, Cryptology & Coding Theory; Cambridge, UK.
- 1995 Jul 1-3: Cryptography Policy & Algorithms Conference; Queensland, Australia.
- major conferences on computer security:
- 1996 Dec 9-13: 12th Computer Security Applications Conference; San Diego, CA; sponsored by IEEE Computer Society, ACM, ACSAC.
- 1996 Sep 23-24: Communications and Multimedia Security; Joint Working Conference of IFIP TC-6 & TC-11; Univ. Essen, Germany; sponsored by IFIP.
- 1996 Sep 16-19: New Security Paradigms '96; Lake Arrowhead, CA; sponsored by ACM-SIGSAC, US DoD, Aerospace Institute.
- 1996 Aug 31 - Sep 2: Int'l Workshop on Advanced Transaction Models & Architectures; Goa, India.
- 1996 Jul 22-26: 6th USENIX UNIX Security Symposium Focusing on Applications of Cryptography; San Jose, California; sponsored by USENIX Association.
- 1995 Dec 11-15: 11th Computer Security Applications Conference; New Orleans, LA; sponsored by IEEE Computer Society, ACM, ACSAC.
- see also: NIST Computer Security Events Calendar
- major conferences on privacy and cryptography policy:
- 1996 Sep 16: Advanced Surveillance Technologies II; Ottawa, Canada; sponsored by EPIC and Privacy International
- 1996 Jun 24-26: Australasian Conference on Information Security and Privacy; New South Wales, Australia; sponsored by Australasian Society for Electronic Security and University of Wollongong; contact: Jennifer Seberry.
- 1996 May 9-11: Visions of Privacy for the 21st Century: A Search for Solutions; Victoria, British Columbia; sponsored by Privacy Commissioner for British Columbia and University of Victoria.
- 1996 May 6-8: IEEE Symposium on Security and Privacy; Oakland, CA; sponsored by IEEE.
- 1996 Mar 27-30: CFP'96: 6th Conference on Computers, Freedom & Privacy; MIT, Cambridge, MA; sponsored by MIT, ACM, and WWW Consortium.
- 1996 Apr 18-20: Conference on Technological Assaults on Privacy; Rochester Institute of Technology, Rochester, NY; Contact Wade Robison.
- 1996 Feb 29 - Mar 2: Technologies of Freedom: Blueprints for Action; Washington, DC; sponsored by Alliance for Public Technology; contact Ruth Holder.
- 1996 Feb 7-8: Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure; Canberra, Australia; sponsored by Australian Government and OECD.
- 1995 Sep 4: Conference on Advanced Surveillance Technologies; Copenhagen; sponsored by Privacy International.
- 1995 Jul 1-3: Cryptography Policy & Algorithms Conference; Queensland, Australia.
- 1995: audio tracks (WAV files) of CFP'95 conference.
Disk & File System Encryption
- disk encryption for "on-the-fly" encryption of an entire disk partition:
- Peter Gutmann's SFS Secure File System - a DOS device driver that uses SHA in feedback mode; alternate FTP site in .nl
- Edgar Swank's SecureDrive - a TSR hook for DOS that uses IDEA; available by FTP from CSN (get disk/secdr14a.zip), Cypherpunks archive, or sites in .nl, .dk, and .it
- Secure Device - a DOS device driver that encrypts a virtual, file-hosted volume with IDEA
- Matt Blaze's CFS Cryptographic File System - a UNIX device driver that uses DES; source code in files cfs112.tar.gz and cfs.1.3.shar.gz
- Will Price's CryptDisk - shareware Macintosh encryption system using IDEA-CFB (v.1.2.1 Jan 1996); available from FTP sites in U.S., another U.S., .dk, and .nl; older versions available by FTP from .ie (v.1.2) and .de (v.1.03); source code available
- Kent Marsh's FolderBolt for Mac (?)
- file encryption for manual encryption of individual files:
- use PGP with the -c option
- Kent Briggs' Puffer 2.0 for Windows encrypts files and email using PC1 (a 40-bit stream cipher similar to RC4) in the shareware version, or the 160-bit Blowfish block cipher in the registered version; data-compression and file wiping options included
- HPACK incorporates strong encryption with a file-archiver (like PK-ZIP) for many platforms
- Diamond Lock v.2 for DOS & UNIX, with source code; older version here
- Encryptlet - an AppleScript droplet that encrypts files by drag-and-drop onto a Desktop Encryptor icon; cryptographically agile, can use AppleScript-aware version of MacPGP
- TeamWARE Crypto - commercial product for on-the-fly encryption of single files via FEAL-8 cypher; user interface is integrated with Windows File Manager
- Curve Encrypt (Mac) - version 2.2 available by FTP from .dk and .it
- Quicrypt (DOS) - need info?
- Atbash2 (DOS) - ZIP'ed file available by FTP from .dk and .it
- file-wipe utilities overwrite deleted files to prevent their recovery; see Galacticus' Anonymity, Privacy, and Security pages
Key Escrow
- Clipper and "GAK" (government access to crypto keys)
Laws & Regulations
(ITAR, export issues, etc.)
- NEWS FLASH: Senate Bill S.1587 (the Encrypted Communications Privacy Act), introduced 5 March 1996 by Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA), *appears* to affirm Americans' rights to use cryptography of their own choosing, and to *not* use key escrow systems. But VTW points out that Rep. Goodlatte introduced "the fatal amendment that made the House version of the Telecomm Bill [Communications Decency Act] unsupportable"; and EPIC's analysis warns of "unnecessary and potentially dangerous provisions" in S.1587:
- "sets out the first criminal penalties yet proposed for the domestic use of encryption"
- "does little to roll back the deployment of Clipper-inspired key-escrow encryption"
- "does not go far enough in removing antiquated controls on the export of encryption technology"
- NEWS FLASH: U.S. State Department ruling amends ITAR to create an exemption for the "temporary export of cryptographic products for personal use," effective 16 Feb 1996.
- International Crypto Law Survey by Bert-Jaap Koops covers ~30 countries
- U.S. ITAR Regulations full text (130+ pp.) from Federal Register v.58, #139
- U.S. Arms Export Control Act (22 U.S.C. 2778): ~60 full-text excerpts from U.S. Code Online (Internet Law Library); this is the law under which ITAR was created
- U.S.: EPIC's Cryptography Policy Page covers news and analysis
- U.S.: documents on crypto export issues are archived by John Gilmore and by EFF
- U.S.: saga of Phil Karn's request to export Bruce Schneier's Applied Cryptography book & disk
- U.S.: GPO Access - searchable full-text of U.S. Code, Federal Register, Congressional Record, legislative calendars, etc., from U.S. Government Printing Office
- Australian Crypto Regulations - review by Matt Gream (Jan 1995)
- Belgian Government plans to restrict Encryption - report on legislation passed 21 Dec 1995
- Canadian Cryptography Export Controls
- European Governments Agree to Ban Strong Crypto - Council of Europe agreed (8 Sep 1995) to outlaw unescrowed strong encryption, per Communications Week Int'l. #151, reported by Ross Anderson's Risks Digest v17 #36
- Reports by Stuart A. Baker (former NSA Chief Counsel, now in private law practice):
- Michael Froomkin (Assoc. Prof. at Univ. of Miami Law School) reports on cryptography, remailers, e-cash, and the internet.
- see also: Policy Organizations, Policy Discussions
Links
- to more cryptography resources:
Network & Internet Security
- SSL (Secure Sockets Layer for TCP/IP): SSL v3.0 specification, Netscape's overview
- SSLeay & SSLapps FAQ - free SSL implementation without crippled encryption; FTP site
- SSLP Project
- Tom Ruess' list of 100+ sites on internet security; Ruess is implementing a secure web browser/server by splicing SSL (with strong crypto from non-US sources) into NCSA's XMosaic
- SHTTP Secure Hypertext Transfer Protocol
- internet security
- Lance Cottrell's page on remailers & net security
- Vasco Data Security time-phased password device
- Mosaic: search for "encryption" in all files at NCSA's MOSAIC site returns 54 hits
- review of public-key certification schemes by Carl Ellison (1 March 1996)
- S/KEY Internet Draft for Bellcore's 1-time password system; FTP archives Bellcore and at first.org
- document-marking for security
- Computer & Communications Security Reviews (by Ross Anderson); FTP site
- SSH (Secure Shell) - secure UNIX rlogin, rsh, rcp; FAQ, binaries v1.2.12
- FAQs on sniffers, anonymous FTP & intruder-detection in UNIX
- FAQs on Firewalls & Internet Security by Marcus Ranum (V-One Corp.)
- Kerberos (network user-authentication protocol): FAQ, newsgroup, programs & source code avail. at FTP sites in .us and .nl
- Cygnus Network Security system based on Kerberos
- SESAME - an enhanced public-domain version of Kerberos; can replace Kerberos in DCE; an ECMA standard; Internet drafts are filed to progress it to an RFC (Feb 1996)
- Security Bug in Kerberos 4.0 reported by 2 Purdue students; caused by inadequate RNG operation; similar to the Netscape Crack by CS students at UC Berkeley in fall 1995
- "Decentralized Trust Management" - paper by Matt Blaze (with Joan Feigenbaum and Jack Lacy) on alternatives to traditional (X.509, PGP, etc.) identity-based certificates, to be presented at the Oakland Security Conference in May 1996
- MOSS (MIME Object Security Services) is a proposed Internet Standard (RFC 1847 & RFC 1848, Oct 1995) for adding Privacy Enhanced Mail services (encryption and authentication) to MIME e-mail; developed by Trusted Information Systems with ARPA funding; UNIX source code is available; performs similar services as Zimmermann's PGP and RSA's S/MIME
- Decense - a new suite of Perl scripts (v0.10 alpha) which provides anonymous access to web servers, designed to defeat censorship of the net, released Feb 1996 by Ray Cromwell
- SAIC Documents (from Science Applications International Corp.) on security of WWW servers, firewalls, TCP/IP protocols, etc.
- see also: Protocols
Newsgroups, FAQs and Mailing Lists
Organizations, Academic
(universities & institutes, in alphabetical order by country)
- SCSI-ULB (Cryptography & Computer Security Section in CS Dept. at Brussels Free University, Belgium)
- COSIC (Computer Security & Industrial Cryptography Group, EE Dept. of Katholieke Universiteit Leuven, Belgium)
- Cryptology Group at UCL (Université Catholique de Louvain, Belgium)
- Laboratory for Theoretical & Quantum Computing (Université de Montréal, Canada)
- GRECC-LIENS (Groupe de Recherche En Complexité et Cryptographie at Ecole Normale Supérieure, France)
- LIX (Computer Science Laboratory at École Polytechnique, France) - computational number theory and algorithms (F. Morain, R. Lercier)
- D.E.A. Algorithmique (France) - complexity, coding, and cryptography (J. Stern)
- SIRENE (Security In Computer Networks Group, Univ. Hildesheim, Germany) - crypto applications in anonymity, authentication, and digital payment systems; mirror site at IBM Zürich
- EISS (European Institute for System Security, Univ. Karlsruhe, Germany) - TESS system of crypto primitives built on modular exponentiation; escrowed-key cryptography
- Information Security & Cryptography Research Group (ETH Zürich, Switzerland)
- Cryptography and Information Security Group (M.I.T.) - founded by Profs. Goldwasser, Micali, and Rivest
- CSIS (Center for Secure Information Systems at George Mason University) - security in large computer systems
- NPAC (Northeast Parallel Architectures Center) - RSA factorization
- UMBC-STRG (Security Technology Research Group at Univ. Maryland Baltimore Campus) - quantum cryptography & computation, net security
- U. Mass Theoretical Computer Science Group - algebraic algorithms & complexity theory (S. Landau)
- Computer Security Research Laboratory (Univ. California, Davis) - intrusion detection research sponsored by NSA, ARPA & LLNL
- International Cryptography Institute and Prof. Denning's "Cryptography Project"
- Network Systems Research Group (U. Arizona) - experimental study of protocols for end-to-end encryption in high speed networks
- courses and seminars:
Organizations, Commercial
- IBM: SecureWay is IBM's line of security products and services for Internet and business applications, including cryptographic hardware & software, secure Internet browsers, servers, gateways and firewalls, and embedded cryptography for Lotus Notes.
- IBM and RSA announced (Jan 1996) a joint project to modify RSA's BSAFE encryption engine and IBM's Common Cryptographic Architecture (CCA) to allow applications developed with RSA's toolkits to access IBM's cryptographic hardware.
- Open Blueprint is IBM's grand architecture for distributed client/server computing, and includes a cryptographic security component
- IBM's Zurich Research Center is a mirror site for the European SIRENE group (Security Research in Computer Networks)
- Math Works, Inc. - developer of general-purpose computational software (MatLab, signal processing toolkits, etc.)
- Microsoft:
- Microsoft CAPI (Cryptographic API) - enables Win32 applications to encrypt or digitally sign data using independent modules called cryptographic service providers (CSPs); announced Jan 1996, expected release in 1Q '96 for WinNT
- Microsoft PCT (Private Communication Technology) - Internet draft of Microsoft's "enhancements" to Netscape's SSL protocol for general-purpose encryption & authentication of internet messages released Oct 1995; PCTRef v1.0 Source Code for WinNT & Linux (released Jan 1996); more info from Microsoft
- RSA Data Security, Inc. (RSADSI) - major developer/vendor of cryptography software:
- Trusted Information Systems, Inc. (TIS):
- VeriSign, Inc. - developer of Digital IDs for electronic commerce; announced plans (Jan 1996) to incorporate Digital ID's into secure email programs from Banyan, ConnectSoft, Frontier, Netscape and Worldtalk
- CRYPTOCard Corp. - user authentication tokens for network access control
- see also: Protocols, Software
Organizations, Government
- NSA (U.S. National Security Agency) official home page, original charter
- NIST (U.S. National Institute of Standards & Technology) Computer Security Resource Clearinghouse
- FAQ on NSA and NIST and their role in commercial cryptography, by RSA Data Security, Inc. (May 1995)
- DARPA's Information Technology Office (ITO) sponsors computer research in many fields, including:
- Federal Internet Security Plan (FISP) - defines Internet security requirements for federal agencies; from the Federal Networking Council's Privacy & Security Working Group
- Collaborations In Security (CIS) - a group of federal agencies and contractors who collaborate in testing computer security hardware and software
- NASA's Advanced Network Applications (ANA) project is creating a prototype for the U.S. Postal Service of a "national trusted messaging infrastructure" that requires "public-key identity certificates" for sending e-mail
- CSE (Canadian Communications Security Establishment) - NSA's Canadian counterpart: official and unofficial home pages
- NRL-ITD U.S. Naval Research Laboratory - Information Technology Division
- Navy INFOSEC - U.S. Navy Information Security Program mission & organization
- "Rainbow Books" online - DOD/NSA criteria for trusted computer systems
- AJAX pointers to official home pages of ~80 military & government agencies (mostly U.S.)
- FBI (U.S. Federal Bureau of Investigation) official home page
- DECA program (Development of Espionage, Counterintelligence & Counterterrorism Awareness) deals with economic, industrial, and technological intelligence gathering
- Above the Law is a new book (Scribner 1996) about the controversial surveillance activities and political agenda of the U.S. Justice Department & FBI
- Digital Telephony Initiative and CALEA (Communications Assistance for Law Enforcement Act of 1994) - FBI plan for automated surveillance of millions of phone lines
- newsgroup: alt.politics.org.fbi
- GPO Access - searchable full-text of U.S. Code, Federal Register, Congressional Record, legislative calendars, etc., from U.S. Government Printing Office
- U.S. Code Online - searchable full-text of U.S. Code from Internet Law Library
- Government Privacy Commissions (not yet directly concerned with cryptography):
Organizations, Policy & Public Interest
Organizations, Technical & Professional
- IACR International Association for Cryptologic Research
- SIAM Society for Industrial and Applied Mathematics
- ACM Association for Computing Machinery
