Interesting People mailing list archives
The Clipper Initiative part 3 of 3
From: David Farber <farber () central cis upenn edu>
Date: Tue, 31 Aug 1993 16:22:28 -0800
In the absence of any other actions by the Government, if non-key escrow telephone encryption devices (such as the new AT&T devices) become widely available, then the sophisticated criminal will use these devices to protect his or her communications from wiretaps. That is the stated reason3 that NSA reacted so strongly against the original AT&T DES phone security device. Other criminal elements (the average ones) will probably keep using the phone system without protection. Thus the Government will again retain the ability to tap the phones of ordinary citizens and average criminals but lose the ability to tap the phones of sophisticated criminals. If the Government equips every phone with key escrow: Suppose the Government decided that the wiretap issue is of such importance that it would pay to have every phone in the country equipped with a key escrow capability so that all phone calls would be subject to easy decryption in the case of a wiretap. Most citizens and average criminals would no doubt continue to use the new key escrow phone system in the same way they use phones today, thus remaining subject to wiretaps. However, sophisticated criminals, realizing what is happening, would likely resort to other means (such as super encryption or use of the new AT&T devices) to protect their communications on top of the key escrow devices, thus exempting themselves from wiretaps. In this scenario, the Government will retain the ability to tap ordinary citizens and our average criminals but still lose access to the communications of the sophisticated criminal (if this looks repetitive, it is). Or, if the Government outlaws all non-key escrow encryption: Another scenario is the often mentioned case in which the Government outlaws all forms of encryption except those that use key escrow. (Please ignore the civil liberty issues that would arise from such an action for this discussion.) Once again most citizens, including average criminals, would continue to use the phone system (mostly in the clear with only limited key escrow capability installed), the same as they do now. These people would continue to be subject to the same level of wiretap as today. But the sophisticated criminal who is undeterred by using illegal technology will have no qualms about supplementing his or her telephone security and thus will be able again to escape law enforcement's wiretap capability. Once again, the result is the same as for the preceding scenarios. Or, ... others? The reader is encouraged to examine other scenarios. But I postulate that all will result in the same conclusion we saw repeatedly in the above cases: in the future, for those elements who wish to protect their communications against interception by the Government or anyone else, there is nothing the Government will be able to do to stop them. Key escrow procedures will not alter this situation. Technology evolves, whether we like it or not The Government, like other elements of society, is subject to shifts in technology, which in some cases bring forth new and wonderful capabilities but at times also eliminate capabilities previously enjoyed. The laser reader at the grocery checkout allowed grocery chains to run much more efficiently but also took away individual pricing, which many people dearly miss. The bomber was a terrifying threat until radar allowed improvements to defensive measures. Stealth technology has now shifted that balance again to the offensive. But we don't hear cries to ban stealth technology or to insist that the other guy put a little reflector on his Stealth planes so our radar can detect them. We accept the shift in technology for what it is and do as best we can. The balance of technology has long favored the ability to wire tap communications. With widespread use of private branch exchanges and cryptography, that balance will shift no matter what else we might do to attempt to slow it. We must be careful in our haste to impede this technological shift lest we introduce expensive and invasive capabilities that do not achieve what we desire. Footnotes for APPENIX A 1 Jim Kallstrom, FBI, in answer to a question before the CSSPAB on July 29, 1993. 2 Jim Kallstrom, FBI, in answer to a question at a Clipper Briefing April 24, 1993, at the New Executive Office Building, Washington, DC. 3 Testimony by Dr. Clinton Brooks on June 2, 1993, before the CSSPAB. APPENDIX B How will key escrow work? The original Clipper announcement indicated that the Initiative was to be used for telephone-like communications, at least for now. Many in the computer industry have been concerned about the impact of a hardware-only key escrow solution on their ability to supply products employing cryptography. An examination of the information supplied to date on key escrow provides a basic understanding of how key escrow will work domestically in telephone systems but little insight into its use in computer systems, or internationally. On July 30, 1993, NIST unveiled a draft "Escrowed Encryption Standard" that describes, often in purposefully vague terms, how a key escrow system will work. It includes a statement of applicability for voice, fax, and data limited communication levels of up to 14.2 Kbps and below. (For those not into communications jargon, that amounts to voice-grade, point-to- point communication links such as when one picks up the phone to dial another person or send a fax.) The application of key escrow to high bandwidth computer communications networks is apparently being left for later documents. The Government has insisted that the encryption being used for key escrow must be kept secret and only made available