Interesting People mailing list archives

tex version of USACM Crypto report. Note The IEEE US Activities committee also took a position. Sorr


From: David Farber <>
Date: Mon, 4 Jul 1994 14:58:09 -0400

\noindent Dual-use technology: Technology which has both military and
commercial applications.


\smallskip


\noindent  Ethernet: A 10-megabit per second local area network developed
by Digital Equipment, Intel, and Xerox, and standardized by the IEEE.


\smallskip


\noindent Modem: An interface between telephone transmission and
computer storage.


\smallskip


\noindent Tessera: The government name for a PCMCIA card that contains the
Capstone chip. (A PCMCIA (Personal Computer Memory Card Industry
Association) card is an industry standard format and electrical interface
for various computer components, including memory, very small disks, etc.)


\smallskip


\noindent Trojan horse: A program, a component of which is capable of unexpected effects.


\end{minipage}}


\medskip


\noindent The problem is how to secure electronic communications in the
Information Age.  Law enforcement believes the Escrowed Encryption Standard
(EES) will provide strong communications security without making the
communications of criminals and terrorists immune from lawful interception.
National security officials believe EES will not interfere with their access
to foreign intelligence, and thus is a secure solution to the complexities
presented by the need for strong encryption.  If public comments are any
guide, the computer industry is persuaded that EES is a poor design that
will add complexity and expense to American computer products; they see
escrowed encryption as an inappropriate and expensive solution to the
cryptographic problem that law enforcement and national security allege
exists.  Civil-liberties groups including the American Civil Liberties
Union (ACLU) and the Computer Professionals for Social Responsibility
(CPSR) argue that escrowed encryption technology is a major intrusion on
the privacy rights of the public, and that EES is a change in policy
masquerading as a government procurement standard.


The EES is a voluntary standard for encryption of voice, fax, and computer
information transmitted over a circuit-switched telephone system.  Many of
the commercial objections to it concern its expected extension to computer
communications.  In this chapter we examine the issues EES raises.  This
chapter is split into five sections: (i) Privacy Concerns Raised by EES;
(ii) Impact of EES on Export; (iii) Interoperability Issues Raised by EES;
(iv) EES: Hardware versus  Software; and (v) Impact of EES on the U.S.
Computer Industry.


\begin{center}
                   Privacy Concerns Raised by EES
\end{center}


\noindent Some facts are clear:  


\medskip


\noindent 1. EES makes the users' secret keys available to the
government.


\medskip


\noindent 2. EES was designed by the National Security Agency (NSA).  


\medskip


\noindent 3.  The underlying algorithm, SKIPJACK, is classified.  


\medskip


\noindent There agreement ends.  


Advocates of EES claim the availability of strong cryptography (designed by
NSA) will provide Americans with better and more readily available privacy
protection than they presently enjoy. Privacy advocates believe that any
cryptographic system where the government holds the keys endangers each
individual's right to confidential communications.  Proponents of EES
observe that no one will be forced to use the system, and that EES does not
prohibit other forms of encryption.  Opponents respond that the National
Institute of Standards and Technology (NIST) standard states ``use is
encouraged when [EES] provides the desired security.''  They maintain that
if a large Federal agency such as the IRS adopts EES, electronic filers who
choose to secure their transmissions may have to use the algorithm.  Such a
choice by the IRS would have the effect of making the voluntary standard the
de facto national one.\footnotemark


Notwithstanding the voluntary nature of the current EES initiative,
opponents fear that the government might eventually outlaw other forms of
encryption. These critics of the government's plans doubt that a voluntary
program will be effective in preventing the use of alternative forms of
cryptography by criminals, and they contend that with EES technology
widely deployed and readily available in the future, a prohibition against
other methods of encryption might be seen as more politically palatable
than it would be today.  As such, they view the government's adoption of a
voluntary standard as the first step toward such a program.


There is no question that the market impact of the Federal government can
be huge, although recent experience illustrates that the government's
attempts to influence the computer communication market are not always
successful.\footnotemark\  Adoption of EES as a standard, voluntary or
otherwise, decreases the chance there will be competing systems available.
Indeed the true success of EES, as measured by law enforcement's continued
ability to decrypt tapped conversations, can come only at the expense of
competing systems for secure telecommunications.  There is already one
example.  In 1992 AT\&T announced a DES-based secure telephone for the mass
market.  After being approached by the government, the phone company
changed its plans and withdrew the DES version. It now produces an
EES version and also versions with proprietary algorithms.  If EES is a
success in its own terms, there will be no other secure telecommunications
equipment contending for the civilian market -- at least in the United
States.


Proponents of escrowed encryption argue that privacy protection will be
better than ever.  There will be a proliferation of secure telephones. It
is anticipated that the escrowed system will leave an electronic audit
trail.\footnotemark\ In the event that the government illegally taps a
communication, the illegal interception will be much easier to uncover than
it is under the present system.  Opponents of escrowed encryption believe
that a privacy system in which the government holds the key to every lock
is no privacy system.  Escrowed encryption may have been designed with the
best of intentions, but Brandeis, in his famous dissent in the Olmstead
wiretapping case, warns us to be cautious in such situations:


\begin{quote}
            Experience should teach us to be most on our guard when 
            the government's purposes are beneficent.  Men born to
            freedom are naturally alert to repel invasion of their 
            liberty by evil-minded rulers.  The greatest danger to
            liberty lurks in insidious encroachment by men of zeal, 
            well-meaning but without understanding [Olm, pg. 
            752 - 753].
\end{quote}


Civil-liberties groups strongly argue against a civilian standard being
developed by a military organization.  For example, CPSR points to the
Computer Security Act, which the organization says decided the issue seven
years ago.  CPSR asserts that in a democratic society the
public should play a significant role in deciding how the communications
infrastructure will be designed.  But the underlying algorithm for EES is
classified, and the strength of the algorithm cannot be assessed by the
(public) cryptography community.  Reminding us of the abuses of Watergate
and the revelations of the Church Committee, CPSR contends that the NSA
should not be building government trapdoors into the civilian
communications infrastructure.


\begin{center}
                   Impact of EES on Export
\end{center}


\noindent The U.S. State Department controls the export of cryptography,
under the authority of the International Traffic in Arms Regulations.
Despite a 1991 decision by the Coordinating Committee on Multilateral
Export Controls (COCOM)\footnotemark \ declaring cryptography a dual-use
technology, the United States has kept cryptography on its munitions list.
A vendor, seeking an export license for a product containing cryptography,
first determines whether export of the product falls under Commerce
Department or State Department rules.  If jurisdiction is within the
Commerce Department, approval is swift.  If not, the procedure becomes more
complex, and NSA may become involved.


With the exception of use by financial institutions and by foreign offices
of U.S.-controlled companies, NSA generally will not approve export of
products containing DES used for confidentiality.  Approval is granted for
the export of cryptography for authenticity and integrity purposes.  If a
product such as DES is dual-purpose, then export approval will be granted
only if the vendor can demonstrate the product cannot be easily modified to
protect confidentiality.


Striking a balance between economic strength (by opening markets for U.S.
companies) and protecting national security (by restricting the sale of
military technology) requires making complex choices.  Cryptography is not
the only American product subject to export control.  What differentiates
this conflict from, say, the exportability of supercomputers is that
comparable cryptographic products are available for sale internationally.
A year ago, the Software Publishers Association (SPA), quantifying what had
been anecdotal, searched for foreign cryptography products. By March 1994,
the organization had located 152 foreign products with DES cryptography,
from such countries as Australia, Belgium, Finland, Israel, Russia, Sweden,
and Switzerland [SPA-94].  RSA is also routinely available in foreign
cryptographic software.  Neither of these facts should come as a surprise,
since the specifications for both algorithms are publicly available.


Supporters of export controls argue that the most serious threat to
foreign-intelligence gathering comes not from stand-alone products that
constitute most of the market, but from well-integrated, user-friendly
systems in which cryptography is but one of many features.  From this
perspective, it is essential to control export of the commodity, namely
desktop hardware and software with integrated cryptography.  The U.S. is
the preeminent supplier of such products.


National security experts believe that the export-control policy is
working.  DES on the Internet has little impact on U.S. communications
intelligence.  Foreign organizations that are concerned about protecting
their information from sophisticated intercept are not likely to download
an encryption software program from the Internet.  Instead they will buy
products they trust from reputable vendors.


Testifying to the Subcommittee on Economic Policy, Trade and Environment
last fall, Stephen Walker, President of Trusted Information Systems,
explained that his company had attempted to implement Privacy Enhanced Mail
(PEM) for the British Ministry of Defence.  Since PEM uses both RSA and
DES, Trusted Information Systems was unable to export the algorithm
directly.  Instead the British subsidiary of the company, Trusted
Information Systems Limited, arranged to implement a British version of
PEM, using DES and RSA algorithms available in the U.K.  The Ministry of
Defence got their program. DES and RSA were not exported, and several
British computer scientists got the work [Walk, pg. 68].


Quantifying lost sales is difficult.  One can count the number of
export-license applications denied or withdrawn, but that misses the mark.
Foreign customers who know that the products they want will not receive
U.S. export approval are unlikely to waste time approaching American
companies. At the same time, export controls are sometimes cited as the
reason for a lost sale when the facts are otherwise.  The Department of
State export-license statistics give only a partial picture of the
situation.  


Features, even ones not purchased, increase sales.  If U.S.  companies
cannot include cryptography used for confidentiality in their products,
that fact turns away sales even if cryptographic security is not presently
required.  Buyers are reluctant to commit to a company for fear that
sometime later they will want to upgrade their system, perhaps including
cryptographic security, and the American company will not be able to supply
them, because of U.S. export controls.


Multinational companies are particularly interested in protecting their
electronic communications. The U.S. policy on export control of encryption
makes adoption of U.S. encryption products a poor choice, since
compatibility is a prime consideration for purchasers.  In seven different
instances between April 1993 and April 1994, the Semaphore Communications
Corporation was advised by the State Department or the NSA that it would be
unable to export secure communications equipment with strong cryptography
for confidentiality. One such example occurred when Semaphore
Communications Corporation lost out to a German competitor. The competitor
offered a German-built DES-based system that could be exported to the
buyer's U.S.  office.  Semaphore was unable to export a DES-based product
to the buyer's home office in Germany [Walk, pg. 70].  The seven contracts
for which Semaphore could not compete represented one million dollars in
sales, a large amount for a small firm.  Furthermore, this also resulted in
Semaphore losing a multiyear agreement with an estimated value of several
million dollars in that period.


The government's response has been to ease export restrictions on some
cryptographic products.  For example, Ronald Rivest of MIT has designed two
variable-key-length cipher functions, RC2 and RC4, that can be used instead
of DES in export versions of products.  Under an agreement with the
Software Publishers Association, the Department of State has a streamlined
export-license process for versions of RC2 and RC4 that are limited to a
40-bit key size. (56-bit keys are allowed if the export is to foreign
subsidiaries or overseas offices of U.S.  companies.)  But the 40-bit key
size is smaller than a 56-bit DES key, and thus these algorithms are
perceived by users as being less secure than the DES.  Moreover, RC2 and
RC4 are not compatible with DES, creating potential interoperability
problems for users.


Export-control policy on cryptography has complicated development of secure
systems.  Digital Equipment Corporation's DESNC, a DES encryptor placed
between a workstation (or several workstations) and an Ethernet cable to
encrypt traffic to and from the workstation, is an example of a useful
product that died an untimely death in part because of export control.


Because of the product's use of DES for confidentiality, government policy
did not permit the general export of DESNC.  There was still a domestic
market.  But Digital Equipment marketing managers feared that publicizing
DESNC without the availability of a comparable product for export would
alienate Digital Equipment's foreign customers by suggesting that
unencrypted Ethernet technology is vulnerable (it is) without
providing a solution for non-U.S. customers.  A high-cost item, DESNC was
unlikely to be a big seller in either foreign or domestic markets, but an
inability to offer this product on a global basis posed a critical customer
relations problem.  These concerns, in combination with the negative
publicity it would bring to Ethernet technology, were deemed unacceptable
trade-offs.\footnotemark


National security experts have argued that if U.S. export controls
on cryptography were removed, foreign governments could respond by imposing
import controls; they point to France, which requires registration of
cryptographic algorithms, as an example.  However, at present
no Western European governments other than France restrict the import of
cryptographic products, and only a few Asian governments do so.


The impact of FIPS185 on the export of American cryptography is unclear.
From the government's perspective, if strong cryptography is widely used,
then EES will be deemed successful if it dominates the market for
cryptographic products in the telecommunications arena. Presently there are
but a handful of U.S. companies offering secure telephones, including
Datotek (now owned by AT\&T) and Technical Communication Corporation; these
businesses are small, with each representing about \$10 million in sales
annually.


\begin{center}
                 Interoperability Issues Raised by EES
\end{center}


\noindent Interoperability -- the ability of users to communicate between
different systems -- is essential for any telecommunications system.  For
example, problems arose during the Gulf War because the coalition forces
that were assembled did not share a common, secure communications system.


Civilian needs during peacetime are quite different from military needs
during wartime.  It remains true, however, that interoperability is crucial
in the communications arena.  Assuming that the United States government
has no plans to change the classified status of the SKIPJACK algorithm, it
is unlikely that the European Community will adopt EES as a standard for
secure telecommunications.




\begin{center}
                       EES: Hardware versus Software
\end{center}


\noindent The government's attempt to create strong cryptography that would
not hinder law enforcement's abilities to comprehend legally intercepted
conversations resulted in several controversial aspects of the EES design:
escrowed encryption, classification of the SKIPJACK algorithm, and
availability of the algorithm only in hardware.


As far as law enforcement access is concerned, an implementation of the
SKIPJACK algorithm without the Law Enforcement Access Field would
completely miss the point.  Law enforcement agents would be unable to
decrypt. To make such implementations more difficult, EES is available only
in tamper-resistant hardware.
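The dependence of law enforcement access on the access field, and on the escrow holders' combined key material, can be shown in a simplified model. This example is added here and is not code from the report or from the EES design: it assumes a per-device unit key split by XOR between two escrow holders, a session key wrapped under that unit key in the access field, and a SHA-256 keystream as a toy stand-in for the classified SKIPJACK algorithm.

```python
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher derived from SHA-256 (a stand-in for the
    classified SKIPJACK; an assumption for illustration, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def split_unit_key(unit_key: bytes) -> tuple[bytes, bytes]:
    """XOR-split the device's unit key into two shares, one per escrow holder
    (assumed model: neither share alone reveals anything about the key)."""
    share1 = secrets.token_bytes(len(unit_key))
    share2 = bytes(a ^ b for a, b in zip(unit_key, share1))
    return share1, share2


def encrypt_with_escrow(unit_key: bytes, device_id: bytes, plaintext: bytes) -> dict:
    """Encrypt under a fresh session key and attach an access field that wraps
    that session key under the device's unit key (assumed structure)."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, nonce, plaintext)
    access_field = {
        "device_id": device_id,
        # The wrapped key is what gives escrow holders access; without it the
        # ciphertext alone is useless to them, which is why the report says a
        # SKIPJACK implementation lacking the access field "misses the point".
        "wrapped_session_key": keystream_xor(unit_key, b"wrap" + nonce, session_key),
    }
    return {"nonce": nonce, "ciphertext": ciphertext, "access_field": access_field}


def escrow_decrypt(message: dict, shares: list[bytes]) -> bytes:
    """Recover the plaintext from the escrow holders' shares. Fails if fewer
    than both shares are presented or if the access field has been stripped."""
    if len(shares) < 2:
        raise PermissionError("both escrow shares are required")
    if "access_field" not in message:
        raise ValueError("no access field: escrow access is impossible")
    unit_key = bytes(a ^ b for a, b in zip(shares[0], shares[1]))
    nonce = message["nonce"]
    wrapped = message["access_field"]["wrapped_session_key"]
    session_key = keystream_xor(unit_key, b"wrap" + nonce, wrapped)
    return keystream_xor(session_key, nonce, message["ciphertext"])


if __name__ == "__main__":
    unit_key = secrets.token_bytes(32)          # constructed device key
    share1, share2 = split_unit_key(unit_key)
    msg = encrypt_with_escrow(unit_key, b"device-0001", b"constructed sample call")
    print(escrow_decrypt(msg, [share1, share2]))
```

Stripping the access field in the model is a one-line edit to a dictionary, which is the software-implementation risk the hardware-only decision is meant to address.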


This is more expensive than a software solution -- and not only the
government will be paying.  In lots of ten thousand, Clipper chips will
cost approximately \$15; industry experts contend that this translates to
a finished product with escrowed encryption capabilities costing
about \$60 more than one without.  In lots of one hundred thousand, the
price drops to \$10 each, with a corresponding drop to \$40 for the
finished product.


Software implementations also offer a flexibility that hardware does not.
A family of compatible products is an excellent way to sell new technology.
Vendors will often offer the capability of beginning with low-cost
software, with the option of upgrading to higher-performance hardware when
needed. But hardware-only implementations of encryption do not allow that
kind of versatility.


NIST is investigating the possibility of a software version of key-escrow
encryption.  Several proposals are currently under investigation.


\newpage


\begin{center}
            Impact of EES on the U.S. Computer Industry 
\end{center} 


\noindent For nearly two decades, industry and academic experts have argued
that protecting computer communications is vitally important.  Many have
posited that the civilian market for cryptography is about to take off.
The EES initiative would encourage the adoption of cryptography.  From the
day it was proposed, the computer industry has protested.  Why?  It will
need to be used only by those who wish to encrypt voice, fax, or computer
information sent to a Federal agency that has adopted the standard.


The computer industry sees the standard as significantly less than
voluntary.  Should EES be adopted by a Federal agency with a large
constituency, such as the Social Security Administration, industry will have
to make EES available as standard in domestic equipment.  In such
circumstances, consumers will demand products with EES.  The computer
industry has made an investment in DES and RSA solutions for secure
systems.  From a vendor viewpoint, escrowed encryption will be an expensive
add-on that will add little new functionality.  Furthermore, multiple
methods of encryption increase complexity, thus discouraging demand.


Computer vendors believe that the combination of a classified algorithm and
key registration with the U.S. government will make EES unattractive
internationally.  If this is true, U.S. computer companies will have to
implement other forms of cryptography to make American products competitive
in the world marketplace.  At the same time, domestic demand may mean that
EES will need to be in products for the U.S.  market.  Manufacturers
support dual product lines when they must, but from a vendor viewpoint,
this is an unnecessary distraction and added expense.


Semiconductor manufacturers are concerned about government control of the
manufacture of Clipper chips.  (NSA licenses the manufacturers of the
chip.)  Vendors avoid sole-source supplies when possible, but the
government has committed to establishing multiple sources for the chips.
Vendors also do not like to adopt technology whose manufacture they cannot
control.  


Finally, some in the industry are disturbed about the possibility of the
government controlling more than just the manufacture of Clipper chips.
Suppose a company wants to integrate EES into its central processing unit.
The government controls that right.  Does that mean that the National
Security Agency will be making design decisions for a U.S. civilian
product?  Some vendors have raised the concern that the government might
want to exert close oversight over vendor integration of escrowed
encryption.  The fact that the government is promoting the use of

