Interesting People mailing list archives
tex version of USACM Crypto report. Note The IEEE US Activities committee also took a position. Sorr
From: David Farber <>
Date: Mon, 4 Jul 1994 14:58:09 -0400
Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded, and all conversations between them upon any subject, and although proper, confidential and privileged, may be overheard. Moreover, the tapping of one man's telephone line involves the tapping of the telephone of every other person whom he may call, or who may call him. As a means of espionage, writs of assistance and general warrants are but puny instruments of tyranny and oppression when compared with wire tapping [Olm, pp. 570-571].
\end{quote}
Almost forty years later, Brandeis's dissent underlay the Supreme Court opinion overruling Olmstead. In 1967, in Katz v. United States, the Supreme Court recognized that there was a ``reasonable expectation of privacy'' in making a phone call -- even if the call were at a public phone booth. The court held that a search warrant was required for wiretapping [Katz].

Privacy rights are one of the individual's most potent defenses against the state. Privacy rights of the individual are embedded in the Fourth and Fifth Amendments. They are embedded in the Katz decision. Brandeis observed that privacy lies at the heart of Constitutional freedom:
\begin{quote}
The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. They recognized the significance of man's spiritual nature, of his feelings and his intellect ... They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone -- the most comprehensive of rights and the right most valued by civilized man ... [Olm, pg. 752].
\end{quote}
Privacy is also of the heart. Citizens of the former East Bloc countries testify to the corruption of society that resulted from a loss of privacy.
In East Germany, the pervasive collection of information about individuals led to an inability to trust human relationships on even the most intimate levels [Kinz]. The United States is a very different nation, with a very different history. Nonetheless, loss of privacy occurs here, sometimes in small ways, sometimes unnoticed, but together these losses change the fabric of society [Abra].

\begin{center}
Privacy in a Technological Society
\end{center}

\noindent Sometimes privacy is traded for convenience. We are captured on video recordings as we shop; we leave behind electronic chronicles as we charge phone calls. We pay for milk and bread via an ATM withdrawal at the supermarket, and we leave a record of our actions where five years ago we would have left a five-dollar bill. Sometimes it is traded for safety. Each day hundreds of thousands of people pass through metal detectors to get on airplanes. Most people consider those intrusions of privacy well worth the assurance of greater public safety.

The emerging technologies of the Information Age are revolutionizing the ways in which people exchange information and transact business. Much constitutionally protected activity -- political, social, cultural, financial -- will soon occur electronically. Regardless of the ease and availability of encryption, many electronic communications will not be encrypted. But many people would prefer to keep other interactions, from social to financial, private. Government and citizenry agree that as the nation faces such technological challenges as the National Information Infrastructure, electronic communications require privacy protection. A split arises in how much protection is needed, and what kind.
One of the concerns raised by the American Civil Liberties Union and Computer Professionals for Social Responsibility is that governmental attempts to limit the use of cryptography, whether through force of law, or through more subtle efforts such as market domination, can result in a serious erosion of the rights to privacy. It has been pointed out that the Fifth Amendment's protection against compelled self-incrimination creates a substantial obstacle in the prosecution of criminal activity, yet the Amendment remains a valued part of American jurisprudence. No law can guarantee that a subpoena or search warrant will result in the revelation of the contents of a private message. Civil-liberties groups believe that constitutional protections need to keep pace with new technology. They argue that government action should not weaken the privacy protection a citizen can use, and that Americans should enjoy the ability to protect communications by the strongest means possible, including the best commercially available encryption.

In any society, laws build on what came before. In the next chapter, we present an overview of cryptography policy during the last two decades.

