3 September 1997
Source: J. Orlin Grabbe
From: KALLISTE@delphi.com Date: Wed, 03 Sep 1997 03:53:49 -0400 (EDT) Subject: Michael Riconosciuto on Encryption Michael Riconosciuto on Encryption by J. Orlin Grabbe Michael Riconosciuto is one of the original architects of the PROMIS backdoor. PROMIS was a people-tracking software system sold to intelligence organizations and government drug agencies worldwide. The global dispersion of PROMIS was part of a U.S. plot to spy on other spy agencies. Riconosciuto, who was Director of Research for a Wackenhut-Cabazon Indian joint venture, oversaw a group of several dozen people who worked out of business offices in nearby Indio, California. According to the testimony of Robert Booth Nichols, a CIA agent associated with Meridian International Logistics and connected to Music Corporation of America (MCA), Riconosciuto was in frequent contact with Bobby Inman, Director of the National Security Agency (NSA) and then Deputy Director of the Central Intelligence Agency (CIA), during this time. Since intelligence computers are, for security reasons, usually not connected to external networks, the original backdoor was a broadcast signal. The PROMIS software was often sold in connection with computer hardware (such as a Prime computer) using a specialized chip. The chip would broadcast the contents of the existing database to monitoring vans or collection satellites using digital spread spectrum techniques whenever the software was run. Spread spectrum techniques offer a way to mask, or disguise, a signal by making it appear as "noise" with respect to another signal. For example, one may communicate covertly on the same spectrum as a local TV broadcast signal. From the point of view of a TV receiver, the covert communication appears as noise, and is filtered out. From the point of view of the covert channel, the TV signal appears as noise. In the case of the PROMIS broadcast channel, the signal was disguised as ordinary computer noise--the type of stuff that must be reduced for TEMPEST certification in the U.S. In spread spectrum frequency communication, the transmitted spectrum is much wider than what is really necessary. In digital communication, the transmission widths of digital signals are expanded so that many "bit periods" are needed to represent one bit at baseband. This results in an improvement in the signal-to-noise- ratio. Spread spectrum techniques are used extensively in covert military communications and secure satellite systems. The covert communication channel operates off a pseudo-random binary sequence, such as a stream cipher. Stream ciphers differ from block ciphers such as DES (the Data Encryption Standard) widely used in banking. A block cipher applies a static transformation to a fixed block of data. The DES algorithm, for example, encrypts a 64-bit block of data using 64-bit keys. (The effective key size is actually 56 bits, since every eighth bit is considered a parity bit and is disgarded.) In DES electronic code book (ECB) mode, each 64-bit block of data is encrypted separately from every other block. In cipher block chaining (CBC) and cipher feedback (CFB) mode, the encryption of the current data block is dependent on previous data blocks. But under any one of these three DES modes, the transformation of a given data sequence with a given DES key will nevertheless result in the same ciphertext, regardless of the time the encryption takes place. A stream cipher, by contrast, applies a time- varying transformation to individual digits or bits of data. "Time-varying" means the same sequence of plaintext data bits seen at two different points in time will be encrypted to a different sequence of ciphertext data bits. To illustrate this for a simple case, suppose we are doing encryption using simple XOR rules of addition, adding keybits k to plaintext bits x on a bit by bit basis to obtain cipher bits y: y = x + k. XOR addition follows the rules 0+0 = 0 0+1 = 1 1+0 = 1 1+1 = 0. Suppose the plaintext data is "1011". The current key might be "1010". Then the ciphertext data is 1011+1010 = 0001. The ciphertext "0001" gives no information about the original plaintext. The plaintext could have been any one of 2^4 = 16 possible sequences of 0s and 1s. To restore the original plaintext, we XOR the ciphertext "0001" again with the key "1010" to obtain 0001+1010 = 1011. In a stream cipher, the keystream will typically be different at different points of time. This the encryption of a repeated plaintext "1011" might take the form time 1: 1011 + 1010 = 0001 time 2: 1011 + 1111 = 0100 time 3: 1011 + 0011 = 1000 and so on for other times. In this example, the "time- varying transformation" takes the simple form of a time- varying keybit stream. The most famous stream cipher is the Verdam cipher, or "one-time pad", which follows the encryption scheme just described. If the current time is i, the current plaintext bit is x(i), and the current key bit is k(i), then the ciphertext bit is y(i) = x(i) + k(i). The number of key bits, N, must exceed the number of plaintext bits M: N>M. The bits in the keystream sequence k(1), k(2), . . . , k(N) must be independently and uniformly distributed, and are used only once and then disgarded (hence "one- time pad"). Of course, this scheme--while not breakable by cryptanalysis--has other security problems. It requires both parties to have a copy of the current key, and the key to be kept secret from all hostile