NSA response to EFF Clipper Q's

[David Farber <farber () central cis upenn edu>]

RTo: cypherpunks () toad com
Cc: ld231782 () longs lance colostate edu
Date: Wed, 01 Sep 93 23:21:58 -0600
From: "L. Detweiler" <ld231782 () longs lance colostate edu>






An EFF Online newsletter previously reported highlights from a list of
questions submitted to the NIST/NSA regarding Clipper. That entire
document is now available on ftp.eff.org in
pub/EFF/legislation/clipper-answers. It makes reference to attachments
on chip specifications that are not present in the text file.  Overall,
the document has rather numerous typographical errors for a government
document, and it's unclear whether this is the result of the EFF
scanning or whether they are in the original document. Also, at this
point in the swift-moving arena, the responses are fairly dated, coming
out long before the close of the expert review of the algorithm and a
CSSPAB meeting at the end of July.


Items in this review of the Clipper comments:


- encryption regulation
- constitutionality
- Mycotronx, VLSI rationale, history of Clipper
- Presidential directive & review procedure
- key escrow in software
- history of Skipjack
- identification information in key escrow databases
- notes on wiretap protocol
- NSA cryptographic control wish list
- Capstone capabilities
- policy review
- Clipper: a status report


Encryption Regulation

---


The major revelation in this document as reported here previously is
the statement that the Administration has progressed far enough in the
`policy review' to determine that `regulating private encryption' would
be `imprudent' and `drastic' and that no new legilsation will be
proposed to `limituse of encryption technology'. Unfortunately, in the
characteristically maddening bureacratic doublespeak of the NSA, the
previous statements suggest that this is the case only `because these
measures may be sufficient to make key escrow encryption [widespread]'.
Nevertheless the statement is extremely significant given various
ominous sound bites in the media that suggested very clearly that
cryptographic regulation was definitely `on the table' for consideration.


Constitutionality

---


The other major revelations as reported in the EFF document are the
explicit attention to constitutional issues. However, the response is
not very meaningful except to deny that any are relevant. In
particular, it does not indicate the constitutionality of any
enforcement or regulation in the area.


> The key escrow technology only ensures that government agencies, will be
> able to decrypt intercepted communications when lawfully authorized. It
> neither expands nor contracts federal, state or local law enforcement
> authority to access and decrypt communications. The key escrow technology
> simply assures the continued feasibility of lawful electronic surveillance
> under statutes that have long since been determined to be constitutional.


Mostly the document is just a reformulation of the following idea in
various ways:


> it became clear
> that a strategy was needed that could accommodate the needs of the private
> sector for top notch communications security; of U.S. industry to remain
> competitive in the world's secure communications market; and of U.S. law
> enforcement to conduct lawfully-authorized electronic surveillance.


Clearly, the writers' favorite words are `authorized' and `lawful' and
here we are doubly reassured.


Mycotronx, VLSI

---


Here are a few other significant details in the response. For the first
time there is official confirmation that the proposal goes back far
previous to the Clinton administration:


> The logic design contract for the microcircuit was awarded to MYKOTRONIX,
> Inc.  of Torrance, California, in late 1991


Mykotronx was chosen because:


> This company provided a
> unique combination of (i) expertise to quickly design custom cryptographic
> chips, (ii) secure facilities, and (iii) the cleared personnel (At the TOP
> SECRET level) necessary for the successful execution of the contract
> requirements.


Which makes me wonder. Has anyone with any serious sway in the NSA
noticed the stolen Mycotronx documents yet? I would love to see the
response to an FOIA inquiry on this one. Do they care? Did any heads
roll at Mycotronx?


> VLSI Technology of San Jose, California, was chosen as the chip foundry
> based primarily on its technological capabilities to fabricate
> microcircuits resistant to reverse engineering Selection of the vendors was
> in accordance with U.S.  government rules for sole source procurement.
> other manufacturers that wish to enter the market and can satisfy the
> technology and security requirements will be approved to manufacture these
> microcircuits.


Here we have the highly implausible suggestion that other companies
will be considered to manufacture the microcircuits. Fat chance.


Presidential Directive

---


The document gives more detail about the Presidential Review Directive
and Presidential Decision Directive behind Clipper.


> The PRD called for interagency studies examining a number
> of issues including, for example, the impact of the key escrow strategy and
> the feasibility of implementing the key escrow technique in software.
> Another issue to be addressed in the course of the review is the impact of
> advanced telecommunications on law enforcement. While analogous in the
> sense that both encryption and advanced telecommunications technology can
> impede the effectiveness of authorized law enforcement electronic
> surveillance, the two technologies present different issues and are being
> treated separately. The results of the reviews are expected early this
> fall.


Hence, the `feasibility of implementing the key escrow technique in
software' is `under review.' Later in the document, we have the point:


> Because software is easy to change, secure software implementations of the
> key escrow technique have been difficult to devise. We would welcome the
> participation of the software industry in a cooperative effort to meet this
> technical challenge.  of course, users may continue to use existing
> software encryption products.


I don't recommend cooperating with the NSA in trying to devise `secure
software' -- first of all, the suggestion that they will even have
`security' in chip hardware is a fantasy and illusion; secondly,
software is inherently free and unchained and nothing the NSA invents
can ever change that; thirdly, cooperating with the NSA can be
hazardous to one's economic health; and finally, probably no one in the
NSA seriously believes that secure software implementations are
possible, and are just throwing this out for cynical effect.


Skipjack

---


Information on SKIPJACK, confirming suggestions by some (e.g. A. Walker
on sci.crypt) that the algorithm is based on earlier defense-oriented
schemes in a long line of development:


> Was the encryption algorithm specifically designed for the key escrow
> initiative?
>
> No. The algorithm chosen for the key escrow microcircuit was originally
> developed by NSA for use in U.S. government communications systems, albeit
> not in the management of our nuclear arsenal as some have speculated.
> Essentially the same cryptographic technology was under government
> development and analysis for more than ten years.  Although NSA does not
> comment on the details of its design and analysis, the algorithm has
> undergone intense expert scrutiny comparable to that used in the analysis
> of cryptography intended for classified government systems. While the
> algorithm was originally developed for unclassified defense systems, it
> will be considered for certain classified applications in the future.


Key Escrow Databases

---


What about identification associated with keys in the databases? The
NSA is in a catch-22 here. If there is nothing but serial numbers in a
database, how do the key escrow agencies ensure that key IDs requested
for wiretapping are associated with the given entities named in
warrants? If they are present, how could such a scheme be maintained in
anything other than an Orwellian Totalitarian Dystopia? The following
is the first explicit commitment to total lack of identification
information in the databases:


> Some have expressed concerns that personal information could be contained
> in the key escrow databases.  The only information held by a key escrow
> agent will be the chip serial numbers and the key component associated with
> that number.  Since the information in the key escrow databases will not be
> associated with any particular individual, the database would be of no use
> in identifying individuals or otherwise obtaining personal information
> about them. Therefore, a key escrow agent will have no information about
> the person owning or using equipment containing a microcircuit for which it
> holds keys. Requests for a key component will be for a particular chip
> identification number. No information regarding the identity of the target
> of the authorized electronic surveillance will be provided to the key
> escrow agents.


Wiretap Protocol

---


Interestingly, they say that when a wiretapped device is moved to a new
phone number, they don't have the authority to tap it any longer:


> If the subject of A surveillance were to move the device to another
> location (and another telephone number), law enforcement authorities could
> not legally monitor communications at other locations. This is because, as
> noted above, electronic surveillance of wire or electronic communications
> must be directed at some identifiable telephone, cellular telephone, or
> computer facility.  Therefore, before law enforcement authorities can
> legally monitor any other telephone number in an effort to locate the
> subject's encryption device, they must first satisfy a court that there is
> probable cause to believe that illegal communications will occur over that
> line.


Major criticism is based on the fact that once a given key has been
released, a phone is forever in the future insecure. For the first time
we have the assurance


> As added protection, law enforcement will have access to a key only so long
> as it has authority to conduct a surveillance.  Systems are being designed
> to ensure that keys are destroyed when the authority to conduct a
> particular electronic surveillance has expired.


NSA wish list

---


We get a wish list of realms in which the NSA would like to control
domestic cryptography:


> Concerns have been expressed about use of this key escrow technology and
> these chips, in particular, across the panoply of new emerging
> technologies, such as ISDN, TDMA, Cellular, CDMA Cellular, ATM, SONET,
> SMDS, etc.


Don't forget PEM -- D.D. gets really excited about that one.


> It impossible to design key escrow encryption techniques that
> are almost totally transparent to the system, given the transmission media
> together with its propagation characteristics.  Optimally, the system
> should be designed with the encryption, if possible. The government intends
> to work cooperatively with industry toward this end.


Yes, just what every cryptography company wants, their personal NSA
consultant breathing down their circuits.


Capstone Capabilities

---


Here's some notes on Capstone. Most capabilities also indicated by D.D.
in her writings:


> In addition to the key escrow technology contained in the
> encryption-only chip, the enhanced chip also includes a Digital Signature
> Algorithm proposed by NIST as a FIPS; a Secure Hashing Algorithm (SHA)
> recently approved as FIPS 180; a Key Exchange Algorithm based on a public
> key exchange, a general purpose exponentiation algorithm; and a general
> purpose, random number generator which uses a pure noise source. This chip
> is now being considered for installation in PCMCIA electronic cards and for
> use in the Defense Messaging System.


Personally, I wonder if the NSA intends to phase out Clipper from the
beginning. The implementation could encrypt the law enforcement field
under that more low-level chip. The Capstone chip will be the NSA's
little `black box' miracle in every machine.


Policy Review

---


Finally, there are the indications that the `policy review' done in the
Fall will cover the exportability of key escrow and the future
cryptographic export control policy in the country concerning
`marketability and foreign competition'. While everyone is desperate
for a breakthrough here, the likely announcement will be that `no
export restrictions will be placed on Clipper' and since the technology
is completely suitable for all cryptographic applications (smirk) no
other cryptographic devices will be approved for export. That's my guess,
anyway.


Clipper: a status report

---


Current progress report on Clipper: the most serious hurdles for the
NSA right now are imposing the Clipper FIPS standard and the DSA patent
arrangement with PKP. The NSA has long demonstrated its complete
obliviousness and imperviousness to public opinion no matter how loud
or negative (consider early DSS endorsement). However, for the previous
two standards, it has reached unprecedentedly screeching levels. The
government will find it *extremely* difficult to go ahead with either
in the face of almost uniformly hostile reception to both. Doing so is
likely to raise a much larger outcry and warrant more desperate
approaches on the side of the opposition (ala Zimmermann's `guerilla
cryptography').


The future revelations in the DSS, Clipper, and `policy review' topics
will be critical in indicating whether the NSA will take a more low-key
and unobtrusive stance in regulation of domestic cryptography, with the
original Clipper announcment its boldest step ever, or whether it will
become even more paranoid and volatile in attempting to control and
strangle natural, evolving domestic cryptographic developments. If you
value your freedom, pray for the former.