|
This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost. | |||
29 January 1998
Date: Wed, 28 Jan 1998 22:14:38 -0600
To: cypherpunks@cyberpass.net
From: Bruce Schneier <schneier@counterpane.com>
Subject: RE: Announcement: RPK InvisiMail released on 12 Jan, 1998
A bunch of us cryptographers would really like to attack RPK, but the
documents on the website are slippery enough to make it difficult. There
is enough unspecified for them to sneak away from any analysis.
If someone were to reverse engineer the RPK cryptosystem from this product,
I would really appreciate it.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis,MN 55419 Fax: 612-823-1590
http://www.counterpane.com
From: Jack Oswald <joswald@rpkusa.com>
To: "'John Young'" <jya@pipeline.com>,
"cypherpunks@toad.com" <cypherpunks@toad.com>
Date: Wed, 28 Jan 1998 10:27:59 -0800
Subject: RE: Announcement: RPK InvisiMail released on 12 Jan, 1998
It seems that there is some confusion WRT to the origin of this product.
The encryption technology was developed in New Zealand. The application
itself was developed on the Isle of Man (British Isles). As a result, the
US gov't has had nothing to do with the product and therefore none of the
"concerns" represented in the previous message have any merit. What was
meant by use of "honey" is that if you pick a fight with a government
official, they will be happy to fight back. If you complement them on
their farsighted visionary non-meddling approach you get a very different
response. Our experience has been that we get a reasonable response from
the NZ government that does not restrict the security that our products
offer nor in the way that we choose to do business.
Jack
Date: Tue, 27 Jan 1998 19:02:07 -0500
To: cypherpunks@toad.com
From: John Young <jya@pipeline.com>
Subject: RE: Announcement: RPK InvisiMail released on 12 Jan, 1998
Cc: Jack Oswald <joswald@rpkusa.com>
On "using honey not vinegar" rationale of RPK InvisiMail for
obtaining crypto export licenses:
Applied Cryptography, Bruce Schneier, 2nd Edition, pp. 215-16
Algorithms for Export
Algorithms for export out of the United States must be approved
by the U.S. government (actually, by the NSA--see Section 25.1)
It is widely believed that these export-approved algorithms can
be broken by the NSA. Although no one has admitted this on the
record, these are some of the things the NSA is rumored to privately
suggest to companies wishing to export their cryptographic products:
- Leak a key bit once in a while, embedded in the ciphertext.
- "Dumb down" the effective key to something in the 30-bit range.
For example, while the algorithm might accept a 100-bit key, most
of those keys might be equivalent.
- Use a fixed IV, or encrypt a fixed header at the beginning of
each encrypted message. This facilitates a known-plaintext attack.
- Generate a few random bytes, encrypt them with the key, and then
put both the plaintext and the ciphertext of those random bytes at
the beginning of the encrypted message. This also facilitates a
known-plaintext attack.
NSA gets a copy of the source code, but the algorithm's details remain
secret from everyone else. Certainly no one advertises any of these
deliberate weaknesses, but beware if you buy a U.S. encryption product
that has been approved for export.
-----
Bruce added the last "beware" phrase to the 2nd edition.
From: Jack Oswald <joswald@rpkusa.com>
To: "'Bill Stewart'" <bill.stewart@pobox.com>,
"cypherpunks@cyberpass.net" <cypherpunks@cyberpass.net>
SEMS/RPK/PKYN: Jack Oswald
SEMS/RPK/PKYI: joswald@rpkusa.com
SEMS/RPK/PKYE: 2099/1/1
SEMS/RPK/PKYR: OEOLAPFB
SEMS/RPK/PKY1: IAAACAAAAAAACICALPPPPPAADAAAMAAAABAAAAAAPCAAFOOJBHGKNEBGHJFHDIHAMJEDBLKNFGCPJMKDHPMNNABNBDBOIKLCMJPEALNIHGDNLKKFEHOIEBHOJCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAAAAAAAAAAAAAAAAAAA
SEMS/RPK/PKY2: CAAAAAAAAAAAAAFFEFFFFFAAAAAABAAAAAAAAAAAFAAADJEOGNADKJENIGGMHMGGNIKNBFAMOBJEJOGOBJCNGMJOAHIJAALDPCOCOIFLJBKDMMCGCHGCEBDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAAAAAAAAAAAAAAAAAAA
Date: Mon, 26 Jan 1998 16:59:49 -0800
Organization: RPK Inc.
Subject: RE: Announcement: RPK InvisiMail released on 12 Jan, 1998
Bill - The technology that we export as part of RPK InvisiMail, is
world-class strong crypto. Key size options are 607 bits and 1279. The
math behind the system is based on the same as that of D-H. There is no
snake oil. There was no intentional or unintentional attempt to mislead
any government authority. We also did not request an export license,
because there is no need to do so in New Zealand as long as the export is
by means of the Internet. Peter G. knows this as well. The story may be
different for physical export on disk, disc or tape, although we cannot
concur with Peter's personal experience. Our experience is that we get
pretty good treatment from the NZ authorities. We also may use a different
approach. I have often heard that you can often get a better response when
using honey than vinegar. Therein may explain differences in our
respective experiences. I have personally met with the Minister of Trade
for New Zealand. His views and those of his staff seemed to be acceptable
to us and have not imposed any undue restrictions of our business or our
ability to operate.
Jack Oswald
President and CEO
RPK Fast Public Key Encryption
RPK New Zealand Ltd.
4750 Capitola Road
Capitola, CA 95010
joswald@rpkusa.com
www.rpk.co.nz
www.InvisiMail.com
+1 408.479.7874 phone
+1 408.479.1409 fax
+1 800.475.4509 pager
Date: Sun, 25 Jan 1998 18:44:13 -0700
To: RPK New Zealand Ltd <info@rpkusa.com>, cypherpunks@cyberpass.net
From: Bill Stewart <bill.stewart@pobox.com>
Subject: Re: Announcement: RPK InvisiMail released on 12 Jan, 1998
I was amused to receive two mail messages back-to-back,
one from Peter Gutmann talking about New Zealand having one of the
strictest formal export controls in the world, and one from
RPK New Zealand talking about how their encryption product is
not export-controlled because it's from NZ, not the US,
and how their RPK Fast Public Key Encryptonite(tm) Engine
is the strongest crypto in the world. Either they haven't
bothered asking for export permission, or they asked in such a way
that the export bureaucrats didn't notice it was crypto and
regulated by their crypto export preventers, or their crypto
somehow falls through the cracks, e.g. by using an algorithm with
public keys shorter than 512 bits (works for ECC, not RSA)
and private keys shorter than 40 bits (or 41 on a good day),
or perhaps passes the "snake oil test" for export permission.
I suppose it's possible that the NZ Export Bureaucrats have
lightened up since Peter's last dealings with them,
but it's not likely.
>--------------- The mail, referencing www.invisimail.com
>RPK New Zealand Ltd. in a joint venture with Virtually Online Ltd.
>has released RPK InvisiMail, a standards-based e-mail security
>application for use with Internet mail software (SMTP/POP3).
>The product offers the strongest encryption available anywhere in
>the world. Since it was built outside the United States,
>it is also available all over the world with strong encryption.
>RPK InvisiMail is also the easiest product of its type
>to setup and use which makes it quite unique.
========= From Peter Gutmann's web page
This policy has resulted in New
Zealand enjoying the dubious distinction of having the strictest export
controls on earth, with everything ranging from crypto hardware down to
software, library books, computer magazines, and journals being restricted
from export. It's not even possible for a university to publish academic
research without prior permission from a government agency, and the
requirements for obtaining this permission are structured to ensure that they
can never be fulfilled. You can find the information on:
http://www.cs.auckland.ac.nz/~pgut001/policy/
==============================
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Date: Sat, 24 Jan 1998 07:28:09 -0500
To: cypherpunks@cyberpass.net
From: Robert Hettinga <rah@shipwright.com>
Subject: Announcement: RPK InvisiMail released on 12 Jan, 1998
--- begin forwarded text
From: RPK New Zealand Ltd <info@rpkusa.com>
Date: Fri, 23 Jan 1998 15:24:28
Subject: Announcement: RPK InvisiMail released on 12 Jan, 1998
You have received this message because at some time during the past two
years you have requested to be put on the RPK New Zealand Ltd. company
mailing list. (We're the Fast Public Key Encryption company). If you wish
to be removed from the list, please forward this message to
remove@rpkusa.com
--------------------------------
RPK New Zealand Ltd. in a joint venture with Virtually Online Ltd. has
released RPK InvisiMail, a standards-based e-mail security application for
use with Internet mail software (SMTP/POP3). The product offers the
strongest encryption available anywhere in the world. Since it was built
outside the United States, it is also available all over the world with
strong encryption. RPK InvisiMail is also the easiest product of its type
to setup and use which makes it quite unique.
You can learn more about this product by reading the press release below or
by visiting the web site at www.InvisiMail.com. We are also offering FREE
downloads of the RPK InvisiMail Intro product. Please give it a try and
pass it along to anyone you like.
--------------------------------
For Immediate Release
Contact: Sal Cataldi, Cataldi PR +1 212.941.9464, scataldi@earthlink.net,
www.InvisiMail.com
RPK InvisiMail(tm), secure Internet e-mail with globally available strong
encryption for Microsoft, Netscape platforms
SAN FRANCISCO, Jan. 12, 1998 - InvisiMail Ltd (www.InvisiMail.com)
announced today immediate worldwide availability of RPK(tm) InvisiMail(tm),
a standards-based e-mail security add-in for Microsoft, Netscape and other
POP3/SMTP Internet e-mail clients and gateway servers. Tested and
certified by the International Computer Security Association
(www.ncsa.com), RPK InvisiMail automatically and transparently encrypts
e-mail messages and attachments, authenticates the sender and verifies the
contents of each message have not been changed in transit.
RPK InvisiMail is globally available with high strength encryption.
InvisiMail and the underlying RPK encryption algorithm were developed
outside the United States. Therefore, InvisiMail is not subject to
restrictive U.S. export policies. RPK InvisiMail is as easy to set up and
use as anti-virus software, and just as important.
While Microsoft and Netscape battle each other with incompatible and
difficult to use security offerings, InvisiMail seamlessly integrates with
ALL popular POP3/SMTP e-mail products including Netscape, Microsoft,
Eudora, Pegasus, Calypso -- more than any other solution available today --
making it the preferred e-mail security product for multi-platform use,
worldwide.
All InvisiMail users can send the FREE InvisiMail Intro version to anyone
worldwide, providing compatibility without requiring others to purchase
anything, making InvisiMail unique among
e-mail security offerings.
"Most people don't realize that their e-mail can be forged, altered or read
by anyone, any time, without any evidence," said Jack Oswald, President and
CEO of RPK Ltd. "Without products like RPK InvisiMail, communications on
the Internet are untrustworthy."
InvisiMail uses the RPK Fast Public Key Encryptonite(tm) Engine, the
strongest cryptography available worldwide today. RPK is dramatically
faster than the well-known RSA algorithm, yet just as secure. RPK has been
analyzed by world class cryptographers who have issued reports on the
security and integrity of the technology.
"InvisiMail is the easiest, fastest, most transparent e-mail security
product I have seen," said Kevin Shannon, President of net*Gain, a
specialist in launching Internet companies. "This is the product we've all
been waiting for."
As part of its official launch, InvisiMail Professional is available FREE
to all New Zealand residents for ninety days.
RPK InvisiMail is available in two desktop versions: Intro (FREE) and
Professional (introductory price $29.95). RPK InvisiMail Enterprise
Gateway Server will be available Q2 1998. InvisiMail can be downloaded
from: www.InvisiMail.com.
All trademarks and registered trademarks are those of their respective
companies.
***
--- end forwarded text
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>