parties. This in turn requires that the keys be generated, stored, and communicated in a totally secure manner--a massive problem in itself. So one-time pads are typically only used in "hot lines", such as the old Red Telephone between Moscow and Washington, D.C. that was installed with the hope that a little jawboning could help avert nuclear war. ("Can we talk?") Practical cryptography for digital and analog communication thus uses "keystream generators" which typically determine the keystream as some function f of an underlying key K, and the current state of the system s(i): k(i) = f(K, s(i)). This key stream k(i) can be added to the original bit stream to produce a new (encrypted) stream (as is done in "direct sequence" spread spectrum systems). Or the key stream can be used to make the carrier frequency hop around within the spread sprectrum bandwidth (as is done in "frequency hopping" systems). Many variations and combinations are possible. Like many people associated with PROMIS (including Earl Brian, the man who sold it around the world), Michael Riconosciuto is in jail. Riconosciuto was convicted on charges relating to the construction of a methamphetamine lab. Michael Riconosciuto appears in a recent manuscript "The Last Circle" by "Carol Marshall" (whose real name is Seymour). Much of the book is based on interviews with, and files purloined from, Riconosciuto. Part of the subject matter of "The Last Circle" involves the West Coast activities of "The Company", a paramilitary drug dealing operation using ex-law enforcement and ex-intelligence personel that was based in Lexington, KY, in the late 70s and early 80s. However, because "The Last Circle" makes extensive use of Riconosciuto's files, it is also concerned with many other activities, including in particular a biowarfare project undertaken by the Wackenhut-Cabazon Indian joint venture. ("The Company" itself is the subject of another book entitled "The Bluegrass Conspiracy" by Sally Denton.) Riconosciuto wrote me in regard to a speech I gave to the Libertarian Party of Colorado on digital cash on April 20, 1997. I have added some comments with respect to the issues mentioned. May 8, 1997 M. Riconosciuto 21309-086 Med. A-1 Box 819 Coleman, FL 33521 "Orlin, "[Name omitted] has been sending me some of your published material for some time. I have some questions concerning your talk on digital cash. "First a little of my background. I started with computers when a "laptop" was an IBM porta-punch. My first serious computing experience was on an IBM system 1620. I went from there to the IBM 7090/7094 systems and from there to the then "new" IBM 360 family. I missed the 370 generations, because during that time my responsibilities had me in a position where comp center staff handled all my data processing. I have been on the DEC/PDP systems since they first came out (PDP 8, PDP 10, PDP 11) and stayed with them as they matured into the VAX system. My programming experience runs the gamut from absolute coding sheets in unit record type systems, to top down/structured programming. I have been at this for awhile. I am not impressed by the Intel/MS standard that has taken over the computing world. Although I might note that Windows NT has suspicious similarity to the VAX/VMS operating system. "Up until six months ago I had access to a computer and the latest literature because of my inmate job assignments in facilities management and prison industries. We had a high end Pentium CAD set up in facilities and a network connection on a Data General Avion system in Unicor prison industries. I also had the responsibility of maintenance on a Honeywell building automation control DDC-HVAC system. "As a direct result of the TV interview with the Germans I was pulled off my premium inmate job and re- assigned to the duty of picking up cigarette butts in the recreation yard for $5 per month. This was inspite of exemplary job assignment reports and no disruptive behavior incidents." [Comment: Riconosciuto is referring here to an interview he gave on the PROMIS backdoor to German television.] "[paragraph omitted] "The point of all this is to make it clear that I am not that far out of touch with the current state of the art. "This brings me to the first question that I want to ask about your digital cash speech. "1) In your reference to the "discrete logarithm problem" are you taking into consideration the Donald Coppersmith work? Coppersmith developed a computationally feasible way to take discrete logarithms back in the 80s. Needless to say, this work has been played down, but it has been in the open literature." [Comment: The discrete log problem is the problem of finding x such that g^x =y mod n, for a given y, g, and n. Here x is the discrete logarithm of y to the base g. Since this is hard to do, one can form a public/private key system with x as the private (secret) key and y = g^x mod n as the public key. [Of course, the hard-to-do job of taking discrete logarithms may not be the only way to approach a given problem. The security of Diffie-Hellman, to which I referred in my speech, is apparently based on discrete logarithms, but is susceptable to a simple attack by a person in the middle of the communication process. In Diffie- Hellman, Alice generates x and send Bob g^x mod n. Bob generates y and sends Alice g^y mod n. They both then calculate g^(xy) mod n as the session key. (The best an observer can do is calculate g^(x+y), without