From: Shawn McMahon Area: Public Key Encryption To: David Chessler 23 Sep 94 01:29:44 Subject: Re: signing my own key. UpdReq Despite the stern warnings of the tribal elders, David Chessler said this to Shawn Mcmahon: DC> You must mean the RSA portion of PGP. The IDEA portion has DC> nothing to do with factoring numbers. I'd like to pretend I meant that, but I didn't; thanks for helping lower my level of ignorance. I'm still learning this stuff; the math is a little beyond me, and most of my knowledge comes from Schneier's book. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Jess Williams 23 Sep 94 01:40:12 Subject: ENCRYPTION... UpdReq Despite the stern warnings of the tribal elders, Jess Williams said this to Scott Mills: JW> key is better than a smaller one in my book :) Also I've JW> been trying to find a way to increase the size of the IDEA JW> portion of the code also. I'm not much of a programmer (at JW> least in C anyway) I think the IDEA portion uses key sizes of JW> 128 bits? is that correct? That is very large compared to the JW> 56 bits of DES. I would like to double it to 256 bits JW> though. Well thanks again That very likely would WEAKEN it, not strengthen it. 2^16+1 is prime, but 2^32+1 isn't, and the primeness of 2^16+1 is one of the lynchpins of the algorithm. This is all from a conversion Bruce Schneier had with one of the IDEA creators, Xuejia Lai. Quoted in "Applied Cryptography," it hadn't been published by Lai as of that writing. BTW, this is one of the pitfalls of mucking around with algorithms. If you're a dabbler (like me) instead of a mathematician or cryptologist, you're better off not touching 'em. Same thing happens when people mess with DES; one little minor change makes the whole thing suddenly MUCH easier to crack. BTW, remember that the algorithm has a very large keyspace; that 128-bits doesn't compare to a 128-bit RSA key in difficulty of a brute-force attack. It'd take 10^38 encryptions to recover a key, on average; if we plundered all the silicon in the universe, we might be able to build a machine that could do it before the sun goes nova. :-) 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: David Chessler 23 Sep 94 01:57:40 Subject: Need recommendations UpdReq Despite the stern warnings of the tribal elders, David Chessler said this to Shawn Mcmahon: DC> Securing the computer physically is always a better idea. Think DC> again about why it can't be done in this case. I absolutely agree, David, but the client doesn't want to do what it takes. DC> Actually, SFS may be more secure than SecureDrive, if the docs DC> can be beleived. Basically, it comes down to whether the NSA can be believed; they wrote the hash algorithm he uses. Personally, I suspect they have a way to beat it; but the resources of the likely attackers are PCs and non-cryptographers. DC> I should hope not. Can this drive be a removeable and just put DC> it in the safe at night? That's what the Pentagon does. That was my first suggestion; second was putting a video camera in the office and catching the bastards in the act. :-) DC> Effectively, you are relying on encryption, with no effective DC> backup. Can you rely on your client to use a good passphrase (at DC> least 30 characters for IDEA, maybe 50 Characters for SFS, which DC> has a longer key)? Nope; in fact, I can guarantee you that he'll use lousy passwords. I did manage to get him to consider a couple tips, but they'll do no more than double the time necessary to crack it by brute-force search. DC> Will the client put the passphrase on paper? In his desk? On a DC> post it note on the monitor? Probably. I made sure to tell him that I could not guarantee that anything I did was going to protect his data, and that I'd be glad to refer