PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page

PRIVACY Forum Digest      Monday, 28 October 1996      Volume 05 : Issue 20

            Moderated by Lauren Weinstein (         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

               The PRIVACY Forum is supported in part by the          
                 ACM (Association for Computing Machinery)
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

        Postal "Change of Address" Issues on PRIVACY Forum Radio
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Web Search Service Exposes Searches to Public Viewing
           (Lauren Weinstein; PRIVACY Forum Moderator)
        "Holographic" Full-Body Security Scanning
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Re: Blood and Privacy? (Joe Decker)
        A new attack on DES (Monty Solomon)
        IEEE Symposium on Security and Privacy - call for papers
           (Mary Ellen Zurko)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


   Quote for the day:

         "A stereo's a stereo.  Art is forever."

                        -- Neil (Cheech Marin)
                           "After Hours" (Geffen/Warner Bros.; 1985)


Date:    Sun, 27 Oct 96 16:55 PST
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Postal "Change of Address" Issues on PRIVACY Forum Radio

Greetings.  The next installment of PRIVACY Forum Radio is now available for
your listening pleasure.  This latest show features two interviews I
recently conducted related to controversies surrounding U.S. mail "change of
address" issues.  The first interview is with Mike Selnick of the United
States Postal Service in Washington D.C, regarding commercial use of change
of address data.  This is followed by John Brugger of the United States
Postal Inspection Service (also in D.C.) on the topic of fraudulent
activities related to change of address filings.  

The total running time of the show is approximately 30 minutes.
As always, these interviews are accessible at the 
PRIVACY Forum/PRIVACY Forum Radio links via:



Date:    Fri, 11 Oct 96 11:13 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Web Search Service Exposes Searches to Public Viewing

In a new twist related to privacy problems, one of the more major Web search
services, the "Magellan Internet Guide" from the Mckinley Group, Inc.
(, has implemented a feature which allows anyone to
"spy" on other people's searches.  Called the "Search Voyeur", the mechanism
automatically shows the text of 20 current, randomly selected searches,
refreshed every 20 seconds.  They certainly haven't been trying to hide it;
it was prominently mentioned in one of their press releases.

While origin address information is not included, and they say they don't
show searches that go beyond their "editorial guidelines" (presumably an
obscenity filter), even a brief viewing of the searches flying by suggests a
substantial privacy risk.  Search keywords often include individuals' names
associated with various actions or activities.  While some of the searches
can best be described as "amusing", it doesn't take too long to see others
that are troubling at best and potentially significant privacy violations at

While the "Search Voyeur" is listed (without explanation) as a link
on their home page along with a search form box, there is no explicit
statement warning users that their searches could potentially be
viewed by anyone on the net.  

The entire concept seems ill-advised.  The PRIVACY Forum has made repeated
email and telephone attempts to obtain any kind of statement or interview
from McKinley (and their new owner, Excite, Inc.) about this issue.  These
attempts have so far been completely unsuccessful; email has been
ignored and promised return phone calls have not been forthcoming.



Date:    Sun, 27 Oct 96 15:15 PST
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "Holographic" Full-Body Security Scanning

According to an article in the Oct-Nov 1996 issue of "Compressed Air"
magazine (a wonderful Ingersoll-Rand publication that covers a very wide
range of topics), the Federal Aviation Administration is planning to begin
testing the use of a full-body "holographic" imaging system at a U.S.
airport next year.  

The system (an earlier version of which was discussed previously in the
PRIVACY Forum), actually uses millimeter waves (~30 Ghz) to quickly (within
a few seconds) generate a "naked" image of the scannee.  The device has been
under development for a number of years and appears to be evolving rapidly.
The transmitted millimeter radiation passes through clothes but bounces off
the body or other objects (e.g., everything from loose change to firearms,
hidden money packets, etc.)

Outside of the rather obvious broader privacy implications of such a device,
two special issues should also be considered.  First, even though the
millimeter radiation used is non-ionizing (e.g. less energetic than x-rays),
there is considerable controversy about the health risks of exposure to
non-ionizing radiation at these wavelengths.  The statement is made that the
system is similar in exposure to supermarket "door opener" microwave
scanners, though this seems somewhat difficult to accept given the
completely different scanning requirements of the two devices.

But another problem may be even more likely to concern the public at large
about such equipment.  As the photographs included with the article show all
too clearly, the device generates quite detailed "nude" images.  It is
decidedly uncertain how people will feel about being required to pass
through a system that creates instant 360 degree naked pictures, possibly
archived to tape as well!  The promoters of the system suggest that using
"same-sex" operators would alleviate these concerns.  Excuse me, but are we
all living on the same planet?  Talk about needing a reality check...

I have no doubt that there might be special situations where such a device,
as an alternative to "pat-downs" or other intrusive personal searches, could
be useful.  But broadscale deployment of such systems in airports as a
routine body scanning procedure seems unlikely to be acceptable to most of
the public.



Date:    Tue, 15 Oct 96 10:28:11 PDT
From: (Joe Decker)
Subject: Re: Blood and Privacy?

John Levine wrote:
> * The Red Cross seems to use a scheme where they accept blood from pretty
> much anyone, but if your blood flunks a test they'll silently discard all
> future donations from you.  I presume this is one of the main impetuses for
> the SSN tagging.  Of course, since they make no attempt to verify the SSN you
> provide, a bad guy who had contaminated blood and wanted to subvert their
> system need only make up a different SSN on each visit.

Yes, it is my understanding as a long-time blood donator that the discarding
process is the impetus for the SSN tagging.

One nit:  I don't believe that the Red Cross is trying to catch
malicious people trying to subvert the blood supply.  I believe their
primary concern is trying to minimize the risk of someone donating
blood that has any chance of being (say) HIV-positive.  Even if told
their blood had tested positive, a dontator might later decide their
blood was safe on the basis of other tests, or their own faith, and
work to donate their blood anyhow.  This is a distinct mindset from
'I'm trying to subvert the blood supply.', and without knowing numbers,
many of the checks in the donation process seemed to be aimed at
overcoming the ability of the donator to deny (to themselves or others)
any risks their blood might contain.

(I do not speak for the Red Cross.)



Date:    Tue, 22 Oct 1996 03:41:13 -0400
From:    Monty Solomon <monty@roscom.COM>
Subject: A new attack on DES 

Excerpt from RISKS DIGEST 18.54

Date: Fri, 18 Oct 1996 16:58:50 +0200
From: Shamir Adi <>
Subject: A new attack on DES 

You have recently referred in RISKS [18.50, 18.52] to the ingenious new
attack against public key cryptosystems developed at Bellcore. All the
published information on the subject (including Bellcore's press release)
stress that the attack is not applicable to secret key cryptosystems.  Well,
Eli Biham and I have just released a research announcement in which we show
that an extension of the attack can, under the same realistic fault model,
break almost any secret-key algorithm, including DES, multiple DES, IDEA,
etc. The attack on DES was actually implemented on a PC, and it found the
key by analysing fewer than 200 ciphertexts generated from unknown

Adi Shamir

= = = = = =

Research announcement: A new cryptanalytic attack on DES

Eli Biham                                 Adi Shamir
Computer Science Dept.                    Applied Math Dept.
The Technion                              The Weizmann Institute
Israel                                    Israel

                 18 October 1996

In September 96, Boneh Demillo and Lipton from Bellcore announced an
ingenious new type of cryptanalytic attack which received widespread
attention (see, e.g., John Markoff's 9/26/96 article in the New York Times).
Their full paper had not been published so far, but Bellcore's press release
and the authors' FAQ (available at specifically state that
the attack is applicable only to public key cryptosystems such as RSA, and
not to secret key algorithms such as the Data Encryption Standard (DES).
According to Boneh, "The algorithm that we apply to the device's faulty
computations works against the algebraic structure used in public key
cryptography, and another algorithm will have to be devised to work against
the nonalgebraic operations that are used in secret key techniques." In
particular, the original Bellcore attack is based on specific algebraic
properties of modular arithmetic, and cannot handle the complex bit
manipulations which underly most secret key algorithms.

In this research announcement, we describe a related attack (which we call
Differential Fault Analysis, or DFA), and show that it is applicable to
almost any secret key cryptosystem proposed so far in the open literature.
In particular, we have actually implemented DFA in the case of DES, and
demonstrated that under the same hardware fault model used by the Bellcore
researchers, we can extract the full DES key from a sealed tamperproof DES
encryptor by analysing fewer than 200 ciphertexts generated from unknown
cleartexts.  The power of Differential Fault Analysis is demonstrated by the
fact that even if DES is replaced by triple DES (whose 168 bits of key were
assumed to make it practically invulnerable), essentially the same attack
can break it with essentially the same number of given ciphertexts.

We would like to greatfully acknowledge the pioneering contribution of Boneh
Demillo and Lipton, whose ideas were the starting point of our new attack.

In the rest of this research announcement, we provide a short technical
summary of our practical implementation of Differential Fault Analysis of 

DES. Similar attacks against a large number of other secret key cryptosystems
will be described in the full version of our paper.


The attack follows the Bellcore fundamental assumption that by exposing a
sealed tamperproof device such as a smart card to certain physical effects
(e.g., ionizing or microwave radiation), one can induce with reasonable
probability a fault at a random bit location in one of the registers at some
random intermediate stage in the cryptographic computation. Both the bit
location and the round number are unknown to the attacker.

We further assume that the attacker is in physical possession of the
tamperproof device, so that he can repeat the experiment with the same
cleartext and key but without applying the external physical effects. As a
result, he obtains two ciphertexts derived from the same (unknown) cleartext
and key, where one of the ciphertexts is correct and the other is the result
of a computation corrupted by a single bit error during the computation. For
the sake of simplicity, we assume that one bit of the right half of the data
in one of the 16 rounds of DES is flipped from 0 to 1 or vice versa, and
that both the bit position and the round number are uniformly distributed.

In the first step of the attack we identify the round in which the fault
occurred.  This identification is very simple and effective: If the fault
occurred in the right half of round 16, then only one bit in the right half
of the ciphertext (before the final permutation) differs between the two
ciphertexts. The left half of the ciphertext can differ only in output bits
of the S box (or two S boxes) to which this single bit enters, and the
difference must be related to non-zero entries in the difference
distribution tables of these S boxes.  In such a case, we can guess the six
key bit of each such S box in the last round, and discard any value which
disagree with the expected differences of these S boxes (e.g., differential
cryptanalysis). On average, about four possible 6-bit values of the key
remain for each active S box.

If the faults occur in round 15, we can gain information on the key bits
entering more than two S boxes in the last round: the difference of the
right half of the ciphertext equals the output difference of the F function
of round 15.  We guess the single bit fault in round 15, and verify whether
it can cause the expected output difference, and also verify whether the
difference of the right half of the ciphertext can cause the expected
difference in the output of the F function in the last round (e.g., the
difference of the left half of the ciphertext XOR the fault).  If
successful, we can discard possible key values in the last round, according
to the expected differences.  We can also analyse the faults in the 14'th
round in a similar way.  We use counting methods in order to find the key.
In this case, we count for each S box separately, and increase the counter
by one for any pair which suggest the six-bit key value by at least one of
its possible faults in either the 14'th, 15'th, or 16'th round.

We have implemented this attack on a personal computer.  Our analysis
program found the whole last subkey given less than 200 ciphertexts,
with random single-faults in all the rounds.

This attack finds the last subkey.  Once this subkey is known, we can
proceed in two ways: We can use the fact that this subkey contains 48 out of
the 56 key bits in order to guess the missing 8 bits in all the possible
2^8=256 ways. Alternatively, we can use our knowledge of the last subkey to
peel up the last round (and remove faults that we already identified), and
analyse the preceding rounds with the same data using the same attack. This
latter approach makes it possible to attack triple DES (with 168 bit keys),
or DES with independent subkeys (with 768 bit keys).

This attack still works even with more general assumptions on the fault
locations, such as faults inside the function F, or even faults in the key
scheduling algorithm.  We also expect that faults in round 13 (or even prior
to round 13) might be useful for the analysis, thus reducing the number of
required ciphertext for the full analysis.


Differential Fault Analysis can break many additional secret key
cryptosystems, including IDEA, RC5 and Feal.  Some ciphers, such as Khufu,
Khafre and Blowfish compute their S boxes from the key material.  In such
ciphers, it may be even possible to extract the S boxes themselves, and the
keys, using the techniques of Differential Fault Analysis.  Differential
Fault Analysis can also be applied against stream ciphers, but the
implementation might differ by some technical details from the
implementation described above.


Date:    Mon, 14 Oct 1996 10:50:00 -0400
From:    Mary Ellen Zurko <>
Subject: IEEE Symposium on Security and Privacy - call for papers

                           CALL FOR PAPERS
1997 IEEE Symposium on                              May 4-7, 1997
Security and Privacy                            Oakland, California
                             sponsored by
  IEEE Computer Society Technical Committee on Security and Privacy
                         in cooperation with
    The International Association for Cryptologic Research (IACR)

The Symposium on Security and Privacy has, for 16 years, been the
premier forum for the presentation of developments in computer
security and for bringing together researchers and practitioners in the
field.  We seek to build on this tradition of excellence by
re-emphasizing work on engineering and applications while maintaining
our interest in theoretical advances. 

We continue to seek to broaden the scope of the Symposium.  We want to
hear not only about new theoretical results, but also about the design
and implementation of secure systems in specific application areas and
about policies relating to system security.  We are particularly
interested in papers on policy and technical issues relating to privacy
in the context of the information infrastructure, papers that relate
software and system engineering technology to the design of secure
systems and papers on hardware and architectural support for secure
systems. Papers or Panels which discuss the application of theory to
practice which describe not only the successes but the failures and
the lessons learned are of special interest.

Topics on which papers and panel sessions proposals are invited
include, but are not limited to, the following:

        Commercial and Industrial Security,
        Security and other Critical System Properties,
        Secure Systems,
        Distributed Systems,
        Network Security,
        Database Security,
        Data Integrity,
        Access Controls,
        Information Flow ,
        Security Verification,
        Viruses and Worms,
        Security Protocols,
        Intrusion Detection,
        Privacy Issues,
        Policy Modeling

A continuing feature of the symposium will be a session of 5-minute
talks. We want to hear from people who are advancing the field in the
areas of system design and implementation, but may lack the resources
needed to prepare a full paper. Abstracts of these talks will be
distributed at the Symposium. 

This year we are instituting mechanisms for "electronic" submission
of papers for the refereeing process. Final papers will still be
submitted in hard copy. 

We will continue to accept papers submitted via various forms of mail,
but not fax.  Papers should include an abstract, must not exceed 7500
words, and must report original work that has not been published
previously and is not under consideration for publication
elsewhere. The names and affiliations of authors should appear on a
separate cover page only, as "blind" refereeing is used. Authors must
certify prior to December 27, 1996 that all necessary clearances for
publication have been obtained. The committee strongly encourages
authors to include archival sources as references (books, journal
articles, etc.) and to include references to "WEB" or other "NET"
sources only if they can be backed up by some archival source. In this
way, we can ensure that people who read the paper 5 years from now
will have access to the information used as background and
justification of the arguments presented.

Panel proposals should include a title, an abstract which describes
the topic(s) to be discussed, the names of all proposed participants
and assurances that the participants agree to serve on the panel, a
proposed length and format for the panel and any other information
that the panel proposer thinks would support their proposal. We will
publish the Panel Abstract in the Proceedings as well as any position
papers submitted by the panelists in support of the panel proposal.

Those submitting papers via "hard copy" should send six copies of
their paper or panel proposal to:

George W. Dinolt, Program Co-Chair 
Lockheed Martin Western Development Laboratories, 
Mail Stop X20, 
3200 Zanker Road, 
San Jose, CA 95134. 

Please mark the envelope "IEEE Security and Privacy Symposium." 

The title, abstract and authors names should be on a separate cover
page so that we can support the "blind refereeing process." We would
also like to have an electronic, ascii text version of the abstract
sent seperately to The electronic version of
the abstract should include the title and the abstract as it appears
in the paper.

Authors who wish to submit an electronic version of a paper or panel proposal 
for evaluation should follow the instructions that will be posted
on our "Web" site at 

<a href=>;</a>;

or by sending mail to with the word
"Instructions" in the Subject line. Instructions will be included in
the reply.  Papers and panel proposals must be received (however sent)
by 6:00 P.M. (PST) on Monday Dec. 2, 1996 (The deadline has been
extended from the original call). Authors will be notified by
mid-January about the status of their papers.

Authors who submit an abstract for a 5-minute talk should include a
title, all authors names and their affiliations, where appropriate,
and text. The whole should fit easily on one 8.5" by 11" page.
Abstracts for 5-minute talks should be sent to George W. Dinolt at the
above address U.S. Postal address to be received no later than Friday,
April 19, 1997 at 6:00 P.M local time. We will review abstracts and
accept as many as we can. Please mark the envelope

"IEEE Security and Privacy Symposium - 5 minute Abstracts"

General Chair: Steve Kent,  BBN, USA
Vice Chair: Mike Reiter, AT&T Laboratories - Research, USA
Program Co-Chairs: George Dinolt, Lockheed Martin WDL, USA
                   Paul Karger, IBM, USA
Treasurer:      Charlie Payne, SCTC, USA

Program Committee:
Deborah Cooper, The DMC Company
Terry Vickers Benzel, Trusted Information Systems
Lee Benzinger, Lockheed Martin WDL
Yair Frankel, Sandia Labs
Li Gong, Sun Microsystems
Heather Hinton, Ryerson Polytechnic University Canada
Cynthia Irvine, Naval Postgraduate School
Suchil Jajodia, George Mason University
Dale Johnson, MITRE
Carl Landwehr, Naval Research Laboratory
Teresa Lunt, DARPA/ITO 
John McHugh, Portland State University
John McLean, Naval Research Laboratory
Catherine A. Meadows, Naval Research Laboratory
Richard B. Neely, CTA
Richard E. Newman-Wolfe, Univeristy of Florida
Sylvan Pinsky, National Security Agency
Sue Rho, Trusted Information Systems
Mike Reiter,AT&T Laboratories --- Research 
Peter Ryan, DRA Malvern, United Kingdom
Pierangela Samarati, Universita' di Milano, Italy
Tom Schubert, Portland State University
Elisabeth Sullivan, Sequent
Paul Syverson, Naval Reseach Laboratory
Tom Van Vleck, CyberCash Inc. 
Shyhtsun F. Wu, North Carolina State University
Mary Ellen Zurko, OSF


End of PRIVACY Forum Digest 05.20

PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.