Interesting People mailing list archives
The Clipper Initiative part 2 of 3
From: David Farber <farber () central cis upenn edu>
Date: Tue, 31 Aug 1993 16:22:03 -0800
more important than that! All of the information needed to implement DES has been widely published as a U.S. Government Standard[12] for 17 years. In 1986, the International Standards Organization (ISO) approved DES as an international standard, DEA-1. Later, the ISO decided it should not standardize on any cryptographic algorithm, and DEA-1 was not published as an ISO standard. Even so, DES is probably the most widely known and accepted encryption algorithm in the international community. Books and articles are routinely published telling how to implement DES in software and indeed giving the code to do it. Products that use DES in software and hardware are routinely available worldwide. How long must our Government harm the American people with policies that have no basis in reality?

Conclusion: With respect to the impact of export controls on U.S. commercial interests, the present Government policies on export of cryptography are:

- Depriving U.S. businesses of the ability to protect their sensitive information in a routine and economic manner,
- Depriving U.S. computer businesses of a rapidly growing worldwide market in information products that contain a reasonable degree of security protection,
- Encouraging the development of such products outside the U.S., and
- Exporting U.S. jobs to overseas manufacturers.

Why does the Government insist on export controls?

Presumably, the reason for the Government's stranglehold on export of cryptography is to prevent its widespread use against law enforcement and other legitimate government interests. But the issue is not simply law enforcement's desire to continue to wiretap criminals' phones. The not-so-invisible force behind all of this is the national security interest to intercept traffic from foreign sources for intelligence purposes. Somehow this is the deep dark secret that everyone knows but no one is supposed to mention.
The conflict of interest referred to in the President's Clipper announcement is not just law enforcement desires versus the public's need for good cryptography but these much more important national security interests versus the public's need to protect its sensitive information.

Conclusion: With respect to law enforcement and national security interests in intercepting communications in general: Good quality encryption technology to protect communications from eavesdropping is becoming widely available throughout the world. This inevitable shift in technology will make it increasingly difficult for law enforcement and national security interests to intercept communications, irrespective of any technical or legal measures the U.S. Government might take to prevent it, including government export controls on encryption technology or government imposed key escrow systems.

Why is key escrow technology being proposed?

A recent Administration publication of Questions and Answers on the Initiative[13] contained the following, within the answer to this question:

"With growing availability of lower cost, commercial encryption technology for use by U.S. industry and private citizens, it became clear that a strategy was needed that could accommodate the needs of the private sector for top notch communications security; of U.S. industry to remain competitive in the world's secure communications market; and of U.S. law enforcement to conduct lawfully authorized electronic surveillance."
From the above analysis it should be clear that:

- while Skipjack represents very strong cryptography, with key escrow added, few will view it as "top notch communications security,"
- just as with the 40-bit key "solution," key escrow will not allow "U.S. industry to remain competitive" in any international market, and
- law enforcement will find it increasingly difficult to conduct wiretaps, with or without key escrow capabilities.

In short, none of these stated goals is achievable.

The same "answer" then went on to say:

"Enhancing the Government's ability to decrypt non-key escrow encryption used by the targets of authorized law enforcement wiretaps is another possible strategy for coping with the effects of encryption on law enforcement. However, since encryption appears in a number of forms and applications, the costs are likely to be substantial and may not be either affordable or practical given the requirement for 'real time' decryption in the course of wiretap operations."

Enhancing the ability to decrypt non-key escrow encryption may well be the only practical measure that the law enforcement and national security communities can take. As a minimum, the costs of these alternatives should be well understood before we launch into a massive key escrow process that has been demonstrated to have little likelihood of achieving its goals.

5. A National Dilemma!

This situation is truly a dilemma of national importance that can not be resolved with a "one way or the other" decision but must involve a compromise of the interests of both sides. Key escrow was a good try at a solution, but as the above analysis indicates, it will not be acceptable against the harsh realities of economics and human nature. Some form of "cryptography which is good enough for the public's use even if it may make the national security task harder" compromise must be reached.

