Article 27950 of alt.security:
Path: nntpd.lkg.dec.com!pa.dec.com!decuac.dec.com!haven.umd.edu!purdue!lerc.nasa.gov!magnus.acs.ohio-state.edu!math.ohio-state.edu!howland.reston.ans.net!tank.news.pipex.net!pipex!in2.uu.net!agis!ns2.mainstreet.net!bug.rahul.net!a2i!lila.a2i!lila
From: Bill Dorsey
Newsgroups: sci.crypt,alt.security,alt.security.pgp,comp.security.misc,comp.security.unix,comp.dcom.telecom.tech,comp.speech,talk.politics.crypto
Subject: ANNOUNCE: Nautilus 1.0a Secure Phone Software
Date: 28 Aug 1995 22:44:12 GMT
Organization: a2i network
Lines: 210
Message-ID: <41tgrs$76u@bug.rahul.net>
NNTP-Posting-Host: bolero.rahul.net
NNTP-Posting-User: lila
Keywords: telephone speech compression encryption
Xref: nntpd.lkg.dec.com sci.crypt:43014 alt.security:27950 alt.security.pgp:41078 comp.security.misc:20922 comp.security.unix:19308 comp.dcom.telecom.tech:18178 comp.speech:6674 talk.politics.crypto:12270

-----BEGIN PGP SIGNED MESSAGE-----

Announcing Nautilus 1.0: Secure Telephony on your Personal Computer
===================================================================

WHAT IS NAUTILUS?
- -----------------

Nautilus is a program that lets you have encrypted voice telephone
conversations with your friends without needing any special equipment.
Nautilus runs on IBM-PC compatible personal computers (386DX25 or
faster) under MSDOS or Linux as well as desktop Sun workstations
running SunOS or Solaris. The MSDOS version requires a Soundblaster
compatible sound card while the Linux version can also support some
additional cards. All versions need a high speed (9600 bps or faster)
modem to work. The speech quality is pretty good at 14.4kbps and
acceptable at speeds as low as 7200 bps. This means that Nautilus can
be used reasonably reliably over cellular phones, in good reception
areas.

Nautilus is the first program of this type that we know of to be
distributed for free with source code.
A few similar commercial programs have been distributed without source,
so that their security cannot be independently examined. Other free
programs with source are now beginning to appear.

GET IT WHILE YOU CAN
- --------------------

Certain parts of the US Government appear to be working to ban civilian
use of cryptography whose keys are not accessible to the government.
Documents recently obtained from the FBI under the Freedom of
Information Act support this conclusion. If programs like Nautilus are
made illegal, we will have to stop further development and
distribution. We believe that the US Constitution entitles every
citizen to use secure communications that only he or she controls the
keys to (see the First and Fourth Amendments for more information).

So we urge everybody to get a copy of Nautilus *now* and start using
it. Although we have many enhancements planned for future versions
that will make Nautilus better to use, the current version is already
reliable and provides everything necessary to protect your privacy even
if no further improvements are released.

For more info about the recently published FBI documents, see the
Electronic Privacy Information Center's web page on the subject at
http://www.epic.org/crypto/ban/fbi_dox/.

WHAT IS NEW IN THIS RELEASE?
- ----------------------------

We are pleased to announce that with this release, Nautilus is
officially out of beta test. Nautilus has been through three public
beta test releases and been examined by several knowledgeable
cryptographers. No catastrophic security bugs were found in any of the
beta releases, though some minor ones have been found and fixed.

Nautilus 1.0 has a few minor user interface and other improvements and
some non-security-related bug fixes compared to 0.9.2, but 0.9.2 has
been operating stably for several months and has needed *no* security
fixes.
Version 1.0 is entirely compatible with 0.9.2 and we have deliberately
postponed adding any new features that we feared might introduce bugs.
Version 1.1 will have some interesting new features including an
automatic key exchange protocol that gives forward secrecy and does not
require secret passphrases.

While Nautilus still has had nowhere near the net-wide scrutiny of
email programs like PGP, its ciphers are well-tested and its protocols
are simple and robust. We are now willing to place more confidence in
Nautilus's security than we would in any of the comparable programs
that we know of. This is mostly because the other programs have not
withstood public scrutiny of their source code for as long (or at all).

