Testimony from Dorothy Denning

[David Farber <farber () central cis upenn edu>]

Date: Wed, 4 May 94 08:46:01 EDT
From: denning () chair cosc georgetown edu (Dorothy Denning)
To: farber () central cis upenn edu
                         Testimony Before the
          Subcommittee on Technology, Environment, and Aviation
                                 of the
               Committee on Science, Space, and Technology
                     U. S. House of Representatives




                               May 3, 1994




                           Dorothy E. Denning


                       Computer Science Department
                          Georgetown University
                          Washington, DC 20057
                        denning () cs georgetown edu


                                 Summary


The Clipper Chip and associated key escrow system is a technically
sound approach for ensuring the security and privacy of electronic
communications.  Clipper's SKIPJACK encryption algorithm provides
strong cryptographic security, and the key escrow system includes
extensive safeguards to protect against unauthorized use of keys.  The
more advanced chip, Capstone, further provides all the cryptographic
functionality needed for information security on the National
Information Infrastructure.


Recent research suggests that the technology provides a starting point
for developing an international cryptography framework that would
support secure international communications while accommodating
individual national cryptography policies.  Such a framework would be
based on standard cryptographic application interfaces and national
cryptographic modules, and might support corporate key escrow.  An
international cryptography framework would allow U.S. industry, under
existing export control policies, to develop and export software
applications that meet the information security needs of government,
industry, and individuals.


As we move into an era of even greater electronic communications, we
can and must design our telecommunications infrastructure and
encryption systems to support our needs as a nation not only for secure
communications, individual privacy, and economic strength, but also for
law enforcement and national security.  If we dismiss the intercept
needs for law enforcement and national security, society could suffer
severe economic and human losses resulting from a diminished capability
to investigate and prosecute organized crime and terrorism, and from a
diminished capability for foreign intelligence.  The Clipper Chip and
Digital Telephony proposal are important steps toward meeting all of
our national needs.


     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


My name is Dorothy Denning and I am Professor and Chair of Computer
Science at Georgetown University.  I have been in the field of
cryptography and information security for over twenty years.  Before
coming to Georgetown, I worked for Digital Equipment Corporation, SRI
International, and Purdue University.  I am author of the textbook
Cryptography and Data Security and was the first President of the
International Association for Cryptologic Research.  During the past
two years, my research has focused on the impact of encryption and
digital telephony on law enforcement's ability to conduct lawful
wiretaps and on different approaches to encryption that accommodate the
needs of law enforcement.  I am one of the outside reviewers invited by
the government to evaluate the Clipper Chip and its key escrow system,
and a member of the Software Escrowed Encryption Working Group
sponsored by NIST.  I am pleased to have this opportunity to testify
before the Subcommittee on Technology, Environment, and Aviation.


I will begin by giving my assessment of the Clipper Chip technology and
associated key escrow system.  I will then describe future options.  My
main conclusions are that the Clipper Chip is a technically sound
approach for ensuring the security and privacy of electronic
communications, that the more advanced Capstone Chip provides all the
cryptographic functionality needed for information security on the
National Information Infrastructure, and that the technology provides a
starting point towards developing an international cryptography
framework.




               Assessment of Clipper and Key Escrow System


The Clipper Chip is an implementation of the Escrowed Encryption
Standard (EES), a voluntary government standard for encrypting
sensitive but unclassified telephone communications, including voice,
fax, and data.


The chip was designed with two main goals.  The first is strong
cryptographic protection for electronic communications.  To meet this
goal, Clipper uses the SKIPJACK encryption algorithm designed by the
National Security Agency.  The second goal is a mechanism that allows
authorized law enforcement officials to decrypt Clipper encoded
communications, while ensuring a high level of protection against
unauthorized decryption.  For this, Clipper transmits a Law Enforcement
Access Field (LEAF) with all communications.  The LEAF includes the
encryption key for the communications, commonly called the "session
key," encrypted under a special chip unique key.  The chip unique key
thereby provides access to the session key, which in turn provides
access to the content of the communications.  When conducting an
authorized intercept, government officials obtain the chip unique key
by getting two key components, which are encrypted and stored in escrow
when the chip is manufactured, from two key escrow agents.  These
components are decrypted and combined inside a special key escrow
decryption processor, which then decrypts the intercepted
communications.  Both SKIPJACK and the LEAF creation method are
classified.


