Interesting People mailing list archives

tex version of USACM Crypto report. Note The IEEE US Activities committee also took a position. Sorr


From: David Farber <>
Date: Mon, 4 Jul 1994 14:58:09 -0400

           Whenever a telephone line is tapped, the privacy of the persons
           at both ends of the line is invaded, and all conversations
           between them upon any subject, and although proper, 
           confidential and privileged, may be overheard.  Moreover, 
           the tapping of one man's telephone line involves the 
           tapping of the telephone of every other person whom he may 
           call, or who may call him.  As a means of espionage, writs 
           of assistance and general warrants are but puny instruments 
           of tyranny and oppression when compared with wire tapping [Olm,
           pp. 570-571].
\end{quote}


Almost forty years later, Brandeis's dissent underlay the Supreme Court
opinion overruling Olmstead.  In 1967, in Katz v. United States, the
Supreme Court recognized that there was a ``reasonable expectation of
privacy'' in making a phone call -- even if the call were at a public phone
booth.  The court held that a search warrant was required for wiretapping [Katz].


Privacy rights are one of the individual's most potent defenses against the
state.  Privacy rights of the individual are embedded in the Fourth and
Fifth Amendments.  They are embedded in the Katz decision.  Brandeis
observed that privacy lies at the heart of Constitutional freedom:


\begin{quote}
            
            The makers of our Constitution undertook to secure 
            conditions favorable to the pursuit of happiness.
            They recognized the significance of man's spiritual
            nature, of his feelings and his intellect ... They 
            sought to protect Americans in their beliefs, their 
            thoughts, their emotions and their sensations.  They 
            conferred, as against the government, the right to be 
            let alone -- the most comprehensive of rights and the 
            right most valued by civilized man ... [Olm, pg. 752].


\end{quote}


Privacy is also of the heart.  Citizens of the former East Bloc countries
testify to the corruption of society that resulted from a loss of privacy.
In East Germany, the pervasive collection of information about individuals
led to an inability to trust human relationships on even the most intimate
levels [Kinz].  The United States is a very different nation, with a very
different history.  Nonetheless, loss of privacy occurs here, sometimes in
small ways, sometimes unnoticed, but together these losses change the
fabric of society [Abra].


\begin{center}


Privacy in a Technological Society


\end{center}


\noindent Sometimes privacy is traded for convenience.  We are captured on
video recordings as we shop; we leave behind electronic chronicles as we
charge phone calls.  We pay for milk and bread via an ATM withdrawal at the
supermarket, and we leave a record of our actions where five years ago we
would have left a five-dollar bill.  Sometimes it is traded for safety.
Each day hundreds of thousands of people pass through metal detectors to
get on airplanes.  Most people consider those intrusions of privacy
well worth the assurance of greater public safety.


The emerging technologies of the Information Age are revolutionizing the
ways in which people exchange information and transact business.  Much
constitutionally protected activity -- political, social, cultural,
financial -- will soon occur electronically.  Regardless of the ease and
availability of encryption, many electronic communications will not be
encrypted. But many people would prefer to keep other interactions, from
social to financial, private.  Government and citizenry agree that as the
nation faces such technological challenges as the National Information
Infrastructure, electronic communications require privacy protection.  A
split arises in how much protection is needed, and what kind.


One of the concerns raised by the American Civil Liberties Union and
Computer Professionals for Social Responsibility is that governmental
attempts to limit the use of cryptography, whether through force of law, or
through more subtle efforts such as market domination, can result in a
serious erosion of the rights to privacy.  It has been pointed out that the
Fifth Amendment's protection against compelled self-incrimination creates a
substantial obstacle in the prosecution of criminal activity, yet the
Amendment remains a valued part of American jurisprudence.  No law can
guarantee that a subpoena or search warrant will result in the revelation
of the contents of a private message.


Civil-liberties groups believe that constitutional protections need to keep
pace with new technology.  They argue that government action should not
weaken the privacy protection a citizen can use, and that Americans should
enjoy the ability to protect communications by the strongest means
possible, including the best commercially available encryption.


In any society, laws build on what came before.  In the next chapter, we
present an overview of cryptography policy during the last two decades.


\newpage
\begin{center}
Notes
\end{center}
{\small
\begin{enumerate}


\item HEW Advisory Committee on Automated Personnel Data
Systems, Records, Computers and the Rights of Citizens, 1973,  pg. 69.


