Interesting People mailing list archives
tex version of USACM Crypto report. Note The IEEE US Activities committee also took a position. Sorr
From: David Farber
Date: Mon, 4 Jul 1994 14:58:09 -0400
rights. PKP offered the government free use of the algorithm in exchange for exclusive rights to Kravitz's algorithm. Under the PKP proposal, DSS users outside the Federal government would have to pay for use of the DSS algorithm. Following public opposition, the government declined the offer. There were other objections to DSS, most notably that NIST was promulgating a weak standard. NIST proposed a key size of 512 bits. Earlier work on the algorithm had suggested that 512 bits ``appear[ed] to offer only marginal security'' [LaOd, BFS]. Scientists complained that restricting the key size unnecessarily constrained flexibility, and that improvements in algorithms could quickly render the NIST standard obsolete. A flexible key size would not have that difficulty. These issues were similar to ones raised when DES was proposed. There were also differences from the DES situation, and these raised concern. For DSS, there had been no public request for proposals, and NSA had designed the algorithm. CPSR and members of industry and academia asserted that NIST's reliance on NSA was directly contrary to the Computer Security Act. These concerns were noted by Representative Jack Brooks, who had served as Chairman of the House Government Operations Committee during the passage of the Computer Security Act:
\begin{quote}
[u]nder the Computer Security Act of 1987, the Department of Commerce [through NIST] has primary responsibility for establishing computer security standards including those dealing with cryptography. However, many in industry are concerned that in spite of the Act, the NSA continues to control the Commerce Department's work in this area. For example, Commerce (at the urging of the National Security Agency) has proposed a ``digital signature standard'' (DSS) that has been severely criticized by the computer and telecommunications industry [USHR-92, pg.2].
\end{quote}
DSS was proposed in 1991.
Public concerns resulted in modifications, including a flexible key size (key sizes from 512 to 1024 bits are permitted, in jumps of 64 bits). Problems with the patent have slowed the process, but on May 19, 1994, the government adopted DSS as a Federal Standard [FIPS-186], announcing that the ``Department of Commerce is not aware of patents that would be infringed by this standard'' [NIST-186]. James Bidzos, President of both PKP and RSA Data Security Inc., believes otherwise, ``We disagree. There are a number of patents that we believe cover DSS.''

\begin{center}
Securing the Communications Infrastructure: Digital Telephony and EES
\end{center}

\noindent As the phone system has moved to a digital system, another issue arises. Encryption affects the government's ability to comprehend an intercepted signal, but the government is also concerned about its ability to intercept the signal. For this reason we include a discussion of the FBI's ``Digital Telephony'' proposal in this chapter. As a result of increasing standardization of telephone switching practices, modern communication systems can provide much more information about each call, revealing in real time where the call came from even when it originates a long way away. But advanced communications systems, including such improvements as cellular telephones and call forwarding, can also present problems to law enforcement. The FBI was concerned about the ability of service providers to locate a call and, at law enforcement's behest, install a tap. In 1992, the Bureau prepared a legislative proposal. At the time, the FBI was responding more to a problem the Bureau saw coming than to one that had hit full force. A Washington Post story of April 30, 1992 reported that ``FBI officials said they have not yet fumbled a criminal probe due to the inability to tap a phone ...'' [Mint].
The FBI contended that there were numerous cases where court orders had not been sought, executed, or fully carried out by law-enforcement agencies because of technological problems [DGBBBRGM, pg. 26]. However, Freedom of Information Act litigation initiated by CPSR in April 1992 produced no evidence of technical difficulties preventing the FBI from executing wiretaps as of December 1992. Major members of the computer and communications industries, including AT\&T, Digital Equipment, Lotus, Microsoft, and Sun, strongly opposed the 1992 proposal. The Electronic Frontier Foundation helped coordinate this opposition. Industry was particularly concerned that the proposal was too broad, covering operators of private branch exchanges and computer networks. Industry feared that it would have to foot the bill. The General Accounting Office briefed Congress, and expressed concern that alternatives to the Digital Telephony proposal had not been fully explored [GAO-92]. The U.S. General Services Administration characterized the proposed legislation as unnecessary and potentially harmful to the nation's competitiveness [GSA-92]. There were no Congressional sponsors for the proposal. In 1994, the FBI has prepared a revised proposal that limits the scope to common carriers and allocates \$500 million to cover their costs. Carriers would have three years to comply; after that, failure to fulfill a wiretap order could result in a fine of up to ten thousand dollars a day. The revised proposal, the ``Digital Telephony and Communications Privacy Improvements Act of 1994,'' was submitted to Congress in March 1994. 
On February 17, 1994, FBI Director Louis Freeh reiterated the agency's concerns in a speech to the Executives' Club of Chicago: ``Development of technology is moving so rapidly that several hundred court-authorized surveillances already have been prevented by new technological impediments with advanced communications equipment.'' In testimony to Congress on March 18, 1994, Freeh reported that a 1993 informal survey of federal, state and local law-enforcement agencies revealed 91 instances of recent court orders for electronic surveillance that could not be fully implemented [Freeh, pg 33]. The problems were due to a variety of causes, including 29 cases of special calling features (such as call forwarding), and 30 cases involving difficulties with cellular phones (including the inability of the carriers to provide dialed number information). Under questioning by Senator Leahy, Freeh answered that the FBI had not encountered court-authorized wiretap orders the Bureau could not execute due to digital telephony. However, in his prepared testimony Freeh cited two examples where wiretaps could not be executed due to digital telephony [Freeh, pg. 34]. While wiretapping can procure signals, secure telephones can render those signals useless to the wiretapper. Secure telephones using advanced key management are widespread in the national security community. Although voice-encryption systems for the commercial market have been a staple of companies such as Gretag and Crypto AG in Switzerland and Datotek and TCC in the U.S., only in 1992 was the first mass market device for secure voice encryption brought forth by a major corporation. AT\&T announced the Model 3600 Telephone Security Device, which employed a DES chip for encryption. The Department of Justice had been concerned about just such a development, and a federal initiative had been underway to preempt it. 
In April 1993 the President announced the key-escrow initiative: the ``Clipper'' chip and its associated key escrow scheme, while AT\&T announced a telephone privacy device that uses the device. This proposed standard raises a number of questions about cryptography within telecommunications. In the next chapter we discuss the Escrowed Encryption Standard.

\vspace{0.7in}
\rule{2in}{.01in}
\begin{center}
Notes
\end{center}
{\small
\begin{enumerate}
\item RSA is listed by International Standards Organization standard 9796 as a compatible cryptographic algorithm. RSA is part of the Society for Worldwide Interbank Financial Transactions (SWIFT) standard, and the ANSI X9.31 standard for the U.S. banking industry. It forms part of the Internet Privacy Enhanced Mail (PEM) standard.
\end{enumerate}}

\newpage
\begin{center}
\Large{\bf{ Using Clipper}}
\end{center}
\medskip
\begin{enumerate}
\item Two participants establish a communication channel and set up a ``session key'' (KS).
\item Once the session key is established, each device passes the session key, KS, to its Clipper chip, which encrypts it using the chip's unique key (KU). From this and other information, including the chip's identifier (UID), the encrypted session key forms a Law Enforcement Access Field (LEAF), that is transmitted to the other device.
\item Encrypted communications can begin.
\item Government officials with legal authorization ``listen in'' to encrypted conversation, and tape it. Tape is sent to FBI for analysis.
\item The decrypt processor determines that Clipper was used for encryption and decodes LEAF. The UID is determined from the LEAF.
\item The FBI uses the UID to identify the chip to the escrow agents (presently the National Institute of Standards and Technology, and the Department of Treasury's Automated Systems Division). The FBI gets the two halves of the chip's key, KU1 and KU2. (KU is determined by taking the XOR of KU1 and KU2.)
The shared session key can be recovered from the LEAF produced by either chip.
\item The decrypt processor uses the chip's unique key (KU) to decode the session key (KS) in the LEAF. Once the chip's unique key has been obtained, the process can be abbreviated, since all encrypted calls made using this chip can be similarly decoded.
\end{enumerate}
\addtocontents{toc}{Encrypting Using Clipper}{}

\newpage
\chapter{ The Government Solution: The Escrowed Encryption Standard}
\framebox[5.25in][c]{
\begin{minipage}{5.0in}
\noindent Vocabulary words:
\smallskip

\noindent Capstone: Name of the chip with Clipper plus Digital Signature Algorithm, key exchange, and associated mathematical functions.
\smallskip

\noindent Clipper: Name of the chip with the SKIPJACK algorithm and the key-escrow feature.
\smallskip

\noindent Key-escrow: A system by which the device private keys are kept in a repository.
\smallskip

\noindent PCMCIA card: The Personal Computer Memory Card Industry Association (PCMCIA) card is an industry standard format and electrical interface for various computer components, including memory, very small disks, etc.
\smallskip

\noindent Session key: A key established by the participants and used for a single communication.
\smallskip

\noindent SKIPJACK: The encryption algorithm that underlies the Escrowed Encryption Standard.
\end{minipage}}
\medskip

\noindent On April 16, 1993, the White House announced the Escrowed Encryption Initiative, ``a voluntary program to improve security and privacy of telephone communications while meeting the legitimate needs of law enforcement'' [OPS]. The initiative included a chip for encryption, Clipper,\footnotemark\ to be incorporated into telecommunications equipment, and a key-escrow scheme. The National Security Agency (NSA) designed the system, and the underlying cryptographic algorithm, SKIPJACK, is classified.
Public response, both in the form of testimony presented at hearings held by National Institute of Standards and Technology (NIST) at the Computer Systems Security and Privacy Advisory Board, and in written comments to NIST, was overwhelmingly negative. Despite that, on February 4, 1994, after months of governmental review, the Department of Commerce announced the approval of the Escrowed Encryption Standard (EES) as a voluntary Federal Information Processing Standard (FIPS); ``voluntary'' means that if a Federal agency determines that telecommunications equipment transmitting sensitive but unclassified information should encrypt the data, it can choose EES -- or any other FIPS (e.g., DES). In this chapter, we present EES and the policies surrounding its use. We begin with a brief description of the workings of the standard; a more complete description is found in the appendix.

\begin{center}
EES Encryption
\end{center}

\noindent If two participants want to communicate using EES, both must have telecommunications security devices with a Clipper chip. The devices establish an 80-bit ``Session Key,'' and pass this to their chips, which encrypt it with information specific to the chip (the chip-unique key). This creates a Law Enforcement Access Field (LEAF), which is transmitted to the other party. Encrypted communication can begin. As in other cryptosystems, the encryption algorithm, SKIPJACK, and the session key protect confidentiality. But this is a cryptosystem with a difference: if there is a legal authorization for a wiretap, the secrecy provided by EES will not be a barrier to law enforcement. It's an adroit twist: communications are secure unless there is probable cause of an indictable offense (and all other requirements of Title III, FISA, or the state statutes, also apply). Every Clipper chip will have its chip-unique key registered with the Federal government.
To protect the confidentiality of the key, it will be ``split,'' and the components will be held by two Federal escrow agents -- NIST and the Treasury Department's Automated Systems Division -- one at each. Both components are needed to reconstruct the key. The standard authorizes keeping each chip's private key secret -- unless there is legal authorization to do otherwise. Key registration will occur during manufacturing at a secure commercial facility, and escrow officers from the two agencies will be present during the chip-programming process.

\begin{center}
EES Decryption by Law Enforcement
\end{center}

\noindent The Federal government knows the SKIPJACK algorithm, and it can build devices to decrypt it. If a law enforcement officer is listening to a legally tapped conversation, and the communications becomes incomprehensible, the law enforcement officer will tape it, and send the tape to the FBI for analysis. Bureau officers will analyze the communication to see if it is EES encrypted. If so, a special decrypt processor will decrypt the LEAF (recall that transmission of the LEAF precedes the encrypted conversation) transmitted from the target phone. The processor will extract the chip ID. With that identification, the two escrow agents will be able to supply the two halves of the escrowed chip-unique key. These are entered along with the expiration date for the court order into the decrypt processor. The processor performs the decryption, using the chip-unique key to decrypt the session key. Presently the key will have to be manually erased from the decrypt processor. It is currently envisioned that when the key is erased, an audit trail record will be generated and transmitted to the escrow agents.\footnotemark\ Under procedures issued by the Department of Justice [DoJB], the investigating agency may not retain the key past the expiration of the surveillance authorization.
The Department of Justice procedures explicitly state that they ``do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired'' [DoJB]. For interceptions conducted under Title III, FISA, or the state statutes, procedures for receiving the escrowed keys will require legal authorization, and an inability to comprehend a tapped conversation. Rules for decrypting communications intercepted outside the nation's borders are somewhat less clear. NSA has legal authorization to intercept communications outside the United States so long as those being tapped are not U.S. persons. (Such surveillance, however, may not be legal under the laws of a foreign country.) But interception is a different matter from obtaining escrowed keys. The Department of Justice has announced that decryption of EES-encoded messages ``[would be] carried out within the law,'' but ``Procedures might not be released'' [DoCB]. Thus, at this point, Federal policy on interception and decryption of foreign EES-encrypted messages is not known.

\begin{center}
Security of the System
\end{center}

\noindent Some cryptography experts and others in industry and academia are skeptical of using a publicly untested classified algorithm for encryption. NSA has attested to the strength of the algorithm. A panel of cryptography and security experts (including two members of this panel) invited by NIST to study the quality of the SKIPJACK algorithm concluded that SKIPJACK appeared to be both strong and resistant to attack [BDKMT]. The effort was limited in scope. Working within a tight time frame, they could not attempt a complete investigation of the algorithm's security.
However, they examined the structure of the algorithm, and the procedures followed by NSA in developing and evaluating the algorithm, and they were satisfied. Nonetheless, public skepticism of classified design has been fueled by the recent discovery that under certain circumstances the function of the LEAF can be subverted.\footnotemark As discussed in Chapter 4, three aspects of EES make it attractive to law enforcement and national security. Key-escrow ensures law enforcement access to encrypted conversations whenever there is legal authorization. The classification of the algorithm means that advanced encryption design is not made available even while strong cryptography is.

\begin{center}
Use of Escrowed Encryption
\end{center}

\noindent EES is a standard for encryption of voice, fax, and computer information transmitted over a circuit-switched telephone system. It is fully anticipated that escrowed encryption will be extended to other forms of electronic communications. In mid-April NSA awarded Group Technology Corporation a contract for 22000 to 75000 Tessera cards. Tessera is a PCMCIA card, an electronic device roughly the size of a credit card, for which many computers now include an interface. Tessera can be used with computer software to support encrypted and/or digitally signed communication applications such as electronic mail. By retaining the user's keys on the card, the card protects the keys from compromise should the computer in use be penetrated. FIPS 185, the Federal publication defining EES, does not contain enough information to design or implement EES devices. Specifications must be obtained from the NSA, and the agency's approval is required for the manufacture of Clipper chips. At present, Clipper chips are being manufactured only by Mykotronx; they are being used in AT\&T secure telephone devices. Government approval, however, is also required for the use of the key-escrow chips in commercial products [NIST-94, pg. 6004].
Export of devices containing escrowed keys will be permitted, except to those countries that face a Congressional embargo on military technology (e.g., Libya). It is anticipated that the Federal government will shortly announce a Distribution Agreement for EES technology; this will streamline the export license procedure for escrowed encryption products. The February 1994 announcement went some distance to answering questions regarding EES. Many concerns remain. In the next chapter, we examine the remaining issues.

\newpage
\begin{center}
Notes
\end{center}
{\small
\begin{enumerate}
\item The name ``Clipper'' had been previously trademarked by Intergraph Corp. for their microprocessor chip, and for a time, the government stopped using Clipper referring to the escrowed encryption chip. However, Intergraph graciously ceded to the government the right to use the name ``Clipper'' for the escrowed encryption chip.
\item Private communication with Miles Smid, June 3, 1994. Smid is Manager, Security Technology Group, Computer Security Division, of the Computer Systems Laboratory at NIST.
\item Working with publicly available material, Matthew Blaze of AT\&T Bell Laboratories has developed a technique for replacing the LEAF containing the current session key by one containing an unrelated key [Blaz]. The practical implications of Blaze's findings are subject to debate. Perhaps his most significant finding was a technique that allows one participant in a communication to construct unilaterally a LEAF (with considerable pre-computation) that denies law enforcement access, but which will be accepted as ``valid'' by a communicant using EES-compliant technology. This technique is readily applied to computer-based communication such as E-mail, but it probably is not applicable to current secure telephone system designs.
\end{enumerate}}

\newpage
\chapter{ Issues Highlighted by the Escrowed Encryption Standard }
\framebox[5.25in][c]{
\begin{minipage}{5.0in}
\noindent Vocabulary words:
\smallskip

\noindent Capstone: Name of the chip with Clipper plus Digital Signature Algorithm, key exchange, and associated mathematical functions.
\smallskip
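
The escrow split and LEAF recovery steps listed under ``Using Clipper'', as an added Python sketch that is not part of the report or of any EES specification. SKIPJACK is classified, so an HMAC-SHA-256 pad stands in for it; the LEAF layout (4-byte UID, 8-byte nonce, outer LEAF encoding omitted) and the names alice, bob, agent_a and agent_b are assumptions of this example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 10   # 80-bit keys, matching the session key size the report gives
UID_LEN = 4    # assumed identifier width for this sketch
NONCE_LEN = 8  # constructed detail of the stand-in wrap below

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_wrap(ku: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for SKIPJACK (assumption): XOR with an HMAC-derived pad.
    Applying it twice with the same ku and nonce returns the input."""
    pad = hmac.new(ku, nonce, hashlib.sha256).digest()[:len(data)]
    return xor(data, pad)

def escrow_split(ku: bytes) -> tuple:
    """Split KU so that KU1 XOR KU2 == KU; each half alone looks random."""
    ku1 = secrets.token_bytes(len(ku))
    return ku1, xor(ku, ku1)

class Chip:
    def __init__(self, uid: bytes, agent_a: dict, agent_b: dict):
        self.uid = uid
        self._ku = secrets.token_bytes(KEY_LEN)
        # Registration at programming time: one component per escrow agent.
        agent_a[uid], agent_b[uid] = escrow_split(self._ku)

    def make_leaf(self, ks: bytes) -> bytes:
        """LEAF = UID || nonce || KS encrypted under the chip-unique key."""
        nonce = secrets.token_bytes(NONCE_LEN)
        return self.uid + nonce + toy_wrap(self._ku, nonce, ks)

def parse_leaf(leaf: bytes) -> tuple:
    if len(leaf) != UID_LEN + NONCE_LEN + KEY_LEN:
        raise ValueError("malformed LEAF")
    body = leaf[UID_LEN:]
    return leaf[:UID_LEN], body[:NONCE_LEN], body[NONCE_LEN:]

def recover_ku(uid: bytes, agent_a: dict, agent_b: dict) -> bytes:
    """Both escrow agents must release their component for this UID."""
    return xor(agent_a[uid], agent_b[uid])

def recover_ks(leaf: bytes, ku: bytes) -> bytes:
    _, nonce, wrapped = parse_leaf(leaf)
    return toy_wrap(ku, nonce, wrapped)

def demo() -> dict:
    agent_a, agent_b = {}, {}  # the two escrow agents' key stores
    alice = Chip(b"\x00\x00\x00\x01", agent_a, agent_b)  # constructed UIDs
    bob = Chip(b"\x00\x00\x00\x02", agent_a, agent_b)
    ks1, ks2 = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    leaf_a1, leaf_b1 = alice.make_leaf(ks1), bob.make_leaf(ks1)  # one call
    leaf_a2 = alice.make_leaf(ks2)                               # a later call
    uid = parse_leaf(leaf_a1)[0]                 # UID read from the LEAF
    ku_alice = recover_ku(uid, agent_a, agent_b)
    ku_bob = recover_ku(bob.uid, agent_a, agent_b)
    return {
        # KS is recoverable from the LEAF produced by either chip.
        "either_leaf": recover_ks(leaf_a1, ku_alice) == ks1 == recover_ks(leaf_b1, ku_bob),
        # Once KU is known, every later call on that chip decodes too.
        "later_call": recover_ks(leaf_a2, ku_alice) == ks2,
        # A single escrow component does not yield the session key.
        "one_half_fails": recover_ks(leaf_a1, agent_a[uid]) != ks1,
    }
```

The `later_call` result is the property the last step of the list describes: nothing in the scheme itself limits a recovered KU to the intercepted call, so that limit rests on the key-erasure and audit procedures.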