For over fifty years, the national security side of this story has always had the interest of every U.S. Administration and for good reason.
"Codebreaking is the most important form of secret intelligence in the world today. It produces much more and much more trustworthy information than spies, and this intelligence exerts great influence upon the policies of governments."[14]

Breaking the codes of others has been and continues to be a vital aspect of our national security. But we are now in an international world of interconnected communications systems carrying all kinds of sensitive information vital to our economic and national well being. Technology has advanced to the point where cryptography is both highly feasible and desirable for use by private citizens and business. It is dangerous to deny ourselves the ability to protect our own sensitive information in the hope that we may still be able to eavesdrop on others.

We must face the fact that foreign interests already have good cryptography which they will increasingly use to protect their communications no matter how the U.S. Government tries to impede them. If they do not employ good cryptographic mechanisms and practices, it is for reasons other than their unavailability.

It is essential that we hear from the other side, the interests and needs of the public to protect its information, so that we can weigh the two issues and reach a carefully considered resolution to this dilemma for today and the future.

As cryptography becomes more widespread, the ability to routinely intercept and read such traffic will inevitably get harder. Key escrow, if it were to become very widely used, could make both the law enforcement and national security community's jobs much easier. But key escrow will not become widely used outside of government. The new non-key escrow phone devices will outsell all Clipper phones (except for the devices that the Government forces itself to buy). Key escrow will never find a significant market in the computer communications world for the simple economic reason that it will cost more than software encryption.
No one who is not forced to use key escrow will choose to pay extra for it. And, as discussed in the Appendices, attempts to mandate the use of key escrow or to outlaw other forms of encryption will not succeed even if given the force of law.

The Final Conclusion

Key escrow is not the panacea that its inventors envisioned. It will not drive out DES and other good cryptographic systems. In a very real sense, the President's Clipper Chip Initiative has sounded the alarm for those who once viewed cryptography as solely of interest to the technicians. It may well have galvanized opposition to unreasonable and restrictive government export control policies in this area once and for all.

Just as the law enforcement community has to face the fact that no matter what we do, wiretaps are going to be less useful in the future because of advances in technology, so the intelligence community has to face the fact that it will become progressively harder to listen in to others. Over the years, the Government's policy of denying export of cryptographic devices has perhaps slowed this inevitable trend a little. But, increasingly, the negative effects of these policies on U.S. business, both on users and suppliers of these technologies, far outweigh any positive effect that further restrictions can have.

Others have and will use good quality cryptography whether we allow ourselves to do so or not. We must not penalize ourselves by further restricting cryptography, either through poorly founded export policies or poorly thought out technologies such as key escrow.

6. So where do we go from here?

The Administration is currently conducting an "Interagency Review" as called for in the President's April announcement. Input from the public is being received from the testimony at meetings such as from the CSSPAB and from groups such as the Digital Privacy and Security Working Group as well as industry and the public at large.
This Interagency Review is not, however, a public debate of the issues confronting us. The interests of the commercial sector and of the public at large are not well represented here.

Recent proposed Congressional legislation[15] has called for the establishment of a "Comprehensive Independent Study of National Cryptography Policy" by the National Research Council. Such a study is welcomed as a means for exploring all sides of this most important issue even if it does put off resolution of the issue for up to two years.

In any case, it is essential that the Congress become involved in the timely resolution of this issue in a way that properly balances the law enforcement and national security interests with those of the public to protect its sensitive information.

Footnotes

[1] This paper represents my personal opinions and not necessarily those of any organization with which I am affiliated.

[2] White House Press Release, April 16, 1993.

[3] AT&T Telephone Security Device brochures presented to the Congressionally chartered CSSPAB in September, 1992.

[4] Testimony by Dr. Clinton Brooks on June 2, 1993, before the CSSPAB.

[5] The Government has chosen to call the process of storing keys for access by law enforcement authorities "key escrow." The term "escrow" has specific legal meaning, and its use here implies a legal formalism beyond what appears to be provided. The draft Escrow Encryption Standard cites a definition of escrow as having delivered something "to a third person to be given to the grantee only upon fulfillment of a condition." As pointed out by Janlori Goldman, both the "escrow agents," who will hold the keys, and the law enforcement community are part of the Executive Branch of the Federal Government and can hardly be considered truly third parties in the legal sense. Rather than "key escrow," many refer to this simply as "the Government has your keys."