\newpage

\begin{center}
Notes
\end{center}

{\small
\begin{enumerate}
\item HEW Advisory Committee on Automated Personnel Data Systems, Records, Computers and the Rights of Citizens, 1973, pg. 69.
\item These include the Foreign Intelligence Surveillance Act, and Executive Order 12333, which restrict NSA's activities targeting U.S. persons. In addition, oversight processes were established: President's Intelligence Oversight Board, DoD Intelligence Oversight, Attorney General's Office of Intelligence Policy and Review, Senate Select Committee on Intelligence, and House Permanent Select Committee on Intelligence.
\end{enumerate}}

\newpage

\chapter{Cryptography in Public: A Brief History}

Cryptography is being debated in public -- again.
The particular confluence of events -- the worldwide availability of strong cryptosystems (including DES and RSA), the accessibility of computer networks, and the Escrowed Encryption Standard -- is new, but as cryptography has evolved from a military tool to a corporate product, many policy issues have been discussed and resolved. Reinventing the wheel is poor engineering; it is even worse in public policy. The current discussion of cryptography needs to be placed in context. The overriding conflict is the same as it has been for two decades: Who should make the policy decisions for civilian cryptography?

Before commercial and academic groups became active in developing cryptography, the area ``belonged'' to the National Security Agency. Twenty years ago, conflicts over control of cryptography arose. In 1987, Congress passed the Computer Security Act, legislating that decisions about civilian computer security (including cryptography) would be made by a civilian agency. Seven years later Computer Professionals for Social Responsibility (CPSR) and various industrial organizations believe the NSA dominates civilian cryptography policy, a charge members of the defense agency dispute.

This chapter presents a brief review of the last twenty years of cryptography in the public domain. The story has several strands, which we have separated into sections: (i) The Government's Standard: DES; (ii) Cryptography Research in the late 1970s: The Emerging Conflict; (iii) The Mid-Eighties: the Computer Security Act; (iv) the Digital Signature Standard; and (v) Securing the Communications Infrastructure: Digital Telephony and EES.

\begin{center}
The Government's Standard: DES
\end{center}

\noindent Our history begins in the mid-seventies. The Federal government sparked the encryption controversy when, in 1975, the National Bureau of Standards (NBS) proposed a Data Encryption Standard (DES).
What the Bureau published in the Federal Register was an IBM design with changes recommended by the NSA, including a shorter key length (56 bits). A public comment period followed. Concern centered on whether the key length left the algorithm vulnerable to attack and whether the algorithm contained a trapdoor. Finally in 1977, DES (with a 56-bit key) was issued as a Federal Information Processing Standard (FIPS); the standard has been subject to a review every five years. It was recertified in December 1993. Only recently -- nineteen years after DES was introduced -- have any attacks short of exhaustive search threatened the security of the algorithm [Mats, BiSh]. As discussed in Chapter 1, DES is used in a broad array of applications.

\begin{center}
Cryptography Research in the late 1970s: The Emerging Conflict
\end{center}

\noindent In the mid-seventies Whitfield Diffie and Martin Hellman at Stanford were wrestling with two problems:
\begin{itemize}
\item Key distribution: In the absence of a secure method to exchange information, how do two distant parties exchange keys?
\item Digital signatures: Could a method be devised so as to provide the recipient of an electronic message a way of demonstrating that the communication had come from a particular person?
\end{itemize}
\noindent This led to public-key cryptography and the RSA algorithm (described in Chapter 1).

The RSA algorithm attracted interest from a number of circles. Ronald Rivest planned to present the work at an IEEE conference in Ithaca, New York. Before the conference, the authors received a letter from one ``J.A.Meyer,'' who warned that since foreign nationals would be present at the scientific meeting, publication of the result was a potential violation of the International Traffic in Arms Regulations. On lawyers' advice, the MIT scientists halted distribution of their paper so that the matter could be reviewed. Meyer was identified as an employee of NSA; the Agency promptly disavowed his letter. Rivest presented the paper.
The scientists resumed distribution, and the furor died down for the moment.

The following year brought a new incident and greater apprehensions. This time NSA involvement was official. The Agency requested a secrecy order on a patent application submitted by George Davida, a professor at the University of Wisconsin; this meant that Davida could not publish or discuss his research. After Davida and the University of Wisconsin chancellor publicly protested, the secrecy order was lifted.