taking discrete logarithms.) However, if Eve controls all communication between the two, she can substitute her own parameters, and decrypt both sides of the conversation before forwarding the messages. Be this as it may, Diffie introduced a simple variant of this process--called Station to Station (STS) protocol--which completely eliminates the man-in-the-middle attack. [Riconosciuto refers to the work of Coppersmith [1], [2] in finding discrete logarithms. Coppersmith greatly increased the efficiency of finding discrete logs in fields of characteristic 2 (which use digits 0 and 1, and thus are efficient in programming), so that the modulus has to be of the order of n = 2^1000 to be secure.] "2) You of course are aware that RSA type algorithms are no more secure that the modulus is difficult to factor. Are you aware of the latest advances in . . . differential cryptanalysis and meet in the middle techniques? Are you aware of the work by Lenstra . . . et al with their methods of quadratic sieves etc?" [Comment: Riconosciuto is refering here are to several types of cryptanalytic attacks. Differential cryptanalysis and meet-in-the- middle generally refer to attacks on DES, while the work of Lenstra is directly relevant to RSA. [The methods of Lenstra [3], Cohen and Lenstra [4], and Pomerance, Rumely, and Adleman [5], use Fermat's Little Theorem (or its analog in extension fields of rational numbers) and Gauss and Jacobi sums to test for primality. [The quadratic sieve for factoring n has running time of the order of exp((ln n ln ln n)^.5). A slightly faster method is [6] the number field sieve, which has running time of the order of exp((ln n)^(1/3) (ln ln n)^(2/3)).] "3) Have you ever heard of the Hilbert spectral processing technique and its application to high speed factoring systems? [Comment: I'm not sure exactly what Riconosciuto has in mind here. But communication signals can be decomposed into addable parts using systems of orthogonal functions such as Fourier series or Walsh functions. [Riconosciuto may be referring to the results of Xiao and Massey [9], who characterize correlation-immune functions in terms of their Walsh transforms.] "4) Are you familiar with fast elliptical encryption methods?" [Comment: I did not refer to these in my speech as they are fairly complex. Elliptic curve cryptosystems stem from the work of Neal Koblitz [7] and others. Some have alleged that the Skipjack algorithm used in the Clipper Chip is an elliptic curve algorithm. [The analog of taking a power in modular arithmetic is multiplication on elliptic curves. So the analog of the Diffie- Hellman problem in the elliptic curve world is to find the interger n such that nB = P, where B and P are points on an elliptic curve. Here n can be thought of as the "discrete logarithm" of P to the base B. Elliptic curve cryptosystems are believed to offer equal security at shorter key lengths.] "5) Do you remember the hard knapsack problems of Merkle and Hellman and how they fell?" [Comment: Knapsack problems were so- named because they resemble the problem of fitting a number of items k into a total volume V--like packing a knapsack.. They have the characteristic that they are NP- complete, so that theoretically an encryption scheme could be constructed from them that is not solvable in polynomial time (with respect to k). However, the original Merkle-Hellman knapsack was broken by Shamir. So Riconosciuto is suggesting that implemented discrete log systems may have hidden weaknesses much like the original knapsack encryption systems. There is a knapsack system due to Chor and Rivest that hasn't been broken yet, to my knowledge.] "This should be a good place to start. Let me know if you receive my letter. [sentence omitted.] "Michael Riconosciuto "21309-086" [Comment: Encryption issues are important. However, I doubt they will be the deciding security issue in most systems of digital cash. Ross Anderson [8] has accumulated a lot of evidence from the financial services industry that demonstrates that most security failures involve errors in protocol or in implementation. Equally important, most current systems that have been called "digital cash" have been designed with deliberate security holes to allow monitoring of transactions at critical points.] References [1] D. Coppersmith, "Fash Evaluation of logarithms in fields of characteristic two," IEEE Transactions on Information Theory, 30, 1984, 587-594. [2] D. Coppersmith, A. Odlyzko, and R. Schroeppel, "Discrete Logarithms in GF(p)," Algorithmica 1, 1986, 1- 15. [3] A. Lenstra, "Primality testing," Cryptology and Computational Number Theory, Proc. Symp. Appl. Math, 42, 1990, 13-25. [4] H. Cohen and H. W. Lenstra, Jr., "Primality testing and Jacobi sums," Math. Comp. 42, 1984, 297-330. [5] L.M. Adleman, C. Pomerance, and R.S. Rumely, "On Distinguishing prime numbers from composite numbers," Annals of Math. 177, 1983, 173-206. [6] A. Lenstra and H. W. Lenstra, Jr., eds. The Development of the Number Field Sieve, Springer-Verlag, 1993. [7] Neal Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag, 1994. [8] Anderson, Ross, "Why Cryptosystems Fail," Association for Computing Machinery, 1st Conf.- Computer and Comm. Security `93, November 1993. [9] G. Z. Xiao and J. L. Massey, "A spectral characterization of correlation-immune functions," IEEE Transactions on Information Theory, 34, 1988, 569-571. Posted September 2, 1997 Web Page: http://www.aci.net/kalliste/