Announcing Nautilus 0.9.2 (Beta Test) ===================================== WHAT IS NEW IN THIS RELEASE? ---------------------------- Nautilus 0.9.2 is the third release of Nautilus. Nautilus 0.9.0 was released on May 10th, and Nautilus 0.9.1 was released on May 22nd. Version 0.9.2 corrects all known security problems to date -- specifically, the replay attacks discovered by Dan Bernstein and Colin Plumb. Unfortunately, in order to prevent the replay attacks, we have been forced to alter the protocol in a way that is incompatible with previous releases. Thus, Nautilus 0.9.2 will not interoperate with versions 0.9.0 or 0.9.1. We will endeavor to keep things compatible in the future, but until version 1.0 comes out, users should expect things like this to happen occasionally. In addition to fixing security problems present in earlier releases, version 0.9.2 adds some new features. We have added a 6400 bps coder which sounds almost as good as the 8500 bps coder and should enable many cellular modem users to use Nautilus. In addition, we have doubled the amount of audio data used to seed our random number generator and added a test to warn the user if there is insufficient entropy in the audio input (like if you leave your microphone turned off or unplugged when you execute the program). Finally, we have improved the documentation somewhat, fixed a few other minor bugs, and added a runtime-configurable modem reset string which allows you to reset your modem to your usual values after Nautilus has completed running. The remainder of this announcement is virtually identical to the 0.9.1 announcement, so if you have already seen the earlier one, just connect to the nearest ftp site mentioned below to download the 0.9.2 release of Nautilus. WHAT IS NAUTILUS? ----------------- Nautilus is a program that lets you have encrypted voice telephone conversations with your friends without needing any special equipment. Nautilus runs on IBM-PC compatible personal computers (386DX25 or faster) as well as desktop Sun workstations running SunOS or Solaris. The PC version requires a Soundblaster compatible sound card. Both versions need a high speed (9600 bps or faster) modem to work. The speech quality is pretty good at 14.4kbps and acceptable at speeds as low as 7200 bps. Nautilus is the first program of this type that we know of to be distributed for free with source code. A few similar commercial programs have been distributed without source, so that their security cannot be independently examined. HOW DOES IT WORK? ----------------- Nautilus uses your computer's audio hardware to digitize and play back your speech using homebrew speech compression functions built into the program. It encrypts the compressed speech using your choice of the Blowfish, Triple DES, or IDEA block ciphers, and transmits the encrypted packets over your modem to your friend's computer. At the other end, the process is reversed. The program is half-duplex; just hit a key to switch between talking and listening. Nautilus's encryption key is generated from a shared secret passphrase that you and your friend choose together ahead of time, perhaps via email using PGP, RIPEM, or a similar program. Nautilus itself does not currently incorporate any form of public key cryptography. Further details are in the release notes included with the program. FTP SITES --------- Nautilus is available in three different formats: nautilus-0.9.2.tar.gz - full source code naut090.zip - MSDOS executable and associated documentation naut090s.zip - full source code It is available at the following FTP sites: ftp://ftp.csn.org:/mpj/I_will_not_export/crypto_???????/voice/ This is an export controlled ftp site: read /mpj/README for information on access. ftp://miyako.dorm.duke.edu/mpj/crypto/voice/ This is an export controlled ftp site: read /mpj/GETTING_ACCESS for information on access. ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz ftp://ripem.msu.edu/pub/crypt/msdos/nautilus-phone-0.9.2-source.zip ftp://ripem.msu.edu/pub/crypt/msdos/nautilus-phone-0.9.2-exe.zip This is an export controlled ftp site: read /pub/crypt/GETTING_ACCESS for information on access. It is also available at: Colorado Catacombs BBS - (303) 772-1062 INTERNATIONAL USE ----------------- Sorry, but under current US law, Nautilus is legal for domestic use in the US only. We don't like this law but have to abide by it while it is in effect. Nautilus is distributed through export-restricted FTP sites for this reason. Export it at your own risk. IMPORTANT --------- This is a BETA TEST VERSION of a BRAND NEW CRYPTOGRAPHY PROGRAM. Although we've done our best to choose secure ciphers and protocols for Nautilus, its design details have not yet been reviewed by anyone except the authors, and it's VERY EASY to make mistakes in such programs that mess up the security. We advise against putting too much faith in the security of the program until it has undergone a lot more reviewing and debugging. We encourage cryptographers and users alike to examine and test the program thoroughly, and *please* let us know if you find anything wrong. We hope to release an updated version within about one month fixing any serious bugs found in the current version, though probably not having many new features. Finally, although we'll try to fix any bugs reported to us, WE CANNOT BE RESPONSIBLE FOR ANY ERRORS. CONTACTING THE DEVELOPERS ------------------------- Nautilus was written by Bill Dorsey, Pat Mullarky, and Paul Rubin. To contact the developers, please send email to nautilus@lila.com. This announcement, and the source and executable distribution files, are all signed with the following PGP public key. Please use it to check the authenticity of the files and of any fixes we may post. You can also use it to send us encrypted email if you want. We will try to keep such email confidential, but cannot guarantee it. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi+tZx4AAAEEALUDK2d68thTyVmD5bXeBEELLFtAgNU6O+M+anooPjXr9sBD 7HsHt4VYtDNY3ecefQAFTzTrBwn9V7Ya2EwVttT2cTEiOj9O6mii+QvOXplxsyWo SHsuLIjUzHqY9KvlDDMrBuVhs1qWdbXXax4uKB83kZUlABCVAinl/J//FNOFAAUT tCdOYXV0aWx1cyBEZXZlbG9wZXJzIDxuYXV0aWx1c0BsaWxhLmNvbT6JAJUCBRAv rWeHg1x2TS1X7GUBAYw4BACNBO/efXHqyMfFw8fzfwuUhHqGf4+VRbLWTvL6/JfH 9Vb8G7dhPQQvm6Q6KVnO6LyNskjb1d5noA03vIObC7hwTbr9sznohSd2OyRsTHiE Zdqnx0uv+ypsK+ZTOs4uRoKLd2C4sMqdylKaoF2D7Ob7rCwaGucQBuom8L0C0O7n eokAlQIFEC+tZ04p5fyf/xTThQEBe9EEAJS5fQWa7ev5Ke8Rpzx7zKqkbu7MyJS3 KSKIpsxyYqmx8k/9GmzNP4xxXUCjfro1zPp84WS3oeft0Qg9fOee09PFsjQ3yxI6 bH06tPO/mKmNrTGcLQmncrqyf4iOscBoIPYjXSSAG/ULz7Hwa2+vmjUkWk1K93BL port+RWomAoq =M+h4 -----END PGP PUBLIC KEY BLOCK-----