[MUD-Dev] Re: Modular MUD

Caliban Tiresias Darklock caliban at darklock.com
Mon Aug 31 07:52:28 CEST 1998


On 10:15 AM 8/31/98 -0400, I personally witnessed Adam J. Thornton jumping
up to say:
>
>Do you need a public-key system?  If so, you're really SOL.  If private key
>will do...this is going to sound incredibly cheesy, but use DES.  DES is
>exportable, and easy to crack for cheap, but if you're not protecting
>anything all that valuable, it's an awful lot better than nothing.  

DES is exportable? For some reason (and I may have made this up) I thought
the 64 bits of DES were where they came up with the 56-bit limitation,
specifically so DES would be illegal to export... am I crazy, stupid, or both?

>There
>are free implementations available, and it's simple to use; I recommend
>using it in CBC (cipher block chaining) mode.  Electronic Codebook Mode is
>easier but much more prone to spoofing.  

What I'm really concerned with is just some reversible way to encrypt the
data on disk so when some idiot goes snooping around in the directory I
don't have plaintext all over the place... I don't particularly want to
protect their data from the government or any other similarly determined,
trained, and equipped intruder. It's a game, for God's sake. Anyone going
to that much trouble to read your player data file is far more determined
than I have time to thwart. :P

>If you don't care about encrypting
>the password while it's in transit, go with DES.
[...]
>You could also look into using a secure hashing algorithm to produce a
>checksum of your password, but the feds _also_ know that a digital
>signature algorithm can be turned into a stream cipher with no difficulty,
>so it's probably not exportable, although you could see if SHA or MD5 are
>exportable without a license.

SHA is not (although Nick Gammon has written a crypt()-like version for
Windows NT/9x ports of Unix code, which may be downloaded from his
Australian site -- it's not platform compatible, but it's crypt() to the
compiler), MD5 is. The end result of MD5 is fixed-length and one-way, with
no hope whatsoever of converting it back into what you started with, so the
government doesn't care about it. I'm already planning on using MD5 on the
password in transit, which in fact is exactly what the APOP command does on
a POP3 mailbox. There are a lot of nifty and time-proven things available
from reading RFCs, if you're capable of doing so without falling asleep.
(I'm sick; I actually find RFCs entertaining. Even 822.)

Incidentally, the Diffie-Hellman patent expired last year. Doesn't make it
any more useful for me, but I thought you might like to know.

>The folks over at sci.crypt would know, and it's probably in the FAQ.

Been there, read that... they pointedly defer the question in the FAQ,
which also stresses that the legalities of encryption are specifically
off-topic in the group. So I figured it would probably be better to ask
here, instead of just e-mailing some guy at random because he posted in
sci.crypt and sounded like he knew what he was talking about.

-----------------------------------------------------------------------
Caliban Tiresias Darklock <caliban at darklock.com>   | "I'm not sorry or 
Darklock Communications <http://www.darklock.com/> |  ashamed of who I 
PGP Key AD21EE50 at <http://pgp5.ai.mit.edu/~bal/> |  really am."      
FREE KEVIN MITNICK! <http://www.kevinmitnick.com/> |  - Charles Manson 
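
Added example, not part of the original post: both sides of the APOP-style challenge-response mentioned above (RFC 1939), where the digest is MD5 over the server's banner followed by the shared secret. The ApopServer class and the host name are hypothetical, and the random component in the banner is an assumption of this example.

```python
import hashlib
import hmac
import os
import time


def make_challenge(hostname):
    """Server: fresh banner per connection, in RFC 1939 <unique.clock@host> form."""
    # Assumption: random hex stands in for the process ID so banners never repeat.
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)


def apop_digest(challenge, secret):
    """Client: hex MD5 of the banner (angle brackets included) + shared secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


class ApopServer:
    """Hypothetical server side; 'secrets_by_user' is a constructed user store."""

    def __init__(self, secrets_by_user, hostname="mud.example"):
        # APOP needs the secret itself, so the server cannot store only a hash.
        self.secrets = secrets_by_user
        self.hostname = hostname
        self.challenge = None

    def greet(self):
        self.challenge = make_challenge(self.hostname)
        return self.challenge

    def login(self, user, digest):
        # Consume the banner: one login attempt per challenge.
        challenge, self.challenge = self.challenge, None
        secret = self.secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = apop_digest(challenge, secret)
        return hmac.compare_digest(expected, digest.lower())  # constant-time


def demo():
    """A good login, then the same captured digest replayed on a new connection."""
    server = ApopServer({"mrose": "tanstaaf"})  # constructed sample account
    digest = apop_digest(server.greet(), "tanstaaf")
    first = server.login("mrose", digest)
    server.greet()  # new connection, new banner
    replayed = server.login("mrose", digest)
    return first, replayed
```

The password never crosses the wire and a captured digest is useless against a later banner, but the secret has to be recoverable on the server, which bears on how the player file is stored on disk.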