\item These include the Foreign Intelligence Surveillance Act,
and Executive Order 12333, which restrict NSA's activities targeting U.S.
persons.  In addition, oversight processes were established: President's
Intelligence Oversight Board, DoD Intelligence Oversight, Attorney
General's Office of Intelligence Policy and Review, Senate Select Committee
on Intelligence, and House Permanent Select Committee on Intelligence.


\end{enumerate}}
\newpage
\chapter{Cryptography in Public: A Brief History}


Cryptography is being debated in public -- again.  The particular
confluence of events -- the worldwide availability of strong cryptosystems
(including DES and RSA), the accessibility of computer networks, and the
Escrowed Encryption Standard -- is new, but as cryptography has evolved
from a military tool to a corporate product, many policy issues have been
discussed and resolved.  Reinventing the wheel is poor engineering; it is
even worse in public policy.  The current discussion of cryptography needs
to be placed in context.


The overriding conflict is the same as it has been for two decades: Who
should make the policy decisions for civilian cryptography?  Before
commercial and academic groups became active in developing cryptography,
the area ``belonged'' to the National Security Agency.  Twenty years ago,
conflicts over control of cryptography arose.  In 1987, Congress passed the
Computer Security Act, legislating that decisions about civilian computer
security (including cryptography) would be made by a civilian agency.
Seven years later Computer Professionals for Social Responsibility (CPSR)
and various industrial organizations believe the NSA dominates civilian
cryptography policy, a charge members of the defense agency dispute.  This
chapter presents a brief review of the last twenty years of cryptography in
the public domain.  The story has several strands, which we have separated
into sections: (i) The Government's Standard: DES; (ii) Cryptography
Research in the late 1970s: The Emerging Conflict; (iii) The Mid-Eighties:
the Computer Security Act; (iv) the Digital Signature Standard; and (v)
Securing the Communications Infrastructure: Digital Telephony and EES.


\begin{center}
             The Government's Standard: DES


\end{center}


\noindent Our history begins in the mid-seventies.  
The Federal government sparked the encryption controversy when, in 1975, the
National Bureau of Standards (NBS) proposed a Data Encryption Standard
(DES).  What the Bureau published in the Federal Register was an IBM design
with changes recommended by the NSA, including a shorter key length (56
bits).  


A public comment period followed.  Concern centered on whether the key
length left the algorithm vulnerable to attack and whether the algorithm
contained a trapdoor.  Finally in 1977, DES (with a 56-bit key) was issued
as a Federal Information Processing Standard (FIPS); the standard has been
subject to a review every five years.  It was recertified in December 1993.


Only recently -- nineteen years after DES was introduced -- have any
attacks short of exhaustive search threatened the security of the algorithm
[Mats, BiSh].  As discussed in Chapter 1, DES is used in a broad array of
applications.


\begin{center}
  Cryptography Research in the late 1970s: The Emerging Conflict
\end{center}


\noindent In the mid-seventies Whitfield Diffie and Martin Hellman at
Stanford were wrestling with two problems:


\begin{itemize}
\item Key distribution: In the absence of a secure method to exchange
information, how do two distant parties exchange keys?

\item Digital signatures: Could a method be devised so as to provide the
recipient of an electronic message a way of demonstrating that the
communication had come from a particular person?
\end{itemize}


\noindent This led to public-key cryptography and the RSA algorithm
(described in Chapter 1).


The RSA algorithm attracted interest from a number of circles.  Ronald
Rivest planned to present the work at an IEEE conference in Ithaca, New
York.  Before the conference, the authors received a letter from one
``J.A.Meyer,'' who warned that since foreign nationals would be present at
the scientific meeting, publication of the result was a potential violation
of the International Traffic in Arms Regulations.


On lawyers' advice, the MIT scientists halted distribution of their paper
so that the matter could be reviewed.  Meyer was identified as an employee
of NSA; the Agency promptly disavowed his letter.  Rivest presented the
paper. The scientists resumed distribution, and the furor died down for the
moment.


The following year brought a new incident and greater apprehensions. This
time NSA involvement was official.  The Agency requested a secrecy order on
a patent application submitted by George Davida, a professor at the
University of Wisconsin; this meant that Davida could not publish or
discuss his research.  After Davida and the University of Wisconsin
chancellor publicly protested, the secrecy order was lifted.


