diff options
Diffstat (limited to 'doc/politics.html')
| -rw-r--r-- | doc/politics.html | 1231 |
1 files changed, 1231 insertions, 0 deletions
diff --git a/doc/politics.html b/doc/politics.html new file mode 100644 index 000000000..5dd1e9f96 --- /dev/null +++ b/doc/politics.html @@ -0,0 +1,1231 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> +<HTML> +<HEAD> +<TITLE>Introduction to FreeS/WAN</TITLE> +<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1"> +<STYLE TYPE="text/css"><!-- +BODY { font-family: serif } +H1 { font-family: sans-serif } +H2 { font-family: sans-serif } +H3 { font-family: sans-serif } +H4 { font-family: sans-serif } +H5 { font-family: sans-serif } +H6 { font-family: sans-serif } +SUB { font-size: smaller } +SUP { font-size: smaller } +PRE { font-family: monospace } +--></STYLE> +</HEAD> +<BODY> +<A HREF="toc.html">Contents</A> +<A HREF="umltesting.html">Previous</A> +<A HREF="ipsec.html">Next</A> +<HR> +<H1><A name="politics">History and politics of cryptography</A></H1> +<P>Cryptography has a long and interesting history, and has been the + subject of considerable political controversy.</P> +<H2><A name="intro.politics">Introduction</A></H2> +<H3><A NAME="26_1_1">History</A></H3> +<P>The classic book on the history of cryptography is David Kahn's<A href="biblio.html#Kahn"> + The Codebreakers</A>. It traces codes and codebreaking from ancient + Egypt to the 20th century.</P> +<P>Diffie and Landau<A href="biblio.html#diffie"> Privacy on the Line: + The Politics of Wiretapping and Encryption</A> covers the history from + the First World War to the 1990s, with an emphasis on the US.</P> +<H4>World War II</H4> +<P>During the Second World War, the British "Ultra" project achieved one + of the greatest intelligence triumphs in the history of warfare, + breaking many Axis codes. One major target was the Enigma cipher + machine, a German device whose users were convinced it was unbreakable. + The American "Magic" project had some similar triumphs against Japanese + codes.</P> +<P>There are many books on this period. See our bibliography for + several. Two I particularly like are:</P> +<UL> +<LI>Andrew Hodges has done a superb<A href="http://www.turing.org.uk/book/"> + biography</A> of Alan Turing, a key player among the Ultra + codebreakers. Turing was also an important computer pioneer. The terms<A +href="http://www.abelard.org/turpap/turpap.htm"> Turing test</A> and<A href="http://plato.stanford.edu/entries/turing-machine/"> + Turing machine</A> are named for him, as is the<A href="http://www.acm.org"> + ACM</A>'s highest technical<A href="http://www.acm.org/awards/taward.html"> + award</A>.</LI> +<LI>Neal Stephenson's<A href="biblio.html#neal"> Cryptonomicon</A> is a + novel with cryptography central to the plot. Parts of it take place + during WW II, other parts today.</LI> +</UL> +<P>Bletchley Park, where much of the Ultra work was done, now has a + museum and a<A href="http://www.bletchleypark.org.uk/"> web site</A>.</P> +<P>The Ultra work introduced three major innovations.</P> +<UL> +<LI>The first break of Enigma was achieved by Polish Intelligence in + 1931. Until then most code-breakers had been linguists, but a different + approach was needed to break machine ciphers. Polish Intelligence + recruited bright young mathematicians to crack the "unbreakable" + Enigma. When war came in 1939, the Poles told their allies about this, + putting Britain on the road to Ultra. The British also adopted a + mathematical approach.</LI> +<LI>Machines were extensively used in the attacks. First the Polish + "Bombe" for attacking Enigma, then British versions of it, then + machines such as Collosus for attacking other codes. By the end of the + war, some of these machines were beginning to closely resemble digital + computers. After the war, a team at Manchester University, several old + Ultra hands included, built one of the world's first actual + general-purpose digital computers.</LI> +<LI>Ultra made codebreaking a large-scale enterprise, producing + intelligence on an industrial scale. This was not a "black chamber", + not a hidden room in some obscure government building with a small crew + of code-breakers. The whole operation -- from wholesale interception of + enemy communications by stations around the world, through large-scale + code-breaking and analysis of the decrypted material (with an enormous + set of files for cross-referencing), to delivery of intelligence to + field commanders -- was huge, and very carefully managed.</LI> +</UL> +<P>So by the end of the war, Allied code-breakers were expert at + large-scale mechanised code-breaking. The payoffs were enormous.</P> +<H4><A name="postwar">Postwar and Cold War</A></H4> +<P>The wartime innovations were enthusiastically adopted by post-war and + Cold War signals intelligence agencies. Presumably many nations now + have some agency capable of sophisticated attacks on communications + security, and quite a few engage in such activity on a large scale.</P> +<P>America's<A href="glossary.html#NSA"> NSA</A>, for example, is said + to be both the world's largest employer of mathematicians and the + world's largest purchaser of computer equipment. Such claims may be + somewhat exaggerated, but beyond doubt the NSA -- and similar agencies + in other countries -- have some excellent mathematicians, lots of + powerful computers, sophisticated software, and the organisation and + funding to apply them on a large scale. Details of the NSA budget are + secret, but there are some published<A href="http://www.fas.org/irp/nsa/nsabudget.html"> + estimates</A>.</P> +<P>Changes in the world's communications systems since WW II have + provided these agencies with new targets. Cracking the codes used on an + enemy's military or diplomatic communications has been common practice + for centuries. Extensive use of radio in war made large-scale attacks + such as Ultra possible. Modern communications make it possible to go + far beyond that. Consider listening in on cell phones, or intercepting + electronic mail, or tapping into the huge volumes of data on new media + such as fiber optics or satellite links. None of these targets existed + in 1950. All of them can be attacked today, and almost certainly are + being attacked.</P> +<P>The Ultra story was not made public until the 1970s. Much of the + recent history of codes and code-breaking has not been made public, and + some of it may never be. Two important books are:</P> +<UL> +<LI>Bamford's<A href="biblio.html#puzzle"> The Puzzle Palace</A>, a + history of the NSA</LI> +<LI>Hager's<A href="http://www.fas.org/irp/eprint/sp/index.html"> Secret + Power</A>, about the<A href="http://sg.yahoo.com/government/intelligence/echelon_network/"> + Echelon</A> system -- the US, UK, Canada, Australia and New Zealand + co-operating to monitor much of the world's communications.</LI> +</UL> +<P>Note that these books cover only part of what is actually going on, + and then only the activities of nations open and democratic enough that + (some of) what they are doing can be discovered. A full picture, + including:</P> +<UL> +<LI>actions of the English-speaking democracies not covered in those + books</LI> +<LI>actions of other more-or-less sane governments</LI> +<LI>the activities of various more-or-less insane governments</LI> +<LI>possibilities for unauthorized action by government employees</LI> +<LI>possible actions by large non-government organisations: + corporations, criminals, or conspiracies</LI> +</UL> +<P>might be really frightening.</P> +<H4><A name="recent">Recent history -- the crypto wars</A></H4> +<P>Until quite recently, cryptography was primarily a concern of + governments, especially of the military, of spies, and of diplomats. + Much of it was extremely secret.</P> +<P>In recent years, that has changed a great deal. With computers and + networking becoming ubiquitous, cryptography is now important to almost + everyone. Among the developments since the 1970s:</P> +<UL> +<LI>The US gov't established the Data Encryption Standard,<A href="glossary.html#DES"> + DES</A>, a<A href="glossary.html#block"> block cipher</A> for + cryptographic protection of unclassfied documents.</LI> +<LI>DES also became widely used in industry, especially regulated + industries such as banking.</LI> +<LI>Other nations produced their own standards, such as<A href="glossary.html#GOST"> + GOST</A> in the Soviet Union.</LI> +<LI><A href="glossary.html#public">Public key</A> cryptography was + invented by Diffie and Hellman.</LI> +<LI>Academic conferences such as<A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html"> + Crypto</A> and<A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/"> + Eurocrypt</A> began.</LI> +<LI>Several companies began offerring cryptographic products:<A href="glossary.html#RSAco"> + RSA</A>,<A href="glossary.html#PGPI"> PGP</A>, the many vendors with<A href="glossary.html#PKI"> + PKI</A> products, ...</LI> +<LI>Cryptography appeared in other products: operating systems, word + processors, ...</LI> +<LI>Network protocols based on crypto were developed:<A href="glossary.html#SSH"> + SSH</A>,<A href="glossary.html#SSL"> SSL</A>,<A href="glossary.html#IPsec"> + IPsec</A>, ...