Interesting People mailing list archives
THE CLIPPER INITIATIVE in three parts - 1 of 3
From: David Farber <farber () central cis upenn edu>
Date: Tue, 31 Aug 1993 16:21:43 -0800
THE CLIPPER INITIATIVE

All Americans have a Right to Privacy! But Key Escrow Won't Help

Stephen T. Walker [1]
Trusted Information Systems, Inc.
August 31, 1993

1. Summary

On April 16, 1993, the President announced "a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement." [2] This announcement contains the very strong statement that: "The Administration is committed to policies that protect all Americans' right to privacy [emphasis added] while also protecting them from those who break the law." The announcement describes a new encryption algorithm that is "more powerful" than many in commercial use today while preserving "the ability of federal, state, and local law enforcement agencies to lawfully intercept the phone conversations of criminals" through the use of a "key-escrow" system.

This paper summarizes my review of the information presented to the Computer System Security and Privacy Advisory Board (CSSPAB) in public testimony and related publicly available information concerning the President's "Clipper Chip" Initiative. Based on this review I have concluded that:

- Key escrow technology will NOT protect Americans "from those who break the law."

- For Administration policies to "protect all Americans' right to privacy," the Administration will have to acknowledge the worldwide availability of good quality cryptography and stop denying Americans the use of technologies that are freely available to others in the name of protecting us "from those who break the law."

The real issue confronting us in the President's Clipper Chip Initiative is obtaining an appropriate balance between:

- legitimate law enforcement and national security concerns with intercepting communications that are not in the best interests of the U.S., and

- legitimate concerns with protecting U.S. Government and commercial sector sensitive information and preserving the U.S. economic position.

For too long, the law enforcement and national security interests have controlled the dialog in this debate through their special positioning in the Executive Branch of the Government. Now with advances in technology and worldwide availability of cryptography threatening to impede the ability to easily listen to others, these agencies are proposing potentially highly invasive measures that have little prospect of improving law enforcement and national security intercept capabilities, while having a significant negative impact on U.S. commercial capabilities and interests. Meanwhile, requirements to protect U.S. Government and commercial sensitive information and maintain U.S. strength in the computer industry remain restricted without a voice in the debate.

While there may be a strong desire to slow the erosion in our technical communications intercept capabilities, this paper will show that the new key escrow approach will have little positive impact because it will see little use beyond the government. However, if the Administration were to acknowledge today's worldwide availability of good quality encryption capabilities, such as the Data Encryption Standard (DES), our Government and commercial interests in protecting U.S. sensitive data would be vastly improved. In so doing, our ability to intercept others could be marginally hurt, but many feel the gains outweigh the losses.

We must have a balanced review representing both sides of this national dilemma. Such a debate cannot occur exclusively within the Executive Branch of the Government because of its close affiliation with the law enforcement and national security communities and the absence of any effective representation for U.S. commercial interests. The Congress is the only organization that represents all constituencies affected by such a debate. In the interest of reaching a fair and timely resolution of this national issue, I strongly encourage the Congress to act swiftly to establish a national policy regarding the use of cryptography to resolve this dilemma and clarify all Americans' right to privacy.

2. Background

In the fall of 1992, AT&T announced a telephone security device that would provide high quality security using the DES algorithm to protect the public's sensitive phone calls. [3] Orders were taken for delivery in early 1993. When the devices arrived, purchasers were told they were only "on loan" and would be replaced by a "better" device in "April 1993." According to Dr. Clinton Brooks of NSA, AT&T came to NSA asking if they should use DES in these devices. [4] NSA realized that if it did not want DES to become widely used in such devices, it would have to accelerate the availability of technology it already had under development (now known as Clipper) that would give higher security than DES but with key escrow [5] capabilities to protect the interests of the law enforcement community. Apparently, AT&T decided to go along with NSA so long as the Clipper technology was made available on a timely basis.

