Interesting People mailing list archives

The Clipper Initiative part 2 of 3


From: David Farber <farber () central cis upenn edu>
Date: Tue, 31 Aug 1993 16:22:03 -0800



more important than that!

All of the information needed to implement DES has been widely
published as a U.S. Government Standard[12] for 17 years.  In 1986,
the International Standards Organization (ISO) approved DES as an
international standard, DEA-1.  Later, the ISO decided it should
not standardize on any cryptographic algorithm, and DEA-1 was not
published as an ISO standard.  Even so, DES is probably the most
widely known and accepted encryption algorithm in the
international community.  Books and articles are routinely
published telling how to implement DES in software and indeed
giving the code to do it.  Products that use DES in software and
hardware are routinely available worldwide.  How long must our
Government harm the American people with policies that have no
basis in reality?

       Conclusion:

       With respect to the impact of export controls on U.S.
       commercial interests, the present Government policies on
       export of cryptography are:

                  Depriving U.S. businesses of the ability to protect
                    their sensitive information in a routine and
                    economic manner,

                  Depriving U.S. computer businesses of a rapidly
                    growing worldwide market in information products
                    that contain a reasonable degree of security
                    protection,

                  Encouraging the development of such products
                    outside the U.S., and 

                  Exporting U.S. jobs to overseas manufacturers.

       Why does the Government insist on export controls?

Presumably, the reason for the Government's stranglehold on
export of cryptography is to prevent its widespread use against
law enforcement and other legitimate government interests.

But the issue is not simply law enforcement's desire to continue
to wiretap criminals' phones. The not-so-invisible force behind
all of this is the national security interest to intercept
traffic from foreign sources for intelligence purposes.  Somehow
this is the deep dark secret that everyone knows but no one is
supposed to mention. 

The conflict of interest referred to in the President's Clipper
announcement is not just law enforcement desires versus the
public's need for good cryptography but these much more important
national security interests versus the public's need to protect
its sensitive information.

       Conclusion:

       With respect to law enforcement and national security
       interests in intercepting communications in general:

             Good quality encryption technology to protect
             communications from eavesdropping is becoming widely
             available throughout the world.  This inevitable shift
             in technology will make it increasingly difficult for
             law enforcement and national security interests to
             intercept communications, irrespective of any technical
             or legal measures the U.S. Government might take to
             prevent it, including government export controls on
             encryption technology or government imposed key escrow
             systems.

       Why is key escrow technology being proposed?

A recent Administration publication of Questions and Answers on
the Initiative[13] contained the following, within the answer to
this question:

       "With growing availability of lower cost, commercial
       encryption technology for use by U.S. industry and private
       citizens, it became clear that a strategy was needed that
       could accommodate the needs

                  of the private sector for top notch
                    communications security;

                  of U.S. industry to remain competitive in the
                    world's secure communications market; and

                  of U.S. law enforcement to conduct lawfully
                    authorized electronic surveillance."

From the above analysis it should be clear that:

                  while Skipjack represents very strong cryptography,
                    with key escrow added, few will view it as "top
                    notch communications security,"

                  just as with the 40-bit key "solution," key
                    escrow will not allow "U.S. industry to remain
                    competitive" in any international market, and

                  law enforcement will find it increasingly
                    difficult to conduct wiretaps, with or without
                    key escrow capabilities.

In short, none of these stated goals is achievable.

The same "answer" then went on to say:

       "Enhancing the Government's ability to decrypt non-key
       escrow encryption used by the targets of authorized law
       enforcement wiretaps is another possible strategy for coping
       with the effects of encryption on law enforcement.  However,
       since encryption appears in a number of forms and
       applications, the costs are likely to be substantial and may
       not be either affordable or practical given the requirement
       for 'real time' decryption in the course of wiretap
       operations."

Enhancing the ability to decrypt non-key escrow encryption may
well be the only practical measure that the law enforcement and
national security communities can take.  As a minimum, the costs
of these alternatives should be well understood before we launch
into a massive key escrow process that has been demonstrated to
have little likelihood of achieving its goals.

5.     A National Dilemma!

This situation is truly a dilemma of national importance that
cannot be resolved with a "one way or the other" decision but must
involve a compromise of the interests of both sides.  Key escrow
was a good try at a solution, but as the above analysis
indicates, it will not be acceptable against the harsh realities
of economics and human nature.  Some form of  "cryptography which
is good enough for the public's use even if it may make the
national security task harder" compromise must be reached.
  
