<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="umltesting.html">Previous</A>
<A HREF="ipsec.html">Next</A>
<HR>
<H1><A name="politics">History and politics of cryptography</A></H1>
<P>Cryptography has a long and interesting history, and has been the
subject of considerable political controversy.</P>
<H2><A name="intro.politics">Introduction</A></H2>
<H3><A NAME="26_1_1">History</A></H3>
<P>The classic book on the history of cryptography is David Kahn's<A href="biblio.html#Kahn">
The Codebreakers</A>. It traces codes and codebreaking from ancient
Egypt to the 20th century.</P>
<P>Diffie and Landau's<A href="biblio.html#diffie"> Privacy on the Line:
The Politics of Wiretapping and Encryption</A> covers the history from
the First World War to the 1990s, with an emphasis on the US.</P>
<H4>World War II</H4>
<P>During the Second World War, the British "Ultra" project achieved one
of the greatest intelligence triumphs in the history of warfare,
breaking many Axis codes. One major target was the Enigma cipher
machine, a German device whose users were convinced it was unbreakable.
The American "Magic" project had some similar triumphs against Japanese
codes.</P>
<P>There are many books on this period. See our bibliography for
several. Two I particularly like are:</P>
<UL>
<LI>Andrew Hodges has done a superb<A href="http://www.turing.org.uk/book/">
biography</A> of Alan Turing, a key player among the Ultra
codebreakers. Turing was also an important computer pioneer. The terms<A
href="http://www.abelard.org/turpap/turpap.htm"> Turing test</A> and<A href="http://plato.stanford.edu/entries/turing-machine/">
Turing machine</A> are named for him, as is the<A href="http://www.acm.org">
ACM</A>'s highest technical<A href="http://www.acm.org/awards/taward.html">
award</A>.</LI>
<LI>Neal Stephenson's<A href="biblio.html#neal"> Cryptonomicon</A> is a
novel with cryptography central to the plot. Parts of it take place
during WW II, other parts today.</LI>
</UL>
<P>Bletchley Park, where much of the Ultra work was done, now has a
museum and a<A href="http://www.bletchleypark.org.uk/"> web site</A>.</P>
<P>The Ultra work introduced three major innovations.</P>
<UL>
<LI>The first break of Enigma was achieved by Polish Intelligence in
1932. Until then most code-breakers had been linguists, but a different
approach was needed to break machine ciphers. Polish Intelligence
recruited bright young mathematicians to crack the "unbreakable"
Enigma. In July 1939, shortly before the war began, the Poles told their
British and French allies about this, putting Britain on the road to
Ultra. The British also adopted a mathematical approach.</LI>
<LI>Machines were extensively used in the attacks. First the Polish
"bomba" for attacking Enigma, then British versions of it (the "bombe"),
then machines such as Colossus for attacking other codes. By the end of
the war, some of these machines were beginning to closely resemble
digital computers. After the war, a team at Manchester University,
several old Ultra hands included, built one of the world's first actual
general-purpose digital computers.</LI>
<LI>Ultra made codebreaking a large-scale enterprise, producing
intelligence on an industrial scale. This was not a "black chamber",
not a hidden room in some obscure government building with a small crew
of code-breakers. The whole operation -- from wholesale interception of
enemy communications by stations around the world, through large-scale
code-breaking and analysis of the decrypted material (with an enormous
set of files for cross-referencing), to delivery of intelligence to
field commanders -- was huge, and very carefully managed.</LI>
</UL>
<P>So by the end of the war, Allied code-breakers were expert at
large-scale mechanised code-breaking. The payoffs were enormous.</P>
<H4><A name="postwar">Postwar and Cold War</A></H4>
<P>The wartime innovations were enthusiastically adopted by post-war and
Cold War signals intelligence agencies. Presumably many nations now
have some agency capable of sophisticated attacks on communications
security, and quite a few engage in such activity on a large scale.</P>
<P>America's<A href="glossary.html#NSA"> NSA</A>, for example, is said
to be both the world's largest employer of mathematicians and the
world's largest purchaser of computer equipment. Such claims may be
somewhat exaggerated, but beyond doubt the NSA -- and similar agencies
in other countries -- have some excellent mathematicians, lots of
powerful computers, sophisticated software, and the organisation and
funding to apply them on a large scale. Details of the NSA budget are
secret, but there are some published<A href="http://www.fas.org/irp/nsa/nsabudget.html">
estimates</A>.</P>
<P>Changes in the world's communications systems since WW II have
provided these agencies with new targets. Cracking the codes used on an
enemy's military or diplomatic communications has been common practice
for centuries. Extensive use of radio in war made large-scale attacks
such as Ultra possible. Modern communications make it possible to go
far beyond that. Consider listening in on cell phones, or intercepting
electronic mail, or tapping into the huge volumes of data on new media
such as fiber optics or satellite links. None of these targets existed
in 1950. All of them can be attacked today, and almost certainly are
being attacked.</P>
<P>The Ultra story was not made public until the 1970s. Much of the
recent history of codes and code-breaking has not been made public, and
some of it may never be. Two important books are:</P>
<UL>
<LI>Bamford's<A href="biblio.html#puzzle"> The Puzzle Palace</A>, a
history of the NSA</LI>
<LI>Hager's<A href="http://www.fas.org/irp/eprint/sp/index.html"> Secret
Power</A>, about the<A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
Echelon</A> system -- the US, UK, Canada, Australia and New Zealand
co-operating to monitor much of the world's communications.</LI>
</UL>
<P>Note that these books cover only part of what is actually going on,
and then only the activities of nations open and democratic enough that
(some of) what they are doing can be discovered. A full picture,
including:</P>
<UL>
<LI>actions of the English-speaking democracies not covered in those
books</LI>
<LI>actions of other more-or-less sane governments</LI>
<LI>the activities of various more-or-less insane governments</LI>
<LI>possibilities for unauthorized action by government employees</LI>
<LI>possible actions by large non-government organisations:
corporations, criminals, or conspiracies</LI>
</UL>
<P>might be really frightening.</P>
<H4><A name="recent">Recent history -- the crypto wars</A></H4>
<P>Until quite recently, cryptography was primarily a concern of
governments, especially of the military, of spies, and of diplomats.
Much of it was extremely secret.</P>
<P>In recent years, that has changed a great deal. With computers and
networking becoming ubiquitous, cryptography is now important to almost
everyone. Among the developments since the 1970s:</P>
<UL>
<LI>The US government established the Data Encryption Standard,<A href="glossary.html#DES">
DES</A>, a<A href="glossary.html#block"> block cipher</A> for
cryptographic protection of unclassified documents.</LI>
<LI>DES also became widely used in industry, especially regulated
industries such as banking.</LI>
<LI>Other nations produced their own standards, such as<A href="glossary.html#GOST">
GOST</A> in the Soviet Union.</LI>
<LI><A href="glossary.html#public">Public key</A> cryptography was
invented by Diffie and Hellman.</LI>
<LI>Academic conferences such as<A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">
Crypto</A> and<A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">
Eurocrypt</A> began.</LI>
<LI>Several companies began offering cryptographic products:<A href="glossary.html#RSAco">
RSA</A>,<A href="glossary.html#PGPI"> PGP</A>, the many vendors with<A href="glossary.html#PKI">
PKI</A> products, ...</LI>
<LI>Cryptography appeared in other products: operating systems, word
processors, ...</LI>
<LI>Network protocols based on crypto were developed:<A href="glossary.html#SSH">
SSH</A>,<A href="glossary.html#SSL"> SSL</A>,<A href="glossary.html#IPsec">
IPsec</A>, ...</LI>
<LI>Cryptography came into widespread use to secure bank cards,
terminals, ...</LI>
<LI>The US government replaced<A href="glossary.html#DES"> DES</A> with
the much stronger Advanced Encryption Standard,<A href="glossary.html#AES">
AES</A>.</LI>
</UL>
<P>This has led to a complex ongoing battle between various mainly
government groups wanting to control the spread of crypto and various
others, notably the computer industry and the<A href="http://online.offshore.com.ai/security/">
cypherpunk</A> crypto advocates, wanting to encourage widespread use.</P>
<P>Steven Levy has written a fine history of much of this, called<A href="biblio.html#crypto">
Crypto: How the Code Rebels Beat the Government -- Saving Privacy in
the Digital Age</A>.</P>
<P>The FreeS/WAN project is to a large extent an outgrowth of cypherpunk
ideas. Our reasons for doing the project can be seen in these quotes
from the<A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">
Cypherpunk Manifesto</A>:</P>
<BLOCKQUOTE> Privacy is necessary for an open society in the electronic
age. ...
<P>We cannot expect governments, corporations, or other large, faceless
organizations to grant us privacy out of their beneficence. It is to
their advantage to speak of us, and we should expect that they will
speak. ...</P>
<P>We must defend our own privacy if we expect to have any. ...</P>
<P>Cypherpunks write code. We know that someone has to write software to
defend privacy, and since we can't get privacy unless we all do, we're
going to write it. We publish our code so that our fellow Cypherpunks
may practice and play with it. Our code is free for all to use,
worldwide. We don't much care if you don't approve of the software we
write. We know that software can't be destroyed and that a widely
dispersed system can't be shut down.</P>
<P>Cypherpunks deplore regulations on cryptography, for encryption is
fundamentally a private act. ...</P>
<P>For privacy to be widespread it must be part of a social contract.
People must come together and deploy these systems for the common good.
...</P>
</BLOCKQUOTE>
<P>To quote project leader John Gilmore:</P>
<BLOCKQUOTE> We are literally in a race between our ability to build and
deploy technology, and their ability to build and deploy laws and
treaties. Neither side is likely to back down or wise up until it has
definitively lost the race.</BLOCKQUOTE>
<P>If FreeS/WAN reaches its goal of making<A href="intro.html#opp.intro">
opportunistic encryption</A> widespread so that secure communication
can become the default for a large part of the net, we will have struck
a major blow.</P>
<H3><A name="intro.poli">Politics</A></H3>
<P>The political problem is that nearly all governments want to monitor
their enemies' communications, and some want to monitor their citizens.
They may be very interested in protecting some of their own
communications, and often some types of business communication, but not
in having everyone able to communicate securely. They therefore attempt
to restrict availability of strong cryptography as much as possible.</P>
<P>Things various governments have tried or are trying include:</P>
<UL>
<LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian
and Canadian<A href="glossary.html#SIGINT"> signals intelligence</A>
agencies. See this<A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
collection</A> of links and this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">
story</A> on the French Parliament's reaction.</LI>
<LI>Other governments may well have their own Echelon-like projects. To
quote the Dutch Minister of Defense, as reported in a German<A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">
magazine</A>:<BLOCKQUOTE> The government believes not only the
governments associated with Echelon are able to intercept communication
systems, but that it is an activity of the investigative authorities
and intelligence services of many countries with governments of
different political signature.</BLOCKQUOTE> Even if they have nothing
on the scale of Echelon, most intelligence agencies and police forces
certainly have some interception capability.</LI>
<LI><A href="glossary.html#NSA">NSA</A> tapping of submarine
communication cables, described in<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">
this article</A>.</LI>
<LI>A proposal for international co-operation on<A href="http://www.heise.de/tp/english/special/enfo/4306/1.html">
Internet surveillance</A>.</LI>
<LI>Alleged<A href="http://cryptome.org/nsa-sabotage.htm"> sabotage</A>
of security products by the<A href="glossary.html#NSA"> NSA</A> (the US
signals intelligence agency).</LI>
<LI>The German armed forces and some government departments will stop
using American software for fear of NSA "back doors", according to this<A
href="http://www.theregister.co.uk/content/4/17679.html"> news story</A>.</LI>
<LI>The British Regulation of Investigatory Powers bill. See this<A href="http://www.fipr.org/rip/index.html">
web page</A> and perhaps this<A href="http://ars.userfriendly.org/cartoons/?id=20000806&mode=classic">
cartoon</A>.</LI>
<LI>A Russian<A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">
ban</A> on cryptography.</LI>
<LI>Chinese<A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">
controls</A> on net use.</LI>
<LI>The FBI's Carnivore system for covert searches of email. See this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">
news coverage</A> and this<A href="http://www.crypto.com/papers/carnivore-risks.html">
risk assessment</A>. The government had an external review of some
aspects of this system done. See this<A href="http://www.crypto.com/papers/carnivore_report_comments.html">
analysis</A> of that review. Possible defenses against Carnivore
include:
<UL>
<LI><A href="glossary.html#PGP">PGP</A> for end-to-end mail encryption</LI>
<LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A>
for server-to-server encryption</LI>
<LI>IPsec encryption on the underlying IP network</LI>
</UL>
</LI>
<LI>export laws restricting strong cryptography as a munition. See the<A href="#exlaw">
discussion</A> below.</LI>
<LI>various attempts to convince people that fundamentally flawed
cryptography, such as encryption with a<A href="#escrow"> back door</A>
for government access to data or with<A href="#shortkeys"> inadequate
key lengths</A>, was adequate for their needs.</LI>
</UL>
<P>Of course governments are by no means the only threat to privacy and
security on the net. Other threats include:</P>
<UL>
<LI>industrial espionage, as for example in this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">
news story</A></LI>
<LI>attacks by organised criminals, as in this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
large-scale attack</A></LI>
<LI>collection of personal data by various companies.
<UL>
<LI>for example, consider the various corporate winners of Privacy
International's<A href="http://www.privacyinternational.org/bigbrother/">
Big Brother Awards</A>.</LI>
<LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sells tools
to defend against this</LI>
</UL>
</LI>
<LI>individuals may also be a threat in a variety of ways and for a
variety of reasons</LI>
<LI>in particular, an individual with access to government or industry
data collections could do considerable damage using that data in
unauthorized ways.</LI>
</UL>
<P>One<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">
study</A> enumerates threats and possible responses for small and
medium businesses. VPNs are a key part of the suggested strategy.</P>
<P>We consider privacy a human right. See the UN's<A href="http://www.un.org/Overview/rights.html">
Universal Declaration of Human Rights</A>, article twelve:</P>
<BLOCKQUOTE> No one shall be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to attacks upon his
honor and reputation. Everyone has the right to the protection of the
law against such interference or attacks.</BLOCKQUOTE>
<P>Our objective is to help make privacy possible on the Internet using
cryptography strong enough that not even those well-funded government
agencies are likely to break it. If we can do that, the chances of
anyone else breaking it are negligible.</P>
<H3><A NAME="26_1_3">Links</A></H3>
<P>Many groups are working in different ways to defend privacy on the
net and elsewhere. Please consider contributing to one or more of these
groups:</P>
<UL>
<LI>the EFF's<A href="http://www.eff.org/crypto/"> Privacy Now!</A>
campaign</LI>
<LI>the<A href="http://www.gilc.org"> Global Internet Liberty Campaign</A>
</LI>
<LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer
Professionals for Social Responsibility</A></LI>
</UL>
<P>For more on these issues see:</P>
<UL>
<LI>Steven Levy, Newsweek's chief technology writer and author of the
classic "Hackers", has a new book,<A href="biblio.html#crypto"> Crypto: How
the Code Rebels Beat the Government--Saving Privacy in the Digital Age</A>
</LI>
<LI>Simson Garfinkel, Boston Globe columnist and author of books on<A href="biblio.html#PGP">
PGP</A> and<A href="biblio.html#practical"> Unix Security</A>, has written<A href="biblio.html#Garfinkel">
Database Nation: the death of privacy in the 21st century</A></LI>
</UL>
<P>There are several collections of<A href="web.html#quotes"> crypto
quotes</A> on the net.</P>
<P>See also the<A href="biblio.html"> bibliography</A> and our list of<A href="web.html#policy">
web references</A> on cryptography law and policy.</P>
<H3><A NAME="26_1_4">Outline of this section</A></H3>
<P>The remainder of this section includes two pieces of writing by our
project leader:</P>
<UL>
<LI>his<A href="#gilmore"> rationale</A> for starting this</LI>
<LI>another<A href="#policestate"> discussion</A> of project goals</LI>
</UL>
<P>and discussions of:</P>
<UL>
<LI><A href="#desnotsecure">why we do not use DES</A></LI>
<LI><A href="#exlaw">cryptography export laws</A></LI>
<LI>why<A href="#escrow"> government access to keys</A> is not a good
idea</LI>
<LI>the myth that<A href="#shortkeys"> short keys</A> are adequate for
some security requirements</LI>
</UL>
<P>and a section on<A href="#press"> press coverage of FreeS/WAN</A>.</P>
<H2><A name="leader">From our project leader</A></H2>
<P>FreeS/WAN project founder John Gilmore wrote a web page about why we
are doing this. The version below is slightly edited, to fit this
format and to update some links. For a version without these edits, see
his<A href="http://www.toad.com/gnu/"> home page</A>.</P>
<CENTER>
<H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A>
</H3>
</CENTER>
<P>My project for 1996 was to<B> secure 5% of the Internet traffic
against passive wiretapping</B>. It didn't happen in 1996, so I'm still
working on it in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we
can secure 20% the next year, against both active and passive attacks;
and 80% the following year. Soon the whole Internet will be private and
secure. The project is called S/WAN or S/Wan or Swan for Secure Wide
Area Network; since it's free software, we call it FreeSwan to
distinguish it from various commercial implementations.<A href="http://www.rsa.com/rsa/SWAN/">
RSA</A> came up with the term "S/WAN". Our main web site is at<A href="http://www.freeswan.org/">
http://www.freeswan.org/</A>. Want to help?</P>
<P>The idea is to deploy PC-based boxes that will sit between your local
area network and the Internet (near your firewall or router) which
opportunistically encrypt your Internet packets. Whenever you talk to a
machine (like a Web site) that doesn't support encryption, your traffic
goes out "in the clear" as usual. Whenever you connect to a machine
that does support this kind of encryption, this box automatically
encrypts all your packets, and decrypts the ones that come in. In
effect, each packet gets put into an "envelope" on one side of the net,
and removed from the envelope when it reaches its destination. This
works for all kinds of Internet traffic, including Web access, Telnet,
FTP, email, IRC, Usenet, etc.</P>
<P>The encryption boxes are standard PC's that use freely available
Linux software that you can download over the Internet or install from
a cheap CDROM.</P>
<P>This wasn't just my idea; lots of people have been working on it for
years. The encryption protocols for these boxes are called<A href="glossary.html#IPsec">
IPSEC (IP Security)</A>. They have been developed by the<A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">
IP Security Working Group</A> of the<A href="http://www.ietf.org/">
Internet Engineering Task Force</A>, and will be a standard part of the
next major version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
IPv6</A>). For today's (IP version 4) Internet, they are an option.</P>
<P>The<A href="http://www.iab.org/iab"> Internet Architecture Board</A>
and<A href="http://www.ietf.org/"> Internet Engineering Steering Group</A>
have taken a<A href="iab-iesg.stmt"> strong stand</A> that the Internet
should use powerful encryption to provide security and privacy. I think
these protocols are the best chance to do that, because they can be
deployed very easily, without changing your hardware or software or
retraining your users. They offer the best security we know how to
build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.</P>
<P>This "opportunistic encryption box" offers the "fax effect". As each
person installs one for their own use, it becomes more valuable for
their neighbors to install one too, because there's one more person to
use it with. The software automatically notices each newly installed
box, and doesn't require a network administrator to reconfigure it.
Instead of "virtual private networks" we have a "REAL private network";
we add privacy to the real network instead of layering a
manually-maintained virtual network on top of an insecure Internet.</P>
<H4>Deployment of IPSEC</H4>
<P>The US government would like to control the deployment of IP Security
with its<A href="#exlaw"> crypto export laws</A>. This isn't a problem
for my effort, because the cryptographic work is happening outside the
United States. A foreign philanthropist, and others, have donated the
resources required to add these protocols to the Linux operating
system.<A href="http://www.linux.org/"> Linux</A> is a complete, freely
available operating system for IBM PC's and several kinds of
workstation, which is compatible with Unix. It was written by Linus
Torvalds, and is still maintained by a talented team of expert
programmers working all over the world and coordinating over the
Internet. Linux is distributed under the<A href="glossary.html#GPL">
GNU Public License</A>, which gives everyone the right to copy it,
improve it, give it to their friends, sell it commercially, or do just
about anything else with it, without paying anyone for the privilege.</P>
<P>Organizations that want to secure their network will be able to put
two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM
or by downloading it over the net, and plug it in between their
Ethernet and their Internet link or firewall. That's all they'll have
to do to encrypt their Internet traffic everywhere outside their own
local area network.</P>
<P>Travelers will be able to run Linux on their laptops, to secure their
connection back to their home network (and to everywhere else that they
connect to, such as customer sites). Anyone who runs Linux on a
standalone PC will also be able to secure their network connections,
without changing their application software or how they operate their
computer from day to day.</P>
<P>There will also be numerous commercially available firewalls that use
this technology.<A href="http://www.rsa.com/"> RSA Data Security</A> is
coordinating the<A href="http://www.rsa.com/rsa/SWAN"> S/Wan (Secure
Wide Area Network)</A> project among more than a dozen vendors who use
these protocols. There's a<A href="http://www.rsa.com/rsa/SWAN/swan_test.htm">
compatibility chart</A> that shows which vendors have tested their
boxes against which other vendors to guarantee interoperability.</P>
<P>Eventually it will also move into the operating systems and
networking protocol stacks of major vendors. This will probably take
longer, because those vendors will have to figure out what they want to
do about the export controls.</P>
<H4>Current status</H4>
<P>My initial goal of securing 5% of the net by Christmas '96 was not
met. It was an ambitious goal, and inspired me and others to work hard,
but was ultimately too ambitious. The protocols were in an early stage
of development, and needed a lot more protocol design before they could
be implemented. As of April 1999, we have released version 1.0 of the
software (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">
freeswan-1.0.tar.gz</A>), which is suitable for setting up Virtual
Private Networks using shared secrets for authentication. It does not
yet do opportunistic encryption, or use DNSSEC for authentication;
those features are coming in a future release.</P>
<DL>
<DT>Protocols</DT>
<DD>The low-level encrypted packet formats are defined. The system for
publishing keys and providing secure domain name service is defined.
The IP Security working group has settled on an NSA-sponsored protocol
for key agreement (called ISAKMP/Oakley), but it is still being worked
on, as the protocol and its documentation is too complex and
incomplete. There are prototype implementations of ISAKMP. The protocol
is not yet defined to enable opportunistic encryption or the use of
DNSSEC keys.</DD>
<DT>Linux Implementation</DT>
<DD>The Linux implementation has reached its first major release and is
ready for production use in manually-configured networks, using Linux
kernel version 2.0.36.</DD>
<DT>Domain Name System Security</DT>
<DD>There is now a release of BIND 8.2 that includes most DNS Security
features.
<P>The first prototype implementation of Domain Name System Security was
funded by<A href="glossary.html#DARPA"> DARPA</A> as part of their<A href="http://www.darpa.mil/ito/research/is/index.html">
Information Survivability program</A>.<A href="http://www.tis.com">
Trusted Information Systems</A> wrote a modified version of<A href="http://www.isc.org/bind.html">
BIND</A>, the widely-used Berkeley implementation of the Domain Name
System.</P>
<P>TIS, ISC, and I merged the prototype into the standard version of
BIND. The first production version that supports KEY and SIG records is<B>
bind-4.9.5</B>. This or any later version of BIND will do for
publishing keys. It is available from the<A href="http://www.isc.org/bind.html">
Internet Software Consortium</A>. This version of BIND is not
export-controlled since it does not contain any cryptography. Later
releases starting with BIND 8.2 include cryptography for authenticating
DNS records, which is also exportable. Better documentation is needed.</P>
</DD>
</DL>
<H4>Why?</H4>
<P>Because I can. I have made enough money from several successful
startup companies, that for a while I don't have to work to support
myself. I spend my energies and money creating the kind of world that
I'd like to live in and that I'd like my (future) kids to live in.
Keeping and improving on the civil rights we have in the United States,
as we move more of our lives into cyberspace, is a particular goal of
mine.</P>
<H4>What You Can Do</H4>
<DL>
<DT>Install the latest BIND at your site.</DT>
<DD>You won't be able to publish any keys for your domain, until you
have upgraded your copy of BIND. The thing you really need from it is
the new version of<I> named</I>, the Name Daemon, which knows about the
new KEY and SIG record types. So, download it from the<A href="http://www.isc.org/bind.html">
Internet Software Consortium</A> and install it on your name server
machine (or get your system administrator, or Internet Service
Provider, to install it). Both your primary DNS site and all of your
secondary DNS sites will need the new release before you will be able
505 | to publish your keys. You can tell which sites these are by running the | |
506 | Unix command "dig MYDOMAIN ns" and seeing which sites are mentioned in | |
507 | your NS (name server) records.</DD> | |
508 | <DT>Set up a Linux system and run a 2.0.x kernel on it</DT> | |
509 | <DD>Get a machine running Linux (say the 5.2 release from<A href="http://www.redhat.com"> | |
510 | Red Hat</A>). Give the machine two Ethernet cards.</DD> | |
511 | <DT>Install the Linux IPSEC (Freeswan) software</DT> | |
512 | <DD>If you're an experienced sysadmin or Linux hacker, install the | |
513 | freeswan-1.0 release, or any later release or snapshot. These releases | |
514 | do NOT provide automated "opportunistic" operation; they must be | |
515 | manually configured for each site you wish to encrypt with.</DD> | |
516 | <DT>Get on the linux-ipsec mailing list</DT> | |
517 | <DD>The discussion forum for people working on the project, and testing | |
518 | the code and documentation, is: linux-ipsec@clinet.fi. To join this | |
519 | mailing list, send email to<A href="mailto:linux-ipsec-REQUEST@clinet.fi"> | |
520 | linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says | |
521 | "subscribe linux-ipsec". (You can later get off the mailing list the | |
522 | same way -- just send "unsubscribe linux-ipsec").</DD> | |
524 | <DT>Check back at this web page every once in a while</DT> | |
525 | <DD>I update this page periodically, and there may be new information in | |
526 | it that you haven't seen. My intent is to send email to the mailing | |
527 | list when I update the page in any significant way, so subscribing to | |
528 | the list is an alternative.</DD> | |
529 | </DL> | |
530 | <P>Would you like to help? I can use people who are willing to write | |
531 | documentation, install early releases for testing, write cryptographic | |
532 | code outside the United States, sell pre-packaged software or systems | |
533 | including this technology, and teach classes for network administrators | |
534 | who want to install this technology. To offer to help, send me email at | |
535 | gnu@toad.com. Tell me what country you live in and what your | |
536 | citizenship is (it matters due to the export control laws; personally I | |
537 | don't care). Include a copy of your resume and the URL of your home | |
538 | page. Describe what you'd like to do for the project, and what you're | |
539 | uniquely qualified for. Mention what other volunteer projects you've | |
540 | been involved in (and how they worked out). Helping out will require | |
541 | that you be able to commit to doing particular things, meet your | |
542 | commitments, and be responsive by email. Volunteer projects just don't | |
543 | work without those things.</P> | |
544 | <H4>Related projects</H4> | |
545 | <DL> | |
546 | <DT>IPSEC for NetBSD</DT> | |
547 | <DD>This prototype implementation of the IP Security protocols is for | |
548 | another free operating system.<A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz"> | |
549 | Download BSDipsec.tar.gz</A>.</DD> | |
550 | <DT>IPSEC for<A href="http://www.openbsd.org"> OpenBSD</A></DT> | |
551 | <DD>This prototype implementation of the IP Security protocols is for | |
552 | yet another free operating system. It is directly integrated into the | |
553 | OS release, since the OS is maintained in Canada, which has freedom of | |
554 | speech in software.</DD> | |
555 | </DL> | |
556 | <H3><A name="policestate">Stopping wholesale monitoring</A></H3> | |
557 | <P>From a message project leader John Gilmore posted to the mailing | |
558 | list:</P> | |
559 | <PRE>John Denker wrote: | |
560 | ||
561 | > Indeed there are several ways in which the documentation overstates the | |
562 | > scope of what this project does -- starting with the name | |
563 | > FreeS/WAN. There's a big difference between having an encrypted IP tunnel | |
564 | > versus having a Secure Wide-Area Network. This software does a fine job of | |
565 | > the former, which is necessary but not sufficient for the latter. | |
566 | ||
567 | The goal of the project is to make it very hard to tap your wide area | |
568 | communications. The current system provides very good protection | |
569 | against passive attacks (wiretapping and those big antenna farms). | |
570 | Active attacks, which involve the intruder sending packets to your | |
571 | system (like packets that break into sendmail and give them a root | |
572 | shell :-) are much harder to guard against. Active attacks that | |
573 | involve sending people (breaking into your house and replacing parts | |
574 | of your computer with ones that transmit what you're doing) are also | |
575 | much harder to guard against. Though we are putting effort into | |
576 | protecting against active attacks, it's a much bigger job than merely | |
577 | providing strong encryption. It involves general computer security, | |
578 | and general physical security, which are two very expensive problems | |
579 | for even a site to solve, let alone to build into a whole society. | |
580 | ||
581 | The societal benefit of building an infrastructure that protects | |
582 | well against passive attacks is that it makes it much harder to do | |
583 | undetected bulk monitoring of the population. It's a defense against | |
584 | police-states, not against policemen. | |
585 | ||
586 | Policemen can put in the effort required to actively attack sites that | |
587 | they have strong suspicions about. But police states won't be able to | |
588 | build systems that automatically monitor everyone's communications. | |
589 | Either they will be able to monitor only a small subset of the | |
590 | populace (by targeting those who screwed up their passive security), | |
591 | or their monitoring activities will be detectable by those monitored | |
592 | (active attacks leave packet traces or footprints), which can then be | |
593 | addressed through the press and through political means if they become | |
594 | too widespread. | |
595 | ||
596 | FreeS/WAN does not protect very well against traffic analysis, which | |
597 | is a kind of widespread police-state style monitoring that still | |
598 | reveals significant information (who's talking to who) without | |
599 | revealing the contents of what was said. Defenses against traffic | |
600 | analysis are an open research problem. Zero Knowledge Systems is | |
601 | actively deploying a system designed to thwart it, designed by Ian | |
602 | Goldberg. The jury is out on whether it actually works; a lot more | |
603 | experience with it will be needed.</PRE> | |
604 | <P>Notes on things mentioned in that message:</P> | |
605 | <UL> | |
606 | <LI>Denker is a co-author of a<A href="intro.html#applied"> paper</A> on | |
607 | a large FreeS/WAN application.</LI> | |
608 | <LI>Information on Zero Knowledge is on their<A href="http://www.zks.net/"> | |
609 | web site</A>. Their Freedom product, designed to provide untraceable | |
610 | pseudonyms for use on the net, is no longer marketed.</LI> | |
611 | <LI>Another section of our documentation discusses ways to<A href="ipsec.html#traffic.resist"> | |
612 | resist traffic analysis</A>.</LI> | |
613 | </UL> | |
614 | <H2><A name="weak">Government promotion of weak crypto</A></H2> | |
615 | <P>Various groups, especially governments and especially the US | |
616 | government, have a long history of advocating various forms of bogus | |
617 | security.</P> | |
618 | <P>We regard bogus security as extremely dangerous. If users are | |
619 | deceived into relying on bogus security, then they may be exposed to | |
620 | large risks. They would be better off having no security and knowing | |
621 | it. At least then they would be careful about what they said.</P> | |
622 | <P><STRONG>Avoiding bogus security is a key design criterion for | |
623 | everything we do in FreeS/WAN</STRONG>. The most conspicuous example is | |
624 | our refusal to support<A href="#desnotsecure"> single DES</A>. Other | |
625 | IPsec "features" which we do not implement are discussed in our<A href="compat.html#dropped"> | |
626 | compatibility</A> document.</P> | |
627 | <H3><A name="escrow">Escrowed encryption</A></H3> | |
628 | <P>Various governments have made persistent attempts to encourage or | |
629 | mandate "escrowed encryption", also called "key recovery", or GAK for | |
630 | "government access to keys". The idea is that cryptographic keys be | |
631 | held by some third party and turned over to law enforcement or security | |
632 | agencies under some conditions.</P> | |
633 | <PRE> Mary had a little key - she kept it in escrow, | |
634 | and every thing that Mary said, | |
635 | the feds were sure to know.</PRE> | |
636 | <P>A<A href="web.html#quotes"> crypto quotes</A> page attributes this to<A | |
637 | href="http://www.scramdisk.clara.net/"> Sam Simpson</A>.</P> | |
638 | <P>There is an excellent paper available on<A href="http://www.cdt.org/crypto/risks98/"> | |
639 | Risks of Escrowed Encryption</A>, from a group of cryptographic | |
640 | luminaries which included our project leader.</P> | |
641 | <P>Like any unnecessary complication, GAK tends to weaken security of | |
642 | any design it infects. For example:</P> | |
643 | <UL> | |
644 | <LI>Matt Blaze found a fatal flaw in the US government's Clipper chip | |
645 | shortly after design information became public. See his paper "Protocol | |
646 | Failure in the Escrowed Encryption Standard" on his<A href="http://www.crypto.com/papers/"> | |
647 | papers</A> page.</LI> | |
648 | <LI>A rather<A href="http://www.pgp.com/other/advisories/adk.asp"> nasty | |
649 | bug</A> was found in the "additional decryption keys" "feature" of some | |
650 | releases of<A href="glossary.html#PGP"> PGP</A>.</LI> | |
651 | </UL> | |
652 | <P>FreeS/WAN does not support escrowed encryption, and never will.</P> | |
653 | <H3><A name="shortkeys">Limited key lengths</A></H3> | |
654 | <P>Various governments, and some vendors, have also made persistent | |
655 | attempts to convince people that:</P> | |
656 | <UL> | |
657 | <LI>weak systems are sufficient for some data</LI> | |
658 | <LI>strong cryptography should be reserved for cases where the extra | |
659 | overheads are justified</LI> | |
660 | </UL> | |
661 | <P><STRONG>This is utter nonsense</STRONG>.</P> | |
662 | <P>Weak systems touted include:</P> | |
663 | <UL> | |
664 | <LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that | |
665 | until recently were all various<A href="#exlaw"> export laws</A> | |
666 | allowed</LI> | |
667 | <LI>56-bit single DES, discussed<A href="#desnotsecure"> below</A></LI> | |
668 | <LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for | |
669 | unrestricted export under various current laws</LI> | |
670 | </UL> | |
671 | <P>The notion that choice of ciphers or keysize should be determined by | |
672 | a trade-off between security requirements and overheads is pure | |
673 | bafflegab.</P> | |
674 | <UL> | |
675 | <LI>For most<A href="glossary.html#symmetric"> symmetric ciphers</A>, it | |
676 | is simply a lie. Any block cipher has some natural maximum keysize | |
677 | inherent in the design -- 128 bits for<A href="glossary.html#IDEA"> | |
678 | IDEA</A> or<A href="glossary.html#CAST128"> CAST-128</A>, 256 for | |
679 | Serpent or Twofish, 448 for<A href="glossary.html#Blowfish"> Blowfish</A> | |
680 | and 2048 for<A href="glossary.html#RC4"> RC4</A>. Using a key size | |
681 | smaller than that limit gives<EM> exactly zero</EM> savings in | |
682 | overhead. The crippled 40-bit or 64-bit version of the cipher provides<EM> | |
683 | no advantage whatsoever</EM>.</LI> | |
684 | <LI><A href="glossary.html#AES">AES</A> uses 10 rounds with 128-bit | |
685 | keys, 12 rounds for 192-bit and 14 rounds for 256-bit, so there | |
686 | actually is a small difference in overhead, but not enough to matter in | |
687 | most applications.</LI> | |
688 | <LI>For<A href="glossary.html#3DES"> triple DES</A> there is a grain of | |
689 | truth in the argument. 3DES is indeed three times slower than single | |
690 | DES. However, the solution is not to use the insecure single DES, but | |
691 | to pick a faster secure cipher.<A href="glossary.html#CAST128"> | |
692 | CAST-128</A>,<A href="glossary.html#Blowfish"> Blowfish</A> and the<A href="glossary.html#AES"> | |
693 | AES candidate</A> ciphers are all considerably faster in software | |
694 | than DES (let alone 3DES!), and apparently secure.</LI> | |
695 | <LI>For<A href="glossary.html#public"> public key</A> techniques, there | |
696 | are extra overheads for larger keys, but they generally do not affect | |
697 | overall performance significantly. Practical public key applications | |
698 | are usually<A href="glossary.html#hybrid"> hybrid</A> systems in which | |
699 | the bulk of the work is done by a symmetric cipher. The effect of | |
700 | increasing the cost of the public key operations is typically | |
701 | negligible because the public key operations use only a tiny fraction | |
702 | of total resources. | |
703 | <P>For example, suppose public key operations use 1% of the time in | |
704 | a hybrid system and you triple the cost of public key operations. The | |
705 | cost of symmetric cipher operations is unchanged at 99% of the original | |
706 | total cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3 | |
707 | = 102, a 2% rise in system cost.</P> | |
708 | </LI> | |
709 | </UL> | |
710 | <P>In short,<STRONG> there has never been any technical reason to use | |
711 | inadequate ciphers</STRONG>. The only reason there has ever been for | |
712 | anyone to use such ciphers is that government agencies want weak | |
713 | ciphers used so that they can crack them. The alleged savings are | |
714 | simply propaganda.</P> | |
715 | <PRE> Mary had a little key (It's all she could export), | |
716 | and all the email that she sent was opened at the Fort.</PRE> | |
717 | <P>A<A href="web.html#quotes"> crypto quotes</A> page attributes this to<A | |
718 | href="http://theory.lcs.mit.edu:80/~rivest/"> Ron Rivest</A>. NSA | |
719 | headquarters is at Fort Meade, Maryland.</P> | |
720 | <P>Our policy in FreeS/WAN is to use only cryptographic components with | |
721 | adequate keylength and no known weaknesses.</P> | |
722 | <UL> | |
723 | <LI>We do not implement single DES because it is clearly<A href="#desnotsecure"> | |
724 | insecure</A>, so implementing it would violate our policy of avoiding | |
725 | bogus security. Our default cipher is<A href="glossary.html#3DES"> 3DES</A>. | |
726 | </LI> | |
727 | <LI>Similarly, we do not implement the 768-bit Group 1 for<A href="glossary.html#DH"> | |
728 | Diffie-Hellman</A> key negotiation. We provide only the 1024-bit Group | |
729 | 2 and 1536-bit Group 5.</LI> | |
730 | </UL> | |
731 | <P>Detailed discussion of which IPsec features we implement or omit is | |
732 | in our<A href="compat.html"> compatibility document</A>.</P> | |
733 | <P>These decisions imply that we cannot fully conform to the IPsec RFCs, | |
734 | since those have DES as the only required cipher and Group 1 as the | |
735 | only required DH group. (In our view, the standards were subverted into | |
736 | offering bogus security.) Fortunately, we can still interoperate with | |
737 | most other IPsec implementations since nearly all implementers provide | |
738 | at least 3DES and Group 2 as well.</P> | |
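The negotiation consequence of this policy, as an added example that is not FreeS/WAN's own code (Pluto's real IKE proposal handling is more involved): a responder that applies the rules above to whatever a peer offers, accepting 3DES with Group 2 or 5 and failing outright rather than falling back to DES or Group 1. The Proposal structure, cipher names and sample offers are constructed for illustration; the group-to-modulus-size mapping is the real IKE one.

```python
"""IKE proposal selection under the FreeS/WAN keylength policy.

Added example, not FreeS/WAN's own code. The Proposal type, the cipher
names and the sample offers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# IKE Diffie-Hellman MODP groups, group number -> modulus size in bits
# (groups 1 and 2 from RFC 2409, group 5 from RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Policy from the text: single DES is never implemented, the 768-bit
# Group 1 is not offered, 3DES is the default, Groups 2 and 5 are offered.
FORBIDDEN_CIPHERS = {"des"}      # clearly insecure: bogus security
MIN_SYMMETRIC_KEY_BITS = 112     # 3DES effective strength is the floor
MIN_DH_MODULUS_BITS = 1024       # Group 2 is the smallest acceptable group


@dataclass(frozen=True)
class Proposal:
    """One transform a peer offers: cipher name, key length, DH group."""
    cipher: str
    key_bits: int
    dh_group: int


def reject_reason(p: Proposal) -> Optional[str]:
    """Return why a proposal violates the policy, or None if it is acceptable."""
    if p.cipher.lower() in FORBIDDEN_CIPHERS:
        return f"{p.cipher} is not implemented (bogus security)"
    if p.key_bits < MIN_SYMMETRIC_KEY_BITS:
        # Also catches the crippled 40-bit and 64-bit "export" variants.
        return f"{p.key_bits}-bit key is below the {MIN_SYMMETRIC_KEY_BITS}-bit floor"
    bits = DH_GROUP_BITS.get(p.dh_group)
    if bits is None:
        return f"DH group {p.dh_group} is unknown"
    if bits < MIN_DH_MODULUS_BITS:
        return f"DH group {p.dh_group} ({bits}-bit) is not implemented"
    return None


def select_proposal(offered: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder-side choice: the first offered proposal the policy accepts.

    Returns None when nothing acceptable was offered. Negotiation then fails
    instead of silently dropping to DES or Group 1: no security, and knowing
    it, beats bogus security.
    """
    for p in offered:
        if reject_reason(p) is None:
            return p
    return None


# Constructed sample offers. The first mimics a peer that leads with the
# RFC-mandatory DES + Group 1 but also offers 3DES + Group 2, which is why
# FreeS/WAN still interoperates with nearly everyone.
RFC_MINIMUM_PLUS_3DES = [Proposal("des", 56, 1), Proposal("3des", 168, 2)]
# A peer offering only what the RFCs require: no acceptable proposal.
RFC_MINIMUM_ONLY = [Proposal("des", 56, 1)]
# A peer offering a crippled 40-bit CAST-128 key before a strong transform.
EXPORT_THEN_STRONG = [Proposal("cast128", 40, 2), Proposal("3des", 168, 5)]

if __name__ == "__main__":
    for name, offer in [("rfc-min+3des", RFC_MINIMUM_PLUS_3DES),
                        ("rfc-min-only", RFC_MINIMUM_ONLY),
                        ("export-then-strong", EXPORT_THEN_STRONG)]:
        rejected = [(p.cipher, reject_reason(p)) for p in offer if reject_reason(p)]
        print(f"{name}: chosen={select_proposal(offer)} rejected={rejected}")
```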
739 | <P>We hope that eventually the RFCs will catch up with our (and others') | |
740 | current practice and reject dubious components. Some of our team and a | |
741 | number of others are working on this in<A href="glossary.html#IETF"> | |
742 | IETF</A> working groups.</P> | |
743 | <H4>Some real trade-offs</H4> | |
744 | <P>Of course, making systems secure does involve costs, and trade-offs | |
745 | can be made between cost and security. However, the real trade-offs | |
746 | have nothing to do with using weaker ciphers.</P> | |
747 | <P>There can be substantial hardware and software costs. There are often | |
748 | substantial training costs, both to train administrators and to | |
749 | increase user awareness of security issues and procedures. There are | |
750 | almost always substantial staff or contracting costs.</P> | |
751 | <P>Security takes staff time for planning, implementation, testing and | |
752 | auditing. Some of the issues are subtle; you need good (hence often | |
753 | expensive) people for this. You also need people to monitor your | |
754 | systems and respond to problems. The best safe ever built is insecure | |
755 | if an attacker can work on it for days without anyone noticing. Any | |
756 | computer is insecure if the administrator is "too busy" to check the | |
757 | logs.</P> | |
758 | <P>Moreover, someone in your organisation (or on contract to it) needs | |
759 | to spend considerable time keeping up with new developments. EvilDoers<EM> | |
760 | will</EM> know about new attacks shortly after they are found. You need | |
761 | to know about them before your systems are attacked. If your vendor | |
762 | provides a patch, you need to apply it. If the vendor does nothing, you | |
763 | need to complain or start looking for another vendor.</P> | |
764 | <P>For a fairly awful example, see this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm"> | |
765 | report</A>. In that case over a million credit card numbers were taken | |
766 | from e-commerce sites, using security flaws in Windows NT servers. | |
767 | Microsoft had long since released patches for most or all of the flaws, | |
768 | but the site administrators had not applied them.</P> | |
769 | <P>At an absolute minimum, you must do something about such issues<EM> | |
770 | before</EM> an exploitation tool is posted to the net for downloading | |
771 | by dozens of "script kiddies". Such a tool might appear at any time | |
772 | from the announcement of the security hole to several months later. | |
773 | Once it appears, anyone with a browser and an attitude can break any | |
774 | system whose administrators have done nothing about the flaw.</P> | |
775 | <P>Compared to those costs, cipher overheads are an insignificant factor | |
776 | in the cost of security.</P> | |
777 | <P>The only thing using a weak cipher can do for you is to cause all | |
778 | your other investment to be wasted.</P> | |
779 | <H2><A name="exlaw">Cryptography Export Laws</A></H2> | |
780 | <P>Many nations restrict the export of cryptography and some restrict | |
781 | its use by their citizens or others within their borders.</P> | |
782 | <H3><A name="USlaw">US Law</A></H3> | |
783 | <P>US laws, as currently interpreted by the US government, forbid export | |
784 | of most cryptographic software from the US in machine-readable form | |
785 | without government permission. In general, the restrictions apply even | |
786 | if the software is widely-disseminated or public-domain and even if it | |
787 | came from outside the US originally. Cryptography is legally a munition | |
788 | and export is tightly controlled under the<A href="glossary.html#EAR"> | |
789 | EAR</A> Export Administration Regulations.</P> | |
790 | <P>If you are a US citizen, your brain is considered US territory no | |
791 | matter where it is physically located at the moment. The US believes | |
792 | that its laws apply to its citizens everywhere, not just within the US. | |
793 | Providing technical assistance or advice to foreign "munitions" | |
794 | projects is illegal. The US government has very little sense of humor | |
795 | about this issue and does not consider good intentions to be sufficient | |
796 | excuse. Beware.</P> | |
797 | <P>The<A href="http://www.bxa.doc.gov/Encryption/"> official website</A> | |
798 | for these regulations is run by the Commerce Department's Bureau of | |
799 | Export Administration (BXA).</P> | |
800 | <P>The<A href="http://www.eff.org/bernstein/"> Bernstein case</A> | |
801 | challenges the export restrictions on Constitutional grounds. Code is | |
802 | speech so restrictions on export of code violate the First Amendment's | |
803 | free speech provisions. This argument has succeeded in two levels of | |
804 | court so far. It is quite likely to go on to the Supreme Court.</P> | |
805 | <P>The regulations were changed substantially in January 2000, | |
806 | apparently as a government attempt to get off the hook in the Bernstein | |
807 | case. It is now legal to export public domain source code for | |
808 | encryption, provided you notify the<A href="glossary.html#BXA"> BXA</A>.</P> | |
810 | <P>There are, however, still restrictions in force. Moreover, the | |
811 | regulations can still be changed again whenever the government chooses | |
812 | to do so. Short of a Supreme Court ruling (in the Bernstein case or | |
813 | another) that overturns the regulations completely, the problem of | |
814 | export regulation is not likely to go away in the foreseeable future.</P> | |
815 | <H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4> | |
816 | <P>The FreeS/WAN project<STRONG> cannot accept software contributions,<EM> | |
817 | not even small bug fixes</EM>, from US citizens or residents</STRONG>. | |
818 | We want it to be absolutely clear that our distribution is not subject | |
819 | to US export law. Any contribution from an American might open that | |
820 | question to a debate we'd prefer to avoid. It might also put the | |
821 | contributor at serious legal risk.</P> | |
822 | <P>Of course Americans can still make valuable contributions (many | |
823 | already have) by reporting bugs, or otherwise contributing to | |
824 | discussions, on the project<A href="mail.html"> mailing list</A>. Since | |
825 | the list is public, this is clearly constitutionally protected free | |
826 | speech.</P> | |
827 | <P>Note, however, that the export laws restrict Americans from providing | |
828 | technical assistance to foreign "munitions" projects. The government | |
829 | might claim that private discussions or correspondence with FreeS/WAN | |
830 | developers were covered by this. It is not clear what the courts would | |
831 | do with such a claim, so we strongly encourage Americans to use the | |
832 | list rather than risk the complications.</P> | |
833 | <H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3> | |
834 | <P>Some quotes from prominent cryptography experts:</P> | |
835 | <BLOCKQUOTE> The real aim of current policy is to ensure the continued | |
836 | effectiveness of US information warfare assets against individuals, | |
837 | businesses and governments in Europe and elsewhere. | |
838 | <BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson, | |
839 | Cambridge University</A></BLOCKQUOTE><BLOCKQUOTE> If the government | |
840 | were honest about its motives, then the debate about crypto export | |
841 | policy would have ended years ago. | |
842 | <BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane | |
843 | Systems</A></BLOCKQUOTE><BLOCKQUOTE> The NSA regularly lies to people | |
844 | who ask it for advice on export control. They have no reason not to; | |
845 | accomplishing their goal by any legal means is fine by them. Lying by | |
846 | government employees is legal. | |
847 | <BR> John Gilmore.</BLOCKQUOTE> | |
848 | <P>The Internet Architecture Board (IAB) and the Internet Engineering | |
849 | Steering Group (IESG) made a<A href="iab-iesg.stmt"> strong statement</A> | |
850 | in favour of worldwide access to strong cryptography. Essentially the | |
851 | same statement is in the appropriately numbered<A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt"> | |
852 | RFC 1984</A>. Two critical paragraphs are:</P> | |
853 | <BLOCKQUOTE> ... various governments have actual or proposed policies on | |
854 | access to cryptographic technology ... | |
855 | <P>(a) ... export controls ... | |
856 | <BR> (b) ... short cryptographic keys ... | |
857 | <BR> (c) ... keys should be in the hands of the government or ... | |
858 | <BR> (d) prohibit the use of cryptology ...</P> | |
859 | <P>We believe that such policies are against the interests of consumers | |
860 | and the business community, are largely irrelevant to issues of | |
861 | military security, and provide only a marginal or illusory benefit to | |
862 | law enforcement agencies, ...</P> | |
863 | <P>The IAB and IESG would like to encourage policies that allow ready | |
864 | access to uniform strong cryptographic technology for all Internet | |
865 | users in all countries.</P> | |
866 | </BLOCKQUOTE> | |
867 | <P>Our goal in the FreeS/WAN project is to build just such "strong | |
868 | cryptographic technology" and to distribute it "for all Internet users | |
869 | in all countries".</P> | |
870 | <P>More recently, the same two bodies (IESG and IAB) have issued<A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt"> | |
871 | RFC 2804</A> on why the IETF should not build wiretapping capabilities | |
872 | into protocols for the convenience of security or law enforcement | |
873 | agencies. The abstract from that document is:</P> | |
874 | <BLOCKQUOTE> The Internet Engineering Task Force (IETF) has been asked | |
875 | to take a position on the inclusion into IETF standards-track documents | |
876 | of functionality designed to facilitate wiretapping. | |
877 | <P>This memo explains what the IETF thinks the question means, why its | |
878 | answer is "no", and what that answer means.</P> | |
879 | </BLOCKQUOTE><P>A quote from the debate leading up to that RFC:</P><BLOCKQUOTE> | |
880 | We should not be building surveillance technology into standards. Law | |
881 | enforcement was not supposed to be easy. Where it is easy, it's called | |
882 | a police state. | |
883 | <BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap | |
884 | capability on the net, as quoted by<A href="http://www.wired.com/news/politics/0,1283,31895,00.html"> | |
885 | Wired</A>.</BLOCKQUOTE> | |
886 | <P>The<A href="http://www.ietf.org/mailman/listinfo/raven"> Raven</A> | |
887 | mailing list was set up for this IETF discussion.</P> | |
888 | <P>Our goal is to go beyond that RFC and prevent Internet wiretapping | |
889 | entirely.</P> | |
890 | <H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3> | |
891 | <P>Restrictions on the export of cryptography are not just US policy, | |
892 | though some consider the US at least partly to blame for the policies | |
893 | of other nations in this area.</P> | |
894 | <P>A number of countries:</P> | |
895 | <P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech | |
896 | Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, | |
897 | Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, | |
898 | Portugal, Republic of Korea, Romania, Russian Federation, Slovak | |
899 | Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom | |
900 | and United States</P> | |
901 | <P>have signed the Wassenaar Arrangement which restricts export of | |
902 | munitions and other tools of war. Cryptographic software is covered | |
903 | there.</P> | |
904 | <P>Wassenaar details are available from the<A href="http://www.wassenaar.org/"> | |
905 | Wassenaar Secretariat</A>, and elsewhere in a more readable<A href="http://www.fitug.de/news/wa/index.html"> | |
906 | HTML version</A>.</P> | |
907 | <P>For a critique see the<A href="http://www.gilc.org/crypto/wassenaar"> | |
908 | GILC site</A>:</P> | |
909 | <BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a | |
910 | campaign calling for the removal of cryptography controls from the | |
911 | Wassenaar Arrangement. | |
912 | <P>The aim of the Wassenaar Arrangement is to prevent the build up of | |
913 | military capabilities that threaten regional and international security | |
914 | and stability . . .</P> | |
915 | <P>There is no sound basis within the Wassenaar Arrangement for the | |
916 | continuation of any export controls on cryptographic products.</P> | |
917 | </BLOCKQUOTE> | |
918 | <P>We agree entirely.</P> | |
919 | <P>An interesting analysis of Wassenaar can be found on the<A href="http://www.cyber-rights.org/crypto/wassenaar.htm"> | |
920 | cyber-rights.org</A> site.</P> | |
<H3><A name="status">Export status of Linux FreeS/WAN</A></H3>
<P>We believe our software is entirely exempt from these controls since
the Wassenaar<A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">
General Software Note</A> says:</P>
<BLOCKQUOTE> The Lists do not control "software" which is either:
<OL>
<LI>Generally available to the public by . . . retail . . . or</LI>
<LI>"In the public domain".</LI>
</OL>
</BLOCKQUOTE>
<P>There is a note restricting some of this, but it is a sub-heading
under point 1, so it appears not to apply to public domain software.</P>
<P>Their glossary defines "In the public domain" as:</P>
<BLOCKQUOTE> . . . "technology" or "software" which has been made
available without restrictions upon its further dissemination.
<P>N.B. Copyright restrictions do not remove "technology" or "software"
from being "in the public domain".</P>
</BLOCKQUOTE>
<P>We therefore believe that software freely distributed under the<A href="glossary.html#GPL">
GNU Public License</A>, such as Linux FreeS/WAN, is exempt from
Wassenaar restrictions.</P>
<P>Most of the development work is being done in Canada. Our
understanding is that the Canadian government accepts this
interpretation.</P>
<UL>
<LI>A web statement of<A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm">
Canadian policy</A> is available from the Department of Foreign Affairs
and International Trade.</LI>
<LI>Another document from that department states that<A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">
public domain software</A> is exempt from the export controls.</LI>
<LI>A researcher's<A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">
analysis</A> of Canadian policy is also available.</LI>
</UL>
<P>Recent copies of the freely modifiable and distributable source code
exist in many countries. Citizens all over the world participate in its
use and evolution, and guard its ongoing distribution. Even if Canadian
policy were to change, the software would continue to evolve in
countries which do not restrict exports, and would continue to be
imported from there into unfree countries. "The Net culture treats
censorship as damage, and routes around it."</P>
<H3><A name="help">Help spread IPsec around</A></H3>
<P>You can help. If you don't know of a Linux FreeS/WAN archive in your
own country, please download it now to your personal machine, and
consider making it publicly accessible if that doesn't violate your own
laws. If you have the resources, consider going one step further and
setting up a mirror site for the whole<A href="intro.html#munitions">
munitions</A> Linux crypto software archive.</P>
<P>If you make Linux CD-ROMs, please consider including this code, in a
way that violates no laws (in a free country, or in a domestic-only CD
product).</P>
<P>Please send a note about any new archive mirror sites or CD
distributions to linux-ipsec@clinet.fi so we can update the
documentation.</P>
<P>Lists of current<A href="intro.html#sites"> mirror sites</A> and of<A href="intro.html#distwith">
distributions</A> which include FreeS/WAN are in our introduction
section.</P>
<H2><A name="desnotsecure">DES is Not Secure</A></H2>
<P>DES, the<STRONG> D</STRONG>ata<STRONG> E</STRONG>ncryption<STRONG> S</STRONG>tandard,
can no longer be considered secure. While no major flaws in its
innards are known, it is fundamentally inadequate because its<STRONG>
56-bit key is too short</STRONG>. It is vulnerable to<A href="glossary.html#brute">
brute-force search</A> of the whole key space, either by large
collections of general-purpose machines or even more quickly by
specialized hardware. Of course this also applies to<STRONG> any other
cipher with only a 56-bit key</STRONG>. The only reason anyone could
have for using a 56 or 64-bit key is to comply with various<A href="exportlaw.html">
export laws</A> intended to ensure the use of breakable ciphers.</P>
<P>Non-government cryptologists have been saying DES's 56-bit key was
too short for some time -- some of them were saying it in the 70's when
DES became a standard -- but the US government has consistently
ridiculed such suggestions.</P>
<P>A group of well-known cryptographers looked at key lengths in a<A href="http://www.counterpane.com/keylength.html">
1996 paper</A>. They suggested a<EM> minimum</EM> of 75 bits to
consider an existing cipher secure and a<EM> minimum of 90 bits for new
ciphers</EM>. More recent papers, covering both<A href="glossary.html#symmetric">
symmetric</A> and<A href="glossary.html#public"> public key</A> systems,
are at<A href="http://www.cryptosavvy.com/"> cryptosavvy.com</A> and<A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">
rsa.com</A>. For all algorithms, the minimum key lengths recommended in
such papers are significantly longer than the maximums allowed by
various export laws.</P>
<P>In a<A href="http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-09/0095.html">
1998 ruling</A>, a German court described DES as "out-of-date and not
safe enough" and held a bank liable for using it.</P>
<H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3>
<P>The question of DES security has now been settled once and for all.
In early 1998, the<A href="http://www.eff.org/"> Electronic Frontier
Foundation</A> built a<A href="http://www.eff.org/descracker.html">
DES-cracking machine</A>. It can find a DES key in an average of a few
days' search. The details of all this, including complete code listings
and complete plans for the machine, have been published in<A href="biblio.html#EFF">
<CITE> Cracking DES</CITE></A>, by the Electronic Frontier Foundation.</P>
<P>That machine cost just over $200,000 to design and build. "Moore's
Law" is that machines get faster (or cheaper, for the same speed) by
roughly a factor of two every 18 months. At that rate, their $200,000
in 1998 becomes $50,000 in 2001.</P>
<P>However, Moore's Law is not exact and the $50,000 estimate does not
allow for the fact that a copy based on the published EFF design would
cost far less than the original. We cannot say exactly what such a
cracker would cost today, but it would likely be somewhere between
$10,000 and $100,000.</P>
<P>A large corporation could build one of these out of petty cash. The
cost is low enough for a senior manager to hide it in a departmental
budget and avoid having to announce or justify the project. Any
government agency, from a major municipal police force up, could afford
one. Or any other group with a respectable budget -- criminal
organisations, political groups, labour unions, religious groups, ...
Or any millionaire with an obsession or a grudge, or just strange taste
in toys.</P>
<P>One might wonder if a private security or detective agency would have
one for rent. They wouldn't need many clients to pay off that
investment.</P>
<H3><A name="spooks">Spooks may break DES faster yet</A></H3>
<P>As for the security and intelligence agencies of various nations,
they may have had DES crackers for years, and theirs may be much
faster. It is difficult to make most computer applications work well on
parallel machines, or to design specialised hardware to accelerate
them. Cipher-cracking is one of the very few exceptions. It is entirely
straightforward to speed up cracking by just adding hardware. Within
very broad limits, you can make it as fast as you like if you have the
budget. The EFF's $200,000 machine breaks DES in a few days. An<A href="http://www.planepage.com/">
aviation website</A> gives the cost of a B1 bomber as $200,000,000.
Spending that much, an intelligence agency could break DES in an
average time of<EM> six and a half minutes</EM>.</P>
<P>That estimate assumes they use the EFF's 1998 technology and just
spend more money. They may have an attack that is superior to brute
force, they quite likely have better chip technology (Moore's law, a
bigger budget, and whatever secret advances they may have made) and of
course they may have spent the price of an aircraft carrier, not just
one aircraft.</P>
<P>In short, we have<EM> no idea</EM> how quickly these organisations
can break DES. Unless they're spectacularly incompetent or horribly
underfunded, they can certainly break it, but we cannot guess how
quickly. Pick any time unit between days and milliseconds; none is
entirely unbelievable. More to the point, none of them is of any
comfort if you don't want such organisations reading your
communications.</P>
<P>Note that this may be a concern even if nothing you do is a threat to
anyone's national security. An intelligence agency might well consider
it to be in their national interest for certain companies to do well.
If you're competing against such companies in a world market and that
agency can read your secrets, you have a serious problem.</P>
<P>One might wonder about technology the former Soviet Union and its
allies developed for cracking DES during the Cold War. They must have
tried; the cipher was an American standard and widely used. Certainly
those countries have some fine mathematicians, and those agencies had
budget. How well did they succeed? Is their technology now for sale or
rent?</P>
<H3><A name="desnet">Networks break DES in a few weeks</A></H3>
<P>Before the definitive EFF effort, DES had been cracked several times
by people using many machines. See this<A href="http://www.distributed.net/pressroom/DESII-1-PR.html">
press release</A> for example.</P>
<P>A major corporation, university, or government department could break
DES by using spare cycles on their existing collection of computers, by
dedicating a group of otherwise surplus machines to the problem, or by
combining the two approaches. It might take them weeks or months,
rather than the days required for the EFF machine, but they could do
it.</P>
<P>What about someone working alone, without the resources of a large
organisation? For them, cracking DES will not be easy, but it may be
possible. A few thousand dollars buys a lot of surplus workstations. A
pile of such machines will certainly heat your garage nicely and might
break DES in a few months or years. Or enroll at a university and use
their machines. Or use an employer's machines. Or crack security
somewhere and steal the resources to crack a DES key. Or write a virus
that steals small amounts of resources on many machines. Or . . .</P>
<P>None of these approaches is easy or breaks DES really quickly, but an
attacker only needs to find one that is feasible and breaks DES quickly
enough to be dangerous. How much would you care to bet that this will
be impossible if the attacker is clever and determined? How valuable is
your data? Are you authorised to risk it on a dubious bet?</P>
<H3><A name="no_des">We disable DES</A></H3>
<P>In short, it is now absolutely clear that<STRONG> DES is not secure</STRONG>
against</P>
<UL>
<LI>any<STRONG> well-funded opponent</STRONG></LI>
<LI>any opponent (even a penniless one) with access (even stolen access)
to<STRONG> enough general purpose computers</STRONG></LI>
</UL>
<P>That is why<STRONG> Linux FreeS/WAN disables all transforms which use
plain DES</STRONG> for encryption.</P>
<P>DES is in the source code, because we need DES to implement our
default encryption transform,<A href="glossary.html#3DES"> Triple DES</A>.<STRONG>
We urge you not to use single DES</STRONG>. We do not provide
any easy way to enable it in FreeS/WAN, and our policy is to provide no
assistance to anyone wanting to do so.</P>
<H3><A name="40joke">40-bits is laughably weak</A></H3>
<P>The same is true, in spades, of ciphers -- DES or others -- crippled
by 40-bit keys, as many ciphers were required to be until recently
under various<A href="#exlaw"> export laws</A>. A brute force search of
such a cipher's keyspace is 2<SUP>16</SUP> times faster than a similar
search against DES. The EFF's machine can do a brute-force search of a
40-bit key space in<EM> seconds</EM>. One contest to crack a 40-bit
cipher was won by a student<A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1">
using a few hundred idle machines at his university</A>. It took only
three and a half hours.</P>
<P>We do not, and will not, implement any 40-bit cipher.</P>
<H3><A name="altdes">Triple DES is almost certainly secure</A></H3>
<P><A href="glossary.html#3DES">Triple DES</A>, usually abbreviated
3DES, applies DES three times, with three different keys. DES seems to
be basically an excellent cipher design; it has withstood several
decades of intensive analysis without any disastrous flaws being found.
Its only major flaw is that the small keyspace allows brute force
attacks to succeed. Triple DES enlarges the key space to 168 bits,
making brute-force search a ridiculous impossibility.</P>
<P>3DES is currently the only block cipher implemented in FreeS/WAN.
3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs
still do it at quite respectable speeds. Some<A href="glossary.html#benchmarks">
speed measurements</A> for our code are available.</P>
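<P>The key-length arguments in the sections above (the EFF machine, the B1-bomber scaling, the Moore's Law cost projection, the 2<SUP>16</SUP> speedup against 40-bit keys, the distributed-network attack, and the 168-bit Triple DES key space) all rest on the same brute-force arithmetic: an attacker tries on average half the key space, and key search parallelises perfectly, so the search rate scales linearly with budget. The following script is an added example, not FreeS/WAN code, that carries that arithmetic through and reproduces the page's own figures. Dollar amounts and key sizes are the page's; the 4.5-day average for the EFF machine is an assumption consistent with its "a few days" that reproduces the 6.5-minute figure; the per-workstation rate in the distributed scenario is a constructed assumption, since the page gives none. It goes beyond the text by applying the same estimate to a 168-bit key.</P>

```python
"""Brute-force key-search arithmetic behind the DES discussion above.

Added example, not FreeS/WAN code. Values marked "page" come from the
text; the 4.5-day EFF average and the 1e6 keys/s per workstation are
assumptions, labelled where they appear.
"""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

EFF_COST_USD = 200_000          # page: "just over $200,000" (1998)
EFF_AVG_DAYS = 4.5              # assumption: average search time in days
B1_BOMBER_USD = 200_000_000     # page: cost of a B1 bomber
DES_KEY_BITS = 56               # page
TRIPLE_DES_KEY_BITS = 168       # page
CRIPPLED_KEY_BITS = 40          # page: export-crippled ciphers


def search_rate(key_bits, avg_seconds):
    """Keys tried per second implied by an average search time.

    A brute-force search tries, on average, half the key space
    (2**(key_bits-1) keys) before it hits the right key.
    """
    return 2 ** (key_bits - 1) / avg_seconds


def avg_search_seconds(key_bits, rate):
    """Average time to find one key when trying `rate` keys per second."""
    return 2 ** (key_bits - 1) / rate


def rate_for_budget(base_rate, base_cost, budget):
    """Key search parallelises perfectly: N copies of a machine give
    N times the rate, so the rate scales linearly with the budget."""
    return base_rate * (budget / base_cost)


def moores_law_cost(cost, years, doubling_months=18):
    """Cost of the same speed after `years`, halving every 18 months."""
    return cost / 2 ** (years * 12 / doubling_months)


def speedup_for_shorter_key(long_bits, short_bits):
    """Factor by which a shorter key is easier to search exhaustively."""
    return 2 ** (long_bits - short_bits)


def distributed_search_days(key_bits, machines, keys_per_sec_each):
    """Average days for a pool of general-purpose machines working in parallel."""
    return avg_search_seconds(key_bits, machines * keys_per_sec_each) / SECONDS_PER_DAY


def estimates():
    """Reproduce the page's figures and extend them to 40- and 168-bit keys."""
    eff_rate = search_rate(DES_KEY_BITS, EFF_AVG_DAYS * SECONDS_PER_DAY)
    b1_rate = rate_for_budget(eff_rate, EFF_COST_USD, B1_BOMBER_USD)
    return {
        # page: $200,000 in 1998 becomes $50,000 in 2001
        "eff_cost_2001_usd": moores_law_cost(EFF_COST_USD, 3),
        # page: the price of one B1 buys an average DES search of 6.5 minutes
        "b1_des_minutes": avg_search_seconds(DES_KEY_BITS, b1_rate) / 60,
        # page: a 40-bit search is 2**16 times faster than a DES search
        "des_vs_40bit_speedup": speedup_for_shorter_key(DES_KEY_BITS, CRIPPLED_KEY_BITS),
        # page: the EFF machine searches a 40-bit key space in seconds
        "eff_40bit_seconds": avg_search_seconds(CRIPPLED_KEY_BITS, eff_rate),
        # page: 168 bits make brute force a "ridiculous impossibility",
        # even at the B1-bomber budget
        "b1_3des_years": avg_search_seconds(TRIPLE_DES_KEY_BITS, b1_rate) / SECONDS_PER_YEAR,
        # constructed scenario: 1000 surplus workstations at an assumed
        # 1e6 DES keys/s each (the page gives no per-machine rate)
        "pool_des_days": distributed_search_days(DES_KEY_BITS, 1000, 1e6),
    }


if __name__ == "__main__":
    for name, value in estimates().items():
        print(f"{name:>22}: {value:,.6g}")
```

<P>The point the numbers make is the one the text makes: every figure for a 56-bit key lands between "days" and "minutes" depending only on budget, a 40-bit key collapses to seconds on the same hardware, and a 168-bit key space is out of reach by a factor of roughly 2<SUP>112</SUP> whatever the budget. Changing the assumed rates moves the DES figures by a constant factor but never out of the dangerous range.</P>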
<H3><A name="aes.ipsec">AES in IPsec</A></H3>
<P>The<A href="glossary.html#AES"> AES</A> project has chosen a
replacement for DES, a new standard cipher for use in non-classified US
government work and in regulated industries such as banking. This
cipher will almost certainly become widely used for many applications,
including IPsec.</P>
<P>The winner, announced in October 2000 after several years of analysis
and discussion, was the<A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">
Rijndael</A> cipher from two Belgian designers.</P>
<P>It is almost certain that FreeS/WAN will add AES support.<A href="web.html#patch">
AES patches</A> are already available.</P>
<H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2>
<H3><A NAME="26_6_1">FreeS/WAN 1.0 press</A></H3>
<UL>
<LI><A href="http://www.wired.com/news/news/technology/story/19136.html">
Wired</A> "Linux-Based Crypto Stops Snoops", James Glave April 15 1999</LI>
<LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml">
Slashdot</A></LI>
<LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar
Group Limited; looking at FreeS/WAN from a perspective of business
computing</LI>
<LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI>
<LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>,
Tasty Bits from the Technology Front</LI>
<LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">
Salon Magazine</A> "Free Encryption Takes a Big Step"</LI>
</UL>
<H3><A name="release">Press release for version 1.0</A></H3>
<PRE> Strong Internet Privacy Software Free for Linux Users Worldwide

Toronto, ON, April 14, 1999 -

The Linux FreeS/WAN project today released free software to protect
the privacy of Internet communications using strong encryption codes.
FreeS/WAN automatically encrypts data as it crosses the Internet, to
prevent unauthorized people from receiving or modifying it. One
ordinary PC per site runs this free software under Linux to become a
secure gateway in a Virtual Private Network, without having to modify
users' operating systems or application software. The project built
and released the software outside the United States, avoiding US
government regulations which prohibit good privacy protection.
FreeS/WAN version 1.0 is available immediately for downloading at
http://www.xs4all.nl/~freeswan/.

"Today's FreeS/WAN release allows network administrators to build
excellent secure gateways out of old PCs at no cost, or using a cheap
new PC," said John Gilmore, the entrepreneur who instigated the
project in 1996. "They can build operational experience with strong
network encryption and protect their users' most important
communications worldwide."

"The software was written outside the United States, and we do not
accept contributions from US citizens or residents, so that it can be
freely published for use in every country," said Henry Spencer, who
built the release in Toronto, Canada. "Similar products based in the
US require hard-to-get government export licenses before they can be
provided to non-US users, and can never be simply published on a Web
site. Our product is freely available worldwide for immediate
downloading, at no cost."

FreeS/WAN provides privacy against both quiet eavesdropping (such as
"packet sniffing") and active attempts to compromise communications
(such as impersonating participating computers). Secure "tunnels" carry
information safely across the Internet between locations such as a
company's main office, distant sales offices, and roaming laptops. This
protects the privacy and integrity of all information sent among those
locations, including sensitive intra-company email, financial transactions
such as mergers and acquisitions, business negotiations, personal medical
records, privileged correspondence with lawyers, and information about
crimes or civil rights violations. The software will be particularly
useful to frequent wiretapping targets such as private companies competing
with government-owned companies, civil rights groups and lawyers,
opposition political parties, and dissidents.

FreeS/WAN provides privacy for Internet packets using the proposed
standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN
negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern
$500 PC can set up a tunnel in less than a second, and can encrypt
6 megabits of packets per second, easily handling the whole available
bandwidth at the vast majority of Internet sites. In preliminary testing,
FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code,
its innards are open to review by outside experts and sophisticated users,
reducing the chance of undetected bugs or hidden security compromises.

The software has been in development for several years. It has been
funded by several philanthropists interested in increased privacy on
the Internet, including John Gilmore, co-founder of the Electronic
Frontier Foundation, a leading online civil rights group.

Press contacts:
Hugh Daniel, +1 408 353 8124, hugh@toad.com
Henry Spencer, +1 416 690 6561, henry@spsystems.net

* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
Security, Inc; used by permission.</PRE>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="umltesting.html">Previous</A>
<A HREF="ipsec.html">Next</A>
</BODY>
</HTML>