On the same day in April that the President proclaimed the Clipper Initiative, "AT&T announced it would use the new chip in all its secure non-government telephones." [6] But the chips that implement Clipper have been delayed through manufacturing difficulties. So in early August AT&T announced immediate availability of two new non-Clipper, non-key escrow telephone security devices, using AT&T proprietary algorithms, one approved for export, the other not. At the same time, Cylink, a manufacturer of security equipment, announced a DES-based phone security device.

It would seem that in a little less than a year, we have come full circle. Once again there are telephone security devices (DES and non-DES) on the market, this time in open competition with the Government's proposed key escrow system that was intended to replace an earlier DES-based offering.

3. What are the Real Issues with Key Escrow

What impact will these new products have on the Government's voluntary program to have key escrow systems become widely used? Will the law-abiding public prefer to buy secure phones with or without key escrow, or just not buy them at all? And where is all of this headed in the computer communications world? Do we need/want key escrow capabilities for our communications? Can we afford the price we will have to pay for them? Before we can answer these questions we need to examine a number of difficult issues from practical, economic, and philosophical perspectives.

Law Enforcement's Wiretap Capabilities

An analysis of the prospects for the law enforcement community being able to maintain its present level of wiretap capability is contained in Appendix A. Through examination of a series of scenarios ranging from doing nothing to mandatory enforcement of key escrow cryptography for all phones in the U.S., it becomes clear that irreversible advances in digital telephony technology and growing availability of encryption will make it increasingly difficult to wiretap the communications of sophisticated criminal elements, with or without key escrow capabilities.

Conclusion: With respect to the feasibility of law enforcement's being able to continue present-day telephone wiretaps of illegal activities:

- Over the next few years, the law enforcement community will probably lose the technical ability to wiretap sophisticated criminal activities, regardless of whether we install key escrow systems or not, and conversely,

- the law enforcement community will almost certainly retain the technical ability to wiretap law-abiding citizens and unsophisticated criminals, regardless of whether we install key escrow systems or not.

Key Escrow Applied to Telephones and Computer Communications

The limited available information concerning how key escrow techniques will work for telephone and computer communications systems is analyzed in Appendix B. Key escrow techniques appear relatively straightforward in simple point-to-point telephone situations, but their application to sophisticated computer communications environments is much more complex. While technically feasible, these applications will be subject to a wide variety of software bypasses of the hardware-only key escrow provisions that will defeat their effectiveness. They will also impose a unique hardware expense on the user which will be unacceptable in most situations.

Conclusion: With respect to the use of key escrow for telephone communications:

- The emergence of the non-key escrow telephone security devices (such as the new AT&T and Cylink devices) will confuse the marketplace and deprive the Government of its hoped-for widespread voluntary use of key escrow.

With respect to the use of key escrow for computer network communications:

- Significant technical and legal complications confront the use of key escrow in computer applications. The Government's hardware-only restrictions for key escrow systems cannot be achieved in computer systems where software controls the basic applications for file transfer, electronic mail, and electronic commerce.

- No specific requirement for law enforcement wiretap of computer communications has been identified. Conventional search warrant procedures may be adequate for obtaining computer data rather than key-escrowed wiretaps.

International Acceptance of Key Escrow

The issues of international acceptance and use of key escrow techniques seem to have been poorly thought out in the Clipper plan. The sharing of escrowed keys with other governments opens technological, political, and psychological issues that are likely to be insurmountable. One need only consider the feelings of a U.S. citizen whose encryption keys were available to a collection of foreign interests to recognize that foreign interests will feel the same way about U.S. Government key escrow. While one can understand how individual governments might see advantages in such sharing, it is difficult to see how individual citizens anywhere will find the use of key escrow acceptable. In a world of growing multinational economies, key escrow arrangements among individual governments seem sadly out of place.

The Skipjack [7] Algorithm and Key Escrow Control Procedures

The Government's Skipjack review team found [8] that the algorithm used in the Clipper chip is sound and not subject to easy defeat by exhaustive key search [9] or shortcut attacks. I am fully prepared to accept this team's findings both because of the quality of people who performed the analysis and the belief that NSA would not introduce a flaw in an algorithm of this type. But the problem with Clipper, if there is one, will not be in the algorithm itself but with the key escrow control procedures which the Government is developing to grant law enforcement access to the Clipper keys. The key escrow control procedures, which are still not fully worked out, are intended to provide law enforcement with rapid access to keys while protecting the public from improper disclosure to unauthorized individuals. As described to the CSSPAB on July 29, 1993, the procedures appear to provide very limited protection against a government official who might be operating in an illegal manner.

