Interesting People mailing list archives

tex version of USACM Crypto report. Note The IEEE US Activities committee also took a position. Sorr


From: David Farber <>
Date: Mon, 4 Jul 1994 14:58:09 -0400

rights.  PKP offered the government free use of the algorithm in exchange
for exclusive rights to Kravitz's algorithm.  Under the PKP proposal, DSS
users outside the Federal government would have to pay for use of the DSS
algorithm. Following public opposition, the government declined the offer.


There were other objections to DSS, most notably that NIST was promulgating
a weak standard.  NIST proposed a key size of 512 bits. Earlier work on the
algorithm had suggested that 512 bits ``appear[ed] to offer only marginal
security'' [LaOd, BFS].  Scientists complained that restricting the key size
unnecessarily constrained flexibility, and that improvements in algorithms
could quickly render the NIST standard obsolete. A flexible key size would
not have that difficulty.  These issues were similar to ones raised when
DES was proposed.


There were also differences from the DES situation, and these raised
concern.  For DSS, there had been no public request for proposals, and NSA
had designed the algorithm.  CPSR and members of industry and academia
asserted that NIST's reliance on NSA was directly contrary to the Computer
Security Act. These concerns were noted by Representative Jack Brooks, who
had served as Chairman of the House Government Operations Committee during
the passage of the Computer Security Act:


\begin{quote}


       [u]nder the Computer Security Act of 1987, the
       Department of Commerce [through NIST] has primary
       responsibility for establishing computer security
       standards including those dealing with cryptography.
       However, many in industry are concerned that in spite
       of the Act, the NSA continues to control the Commerce
       Department's work in this area.  For example, Commerce
       (at the urging of the National Security Agency) has
       proposed  a ``digital signature standard'' (DSS) that has
       been severely criticized by the computer and
       telecommunications industry [USHR-92, pg.2].
\end{quote}


DSS was proposed in 1991.  Public concerns  resulted in
modifications, including a flexible key size (key sizes from 512 to 1024
bits are permitted, in jumps of 64 bits).  Problems with the patent have
slowed the process, but on May 19, 1994, the government adopted DSS as a
Federal Standard [FIPS-186], announcing that the ``Department of Commerce
is not aware of patents that would be infringed by this standard''
[NIST-186]. James Bidzos, President of both PKP and RSA Data Security Inc.,
believes otherwise, ``We disagree.  There are a number of patents that we
believe cover DSS.''


\begin{center}
 Securing the Communications Infrastructure: Digital Telephony and EES
\end{center}


\noindent As the phone system has moved to a digital system, another issue
arises.  Encryption affects the government's ability to comprehend an
intercepted signal, but the government is also concerned about its ability
to intercept the signal. For this reason we include a discussion of the
FBI's ``Digital Telephony'' proposal in this chapter.


As a result of increasing standardization of telephone switching practices,
modern communication systems can provide much more information about each
call, revealing in real time where the call came from even when it
originates a long way away.  But advanced communications systems, including
such improvements as cellular telephones and call forwarding, can also
present problems to law enforcement.  The FBI was concerned about the 
ability of service providers to locate a call and, at law enforcement's
behest, install a tap.  In 1992, the Bureau prepared a legislative proposal.


At the time, the FBI was responding more to a problem the Bureau saw coming
than to one that had hit full force.  A Washington Post story of April 30,
1992 reported that ``FBI officials said they have not yet fumbled a
criminal probe due to the inability to tap a phone ...''  [Mint]. The FBI
contended that there were numerous cases where court orders had not been
sought, executed, or fully carried out by law-enforcement agencies because
of technological problems [DGBBBRGM, pg.  26]. However, Freedom of
Information Act litigation initiated by CPSR in April 1992 produced no
evidence of technical difficulties preventing the FBI from executing
wiretaps as of December 1992.


Major members of the computer and communications industries, including
AT\&T, Digital Equipment, Lotus, Microsoft, and Sun, strongly opposed the
1992 proposal.  The Electronic Frontier Foundation helped coordinate this
opposition.  Industry was particularly concerned that the proposal was too
broad, covering operators of private branch exchanges and computer
networks. Industry feared that it would have to foot the bill.
The General Accounting Office briefed Congress, and expressed concern that
alternatives to the Digital Telephony proposal had not been fully explored
[GAO-92].  The U.S.  General Services Administration characterized the
proposed legislation as unnecessary and potentially harmful to the nation's
competitiveness [GSA-92]. There were no Congressional sponsors for the
proposal.


In 1994, the FBI prepared a revised proposal that limits the scope to
common carriers and allocates \$500 million to cover their costs.  Carriers
would have three years to comply; after that, failure to fulfill a wiretap
order could result in a fine of up to ten thousand dollars a day.  The
revised proposal, the ``Digital Telephony and Communications Privacy
Improvements Act of 1994,'' was submitted to Congress in March 1994.


On February 17, 1994, FBI Director Louis Freeh reiterated the agency's
concerns in a speech to the Executives' Club of Chicago: ``Development of
technology is moving so rapidly that several hundred court-authorized
surveillances already have been prevented by new technological impediments
with advanced communications equipment.''  In testimony to  Congress on
March 18, 1994, Freeh reported that a 1993 informal survey of federal,
state and local law-enforcement agencies revealed 91 instances of recent
court orders for electronic surveillance that could not be fully
implemented [Freeh, pg. 33].  The problems were due to a variety of causes,
including 29 cases of special calling features (such as call forwarding),
and 30 cases involving difficulties with cellular phones (including the
inability of the carriers to provide dialed number information).  Under
questioning by Senator Leahy, Freeh answered that the FBI had not
encountered court-authorized wiretap orders the Bureau could not execute
due to digital telephony.  However, in his prepared testimony Freeh
cited two examples where wiretaps could not be executed due to digital
telephony [Freeh, pg. 34].


While wiretapping can procure signals, secure telephones can render those
signals useless to the wiretapper.  Secure telephones using advanced key
management are widespread in the national security community.  Although
voice-encryption systems for the commercial market have been a staple of
companies such as Gretag and Crypto AG in Switzerland and Datotek and TCC
in the U.S., only in 1992 was the first mass market device for secure voice
encryption brought forth by a major corporation. AT\&T announced the Model
3600 Telephone Security Device, which employed a DES chip for encryption.


The Department of Justice had been concerned about just such a development,
and a federal initiative had been underway to preempt it.  In April 1993
the President announced the key-escrow initiative: the ``Clipper'' chip and
its associated key escrow scheme, while AT\&T announced a telephone privacy
device that uses the chip.  This proposed standard raises a number of
questions about cryptography within telecommunications. In the next chapter
we discuss the Escrowed Encryption Standard.




\vspace{0.7in}
\rule{2in}{.01in}
\begin{center}
Notes
\end{center}
{\small
\begin{enumerate}


\item RSA is listed by International Standards Organization
standard 9796 as a compatible cryptographic algorithm.  RSA is part of the
Society for Worldwide Interbank Financial Transactions (SWIFT) standard,
and the ANSI X9.31 standard for the U.S.  banking industry.  It forms part
of the Internet Privacy Enhanced Mail (PEM) standard.


\end{enumerate}}






\newpage
\begin{center}
\Large{\bf{                       Using Clipper}}




\end{center}


\medskip


\begin{enumerate}


\item Two participants establish a communication channel and set up a
``session key'' (KS).


\item Once the session key is established, each device passes the session
key, KS, to its Clipper chip, which encrypts it using the chip's
unique key (KU).  From this and other information, including the
chip's identifier (UID), the encrypted session key forms a Law
Enforcement Access Field (LEAF), that is transmitted to the other
device.


\item Encrypted communications can begin.


\item Government officials with legal authorization ``listen in'' to the
encrypted conversation and tape it.  The tape is sent to the FBI for analysis.


\item The decrypt processor determines that Clipper was used for encryption
and decodes LEAF.  The UID is determined from the LEAF.


\item The FBI uses the UID to identify the chip to the escrow agents
(presently the National Institute of Standards and Technology, and the
Department of Treasury's Automated Systems Division).  The FBI gets the two
halves of the chip's key, KU1 and KU2.  (KU is determined by taking the XOR
of KU1 and KU2.) The shared session key can be recovered
from the LEAF produced by either chip.


\item The decrypt processor uses the chip's unique key (KU) to decode the
session key (KS) in the LEAF.  Once the chip's unique key has been
obtained, the process can be abbreviated, since all encrypted calls made
using this chip can be similarly decoded.




\end{enumerate}


















\addtocontents{toc}{Encrypting Using Clipper}{}
\newpage
\chapter{     The Government Solution: The Escrowed Encryption Standard}




\framebox[5.25in][c]{
\begin{minipage}{5.0in}
\noindent Vocabulary words: 


\smallskip


\noindent Capstone:  Name of the chip with Clipper plus Digital Signature
Algorithm, key exchange, and associated mathematical functions.


\smallskip


\noindent Clipper: Name of the chip with the SKIPJACK algorithm and the
key-escrow feature.


\smallskip


\noindent Key-escrow: A system by which the device private keys are kept in
a repository.


\smallskip




\noindent PCMCIA card: The Personal Computer Memory Card Industry
Association (PCMCIA) card is an industry standard format and electrical
interface for various computer components, including memory, very small
disks, etc.


\smallskip


\noindent Session key: A key established by the participants and used for a
single communication.


\smallskip


\noindent SKIPJACK: The encryption algorithm that underlies the Escrowed
Encryption Standard.


\end{minipage}}


\medskip


\noindent On April 16, 1993, the White House announced the Escrowed
Encryption Initiative, ``a voluntary program to improve security and
privacy of telephone communications while meeting the legitimate needs of
law enforcement'' [OPS]. The initiative included a chip for encryption,
Clipper,\footnotemark\ to be incorporated into telecommunications
equipment, and a key-escrow scheme.  The National Security Agency (NSA)
designed the system, and the underlying cryptographic algorithm, SKIPJACK,
is classified.


Public response, both in the form of testimony presented at hearings held
by National Institute of Standards and Technology (NIST) at the Computer
Systems Security and Privacy Advisory Board, and in written comments to
NIST, was overwhelmingly negative.  Despite that, on February 4, 1994,
after months of governmental review, the Department of Commerce announced
the approval of the Escrowed Encryption Standard (EES) as a voluntary
Federal Information Processing Standard (FIPS); ``voluntary'' means that if
a Federal agency determines that telecommunications equipment transmitting
sensitive but unclassified information should encrypt the data, it can
choose EES -- or any other FIPS (e.g., DES).  In this chapter, we present
EES and the policies surrounding its use.


We begin with a brief description of the workings of the standard; a more 
complete description is found in the appendix.  


\begin{center}


EES Encryption


\end{center}


\noindent If two participants want to communicate using EES, both must have
telecommunications security devices with a Clipper chip. The devices
establish an 80-bit ``Session Key,'' and pass this to their chips, which
encrypt it with information specific to the chip (the chip-unique key).
This creates a Law Enforcement Access Field (LEAF), which is transmitted to
the other party.  Encrypted communication can begin.


As in other cryptosystems, the encryption algorithm, SKIPJACK, and the
session key protect confidentiality.  But this is a cryptosystem with a
difference: if there is a legal authorization for a wiretap, the secrecy
provided by EES will not be a barrier to law enforcement.  It's an adroit
twist:  communications are secure unless there is probable cause of an
indictable offense (and all other requirements of Title III, FISA, or the
state statutes, also apply).  


Every Clipper chip will have its chip-unique key registered with the
Federal government. To protect the confidentiality of the key, it will be
``split,'' and the components will be held by two Federal escrow agents --
NIST and the Treasury Department's Automated Systems Division -- one at
each.  Both components are needed to reconstruct the key.  The standard
authorizes keeping each chip's private key secret -- unless there is legal
authorization to do otherwise.  Key registration will occur during
manufacturing at a secure commercial facility, and escrow officers from the
two agencies will be present during the chip-programming process.


\begin{center}


EES Decryption by Law Enforcement


\end{center}


\noindent The Federal government knows the SKIPJACK algorithm, and it can
build devices to decrypt it.  If a law enforcement officer is listening to
a legally tapped conversation, and the communication becomes
incomprehensible, the law enforcement officer will tape it, and send the
tape to the FBI for analysis.  Bureau officers will analyze the
communication to see if it is EES encrypted.  If so, a special decrypt
processor will decrypt the LEAF (recall that transmission of the LEAF
precedes the encrypted conversation) transmitted from the target phone.
The processor will extract the chip ID.


With that identification, the two escrow agents will be able to supply the
two halves of the escrowed chip-unique key.  These are entered along with
the expiration date for the court order into the decrypt processor.  The
processor performs the decryption, using the chip-unique key to decrypt the
session key.
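
The escrow flow described above and in the ``Using Clipper'' steps, as an added Python example that is not part of the report: a chip-unique key KU is split into KU1 and KU2, a LEAF carries the UID and the session key KS encrypted under KU, and the decrypt processor rebuilds KU from both components to recover KS. SKIPJACK is classified, so a toy Feistel cipher stands in for it; the LEAF layout (UID followed by the encrypted KS, without the ``other information''), the 4-byte UID, the \texttt{EscrowAgent} class and the \texttt{authorized} flag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 10  # 80-bit keys, the session-key size given in the text
UID_BYTES = 4   # assumed identifier width; the page does not state one

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher below.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the classified SKIPJACK: 4-round Feistel on an 80-bit block."""
    left, right = block[:5], block[5:]
    for rnd in range(4):
        left, right = right, xor_bytes(left, _f(key, rnd, right))
    return left + right

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:5], block[5:]
    for rnd in reversed(range(4)):
        left, right = xor_bytes(right, _f(key, rnd, left)), left
    return left + right

def split_key(ku: bytes):
    """Escrow split: KU1 is uniformly random and KU2 = KU XOR KU1."""
    ku1 = secrets.token_bytes(len(ku))
    return ku1, xor_bytes(ku, ku1)

def make_leaf(uid: bytes, ku: bytes, ks: bytes) -> bytes:
    """Chip side: LEAF modelled as UID followed by KS encrypted under KU."""
    if len(uid) != UID_BYTES or len(ks) != KEY_BYTES:
        raise ValueError("bad UID or session-key length")
    return uid + toy_encrypt(ku, ks)

class EscrowAgent:
    """Hypothetical agent: holds one component per chip, releases on authorization."""

    def __init__(self) -> None:
        self._components = {}

    def deposit(self, uid: bytes, component: bytes) -> None:
        self._components[uid] = component

    def release(self, uid: bytes, authorized: bool) -> bytes:
        if not authorized:
            raise PermissionError("no legal authorization presented")
        return self._components[uid]

def recover_session_key(leaf: bytes, agents, authorized: bool) -> bytes:
    """Decrypt-processor side: UID from LEAF, KU = KU1 XOR KU2, then KS."""
    if len(leaf) != UID_BYTES + KEY_BYTES:
        raise ValueError("malformed LEAF")
    uid, wrapped = leaf[:UID_BYTES], leaf[UID_BYTES:]
    ku1, ku2 = (agent.release(uid, authorized) for agent in agents)
    return toy_decrypt(xor_bytes(ku1, ku2), wrapped)
```

Because KU1 is uniformly random, either component alone is statistically independent of KU; only the pair reconstructs it, and once KU is known every LEAF from that chip yields its session key.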


Presently the key will have to be manually erased from the decrypt
processor.  It is currently envisioned that when the key is erased, an
audit trail record will be generated and transmitted to the escrow
agents.\footnotemark\ Under procedures issued by the Department of Justice
[DoJB], the investigating agency may not retain the key past the expiration
of the surveillance authorization.  The Department of Justice procedures
explicitly state that they ``do not create, and are not intended to create,
any substantive rights for individuals intercepted through electronic
surveillance, and noncompliance with these procedures shall not provide the
basis for any motion to suppress or other objection to the introduction of
electronic surveillance evidence lawfully acquired'' [DoJB].


For interceptions conducted under Title III, FISA, or the state statutes,
procedures for receiving the escrowed keys will require legal authorization,
and an inability to comprehend a tapped conversation.  Rules for decrypting
communications intercepted outside the nation's borders are somewhat less
clear.  NSA has legal authorization to intercept communications outside
the United States so long as those being tapped are not U.S. persons.
(Such surveillance, however, may not be legal under the laws of a foreign
country.)  But interception is a different matter from obtaining escrowed
keys.  The Department of Justice has announced that decryption of
EES-encoded messages ``[would be] carried out within the law,''  but
``Procedures might not be released''  [DoCB]. Thus, at this point, Federal
policy on interception and decryption of foreign EES-encrypted messages is
not known.


\begin{center}


Security of the System


\end{center}


\noindent Some cryptography experts and others in industry and academia are
skeptical of using a publicly untested classified algorithm for encryption.
NSA has attested to the strength of the algorithm.  A panel of cryptography
and security experts (including two members of this panel) invited by NIST
to study the quality of the SKIPJACK algorithm concluded that SKIPJACK
appeared to be both strong and resistant to attack [BDKMT].  The effort was
limited in scope.  Working within a tight time frame, they could not
attempt a complete investigation of the algorithm's security.  However,
they examined the structure of the algorithm, and the procedures followed
by NSA in developing and evaluating the algorithm, and they were satisfied.
Nonetheless, public skepticism of classified design has been fueled by the
recent discovery that under certain circumstances the function of the LEAF
can be subverted.\footnotemark


As discussed in Chapter 4, three aspects of EES make it attractive to law
enforcement and national security.  Key-escrow ensures law enforcement
access to encrypted conversations whenever there is legal authorization.
The classification of the algorithm means that advanced encryption design
is not made available even while strong cryptography is.  




\begin{center}


Use of Escrowed Encryption


\end{center}


\noindent EES is a standard for encryption of voice, fax, and computer
information transmitted over a circuit-switched telephone system. It is
fully anticipated that escrowed encryption will be extended to other forms
of electronic communications. In mid-April NSA awarded Group Technology
Corporation a contract for 22000 to 75000 Tessera cards.  Tessera is a
PCMCIA card, an electronic device roughly the size of a credit card, for
which many computers now include an interface.  Tessera can be used with
computer software to support encrypted and/or digitally signed
communication applications such as electronic mail.  By retaining the
user's keys on the card, the card protects the keys from compromise should
the computer in use be penetrated.


FIPS 185, the Federal publication defining EES, does not contain enough
information to design or implement EES devices.  Specifications must
be obtained from the NSA, and the agency's approval is required for the
manufacture of Clipper chips.  At present, Clipper chips are being
manufactured only by Mykotronx; they are being used in AT\&T secure
telephone devices.  Government approval, however, is also required for the
use of the key-escrow chips in commercial products [NIST-94, pg. 6004].


Export of devices containing escrowed keys will be permitted, except to
those countries that face a Congressional embargo on military technology
(e.g., Libya).  It is anticipated that the Federal government will shortly
announce a Distribution Agreement for EES technology; this will streamline
the export license procedure for escrowed encryption products. 


The February 1994 announcement went some distance to answering questions
regarding EES.  Many concerns remain.  In the next chapter, we examine
the remaining issues.


\newpage
\begin{center}
Notes
\end{center}
{\small
\begin{enumerate}


\item The name ``Clipper'' had been previously trademarked by
Intergraph Corp.  for their microprocessor chip, and for a time, the
government stopped using ``Clipper'' to refer to the escrowed encryption chip.
However, Intergraph graciously ceded to the government the right to use
the name ``Clipper'' for the escrowed encryption chip.


\item Private communication with Miles Smid, June 3, 1994.
Smid is Manager, Security Technology Group, Computer Security Division, of
the Computer Systems Laboratory at NIST.


\item Working with publicly available material, Matthew Blaze
of AT\&T Bell Laboratories has developed a technique for replacing the LEAF
containing the current session key by one containing an unrelated key
[Blaz]. The practical implications of Blaze's findings are subject to
debate.  Perhaps his most significant finding was a technique that allows
one participant in a communication to construct unilaterally a LEAF (with
considerable pre-computation) that denies law enforcement access, but which
will be accepted as ``valid'' by a communicant using EES-compliant
technology.  This technique is readily applied to computer-based
communication such as E-mail, but it probably is not applicable to current
secure telephone system designs.




\end{enumerate}}
\newpage
\chapter{             Issues Highlighted by the Escrowed Encryption
Standard }


\framebox[5.25in][c]{
\begin{minipage}{5.0in}
\noindent Vocabulary words: 


\smallskip


\noindent Capstone:  Name of the chip with Clipper plus Digital Signature
Algorithm, key exchange, and associated mathematical functions.


\smallskip

