Phil Karn's comments to NIST (Phil is an old hand)

[David Farber <farber () central cis upenn edu>]

                                        7431 Teasdale Avenue
                                        San Diego, CA 92122
                                        karn () unix ka9q ampr org
                                        September 27, 1993






Director, Computer Systems Laboratory
ATTN: Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD 20899


Re: A Proposed Federal Information Processing Standard for an Escrowed
Encryption Standard (EES)
Docket No 930659-3159
RIN 0693-AB19


                Comments of Philip R. Karn, Jr


Sirs:


I am writing in response to your call for comments on the
aforementioned matter that appeared in the Federal Register on July
30, 1993. I am writing as a concerned individual with BS and MS
degrees in electrical and computer engineering and 15 years of
professional experience in communications, computer networking and
security at leading edge R&D organizations. I currently work in the
digital cellular telephone industry, a ripe application for robust
encryption if there ever was one. I feel that my experience in this
field qualifies me to comment on the practicality of the proposed
standard.


First of all, I am totally opposed to the entire concept of key
escrow. It is a dangerous, un-American and fatally flawed idea that
should never have been proposed. In my opinion, everyone has the
Constitutional right to use the encryption scheme of their choice,
whether or not the government can break it. The impact of strong
encryption on the enforcement of legitimate laws is and will remain
minimal.  Even unbreakable encryption is incapable of thwarting
standard investigational techniques such as informants, testimony
compelled through grants of immunity, "end point" surveillance (e.g.,
hidden microphones), the gathering of physical evidence of crimes and
so forth.


Strong un-escrowed encryption will, on the other hand, finally put an
end to illegal, often politically motivated interceptions of private
electronic communications without having to rely on anyone's goodwill,
such as the still-unnamed "key escrow agencies". Precisely because
eavesdropping has been so easy to do and so hard to detect, the
government has repeatedly proven itself untrustworthy in this regard,
as documented in great detail by the Watergate investigations and the
Church Committee hearings of the 1970s. Why should we trust it now?


Although the government currently claims that the EES will be a
"voluntary" standard, many of its features make no sense whatsoever in
this context.  For example, why must the Skipjack algorithm be kept
secret if individuals remain free to use other algorithms such as
triple-key DES or IDEA that are quite probably even stronger?


The government's claim is completely transparent, as one simply cannot
escape the conclusion that the EES is a prelude to a ban on all other
encryption schemes, or at least a ban on those the government can't
crack. And this presents a profoundly disturbing threat to some very
important Constitutional principles.


Countless others have argued forcefully against the proposal on these
and other grounds. For example, see the points made by the Computing
Professionals for Social Responsibility (CPSR) in the attached
Appendix. I fully agree with CPSR and feel that they alone should have
been enough to stop the proposal long ago.


However, the fact that the Escrowed Encryption Standard has advanced
so quickly despite these serious problems reveals the totally
one-sided nature of the decision process. Far from being an
independent and impartial agency, NIST has proven itself to be merely
a pawn for the National Security Agency, the Federal Bureau of
Investigation and other powerful intelligence and law enforcement
agencies.  Despite (or perhaps because of) encryption's enormous
potential to put real "teeth" into the Constitutional principles of
privacy and freedom of speech and association, these agencies are
notably unsympathetic to the widespread use of strong encryption. By
their very nature, these agencies are unlikely to be persuaded even by
the most profound concerns about civil liberties.


Therefore, as strongly as I oppose the EES on philosophical grounds,
restating these arguments here in further detail would be a waste of
time. I would instead like to dwell on one particular practical
drawback to EES as proposed, one that renders it utterly useless for
its intended purpose.


THE EES IS UNACCEPTABLE BECAUSE OF ITS HARDWARE-ONLY NATURE


Many of the potential applications for the proposed standard involve
mass produced and highly miniaturized consumer electronics devices
where the physical space and power requirements, cost and availability
of each of thousands of hardware components is of critical
importance.


In such products, there is a very strong preference to implement as
many functions in software as possible.  There are many reasons for
this: general purpose microprocessors and memories tend to be produced
in much higher volume than special purpose devices, thus providing
substantial economies of scale; software can be upgraded more easily
in a production run or after sale than can hardware; and once written,
software has essentially zero incremental costs of production. Indeed,
even the incremental hardware cost of adding a particular software
function is often also zero, thanks to the unused ROM, RAM and CPU
cycles often found in imbedded microcomputer systems.


Driving this emphasis on software are the fights marketing people and
design engineers regularly have over the use of individual parts
costing as little as a few pennies each.  The smaller and lighter the
product, the greater the price it will command in the marketplace,
even if it is functionally equivalent to a larger and heavier
product. No rational designer will add a part to do something that he
could easily do in software.


In my own field, digital cellular telephony, it is clear that strong
encryption using published algorithms can easily be implemented in
software on existing microcontrollers, particularly at the low data
rates involved.  The MYK-78 chip, rumored to cost $90-$100 each and
capable of running at megabit rates, is enormous overkill that the
extremely competitive cellular market cannot afford. It is a complete
non-starter.


Even if a chip like the MYK-78 were redesigned to cost substantially
less, designers will be extremely reluctant to use highly proprietary
devices available from only a single supplier. No rational
manufacturer will make his production line depend entirely on the
health of a single small company, especially one such as Mykotronix
with whom so few have any prior experience.


Summary


The Escrowed Encryption Standard is not only fatally flawed on any
number of Constitutional considerations, its sole reliance on hardware
implementation makes it completely impractical and uneconomical for
the mass consumer market.  It is likely that the proposal is nothing
more than a cynical attempt by federal intelligence agencies to be
seen "helping" to secure civilian communications while actually doing
everything possible to thwart actual progress.  However, in the hope
that NIST is sincerely interested in truly meaningful and practical
security for all, I offer these comments.


The present proposal should be completely abandoned. Furthermore, NIST
should advocate the complete removal of roadblocks (particularly
export controls) that have so far effectively thwarted any real
progress by the civilian communications industry to apply widely known
cryptographic techniques to its products.




                                        Sincerely,




                                        Philip R. Karn, Jr.

Appendix


The following text was taken from an electronic message from Computing
Professionals for Social Responsibility (CPSR) that was widely distributed
on the Internet. I fully agree with each of the points that are made.


* The potential risks of the proposal have not been assessed and 
many questions about the implementation remain unanswered.  The 
NIST notice states that the current proposal "does not include 
identification of key escrow agents who will hold the keys for the 
key escrow microcircuits or the procedures for access to the 
keys."  The key escrow configuration may also create a dangerous 
vulnerability in a communications network.  The risks of misuse of 
this feature should be weighed against any perceived benefit.


* The classification of the Skipjack algorithm as a "national 
security" matter is inappropriate for technology that will be used 
primarily in civilian and commercial applications.  Classification 
of technical information also limits the computing community's 
ability to evaluate fully the proposal and the general public's 
right to know about the activities of government.
 
* The proposal was not developed in response to a public concern 
or a business request.  It was put forward by the National 
Security Agency and the Federal Bureau of Investigation so that 
these two agencies could continue surveillance of electronic 
communications. It has not been established that is necessary for 
crime prevention.  The number of arrests resulting from wiretaps 
has remained essentially unchanged since the federal wiretap law 
was enacted in 1968.


* The NIST proposal states that the escrow agents will provide the 
key components to a government agency that "properly demonstrates 
legal authorization to conduct electronic surveillance of 
communications which are encrypted."  The crucial term "legal 
authorization" has not been defined.  The vagueness of the term 
"legal authorization" leaves open the possibility that court-
issued warrants may not be required in some circumstances.  This 
issue must be squarely addressed and clarified. 


* Adoption of the proposed key escrow standard may have an adverse 
impact upon the ability of U.S. manufacturers to market 
cryptographic products abroad.  It is unlikely that non-U.S. users 
would purchase communication security products to which the U.S. 
government holds keys.