As one of the cryptographers invited by the government to evaluate
Clipper, I had the opportunity to learn about NSA's design and
evaluation of SKIPJACK, and to perform experiments on the algorithm to
determine its ability to withstand particular attacks.  As the result
of this study, I concluded that SKIPJACK does not contain any
"trapdoor" and is not vulnerable to any short-cut method of attack.
The other four reviewers and myself issued a joint report stating that
there was no significant risk that SKIPJACK could be broken by any
short cut method of attack.  In addition, we observed that because
SKIPJACK's 80-bit keys are 24 bits longer than those used by the Data
Encryption Standard (DES), under an assumption that the cost of
processing power continues to be halved every year and a half, it will
be 36 years before the cost of breaking SKIPJACK by trying all possible
keys is comparable to the cost of breaking DES today.  Thus, Clipper
can be expected to provide strong cryptographic protection for several
decades.


Although publication of SKIPJACK would have the advantage of giving
more people the opportunity to review it and, therefore, foster greater
public trust, publication would undermine the second goal of Clipper.
In particular, it would enable someone to build a hardware or software
product that used SKIPJACK without escrowing keys, thereby taking
advantage of the government's strong algorithm in order to make
communications immune from lawful interception and foreign intelligence
operations.  It is for this reason also that the EES specifies a
tamper-resistant hardware implementation; there is no known way of
reliably hiding the structure of an algorithm in software.


We also examined Clipper's classified LEAF creation method to make sure
that chip unique keys and session keys are not vulnerable to exposure.
We found no vulnerabilities.


Clipper's second goal of allowing authorized government access is
implemented through a key escrow system, wherein keys are released upon
receipt of certification of legal authority to wiretap.  Of particular
concern to users of Clipper is whether that system will adequately
protect against unauthorized access by the government or anyone else.


We are currently in the process of reviewing the entire key escrow
system, both as it is currently configured and as it will be configured
in the final system.  From what I have seen so far, I believe that the
risk of unauthorized access will be acceptably low, and that any such
occurrence will be detectable through auditing.


The key escrow system has been designed with extensive safeguards to
ensure that no single individual or two individuals from the same
organization can compromise the escrowed key components, and to ensure
that any potential compromises are detectable.  I would like to mention
two of these safeguards here: "two person integrity" and auditing.  Two
person integrity has been used successfully for many years to protect
top secret cryptographic material and other highly sensitive government
information.  It is used in the key escrow system for all operations
that involve key escrow data.  For example, it takes two people from
each escrow agent to access that agent's escrowed key components, and
representatives of both agents to supply law enforcement with the
encrypted key components and information needed to decrypt those
components.


Auditing is used extensively throughout the key escrow system.  For
example, detailed audit records are produced from the time the key
components are generated, encrypted, and stored with the escrow agents
through their release to law enforcement and ultimate deletion in the
law enforcement decryption processor.  Using these logs, it should be
possible for an auditor to determine that a particular key released to
the government was used only as authorized.  If a key is used to
decrypt communications not authorized to have been intercepted or used
to decrypt communications not intercepted during the period when the
authorization was in effect, this would be detected in the audit.


Some people have criticized Clipper's approach to key escrow for giving
law enforcement access to the chip unique keys rather than the
individual session keys on a per conversation basis.  They are
concerned that law enforcement will misuse the chip keys to decrypt
traffic illegally intercepted prior to or following a court order.  My
assessment is that a key escrow system that would require law
enforcement to go through the escrow agents for each individual
conversation, which can be in the hundreds per day, not only would be
excessively burdensome to the point of seriously jeopardizing many
investigations, but also is unjustified and unnecessary given other
legal, operational, and technical safeguards.