in hardware versions that are highly tamper resistant so that the key escrow measures cannot be subverted or bypassed. First for telephones ... The operation of telephone security devices (such as the AT&T 3600 "bump-in-the-wire"), in the absence of key escrow, can readily be understood. In such devices, the user (typically a person rather than a computer) places a phone call and, once a connection has been established with the desired parties, presses the "secure" button which initiates the synchronization of both parties' encryption devices. At this point encrypted communication proceeds until either party hangs up or presses the "clear" button. This is approximately how the original AT&T 3600 that uses the DES operates. The addition of key escrow to such a device occurs approximately as follows. After the "secure" key is pressed and the cryptographic synchronization has taken place, each device generates a special "Law Enforcement Access Field" (LEAF) and exchanges it with the device at the other end of the connection. The LEAF contains, among other things, an encrypted version of the device's unique identification number. If a wiretap is in place when the "secure" key is pressed, the wiretap authorities will be able to detect the LEAF and extract the unique id, which can then be sent to the Government key escrow agents (two of them are envisioned at present for added protection from improper use). Each key escrow agent will return his/her instance of the device's unique key in encrypted forms that together will allow the wiretap authority to decrypt the scrambled communications. The equipment that the wiretap authority will need to detect key escrowed telephone communications and ascertain the target device's unique id will be relatively straight forward. Once it detects the synchronization exchange between encryption devices, it need only wait until the LEAF is sent to pick up the device's ID. How will the exchange with the key escrow agents take place? How the actual exchange between the law enforcement authority and the two key escrow agents will occur has not been publicly stated (at least as of this writing1). The escrow agent must determine that the law enforcement authority has a valid wiretap court order even though he or she must not be told whom the wiretap is for or to whom the device ID belongs. The exchange between the wiretapper and the two key escrow agents must happen quickly because real-time taps of urgent phone calls may be taking place. Under these circumstances, it is difficult to comprehend what particularly critical role the escrow agent is performing since he or she has virtually no information on which to base a decision to send the device's unique key to the wiretapper. It is also difficult to see how the audit trail that each escrow agent must keep will be of any value in detecting misuse of the system since all it contains is the fact that a requested key was returned to a particular wiretap authority at a particular time. How many intercept devices there will be has not yet been determined. One per law enforcement jurisdiction seems too many, one per locality having wiretaps last year doesn't seem right, and a few stockpiled in Washington with the key escrow agents feels wrong. And who will pay for all of this? How much the key escrow service will cost and who will pay for it have not yet been determined either. Presumably, the Government will pay for the costs of acquiring, storing, cataloging, and accessing escrow keys, though it may seek an increase in the Federal excise tax on phone use to fund it. The user will have to pay for the device (unless the scenario in which the Government pays for everything comes about). The price of the AT&T devices today is approximately $1200 each. Presumably, the Clipper version of the AT&T device will not cost the consumer any more (even though because of the extra Clipper chip it will cost AT&T more to make). But unless the Clipper version is actually lower in price than the non-key escrow devices, it is difficult to see why a consumer will choose the key escrow version over the ordinary one. It also remains to be seen how many people are willing to pay extra (even if the price drops by a factor of ten) for any form of telephone security. ... and then for computer communications? Typically, computer-to-computer communications such as electronic mail do not involve a time synchronization between the sender and the receiver. One can originate mail that takes minutes or hours to deliver, and the receiver can take days to get around to reading it. So the equivalent of one user pressing the "secure" button to synchronize the encryption devices with the receiver does not exist. Today's electronic mail security services typically use a pseudo random number to encrypt the text of the message to be sent and then encrypt that message key using the receiver's public key to protect it during transmission and send it along with the encrypted message. The receiver's process looks up his or her private key, decrypts the message key, and then decrypts the message itself. It would be possible to have the originating process generate a LEAF and send it along with the message so that any wiretap could identify the unique ID of the sender. This would, of course, require a LEAF for every message sent. Is hardware-only encryption feasible? The Government has stated a firm requirement that the encryption process must be performed in hardware to protect the integrity of the encryption itself and the resulting LEAF. Clearly that portion of the system that does the encryption can be implemented in a hardware device or smart card or PCMCIA card. The electronic mail (or other) application system itself will at some level be implemented in software on a host computer, personal computer, or