For over fifty years, the national security side of this story
has always had the interest of every U.S. Administration and for
good reason.  "Codebreaking is the most important form of secret
intelligence in the world today.  It produces much more and much
more trustworthy information than spies, and this intelligence
exerts great influence upon the policies of governments."[14]
Breaking the codes of others has been and continues to be a vital
aspect of our national security. 

But we are now in an international world of interconnected
communications systems carrying all kinds of sensitive
information vital to our economic and national well being. 
Technology has advanced to the point where cryptography is both
highly feasible and desirable for use by private citizens and
business.  It is dangerous to deny ourselves the ability to
protect our own sensitive information in the hope that we may
still be able to eavesdrop on others.

We must face the fact that foreign interests already have good
cryptography which they will increasingly use to protect their
communications no matter how the U.S. Government tries to impede
them.  If they do not employ good cryptographic mechanisms and
practices, it is for reasons other than their unavailability.

It is essential that we hear from the other side, the interests
and needs of the public to protect its information, so that we
can weigh the two issues and reach a carefully considered
resolution to this dilemma for today and the future.

As cryptography becomes more widespread, the ability to routinely
intercept and read such traffic will inevitably get harder.  Key
escrow, if it were to become very widely used, could make both
the law enforcement and national security community's jobs much
easier.  

But key escrow will not become widely used outside of government. 
The new non-key escrow phone devices will outsell all Clipper
phones (except for the devices that the Government forces itself
to buy).  Key escrow will never find a significant market in the
computer communications world for the simple economic reason that
it will cost more than software encryption.  No one who is not
forced to use key escrow will choose to pay extra for it.

And, as discussed in the Appendices, attempts to mandate the use
of key escrow or to outlaw other forms of encryption will not
succeed even if given the force of law.

       The Final Conclusion

Key escrow is not the panacea that its inventors envisioned.  It
will not drive out DES and other good cryptographic systems.  In
a very real sense, the President's Clipper Chip Initiative has
sounded the alarm for those who once viewed cryptography as
solely of interest to the technicians.  It may well have
galvanized opposition to unreasonable and restrictive government
export control policies in this area once and for all.

Just as the law enforcement community has to face the fact that
no matter what we do, wiretaps are going to be less useful in the
future because of advances in technology, so the intelligence
community has to face the fact that it will become progressively
harder to listen in to others.  Over the years, the Government's
policy of denying export of cryptographic devices has perhaps
slowed this inevitable trend a little.  But, increasingly, the
negative effects of these policies on U.S. business, both on
users and suppliers of these technologies, far outweigh any
positive effect that further restrictions can have.

Others have and will use good quality cryptography whether we
allow ourselves to do so or not.  We must not penalize ourselves
by further restricting cryptography, either through poorly
founded export policies or poorly thought out technologies such
as key escrow.

6.     So where do we go from here?

The Administration is currently conducting an "Interagency
Review" as called for in the President's April announcement. 
Input from the public is being received from the testimony at
meetings such as from the CSSPAB and from groups such as the
Digital Privacy and Security Working Group as well as industry
and the public at large.  This Interagency Review is not,
however, a public debate of the issues confronting us.  The
interests of the commercial sector and of the public at large are
not well represented here.

Recent proposed Congressional legislation[15] has called for the
establishment of a "Comprehensive Independent Study of National
Cryptography Policy" by the National Research Council.  Such a
study is welcomed as a means for exploring all sides of this most
important issue even if it does put off resolution of the issue
for up to two years.

In any case, it is essential that the Congress become involved in
the timely resolution of this issue in a way that properly
balances the law enforcement and national security interests with
those of the public to protect its sensitive information.

Footnotes

1      This paper represents my personal opinions and not
       necessarily those of any organization with which I am
       affiliated.

2      White House Press Release, April 16, 1993.                     

3      AT&T Telephone Security Device brochures presented to the
       Congressionally chartered CSSPAB in September, 1992.

4      Testimony by Dr. Clinton Brooks on June 2, 1993, before the
       CSSPAB.

5      The Government has chosen to call the process of storing
       keys for access by law enforcement authorities "key escrow." 
       The term "escrow" has specific legal meaning, and its use
       here implies a legal formalism beyond what appears to be
       provided.  The draft Escrow Encryption Standard cites a
       definition of escrow as having delivered something "to a
       third person to be given to the grantee only upon
       fulfillment of a condition."  As pointed out by Janlori
       Goldman, both the "escrow agents," who will hold the keys,
       and the law enforcement community are part of the Executive
       Branch of the Federal Government and can hardly be
       considered truly third parties in the legal sense.  Rather
       than "key escrow," many refer to this simply as "the
       Government has your keys." 