New Feature Summary for Version 1.0:

  + Linux and Solaris support
  + Updated documentation
  + "Verbose mode" prints more info about Nautilus's operation
  + Enhanced 8500bps coder (improved audio quality)
  + Ability to change mic sensitivity from config file (see docs)
  + Ability to change output volume from config file (see docs)
  + Ability to set arbitrary com port addresses and IRQ's.
  + Automatically detects incompatible versions at the other end and
    tells you what is wrong (previous versions mysteriously just
    didn't work when the other end was incompatible).

The remainder of this announcement is similar to earlier Nautilus
announcements, so if you have already seen the earlier ones, just
connect to the nearest ftp site mentioned below to download the 1.0
release of Nautilus.

HOW DOES NAUTILUS WORK?
- -----------------------

Nautilus uses your computer's audio hardware to digitize and play back
your speech using homebrew speech compression functions built into the
program. It encrypts the compressed speech using your choice of the
Blowfish, Triple DES, or IDEA block ciphers, and transmits the
encrypted packets over your modem to your friend's computer. At the
other end, the process is reversed.
The program is half-duplex; just hit a key to switch between talking
and listening.

Nautilus's encryption key is generated from a shared secret passphrase
that you and your friend choose together ahead of time, perhaps via
email using PGP, RIPEM, or a similar program. Nautilus itself does not
currently incorporate any form of public key cryptography.

Further details are in the documentation file included with the
program.

FTP SITES
- ---------

Nautilus is available in three different formats:

  nautilus-1.0a.tar.gz - full source code
  naut10a.zip          - MSDOS executable and associated documentation
  naut10as.zip         - full source code

It is available at the following FTP sites:

  ftp://ftp.csn.org:/mpj/I_will_not_export/crypto_???????/voice/
    This is an export controlled ftp site: read /mpj/README for
    information on access.

  ftp://miyako.dorm.duke.edu/mpj/crypto/voice/
    This is an export controlled ftp site: read /mpj/GETTING_ACCESS for
    information on access.

  ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-1.0a-source.tar.gz
  ftp://ripem.msu.edu/pub/crypt/msdos/nautilus-phone-1.0a-source.zip
  ftp://ripem.msu.edu/pub/crypt/msdos/nautilus-phone-1.0a-exe.zip
    This is an export controlled ftp site: read
    /pub/crypt/GETTING_ACCESS for information on access.

You may be able to find additional ftp sites using the "archie" ftp
site locating program. See http://www.earn.net/gnrt/archie.html for
more info.

It is also available at:

  Colorado Catacombs BBS - (303) 772-1062

INTERNATIONAL USE
- -----------------

Sorry, but under current US law, Nautilus is legal for domestic use in
the US only. We don't like this law but have to abide by it while it
is in effect. Nautilus is distributed through export-restricted FTP
sites for this reason. Export it at your own risk.

IMPORTANT
- ---------

Although we've done our best to choose secure ciphers and protocols for
Nautilus, and its design details have been reviewed by several experts,
it is still VERY EASY to make mistakes in such programs that mess up
the security. It is still possible, though less likely than before,
that some security bugs remain. We urge that users needing very high
security take an in-depth approach to protecting their privacy. See
the Nautilus documentation file for more info.

As usual, we encourage cryptographers and users alike to examine and
test the program thoroughly, and *please* let us know if you find
anything wrong. And as always, although we'll try to fix any bugs
reported to us, WE CANNOT BE RESPONSIBLE FOR ANY ERRORS.

CONTACTING THE DEVELOPERS
- -------------------------

The Nautilus development team is now made up of Bill Dorsey, Pat
Mullarky, Paul Rubin, Gil Spencer, and Andy Fingerhut. To contact the
developers, send email to .

This announcement, and the source and executable distribution files,
are all signed with the following PGP public key. Please use it to
check the authenticity of the files and of any fixes we may post. You
can also use it to send us encrypted email if you want. We will try to
keep such email confidential, but cannot guarantee it.

-- 
Bill Dorsey