[6] The Washington Post, April 17, 1993, page 1.
[7] Skipjack is the name for the encryption algorithm used in the Clipper Chip.

[8] "SKIPJACK Review Interim Report: The SKIPJACK Algorithm," July 28, 1993, by Ernest Brickell, Dorothy Denning, Stephen Kent, David Maher, and Walter Tuchman.

[9] The Skipjack team cites several exhaustive key search attacks on the Skipjack 80-bit key space that are useful when compared with the present U.S. Government approved-for-export 40-bit key size. They postulate a $50M machine consisting of 100,000 processors that takes 4 million years to exhaust an 80-bit key space. Such a machine could check a 40-bit key space in 8.15 hours. They also speculate on a $1.2B machine with a 1GHz clock speed that takes 1 year to search an 80-bit key space. A machine 10,000 times slower or with 1/10,000 the processors could check a 40-bit key space in just over 1 second. An 80-bit key space is very strong and a 40-bit key space is extremely weak!

[10] Sponsored by the Software Publishers Association, prompted in part by U.S. Government officials' insistence that they were unaware of the availability of foreign cryptographic products.

[11] Dr. Ray Kammer, Deputy Director of NIST on July 30, 1993, at the CSSPAB hearing.

[12] Federal Information Processing Standard (FIPS) Publication Number 46.

[13] "Key Escrow Encryption Technology," from John D. Podesta, Assistant to the President and Staff Secretary for the White House, to Jerry Berman of the Digital Privacy and Security Working Group, dated July 29, 1993.

[14] From the Preface of The Code-Breakers by David Kahn.

[15] H.R.2401 as reported by House committee, July 30, 1993, House Report No 103-200, Item 77: (34) Sec. 262. Comprehensive Independent Study of National Cryptography Policy. This bill is scheduled for further action on Sept. 8.

APPENDIX A

What can law enforcement expect from wiretaps in the future?
The FBI and other law enforcement experts have made strong and sometimes impassioned pleas that we not let technology advances deny them the opportunity to tap into phone conversations of illegal activities. Acknowledging the relatively small number of wiretaps per year and the difficult process that the court system requires for obtaining a wiretap, they argue persuasively that the value of wiretaps in organized/white collar crime is invaluable and must not be lost.

The possibility of encountering scrambled communications that cannot be decrypted is the concern being addressed by the Government's Clipper initiative. However, there are many other concerns inherent in the digital telephony issue that were acknowledged by the FBI during the Board's hearings to be of greater concern than encryption.[1] One of the very serious aspects of this problem involves extending wiretaps beyond the "reach" of the telephone central office. A wiretap on a home phone can be effected entirely at the telephone company central office. A wiretap on a business phone connected by a private branch exchange (PBX) cannot be directly tapped by the phone company. In earlier proposed legislation, the FBI sought technical solutions to the digital telephony problems that would ensure they would not lose their ability to wiretap illegal communications.

Few would argue that the public wants the law enforcement community to provide effective protection against all forms of criminal activity. This situation argues strongly for keeping wiretaps as effective as possible for the benefit of the law enforcement community and the public in general.

But what is the future for wiretaps, anyway?

Since key escrow procedures have been identified as the Government's fundamental means of ensuring the continuation of effective wiretaps, it is essential that we examine just how effective wiretap capabilities will be in the future, whether we establish key escrow procedures or not.
Today (prior to the recent AT&T phone security announcement), only a few relatively expensive telephone encryption capabilities are available, and very few wiretaps encounter encrypted communications.[2] Today, the general public and apparently most criminals use the public phone system to communicate without additional protection and are thus subject to conventional wiretaps.

One way to understand how things may turn out in the future is to postulate a series of scenarios and examine the different outcomes.

If we do nothing:

There are techniques available today for encrypting phones; however, because this whole topic of wiretaps and encryption has until now been of obscure interest only to technicians, the criminal element probably has not bothered to use them. Now that high-level attention is being called to this issue, one can easily conjecture that sophisticated criminals (those who understand the threats to their activities and the availability and cost of countermeasures) are actively looking for ways to protect themselves from wiretaps. In this scenario, the Government will retain the ability to tap the communications of ordinary citizens and average criminals but lose access to the communications of the sophisticated criminal.

If non-key escrow devices become widely available: