TBTF for 1996-07-21: Internesia

Keith Dawson (dawson dot tbtf at gmail dot com)
Mon, 22 Jul 1996 00:57:37 -0400

The Seven Cryptographers answer a shadowy opponent

The Three Tenors are much in the news this week as they begin another concert tour. They've got nothing on the Seven Cryptographers. Last January the seven issued a report [1] analyzing the cryptographic strength, expressed as key length in bits, necessary to protect data in the face of a brute-force computational attack. The report came out of a meeting in November 1995 of the seven -- Matt Blaze, Whitfield Diffie, Ron Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener -- sponsored by the Business Software Alliance. Their paper characterizes a range of potential opponents, from the garden-variety hacker up to the national intelligence agency assumed willing to spend tens or hundreds of millions of dollars on key recovery. The conclusions are that (1) the 40-bit encryption approved for export from the U.S. offers virtually no protection today; (2) the most serious threats now suggest a minimum key length of 75 bits; and (3) those designing systems to protect data for the next 20 years should use keys at least 90 bits long. Actual designs would use keys two or three times as long as these conservative guidelines.

Recently a four-page document intended to cast doubt on these conclusions has been circulated to members of Congress. The document is not signed and carries no indication of its origin. Matt Blaze and Whitfield Diffie were told the document originated in the National Security Agency. On June 18 Blaze and Diffie posted a note [2] to the Cypherpunks mailing list to shine light on the anonymous rebuttal document and to rebut it in turn. If the document was indeed authored within the NSA it doesn't display the agency's vaunted cryptographic expertise; its arguments are easily demolished. And why did it take six months to write?

I was alerted to this exchange by Jon Callas <jon at worldbenders dot com> and Dan Kohn <dan at teledesic dot com>.

[1] <http://www.bsa.org/policy/encryption/cryptographers.html>
[2] <ftp://ftp.research.att.com/dist/mab/keylength.nsa>


U.S. citizens can now download 128-bit Netscape Navigator

Netscape has long made available two versions of its software: one capable of encryption using 128-bit keys, for U.S./Canadian use only, and an exportable version that uses 40-bit keys. The company didn't go out of its way to publicize the fact that only the 40-bit version of its Navigator browser was available for download from Netscape's servers -- to U.S. nationals as well as to others. (If you bought the software and had it shipped to a U.S. address you got the 128-bit version.)

Netscape now offers the 128-bit Navigator for U.S. nationals to download. At the insistence of the State Department they ask you for name, address, and telephone number, in addition to the usual affirmation of citizenship, and the download page [3] informs you that verification is aided by American Business Information Inc. [4]. Presumably the Netscape CGI script submits your information to ABII's Lookup USA and verifies it before beginning the download. Perhaps Netscape has a dedicated connection to ABII: my download started immediately, but I've waited for many minutes without response from Lookup USA's Find People page [5]. Netscape's download page [3] only works from a browser that supports cookies -- Netscape 2.0 or later or beta 3 of Microsoft Internet Explorer.

On July 16 Rich Graves <llurch at Networking dot Stanford dot EDU> posted a note about the availability of the 128-bit version to the newsgroup comp.os.ms-windows.networking.win95. Quoting the 128-bit download FAQ [6] he writes:

> In case you're wondering, "Misrepresentation or omission of facts is
> covered under ITAR 127.2(a) and (b)(13). These data will only be
> released to satisfy lawful requests by government agencies, should such
> requests be made."

The FAQ [6] mentions that Americans can legally go abroad carrying the secure Navigator on their laptops, if certain precautions are observed -- see TBTF for 1996-02-27 [7].

[3] <http://wwwus.netscape.com/eng/US-Current/index.html>
[4] <http://www.abii.com/>
[5] <http://www.lookupusa.com/lookupusa/adp/peopsrch.htm>
[6] <http://wwwus.netscape.com/eng/US-Current/faq.html>
[7] <http://www.tbtf.com/archive/1996-02-27.html>


Looking back (I)

Secret #67 from the arcane lore of the Prognosticators' Guild: stay in the prognostication business long enough and some of your predictions are bound to come true. Compare the following recent note carried on Edupage with the subsequent item, from TBTF for 1995-11-03 [8].

From Edupage (1996-07-11):


> The Electronic Frontier Foundation and some companies doing business
> over the Internet have developed a privacy rating system to be offered
> by a nonprofit group called eTrust, which will license logos to Web
> sites indicating how much privacy a person surrenders by visiting the
> site. (USA Today 11 Jul 96 1B)

From TBTF for 1995-11-03 [8]:

> Nick Szabo <szabo at netcom dot com> argues... that there's hay to be made by
> companies that take the high road on privacy issues pointing out their
> competitors' privacy shortcomings. His article "Privacy Marketing" [9]
> appears on the TBTF archive by permission.

[8] <http://www.tbtf.com/archive/1995-11-03.html>
[9] <http://www.tbtf.com/resource/priv-marketing.html>


Looking back (II)

Now we revisit an item from the first issue of TBTF on the archive -- 1995-04-04 [10]:


>> In a discussion of the phenomenon of "flaming," the director of the
>> 21st Century Project at the University of Texas (Austin) suggests that
>> "the Internet may be on a path similar to that followed by television
>> and other communications media: the introduction of the masses so
>> alienates well-educated, cosmopolitan people that they abandon the
>> medium or resort to a specialized class of cultural material that
>> advertises its disdain for mass tastes." (The New Republic 1995-04-10 p.
>> 15)

> Next the Newt will be taking out after PBI (Public Broadcast Internet).
> [kad]

This prediction, picked up by Edupage, appeared in the magazine then edited by Michael Kinsley. He now toils over Slate [11] at Microsoft -- arguably crafting another instance of that class of cultural material that advertises its disdain for mass tastes.

[10] <http://www.tbtf.com/archive/0000.html>
[11] <http://www.slate.com/>


Jargon Scout

Jargon Scout is an irregular TBTF feature that aims to give you advance warning -- preferably before Wired Magazine picks it up -- of jargon that is just about ready to hatch into the Net's language. The feature first appeared in TBTF for 1996-02-27 [7]. Dave Birch <daveb at hyperion dot co dot uk> dropped a useful term, immediately recognizable by even tyro Net surfers, on the e$ mailing list:

> Internesia -- the growing tendency to forget exactly where in Cyberspace
> you saw a particular bit of information.


> The new PowerWave 604/132 is operational. Gosh-a-frizzies it's fast. It's
> crashed a dozen times today, mostly out of Eudora, corrupting Preferences
> files with abandon. It will take a while to find a combination of Internet
> software that renders it reasonably stable. Of course it would help if I
> didn't insist on running bleeding-edge beta software. Thanks for your
> patience during the recent downtime.


>>Edupage -- mail listproc@educom.edu without subject
> and with message: subscribe edupage <your name> .

TBTF alerts you weekly to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the message
"subscribe" to tbtf-request@world.std.com. Commercial use prohibited. For
non-commercial purposes please forward and post as you see fit.
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.


Copyright © 1994-2023 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.