It is important to not make the key escrow more complicated or
burdensome than required to make the risk of unauthorized use of
Clipper keys acceptably low.  I believe that with the current approach
it will be extremely difficult if not impossible for anyone, including
the government, to improperly access Clipper-encrypted communications,
and that unauthorized use of Clipper keys will be detectable through
auditing.  Clipper will provide far greater protection against illegal
wiretaps by the government than is presently available.


In addition to providing excellent protection, Clipper offers high
speed encryption.  Present chips encrypt at a rate of about 20 Mbits
per second.  As technology improves, we can expect corresponding
improvements in the speed of Clipper.


Clipper is technically sound and inexpensive.  In lots of 100,000 or
more, a fully programmed chip is expected to cost $10.00 by fall.
Clipper's implementation in commercial products such as the AT&T 3600
Telephone Security Device will give the government and public access to
high quality, easy-to-use, and cryptographically strong encryption for
telephone communications.


The Capstone Chip, which is an advanced version of Clipper, goes
further and provides all the cryptographic functionality needed for
information security within the National Information Infrastructure to
support secure electronic commerce and other applications.  In addition
to implementing the specifications for the EES, Capstone implements the
Digital Signature Algorithm, which provides a digital signature
capability comparable in strength to the RSA digital signature system;
the Secure Hash Algorithm, which provides integrity protection; a key
exchange method; and various other functions.  Capstone is embedded in
the Tessera PCMCIA card, where it will be used in the government's
Mosaic system to provide secure electronic mail for the Defense
Messaging System.




                             Future Options


Recent research suggests that the government's escrowed encryption
approach can provide a starting point for developing an international
cryptography framework that would support secure international
communications while accommodating individual national cryptography
policies.  Such a framework would allow the U.S. computer and software
industry to strengthen its leadership in the global market under
existing export control policies.


Keith Klemba and Jim Schindler of Hewlett-Packard presented such a
framework to NIST's Computer Systems Security and Privacy Advisory
Board (CSSPAB) in March.  Their approach is to standardize the service
elements of national cryptography policies, which would be encoded in
smart cards called "national flag cards."  The U.S. flag card, for
example, could include a Clipper or Capstone Chip.  With a common
standard, developers of software products could build applications that
provide information security by interfacing with a national
cryptographic module that satisfies the policy requirements of the
country where the product is used.  Since the applications themselves
would not implement cryptographic functions, they would be exportable,
addressing the main concern of the software industry regarding export
controls.


Steve Walker, President of Trusted Information Systems, has proposed
that a consortium of interested parties define preliminary standards
for Cryptographic Application Programming Interfaces (CAPIs), and then
experimentally test them out with cryptographic modules implemented in
PCMCIA cards.  Such CAPIs could build on NIST's draft set of
Application Layer Cryptographic Service Calls, the interface
specifications for the Tessera PCMCIA card, which uses the Capstone
Chip and thus implements key escrow, and other publicly available
specifications.  A challenge will be to do this in a way that does not
promote the proliferation of unescrowed encryption, thereby thwarting
lawful access by the government.


Within an international cryptography framework, it might be possible to
add a corporate key escrow system, wherein organizations and
individuals could escrow keys with private sector agents, and then
obtain access to those keys without a warrant.  One of the concerns of
many potential users of encryption, particularly organizations, is that
encrypted information could become inaccessible if keys are
accidentally lost, intentionally destroyed, or held for ransom.  A
corporate escrow system could help protect an organization's
information assets and protect against liability problems by ensuring
that keys are under the control of those accountable for the assets.
Donn Parker at SRI International has been advocating such an approach,
and Frank Sudia at Bankers Trust presented to the CSSPAB a proposal for
an international corporate key escrow system, which could use escrow
agents in different countries.  The Bankers Trust system builds on an
alternative approach to key escrow, which was developed by Professor
Silvio Micali at MIT and ties in with public-key cryptography.


A corporate escrow system might be coupled with that used by the
government for law enforcement and national security purposes, as in
the Bankers Trust approach, but it also could be separate.  Although
many of the mechanisms would be similar, the goals are different.  With
a separate system, the keys escrowed under the corporate escrow system
might be different from those escrowed for law enforcement.


Another possible option is a software-based approach to encryption and
key escrow.  The NIST-sponsored Software Escrowed Encryption Working
Group, of which I am a member, is working towards requirements and
specifications for an international software-based key escrow
encryption system that would meet the needs of businesses, governments,
and individuals for secure domestic and international communications
and the needs of national governments for accessing communications
under their legal authority.  A challenge here is finding a way that
does not allow the user to readily circumvent the key escrow process.
At this point, it is too early to tell whether we will achieve our
goal.


Both a corporate key escrow system and a software-based escrow system
are likely to be substantially more complex than the current
Clipper/Capstone key escrow system, and may depend on the
implementation of a public key infrastructure.  Thus, they do not
represent near-term alternatives to the Clipper approach.  In addition
to its simplicity, the Clipper system also has the advantage of
guaranteeing key escrow without requiring any action on the part of
users and of offering potentially greater privacy by escrowing keys by
device rather than by user.




                               Conclusions


The Clipper Chip and associated key escrow system provides both strong
communications security and lawful government access, while providing a
very high level of protection against unauthorized access.  Clipper
offers strong encryption for electronic communications, while the more
advanced Capstone Chip offers a full range of cryptographic functions
to satisfy the requirements for secure electronic commerce and other
applications on the NII.


As we move into an era of even greater electronic communications, we
can and must design our telecommunications infrastructure and
encryption systems to support our needs as a nation for secure
communications, individual privacy, economic strength, effective law
enforcement, and national security.  The Clipper Chip is an important
step towards meeting all our national needs, and the government should
continue to move forward with the program.


The government needs an encryption standard to succeed DES.  If in lieu
of Clipper, the government were to adopt and promote a standard that
provides strong encryption without government access, society could
suffer severe economic and human losses resulting from a diminished
capability of law enforcement to investigate and prosecute organized
crime and terrorism, and from a diminished capability for foreign
intelligence.  Critics argue that unescrowed encryption will
proliferate through the private sector anyway, undermining the
government's efforts.  Indeed, this is possible since some proponents
of cryptography either actively oppose government wiretaps or dismiss
law enforcement and national security needs as unessential.
Nevertheless, the government rightly concluded that it would be
irresponsible to promote a standard that foils law enforcement when
technology is at hand to accommodate law enforcement needs without
jeopardizing security and privacy.  Moreover, through the
Administration's commitment to Clipper or some other form of key
escrow, escrowed encryption may dominate in the market, mitigating the
impact of unescrowed encryption on law enforcement.  Several
researchers and industry leaders recognize the value of providing both
secure communications and authorized government access, so escrowed
encryption may gain in popularity, particularly as a framework for
international cryptography evolves.


Clipper is also a good testbed for trying out key escrow.  If key
escrow encryption is successful, it might form the basis for a
broader-based, more complex key escrow system, possibly managed by the
private sector, which would allow individual and organizational access
as well as access by the government.  Such a system might support
international key escrow and a variety of encryption standards and
national policies.  If the key escrow system for some reason fails to
provide acceptable protection against unauthorized use of keys, then
the escrowed keys can always be destroyed, leaving behind strong
cryptographic protection.  By contrast, it would be extremely difficult
to go the other way and implement key escrow after some other form of
strong encryption has come into widespread use.


Assuming efforts to develop an international key escrow framework prove
successful, such a framework could support secure international
communications while accommodating individual national policies
governing cryptography.  An international framework likely would be
based on standard cryptographic application interfaces and national
cryptographic modules, and could support Clipper and Capstone
technology along with other forms of escrowed encryption.  This
approach would allow U.S. industry, under existing export control
policies, to strengthen its leadership in the global market by
developing and exporting software applications that meet the
information security needs of government, industry, and individuals.


Just as encryption has threatened the government's ability to access
communications intercepted under its legal authority, advances in
telecommunications technology are already undermining the government's
ability to intercept those communications in the first place and to
obtain call setup information.  While Clipper addresses the former
problem, the proposed Digital Telephony legislation addresses the
latter.  Both are needed in order to ensure that as technology provides
greater communications security, law enforcement agencies continue to
have the tools they need to investigate major crimes and acts of
terrorism.