Interesting People mailing list archives
IP: CDT Preliminary Analysis of "Clipper III" Encryption
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 23 May 1996 07:04:53 -0400
The Administration's latest encryption policy proposal, already dubbed "Clipper III," would use a new government-sanctioned certification system as an incentive to virtually impose key escrow on domestic encryption users. The draft proposal, "Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure," would establish a new "public key infrastructure" for encryption. Such a public key infrastructure would enable users of encryption to clearly identify the people they are communicating with, and is widely viewed as an important prerequisite for the widespread use of secure electronic communications. However, the Clipper III proposal would establish this infrastructure at a price: All users of the public key infrastructure would have to ensure government access to their encryption keys through an approved key escrow agent.

Clipper III will not meet the privacy and security needs of Internet users. While the proposal represents real progress by the Administration in recognizing the importance of encryption, in reality it provides few provisions to protect individual privacy. The proposal is hardly voluntary -- it makes key escrow a virtual precondition for participation in a secure GII. It targets domestic users of encryption, contains few guidelines for key exchanges with foreign governments, and encourages collection of highly sensitive private key information. Moreover, it contains none of the standards for key holder liability, limits on access to keys by law enforcement, or audit requirements that many have already identified as crucial to protecting individual privacy in even a voluntary key escrow system. For these reasons, CDT believes that the Clipper III proposal is another step in the wrong direction for U.S. encryption policy.
Overview of the Administration Proposal

Taking a nod from the European Commission's recent Trusted Third Party initiative, the Clipper III proposal would develop a needed public key infrastructure, couched in the language of privacy and security, and use it as an incentive for development of a de facto key escrow system. The Clipper III proposal:

- Acknowledges the importance of encryption and the need for a public key infrastructure (PKI) -- The proposal reaffirms the importance of encryption and the emerging need for a system to certify public encryption keys. Such a "public key infrastructure" would allow users to certify to other users that their public keys in fact belonged to them, allowing the keys to be used and trusted for encrypted commerce and communication. Without such a system, "users cannot know with whom they are dealing on the network, or sending money to, or who signed a document, or if the document was intercepted and changed by a third party."[1]

- Establishes a complex new Key Management Infrastructure (KMI) -- The proposal would form a new public key infrastructure to tie encryption users to their public keys. The KMI would establish new certification authorities that would guarantee -- and be held liable for -- the identity of a public key. The new entities proposed under the Administration plan include:
  - Certification Authorities (CAs) -- to identify and issue certificates to users;
  - Escrow Authorities (EAs) -- to hold private key information as required; and
  - Policy Approving Authorities (PAAs) -- overarching bodies, possibly under governmental control, responsible for certifying trusted escrow authorities.

- Requires key escrow as a condition of participation in the new public key infrastructure -- In order to participate in the new Key Management Infrastructure, users would be required to ensure law enforcement access to encrypted information. "One condition of obtaining a certificate is that sufficient information (e.g., private keys or other information as appropriate) has been escrowed with a certified escrow authority to allow access to a user's data or communications."[2] The escrow agent could be the certification authority or another third party, so long as they meet "minimum standards" including "performance criteria to meet law enforcement's needs." Self-escrow would also be allowed for entities that meet certain unspecified "necessary performance requirements."

- Relaxes export controls for key escrow products as in Clipper II -- The proposal would "continue and expand" the NIST "Clipper II" export control provisions proposed this fall, allowing 64 bit software/80 bit hardware exports to any destination if keys are escrowed in the U.S. or if the U.S. has a bilateral escrow agreement. Other exports to certain markets would be considered, upon case-by-case review and under certain conditions. Key length limits would presumably expand as law enforcement confidence in the key escrow authorities grew.

Critique and Areas of Concern

Clipper III does represent a major step forward by the Administration in acknowledging the importance of encryption and public key cryptography: "Government can no longer monopolize state of the art cryptography. ... It is unrealistic to believe that government can produce solutions which keep ahead of today's rapidly changing information technology."[3] The proposal goes on to note that, "[Public key cryptography features] are needed to support electronic commerce, public services, redefined business processes, and national security." However, Clipper III is also a clear attempt to force the widespread adoption of key escrow by leveraging the need of encryption users to participate in a public key certification system.
Major problems with the proposal include:

- It makes key escrow a precondition for participation in the public key infrastructure -- Other than law enforcement access, there is no reason the public key infrastructure must store private keys. On the contrary, the essential breakthrough of public key cryptography is the ability it gives users to share public key information and partake fully in authenticated, secure communications without revealing any private key information to third parties. Data recovery -- the ability to recover encrypted data if a private key is lost -- is the main rationale presented for key escrow. However, data recovery can be done independently of the public key infrastructure if desired, and in a more secure manner.

- It is not voluntary -- Though participation is theoretically "voluntary," under Clipper III users will have no choice but to escrow their keys or forego participation in the Information Age economy. The proposal itself calls the key infrastructure a "basic and entirely essential foundation." To participate, users will need to escrow their keys; if they choose not to participate in the KMI, users will be unable to obtain the essential certifications that the Administration foresees as being the standard for secure electronic communications and commerce.

- It targets domestic users -- While export controls have ostensibly been aimed at controlling the use of encryption by foreign users, the Clipper III proposal is clearly aimed at domestic users of encryption.

- It leaves international key exchange problems unresolved -- Without a system of international agreements, interoperability is at risk. The same encryption and/or authentication scheme exportable to Germany or France might not be exportable to India or China in the absence of appropriate bilateral agreements. Bilateral agreements raise their own issues: under what standards will keys be released to foreign governments, especially those with no tradition of Fourth Amendment search and seizure protection?

- It contains no key escrow privacy provisions -- The Administration proposal only tangentially addresses the privacy problems posed by key escrow systems. As others have already noted in the encryption policy debate, any key escrow system (even if voluntary) raises issues regarding the need for: liability rules for unauthorized key disclosures by escrow agents; standards for law enforcement access; auditing requirements for escrow agents; and guidelines for decryption information access.[4] Clipper III contains no such standards or guidelines.

- It compromises network security by encouraging storage of private key information -- Clipper III requires the accumulation of private keys or other decryption information in dangerous and vulnerable points of failure -- the escrow agents. At the same time as it seeks to design a secure infrastructure, the proposal builds enormous new vulnerabilities into the system.

- It is not responsive to years of feedback from industry and policy advocates -- The proposal answers few of the concerns repeatedly raised by privacy advocates or industry. It reflects a policy-making process still driven by national security and law enforcement concerns rather than the privacy needs of individuals and the security needs of the online economy.

Conclusion

As the European Commission prepares to release its Trusted Third Party encryption proposals in Europe, the very similar Clipper III proposal provides a preview of the choices being made around the world to sacrifice privacy concerns in the name of law enforcement access. The Administration proposal has the potential to hold the budding public key infrastructure -- an important component of secure communications online -- hostage to the demands of law enforcement.
Instead, CDT believes the Administration should use this opportunity to develop a more secure and trusted communications infrastructure for all users, even those in countries without the same tradition of Fourth Amendment protection afforded to U.S. citizens. CDT looks forward to continuing to work towards voluntary, private-sector security standards for the information infrastructure independent of escrow requirements or export controls.

Footnotes

[1] Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure, at 3 (May 17, 1996).

[2] Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure, at 5 (May 17, 1996).

[3] Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure, at 2 (May 17, 1996).

[4] Some data recovery or interception mechanisms (e.g., the TIS data recovery center model) allow for much less intrusive means of decryption access than others. For example, if a system provides access to private keys, then every communication using that key is compromised. The costs of accidental disclosure are consequently much higher than they need to be, and there is no ability to narrowly tailor law enforcement requests. To the extent that key escrow is ever used, standards should be put in place to keep access to encrypted information as narrowly tailored as possible.
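The contrast drawn in footnote 4, and the earlier observation that data recovery can be done independently of the public key infrastructure and in a more secure manner, can be shown concretely. The Go program below is an added example written for this archive page; it is not code from CDT, from the Administration proposal, or from TIS. It assumes a hybrid scheme (a random AES-256-GCM session key wrapped with RSA-OAEP to the recipient), and its per-message recovery field (the same session key also wrapped to a recovery agent's public key) is an assumed stand-in for the kind of mechanism the footnote credits to the TIS data recovery center model, not a description of that product. The function names and the Message layout are this example's own. It encrypts three constructed messages to one user and then answers a request scoped to the first message under each model: releasing the escrowed long-term private key (what a certified escrow authority would hold under Clipper III) opens all three messages, while releasing one message's session key opens only that one, which is the narrowly tailored access the footnote asks for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is hybrid-encrypted: a fresh AES-256-GCM session key, wrapped with
// RSA-OAEP to the recipient and (the assumed data recovery field) to an agent.
type Message struct {
	KeyForRecipient, KeyForRecovery, Nonce, Ciphertext []byte
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Encrypt seals plaintext to recipient and attaches a per-message recovery
// field. The recipient's long-term private key is never given to anyone.
func Encrypt(recipient, recovery *rsa.PublicKey, plaintext []byte) *Message {
	rnd := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	_, err := rand.Read(rnd)
	must(err)
	key, nonce := rnd[:32], rnd[32:]
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	m := &Message{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	m.KeyForRecipient, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	must(err)
	m.KeyForRecovery, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recovery, key, nil)
	must(err)
	return m
}

// OpenWithSessionKey decrypts one message from its session key; the GCM tag
// check rejects any message that was sealed under a different key.
func OpenWithSessionKey(key []byte, m *Message) ([]byte, error) {
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// OpenWithPrivateKey is what the recipient does, and equally what anyone
// holding an escrowed copy of that long-term private key can do.
func OpenWithPrivateKey(priv *rsa.PrivateKey, m *Message) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.KeyForRecipient, nil)
	if err != nil {
		return nil, err
	}
	return OpenWithSessionKey(key, m)
}

// countReadable reports how many messages the given opener can decrypt.
func countReadable(open func(*Message) ([]byte, error), msgs []*Message) int {
	n := 0
	for _, m := range msgs {
		if _, err := open(m); err == nil {
			n++
		}
	}
	return n
}

// CompareExposure encrypts three constructed messages to one user, answers a
// request scoped to message 0 under each model, and returns how many of the
// three messages the released material can decrypt (expected: 3 and 1).
func CompareExposure() (viaEscrowedKey, viaSessionKey int) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	agentKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	var msgs []*Message
	for i := 0; i < 3; i++ {
		msgs = append(msgs, Encrypt(&userKey.PublicKey, &agentKey.PublicKey, []byte(fmt.Sprintf("constructed message %d", i))))
	}
	// Model A: the escrow authority releases the user's long-term private key.
	viaEscrowedKey = countReadable(func(m *Message) ([]byte, error) { return OpenWithPrivateKey(userKey, m) }, msgs)
	// Model B: the recovery agent unwraps and releases only message 0's session key.
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, agentKey, msgs[0].KeyForRecovery, nil)
	must(err)
	viaSessionKey = countReadable(func(m *Message) ([]byte, error) { return OpenWithSessionKey(sk, m) }, msgs)
	return
}

func main() {
	a, b := CompareExposure()
	fmt.Printf("escrowed private key opens %d of 3 messages; one released session key opens %d of 3\n", a, b)
}
```

Two design points follow from the analysis above. First, model B involves no certification authority at all: the recovery agent only ever sees wrapped session keys, so a certification system that identifies public keys need not hold any private key material, which is the point the critique makes about escrow being unnecessary for the infrastructure. Second, the blast radius of an accidental or over-broad disclosure differs by construction, not by policy: in model A a single release exposes every past and future message under that key, while in model B each release is bounded to one message, so liability, audit and access standards have something tractable to attach to.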