him to a security specialist if he wanted it absolutely safe. All I guaranteed was that if he didn't give the password to anybody else, it'd slow somebody down. Perhaps until after the data becomes useless (it has a very short life) but no promises. DC> Most clients are lousy about passwords. And is the client DC> one person or a staff? How many people have to have access? Far too many. Hell, the fact that *I* know the password with which he began (dunno if he's changed it) means too many people know. DC> Re-think the whole physical security issue. Unless you get some DC> *very* good answers about your client's willingness to engage in DC> some inconvenient procedures with pass phrases, why do you think DC> the client will be better with them than he is with physical DC> security. I don't; stubborn bastard just won't do it. DC> So the first question is, why not lock it in the safe? Unless DC> you get *very* good answers for that, go no further. If their suspicions about who might be looking are correct, the CMOS password might have been enough. I think that, barring writing the password down, the data will be safe for long enough. The attacker is unlikely to bother with even trying to gather up equipment to tape off the data and take it home, and if he does he'll most likely be throwing a dictionary at it on a 486-based home PC. Eventually, he'll get in; but most likely not in time. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Shawn K. Quinn 23 Sep 94 01:55:34 Subject: There goes more freedom! UpdReq Despite the stern warnings of the tribal elders, Shawn K. Quinn said this to Tom Almy: JH>> - (UPI) WASHINGTON, DC. The White House confirmed today that the FCC JH>> will become the Federal agency to assume responsibility for regulating JH>> the so-called "Information Super Highway." [...] SKQ> It came from UPI (or at least appears to have) and you think it's SKQ> a JOKE?! Uhm, Shawn; what evidence do you have that it came from UPI, other than the fact that the poster tapped three keystrokes while writing the message? I usually use Reuters for my own hoaxes; people are less likely to have the phone number handy for checking. 201434369420143436942014343694201434369420143436942014343694718 From: Bruce Bozarth Area: Public Key Encryption To: Shawn K. Quinn 20 Sep 94 11:09:00 Subject: There goes more freedom! UpdReq On 09-20-94, without care of life or limb, Shawn K. Quinn spake thusly to Reed Darsey regarding There goes more freedom! SK>To Jeff Hancock and anyone else wanting to post a sick joke: Make SK>sure you mark your spoofs as spoofs before the rest of us think they're SK>acutally real and thus make themselves look like fools. Prudent folks verify info before acting...which helps avoid the second half of your statement. ... WinQwk 2.0b#0 201434369420143436942014343694201434369420143436942014343694718 From: Jim Bell Area: Public Key Encryption To: JESS WILLIAMS 22 Sep 94 17:55:00 Subject: ENCRYPTION... UpdReq -=> Quoting Jess Williams@1:345/31 to Scott Mills <=- SM> Some versions will make keys much larger than 1024. JW> Thanks for the info, I've been looking for a version that will allow JW> you to make the key size anything you want. My favorite PGP version JW> is 2.6uix I have the source for it. If I knew how to make the Key JW> size capability bigger I would. I can make a 1264 bit key but that JW> is the biggest I can make right now. Some people will say there is JW> no need to make keys that big at this time and that may be true but JW> A bigger key is better than a smaller one in my book :) Also I've JW> been trying to find a way to increase the size of the IDEA portion JW> of the code also. I'm not much of a programmer (at least in C anyway) JW> I think the IDEA portion uses key sizes of 128 bits? is that correct? JW> That is very large compared to the 56 bits of DES. I would like to JW> double it to 256 bits though. Well thanks again It really wouldn't help much. Assuming that there is no weakness in IDEA, the only way to find a message is a "brute-force" attack, checking an average of 2**127 decodes to find the message. That, BTW, is 128 billion billion billion billion decodes. In other words, if you had a billion separate computers, each with a billion sub-processors, and each sub-processor doing a billion decodes per second, it would take an average of 4000 years to do a decrypt. Not likely any time soon. Also, keep in mind that since IDEA keys are "randomly" issued with each new message, finding a single IDEA key doesn't help do anything except decrypt that single message. It is far more valuable to attack the (comparatively) weaker RSA key. ... Way Too Much is Not Nearly Enough. ___ Blue Wave/QWK v2.12 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Richard Walker 16 Sep 94 11:08:04 Subject: Re: Net 106 still at it? UpdReq -=> Richard Walker was saying something about Re: Net 106 still at it? =snip= RW> So far, I know of no felony convictions for refusing to route RW> encrypted "private" flagged email. Show me one, and I'll contentedly RW> change my opinion. I don't even know of a single instance of modest RW> harassment by the feds of someone who refuses to route encrypted mail. not bloody well likely to hear of one any time soon in any case. you've been around long enough to know that the feds aren't exactly thrilled about the prospect of widespread pgp use. i don't see them doing anything to enhance its acceptance. RW> Basically, my opinion is that PGP makes you look suspicious to Uncle RW> Sam; Uncle Sam may not be able to read your message, but that won't RW> stop him from *creating* a plausible fiction and nailing your behind RW> to the wall, given half a provocation. true, but this is only an indication of how far off the path of liberty we've gone in this country. it doesn't invalidate the fact that pgp has many legitimate uses. =snip= RW> Big difference, the phone company is a recognized and regulated common RW> carrier, to whom I pay big bucks each month. Last time I checked, RW> yall are leaching off of a basically free service, routed netmail is RW> not a right. You have no contract with the distributors stating that RW> they will route your netmail. also true. i see this as a major drawback for fido. i've not had any problem sending pgp messages across the internet unless my message passes through fido. the principle of mail delivery is basically the same at it's heart. if everyone passes everyone else's mail, it all will balance out over all imo. i think stopping pgp mail is sillyness. of course, i don't think sillyness should be legislated against. if a person doesn't want to allow pgp on their system, it's o.k. with me since i have no _right_ to use their property. it might be a helpful courtesy to make note of their refusal to route said mail somewhere. i don't know how this would be done, as i'm just a lowly user, and not a sysop, but might there be some kind of flag set for this? amp <0003701548@mcimail.com> ... Anyone coming for my guns had better be prepared to meet 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Christopher Baker 16 Sep 94 11:29:28 Subject: public_keys archive UpdReq -----BEGIN PGP SIGNED MESSAGE----- chris, is there an archive available of this echo? i'd like to send it to a friend new to the pgp thang and the signal to noise ratio in this echo would make it worthwhile. also, do you have an internet address? amp <0003701548@mcimail.com> -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCxAgUBLnnHvdQ9obngT6LhAQF+6wTeIfVPqTuUHqLD7Ty1qCMq8luvpy9D9O3X 6/mbfd/1dBP1Aja48tfOWB4keJxaqM8JkzWLI/o3wumZfewoIQEyTb0DUFAgFGy5 DVtCsSShdFsxSeHgwYOQJPbkx0TXUyT87WxICZau+lg7kM8peSDLJk6Li7o3XSQ4 B5HFE5bAze+CVZpT3PtSG0OcncdSBvqOwkuehSEWWUNhMf9v =T0kA -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 ... FBI: Fry, Burn, Incinerate 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Jeff Hancock 16 Sep 94 11:37:40 Subject: There goes more freedom! UpdReq -----BEGIN PGP SIGNED MESSAGE----- -=> Jeff Hancock was saying something about There goes more freedom! JH> @Via SLMAIL v3.5C (#1540) JH> + This message was written by CAPTAIN BLADE to ALL JH> + + and forwarded from area CHAOS JH> + JH> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ JH> * Original Echo Area: Houston Sysop JH> * Original Message by: Mike Wheeler of 1:106/1136 JH> * to: All JH> A reliable message poster left this on my system. Thought I would JH> share it with you. JH> ----------------------------------------------------------------------- JH> - (UPI) WASHINGTON, DC. The White House confirmed today that the FCC JH> will become the Federal agency to assume responsibility for regulating =snip= i'd quote back the offending passages, but i'd just be posting this back to you. i'll forward this to the eff and cspr and see what they have to say. anything you or anyone else can find on this would be appreciated. i'll post back anythiing i can find. time to put my senator's office to work... judging from the requirements mentioned, i don't believe it. correction: i _do_ believe it. the internet is a threat to their power. they'll do anything to stop it. you ruined my day. amp <0003701548@mcimail.com> -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCxAgUBLnnJxNQ9obngT6LhAQHi7gTfQhP7VSZWMLBk1ayc890+ETIV7/hi4Fuj okCFy5xtqShRs+cRR12CDcHnAyc9FI+GCZc/00LAI1el4bX6oXXQNUpyQD4ifLc9 YZTZfBbZzDtYDz9YjjWw+tdYRBG3bc9FlDQqhqdb/09NFLCwGKB2vQv7WDc9kznh mYFqh9CBjnGRtcr6Q7WqUtSLSOVFoawBJP0yv156pWOAzK0L =Gn4J -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 ... Very funny Mr. Scott - now beam up my clothes! 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Brad Ems 19 Sep 94 22:08:48 Subject: Getting Started w/PGP UpdReq -----BEGIN PGP SIGNED MESSAGE----- i'll take a stab at answering your questions. one of the nice things about forums such as this, is that there will most likely be several different viewpoints presented. BE> 1: I have both PGP 2.3 and 2.6. I have learned that after a certain BE> date, PGP 2.6 will not work with keys generated by 2.3. Am I BE> correct in thinking this? if you are using version 2.6, you _may_ have problems with some bigger keys. version 2.6 does not handle keys bigger than 1024 bits. it does also not handle keys made by _much_ older versions of pgp. my information is incomplete on the latest version (2.6.1 or 2.61). i understand that it will handle larger keys. BE> 2. I have a number of friends that have BE> PGP and we'd like to begin using it for private e-mail. Where is a BE> good message clearing house where we can post (if there is one)? 'securemail' is a collection of systems that provide routing for encrypted netmail. see if a node local to you participates. if so support him/her. if not, join yourself, or find someone who will. you also might consider the internet if you have access. i've been able to maintain private conversations from mcimail to the internet for a while now. it seems to work pretty well for my purposes. a third option might be a private forum on a bbs for just the people you want to converse with. BE> 3. I have heard that give that MIT worked on PGP to legalize it in the BE> eyes of the Washington bureaucrats, it may not be entirely robust. BE> has anyone any info on 2.6's integrity? mit is one of the partners in pkp, the