[MUD-Dev] Re: Modular MUD
John Bertoglio
alexb at internetcds.com
Mon Aug 31 23:45:00 CEST 1998
From: Adam J. Thornton <adam at phoenix.Princeton.EDU>
Date: Monday, August 31, 1998 8:46 AM
>On Mon, Aug 31, 1998 at 07:52:28AM -0700, Caliban Tiresias Darklock wrote:
>> DES is exportable? For some reason (and I may have made this up) I thought
>> the 64 bits of DES were where they came up with the 56-bit limitation,
>> specifically so DES would be illegal to export... am I crazy, stupid, or both?
>
>DES is essentially 56-bit, since the last 8 are computed from the first 56.
>I think you still do need a license but if you can prove that DES is all
>you use it's readily granted. Or at least more readily granted than if you
>use anything else. But for a hobby project this is still going to be
>hellishly expensive. I misremembered its exportability.
>
>40-bit RC4 is, I think, exportable without any license, or with minimal
>licensing. You might want to take a look at that; so is 40-bit RC2. These
>won't protect against much of anybody, but they are one step better than
>ROT-13. If you only want minimal security, it's not a problem.
>
>Since this is just going to encrypt stuff on a hard drive somewhere--that
>is, doesn't have to interoperate with other servers elsewhere, you
>could also put all your crypto functionality into a single DLL and publish
>enough information about the APIs to allow someone elsewhere to write a DLL
>and drop it in.
>
>Or, better still: find someone outside the States (and not in France, North
>Korea, Iraq, Libya, or China) to write your crypto code, as a plug-in DLL.
>Yeah, it complicates the downloading a lot, but it's better than a
>mandatory 31-41 month federal prison sentence.
>
>> What I'm really concerned with is just some reversible way to encrypt the
>> data on disk so when some idiot goes snooping around in the directory I
>> don't have plaintext all over the place... I don't particularly want to
>> protect their data from the government or any other similarly determined,
>> trained, and equipped intruder. It's a game, for God's sake. Anyone going
>> to that much trouble to read your player data file is far more determined
>> than I have time to thwart. :P
>
>I'm not sure how to turn RC2 or RC4 into a block cipher, but it can be
>done. If you don't have a copy of Bruce Schneier's _Applied Cryptography_
>you ought to get one; the second edition is excellent. I don't know if his
>warning that RSA will sue anyone using RC4 without a license still holds,
>or not. But RSA licenses cost, I think, something like $25K, which is out
>of the hobbyist's price range.
>
>> compiler), MD5 is. The end result of MD5 is fixed-length and one-way, with
>> no hope whatsoever of converting it back into what you started with, so the
>> government doesn't care about it. I'm already planning on using MD5 on the
>> password in transit, which in fact is exactly what the APOP command does on
>> a POP3 mailbox. There are a lot of nifty and time-proven things available
>> from reading RFCs, if you're capable of doing so without falling asleep.
>> (I'm sick; I actually find RFCs entertaining. Even 822.)
>
>Seek help. Now.
>
>Well, due to US law, you're kind of over a barrel. However....you can
>assume network connectivity in anyone installing your client, right? So
>have someone in Australia or somewhere develop a cryptosystem for you to an
>API you specify (should be about 10 minutes of work: write a wrapper
>function for the algorithm of your choice). Then have your installation
>script make sure that you're not in France, and then ftp down the DLL as
>part of the installation, and put it in the right place.
>
>Adam
>--
>adam at princeton.edu
>"There's a border to somewhere waiting, and a tank full of time." - J. Steinman
>
>--
>MUD-Dev: Advancing an unrealised future.
>
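The APOP-style exchange mentioned in the quoted message, as an added example that is not part of the original thread: in RFC 1939 the client answers the server's greeting timestamp with the hex MD5 of that timestamp followed by the shared secret. The host name, secrets and the random banner suffix below are constructed for illustration.

```python
import hashlib
import hmac
import os
import time


def make_banner(host="mud.example"):
    """Server side: per-connection challenge in <pid.clock@host> form.
    The random suffix is an added assumption so two banners issued in the
    same second still differ."""
    return "<%d.%d%s@%s>" % (os.getpid(), int(time.time()),
                             os.urandom(4).hex(), host)


def apop_digest(banner, secret):
    """Client side: MD5 over banner (angle brackets included) + secret."""
    return hashlib.md5((banner + secret).encode("utf-8")).hexdigest()


def server_verify(banner, stored_secret, client_digest):
    """Server recomputes the digest, so it must hold the secret itself in
    recoverable form; a one-way hash of the secret is not enough."""
    expected = apop_digest(banner, stored_secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, client_digest.lower())


def demo():
    secret = "constructed-player-secret"   # constructed sample value
    banner1 = make_banner()
    digest1 = apop_digest(banner1, secret)
    banner2 = make_banner()                # a later connection
    return {
        # Correct secret on the connection that issued the banner.
        "accepted": server_verify(banner1, secret, digest1),
        # A captured digest is useless against a different banner.
        "replay_rejected": not server_verify(banner2, secret, digest1),
        # A wrong secret produces a different digest.
        "wrong_secret_rejected": not server_verify(
            banner1, secret, apop_digest(banner1, "guess")),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(check, ok)
```

The secret never crosses the wire, but anyone who records one banner and digest pair can test password guesses offline against it.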