Interesting People mailing list archives

IP: Re: HP press conference on crypto


From: Dave Farber <farber () cis upenn edu>
Date: Sat, 23 Nov 1996 06:39:36 -0500

This is in reply to Ross Stapleton-Gray's piece on the HP crypto issue. djf




Date: Fri, 22 Nov 1996 18:05:25 -0500
To: farber () linc cis upenn edu
From: thompson () tis com (Bill Thompson)


I just thought you'd like some additional info re: your [Ross
Stapleton-Gray - ed] comments


Analysis of HP (Snip)
The technology itself appears to be in the form of a "tamper-proof"
physical device (reminiscent of Clipper/Capstone) which would hold
"dormant" encryption mechanisms.  These could be activated through
assertion of a "Policy Activation Token" received from a "Security Domain
Authority."  Individual encrypted messages would have appended a "Key
Recovery Field" to permit the specific session key for that message to be
retrieved by a key recovery agent.


Yes, the technology is "tamper proof" (resistant?), and it will contain
"broken" implementations of RSA, and RecoverKey, the addition of either of
which is a function of the policy activation token that is present.  In
addition, a certificate from an export approved Key Recovery Center (KRC)
will be necessary to enable any key recovery "required" products.  In US
shipments, there will be full RSA policy tokens available, as well as user
discretionary key recovery policy tokens, which do not require a government
approved key recovery center.


The exported versions will include available policy tokens for 40 bit and
56 bit DES without recovery fields, and tokens requiring recovery fields
for cryptography stronger than 56 bits (128 bit RC2, RC4, 168 bit triple
DES).  There will be a special US only policy token that supports all of
these, and it will automatically create a key recovery field if
interoperation with an exported product is detected, assuming a valid
export approved KRC certificate also exists.  If any of the required conditions
aren't met, the product simply won't work in that mode, but can work in
other modes.  It is possible that similar products can be configured for
other markets (i.e. full encryption within a country with user choice on
recovery, but requirements for key recovery on all communications or file
exchanges across international boundaries with more than 56 bit DES), but
that isn't in concrete yet, and will vary by country.  France, for example,
will be requiring key recovery on all encrypted traffic, domestic or
international.



None of the literature goes into much detail of how governments would play
in this... presumably the requirement for "Policy Activation Tokens" means
that HP (through hardware partner Intel) could ship a lot of devices that
could implement 56-bit DES today, and be later activated to provide
128-bit escrowed Algorithm X, or Y, or Z (not clear if the tamper-proof
box can be loaded with new encryption code, or if it's only working from
the original set of stored protocols).  It's not clear if there's a
deactivation capability, or if there is, how the user would be compelled
to use it (though one could imagine a time-out feature requiring
reactivation).


You are correct, it is likely that many ICFs will be exported with 56 bit
DES and no recovery enabled via policy tokens.  Policy tokens can be
changed, so adding additional capabilities later (say with key recovery) is
possible, and subject to memory restrictions, other algorithms can also be
added.  There currently is no time out for the 56 bit DES product, but
since they can't be exported after Jan 1, 1999, they will probably see a
declining use rate after that in favor of stronger (albeit key recovery
enabled) encryption products.  I think user choice, rather than regulation
will drive that, as two years from now 56 bit DES will likely not be seen
as secure enough for many transactions.



I'll leave it to the real crypto analysts to sort out, but it looks as if
what HP, Intel and Microsoft (which has a crypto API for the technology to
be fitted in) have delivered is a general-purpose Clipper-like container,
with a key escrow structure in two areas: the device itself is governed by
the Policy Activation Token, and individual session keys can be
reconstructed by whomever the escrow agents are.  At first glance there
seem to be a lot of unknowns, e.g., whether this system would be as
subject to corruption of the Key Recovery Field (and hence rendered
unreadable by the escrow agents) as Matt Blaze showed Clipper and its LEAF
to be.



The answer here is absolutely not, and that is a central issue in the
export approval.  While nothing is absolutely tamper proof, the
implementation is so difficult to change (because of crypto signing
techniques and separate hashing of operational and boot up code which a
hacker will not be privy to information about) it will be significantly
easier to start from scratch than try to modify or defeat either a software
or hardware implementation of RecoverKey. The ICF adds another layer of
difficulty on top of that, as does the fact that certificates will also
contain crypto authentication information used in the calculations.  This
will change all the time and must be validated on both ends of the
cryptographic implementation.


Not a software solution either, requiring an Intel device... presumably
device keys (for use by the "Policy Activation Token") would be
established by Intel for passage to "the authorities," or Intel could
produce keyable devices.


There are software CSP implementations to be available from TIS in January
1997 which use the same CAPI calls, and will be 100% compatible with the
hardware framework.  Since they are software, they will be less expensive,
but slower in operation.  They will be tamper resistant as well, although
perhaps to a lesser degree than the hardware solution, but still
significant enough to thwart modification.  Intel will not have any way to
control the recovery process, and the keying of the devices will be totally
up to the users.



Dunno... the more I think about this the more I'm unsure that this is a
safe system (from the perspective of keeping strong crypto out of
nongovernment hands)... spoofing of Tokens, corruption of the KRF, etc.,
all seem reasonable stunts.

Ross


Healthy skepticism is always a reasonable posture, but the collective
knowledge of lots of crypto experts who have seen all kinds of attempts at
spoofing, etc. is present in these products.  The whole idea is a
framework designed to support user needs to protect their information and
be completely in control of the recovery process, whether it is for
themselves or to satisfy legal demands from law enforcement or the
intelligence community.  The private sector is in control, not the
government.  All government can do is establish rules as to who can be
approved to be a recovery agent for export enabled crypto, and they have
(grudgingly) allowed it to be companies protecting their own information.
_____________________________________________________________________
Ross Stapleton-Gray                     TeleDiplomacy, Inc.
director () embassy org                    2503 Columbia Pike, Suite 118
Director, Electronic Embassy Program    Arlington VA 22204
http://www.embassy.org                  +1 703 685-5197 / 5257 fax


If you have other questions, I'd be delighted to try to answer them.  I
think as you look at this in greater detail, you'll be less concerned about
the big brother problem, and more a believer that this technology provides
the best balance between strong confidentiality for users and compliance
with laws, not only ours in the US, but in other countries as well, who are
now very concerned we will open the crypto floodgates.


Regards,
Bill


*--------------------------------------------------------------------------*
|R. William Thompson                   Vice President, Business Development|
|Trusted Information Systems                               thompson () tis com|
|444 Castro Street, Suite 800                         (415) 962-8885, X3019|
|Mountain View, CA  94041                                Fax (415) 962-9330|
|Office in Home                              Home Office Tel (512) 263-3110|
|9305 Scenic Bluff Drive                     Home Office Fax (512) 669-7069|
|Austin, TX  78733                                  Home Tel (512) 263-5936|
|                                                   Home Fax (512) 263-9436|
*--------------------------------------------------------------------------*
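The thread describes the gating logic in prose only: a dormant device that does nothing until a Policy Activation Token from a Security Domain Authority is loaded, export tokens that permit 40 and 56 bit DES without a Key Recovery Field but demand one (plus a valid export-approved KRC certificate) for anything stronger, and a US token that attaches a KRF automatically when it detects a peer whose policy requires one. The model below is an added illustration of that decision logic and is not TIS, HP or Intel code. Everything in it is an assumption: the token format, the use of an HMAC under a constructed `SDA_KEY` in place of the real signature scheme, the cipher list and key sizes, and the name `CryptoFramework`.

```python
import hashlib
import hmac

# Constructed MAC key standing in for the Security Domain Authority's signing
# key. A real device would verify a public-key signature over the token;
# HMAC keeps this example self-contained and offline.
SDA_KEY = b"constructed-security-domain-authority-key"

# Dormant cipher suites the device ships with, and their nominal key sizes
# (assumed; taken from the sizes named in the thread).
CIPHERS = {"DES-40": 40, "DES-56": 56, "RC2-128": 128,
           "RC4-128": 128, "3DES-168": 168}


def sign_token(allowed, krf_required_above):
    """Issue a policy activation token (assumed format): the ciphers the device
    may run, and the key size above which every message must carry a KRF."""
    body = ",".join(sorted(allowed)) + "|" + str(krf_required_above)
    mac = hmac.new(SDA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + mac


def verify_token(token):
    """Return the parsed policy, or None if the token's MAC does not check."""
    body, _, mac = token.rpartition("|")
    expected = hmac.new(SDA_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    names, _, threshold = body.partition("|")
    return {"allowed": set(names.split(",")), "krf_above": int(threshold)}


class CryptoFramework:
    """Model of the dormant device: no cipher runs until a valid token is loaded."""

    def __init__(self):
        self.policy = None
        self.krc_cert_valid = False   # export-approved KRC certificate installed?

    def activate(self, token):
        self.policy = verify_token(token)
        return self.policy is not None

    def install_krc_certificate(self, valid):
        self.krc_cert_valid = valid

    def krf_needed(self, cipher):
        """Does local policy demand a Key Recovery Field for this cipher?"""
        return CIPHERS[cipher] > self.policy["krf_above"]

    def encrypt_session(self, cipher, peer_requires_krf=False):
        """Return (allowed, krf_attached). A KRF is attached when local policy
        or the peer's policy demands one, and only if a valid KRC certificate
        is present; otherwise the mode is simply refused."""
        if (self.policy is None or cipher not in CIPHERS
                or cipher not in self.policy["allowed"]):
            return (False, False)
        if self.krf_needed(cipher) or peer_requires_krf:
            if not self.krc_cert_valid:
                return (False, False)
            return (True, True)
        return (True, False)


def demo():
    """Walk through the export and domestic cases described in the thread."""
    export = sign_token(["DES-40", "DES-56", "RC2-128", "3DES-168"],
                        krf_required_above=56)
    # Domestic token: recovery is user-discretionary, so no size forces a KRF.
    domestic = sign_token(CIPHERS.keys(), krf_required_above=168)

    exported = CryptoFramework()
    r = {}
    r["no_token"] = exported.encrypt_session("DES-56")              # dormant
    exported.activate(export)
    r["export_des56"] = exported.encrypt_session("DES-56")          # no KRF needed
    r["export_3des_no_krc"] = exported.encrypt_session("3DES-168")  # refused: no KRC cert
    exported.install_krc_certificate(True)
    r["export_3des"] = exported.encrypt_session("3DES-168")         # runs, KRF attached
    r["export_rc4"] = exported.encrypt_session("RC4-128")           # not in token

    us = CryptoFramework()
    us.activate(domestic)
    us.install_krc_certificate(True)
    r["us_3des"] = us.encrypt_session("3DES-168")                   # no KRF domestically
    r["us_3des_interop"] = us.encrypt_session(
        "3DES-168", peer_requires_krf=exported.krf_needed("3DES-168"))  # KRF auto-added

    # A token edited to raise the KRF threshold fails verification.
    forged = export.replace("|56|", "|168|")
    r["forged_token_accepted"] = CryptoFramework().activate(forged)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} {outcome}")
```

The point a defender should take from the model is where the enforcement actually lives: every decision reduces to "is the token's MAC (signature) valid, and is the KRC certificate valid". Tampering with the token body is caught by `verify_token`, which matches the thread's claim that the hard part for an attacker is the signing, not the policy data itself.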