group that claims the patent to the algorythm behind pgp. version 2.6 is 'legal' for use in zone 1. there are doubts as to the enforcability of their patent. so far, it seems clean cryptographically to those who've looked at it. the main difficulty at the moment is that it is a fairly buggy release. i can't say that i understand this as it seems that the bug fixes are released by independent folx seemingly within hours of the 'official' release. BE> 4. I have read and re-read the BE> manuals that come with PGP, doing better than most by this alone!! and I believe I have a good idea of how BE> it works and how to effectively use it, but in reading the posts in BE> this sub, I realize that I may not know as much as I think. How BE> much here is cryptographic finery that a bumpkin like me does not BE> need to know, and how much is critical stuff that will have Janet BE> Reno knocking on my door if I don't? feel free to join the rest of us bumpkins! i've leared a lot in this echo. (thanks to all who participate). overall, i think this echo has a better signal to noise ratio than most i've seen. if reno decides to kick down your door and hold a waco barbque, whether you encrypt or not won't help you unless you ascii armor is the full body type. (with a gas mask) BE> Brad Ems **** LEGALIZE FREEDOM **** sounds like a good idea to me. amp <0003701548@mcimail.com> ... Guns for sale. Please dust off the cocaine... -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCxAgUBLn5SStQ9obngT6LhAQHnWQTfWivDVJLyl/xwyt79X715fxlBpPmgKZpC B3PD5hcQpHXqSlLdjxj0D25ySghyybCTqvCwKGmahUrPUc/awYoox0Luom8+2oqC WqpFbU4M+FLU7MMRZvaTTWXEvpSMMNR4pQTpzLzzeGwdfi48/uaw/Fk+Z0SbFV5D iLKENkSDLlJg6T8s5scvix32s1wX/11n2JKpuF898BEORvSU =jF6t -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Tim Devore 19 Sep 94 22:09:28 Subject: Key Revocation UpdReq -----BEGIN PGP SIGNED MESSAGE----- =snip= TD> This is the last time that I'm gonna get caught with my pants down and TD> not have an updated back up of my configs, I Hope. next time you create a key pair, copy your keyrings to alternate files, then create a revocation certificate and copy the pgp directory to a floppy and write protect it. (make two copies if you believe in murphy as much as i do.) this protects you in two ways. you wil have backup copies of your keys, and you will also have a ready-made revocation certificate if, for some reason, you forget your passphrase. amp <0003701548@mcimail.com> ... Want my ammunition? You can have them one bullet at a tim -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCxAgUBLn5Se9Q9obngT6LhAQHUNATfRec9A8tNhnetJMueCR1pgIcjLzb9ozvu czrbTKSmyIv7QmrYvVC30G0TyaFjyBsn8d7FQNpUPyqfLanQ3Arr6tfKWZZP8P7P ix8EMDgyS+ibDbiFNkDkX7SBQdiyHcwMGpkxpu+WMXV8/1gl4b9IFfwMY0PIPGb2 cRSWZ1eq1C5Mo3vJkEeJFp8OFTR69JgI2v4/mqsBnZf3lm19 =nJB8 -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Rich Veraa 19 Sep 94 19:27:38 Subject: Re: Need recommendations UpdReq -----BEGIN PGP SIGNED MESSAGE----- =snip= RV> Take a look at SecureDevice (SECDEV13.ARJ). It works similar to MS RV> Doublespace; you set up a "virtual drive" as big or little as you RV> want. Uses IDEA encryption. VERY easy to use. i've heard of this and am intrigued. do you know where it can be downloaded on a first call basis? amp <0003701548@mcimail.com> -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCxAgUBLn4sadQ9obngT6LhAQHeagTffL01KcJr4cvbg3ejY9ZwgZnMKMkgX+ZF eVmCj5zPxtBg7XSpUMizraE0JZ7reQl8lvVTcvXdRyhhHBHIwSfxZXJkKE6YlnGO XlaP8I12lv3yHnnMcDvQ7ROJU3uPub9JQ8cbOSiAaSxPt5hPZWflSNvVG/oMmsIZ vB53XSVNYU8w+AY44bnR/aNMaBPkuJEa7g3gCUwI7wmmZrU3 =UPM5 -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 ... What good ingredients, liberty and immigrants. TGAMP 201434369420143436942014343694201434369420143436942014343694718 From: Richard Godbee Area: Public Key Encryption To: All 22 Sep 94 16:15:32 Subject: Signing Messages and Other 'Newbie' Questions...UpdReq All, I'm relatively new to PGP, but I like the ideas behind it and would like to get involved in the use of PGP. But, I have a question... =) --CUT HERE-8<-- To sign a plaintext file with your secret key: pgp -s textfile [-u your_userid] --CUT HERE-8<-- Okay, I think this is how most of you here sign all of your messages, but (I'm probably wrong here; I just want to make sure) would this give away your secret key? Why not sign it with your public key? Thanks... --Ricky Godbee, Jr. richard.godbee@bmtmicro.com --- * TLX v3.40 * Go ahead! Do it! You can always apologize later... 201434369420143436942014343694201434369420143436942014343694718 From: John Schofield Area: Public Key Encryption To: Ron Pritchett 22 Sep 94 08:09:04 Subject: Key Change? UpdReq -----BEGIN PGP SIGNED MESSAGE----- --====-- RP> I just added a new User ID to my trusty old key & was wondering it RP> that would cause problems if someone happened to encode something on RP> my "old" public key.... It's the same key as your old one, just with a new user ID added. The key itself is the same. JMS -----BEGIN PGP SIGNATURE----- Version: 2.7 Comment: Call 818-345-8640 voice for info on Keep Out magazine. iQCVAwUBLoGcnGj9fvT+ukJdAQHJoAP/cK0buaIP/t2ZdZCl+HOX2pa6FqHsvcYj 8l1afQ8nuThlzoiF6ITn/cZ44O4BMDhiq1oCUHWXeMEAeGGWbZZ8A6uWECT2I5DC UiS/vIwDCZl+bKe2EJQUMB6lG1Ebn3vbpmdU6rfIPtdeVz/btR7KTpk6kxDCEPiO ldo8hTzFv0E= =JGsc -----END PGP SIGNATURE----- **EZ-PGP v1.07 ... "It's not frozen up, it's just resting." -- John Schofield 201434369420143436942014343694201434369420143436942014343694718 From: John Schofield Area: Public Key Encryption To: jason carr 22 Sep 94 08:09:04 Subject: PGPSORT UpdReq -----BEGIN PGP SIGNED MESSAGE----- --====-- jc> Anybody have a copy of this for FREQ? Yes. PGPSRT.ZIP 13k Available from: 1:102/903 14.4k bps 1:102/904 28.8k bps JMS -----BEGIN PGP SIGNATURE----- Version: 2.7 Comment: Call 818-345-8640 voice for info on Keep Out magazine. iQCVAwUBLoGdLGj9fvT+ukJdAQFmIgP7BS3s5h9aE4UBPv53CF6cWnkMIyKqqHNt 92m7E2yU3KSWxDoVLqgWBKso5jGdz1TcUctu6k38QNaGwqzsJx48GAWpOGu2kvWb dHedkqoBBAsY4AGbwwYMLU5KqN6v4EHcWWlD/guyEC1HQZp6d+QM5mSu2EjtTmva u325sunQTdA= =naWn -----END PGP SIGNATURE----- **EZ-PGP v1.07 ... Privacy is a sacred right. 201434369420143436942014343694201434369420143436942014343694718 From: Donn Dubuque Area: Public Key Encryption To: All 22 Sep 94 12:12:00 Subject: Pgp Interface To Msmail UpdReq Does anyone know of an easy to use (windows preferably) interface to MSMAIL? Thanks in advance. --- * CMPQwk #1.4* UNREGISTERED EVALUATION COPY 201434369420143436942014343694201434369420143436942014343694718 From: Scott Mills Area: Public Key Encryption To: Ron Pritchett 22 Sep 94 07:48:10 Subject: Key Change? UpdReq -----BEGIN PGP SIGNED MESSAGE----- Monday September 19 1994, Ron Pritchett writes to All: RP> I just added a new User ID to my trusty old key & was wondering it RP> that would cause problems if someone happened to encode something on RP> my "old" public key.... It's never caused me any problems and I've added three or four ID's to the key. Scott I am Clinton of Borg. Hillary says resistance is futile! Scott Mills 1024/26CD5D03 PGP fingerprint = 13 D6 FF 43 53 3D 54 7B 94 D0 6B F4 24 13 E5 BD sm@f119.n265.z1.fidonet.org -----BEGIN PGP SIGNATURE----- Version: 2.61 iQCVAwUBLoFvbCP6qSQmzV0DAQGXZgQAgccUcvpP44qS15cDyJKRRXsCKmrwm+qw /bWdHR7cKOTSUgYm+vTTx5FrE3JkvVpxFvnDFguUefnPXIsYezH4jWCMFMkbmSQm BTCUyEjvdcMpkhRcpp2yrNlQZvJuZkir8CgzVKEp8EvZcp0ldHqPZMfu89jsf/jG YIooPdlMyy0= =1ETi -----END PGP SIGNATURE----- --- 201434369420143436942014343694201434369420143436942014343694718