- ACM SIGACT Special Interest Group on Algorithms and Computation Theory
- ACM SIGSAC Special Interest Group on Security, Audit and Control
- IEEE Institute of Electrical & Electronic Engineers
- IETF (Internet Engineering Task Force) and the IETF Security Working Groups
- W3C (WWW Consortium) and the W3C Security Group
Policy Discussions
Protocols & Standards
- standardized algorithms and cryptographic systems are the foundations for many higher-level security protocols:
- internet security protocols:
- PGP Internet Drafts:
- network security protocols:
- credit card protocols for encrypted internet transactions - the newest standard (SET) emerged from two now obsolete proposals (SEPP and STT) from competing camps:
- digital cash protocols for secure electronic payments:
- see also: Network & Internet Security, Software
Software
(products, programs and source code)
- Applied Cryptography by Bruce Schneier; Wiley, 2nd. ed., 1995; a major update of the primary reference on applied cryptography; errata and source code for several dozen algorithms are available; essential for programmers developing cryptographic applications
- CryptoLib 1.1 by Jack Lacy (AT&T Bell Labs) - library of primitives for building cryptographic applications; runs under Unix, DOS, and Windows 3.1, NT, and 95; source code available in US & Canada by e-mail request, or by FTP from sites in .it and .au
- Crypto++ 2.0 - a free C++ class library of many cryptographic primitives, by Wei Dai (who also runs an experimental PGP-based Time Stamp Service)
- Peter Gutmann's CryptLib - a free "universal interface" in ANSI C to the major conventional-key (symmetric) algorithms (incl. code for MDC/SHS, DES, 3DES, IDEA, RC4, and SAFER), plus well-planned infrastructure for adding more
- Cybanim produces cryptographic software and free info:
- SIFR, a PEM-style eMail Sign and Cipher; RSA or LUC public keys & tDES encryption
- Cryptographic Libraries (RSA, DH, DSA, Fiat-Shamir, GQ, ZK etc.)
- Kuttaka Large Integer Calculator - free DOS program; r^b mod c, Lucas Sequences, etc.
- "Crypto Quotes" - news bits from popular & technical press, Australian slant
- "Crypto References" - brief cites to several hundred technical & academic papers
- DES (Data Encryption Standard):
- IDEA (International Data Encryption Algorithm):
- Diceware for Passphrase Generation: Reinhold's papers and random word tables
- Snefru hash function
- MIRACL V3.3 (Multiprecision Integer & Rational Arithmetic C Library) - C code with C++ interfaces for manipulation of large fixed-length integers; uses in-line assembler for 80x86 processors; sample programs for modern factoring algorithms, public key systems, DSS, discrete logs; 82 pp. manual; free for non-commercial use.
- Dynamic Substitution and Dynamic Transposition ciphers by Terry Ritter
- IMD5 - an implementation of MD5 (message digest algorithm defined in RFC1321) via the "Component Object Model" (COM) within Microsoft's OLE system
- Macintosh cryptography software:
- PGP (Pretty Good Privacy) - Phil Zimmermann's public-key e-mail security system
- PGP Shells & Utilities - interface PGP to e-mail, file systems, networks, etc.
- a large page of links to PGP front-ends and shells for Windows, DOS, Unix, OS/2, & Mac, maintained by Scott Hauert
- PGP interfaces for e-mail programs:
- PgpEudra 0.20 - a PGP-shell that runs as an extension to the 16-bit Eudora versions
- WinPMAIL - interface to Pegasus Mail (Windows)
- PGP interfaces for operating systems:
- PGP-based time-stamp services attach a dated non-forgeable PGP signature to messages you submit:
- RIPEM
- Mark Riordan's Internet Privacy Enhanced E-Mail system
- CRYPT.SCM is a small library of cryptographic functions written by Ulf Möller in "Scheme". Scheme is an algorithmic language (written in C) defined by IEEE P1178, and runs under many OS's including DOS, OS/2 and Unix.
- NOISE.SYS, a random-noise device driver for DOS; source incl., 386 req'd.
- Ruby Block Cipher - a simple block cypher (although it cannot be used in Electronic Codebook mode) similar to a cryptographic hash function with a block size of 64 bits; more info
- Python Cryptography Toolkit - free software (hash, en/decrypt, public-key, etc) for Python (an interpreted object-oriented language similar to Perl or Java) by Andrew Kuchling (Aug 1995); FTP site
- CYPRIS (CrYPtographic RISc processor) - a coprocessor chip developed by Lockheed-Martin Advanced Technology Labs for DoD applications requiring "algorithm agile" reprogrammable cryptography; may also have business/commercial applications
- Enigma - a software version of the famous WW2 crypto machine, and other cryptographic software
- "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" (a report commissioned by Business Software Alliance) by M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener; Jan 1996; Matt Blaze comments that "more efficient attacks than those we considered might also be possible and should be taken into account by the prudent cryptosystem designer;" ASCII text and PostScript format
- see also: Archives, Commercial Organizations, Protocols
Steganography
- hiding information within noise; a way to supplement (not replace) encryption, to prevent the existence of encrypted data from being detected
Voice Encryption
(telephone security, wiretapping threats) - 3 software programs listed below turn a computer (with modem and sound card) into a secure telephone, using speech compression and strong encryption protocols to provide a secure real-time voice channel over the public telephone system or Internet:
- PGPfone - Windows'95/NT version 1.0b1 available from FTP sites in .nl, .fi, and .no; release 1.0b6 for Macintosh (not compatible with previous versions) available from FTP site in .nl; source code available "shortly"
- Nautilus v1.0a - voice encryption for DOS and Unix; source code avail.; alternate FTP sites in .it, .uk, and .fi
- Speak Freely - Windows application that encrypts and sends real-time voice data over a network; supports encryption with DES, IDEA, or key file; supports PGP for key-exchange
- Louis Cypher (LC-1) - a prototype secure telephone unit that uses "fulltime RSA" encryption "for both the exchange of session keys and the data transfer itself"; developed by German students Huwig and Baller
- Digital Telephony Initiative and CALEA (Communications Assistance for Law Enforcement Act of 1994) - FBI plan for automated surveillance of millions of phone lines
- ATTILA is a traffic analyzer for public telephone and ATM/SONET networks developed for DoD; ATTILA has "powerful wire tapping capability" and can "define filters" to "trigger the capture of traffic on connections between... specified originating and/or terminating call addresses (with wild card fields). The captured traffic could be displayed (heard/seen) in real time or stored in memory for later playback."
- Technical Surveillance Countermeasures - extensive information on wiretapping threats and (non-cryptographic) countermeasures
Vulnerabilities
- risks & defects in cryptography-based security systems
- Timing Attack - precise CPU timing of cryptographic computations can reveal key information
- Paul Kocher's paper (Dec 1995) brought widespread attention to the timing attack problem
- RSA's Comments explain how the timing attack is easy to guard against
- Matt Blaze's quantize code for Unix and Win32 defeats the timing attack by inserting a delay time in crypto computations
- Bugs Bounty: Community Connexion offers prizes for discovery of security bugs in Netscape, Win95, and Java
- security defects in Microsoft's Windows NT and Win95:
- Netscape Cracked - Ian Goldberg and David Wagner (CS students at UC Berkeley), writing in Dr. Dobb's Journal (Jan 1996), describe weaknesses they found in the PRNG of Netscape's SSL implementation; see also their report on crypto-quality pseudo-random numbers
- Flaw in Kerberos 4.0 reported by 2 Purdue students; caused by inadequate RNG operation, similar to Netscape SSL flaw (previous item)
- "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" (report commissioned by Business Software Alliance) by M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener; Jan 1996; Matt Blaze comments that "more efficient attacks than those we considered might also be possible and should be taken into account by the prudent cryptosystem designer;" ASCII text and PostScript format
- UNIX sendmail can be exploited to gain root access; this attack can be hidden in JavaScript (see next item) and works behind firewalls
- JAVA and JavaScript pose serious security hazards, not because of any weakness in cryptography, but because security was not part of their original design. Current versions lack features for configurability, authentication, and control over whose applets or scripts are run. Fixes to these security holes will likely incorporate encryption technology.
- more on crack of Netscape
- RSA factorization
- BellCore report on RSA factorization
- NPAC Northeast Parallel Architectures Center - RSA factorization
- PGP Attack FAQ - review of how PGP might be attacked or compromised (Feb 1996)
- password crackers
COPYRIGHT (C) 1996 Robert G. Flower. All rights reserved.
Permission is granted to any nonprofit nongovernment organization to reproduce any portion of this document, provided that this copyright notice is reproduced. Any other reproduction in part or in whole in any form or medium without explicit written permission of the copyright owner is prohibited.
Trademarks are the property of their respective owners.
DISCLAIMER:
This information is provided for research and educational purposes only. No warranty is made as to its accuracy, completeness, or suitability for any particular purpose. Cryptography technology is regulated in some countries. The reader is responsible for compliance with applicable laws.