workstation. That software, while it probably cannot compromise the hardware, can certainly bypass it, leaving out or modifying the LEAF. Such action could result in unsuccessful decryption by the receiver's hardware device. But there are several scenarios in which groups of people who want to defeat the key escrow process will certainly be able to do so. The first case involves using another software encryption process (such as Pretty Good Privacy [PGP] or Privacy Enhanced Mail [PEM]) to superencrypt the message before sending it to the key escrow encryption hardware. The message would have a legitimate LEAF and be fully compliant with the latest version of the Escrowed Encryption Standard. But if the law enforcement authorities ever try to decrypt it, they will find the superencrypted message underneath. A second approach at defeating the escrow process would be for the software that processes the message after it has been encrypted by the key escrow hardware to save the LEAF and modify the one that is contained in the message so that it looks okay. The real LEAF could be forwarded in parts in other portions of the communications protocols so that the receiving system could reconstruct the proper LEAF, reinsert it in the message, and send the message to the key escrow decryption hardware. Any law enforcement use would, of course, be thwarted by the improper LEAF. A third approach would be to just encrypt the message after it has been through the key escrow hardware so that the message, LEAF and all, would be encrypted. Of course, if one is going to do this, one would not bother with the key escrow hardware in the first place. The point of all this is that truly hardware-only implementations of key escrow techniques are not possible in computer applications. Within a very short time after the introduction of key escrow systems, software patches for most popular application programs to defeat key escrow without detection (until a wiretap is attempted) will be available on free software bulletin boards everywhere. Anyone who wants to protect their communications from wiretap can do so easily without detection. Even if the Government were to mandate the use of key escrow hardware, one can quickly expect software implementations that look like the hardware output (but won't work on a wiretap) to crop up just to save the extra cost of purchasing the hardware. Interception complexity The problems for the interceptor are considerably more difficult than in the telephone case. First of all, the wiretap must capture all of the data being sent to be effective. This will be okay if the direct link to the user's computer is tapped, but much more difficult if only one of the many links in the wide area network over which the user's data is sent can be tapped, since only portions of the communications may be intercepted. The interceptor's device must understand all of the computer protocols up to and including the specific electronic mail or other application protocol to be able to find the LEAF in the maze of protocol layers. Given today's sophisticated protocol handling devices, building such an interception tool is not considered a technological challenge, but a general purpose tool capable of intercepting LEAFs in a wide variety of application layer protocol streams will be considerably more complex than the simple telephone interception device. Legal side of broad network wiretaps? It is also worthy of some legal scholar's review to determine if the provisions in the wiretap statute that require minimization of the intercept of traffic other than that associated with the actual wiretap target will render blanket searches of wide area network links illegal. It certainly will be hard to avoid examining massive quantities of information that have absolutely nothing to do with the wiretap target in such a search. All of these concerns taken together make it clear that implementing key escrow encryption in the large number of existing and future applications for computer communications will be a much more difficult task than that envisioned for telephone systems. And who will pay? Once again, presumably the Government will pay for the interception costs, but the user will have to pay for the actual hardware devices that are employed. The cost of $25 per chip translates into $100 per device, once it is packaged and documented for end user installation. If one envisions 10 million such devices put into operation in the next few years, that amounts to $1 billion in extra cost to the user community. This cost must be weighed against the essentially free software packages that are available. And for what capability? But does the FBI really need to obtain computer traffic by wiretap? In all the comments I have seen to date, no one has indicated that the law enforcement community needs wiretaps to obtain computer communications. Most computer systems have automatic backup capabilities that keep archive copies of all files in case of equipment failures. Law enforcement authorities can obtain copies of electronic mail or other computer files through traditional search warrant procedures instead of resorting to difficult-to-obtain wiretaps. A counter argument might be that searches yield historical data while wiretaps yield real-time data. But until there is a demonstrated need for a capability, we must not use the possibility that we might want something as the excuse to pursue a path that is contrary to technological evolution. Footnote for APPENDIX B 1 The information in this section of the paper is derived from the testimony of Mr. Geoffrey Greiveldinger, Special Counsel, Narcotic and Dangerous Drug Section of the Department of Justice before the CSSPAB on July 29, 1993.
Current thread:
- The Clipper Initiative part 3 of 3 David Farber (Aug 31)