The people who sent airplanes crashing into the World Trade Center and the Pentagon hate America and what they hate most is our freedom. This page is dedicated to protecting that freedom. As predicted, this horrible terrorist attack has reopened the encryption debate and once again it is necessary to explain why public access to strong encryption is in our national interest.
Many have pointed out the obvious realities that encryption technology is widely available and that terrorists will not respect laws telling them not to use it. And even if all cryptography information was removed from the Internet and from bookstores and from public libraries, the terrorist organizations who sent men to Florida to study flying have certainly enrolled members in universities to study cryptography, along with other skills useful to them such as chemistry, nuclear engineering, molecular biology, etc. There is no way to keep encryption technology a secret anymore.
I would go one step further: the U.S. Government's past misguided effort to suppress crypto is a root cause of the massive vulnerability of the United States information infrastructure. Manufacturers of commercial operating systems and application software have sharply limited the security features they include out of fear that their products will be subject to export controls. If security isn't built into foundation products, it can't be bolted on later.
Some say the reason security is lacking is that no one wants to pay for it, but the software we use is bloated with features most people don't need or want. Absent export controls, I believe free markets would have produced good security solutions because software companies need any competitive edge they can find.
In addition, many of the anti-crypto measures the government has suggested in the past, such as key escrow and "back doors," only create new vulnerabilities. In time, the security at escrow storage sites will degenerate to the joke level we saw at our airports, creating whole new opportunities for terrorists.
The Pandora's box of strong crypto was opened long ago. The bad guys already have it. The question is when will the good guys start using it for real?
The media industry wants the U.S. Congress to require every computer sold to include special circuits that limit what files you can copy. Such laws may also lead to restrictions on private use of cryptography. The Senate Judiciary Committee is soliciting public comments on this legislation. Details can be found at http://judiciary.senate.gov/special/feature.cfm.
A draft paper by Scott Fluhrer, Itsik Mantin and Adi Shamir was released on July 25, 2001 and announces new attacks on the RC4 cipher that is the basis for CipherSaber-1. Some of these attacks specifically involve the use of an IV with a secret key, the very scheme used in CipherSaber. Prof. Shamir states in an e-mail accompanying the release:
"Attached you will find a new paper which describes a truly practical direct attack on WEP's cryptography. It is an extremely powerful attack which can be applied even when WEP's RC4 stream cipher uses a 2048 bit secret key (its maximal size) and 128 bit IV modifiers (as proposed in WEP2). The attacker can be a completely passive eavesdropper (i.e., he does not have to inject packets, monitor responses, or use accomplices) and thus his existence is essentially undetectable. It is a pure known-ciphertext attack (i.e., the attacker need not know or choose their corresponding plaintexts). After scanning several hundred thousand packets, the attacker can completely recover the secret key and thus decrypt all the ciphertexts. The running time of the attack grows linearly instead of exponentially with the key size, and thus it is negligible even for 2048 bit keys."
The paper itself, titled "Weaknesses in the Key Scheduling Algorithm of RC4," has been posted at http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf (in PDF format) and at http://www.crypto.com/papers/others/rc4_ksaproc.ps (in Postscript).
WEP is an encryption system used with 802.11 wireless Ethernet that employs RC4, but the attack affects CipherSaber as well. For the most part, about a million separate CipherSaber messages encrypted with the same key would have to be collected for this attack to succeed. However, some weak keys exist (roughly 0.2% of possible ASCII keys) that only require about 20,000 messages to break. Accordingly, I recommend that CipherSaber users switch to CipherSaber-2 with a parameter N=20 or larger. This large a value for N is overkill, but it is better to err on the safe side. If this is impractical for any reason, I recommend changing keys on a regular basis to limit the amount of traffic encrypted with any one CipherSaber key (even though the IVs differ). To be safe, not more than 1000 messages should be sent using any given CipherSaber-1 key.
If and when a consensus develops on the best way to fix RC4, I will announce a corresponding version of CipherSaber. Visit the CipherSaber page periodically for updated information.
In George Lucas' Star Wars trilogy, Jedi Knights were expected to make their own light sabers. The message was clear: a warrior confronted by a powerful empire bent on totalitarian control must be self-reliant. As we face a real threat of a ban on the distribution of strong cryptography, in the United States and possibly world-wide, we should emulate the Jedi masters by learning how to build strong cryptography programs all by ourselves. If this can be done, strong cryptography will become impossible to suppress.
While cryptographers like to wallow in the complexity of their art, the basic elements of a strong cryptographic system are quite simple and well known in the programming community. By choosing a simple but strong cipher that is already widely published and agreeing on how to use it, anyone with elementary programming skills can write their own encryption program without relying on any products that can be banned.
CipherSaber-1 uses Ron Rivest's RC4 algorithm as published in the second edition of Bruce Schneier's Applied Cryptography. RC4 is widely respected and used in a number of products, including SSL, the tool Web browsers use to secure credit card forms. With a long enough key RC4 is considered strong by most experts. RC4 is also extraordinarily easy to explain and to reproduce. As Schneier says, "The algorithm is so simple that most programmers can quickly code it from memory." Implementations of RC4 are widely available on the Internet but it is actually easier to write your own version.
The legal status of the RC4 algorithm is the subject of some controversy. RSA Security still considers RC4 proprietary. It is not patented and, to the extent that Schneier is correct (and no one doubts him), it is not confidential. However, anyone wishing to build a commercial product using CipherSaber might find it cost-effective, as well as polite, to obtain a license from RSA. The name RC4 is a trademark. ARCFOUR has been proposed as a generic name for this algorithm. Apologies to Prof. Rivest for suggesting individuals use his invention without his consent. If there were another strong algorithm so singularly suitable, CipherSaber would have used it.
CipherSaber is a symmetric-key file encryption system. That means it uses the same secret key to encode and decode a computer file. To send a secret message, just attach the CipherSaber encoded binary file to an e-mail. Both sender and recipient must have the same secret key.
Because CipherSaber uses a stream cipher, an initialization vector must be attached to the user's key to prevent the same RC4 key from being used twice. CipherSaber uses a ten byte long random string for this purpose. When your CipherSaber-1 program encrypts a file, it must put the ten byte initialization vector in front of the coded data. For decryption, your CipherSaber-1 program reads the initialization vector from the file and appends it to the user key before the RC4 key setup step.
A CipherSaber-1 program can be implemented in 16 lines of QBasic (38 individual Basic statements). The source code is short enough to print on tee-shirts and coffee mugs. But there is no need to distribute source code at all. The CipherSaber concept can be passed on by word of mouth, if necessary.
The U.S. Congress has considered legislation that would ban the domestic distribution of cryptographic products that do not provide for immediate government access to the plaintext of messages. This government access must be possible without the consent or even the knowledge of the message's sender or recipient. The stated intent is to protect us from criminals and terrorists. Also, an international agreement on limiting the spread of armaments, called the Wassenaar Arrangement, limits export of mass-market software containing strong cryptography.
Future attacks on encryption freedom will probably come in the international arena. For example, there is a serious effort in the Council of Europe to draft a "Cybercrime" treaty that could include restrictions on encryption. There is also a potential attack from the intellectual property community, based on the "anti-circumvention" provisions in the latest copyright treaty.
The simplicity of CipherSaber should prove once and for all that the criminals and terrorists of this world will not be deprived of strong cryptography simply because the distribution of unapproved products is banned. They can get the necessary technology to make their own from existing textbooks or the Internet whenever they feel they need it.
Another goal of CipherSaber is to demonstrate that strong cryptography cannot be banned without severe restrictions on freedom of speech. Banning the sale of a complex computer program or even the multi-volume printed edition of PGP source code may seem acceptable to many people. Banning the simple instructions needed for CipherSaber will require the starkest abridgment of the First Amendment.
Finally, CipherSaber is a useful pedagogical tool, helping to educate students by presenting them with a real-world programming problem that has both technical and ethical dimensions. We urge teachers of computer science and authors of books on programming to consider including CipherSaber as an exercise in their courses and texts.
CipherSaber parallels the time honored doctrine of jury nullification, where jurors simply refuse to convict persons of violating laws that the jurors determine are unreasonable or unjust. Similarly technologists may take lawful steps as individuals to prevent their work from being used to build a totalitarian infrastructure. It is not that the present U.S. Government is evil -- it may well be the most benign government in history. But once the technology for totalitarian control is in place, this or any government will inexorably use it more and more, as recent events in Washington have demonstrated. And that technology is coming together with alarming rapidity. George Orwell's novel 1984 is not science fiction, it is just one more high tech product plan that missed its original delivery date.
The US Government is relaxing restrictions on encryption export. New rules reportedly remove most restrictions on publishing source code. Perhaps CipherSaber helped officials see the futility of their previous policy. Any liberalization is a welcome development, but the next administration could reverse course and tighten the rules. Powerful people still want a crypto ban. President Clinton recently signed a law requiring annual reports on "law enforcement encounters with encrypted communications in the execution of wiretap orders." Expect reports that imply encryption is a big problem for law enforcement. (See the FAQ for statistics on how few criminals are actually convicted by wiretaps.)
To keep the gains we have made for crypto freedom, spread the word about CipherSaber!
CipherSaber-1 is an encryption method based on simple use of existing technology:
1. The CipherSaber-1 encryption algorithm is RC4 as published in the beginning of Chapter 17 of Applied Cryptography, Second Edition, by Bruce Schneier, John Wiley & Sons, New York, 1996. RC4 is on page 397 in the English edition, ISBN 0-471-11709-9. Also see the CipherSaber FAQ.
2. Each encrypted file consists of a ten byte initialization vector followed by the cipher text. A new, random ten byte initialization vector should be created each time encryption is performed.
3. The cipher key, which is the array K(i) in Schneier's notation, consists of the user key, in the form of an Ascii text string, followed by the ten byte initialization vector.
The above is all a programmer needs to know in order to write a program that can encipher and decipher CipherSaber-1 files.
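The three rules above are enough to write a complete implementation. The following Python program is an added example, not code from this page or from the CipherSaber author; it implements CipherSaber-1 exactly as specified (RC4 keyed with user key + ten-byte IV, IV prefixed to the ciphertext) and uses the cstest1.cs1 hex dump given further down this page as a check. The optional rounds parameter follows the CipherSaber-2 definition (key-setup loop repeated N times), which this page refers to but does not spell out.

```python
import os

IV_LEN = 10  # CipherSaber: ten-byte initialization vector, stored in the clear


def rc4_ksa(key: bytes, rounds: int = 1) -> list:
    """RC4 key scheduling (Schneier, Applied Cryptography, ch. 17).

    rounds=1 is CipherSaber-1. rounds=N>1 repeats the key-setup loop N
    times with j carried over, which is the CipherSaber-2 construction
    (not defined on this page; taken from the CS2 specification)."""
    if not key or len(key) > 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for _ in range(rounds):
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) % 256
            S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(S: list, data: bytes) -> bytes:
    """RC4 keystream generation XORed over data (encrypt == decrypt)."""
    S = S[:]  # work on a copy so the caller's state is untouched
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def cs_encrypt(user_key: str, plaintext: bytes, rounds: int = 1, iv: bytes = None) -> bytes:
    """Return IV || RC4(user_key + IV)(plaintext). A fresh random IV per message."""
    key = user_key.encode("ascii")  # the page specifies an ASCII text key
    if len(key) >= 246:  # page: key length must be less than 246 bytes
        raise ValueError("user key must be shorter than 246 bytes")
    if iv is None:
        iv = os.urandom(IV_LEN)  # stronger than needed; rand() with a clock seed suffices per the page
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly 10 bytes")
    return iv + rc4_crypt(rc4_ksa(key + iv, rounds), plaintext)


def cs_decrypt(user_key: str, blob: bytes, rounds: int = 1) -> bytes:
    """Split off the ten-byte IV, rebuild the RC4 key as user_key + IV, decrypt the rest."""
    if len(blob) < IV_LEN:
        raise ValueError("file shorter than the ten-byte IV")
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    return rc4_crypt(rc4_ksa(user_key.encode("ascii") + iv, rounds), ciphertext)


# cstest1.cs1 as listed on this page (user key "asdfg"): 10-byte IV + 30 ciphertext bytes.
# Read real test files in binary mode so text-mode translation does not corrupt them.
CSTEST1 = bytes.fromhex(
    "6f 6d 0b ab f3 aa 67 19 03 15 30 ed b6 77 ca 74 e0 08 9d d0 "
    "e7 b8 85 43 56 bb 14 48 e3 7c db ef e7 f3 a8 4f 4f 5f b3 fd")


def decrypt_test_vector() -> bytes:
    """Decrypt the page's cstest1.cs1 sample with its published key."""
    return cs_decrypt("asdfg", CSTEST1)


if __name__ == "__main__":
    print(decrypt_test_vector())
```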
The user key is a text string, rather than a hex value, because humans are more likely to be able to memorize a text string with sufficient entropy. To leave room for the initialization vector, the length of the user key must be less than 246 bytes. To ensure adequate mixing of the initialization vector and user key, we recommend you select a user key of 53 bytes or less. (This limitation does not apply to CipherSaber-2 with N bigger than 3.) For medium security (64 bit entropy), we recommend a user key with a minimum of 15 random letters, or 5 short words selected at random from a dictionary (see the Diceware page for an easy way to do this). For high security (90 bit entropy), use 20 random letters or seven Diceware words.
Any value that is unique for each message can be used for the initialization vector, but use of random values makes encrypted files indistinguishable from random noise and helps prevent "related key" attacks, so random initialization vector values are strongly recommended. Note that the initialization vector is not kept secret. The random number generation used to make the initialization vector does not have to be particularly strong. The "rand" functions in most programming environments will suffice for a moderate number of messages, provided the function is seeded in some way so that the seed is not the same each time, for example, by using the system clock. See the Cryptanalysis of CipherSaber page for more details.
For file encryption, a user need only memorize one key or passphrase. For messaging, users need to exchange pairs of keys through some secure means, most likely in person. Maintaining a list of correspondents' keys or passphrases in a master file, preferably itself encrypted with a memorized master key, is less convenient than public key encryption. But it may be all that is left in a few years if PGP key servers are banned.
It may even be possible to teach a manual version of the Diffie-Hellman key exchange, perhaps using large number calculators (easily built in Java 1.1). The Diffie-Hellman procedure need be carried out just once per pair of correspondents, since CipherSaber eliminates the need to exchange keys for every message.
CipherSaber programs can be easily written in almost any programming language. The Basic language, which used to come with all DOS based computers, is suitable. It can still be found on the Microsoft Windows '95 CD-ROM in the OTHER\OLDMSDOS directory, and on the Microsoft Windows '98 CD-ROM in the TOOLS\OLDMSDOS directory. Just copy QBASIC.EXE and QBASIC.HLP to your hard drive's DOS directory and you can start programming. Begin by writing a program that can copy binary files byte by byte and then test it thoroughly before you add the encryption algorithm.
Macintosh users can download the free Chipmunk Basic interpreter from the Internet. But beware: Chipmunk Basic strings are implemented as C strings and do not let you store a value of zero. Therefore you must use arrays to store ciphertext.
You can also "ascii armor" CipherSaber-encrypted files to allow them to be sent as text. See the FAQ for the recommended way. Users can, of course, add features of their own to CipherSaber programs. For example a secure diary system that stored files in CipherSaber would not be hard to write in Java or Visual Basic. However it is important to keep CipherSaber itself simple so everyone can write a program that will read and write CipherSaber files.
Feel free to e-mail your comments, suggestions and experiences with CipherSaber. Please do not send your CipherSaber programs. No encryption software -- source code or object code -- will be posted on this site!
To popularize CipherSaber, a "gif" file encrypted using CipherSaber is available on this Web site. This file, when decoded, can be printed as a CipherKnight wall certificate. The certificate may be displayed by persons who meet certain criteria, including writing the program that decrypted the certificate. Here are the honor-system-enforced rules:
1. Write your own CipherSaber program.
2. Write a letter to your political representative expressing your opinion (whatever it may be) on the need for encryption freedom.
3. Download and install PGP, generate a key pair and post your key to a public key server.
4. Use CipherSaber to send a secret message to another person.
5. Decrypt cknight.cs1 and print the CipherSaber wall certificate using the CipherSaber program you wrote yourself. The key is: "ThomasJefferson"
Any of the eligibility requirements above is waived if it is illegal in the applicant's local jurisdiction or if the applicant reasonably believes carrying it out would place him or her in danger.
The following files are provided to help you check your work. Caution: Watch out for alterations in test file content due to text mode translation. Use ftp in binary mode, if possible, to download the files.
Note: Adam Back has created some test vectors for CipherSaber-2 that are easy to remember. See his web page at http://www.cypherspace.org/adam/csvec/.
This is a short text file encrypted with "asdfg" as the user key. Here are the contents of cstest1.cs1 in hex, in case you cannot download the file for some reason:
6f 6d 0b ab f3 aa 67 19 03 15 30 ed b6 77 ca 74 e0 08 9d d0 e7 b8 85 43 56 bb 14 48 e3 7c db ef e7 f3 a8 4f 4f 5f b3 fd
This text file was CipherSaber-1 encrypted with the key "SecretMessageforCongress". Remember that CipherSaber keys are case sensitive.
This file is encrypted with the key "ThomasJefferson". It contains your CipherKnight wall certificate as a .gif file.
All the CipherSaber test files as a zip archive. Download this file to avoid text translation problems.
"It is the common fate of the indolent to see their rights become prey to the active. The condition upon which God hath given liberty to man is eternal vigilance."
John Philpot Curran, 1790
Even if the proposed ban on strong cryptography does not become law, it is important that the CipherSaber concept be distributed as widely as possible. Please help in any legal way you can.
Here are some people who have acted on this request:
Co-author E-mail for Dummies, Internet for Dummies Quick Reference
CipherSaber programs may be subject to export controls in the United States, and many other countries and may be illegal altogether in some countries. Persons traveling to other countries should familiarize themselves with local regulations. Consult a lawyer if you need legal advice.
Star Wars is a registered trademark of Lucasfilm Ltd. RC4 is a registered trademark of RSA Security Inc., http://www.rsa.com/.
While CipherSaber-1 merely uses a published cipher, to the extent that anyone might consider that there are patentable improvements to the art embodied in CipherSaber-1 or CipherSaber-2, they are hereby placed in the public domain.
The test samples and the encrypted version of the CipherKnight certificate may be freely copied and distributed intact by any means.
Deciphered versions of the CipherKnight certificate are Copyright © 1997 by Arnold G. Reinhold but may be copied and printed for individual, non-commercial use by any individual meeting the eligibility criteria described above.
CipherSaber, CS1, CS2, and CipherKnight are trademarks of Arnold G. Reinhold. A free, nonexclusive license is hereby granted to use the marks CipherSaber, CS1 and CS2 on any product that is interoperable with CipherSaber as demonstrated by the ability to decrypt the test samples supplied and to produce files readable by other implementations of CipherSaber. The marks may also be used in supporting material that promotes CipherSaber.
Books that are hyperlinked are available on-line in association with Amazon.com.
Copyright © 1997-2002 by Arnold Reinhold. This page may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version of which is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document (other than complete and reasonably accurate translations into non-English languages) is prohibited without the explicit permission of the copyright holder. Reasonable requests will be given careful and prompt consideration. The OPL requirement that the author's name appear on the outer surface of any book containing this material is hereby waived. Acknowledgement in the Table of Contents is sufficient.