In 1979, the director of the NSA went public with the Agency's concerns.
In a speech at the Armed Forces Communications and Electronics Association,
Admiral Bobby Inman warned that open publication of cryptography research
was harmful to national security.  NSA would seek statutory authority
limiting publication of cryptographic research unless a satisfactory
solution could be found.


The American Council on Education formed a study group that recommended a
two-year experiment in prepublication review by NSA of all
cryptography research [PCSG].  Review would be voluntary and prompt.
Despite the voluntary nature of the review, there was anxiety in the
academic cryptography community that this process would have a chilling
effect on the emerging field.


Meanwhile there was action on a third front: funding.  Two agencies were
responsible for funding cryptography research: NSA and the National Science
Foundation (NSF), the organization responsible for support of ``basic''
research.  When Adleman submitted a research proposal to the NSF in the
spring of 1980, the situation came to a head. NSA offered to fund the
cryptographic portions of the grant; NSF declined.  (NSF policy is to
refuse to support work with alternative funding sources.)  Adleman feared
that NSA's requirement of prior review of research could lead to
classification of his work.  An agreement was reached at the White House:
both agencies would fund work in cryptography.


Fourteen years later, the two-year experiment in prepublication review
continues.  However, researchers' fears about prior restraint and impounded
research have eased.  There have been times when an author, on NSA request,
did not publish; there have been NSA suggestions for ``minor'' changes in
some papers [Land, pg. 11]. But the requests have been few; the academic community
has not felt imposed upon by the prepublication reviews.  On one occasion,
NSA apparently aided the academic community in lifting a secrecy order
placed on a patent application.  Shamir was one of the researchers
involved, and he thanked ``the NSA ... who were extremely helpful behind the
scenes ...'' [Land, pt. 12]. As far as the research community has been
concerned, it is fair to say that there have been no long-term chilling
effects. 




\begin{center}
              The Mid-Eighties: The Computer Security Act


\end{center}


\noindent The concerns of the 1970s -- government interference
in the development of publicly available cryptography -- seemed to have
been laid to rest.  Then in September 1984, President Reagan issued
National Security Decision Directive (NSDD-145), establishing the
safeguarding of sensitive but unclassified information in communications
and computer systems as Federal policy.  NSDD-145 stipulated a Defense
Department management structure to implement the policy: the NSA, the
National Security Council, and the Department of Defense.  There were many
objections to this plan, from a variety of constituencies.  Congress
protested the expansion of Presidential authority to policy-making without
legislative participation.  From the ACLU to Mead Data Central, a broad
array of industrial and civil liberty organizations objected to Department
of Defense control of unclassified information in the civilian sector
[USHR-87].


Congress responded. In 1987 it passed the Computer Security Act (CSA),
which:


\begin{quote}
              ... assign[s] to the National Bureau of Standards
              responsibility for developing standards and 
              guidelines to assure cost-effective security 
              and privacy of sensitive information in Federal
              computer systems, drawing on the technical advice
              and assistance (including work products) of the 
              National Security Agency, where appropriate.  
\end{quote}
Civilian computing standards were to be set by a civilian agency.  NSA was
placed in an advisory role. The legislative history of the Act makes that
desire clear:
\begin{quote}
              The key question during the hearings was: Should
              a military intelligence agency, NSA, or a civilian
              agency, NBS, be in charge of the government's 
              computer standards program?  The activities of NSA
              ... reinforced the view of the Committee and many 
              others that NSA is the wrong agency to be put in 
              charge of this important program [USHR-87, pg.19].


             Since work on technical security standards 
             represents virtually all of the research 
             effort being done today, NSA would take over
             virtually the entire computer standards from 
             the Bureau of Standards.  By putting NSA in 
             charge of developing technical security 
             guidelines (software, hardware, communications),
             NBS would be left with the responsibility for
             only administrative and physical security 
             measures -- which have generally been done years
             ago.  NBS, in effect, would on the surface be
             given the responsibility for the computer 
             standards program with little to say about the 
             most important part of the program  -- the 
             technical guidelines developed by NSA [USHR-87, pg.95].


\end{quote}


The House was specifically concerned that cryptography be allowed to
develop in the public sector:


\begin{quote}


            ...  NSA's secretiveness resulted in an 
            inappropriate approach when it attempted 
            to deal with national policy issues 
            such as the issue of public cryptography.  
            Historically, this science has been the 
            exclusive domain of government, and in this 
            country it is one of NSA's primary missions.  
            However, with the advent of modern computers 
            and communications, there has been in recent 
            years considerable interest in cryptography, 
            particularly by the business community, which 
            is interested in keeping its proprietary 
            information from competitors.  As a result of 
            the emerging need to protect information, the 
            academic community has done research work in 
            the field.  NSA has made numerous attempts to 
            either stop such work or to make sure it has 
            control over the work by funding it, pre-publication 
            reviews or other methods [USHR-87, pg.21].
\end{quote}


During the debate on the Act, Director of the Office of Management and
Budget, Jim Miller, had told the Government Operations Committee how the
legislation would be implemented:
\begin{quote}


             Computer security standards, like other computer
             standards, will be developed in accordance with 
             established NBS procedures.  In this regard the 
             technical security guidelines provided by NSA to 
             NBS will be treated as advisory and subject to 
             appropriate NBS review [USHR-87, pg. 37].


\end{quote} 


The implementation of the Act has been controversial.  The National
Institute of Standards and Technology (NIST, formerly NBS) and NSA 
signed a Memorandum of Understanding (MOU) to implement the Act, 
outlining areas of necessary agency interaction.  As part of this, they 
established a Technical Working Group ``to review and analyze issues of 
mutual interest pertinent to protection of systems that process sensitive 
or other unclassified information.''   The MOU also states:
 
\begin{quote}
        The NIST and the NSA shall ensure the Technical
        Working Group reviews prior to public disclosure
        all matters regarding technical systems security 
        techniques to be developed for use in protecting
        sensitive information in federal computer systems
        to ensure they are consistent with the national
        security of the United States.
\end{quote}
 
In this document, NIST and NSA were acknowledging that the public
development or promulgation of technical security standards regarding
cryptography could present a serious possibility of harm to national
security.  Critics of the MOU, including CPSR, contended that Congress,
cognizant of the national security considerations, had nonetheless sought
to restrict NSA's ability to dictate the selection of security standards
for unclassified information standards. These critics contend that this and
other aspects of the MOU violate the intent of Congress.  In the next two
sections of this chapter, we examine several Federal initiatives in
cryptography, two of which had a large NSA role.




\begin{center}
                         Digital Signature Standard
\end{center}


\noindent As noted in Chapter 1, cryptography performs a variety of
functions: ``[It] can help prevent penetration from the outside. It can
protect the privacy of users of the system so that only authorized
participants can comprehend communications.  It can ensure integrity of the
communications.  It can increase assurance that the received messages are
genuine.''


Digital signatures facilitate electronic funds transfer, commitment of
computer resources, and signing of documents.  Without that electronic
establishment of authenticity, how can you establish the validity of a
signature on an electronic contract?  It was no surprise that NIST should
decide to establish a digital-signature standard; the one the agency chose
was.


RSA Data Security was established in 1981; by 1991 the list of purchasers
of its digital-signature technology included Apple, AT\&T, DEC, IBM, Lotus,
Microsoft, Northern Telecom, Novell, Sun, and WordPerfect.  RSA had been
accepted as a standard by several standards organizations;\footnotemark\  it
was fast on its way to becoming the de facto digital-signature standard.


In establishing a standard for digital signatures, NIST's criteria were
somewhat different from those of the computer industry.  In particular, the
government wanted to avoid the possibility that the digital-signature
standard could be used for confidentiality. It was also important that the
standard be nonproprietary.  NIST proposed the Digital Signature Standard
(DSS) [NIST-XX] as a FIPS.  There was great consternation -- and not only
at RSA Data Security. It was immediately apparent that DSS could not
interoperate with digital signatures already in use.


Although NIST announced that DSS would be patented by the government and
would be available free of charge, patent problems arose immediately.  The
government agency had chosen an algorithm that was based on unpatented work
of an independent researcher, Tahir ElGamal.  David Kravitz, an employee of
NSA, filed a patent application for the Digital Signature Algorithm; this 
was subsequently awarded [Krav].


To its chagrin, NIST discovered that Claus Schnorr, a German mathematician,
had already received U.S. and German patents for a similar algorithm
[Schn-89, Schn-90b].  Public Key Partners (PKP) acquired Schnorr's patent