Constitutional Rights Issues

Many people have discussed concerns about possible violations of the Constitutional rights of individual citizens by the use of key escrow procedures. I will defer such questions to others with a legal background. I do have one concern regarding the comment in the President's April 16 announcement that "the Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law." These two goals seem impossible to achieve at the same time. This seems to be more a "right to privacy from everyone but the Government," which is a long way from the Bill of Rights.

Overall Conclusion: Key escrow technology will NEITHER advance the public's right to privacy NOR protect it "from those who break the law." As desirable as those goals may be to the Government, the technical, economic, and personal privacy aspects of key escrow techniques will limit them from playing a significant role in our future telephone and computer communications systems. As our communication technologies continue their rapid evolution, we must be careful not to hamstring them with restrictive "solutions" to issues that have been overtaken by technology.

4. But what about protecting "all Americans' right to privacy"?

Even if key escrow can't assure the protection of Americans "from those who break the law," we can make progress on the other theme of the Clipper announcement, the protection of "all Americans' right to privacy"! There are several issues to be considered here:

Good cryptography (of the quality of DES) is already available worldwide and attempts to contain it in the U.S. are only hurting U.S. users and vendors.

Because of export restrictions, U.S. manufacturers are reluctant to integrate good cryptography into their products since they cannot sell them to the majority of their markets. This has multiple negative effects, such as:

- denying U.S. users good quality integrated encryption products even for use only in the U.S.,

- denying U.S. computer vendors significant overseas sales which automatically go to foreign vendors, and thus,

- exporting U.S. jobs in computer related industries to foreign countries.

An ongoing study of foreign availability of cryptography [10] has in only a few weeks found several hundred products, most of them DES-based, that are available just about anywhere in the world. Many of these products, being sold in the U.S., are from foreign manufacturers since many countries' export laws, while claiming to be similar to those of the U.S., make it quite easy to get export licenses to the U.S. Several German DES products are routinely sold here through a blanket export license. But once here, those products cannot leave the U.S. This situation effectively guarantees that whatever worldwide business there will be in products that use cryptography will go to those companies in those countries that can readily export their products. The U.S. is losing this very important and rapidly growing market.

And it's not just the sale of products that use cryptography that we are losing. When U.S. companies cannot supply reasonable cryptography fully integrated into their entire product line, they are losing the sale of major information systems, of which the cryptographic products may be only a small portion.

Mass market software is one of the few industries where the U.S. holds a significant technological and commercial advantage. Yet U.S. producers are reluctant to incorporate cryptography into their products, solely because of U.S. export uncertainty. The Software Publishers Association, in a major shift in U.S. export policy in 1992, obtained blanket export permission for encryption products using keys limited to 40-bit key lengths. However, the world market, which already has ready access to 56-bit key DES products, recognizes the weakness of 40-bit keys and simply will not accept them.

Government officials [11] complain that industry cannot provide an economic analysis of how much business is being lost through the imposition of export controls on cryptography. They have a right to complain, but they must understand that this is a rapidly emerging economic environment. Once we can document in detail what we are losing or have lost, the situation will be so far along that we will be out of the game and unable to recover. We must look at the indicators and adjust our strategy based on them or we will lose much more than the sale of a few cryptographic devices.

DES is not in the public domain?

The U.S. Department of State has declared that information about cryptography that is not in the public domain cannot be exported. When faced with the question, "Isn't DES in the public domain?" they insist that it is not. To do otherwise, of course, would be to admit that DES could be readily exported, which they are determined not to allow. If exportability of good quality encryption products were not a critical issue for the U.S. computer industry, this U.S. Government policy would be just one more case where policy ignores reality. Unfortunately, it's much