In 1979, the director of the NSA went public with the Agency's concerns. In a speech at the Armed Forces Communications and Electronics Association, Admiral Bobby Inman warned that open publication of cryptography research was harmful to national security. NSA would seek statutory authority limiting publication of cryptographic research unless a satisfactory solution could be found. The American Council on Education formed a study group that recommended a two-year experiment in prepublication review by NSA of all cryptography research [PCSG]. Review would be voluntary and prompt. Despite the voluntary nature of the review, there was anxiety in the academic cryptography community that this process would have a chilling effect on the emerging field.

Meanwhile there was action on a third front: funding. Two agencies were responsible for funding cryptography research: NSA and the National Science Foundation (NSF), the organization responsible for support of ``basic'' research. When Adleman submitted a research proposal to the NSF in the spring of 1980, the situation came to a head. NSA offered to fund the cryptographic portions of the grant; NSF declined. (NSF policy is to refuse to support work with alternative funding sources.) Adleman feared that NSA's requirement of prior review of research could lead to classification of his work. An agreement was reached at the White House: both agencies would fund work in cryptography.
Fourteen years later, the two-year experiment in prepublication review continues. However, researchers' fears about prior restraint and impounded research have eased. There have been times when an author, on NSA request, did not publish; there have been NSA suggestions for ``minor'' changes in some papers [Land, pg. 11]. But the requests have been few; the academic community has not felt imposed upon by the prepublication reviews. On one occasion, NSA apparently aided the academic community in lifting a secrecy order placed on a patent application. Shamir was one of the researchers involved, and he thanked ``the NSA ... who were extremely helpful behind the scenes ...'' [Land, pt. 12]. As far as the research community has been concerned, it is fair to say that there have been no long-term chilling effects.

\begin{center}
The Mid-Eighties: The Computer Security Act
\end{center}

\noindent The concerns of the 1970s -- government interference in the development of publicly available cryptography -- seemed to have been laid to rest. Then in September 1984, President Reagan issued National Security Decision Directive (NSDD-145), establishing the safeguarding of sensitive but unclassified information in communications and computer systems as Federal policy. NSDD-145 stipulated a Defense Department management structure to implement the policy: the NSA, the National Security Council, and the Department of Defense.

There were many objections to this plan, from a variety of constituencies. Congress protested the expansion of Presidential authority to policy-making without legislative participation. From the ACLU to Mead Data Central, a broad array of industrial and civil liberty organizations objected to Department of Defense control of unclassified information in the civilian sector [USHR-87].

Congress responded. In 1987 it passed the Computer Security Act (CSA), which:
\begin{quote}
...
assign[s] to the National Bureau of Standards responsibility for developing standards and guidelines to assure cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate.
\end{quote}
Civilian computing standards were to be set by a civilian agency. NSA was placed in an advisory role. The legislative history of the Act makes that desire clear:
\begin{quote}
The key question during the hearings was: Should a military intelligence agency, NSA, or a civilian agency, NBS, be in charge of the government's computer standards program? The activities of NSA ... reinforced the view of the Committee and many others that NSA is the wrong agency to be put in charge of this important program [USHR-87, pg. 19].

Since work on technical security standards represents virtually all of the research effort being done today, NSA would take over virtually the entire computer standards from the Bureau of Standards. By putting NSA in charge of developing technical security guidelines (software, hardware, communications), NBS would be left with the responsibility for only administrative and physical security measures -- which have generally been done years ago. NBS, in effect, would on the surface be given the responsibility for the computer standards program with little to say about the most important part of the program -- the technical guidelines developed by NSA [USHR-87, pg. 95].
\end{quote}
The House was specifically concerned that cryptography be allowed to develop in the public sector:
\begin{quote}
... NSA's secretiveness resulted in an inappropriate approach when it attempted to deal with national policy issues such as the issue of public cryptography. Historically, this science has been the exclusive domain of government, and in this country it is one of NSA's primary missions.
However, with the advent of modern computers and communications, there has been in recent years considerable interest in cryptography, particularly by the business community, which is interested in keeping its proprietary information from competitors. As a result of the emerging need to protect information, the academic community has done research work in the field. NSA has made numerous attempts to either stop such work or to make sure it has control over the work by funding it, pre-publication reviews or other methods [USHR-87, pg. 21].
\end{quote}
During the debate on the Act, Director of the Office of Management and Budget, Jim Miller, had told the Government Operations Committee how the legislation would be implemented:
\begin{quote}
Computer security standards, like other computer standards, will be developed in accordance with established NBS procedures. In this regard the technical security guidelines provided by NSA to NBS will be treated as advisory and subject to appropriate NBS review [USHR-87, pg. 37].
\end{quote}
The implementation of the Act has been controversial. The National Institute of Standards and Technology (NIST, formerly NBS) and NSA signed a Memorandum of Understanding (MOU) to implement the Act, outlining areas of necessary agency interaction. As part of this, they established a Technical Working Group ``to review and analyze issues of mutual interest pertinent to protection of systems that process sensitive or other unclassified information.'' The MOU also states:
\begin{quote}
The NIST and the NSA shall ensure the Technical Working Group reviews prior to public disclosure all matters regarding technical systems security techniques to be developed for use in protecting sensitive information in federal computer systems to ensure they are consistent with the national security of the United States.
\end{quote}
In this document, NIST and NSA were acknowledging that the public development or promulgation of technical security standards regarding cryptography could present a serious possibility of harm to national security. Critics of the MOU, including CPSR, contended that Congress, cognizant of the national security considerations, had nonetheless sought to restrict NSA's ability to dictate the selection of security standards for unclassified information standards. These critics contend that this and other aspects of the MOU violate the intent of Congress.

In the next two sections of this chapter, we examine several Federal initiatives in cryptography, two of which had a large NSA role.

\begin{center}
Digital Signature Standard
\end{center}

\noindent As noted in Chapter 1, cryptography performs a variety of functions: ``[It] can help prevent penetration from the outside. It can protect the privacy of users of the system so that only authorized participants can comprehend communications. It can ensure integrity of the communications. It can increase assurance that the received messages are genuine.'' Digital signatures facilitate electronic funds transfer, commitment of computer resources, and signing of documents. Without that electronic establishment of authenticity, how can you establish the validity of a signature on an electronic contract?

It was no surprise that NIST should decide to establish a digital-signature standard; the one the agency chose was. RSA Data Security was established in 1981; by 1991 the list of purchasers of its digital-signature technology included Apple, AT\&T, DEC, IBM, Lotus, Microsoft, Northern Telecom, Novell, Sun, and WordPerfect. RSA had been accepted as a standard by several standards organizations;\footnotemark\ it was fast on its way to becoming the de facto digital-signature standard.

In establishing a standard for digital signatures, NIST's criteria were somewhat different from those of the computer industry.
In particular, the government wanted to avoid the possibility that the digital-signature standard could be used for confidentiality. It was also important that the standard be nonproprietary. NIST proposed the Digital Signature Standard (DSS) [NIST-XX] as a FIPS.

There was great consternation -- and not only at RSA Data Security. It was immediately apparent that DSS could not interoperate with digital signatures already in use. Although NIST announced that DSS would be patented by the government and would be available free of charge, patent problems arose immediately. The government agency had chosen an algorithm that was based on unpatented work of an independent researcher, Taher ElGamal. David Kravitz, an employee of NSA, filed a patent application for the Digital Signature Algorithm; this was subsequently awarded [Krav]. To its chagrin, NIST discovered that Claus Schnorr, a German mathematician, had already received U.S. and German patents for a similar algorithm [Schn-89, Schn-90b]. Public Key Partners (PKP) acquired Schnorr's patent