[MUD-Dev] Re: Modular MUD

[Adam J. Thornton]

On Mon, Aug 31, 1998 at 07:52:28AM -0700, Caliban Tiresias Darklock wrote:
> DES is exportable? For some reason (and I may have made this up) I thought
> the 64 bits of DES were where they came up with the 56-bit limitation,
> specifically so DES would be illegal to export... am I crazy, stupid, or both?

DES is essentially 56-bit, since the last 8 are computed from the first 56.
I think you still do need a license but if you can prove that DES is all
you use it's readily granted.  Or at least more readily granted than if you
use anything else.  But for a hobby project this is still going to be
hellishly expensive.  I misremembered its exportability.

40-bit RC4 is, I think, exportable without any license, or with minimal
licensing.  You might want to take a look at that; so is 40-bit RC2.  These
won't protect against much of anybody, but they are one step better than
ROT-13.  If you only want minimal security, it's not a problem.

Since this is just going to encrypt stuff on a hard drive somewhere--that
is, doesn't have to interoperate with other servers elsewhere, you
could also put all your crypto functionality into a single DLL and publish
enough information about the APIs to allow someone elsewhere to write a DLL
and drop it in.

Or, better still: find someone outside the States (and not in France, North
Korea, Iraq, Libya, or China) to write your crypto code, as a plug-in DLL.
Yeah, it complicates the downloading a lot, but it's better than a
mandatory 31-41 month federal prison sentence.

> What I'm really concerned with is just some reversible way to encrypt the
> data on disk so when some idiot goes snooping around in the directory I
> don't have plaintext all over the place... I don't particularly want to
> protect their data from the government or any other similarly determined,
> trained, and equipped intruder. It's a game, for God's sake. Anyone going
> to that much trouble to read your player data file is far more determined
> than I have time to thwart. :P

I'm not sure how to turn RC2 or RC4 into a block cipher, but it can be
done.  If you don't have a copy of Bruce Schneier's _Applied Cryptography_
you ought to get one; the second edition is excellent.  I don't know if his
warning that RSA will sue anyone using RC4 without a license still holds,
or not.  But RSA licenses cost, I think, something like $25K, which is out
of the hobbyist's price range.

> compiler), MD5 is. The end result of MD5 is fixed-length and one-way, with
> no hope whatsoever of converting it back into what you started with, so the
> government doesn't care about it. I'm already planning on using MD5 on the
> password in transit, which in fact is exactly what the APOP command does on
> a POP3 mailbox. There are a lot of nifty and time-proven things available
> from reading RFCs, if you're capable of doing so without falling asleep.
> (I'm sick; I actually find RFCs entertaining. Even 822.)

Seek help.  Now.

Well, due to US law, you're kind of over a barrel.  However....you can
assume network connectivity in anyone installing your client, right?  So
have someone in Australia or somewhere develop a cryptosystem for you to an
API you specify (should be about 10 minutes of work: write a wrapper
function for the algorithm of your choice).  Then have your installation
script make sure that you're not in France, and then ftp down the DLL as
part of the installation, and put it in the right place.

Adam
--
adam at princeton.edu 
"There's a border to somewhere waiting, and a tank full of time." - J. Steinman