6      The Washington Post, April 17, 1993, page 1.

7      Skipjack is the name for the encryption algorithm used in
       the Clipper Chip.

8      "SKIPJACK Review Interim Report: The SKIPJACK Algorithm,"
       July 28, 1993, by Ernest Brickell, Dorothy Denning, Stephen
       Kent, David Maher, and Walter Tuchman.

9      The Skipjack team cites several exhaustive key search
       attacks on the Skipjack 80-bit key space that are useful
       when compared with the present U.S. Government approved-for-
       export 40-bit key size.  They postulate a $50M machine
       consisting of 100,000 processors that takes 4 million years
       to exhaust an 80-bit key space.  Such a machine could check
       a 40-bit key space in 8.15 hours. They also speculate on a
       $1.2B machine with a 1GHz clock speed that takes 1 year to
       search an 80-bit key space. A machine 10,000 times slower or
       with 1/10,000 the processors could check a 40-bit key space
       in just over 1 second. An 80-bit key space is very strong
       and a 40-bit key space is extremely weak!

10     Sponsored by the Software Publishers Association, prompted
       in part by U.S. Government officials' insistence that they
       were unaware of the availability of foreign cryptographic
       products.

11     Dr. Ray Kammer, Deputy Director of NIST on July 30, 1993, at
       the CSSPAB hearing.

12     Federal Information Processing Standard (FIPS) Publication
       Number 46.

13     "Key Escrow Encryption Technology," from John D. Podesta,
       Assistant to the President and Staff Secretary for the White
       House, to Jerry Berman of the Digital Privacy and Security
       Working Group, dated July 29, 1993.

14     From the Preface of The Code-Breakers by David Kahn.

15     H.R.2401 as reported by House committee, July 30, 1993,
       House Report No 103-200, Item 77: (34) Sec. 262.
       Comprehensive Independent Study of National Cryptography
       Policy. This bill is scheduled for further action on Sept.
       8.

                               APPENDIX A

What can law enforcement expect from wiretaps in the future?

The FBI and other law enforcement experts have made strong and
sometimes impassioned pleas that we not let technology advances
deny them the opportunity to tap into phone conversations of
illegal activities.  Acknowledging the relatively small number of
wiretaps per year and the difficult process that the court system
requires for obtaining a wiretap, they argue persuasively that
the value of wiretaps in organized/white collar crime is
invaluable and must not be lost.

The possibility of encountering scrambled communications that
cannot be decrypted is the concern being addressed by the
Government's Clipper initiative.  However, there are many other
concerns inherent in the digital telephony issue that were
acknowledged by the FBI during the Board's hearings to be of
greater concern than encryption.[1]

One of the very serious aspects of this problem involves
extending wiretaps beyond the "reach" of the telephone central
office.  A wiretap on a home phone can be effected entirely at
the telephone company central office.  A wiretap on a business
phone connected by a private branch exchange (PBX) cannot be
directly tapped by the phone company.  In earlier proposed
legislation, the FBI sought technical solutions to the digital
telephony problems that would ensure they would not lose their
ability to wiretap illegal communications.  

Few would argue that the public wants the law enforcement
community to provide effective protection against all forms of
criminal activity.  This situation argues strongly for keeping
wiretaps as effective as possible for the benefit of the law
enforcement community and the public in general.
 
But what is the future for wiretaps, anyway?

Since key escrow procedures have been identified as the
Government's fundamental means of ensuring the continuation of
effective wiretaps, it is essential that we examine just how
effective wiretap capabilities will be in the future, whether we
establish key escrow procedures or not.

Today (prior to the recent AT&T phone security announcement),
only a few relatively expensive telephone encryption capabilities
are available, and very few wiretaps encounter encrypted
communications.[2]  Today, the general public and apparently most
criminals use the public phone system to communicate without
additional protection and are thus subject to conventional wiretaps.

One way to understand how things may turn out in the future is to
postulate a series of scenarios and examine the different
outcomes.

       If we do nothing:

There are techniques available today for encrypting phones;
however, because this whole topic of wiretaps and encryption has
until now been of obscure interest only to technicians, the
criminal element probably has not bothered to use them.  Now that
high-level attention is being called to this issue, one can
easily conjecture that sophisticated criminals (those who
understand the threats to their activities and the availability
and cost of countermeasures) are actively looking for ways to
protect themselves from wiretaps.  In this scenario, the
Government will retain the ability to tap the communications of
ordinary citizens and average criminals but lose access to the
communications of the sophisticated criminal.

       If non-key escrow devices become widely available:

