Interesting People mailing list archives
TIS Comments on Escrowed Encryption Standard from Stephen Walker
From: David Farber <farber () central cis upenn edu>
Date: Thu, 30 Sep 1993 09:32:06 -0400
September 28, 1993

Director, Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, Room B-154
Gaithersburg, MD 20899

Attn: Proposed FIPS for Escrowed Encryption Standard

Dear Sir:

On behalf of TIS, I hereby submit our very serious objections to the referenced proposed Federal Information Processing Standard (FIPS) and our recommendation that this proposal be rejected by the Department of Commerce for consideration as a FIPS. Our objections are in three all-encompassing areas. First, this draft is a corruption of the basic FIPS process itself. Second, it is a technically content-free standard. Third, it lacks any evidence of an economic analysis of the cost-benefit relationship of the proposed key escrow process.

1. Corruption of the FIPS Process

This proposed FIPS deviates so significantly from the "normal" FIPS process that it violates almost thirty years of tradition of open standards that have been subjected to repeated public scrutiny and are as technically sound as any public process can make them. Independent of the contents of this proposed FIPS, this shift in the FIPS process itself must be resisted if we are ever to have technical standards that are acceptable to the public again.

The traditional FIPS process, as represented by the very recent FIPS 140-1 proposal, typically involves the generation of a set of technical ideas which are discussed in public workshops and seminars, followed by a draft proposed standard which is widely distributed for public comment, often followed by several iterations, each attempting to meet the technical concerns of particular segments of the public and, eventually, resulting in a FIPS document that represents an acceptable compromise of technical ideas.

This process, amazingly similar to the way Congress passes legislation, however long and frustrating, is undoubtedly the best process we will ever devise for producing a publicly acceptable standard that will be implemented by industry and yield products that can be purchased by consumers as well as the Government.

The Escrowed Encryption Standard (EES) proposed FIPS completely ignores this process and puts forth, in the briefest, technically content-free document possible, a proposal which forces the public to rely completely on secret information that they will never be able to examine or understand. Secret specifications may be a necessary part of developing equipment and procedures for protecting classified national security related information. But they have no place in a free society in protecting unclassified Government and commercial information.

One must assume that the technicians that have devised the classified background for this FIPS shell are good at what they are doing (though the rumored further delay in availability of Clipper chips to the first quarter of 1994 does not build one's confidence). But one must question the need for such secrecy and the price the Government will pay for being unwilling to share the technology by which it intends to protect our unclassified information.

There are alternatives to key escrow encryption that are technically sound and could follow the traditional FIPS approach. There are multiple instances of telephone security devices that are presently commercially available using proprietary approaches that could serve as a useful model for a FIPS. There is a long tradition, dating back at least to the Data Encryption Standard, by which NIST seeks proposals from industry and negotiates to have complete rights granted to the public to use the approved commercial approach.

For unspecified reasons, NIST has chosen to abdicate its FIPS procedures and, without seeking public suggestions, to proceed directly with this unorthodox classified FIPS approach. The only apparent reason given for the haste with which this process is proceeding is that "the President said he wanted it." Apparently, the staff people who prepared the President's statement of April 16, 1993 on the Clipper Initiative included comments to the effect that NIST should proceed quickly to develop a FIPS covering key escrow procedures. I do not believe that President Clinton would have signed the April 16 announcement had he understood, when he signed it, that he was asking for such a corruption of the technical process by which FIPS are developed.

2. Technically Content-Free Standard

This proposed standard contains so little specific information that it is almost totally useless to anyone attempting to implement a key escrow telephone system. The single most important motive for a FIPS is to establish a means for interoperability among multiple vendors' products. If there is so little information available in the FIPS that no one knows how to implement it without a classified contract, then I believe this document should not be called a FIPS. It relies upon specifications of the encryption/decryption algorithm (SKIPJACK) and the LEAF Creation Method 1 (LCM-1) that are classified.

There is precedent in a very brief FIPS (FIPS 107 on Local Area Networks), but, in this case, the FIPS references a publicly available, extensively reviewed and unclassified American National/IEEE/ISO Standard (802.3) that gives complete specifications for implementing that standard. Anything less than this should be unacceptable as a FIPS.

3. Lack of a Cost-Benefit Analysis

The entire key escrow process, as it has been reported in public over the past six months, seems to be devoid of any analysis of what it will cost versus what it will accomplish. Perhaps the Government has performed such an analysis, but I am unaware of any indications to that effect.

In the same spirit that I offered my comments on the fundamental flaws in the NIST proposal to license the Digital Signature Algorithm to the Public Key Partners Corporation, I now offer the following relatively superficial analysis of the law enforcement benefits of key escrow. I hope this simple look will be augmented by better information from the Administration that will show that I am wrong in my approach and/or conclusions.

If one estimates the number of telephone security devices that may be in use in the U.S. in the next ten years, one must acknowledge that, for the most part, the general public will not spend the extra money to protect its routine phone calls from an unforeseen threat. Businesses will probably purchase these devices for their executives but not bother for the bulk of their routine transactions. As a result, I estimate that, optimistically, as many as ten percent (10%) of the public phones in the U.S. may be protected with security devices in the next ten years.

Given that the Administration has assured us that the public will not be prohibited from using alternative encryption systems, when one considers how many of these devices will be key escrow devices, one must take into account already available competing devices such as the AT&T proprietary 3600s and the Cylink DES devices which do not use key escrow procedures. I estimate that of the installed devices, no more than fifty percent (50%) will be key escrowed devices in the next ten years.

The number of Title III wiretaps that take place in a given year is approximately 4,000 (the number of court-ordered wiretaps is approximately 800 times an average of 5 physical taps per court order). If my estimate of the number of key escrow phone devices is accurate and those estimates represent the population of phones that the law enforcement authorities expect to encounter when placing a wiretap, then we should see approximately 200 actual key escrowed phone taps in any given year, or approximately 16 per month; 1 every 2 days or so. This is hardly enough to justify all the key escrow administrative expenses.

Unfortunately, the estimate of five percent (5%) of the U.S. phones having and using key escrow devices is not likely to be representative of the population of phones that law enforcement authorities will encounter. Business executives will use key escrow phones, but those that do not want their calls monitored by anyone will choose devices that are not subject to key escrow. So even the optimistic numbers cited above are probably overly optimistic. One cannot avoid commenting that it appears the key escrow agents will no doubt make the Maytag repairman look like a beehive of activity.

I recognize that there may be an EES II on the way that will extend key escrow to computer communications and perhaps increase the activity of the key escrow agents. On the other hand, presumably any Title III wiretaps of computer communications are already included in the estimated 4,000 wiretaps per year, so perhaps not. And for this, how much will it cost to operate the key escrow process? Does anyone know?

I offer the above admittedly superficial analysis in the hope that the Administration will be forthcoming with better documented estimates to justify why it is so intent on proceeding so quickly down the key escrow path. I fear that the proposed EES is just a symptom of a process that seems out of control. One can only hope that the President's Interagency review of cryptography, which is expected to reach its conclusions soon, will recognize that there really is no need to proceed at such great speed and that the Administration and the public will be much better served by using a somewhat accelerated FIPS process, one that makes use of public technical input, in establishing the U.S. public telephone security policy for the next twenty or thirty years.

Slow down and look at the alternatives! We cannot afford not to!

Sincerely,

Stephen T. Walker

cc: John Podesta