Category Archives: Cryptography

Bruce Schneier is one of life's cool people and the author of Applied Cryptography, the book that introduced me to serious crypto. It took me almost a week to work through it, but I was hooked.

Bruce also does a newsletter on crypto and security more generally. The current issue of the Crypto-Gram has an intriguing item on the mystery of Chalabi and the Iraninan codes. Recall that the US is suppposed to have learned somehow that Chalabi told the Iranians we'd broken their code, possibly because the Iranians themselves mentioned this (disinfo??) in a communication they may have known the US could read:

So now the NSA's secret is out. The Iranians have undoubtedly changed their encryption machines, and the NSA has lost its source of Iranian secrets. But little else is known. Who told Chalabi? Only a few people would know this important U.S. secret, and the snitch is certainly guilty of treason. Maybe Chalabi never knew, and never told the Iranians. Maybe the Iranians figured it out some other way, and they are pretending that Chalabi told them in order to protect some other intelligence source of theirs.

…

If the Iranians knew that the U.S. knew, why didn't they pretend not to know and feed the U.S. false information? Or maybe they've been doing that for years, and the U.S. finally figured out that the Iranians knew. Maybe the U.S. knew that the Iranians knew, and are using the fact to discredit Chalabi.

The really weird twist to this story is that the U.S. has already been accused of doing that to Iran. In 1992, Iran arrested Hans Buehler, a Crypto AG employee, on suspicion that Crypto AG had installed back doors in the encryption machines it sold to Iran — at the request of the NSA. He proclaimed his innocence through repeated interrogations, and was finally released nine months later in 1993 when Crypto AG paid a million dollars for his freedom — then promptly fired him and billed him for the release money. At this point Buehler started asking inconvenient questions about the relationship between Crypto AG and the NSA.

So maybe Chalabi's information is from 1992, and the Iranians changed their encryption machines a decade ago.

Or maybe the NSA never broke the Iranian intelligence code, and this is all one huge bluff.

In this shadowy world of cat-and-mouse, it's hard to be sure of anything.

Cryptographers are often great people. Counter-intelligence people tend to be professional paranoids, and some are quite mad, because even they can't be sure…

It ended not with a bang, but a whimper. Thanks to a strategy of strategic amelioration of rules whenever they looked about to be struck down, combined with judicious promises not to prosecute people who were otherwise covered by the letter of the law, the US government has dodged the whole hail of bullets that was the Bernstein cryptography case. The proceedings produced a great opinion — Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999), but it was withdrawn, Bernstein v. U.S. Dept. of Justice, 192 F.3d 1308 (9th Cir. 1999) pending an en banc hearing that never happened. Then it was remanded.

Now comes news that, the Bernstein Cryptography Case Is Dismissed.

Chicago, 15 October 2003 – The longest-running court case against the government's encryption regulations has come to an end, for now.

The regulations were challenged by Daniel J. Bernstein, a professor of mathematics, statistics, and computer science at the University of Illinois at Chicago. Bernstein filed his lawsuit in February 1995 and won four court decisions against the constitutionality of the government's previous regulations.

In an October 2002 court hearing on the current encryption regulations, Department of Justice attorney Tony Coppolino told the court that the government would not enforce several portions of the regulations.

“I can assure you that the regulatory authority does not want [researchers who are collaborating at conferences] sending us an e-mail every time they change something in an algorithm,'' Coppolino told the court. Coppolino also said that commmercial book publishers and assembly-language publishers did not need to obtain licenses.

Continue reading →