</LI> +<LI>Crytography came into widespread use to secure bank cards, + terminals, ...</LI> +<LI>The US government replaced<A href="glossary.html#DES"> DES</A> with + the much stronger Advanced Encryption Standard,<A href="glossary.html#AES"> + AES</A></LI> +</UL> +<P>This has led to a complex ongoing battle between various mainly + government groups wanting to control the spread of crypto and various + others, notably the computer industry and the<A href="http://online.offshore.com.ai/security/"> + cypherpunk</A> crypto advocates, wanting to encourage widespread use.</P> +<P>Steven Levy has written a fine history of much of this, called<A href="biblio.html#crypto"> + Crypto: How the Code rebels Beat the Government -- Saving Privacy in + the Digital Age</A>.</P> +<P>The FreeS/WAN project is to a large extent an outgrowth of cypherpunk + ideas. Our reasons for doing the project can be seen in these quotes + from the<A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto"> + Cypherpunk Manifesto</A>:</P> +<BLOCKQUOTE> Privacy is necessary for an open society in the electronic + age. ... +<P>We cannot expect governments, corporations, or other large, faceless + organizations to grant us privacy out of their beneficence. It is to + their advantage to speak of us, and we should expect that they will + speak. ...</P> +<P>We must defend our own privacy if we expect to have any. ...</P> +<P>Cypherpunks write code. We know that someone has to write software to + defend privacy, and since we can't get privacy unless we all do, we're + going to write it. We publish our code so that our fellow Cypherpunks + may practice and play with it. Our code is free for all to use, + worldwide. We don't much care if you don't approve of the software we + write. We know that software can't be destroyed and that a widely + dispersed system can't be shut down.</P> +<P>Cypherpunks deplore regulations on cryptography, for encryption is + fundamentally a private act. ...</P> +<P>For privacy to be widespread it must be part of a social contract. + People must come and together deploy these systems for the common good. + ...</P> +</BLOCKQUOTE> +<P>To quote project leader John Gilmore:</P> +<BLOCKQUOTE> We are literally in a race between our ability to build and + deploy technology, and their ability to build and deploy laws and + treaties. Neither side is likely to back down or wise up until it has + definitively lost the race.</BLOCKQUOTE> +<P>If FreeS/WAN reaches its goal of making<A href="intro.html#opp.intro"> + opportunistic encryption</A> widespread so that secure communication + can become the default for a large part of the net, we will have struck + a major blow.</P> +<H3><A name="intro.poli">Politics</A></H3> +<P>The political problem is that nearly all governments want to monitor + their enemies' communications, and some want to monitor their citizens. + They may be very interested in protecting some of their own + communications, and often some types of business communication, but not + in having everyone able to communicate securely. They therefore attempt + to restrict availability of strong cryptography as much as possible.</P> +<P>Things various governments have tried or are trying include:</P> +<UL> +<LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian + and Canadian<A href="glossary.html#SIGINT"> signals intelligence</A> + agencies. See this<A href="http://sg.yahoo.com/government/intelligence/echelon_network/"> + collection</A> of links and this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html"> + story</A> on the French Parliament's reaction.</LI> +<LI>Others governments may well have their own Echelon-like projects. To + quote the Dutch Minister of Defense, as reported in a German<A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html"> + magazine</A>:<BLOCKQUOTE> The government believes not only the + governments associated with Echelon are able to intercept communication + systems, but that it is an activity of the investigative authorities + and intelligence services of many countries with governments of + different political signature.</BLOCKQUOTE> Even if they have nothing + on the scale of Echelon, most intelligence agencies and police forces + certainly have some interception capability.</LI> +<LI><A href="glossary.html#NSA">NSA</A> tapping of submarine + communication cables, described in<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html"> + this article</A></LI> +<LI>A proposal for international co-operation on<A href="http://www.heise.de/tp/english/special/enfo/4306/1.html"> + Internet surveillance</A>.</LI> +<LI>Alleged<A href="http://cryptome.org/nsa-sabotage.htm"> sabotage</A> + of security products by the<A href="glossary.html#NSA"> NSA</A> (the US + signals intelligence agency).</LI> +<LI>The German armed forces and some government departments will stop + using American software for fear of NSA "back doors", according to this<A +href="http://www.theregister.co.uk/content/4/17679.html"> news story</A> +.</LI> +<LI>The British Regulation of Investigatory Powers bill. See this<A href="http://www.fipr.org/rip/index.html"> + web page.</A> and perhaps this<A href="http://ars.userfriendly.org/cartoons/?id=20000806&mode=classic"> + cartoon</A>.</LI> +<LI>A Russian<A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict"> + ban</A> on cryptography</LI> +<LI>Chinese<A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china"> + controls</A> on net use.</LI> +<LI>The FBI's carnivore system for covert searches of email. See this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html"> + news coverage</A> and this<A href="http://www.crypto.com/papers/carnivore-risks.html"> + risk assessment</A>. The government had an external review of some + aspects of this system done. See this<A href="http://www.crypto.com/papers/carnivore_report_comments.html"> + analysis</A> of that review. Possible defenses against Carnivore + include: +<UL> +<LI><A href="glossary.html#PGP">PGP</A> for end-to-end mail encryption</LI> +<LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A> + for server-to-server encryption</LI> +<LI>IPsec encryption on the underlying IP network</LI> +</UL> +</LI> +<LI>export laws restricting strong cryptography as a munition. See<A href="#exlaw"> + discussion</A> below.</LI> +<LI>various attempts to convince people that fundamentally flawed + cryptography, such as encryption with a<A href="#escrow"> back door</A> + for government access to data or with<A href="#shortkeys"> inadequate + key lengths</A>, was adequate for their needs.</LI> +</UL> +<P>Of course governments are by no means the only threat to privacy and + security on the net. Other threats include:</P> +<UL> +<LI>industrial espionage, as for example in this<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html"> + news story</A></LI> +<LI>attacks by organised criminals, as in this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm"> + large-scale attack</A></LI> +<LI>collection of personal data by various companies. +<UL> +<LI>for example, consider the various corporate winners of Privacy + International's<A href="http://www.privacyinternational.org/bigbrother/"> + Big Brother Awards</A>.</LI> +<LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sell tools + to defend against this</LI> +</UL> +</LI> +<LI>individuals may also be a threat in a variety of ways and for a + variety of reasons</LI> +<LI>in particular, an individual with access to government or industry + data collections could do considerable damage using that data in + unauthorized ways.</LI> +</UL> +<P>One<A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html"> + study</A> enumerates threats and possible responses for small and + medium businesses. VPNs are a key part of the suggested strategy.</P> +<P>We consider privacy a human right. See the UN's<A href="http://www.un.org/Overview/rights.html"> + Universal Declaration of Human Rights</A>, article twelve:</P> +<BLOCKQUOTE> No one shall be subjected to arbitrary interference with + his privacy, family, home or correspondence, nor to attacks upon his + honor and reputation. Everyone has the right to the protection of the + law against such interference or attacks.</BLOCKQUOTE> +<P>Our objective is to help make privacy possible on the Internet using + cryptography strong enough not even those well-funded government + agencies are likely to break it. If we can do that, the chances of + anyone else breaking it are negliible.</P> +<H3><A NAME="26_1_3">Links</A></H3> +<P>Many groups are working in different ways to defend privacy on the + net and elsewhere. Please consider contributing to one or more of these + groups:</P> +<UL> +<LI>the EFF's<A href="http://www.eff.org/crypto/"> Privacy Now!</A> + campaign</LI> +<LI>the<A href="http://www.gilc.org"> Global Internet Liberty Campaign</A> +</LI> +<LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer + Professionals for Social Responsibility</A></LI> +</UL> +<P>For more on these issues see:</P> +<UL> +<LI>Steven Levy (Newsweek's chief technology writer and author of the + classic "Hackers") new book<A href="biblio.html#crypto"> Crypto: How + the Code Rebels Beat the Government--Saving Privacy in the Digital Age</A> +</LI> +<LI>Simson Garfinkel (Boston Globe columnist and author of books on<A href="biblio.html#PGP"> + PGP</A> and<A href="biblio.html#practical"> Unix Security</A>) book<A href="biblio.html#Garfinkel"> + Database Nation: the death of privacy in the 21st century</A></LI> +</UL> +<P>There are several collections of<A href="web.html#quotes"> crypto + quotes</A> on the net.</P> +<P>See also the<A href="biblio.html"> bibliography</A> and our list of<A href="web.html#policy"> + web references</A> on cryptography law and policy.</P> +<H3><A NAME="26_1_4">Outline of this section</A></H3> +<P>The remainder of this section includes two pieces of writing by our + project leader</P> +<UL> +<LI>his<A href="#gilmore"> rationale</A> for starting this</LI> +<LI>another<A href="#policestate"> discussion</A> of project goals</LI> +</UL> +<P>and discussions of:</P> +<UL> +<LI><A href="#desnotsecure">why we do not use DES</A></LI> +<LI><A href="#exlaw">cryptography export laws</A></LI> +<LI>why<A href="#escrow"> government access to keys</A> is not a good + idea</LI> +<LI>the myth that<A href="#shortkeys"> short keys</A> are adequate for + some security requirements</LI> +</UL> +<P>and a section on<A href="#press"> press coverage of FreeS/WAN</A>.</P> +<H2><A name="leader">From our project leader</A></H2> +<P>FreeS/WAN project founder John Gilmore wrote a web page about why we + are doing this. The version below is slightly edited, to fit this + format and to update some links. For a version without these edits, see + his<A href="http://www.toad.com/gnu/"> home page</A>.</P> +<CENTER> +<H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A> +</H3> +</CENTER> +<P>My project for 1996 was to<B> secure 5% of the Internet traffic + against passive wiretapping</B>. It didn't happen in 1996, so I'm still + working on it in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we + can secure 20% the next year, against both active and passive attacks; + and 80% the following year. Soon the whole Internet will be private and + secure. The project is called S/WAN or S/Wan or Swan for Secure Wide + Area Network; since it's free software, we call it FreeSwan to + distinguish it from various commercial implementations.<A href="http://www.rsa.com/rsa/SWAN/"> + RSA</A> came up with the term "S/WAN". Our main web site is at<A href="http://www.freeswan.org/"> + http://www.freeswan.org/</A>. Want to help?</P> +<P>The idea is to deploy PC-based boxes that will sit between your local + area network and the Internet (near your firewall or router) which + opportunistically encrypt your Internet packets. Whenever you talk to a + machine (like a Web site) that doesn't support encryption, your traffic + goes out "in the clear" as usual. Whenever you connect to a machine + that does support this kind of encryption, this box automatically + encrypts all your packets, and decrypts the ones that come in. In + effect, each packet gets put into an "envelope" on one side of the net, + and removed from the envelope when it reaches its destination. This + works for all kinds of Internet traffic, including Web access, Telnet, + FTP, email, IRC, Usenet, etc.</P> +<P>The encryption boxes are standard PC's that use freely available + Linux software that you can download over the Internet or install from + a cheap CDROM.</P> +<P>This wasn't just my idea; lots of people have been working on it for + years. The encryption protocols for these boxes are called<A href="glossary.html#IPsec"> + IPSEC (IP Security)</A>. They have been developed by the<A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html"> + IP Security Working Group</A> of the<A href="http://www.ietf.org/"> + Internet Engineering Task Force</A>, and will be a standard part of the + next major version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html"> +IPv6</A>). For today's (IP version 4) Internet, they are an option.</P> +<P>The<A href="http://www.iab.org/iab"> Internet Architecture Board</A> + and<A href="http://www.ietf.org/"> Internet Engineering Steering Group</A> + have taken a<A href="iab-iesg.stmt"> strong stand</A> that the Internet + should use powerful encryption to provide security and privacy. I think + these protocols are the best chance to do that, because they can be + deployed very easily, without changing your hardware or software or + retraining your users. They offer the best security we know how to + build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.</P> +<P>This "opportunistic encryption box" offers the "fax effect". As each + person installs one for their own use, it becomes more valuable for + their neighbors to install one too, because there's one more person to + use it with. The software automatically notices each newly installed + box, and doesn't require a network administrator to reconfigure it. + Instead of "virtual private networks" we have a "REAL private network"; + we add privacy to the real network instead of layering a + manually-maintained virtual network on top of an insecure Internet.</P> +<H4>Deployment of IPSEC</H4> +<P>The US government would like to control the deployment of IP Security + with its<A href="#exlaw"> crypto export laws</A>. This isn't a problem + for my effort, because the cryptographic work is happening outside the + United States. A foreign philanthropist, and others, have donated the + resources required to add these protocols to the Linux operating + system.<A href="http://www.linux.org/"> Linux</A> is a complete, freely + available operating system for IBM PC's and several kinds of + workstation, which is compatible with Unix. It was written by Linus + Torvalds, and is still maintained by a talented team of expert + programmers working all over the world and coordinating over the + Internet. Linux is distributed under the<A href="glossary.html#GPL"> + GNU Public License</A>, which gives everyone the right to copy it, + improve it, give it to their friends, sell it commercially, or do just + about anything else with it, without paying anyone for the privilege.</P> +<P>Organizations that want to secure their network will be able to put + two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM + or by downloading it over the net, and plug it in between their + Ethernet and their Internet link or firewall. That's all they'll have + to do to encrypt their Internet traffic everywhere outside their own + local area network.</P> +<P>Travelers will be able to run Linux on their laptops, to secure their + connection back to their home network (and to everywhere else that they + connect to, such as customer sites). Anyone who runs Linux on a + standalone PC will also be able to secure their network connections, + without changing their application software or how they operate their + computer from day to day.</P> +<P>There will also be numerous commercially available firewalls that use + this technology.<A href="http://www.rsa.com/"> RSA Data Security</A> is + coordinating the<A href="http://www.rsa.com/rsa/SWAN"> S/Wan (Secure + Wide Area Network)</A> project among more than a dozen vendors who use + these protocols. There's a<A href="http://www.rsa.com/rsa/SWAN/swan_test.htm"> + compatability chart</A> that shows which vendors have tested their + boxes against which other vendors to guarantee interoperatility.</P> +<P>Eventually it will also move into the operating systems and + networking protocol stacks of major vendors. This will probably take + longer, because those vendors will have to figure out what they want to + do about the export controls.</P> +<H4>Current status</H4> +<P>My initial goal of securing 5% of the net by Christmas '96 was not + met. It was an ambitious goal, and inspired me and others to work hard, + but was ultimately too ambitious. The protocols were in an early stage + of development, and needed a lot more protocol design before they could + be implemented. As of April 1999, we have released version 1.0 of the + software (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz"> +freeswan-1.0.tar.gz</A>), which is suitable for setting up Virtual + Private Networks using shared secrets for authentication. It does not + yet do opportunistic encryption, or use DNSSEC for authentication; + those features are coming in a future release.</P> +<DL> +<DT>Protocols</DT> +<DD>The low-level encrypted packet formats are defined. The system for + publishing keys and providing secure domain name service is defined. + The IP Security working group has settled on an NSA-sponsored protocol + for key agreement (called ISAKMP/Oakley), but it is still being worked + on, as the protocol and its documentation is too complex and + incomplete. There are prototype implementations of ISAKMP. The protocol + is not yet defined to enable opportunistic encryption or the use of + DNSSEC keys.</DD> +<DT>Linux Implementation</DT> +<DD>The Linux implementation has reached its first major release and is + ready for production use in manually-configured networks, using Linux + kernel version 2.0.36.</DD> +<DT>Domain Name System Security</DT> +<DD>There is now a release of BIND 8.2 that includes most DNS Security + features. +<P>The first prototype implementation of Domain Name System Security was + funded by<A href="glossary.html#DARPA"> DARPA</A> as part of their<A href="http://www.darpa.mil/ito/research/is/index.html"> + Information Survivability program</A>.<A href="http://www.tis.com"> + Trusted Information Systems</A> wrote a modified version of<A href="http://www.isc.org/bind.html"> + BIND</A>, the widely-used Berkeley implementation of the Domain Name + System.</P> +<P>TIS, ISC, and I merged the prototype into the standard version of + BIND. The first production version that supports KEY and SIG records is<B> + bind-4.9.5</B>. This or any later version of BIND will do for + publishing keys. It is available from the<A href="http://www.isc.org/bind.html"> + Internet Software Consortium</A>. This version of BIND is not + export-controlled since it does not contain any cryptography. Later + releases starting with BIND 8.2 include cryptography for authenticating + DNS records, which is also exportable. Better documentation is needed.</P> +</DD> +</DL> +<H4>Why?</H4> +<P>Because I can. I have made enough money from several successful + startup companies, that for a while I don't have to work to support + myself. I spend my energies and money creating the kind of world that + I'd like to live in and that I'd like my (future) kids to live in. + Keeping and improving on the civil rights we have in the United States, + as we move more of our lives into cyberspace, is a particular goal of + mine.</P> +<H4>What You Can Do</H4> +<DL> +<DT>Install the latest BIND at your site.</DT> +<DD>You won't be able to publish any keys for your domain, until you + have upgraded your copy of BIND. The thing you really need from it is + the new version of<I> named</I>, the Name Daemon, which knows about the + new KEY and SIG record types. So, download it from the<A href="http://www.isc.org/bind.html"> + Internet Software Consortium</A> and install it on your name server + machine (or get your system administrator, or Internet Service + Provider, to install it). Both your primary DNS site and all of your + secondary DNS sites will need the new release before you will be able + to publish your keys. You can tell which sites this is by running the + Unix command "dig MYDOMAIN ns" and seeing which sites are mentioned in + your NS (name server) records.</DD> +<DT>Set up a Linux system and run a 2.0.x kernel on it</DT> +<DD>Get a machine running Linux (say the 5.2 release from<A href="http://www.redhat.com"> + Red Hat</A>). Give the machine two Ethernet cards.</DD> +<DT>Install the Linux IPSEC (Freeswan) software</DT> +<DD>If you're an experienced sysadmin or Linux hacker, install the + freeswan-1.0 release, or any later release or snapshot. These releases + do NOT provide automated "opportunistic" operation; they must be + manually configured for each site you wish to encrypt with.</DD> +<DT>Get on the linux-ipsec mailing list</DT> +<DD>The discussion forum for people working on the project, and testing + the code and documentation, is: linux-ipsec@clinet.fi. To join this + mailing list, send email to<A href="mailto:linux-ipsec-REQUEST@clinet.fi"> + linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says + "subscribe linux-ipsec". (You can later get off the mailing list the + same way -- just send "unsubscribe linux-ipsec").</DD> +<P></P> +<DT>Check back at this web page every once in a while</DT> +<DD>I update this page periodically, and there may be new information in + it that you haven't seen. My intent is to send email to the mailing + list when I update the page in any significant way, so subscribing to + the list is an alternative.</DD> +</DL> +<P>Would you like to help? I can use people who are willing to write + documentation, install early releases for testing, write cryptographic + code outside the United States, sell pre-packaged software or systems + including this technology, and teach classes for network administrators + who want to install this technology. To offer to help, send me email at + gnu@toad.com. Tell me what country you live in and what your + citizenship is (it matters due to the export control laws; personally I + don't care). Include a copy of your resume and the URL of your home + page. Describe what you'd like to do for the project, and what you're + uniquely qualified for. Mention what other volunteer projects you've + been involved in (and how they worked out). Helping out will require + that you be able to commit to doing particular things, meet your + commitments, and be responsive by email. Volunteer projects just don't + work without those things.</P> +<H4>Related projects</H4> +<DL> +<DT>IPSEC for NetBSD</DT> +<DD>This prototype implementation of the IP Security protocols is for + another free operating system.<A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz"> + Download BSDipsec.tar.gz</A>.</DD> +<DT>IPSEC for<A href="http://www.openbsd.org"> OpenBSD</A></DT> +<DD>This prototype implementation of the IP Security protocols is for + yet another free operating system. It is directly integrated into the + OS release, since the OS is maintained in Canada, which has freedom of + speech in software.</DD> +</DL> +<H3><A name="policestate">Stopping wholesale monitoring</A></H3> +<P>From a message project leader John Gilmore posted to the mailing + list:</P> +<PRE>John Denker wrote: + +> Indeed there are several ways in which the documentation overstates the +> scope of what this project does -- starting with the name +> FreeS/WAN. There's a big difference between having an encrypted IP tunnel +> versus having a Secure Wide-Area Network. This software does a fine job of +> the former, which is necessary but not sufficient for the latter. + +The goal of the project is to make it very hard to tap your wide area +communications. The current system provides very good protection +against passive attacks (wiretapping and those big antenna farms). +Active attacks, which involve the intruder sending packets to your +system (like packets that break into sendmail and give them a root +shell :-) are much harder to guard against. Active attacks that +involve sending people (breaking into your house and replacing parts +of your computer with ones that transmit what you're doing) are also +much harder to guard against. Though we are putting effort into +protecting against active attacks, it's a much bigger job than merely +providing strong encryption. It involves general computer security, +and general physical security, which are two very expensive problems +for even a site to solve, let alone to build into a whole society. + +The societal benefit of building an infrastructure that protects +well against passive attacks is that it makes it much harder to do +undetected bulk monitoring of the population. It's a defense against +police-states, not against policemen. + +Policemen can put in the effort required to actively attack sites that +they have strong suspicions about. But police states won't be able to +build systems that automatically monitor everyone's communications. +Either they will be able to monitor only a small subset of the +populace (by targeting those who screwed up their passive security), +or their monitoring activities will be detectable by those monitored +(active attacks leave packet traces or footprints), which can then be +addressed through the press and through political means if they become +too widespread. + +FreeS/WAN does not protect very well against traffic analysis, which +is a kind of widespread police-state style monitoring that still +reveals significant information (who's talking to who) without +revealing the contents of what was said. Defenses against traffic +analysis are an open research problem. Zero Knowledge Systems is +actively deploying a system designed to thwart it, designed by Ian +Goldberg. The jury is out on whether it actually works; a lot more +experience with it will be needed.</PRE> +<P>Notes on things mentioned in that message:</P> +<UL> +<LI>Denker is a co-author of a<A href="intro.html#applied"> paper</A> on + a large FreeS/WAN application.</LI> +<LI>Information on Zero Knowledge is on their<A href="http://www.zks.net/"> + web site</A>. Their Freedom product, designed to provide untracable + pseudonyms for use on the net, is no longer marketed.</LI> +<LI>Another section of our documentation discusses ways to<A href="ipsec.html#traffic.resist"> + resist traffic analysis</A>.</LI> +</UL> +<H2><A name="weak">Government promotion of weak crypto</A></H2> +<P>Various groups, especially governments and especially the US + government, have a long history of advocating various forms of bogus + security.</P> +<P>We regard bogus security as extremely dangerous. If users are + deceived into relying on bogus security, then they may be exposed to + large risks. They would be better off having no security and knowing + it. At least then they would be careful about what they said.</P> +<P><STRONG>Avoiding bogus security is a key design criterion for + everything we do in FreeS/WAN</STRONG>. The most conspicuous example is + our refusal to support<A href="#desnotsecure"> single DES</A>. Other + IPsec "features" which we do not implement are discussed in our<A href="compat.html#dropped"> + compatibility</A> document.</P> +<H3><A name="escrow">Escrowed encryption</A></H3> +<P>Various governments have made persistent attempts to encourage or + mandate "escrowed encrytion", also called "key recovery", or GAK for + "government access to keys". The idea is that cryptographic keys be + held by some third party and turned over to law enforcement or security + agencies under some conditions.</P> +<PRE> Mary had a little key - she kept it in escrow, + and every thing that Mary said, + the feds were sure to know.</PRE> +<P>A<A href="web.html#quotes"> crypto quotes</A> page attributes this to<A +href="http://www.scramdisk.clara.net/"> Sam Simpson</A>.</P> +<P>There is an excellent paper available on<A href="http://www.cdt.org/crypto/risks98/"> + Risks of Escrowed Encryption</A>, from a group of cryptographic + luminaries which included our project leader.</P> +<P>Like any unnecessary complication, GAK tends to weaken security of + any design it infects. For example:</P> +<UL> +<LI>Matt Blaze found a fatal flaw in the US government's Clipper chip + shortly after design information became public. See his paper "Protocol + Failure in the Escrowed Encryption Standard" on his<A href="http://www.crypto.com/papers/"> + papers</A> page.</LI> +<LI>a rather<A href="http://www.pgp.com/other/advisories/adk.asp"> nasty + bug</A> was found in the "additional decryption keys" "feature" of some + releases of<A href="glossary.html#PGP"> PGP</A></LI> +</UL> +<P>FreeS/WAN does not support escrowed encryption, and never will.</P> +<H3><A name="shortkeys">Limited key lengths</A></H3> +<P>Various governments, and some vendors, have also made persistent + attempts to convince people that:</P> +<UL> +<LI>weak systems are sufficient for some data</LI> +<LI>strong cryptography should be reserved for cases where the extra + overheads are justified</LI> +</UL> +<P><STRONG>This is utter nonsense</STRONG>.</P> +<P>Weak systems touted include:</P> +<UL> +<LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that + until recently were all various<A href="#exlaw"> export laws</A> + allowed</LI> +<LI>56-bit single DES, discussed<A href="#desnotsecure"> below</A></LI> +<LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for + unrestricted export under various current laws</LI> +</UL> +<P>The notion that choice of ciphers or keysize should be determined by + a trade-off between security requirements and overheads is pure + bafflegab.</P> +<UL> +<LI>For most<A href="glossary.html#symmetric"> symmetric ciphers</A>, it + is simply a lie. Any block cipher has some natural maximum keysize + inherent in the design -- 128 bits for<A href="glossary.html#IDEA"> + IDEA</A> or<A href="glossary.html#CAST128"> CAST-128</A>, 256 for + Serpent or Twofish, 448 for<A href="glossary.html#Blowfish"> Blowfish</A> + and 2048 for<A href="glossary.html#RC4"> RC4</A>. Using a key size + smaller than that limit gives<EM> exactly zero</EM> savings in + overhead. The crippled 40-bit or 64-bit version of the cipher provides<EM> + no advantage whatsoever</EM>.</LI> +<LI><A href="glossary.html#AES">AES</A> uses 10 rounds with 128-bit + keys, 12 rounds for 192-bit and 14 rounds for 256-bit, so there + actually is a small difference in overhead, but not enough to matter in + most applications.</LI> +<LI>For<A href="glossary.html#3DES"> triple DES</A> there is a grain of + truth in the argument. 3DES is indeed three times slower than single + DES. However, the solution is not to use the insecure single DES, but + to pick a faster secure cipher.<A href="glossary.html#CAST128"> + CAST-128</A>,<A href="glossary.html#Blowfish"> Blowfish</A> and the<A href="glossary.html#AES"> + AES candidate</A> ciphers are are all considerably faster in software + than DES (let alone 3DES!), and apparently secure.</LI> +<LI>For<A href="glossary.html#public"> public key</A> techniques, there + are extra overheads for larger keys, but they generally do not affect + overall performance significantly. Practical public key applications + are usually<A href="glossary.html#hybrid"> hybrid</A> systems in which + the bulk of the work is done by a symmetric cipher. The effect of + increasing the cost of the public key operations is typically + negligible because the public key operations use only a tiny fraction + of total resources. +<P>For example, suppose public key operations use use 1% of the time in + a hybrid system and you triple the cost of public key operations. The + cost of symmetric cipher operations is unchanged at 99% of the original + total cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3 + = 102, a 2% rise in system cost.</P> +</LI> +</UL> +<P>In short,<STRONG> there has never been any technical reason to use + inadequate ciphers</STRONG>. The only reason there has ever been for + anyone to use such ciphers is that government agencies want weak + ciphers used so that they can crack them. The alleged savings are + simply propaganda.</P> +<PRE> Mary had a little key (It's all she could export), + and all the email that she sent was opened at the Fort.</PRE> +<P>A<A href="web.html#quotes"> crypto quotes</A> page attributes this to<A +href="http://theory.lcs.mit.edu:80/~rivest/"> Ron Rivest</A>. NSA + headquarters is at Fort Meade, Maryland.</P> +<P>Our policy in FreeS/WAN is to use only cryptographic components with + adequate keylength and no known weaknesses.</P> +<UL> +<LI>We do not implement single DES because it is clearly<A href="#desnotsecure"> + insecure</A>, so implemeting it would violate our policy of avoiding + bogus security. Our default cipher is<A href="glossary.html#3DES"> 3DES</A> +</LI> +<LI>Similarly, we do not implement the 768-bit Group 1 for<A href="glossary.html#DH"> + Diffie-Hellman</A> key negotiation. We provide only the 1024-bit Group + 2 and 1536-bit Group 5.</LI> +</UL> +<P>Detailed discussion of which IPsec features we implement or omit is + in out<A href="compat.html"> compatibility document</A>.</P> +<P>These decisions imply that we cannot fully conform to the IPsec RFCs, + since those have DES as the only required cipher and Group 1 as the + only required DH group. (In our view, the standards were subverted into + offerring bogus security.) Fortunately, we can still interoperate with + most other IPsec implementations since nearly all implementers provide + at least 3DES and Group 2 as well.</P> +<P>We hope that eventually the RFCs will catch up with our (and others') + current practice and reject dubious components. Some of our team and a + number of others are working on this in<A href="glossary.html#IETF"> + IETF</A> working groups.</P> +<H4>Some real trade-offs</H4> +<P>Of course, making systems secure does involve costs, and trade-offs + can be made between cost and security. However, the real trade-offs + have nothing to do with using weaker ciphers.</P> +<P>There can be substantial hardware and software costs. There are often + substantial training costs, both to train administrators and to + increase user awareness of security issues and procedures. There are + almost always substantial staff or contracting costs.</P> +<P>Security takes staff time for planning, implementation, testing and + auditing. Some of the issues are subtle; you need good (hence often + expensive) people for this. You also need people to monitor your + systems and respond to problems. The best safe ever built is insecure + if an attacker can work on it for days without anyone noticing. Any + computer is insecure if the administrator is "too busy" to check the + logs.</P> +<P>Moreover, someone in your organisation (or on contract to it) needs + to spend considerable time keeping up with new developments. EvilDoers<EM> + will</EM> know about new attacks shortly after they are found. You need + to know about them before your systems are attacked. If your vendor + provides a patch, you need to apply it. If the vendor does nothing, you + need to complain or start looking for another vendor.</P> +<P>For a fairly awful example, see this<A href="http://www.sans.org/newlook/alerts/NTE-bank.htm"> + report</A>. In that case over a million credit card numbers were taken + from e-commerce sites, using security flaws in Windows NT servers. + Microsoft had long since released patches for most or all of the flaws, + but the site administrators had not applied them.</P> +<P>At an absolute minimum, you must do something about such issues<EM> + before</EM> an exploitation tool is posted to the net for downloading + by dozens of "script kiddies". Such a tool might appear at any time + from the announcement of the security hole to several months later. + Once it appears, anyone with a browser and an attitude can break any + system whose administrators have done nothing about the flaw.</P> +<P>Compared to those costs, cipher overheads are an insignificant factor + in the cost of security.</P> +<P>The only thing using a weak cipher can do for you is to cause all + your other investment to be wasted.</P> +<H2><A name="exlaw">Cryptography Export Laws</A></H2> +<P>Many nations restrict the export of cryptography and some restrict + its use by their citizens or others within their borders.</P> +<H3><A name="USlaw">US Law</A></H3> +<P>US laws, as currently interpreted by the US government, forbid export + of most cryptographic software from the US in machine-readable form + without government permission. In general, the restrictions apply even + if the software is widely-disseminated or public-domain and even if it + came from outside the US originally. Cryptography is legally a munition + and export is tightly controlled under the<A href="glossary.html#EAR"> + EAR</A> Export Administration Regulations.</P> +<P>If you are a US citizen, your brain is considered US territory no + matter where it is physically located at the moment. The US believes + that its laws apply to its citizens everywhere, not just within the US. + Providing technical assistance or advice to foreign "munitions" + projects is illegal. The US government has very little sense of humor + about this issue and does not consider good intentions to be sufficient + excuse. Beware.</P> +<P>The<A href="http://www.bxa.doc.gov/Encryption/"> official website</A> + for these regulations is run by the Commerce Department's Bureau of + Export Administration (BXA).</P> +<P>The<A href="http://www.eff.org/bernstein/"> Bernstein case</A> + challenges the export restrictions on Constitutional grounds. Code is + speech so restrictions on export of code violate the First Amendment's + free speech provisions. This argument has succeeded in two levels of + court so far. It is quite likely to go on to the Supreme Court.</P> +<P>The regulations were changed substantially in January 2000, + apparently as a government attempt to get off the hook in the Bernstein + case. It is now legal to export public domain source code for + encryption, provided you notify the<A href="glossary.html#BXA"> BXA</A> +.</P> +<P>There are, however, still restrictions in force. Moreover, the + regulations can still be changed again whenever the government chooses + to do so. Short of a Supreme Court ruling (in the Berstein case or + another) that overturns the regulations completely, the problem of + export regulation is not likely to go away in the forseeable future.</P> +<H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4> +<P>The FreeS/WAN project<STRONG> cannot accept software contributions,<EM> + not even small bug fixes</EM>, from US citizens or residents</STRONG>. + We want it to be absolutely clear that our distribution is not subject + to US export law. Any contribution from an American might open that + question to a debate we'd prefer to avoid. It might also put the + contributor at serious legal risk.</P> +<P>Of course Americans can still make valuable contributions (many + already have) by reporting bugs, or otherwise contributing to + discussions, on the project<A href="mail.html"> mailing list</A>. Since + the list is public, this is clearly constitutionally protected free + speech.</P> +<P>Note, however, that the export laws restrict Americans from providing + technical assistance to foreign "munitions" projects. The government + might claim that private discussions or correspondence with FreeS/WAN + developers were covered by this. It is not clear what the courts would + do with such a claim, so we strongly encourage Americans to use the + list rather than risk the complications.</P> +<H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3> +<P>Some quotes from prominent cryptography experts:</P> +<BLOCKQUOTE> The real aim of current policy is to ensure the continued + effectiveness of US information warfare assets against individuals, + businesses and governments in Europe and elsewhere. +<BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson, + Cambridge University</A></BLOCKQUOTE><BLOCKQUOTE> If the government + were honest about its motives, then the debate about crypto export + policy would have ended years ago. +<BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane + Systems</A></BLOCKQUOTE><BLOCKQUOTE> The NSA regularly lies to people + who ask it for advice on export control. They have no reason not to; + accomplishing their goal by any legal means is fine by them. Lying by + government employees is legal. +<BR> John Gilmore.</BLOCKQUOTE> +<P>The Internet Architecture Board (IAB) and the Internet Engineering + Steering Group (IESG) made a<A href="iab-iesg.stmt"> strong statement</A> + in favour of worldwide access to strong cryptography. Essentially the + same statement is in the appropriately numbered<A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt"> + RFC 1984</A>. Two critical paragraphs are:</P> +<BLOCKQUOTE> ... various governments have actual or proposed policies on + access to cryptographic technology ... +<P>(a) ... export controls ... +<BR> (b) ... short cryptographic keys ... +<BR> (c) ... keys should be in the hands of the government or ... +<BR> (d) prohibit the use of cryptology ...</P> +<P>We believe that such policies are against the interests of consumers + and the business community, are largely irrelevant to issues of + military security, and provide only a marginal or illusory benefit to + law enforcement agencies, ...</P> +<P>The IAB and IESG would like to encourage policies that allow ready + access to uniform strong cryptographic technology for all Internet + users in all countries.</P> +</BLOCKQUOTE> +<P>Our goal in the FreeS/WAN project is to build just such "strong + cryptographic technology" and to distribute it "for all Internet users + in all countries".</P> +<P>More recently, the same two bodies (IESG and IAB) have issued<A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt"> + RFC 2804</A> on why the IETF should not build wiretapping capabilities + into protocols for the convenience of security or law enforcement + agenicies. The abstract from that document is:</P> +<BLOCKQUOTE> The Internet Engineering Task Force (IETF) has been asked + to take a position on the inclusion into IETF standards-track documents + of functionality designed to facilitate wiretapping. +<P>This memo explains what the IETF thinks the question means, why its + answer is "no", and what that answer means.</P> +</BLOCKQUOTE> A quote from the debate leading up to that RFC:<BLOCKQUOTE> + We should not be building surveillance technology into standards. Law + enforcement was not supposed to be easy. Where it is easy, it's called + a police state. +<BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap + capability on the net, as quoted by<A href="http://www.wired.com/news/politics/0,1283,31895,00.html"> + Wired</A>.</BLOCKQUOTE> +<P>The<A href="http://www.ietf.org/mailman/listinfo/raven"> Raven</A> + mailing list was set up for this IETF discussion.</P> +<P>Our goal is to go beyond that RFC and prevent Internet wiretapping + entirely.</P> +<H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3> +<P>Restrictions on the export of cryptography are not just US policy, + though some consider the US at least partly to blame for the policies + of other nations in this area.</P> +<P>A number of countries:</P> +<P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech + Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, + Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, + Portugal, Republic of Korea, Romania, Russian Federation, Slovak + Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom + and United States</P> +<P>have signed the Wassenaar Arrangement which restricts export of + munitions and other tools of war. Cryptographic sofware is covered + there.</P> +<P>Wassenaar details are available from the<A href="http://www.wassenaar.org/"> + Wassenaar Secretariat</A>, and elsewhere in a more readable<A href="http://www.fitug.de/news/wa/index.html"> + HTML version</A>.</P> +<P>For a critique see the<A href="http://www.gilc.org/crypto/wassenaar"> + GILC site</A>:</P> +<BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a + campaign calling for the removal of cryptography controls from the + Wassenaar Arrangement. +<P>The aim of the Wassenaar Arrangement is to prevent the build up of + military capabilities that threaten regional and international security + and stability . . .</P> +<P>There is no sound basis within the Wassenaar Arrangement for the + continuation of any export controls on cryptographic products.</P> +</BLOCKQUOTE> +<P>We agree entirely.</P> +<P>An interesting analysis of Wassenaar can be found on the<A href="http://www.cyber-rights.org/crypto/wassenaar.htm"> + cyber-rights.org</A> site.</P> +<H3><A name="status">Export status of Linux FreeS/WAN</A></H3> +<P>We believe our software is entirely exempt from these controls since + the Wassenaar<A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf"> + General Software Note</A> says:</P> +<BLOCKQUOTE> The Lists do not control "software" which is either: +<OL> +<LI>Generally available to the public by . . . retail . . . or</LI> +<LI>"In the public domain".</LI> +</OL> +</BLOCKQUOTE> +<P>There is a note restricting some of this, but it is a sub-heading + under point 1, so it appears not to apply to public domain software.</P> +<P>Their glossary defines "In the public domain" as:</P> +<BLOCKQUOTE> . . . "technology" or "software" which has been made + available without restrictions upon its further dissemination. +<P>N.B. Copyright restrictions do not remove "technology" or "software" + from being "in the public domain".</P> +</BLOCKQUOTE> +<P>We therefore believe that software freely distributed under the<A href="glossary.html#GPL"> + GNU Public License</A>, such as Linux FreeS/WAN, is exempt from + Wassenaar restrictions.</P> +<P>Most of the development work is being done in Canada. Our + understanding is that the Canadian government accepts this + interpretation.</P> +<UL> +<LI>A web statement of<A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm"> + Canadian policy</A> is available from the Department of Foreign Affairs + and International Trade.</LI> +<LI>Another document from that department states that<A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm"> + public domain software</A> is exempt from the export controls.</LI> +<LI>A researcher's<A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html"> + analysis</A> of Canadian policy is also available.</LI> +</UL> +<P>Recent copies of the freely modifiable and distributable source code + exist in many countries. Citizens all over the world participate in its + use and evolution, and guard its ongoing distribution. Even if Canadian + policy were to change, the software would continue to evolve in + countries which do not restrict exports, and would continue to be + imported from there into unfree countries. "The Net culture treats + censorship as damage, and routes around it."</P> +<H3><A name="help">Help spread IPsec around</A></H3> +<P>You can help. If you don't know of a Linux FreeS/WAN archive in your + own country, please download it now to your personal machine, and + consider making it publicly accessible if that doesn't violate your own + laws. If you have the resources, consider going one step further and + setting up a mirror site for the whole<A href="intro.html#munitions"> + munitions</A> Linux crypto software archive.</P> +<P>If you make Linux CD-ROMs, please consider including this code, in a + way that violates no laws (in a free country, or in a domestic-only CD + product).</P> +<P>Please send a note about any new archive mirror sites or CD + distributions to linux-ipsec@clinet.fi so we can update the + documentation.</P> +<P>Lists of current<A href="intro.html#sites"> mirror sites</A> and of<A href="intro.html#distwith"> + distributions</A> which include FreeS/WAN are in our introduction + section.</P> +<H2><A name="desnotsecure">DES is Not Secure</A></H2> +<P>DES, the<STRONG> D</STRONG>ata<STRONG> E</STRONG>ncryption<STRONG> S</STRONG> +tandard, can no longer be considered secure. While no major flaws in its + innards are known, it is fundamentally inadequate because its<STRONG> + 56-bit key is too short</STRONG>. It is vulnerable to<A href="glossary.html#brute"> + brute-force search</A> of the whole key space, either by large + collections of general-purpose machines or even more quickly by + specialized hardware. Of course this also applies to<STRONG> any other + cipher with only a 56-bit key</STRONG>. The only reason anyone could + have for using a 56 or 64-bit key is to comply with various<A href="exportlaw.html"> + export laws</A> intended to ensure the use of breakable ciphers.</P> +<P>Non-government cryptologists have been saying DES's 56-bit key was + too short for some time -- some of them were saying it in the 70's when + DES became a standard -- but the US government has consistently + ridiculed such suggestions.</P> +<P>A group of well-known cryptographers looked at key lengths in a<A href="http://www.counterpane.com/keylength.html"> + 1996 paper</A>. They suggested a<EM> minimum</EM> of 75 bits to + consider an existing cipher secure and a<EM> minimum of 90 bits for new + ciphers</EM>. More recent papers, covering both<A href="glossary.html#symmetric"> + symmetric</A> and<A href="glossary.html#public"> public key</A> systems + are at<A href="http://www.cryptosavvy.com/"> cryptosavvy.com</A> and<A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html"> + rsa.com</A>. For all algorithms, the minimum keylengths recommended in + such papers are significantly longer than the maximums allowed by + various export laws.</P> +<P>In a<A href="http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-09/0095.html"> + 1998 ruling</A>, a German court described DES as "out-of-date and not + safe enough" and held a bank liable for using it.</P> +<H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3> +<P>The question of DES security has now been settled once and for all. + In early 1998, the<A href="http://www.eff.org/"> Electronic Frontier + Foundation</A> built a<A href="http://www.eff.org/descracker.html"> + DES-cracking machine</A>. It can find a DES key in an average of a few + days' search. The details of all this, including complete code listings + and complete plans for the machine, have been published in<A href="biblio.html#EFF"> +<CITE> Cracking DES</CITE></A>, by the Electronic Frontier Foundation.</P> +<P>That machine cost just over $200,000 to design and build. "Moore's + Law" is that machines get faster (or cheaper, for the same speed) by + roughly a factor of two every 18 months. At that rate, their $200,000 + in 1998 becomes $50,000 in 2001.</P> +<P>However, Moore's Law is not exact and the $50,000 estimate does not + allow for the fact that a copy based on the published EFF design would + cost far less than the original. We cannot say exactly what such a + cracker would cost today, but it would likely be somewhere between + $10,000 and $100,000.</P> +<P>A large corporation could build one of these out of petty cash. The + cost is low enough for a senior manager to hide it in a departmental + budget and avoid having to announce or justify the project. Any + government agency, from a major municipal police force up, could afford + one. Or any other group with a respectable budget -- criminal + organisations, political groups, labour unions, religious groups, ... + Or any millionaire with an obsession or a grudge, or just strange taste + in toys.</P> +<P>One might wonder if a private security or detective agency would have + one for rent. They wouldn't need many clients to pay off that + investment.</P> +<H3><A name="spooks">Spooks may break DES faster yet</A></H3> +<P>As for the security and intelligence agencies of various nations, + they may have had DES crackers for years, and theirs may be much + faster. It is difficult to make most computer applications work well on + parallel machines, or to design specialised hardware to accelerate + them. Cipher-cracking is one of the very few exceptions. It is entirely + straightforward to speed up cracking by just adding hardware. Within + very broad limits, you can make it as fast as you like if you have the + budget. The EFF's $200,000 machine breaks DES in a few days. An<A href="http://www.planepage.com/"> + aviation website</A> gives the cost of a B1 bomber as $200,000,000. + Spending that much, an intelligence agency could break DES in an + average time of<EM> six and a half minutes</EM>.</P> +<P>That estimate assumes they use the EFF's 1998 technology and just + spend more money. They may have an attack that is superior to brute + force, they quite likely have better chip technology (Moore's law, a + bigger budget, and whatever secret advances they may have made) and of + course they may have spent the price of an aircraft carrier, not just + one aircraft.</P> +<P>In short, we have<EM> no idea</EM> how quickly these organisations + can break DES. Unless they're spectacularly incompetent or horribly + underfunded, they can certainly break it, but we cannot guess how + quickly. Pick any time unit between days and milliseconds; none is + entirely unbelievable. More to the point, none of them is of any + comfort if you don't want such organisations reading your + communications.</P> +<P>Note that this may be a concern even if nothing you do is a threat to + anyone's national security. An intelligence agency might well consider + it to be in their national interest for certain companies to do well. + If you're competing against such companies in a world market and that + agency can read your secrets, you have a serious problem.</P> +<P>One might wonder about technology the former Soviet Union and its + allies developed for cracking DES during the Cold War. They must have + tried; the cipher was an American standard and widely used. Certainly + those countries have some fine mathematicians, and those agencies had + budget. How well did they succeed? Is their technology now for sale or + rent?</P> +<H3><A name="desnet">Networks break DES in a few weeks</A></H3> +<P>Before the definitive EFF effort, DES had been cracked several times + by people using many machines. See this<A href="http://www.distributed.net/pressroom/DESII-1-PR.html"> + press release</A> for example.</P> +<P>A major corporation, university, or government department could break + DES by using spare cycles on their existing collection of computers, by + dedicating a group of otherwise surplus machines to the problem, or by + combining the two approaches. It might take them weeks or months, + rather than the days required for the EFF machine, but they could do + it.</P> +<P>What about someone working alone, without the resources of a large + organisation? For them, cracking DES will not be easy, but it may be + possible. A few thousand dollars buys a lot of surplus workstations. A + pile of such machines will certainly heat your garage nicely and might + break DES in a few months or years. Or enroll at a university and use + their machines. Or use an employer's machines. Or crack security + somewhere and steal the resources to crack a DES key. Or write a virus + that steals small amounts of resources on many machines. Or . . .</P> +<P>None of these approaches are easy or break DES really quickly, but an + attacker only needs to find one that is feasible and breaks DES quickly + enough to be dangerous. How much would you care to bet that this will + be impossible if the attacker is clever and determined? How valuable is + your data? Are you authorised to risk it on a dubious bet?</P> +<H3><A name="no_des">We disable DES</A></H3> +<P>In short, it is now absolutely clear that<STRONG> DES is not secure</STRONG> + against</P> +<UL> +<LI>any<STRONG> well-funded opponent</STRONG></LI> +<LI>any opponent (even a penniless one) with access (even stolen access) + to<STRONG> enough general purpose computers</STRONG></LI> +</UL> +<P>That is why<STRONG> Linux FreeS/WAN disables all transforms which use + plain DES</STRONG> for encryption.</P> +<P>DES is in the source code, because we need DES to implement our + default encryption transform,<A href="glossary.html#3DES"> Triple DES</A> +.<STRONG> We urge you not to use single DES</STRONG>. We do not provide + any easy way to enable it in FreeS/WAN, and our policy is to provide no + assistance to anyone wanting to do so.</P> +<H3><A name="40joke">40-bits is laughably weak</A></H3> +<P>The same is true, in spades, of ciphers -- DES or others -- crippled + by 40-bit keys, as many ciphers were required to be until recently + under various<A href="#exlaw"> export laws</A>. A brute force search of + such a cipher's keyspace is 2<SUP>16</SUP> times faster than a similar + search against DES. The EFF's machine can do a brute-force search of a + 40-bit key space in<EM> seconds</EM>. One contest to crack a 40-bit + cipher was won by a student<A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1"> + using a few hundred idle machines at his university</A>. It took only + three and half hours.</P> +<P>We do not, and will not, implement any 40-bit cipher.</P> +<H3><A name="altdes">Triple DES is almost certainly secure</A></H3> +<P><A href="glossary.html#3DES">Triple DES</A>, usually abbreviated + 3DES, applies DES three times, with three different keys. DES seems to + be basically an excellent cipher design; it has withstood several + decades of intensive analysis without any disastrous flaws being found. + It's only major flaw is that the small keyspace allows brute force + attacks to succeeed. Triple DES enlarges the key space to 168 bits, + making brute-force search a ridiculous impossibility.</P> +<P>3DES is currently the only block cipher implemented in FreeS/WAN. + 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs + still do it at quite respectable speeds. Some<A href="glossary.html#benchmarks"> + speed measurements</A> for our code are available.</P> +<H3><A name="aes.ipsec">AES in IPsec</A></H3> +<P>The<A href="glossary.html#AES"> AES</A> project has chosen a + replacement for DES, a new standard cipher for use in non-classified US + government work and in regulated industries such as banking. This + cipher will almost certainly become widely used for many applications, + including IPsec.</P> +<P>The winner, announced in October 2000 after several years of analysis + and discussion, was the<A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/"> + Rijndael</A> cipher from two Belgian designers.</P> +<P>It is almost certain that FreeS/WAN will add AES support.<A href="web.html#patch"> + AES patches</A> are already available.</P> +<H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2> +<H3><A NAME="26_6_1">FreeS/WAN 1.0 press</A></H3> +<UL> +<LI><A href="http://www.wired.com/news/news/technology/story/19136.html"> +Wired</A> "Linux-Based Crypto Stops Snoops", James Glave April 15 1999</LI> +<LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml"> +Slashdot</A></LI> +<LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar + Group Limited; looking at FreeS/WAN from a perspective of business + computing</LI> +<LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI> +<LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>, + Tasty Bits from the Technology Front</LI> +<LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html"> +Salon Magazine</A> "Free Encryption Takes a Big Step"</LI> +</UL> +<H3><A name="release">Press release for version 1.0</A></H3> +<PRE> Strong Internet Privacy Software Free for Linux Users Worldwide + +Toronto, ON, April 14, 1999 - + +The Linux FreeS/WAN project today released free software to protect +the privacy of Internet communications using strong encryption codes. +FreeS/WAN automatically encrypts data as it crosses the Internet, to +prevent unauthorized people from receiving or modifying it. One +ordinary PC per site runs this free software under Linux to become a +secure gateway in a Virtual Private Network, without having to modify +users' operating systems or application software. The project built +and released the software outside the United States, avoiding US +government regulations which prohibit good privacy protection. +FreeS/WAN version 1.0 is available immediately for downloading at +http://www.xs4all.nl/~freeswan/. + +"Today's FreeS/WAN release allows network administrators to build +excellent secure gateways out of old PCs at no cost, or using a cheap +new PC," said John Gilmore, the entrepreneur who instigated the +project in 1996. "They can build operational experience with strong +network encryption and protect their users' most important +communications worldwide." + +"The software was written outside the United States, and we do not +accept contributions from US citizens or residents, so that it can be +freely published for use in every country," said Henry Spencer, who +built the release in Toronto, Canada. "Similar products based in the +US require hard-to-get government export licenses before they can be +provided to non-US users, and can never be simply published on a Web +site. Our product is freely available worldwide for immediate +downloading, at no cost." + +FreeS/WAN provides privacy against both quiet eavesdropping (such as +"packet sniffing") and active attempts to compromise communications +(such as impersonating participating computers). Secure "tunnels" carry +information safely across the Internet between locations such as a +company's main office, distant sales offices, and roaming laptops. This +protects the privacy and integrity of all information sent among those +locations, including sensitive intra-company email, financial transactions +such as mergers and acquisitions, business negotiations, personal medical +records, privileged correspondence with lawyers, and information about +crimes or civil rights violations. The software will be particularly +useful to frequent wiretapping targets such as private companies competing +with government-owned companies, civil rights groups and lawyers, +opposition political parties, and dissidents. + +FreeS/WAN provides privacy for Internet packets using the proposed +standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN +negotiates strong keys using Diffie-Hellman key agreement with 1024-bit +keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern +$500 PC can set up a tunnel in less than a second, and can encrypt +6 megabits of packets per second, easily handling the whole available +bandwidth at the vast majority of Internet sites. In preliminary testing, +FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH, +Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code, +its innards are open to review by outside experts and sophisticated users, +reducing the chance of undetected bugs or hidden security compromises. + +The software has been in development for several years. It has been +funded by several philanthropists interested in increased privacy on +the Internet, including John Gilmore, co-founder of the Electronic +Frontier Foundation, a leading online civil rights group. + +Press contacts: +Hugh Daniel, +1 408 353 8124, hugh@toad.com +Henry Spencer, +1 416 690 6561, henry@spsystems.net + +* FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data + Security, Inc; used by permission.</PRE> +<HR> +<A HREF="toc.html">Contents</A> +<A HREF="umltesting.html">Previous</A> +<A HREF="ipsec.html">Next</A> +</BODY> +</HTML> |