S. Hrg. 103-1067
THE ADMINISTRATION'S CLIPPER CHIP KEY ESCROW ENCRYPTION PROGRAM
Y 4. J 89/2: S. HRG. 103-1067
SUBCOMMITTEE ON TECHNOLOGY AND THE LAW
OF THE
COMMITTEE ON THE JUDICIARY UNITED STATES SENATE
ONE HUNDRED THIRD CONGRESS
SECOND SESSION ON
THE ADMINISTRATION'S IMPLEMENTATION OF A PROGRAM TO ENABLE THE GOVERNMENT TO DECODE FORMS OF COMMUNICATION THAT IS ENCRYPTED WITH A COMPUTER CHIP CALLED "CLIPPER CHIP"
MAY 3, 1994
Serial No. J-103-55
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
20-186 CC WASHINGTON : 1995
For sale by the U.S. Government Printing Office, Superintendent of Documents, Congressional Sales Office, Washington, DC 20402 ISBN 0-16-047780-8
COMMITTEE ON THE JUDICIARY
JOSEPH R. BIDEN, Jr., Delaware, Chairman EDWARD M. KENNEDY, Massachusetts ORRIN G. HATCH, Utah
HOWARD M. METZENBAUM, Ohio STROM THURMOND, South Carolina
DENNIS DeCONCINI, Arizona ALAN K. SIMPSON, Wyoming
PATRICK J. LEAHY, Vermont CHARLES E. GRASSLEY, Iowa
HOWELL HEFLIN, Alabama ARLEN SPECTER, Pennsylvania
PAUL SIMON, Illinois HANK BROWN, Colorado
HERBERT KOHL, Wisconsin WILLIAM S. COHEN, Maine
DIANNE FEINSTEIN, California LARRY PRESSLER, South Dakota
CAROL MOSELEY-BRAUN, Illinois
Cynthia C. Hogan, Chief Counsel
Catherine M. Russell, Staff Director
Mark R. Disler, Minority Staff Director
Sharon Prost, Minority Chief Counsel
Subcommittee on Technology and the Law
PATRICK J. LEAHY, Vermont, Chairman HERBERT KOHL, Wisconsin ARLEN SPECTER, Pennsylvania
DIANNE FEINSTEIN, California LARRY PRESSLER, South Dakota
Bruce Cohen, Chief Counsel/Staff Director Richard Hertling, Minority Chief Counsel
CONTENTS
STATEMENTS OF COMMITTEE MEMBERS
Page
Leahy, Hon. Patrick J., U.S. Senator from the State of Vermont 1
Murray, Hon. Patty, U.S. Senator from the State of Washington 16
CHRONOLOGICAL LIST OF WITNESSES
Panel consisting of Jo Ann Harris, Assistant Attorney General, Criminal Division, U.S. Department of Justice; and Raymond G. Kammer, Deputy Director, National Institute of Standards and Technology 3
Panel consisting of Whitfield Diffie, engineer and cryptographer, Sun Microsystems, Inc., Mountain View, CA, on behalf of the Digital Privacy and Security Working Group; and Stephen T. Walker, president, Trusted Information Systems, Inc., Glenwood, MD 33
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Diffie, Whitfield:
Testimony 33
Prepared statement 37
Harris, Jo Ann:
Testimony 3
Prepared statement 13
Kammer, Raymond G.:
Testimony 17
Prepared statement 19
Leahy, Hon. Patrick J.: Testimony 1
McConnell, Admiral J.M.:
Testimony 95
Prepared statement 103
Murray, Hon. Patty:
Testimony 16
Prepared statement 16
Walker, Stephen T.:
Testimony 42
Prepared statement 46
Attachment I: Encryption production identified as of Apr. 22, 1994 62
Attachment II: Companies manufacturing and/or distributing cryptographic products worldwide 76
APPENDIX
Additional Submissions for the Record
Prepared statements of:
Computers and Business Equipment Manufacturers Association 107
United States Council for International Business 112
Crypto Policy Perspectives:
Composed by Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy Denning, Whitfield Diffie, Anthony Lauck, Douglas Miller, Peter Neumann, and David Sobel 114
Time/CNN poll conducted. Mar. 2-3, 1994 123
Questions and Answers
Questions to Jo Ann Harris from:
Senator Leahy 127
Senator Pressler 133
Senator Murray 134
Additional remarks of Jo Ann Harris 134
Questions to NIST from:
The Senate Subcommittee on Technology and the Law 138
Senator Murray 144
Senator Pressler 144
Questions to Whitfield Diffie from the Senate Subcommittee on Technology and the Law 144
Letters from Whitfield Diffie on behalf of Sun Microsystems Computer Corp., May 23, 1994, to:
Senator Murray 147
Senator Leahy 148
Questions to Stephen T. Walker from the Senate Subcommittee on Technology and the Law 148
Questions to Admiral J.M. McConnell from:
The Senate Subcommittee on Technology and the Law 152
Senator Pressler 153
Senator Murray 154
THE ADMINISTRATION'S CLIPPER CHIP KEY ESCROW ENCRYPTION PROGRAM
TUESDAY, MAY 3, 1994
U.S. Senate, Subcommittee on Technology and the Law,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:39 a.m. in room G50, Dirksen Senate Office Building, Hon. Patrick J. Leahy (chairman of the subcommittee), presiding.
Present: Senators Specter, Pressler, and Murray [ex officio].
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE STATE OF VERMONT
Senator Leahy. Good morning. We are holding today's hearing for a number of reasons. The administration is implementing a controversial program to enable the government to decode any telephone, fax, or computer communication that is encrypted with a special computer chip called Clipper Chip. In doing so, and I understand the reasons for this, the administration has responded to the alarm bells that were sounded by our law enforcement and intelligence agencies. They are struggling to keep pace with emerging telecommunications technologies that make it easier to encrypt messages and evade lawful wiretaps.
Incidentally, the administration has stressed, and I am sure will in testimony today, the security of Clipper Chip. The price for this security is that two Federal agencies will hold a duplicate set of keys to decode any communication encrypted with the Clipper Chip before any wiretap order has been issued.
Now, before American citizens and potential customers of American computer and telecommunications products will see this as the solution to privacy or security concerns, they have got to be assured that iron-clad procedures are in place. We have got to be able to guarantee that, absent a court order, no one is going to be able to decode their private communications except, of course, the person they want to. Otherwise, even law-abiding users are not going to want to use encryption devices with Clipper Chip.
We are going to see demonstrations of how encryption works and we are going to hear from government witnesses, experts and critics of Clipper Chip. I would note that a recent Time/CNN poll indicated that 80 percent of the American people oppose this program, so I would hope that the public might get a chance to hear more about it today.
Admiral McConnell, I want to thank you for your willingness to be here. I understand that, as we have discussed before, you have to limit your public remarks out of concern for national security. A second part of this hearing will be held in a secure room so that we can hear the remainder of your remarks.
Now, our Constitution requires that we strike a balance between an individual's right to be left alone and conduct his or her own affairs without government interference, and our interest in a secure and safe society. The Clinton administration's Clipper Chip may be seen as a solution by the law enforcement and intelligence agencies, but it raises a whole lot of questions for its potential users about whether it tips that fundamental balance.
I have got to tell you I have some real questions about whether any sophisticated criminal or terrorist organization is going to use the one code endorsed by the U.S. Government and for which U.S. Government agents hold the decoding keys, especially when there are a number of alternative encryption methods commercially available, including one I read was just recently sent out over the Internet.
I am concerned about the Clipper Chip's impact on the competitiveness of our robust high-tech industries. We have got to ensure that it does not impede American companies trying to market high-tech products overseas. The administration's steps to reform some export restrictions on encryption and telecommunications technology are welcome, but we have to talk about that.
I would note that we are talking today about Clipper Chip and not about digital telephony. Many get the two mixed up, and, in a way, some of the political questions are the same. In digital telephony, the question is whether we will be able to hold up advances in communications technology until the Justice Department can be assured that they have a way of conducting lawful wiretaps on that.
The administration is asking the same thing with Clipper Chip: That we not be allowed to develop and export encryption devices until the government is given the keys to be able to decode encrypted messages under appropriate standards and court orders.
My concern, I have got to tell you frankly, is what happens if we say that the Federal Government is empowered to sign off on technology and technology may not go forward until they do. It bothers me very much because my experience with the Federal Government has been that in the areas of computers and telecommunications the Federal Government has carefully and assiduously stayed at least 10 to 20 years behind the curve on just about everything.
You can make a better and clearer telephone call from the Washington-to-New York shuttle than you can from Air Force 1, with all its expensive equipment. Most telephone systems of the Federal Government, as installed, have been antiquated. The only distinction is they usually pay far more than they would if they just bought it off the shelf. You see the FAA struggling with a computer system where they have to buy tubes from eastern European countries because nobody with advanced technology even makes the damn things anymore.
If this is the same government that will sign off on when we go forward, I can see the United States being in the backwash of computer and telecommunications technology. I don't want to see that happen. I suspect that none of the witnesses from the government want to see that happen either.
So we have two problems, really. We have the problem of those who are concerned about what Clipper Chip might do to our technological competitiveness in this country and, of course, we have the further problem, as pointed out by the 80 percent of the people who responded that way in the Time/CNN poll, of privacy.
The information superhighway holds the promise of an information explosion that is going to enhance our marketplace of ideas, bringing untold benefits to our citizens. But this promise will be an empty one unless people are sure that when they go online or talk on the phone they are not forfeiting important fundamental rights, like their right to privacy.
New technologies present enormous opportunities for Americans, but we have got to strive to safeguard our privacy if these technologies are to prosper in this information age. Otherwise, in the service of law enforcement and intelligence needs, we are going to dampen any enthusiasm Americans may have for taking advantage of the new technology.
I come from a law enforcement background. I spent 8 years on the Senate Intelligence Committee and continue to be involved with intelligence agencies through my Appropriations Committee hat. I understand the tremendous problems, especially with organized crime, that law enforcement faces, and the tremendous problems, especially with terrorism and the potential threat of terrorism, that our intelligence agencies face. But I also know that this country has to survive economically, and one of the ways we do so is the fact that we have been able to have certain technological advances. I don't want that to change.
We will go first, Ms. Harris, to you, and then to Mr. Kammer, who is going to do a demonstration. Ms. Harris is Assistant Attorney General of the Criminal Division at the Department of Justice, and I am delighted you are here.
PANEL CONSISTING OF JO ANN HARRIS, ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE; AND RAYMOND G. KAMMER, DEPUTY DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
STATEMENT OF JO ANN HARRIS
Ms. Harris. Thank you, Mr. Chairman, and thank you for the opportunity to talk with you about the key escrow encryption concept. In particular, I want to talk about balancing the public's right to the best protection that technology can provide for legitimate communications — balancing that with the public's right to be protected from criminals and terrorists, and I want to talk about how we can maintain the balance in this age when technology is, as you have noted, exploding all around us.
As I know you understand, many groups engaged in the most serious and violent criminal conduct, including drug traffickers and organized crime groups, major street gangs and terrorist groups, must have a means of communicating quickly, over distance, with each other. They rely on telephonic communications to conduct their illicit activities, and at this time the law permits law enforcement to obtain court orders to tap into these criminal conversations upon, of course, a stringent showing of necessity and a showing of probable cause that the communications are criminal in nature.
Even though we use that power very sparingly, our ability to hear and, importantly, to understand these conversations has been crucial to effective law enforcement. Evidence from electronic surveillance has resulted in the convictions of, we estimate, 22,000 felons in the last decade.
As a Federal trial lawyer specializing in criminal cases, I can tell you from plenty of first-hand experience and knowledge that some of the most powerful evidence I have ever seen or heard in court against these criminals are recordings of their own words directing their criminal enterprises in a way that a jury can understand.
Further, I know from experience recently that authorized wiretaps have not only caught and convicted criminals, they have saved lives, including kidnaping victims and targets of terrorist activities. For example, in four separate instances in the very recent past, law enforcement has obtained critical information about the identity of kidnapers who were threatening immediate harm to hostages. Law enforcement has learned the location of the hostages and was able to move in and rescue the hostages before harm was done. These are fast-moving scenarios where our ability to get up on a wiretap and understand the content of the conversations in realtime is absolutely critical.
With court-authorized interception of telephone conversations, we have penetrated the highest levels of mob activity, narcotics trafficking. We have brought down whole organizations. Cases come to mind that everyone, I think, has heard of. The Pizza Connection case, the Commission case, the Hererra-Botrega case involving the Cali cartel, are just examples of the power of the wiretap as a law enforcement tool, and it is not limited to just mobs and drugs. Operation Ill Wind, for example, was a Defense procurement fraud case in which wiretaps led to 45 search warrants, 60 convictions, hundreds of millions of dollars recovered in fines.
In addition, wiretaps have helped us prosecute child pornography cases, murder-for-hire schemes. They have permitted us to make seizures of tons of illicit drugs, helped us follow and seize the illicit millions of dollars made by traffickers, without compromising ongoing investigations.
But, Mr. Chairman, the ability to intercept these communications is only the first step. We must have the ability to understand the content of these lawfully authorized wiretaps in order to act. If we intercept illicit communications in a foreign language, we need to bring in a translator who knows the language. If the language is guarded, as it frequently is in these intercepted criminal conversations, we need to bring in an expert to tell us what it means.
Critical to my point here is if intercepted criminal conversations are encrypted, we need the ability to cut through the encryption, just as we need a translator to cut through the foreign language. If we can't cut through the encryption in the coming age of technology, law enforcement efforts will be seriously hampered. This ability to understand the words that we are lawfully intercepting pursuant to court order is all we seek with the Clipper Chip, no less and no more.
Mr. Chairman, the plain fact is, as you have noted, that high-quality voice encryption in an affordable, portable, easy to use form will soon be widely available on the market. We anticipate that many legitimate users will acquire these and similar devices with the perfectly legitimate goal of protecting their personal and business confidential information. We worry, however, that such devices will also be used by criminal organizations to shield their illegal enterprises.
Mr. Chairman, last year, as you know, the Clinton administration, looking ahead to the future, trying to stay ahead of the curve, sought to address both of these important issues — the protection of legitimate communications without losing our ability to intercept criminal communications with key escrow encryption.
Key escrow encryption has two fundamental features. First, on the encryption side, to protect communications it uses a very strong algorithm, so strong that it can only be decrypted with a key that is unique to each individual key escrow encryption chip. Second, on the decryption side, to ensure the public of the privacy afforded by the key escrow encryption, this unique key is split into two components, each held by one of two independent entities serving as escrow agents. Those two entities are not permitted to release key components except to government agencies and, importantly, only to government agencies when they are already authorized by law to intercept the communications.
Mr. Chairman, we have worked to develop procedures that strike the right balance between the rigorous protection of the privacy of communications and the need in critical moments to be able to decrypt such communications in order to protect lives and preserve the public safety.
Clipper Chip key escrow encryption provides a combination of procedural requirements, technical safeguards and audit capabilities which will assure the integrity of the Key Escrow Encryption System without frustrating the ability of government agencies to understand encrypted communications in the course of lawful wiretaps.
Senator Leahy. What happens if it is misused? Is there any recourse by somebody whose communication was intercepted? Suppose it was misused. We always assume law enforcement does these things according to court order, but we know that there has been misuse of taps before. What if that happened under this? Is there any way we can go back against the person? I understand the Attorney General has suggested that the escrow agents be immune from liability for mishandling the keys. Is that a good idea?
Ms. Harris. If I may, Mr. Chairman, first address the unlikelihood of that ever happening, given the protections built into the system
Senator Leahy. Let us assume the unlikelihood for the purposes of my question. Assume the unlikelihood that it were to happen; unlikely things sometimes do. After 20 years in this branch of the Federal Government, I have seen an awful lot of unlikely things happen. I have seen Presidents declare that no money was diverted to the contras. I have seen statements before the Persian Gulf War that were false, and the American people spent $1.9 billion on foreign aid to Saddam Hussein as a result of misstatements to the American public.
I mean, things do happen, so let us just assume that one time out of a gazillion something went wrong. Is the Attorney General right in saying that the escrow agents should be immune from liability for mishandling the keys?
Ms. Harris. Mr. Chairman, I am not sure that the Attorney General has made such a statement with respect to immunity.
Senator Leahy. What she said was the procedures do not create and are not intended to create any substantive rights for individuals intercepted through electronic surveillance.
Ms. Harris. All right. They are not intended to create any substantive rights for people intercepted any more than the present wiretap laws are intended to create substantive rights for people who are unlawfully intercepted. We are building in such protections that I find it unlikely this will happen, but let me say this, Mr. Chairman. It is a violation of Federal law right now illicitly to wiretap. We take that law very seriously. We will enforce that law.
Senator Leahy. Would it be a violation of the same Federal law illicitly to use the Clipper chip keys?
Ms. Harris. I would have to look at it more carefully.
Senator Leahy. Should it be?
Ms. Harris. Sorry?
Senator Leahy. Would you see any problem in applying the same law to the misuse of Clipper chip keys as we apply to the misuse of wiretap today?
Ms. Harris. If, in fact, in the course of an illicit electronic surveillance, somehow a person got ahold of both aspects of the Clipper Chip, had the decryption device so that things were fed into it and somehow they were able to break into this system, it is unlawful to participate in illicit electronic surveillance. It depends on the facts of the case beyond that, Mr. Chairman, but I believe that if that occurs it is going to violate the law.
Senator Leahy. Ms. Harris, a concern about Clipper Chip is that the government has the keys to that. But there are other encryption systems that are pretty good now, are there not, that you as the head of the Criminal Division are faced with?
Ms. Harris. My understanding is that the Clipper Chip is so much more powerful than anything available at this time that the Clipper Chip is a spectacular way of encrypting conversations. There are certainly other devices on the market now.
Senator Leahy. What about Pretty Good Privacy, PGP? There was an article about that in the Wall Street Journal last week. And the Wall Street Journal, at least on their news items, are usually pretty accurate. Their editorials are written on a different planet. [Laughter.]
But in their article, they suggest if I recollect it correctly, that PGP is just about impossible to break. Is that right?
Ms. Harris. Well, the interesting thing about that particular device, as I understand it, is that it is software in a computer and does not reach phone bands; that is, voice bands, which is what Clipper Chip is all about. I mean, what Clipper Chip is involved with is the encryption and decryption of the voice band.
Senator Leahy. But that would be fairly easy to do. I mean, if much of our voice communications are now being digitized anyway, wouldn't it be fairly easy to run this through a computer program if somebody wanted to? If you can build it for data transmission in Pretty Good Privacy, wouldn't it be fairly easy to do it, or assume that that is going to be done within a relatively short time for voice transmission?
Ms. Harris. My understanding is that it is ever so much more complicated to do this with voice band, but I defer to the experts who are with me on the technology here.
Senator Leahy. Well, let me ask you this question. I read an article about a convicted pedophile in California who used Pretty Good Privacy to encrypt his computer diary, which frustrated the police, who thought the computer diary might contain clues about a child pornography ring, something that I think all of us would agree that if law enforcement could find out about such a thing, we would want them to be able to take action.
Have you seen many such instances of encrypted communica- tions?
Ms. Harris. Well, let me again address the child pornography case in California, which I think is the Wall Street Journal article, and just underline that that is computer software and that is not what we are talking about here. What I am talking about is our ability to understand intercepted voice communications at a time when we already have the court orders to intercept it, and
Senator Leahy. Well, let us
Ms. Harris. I am sorry, Mr. Chairman.
Senator Leahy. No, no; go ahead.
Ms. Harris. I was going to then answer your question. The fact is that at this particular point in time law enforcement has not been frustrated by, or significantly frustrated by voice band encryption. My point is, and you certainly underlined it in your remarks, Mr. Chairman, that we are trying to anticipate and get ahead of the curve on this particular subject because we understand the significance to law enforcement if, in fact, encryption devices as powerful as Clipper Chip are out there without our ability, under very circumscribed circumstances, to intercept and understand criminal conversations.
Senator Leahy. We are going to demonstrate for you here a laptop computer with a computer software that encrypts voice communications. I appreciate what you said about the administration wanting to be ahead of the curve and I think in a lot of these communications and computer matters this administration has worked to get ahead of the curve. But don't think that Clipper Chip is just going to be used in normal straight voice communications because people can put these encryption devices through their computers and run it that way.
What I would ask is, about 900 wiretaps are conducted annually?
Ms. Harris. I think the figure in 1992, which is the last time we have figures, is 919.
Senator Leahy. Did many of them involve encrypted conversations?
Ms. Harris. The short answer is no. Our concern is clear, Mr. Chairman, that if these devices explode on the market, as we believe they will, we will begin to be truly frustrated and unable to read criminal conversations.
Senator Leahy. We are talking about the Clipper Chip. Why would a criminal organization or a terrorist organization buy something that has Clipper Chip in it for their encryption when they can buy other non-government-authorized systems that are also going to be extraordinarily difficult to crack, and perhaps impossible?
Ms. Harris. There are two answers to that, Mr. Chairman, and the first is — and this is just so true. I mean, why do they use telephones now? I mean, we are able to intercept and obtain invaluable evidence with court-authorized wiretaps because those kinds of organizations, knowing that we tap, continue to use the telephones.
I think the second answer to your question is that this is not easy, but our sense is that the Clipper Chip technology is so far advanced than anything else on the market or anything coming down the road that it will be regarded both by legitimate people and by illicit criminals as so powerful an encryption device that they will purchase it, that it will be something that they will want to use.
Senator Leahy. But if I was sitting up at my farm in Vermont and running an international heroin, gun smuggling, and counterfeit Ben and Jerry's organization, why wouldn't I just buy Pretty Good Privacy, PGP, and just do it all by computer and fax? I mean that seriously. Why wouldn't I just do that and say the heck with you, and I could run it on the Internet?
Ms. Harris. Because right now, and I think for the foreseeable future, the Clipper Chip is such a more powerful encryption device that I would want, if I were you, to buy the best, and you, being quite confident that the Feds would never catch up with you, would want the best as well.
Senator Leahy. But that is my point. Suppose I really am confident they are not going to catch me and I am really doing something very serious. Say I am in a rural location in the United States and I am running an international drug ring, something where there is enormous amounts of money so I can do whatever I want and buy whatever I want. Why would I buy something with Clipper Chip in it that comes, in effect, with a sign on it saying the Federal Government holds the keys to decipher this?
Ms. Harris. Let me again respond in two ways. First of all, you also will want to be making encrypted communications with legitimate organizations, with banks, with other legitimate organizations, to send your messages, to move your illicit money out of the country, to do a number of things. If the Clipper Chip technology is purchased by legitimate people in this country because it is the best technology, then you — shall we change our analogy — then the criminal who is sitting up on a farm in Vermont is going to need to communicate with those devices that the legitimate
Senator Leahy. If he wants to move money from the Chase Manhattan Bank to the Zurich National Bank, what you are saying is there he would have to — because they were using Clipper Chip, he would have to use Clipper Chip?
Ms. Harris. Let us go to Ill Wind. I mean, to the extent that we have a defense procurement fraud case and we have people trying to communicate with defense organizations and with legitimate companies, if you believe — that is, if the drug trafficker up in Vermont believes that the only way that he can interact with other independent entities with encryption devices is to also buy Clipper Chip, he is going to do it.
I suppose the second part of the answer is that to the extent that this powerful encryption algorithm is one which manufacturers decide to market because it is the very best, then I suppose that the market for lesser devices is not going to be that great. It is not going to be cost effective to produce those kinds of encryption devices.
Senator Leahy. Of course, this also assumes that these legitimate commercial organizations outside the United States are going to want to use some kind of a standard for encryption that they know the United States holds the keys, as compared to trying to find some other standard created by some other country for which the United States would not hold the key. We would see people in this country buying the other country's technology. That is at least a possibility?
Ms. Harris. Anything is possible. These are not easy issues, and I will absolutely say that. There is something, though, that I think needs be said perhaps not exactly in that context, but I think I need to underline time and again, from our perspective what we are talking about is already court-authorized interceptions of communications, and that all Clipper Chip does — after a court has already authorized the interception of the communication, all that is happening here is that we are getting the ability to understand the content of those legitimately intercepted communications.
Senator Leahy. Well, as I understand it, the escrow agents release the keys when they get two faxes, one from the prosecutor saying a wiretap order exists, and one from the law enforcement agency requesting the keys for a particular chip I.D. number for which they say they have a wiretap order. Now, the escrow agents themselves never see this court order, is that correct?
Ms. Harris. It is correct that the escrow agents never see it themselves, and let me explain why. Certainly, they have to certify that there is a court order. Incidentally, the request — let us put it this way: If DEA has a court-authorized wiretap up intercepting the kinds of communications that I have already talked about that are important and very criminal in nature, and if they hit some white noise that sounds as if it is encrypted, law enforcement has a decrypt device through which it can run a tape or the realtime noise through and that little box will tell DEA that this is a Clipper chip-encrypted conversation, and it will give DEA an encoded number coming off the chip.
That DEA agent and his supervisors will then communicate to each of the independent escrow agents and certify that there is a court order already in place authorizing them to intercept this communication; that it is a key escrow-encrypted conversation; that here is the number of the chip. This is going to the independent escrow agents, and the court order will terminate — that is, our ability to intercept will terminate at such-and-such a date. Please communicate back to our decrypt device the two pieces of the key that will enable our decrypt device to decode the conversation so that we may get it in realtime.
Senator Leahy. You could get it in realtime, then?
Ms. Harris. We need it in realtime.
Senator Leahy. Then how do those keys then get returned to the escrow agent?
Ms. Harris. My understanding is that right now with the prototype, we will have to manually destruct the keys that are in the encrypted box at the time that our authorization to intercept the communications ends pursuant to court order. As this develops, Mr. Chairman, and we are working through it right now, as I understand it, there will be a way that they will self-destruct at the particular time at the end of the court-ordered interceptions.
Senator Leahy. So nothing gets returned to the escrow agents?
Ms. Harris. That is correct. Now, I should say that there are, as you know, in our procedures substantial auditing requirements, substantial recordkeeping requirements. I should have said as well that after the DEA agent makes his faxed request to both of the independent escrow agents and the process starts back in realtime, it is required that the Federal prosecutor in charge of this case contact the key escrow agents and confirm all of the certification that has been put forth by the agent.
Senator Leahy. Now, this decryption device, the one that at least puts the first trigger up to say your white noise is a Clipper Chip, and number whatever
Ms. Harris. That is right.
Senator Leahy. Have those devices been made yet?
Ms. Harris. There is one.
Senator Leahy. I mean, how many of these are we going to have? Are you going to have to have them all over the country?
Ms. Harris. Well, I think that we must — and we are very respectful of this — we must keep very, very careful control of the number of encryption devices. They are the kinds of items that I don't think anyone would want spread all over the country.
Senator Leahy. Well, say, you have got a case in Tucson, AZ, and you have got one in Burlington, VT, and Abilene, KS. I mean, these are geographically kind of spread around. In each one of these areas, one might assume that law enforcement, at least for the rudimentary type of wiretaps, have equipment to do that, but one decrypt device might not do them any good.
Ms. Harris. I mean, we are working through these issues right now and are very, very sensitive to the fact that we do not want proliferation of these decrypt devices. I believe that the technology is such, or at least we are working on it, where you could transmit the white noise to the box in a centrally located place and get the answer.
Senator Leahy. How big is this decryption device going to be? I assume it is something relatively small.
Ms. Harris. It is not huge. When I said small box to my staff, they said, well, it is not small.
Senator Leahy. Bigger than a bread box, smaller than a
Ms. Harris. I think it is about the size of — I was just getting ready to say, and my able staff says, it is a PC. It is that size.
Senator Leahy. Do you and the administration see any need for new legislation to implement your Clipper Chip proposal?
Ms. Harris. The short answer is no.
Senator Leahy. So you are ready to just go ahead, no matter what we might think here?
Ms. Harris. Well, we always very, very carefully consider what is said here.
Senator Leahy. Yes, yes, yes. [Laughter.]
Ms. Harris. But let me go further, Mr. Chairman. Again, if you look at it the way that I have described, what we are talking about is simply a more sophisticated way to understand more sophisticated coding of criminal conversations.
Senator Leahy. Wearing my hat from another committee, there is one part, though, you may have some interest in talking to us about. How much is this thing going to cost?
Ms. Harris. I think you know that to the extent that the Department has already invested in these devices for law enforcement
Senator Leahy. No, but just running the escrow system is going to cost you millions of dollars a year, won't it?
Ms. Harris. I don't have easy estimates on that, Mr. Chairman.
Senator Leahy. Wearing the other hat from the Appropriations Committee, we may be looking at some legislation. Do you think that as part of the reporting requirements, the Justice Department should give Congress a full accounting of where these decrypt devices are? I mean, these things are set up so they can unlock a coded serial number. They can get direct transmission of the keys from the escrow agents. They can use the keys to decrypt clipper-encrypted conversations. Do you think there should be any reporting requirement of where they are?
Ms. Harris. Well, I mean certainly there should be a reporting requirement, and what we intend to do is two things, really. We intend to report to the Administrative Office of U.S. Courts where we already report all of our court-authorized wiretaps. We will certainly report there that a wiretap was encrypted and decrypted with key escrow encryption.
Also, my understanding is that to the extent that the intelligence committees are giving oversight that the information would be made available to them. We assume the Administrative Office of U.S. Courts is going to report to Congress, as it does every year.
Senator Leahy. If you say there is no legislation required, I would assume that the Justice Department at least anticipates regulations being promulgated?
Ms. Harris. What we have done, and I will be happy to go through it in more detail, is we have promulgated internal regulations that are designed to assure that the integrity of this system will be protected. What it does is internally guide us in terms of the process by which our agents go to get the keys, certify the process by which the keys come back, the process by which we audit very carefully. We plan to audit every single encryption instance.
Senator Leahy. Would the AG be able to change the set of escrow agents after the initial selection?
Ms. Harris. It is not
Senator Leahy. Suppose you have got an escrow agent who says, wait a minute, I think this is wrong, I don't think that this key should be released. Could the Attorney General just say, well, then we are going to get a different escrow agent?
Ms. Harris. Well, let me say a couple of things. One, we are still open and looking at the options with respect to escrow agents. But, two, it is really very important that there be some continuity once the escrow agents are in place. It is not contemplated that, with the appropriate certification, the escrow agent, other than looking at the certification and saying this is not enough, this is wrong — I don't think that you will find the Attorney General wanting to change escrow agents simply because one said no.
Senator Leahy. Well, stranger things have happened. I worry about the security of the system. If I understand this correctly, every Clipper Chip has the same family key programmed into it. Law enforcement uses the family key to decode the intercepted serial number which the targeted chip sends out, I guess, at the beginning of every conversation. If they have that, they can get the government's duplicate set of decoding keys from the escrow agents following the normal procedure.
If they have got the decrypt device, the initial step, at least, can be done by anybody who has got one of the devices. I mean, let us assume that it has happened on occasion that illegal wiretaps have been done even by law enforcement. If they have got the initial decrypt device, they can at least have the family key or the number.
Now, they can't get the decoding keys unless the escrow agents give them to them. Of course, without drawing this out too far, somebody had to make the decoding keys for the escrow agents. Somewhere, they are out there — that is what I am getting to, or the potential is out there.
Ms. Harris. But the potential is so minuscule. I mean, the protections that are built into this system to give everyone the assurance that no single person can illicitly get into this system. I must say with respect to the family codes, even if you got that, because those are coded, you wouldn't be able to get the number to send off to the escrow agents, as I understand it.
I mean, we are talking about independent escrow agents. We are talking about a requirement that a prosecutor go back to the es- crow agents and confirm all the certifications. I mean, we built it in both mechanically and humanly that there are checks and doublechecks and doublechecks.
Senator Leahy. If you have the decrypt device, even if you don't know what I am saying, you at least know who I am because you know the unique I.D. number of the device I am calling from.
Ms. Harris. I don't think I would know where you were calling from, even. I would know a number, period. I would not be able to track the number.
Senator Leahy. We have several ongoing reviews; let me make sure I have got them right. We have got a White House interagency working group, the NIST, and the National Research Council of the National Academy of Sciences. You haven't fully implemented the key escrow system or the decrypt device, to see how this works. Are we moving ahead of ourselves in this? Having expressed the earlier concern about the Federal Government always trying to stay carefully and traditionally behind the curve, are we getting a little bit ahead of the curve on this one?
Ms. Harris. Let me put it this way. The studies that you have alluded to, Mr. Chairman — the White House policy study is completed, and although one continues to study these matters and will continue to study them for as long as they are important, that is completed. The NIST part of this, as I understand it, although it is probably better addressed to Mr. Kammer, is completed. I don't know about the last study that you have alluded to, but I think we are moving at the appropriate speed. And, yes, speaking of the technology, we are attempting to stay ahead of the curve.
Senator Leahy. If we allow American companies to export Clipper Chip to non-U.S. users, say a non-U.S. user in France, what happens when the French law enforcement or intelligence community calls up and says, "by the way, we are kind of worried about Harris Ltd. that has just set up in the Bordeaux region. We don't think they are just selling wine. Can we have the keys to tap in?"
Ms. Harris. I think that we must very, very carefully control this technology and the ability to use it. As I say, we have tried to put in place procedures that will assure that. I think, with respect to foreign law enforcement requests, a couple of things. One, I think we have to take it on a case-by-case basis, and I think that even on a case-by-case basis I think we have to consider very carefully keeping the technology and the hardware, for that matter, with us and just go ahead and do the translation for them; that is, give them the words, the decrypted words, but there is no reason for us to go beyond that.
[The prepared statement of Jo Ann Harris follows:]
Prepared Statement of Jo Ann Harris
Mr. Chairman, members of the Subcommittee, I am pleased to be able to appear before you today to talk about a matter vital both to the protection of privacy and to the preservation of public safety.
As this Subcommittee understands quite well, many groups engaged in the most serious and violent criminal conduct — including drug traffickers, organized crime groups, and major street gangs — rely on electronic communications to conduct their illicit activities. Without the continued ability to conduct lawfully authorized wiretaps, law enforcement at the Federal, State, and local level will be seriously hampered in its ability to protect society from the depredations of these criminals.
Even though it is used sparingly, electronic surveillance has been crucial to effective law enforcement. Evidence from electronic surveillance has resulted in the convictions of more than 22,000 felons over the past decade. Indeed, without wiretaps, some extremely significant criminal activity could not be detected or properly investigated—much less successfully prosecuted. Wiretaps are not a routine investigative technique and are only used when other techniques have proven, or are likely to be, unsuccessful — often because those other techniques pose too great a risk to police or cooperating individuals. Wiretaps permit law enforcement authorities to penetrate closely controlled but highly sophisticated enterprises that might otherwise engage in wholesale criminal activity with impunity. Society cannot afford to lose the protection wiretaps afford it.
At the same time, technology is making it increasingly possible for individuals and private enterprise to protect the confidentiality of personal and proprietary information through the use of encryption — the electronic "scrambling" of communications. The market now offers high-quality voice encryption in an affordable, portable, easy-to-use form. We anticipate that many legitimate users will acquire these and similar devices to protect their confidential information; we worry, however, that such devices will also be used by criminal organizations to shield their illegal enterprises.
As you know, Mr. Chairman, last year the Clinton Administration sought to address both these important issues by announcing the availability of key-escrow encryption (sometimes referred to as the "Clipper Chip"). Key-escrow encryption has two fundamental features. First, it uses an extremely strong algorithm, one 16 million times stronger than the Data Encryption Standard — DES — and so strong that law enforcement can only decrypt it with a key that is unique to each individual key-escrow encryption chip. Second, to assure the public of the privacy afforded by key-escrow encryption, that unique key is split into two components that are held by two independent entities serving as escrow agents. Those two entities may release key components only to government agencies when needed for lawfully authorized interceptions.
As the Administration has made clear on a number of occasions, the key-escrow encryption initiative is a voluntary one; we have absolutely no intention of mandating private use of a particular kind of cryptography, nor of criminalizing the private use of certain kinds of cryptography. We are confident, however, of the quality and strength of key-escrow encryption as embodied in this chip, and we believe it will become increasingly attractive to the private sector as an excellent, easy-to-use method of protecting sensitive personal and business information.
The Clinton Administration has been farsighted in seeing the advent of high-quality, user-friendly encryption products and the implications of such products. It has also been prepared to act early, when markets are still developing and when both consumers and manufacturers are seeking strong, reliable cryptography for use in mass-market products.
We believe, therefore, Mr. Chairman, that, as one major equipment manufacturer has already done, others will respond to their customers' needs for extremely strong encryption by marketing key escrow-equipped products. And as that occurs, we look for a gravitation of the market to key-escrow encryption, based on both a need for interoperability and a recognition of its inherent quality. Even many of those who may desire encryption to mask illicit activities will choose key-escrow encryption because of its availability, its ease of use, and its interoperability with equipment used by legitimate enterprises.
Mr. Chairman, let me speak about the key-escrow system in a bit more detail, beginning with the selection of the two entities that are serving as key escrow agents. In selecting escrow agents, we looked for a number of important qualifications. Among other things, the candidates needed to:
• Be experienced in handling sensitive materials;
• Be familiar with communications and computer issues;
• Be able to respond quickly, and around the clock, when government agencies need to have encryption keys issued to them; and
• Be generally regarded by the public as both reliable and effective.
Especially to get the system up and running, we believed it made sense to look to agencies of the Executive branch. In light of that consideration and the criteria I have just mentioned, the Commerce Department's National Institute of Standards and Technology (NIST) and the Treasury Department's Automated Systems Division appeared to be the two best candidates; and they have been so designated.
NIST, as you are well aware, has long experience in matters relating to protection of sensitive, unclassified information and, indeed, has been pivotal in the development of the key-escrow encryption initiative. Treasury's Automated Systems Division—which is not part of any of the Treasury law enforcement agencies—is a 24-hour a day operation that is well experienced in handling matters of the utmost sensitivity.
As you know, on February 4, 1994, the Administration made a number of announcements regarding encryption policy generally, and key-escrow encryption specifically. Among those announcements were the designation of the escrow agents and the publication of the procedures under which the escrow agents would be permitted to release key components:
• To Federal law enforcement authorities for use in wiretaps under Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Title III);
• To State or local law enforcement authorities for use in wiretaps under state statutes; and
• To Federal agencies for use in wiretaps under the Foreign Intelligence Surveillance Act (FISA).
Let me describe for you the kinds of circumstances under which escrowed key components will be made available to government agencies when needed in conjunction with lawfully authorized wiretaps.
Mr. Chairman, as this Subcommittee well understands, Federal laws clearly lay out the circumstances in which wiretaps may be conducted, consistent with the Constitution. Wiretaps not lawfully authorized are criminal offenses — offenses that we take very seriously. Moreover, as the Subcommittee is aware, Federal law enforcement agencies may conduct wiretaps only for the most serious kinds of offenses and do so only after an extremely careful internal review of the need for, and the propriety of, a wiretap. That review process requires not only careful screening within the particular investigative agency — at both the local and headquarters level — but a thorough evaluation by a supervising prosecutor, usually an Assistant U.S. Attorney in the district in which the wiretap will be conducted. At each of those levels, there is a close review of the proposal to ensure that there is probable cause for the wiretap, that the case justifies use of this important technique, and that alternative techniques are not satisfactory. Finally, no Federal Title III application may proceed without approval at a senior level within the Department of Justice. I would also note that no FISA application may proceed without the approval of the Attorney General.
And, Mr. Chairman, that leads to the most important point which is that, whether for criminal or foreign intelligence purposes, the statutes require court authorization for wiretaps, even in the extremely rare cases in which they have begun under an emergency authorization. In a criminal case, the Government must show probable cause to believe that the telephone targeted is being used in furtherance of a specific serious Federal criminal offense. In a FISA case, the Government must show probable cause to believe that the target of the surveillance is a foreign power or an agent of a foreign power and that the facility or place, such as the telephone, is being used by a foreign power or agent of a foreign power.
When we talk about access to escrowed components, therefore, we are talking about the ability of government agencies — Federal, State, or local — to decrypt communications when they are already lawfully authorized to intercept those communications as part of a wiretap. We are not talking about any change in the protection of the privacy of telecommunications. Nor are we talking about any additional authorization from the courts. The applicable statutes already permit government agencies that are authorized to conduct wiretaps to acquire the content of the intercepted communications and, if necessary, to translate or decode the communications as part of that process.
Let us assume, then, that government agents — DEA, for the sake of argument — are conducting a court-ordered wiretap and encounter unintelligible communications they think may be key-escrow encryption. What do they do? First, they can run the communications — live or on tape — through a so-called decrypt processor. The decrypt processor — a specially programmed and equipped personal computer — can tell the agents whether key-escrow encryption is being used and, if so, the unique ID number of the particular chip. This last point is critical, of course, because each chip has its own truly unique key; without knowing the ID number of the chip, the law enforcement agency cannot determine which key components to request.
Armed, however, with that information, they can submit a key component request to the two escrow agents, NIST and Treasury. In that request, they'll be required, among other things, to:
(1) Identify themselves and the agency they're with;
(2) Certify that they're conducting a lawful wiretap;
(3) Specify the source of the wiretap authority and its termination date; and
(4) Provide the chip ID number.
To provide greater reassurance, the certification by the DEA agents must be followed by a communication from a Federal government attorney associated with the matter, confirming that a wiretap has been lawfully authorized.
When the escrow agents receive a properly submitted request, they transmit their respective key components to the requesting agency; the components are combined within the decrypt processor which, only then, is able to decrypt communications using the particular chip. At the end of the authorized wiretap period, the decrypt processor's ability to decrypt communications using that particular chip will likewise terminate, and the escrow agents are to be so informed.
Those, in skeletal form, are the procedures for release of key components to Federal law enforcement agencies for criminal wiretaps. Similar procedures will apply to the release of key components for use in wiretaps authorized under State statutes. The most notable difference is that, for release to State or local law enforcement agencies, the request must come from the principal prosecuting attorney of the State or political subdivision involved — normally, the State Attorney General or the District Attorney of the particular county. Finally, in the case of wiretaps under FISA, the request will be made by a Federal agency and will be subject to follow-up confirmation by the Department's Office of Intelligence Policy and Review.
The Administration recognizes that public confidence in this system is of paramount concern. The persons at NIST and Treasury who are responsible for the maintenance and, when appropriate, the release of key components are extremely serious about ensuring that they release key components only under proper circumstances. Meticulous procedures for the programming of the chips, and for the storage and handling of the keys, are being developed and refined. Even for tests of the system—decrypting communications over government-owned devices—there will be a full simulation of the request and release process.
The transactions of the escrow agents will be logged and recorded electronically, permitting subsequent review and audit. In addition, the Department of Justice will be responsible for ascertaining that the requesting agencies fully comply with the procedures at the various stages of the process. We will also reflect, in the respective reports to the Congress regarding wiretaps under Title III and FISA, those wiretaps in which key-escrow encryption was encountered and for which key components were released to a government agency.
Mr. Chairman, we have worked to develop procedures that strike the right balance between the rigorous protection of the privacy of communications and the need, in critical moments, to be able to decrypt such communications in order to protect lives and preserve the public safety. Through a combination of procedural requirements, technical safeguards, and audit capabilities, we believe that these procedures will assure the integrity of the key-escrow encryption system without frustrating the ability of government agencies to understand encrypted communications in the course of lawful wiretaps.
I have appreciated the opportunity to discuss with you this very important issue, and I shall be happy to try to answer any questions the Subcommittee may have.
Senator Leahy. Thank you. I have a number of other questions for the record, but Senator Murray has joined us. She is proposing legislation on this, and before we go to Mr. Kammer, I didn't know, Senator, whether you had any questions you wanted to ask of Ms. Harris.
STATEMENT OF SENATOR PATTY MURRAY
Senator Murray. Well, thank you, Mr. Chairman. I will reserve my time to ask questions later. I do have an opening statement I will submit for the record. I very much appreciate your having this hearing and asking me to join you here today. This is an especially important topic in my State, where high technology is the key to our economic future and, really, the Clipper Chip proposal has had a chilling effect on a number of innovations that are coming along.
I have a number of questions that the chairman has asked that I think have not been satisfactorily answered. I believe that technology is going to be way ahead of where we are. I am very concerned that we are investing a great deal of time and energy and commitment into a Clipper Chip proposal, while our technology has moved way past that and it will be outdated within a very short time.
So, I will pass on questions at this time and will be here to hear the rest of the testimony. Thank you.
Senator Leahy. Thank you.
[The prepared statement of Senator Patty Murray follows:]
Prepared Statement of Senator Patty Murray
Chairman Leahy, I appreciate the invitation to join you today for this important hearing.
Over the last decade, high technology and software manufacturing have become a strong force in Washington state's economy. Growth in this sector has helped offset job losses in aircraft manufacturing. Exports are an increasingly critical part of our software production, helping to cushion downturns in our domestic economy.
That is why the Administration's Clipper Chip proposal has had a chilling effect on software manufacturers in my state. For years, companies like Microsoft have struggled with burdensome, expensive and often anti-competitive U.S. export controls on encrypted software. Now, the Federal Government wants to dictate to companies what they can sell here at home, too.
High technology is key to our economic future. Cold War export controls are a thing of the past.
I have heard the arguments on all sides. On a laptop in my office in the Hart building, I have had DES encrypted software downloaded from Austria on the Internet. In January of this year, the Software Publishers Association found 210 foreign encryption products from 21 countries of which 129 use the Data Encryption Standard.
When I go with my teenagers to Egghead Software I read the "For Sale Only in the U.S." on Windows programs anyone can buy and pack in a suitcase. We cannot keep the genie in the bottle. The genie left a good long while ago, and Federal efforts to put the genie back in the bottle will be futile.
As the Acting Undersecretary of Commerce wrote to Banking Committee Chairman Riegle a few weeks ago: "At a time when product life cycles for high tech items last no longer than one or two years, the existing statute (the Export Administration Act) inhibits the long term market potential for U.S. industry." That is why I believe legislation I introduced with Senator Bennett in February, S. 1846, is the correct way to go on the export problem. My bill would retain controls on exports of generally available encrypted software for intelligence or military use, but not for commercial use.
I look forward to today's testimony.
Senator Leahy. Mr. Kammer, it is all yours. Go ahead, and then we will go back to further questions.
STATEMENT OF RAYMOND G. KAMMER
Mr. Kammer. Perhaps I could make three points and then go to the demonstration. First of all, the escrowed encryption standard is voluntary. It is not mandatory. It is voluntary for use both by government and by the private sector. Secondly — this is for the record because of some public discussion of this — there is no trap door in the escrow encryption standard. And then the third point is the U.S. Government needs encryption for civil privacy application—census data, the IRS, and the like.
Because the U.S. Government will ultimately buy a lot of whatever it selects, the price will presumably go down. Also, because people will have reasons to have conversations with the government perhaps in an encrypted environment, that will tend also to influence the marketplace. It seems to me that it is important that the government, to the extent it is influencing the marketplace, influence the marketplace in a way that does not harm law enforcement, and this standard does that.
Those are my three points. If you would like, I will go to a demonstration.
Senator Leahy. Would you, please?
Mr. Kammer. Sure. This is the TSD 3600 you have, Mr. Chairman, by you, and what I intend to do is phone you from here and then engage the TSD 3600, which has in it a Clipper Chip. What will happen is there will be an initial sort of negotiation between this device and the device there that will take about four seconds, and they are negotiating what is called a session key, which is a unique key that will engage the algorithm in the chip for our conversation, after which we will be able to have a conversation.
In addition, I have brought a tape recording of what people would hear if they intercepted because there wasn't any convenient way to set it up here.
Senator Leahy. Sure.
Mr. Kammer. So, with that, I will dial in.
Senator Leahy. My God, it worked. I take back everything I said. [Laughter.]
Mr. Kammer. We are now engaged in a normal encrypted conversation.
Senator Leahy. I can hear it.
Mr. Kammer. I will now engage the encryption. All you need to do is watch. At this point, the two devices are negotiating a session key. As I said before, it takes about four seconds. There is now emerged a session number which should be the same number for each of us, sir, which is FB 57.
Senator Leahy. Interestingly enough, there is a slight delay, a fraction of a second delay, of the voices going back and forth. The only way I am aware of that is I can hear you in one ear, your actual voice, and hear you in here. But, obviously, it is being slowed down by about a quarter of a second.
Mr. Kammer. Yes, sir. The quality of the voice, however — if we weren't in the same place, it would be a little less irritating. You can perceive the lag even if we were in remote locations, but the quality of the voice is actually quite good, in my opinion.
Senator Leahy. Yes, it is very good, not like the old-fashioned scrambled phones.
Mr. Kammer. With that, I have cleared, and if you hit "clear" on your end, then we can just hang up. If there were now some person who was intercepting that conversation, or some other, it would sound as this will once I get it going.
[There follows a transcription of an audio tape:]
This recording is designed to demonstrate the ability of the TSD 3600, equipped with Clipper technology, to secure voice communications. I have been talking over a telephone with a TSD 3600 in the clear mode. I will now initiate the secure mode.
Senator Leahy. That was the identifying number.
Mr. Kammer. That is right. That was the preamble where they were negotiating a session key, and then that static sound is the white noise that people would hear.
Senator Leahy. Now, has the Department of Justice bought these?
Mr. Kammer. They have purchased 9,000 devices at this point.
Senator Leahy. Is that going to replace the old STU phones?
Mr. Kammer. The application that this is cleared for at this time is for civil data, not classified data. The STU's, as you know, are for classified data.
Senator Leahy. Has anybody outside the government bought any of these devices with the Clipper Chip in it?
Mr. Kammer. At this point, they are just coming on the market and if there are any deployed, it would be a negligible number at this point.
Senator Leahy. And if I had this on my phone and you did not have it on yours, I can still call you just in the clear?
Mr. Kammer. No problem; normal communications.
Senator Leahy. But if I hit my red button, you are going to hear a beep and a clunk?
Mr. Kammer. Well, it won't find anybody to negotiate with, so it will just sort of sit there and dither. [Laughter.]
Senator Leahy. Heck, I am used to that. [Laughter.]
[The prepared statement of Raymond G. Kammer follows:]
Prepared Statement of Raymond G. Kammer
Introduction
Good morning. My name is Raymond G. Kammer, Deputy Director of the Commerce Department's National Institute of Standards and Technology (NIST). Thank you for inviting me here today to testify on the Administration's key escrow encryption initiative. The Computer Security Act of 1987 assigns NIST responsibility for the development of standards for protecting unclassified government computer systems, except those commonly known as "Warner Amendment systems" (as defined in Title 10 U.S.C. 2315).
In response to the topics in which the Committee expressed an interest, I would like to focus my remarks on the following:
(1) The principal encryption policy issue confronting us,
(2) The importance of encryption technology,
(3) How voluntary key escrow encryption technically works and how it ensures privacy and confidentiality,
(4) Alternatives to the voluntary key escrow initiative,
(5) Critical components of the Administration's policy on encryption technology,
(6) Recent initiative to modify Secure Hash Standard, and
(7) The effectiveness of the Computer Security Act of 1987.
1. THE PRINCIPAL ENCRYPTION POLICY ISSUE
First, I would like to broadly outline an important public policy and societal issue confronting us today regarding unclassified government and commercial cryptography. In developing cryptographic standards, one can not avoid two often competing interests. On the one hand are the needs of users — corporate, government, and individual — in protecting telecommunications transmissions of sensitive information. Cryptography can be used for excellent information protection. On the other hand are the interests of the national security and law enforcement communities in being able to monitor electronic communications. In particular, I am focusing upon their need for continued ability to keep our society safe from crime and our nation secure.
Rapid advances in digital telecommunications have brought this issue to a head. Some experts have stated that, within ten years, most digital telecommunications will be encrypted. Unless we address this issue expeditiously, law enforcement will lose an important tool in fighting crime — the ability to wiretap — and the mission of our Intelligence Community will be made more difficult. The Committee is undoubtedly aware of the benefits such intelligence brings to the nation. This matter raises broad societal issues of significant importance. I have personally been involved in many meetings of a philosophical and wide-ranging nature to discuss this dilemma.
Four broad conceptual alternatives emerged:
• Seek a legislative mandate criminalizing the use of unauthorized cryptography.
• Seek wide adoption of an encryption method with an unannounced "trap door." This was never seriously considered.
• Seek wide voluntary adoption of a technology incorporating a secure "key escrow" scheme.
• Allow technology to evolve without government intervention; in effect, do nothing.
None of these options satisfies all interested parties fully. I doubt such a solution even exists, but the Administration has chosen the voluntary key escrow technology approach as the most desirable alternative for protecting voice communications without impairing the ability of law enforcement agencies to continue to conduct wiretaps. For data communication the long-standing Data Encryption Standard has recently been recertified for use.
It is interesting to note that other countries have faced this same issue and chosen different solutions. France, for example, outlaws the use of unregistered cryptographic devices within its borders.
2. THE IMPORTANCE OF ENCRYPTION TECHNOLOGY
Encryption provides one of the best ways to guarantee information integrity and obtain cost-effective information confidentiality. Encryption transforms intelligible information into an unintelligible form. This is accomplished by using a mathematical algorithm and a "key" (or keys) to manipulate the data in a complex manner. The resulting enciphered data can then be transmitted without fear of disclosure, provided, of course, that the implementation is secure and the mathematical-based algorithm is sound. The original information can then be understood through a decryption process. As I shall discuss, knowledge of the particular key utilized for a particular encryption of information (or, in the case of asymmetric cryptography, knowledge of the associated key of the key pair) allows decryption of the information. For this reason, such keys are highly protected.
Uses of cryptography
Encryption can be used in many applications for assuring integrity and confidentiality, or both. It can be used to protect the integrity and/or confidentiality of phone calls, computer files, electronic mail, electronic medical records, tax records, corporate proprietary data, credit records, fax transmissions and many other types of electronic information. It is expected that cryptographic technologies will be used on a voluntary basis in the protection of information and services provided via the National Information Infrastructure.
Encryption used with these and other types of information protects the individual privacy of our citizens including, for example, their records and transactions with government agencies and financial institutions. Private sector organizations can also benefit from encryption by securing their product development and marketing plans, for example. It also can protect against industrial espionage by making computers more secure against unauthorized break-ins and, if data is encrypted, making it useless for those without the necessary key.
The government has long used cryptography for the protection of its information — from that involving highly classified defense and foreign relations activities to unclassified records, such as those protected under the Privacy Act. My point here is not to list all potential applications and benefits but to give you a feel for the innumerable applications and benefits which encryption, when securely implemented, can provide.
Hazards of cryptography
Counterbalanced against its benefits, encryption also can present many substantial drawbacks — to both the government and other users. First and foremost, encryption can frustrate legally authorized criminal investigations by the federal, state, and local law enforcement agencies. As their representatives can better explain, lawful electronic surveillance has proven to be of the utmost benefit in both investigating and prosecuting serious criminal activity, including violent crime. Cryptographic technologies can also seriously harm our national security and intelligence capabilities. As I shall discuss, the Administration recognizes that the consequences of wide-spread, high quality encryption upon law enforcement and national security are considerable.
Encryption may also prove a potential hazard to other users, such as private sector firms, particularly as we move into the Information Age. Private firms, too, are concerned about the misuses of cryptography by their employees. For example, a rogue employee may encrypt files and offer the "key" for ransom. This is often referred to as the "data hostage" issue. Keys can also be lost or forgotten, resulting in the unavailability of data. Additionally, users of encryption may gain a false sense of security by using poorly designed or implemented encryption. To protect against such hazards, some corporations have expressed interest in a "corporate" key escrowing capability to minimize harm to their organizations from internal misuse of cryptography. As security experts point out, such a false sense of security can be worse than if no security measures were taken at all. Encryption is not a "cure-all" to all security problems.
Let me now turn to the details of the Administration's key escrow encryption initiative.
3. VOLUNTARY KEY ESCROW ENCRYPTION INITIATIVE
Goals of the voluntary key escrow encryption initiative
I will begin my remarks about the government-developed key escrow encryption chips (referred to as "chips" herein) by discussing the goals that we were trying to achieve in developing this technology for application to voice-grade communication.
At the outset, we sought to develop a technology which provides very strong protection for government information requiring confidentiality protection. Much of the sensitive information which the government holds, processes, and transmits is personal and requires strong protection. Tax records and census data are two such examples. We sought nothing less than excellent protection for government communications. In order to allow agencies to easily take advantage of this technology, its voluntary use (in Federal Information Processing Standards (FIPS) 185) to protect telephone communications has been approved by the Secretary of Commerce.
The chips implementing FIPS 185 efficiently support applications within its scope. They far exceed the speed requirements of commercial modems existing today or envisioned for the near future.
In addition to the need for strong information protection, the increasingly digitized nature of advanced telecommunications is expected to significantly hamper the ability of domestic law enforcement to carry out lawfully authorized wiretapping. Their problem has two dimensions.
First, the design and complexity of the nation's telecommunications networks makes locating those communications which can be lawfully tapped very difficult. This is the digital telephony issue, which my law enforcement colleague will discuss today.
Second, the proliferation of encryption is expected to make law enforcement's tasks more difficult. If a telephone conversation is encrypted, resources must be expended for decryption, where feasible. Such expenditures and technical capabilities are normally far outside the ability of local law enforcement organizations and could be quite significant at the federal level. In seeking to make available a strong encryption technology, we have sought to take into account the needs of the law enforcement community. For example, one of the reasons that the SKIPJACK algorithm, the formula on which the key escrow chip is based, is being kept classified is that its release would make their job much harder were it to be used to hide criminal activity.
Misconceptions concerning the purpose of the voluntary key escrow encryption initiative
A number of those opposed to this Administration initiative have expressed doubt about whether the key escrow encryption initiative can do anything to solve this nation's crime problem. Of course, this initiative cannot by itself do so. The basic intent of the program is the provision of sound security, without adversely affecting other government interests, including, when necessary, the protection of society through lawfully authorized electronic surveillance.
The voluntary key escrow encryption initiative, first and foremost, was devised to provide solid, first-rate cryptographic security for the protection of information held by the government when government agencies decide such protection is needed for unclassified government communications — for example, tax, social security and proprietary information (The Escrowed Encryption Standard (FIPS 185) allows federal agencies to use this technology for protection of telephone communications.) This was done, in part, with the realization that the current government cryptographic technique, the Data Encryption Standard (which was recently re-approved) is over fifteen years old; while DES is still sound, its usefulness will not continue indefinitely. We also recognized that were we to disclose an even stronger algorithm (with the government's "seal of approval"), it could be misused to hamper lawful investigations, particularly electronic surveillance.
In approving this initiative, we felt it important that protective measures be taken to prevent its misuse — a safety catch, if you will. This will help assure that this powerful technology is not misused if adopted and used voluntarily by others. Our method of providing this safety mechanism relies upon escrowing cryptographic key components so that, if the technology is misused, lawful investigations will not be thwarted. Additionally, the algorithm (SKIPJACK) will remain classified so that its only uses will be consistent with our safety mechanism, key escrowing. I think it is fair to say that use of this powerful algorithm without key escrowing could pose a serious threat to our public safety and our national security.
Key escrow encryption technology
The National Security Agency, in consultation with NIST and the federal law enforcement community, undertook to apply voluntary key escrow encryption technology to voice-grade communications. The product of this effort was announced in the April 16, 1993 White House release concerning the key escrow encryption chip. I note that we have chosen to discontinue use of the term "Clipper Chip" to avoid potential confusion with products and services with similar names.
The state-of-the-art microcircuit, the key escrow encryption chip, can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm more powerful than many in commercial use today. The SKIPJACK algorithm, with an 80-bit long cryptographic key, is approximately 16 million times stronger than DES. For the record, I will restate my earlier public statements that there is no trapdoor in the algorithm.
Each key escrow encryption chip has two basic functions. The first is an encryption function, which is accomplished by the SKIPJACK algorithm, developed and rigorously tested by NSA. The second function is a law enforcement access method. I will discuss each briefly.
The SKIPJACK algorithm is a symmetric algorithm (as opposed to "public-key" algorithms). Basically, this means that the same cryptographic key (the session key) is used for both encryption and decryption. The algorithm is so strong that the Department of Defense will evaluate it for use in protecting selected classified applications.
The second basic function of the chip is the provision for law enforcement access under lawful authorization. To do so, each chip is programmed with three values: a cryptographic family key, a device unique key, and a serial number. (The device unique key is split into two key components which are then encrypted and are provided to the two current escrow agents, NIST and the Automated Systems Division of the Department of the Treasury, for secure storage.) These three values are used in conjunction with the session key (which itself encrypts the message) in the creation of the law enforcement access field. When law enforcement has obtained lawful authorization for electronic surveillance, the serial number can be obtained electronically. Law enforcement can then take the serial number and a certification of their legal authorization to the two escrow agents. (Detailed procedures for the release of these key components were issued by the Department of Justice in early February.) After these certifications are received, the encrypted components will be transmitted by escrow agent officials for combination in the decrypt-processor.
After decryption of the key components within the decrypt processor, the two key components are then mathematically combined, yielding the device unique key. This key is used to obtain another key, the session key, which is used to decrypt and understand the message. This device unique key may be used by law enforcement only for the decryption of communications obtained during the applicable period of time of the lawful electronic surveillance authorization. It can also only be used to decrypt communications transmitted or received by the device in question.
Security and privacy using key escrow encryption
When the Administration announced the voluntary key escrow encryption initiative, we anticipated that questions would be raised about the strength and integrity of the SKIPJACK algorithm, which is at the heart of the system. We assured the public that we knew of no weakness in the algorithm and that there was not an undisclosed point of entry, commonly referred to as a trapdoor. The algorithm was designed by cryptographic experts at the National Security Agency and withstood a rigorous testing and analysis process.
As a further way to indicate the fundamental strength of SKIPJACK, we invited a group of independent experts in cryptography to review the algorithm, under appropriate security conditions, and make their results publicly known, again, consistent with the classified nature of the algorithm. This group consisted of Ernest Brickell (Sandia National Laboratories), Dorothy Denning (Georgetown University), Stephen Kent (BBN Communications Corp.), David Maher (AT&T) and Walter Tuchman (Amperif Corp.). These experts reported that:
• Under an assumption that the cost of processing power is halved every eighteen months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive search will be equal to the cost of breaking DES today;
and
• There is no significant risk that SKIPJACK can be broken through a shortcut method of attack.
Let me also repeat the reasons why the algorithm must remain classified. First, we believe it would be irresponsible to publish the technical details. This would be tantamount to handing over this strong algorithm to those who may use it to hide criminal activity. Publishing the algorithm may also reveal some of the classified design techniques that NSA uses to design military-strength technology. It would also allow devices to be built without the key escrowing feature, again allowing criminals to take advantage of the strength of this very powerful technology without any safeguard for society.
With regard to privacy, key escrow encryption can, of course, be used to protect personal information contained in telephone communications. Moreover, the voluntary key escrow encryption initiative does not expand the government's authority for the conduct of electronic surveillance, as my colleague from the Federal Bureau of Investigation will discuss. It is important to understand that the escrow agents will not track the devices by individual owners; they will simply maintain a database of chip ID numbers and associated chip unique key components (which themselves are encrypted).
4. ALTERNATIVES TO THE VOLUNTARY KEY ESCROW INITIATIVE
In reaction to industry's concerns about our hardware-only implementation of key escrow encryption, we announced an opportunity for industry to work with us on developing secure software-based key escrow encryption. Unfortunately, initial industry interest was minimal; our offer, however, remains open. We are also willing to work on hardware alternatives to key escrowing as we emphasized in our recent announcements.
The Administration has been seeking to meet with members of the computer, software, and telecommunications industries to discuss the importance of this matter. We are open to other approaches.
5. KEY GOVERNMENT POLICIES ON UNCLASSIFIED/COMMERCIAL ENCRYPTION
Encryption is an important tool to protect privacy and confidentiality
As I discussed earlier, encryption is powerful technology that can protect the confidentiality of data and the privacy of individuals. The government will continue to rely on this technology to protect its secrets as well as the personal and proprietary data it maintains. Use of encryption by federal agencies is encouraged when it cost-effectively meets their security requirements.
No legislation restricting domestic use of cryptography
Early in the policy review process, we stated that the Administration would not be seeking legislation to restrict the use, manufacture, or sale of encryption products in the U.S. This was a fear that was expressed in the public comments we received, and one that continues, despite our repeated assertions to the contrary. Let me be clear — this Administration does not seek legislation to prohibit or in any way restrict the domestic use of cryptography.
Export controls on encryption are necessary but administrative procedures can be streamlined
Encryption use worldwide affects our national security. While this matter cannot be discussed in detail publicly without harm to this nation's intelligence sources and methods, I can point to the Vice President's public statement that encryption has "huge strategic value." The Vice President's description of the critical importance of encryption is important to bear in mind as we discuss these issues today.
In recent months, the Administration has dramatically relaxed export controls on computer and telecommunications equipment. However, we have retained export controls on encryption technology, in both hardware and software. These controls strongly promote our national security. These export controls include mass market software implementing the Data Encryption Standard. The Administration determined, however, that there are a number of reforms the government can implement to reduce the burden of these controls on U.S. industry.
These reforms are part of the Administration's goal to eliminate unnecessary controls and ensure efficient implementation of those controls that must remain. For example, fewer licenses will be required by exporters since manufacturers will be able to ship their approved products from the U.S. directly to customers within approved regions without obtaining individual licenses for each end user. Additionally, the State Department has set a license review turnaround goal of two working days for most applications. Moreover, the State Department will no longer require that U.S. citizens obtain an export license prior to taking encryption products out of the U.S. temporarily for their own personal use. Lastly, after a one-time initial technical review, key escrow encryption products may now be exported to most end users. These reforms should help to minimize the effect of export controls on U.S. industry.
The government requires a mechanism to deal with continuing encryption policy issues
In recognition of this, the Interagency Working Group on Encryption and Telecommunications was formed in recognition of the possibility that the economic significance of our current encryption policy could change. The Working Group has been assigned to monitor changes in the balance that the President has struck with these policy decisions and to recommend changes in policy as circumstances warrant. The Working Group will work with industry on technologies like the key escrow encryption chip and in the development and evaluation of possible alternatives to the chip.
The group is co-chaired by the White House Office of Science and Technology Policy and the National Security Council. It includes representatives from all departments and agencies which participated in the policy review and others as appropriate, and keeps the Information Policy Committee of the Information Infrastructure Task Force apprised of its activities.
Flexibility on encryption approaches
From the time of the initial White House announcement of this technology, we have stated that this key escrow encryption technology provides:
(1) Exceptionally strong protection and
(2) A feature to protect society against those that would seek to misuse it.
I have personally expressed our flexibility in seeking solutions to these difficult issues. We have offered to work with industry in developing alternative software and hardware approaches to key escrowing. We actively seek additional solutions to these difficult problems.
We also stand willing to assist the Congressionally-directed study of these issues by the National Research Council.
Use of EES is voluntary and limited to telephone systems
The Escrowed Encryption Standard, which was approved on February 3, 1994, is a voluntary standard for use both within and outside of the federal government. It is applicable for protecting telephone communications, including voice, fax and modem. No decisions have been made about applying key escrow encryption technology to computer-to-computer communications (e.g., e-mail) for the federal government.
Government standards should not harm law enforcement / national security
This is fairly straightforward, but can be difficult to achieve. In setting standards, the interests of all the components of the government should be taken into account. In the case of encryption, this means not only the user community, but also the law enforcement and national security communities, particularly since standards setting activities can have long-term impacts (which, unfortunately, can sometimes be hard to forecast).
6. SECURE HASH STANDARD
As the Committee may be aware, NIST has recently initiated the process to issue a technical modification to Federal Information Processing Standard 180, the Secure Hash Standard. The Secure Hash Standard uses a cryptographic-type algorithm to produce a short hash value (also known as a "representation" or "message digest") of a longer message or file. This hash value is calculated such that any change to the file or message being hashed, will, to a very high degree of probability, change the hash value. This standard can be used alone to protect the integrity of data files against inadvertent modification. When used in conjunction with a digital signature, it can be used to detect any unauthorized modification to data.
Our intent to modify the standard was announced by NIST after the National Security Agency informed me that their mathematicians had discovered a previously unknown weakness in the algorithm. This meant that the standard, while still very strong, was not as robust as we had originally intended. This correction will return the standard to its intended level of strength.
I think this announcement illustrates two useful issues with regard to cryptographic-based standards. First, developing sound cryptographic technology is very difficult. This is also seen with commercial algorithms, including those used for hashing and encryption. Secondly, this incident demonstrates the commitment of NIST, with NSA's technical assistance, to promulgating sound security standards. In this case, a weakness was found, and is being quickly corrected.
7. EFFECTIVENESS OF THE COMPUTER SECURITY ACT OF 1987
Lastly, as requested in your invitation to appear here today, let me briefly address the effectiveness of the Computer Security Act of 1987 (P.L. 100-235). I will first briefly comment on what we learned about the state of computer security in the federal government during our agency visit process and then turn to cryptographic-specific issues.
As part of our efforts to increase awareness of the need for computer security, during 1991-1992, officials from OMB, NIST and NSA visited 28 federal departments and agencies. Each visit was designed to increase senior managers' awareness of security issues and to motivate them to improve security. I believe that what we learned during those visits remains valid — and indicates that we still need to focus on basic computer security issues in the government.
Specifically, OMB, NIST, and NSA proposed the following steps to improve security:
• Focus management attention on computer security.
• Improve planning for security.
• Update security awareness and training programs.
• Improve contingency planning and incident response capabilities.
• Improve communication of useful security techniques.
• Assess security vulnerabilities in emerging information technologies.
Actions are being taken by NIST and other agencies to address each of these areas. The background and discussion of the need for these measures is discussed in the summary report prepared by OMB on "Observations of Agency Computer Security Practices and Implementation of OMB Bulletin No. 90-08" (February 1993). In short, the Computer Security Act provides an appropriate framework for agencies to continue improving the security of their automated systems — but much work remains to be done, by NIST and individual federal agencies.
One of the questions that the Committee was interested in was whether there is a need to modify this legislation in response to the same advancements in technology that led to the key escrow initiative and digital telephony proposal. First, I would observe that the Act, as a broad framework, is not tied to a specific technology. I think it would be unworkable if the Act were to address specific computer technologies, since this is a rapidly evolving field. Also, I would note that the Act does not address digital telephony concerns — the Administration is proposing separate legislation in that area. In short, no modifications to the Act are necessary because of technology advances.
Before leaving the subject of the Computer Security Act, however, let me briefly comment on the Escrowed Encryption Standard. I strongly believe that NIST and NSA have complied with the spirit and intent of the Act. At the same time, this issue underscores the complex issues which arise in the course of developing computer security standards, particularly cryptographic-based standards for unclassified systems.
The Act, as you are aware, authorizes NIST to draw upon computer security guidelines developed by NSA to the extent that NIST determines they are consistent with the requirements for protecting sensitive information in federal computer systems. In the area of cryptography, we believe that federal agencies have valid requirements for access to strong encryption (and other cryptographic-related standards) for the protection of their information. We were also aware of other requirements of the law enforcement and national security community. Since NSA is considered to have the world's foremost cryptographic capabilities, it only makes sense (from both a technological and economic point of view) to draw upon their guidelines and skills as useful inputs to the development of standards. The use of NSA-designed and -tested algorithms is fully consistent with the Act. We also work jointly with NSA in many other areas, including the development of criteria for the security evaluation of computer systems. They have had more experience than anyone else in such evaluations. As in the case of cryptography, this is an area in which NIST can benefit from NSA's expertise.
Summary
Key escrow encryption can help protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted telephonically. Key escrow encryption is available as a valuable tool for protecting federal agencies' critical information communicated by telephone. At the same time, this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.
Encryption technology will play an increasingly important security role in future computer applications. Its use for security must be balanced with the need to protect all Americans from those who break the law.
Thank you, Mr. Chairman. I would be pleased to answer your questions.
Raymond G. Kammer is the Deputy Director of NIST. He is responsible for the day to day operation of the Institute as well as long-range planning and policy development. NIST is the only Federal laboratory explicitly charged with providing technical research and services to enhance U.S. industrial competitiveness. NIST provides support for industry's development of precompetitive generic technologies and diffusing technological advances to users in all segments of the economy. In addition, NIST provides the measurements, calibrations, and quality assurance techniques which underpin U.S. commerce, technological progress, improved product reliability and manufacturing processes, and public safety. NIST carries out many of these efforts in partnership with industry and government.
A graduate of the University of Maryland, Kammer joined NIST in 1969 as a program analyst. Over the following decade he served the agency and the U.S. Department of Commerce in a succession of offices concerned with budgetary and program analysis; planning; and personnel management. In 1980, Mr. Kammer was appointed Deputy Director of NIST. He also has served as Acting Director of NIST, Acting Director of the National Measurement Laboratory, and Acting Director of the Advanced Technology Program.
In 1991, Kammer was named the Deputy Under Secretary for Oceans and Atmosphere, NOAA, Department of Commerce. While in that position, he served as NOAA's Chief Operating Officer and was responsible for overseeing the day-to-day operation of NOAA's five major line offices. In 1993, Kammer returned to NIST as Deputy Director.
In addition, Kammer has chaired several important evaluation committees for the Department of Commerce, including reviews of satellite systems for weather monitoring and the U.S. LANDSAT program, and the next generation of weather radars used by the U.S. government. He also served a three-year term on the Board of Directors of ASTM, a major international government for the development of voluntary standards for materials, products, systems, and services.
His awards include both the Gold and Silver medals of the Department of Commerce, the William A. Jump Award for Exceptional Achievement in Public Administration, the Federal Government Meritorious Executive Award, and the Roger W. Jones Award for Executive Leadership.
Senator Leahy. You are working with industry, as I understand it, to improve on the key escrow chips, to develop key escrow software, and to examine alternatives to Clipper Chip. What are the improvements and alternatives to Clipper Chip that NIST is considering, or have I overstated the situation?
Mr. Kammer. We are in active collaboration with four private sector entities that responded to a public advertisement that we made, and the intent was to have discussions both on hardware improvements and software. In the case of the hardware improvements, what people are interested in is can the algorithm be incorporated on some other chip that is already in a communications device, for instance, thereby reducing the power requirements.
The full name of the game in communications is you want to be portable, you want to be light, you want to take no power at all, ideally, or very little power. To incorporate the clipper hardware on a portable telephone, for instance, it uses enough power now to be irritating to the manufacturers. They don't think it is very attractive until we can reduce the power.
In terms of the software, we would like to see if we can find a concept, and we have not yet, where we would be able to preserve law enforcement and still encrypt in a software mode rather than a hardware mode. Intellectually, that is a very formidable idea. If you could ever think of a way of doing it, you would have the best of all worlds, in that you use no power when you use software and, of course, it doesn't weigh anything, so that would be very desirable.
Those discussions have been — the group that has been undertaking this has been meeting biweekly since last — bimonthly — I am sorry — since last December working on these issues.
Senator Leahy. There is no way to get in on the conversation you and I had? There would be no way for somebody to put a device like this on the line between the two of us and pick it up, or is there?
Mr. Kammer. Yes, sir, there would be, with considerable effort. I mean, they would have to know which line it was going to pass through, which is a very formidable problem in itself, but let us say somehow people have
Senator Leahy. Well, let us say you are calling me from Chicago and I am in Vermont, but they know what office you are going to call from.
Mr. Kammer. Right, so they would put it on a wire.
Senator Leahy. So they would have to be within a few feet of where you are. Can they do that?
Mr. Kammer. Then what would happen is you would not get the indication that it was secure. The negotiation would say "retry" instead of "secure."
Senator Leahy. It would pick up the fact that there is something in the way of the connection?
Mr. Kammer. It would know that there was what we call a man in the middle. It would know that there is such an individual there. If I went to that much trouble, probably what I would rather do is just put a microphone under your desk.
Senator Leahy. Well, that was going to be my next question.
The National Research Council of the National Academy of Sciences is doing a 2-year study of shortcomings in how national encryption policy is made, and Clipper Chip, and so on. Is there any reason why the administration couldn't wait to implement its Key Escrow Encryption System until after we got this study?
Mr. Kammer. The urgency from our point of view was that products like the TSD 3600 were coming into the marketplace, and what drove us was indeed that happening and the possibility — and this can still happen, but the technology would just whirl ahead of us and we would wake up one morning — suddenly there were fax machines everywhere, you know, and maybe suddenly there was the TSD 3600 with an algorithm in it that was very vexing to law enforcement, and that could still happen. I mean, Clipper is voluntary. People could pick something else, and they may.
Senator Leahy. Well, suppose they don't pick Clipper Chip. Are we going to stop the use of it?
Mr. Kammer. No, sir. We still have a substantial influence on the marketplace just because of price and because of the convenience of communicating with the government. Additionally, the experts in this field, I think, tend to underestimate the formidable task of most normal people setting up their own personal encryption net. It is not a trivial thing to do.
Indeed, many people use good algorithms and set the net up so poorly that they are exploitable because of the defects in how they set it up. In a nation where most people can't program their own VCR's, I mean this is something to think about.
Senator Leahy. Senator Murray points out it is OK because our kids can. There is an 8-year-old girl who lives across the street and we call her over to set the thing up and she takes care of it for us. [Laughter.]
Are foreign governments going to permit the use of Clipper Chip or Capstone overseas?
Mr. Kammer. We have started some discussions with foreign governments. It is an interesting problem. Most of the Western European countries actually have laws on the books, in many cases since the 1920's, that allow them to regulate all use of encryption. Some countries are rather active in their enforcement of these laws, some are rather lax, but the laws exist on the books.
Senator Leahy. If we are setting an industry standard, what do you do if some of the major countries, especially those that have major commercial interests with us, say no, or we will let you use it, but only if we have the keys?
Mr. Kammer. That is all a negotiation to take place.
Senator Leahy. Is any of it taking place now?
Mr. Kammer. There have been some initial discussions with selected governments. It may be that Admiral McConnell would have more to share with you in the following session.
Senator Leahy. Now, I understand that software is available that could be used with Clipper to bypass the key escrow feature. A sender of information can first encrypt the information with software using DES or RSA algorithms, then transmit that information double-encrypted with Clipper. So, in other words, even if you decrypt Clipper, what you do is you peel the onion off and underneath it is still an onion, an encrypted one. Doesn't that defeat you?
Mr. Kammer. You are exactly correct, and indeed that would confound our intent. However, you had to go through a couple of troublesome steps here and to the extent that you have done it successfully, we are confounded. Most people probably won't go to that much trouble, experience suggests, or won't do it successfully, experience suggests.
Senator Leahy. Is the administration considering outlawing all other encryption methods?
Mr. Kammer. We took as one of our assignments during the presidentially instructed review to consider that and we rejected it. We think that mandatory regulation in this area would be an inappropriate approach for our society.
Senator Leahy. Last year when you testified before Representative Markey's subcommittee, you were asked if foreign companies would purchase Clipper Chip and you replied, "I think under the current circumstances, probably if I were running a foreign company, that would be a decision I would not make." Do you still feel that way?
Mr. Kammer. I have been surprised. In conversations with a lot of the multinational companies, what they seem to assign a very high priority to is something they can use everywhere. They are substantially less concerned about the ability of our government, at least, to access their information. They have expressed concerns about what they view as the practice of some other governments of intercepting commercial information to share with commercial companies, and that does worry them, but people were less resistant than I imagined at that time.
Senator Leahy. So if you were back there last April before Congressman Markey's subcommittee, would you give the same answer?
Mr. Kammer. Knowing what I knew then, I think I would have been obliged to.
Senator Leahy. No, but today.
Mr. Kammer. No, I wouldn't.
Senator Leahy. If other countries don't let Clipper Chip in, do we have a problem using the information superhighway that everybody wants to get on now? I mean, I look at Internet where I can go and pick up articles from a university in Australia or communicate with somebody in Eastern Europe. I mean, what about this? Are we suddenly going to see countries cutting off Internet?
Mr. Kammer. There is going to have to be at some point a worldwide solution to this. The power of Internet is too attractive. People aren't going to be willing to forgo that, and any country that forgoes is forgoing economic opportunity that means they won't survive for that long.
The critical things that you are going to need for commerce are, first of all, digital signature. If you want to sell or buy from people you have never met, you have to have some unambiguous way of assuring that they indeed incurred the debt and that they are liable for it. Digital signature is that solution. You are going to need some way of sealing data so you can be confident that it wasn't changed. That is sometimes called message authentication. Those two things are absolutely necessary for commerce. For many kinds of commerce, you are also going to need some kind of confidentiality that goes across borders. This is a difficult problem.
Senator Leahy. And it becomes more difficult if Clipper Chip is the standard. I really cannot imagine a number of these countries allowing it, no matter what commercial disadvantage they might be put at, without having a way of cracking into it.
Mr. Kammer. The possibility of some solution that doesn't involve a trusted third party, whoever it is — I haven't thought of anything myself, nor have I talked to anybody that has thought of anything that goes to some balance between protection from criminal activities balanced with privacy. What most people say it is not possible to do it at all and therefore let us just go a hundred percent privacy, the heck with the law enforcement. I don't know how it is going to come out.
Senator Leahy. Well, can you imagine any groundswell of enthusiasm here in the United States for giving these keys to some other country, no matter who they are?
Mr. Kammer. I can't.
Senator Leahy. Now, I understand that the cost of establishing the escrow system will be about $14 million and the cost of running it will be about $16 million annually. Is there any statutory authority for these expenditures?
Mr. Kammer. During the review that we did, there was a legislative review as well and we have the authority under the Computer Security Act, as it amended the NIST Organic Act. There is no authorization for the money at this point.
Senator Leahy. Ms. Harris, I think you were very forthcoming with the Justice Department's view on legislation, but if there is enough concern here, there will be legislation.
Senator Specter?
Senator Specter. Thank you very much, Mr. Chairman.
In noting the examples of cryptographic products which are being produced by others, are there some, Mr. Kammer, that are more complicated and more difficult to decrypt?
Mr. Kammer. If you have two well-designed algorithms, then the measurement is usually something called the work factor, and that is how long it would take you to try all the possible keys that exist, but that first big "if" is a real big "if." There are algorithms that are out in public use that seem to have rated very long work factors that indeed are not all that well designed. So, first, you have to know is it really designed as well as it is labeled, and then, secondly, if so, then you can start comparing work factors. Presuming two good algorithms, the one with the biggest work factor is presumably the best one.
Senator Specter. Well, you lost me. Let me try again.
Mr. Kammer. Sure.
Senator Specter. Are there some cryptogram systems that we cannot break at this moment?
Mr. Kammer. Yes, sir.
Senator Specter. Are there any cryptogram systems that cannot be broken with enough energy and time applied?
Mr. Kammer. No, sir, but the amount of time could range into hundreds, you know, of years.
Senator Specter. All right, so criminal elements or foreign agents could have access to cryptogram systems which we might not be able to break except with very extensive efforts.
Mr. Kammer. That is correct. That presumes a rather sophisticated criminal who is also very disciplined about implementing the system, but yes.
Senator Specter. General Harris, what pause does that give you for wiretaps if it is possible for organized crime or sophisticated foreign agents to use these cryptographic systems?
Ms. Harris. It is clearly of grave concern. Our hope with Clipper Chip is that it will become a device of choice so widespread that at least we will not have developed and then made available privately a technology which will frustrate law enforcement.
Senator Specter. With so many of these other cryptographic devices available from so many other countries — Australia, Denmark, Finland, Germany, Israel, Russia, the United Kingdom — isn't there sufficient competition with this kind of a device so that whatever we do with ours won't make a whole lot of difference? Won't foreign agents or criminals who want access to secret cryptography will be able to have it, whatever we do with Clipper Chip?
Ms. Harris. It is our hope that if Clipper Chip becomes the standard of choice for legitimate businesses that there will come a time when even illegitimate criminal enterprises will have to communicate with legitimate operators around the world.
Senator Specter. But, General Harris, why should it become the product of choice when there are so many others available?
Ms. Harris. I must tell you, Senator, that my understanding is that although others are available, they are not that good; that Clipper is — probably "light years" is strong a word, but that Clipper is so much stronger than the available — is so much stronger and so much better than what is available that, developed and made available, as the intention is, to the market, it will be the encrypter of choice. I mean, that is the hope. At least it will be one that this country has developed which will not frustrate law enforcement.
Senator Specter. Given technology's rapid advances, is there any estimate as to how long it would be before someone is likely to produce a better system?
Ms. Harris. I think that I would not speculate on that, Senator. Clearly, people are working on it, and clearly we are not just sort of stopped with Clipper Chip either. I mean, there must be a continuing review and work on this subject. I mean, this is a subject of grave concern to law enforcement, I am sure you understand.
Senator Specter. When the codes would be in the hands of two governmental agencies, is there a possibility that they might be used without a court order in a system which requires a court order for a wiretap?
Ms. Harris. I do not believe that they will be misused without court order. We have built into our protocols several fail-safe provisions. For instance, as you have noted, first of all, obviously, we have got to have a court order. The certification by the law enforcement agent who picks up an encoded conversation pursuant to Clipper Chip is required to certify to both of the independent key escrow holders that there is a court order, when it is going to end, and the identifying numbers.
Each one of those independent escrow agents has to act independently to send back to the decrypt device the appropriate codes that have to be combined in the machine, and then the responsible Federal officer, if it is a Federal wiretap
Senator Specter. Who is the custodian for this code in the Department of Justice, or who is the proposed custodian?
Ms. Harris. For the two escrow agents?
Senator Specter. Yes.
Ms. Harris. NIST is one, and what comes down to the command center at the Department of Treasury is the other right now.
Senator Specter. So Justice will not be a custodian?
Ms. Harris. That is absolutely correct. We have very carefully picked key escrow holders that are not law enforcement agencies.
Senator Specter. Treasury has significant law enforcement func- tions.
Ms. Harris. Not this aspect of Treasury, Senator.
Senator Specter. Which aspect is it?
Ms. Harris. It comes down to the command center at Treasury. It is part of their Automated Systems Division. It is on their administrative side.
Senator Specter. Well, it is very interesting. I recall being a lieutenant in the Air Force years ago in the Office of Special Investigation in the special branch called Cryptography, and from that vantage point I have always doubted that anything is a secret.
I have had experience where only three highly trusted people in a major investigation I ran years ago in the district attorney's office in Philadelphia knew about a matter; I have always had real reservations about how secret you can be.
Let me just ask both of you one final question, and that is do you really think we can make it so that it is secret? General Harris?
Ms. Harris. I believe that we can make it and, with human and mechanical technological safeguards, make it literally impossible for the whole system to be misused, and that it will function pursuant to court-authorized interceptions and function simply as a translator, so to speak, so that we can understand the content of communications that a court has authorized us to intercept.
Senator Specter. Mr. Kammer, will it really be secret?
Mr. Kammer. Yes, sir, I believe that we can be successful in making it secret.
Senator Specter. Well, the technology is fascinating. We had the Director of the FBI in on a hearing not too long ago and the shoe was on the other foot. The Director of the FBI was asking for legislation which would enable the FBI to keep up with the crooks, with all of the changes in the telephone system. So this subcommittee has its work cut out for it, but we will try to be helpful.
Thank you very much. Thank you, Mr. Chairman.
The Chairman. Senator Murray?
Senator Murray. Thank you, Mr. Chairman.
Mr. Kammer, has NIST evaluated the foreign programs that are available?
Mr. Kammer. We have occasionally evaluated selected ones out of interest. The NSA has done a much more thorough-going job and you may find it useful to discuss that in the next hearing.
Senator Murray. OK; thank you. On April 28, the Wall Street Journal quoted a computer expert as predicting criminals will routinely encrypt information within 2 years. Do you agree with that assessment?
Mr. Kammer. I think the timeframe of 2 years is extremely unlikely at this point. I don't think there will be widespread use even among sophisticated users in 2 years.
Senator Murray. Would Clipper Chip affect that timetable in any way?
Mr. Kammer. Well, I can sort of reason by analogy. DES was released 17 years ago and for the first 5 years it was regarded, because it had come from the government, with fear and loathing by all, and then it gradually began to penetrate the marketplace and now it is the choice for banking and for a number of other uses. That process took about 12, 13 years before it really got to the point where it was in widespread use. I don't think this will happen that quickly — quicker than that, but not very quickly.
Senator Murray. So you don't see the Clipper Chip becoming commonplace for 10 to 15 years?
Mr. Kammer. Things happen faster now than they did 15 years ago, but I think it will be at least 5 years before any marketplace choice emerges, Clipper or possibly something else. This is voluntary. People may pick something else.
Senator Murray. And you don't think that anybody can figure that out in the next 15 years?
Mr. Kammer. DES still serves us well and it is 17 years old. DES' work factor, if you will, is 2 to the 56th. This is 2 to the 80th. It is 16 million times stronger than DES, Clipper is.
Senator Murray. Do you have any way of knowing if someone figures it out?
Mr. Kammer. My guess is that it would be so rapidly disseminated on the Internet and people would be so proud of themselves that I would hear from many sources simultaneously.
Senator Murray. OK; thank you.
Senator Leahy. Well, of course, on the Internet we found Pretty Good Program
Mr. Kammer. Protection, PGP.
Senator Leahy. Pretty Good Protection. That zipped out there and now the government is raising issues about whether that was an unlawful exporting of encryption. We know how quickly things move. There is no reason to think that somebody else won't do that.
I am going to submit a number of questions for the record to both of you, if you don't mind. I have questions ranging everywhere from why one supplier of Clipper Chip and the obvious questions of monopoly that come out of that, to a number of other technical questions.
I appreciate your testimony, and I want to tell you that I am not an automatic fan of Clipper Chip or the proposals of the administration on this. I would ask you, if you go back over the questions and answers and you find there is more information and more material you want us to have, in all fairness, please feel free to bring it forth.
[The questions of committee members are found in the appendix:]
Ms. Harris. Thank you.
Senator Leahy. Thank you. We will take about a 2-minute recess to set up for the next panel. Thank you very much.
[Recess.]
Senator Leahy. We are back on the record.
Our first witness will be Whitfield Diffie, an engineer and cryptographer with Sun Microsystems, Inc. Mr. Diffie is the inventor of the concept of public key cryptography and one of the founding members of the International Association for Cryptographic Research.
Mr. Diffie, we will begin with you.
PANEL CONSISTING OF WHITFIELD DIFFIE, ENGINEER AND CRYPTOGRAPHER, SUN MICROSYSTEMS, INC., MOUNTAIN VIEW, CA, ON BEHALF OF THE DIGITAL PRIVACY AND SECURITY WORKING GROUP; AND STEPHEN T. WALKER, PRESIDENT, TRUSTED INFORMATION SYSTEMS, INC., GLENWOOD, MD
STATEMENT OF WHITFIELD DIFFIE
Mr. Diffie. Well, we know you hear about sculduggery in these things. My notes just disappeared.
Senator Leahy. The dog ate them?
Mr. Diffie. I frankly don't know. I went back to pick up my notes and I can't find them.
Senator Leahy. Would you like some more time?
Mr. Diffie. No, no; that is fine. Thank you. Maybe this will make up in freshness for what it lacks in preparation.
I want to thank you, to start with, for inviting me to this. This is sort of appropriate. You introduced me as the inventor of the concept of public key cryptography. I did it working with Marty Hellman at Stanford University nearly 20 years ago, and the concept we introduced that is, in fact, in the TSD 3600 over there in some sense created this whole problem because prior to that all cryptographically secure networks required a central administration that actually had the power to decrypt traffic. It had to hold keys in order to make introductions that would allow it to decrypt traffic, and the techniques that we had the privilege of pioneering have allowed systems like this in which the phones negotiate directly with each other and no third party is able to read the traffic. So I guess I deserve whatever happens.
Subsequently, I went to Northern Telecom. I say this just to emphasize that I have had some experience with communications security in the telecommunications environment. After 12 years of that, I came to Sun Microsystems and I am now very involved with Internet and Internet sort of security and things of that kind.
I have three things I was asked to comment on, and let me try to get through them rather quickly. I view this from a broad perspective. I try not to get tied up in individual issues of this network of programs that are being proposed — the Clipper, the Capstone, the Digital Telephony bill, and the Digital Signature.
I believe there is a fundamental issue here of whether we should be using the power of technology to increase the privacy of citizens or to expand the power of the government, and I accept the legitimacy of that power in a lot of cases, to use electronic surveillance against its citizens and against other people.
I think there has been a lot of what I would call irresponsible comment to the effect that cryptography represents something new, it represents some sort of absolute privacy, and since this new thing has appeared, it needs to be regulated.
I think if you look back to the era of the Bill of Rights, you will see that at that time any two people could have a private conversation merely by having the common sense to walk 100 yards off away from people. They would know there were no tape recorders, no shotgun microphones, and they would be having a private conversation. Nobody in the world today has that assurance. If you are talking on a secure phone, if you are talking in a secure conference room, you are depending on the cooperation of hundreds of people who built and maintain those systems.
So individuals can no longer achieve privacy in the way they could then, and the impact of this — the credible impact, I believe, for our democracy is that the integrity of political speech, which frequently means the privacy of political speech, is something that is, in the Madisonian view, the root of the legitimacy of laws in a democracy.
I think that with the progress of technology, what has happened is that we are in a position where if we do not make it a national priority to protect individual privacy, to guarantee that when individuals want privacy they can have it, we will have an ebbing away of the privacy that is essential to the democratic process.
Now, since we are short of time here, let me turn quickly — it is a rare privilege to speak on an issue where it seems that matters of conscience and matters of business go side by side. Sun Microsystems does about half its business outside the country and we are proud to be part of what we regard as building the infrastructure of the future information society, and that infrastructure will, in particular, be the infrastructure that will support the commerce of the future.
The infrastructure of commerce has always required security. Ships' holds, warehouses, bills of lading — all of this is the classical security machinery of commerce, and if we are going to have the promise that the information society offers, we are going to need to have international standards for security. They can't be something that are weighted to try to give particular advantages to particular governments, particular agencies, et cetera.
My final point — I was asked to comment on alternatives, and I see that light has turned yellow, which means I should be turning yellow, I suppose.
Senator Leahy. No, no; don't worry about it. They give me some latitude around here, so go ahead. [Laughter.]
Mr. Diffie. I have been asked to speak on alternatives to this matter, and I think you can't speak about alternatives without asking first whether there is a problem and what the problem is, and therefore what the various possible solutions are.
In looking at the evidence that has been presented before this committee and other places for either the problems of law enforcement or intelligence, I don't find the evidence compelling. There is no question that particular sources of intelligence get closed off from time to time, but if you look at technical intelligence and particular technical law enforcement facilities, you will find they are growing by leaps and bounds.
In electronic surveillance, warrants — I haven't been able to get the exact percentage that are, so to speak, room bugs and the percentage that are taps, but I know that in many of these cases traditional bugging accounts for a good deal of the information, and bugs are getting smaller, higher fidelity, harder to detect, et cetera.
If you similarly look at intelligence, you find that electronic intelligence is expanding dramatically, and the reason is that improved particularly radio and mobile communication channels draw far more valuable traffic into vulnerable channels than ever is protected by the introduction of technical measures. I don't know if that will go on forever, but it has been progressing steadily for decades now.
On the other hand, one can say that, in fact, alternatives to this will come about of their own accord. If you look at cryptography as a security measure, you have no choice but to distinguish two cases, communications and storage.
Now, in communications the view is that the communications are ephemeral. You don't try to save your own cipher text. You don't worry about having to get it back if the keys to a conversation are lost later. As a matter of fact, you particularly want them to go away. Senator Specter mentioned the various spy scandals and things, and worrying about keeping things secret. In fact, the two most dramatic spy scandals prior to Ames in our own recent history were both cryptographic spies who kept keying material after they were supposed to have destroyed it and then sold it to the KGB.
The advantage of a device like the original TSD 3600 or the STU-III is that it creates ephemeral keys that exist only for the duration of one conversation and then are destroyed when the conversation ends and cannot be rederived from any of the surviving information. On the other hand, to create escrow agents, no matter how carefully constructed, is to create keys that stay in existence for months or years or decades after the conversations that they protected, and that is to create a potential loophole of immense proportions.
On the other hand, if you look at cryptography to protect storage, then you have no choice at anything above the individual level but to provide alternative mechanisms of access to the information. If a corporation were to keep its records encrypted — and there would be many benefits to that; that would mean it could ship them out over the Internet to storage sites so that if its headquarters burned down it would be able to get them back immediately. It would nonetheless have to be sure that somebody other than one archivist or one controller or something like that had the keys that protected this information. There would have to be alternative mechanisms that would be under the control of the corporate officers and they would provide them
Senator Leahy. They go through some of those same questions about who has the keys even now in storing information in electronic files because you at least need a password to get into that file.
Mr. Diffie. Yes, although typically less things are being done cryptographically. Almost by definition, there are other ways other than passwords to get around them.
Senator Leahy. It gives you a trap door.
Mr. Diffie. Well, we don't usually think of it that way. It is just sort of a normal maintenance matter that if you take the machine apart, then you get at the information in other ways.
Since I am aware of time, let me sum up by saying that suppose we make a mistake in this decision; then there are two ways we can make the mistake. We can either fail to adopt a key escrow system now and when one is perhaps necessary, or we can adopt a key escrow system when one is, in fact, not necessary. Which of those mistakes would be worse?
My own view is that if we fail to adopt one this year — this talk of getting out ahead of the curve, and so forth, is really not very much to the point. Given that the life cycle of electronic equipment is rather short — devices like that, people expect to replace every 2, 3, 5, or 7 years. If this market domination strategy for introducing new cryptographic equipment that has this back door built into it is taken up at any time — if it can succeed at all, it will succeed in a few years.
On the other hand, suppose we do adopt something, despite all its controls that I believe are very dangerous to the process of democracy and that represents a statement, in principle, somehow for the first time that people don't really have a right to have confidence in the measures they take to protect their own communications. Then I believe we will run the risk of building a bureaucracy that is now defending this new power that it has gotten, and that that would be very difficult to dislodge even if we subsequently decided it had been a bad idea.
Thank you very much.
[The prepared statement of Whitfield Diffie follows:]
Prepared Statement of Dr. Whitfield Diffie
I would like to begin by expressing my thanks to Senator Leahy, the other members of the committee, and the committee staff for the opportunity not only of appearing before this committee, but of appearing in such distinguished company.
I think it is also appropriate to say a few words about my experience in the field of communication security. I first began thinking about cryptography while working at Stanford University in the late summer of 1972. My feeling was that cryptography was vitally important for personal privacy and my goal was to make it better known. I am pleased to say that if I have succeeded in nothing else, I have achieved that goal. Today, cryptography is a bit better known. In 1978, I walked through the revolving door from academia to industry and for a dozen years was "Manager of Secure Systems Research" at Northern Telecom. In 1991, I took my present position with Sun Microsystems. This has allowed me an inside look at the problems of communication security from the viewpoints of both the telecommunications and computer industries. I am also testifying today on behalf of the Digital Privacy and Security Working Group, a group of more than 50 computer, communications and public interest organizations and associations dedicated to working on communications privacy issues.
THE KEY ESCROW PROGRAM
Just over a year ago, the Administration revealed plans for a program of key escrow technology best known by the name of its flagship product, the Clipper chip. The program's objective is to promote the use of cryptographic equipment incorporating a special back door or trap door mechanism that will permit the Federal Government to decrypt communications without the knowledge or consent of the communicating parties when it considers this necessary for law enforcement or intelligence purposes. In effect, the privacy of these communications will be placed in escrow with the Federal Government.
The committee has asked me to address myself to this proposal and in particular to consider three issues:
• Problems with key escrow, particularly in the area of privacy.
• The impact of the key escrow proposal on American business both at home and abroad.
• Alternatives to key escrow.
ON SCOPE AND PERSPECTIVE
The problems of today are usually best viewed in historical perspective. A century ago, the world witnessed the development of the first global telecommunications systems, with the appearance of transoceanic cables and later radio. The new technology posed an unprecedented challenge to national sovereignty. Countries could still control the movement of people and goods across their borders, but ideas and information could now move around the world without being subject to the scrutiny of customs or immigration officials.
The challenge, of course, is one that the notion of national sovereignty and nation state survived. In part this is due to the rise of mechanisms of censorship and regulation to control the new media. In part it is due to the fact that telecommunications proved tremendously useful to governments themselves. The new tool was promptly exploited by the European colonial powers, particularly Britain, to bind their empires more tightly together than had ever been possible in the past.
1 Dr. Diffie is also testifying on behalf of the Digital Privacy and Security Working Group, a group of more than 50 computer, communications and public interest organizations and associations working on communications privacy issues.
Telecommunications transformed government, giving administrators real time access to their representatives in remote parts of the world. It transformed commerce, facilitating world wide enterprises and beginning the internationalization of business that has become the byword of the present decade. It transformed warfare by giving generals the ability to operate from the relative safety of rear areas and admirals the capacity to control fleets scattered across oceans.
Once again, we are in the midst of a revolution in telecommunications technology and once again we hear the warning that national security, and perhaps even national sovereignty, are in danger. As the most powerful country in the world and the country whose welfare is the most dependent on both the security of its own communications and its success in communications intelligence, the United States confronts this challenge most directly.
In the course of discussing the key escrow program over the past year, I have often encountered a piecemeal viewpoint that seeks to take each individual program at face value and treat it independently of the others. I believe, on the contrary, that it is appropriate to take a broad view of the issues. The problem confronting us is assessing the advisability and impact of key escrow on our society. This requires examining the effect of private, commercial, and possibly criminal use of cryptography and the advisability and effect of the use of communications intelligence techniques by law enforcement. In so doing, I will attempt to avoid getting bogged down in the distinctions between the Escrowed Encryption Standard (FIPS185) with its orientation toward telephone communications and the CAPSTONE/TESSERA/MOSAIC program with its orientation toward computer networks. I will treat these, together with the Proposed Digital Signature Standard and to a lesser extent the Digital Telephony Proposal, as a unified whole whose objective is to maintain and expand electronic interception for both law enforcement and national security purposes.
PRIVACY PROBLEMS OF KEY ESCROW
When the First Amendment became part of our constitution in 1791, speech took place in the streets, the market, the fields, the office, the bar room, the bedroom, etc. It could be used to express intimacy, conduct business, or discuss politics and it must have been recognized that privacy was an indispensable component of the character of many of these conversations. It seems that the right — in the case of some expressions of intimacy even the obligation — of the participants to take measures to guarantee the privacy of their conversations can hardly have been in doubt, despite the fact that the right to speak privately could be abused in the service of crime.
Today, telephone conversations stand on an equal footing with the venues available then. In particular, a lot of political speech — from friends discussing how to vote to candidates planning strategy with their aides — occurs over the phone. And, of all the forms of speech protected by the first amendment, political speech is foremost. The legitimacy of the laws in a democracy grows out of the democratic process. Unless the people are free to discuss the issues — and privacy is an essential component of many of these discussions — that process cannot take place.
There has been a very important change in two hundred years, however. In the seventeen-nineties two ordinary people could achieve a high degree of security in conversation merely by the exercise of a little prudence and common sense. Giving the ordinary person comparable access to privacy in the normal actions of the world today requires the ready availability of complex technical equipment. It has been thoughtlessly said, in discussions of cryptographic policy, that cryptography brings the unprecedented promise of absolute privacy. In fact, it only goes a short way to make up for the loss of an assurance of privacy that can never be regained.
As is widely noted, there is a fundamental similarity between the power of the government to intercept communications and its ability to search premises. Recognizing this power, the fourth amendment places controls on the government's power of search and similar controls have been placed by law on the use of wiretaps. There is, however, no suggestion in the fourth amendment of a guarantee that the government will find what it seeks in a search. Just as people have been free to protect the things they considered private, by hiding them or storing them with friends, they have been free to protect their conversations from being overheard.
The ill ease that most people feel in contemplating police use of wiretaps is rooted in awareness of the abuses to which wiretapping can be put. Unlike a search, it is so unintrusive as to be invisible to its victim and this inherently undermines accountability. Totalitarian regimes have given us abundant evidence that the use of wiretaps and even the fear of their use can stifle free speech. Nor is the political use of electronic surveillance a strictly foreign problem. We have precedent in contemporary American history for its use by the party in power in its attempts to stay in power.
The essence of the key escrow program is an attempt to use the buying power and export control authority of government to promote standards that will deny ordinary people ready options for true protection of their conversations. In a world where more and more communications take place between people who frequently cannot meet face to face, this is a dangerous course of action.
OTHER DIFFICULTIES OF THE PRESENT PROPOSAL
The objections raised so far apply to the principle of key escrow. Objections can also be raised to details of the present proposal. These deal with the secrecy of the algorithm, the impact on security of the escrow mechanism, and the way in which the proposal has been put into effect.
One objection that has been raised to the current key escrow proposal is that the cryptographic algorithm used in the Clipper Chip is secret and is not available for public scrutiny. One counter to this objection is that the users of cryptographic equipment are neither qualified to evaluate the quality of the algorithm nor, with rare exceptions, interested in attempting the task. In a fundamental way, these objections miss the point.
Within the national security establishment, responsibility for communication security is well understood. It rests with NSA. Outside of that establishment, particularly in industry, that responsibility is far more diffuse. Individual users are not typically concerned with the functioning of pieces of equipment. They acquire trust through a complex social web comprising standards, corporate security officers, professional societies, etc. A classified standard foisted on the civilian sector will have only one element of this process, federal endorsement.
In explaining the rationale behind key escrow at the 1993 National Computer Security Conference, Clint Brooks of NSA argued that key escrow was not a trap door, reserving that term for a more mathematical approach in which the algorithm is not kept secret. Brooks held that this idea had been rejected on the grounds that the trap door could be found and exploited by opponents. Ironically, a similar weakness lurks within the escrow approach, because the cost to an opponent of extracting the family key and unit key of a chip from the chip's communications is only marginally greater than the cost of extracting the key for an individual message.
Finally, there are disturbing aspects to the development of the key escrow FIPS. Under the Computer Security Act of 1987, responsibility for security of civilian communications rests with the National Institute of Standards and Technology. Pursuant to this statute, the Escrowed Encryption Standard appeared as Federal Information Processing Standard 185, under the auspices of the Commerce Department. Apparently, however, authority over the secret technology underlying the standard and the documents embodying this technology, continues to reside with NSA. We thus have a curious arrangement in which a Department of Commerce standard seems to be under the effective control of a Department of Defense agency. This appears to violate at least the spirit of the Computer Security Act and strain beyond credibility its provisions for NIST's making use of NSA's expertise.
IMPACT ON BUSINESS
Business today is characterized by an unprecedented freedom and volume of travel by both people and goods. Ease of communication, both physical and electronic, has ushered in an era of international markets and multinational corporations. No country is large enough that its industries can concentrate on the domestic market to the exclusion of all others. When foreign sales rival or exceed domestic ones, the structure of the corporation follows suit with new divisions placed in proximity to markets, materials, or labor.
Security of electronic communication is as essential in this environment as security of transportation and storage have been to businesses throughout history. The communication system must ensure that orders for goods and services are genuine, guarantee that payments are credited to the proper accounts, and protect the privacy of business plans and personal information.
Two new factors are making security both more essential and more difficult to achieve. The first is the rise in importance of intellectual property. Since much of what is now bought and sold is information varying from computer programs to surveys of customer buying habits, information security has become an end in itself rather than just a means for ensuring the security of people and property. The second is the rising demand for mobility in communications. Traveling corporate computer users sit down at workstations they have never seen before and expect the same environment that is on the desks in their offices. They carry cellular telephones and communicate constantly by radio. They haul out portable PCs and dial their home computers from locations around the globe. With each such action they expose their information to threats of eavesdropping and falsification barely known a decade ago.
Because this information economy is relentlessly global, no nation can successfully isolate itself from international competition. The communication systems we build will have to be interoperable with those of other nations. A standard based on a secret American technology and designed to give American intelligence access to the communications it protects seems an unlikely candidate for widespread acceptance. If we are to maintain our leading position in the information market places, we must give our full support to the development of open international security standards that protect the interests of all parties fairly.
POTENTIAL FOR EXCESSIVE REGULATION
The key escrow program also presents the spectre of increased regulation. FIPS185 states that "Approved implementations may be procured by authorized organizations for integration into security equipment." This raises the question of what organizations will be authorized and what requirements will be placed upon them? Is it likely that people prepared to require that surveillance be built into communication switches would shrink from requiring that equipment make pre-encryption difficult as a condition for getting "approved implementations"? Such requirements have been imposed as conditions of export approval for security equipment. Should industry's need to acquire tamper resistant parts force it to submit to such requirements, key escrow will usher in an era of unprecedented regulation of American development and manufacturing.
ALTERNATIVES TO KEY ESCROW
It is impossible to address the issue of alternatives to key escrow without asking what, if any, is the problem.
In recent testimony before this committee, the FBI has portrayed communications interception as an indispensable tool of police work and argued that the utility of this tool is threatened by developments in modern communications. Unfortunately, this testimony uses the broader term "electronic surveillance" almost exclusively. Although it refers to a number of convictions, it names not a single defendant, court, or case. This raises two issues: the effectiveness of electronic surveillance in general and that of communications interception in particular.
It is easier to believe that the investigative and evidential utility of wiretaps is rising than to believe it is falling. This is partly because criminals, like everyone else, do more talking on the phone these days. It is partly because modern systems like provide much more information about a call, telling you where it came from in real time even when it is from a long way away.
With respect to other kinds of electronic surveillance, the picture looks even brighter. Miniaturization of electronics and improvements in digital signal processing are making bugs smaller, improving their fidelity, making them harder to detect, and making them more reliable. Forms of electronic surveillance for which no warrant is held to be necessary, particularly TV cameras in public places, have become widespread. This creates a base of information that was, for example, used in two distinct ways in the Tylenol poisoning case of some years back.
Broadening the consideration of high tech crime fighting tools to include vehicle tracking, DNA fingerprinting, individual recognition by infrared tracing of the veins in the face, and database profiling, makes it seem unlikely that the failures of law enforcement are due to the inadequacy of its technical tools.
If we turn our attention to foreign intelligence, we see a similar picture. Communications intelligence today is enjoying a golden age. The steady migration of communications from older, less accessible, media, both physical and electronic, has been the dominant factor. The loss of information resulting from improvements in security has been consistently outweighed by the increased volume and quality of information available. As a result, the communications intelligence product has been improving for more than fifty years.
The situation, furthermore, is improving. The rising importance of telecommunications in the life of industrialized countries coupled with the rising importance of wireless communications, can be expected to give rise to an intelligence bonanza in the decades to come.
Mobile communication is one of the fastest growing areas of the telecommunications industry and the advantages of cellular phones, wireless local area networks, and direct satellite communication systems are such that they are often installed even in applications where mobility is not required. Satellite communications are in extensive use, particularly in equatorial regions and cellular telephone systems are being widely deployed in rural areas throughout the world in preference to undertaking the substantial expense of subscriber access wiring.
New technologies are also opening up new possibilities. Advances in emitter identification, network penetration techniques, and the implementation of cryptanalytic or crypto-diagnostic operations within intercept equipment are likely to provide more new sources of intelligence than are lost as a result of commercial use of cryptography.
It should also be noted that changing circumstances change appropriate behavior. Although intelligence continues to play a vital role in the post cold war world, the techniques that were appropriate against an opponent capable of destroying the United States within hours may not be appropriate against merely economic rivals.
If, however, we accept that some measure of control over the deployment of cryptography is needed, we must distinguish two cases:
• The use of cryptography to protect communications and
• The use of cryptography to protect stored information.
It is good security practice in protecting communications to keep any keys that can be used to decipher the communications for as short a time as possible. Discoveries in cryptography in the past two decades have made it possible to have secure telephones in which the keys last only for the duration of the call and can never be recreated thereafter. A key escrow proposal surrenders this advantage by creating a new set of escrowed keys that are stored indefinitely and can always be used to read earlier traffic.
With regard to protection of stored information, the situation is quite different. The keys for decrypting information in storage must be kept for the entire lifetime of the stored information; if they are lost, the information is useless. An individual might consider encrypting files and trusting the keys to memory, but no organization of any size could risk the bulk of its files in this fashion. Some form of key archiving, backup, or escrow is thus inherent in the use of cryptography for storage. Such procedures will guarantee that encrypted files on disks are accessible to subpoena in much the same way that files on paper are today.
In closing, I would like to ask which would be the more serious mistake: adopting a key escrow system that we do not need or failing to move quickly enough to adopt one that we do.
It is generally accepted that rights are not absolute. If private access to high-grade encryption presented a clear and present danger to society, there would be little political opposition to controlling it. The reason there is so much disagreement is that there is so little evidence of a problem.
If allowing or even encouraging wide dissemination of high-grade cryptography proves to be a mistake, it is likely to be a correctable mistake. Generations of electronic equipment follow one another very quickly. If cryptography comes to present such a problem that there is a popular consensus for regulating it, this will be just as possible in a decade as it is today. If, on the other hand, we set the precedent of building government surveillance capabilities into our security equipment we risk entrenching a bureaucracy that will not easily surrender the power this gives.
Notes:
I have treated some aspects of the subjects treated here at greater length in other testimony and comments and copies of these have been made available to the committee.
'The Impact of Regulating Cryptography on the Computer and Communications Industries" Testimony Before the House Subcommittee on Telecommunications and Finance, 9 June 1993.
"The Impact of a Secret Cryptographic Standard on Encryption, Privacy, Law Enforcement and Technology" Testimony Before the House Subcommittee on Science and Technology, 11 May 1993.
Letter to the director of the Computer Systems Laboratory at the National Institute of Standards and Technology, commenting on the proposed Escrowed Encryption Standard, 27 September 1993.
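The statement above contrasts call keys that die with the call against escrowed keys that are stored indefinitely. The following toy model is an added illustration, not code from the hearing record or from any Clipper implementation: the DH group, the SHA-256 keystream cipher, the XOR-split escrow shares and the simplified LEAF-like field are all assumed constructions, insecure by design and chosen only to make the key-lifetime difference observable.

```python
"""Key lifetime in two secure-phone designs (added toy model, not the hearing's code).

Assumptions: the DH group, the SHA-256 keystream cipher and the LEAF-like field
are toy constructions for illustration only and are NOT secure.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Toy Diffie-Hellman group: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 5


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Intercept:
    """What a wiretap on the line captures: only values that were actually sent."""
    public_values: Tuple[int, ...]   # DH public values (ephemeral design)
    leaf: Optional[bytes]            # escrow field (escrowed design), else None
    ciphertext: bytes


def ephemeral_call(plaintext: bytes) -> Intercept:
    """STU-III / original TSD 3600 style: the session key lives only for the call."""
    a_priv = secrets.randbelow(P - 2) + 1
    b_priv = secrets.randbelow(P - 2) + 1
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    shared = pow(b_pub, a_priv, P)
    assert shared == pow(a_pub, b_priv, P)
    session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    ciphertext = xor_stream(session_key, plaintext)
    # Call ends: exponents and session key are discarded. Nothing is retained that
    # could rederive the key from the intercepted public values and ciphertext.
    del a_priv, b_priv, shared, session_key
    return Intercept((a_pub, b_pub), None, ciphertext)


@dataclass
class EscrowAgents:
    """Two agents each hold one XOR share of every chip's unit key, indefinitely."""
    shares_1: Dict[int, bytes] = field(default_factory=dict)
    shares_2: Dict[int, bytes] = field(default_factory=dict)

    def register(self, chip_id: int, unit_key: bytes) -> None:
        s1 = secrets.token_bytes(len(unit_key))
        self.shares_1[chip_id] = s1
        self.shares_2[chip_id] = bytes(a ^ b for a, b in zip(unit_key, s1))

    def reconstruct(self, chip_id: int) -> bytes:
        """Both shares together (e.g. under court order) yield the unit key again."""
        s1, s2 = self.shares_1[chip_id], self.shares_2[chip_id]
        return bytes(a ^ b for a, b in zip(s1, s2))


def escrowed_call(plaintext: bytes, chip_id: int, unit_key: bytes,
                  family_key: bytes) -> Intercept:
    """Clipper-style: a fresh session key is sent wrapped under long-lived keys."""
    session_key = secrets.token_bytes(32)
    # Simplified LEAF-like field (assumed structure): chip id plus the session key
    # wrapped under the chip's unit key, all wrapped under the shared family key.
    inner = chip_id.to_bytes(4, "big") + xor_stream(unit_key, session_key)
    leaf = xor_stream(family_key, inner)
    return Intercept((), leaf, xor_stream(session_key, plaintext))


def decrypt_from_escrow(rec: Intercept, agents: EscrowAgents,
                        family_key: bytes) -> bytes:
    """Years after the call, the retained escrow shares still unlock the traffic."""
    inner = xor_stream(family_key, rec.leaf)
    chip_id = int.from_bytes(inner[:4], "big")
    unit_key = agents.reconstruct(chip_id)
    session_key = xor_stream(unit_key, inner[4:])
    return xor_stream(session_key, rec.ciphertext)


def key_material_surviving_call(rec: Intercept) -> bool:
    """True if the intercept carries a field from which the key can be unwrapped."""
    return rec.leaf is not None


if __name__ == "__main__":
    audio = b"constructed sample call content"          # constructed sample input
    eph = ephemeral_call(audio)
    print("ephemeral design, key material on the wire after the call:",
          key_material_surviving_call(eph))
    agents = EscrowAgents()
    unit_key, family_key = secrets.token_bytes(32), secrets.token_bytes(32)
    agents.register(chip_id=42, unit_key=unit_key)
    esc = escrowed_call(audio, 42, unit_key, family_key)
    print("escrowed design, recovered from retained shares:",
          decrypt_from_escrow(esc, agents, family_key))
```

The escrow agents' share tables are the long-lived asset Diffie's "loophole" refers to: as long as they exist, every call ever made through a registered chip remains readable.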
Senator Leahy. Thank you.
Mr. Walker, we had earlier the question asked of the Justice Department whether you could use other encryption devices for voice communications through our computers. The answer was somewhat different than I had expected. I will turn it to you and let you do your own testimony.
STATEMENT OF STEPHEN T. WALKER
Mr. Walker. Thank you very much, Mr. Chairman. My name is Steve Walker and I am the founder and President of Trusted Information Systems, an 11-year old computer security company. Before I started TIS, I had spent 22 years with the Defense Department at the National Security Agency, the Advanced Research Projects Agency, and the Office of the Secretary of Defense.
Before we get to the demo of an alternative to the answer that you got from the Justice Department, I would like to make a few comments and then move to the demo.
Senator Leahy. Sure.
Mr. Walker. I am opposed to the key escrow cryptography as proposed by the administration's Clipper initiative. I believe that any government program that is as potentially invasive of the privacy rights of American citizens as key escrow is should only be imposed after careful review by the Congress and the passage of legislation, legislation that is signed by the President and, if necessary, declared constitutional by the Supreme Court.
In 1968, we went through a very painful process of authorizing wiretaps under very stringent conditions, and I believe that the government imposition of key escrow procedures deserves no less careful consideration. I believe that many Americans will accept government-imposed key escrow if it is established through law and if the holder of the keys is in the judiciary branch of the government. But without such action, I suspect most Americans will remain firmly opposed to Clipper.
I am concerned that there appears to be very little business case for the administration's assertions that key escrow will maintain law enforcement's ability to wiretap criminals. I fear that, as presently being pursued, the Clipper initiative will be an expensive program that will yield few, if any, results.
I am actually angered that the government's fixation on law enforcement and national security interests has delayed the establishment of a digital signature standard for over 12 years and done considerable harm to the economic interests of the United States. Mr. Kammer talked about a digital signature standard and how important it was, but, in fact, because of the fixation on the interests of law enforcement and national security, we don't have one when we could have had it 12 years ago.
I am also opposed to continued imposition of export controls on products that employ cryptography that are already routinely available throughout the world, as we will discuss here in a moment. The only effects that these controls are having is to deny U.S. citizens and businesses protection of their own sensitive information from foreign and domestic industrial espionage, and to place U.S. information system producers at a severe disadvantage in a rapidly growing market. I also wish to say, and I am sorry Senator Murray is not here, that I very strongly support her bill, S. 1846, and Maria Cantwell's bill, H.R. 3627, in their attempts to alleviate this export control problem.
43
I was very pleased when Ray Kammer brought in the Clipper TSD and demonstrated it because I wanted to talk just for a minute about how we got into this mess, the Clipper mess, in some sense. This is the culprit that began it. This is a TSD that looks very much like the one that you used a few minutes ago, except at the end of the TSD 3600 there is a "D." This device was initially announced back in September 1992 by AT&T, with some public- ity— two-page ads in Business Week and elsewhere — and it has DES in it. In some very real sense, it was the introduction of this device that caused NSA and the FBI to go into a flurry to try to find an alternative.
In January 1993, AT&T began shipping these devices. I got eight of them at that time, but they told us they were only on loan. You couldn't buy them, and they promised us there would be something better in April. This was in 1993. In April, when the administra- tion announced the Clipper initiative, the same day AT&T pledged their support for it. Unfortunately, Clipper Chips were not ready and so AT&T cooled its heels.
Then very quietly, in August 1993, yet another device was intro- duced. This is the 3600 P. It has a proprietary algorithm in it, pro- prietary to AT&T. We don't know what its quality is relative to DES, but it can't be exported, so it must be pretty good.
These devices have been on sale — I bought this one from AT&T — since last August and they are now selling both the Clipper device that has an "E" after the 3600 for "escrow," presumably, and the P device to the marketplace. When you ask them what are their thoughts on this, they say, well, let's let the market decide what it wants. So part of the discussion this morning that you have al- ready had about are people going to buy the 3600 escrow device — there already is an alternative that they can pick and let the mar- ket, in fact, decide.
In the interests of time, I have done a quick market analysis which I won't spend time on. I asked AT&T how many TSD's they expected to sell and I was told by one individual they expected to sell about as many as the STU-III's that are out there, the very popular classified phone systems. There are about 250,000 of those out there, and if you look at the chart comparing the number of wiretaps that are anticipated and the 500 million phones that are in the United States now, my estimate — and I basically challenge the administration to produce some contrary numbers that show I am wrong. If there are 250,000 such devices sold, there will be 2.5 key escrow calls intercepted each year. If the $16 million estimate for operating the key escrow centers is amortized across that, each one of those calls will cost $6.4 million.
Now, if the numbers are wrong, if we increase it by a factor of 10 or a factor of 100, when we get to the point where we have 25 million of these devices, 1 on every 20 telephones, we are still only going to get a key escrow call every 1½ days and it is still going to cost $64,000 for that call, which is twice the price of a current wiretap that doesn't involve cryptography.
I would like to switch for a moment to the export control situation just to emphasize the things that we have here on the side. The administration has asserted that export controls are not harmful to U.S. business because there are no commercially available foreign products involving cryptography. Last year, the Software Publishers Association commissioned a study to look at this issue and we have our latest results over in this chart.
We have now found over 340 foreign products that involve cryptography coming from 22 countries around the world. One hundred fifty-five of these use DES and 70 of them at least use it with software. We have been able to purchase products from the companies listed on the bottom there and those are on display. The notebooks that we have there contain the product literature that we have on each of the products that are there. It is arguable that this is not an overwhelming number that we have found, but it certainly appears more significant than many people have suspected.
Another thing that we have found from our survey, though, that is frightening to me, at least, and to U.S. businesses is that those products that we obtained are DES software products. We got them from Australia, Denmark, Finland, Germany, Israel, Russia and the United Kingdom. We got them without any trouble at all. In many cases, these people have distributors around the world, sometimes in the United States. You can call a German company on an 800 number. Somebody in Connecticut answers it, and you will have a DES software product on your desk the next day. We cannot ship those back. We would be in complete violation of U.S. export laws.
The issue here is that it is not a level playing field. Our allies, our friends, in England and in Germany are routinely shipping products like this to us which we can't ship to them, and that is a very grave concern and why I have particular support for the
Senator Leahy. So if you were an American company with branches overseas and you wanted to use this, you would have the branches overseas buy the product from the source overseas and then ship to you the product that you would use back here?
Mr. Walker. Well, if it was my company overseas, my subsidiary, I can get approval from the State Department. It takes about 6 months to do that, but you are right.
Senator Leahy. Yes; I understand that. I am talking about a multinational.
Mr. Walker. Multinational companies are routinely buying products from foreign sources. In my written testimony, I have several examples. A company called Semaphore in California listed about 15 examples of lost sales recently that they have encountered, and everyone has these experiences. Fortune Magazine this month has a two-page article in which the president of Sun and other companies talk about how serious this problem is and how little good it is doing anyone.
Senator Leahy. The laptops that we are going to use in your demonstration didn't come with encryption capability already programmed in them, did they?
Mr. Walker. No; they did not.
Senator Leahy. Was it very difficult to add the DES program to it?
Mr. Walker. No; the gentleman who did it is sitting behind me. It took him about a day to add it. Basically, if you wish, sir — yours looks like it is in working order there.
Senator Leahy. The computer is in working order. That doesn't necessarily mean that I am going to know what I am doing with it.
Mr. Walker. Well, it is going to be easy. I will explain it to you, sir.
Senator Leahy. I have got the cursor on "talk" right now.
Mr. Walker. Don't hit yet.
Senator Leahy. I mean, it is so tempting. My hand is just twitch- ing here.
Mr. Walker. OK; go ahead. It is all right.
Senator Leahy. No, no, I am not going to. Go ahead, go ahead.
Mr. Walker. It is all right if you would like to do that.
These are basically Macintosh PowerBooks. They are actually last year's models. If we had had this year's models, it would run a little bit faster. This is a program that is available for about $70 from a company called Two Way Communications in San Diego, CA. It is routinely available to anybody who wants it. These laptops have built into them speakers and microphones, and therefore they have the ability to handle multimedia communications of all sorts.
Basically, what we did was obtain this piece of software from the San Diego company which, incidentally, is written by a programmer in Moscow. That has nothing to do with the cryptography at all, just an indication of the worldwide nature of all of this. It has on it a button called "talk" which, if you hit the cursor, will allow you to talk to me. If you would like to do that, go ahead.
That is working.
Senator Leahy. OK; now, it says "stop." Is that OK?
Mr. Walker. Yes; when you are activating it, it will then give you the opportunity to turn it off by hitting the "stop" button. Now, if you notice down below there is a little button called "encrypt sound" just below the "talk" button. It is a little square.
Senator Leahy. Yes.
Mr. Walker. If you will just move the cursor down and press that, sir?
Senator Leahy. Got it.
Mr. Walker. Now, you are speaking to me in DES encrypted communications.
Senator Leahy. All right.
Mr. Walker. It doesn't sound any different than it did before.
Senator Leahy. No. I am just going to adjust my volume here a little bit.
Mr. Walker. The volume needs to be adjusted in the room.
Senator Leahy. So, now, is the sound going through, encrypted at your end?
Mr. Walker. Well, no. It is in the clear at my end.
Senator Leahy. I mean, it is encrypted between here and where you are.
Mr. Walker. Yes; if you would hit the "stop" button, then I will talk through you and be able to indicate to you how it would sound if you were intercepting this.
Senator Leahy. I just hit the "stop" button.
Mr. Walker. OK; now, I will turn mine on. The reason we do this one way right now — I mean, one at a time — is because of the lack of power in these laptop computers. If we had PC's sitting here, then it would be much better.
Now, I am going to hit the "encrypt" button. Now, I am speaking to you encrypted. Can you hear me or do we need to adjust the
Senator Leahy. No; I can hear it.
Mr. Walker. We are getting feedback through the speaker system, I am afraid. Now, if I decided I didn't want you to hear what I was doing anymore, I could hit the "encrypt" button again. This is what you would hear if you had the wrong key. I will turn it off so that we don't have to do that again. This is the same thing that they talked to us about with the tape that they were playing where you hear the white noise.
Essentially, all I did was change the key that I am using, and you didn't know what the key was and so what you heard was noise. So if you were somewhere out on the net intercepting this, that is what you would get if we didn't have the same key.
Basically, that is the demo. It is that laptop computers can be used as telephones or as communications vehicles over the Internet or anywhere else on a routine basis. This stuff is available right now, and adding cryptography to it was fairly trivial. It took a day or so to find where to put it in here and then just take DES from anywhere in the world and plug it in. The effect on you and me hearing this is, in fact, no different when it is encrypted than when it is not.
I will turn mine off. You can turn it back on if you would like.
Senator Leahy. I hit "stop." I think I am off.
Mr. Walker. I can hear you now.
Senator Leahy. You can?
Mr. Walker. Yes.
Senator Leahy. Now, what do I do to turn this sucker off entirely?
Mr. Walker. You just hit the "stop" button and close the top. The point of this is not that there is any magic here; in fact, that there isn't any magic here.
Senator Leahy. But it also makes a point I asked earlier in the hearing of is it possible to just set this up with a commercial encryption program.
[Stephen T. Walker submitted the following materials:]
Prepared Statement of Stephen T. Walker
I am pleased to testify today about the concerns I share with many Americans about the Administration's Clipper Initiative and the negative impact that U.S. export control regulations on cryptography are having on U.S. national economic interests.
My name is Stephen T. Walker. I am the founder and President of Trusted Information Systems (TIS), Inc., an eleven year old firm with over 100 employees. With offices in Maryland, California, and England, TIS specializes in research, product development, and consulting in the fields of computer and communications security.
My background includes twenty-two years as an employee of the Department of Defense, the National Security Agency (NSA), the Advanced Research Projects Agency, and the Office of the Secretary of Defense. During my final three years in government, I was the Director of Information Systems for the Assistant Secretary of Defense for Communications, Command, Control, and Intelligence (C3I).
For the past three years, I have been a member of the Computer System Security and Privacy Advisory Board, chartered by Congress in the Computer Security Act of 1987 to advise the Executive and Legislative Branches on matters of national concern in computer security. In March 1992, the Board first called for a national review of the balance between the interests of law enforcement/national security and those of the public regarding the use of cryptography in the United States. The Board has been heavily involved in this review, receiving public input on the Administration's Clipper initiative, announced by the President on April 16, 1993, and reaffirmed on February 4, 1994. I am also a member of the National Institute of Standards and Technology's (NIST) Software Escrowed Encryption Working Group, which is examining the possibilities for alternatives to the Clipper key escrow system.
OVERVIEW
My testimony today will include my concerns with the Administration's Clipper key escrow program and U.S. Government's rigid control of the export of products containing cryptography in the face of growing worldwide availability and easy export of such products by other countries. In Summary:
I am opposed to key escrow cryptography as proposed in the Administration's Clipper Initiative.
I believe that any government procedure that is as potentially invasive of the privacy rights of American citizens as key escrow should only be imposed after careful Congressional consideration and passage of legislation by the Congress, which is signed into law by the President and determined to be Constitutional by the Supreme Court. In 1968, properly authorized government wiretaps of private citizens were legalized through this process. Government imposition of key escrow procedures deserves no less careful consideration.
I believe that most Americans would accept government-imposed key escrow if it was established by law and if the key escrow center was located in the Judicial Branch of government.
I am concerned that there is not a sound "business" case to support the Administration's assertion that key escrow will maintain law enforcement's ability to wiretap the communications of criminals. I fear that as presently being pursued, the Clipper Initiative will be an expensive program that will yield few if any results.
I am angered that the government's fixation on law enforcement and national security interests has delayed establishment of a Digital Signature Standard (DSS) for over twelve years and done considerable harm to the economic interests of the United States.
I am also opposed to the continued imposition by the U.S. Government of export controls on products and technologies employing cryptography that are routinely available throughout the world. The only effects these controls have are to deny U.S. citizens and businesses protection for their sensitive information from foreign and domestic industrial espionage and to place U.S. information system products at a disadvantage in the rapidly growing international marketplace.
A PATTERN OF ADMINISTRATION INITIATIVES
A number of recent Administration initiatives have heightened the concerns of many Americans:
• The digital telephony initiative, in which the government wants to ensure that it can always tap everyone's phone when it has the legal authority to do so,
• The Clipper key escrow initiative, in which the Administration wants to be sure that it can easily break the cryptography of American citizens when it has the legal authority to do so,
• The Digital Signature Standard non-initiative, in which the government has repeatedly, for twelve years, failed to achieve a basic technological capability that is widely acknowledged as being essential to electronic commerce, and
• The continued imposition of controls on the export of cryptographic products in spite of clear evidence of foreign availability of similar products and foreign governments' failure to impose similar export controls, and in contrast to the massive relaxation of export controls in other areas of high technology.
All of these activities, taken together, lead one to the ominous conclusion that the Administration's goal is to severely restrict the average American's ability to protect his or her sensitive information with the hope that in so doing, it will also restrict such capabilities of criminals, terrorists, and those opposed to the United States.
All of these initiatives are symptoms of the fundamental national dilemma we face of finding a proper balance between:
• The rights of private individuals and organizations to protect their own sensitive information and, in effect, our national economic interests and
• The needs of law enforcement and national security interests to be able to monitor the communications of our adversaries.
Until we can strike a reasonable balance between these basic needs, this debate will continue. Unfortunately, the Administration's position is focused solely on the interests of law enforcement and national security to the exclusion of the rights of private citizens and the nation's economic interests.
I believe that only the Congress can determine where a reasonable balance lies between Americans' right to privacy and our national security interests.
We can no longer afford to have this determination being made exclusively by the Executive Branch.
CLIPPER KEY ESCROW
I would like to begin by summarizing my concerns with the Administration's key escrow initiatives.
Law enforcement and national security communications interceptions are vital functions of a modern government. I support these functions and encourage their continuation.
But the sky will not fall if we do not have Clipper key escrow or if cryptographic export controls are relaxed to levels consistent with worldwide availability. Law enforcement as we know it will not end if a few wiretaps encounter encrypted communications. And the nation's ability to listen in to the communications of its adversaries will not end if some of those intercepts encounter increased use of cryptography.
They had better not end, because both law enforcement wiretaps and national security intercepts are going to encounter ever-increasing amounts of encrypted communications no matter what the Administration does or does not do.
We must understand and accept the growing availability of cryptography worldwide as a basic fact of life. The ever-widening availability of cryptographic technology in the U.S. and overseas will make it harder day by day to monitor the communications of our adversaries, no matter what measures the Administration may attempt to take. There are no magic solutions to this issue, which originates in the very same technological advances that we are all taking advantage of in our daily lives.
We must also understand that those same technological advances are creating greatly improved techniques for exhaustively checking the key space of cryptographic algorithms such as DES and for factoring large prime numbers. A design for a system that could exhaustively check the key space of DES in 3½ hours was described at a public conference on cryptography last Summer. A group at Bellcore recently announced they had factored a 129 digit number, a new high.
The concept put forward by some in government that if we do not have key escrow or if we allow export of DES products, all our intelligence operations will suddenly fail, is false. On the contrary, key escrow will never be more than a small side show in the world of cryptography and DES cryptography will continue its rapid growth worldwide whether the US allows its export or not. Our government will be much better served by focusing on techniques to defeat known algorithms rather than promoting new techniques that are highly unpopular in the US and abroad.
TECHNOLOGY SHIFTS THREATEN THE WIRETAP BALANCE
Since 1968, when the wiretap provisions of the Omnibus Crime Control and Safe Streets Act went into effect, we seem as a nation to have found a constructive balance between the needs of law enforcement to intercept communications of suspected criminals and the desire of the public for the perception of privacy in its communications. The apparent successes that law enforcement has achieved through legally authorized wiretaps against organized crime, coupled with the difficulties cited by law enforcement officials in obtaining them, and the steady rate of 800 or so per year over the past decade all indicate that we probably have achieved about as good a balance on this issue as we can ever get.
But now technological advances threaten to upset this balance. The ready availability of good quality cryptography in inexpensive phone devices threatens to make it easy for those criminals who recognize that they may be tapped to protect themselves. The AT&T announcement in September 1992 of a relatively cheap Telephone Security Device (TSD) that uses the Data Encryption Standard (DES) cryptographic algorithm to protect phone conversations apparently threw NSA and the FBI into high gear to find an alternative.
And bring on Clipper
What emerged from this was the Clipper initiative, the goal of which is to give the American public very good cryptography that could, if necessary, be readily decrypted by authorized law enforcement officials. A firestorm of protests then followed from virtually all segments of the American public and many of our friends overseas that government-imposed key escrow is not something that they want.
In the midst of the flood of protests over violations of civil liberties and infringements of the Bill of Rights that key escrow will cause and complaints about the use of a secret algorithm to protect unclassified information, several basic "laws" of the marketplace seem to have been overlooked. The Administration has never presented a "business plan" describing how Clipper will succeed in maintaining the ability of law enforcement to wiretap the phones of criminals. The lack of a fundamental understanding of how things work in a competitive marketplace shows up conspicuously throughout this story.
One of the first principles of business is to have your product ready for the market when the market is ready for it. In January 1993, following their September 1992 announcement, AT&T began shipping TSDs with DES. But pressure from the government apparently convinced AT&T to endorse the as yet unannounced Clipper program. So AT&T "loaned" the DES devices to their first customers with a promise that something "better" would be available in "April." And sure enough, on April 16, 1993, as the Administration announced Clipper, AT&T pledged its support.
Unfortunately, Clipper chips were not ready. So AT&T cooled its heels waiting for something to sell. Finally, in August 1993, AT&T quietly introduced another TSD that uses proprietary cryptographic algorithms, thus creating a major competitor for Clipper.
In effect, we have come full circle. In September 1992, the initial AT&T announcement was perceived by the government as a major threat to law enforcement. In August 1993, while waiting for Clipper chips, AT&T introduced a similar product that must represent a similar threat. AT&T is now selling both Clipper and non-Clipper TSDs in order to let the market decide which it wants.
What is the market for Clipper?
In any business venture, it is important to understand the potential market for a product and to determine if one's market penetration will be sufficient to achieve one's goals.
For it to maintain law enforcement's ability to wiretap, the Clipper initiative must achieve a reasonably high market penetration. The problem is that very few people today will want to buy a telephone security device, even if it costs $50 instead of over $1,000. Very few residential users will bother, and those who do will find few people to talk to. Businesses will buy telephone security devices for their executives to protect strategic business communications, but the vast bulk of routine business communications will go unprotected.
Today there are estimated to be over 500 million phones in residential and business use in the U.S. When asked how many TSDs AT&T expected to sell, one estimate was at least as many as the popular STU-III secure phones for use with classified information. There are approximately 250,000 STU-IIIs installed today.
Numbers like these represent a very reasonable business case for AT&T, but will they allow the Clipper program to achieve its goal of solving the law enforcement wiretap problem?
If the above estimates are correct, in a few years roughly five one-hundredths of one percent (0.05%) of America's phones will be protected by TSDs (250,000/500,000,000). Of course many of these will use the proprietary algorithm rather than Clipper. But we will optimistically assume that this percentage represents the situation with Clipper TSDs in five years.
Now if one analyzes the average number of court-authorized wiretaps over the past fifteen years, one can reasonably conclude that 1,000 such wiretaps per year would be a reasonable projection for the near future. One could further assume that each court-ordered wiretap results in as many as five actual phone taps. This leads to an estimate of 5,000 physical wiretaps per year. A typical cost for a wiretap operation not involving cryptography has been estimated at $50,000 to $60,000.
In the Administration's proposed key escrow plan, there will be two key escrow centers, one at NIST and one at Treasury, that, when fully operational, will be available 24 hours a day, seven days a week, year round. These will each require a staff of at least ten people at a labor cost of $1.5M per year. The non-labor costs of each center will be another $1.5M leading to a total annual cost for both centers of $6.0M.
No estimate exists for how much it has cost to develop and promote the Clipper initiative. In a business analysis, it would be important to amortize these costs over the expected value of the "product," but for now all we have to use is the estimated cost of operating the centers.
If Clipper TSDs represent 0.05% of the phones in America and there are 5,000 taps per year, then law enforcement officials can reasonably expect to encounter on average 2.5 Clipper key-escrowed phone taps per year, or one every 145 days. If the cost of the key escrow center operations is amortized over 2.5 calls per year, each key-escrowed wiretap will cost $2.45M ($50 K for wiretap and 2.4M for escrow center expenses). At $1,000 per TSD, 250,000 will cost the consumer $250M.
But suppose the STU-III equivalent estimate is far too conservative for sales of TSDs. If sales are 2.5 million devices (0.5% of all phones), this will lead to interception of approximately 25 key-escrowed phone calls per year, about one every fifteen days. If the key escrow centers' costs are amortized over 25 calls per year, each key-escrowed wiretap will cost $290,000 ($50 K for wiretap and $240K for escrow center expenses). If TSD prices fall in an expanded market to $500 per TSD, 2.5M devices will cost the consumer $1.25B.
If the demand for TSDs is truly enormous, reaching 5% of all phones in the U.S., one could expect about one key-escrowed wiretap every day and a half. In this case, the cost of a key-escrowed wiretap will rise to $74,000 ($50 K for wiretap and $24,000 for escrow center expenses). Only in this last case does any form of cost benefit tradeoff for the cost of a wiretap make sense. Even if prices were to fall to $100 per TSD, 25M will cost the consumer $2.5B.
Number of Clipper Telephone Security Devices:    250,000     2,500,000     25,000,000
Percent of U.S. phones:                          0.05%       0.5%          5%
Number of key escrow taps/yr:                    2.5         25            250
One call to key escrow center every:             145 days    15 days       1.5 days
Cost per escrowed key call:                      $2.4M       $240,000      $24,000
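The projection in the table reduces to a handful of parameters: the installed base of Clipper TSDs, the total number of U.S. phones, the number of physical wiretaps per year, and the annual budget of the two escrow centers. The Python below is an added worked example, not part of the testimony or any government document; it recomputes the table from the written statement's own figures, and lets the reader vary them. Two things are assumptions of this script rather than statements in the text: the `target_selection_factor` parameter, which quantifies the statement's later argument that phones likely to be tapped carry Clipper less often than the average phone (the statement names the effect but gives no number), and the `devices_for_overhead` inversion, which asks how large the installed base must be before the escrow overhead per call falls to a given figure. Setting `escrow_center_cost=16e6` reproduces the $6.4M and $64,000 escrow-overhead figures Mr. Walker gave orally rather than the $6.0M budget of the written statement; note also that 365/2.5 is 146 days, which the statement rounds to 145.

```python
"""Clipper key-escrow cost projection (added worked example, not from the testimony)."""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class EscrowScenario:
    """Parameters of the written statement's projection.

    Defaults are the statement's own figures. target_selection_factor is an
    ASSUMED knob (not quantified in the text): how much less likely a tapped
    phone is to carry a Clipper TSD than an average phone. 1.0 means tapped
    phones mirror the general population, which the statement calls optimistic.
    """
    clipper_devices: int
    us_phones: int = 500_000_000          # "over 500 million phones"
    physical_taps_per_year: int = 5_000   # ~1,000 court orders x ~5 taps each
    escrow_center_cost: float = 6.0e6     # both centers, per year (written statement)
    wiretap_cost: float = 50_000.0        # conventional tap, low end of $50-60K
    target_selection_factor: float = 1.0  # assumed; see class docstring

    @property
    def clipper_share(self) -> float:
        """Fraction of U.S. phones protected by Clipper TSDs."""
        return self.clipper_devices / self.us_phones

    @property
    def escrowed_taps_per_year(self) -> float:
        """Expected physical taps per year that land on a Clipper device."""
        return (self.physical_taps_per_year * self.clipper_share
                * self.target_selection_factor)

    @property
    def days_between_escrow_requests(self) -> float:
        taps = self.escrowed_taps_per_year
        return math.inf if taps == 0 else 365.0 / taps

    @property
    def escrow_overhead_per_call(self) -> float:
        """Escrow-center budget amortized over each escrowed tap."""
        taps = self.escrowed_taps_per_year
        return math.inf if taps == 0 else self.escrow_center_cost / taps

    @property
    def total_cost_per_escrowed_tap(self) -> float:
        return self.wiretap_cost + self.escrow_overhead_per_call

    def devices_for_overhead(self, max_overhead_per_call: float) -> float:
        """Installed base at which escrow overhead per call falls to the given
        figure (algebraic inverse of escrow_overhead_per_call; assumed analysis)."""
        return (self.escrow_center_cost * self.us_phones
                / (self.physical_taps_per_year * self.target_selection_factor
                   * max_overhead_per_call))


def projection_rows(device_counts: Iterable[int], **overrides) -> list[dict]:
    """Recompute the statement's table for each installed-base assumption."""
    rows = []
    for n in device_counts:
        s = EscrowScenario(clipper_devices=n, **overrides)
        rows.append({
            "devices": n,
            "share_pct": 100.0 * s.clipper_share,
            "escrowed_taps_per_year": s.escrowed_taps_per_year,
            "days_between": s.days_between_escrow_requests,
            "escrow_overhead": s.escrow_overhead_per_call,
            "cost_per_tap": s.total_cost_per_escrowed_tap,
        })
    return rows


if __name__ == "__main__":
    print(f"{'devices':>12} {'share':>7} {'taps/yr':>8} {'days':>7} "
          f"{'overhead':>12} {'per tap':>12}")
    for r in projection_rows([250_000, 2_500_000, 25_000_000]):
        print(f"{r['devices']:>12,} {r['share_pct']:>6.2f}% "
              f"{r['escrowed_taps_per_year']:>8.1f} {r['days_between']:>7.1f} "
              f"${r['escrow_overhead']:>11,.0f} ${r['cost_per_tap']:>11,.0f}")
    # Same 250,000 devices, but tapped phones assumed a tenth as likely to
    # carry Clipper as the average phone (illustrative factor, not from the text).
    s = EscrowScenario(250_000, target_selection_factor=0.1)
    print(f"self-selection 0.1: {s.escrowed_taps_per_year:.2f} taps/yr, "
          f"${s.escrow_overhead_per_call:,.0f} escrow overhead per call")
    # Installed base needed before escrow overhead equals one conventional tap.
    print(f"break-even with $50K tap: "
          f"{EscrowScenario(0).devices_for_overhead(50_000):,.0f} devices")
```

Running the script prints the three rows of the table and two extra lines: with the illustrative self-selection factor of 0.1, 250,000 devices yield 0.25 escrowed taps a year at roughly $24M of escrow overhead each, and the escrow overhead only drops to the price of a conventional $50K tap at an installed base of about 12 million devices, between the statement's second and third columns.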
This scenario assumes that the population of phones likely to be tapped is roughly the same as that of the general population. Unfortunately, this is unlikely to be true since, on one hand, the average criminal who doesn't realize he is likely to be tapped is unlikely to bother with any form of TSDs and so can be wiretapped using conventional means and, on the other hand, the "sophisticated" criminal, who understands what he may be up against, will almost certainly buy non-key escrowed TSDs. Under these circumstances, 2.5 key-escrowed calls per year is probably very optimistic.
Now there are those who say, "If only one of those calls is a World Trade Center bomb plot, it will all be worth it!" But the World Trade Center bombers went back for a deposit on the rental truck they blew up. If they are the types we are up against, they will not have enough sense to use a TSD. And as pointed out above, the sophisticated criminal will surely know enough to not buy a key-escrowed TSD.
A contradictory story has also been put forth that claims that the Administration never intended to catch criminals using key escrow. In this version, the intent was to introduce cryptographic capabilities that are substantially better than what is available now and to include key escrow to deny their use to criminals. If this is the "real" reason for Clipper, then the Administration must understand that they will never get any wiretap calls for key escrow. If so, one must anticipate that the extensive protections now being planned for the escrowed keys will diminish over time from disuse. If this happens, all those who bought the "stronger" encryption capability will then become vulnerable to trivial decryption.
The Administration has stated that its plan is to buy enough TSDs to flood the market, thus making them so cheap that everyone will buy them. Their plan for "flooding" the market is to buy 9,000 devices using funds confiscated from criminals. Such a purchase will have little effect either in achieving the installed base necessary for key escrow to work properly or in reducing the price to a level where the devices are pervasive.
Even if every factor in this analysis is slanted in favor of Clipper, it is difficult to see how this program is going to help law enforcement maintain its ability to wiretap criminals. Clipper is an expensive program for both the government and the consumer that shows little if any promise of achieving its goal.
International aspects of key escrow
The Administration has stated that Clipper systems with key escrow will be exportable. The question remaining to be answered is will anyone outside the U.S. be interested. In July 1992, NSA agreed that certain encryption algorithms that were limited to 40-bit key lengths could be exportable. But 40-bit key lengths are so weak that no one inside or outside the U.S. would want them. It is clear that foreign governments may want key escrow systems to allow them to monitor communications, but their citizens will generally share the concerns of most Americans.
It may be possible for governments to work out bilateral agreements to share escrowed keys (though little progress has been reported to date), but this will do nothing for the growing need of multinational companies to communicate with others across international boundaries. The international aspects of key escrow remain a thorny problem, which will defy solution for a long time.
The Capstone Tessera program
Apparently when AT&T announced its DES TSD in late 1992, NSA had already been working on a program called Capstone which was to provide good quality cryptography and key escrow for computer communications. Applying these techniques to telephones required only a stripped down Capstone, which came to be called Clipper.
Capstone is a key ingredient in a program to provide information security for the Defense Message System and other programs within the Department of Defense. It is also being pushed for a wide variety of other programs within the government including the IRS, Social Security, and even Congressional systems.
Providing good cryptographic protection in a computer communications environment is much more difficult than in a telephone context. The ease with which a user can manipulate his or her text either before passing it to the Capstone process or after it has been encrypted makes it very difficult to ensure the effectiveness of the result. Also, the technologies involved in the present implementations of the Skipjack algorithm, while sufficient for telephone and low speed computer communications, will not easily scale to meet the needs of high speed computer communications.
Because it uses a secret algorithm, Capstone and the products that use it will only be available in hardware implementations such as the NSA Tessera PCMCIA card. It has been suggested that if the interfaces that Tessera uses could be generalized so that other cryptographic algorithms could be implemented in compatible packages, the Tessera program could have a much greater market penetration.
The Government has stated that Tessera will be exportable. If such common cryptographic interfaces existed, mass market software vendors who support Tessera could integrate cryptographic functions into their applications without concern for export controls on their products and vendors within individual countries could build Tessera equivalent PCMCIA cards using alternative cryptographic algorithms. Such a development would provide a fundamental increase in the market for cryptographic products and thus increase the chances for market penetration of products such as Tessera. At this time, it is unclear whether NSA will choose to generalize the Tessera interfaces to allow cards with other algorithms to coexist.
Strengths of Clipper
I am convinced that Skipjack, the cryptographic algorithm in Clipper, is a very good algorithm. I also believe that procedures can be developed for protecting escrowed keys that will provide reasonable assurance that the keys will not be compromised under normal circumstances. I have known many of the people at NIST and NSA who have worked on this program for many years. I believe they are honest, well-intentioned people who are doing the best job they can to protect the interests of the law enforcement and national security communities.
My concerns are not with the strengths of this program or the integrity of the people who have put it together but with whether there is any practical chance that it will achieve its goals and whether the American people are ready for key escrow.
What should Congress do?
For any form of key escrow system to work, it must have the confidence of the American people. The Administration claims that it does not need legislation to impose key escrow, that it is operating entirely within the provisions of the wiretap statutes. This may be legally correct, but we should take lessons from the past on how to convince people to accept ideas that do not immediately seem to be in their best interests.
At least once before in modern times, the government was faced with convincing the American public to allow something that did not seem in the best interests of the average citizen, that is, to allow the government to wiretap phones. But in 1968, Congress passed and the President signed a law that established a balance on the wiretap issue that appears reasonable to most of us.
If key escrow is the vital answer to encrypted wiretaps as the Administration claims, we should follow the same process we did for authorizing wiretaps:
(1) Congressional debate,
(2) Passage of legislation,
(3) Presidential signature, and
(4) Judicial review.
This full process is necessary before the American people will accept key escrow. The only excuse for not doing this seems to be that the process will take too long. But the reaction to date indicates that by not taking the time for the legislative process, the Clipper program will be little more than a program the government imposes on itself.
I strongly recommend that the Administration propose legislation that would give key escrow the same legal standing as court-ordered wiretaps. If the Administration does not take this action soon, I believe the Congress should act on its own to review this concept and determine if key-escrowed communications should be imposed on the American people.
THE DIGITAL SIGNATURE NON-INITIATIVE
Key escrow is not the only instance in which the Administration has focused almost exclusively on the law enforcement and national security side of an important issue. In almost total contrast to the haste with which the Clipper initiative has proceeded, the government's efforts over the past decade to establish a digital signature standard, an essential tool in any form of electronic commerce, have failed miserably. The background of this incredible failure should be very embarrassing to someone, but it appears there are so many participants that no one needs to take the blame.
According to a recent GAO report, this odyssey began in the early 1980s when the National Bureau of Standards (NBS, now NIST) sought a public key encryption standard to complement the DES. No progress was made even though nearly everyone acknowledged the essential need for such a capability and that the technology necessary for it already existed in the RSA public key encryption algorithm among others.
In the 1988 hearings on the progress of the Computer Security Act, the Directors of NSA and NBS were pressured to get on with establishing a public key encryption standard. In the recently released, highly censored proceedings of the joint NSA-NBS Technical Working Group, the tortuous deliberations toward a DSS are evident. Despite the ready availability of technology such as RSA, which could have provided a DSS as early as 1982, the government persisted in seeking an alternative with limited capabilities.
In the House Subcommittee on Science hearing on Internet Security, March 22, 1994, Mr. Lynn McNulty, Associate Director of the NIST National Computer Systems Laboratory, testified that:
* * * our strategy * * * was to develop encryption technologies that did not do damage to the national security or law enforcement capabilities of this country. And our objective in developing the digital signature standard was to come out with a technology that did signatures and nothing else very well. It could not be used for either encryption or to provide key management or key distribution techniques for other symmetric encryption technologies.
With these constraints, the government placed itself in a very difficult situation that it has proceeded to make very much worse with time.
In August 1991, after considering at least four alternatives, NIST finally announced with much fanfare the selection of the Digital Signature Algorithm (DSA) for the DSS. NIST stated that this algorithm, patented by an NSA employee, would be royalty-free to all parties, an attractive offer since the use of RSA or other public key alternatives would require royalty payments to RSA Data Security, Inc., or Public Key Partners (PKP). A royalty-free signature algorithm was sufficiently attractive that many felt DSA could succeed against the already popular RSA algorithm.
The initial public comment period on the DSS selection brought mostly technical comments on the algorithm itself. Following this there was a long silent period during which NIST's only comment was that the lawyers were working on patent issues. It seems there was a German, Professor Doctor C.P. Schnorr, who had a U.S. patent that he claimed was infringed upon by the DSA. NIST visited Professor Doctor Schnorr seeking to work out the patent issues. Apparently PKP did also, because in early 1993, PKP told the government that they now had the rights to Professor Doctor Schnorr's patent and that use of DSA by the government would infringe upon their patent rights.
In order to resolve this problem, NIST announced in June 1993 that they intended to give PKP an exclusive license to the DSA. The U.S. Government would have free use of DSA, but everyone else, including foreign governments, would have to pay royalties to PKP. This situation was very different from the August 1991 proposal. Now the only advantage of DSA over its well-established rival RSA was gone. The government wanted DSA because it could not be easily used for functions other than digital signature. But the public and other governments could no longer perceive any advantage to DSA.
The public comments, including several from foreign governments, on this NIST licensing proposal were overwhelmingly negative. Again the government's lack of any sense of the impact of this on the marketplace was apparent. Another long period of silence by the government extended from late summer 1993 until early 1994.
Then on February 4, 1994, as part of the Clipper approval announcement, NIST stated that the exclusive licensing of DSA to PKP would not take place, and it was the government's intention that the DSA would be available to anyone free of royalties. When asked what the government would do now to make this possible, the response was they would either (1) continue trying to negotiate a deal with PKP, (2) take the process to courts to prove that DSA did not infringe upon PKP's patents, or (3) develop a new algorithm. There was, of course, no timetable for resolving these alternatives.
So now we are no better off than we were in mid-1991 or perhaps even 1982. But today there are major commercial activities that are using RSA as the basis for digital signatures and there are major government programs, such as the IRS modernization effort, that must have a digital signature capability to succeed. NIST's present advice to government programs in need of a digital signature capability is to do whatever they want.
Recalling Mr. McNulty's testimony from above, we have another example of the government's insistence that law enforcement and national security interests totally dominate those of the public and civilian government. The result is that a capability that could have been available as a government standard in 1982 and is now a de facto commercial world standard has been held back for twelve years, and there remains no real prospect for when this issue will be resolved.
What should Congress do?
Unfortunately, in this case it is difficult to suggest what the Congress can do.
It would be unusual but not out of the realm of possibilities for the Congress to mandate the use of an existing industry standard for digital signatures for all government programs involving electronic commerce. The clear failure of the Executive Branch to find a suitable alternative after twelve years of searching and the urgent needs of government and commercial interests to have a readily available means for signing electronic documents would justify such a step by the Congress.
EXPORT CONTROL OF CRYPTOGRAPHY
And there are other examples of how the government's dominant concern for national security and law enforcement capabilities has driven the U.S. down paths that harm our national economic interests.
Since the publication of the DES as a U.S. Federal Information Processing Standard (FIPS) in 1977, cryptography has shifted from the exclusive domain of governments to that of individuals and businesses. DES in both hardware and software implementations is a de facto international standard against which all other cryptographic algorithms are measured.
The controversy that arose as soon as DES was published concerning whether it had weaknesses that intelligence organizations could exploit fostered the highly fruitful academic research into public key cryptography in the late 1970s. Public key algorithms have the major advantage that the sender does not need to have established a previous secret key with the recipient for communications to begin. Public key algorithms, such as RSA, have become as popular and widely used as DES throughout the world for integrity, confidentiality, and key management.
Software Publishers Association study
The Administration has asserted that export controls are not harming U.S. economic interests because there are no foreign cryptographic products and programs
commercially available. Implementations of DES, RSA, and newer algorithms, such as the International Data Encryption Algorithm (IDEA), are available routinely on the Internet from sites all over the world. But according to the Administration, these do not count as commercial products.
In order to understand just how widespread cryptography is in the world, in May of 1993, the Software Publishers Association (SPA) commissioned a study of products employing cryptography within and outside the U.S. There was a significant amount of knowledge about specific products here and there, but no one had ever tried to assemble a comprehensive database with, where possible, verification of product availability. I reported the results of this survey in hearings before the Subcommittee on Economic Policy, Trade and Environment, Committee on Foreign Affairs, U.S. House of Representatives last October.
Information on new products continues to flow in daily. As of today:
• We have identified 340 foreign hardware, software, and combination products for text, file, and data encryption from 22 foreign countries: Argentina, Australia, Belgium, Canada, Denmark, Finland, France, Germany, Hong Kong, India, Ireland, Israel, Japan, the Netherlands, New Zealand, Norway, Russia, South Africa, Spain, Sweden, Switzerland, and the United Kingdom.
• Of these, 155 employ DES either in hardware or software.
• We have confirmed the availability of 70 foreign encryption software programs and kits that employ the DES algorithm. These are published by companies in Australia, Belgium, Canada, Denmark, Finland, Germany, Israel, the Netherlands, Russia, Sweden, Switzerland, and the United Kingdom.
• Some of these companies have distributors throughout the world, including in the U.S. One German company has distributors in 14 countries. One U.K. company has distributors in at least 13 countries.
• The programs for these DES software products are installed by the users inserting a floppy diskette; the kits enable encryption capabilities to be easily programmed into a variety of applications.
A complete listing of all confirmed products in the database is identified in Attachment 1.
As part of this survey, we have ordered and taken delivery on products containing DES software from the following countries: Australia, Denmark, Finland, Germany, Israel, Russia, and the United Kingdom.
Foreign customers increasingly recognize and are responding to the need to provide software-only encryption solutions. Although the foreign encryption market is still heavily weighted towards encryption hardware and hardware/software combinations, the market trend is towards software for reasons of cost, convenience, and space.
• On the domestic front, we have identified 423 products, of which 245 employ DES. Thus, at least 245 products are unable to be exported, except in very limited circumstances, to compete with the many available foreign products.
• In total, we have identified to date 763 cryptographic products, developed or distributed by a total of 366 companies (211 foreign, 155 domestic) in at least 33 countries.
DES is also widely available on the Internet, and the recently popularized Pretty Good Privacy encryption software program, which implements the IDEA encryption algorithm, also is widely available throughout the world.
The ineffectiveness of export controls is also evident in their inability to stop the spread of technology through piracy. The software industry has a multibillion dollar worldwide problem with software piracy. Mass market software is easy to duplicate and easy to ship via modem, suitcase, laptop, etc. Accordingly, domestic software products with encryption are easily available for export — through illegal but pervasive software piracy — to anyone who desires them.
Foreign customers who need data security now turn to foreign rather than U.S. sources to fulfill that need. As a result, the U.S. Government is succeeding only in crippling a vital American industry's exporting ability.
Frequently heard arguments
There are a series of arguments frequently heard to justify continued export control of cryptographic products.
The first argument is that such products are not available outside the U.S., so U.S. software and hardware developers are not hurt by export controls.
The statistics from the SPA survey prove that this argument is false!
A second argument is that even if products are available, they cannot be purchased worldwide.
Our experience with purchasing products indicates that this also is not true. We have found 462 companies in 33 foreign countries and the U.S. that are manufacturing, marketing, and/or distributing cryptographic products, most on a worldwide basis. The names of these companies are listed in Attachment 2.
All the products we ordered were shipped to us in the U.S. within a few days. The German products were sent to us directly from their U.S. distributors in Virginia and Connecticut, respectively. Our experience has been that if there is paperwork required by the governments in which these companies operate to approve cryptographic exports, it is minimal and results in essentially immediate approval for shipping to friendly countries.
A third argument frequently heard is that the products sold in other parts of the world are inferior to those available in the U.S.
We have purchased products from several sources throughout the world. We ordered DES-based PC file encryption programs for shipment using routine channels from:
• Algorithmic Research Limited (ARL), Israel
• Sophos Ltd., UK
• Cryptomathic A/S, Denmark
• CEInfosys GmbH, Germany
• uti-maco, Germany
• Elias Ltd., Russia (distributed through EngRus Software International, UK)
The products we obtained from these manufacturers and distributors were in every case first-rate implementations of DES. To better understand if foreign products are somehow inferior, we have examined several of these products to see if we can detect flaws or inherent weaknesses.
What we have found in our limited examination is that while these products generally use fully compliant DES implementations, they sometimes do not make use of all the facilities that might be available to them. The result is a full-strength DES product that is fully adequate for protecting commercial sensitive information but would not meet the strict requirements of a full national security product review.
Two examples of facilities that these products do not fully utilize are:
• Initialization Vector (IV) (data added to the beginning of text to be encrypted to ensure synchronization with the decryption process). Frequently, these simple file encryption products use the same IV every time. A product designed for protecting national security information would vary the IV each time.
• Key Generation: Frequently, these products use an encryption key derived from a string of text that is typed in by the user. Users may tend to use the same simple alphanumeric text strings to encrypt multiple files. A product designed for protecting national security information would generate a truly random encryption key, usually with each use.
It is important to note that there appears to be no difference between foreign and U.S. commercial products in the use of these simplifications.
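The following Go program is an added illustration of the two simplifications just described; it is not part of the testimony and not the code of any surveyed product. It encrypts two constructed memo files under single DES in CBC mode, first with a passphrase-derived key and the same IV every time, then with a random key and a fresh IV per use, and counts how many leading ciphertext blocks the two files have in common. The passphrase-to-key derivation (first 8 bytes of SHA-256) and the sample memos are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKeyFromText reproduces the weak practice the testimony describes: the DES
// key is a deterministic function of a user-typed string, so the same passphrase
// always yields the same key. The derivation itself (first 8 bytes of SHA-256) is
// a hypothetical stand-in, not any surveyed product's method.
func deriveKeyFromText(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:des.BlockSize]
}

// randomBlock draws one 8-byte block from the operating system CSPRNG.
func randomBlock() ([]byte, error) {
	b := make([]byte, des.BlockSize)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// randomKey and randomIV are the per-use random key and varying IV that the
// testimony attributes to products built for national security information.
func randomKey() ([]byte, error) { return randomBlock() }
func randomIV() ([]byte, error)  { return randomBlock() }

// pad appends PKCS#7 padding so the plaintext is a whole number of DES blocks.
func pad(p []byte) []byte {
	n := des.BlockSize - len(p)%des.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding, rejecting a malformed trailer.
func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%des.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// encryptCBC encrypts plaintext under single DES in CBC mode. The IV is written
// ahead of the ciphertext so the receiver can recover it.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != des.BlockSize {
		return nil, errors.New("IV must be exactly one DES block")
	}
	padded := pad(plaintext)
	out := make([]byte, des.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

// decryptCBC reverses encryptCBC.
func decryptCBC(key, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*des.BlockSize || len(data)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	iv, body := data[:des.BlockSize], data[des.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return unpad(plain)
}

// leadingEqualBlocks counts the leading ciphertext blocks (after the IV) that two
// outputs share. Under CBC with the same key and IV this equals the number of
// leading plaintext blocks the files share, so a fixed IV reveals to anyone who
// holds both files how much of their contents is identical.
func leadingEqualBlocks(a, b []byte) int {
	a, b = a[des.BlockSize:], b[des.BlockSize:]
	n := 0
	for (n+1)*des.BlockSize <= len(a) && (n+1)*des.BlockSize <= len(b) {
		s, e := n*des.BlockSize, (n+1)*des.BlockSize
		if !bytes.Equal(a[s:e], b[s:e]) {
			break
		}
		n++
	}
	return n
}

func main() {
	// Constructed sample files: two memos sharing the same 37-byte header.
	memo1 := []byte("MEMO TO: Board of Directors\nSubject: Q1 results are in")
	memo2 := []byte("MEMO TO: Board of Directors\nSubject: plant closure")

	// Weak configuration: passphrase-derived key and the same (all-zero) IV every time.
	weakKey := deriveKeyFromText("password1")
	fixedIV := make([]byte, des.BlockSize)
	c1, _ := encryptCBC(weakKey, fixedIV, memo1)
	c2, _ := encryptCBC(weakKey, fixedIV, memo2)
	fmt.Printf("fixed IV:   %d leading ciphertext blocks identical\n", leadingEqualBlocks(c1, c2))

	// Stronger configuration: random key and a fresh IV for each file.
	strongKey, _ := randomKey()
	iv1, _ := randomIV()
	iv2, _ := randomIV()
	d1, _ := encryptCBC(strongKey, iv1, memo1)
	d2, _ := encryptCBC(strongKey, iv2, memo2)
	fmt.Printf("random IVs: %d leading ciphertext blocks identical\n", leadingEqualBlocks(d1, d2))
}
```

With the fixed IV the first four ciphertext blocks of the two memos match exactly (37 shared header bytes cover four whole 8-byte blocks); with fresh IVs no block matches, even though the key and plaintext headers are the same.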
A fourth frequently heard argument is that many countries have import restrictions that would prevent U.S. exports even if the U.S. relaxed its export controls.
While our survey has focused on the ease of importing products into the U.S., we have noted that many of the companies in our survey have distributors throughout the world. There may be countries that restrict imports of cryptography just as there may be those that restrict internal use of cryptography. But we are unaware of any countries in this category.
Other countries have relaxed export controls
Our survey results also point to a much more ominous finding! Apparently the controls imposed by the U.S. Government on export of cryptographic products from the U.S. are far more restrictive than those imposed by most other countries, including our major allies. The effect of this most unfortunate situation is to cripple U.S. industry while our friends overseas appear to be free to export as they wish.
The U.S. imposes very strict rules on the export of cryptographic products. In general, applications for the export of products that use DES will be denied even to friendly countries unless they are for financial uses or for U.S. subsidiaries. We have been told repeatedly by the U.S. Government that other countries such as the United Kingdom and Germany have the same export restrictions that the U.S. does.
But our experiences with the actual purchases of cryptographic products show a very different picture.
We know that companies in Australia, Denmark, Germany, Israel, South Africa, Sweden, Switzerland, and the United Kingdom are freely shipping DES products to the U.S. and presumably elsewhere in the world with no more than a few days of government export control delay, if any. Sometimes the claim is that they "have to fill out some papers," but it's no big problem. In Australia, we are told, the exporting company must get a certificate that the destination country does not repress its citizens. Many countries allow shipment so long as it is not to former CoCom restricted countries (the former Soviet block and countries that support terrorism).
Our experience with these purchases has demonstrated conclusively that U.S. business is at a severe disadvantage in attempting to sell products to the world market. If our competitors overseas can routinely ship to most places in the world within days and we must go through time-consuming and onerous procedures with the most likely outcome being denial of the export request, we might as well not even try. And that is exactly what many U.S. companies have decided.
And please be certain to understand that we are not talking about a few isolated products involving encryption. More and more we are talking about major information processing applications like word processors, databases, electronic mail packages, and integrated software systems that must use cryptography to provide even the most basic level of security being demanded by multinational companies.
Demonstrations of available cryptographic products
We have before us today several examples of cryptographic products that were lawfully obtained in the United States from foreign vendors:
• AR DISKrete: produced by Algorithmic Research Limited (ARL), Israel. Uses DES disk/file encryption to provide PC security and access control.
• EDS: produced by Sophos Ltd., UK. DES-based PC file encryption package.
• F2F (File-to-File): produced by Cryptomathic A/S, Denmark. DES-based PC file encryption utility.
• Softcrypt: produced by CEInfosys GmbH, Germany. DES-based PC file encryption utility.
• SAFE-GUARD Easy: produced by uti-maco, Germany. DES-based PC file encryption utility.
• EXCELLENCE for DOS: produced by Elias Ltd., Russia; distributed through EngRus Software International, UK. GOST-based (Russian DES equivalent) PC file encryption utility.
In addition to these products, we have the complete set of notebooks of product literature we have gathered to confirm the information in our worldwide survey of cryptographic products.
We also have a demonstration of the power of the digital revolution and the impact it will have on all our communications in the future. Traditionally, when we think of voice communications, we think of the telephone in its many forms (desk, cordless, cellular, car). However, many modern computer workstations now have the ability to carry voice as well as other multimedia communications. Routinely today on the Internet, voice conferences are held over packet switched communications networks.
Today we have a demonstration using two off-the-shelf Apple Macintosh PowerBooks that come with both speakers and microphones that enable software programs such as Talker from 2 Way Computing, Inc., of San Diego, CA, to transform a laptop computer into a telephone.
With this laptop computer telephone, it is easy to protect phone conversations from eavesdroppers. Since all the telephone functions are performed in software, it is trivial to add an encryption algorithm, such as the DES, to the software and provide good quality encryption to the digitized speech.
Export control of information in the public domain
The U.S. International Trade in Arms Regulations (ITAR) govern what products can and cannot be subjected to export controls. These regulations clearly define a set of conditions in which information considered to be in the "public domain" can not be subject to controls. In the ITAR itself, public domain is defined as information that is published and that is generally accessible or available to the public:
• Through sales at bookstores,
• At libraries,
• Through patents available at the patent office, and
• Through public release in any form after approval by the cognizant U.S. Government department or agency.
The Data Encryption Standard has been openly published as a Federal Information Processing Standard by the U.S. Government since 1977. Implementations of it in hardware and software are routinely available in the U.S. and throughout the world. Publication of software programs containing DES in paper form are permitted because of the First Amendment in the Bill of Rights. But the export of DES as hardware or software remains subject to export control despite its clearly being in the public domain.
One frustrating and somewhat humorous result of this situation occurred recently when NIST published a FIPS that contained source code for DES. In paper form, the Automated Password Generation Standard, FIPS 181, is acceptable for worldwide dissemination. But when NIST made the FIPS available over the Internet without an export restriction notice, it was immediately copied by computers in Denmark, the UK, and Taiwan. When it was pointed out that NIST's actions were in apparent violation of the ITARs, they quickly moved the file to a new directory with an appropriate export prohibition notice. Now FIPS 181 is available from hosts throughout the world along with the notice that export from the U.S. is in violation of U.S. export control laws.
NIST "exported" source code for DES with apparent immunity. Phil Zimmerman is still being investigated by the U.S. government and facing a four year imprisonment for allegedly doing nothing more.
Unfortunately, U.S. companies are not allowed to treat the export of DES in quite so simple a manner. As discussed earlier, DES is routinely available anywhere in the world. It meets the definition of "in the public domain" on numerous levels. And yet U.S. companies are prevented from exporting it other than to Canada. This situation is yet another example of the inconsistencies of U.S. export control policies.
Industrywide experiences
Some companies do try to compete and offer excellent DES-based products in the U.S. But because of the export restrictions, they must develop weaker versions for export if they wish to pursue foreign markets. Many companies forgo the business rather than spend extra money to develop another inferior product that cannot compete with products widely available in the market.
The government already has a measure of lost sales and dissatisfied customers in the number of State Department/NSA export license applications denied, modified, or withdrawn. However, it is impossible to estimate accurately the full extent of lost sales. Many potential customers know that U.S. companies cannot meet their demand and thus no longer require. Conversely, most major companies have given up even trying to get export approvals for DES to meet customer demand.
One U.S. company, Semaphore Communications Corporation, that makes products using DES encryption has provided the following comments on their recent experiences (quoted from a letter dated 4/20/94 to Stephen T. Walker from William Ferguson of Semaphore):
As a small company with limited resources, we have chosen to get an assessment directly from the NSA prior to investing too many resources in pursuing the situations, as the NSA Export Office is the ultimate authority on whether any export license will be granted; or the U.S. companies with familiarity of the export regulations have advised us of their position before we invested too many resources.
The recent short-list of opportunities include:
1. NATO: order placed by SHAPE Technical Centre in 11/93 as precursor of NATO-wide security plan; pre-order query to State Dept. gave verbal approval as shipment was to an APO address: on submitting license application, NSA denied permission to ship. NATO officials are currently trying to get permission from NSA, but have thus far been denied.
2. Hong Kong Immigration Department: project to secure network communications for all department sites with fully redundant scheme: sought ruling before bidding in partnership with AT&T; denied 4/93. All competitors bid Racal; as a British company they had no restrictions.
3. Norway Telecom: planning secure network for government and financial users using single solution: sought ruling before bidding; told use sounded too general and export office would have difficulty approving. 10/93.
4. Dutch National Police computer network: application to secure entire national data network: advised would not be granted permission when seeking pre-bid ruling, 11/93. Attempted to have our application viewed in same context as open license granted to DEC and IBM for similar equipment, but advised would need letters from all Dutch government agency department heads for any consideration. This effort would have required more than three months of effort by company executive located in Holland. Deemed too expensive for only one project.
5. Michelin: seeking solution to secure global network including all US-based, ex-Firestone facilities: when advised of export restrictions, Michelin rejected US-based technology to seek other solution; 4/93.
6. Volkswagen: in planning of security strategy for global networks; solicited bid: rejected US-based technology when informed of export regulations, 2/93.
7. Boeing: one of largest global users of secure communications: advised Boeing didn't want to have to deal with export regulations for meeting needs: continues to buy Racal products to avoid U.S. regulations. Continue to try to sell, but have met with resistance for procurements 10/92, 4/93, 11/93. Volume would be very high as Boeing took delivery of 800 routers in 1993, and our equipment would have 1:1 relationship. Boeing now in another review cycle.
8. GE: has major program in planning to secure global networks: diverse ownership in many locations has GE seeking foreign solutions for global uniformity.
9. Swiss National Justice and Police Department: project to connect all police and court locations in country: advised by NSA that approval would be hard to justify based on fact that it was Switzerland, 4/94.
10. Thomsen CSF: seeking technology partner for next generation of Thomsen products: sought out Semaphore as Thomsen technology group finds our technology to be far ahead of any other global options, and wanted to have fast time-to-market: NSA suggested we discontinue further discussions, 4/94.
11. Sikorsky: advised permission would not be granted for equipment at foreign joint-venture partners for new commercial helicopter venture, 3/94. Revisited with another NSA export official in 4/94, and advised that license might be granted if use was to principal benefit of a USA company. No firm commitment until license application is submitted as one location is in Japan.
12. Glaxo Pharmaceutical: world's largest pharmaceutical company has global requirement to secure testing and development data: will seek other solutions as Semaphore cannot deliver to other global locations, 2/94.
13. Pillsbury: has strategy to secure global networks: as owned by UK-based Grand Metropolitan, will seek other solutions which can be shipped to all global locations, 11/93.
The total value for all of these opportunities is estimated to be in the range of $30 to $50 million based on the preliminary estimates of the projects.
You have Semaphore's permission to submit this information with your testimony before the Congress.
Gauging the extent of economic harm industrywide is an inherently difficult task because most companies do not want to reveal that sort of information. Consequently what exists, with the exception of statements like that from Semaphore, is mostly anecdotal information. But the accumulation of anecdotal information collected by the SPA paints a picture of three ways in which the export controls on cryptographic products are hurting American high-tech industry.
(1) Loss of business directly related to cryptographic products: First, for many data security companies, every sale is vital, and the loss of contracts smaller than $1 million can often mean the difference between life and death for these companies. The confusion and uncertainty associated with export controls on encryption generate severe problems for small firms, but not as severe as the loss of business they suffer from anti-competitive export controls. Examples abound:
• One U.S. company reported loss of revenues equal to a third of its current total revenues because export controls on DES-based encryption closed off a market when its customer, a foreign government, privatized the function for which the encryption was used, and the U.S. company was not permitted to sell to the private foreign firm. The company estimates it loses millions of dollars a year because it receives substantial orders every month from various European customers but cannot fill them because of export controls.
• One small firm could not sell to a European company because that company sold to clients other than financial institutions (for which export controls grant an exception). Later, the software firm received reports of sales of pirated copies of its software. This constituted the loss of a $400,000 contract for the small U.S. software firm.
• Because of existing export restrictions, an American company recently found itself unable to export a mass market software program that provided encryption using Canadian technology based on a Japanese algorithm. Yet other European and Japanese companies are selling competing products worldwide using the same Canadian technology.
• An SPA member's product manager in Europe reported the likely loss of at least 50% of its business among European financial institutions, defense industries, telecommunications companies, and government agencies if present restrictions on key size are not lifted.
• Yet another SPA member company reported the potential loss of a substantial portion of its international business if it cannot commit to provide DES in its programs.
• A German firm that opened a subsidiary in the U.S. sought a single source encryption software product for both its German and U.S. sites. A U.S. data security firm that bid for the contract lost the business because U.S. export controls required that the German firm would have to wait approximately six months while a license was processed to sell them software with encryption for foreign application. The license could only be for one to three years, the three year license being more expensive. Consequently, the German firm ended up purchasing a DES-based system from another German company, and the U.S. firm lost the business.
• A foreign government selected one software company's data security product as that government's security standard. The company's application to export the DES version was denied, and as a consequence the order was lost. This cost the company a $400,000 order and untold millions in future business.
(2) Loss of business from U.S. companies with international concerns: Second, multinational corporations (MNCs) are a prime source of business in the expanding international market for encryption products. Many U.S.-based firms have foreign subsidiaries or operations that do not meet export requirements. While U.S. products may be competitive in the U.S., many MNCs obtain from foreign sources encryption systems that will be compatible with the company's worldwide operations. Moreover, foreign MNCs cannot rely on the availability of U.S. products and have been known to import foreign cryptography for use in their U.S. operations.
• One U.S. firm reports the loss of business from foreign MNCs that will not integrate the company's products into their U.S. operations because of the export restrictions that would prevent them from being compatible with their domestic operations.
• The Computer Business Equipment Manufacturers Association reports that one of its members was denied an export license and lost a $60 million sale of network controllers and software for encryption of financial transactions when the Western European customer could not ensure that encryption would be limited to financial transactions.
(3) Loss of business where cryptography is part of a system: Third, encryption systems are frequently sold as a component of a larger system. These "leveraged" sales offer encryption as a vital component of a broad system. Yet the encryption feature is the primary feature for determining exportability. Because of the export restrictions, U.S. firms are losing the business not just for the encryption product but for the entire system because of the restrictions on one component of it.
• One data security firm has estimated that export restrictions constrain its market opportunities by two-thirds. Despite its superior system, it has been unable to respond to requests from NATO, the Swedish PTT, and British telecommunications companies because it cannot export the encryption they demand. This has cost the company millions in foregone business.
• One major computer company lost two sales in Western Europe within the last 12 months totaling approximately $80 million because the file and data encryption in the integrated system was not exportable.
One possible solution to the problem of export controls may be for U.S. companies to relocate overseas. Some U.S. firms have considered moving their operations overseas and developing their technology there to avoid U.S. export restrictions. Thus, when a U.S. company with technology that is clearly in demand is kept from exporting that technology, it may be forced to export jobs instead.
How are U.S. citizens and businesses being affected by all this?
The answer to this question is painfully simple. When U.S. industry forgoes the opportunity to produce products that integrate good security practices, such as cryptography, into their products because they cannot export those products to their overseas markets, U.S. users (individuals, companies, and government agencies) are denied access to the basic tools they need to protect their own sensitive information.
The U.S. Government does not have the authority to regulate the use of cryptography within this country. But if through strict control of exports they can deter industry from building products that effectively employ cryptography, then they have achieved a very effective form of internal use control. You and I do not have good cryptography available to us in the word processors and data base management and spreadsheet systems even though there is no law against our use of cryptography. If we want to encrypt our sensitive information, we must search out special products that usually must be used separately from our main workstation applications. This is a very effective form of internal use control, and it makes all levels of U.S. industry vulnerable to foreign and domestic industrial espionage.
And Clipper, as presently being implemented, does nothing to help this problem.
What should Congress do?
In this case, Congress is already doing something! Last November, Representative Maria Cantwell introduced HR 3627, a bill that would shift export control of mass market software products, including those with cryptography, from the Department of State to the Department of Commerce, thus allowing them to be treated as normal commodities instead of munitions. This bill should be considered as part of Chairman Gejdenson's overall bill to reform export controls. In the Senate, the Murray-Bennett initiative, S 1846, to reform export controls has a similar objective.
Legislation such as HR 3627 and S 1846 must be passed as soon as possible to balance the national economic interests against those of law enforcement and national security.
SUMMARY
On Clipper key escrow
In addition to all the concerns about civil liberties and the use of classified cryptography to protect unclassified information, there are very real concerns about whether Clipper will really help law enforcement deal with the emergence of encrypted phone and data traffic. The Administration needs to come forth with some form of business plan for how it expects this program to succeed in the marketplace.
The imposition of a technology as potentially invasive of Americans' right to privacy should not occur merely by executive edict but rather as the result of careful consideration and passage of legislation by the Congress and by being signed into law by the President and determined to be Constitutional by the Supreme Court. Only when this has been completed will most Americans accept key escrow. Only then will Clipper key escrow have a chance of succeeding.
If the Administration does not take immediate steps to introduce legislation defining the role of key escrow in the U.S., Congress must take decisive steps to do so itself.
The digital signature standard
The continuing failure of the U.S. Government to promulgate a Digital Signature Standard after twelve years of trying is a national economic tragedy. The world of electronic commerce could have been well along by now instead of just getting started had a standard been established even a few years ago. Those in government who think they are making great strides with the National Performance Review and the National Information Infrastructure will soon realize that until there is an effective DSS, their efforts will be of very limited success.
Make no mistake about it, the reason we have no DSS is because the national security and law enforcement interests in the U.S. have stymied all attempts to approve the logical worldwide de facto standard, and they have not been able to come up with an alternative. And it does not appear that they will succeed in identifying one any time in the near future.
Congress is well justified in taking the extraordinary step of naming a Digital Signature Standard based on the worldwide commercial choice. Congress has an obligation to the American people to allow the U.S. to enter the world of electronic commerce before the 21st century. It truly appears that we may never have a DSS otherwise.
On export control of cryptography
The widespread availability of cryptography throughout the world and the ease with which other countries, including our closest allies, allow the export of cryptography to the U.S. and elsewhere make it imperative that our U.S. Government's regulation of cryptographic exports move out of the Cold War. Export controls have been relaxed on every other form of high tech computer and communications technology. Continuation of cryptography export controls is only hurting American citizens and businesses.
Law enforcement and national security interests will continue to encounter ever-growing amounts of encrypted communications no matter how many restrictive steps the Administration attempts to take. We must realize this basic fact of technology advancement and stop hamstringing U.S. national economic interests in the hope that we are helping our national security interests.
It is evident from the Administration's refusal to relax cryptographic export policies during the Clipper Interagency Review that the Executive Branch is going to continue to emphasize the interests of national security and law enforcement over our national economic interests until we become a third-rate economic power.
Only the Congress can take the steps to balance the interests of American citizens and businesses against that immovable force. I strongly support the Cantwell Bill, HR 3627, and the Murray-Bennett initiative, S 1846.
On a national policy on cryptography
All of these concerns reflect the dilemma between the interests of private citizens and businesses in the U.S. to protect their sensitive information and the interests of law enforcement and national security to be able to monitor the communications of our adversaries.
We need a national statement of policy in this country defining what "rights" individuals and the government can expect in the use of cryptography. Such a policy might ban the use of cryptography by private citizens or remove all restrictions on cryptography exports. More likely, it will seek a compromise to balance our national economic and security interests. One example of such policy is:
"Good cryptography" shall be available to U.S. citizens and businesses without government restriction.
"Good cryptography" is defined as that which is commonly available throughout the world, presently the Data Encryption Standard and RSA public key cryptography with a 1024-bit modulus.
"Without government restriction" means without export control or other government regulation.
The Administration must understand that until a fair and open review of such a national policy is completed, the struggle over the control of cryptography will not go away.
The Congress can and must play a pivotal role in resolving this dilemma. I strongly urge members of Congress to find a resolution of this issue before our economic interests are surrendered in the interests of law enforcement and national security.
ATTACHMENT 1
[Attachment 1 is a scanned table; its contents did not survive extraction and are not reproduced here.]
ATTACHMENT 2
COMPANIES MANUFACTURING AND/OR DISTRIBUTING CRYPTOGRAPHIC PRODUCTS WORLDWIDE
From the Software Publishers Association survey of cryptographic products as of April 25, 1994.
ARGENTINA
Newnet S.A.
AUSTRALIA
Cybanim Pty Ltd.
Datamatic Pty Ltd.
Eracom Pty Ltd.
Eric Young
Loadplan Australasia Pty Ltd.
LUCENT
News Datacom
Randata
Robust Software
Ross Williams
Sagem Australasia Pty Ltd.
TRAC Systems
Tracom
AUSTRIA
Schrack-Dat
BAHRAIN
International Information Systems
BELGIUM
Cryptech NV/SA
GSA
Ran Data Europe
Highware, Inc.
UninaSA
Vector
CANADA
A.B. Data Sales, Inc.
Concord-Eracom Computer Ltd.
Isolation Systems
Mobius Encryption Technologies
Newbridge Microsystems
Northern Telecom Canada Limited
Okiok Data
Paradyne Canada Ltd.
Secured Communication Canada 93, Inc.
DENMARK
Aarhus University, Computer Science Department
CryptoMathic
GN Datacom
Iversen & Martens A/S
LSI Logic/Dataco AS
Swanholm Computing A/S
FINLAND
Antti Louko
Ascom Fintel OY
Instrumentointi OY
FRANCE
Atlantis
CCETT
CSEE - Division Communication et Informatique
CSIL
Cryptech France
Dassault Automatismes et Telecommunications
Digital Equipment Corporation (DEC), Paris Research Lab
Incaa France S.A.R.L.
LAAS
Philips Communication Systems
Rast Electronics
S.A. Gretag
Sagem
Smart Diskette
Societe Sagem
GERMANY
AR Datensicherungssysteme GmbH
CCI
CE Infosys GmbH
Concord-Eracom Computer GmbH
Controlware GmbH
Data Safe
Dynatech-Gesellschaft für Datenverarbeitung GmbH
EuroCom EDV
FAST Electronic
Gliss & Herweg
GMD
Gretag Elektronik GmbH
KryptoKom
Markt & Technik Software Partners Intl. GmbH
Paradyne GmbH
Siemens
Smart Diskette GmbH
Tela Versicherung
Tele Security Timmann
Telenet Kommunication
The Compatibility Box GmbH
Tulip Computers
uti-MACO GmbH
GREECE
G.J. Messaritis & Co. Ltd.
ORCO Ltd.
HONG KONG
News Datacom
Triple D Ltd.
INDIA
Chenab Info Technology
IRELAND
Eurologic Systems, Ltd.
Renaissance Contingency Services, Ltd.
Shamus Software Ltd.
ISRAEL
Algorithmic Research Ltd.
ELYASIM
News Datacom
TADIRAN
ITALY
Incaa SRL
Olivetti
Ratio Srl
Telvox s.a.s.
Unlautomation
JAPAN
Fujitsu Labs Ltd.
Japan's National Defense Academy
Paradyne Japan, KK
Yokohama National University
LUXEMBOURG
Telindus SA
MALTA
Shireburn Co. Ltd.
NETHERLANDS
Ad Infinitum Programs (AIP-NL)
CRYPSYS Data Security
Concord Eracom Nederland BV
Cryptech Nederland
DigiCash
DSP International
Geveke Electronics BV
Incaa Datacom BV
Incaa Nederland BV
Repko BV Datacomms
Verspeck & Socters BV
NEW ZEALAND
LUC Encryption Technology, Ltd. (LUCENT)
Peter Gutmann
Peter Smith and Michael Lennon
NORWAY
BDC Bergen Data Consulting A/S
Ericsson Semafor
PDI
Scand PC Sys/Sectra
Skanditek A/S
UMISA
POLAND
SOFT-u.l.
PORTUGAL
Infonova
Redislogar SA
RUSSIA
Askri
DKL Ltd.
Elias Ltd.
LAN Crypto
RESCrypto
ScanTech
TELECRYPT Ltd.
SAUDI ARABIA
Info Guard Saudi Arabia
SINGAPORE
Communications Systems Engineering Pty. Ltd.
Digitus Computer Systems
SOUTH AFRICA
BSS (Pty) Ltd.
Computer Security Associates
EFT
InfoPlan - Division of Denel P/L
Intelligent
Nanoteq
Net One
Siemens Ltd.
Spescom
Technetics
SPAIN
Asociacion Espanola de Empresas de Informatica
Asociacion Nacional de Industrias Electronicas
Redislogar Comunicaciones SA
SECARTYS
Sinutec
Tecnitrade Int. SA
SWEDEN
AV System Infocard
Ardy Elektronics
Au-System Infocard AB
COST Computer Security Technologies International
DynaSoft
QA Informatik AB
SONOR Crypto AB
SecuriCrypto AB
Stig Ostholm
Tomas Tesch AB
SWITZERLAND
ASCOM Tech AG
Brown-Boveri
Crypto AG
ETH Zurich
Ete-Hager AG
Gretag AG
Incaa Datacom AG
Info Guard AG
Omnisec AG
Organs Safeware
UK
Aiitech Computer Security
British Telecom
Business Simulations
Cambridge Electric Industries
Codepoint Systems Ltd.
Compserve Ltd.
Compserve Ltd.
Computer Associates
Computer Security Ltd.
Cylink Ltd.
Data Innovation Ltd.
DataSoft International Ltd.
Datamedia Corporation, Ltd.
Digital Crypto
Dynatech Communications Ltd. (Northern Office)
Dynatech Communication Ltd.
EngRus
Fulcrum Communications
GEC-Marconi Secure Systems
Gelosia
Global CIS Ltd.
Gretag Ltd.
Honeywell
IT Security International
ITV
Incaa UK
Interconnections
International Data Security
International Software Management
J.R. Ward Computers Ltd.
JPY Associates
Jaguar Communications Ltd.
Janus Sovereign
Loadplan
Logica UK
Marconi
Microft Technology Inc.
Micronyx UK Ltd.
Micronyx UK Ltd.
Network Systems
News Datacom
Northern Telecom Europe Limited
PC Security Ltd.
PPCP
Paradyne European Headquarters
Plessy Crypto
Plus 5 Engineering Ltd.
Prosoft Ltd.
Protection Systems Ltd.
Racal
Racal Milgo
Radius
S&S International
Shareware plc
Sington Associates
Smart Diskette UK
Smith's Associates
Softdiskette
Sophos Ltd.
Stralfors Data
Sygnus Data Communications
The Software Forge Ltd.
Time & Data Systems
Tricom
University College London
Widney Ash
Zergo
Zeta Communications Ltd.
USA
3COM Corp.
ADT Security Systems
AO Electronics
AOS
ASC Systems
ASD Software Inc.
ASP
AST Research
AT&T
AT&T Bell Laboratories
AT&T Datotek Inc.
Access Data Recovery
Advanced Computer Security Concepts
Advanced Encryption Systems
Advanced Information Systems
Advanced Micro Devices, Inc. (AMD)
Aladdin Software Security
American Computer Security
Anagram Laboratories USA
Applied Software Inc.
Arkansas Systems, Inc.
Ashton Tate
BCC
BLOC Development Corporation
Banyan
Bi-Hex Co.
Borland
Braintree Technology
Burroughs
CE Infosys of America, Inc.
Casady and Greene
Centel Federal Systems Inc.
Central Point Software
Certus International
Cettlaji Corp.
Chase Manhattan Bank, N.A.
Clarion
Codex Corp.
Collins Telecommunications Products Division
Command SW Systems
Comracrypt
Communication Devices Inc.
Complan
Computer Associates International, Inc.
Contemporary Cybernetics
Cryptall
Cryptech
Cryptex/Gretag Ltd.
Cylink Corp.
Cypher Comms Technology
DSC Communications
DataBase International
Datakey Inc.
Datamedia Corporation
Datamedia Corp. (DC Area)
Datawatch, Triangle Software Division
Datotek, Inc.
Dell Computer
Digital Delivery, Inc.
Digital Enterprises Inc.
Digital Equipment Corporation (DEC)
Digital Pathways
Docutel/Olivetti Corp.
Dolphin Software
Dowty Network Systems
ELIASHIM Microcomputers Inc.
EMUCOM
Enigma Logic, Inc.
Enterprise Solutions Ltd.
Fairchild Semiconductor
Fifth Generation Systems, Inc.
Fischer International
Front Line Software
GN Telematic Inc.
GTE Sylvania
Gemplus Card International
General Electric Company
Glenco Engineering
HYDELCO, Inc.
Hawk Technologies Inc. USA
Hawkeye Grafix, Inc.
Hilgraeve, Inc.
Hughes Aircraft Company
Hughes Data Systems Inc.
Hughes Network Systems - California
Hughes Network Systems - Maryland
Hybrid Communications
INFOSAFE
Incaa Inc.
Info Resource Engineering
Info Security Systems
Information Conversion Services
Information Security Associates, Inc.
Information Security Corp.
Innovative Communications Technologies, Inc.
Intel
International Business Machines (IBM)
Inter-Tech Corp.
Isolation Systems, Inc.
Isolation Systems, Inc.
John E. Holt and Associates
Jones Futurex, Inc.
Kensington Microware Ltd.
Kent Marsh Ltd.
Key Concepts
Kinetic Corp.
LUCENT
Lassen Software, Inc.
Lattice Inc.
Lexicon, ICOT Corporation
Litronic Industries (Information Systems Division)
Litronic Industries (Virginia)
Lotus
MCTel
Maedac Enterprises
Magna
Mark Riordan
Massachusetts Institute of Technology
Matsushita Electronic Components Co.
Mergent International
Micanopy MicroSystems Inc.
Micro Card Technologies, Inc.
Micro Security Systems Inc.
MicroFrame Inc.
Microcom Inc. (Utilities Product Group)
MicroLink Technologies Inc.
Micronyx
Microrim
Microsoft
Mika, L.P.
Mike Ingle
Morning Star Technologies
Morse Security Group, Inc.
Motorola
NEC Technologies
National Semiconductor
Network-1, Inc.
Networking Dynamics Corp.
Nixdorf Computer Corporation
Northern Telecom Inc.
Norton
Novell
OnLine SW International
Ontrak Computer Systems Inc.
Optimum Electronics, Inc. USA
Otocom Systems Inc.
PC Access Control Inc.
PC Dynamics Inc.
PC Guardian
PC Plus Inc.
Paradyne Caribbean, Inc.
Paradyne Corporation
Paralon Technologies
Personal Computer Card Corp.
Pinon Engineering, Inc.
Prime Factors
RSA Data Security, Inc.
RSA Laboratories
Racal Datacom
Racal-Guardata
Racal-Milgo USA
Rainbow Technology
Raxco
Rothenbuhler Engineering
S Squared Electronics
SCO
SVC
Safetynet
Samna Corp
Scrambler Systems Corp.
Sector Technology
Secur-Data Systems, Inc.
Secura Technologies
Secure Systems Group International, Inc.
Security Dynamics
Security Microsystems Inc.
Semaphore Communications
Sentry Systems, Inc.
Silver Oak Systems
SmartDisk Security Corp.
Software Directions, Inc.
Solid Oak Software
SophCo, Inc.
Sota Miltope
Stellar Systems Inc.
Sterling Software Inc. (Dylakor Division)
Sterling Software Inc. (System SW Marketing Division)
SunSoft
Symantec
TRW, Electronic Product Ltd.
Techmar Computer Products, Inc.
Techmatics, Inc.
Technical Communications Corp. (TCC)
Telequip Corp.
Terry Ritter
Texas Instruments, Inc.
The Exchange
Thumbscan, Inc.
Tracor Ultron
Trigram Systems
Tritron Systems
Trusted Information Systems, Inc.
UNIVAC USA
UTI-MACO Safeguard Systems
UUNet Technologies, Inc.
United Software Security
Uptronics, Inc.
VLSI Technology, Inc.
Verdix Corp. (Secure Products Division)
ViaCrypt
Visionary Electronics
Wang Laboratories
Wells Fargo Security Products
Western DataCom Co. Inc.
Western Digital Corporation
Westinghouse Electric Corp.
WordPerfect
XTree
Xetron Corp.
Yeargin Engineering
Zenith Data Systems
hDC usrESZ Software, Inc.
YUGOSLAVIA
Sophos Yu d.o.o.
Senator Leahy. Now, let me ask you this. On this program, how difficult would it be to decrypt it?
Mr. Walker. Well, we have the decryption program in there on your phone and it is doing the decryption. You mean how difficult would it be for someone else?
Senator Leahy. Yes; let us say that it is somebody else.
Mr. Walker. This is standard DES, which is 56 bits of key. As Ray Kammer said, DES has served us very well for 17 years. It would take — well, there was an estimate last summer at the crypto conference that if you built a special purpose device for $10 million — this was actually an engineering estimate of some detail — you could exhaustively check the key space of DES in 3.5 hours, and that is the fastest that anyone has ever regularly predicted that.
Senator Leahy. But Clipper Chip would take a lot longer than that.
Mr. Walker. Clipper is 80 bits, and it is 2 to the 56th versus 2 to the 80th and it is 16 million times harder to do Clipper, so Clipper is very strong. Of course, and I don't want to hammer this too hard, but the question of what we do if DES gets too weak — well, one thing to do is to back up essentially DES processes together — it is actually three of them — and you can double the key length. So you can go to 128 bits with DES with the algorithms and with the software that is already available.
Senator Leahy. With this, if you were sending something to me, I have got to know the key.
Mr. Walker. That is right.
Senator Leahy. One, I have got to have the program, but then I have got to know which key to use.
Mr. Walker. Yes; and if you were to use it as a telephone you would like to set it up like the — well, if you want key escrow, you can run it the same way that the exchange of the key happens with the Clipper. If you don't like key escrow, you can do it the way they did it in the P version, which doesn't have key escrow. We could have, in fact, set up that same key exchange process. We just didn't have the time to do it.
Senator Leahy. Now, you have linked them by an independent line, but you could have done this over regular telephone lines, couldn't you?
Mr. Walker. That is right, yes, sir.
Senator Leahy. And if you wanted to talk to your employees in London from an office in Maryland, you could use the same computer program to scramble those kinds of conversations?
Mr. Walker. Yes.
Senator Leahy. And data transmission, also?
Mr. Walker. Yes; we have an alternative to PGP called Privacy Enhanced Mail, which is essentially the same kind of functionality that was talked about in the Wall Street Journal the other day. Some folks in England want it, the Ministry of Defense, in fact, and we have not been able to sell it to them because of the export laws.
The specs for PEM are internationally available and so we actually hired a scientist in England to rewrite the code from scratch using DES and RSA that is already available in England, and we have demonstrated that to the British Ministry of Defense. They can buy it in England. We can't sell them our stuff here, so we have essentially done a second implementation. The irony is that the British export laws are such that we may well be able to export to the U.S. the version that we built in England which, of course, we couldn't ever send back to them.
Senator Leahy. Now, the administration has stated that the use of key escrow encryption is going to be voluntary even for Federal agencies, and that no alternative encryption system is going to be outlawed.
Mr. Walker. Yes; that sounds very good.
Senator Leahy. Then what is the concern? If that is so, why is there concern about Clipper Chip?
Mr. Walker. If that is so and if the numbers that I have projected down here are also right, one shouldn't have a concern about it. One is not certain that that is going to remain so forever, though. I mean, I am fearful that they are going to realize in 4 or 5 years, you know, this just isn't working; we are still having a problem. Then they will change the rules and it won't be voluntary.
Senator Leahy. Yes; you are saying if Clipper Chips are not accepted on a voluntary basis. Then what do you think they are going to say? Whether you have got Clipper or DES or Pretty Good Privacy, or whatever, you have got to have a key escrow feature?
Mr. Walker. It is clear — and I want to be very clear. I sympathize greatly with the law enforcement and the national security interests in this, and I am not trying to make their lives harder in this. As I was talking to the admiral just before we started here, he said this all started back when Admiral Inman let DES out. Well, indeed, that is the case. DES got out of the bag in 1976 or 1977 and we are now seeing it available around the world.
Their job, unfortunately, is going to get much harder whether we impose key escrow or whether we continue to control export control or not. I don't want to make their job harder, but I don't think it is reasonable for them to sacrifice U.S. national economic interests in the interest of keeping something that is already out of the bag and is eventually going to make life very difficult for them anyway.
Senator Leahy. Unless they require the key escrow feature with everything.
Mr. Walker. Indeed; key escrow, though, as we have seen in these devices and in the Tessera cards that are part of the Capstone Program, requires that it be done in hardware. I am a member of the NIST Software Escrow Alternatives Committee, and we indeed have met bimonthly, not biweekly, and we are struggling with whether there is any alternative here.
To require key escrow that you can't defeat trivially, you have to do it in hardware, and the whole point of this demonstration and thousands of others like it is encryption is available in software. No one is going to want to put key escrow along with this if, in fact, they have to add hardware to this when they already have it without it. So making a law that says you have to have key escrow will be one of the most significant laws that no one pays attention to that we have had in a long time.
Senator Leahy. We have had a few of those over the years.
Mr. Walker. Indeed; I mean, it's Prohibition all over again. It is going to be fun.
Senator Leahy. I am too young to remember; that was before my time anyway, but I remember some of the stories my father told me about that.
You talk about NIST. Mr. Kammer, when he was testifying, said that NIST is open to other approaches. One, do you feel it is? I mean, you are serving with that advisory committee. Secondly, are there alternatives to Clipper Chip that could serve the objectives of protecting the privacy of communications, but not irreparably damage some of our national security and law enforcement needs?
I should emphasize in this that I am convinced both from open hearings and classified hearings that we have some very, very serious law enforcement needs and we have some very, very serious national security needs.
Mr. Walker. I agree.
Senator Leahy. In the national security area, I don't worry so much, as I have said on many occasions, about an army marching against us or a navy sailing against us, or an air force, because we are far too powerful for that. I am far more worried about a well-organized, well-directed, well-motivated terrorist group coming from abroad, one that could cause enormous physical damage as well as psychological damage. One that, I don't think it would be stretching it too far to say, could cause real damage to our constitutional liberties and our constitutional way of doing things, more so than the armies of World War I and World War II. Such a group could suddenly make us question everything from our search and seizure laws to our freedom of speech laws. That, as an American and one who has seen the importance of those constitutional safeguards, bothers me very much.
So do you see such alternatives?
Mr. Walker. Well, there are alternatives that people have talked about. Sylvia McCauley at MIT has proposed for some time, and indeed apparently has some patents on some key escrow technologies. Basically, those end up being voluntary unless you can — I mean, easy to bypass is what I mean, making them — the law enforcement people can't insist that this is, in fact, going to be imposed every time, and that seems to be a real hangup with the administration that if it is not something that can be imposed every time it is used, then they are not interested in it. Unless we reorder the way in which we build our computers and our telephones, it is going to be very difficult, without something like the Clipper or the Capstone chip, to be able to have this happen every time.
To your other point, I think this is why I have come to the conclusion after thinking about this for a year that we have a national dilemma here — the difference between individuals' rights to privacy and the law enforcement and national security needs. That is why I think it is so important that this be submitted for legislation and let all sides have their say and let the Congress decide whether we should impose this or not.
I really am not sure there is any other way to get out of this one. I mean, wiretaps are not an attractive thing to individuals, but we have decided that under certain circumstances wiretaps are OK.
We may well decide that key escrow is OK. It certainly does provide advantages if it becomes widely used, but I don't think — as the administration is now proceeding with this essentially on its own without any legislation, without any other use of the separation of powers of the Constitution, I don't think Americans are going to buy Clipper escrow devices, and so it is not going to achieve what they want.
If we considered legislation and as a country we decided this is the thing we need, for exactly the reasons that you were just giving, then fine. I will go along with it. I don't actually have that big a problem if our government is using — I mean, what I am suggesting is we put the key escrow center in the judiciary so that nobody in the executive branch supposedly can twist their arms.
We are in a situation where we have to trust our government for a certain amount of things. We shouldn't have to trust it for any more than we have to, and everytime we do something like this we should use all the separation of powers that we can. Put the enforcement in the executive branch, put the decisionmaking about the keys in the judicial branch, and keep them separate. It is the best system we have got and we should be using it.
Senator Leahy. Mr. Diffie, how do you feel about this?
Mr. Diffie. Well, as I said, my first response to this is to look broadly at the technical resources of law enforcement and say, if you see the expanding possibilities not only of electronic surveillance but of DNA fingerprinting, of recognition of people in infrared photographs and a whole range of things that have become available to law enforcement as investigative and enforcement tools, it seems very clear that the failures of law enforcement in contemporary society are not failures of their technical capabilities.
On the other hand, the introduction of new technologies into society brings up the problem of how we embody existing traditions, values, procedures, et cetera, in using those technologies, and I think that is a thoroughly legitimate question about the way in which cryptography will be deployed. In talking about the intrinsic character of key escrow in storage cryptography, I was citing one example of that kind of thing.
Senator Leahy. But you don't question, do you, the fact that there can be some very, very legitimate national security interests in knowing, for example, what kinds of communications might be sent from a country hostile to us or known to harbor and protect terrorists to people here in the United States, and that in protecting our national security there may be a very real need to know what was in that communication on a realtime basis?
Mr. Diffie. I don't doubt the value of communications intelligence. When you are talking about explicitly communications of terrorist groups that are foreign state-supported, I see no reason that the foreign state should be any more hesitant to supply them with COMSEC equipment than they are to supply them with AK-47's.
Senator Leahy. You think that what they would do is give them the kind of communication equipment that we might not be able to decipher anyway?
Mr. Diffie. Well, you know, there has been a lot of pessimism in amateur circles over many years about communications intelligence. The fact is that communications are quite hard to protect, and one of the important things about the sort of devices like the PSD 3600 is that they protect some aspects of your communications, but they don't do anything to protect the traffic analysis, the trap and trace, the pen registers, and all of that. So I think that you really have to take a comprehensive view of the communications intelligence and investigative techniques when you ask what the impact of cryptography applied at one level or another is going to be.
Senator Leahy. Do you see the need for the ability to find out what somebody is saying, on a realtime basis for law enforcement inside our country? Consider a criminal holding somebody hostage for a ransom and threatening that if the ransom is not paid by a certain time, the person is going to be killed. We want to know where the communications are going, to try and determine where that person might be, with the possibility of a rescue prior to the person being killed. I mean, this is not a fanciful movie-of-the-week but could be a real-life situation.
Mr. Diffie. That is a very good example when you are talking about trying to trace calls, finding out where people are, and so forth. That is something which modern communications technology has made an overwhelming improvement in. If you look at the conventional wiretap, it is not so vastly much better than putting a bug in somebody's room. It is placed on what is called the local loop and it gives you access to the communications on the local loop with very little, if any, information about where calls are coming from.
If you look at modern communications intercepts inside digitized telephone systems, you are getting realtime information about where calls came from even if they are long distance.
Senator Leahy. But you might not know what the call is if you don't know who is on there.
Mr. Diffie. I don't doubt that it is possible to construct a particular scenario that emphasizes any individual investigative technique. What I am trying to point out here is that the overall growth in investigative capability that has flowed from the changes in telecommunications gives law enforcement a wide range of new things that they can do that they couldn't do in the past, and that for them to accept those gleefully and then try to turn to any individual element with which they are now having more trouble without taking account of the fact that that is made up for by other resources is to give an unfair impression of the relative importance of particular investigative techniques versus very serious privacy concerns for business and individuals.
Senator Leahy. Mr. Walker, what happens on the global electronic superhighway if Clipper Chip becomes the U.S. standard for encryption but other countries don't want to let it in?
Mr. Walker. We will have a U.S. superhighway and we won't be part of what is happening elsewhere. If I might add just a minute to the comments that Whit was saying, yes, there is the possibility that some vital event will happen which we may lose to encrypted communications, but I think we have to balance that on the other side.
I participated 2 years ago in hearings with Congressman Brooks on foreign industrial espionage and, essentially, U.S. business is wide-open en masse right now to communications intercepts anywhere in the world, and we do not have cryptography available on our laptops as part of Microsoft's products or Novell's products or WordPerfect's products because we can't export it from this country. We don't have it ourselves either. You don't have it routinely available and neither do I.
So, yes, there is a concern that some event, a World Trade Center bombing, or whatever, may occur and we may lose something with that, but we are at grave risk that all of our technology that we are passing over the United States or global superhighway is wide-open at this time, and sometime we have to find a balance between the possibility of an event like a World Trade Center bombing employing cryptography and the absolute certainty that all of our industrial information is passing in the clear around the world, easy for our adversaries, governments and other countries, to pick off and listen to.
We have got to find a balance between those, and the balance has just swayed so far in favor of national security and law enforcement that it is going to eventually result in making the U.S. a third-rate power before we realize how significant that is.
Senator Leahy. Larry?
Senator Pressler. Well, thank you very much, Mr. Chairman.
You may have covered this already, and if you have I apologize. I have been dealing with other committees this morning. As you are aware, critics of the administration's proposal argue that, as a practical matter, no criminal or foreign spy or terrorist of any sophistication would be foolish enough to use an encryption device designed by the NSA and approved by the FBI.
Why do we feel that people whose telecommunications the NSA and FBI want most to decode will be the very people most likely to use this technology?
Mr. Walker. I suspect you should have been here during the previous people testifying. We agree with you.
Senator Leahy. We spent about 2 hours going through that one.
Senator Pressler. OK.
Mr. Walker. We don't disagree with the assertion that — well, I will say specifically this is an AT&T 3600 that does not use key escrow. It is currently for sale. There is a Clipper version that is also for sale. I think people who have any sense that they may be wiretapped are going to go to their AT&T store and buy this one rather than the Clipper one, for exactly the reason you mentioned.
Senator Pressler. Well, are there sufficient safeguards in the escrow system? You would have to have a court-authorized wiretap, and I guess two agencies would have to be involved. It sounds to me as though there are some fairly extensive safeguards built in.
Mr. Walker. My personal opinion is with law enforcement operating within the law, the procedures that they are establishing — I have been briefed on this several times on the Computer System Advisory Board and other things — are going to be sufficient for this, law enforcement operating within the law.
I am concerned that law enforcement operating outside of the law doing something that is not authorized — these procedures may not be good enough for that. I am not sure that you could ever have procedures that are good enough for that, which is the concern about establishing key escrow as a mechanism anyway, in any case, and why I believe we need to have legislation to review whether we really want this or not.
Mr. Diffie. I think my understanding is that in the early 1940's when Japanese Americans were interned, the information that was used to identify them was, in part, census information that was very explicitly legally — clear legal impropriety in using the census information for this purpose.
I think when we think about creating what the escrow system might become — that is, a repository of keys that could be used to read a vast amount of American traffic — we are considering creating a vulnerability, a very long-term vulnerability in the U.S. Communications System. In these discussions, it is always important to emphasize that as valuable as telecommunications are to us at present, they will be more valuable in the future. They will be more the essence of our society in a few years than they are now.
So I am very worried that we are creating something that is a fundamental danger to the security of our communications system under the guise of an improvement to the security of our communications system.
Senator Pressler. Now, Mr. Walker, you describe how present U.S. laws prohibit the export by your company of encryption products. Are you in favor of eliminating those laws completely? If not, what should be exported and what should be prohibited?
Mr. Walker. I believe that there needs to be a balance found between super-good cryptography that is used by the U.S. Government to protect its classified information — I don't think that should be exported. What I am suggesting is things that are routinely available throughout the world ought to be able to be exported by the United States.
We have relaxed export controls on every kind of computer and telecommunications in the last couple of years except that involving cryptography. In the survey we are doing, which is done at a very low budget without a whole lot of fancy people working on it, we have found a very large number of DES and better products that are available throughout the world. Why is it that U.S. companies are excluded from being able to participate in that?
So I am not suggesting that we ban export controls on cryptography as a whole. I am saying let us find what the level is that is available routinely around the world and establish that as the basis where U.S. companies can participate. If U.S. companies can participate in exporting things like DES, then you will find Microsoft and Novell and WordPerfect including encryption in their products so that when you want to protect a file from someone else reading it or when some company wants to use this to protect their very sensitive information, they will have the tools available to do it.
We do not have control in this country of the internal use of cryptography, but the use of export control has been so strong that it has, in effect, created a control of its use within the United States. It is legal to use DES to encrypt your Microsoft files, but you won't find a product that lets you do that relatively easily because the people who build those products can't sell it to half the market that they have.
So we are in a situation which requires some degree of sense applied to it. Don't ban the export of cryptography in general. Good systems, military use systems, should not be exportable, but routine things that are available in the bookstores in London and in Germany and in Australia and South Africa — we ought to be able to sell those, too. That is what I am seeking, and I believe that is what the Cantwell and the Murray bills, in fact, are seeking to do, and I strongly encourage that the House and the Senate pass those as quickly as possible.
Senator Pressler. Thank you very much.
Senator Leahy. Thank you. We will take a 2-minute recess to allow the next panel to set up.
[Recess.]
Senator Leahy. During the break, someone asked me the numbers, and I reversed the cost estimate. NIST has estimated that $14 million is the cost of setting up the Key Escrow System, and $16 million is the annual maintenance cost. I forgot who asked me the question, but I hope they are still in the room. I wanted to correct it if I gave it just the other way around.
Admiral McConnell is the Director of the NSA, the National Security Agency, and has been for a couple of years. Before that, he served as head of the Intelligence Department of the Committee of the Chiefs of Staff of the U.S. Armed Forces. The admiral has been most patient in listening. By the end of this day, he and I will probably have heard more than either one of us ever wanted to hear on this subject.
Admiral, I appreciate your being here because your involvement is absolutely essential in getting any resolution on this. I might note for the record that I appreciate the amount of time you have spent personally with me on this, and the time your staff has spent. It has been very, very helpful, and I must say in my experience in 20 years in dealing with those in the intelligence agencies, I have never had anybody be more cooperative or more forthcoming than you have and I just wanted to publicly commend you on that, especially since some of the things that you are cooperative about I can't publicly thank you for, but I thank you in general.
Go ahead.
STATEMENT OF ADMIRAL J.M. McCONNELL
Admiral McConnell. Mr. Chairman, I appreciate the opportunity to comment. As you know, I have submitted a statement for the record, but in the interests of time I would like to just make a few brief comments.
I noted that you started earlier this morning — it seems like hours and hours ago now
Senator Leahy. It was.
Admiral McConnell. About the CNN/Time poll; 80 percent of Americans were against this. Just for interest, I pursued that a bit to read the question that was asked. Although the question wasn't published, it was stated in a way with pejoratives three times along the way to basically come down to, do you want the government reading your communications, as opposed to stating it in a way to say this is not an enhanced or additional authority for the government to do its law enforcement mission, which includes legally authorized wiretaps. So I think the question was probably a little bit biased in the way it was asked.
Sir, your letter asked me to address what was NSA's role in this whole process, and it can be summed up very succinctly. We were the technical adviser to NIST that you heard from earlier and to the FBI and the Department of Justice. The FBI, in the legislation that they have submitted, recognized that they had a problem with the communications process going from analog to digital, referred to popularly as the digital telephony legislation. In conjunction with that, they began to appreciate the potential impact of encryption.
They came to us, as did NIST, in our role as directed under the Computer Security Act of 1987, and asked for technical assistance. Quite frankly, this was a very tough technical challenge for us. We sat down to sort through potential technical solutions and what we came up with was escrowed key.
Now, I would like to make the point that you only have three choices if you are going to encrypt something. You can use encryption that is exploitable, meaning that it is neither, not of sufficient key length or there is a weakness or there is something that would allow an adversary to break into it. You can use encryption that is exploitable, or you can use encryption that is unexploitable but uses an escrowed key. In my opinion, that is where we came out. We made encryption that is not exploitable. We factored in the escrow key, for all the reasons that have been enumerated for you this morning.
NSA has been castigated regularly in the literature on this subject as being the perpetrator and having sinister motives, and so on, and I would just like to take a moment here in public to try to put a little balance on some of those comments.
First of all, NSA has no domestic surveillance function. NSA has no law enforcement function. We do not target Americans. We have no direct association with law enforcement other than if we collect something in our mission of foreign intelligence that would be of use to law enforcement, we make that information available, just like we would make it available to any other agency of government or to the Congress.
The second point I would make is we certainly are a nation of laws. Our activities are governed by law and we have very extensive oversight not only in the executive branch, but also in the Congress, two committees, and you, of course, served on one of those committees. That oversight, sir, as you well know, is quite extensive on what we do.
Our mission is to target foreign activities, so anything that NSA is engaged in is strictly in a foreign context. Now, what are those things? Military capabilities; proliferation of weapons of mass destruction, even the creation of weapons of mass destruction; scientific and technical intelligence on weapons systems and ability of countermeasures to defeat U.S. systems; and, in fact, military operations, and you could extend it on to foreign government actions that would either harm their neighbors or would harm the interests of the country. All of those are very important things, and let me just use a current example.
Most who have focused at all on foreign relations are concerned about the events in North Korea. North Korea either has or they intend to build a nuclear weapon. They have a missile system that has a current range, we estimate, in the neighborhood of 1,000 km. They intend to build missiles with capabilities beyond 1,000 km. Now, that is of interest to the United States and it is of interest to our allies, the South Koreans, the Japanese, and others.
NSA's interest in this thing called cryptography and standards, and particularly international standards, is influenced by our service to the Nation to maintain awareness of what is going on in the world that impacts on not only military operations, but the formulation of foreign policy and that sort of thing.
Successful completion of our mission has saved lives not only in the military context, but in the civilian context, not only for the United States, but for our allies. We have provided information to our policymakers for the formulation of foreign policy. We did it last year, we did it last month, we did it yesterday, and we are doing it this morning.
Now, what I would like to do — since most of everything that I am involved with currently is classified and I am unable to speak freely on it, I want to try to give this a sense of relevance by speaking to a historical context.
In World War II in the Atlantic theater, the United States and Great Britain collaborated to break the communications of the enemy. Through the ability to read the communications of the enemy, we knew when they were planning battles, with what level force. We knew how to engage, when and where, and when it was to our advantage.
The U-boat force, the submarine force, was approaching success in shutting down the flow of war materials going from the United States to England and to Europe. The success in code-breaking allowed the United States to either circumvent the U-boats or to sink them. It made an incredible difference. Historians have credited, now that this information is public, World War II coming to completion in Europe, if not 2 years, at least 18 months, sooner than it would have otherwise.
Now, let me switch to the Pacific. The United States succeeded in breaking the code of the enemy in the Pacific. Because of that, with an inferior naval force, we immediately started to enjoy naval victory. The first was on the Coral Sea, the battle of the Coral Sea, and the second was at Midway. At the battle of Midway, the tide was turned.
Now, it is very interesting what happened in this historical context. The Coral Sea and the battle of Midway occurred in 1942. In the summer of 1942, a newspaper reporter became aware that the United States was breaking the communications of the enemy and it was published in a U.S. newspaper. It became a cause celebre and was repeated a number of times, and by the late summer the enemy had changed their communications process.
Coincident with that, the campaign in the Solomon Islands was initiated. It was long and it was bloody. We could not see their intentions. We did not understand what they were planning to do. Therefore, it cost countless thousands of lives that, in my view, could have been avoided if our capability to exploit had been preserved.
NSA is involved in this level of activity every day, but as you well know, it is classified. If I spoke about it in public, what success we do enjoy today would disappear. So I use this historical context to try to provide some weight to what it means to the Nation.
I just would terminate on that particular subject in a current context by just advising you that the Secretary of Defense and General Powell at the conclusion of Desert Storm came out to NSA to personally thank the employees, the men and women, of NSA for the contributions that they made.
Sir, when we were asked to provide a technical solution, if there was a technical solution to this seemingly intractable problem, we started with a list of objectives, and I want to give those objectives. First and foremost, we just made ourselves a list of, as citizens, how would we like a technical solution to come out.
The first was, contrary to what appears in the popular literature, enhancement and protection of the privacy of Americans. That was number one on our list. The second was to protect public and private corporate information, business information; to promote U.S. competitiveness; and, of course, the last objective was what we were asked to provide some thought to by Justice and NIST, and that was to allow law enforcement to monitor criminals or terrorists.
We conceived Clipper. It has been referred to here most often as Clipper. It is actually an algorithm and the name of it is Skipjack. Clipper is just one application of Skipjack. There are others. As has been stated earlier, it is 16 million times stronger than the current Federal standard, which is referred to as DES, or the Data Encryption Standard.
The idea was to escrow the key, hold it in such a way that it could be drawn for legitimate purposes. But if you really think about it for a moment, the auditability of the process and the accountability of the process improves the privacy of Americans over where it is today. Today, a political opponent, a used car salesman, a credit research bureau, a rogue cop, could intercept someone's communications. If they were using the devices that we have discussed here this morning with escrowed key, then the only way that you could break that communication would be with some oversight provided by a court in a process that is more accountable than what exists currently.
So I think, in my view, we have struck the proper balance between privacy protection and law enforcement access. I really believe when I have thought this through, and I have been working at it and thinking about it now for some 2 years, that the privacy of Americans is enhanced, not degraded. It not only is court-authorized, but we tried to make it analogous to the way we do nuclear weapons — two-agency control and two-man control, never allowing one person to have absolute control of the process. The existing wiretap authorities have not been expanded, and existing legal protections, in fact, in my view, have been strengthened.
NSA's INFOSEC mission, our mission which is not well known to most of those who talk about us and most discussions about what we do against foreign interests in terms of intelligence collection — we do have another mission, and that is information security for the government. We make the government's code, and because we are probably the most robust encryption activity available to the country, our expertise is drawn upon so we can take some of that technology that we have, in fact, spent millions of dollars on to make it available to resolve some of these other problems.
The administration did not take this lightly. They spent some 9 months reviewing it. They solicited and considered industry views. They concluded at the end of that deliberation that export controls on cryptography should be maintained as being in the best interests of the Nation so that it would not damage NSA's mission and our global responsibilities.
A number of reforms were announced mandating speeding-up of the process and easing the regulatory burden to get, in fact, approved export items of a cryptographic nature exported — key escrow products that can be licensed quickly for movement out of the country so long as it is consistent with national security.
Now, a number of laws have been discussed today, and issues discussed today, and I think our two previous speakers captured it very eloquently. What I heard was one discussion of privacy and another discussion of profit motive or being motivated to do this because it may have some impact on U.S. business.
I would just highlight that there are other rules and regulations that people find offensive in the privacy sense, but to come into this hearing today I was electronically searched. To get on an airplane, I am electronically searched. The Congress has decided that that invasion of privacy is worth it in the interests of public safety. The same argument is being made with regard to court-authorized intercept of terrorist or criminal communications. Some would claim that these and other laws invade privacy. In my view, it is a balance of that privacy.
Key escrow is a technical solution to a very complex set of equities. As a matter of fact, at NSA that is how we refer to this issue. In addition to being a headache, we call it our equities issue. Whose equities are involved? I go back to what our original objectives were — Americans' privacy, corporate interest, law enforcement, and the competitiveness of U.S. business. So when we weigh all those equities, at least in my view, and I would say fortunately in the view of the administration which reviewed this, to include very active participation by the Vice President — he came down on the side of the most equities are represented and protected by the key escrow initiative.
So, that concludes my statement. I would be happy to try to answer your questions.
Senator Leahy. Thank you. Skipjack is for voice encryption now. Are you working on something even faster for data encryption?
Admiral McConnell. Yes, sir. Currently, Skipjack can be made fast enough to keep up with any current or anticipated application, but there will be a need to go faster and we will either have to make Skipjack go faster or have a new approach. One of the things I might mention is, working for Defense — Defense had asked us to come up with a technical solution for a way to use the information superhighway to exchange E-mail communications with business, with contractors, and so on, in a way that would be protected. That was why Skipjack was invented. The application is something we call Capstone. It is a PC card that just plugs in and provides you a lot of the functionality that has been discussed earlier.
When the FBI and Justice presented us with this other problem, we just took the Skipjack algorithm and applied it to basically a voice-only problem. Now, so far in the administration's review, the only thing that they have authorized in this FIPS, or this standard which is published by NIST, is for the voice and a low data rate application only. Where we are proceeding with Capstone, or this application for the Defense Department, that is strictly for government use, and whether it is going to be made available to the public and become a voluntary standard, and so on, is yet to be determined.
Senator Leahy. I think your discussion of the Pacific battles was illustrative. Without going into any specific case, the hypothetical I used earlier today about threats from terrorist organizations — would you say that is a realistic hypothetical?
Admiral McConnell. Sir, I thought Mr. Walker made a compelling argument for what is out there, and I just would highlight — and this is difficult for me to answer because it gets into sources and methods.
Senator Leahy. Well, maybe I should ask it this way. Is it your estimation as one who deals with the security of this country that the United States, like most other Western nations, is not immune from terrorist threats from abroad?
Admiral McConnell. No, no, sir, not at all.
Senator Leahy. That is basically my question.
Admiral McConnell. Not at all.
Senator Leahy. Do you know whether foreign governments would be interested in importing key escrow encryption products to which they, not the U.S. Government, hold the keys?
Admiral McConnell. Sir, this is a very interesting question and, in my view, when we have entered into discussions with our counterparts — we have counterpart relationships, as you are aware, and I would say that we in this country are probably a little further along in the decision process than some of our allies.
You used an example earlier, if you wanted to import cryptography into France, and I found it very interesting that you used France as your example because you can't import cryptography into France. When we have talked to our business partners, those that we deal with in the private sector, we frequently are asked, why can't you get my products into France? Well, the French pass laws that say you can't do that. They are going through this deliberation in the EC and in Europe and in the individual countries of Europe to determine how they are going to address this problem.
I just would use a phrase that I used when we had an opportunity to meet with the Vice President and discuss this issue and when we were coming to closure for decision. I said, sir, if you listen to the argument that unexploitable encryption should be available in this country to be exported anywhere we want to export it in the world, then you take the problem that we are attempting to solve in this country and make it our allies' problem. Our allies have problems with criminals and drug dealers and terrorists. Are they likely to allow U.S. firms to import cryptography into their country that would shut out their law enforcement abilities? So these questions are very difficult. They are incredibly complex, and we are going through that process. I don't know exactly how it will come out.
Senator Leahy. Have we had governments that have asked us, if we go forward with this, to work out a deal to share keys with them?
Admiral McConnell. There are discussions with my counterparts and there are discussions at the law enforcement level. How it will turn out I can't forecast, but I would say that the objective of some of the various participants in the discussion is, if there is a law enforcement problem involving a foreign country and this technology is used, to work out some process that could help contribute to solving that law enforcement problem.
One of the things I worry about is this is exportable by an American by his own use. Now, he may not be permitted to use it in some given country because of the laws of that country, but he will be able to use it in other places. What I worry about is how do I ensure the privacy of that American who is in a foreign country. So these are very difficult questions that we will have to work our way through.
Senator Leahy. But then we could have the possibility of these keys being in countries other than our own.
Admiral McConnell. Yes, sir, we could.
Senator Leahy. How does a country like France address the question that if they prohibit encryption devices or encryption programs that they may be just closed out of the whole information superhighway entirely?
Admiral McConnell. Currently, the information superhighway is not encrypted, and that is what
Senator Leahy. But I mean if somebody used Pretty Good Privacy, for example, on there, it is encrypted.
Admiral McConnell. Yes, sir.
Senator Leahy. I mean, if you have got somebody sitting on the outskirts of Paris who clicks on to the Internet and if he uses Pretty Good Privacy to encrypt his message and send it to somebody in San Diego, CA, it is there.
Admiral McConnell. Yes, sir. The laws, as they have been explained to me, in France are that you cannot import, export or domestically produce encryption without government approval.
Senator Leahy. So, that person would be in violation of the law?
Admiral McConnell. That person would be in violation of French law in that specific instance. Now, cases are made that this technology is available around the world, it is on Internet, it flows, and so on.
Senator Leahy. Especially with the EC and worldwide trade, you can have companies who have got a branch in France and Italy, Ireland, the United States, Canada, Mexico, and Argentina. They may be constantly sending material back and forth, everything from E-mail to specs and diagrams and blueprints, and want to encrypt it all. Doesn't a country like France get into an impossible situation if they are suddenly cut out of that loop?
Admiral McConnell. Yes, sir, you can make that argument. So far, it hasn't gotten to that point. My choice, of course, would be if it is possible for key escrow standards to be established in a way that we can work it out with our allies, and so on, and that protects each person's equities. We don't really know where this is going.
I want to address the point that was made earlier by one of the preceding witnesses about the availability of these products. Sir, I don't deny that you can put something on Internet and it will flow, but I do a market survey of the globe every day, 24 hours a day, and what I can report back to you is, as a practical matter, for the kinds of things that are interested in from a foreign intelligence aspect there is not widespread use of some of these things.
Does that mean that there will not be widespread use in the future? We are judging human behavior, so we don't know exactly how that is going to turn out, but of the products that have been available to us to examine, they are not all as they have been advertised to be. Now, that is a cute way of saying the real answer is classified and I will discuss it with you at a later time. The arguments being made in public I have difficulty refuting because what I know is at a classified level.
Senator Leahy. Well, we are going to go shortly into that part of the hearing, but let me ask you this. What if the key escrow encryption chip — say, the Clipper Chip — is not widely accepted on a voluntary basis? Now, I understand some of the things that are being done to make it more acceptable, such as the government buying and the cost going down, and so on and so forth. Would the intelligence and law enforcement agencies recommend that all encryption systems — DES, Pretty Good Privacy, whatever else — have a key escrow feature, with the government holding a duplicate set of the keys?
Admiral McConnell. On a mandatory basis?
Senator Leahy. Yes.
Admiral McConnell. That is not the intent of the administration.
Senator Leahy. Well, would that suffice in order to allow exportation?
Admiral McConnell. Currently, there are products exported from the country that do not have escrow key. As a matter of fact, the vast majority of those who desire export
Senator Leahy. They are not as good either.
Admiral McConnell. No, sir. That is correct. Skipjack is no trivial algorithm. I mean, if you were to attack this — as it has been described earlier, as you run something to exhaustion and if it is robust — if you were to attack it, I mean you are into not hundreds, but thousands of years before you could ever run it to exhaustion.
Senator Leahy. Well, let us think of it another way. Suppose you have got a Clipper Chip, the Key Escrow System and everything else, and somebody double encrypts it, say, using DES. Can you tell from looking at the cipher, the encrypted text, whether the underlying message was encrypted?
Admiral McConnell. It would be difficult. If one were to use
Senator Leahy. In other words, I am asking you if double encrypting can defeat Clipper Chip.
Admiral McConnell. Yes, sir, it clearly could, but there would be no advantage to using Clipper and, let us say, DES, for example. You would just use DES. Assuming that you were a criminal and the government held the keys, getting through Clipper you would still have the same level of protection, which is a 56-bit key, a robust algorithm known as DES.
Senator Leahy. Let me ask you about the family key. Every Clipper Chip has the same family key programmed into it, if I understand it correctly. It is used by law enforcement to decode an intercepted serial number or the identifier that is at the beginning of each encrypted conversation.
Now, if somebody got unauthorized access to the chip family key, can they do anything with that? For example, can they keep track of communications traffic back and forth between a particular chip?
Admiral McConnell. They would be able to read the serial number on the chip.
Senator Leahy. Is that about it?
Admiral McConnell. Yes, sir, but that is kind of an interesting question, sir. With your law enforcement background, I am sure you are aware that if you are conducting a criminal investigation every phone call — records are kept by the phone company for tolling purposes, so if you are a criminal investigator with a case open, you just subpoena those records or get the records and they are made available to you. So there wouldn't be any advantage to — if I were law enforcement, I sure wouldn't want to break the law to do something I could get with due course.
Senator Leahy. But they couldn't use it to in any way decode?
Admiral McConnell. No, sir.
Senator Leahy. They would still need the
Admiral McConnell. No, sir, and they wouldn't get any more information than they already get in current activity.
Senator Leahy. Well, Admiral, unless you want to add something in open session, we will go over to the bubble.
Admiral McConnell. No, sir. Thank you for the opportunity to comment.
Senator Leahy. Thank you.
[The prepared statement of Admiral J.M. McConnell follows:]
Prepared Statement of Vice Admiral J.M. McConnell
Good morning. I appreciate the opportunity to discuss with you NSA's interests in and involvement with the Administration's key escrow encryption program and its decision to encourage the use of the government designed encryption microcircuits, commonly referred to as CLIPPER chips. These microcircuits, or chips, provide robust encryption, but also enable law enforcement organizations, when lawfully authorized, to obtain the key that unlocks the encryption. The President's program advances two seemingly conflicted interests — preserving critical electronic surveillance capabilities, on the one hand, and providing excellent information systems security, on the other. I will discuss the role we played in support of this program. I will also discuss NSA's interests, both in general and in respect to the President's program.
NSA's ROLE IN THE PRESIDENT'S INITIATIVE
Our role in support of this initiative can be summed up as "technical advisors" to the National Institute of Standards and Technology (NIST) and the FBI.
As the nation's signals intelligence (SIGINT) authority and cryptographic experts, NSA has long had a role to advise other government organizations on issues that relate to the conduct of electronic surveillance or matters affecting the security of communications systems. Our function in the latter category became more active with the passage of the Computer Security Act of 1987. The Act states that the National Bureau of Standards (now NIST) may, where appropriate, draw upon the technical advice and assistance of NSA. It also provides that NIST must draw upon computer system technical security guidelines developed by NSA to the extent that NIST determines that such guidelines are consistent with the requirements for protecting sensitive information in federal computer systems. These statutory guidelines have formed the basis for NSA's involvement with the key escrow program.
Subsequent to the passage of the Computer Security Act, NIST and NSA formally executed a memorandum of understanding (MOU) that created a Technical Working Group to facilitate our interactions. The FBI, though not a signatory to the MOU, was a frequent participant in our meetings. The FBI realized that they had a domestic law enforcement problem — the use of certain technologies in communications and computer systems that can prevent effective use of court authorized wiretaps, a critical weapon in their fight against crime and criminals. In the ensuing discussions, the FBI and NIST sought our technical advice and expertise in cryptography to develop a technical means to allow for the proliferation of top quality encryption technology while affording law enforcement the capability to access encrypted communications under lawfully authorized conditions.
We undertook a research and development program with the intent of finding a means to meet NIST's and the FBI's concerns. The program led to the development of two microcircuits or chips. The first was an all-purpose chip with encryption, public key exchange, digital signature, and hashing functions. The second contained the encryption function only and is intended for use in devices in which digital signature and hashing are not needed and key exchange is provided by some means outside the chip.
Throughout the design and development of the key escrow encryption system, we placed an emphasis on providing for the protection of users' privacy. We focused on ways in which we could preserve law enforcement's existing capabilities without undermining privacy rights and protections embodied in current law.
One of the technical solutions to these privacy concerns is the split escrowed key. All chips have been designed to be programmed with their own identification number and a unique key that could be used to unlock the encryption. Because the chip-unique keys can be used to unlock the encryption, we also devised a means to split the keys and to keep each part with a different custodian. Neither part is useful without the other. The parts of each chip's unique key are separately escrowed with two trusted custodians at the time the chip is programmed. In this way, when law enforcement officials conduct a court-authorized wiretap and encounter this encryption, they can identify the chip being used and obtain the corresponding chip-unique key from the custodians, again using the court authorization. This concept of splitting the key into two or more parts is a sound security technique which provides a safeguard against unlawful attempts to obtain keys and illegally access protected communications. This also provides security against the risk that a single custodian might lose control of the keys, making the corresponding chips vulnerable to decryption.
In addition to splitting the key, the system has been designed so that the chip-unique key components are encrypted. Neither the custodians nor law enforcement officials know even a portion of the unique keys. The unique keys are only decrypted in a special device used to decrypt communications encrypted with key escrow chips. These devices are, of course, kept under strict control to ensure they are used only in connection with authorized wiretaps.
With the key escrow concept, the U.S. is the only country, so far, proposing a technique that provides its citizens very good privacy protection and maintains the current ability of law enforcement agencies to fight crime. Other countries are using government licensing or other means to restrict the use of encryption. We have gone to great lengths to provide for both the privacy and law enforcement interests and I believe we have developed the best technical approach to date. As a result, I believe the key escrow encryption system actually enhances privacy protections when you consider that most people currently use no encryption. Widespread use of CLIPPER will make it easy for people to take advantage of the benefits that high quality encryption offers.
NSA'S INTERESTS IN THE KEY ESCROW INITIATIVE
While our role in this initiative has been that of technical advisor to NIST and the FBI, we are very interested in the outcome and its impact on NSA's two missions, information security and foreign signals intelligence.
NSA has a mission to devise security techniques for government communications and computer systems that process classified information or are involved in certain military or intelligence activities. In keeping with the Computer Security Act of 1987, we also make available to NIST the benefits of our security expertise so they can, as appropriate, use it to promulgate the security standards applicable to the systems under their purview, i.e. federal systems that process sensitive unclassified information. Through our support of NIST and the promulgation of standards for federal systems, we advance a goal we all share — assuring that Americans have available to them the products they need to secure their communications and computer systems.
The NSA Information Systems Security, or INFOSEC, organization is continuously striving to understand the threats to information systems and to devise new or improved methods to protect against those threats. While most of us only consider the security of our systems when there is a much publicized case of computer hacking or intercepted cellular calls, NSA's INFOSEC people recognize the threats are ever present. They possess a unique sensitivity to the nature and the extent of these threats, and these insights into information system vulnerabilities form the foundation for building information systems security products. We have applied this knowledge and unrivaled cryptographic expertise for over 40 years in designing security products for U.S. communications and information systems that I can say with confidence and pride, are second to none.
Key escrow technology advances NSA's INFOSEC interests. For one thing, the encryption microcircuits provide excellent security, better by far than the Data Encryption Standard (DES). We will use these chips in products to secure information systems for which we are responsible. We are also pleased to see such robust security available for the voluntary use of all Americans. To the extent that we can use commercial off-the-shelf products as a basis for securing information systems under our purview, the cost to all users will decline. Moreover, widespread use of these products will enhance the interoperability of systems among all users. All of this is to the good of our INFOSEC interests.
The key escrow initiative was designed to accommodate all of our interests in assuring the privacy of our communications and in preserving law enforcement access to communications when necessary and lawfully authorized. This accommodation reflects the Administration's realization of the importance of effectively managing this technology so as to preserve our electronic surveillance capabilities. Whether it is law enforcement's wiretap-derived evidence of a crime or intelligence information regarding a foreign government, we as a nation use the product of electronic surveillance to assure the national security and the public safety.
From a signals intelligence standpoint, we are only concerned with the use of encryption by targets of our foreign intelligence efforts. Clearly, the success of NSA's intelligence mission depends on our continued ability to collect and understand foreign communications. Encryption, a technique for scrambling communications so that unintended recipients cannot understand their contents, can disrupt our ability to produce foreign signals intelligence. Controls on encryption exports are important to maintaining our capabilities.
At the direction of the President in April, 1993, the Administration spent ten months carefully reviewing its encryption policies, with particular attention to those issues related to export controls on encryption products. The Administration consulted with many industry and private sector representatives and sought their opinions and suggestions on the entire encryption export control policy and process. As a result of this review, the Administration concluded that the current encryption export controls are in the best interest of the nation and must be maintained, but that some changes should be made in the export licensing process in order to maximize the exportability of encryption products and to reduce the regulatory burden on exporters. These changes will greatly ease the licensing process and allow exporters to more rapidly and easily export their products.
In addition, the Administration agreed at the urging of industry that key escrow encryption products would be exportable. Our announcement regarding the exportability of key escrow encryption products has caused some to assert that the Administration is permitting the export of key escrow products while controlling competing products in order to force manufacturers to adopt key escrow technology. These arguments are without foundation.
Many non-key escrow encryption products have long been licensed for export. Such products will continue to be approved for export notwithstanding the fact that key escrow encryption products are becoming available. Moreover, we will continue to review proposed exports of new encryption products and will license them for export in any case in which the export is consistent with national interests. Finally, as I mentioned earlier, the Administration is in the process of implementing reforms of the licensing process to speed licensing and reduce the licensing burdens on encryption exporters. These reforms will benefit exporters of key escrow and non-key-escrow encryption alike. In short, we are not using or intending to use export controls to force vendors to adopt key escrow technology.
CONCLUSION
In sum, I believe the President's initiative is a reasonable response to a very difficult set of issues. It accommodates users' interests in security and the law enforcement interest to unlock encryption when lawfully authorized. The procedures for escrowing key are being developed to ensure the security of the devices is not compromised by the escrow system. There are, to be sure, issues to be ironed out, but I am confident we will work out the wrinkles. I would be pleased to answer any questions you may have.
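The statement above describes the split escrowed key: each chip's unique key is divided into parts held by different custodians, "neither part is useful without the other", and the parts are only ever rejoined inside a controlled decrypt device. The following is an added illustration of that property written for this page; it is not NSA's, NIST's or the Clipper program's code. It uses plain XOR shares (the simplest scheme with the stated all-parts-required property; the hearing does not say which method the real system used), an assumed 80-bit chip-unique key length, and it generalizes to the "two or more parts" the statement mentions by allowing any number of custodians.

```python
"""Split-key escrow illustration (example code, not the Clipper design).

Assumptions, none of which come from the hearing record:
  * shares are combined by XOR, so every share is required to rebuild the key;
  * the chip-unique key is 10 bytes (80 bits);
  * the random source is injectable so the behaviour can be tested deterministically.
"""
import os
from functools import reduce
from operator import xor

KEY_LEN = 10  # assumed 80-bit chip-unique key; the page gives no length


def split_key(key: bytes, custodians: int = 2, rng=os.urandom) -> list:
    """Split `key` into `custodians` shares such that ALL shares are needed.

    Every share but the last is drawn uniformly at random; the last is chosen
    so that the XOR of all shares equals the key. Any proper subset of shares
    is therefore itself a uniformly random string carrying no information
    about `key`, which is the "neither part is useful without the other"
    property the statement relies on.
    """
    if custodians < 2:
        raise ValueError("splitting needs at least two custodians")
    shares = [rng(len(key)) for _ in range(custodians - 1)]
    last = bytes(reduce(xor, column) for column in zip(key, *shares))
    return shares + [last]


def combine_shares(shares: list) -> bytes:
    """Rebuild the key from the complete set of shares (XOR of all of them).

    In the escrow model this step happens only inside the controlled decrypt
    device, never at a custodian.
    """
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of unequal length")
    return bytes(reduce(xor, column) for column in zip(*shares))


def complementary_share(held_share: bytes, candidate_key: bytes) -> bytes:
    """Show why one share on its own reveals nothing.

    For ANY candidate key there is exactly one other share that, combined
    with `held_share`, yields that candidate. A custodian holding a single
    share (or someone who stole it) therefore cannot rule out any key at all.
    """
    if len(held_share) != len(candidate_key):
        raise ValueError("length mismatch")
    return bytes(a ^ b for a, b in zip(held_share, candidate_key))


def escrow_and_recover(key: bytes, custodians: int = 2, rng=os.urandom) -> bool:
    """End-to-end check: escrow a chip key, then recover it from all shares."""
    shares = split_key(key, custodians, rng)
    return combine_shares(shares) == key


if __name__ == "__main__":
    chip_key = os.urandom(KEY_LEN)  # constructed sample key for the demo
    share_a, share_b = split_key(chip_key)
    print("custodian A holds:", share_a.hex())
    print("custodian B holds:", share_b.hex())
    print("both shares recover the key:", combine_shares([share_a, share_b]) == chip_key)
    # Share A alone is equally consistent with, say, the all-zero key:
    zero_key = bytes(KEY_LEN)
    print("A also fits the all-zero key:",
          combine_shares([share_a, complementary_share(share_a, zero_key)]) == zero_key)
```

The deliberately injectable `rng` is what lets the all-shares-required property be checked with fixed values; in use it stays `os.urandom`. Note what the scheme does not cover: the statement's further protection, that the components are themselves encrypted so that even a custodian never sees plaintext share material, is a separate layer and is not modelled here.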
Senator Leahy. The subcommittee stands adjourned. [Whereupon, at 12:41 p.m., the subcommittee was adjourned.]
APPENDIX
Additional Submissions for the Record
Prepared Statement of Computer and Business Equipment Manufacturers Association
SUMMARY
CBEMA represents the leading U.S. providers of information technology products and services.1 Its members had combined sales of $270 billion in 1992, representing about 4.5% of our nation's gross national product. They employ more than 1 million people in the United States. CBEMA develops and advocates public policies beneficial to the information technology industry in the U.S., participates in all pertinent standards programs worldwide, and sponsors the U.S. committees developing voluntary standards, domestically and internationally, for information technology.
CBEMA initially reacted to the President's key escrow/Skipjack 2 initiative during hearings in June held by the Computer System Security and Privacy Advisory Board to the National Institute of Standards and Technology. The CBEMA statement voiced our industry's concerns about individual privacy, the marketability of products, both in the U.S. and abroad, the technical difficulties of incorporating key escrow/Skipjack into devices, and the cost/competitiveness problems associated with key escrow/Skipjack.
This paper further develops several of those issues and offers CBEMA's recommendations that will meet both law enforcement and private sector needs in the U.S. and abroad.3 This document neither endorses nor criticizes the concept of key escrow. It does, however, examine the realities of a marketplace that has evolved without a key escrow system and concludes that:
• The negative implications of using key escrow/Skipjack for protecting typical information technology applications far outweigh the potential benefits.
• The Data Encryption Standard should be recertified.
• An encryption strategy should be developed in a public forum.
• Sponsored research is needed to develop a software embodiment for key escrow.
• Encryption export controls need revision.
INFORMATION TECHNOLOGY HAS BECOME GLOBAL AND NETWORKED
Each year the market for information technology equipment and related products becomes increasingly global. During the 1970s and early 80s the majority of sales by U.S. manufacturers was domestic. Today, however, between half and two-thirds of all sales by U.S. information technology manufacturers are to foreign customers.
1 See appended list of members.
2 "Key escrow" refers to the general concept; for specificity we have used the term "key escrow/ Skipjack" to refer to the technical embodiment currently under discussion.
3 The viewpoint in the paper is that of vendors in a global market seeking to meet their customers' needs, including those of the government. Therefore, its focus is on business and economic implications, and it expresses no positions on the social, political or legal issues surrounding the key escrow/Skipjack proposal.
The globalization of the market for information technology products has paralleled a revolution in information technology use that has fundamentally changed the then existing modes of operation. In the 1970s and early 80s most businesses implemented large main frame computer complexes that served employees at the site or remote terminals connected to a single computer system. Because few of these computer systems were connected with other computer systems, most security measures were directed at the computer site.
Today, however, interconnected computers are the norm. Digital networks — such as electronic mail systems, Internet, and digital telephone system — increasingly are relied upon for routine as well as sensitive communications, and security is required for those interconnections and for the personal computers being interconnected to those networks. Continuing rapid development of information technology products depends heavily upon wireless technology, and security will be required for communications among these products as well.
For the future we must develop processes that will support successful development of a National Information Infrastructure (which will in reality be global). In this development major concern is already focused on how to safeguard information on the network.
ENCRYPTION HAS BECOME A CRITICAL COMPONENT OF INFORMATION SECURITY
During the evolution of information processing, encryption also gained significance. Although some vendors implemented their own versions of encryption, the Data Encryption Standard (DES) and public key algorithms (such as RSA) became the leading cryptographic techniques. DES is an American National Standard as well as a Federal Information Processing Standard (FIPS). Today a large installed base of devices and systems rely on DES and RSA. The banking industry, for example, has its standards for interbank operations such as funds transfer based on the DES. Encryption based on the DES standard also is used increasingly in over-the-counter software products and as an element of larger hardware and software solutions.
In the 1980s customers demanded that vendors provide products which would operate with one another. A major response to this demand was creation of the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Open Systems Interconnection (OSI) architecture, which provides security services including encryption among its specifications. In another response, some vendors formed the Open Software Foundation (OSF) to help standardize implementation of fundamental software tools across platforms such as the UNIX operating system. OSF has announced a set of network software products implementing the distributed computing environment (DCE) which uses the DES algorithm for purposes of authentication, data confidentiality and integrity, and network access control. The Internet Society utilizes both DES and RSA to provide its Privacy Enhanced Mail (PEM) facility. This technique is very close to that utilized in the X.400 messaging recommendation and supported by the ISO/IEC OSI Directory standard. The American National Standards Institute (ANSI) standards committee for banking, X9, has also recently adopted these techniques. In short, the infrastructure to support security services for business needs, e.g., electronic data interchange of transaction documents, health care automation and so on, is rapidly being deployed. A key factor in the acceptance of DES and RSA is the confidence in their cryptographic strength and overall integrity that has developed over years of public scrutiny.
Demand for encryption is expected to increase more rapidly as techniques become more simplified. In the past, utilization of encryption was a deeply considered decision made by user management, since employing it imposed significant costs, especially those of key management. But simpler key management techniques have been developed that maintain a high level of security. One approach, for example, involves using a public key technique to deliver the DES key and DES to encrypt the contents for confidentiality. As an example of another approach, the DCE noted above generates session keys and manages the keys with total transparency to the user. A result of this simplification has been the rapid evolution to using encryption for applications in the commercial marketplace, because encryption services may be included in typical information technology applications at a much lower cost.
Whole new classes of application and product have been developed which incorporate encryption in the product design. One example is automated teller products. In such systems the customer is assured of security without having to think about how this is achieved. Other examples of this product-design-encryption trend are non-repudiation and digital signature services in electronic data interchange and privacy enhanced mail on the Internet. These newest developments indicate that encryption will become more, rather than less, prevalent in the future — both in organizationally controlled environments and in stranger-to-stranger operation.
DESIGN & INTEROPERABILITY CONSIDERATIONS REQUIRE FLEXIBLE ENCRYPTION, AVAILABLE IN BOTH HARDWARE AND SOFTWARE
The importance of computer security has dramatically increased due to widespread deployment of distributed processing, open network highways, and greater interoperation of computing platforms from many vendors. To meet this challenge, the computer industry requires consistent cryptographic standards for algorithms, procedures and applications. It also requires vendor access to information regarding algorithms for freedom of implementation in various technologies and products. This access and the resulting flexibility of implementation are largely responsible for the success of DES and public key encryption. As a result of this evolution interested vendors have negotiated licenses for the use of RSA. DES licenses are available royalty free.
Other design and cost issues emerge when the application of key escrow/Skipjack to wireless technologies is examined. Experience to date with cordless and cellular phones shows that their vulnerability to being overheard is a significant weakness. The cutting edge of information technology products, both personal and for the office, rely on wireless technology. Thus, many organizational customers will demand encryption capability to maintain the confidentiality required for their operations. The vendor's margins for these devices are expected to be slim, due to fierce competition and savvy, cost-conscious customers. Thus a premium will continue to exist for flexibility in implementation and low cost.
Current rules-of-thumb put the final price of a component at four times its cost to the manufacturer. Therefore the cost of key escrow/Skipjack (currently estimated at $25) and its support circuitry could significantly raise a product's price compared to the price of the same product without this encryption capability. It is apparent that a hardware encryption method such as key escrow/Skipjack is a costly alternative to software embedded encryption, even with royalties.
For portable and personal devices there will be an additional issue raised by the size and power requirements of the physical embodiment. The limiting performance factor for such devices is battery life. Key escrow/Skipjack, then, must be designed to cause a very low power drain. Combining this with the restricted physical space available, an attractive design approach would be to use software encryption, since the designers typically seek to minimize the number of chips in the device.
The requirements of hardware/software implementations and interoperability are two vital requirements that are not met by key escrow/Skipjack. In summary, the classified nature of the Skipjack algorithm creates the following problems for industry:
1. Selection of a new, classified, unpublished algorithm for domestic commercial usage is counter to the need for broad interoperability and management of cryptography that is required by the customer.
2. The choice of classified technology for commercial applications restricts the industry's ability to effectively and efficiently meet market needs. Since details are unknown to product developers, it is impossible to implement that capability by embedding it in systems products. With a single classified key escrow/Skipjack implementation, this function cannot be effective in a broad range of products requiring cryptographic capability. Whereas published algorithms have been effectively engineered into products that range from a smart card to a mainframe, they do not rely on a single technological implementation.
3. Because the Skipjack algorithm is classified, software implementations are excluded. In some cases encryption, while needing to be secure, does not need to be fast. In this environment a software implementation might be the wisest, least expensive solution.
4. In certain applications there is a requirement to selectively apply encryption to data. For example, in supporting electronic mail the address on the "envelope" must be in the clear, even though the "letter" is encrypted. This will be difficult to implement without customizing the encryption service. Since Skipjack is classified and isolated on a chip, such customization is difficult at best.
THE CONDITIONS DO NOT EXIST FOR MANDATORY IMPLEMENTATION OF KEY ESCROW/SKIPJACK
Implementation of key escrow/Skipjack as a standard for data in the U.S., through extensive government procurement, would increase costs to the Government by the need to design security products for which there is very limited overseas demand. Specifically, the U.S. Government's guaranteed access to communications made with products that incorporate key escrow/Skipjack will make the products either unacceptable or highly undesirable for most non-U.S. customers. Other techniques (e.g., DES) will therefore continue to be used, even though they are subject to restrictive U.S. export controls. The resulting fragmentation of the market will provide an advantage to overseas producers, who will continue to market DES-based and other security products both in the U.S. and abroad.
The DES standard will continue to be used worldwide regardless of volume purchasing by the U.S. Government. The DES standard is already widely used in the banking industry, for commercial applications within the U.S., and by governments outside the U.S. Implementations are available in both hardware and software; investment in the installed base of DES applications is considerable. Consequently, U.S. firms will continue to be solicited to provide data encryption products based on DES. Some users stand to be disadvantaged commercially by implementation of key escrow/Skipjack. In the banking industry, for example, systems would have to be designed to this standard for communication with government agencies (e.g., the Federal Reserve); however, institutions will have to continue to maintain data communications based on both standards to serve non-U.S. financial institutions and institutions that do not communicate with the Federal Government.
Key escrow/Skipjack is not compatible with implementations worldwide. Since customers demand that devices interoperate with the installed base to protect the investment they have made in hardware, software and administration of their systems, they will be unlikely to accept devices implementing key escrow/Skipjack because they lack the interoperability they need.
INDEPENDENT OF KEY ESCROW/SKIPJACK, EXPORT CONTROLS ON ENCRYPTION SOFTWARE AND HARDWARE MUST BE RATIONALIZED
Although the Administration's key escrow/Skipjack proposal does not specifically state the export control policy to be applied to this technology, no discussion of encryption can omit the export control issue.
The U.S. controls all encryption products for export. Data encryption^4 is controlled as a military item by the Department of State. As a matter of policy, a virtual embargo is in place for all exports of products containing data encryption to commercial customers other than banks, even to end-users located in countries that are America's closest allies. This policy disregards the legitimate commercial need for strong encryption capability.
Despite the fact that many types of software products containing encryption, particularly those in the public domain and those that are sold on a mass-market basis, are beyond effective control, and also the fact that many overseas vendors are now offering strong encryption, the U.S. has made no significant change in its approach to controlling these products. As a result, U.S. companies experience a loss in potential sales and increased corporate security risk with no commensurate benefit in terms of national security.
Key escrow/Skipjack does not "cure" the fundamental problems of U.S. export controls on encryption. As the key escrow concept underlying the approach is designed to ensure access by the U.S. Government, products based on it will be either unacceptable or highly undesirable for most overseas customers, even in the absence of export controls. Thus export controls on this device are not needed or desirable.
In the study of export control issues, CBEMA and its members have received requests to provide the "facts" proving current controls impose a serious reduction in U.S. company competitiveness. Our consensus analysis of the issue for the future is contained in this paper. Our consensus comments about the past are in our statement for the June 2 NIST hearings. Our members individually have agreed to make available company proprietary information under appropriate arrangements to ensure confidentiality.
CBEMA RECOMMENDATIONS
This paper has examined the design, interoperability, cost, potential customer acceptance and export control problems that are obstacles to the widespread use and acceptance of key escrow/Skipjack. Yet CBEMA members are well aware of the concerns of the U.S. government that led to the development of key escrow/Skipjack. In an attempt to balance those concerns with the realities of the marketplace, CBEMA offers the following recommendations regarding the key escrow/Skipjack proposal.
4 We use the term "data encryption" to include all forms of controlled encryption for confidentiality. This term includes "file encryption."
1. CBEMA members have had much discussion regarding the implications of key escrow/Skipjack to the future of the information and telecommunications industries. It is predicted that much of the previously separate technology of voice, fax and data will converge. Current and future multimedia personal workstations are examples of this convergence. In this environment the workstation will serve as a voice answering machine, take voice dictation, fax information from a fax modem and have the ability to store, manipulate and send images. Indeed, the confusion on the possible scope of key escrow/Skipjack was emphasized in the draft Federal Information Processing Standard (FIPS) regarding escrowed encryption (EES). This draft contained an unusual description of the scope by defining the word "data" to include voice, fax, and computer information sent across telephone lines.
Before the merger of these technologies, it was appropriate to look at each application and build hardware and software satisfying that specific application. Because of this former approach, there is limited embedded investment within government and industry in telephone and telephony products used in encrypting unclassified voice communications. It would therefore seem that financial and operational dislocation problems would be minimized if the use of key escrow/Skipjack were restricted to these traditional applications and its use were to remain voluntary.
However, employing key escrow/Skipjack even to secure traditional telephony applications can be expected to create undesirable product design and market ramifications for computer and software industries due to the previously mentioned convergence of these technologies. It seems inappropriate that the government would continue to view these as separate and distinct application areas when the rest of private industry is enjoying the benefits from an integrated approach. There is the possibility that key escrow/Skipjack could conceivably satisfy the need for encryption in government and commercial traditional telephony applications if the resulting devices could accommodate the space, cost, throughput and power constraints that are imposed by the key escrow/Skipjack devices. Such investments should be made with the knowledge that successful completion of Recommendations two through four could obsolete that investment.
2. Key escrow/Skipjack, given present limitations, is unsuitable for applications in which there is an embedded base of DES or similar capability, particularly of the software variety. Therefore CBEMA recommends that DES be recertified as a federal standard for data communications for an additional five years. During these five years, government should collaborate with industry to achieve a mutually acceptable encryption standards strategy, applicable to all communications, i.e., voice and data, and narrow and broad band communications. Both DES and public key encryption should be considered in this effort, including the possible application of the concept of key escrow to these technologies.
3. Develop an encryption strategy in a public standards forum, i.e., the American National Standards Institute Accredited Standards Committee on Information Processing Systems, X3, in the U.S., and then the International Organization for Standardization/International Electrotechnical Commission Joint Committee on Information Technology, JTC-1, internationally, with the objective of achieving one or more encryption standards capable of meeting the requirements and acceptable to all users. CBEMA strongly recommends that all relevant issues, including international acceptance, be considered with the specific objective of agreeing on one or more international standards to satisfy the public need for encryption for information transfer of every kind in various environments.
4. The government has requested industry's assistance to develop a software embodiment of Key Escrow/Skipjack. The government should issue a request for proposal through an agency, e.g., the Advanced Research Projects Agency, for pursuit of a software implementation of a strong encryption facility to be accomplished without compromising the facility's nature.
5. In view of the widespread availability of encryption products worldwide and the legitimate commercial need for encryption products, CBEMA urges that the following improvements be made with regard to export controls on encryption. These improvements will more closely align the U.S. with COCOM policies and will also enable U.S. companies to compete internationally:
• Software that is publicly available or mass market (per the internationally accepted COCOM definition) should be decontrolled except for shipment to terrorist and embargoed countries.
• Hardware implementations of decontrolled software should be similarly decontrolled.
• Dual-use encryption (not specifically designed for military applications) should be controlled under the Export Administration Act and be subject to Department of Commerce jurisdiction, not controlled under the ITAR.
• Encryption functionality currently under Commerce Department jurisdiction and controlled under national discretion procedures should be decontrolled.
• In view of the fact that overseas demand for key escrow/Skipjack will not pose any danger to the United States, encryption functionality provided by key escrow/Skipjack should not be controlled for export.
Prepared Statement of the United States Council for International Business
The U.S. Council for International Business is pleased to submit its views on encryption and Clipper.
Introduction
The U.S. Council represents American business positions in the major international economic institutions, and before the Executive and Legislative branches of the U.S. Government. As the U.S. member of the International Chamber of Commerce (ICC), the Business and Industry Advisory Committee (BIAC) to the OECD, and the International Organization of Employers (IOE), the U.S. Council is the American business group that officially consults with the key intergovernmental bodies influencing international business. Its primary objective is to promote an open system of world trade, finance, and investment.
The Need for an International Encryption Policy
The U.S. needs a comprehensive encryption policy that provides security for communications. Such an encryption policy should preserve the right of privacy for business and individuals in voice and digital communications transmissions. At the same time, we recognize the government's legitimate interest in accessing telephone communications for law enforcement and national security reasons. We therefore support the U.S. Administration's directive to Government agencies to develop a comprehensive encryption policy, as announced one year ago on April 16, 1993.
An encryption policy, however, is not solely a domestic issue. The presence of an internationally accepted encryption policy is essential, as companies operate in a global marketplace. International businesses are demanding seamless webs of communications networks whereby information can flow in a free and secure manner. Today secure communications are critical to intra- and inter-corporate communications and transactions, as hackers, criminals and unauthorized parties find increasingly sophisticated tools to violate the privacy and security of communications systems. Companies need effective, internationally accepted cryptographic standards for secure communications and digital signatures to conduct their operations. Although highly technical in nature, such standards could have a profound effect upon the competitiveness of U.S. manufacturers and users of products with encryption features.
"Clipper"
The Executive Branch's announcement in April 1993 of its encryption initiatives raised great concern among U.S. businesses. Since these initiatives (Clipper and Capstone) do not employ internationally accepted standard technologies and algorithms, business will be forced to employ dual systems in order to ensure secure communications on a global scale. Implementation of these initiatives will represent significant cost to American industry in equipment, software, and other resources.
The U.S. Council's concerns over the Administration's initiatives were expressed in a December 16, 1993 letter to Secretary of Commerce Ronald H. Brown and a March 3, 1994 letter to Vice President Albert Gore. In our letter to Vice President Gore, we said that despite the overwhelming negative public response, the Clipper initiative was still being advanced. Recently, there have been presentations given and press coverage on a new encryption initiative known as Tessera which implements the Capstone chip. Since Tessera has the same fundamental attributes as Clipper, our concerns, as explained below, also apply to Tessera.
As a voice of business, representing large users and vendors of encryption systems, the U.S. Council would like to concentrate its comments on Clipper on three issues of great concern to its members:
(1) competitiveness,
(2) cost to users, and
(3) liability.
1. COMPETITIVENESS
To be competitive in the global marketplace, U.S. companies must be able to sell and integrate into their products, systems that are freely exportable and desirable to users worldwide. Multinationals need secure communications so they can interact not only with their offices but also their suppliers and customers worldwide. For example, in order for financial institutions to be competitive they must use encryption systems, for banking and non-banking applications, that are acceptable worldwide so they can communicate with other financial institutions and their customers around the world. The competitiveness of U.S. companies can be approached from two separate, yet interrelated aspects:
(a) Foreign desirability for chip devices, and
(b) Current export restrictions.
a. Foreign desirability of the key escrow chip
It is unlikely that foreign buyers, especially foreign governments, will want a system developed by the U.S. Government, whereby the U.S. Government holds, or has access to, the keys. Foreign import controls and regulatory requirements for encryption systems present yet another impediment to the foreign sales of Clipper. While there are few obstacles to sales of U.S. encryption products in most foreign countries, some countries require full disclosure of the algorithm or demand that the manufacturers or users deposit the key with the proper authorities. Clipper contains a classified algorithm so it cannot be registered in countries that require disclosure of the algorithm. As the U.S. Government is the holder of, or has access to, the key, a user of Clipper could not deposit the key and it is not known whether the Government will comply with this requirement. Therefore, it seems unlikely that Clipper could be sold in countries that have such requirements.
b. Current export controls
The competitiveness of U.S. companies has suffered long enough under current export control restrictions. DES and RSA use algorithms that are unclassified, widely available around the world, internationally-accepted, implementable in hardware and software, and, most importantly, secure for communications. These encryption systems have been under, and are continually subject to, public scrutiny. As such they have stood the test of time; there have not been any proven successful attempts to break DES or RSA. By protecting economic interests, DES and RSA enhance national security.
Although DES and RSA are widely available and used around the world, they are subject to export control restrictions. Non-U.S. vendors produce and sell these systems in foreign countries where U.S. companies are prohibited from selling because of U.S. export controls. Other encryption systems, based on less powerful algorithms (RC2 and RC4), can be exported on a fast-track export licensing approval process. These weaker systems, however, are less desirable to users of encryption systems. Multinational corporations need to communicate, in a secure manner, with their vendors and customers around the world and should not be prohibited from using the most secure system available. These weaker systems are also less appealing in the international market because foreigners can produce and use the more powerful DES and RSA systems. Moreover, because many foreigners are not subject to the strict export controls that exist in the U.S., non-U.S. manufacturers can sell within their own country and to other countries, where U.S. companies cannot compete. Our competitiveness will only worsen if existing restrictions continue while foreign capability to provide and use powerful encryption systems increases. The logic behind continuing such strict controls on certain U.S. exports, which have wide foreign availability, seems flawed and therefore such controls should be abolished.
2. COSTS TO USERS
There are also substantial operational and administrative costs associated with Clipper. Since Clipper does not interoperate with other encryption systems such as DES, RSA, RC2, and RC4, users will face an additional cost of acquiring the device that contains the Clipper chip. Although the chip itself is relatively inexpensive (approximately $25 per chip), the cost of implementing it into existing communications systems, or in addition to current systems, will be substantial. The cost to buy the device that contains the Clipper chip will be many times more than the chip itself. Given the substantial investment already made in the installed base of DES and RSA products, the cost to buy additional and different devices is large. Moreover, this is an additional cost that many businesses will essentially be forced to absorb. Corporations that communicate with U.S. Government agencies that use Clipper will also have to use Clipper and thus absorb the costs.
The administrative costs, such as key management to support differing encryption systems, are also substantial. When key management is implemented for only one encryption system, the cost can be held to a minimum. If users need to implement several key management operations, supporting different encryption systems, the costs will be significant.
3. LIABILITY
Lastly, the U.S. Council is very concerned about the issue of liability. Since Clipper is a hardware-based device through which information is encrypted, a compromise of the key will destroy the security of the system and all data contained therein. It is unclear how a company would know if the key has been compromised, who is liable, and who should bear the cost of replacement. Moreover, the consequential damages resulting from a breach in security might be tremendous and possibly unrecoverable. In DES and RSA systems, the user selects his own key; therefore, the keys are not susceptible to being compromised beyond the user's own control. In the case of Clipper, the main keys are assigned during manufacturing, are not changeable by the user and are escrowed with designated agencies. Even though the Government is responsible for developing and holding, or having access to, the keys, it has stated that it would not be liable for any compromise of the keys.
Recommendations
Any encryption policy should be based on an algorithm that is unclassified, implementable in hardware and software, and useable in interconnected networks that are defined by today's global economy. The preferred approach is to use algorithms that are standards (i.e., DES and RSA) and which can be used for digital signature, message authentication, encryption, and key management where the key management system is controlled by its user. Moreover, the encryption system should neither be subject to export control restrictions nor incompatible with existing encryption systems used worldwide. The U.S. Government and the private sector should work together in an open forum to develop an acceptable encryption policy. Our efforts should be coordinated with foreign governments, international institutions, and the international business community to develop a global encryption policy.
Crypto Policy Perspectives
by Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy Denning, Whitfield Diffie, Anthony Lauck, Douglas Miller, Peter Neumann, and David Sobel
On April 16, 1993, the White House announced the Escrowed Encryption Initiative, "a voluntary program to improve security and privacy of telephone communications while meeting the legitimate needs of law enforcement." The initiative included a chip for encryption (Clipper), to be incorporated into telecommunications equipment, and a scheme under which secret encryption keys are escrowed with the government; keys will be available to law enforcement officers with legal authorization. The National Security Agency (NSA) designed the system and the underlying cryptographic algorithm SKIPJACK, which is classified. Despite substantial negative comment, ten months later the National Institute of Standards and Technology approved the Escrowed Encryption Standard (EES) as a voluntary Federal standard for encryption of voice, fax, and computer information transmitted over circuit-switched telephone systems.
Underlying the debate on EES are significant issues of conflicting public needs.^1 Every day, millions of people use telephones, fax machines, and computer networks for interactions that used to be the province of written exchanges or face-to-face meetings. Private citizens may want to protect their communications from electronic eavesdroppers. Law enforcement seeks continued access to criminals' communications (under legal authorization). In order to compete in the global marketplace, U.S. manufacturers want to include strong cryptography in their products. Yet national-security interests dictate continued access to foreign intelligence. Both the EES and the controversy surrounding it are but the latest and most visible developments of a conflict inherent in the Information Age. Electronic communication is now an unavoidable component of modern life.
1 EES is primarily for use with telephones and fax machines, but this report also addresses the expected extension of escrowed encryption to a broader context than the present Federal standard.
Many times a day people transmit sensitive data over insecure channels: reciting credit card numbers over cellular phones (scanners are ubiquitous), having private exchanges over E-mail (Internet systems are frequently penetrated), charging calls from airports and hotel lobbies (our Personal Identification Numbers (PINs) are easily captured). The problem is magnified at the corporate level. For several years in the nineteen-seventies, IBM executives conducted thousands of phone conversations about business on the company's private microwave network — and those conversations were systematically eavesdropped upon by Soviet intelligence agents.
IBM's situation is not unique. Weak links exist throughout electronic communications, in networks and in distributed computer systems. Often the vulnerability of communications allows system penetration. Computer systems can be a weak link. Deceptive communications can easily undermine users' confidence in a system. For example, a group of students at the University of Wisconsin forged an E-mail letter of resignation from the Director of Housing to the Chancellor of the University. There can be denials of service because of altered or jammed communications; "video pirates" have disrupted satellite television programs a number of times.
Over the past five years thousands of mainframe computers have been replaced by networked distributed computing systems. This process is accelerating, and that change will only increase the importance of secure electronic communications. The National Information Infrastructure (NII), the "information superhighway", will have an even greater effect. Businesses will teleconnect with customers to sell and bill. Manufacturers will electronically query suppliers to check product availability. Insurance companies, doctors and medical centers will carry on electronic exchanges about patient treatment. The emerging technologies of the Information Age are revolutionizing the ways in which people exchange information and transact business. Much of the information being sent on the NII will be sensitive. Protecting confidentiality, authenticity and integrity in the information infrastructure is extremely important to economic stability and national security.
How can communications security be achieved? A very important part of the solution is cryptography. Cryptography was once the domain of generals and small children, but the advent of the Information Age has sharply increased the public's need for it. Cryptography can help prevent penetration from the outside. It can protect the privacy of users of the system so that only authorized participants can comprehend communications. It can ensure integrity of communications. It can increase assurance that received messages are genuine.
Confidentiality, the benefit most often associated with cryptography, is obtained by transforming (encrypting) data so that it is unintelligible by anyone except the intended recipient. Integrity is a security service that permits a user to detect if data has been tampered with during transmission or while in storage. Closely related to integrity is authenticity, which provides a user with a means of verifying the identity of the sender of a message.
Over the last twenty years several strong cryptographic algorithms^2 have emerged, including the Data Encryption Standard, or DES, and the public key algorithms, Diffie-Hellman and RSA. DES is coming to the end of its useful life with its key size and complexity being overtaken by improvements in speed and cost of computers. Because strong cryptography for confidentiality purposes has the potential to interfere with foreign intelligence gathering, the U.S. government generally does not permit the export of strong cryptography for confidentiality purposes. Strong cryptography can also impede electronic surveillance by law enforcement. Yet the U.S. private sector, from bankers to the future users of the NII, needs strong cryptography.
CRYPTOGRAPHIC ALGORITHMS
The Escrowed Encryption Standard (EES) was proposed as a solution to these conflicting problems, by making available strong cryptography while providing a mechanism through which law enforcement could access encrypted communications. But EES raises problems of its own:
(i) Many are uncomfortable with a cryptographic scheme in which the private keys of users are available to the U.S. government,
(ii) Many distrust a scheme where an algorithm for public use is classified,
(iii) Foreign buyers may be unwilling to purchase products that implement the EES, and
(iv) The algorithm is available only in hardware form, increasing costs and decreasing flexibility.
2 Strong cryptographic algorithms are ones which are exceedingly difficult to break by attacks including exhaustive search over the entire key space.
In 1975, the United States proposed DES for the protection of "sensitive but unclassified information" by government agencies. DES, which was designed by IBM, was adopted as a Federal Information Processing Standard (FIPS) in 1977 (in the same series that now includes the EES). It is a private or single-key system and the key used to protect communications between two parties must be known to both parties and kept secret from everyone else.
At the time DES was proposed, it enjoyed a period of controversy in which its keys were characterized as too small and other weaknesses were suspected. Despite this, DES has proven remarkably resistant to public attacks.
At about the same time, academic researchers developed a family of cryptographic techniques that became known as public-key or two-key cryptography. One approach, proposed by Ralph Merkle at Berkeley and refined by Whitfield Diffie and Martin Hellman at Stanford, allowed two parties to negotiate a common secret piece of information over an insecure channel. Another, proposed by Diffie and Hellman and realized by Ron Rivest, Adi Shamir, and Leonard Adleman of MIT, made it possible to use a key that was not secret (a public key) to encrypt a message that could only be decrypted by a particular secret key. Conversely, a message transformed by a secret key could be verified as coming from the sender by applying the sender's public key. This second use of public-key technology came to be called a digital signature.
By 1991, the RSA system, which is based on the notion that factoring integers is computationally much more difficult than multiplying them, had become the de facto standard for digital signatures. The list of licensees of RSA digital signature technology^3 read like a computer industry roll-call: Apple, AT&T, DEC, IBM, Lotus, Microsoft, Northern Telecom, Novell, Sun, WordPerfect.
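The digital-signature idea of the preceding paragraphs, a message transformed by a secret key and checked with the matching public key, can be seen concretely in the RSA arithmetic that the paper mentions. The following is an added illustration, not code from the paper, its authors, or any RSA licensee. It signs a SHA-256 digest with the private exponent d and verifies with the public exponent e; the primes are the Mersenne primes 2^127 - 1 and 2^521 - 1, chosen only because they are certainly prime and need no primality test, so this key is a toy that anyone can factor. Real implementations use two random primes and a padding scheme such as RSA-PSS rather than a raw hash-then-exponentiate.

```python
"""Textbook RSA signature: s = H(m)^d mod n, checked by s^e mod n == H(m).

Added example for this hearing record; not the paper's or any vendor's code.
Primes are publicly known Mersenne primes, so n factors instantly and the
key protects nothing. Real keys use random primes and RSA-PSS padding.
"""
import hashlib

P = 2**127 - 1       # toy prime (public knowledge, so n = P*Q is trivially factored)
Q = 2**521 - 1       # toy prime; n is about 648 bits, larger than a SHA-256 digest
E = 65537            # conventional public exponent; coprime to (P-1)(Q-1) for these primes


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public, private) as ((n, e), (n, d)), where d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """Sign a fixed-size SHA-256 digest of the message, never the raw message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Only the holder of d can compute H(m)^d mod n."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding (n, e) checks that s^e mod n equals H(m)."""
    n, e = public_key
    if not 0 < signature < n:            # reject out-of-range values outright
        return False
    return pow(signature, e, n) == digest_int(message)


def demo():
    public, private = make_keypair()
    msg = b"purchase order 4711: 200 units"        # constructed sample message
    sig = sign(private, msg)
    genuine = verify(public, msg, sig)
    # The same signature over an altered message must fail verification.
    altered = verify(public, b"purchase order 4711: 900 units", sig)
    return genuine, altered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The verifier needs nothing secret: the public pair (n, e) is enough to check the signature, which is why the paper can describe the signing key as secret and the checking key as public. The defender's interest is in the second half of demo(): any change to the signed bytes, or any signature produced without d, is rejected.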
RSA and DES provide the U.S. commercial sector with techniques for achieving confidentiality, integrity and authenticity; for example, Privacy Enhanced Mail (PEM), an Internet standard for secure E-mail, combines them to achieve security. However, with the exception of exporting DES for use by financial institutions or foreign offices of U.S.-controlled companies, the State Department typically refuses export licenses for confidentiality systems employing the algorithm. Despite this, DES is believed to be the most widely used cryptosystem in the world, except perhaps scramblers used for pay-television. In the United States, the American Banking Association recommends DES whenever cryptography is needed to protect financial data. DES is the cryptographic scheme most often used in commercially available secure telephones.
The export system presents a problem for U.S. industry, all the more so since DES is widely available outside the United States. A March 1994 study by the Software Publishers Association lists thirty-three foreign countries with 152 cryptography-based products using DES.
EMBEDDING CRYPTOGRAPHY
A brief look at communication systems explains the importance of cryptography in achieving security. Telephony is an excellent example. The only way to provide a secure voice path between two telephones at arbitrary locations is to encrypt the words spoken into one and decrypt them as they come out of the other. Public-key cryptography makes it possible for the two phones to agree on a common key known only to them without the mediation of a trusted third party. The users simply establish the call, push a button, and wait a few seconds for the phones to make the arrangements.
In the simplest systems, the users must rely on voice recognition to assure authenticity, just as with unsecured phone calls. If the system must provide authentication to users who do not know one another, some central administration is required to issue cryptographic credentials by which each phone can recognize the other.
[3] RSA is patented in the U.S.
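The key agreement the two phones perform, as an added example that is not from the report and is not Clipper/EES code: textbook Diffie-Hellman over the 1024-bit MODP group of RFC 2409 (assumed here only because it fits on the page; it is too small for current use), followed by the interception the preceding paragraph warns about. An attacker who can substitute public values on the line ends up sharing one key with each phone while both phones believe they share a key with each other; only a credential issued by some administration, binding a public value to a phone, lets either side notice. The function and variable names are the example's own.

```python
"""Diffie-Hellman key agreement between two 'phones', and the
man-in-the-middle that unauthenticated agreement permits.  Added
illustration; not code from the hearing record."""
import hashlib
import secrets

# 1024-bit MODP group (RFC 2409, "Second Oakley Group"), generator 2.
# Assumed here because it fits on the page; modern use needs 2048 bits or more.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def is_valid_public(y):
    """Reject degenerate peer values (0, 1, p-1) that would force the
    shared secret into a tiny, predictable set."""
    return 2 <= y <= P - 2


def keypair():
    """Private exponent in [2, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def shared_key(own_private, peer_public):
    """Agreed group element, hashed down to a 128-bit session key."""
    if not is_valid_public(peer_public):
        raise ValueError("peer public value out of range")
    s = pow(peer_public, own_private, P)
    return hashlib.sha256(s.to_bytes(P_BYTES, "big")).digest()[:16]


def honest_exchange():
    """Phones A and B exchange public values directly."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)


def mitm_exchange():
    """Interceptor M replaces each public value in transit with its own.

    Returns (A's key, B's key, M's key with A, M's key with B).  A and B
    each derive a key that M also holds, and their two keys differ."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    key_a = shared_key(a_priv, m_pub)   # A believes m_pub came from B
    key_b = shared_key(b_priv, m_pub)   # B believes m_pub came from A
    return key_a, key_b, shared_key(m_priv, a_pub), shared_key(m_priv, b_pub)


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, keys match:", ka == kb)
    key_a, key_b, m_a, m_b = mitm_exchange()
    print("MITM: A's key known to M:", key_a == m_a,
          "B's key known to M:", key_b == m_b,
          "A and B agree:", key_a == key_b)
```

Running the module directly prints that the honest keys match and that, under interception, each phone's key is held by M while the two phones disagree with each other; nothing in the exchange itself reveals which case occurred, which is why the text says a central administration must issue credentials that each phone can check.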
Currently, secure telephones are expensive. In addition to the cryptographic devices, a secure phone must include a voice digitizer to convert speech to a form in which it can be encrypted and a modem to encode the digitized signal for transmission over the phone line. As a result, the least expensive secure phones cost over a thousand dollars apiece.
Securing communications for computers in a distributed system presents different problems. There is no analogue of voice recognition. If authentication is to be available, it must be done by formal cryptographic procedures. This requires the computers to identify people or machines through long-term keys. The relationship between telephones, even secure telephones, is conceptually simple: they set up calls and transmit sound. The relationship between computers in a distributed system is considerably more complex: machines routinely share files and execute programs for each other. These wedded interactions complicate the process of protection and make computer break-ins difficult to prevent.
System owners are typically unwilling to make substantial investments in hardware or software for security purposes, although they may be willing to pay some premium for products that contain integrated security features. Many vendors see software as the least expensive means of adding cryptographic security features to their products.
A secure mail system like PEM is the workstation analogue of a secure telephone; it encrypts and decrypts mail so the user can correspond privately. Unfortunately, a software implementation of PEM is vulnerable to penetration of the program, including the compromise of its long-term keys. One of the ways in which such penetrations occur is through the implanting of modified programs or other data into the user's working environment. Without trustworthiness, cryptography embedded in an application or in the operating system is no panacea.
LAW ENFORCEMENT
Technology causes a constant rearrangement in the relationship between the criminal and the law. The advent of telecommunications enabled criminals to execute their plans more covertly. Once law enforcement learned how to listen in, officials could do so without placing themselves in danger. Wiretapping is a tool that diminishes the value of communications to criminals; cryptography potentially counters this.
Current wiretap law dates from the 1968 Omnibus Crime Control and Safe Streets Act; Title III of the Act established the basic law governing interceptions in criminal investigations. In 1978 the Foreign Intelligence Surveillance Act established the national-security counterpart to Title III, authorizing electronic surveillance for foreign intelligence.
Title III requires a court order for the installation of a wiretap (as do most FISA intercepts). For Title III orders there must be probable cause to believe that the targeted communications device — whether phone, fax, or computer — is being used to facilitate a crime, which must be one of those enumerated by the law. Thirty-seven states also have statutes authorizing wiretaps; by law, the state requirements must be at least as restrictive as the Federal statute.
Since 1968, when Title III was passed, there have been approximately nine hundred Federal and state wiretaps annually. In data released by the Administrative Office of the U.S. Courts, between 1968 and 1992, the average annual number of incriminating conversations intercepted has remained between two and four hundred thousand. In 1992, the average cost of installing a wiretap and subsequently monitoring it was $46,492.
The law enforcement community views wiretaps as essential. Such surveillance not only provides information not obtainable by other means, it also yields evidence that is considered extremely reliable and probative. According to the FBI, organized crime has had severe setbacks due to the use of wiretap surveillance. The FBI believes the tool is critical for drug cases. Wiretapping is an important investigative technique in cases of governmental corruption and acts of terrorism.
The importance of wiretap surveillance was the reason for the Digital Telephony Proposal, which was developed by the FBI and submitted to Congress in 1992. To ensure that the government's ability to intercept communications is not curtailed by the introduction of advanced digital switching technology, this proposal requires providers of electronic communication services to design their switches accordingly. Major members of the computer and communications industries, including AT&T, Digital, Lotus, Microsoft and Sun, strongly opposed the proposal, and there were no Congressional sponsors. A revised proposal was recently submitted for consideration.
The Digital Telephony Proposal concerns access to communications, but law enforcement is also concerned about its ability to understand those communications after interception. Off-the-shelf encryption technology may be an easy way for lawbreakers to foil criminal investigative work. Members of the law-enforcement community view EES as a solution that provides the public with strong cryptography while not compromising investigators' ability to comprehend legally intercepted communications.
NATIONAL SECURITY
Foreign access to cryptography of even moderate strength poses a problem for U.S. intelligence. Those who think about vulnerabilities from the viewpoint of security typically regard strong encryption of each message as the only barrier to communications intelligence. However, a message cannot be analyzed until it has been located. Locating the traffic of interest is as important a problem as any. Even encryption that is too weak to resist concerted attack can multiply the cost of targeting traffic several-fold.
The growth of communications intelligence in this century has been accompanied by a similar growth in techniques for protecting communications, particularly cryptography. Nonetheless the communications intelligence product is now better than ever. In the recent past, there has been migration of communications from more secure media such as wirelines or physical shipment to microwave and satellite channels; this migration has far outstripped the application of any protective measures.
But while the United States may be the greatest beneficiary of communications intelligence in the world today, it is also its greatest potential prey. The protection of American communications against both interception and disruption is vital to the security of the country.
When DES was adopted as a government standard in 1977, cryptographic protection of substantial quality became available in both hardware and software packages. With hindsight, some in the intelligence community might consider the public disclosure of the DES algorithm to have been a serious error. DES-based equipment became available throughout the world; cryptographic principles revealed by studying the algorithm inspired new cryptographic designs; and DES provided a training ground for a generation of public cryptanalysts.
EXPORT CONTROL
National-security experts argue that export control is essential if the U.S. is to protect its communications without affording protection to the rest of the world. Export-control policy seeks to limit foreign accessibility to strong cryptography. Internet availability of strong cryptography notwithstanding, many security experts believe that the export control policy is working. They argue that foreign organizations that are concerned about protecting their information from sophisticated intercept are not likely to download an encryption program from the Internet. Others disagree, and believe that the only real effect of present export-control policy is to ship U.S. jobs overseas. Many complain that export control has had a chilling effect on American business by making U.S. products less competitive.
Export-control policy on cryptography has complicated development of secure systems. An example is provided by Digital Equipment's Distributed System Security Architecture (DSSA), which DEC spent many years and many millions of dollars developing. In planning the system, Digital sought to make a product which would pass government export controls for cryptography. In particular, in designing DSSA Digital engineers carefully separated authentication from confidentiality. They began building two distinct versions of the product, a domestic one with authentication and confidentiality, and one for export, with authentication only. This additional complexity slowed the work. A Digital senior manager familiar with the program asserted that the delays associated with attempts to meet export restrictions were a significant factor in Digital's decision to abandon DSSA.
Cryptography is not the only American product subject to export control. Striking a balance between economic strength (by opening markets for U.S. companies), and protecting national security (by restricting the sale of military technology) requires making complex choices. What differentiates this conflict from, say, the exportability of supercomputers, is that equivalent cryptographic products are available for sale internationally. Opponents of cryptographic export controls argue that U.S. vendors are penalized while cryptographic products proliferate. Proponents of these controls argue that the most serious threat to foreign intelligence gathering comes not from stand-alone products that constitute most of the market, but from well-integrated, user-friendly systems in which cryptography is but one of many features. From this perspective, it is essential to control export of the commodity, desktop hardware and software with integrated cryptography. The U.S. is the pre-eminent supplier of such products.
National-security experts have argued that removal of U.S. export controls on cryptography would result in the imposition of foreign import controls; they point to France, which does not permit the use of encryption without governmental registration of the algorithm. In recent years, the policy of the U.S. government has been to oppose trade restraints, so this contention is something of an about-face. It is speculative. At present, no Western European governments other than France restrain the import of cryptographic products, and only a few Asian governments do so.
The EES may have an indirect impact on the export of computer equipment. Export of key-escrow equipment will be permitted, but both the secrecy of the algorithm and the U.S. government's possession of keys may dampen the enthusiasm of prospective foreign buyers. In order to build products for both the domestic and export markets, computer vendors might need to support two sets of cryptographic algorithms.
THE RIGHT TO PRIVACY
If law enforcement and national-security interests argue against the availability of strong cryptography without key escrow, other traditions of the U.S. argue strongly in its favor. The right to privacy, the "right to be left alone," is fundamental to American life. Civil libertarians view the availability of strong cryptography as necessary to the ability to communicate in privacy.
Protecting Americans' privacy rights is a constant struggle. Private industry, including credit bureaus, insurance companies, and direct marketers, collects a vast amount of information about individuals. The proliferation of electronic databases has only exacerbated the problems Congress attempted to ameliorate twenty-four years ago, when it passed the Fair Credit Reporting Act. Despite abuses by the private sector, civil-liberties groups view government abuse of privacy with much greater concern. In its attempt to ensure the safety of its citizens, the government can overstep boundaries of the rights of the individual. One does not have to look far back in the nation's history to find egregious examples of such abuse.
Based on information illegally supplied by the Census Bureau, one hundred and twelve thousand Americans of Japanese ancestry were put in internment camps during World War II. During the nineteen-sixties, the FBI regularly taped conversations of many civil rights leaders, including Martin Luther King. The 1974 Senate Select Committee to Study Governmental Operations found numerous examples of the NSA abuse of privacy rights of private individuals. As a direct result of these activities, legislative, executive order and regulatory provisions were instituted with the intent of eliminating future such occurrences.
Privacy rights are one of the individual's most potent defenses against the state. Privacy rights of the individual are embedded in the Fourth and Fifth Amendments. Supreme Court Justice Louis Brandeis said it eloquently in his dissent on the Olmstead wiretapping case,
The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. They recognized the significance of man's spiritual nature, of his feelings and his intellect * * * They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone — the most comprehensive of rights and the right most valued by civilized man * * *[4]
Privacy, however, is not always deemed absolute. Sometimes privacy is traded for convenience. Americans are captured on video recordings as we shop; we leave behind electronic chronicles as we charge phone calls. We pay for milk and bread via an ATM withdrawal at the supermarket, and we leave a record of our actions where five years ago we would have left a five-dollar bill. Sometimes it is traded for safety. Each day hundreds of thousands of Americans pass through metal detectors to get on airplanes. Most people consider those intrusions of privacy well worth the assurance of greater public safety.
[4] Olmstead v. United States, 277 U.S. 438, 1928, pg. 752.
CRYPTOGRAPHY POLICY
Civil-liberties groups argue that constitutional protections need to keep pace with new technology. Their concern is that governmental attempts to limit the use of cryptography, whether through force of law, or through more subtle efforts such as market domination, can result in the foreclosing of privacy protection choices.
Concern over control of cryptography first arose when cryptography became an active area of research for academia and business. There were conflicts over which Federal agencies would fund non-governmental cryptography research, and whether such work might be subject to some form of prior restraint on publication.
In response to these difficulties, the American Council on Education convened a study group, which presented a set of voluntary guidelines for prepublication review of research papers in cryptography. The National Security Agency and the National Science Foundation worked out an agreement by which both agencies would fund cryptographic research. Research now flourishes in both domains.
Several years later, President Reagan issued National Security Decision Directive 145 (NSDD-145), establishing as Federal policy the safeguarding of sensitive but unclassified information in communications and computer systems. NSDD-145 stipulated a Defense Department management structure to implement the policy: the NSA, the National Security Council and the Department of Defense. There were many objections to this plan, from a variety of constituencies. Congress protested the expansion of Presidential authority to policy-making without legislative participation. From the ACLU to Mead Data Central, a broad array of industrial and civil-liberties organizations objected to Department of Defense control of unclassified information in the civilian sector.
In 1987 Congress sought to clarify the issue with the Computer Security Act, which assigned to the National Bureau of Standards (now the National Institute of Standards and Technology, or NIST) "responsibility for developing standards and guidelines to assure cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate."
Civilian computer security standards were to be set by a civilian agency. But seven years later both civil-liberties and industrial groups feel NSA is more involved in civilian standards than the Computer Security Act mandated. They point to the NSA-designed digital signature standard (DSS) and the cryptographic algorithm SKIPJACK that underlies EES. Concerns over national-security involvement in civilian matters, as well as concerns over the government plan to escrow keys of private users, have led such civil-liberties groups as the ACLU and Computer Professionals for Social Responsibility to oppose EES.
EES AND PRIVACY
Advocates of EES claim the availability of strong cryptography will provide Americans with better and more readily available privacy protection than they currently enjoy. They observe that no one will be forced to use it, and that other forms of encryption will be allowed. Opponents believe the potential for abuse by the government makes EES a danger not to be risked, and counter that if a large Federal agency like the IRS adopts EES, then electronic filers who choose to secure their transmissions may have to use EES. This would have the impact of making the voluntary standard the de facto national one.
There is no question that the market impact of the Federal government can be huge, although recent experience illustrates that the government's ability to influence the computer communication market is not always successful.[5] Adoption of EES, as a standard, voluntary or otherwise, decreases the chance there will be competing systems available. Indeed the true success of EES, as measured by law enforcement's continued ability to decrypt intercepted conversations, can only come at the expense of (widespread use of) competing systems for secure telecommunications.
Proponents respond that privacy protection will be better than ever. Should the government illegally tap a communication, the escrowed system will leave an electronic audit trail, and make the illegal interception easier to uncover than it is at present. Reminding us of the abuses of Watergate and the revelations of the Church Committee, civil-liberties groups contend that the NSA should not be building government trap-doors into the civilian communications infrastructure.
[5] The failure of the GOSIP initiative, an attempt to mandate procurement of computer communication protocols that conform to the ISO OSI standards, is one such example.
EES AND THE COMPUTER INDUSTRY
Meanwhile EES presents other problems for the computer industry. The government's attempt to create strong cryptography that would not hinder law enforcement's abilities to comprehend legally intercepted conversations led to a hardware solution. Industry prefers software implementations for a number of reasons. They are cheaper, and they offer a flexibility that hardware does not.
The industry has already made substantial investments in DES and RSA solutions for secure systems. In lots of ten thousand, Clipper chips will cost approximately $15; industry experts contend that this translates to a finished product with escrowed encryption capabilities costing about sixty dollars more than one without. From a vendor viewpoint, hardware encryption provides greater security but does so at much greater expense than software. It is not clear that prospective purchasers are willing to pay for this increased security.
THE BROADER POLICY ISSUES
In the full report, we discuss in detail the various policy and technical concerns surrounding cryptography. The problems of communications security and its cryptographic solution are technical ones, but the issues are much broader. They deserve careful and thoughtful public debate. We raise questions here and in the full report. Answers will take longer.
It took the Supreme Court nearly forty years to expound on the privacy of telephone communications. In the Olmstead case in 1928, the Supreme Court held that wiretapping evidence did not need court authorization. Over the next four decades, the Court slowly created a penumbra of privacy for telecommunications. Finally, in 1967, in Katz versus the United States, the Court held that a phone call in even so public a place as a phone booth was deserving of privacy — it could not be tapped without prior court authorization. Computer communications differ from the telephone, but it is likely that the public's embrace of this medium will be considerably more rapid than the acceptance of the earlier technology. How will law and policy for the protection of electronic communications evolve? Is there an absolute right to communications privacy?
Members of the law enforcement community believe that the widespread use of encrypted telecommunications (especially phone calls) will interfere with their ability to carry out authorized wiretaps. Is this a problem that needs a solution? Should cryptographic solutions for communications security include authorized government access for law enforcement and national security purposes?
What will happen if criminals use cryptography other than EES? The Digital Telephony proposal involves investment in the telephone infrastructure in order to ensure that court-authorized wiretaps can be carried out. These wiretap capabilities will be less useful if communications are encrypted. What is the relationship between Digital Telephony and EES? Will there be any future attempt to outlaw alternative forms of cryptography?
What would the success of escrowed encryption mean? Would it simply mean government use of EES-type products? Or would it mean a much more widespread use of EES products? Would it mean the availability of EES-type products to the exclusion of all else?
We are experiencing fundamental transformations in the way that people and organizations communicate. The very infrastructure of the nation is changing. The question we need to address is: How should we interpret the Fourth Amendment,
The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated; and no warrants shall issue but upon probable cause * * *
for the Information Age?
DESCRIPTION OF AUTHORS
Susan Landau is Research Associate Professor at the University of Massachusetts. She works in algebraic algorithms, which has applications to cryptography.
Stephen Kent is Chief Scientist-Security Technology for Bolt Beranek and Newman Inc. For over 18 years, he has been an architect of computer network security protocols and technology for use in the government and commercial sectors.
Clinton C. Brooks is an Assistant to the Director of the National Security Agency. He is responsible for orchestrating the Agency's technical support for the government's key escrow initiative.
Scott Charney is Chief of the Computer Crime Unit in the Criminal Division in the Department of Justice. He supervises five federal prosecutors who are responsible for implementing the Justice Department's Computer Crime Initiative.
Dorothy E. Denning is Professor and Chair of Computer Science at Georgetown University. She is author of "Cryptography and Data Security" and one of the outside reviewers of the Clipper system.
Whitfield Diffie is Distinguished Engineer at Sun Microsystems. He is the co-inventor of public-key cryptography, and has worked extensively in cryptography and secure systems.
Anthony Lauck is a Corporate Consulting Engineer at Digital Equipment and its lead network architect since 1978. His contributions span a wide range of networking and distributed processing technologies.
Douglas Miller is Government Affairs Manager for the Software Publishers Association.
Peter G. Neumann has been a computer professional since 1953, and involved in computer-communication security since 1965. He chairs the ACM Committee on Computers and Public Policy and moderates the Risks Forum.
David L. Sobel is Legal Counsel to the Electronic Privacy Information Center (EPIC). He specializes in civil liberties, information and privacy law and frequently writes about these issues.
Yankelovich Partners
3622 Campus Drive, Newport Beach, CA 92660

Memorandum

To: Data users
From: Hal Quinley
Date: March [day illegible]
Subject: Time/CNN poll

Here are the results of the latest Time/CNN poll conducted on March 2-3, 1994. The survey was conducted by telephone among 600 adult Americans. The sampling error is plus or minus 4%.
The Encryption Chip [title partly illegible] (March 2-3, 1994)

19. Which of the following do you think is more important?

    Protecting the ability of police and other government officials to catch criminals by listening to phone calls ........ 29%
    (Or,) Protecting the ability of private citizens to prevent anyone, including the police, from listening to their phone calls ........ 66%
    Not sure ........ 5%

20. It has been proposed that a computer chip be installed in every telephone, computer modem and fax machine. The government would be able to tap into these devices and listen to messages if a judge permits it. Do you favor or oppose giving the federal government this authority?

    Favor ........ 18%
    Oppose ........ 80%
    Not sure ........ 2%
Questions and Answers
Answers to Questions From Senator Leahy to Assistant Attorney General Jo Ann Harris
Question 1. What is the number of people who will have access to the key escrow facilities within the Commerce and Treasury Departments? What is the number of people with access to those keys that have been released pursuant to court order?
Answer 1. To begin with, it must be understood that the key-escrow databases will be held in encrypted form and that the escrow agents will be incapable of decrypting those databases. Nevertheless, both NIST and Treasury will strictly limit the number of individuals that have access to the key-escrow databases, with the objective of keeping that number to the minimum necessary to meet the requirements of the system, including the need for a 24-hour response capability. In each agency, the number of individuals with such access is expected to be no more than about a dozen, and, in each case, fewer than that number are expected to be involved in the chip programming process. Moreover, all such individuals will hold national security clearances at least to the Secret level.
We understand the second question as asking the number of persons who will have access to the key components at the agency to which the components have been released for use in conjunction with lawfully authorized electronic surveillance. We cannot, of course, provide a precise number of the persons at, for example, a field office of the Drug Enforcement Administration, who might be present when a key component is received from an escrow agent. In this regard, however, it should be remembered that the key components are stored and transmitted in encrypted form and that the encrypted components can only be decrypted, combined, and used by the decrypt processor. Therefore, the receiving law enforcement agency has no access to the unencrypted key. Consequently, we believe that what is important is not the number of persons at the receiving law enforcement agency who may lay eyes on an encrypted string of 80 bits, but, rather, the rigid controls over the conduct of electronic surveillance that may require decryption of key escrow-encrypted communications.
Question 2. Can an escrow agent exercise discretion in the release of key information? Can they refuse an inappropriate request?
Answer 2. The escrow agents are not in a position to exercise discretion regarding the propriety of releasing key components in response to properly submitted requests, because they should not substitute their judgment regarding the propriety of decrypting communications for the judgment of the court that has authorized the interception of such communications. The procedures for key component release to government agencies are intended to permit escrow agents to respond promptly to requests submitted in proper form and to maintain clear, auditable records of the transaction.
A properly submitted request will include, among other things, identification of the agency and individuals making the request, identification of the source of the authorization to conduct electronic surveillance, and specification of the termination date of the authorized surveillance period. Federal agency requests for releases under Title III or FISA will be followed by an attorney's confirmation of authority to conduct electronic surveillance; State or local requests are to be submitted by the principal prosecuting attorney of the State or political subdivision involved. A key escrow agent may not, of course, release a key component in response to a request not meeting the requirements for submission, including, for example, one that does not specify the source of the authorization.
Question 3. What is the process for auditing the activities of the escrow agents and use of the keys?
Answer 3. Auditing will be possible at various stages of the process, as well as in retrospect. Thus, for example, after being advised of a key component release request, the Department of Justice will make necessary inquiry to be assured that the relevant Federal, State or local authorities have been authorized to conduct electronic surveillance for criminal investigative purposes, or that relevant Federal authorities have been authorized to conduct electronic surveillance under FISA. (At least at the outset, such inquiry will be made in all cases.) Key component releases will require confirmation of receipt of the key components by the intended recipient agency.
The fully developed key escrow database system will provide permanent electronic records of transactions, particularly the details of releases of key components, with secure audit capabilities built in. The compliance of the key escrow agents will be subject to inspection, both by representatives of the Department of Justice and by inspection personnel within their own organizations, to verify the relationship between each key escrow component release and a properly submitted release request and receipt of a certification of termination of decryption capability in conjunction with the end of the authorized period of electronic surveillance.
Later versions of the decrypt processor will automatically terminate decryption ca- pability no later than the end of the period of authorized electronic surveillance. In the prototype version, decryption capabiUty is terminated manually. That termi- nation can easily be confirmed by physical inspection, particularly since, in the early stages of Uie program, the decrypt processors are expected to be centrally held.
These methods of confuming the integrity of the system are over and above those procedures normally associated with electronic surveillance. For example, electronic surveillance logs can be reviewed to confirm that a request for key component re- lease truly was associated with the particular wiretap on which the requester reUed.
Question 4. Situations have arisen where the government has created systems that were only supposed to be used for one purpose but have been permitted to be used for others. What protections are in place to make sure that the key escrow databases held by the escrow agents are never used for any purpose other than to decrypt messages pursuant to a lawful court order?
Answer 4. Each of the key escrow agents administers a database that comprises, essentially, two groups of data: a series of chip unique ID numbers and, for each chip unique ID number, a string of 80 bits that is stored only in encrypted form. Those databases contain no personal information associated with individuals who may own or use devices equipped with the particular chips; hence, the key escrow databases are not susceptible to the kinds of misuse to which databases of personal information might be subject.
Nonetheless, the Administration recognizes that it is crucial to ensure that key components contained in those databases are only made available to government agencies for use in conjunction with lawfully authorized electronic surveillance. For that reason, rigorous procedures for release of key components have been approved (copies of which are attached), and extremely strict database handling and processing technology and procedures have been implemented and are being further refined.
It should also be noted that key components will be provided requesting government agencies upon their certification of authority to conduct electronic surveillance; their actual submission of a court order will not be necessary.
Question 5. How will the released escrow keys be transported to the law enforcement agency requesting them? What safeguards will be used when transporting the escrow keys?
Answer 5. Key components are stored and transmitted to law enforcement agencies in encrypted form; they can be decrypted and combined only within the decrypt processor. Thus, neither the escrow agents, nor personnel at the law enforcement agency, will see the actual key components. Normally, the key components will be transmitted electronically. Initially, for use in the prototype version of the decrypt processor, they will be hand-carried by representatives of the respective escrow agents, to be manually entered (in encrypted form) into the processor. More advanced versions of the decrypt processor will be able to receive input of the key components electronically transmitted directly from the escrow facility.
Question 6. If an escrow location is compromised, all chip data contained there is compromised with what could be devastating consequences for U.S. Government and private sector entities using security devices with Clipper Chip. Do you anticipate that these locations will become targets of opportunity for any criminal or terrorist organization? What back-up or physical security measures are envisioned? If multiple copies of the keys are kept, does this increase the threat of compromise?
Answer 6. The key escrow system has been designed so that knowledge of one key component provides no information regarding the other key component, nor regarding the entire unique key. Moreover, the key components are themselves maintained in encrypted form, so that a person with access to a key component database does not even know the actual key components. Notwithstanding these safeguards built into the system, physical security of the key-escrow databases is a matter of fundamental concern, and security procedures for handling and storing the databases take full account of that concern. The key-escrow databases are to be held under the kinds of protections accorded the most sensitive kinds of national security information. Back-up database capabilities will be maintained, so that escrow agents will be able to respond in a timely fashion even if the primary site is, for example, incapacitated by a fire or power outage. The back-up capabilities are subject to the same levels of protection as the primary systems.
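The property stated in Answer 6 (one component reveals nothing about the other or about the whole 80-bit key) is what a two-party secret split must provide. The following is an added example, not part of the hearing record and not the Clipper design documents' own code: it splits an 80-bit chip unique key into two escrow components by XOR, the standard construction with exactly that property. That the escrow system used XOR is an assumption, as are all function names. The toy 8-bit comparison shows why the construction matters: a naive "give each agent half the bits" split leaves an adversary holding one component only 2^4 candidate keys to search, while the XOR split leaves all 2^8.

```python
import secrets

KEY_BYTES = 10  # the 80-bit chip unique key described in the record


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(unique_key: bytes):
    """Produce the two escrow components: c1 uniformly random, c2 = key XOR c1.
    Because c1 is drawn independently of the key, each component on its own is
    statistically independent of the key (XOR splitting is assumed here)."""
    c1 = secrets.token_bytes(len(unique_key))
    return c1, xor_bytes(unique_key, c1)


def combine_components(c1: bytes, c2: bytes) -> bytes:
    """Decrypt-processor side: recover the chip unique key from both components."""
    return xor_bytes(c1, c2)


# --- toy-sized comparison against a naive "half the bits to each agent" split ---

def split_halves_int(key: int, bits: int, _r: int = 0):
    """Naive scheme: agent 1 gets the high half of the bits, agent 2 the low half."""
    low_bits = bits - bits // 2
    return key >> low_bits, key & ((1 << low_bits) - 1)


def split_xor_int(key: int, bits: int, r: int):
    """XOR scheme on integers; r is the splitter's random choice for component 1."""
    return r, key ^ r


def keys_consistent_with_component(split, bits: int, observed_c1: int) -> int:
    """Count candidate keys that could have produced the first component an
    adversary holds, for some choice of the splitter's randomness r."""
    count = 0
    for k in range(1 << bits):
        if any(split(k, bits, r)[0] == observed_c1 for r in range(1 << bits)):
            count += 1
    return count


def residual_candidates(bits: int = 8) -> dict:
    """Compare both schemes for a constructed 8-bit key (2^80 cannot be enumerated)."""
    key = 0b10110010                      # constructed toy key
    halves_c1 = split_halves_int(key, bits)[0]
    xor_c1 = split_xor_int(key, bits, r=0b01010101)[0]
    return {
        "halves": keys_consistent_with_component(split_halves_int, bits, halves_c1),
        "xor": keys_consistent_with_component(split_xor_int, bits, xor_c1),
    }


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_BYTES)
    a, b = split_key(k)
    assert combine_components(a, b) == k
    print(residual_candidates())
```

The counting function is deliberately generic: it asks, for each candidate key, whether any randomness could have yielded the observed component, which is the question an adversary holding one escrow database would face.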
Question 7. A decrypt device will receive an electronic transmittal of the two key halves from the escrow agents. The decrypt device will then be able to decrypt the intercepted message, until the wiretap authorization ends, when it will automatically turn itself on. According to Department of Justice testimony at the May 3, 1994 hearing, one of these decrypt devices has been built. How many more of these devices do you expect to be built? Will the decrypt devices be maintained in the central secure facility? If so, who will maintain custody of the devices and how will they be distributed to the law enforcement agencies that need them?
Answer 7. Termination of a decrypt processor's ability to decrypt communications using a particular key-escrow chip is a fundamental protection built into the system, and law enforcement agencies that have received key components will be required to certify such termination. In the prototype model of the decrypt processor, that termination is effected manually; automatic termination will be available in later versions.
The number of decrypt processors that will ultimately be produced will probably be in large measure a function of the number of key-escrow equipped devices in use throughout the country and the number of times key-escrow encryption is encountered in the course of wiretaps. For the foreseeable future, it is likely that decrypt processors would be centrally held by the FBI, to be made available for use in the field on an as-needed basis.
Question 8. The objective of the key escrow encryption system is to provide "real-time" electronic surveillance rather than recording and post-processing of targeted encrypted communications. How will this be accomplished with only one decrypt device in the event that encrypted communications are intercepted over more than one wiretap?
Answer 8. As noted in the previous question, the key escrow system is still in its beginning phases and, therefore, the number of decrypt processors is, at the moment, necessarily limited. This condition will change over time. However, the fact that there is only one decrypt processor currently available does not mean that it can only be used in support of one wiretap at a time. The decrypt processor is capable of holding within its memory up to one hundred keys. Therefore, while it can only decrypt one communication at a time, it can readily be shifted from one wiretap to another as needed. Even wiretaps conducted at different locations can be accommodated by retransmitting an encrypted intercepted communication from the primary monitoring location to the location of the decrypt processor.
Question 9. The Attorney General has selected NIST and the Automated Systems Division of the Treasury Department as the government agencies entrusted with safeguarding the keys because they could handle sensitive material in computer form and could respond quickly to requests for the keys.
• Is it correct that other government agencies could also satisfy these criteria?
• Could one or both of the escrow agents be non-government, private sector entities?
Answer 9. Of course, other government agencies could meet the requirements for satisfactory service as key component escrow agents. Some of those agencies, however, might not be perceived as sufficiently independent of law enforcement or national security entities, or may otherwise not be considered as capable as the two selected agencies.
With respect to the second question, it may not be necessary that both escrow agents be government entities. However, should a private entity serve as an escrow agent, there may be additional complexities regarding, among other things, the terms of any contract under which the entity serves; provisions to ensure the continued corporate existence of such an entity; the entity's ability to accord the database the necessary physical security; the entity's ability to staff the system with sufficient numbers of appropriately cleared personnel; and its ability and willingness to respond to key component requests from all authorized law enforcement agencies, State and local as well as Federal.
Question 10. Can the Attorney General change the escrow agents after the initial selection? How can the government be prevented from moving the escrow responsibilities to a more pliable escrow agent, if one of the agents refuses to turn over the keys?
Answer 10. The Attorney General can designate an alternative escrow agent, and, as part of its continuing review of ways to make the system even better, the Administration is considering whether there should be at least one escrow agent not within the Cabinet Departments. Designation of an alternative escrow agent would entail substantial complexities, not to mention considerable costs associated with establishing the necessary capabilities in the new agency. It will not be done lightly, nor could it be done without a good deal of publicity. Replacement of one escrow
agent with another would involve even greater complexities, since it would require the first to convey to the second its entire database to permit continuity in the handling and auditing of the database.
The second question seems to hypothesize an escrow agent's refusal to release a requested key component, followed by a retaliatory transfer of escrow agent responsibilities to an agency deemed less likely to be recalcitrant. The short answer is that such a replacement, while theoretically possible, could abrogate the integrity of the system and would very likely undermine public confidence in it. Moreover, the Clinton Administration would not accept as an escrow agent an entity that would not fully comply with the protections built into the system. Indeed, regardless of the administration in power, the fact that such a change would be logistically very difficult and could only be done in a very public fashion makes it an extremely unlikely scenario.
Question 11. In explaining the procedures the escrow agents must follow to safeguard the keys, the Attorney General stated "the procedures do not create, and are not intended to create any substantive rights for individuals intercepted through electronic surveillance." Does this, in effect, give the escrow agents immunity from liability for mishandling the keys? Does this give the right incentives to the escrow agents about safeguarding the keys? What are the current available remedies for mishandling the keys?
Answer 11. The language to which you refer is part of the final paragraph in each of the three published sets of procedures for release of key components under, respectively, Title III, the Foreign Intelligence Surveillance Act (FISA), and State criminal wiretap statutes.
The language is intended to make clear that the procedures themselves do not create any rights for individuals whose communications have been intercepted and for whose devices key components have been made available to government agencies. On the other hand, neither does the language abolish any rights that may otherwise exist by statute or at common law. It is not intended to be, nor could it serve to immunize the Government or its agents from liability for inappropriate release of escrowed key components if there is some basis in law for imposing liability on such persons.
In this regard, it is important to bear in mind the fundamental interest at issue; namely, the protection of the privacy of communications. Release of key escrow components to permit decryption is an adjunct to the interception of communications and the acquisition of the contents thereof—much like arranging for translation of communications occurring in a foreign language. The privacy interest in the communication continues to be protected by the Fourth Amendment and by the relevant statutes—Title III, FISA, or the individual State statutes. Unauthorized electronic surveillance is a Federal felony offense, regardless of whether the intercepted communications are encrypted.
While key components must only be released to proper recipients and under appropriate conditions, there should be no confusion about the fact that an individual's privacy interest inheres in his or her communications. If key components are released to a government agency entitled to intercept communications encrypted with a chip for which those components form the chip unique key, a departure from some technical aspect of the key release procedures will not—and should not—render either the intercept or the decryption unlawful. If key components are for some reason released to an entity not entitled to receive them, but are not used in conjunction with a communications intercept, the individual will not have suffered an invasion of his or her communications privacy. It is not clear under what, if any, circumstances mere release of one or even both keys might create civil liability, if that release does not facilitate an unlawful electronic surveillance.
Question 12. Should the U.S. government be prepared to make a strong warranty to the American public about the security of the key escrow system? Could this warranty be in the form of stiff penalties for breaches of the escrow procedures and indemnification for those whose chips are compromised due to failures in the security of the escrow system?
Answer 12. The Clinton Administration has already given strong assurances to the American public about the security of the key escrow system and will continue to do so. It is not clear whether public perceptions about key-escrow encryption would be materially affected by either imposition of penalties for breach of escrow procedures or indemnification of persons whose chips have been compromised through escrow system security failures.
It may, however, be useful to make a few points regarding those possible approaches. First, as noted in the answer to the preceding question, the privacy protection attaches to the communication, not merely to the keys needed to decrypt that communication. Federal law already imposes severe penalties (both civil and
criminal) for unlawful interception of communications, and, therefore, no additional penalties are needed in that regard.
Second, some persons speak of a variety of circumstances as constituting a "compromise" of a key escrow encryption chip. It is not clear that mere release of key components for a particular chip to persons not authorized to intercept communications encrypted with that chip necessarily means that the chip has been compromised. The key components alone do not permit decryption of communications encrypted with the particular chip; that process requires, as well, access to a decryption capability. Moreover, decryption of communications requires access to the communications themselves, the privacy of which is subject to the protections of the Fourth Amendment and relevant statutes.
Question 13. Should there be civil or even criminal liability for wrongfully disclosing any of the component keys to the key escrow chips? If not, why not?
Answer 13. As noted in the answers to the two preceding questions, the rigorous statutory protections against unauthorized electronic surveillance and against unauthorized disclosure of electronic surveillance already provide both civil and criminal penalties for the unlawful interception of communications and the unauthorized disclosure of the contents of lawfully intercepted communications. (See 18 U.S.C. §§2511, 2517, and 2520.) Release of escrowed key components would, at most, facilitate understanding of the contents of intercepted communications. An individual's willful or reckless release of key components in a manner not consistent with the operative procedures would likely be subject to administrative action. Separate criminal or civil penalties do not appear to be needed.
Question 14. The Department of Justice testified at the May 3, 1994 hearing that no new legislation was needed to implement the key escrow encryption program.
• Should the Justice Department be required by law to report to Congress on those wiretaps in which key-escrow encryption was encountered and for which key components were released to a government agency?
• Should the Justice Department's new responsibilities for ensuring compliance with the key escrow procedures by State and local law enforcement authorities be codified in law?
• Should the Justice Department be required by law to give Congress a complete accounting of the number, use and location of the decrypt devices?
• Should procedures for changing an escrow agent be codified in law?
Answer 14. The Department of Justice does not see a need for legislation to deal with any of these matters. For example, the Department already expects that Congress will be made aware of wiretaps in which key-escrow encryption was encountered and for which key components were released. The Department expects to provide such information to the Administrative Office of the United States Courts for inclusion in the Office's annual report to the Congress on electronic surveillance under Title III and State statutes. With respect to electronic surveillance under FISA, the Department will provide such information as part of its FISA report to the intelligence oversight committees.
The Department does not anticipate difficulty with assuring State and local compliance with key component release procedures, particularly when the decryption capability rests exclusively in the hands of the Federal Government. With regard to the possible accounting for decrypt processors and their use and location, the Department does not object to providing such information to the Congress on a periodic basis. Finally, with regard to the selection of escrow agents, the Department believes that legislation to govern the process by which the Executive Branch might select an alternative escrow agent could hamper its ability to improve the system. Any selection of alternative escrow agents would, like the selection of the current agents, be preceded by appropriate consultation with the Congress.
Question 15. How will State and local law enforcement agencies access the key escrow system? Will every local Sheriff or police department that wants a decrypt device or the Chip Family Key get one?
Answer 15. The procedures for releasing key components for use in conjunction with wiretaps under State statutes are much the same as those for release of key components in conjunction with wiretaps under Title III or FISA. An important difference, however, is that requests for key components from State and local authorities cannot be submitted by law enforcement agencies; rather, they are to be submitted by the principal prosecuting attorney of the particular State or political subdivision. This not only significantly reduces the total number of entities that might make requests, but ensures that requests are made by high-level, usually elected officials, of the various jurisdictions.
As noted in the answer to an earlier question, the Administration recognizes that access to decrypt processors must remain carefully controlled. Among other things, key components will be released for use within a particular decrypt processor and will only be able to be decrypted and combined within that unit. Accordingly, careful control of the decrypt processors will contribute significantly to assurances of the integrity of the system.
Law enforcement agencies will not have access to the family key other than as programmed into the decrypt processor.
Question 16. Every Clipper Chip has the same Family Key programmed into it. When a wiretap intercepts conversations encrypted with Clipper Chip, law enforcement uses this Family Key to decode the intercepted serial number, or unique identifier, which the targeted chip sends out at the beginning of every conversation. With the serial number, the law enforcement agency can get the government's duplicate set of decoding keys from the escrow agents.
• Who has access to the Chip Family Key? Are they going to be distributed to all law enforcement agencies so they can quickly decipher serial numbers of chips that may become the target of a wiretap order?
• Will the Chip Family Key to all Clipper Chips be protected in any way and, if so, how?
• The Chip Family Key is built into the Chip when it is programmed and cannot be changed. In the event that someone got unauthorized access to the Chip Family Key, what could that person do with it?
Answer 16. With respect to the first question, access to the family key is very closely held. The family key is the combination of two binary numbers that are independently and randomly generated and held, respectively, by the Department of Justice and the FBI. The combined family key is held under tightly controlled conditions in a dual-control safe at the programming facility for use in the programming process. When needed for a programming run, the family key is extracted from storage by specially designated employees of the programming facility, in the presence of representatives of the escrow agents, and entered into the programmer. At the end of a programming run, the programmer is again cleared of the family key. In addition, the family key is programmed into decryption equipment so that such equipment can discern the particular chip ID number when necessary.
With respect to the question regarding availability of the family key to law enforcement agencies, the foregoing explanation indicates the extraordinary limitations on access to the family key. Law enforcement agencies desirous of learning whether a particular communication is encrypted with key-escrow encryption and, if so, learning the particular chip ID number will have access to the family key only as programmed into the decrypt processor. This may require a particular law enforcement agency not possessing such a processor to provide to an agency that does hold one the communications suspected of being encrypted, so that the initial determination can be made. It should be emphasized, however, that a law enforcement agency's determination of whether communications are being encrypted, and of the ID number of the chip performing the encryption, would occur in conjunction with the conduct of a lawfully authorized wiretap—not, as the question may imply, as part of activities preceding such authorization.
Notwithstanding the protections afforded the family key, access to that key is of only minimal value to a law enforcement agency. Apart from its ability to provide the law enforcement agency the ID number of a particular encryption chip, the family key, whether or not in the decrypt processor, is of no discernible value. The family key provides no access to the user's encrypted communications, nor does it make it any more possible for the law enforcement agency to conduct electronic surveillance of either encrypted or unencrypted communications.
Question 17. The Justice Department has assumed responsibility to "take steps to monitor compliance with the procedures." What steps will the Justice Department take to monitor compliance by state and local law enforcement authorities, who conduct the majority of wiretaps, to ensure that (a) the decrypt devices are adequately safeguarded and are deactivated when the authorization period ends; (b) the Chip Family Key is adequately safeguarded and (c) communications to the escrow agents are authentic?
Answer 17. The question correctly notes that the majority of criminal wiretaps are conducted by State and local law enforcement. If key-escrow encryption becomes widely used, one can infer that a significant proportion of the key component releases will be associated with wiretaps conducted under State statutes. It is, of course, of fundamental importance that escrowed keys are no more susceptible to improper use by State or local authorities than by Federal agencies.
(a) As noted earlier, the Department of Justice expects that, for some time, decrypt processors will be few in number and centrally maintained and controlled. In that event, it will be relatively easy to be assured that a decrypt processor is not diverted to an unauthorized person and that the decryption capability is terminated at the end of the authorized period of electronic surveillance. At a later time, should a State or local law enforcement agency be able to acquire and hold its own decrypt processor, we expect that the decrypt processor version will be one that will, among other things, (a) produce an electronic receipt for the key components transmitted to it, (b) have the capability of decrypting and combining only key components destined for that specific decrypt processor, and (c) automatically terminate its ability to decrypt the particular encryption chip. These technical characteristics, coupled with the continuing requirement that the key component request must come from the principal prosecuting attorney of a State or political subdivision, will offer great assurance against diversion of decrypt processors and unauthorized retention of decryption capabilities.
(b) With respect to the family key, the short answer is that the family key will not be available to State or local authorities, save within decrypt processors. Apart from its ability to provide the law enforcement agency the ID number of a particular encryption chip, the family key, whether or not in the decrypt processor, is of no discernible value to that agency. The family key provides no access to the user's encrypted communications.
(c) Requests from State or local authorities for release of key components are to come, not from law enforcement agencies, but from the principal prosecuting attorneys of the States or political subdivisions involved. The authenticity of such submissions can be confirmed by contact with the principal prosecuting attorney involved, which is expected to be a rather easy matter.
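Answers 5, 7 and 17(a) together describe three technical safeguards of the decrypt processor: components arrive encrypted and are combined only inside the unit, the unit produces a receipt and accepts only components addressed to it, and its decryption capability terminates automatically when the authorized period ends. The following is an added model of those three safeguards; it is not from the hearing record and not the system's own code. The names (DecryptProcessor, wrap_component, AGENTS), the HMAC-based wrapping with a per-unit symmetric key, and the keystream stand-in for the chip's traffic cipher are all assumptions for illustration; the real unit used the classified Skipjack algorithm, which is not reproduced here.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

AGENTS = ("NIST", "Treasury")   # the two escrow agents named in the record
TAG_LEN = 16


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a small keystream generator (illustration only).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _label(processor_id: str, chip_id: str, agent: str) -> bytes:
    return f"{processor_id}|{chip_id}|{agent}".encode()


def _tag(key: bytes, label: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"tag|" + label + ct, hashlib.sha256).digest()[:TAG_LEN]


def wrap_component(processor_key: bytes, processor_id: str, chip_id: str,
                   agent: str, component: bytes) -> bytes:
    """Escrow-agent side: encrypt one component for a named unit and bind it to
    that unit, chip and agent with a tag (assumed symmetric per-unit key)."""
    label = _label(processor_id, chip_id, agent)
    ct = _xor(component, _keystream(processor_key, label, len(component)))
    return ct + _tag(processor_key, label, ct)


def toy_traffic_cipher(unique_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the chip's traffic encryption (NOT Skipjack); XOR keystream,
    so the same call both encrypts and decrypts."""
    return _xor(data, _keystream(unique_key, b"traffic|" + nonce, len(data)))


class DecryptProcessor:
    def __init__(self, processor_id: str, processor_key: bytes, clock):
        self.processor_id = processor_id
        self._key = processor_key   # never leaves the unit
        self._clock = clock         # callable returning the current UTC time
        self._held = {}             # chip_id -> (unique_key, expires_at)
        self.audit = []             # auditable record of receipts and terminations

    def load_components(self, chip_id: str, wrapped: dict, expires_at: datetime) -> str:
        """Unwrap both components, refuse any not addressed to this unit, combine
        them in memory only, and return an electronic receipt."""
        if set(wrapped) != set(AGENTS):
            raise ValueError("a component from each escrow agent is required")
        parts = []
        for agent in AGENTS:
            ct, tag = wrapped[agent][:-TAG_LEN], wrapped[agent][-TAG_LEN:]
            label = _label(self.processor_id, chip_id, agent)
            if not hmac.compare_digest(tag, _tag(self._key, label, ct)):
                raise ValueError(f"{agent} component is not addressed to {self.processor_id}")
            parts.append(_xor(ct, _keystream(self._key, label, len(ct))))
        self._held[chip_id] = (_xor(parts[0], parts[1]), expires_at)  # XOR recombination assumed
        receipt = hashlib.sha256(b"".join(wrapped[a] for a in AGENTS)).hexdigest()
        self.audit.append(("received", chip_id, receipt, expires_at.isoformat()))
        return receipt

    def terminate_expired(self) -> list:
        """Automatic termination at the end of the authorized period."""
        now = self._clock()
        ended = [c for c, (_, exp) in self._held.items() if now >= exp]
        for chip_id in ended:
            del self._held[chip_id]
            self.audit.append(("terminated", chip_id, now.isoformat()))
        return ended

    def decrypt(self, chip_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
        self.terminate_expired()
        if chip_id not in self._held:
            raise PermissionError(f"no current decryption capability for {chip_id}")
        return toy_traffic_cipher(self._held[chip_id][0], nonce, ciphertext)


def demo() -> dict:
    """Constructed walk-through: load, decrypt, expire, and refuse misaddressed input."""
    now = [datetime(1994, 5, 3, 12, 0, tzinfo=timezone.utc)]   # constructed clock
    unit_key = hashlib.sha256(b"DP-01 unit key (constructed)").digest()
    proc = DecryptProcessor("DP-01", unit_key, lambda: now[0])
    unique_key = bytes.fromhex("00112233445566778899")   # constructed 80-bit chip key
    c1 = bytes.fromhex("0f1e2d3c4b5a69788796")           # constructed NIST component
    c2 = _xor(unique_key, c1)                             # matching Treasury component
    expires = now[0] + timedelta(days=30)
    wrapped = {a: wrap_component(unit_key, "DP-01", "chip-0001", a, c)
               for a, c in (("NIST", c1), ("Treasury", c2))}
    receipt = proc.load_components("chip-0001", wrapped, expires)
    nonce = b"\x00" * 8
    ct = toy_traffic_cipher(unique_key, nonce, b"constructed intercept")
    plaintext = proc.decrypt("chip-0001", nonce, ct)
    now[0] = expires + timedelta(seconds=1)               # authorization period ends
    try:
        proc.decrypt("chip-0001", nonce, ct)
        refused_after_expiry = False
    except PermissionError:
        refused_after_expiry = True
    other_key = hashlib.sha256(b"DP-02 unit key (constructed)").digest()
    misaddressed = {a: wrap_component(other_key, "DP-02", "chip-0001", a, c)
                    for a, c in (("NIST", c1), ("Treasury", c2))}
    try:
        proc.load_components("chip-0001", misaddressed, expires)
        misaddressed_rejected = False
    except ValueError:
        misaddressed_rejected = True
    return {"receipt": receipt, "plaintext": plaintext,
            "refused_after_expiry": refused_after_expiry,
            "misaddressed_rejected": misaddressed_rejected,
            "audit_events": [e[0] for e in proc.audit]}
```

The tag check is what implements 17(a)(b): without it, components wrapped for another unit would simply unwrap to garbage and the failure would surface only as undecryptable traffic; with it, the unit refuses them and the refusal is visible. The audit list models the receipt-and-termination trail Answer 3 says inspectors will compare against release requests.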
Question 18. American firms are allowed to export Clipper Chip devices to non-U.S. customers. What procedures are contemplated or in place to deal with requests by foreign law enforcement authorities for access to the keys to any Clipper Chip device being used abroad?
Answer 18. The Administration is according this issue careful consideration at this time. The Department of Justice believes that a number of important considerations would apply to any decision on whether to comply with a foreign country's request for assistance in decryption of key-escrow encrypted communications. For example, it will be important to know whether American citizens are targets of the electronic surveillance, and it will likely be important to know the reason for the electronic surveillance and the circumstances under which it was authorized, as well as whether the United States also has an interest in the electronic surveillance. It should also be noted that we may be able to assist the foreign country without providing it either decryption equipment or the key components for the particular encryption chip—by, for instance, decrypting the communications in this country and merely providing the decrypted text to the requester.
Answers to Questions From Senator Pressler to Assistant Attorney General Jo Ann Harris
Question 1. Why do you believe that private manufacturers and users will purchase equipment which contains the Skipjack algorithm if that means the government can decode any encrypted messages, once it obtains the proper court approval?
Answer 1. Your question rightly notes that key-escrow encryption chips use the Skipjack algorithm, an algorithm substantially stronger than others now in common use; it is, for example, 16 million times stronger than the Data Encryption Standard (DES). The strength of the Skipjack algorithm makes key-escrow encryption chips attractive for use by the Federal Government in protecting sensitive unclassified information.
Likewise, we believe that it will make such chips attractive to the private sector, and for much the same reason; namely, that it is a remarkably strong protection against intrusion by eavesdroppers or even persons or entities engaged in corporate espionage. Most of us recognize that we will never be the targets of wiretaps and we do not fear that prospect. We do, however, worry about illicit interception of our communications, and strong encryption is excellent insurance against such activities.
In addition, we believe that many businesses will come to recognize the value of strong encryption that protects their proprietary information from unauthorized access, but does not permit their employees to engage with impunity in criminal ac-
134
tivities inimical to the firms' interest and law enforcement woxild be rendered help- less to investigate.
Question 2. What types of incentives does the Administration plan to use to en- courage the use of the Clipper Chip? What are the future steps of implementation which the Administration proposes to take?
Answer 2. Various Executive Branch agencies are considering whether, and for what pxirposes, they may adopt key-escrow encrjrption and make it possible for per- sons outside the government to use key-escrow encrjrption for conducting secure communications with them. The Administration is also consulting with tele- communications equipment manufacturers regarding possible incorporation of key- escrow encryption in their products. In addition, the easy exportability of products equipped with key-escrow encryption should prove to be very attractive both to U.S. manufacturers of such equipment and to their customers.
Question 3. I understand the Administration is considering replacing one of the two escrow agents with a more neutral third-party, such as an entity in the Judicial branch or in the private sector. Which entities are being considered? What criteria must any prospective escrow agent have?
Answer 3. The Administration continues to look for ways to improve the kev-es- crow system. The system may be perceived to improve by the designation of at least one alternative escrow agent. Accordingly, the Administration is considering wheth- er such an alternative shovild be designated and, if so, what must be done to effect such a designation. For example, an entity that is not part of a Cabinet Department may require legislative authority to serve as an escrow agent.
In selecting escrow agents, we looked for a number of important qualifications. Among other things, the candidates needed to:
• Be experienced in handling sensitive materisils;
• Be familiar with communications and computer issues;
• Be able to respond qmckly, and around the clock, when government agencies need to have encryption keys issued to them; and
• Be generally regarded by the public as both reliable and effective.
Answer to a Question From Senator Murray to Assistant Attorney General Jo Ann Harris
Question 1. In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers' Association says there are at least 120 DES or comparable programs worldwide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad.
With at least 20 million people hooked up to the Internet, how do U.S. export controls actually prevent criminals, terrorists or whoever from obtaining DES encrypted software?
Answer 1. On the matter of export controls on encrypted software, the Department of Justice defers to the National Security Agency, which, we understand, has been asked the same question.
Appendix
KEY COMPONENT RELEASE PROCEDURES
Authorization procedures for release of encryption key components in conjunction with intercepts pursuant to Title III
The following are the procedures for the release of escrowed key components in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures cover all electronic surveillance conducted pursuant to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Title III), Title 18, United States Code, Section 2510 et seq.
(1) In each case there shall be a legal authorization for the interception of wire and/or electronic communications.
(2) All electronic surveillance court orders under Title III shall contain provisions authorizing after-the-fact minimization, pursuant to 18 U.S.C. 2518(5), permitting the interception and retention of coded communications, including encrypted communications.
(3) In the event that federal law enforcement agents discover during the course of any lawfully authorized interception that communications encrypted with a key-escrow encryption method are being utilized, they may obtain a certification from the investigative agency conducting the investigation, or the Attorney General of the United States or designee thereof. Such certification shall:
(a) identify the law enforcement agency or other authority conducting the interception and the person providing the certification;
(b) certify that necessary legal authorization has been obtained to conduct electronic surveillance regarding these communications;
(c) specify the termination date of the period for which interception has been authorized;
(d) identify by docket number or other suitable method of specification the source of the authorization;
(e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method;
(f) specify the identifier (ID) number of the key-escrow encryption chip providing such encryption; and
(g) specify the serial (ID) number of the key-escrow decryption device that will be used by the law enforcement agency or other authority for decryption of the intercepted communications.
(4) The agency conducting the interception shall submit this certification to each of the designated key component escrow agents. If the certification has been provided by an investigative agency, as soon thereafter as practicable, an attorney associated with the United States Attorney's Office supervising the investigation shall provide each of the key component escrow agents with written confirmation of the certification.
(5) Upon receiving the certification from the requesting investigative agency, each key component escrow agent shall release the necessary key component to the requesting agency. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested.
(6) Each of the key component escrow agents shall retain a copy of the certification of the requesting agency, as well as the subsequent confirmation of the United States Attorney's Office. In addition, the requesting agency shall retain a copy of the certification and provide copies to the following for retention in accordance with normal recordkeeping requirements:
(a) the United States Attorney's Office supervising the investigation, and
(b) the Department of Justice, Office of Enforcement Operations.
(7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications shall terminate, and the requesting agency may not retain the key components.
(8) The Department of Justice shall, in each such case,
(a) ascertain the existence of authorizations for electronic surveillance in cases for which escrowed key components have been released;
(b) ascertain that key components for a particular key-escrow encryption chip are being used only by an investigative agency authorized to conduct electronic surveillance of communications encrypted with that chip; and
(c) ascertain that, no later than the completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications is terminated.
(9) In reporting to the Administrative Office of the United States Courts pursuant to 18 U.S.C. Section 2519(2), the Assistant Attorney General for the Criminal Division shall, with respect to any order for authorized electronic surveillance for which escrowed encryption components were released and used for decryption, specifically note that fact.
These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired.
Authorization procedures for release of encryption key components in conjunction with intercepts pursuant to state statutes
Key component escrow agents may only release escrowed key components to law enforcement or prosecutorial authorities for use in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures apply to the release of key components to State and local law enforcement or prosecutorial authorities for use in conjunction with interceptions conducted pursuant to relevant State statutes authorizing electronic surveillance, and Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended, Title 18, United States Code, Section 2510 et seq.
(1) The State or local law enforcement or prosecutorial authority must be conducting an interception of wire and/or electronic communications pursuant to lawful authorization.
(2) Requests for release of escrowed key components must be submitted to the key component escrow agents by the principal prosecuting attorney of the State, or of a political subdivision thereof, responsible for the lawfully authorized electronic surveillance.
(3) The principal prosecuting attorney of such State or political subdivision of such State shall submit with the request for escrowed key components a certification that shall:
(a) identify the law enforcement agency or other authority conducting the interception and the prosecuting attorney responsible therefor;
(b) certify that necessary legal authorization for interception has been obtained to conduct electronic surveillance regarding these communications;
(c) specify the termination date of the period for which interception has been authorized;
(d) identify by docket number or other suitable method of specification the source of the authorization;
(e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method;
(f) specify the identifier (ID) number of the key-escrow chip providing such encryption; and
(g) specify the serial (ID) number of the key-escrow decryption device that will be used by the law enforcement agency or other authority for decryption of the intercepted communications.
(4) Such certification must be submitted by the principal prosecuting attorney of that State or political subdivision to each of the designated key component escrow agents.
(5) Upon receiving the certification from the principal prosecuting attorney of the State or political subdivision, each key component escrow agent shall release the necessary key component to the intercepting State or local law enforcement agency or other authority. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested.
(6) Each of the key component escrow agents shall retain a copy of the certification of the principal prosecuting attorney of the State or political subdivision. In addition, such prosecuting attorney shall provide a copy of the certification to the Department of Justice, for retention in accordance with normal recordkeeping requirements.
(7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the intercepting law enforcement agency or other authority to decrypt intercepted communications shall terminate, and the intercepting law enforcement agency or other authority may not retain the key components.
(8) The Department of Justice may, in each such case, make inquiry to:
(a) ascertain the existence of authorizations for electronic surveillance in cases for which escrowed key components have been released;
(b) ascertain that key components for a particular key-escrow encryption chip are being used only by an investigative agency authorized to conduct electronic surveillance of communications encrypted with that chip; and
(c) ascertain that, no later than the completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications is terminated.
(9) In reporting to the Administrative Office of the United States Courts pursuant to 18 U.S.C. Section 2519(2), the principal prosecuting attorney of a State or of a political subdivision of a State may, with respect to any order for authorized electronic surveillance for which escrowed encryption components were released and used for decryption, desire to note that fact.
These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired.
Authorization procedures for release of encryption key components in conjunction with intercepts pursuant to FISA
The following are the procedures for the release of escrowed key components in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures cover all electronic surveillance conducted pursuant to the Foreign Intelligence Surveillance Act (FISA), Pub. L. 95-511, which appears at Title 50, U.S. Code, Section 1801 et seq.
(1) In each case there shall be a legal authorization for the interception of wire and/or electronic communications.
(2) In the event that federal authorities discover during the course of any lawfully authorized interception that communications encrypted with a key-escrow encryption method are being utilized, they may obtain a certification from an agency authorized to participate in the conduct of the interception, or from the Attorney General of the United States or designee thereof. Such certification shall:
(a) identify the agency participating in the conduct of the interception and the person providing the certification;
(b) certify that necessary legal authorization has been obtained to conduct electronic surveillance regarding these communications;
(c) specify the termination date of the period for which interception has been authorized;
(d) identify by docket number or other suitable method of specification the source of the authorization;
(e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method;
(f) specify the identifier (ID) number of the key-escrow encryption chip providing such encryption; and
(g) specify the serial (ID) number of the key-escrow decryption device that will be used by the agency participating in the conduct of the interception for decryption of the intercepted communications.
(4) This certification shall be submitted to each of the designated key component escrow agents. If the certification has been provided by an agency authorized to participate in the conduct of the interception, a copy shall be provided to the Department of Justice, Office of Intelligence Policy and Review. As soon as possible, an attorney associated with that office shall provide each of the key component escrow agents with written confirmation of the certification.
(5) Upon receiving the certification, each key component escrow agent shall release the necessary key component to the agency participating in the conduct of the interception. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested.
(6) Each of the key component escrow agents shall retain a copy of the certification, as well as the subsequent written confirmation of the Department of Justice, Office of Intelligence Policy and Review.
(7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the agency participating in the conduct of the interception to decrypt intercepted communications shall terminate, and such agency may not retain the key components.
(8) The Department of Justice shall, in each such case,
(a) ascertain the existence of authorizations for electronic surveillance in cases for which escrowed key components have been released;
(b) ascertain that key components for a particular key-escrow encryption chip are being used only by an agency authorized to participate in the conduct of the interception of communications encrypted with that chip; and
(c) ascertain that, no later than the completion of the electronic surveillance phase of the investigation, the ability of the agency participating in the conduct of the interception to decrypt intercepted communications is terminated.
(9) Reports to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence, pursuant to Section 108 of FISA, shall, with respect to any order for authorized electronic surveillance for which escrowed encryption components were released and used for decryption, specifically note that fact.
These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired.
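The three procedure sets above share the same certification items and the same release lifecycle. The following is an added example, not any agency's code, modelling an escrow agent's checks on a certification, the release and retention steps, termination, and the step (8)(c) check; class names, field names and all sample values are constructed.

```python
"""Model of the escrow agent's side of the release procedures: certification
items (a) through (g), release in step (5), retention in step (6), termination
in step (7) and the step (8)(c) check. Added example; class and field names
and all sample values are constructed, not taken from any agency's system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Certification:
    """One certification, items (a) through (g) of the procedures."""
    agency: str                 # (a) agency conducting the interception
    certifier: str              # (a) person providing the certification
    authorized: bool            # (b) legal authorization has been obtained
    termination_date: date      # (c) end of the authorized interception period
    docket: str                 # (d) source of the authorization
    key_escrow_in_use: bool     # (e) communications use key-escrow encryption
    chip_id: int                # (f) identifier of the key-escrow chip
    decryptor_serial: str       # (g) serial of the decryption device


@dataclass
class ReleaseRecord:            # retained copy of a certification (step 6)
    cert: Certification
    released_on: date
    terminated_on: Optional[date] = None


class EscrowAgent:
    """One of the escrow agents: holds one component per chip ID and never
    sees the other agent's component."""

    def __init__(self, name: str, components: Dict[int, bytes]):
        self.name = name
        self._components = dict(components)
        self.records: List[ReleaseRecord] = []

    def problems(self, cert: Certification, today: date) -> List[str]:
        """Reasons a certification must be refused; empty means acceptable."""
        found = []
        if not (cert.agency and cert.certifier):
            found.append("(a) agency or certifier not identified")
        if not cert.authorized:
            found.append("(b) legal authorization not certified")
        if cert.termination_date < today:
            found.append("(c) authorization period has already ended")
        if not cert.docket:
            found.append("(d) source of authorization not identified")
        if not cert.key_escrow_in_use:
            found.append("(e) key-escrow encryption not certified")
        if cert.chip_id not in self._components:
            found.append("(f) no component held for chip %d" % cert.chip_id)
        if not cert.decryptor_serial:
            found.append("(g) decryption device not identified")
        return found

    def release(self, cert: Certification, today: date) -> Optional[bytes]:
        """Step (5): release this agent's component only for an acceptable
        certification, keeping a copy of it as step (6) requires. How the
        component is delivered so it cannot be misused is outside this model."""
        if self.problems(cert, today):
            return None
        self.records.append(ReleaseRecord(cert, today))
        return self._components[cert.chip_id]

    def terminate(self, chip_id: int, decryptor_serial: str, today: date) -> int:
        """Step (7): close open records for this chip and device; returns how many."""
        closed = 0
        for rec in self.records:
            if (rec.terminated_on is None and rec.cert.chip_id == chip_id
                    and rec.cert.decryptor_serial == decryptor_serial):
                rec.terminated_on = today
                closed += 1
        return closed

    def overdue(self, today: date) -> List[ReleaseRecord]:
        """Step (8)(c) check: authorization period passed, no termination recorded."""
        return [rec for rec in self.records
                if rec.terminated_on is None and rec.cert.termination_date < today]


def scenario() -> dict:
    """Walk one constructed request through both agents and the later audit."""
    cert = Certification("Sample Field Office", "S. Certifier", True,
                         date(1994, 6, 30), "94-CR-0001", True, 4242, "DEV-0007")
    agent_a = EscrowAgent("Agent A", {4242: bytes.fromhex("0102030405060708090a")})
    agent_b = EscrowAgent("Agent B", {4242: bytes.fromhex("a9a8a7a6a5a4a3a2a1a0")})
    comp_a = agent_a.release(cert, date(1994, 5, 3))
    comp_b = agent_b.release(cert, date(1994, 5, 3))
    overdue_before = len(agent_a.overdue(date(1994, 7, 1)))  # period ended, still open
    agent_a.terminate(4242, "DEV-0007", date(1994, 6, 15))
    overdue_after = len(agent_a.overdue(date(1994, 7, 1)))
    return {"both_released": comp_a is not None and comp_b is not None,
            "overdue_before_termination": overdue_before,
            "overdue_after_termination": overdue_after}
```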
Answers to Questions From the Senate Subcommittee on Technology and Law to NIST
Question 1. How long has the key escrow encryption standard been in development? Which agency originated these concepts?
Answer 1. The concept of key escrow has been in development, as a solution to meeting the needs for information protection while not harming the government's ability to conduct lawful electronic surveillance, for about five years. The final development and approval process of the Escrowed Encryption Standard (Federal Information Processing Standard 185) began following the President's decision announced on April 16, 1993. The concepts were developed at the National Security Agency, in response to requirements of law enforcement agencies and following discussions with NIST.
Question 2. Before NIST recommended the key escrow encryption method for nonclassified information, did it consider commercially-available encryption methods? If so, why were they rejected?
Answer 2. The voluntary key escrow encryption chip was developed specifically because no other products, commercial or otherwise, met the needs of the government for protecting its sensitive information in voice grade telephone communications while at the same time protecting its lawful electronic surveillance capabilities.
Question 3. The Administration recently established an interagency Working Group on Encryption and Telecommunications "to develop new encryption technologies" and "to review and refine Administration policies regarding encryption." Is this Group reviewing the Clipper Chip program?
Answer 3. This group is monitoring on-going development of the voluntary key escrow encryption initiative (e.g., alternative methods, better implementations, etc.). It is not reviewing the President's decision to commit the government to promote voluntary key escrow encryption for voice grade telephone communications.
Question 3.1. Has this Working Group yet recommended any changes to the Clipper Chip program? If so, what are those recommendations?
Answer 3.1. The Working group continues to pursue voluntary key escrow encryption technologies — and stands ready to work with interested industry firms to do so. It has not recommended any specific changes to the current program.
Question 3.2. What refinements to the Clipper Chip program is this Group considering?
Answer 3.2. It is examining organizations outside the Cabinet Departments to serve as alternative escrow agents. It is also examining issues involving international law enforcement cooperation on voluntary key escrow encryption matters.
Question 3.3. When will this Working Group complete its review of the Clipper Chip program?
Answer 3.3. While there is no re-examination of the Administration's commitment to the key escrow encryption initiative, the review of its implementation will likely continue for some time. This reflects the need to monitor both the voluntary key escrow encryption program and other encryption developments.
Question 4. NIST is supposed to be leading efforts to work with industry to improve on the key escrow chips, to develop a key-escrow software and to examine alternatives to Clipper Chip. Could you describe NIST's progress on each of these three tasks? Specifically, what are the improvements and alternatives to Clipper Chip that NIST is considering?
Answer 4. The key escrow encryption software working group, which includes several industry representatives, has met several times to:
1) Specify and structure the problems to be solved;
2) Study the overall system integrity requirements for an acceptable solution;
3) Develop and list criteria for evaluating alternative proposed solutions; and
4) Begin defining software-based alternatives to the voluntary Clipper Chip key escrow system.
This research work can reasonably be expected to last at least two-three years.
Regarding hardware improvements, no working group has yet been formed, but the Administration has repeatedly expressed its willingness to work with interested industry participants to develop improvements and alternatives.
Question 5. The Defense Authorization Bill for Fiscal Year 1994 has authorized $800,000 to be spent by the National Research Council of the National Academy of Sciences to conduct a two-year study of federal encryption policy. Do you think this study is necessary?
Answer 5. While we believe that the Administration's review of these issues was thorough, this study may identify new approaches for privacy while preserving lawful electronic surveillance capabilities which would be useful. The NRC's report will receive careful study.
Question 5.1. Why is the Administration not waiting to implement its key escrow encryption program until the National Research Council's study is completed?
Answer 5.1. The Administration's key escrow encryption initiative was announced on April 16, 1993, over seven months before the enactment of the National Defense Authorization Act for FY-94, which authorized the NRC study. The NRC study, which will consider issues substantially broader than those involved in key escrow encryption, will not be completed for at least two more years. The Administration's voluntary key escrow encryption initiative seeks to ensure that in setting new federal standards, lawful electronic surveillance capabilities are not undermined. Delaying our standards would harm federal agencies' capabilities to protect their information. Setting good encryption standards without key escrowing would harm lawful surveillance capabilities.
Question 5.2. Should this study be expedited?
Answer 5.2. NIST is not participating directly in the study, which is not yet underway. We do not know whether the study could be expedited without diminishing its thoroughness and accuracy.
Question 6. The Government wants the key escrow encryption standard to become the de facto industry standard in the United States, but has assured industry that use of the key escrow chips is voluntary. Would the Government abandon the Clipper Chip program if it is shown to be unsuccessful beyond Government use?
Answer 6. The key escrow encryption initiative successfully provides for excellent protection of federal information (and that of other users), without undermining the ability of law enforcement to conduct lawful electronic surveillance. Since it meets these goals successfully, the Escrowed Encryption Standard will continue to be a highly satisfactory method of protecting sensitive federal information and, therefore, should remain in effect regardless of its level of adoption within the private sector.
Question 7. If a user first encrypts a message with software using DES, and then transmits the message "double encrypted" with a key escrow chip, can you tell from looking at the cipher, or encrypted text, that the underlying message was encrypted?
Answer 7. No. The only way to tell that a message has been "double encrypted" in this way would be to decrypt the "outer layer" of encryption (i.e., that done with Clipper). Only then would one be able to tell that the message had first been encrypted with something else.
Question 8. Capstone is the Skipjack implementation for use with data transmitted electronically. Has the Capstone chip been incorporated in any product currently being marketed? When will the Capstone chip be released?
Answer 8. Capstone chips are just now becoming available. The Capstone chip is being incorporated into a personal computer memory card ("PCMCIA card") for use in providing security for sensitive government information in the Defense Message System. This is the only product actually in production using Capstone. The Capstone chip technically can be used for many security applications, not just computer data.
Question 9. As computer and telecommunications technology advances, we are able to send more information at higher speeds. The speed and reliability of our telecommunications infrastructure gives American businesses the necessary edge in our global marketplace. The specifications for Clipper Chip indicate that it is designed to work on phone systems that transmit information no faster than 14,400 bits per second or on basic-rate ISDN lines, which transmit information at about 64,000 bits per second. Do the Clipper and Capstone Chips work fast enough for advanced telecommunications systems? Will Clipper Chip be able to keep up with the increasing speeds of telecommunications networks? Can the Skipjack algorithm be "scaled" to work at higher speeds? (See combined answer to questions 9 and 10 below.)
Question 10. Other commercially available encryption methods, like the Data Encryption Standard, have encryption rates much higher than Clipper Chip. Current high speed DES processors have encryption rates of approximately 200 million bits per second, which dwarfs the Clipper Chip's maximum throughput of 15 million bits per second. How will the Clipper Chip technology be able to compete with other encryption methods that can keep up with the higher speeds of emerging technologies?
Combined answer to Questions 9 and 10. The Clipper Chip as a hardware device was specially designed for end-to-end encryption of low-speed applications such as digitized voice. It is more than fast enough for this purpose, even if encrypted traffic is carried on the most advanced, high-speed telecommunications backbones. Capstone also was designed for end-to-end encryption of user data. Neither Clipper nor Capstone was designed to perform bulk encryption of high-speed telecommuni-
The Skipjack algorithm, like the DES algorithm, is suitable for use at much higher speeds than implemented in Clipper and Capstone, and Skipjack-based hardware can be designed for higher-speed link-encryption applications as the need arises. As the speeds of the newest telecommunications technologies continue to grow, new key escrow devices will be developed as needed. Key escrow encryption technology will be able to compete with most other encryption methods for very high-speed applications.
Question 11. The Administration has assured industry that the key escrow technology will be enhanced to keep pace with future data requirements. What is the Administration doing to develop key escrow technology that can work with emerging high-speed communications technologies?
Answer 11. The Administration is working to identify needs for higher-speed applications of key escrow technology and will work to develop key escrow encryption devices to meet those needs. The technology for escrowing keys is readily adaptable to emerging high-speed applications.
Question 12. Openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. Given the restrictions on who can build key escrow encryption chips, how will these chips keep up with advances in semiconductor speed, power, capacity and integration?
Answer 12. Despite the requirements that a firm must meet to produce key escrow encryption chips, we expect that there will be a number of manufacturers competing against each other to produce the best product, and that such competition will drive them to keep up with the latest technological advances. It is worth noting that only a few companies can produce the sophisticated microprocessors you reference, yet the competition in that market has driven them to achieve remarkable advances in that technology.
Question 13. NIST estimates the cost of establishing the key escrow facilities to be $14 million and the cost of operating the key escrow facilities will be about $16 million annually. What is your statutory authority for these expenditures?
Answer 13. Under the Computer Security Act of 1987, NIST is responsible not only for developing Federal Information Processing Standards for the protection of sensitive federal government information, but also for providing assistance in using the Standards and applying the results of program activities under the Act.
Most directly applicable are sections 278g-3(b) (1) and (3) of title 15 of the U.S. Code. Subsection (3) authorizes NIST to provide technical assistance in implementing the Act to operators of federal systems. Subsection (1) authorizes NIST to assist the private sector in "using and applying" the results of NIST's programs under the Act, thus showing that the scope of the assistance authorized by the Act includes help in applying the standards NIST develops. This section indicates that NIST may provide technical assistance to the private sector rather than just to the federal agencies that must comply with the standards.
Question 14. What has been spent to date on Skipjack, Capstone and Clipper Chip?
Answer 14. NIST's FY-94 expenditures through the end of April are approximately $268,000. FY-93 expenditures regarding the Clipper Chip and key escrow encryption technologies involved a significant portion of NIST's computer security budget, specifically the level of resources devoted to this technology was approximately four years of professional staff time and travel expenses of about $10,000.
NSA will provide their funding information separately to the Committee.
No cost figure can be assigned to the NSA's development of the SKIPJACK algorithm, in part because it was developed as a family of classified algorithms over a period of years.
Question 15. NIST has explained that the single company manufacturing the Clipper Chips was selected because of its expertise in designing custom encryption chips, as well as its secure facilities and employees with high security clearances. How long will it take for the Government to certify another vendor of Clipper Chip? What progress, if any, has the Administration made on finding another vendor?
Answer 15. Several firms have expressed interest in becoming vendors of key escrow encryption chips. So far, one of these (other than the current company) has demonstrated that it has the technical expertise, secure facilities, and cleared personnel necessary to do the job. We expect that this firm would be able to commence production by early 1996.
Question 16. Once a given chip has been compromised due to use of the escrowed keys, is there any mechanism or program to re-key or replace compromised hardware? Is there any method for a potential acquiring party to verify whether the keys on a given chip have been compromised?
Answer 16. It should be emphasized that release of escrowed key components to law enforcement agencies for use in conjunction with lawfully authorized electronic surveillance does not constitute compromise of the particular chip associated with those key components. Upon completion of electronic surveillance, the law enforcement agency's ability to decrypt communications with the particular chip ends, and therefore, those communications again become undecryptable unless and until the key components are released once more. There is no way to re-key chips for which escrowed keys have been used. If a chip could be re-keyed, it might be possible for users to replace the chip unique key, thus defeating the law enforcement access field. The hardware can be replaced with new hardware for which keys have not been released from escrow.
Question 17. The Skipjack algorithm itself is classified, but the halves of the keys held by the escrow agents cannot be since they will be released upon presentation of a court order. Will the databases maintained by the escrow agents to hold the keys be subject to the Freedom of Information Act? What exception will you rely upon to justify withholding requests for information under FOIA?
Answer 17. As a matter of clarification, it should be noted that the key compo- nents are not themselves part of the SKIPJACK algorithm, nor do they, in combina- tion with each other or with any other group of binary numbers, generate the algo- rithm, or provide any information regarding its characteristics.
We understand your question regarding the Freedom of Information Act as relat- ing to the electronically stored key components held by NIST as an escrow agent, which information associates each particular chip-unique ID number with one of the components of its unique key. Release of these key components would permit a FOIA requestor to circumvent the protections that NIST is required to develop and promulgate as Federal Information Processing Standards under the Computer Secu- rity Act of 1987 (P.L. 100-235). Under 5 U.S.C. 552(b)(2), agencies are authorized to withhold information the disclosure of which would risk the circumvention of a statute or agency regulation. Therefore, the key escrow materials are protectible under 5 U.S.C. 552(b)(2).
Question 18. Normal security procedures involve changing cryptography keys periodically, in case one has been compromised. For example, those of us who use E-mail systems are accustomed to periodically changing our password for access to the system. But Clipper Chip's family and unique key cannot be changed by the user. If these keys are compromised, it will not matter how frequently the user changed their session keys. Does the long use of the same family and unique keys increase the likelihood that these keys will be compromised while they are still in use? Does this eliminate a significant degree of the user's control of the level of security that the system provides?
Answer 18. No. As discussed in the answers to other questions, access to the key escrow components will be highly controlled. In addition, these components themselves will be encrypted. Extensive audit procedures have been designed into the system to guard against any unauthorized access. Given these and other extensive protections, it is very unlikely that long use of the same chip unique or family key will have any negative impact upon users' security.
Question 19. How secure is the Clipper Chip if someone gets unauthorized access to half the key?
Answer 19. Knowledge of only one key component provides no information about the chip unique key and, therefore, does not in any way harm the security of the user.
Question 20. Every Clipper Chip has the same Family Key programmed into it. When conversations encrypted with Clipper Chip are intercepted, this Family Key is used to decode the intercepted serial number, or unique identifier, which the targeted chip transmits at the beginning of every conversation. With the serial number, the law enforcement agency can get the government set of key components from the escrow agents. Who has access to the Chip Family Key? Is it going to be distributed to all law enforcement agencies so they can quickly decipher serial numbers of chips that may become the target of a wiretap order? Will the Chip Family Key be protected in any way and, if so, how?
Answer 20. With respect to the first question, access to the family key is very closely held. The family key is the combination of two binary numbers independently and randomly generated and held, respectively, by the Department of Justice and the FBI. The combined family key is held under tightly controlled conditions in a dual-control safe at the programming facility for use in the programming process. When needed for a programming run, the family key is extracted from storage by specially designated employees of the programming facility, in the presence of representatives of the escrow agents, and entered into the programmer. At the end of a programming run, the programmer is again cleared of the family key. In addition, the family key is programmed into all law enforcement decrypt processors to discern the particular chip ID number when necessary.
With respect to the question regarding availability of the family key, the foregoing explanation indicates the extraordinary limitations on access to the family key. Agencies desirous of learning whether a particular communication is encrypted with key escrow encryption and, if so, learning the particular chip ID number will have access to the family key only as programmed into the decrypt processor. This may require a particular agency not possessing such a processor to provide to an agency that does hold one the communications suspected of being encrypted, so that the initial determination can be made. It should be emphasized, however, that an agency's determination of whether communications are being encrypted, and of the ID number of the chip performing the encryption, would occur in conjunction with the conduct of a lawfully authorized surveillance — not, as the question may imply, as part of activities preceding such authorization. Further questions on the protection of the family key are best directed to the U.S. Department of Justice.
Question 21. The Chip Family Key is built into the chip when it is programmed and cannot be changed. In the event that someone got unauthorized access to the Chip Family Key, what could that person do with it?
Answer 21. In the very unlikely event that someone were able to gain access to the family key and were able to figure out a means to use it, the only information that could be obtained would be the serial numbers of the EES devices used for a telecommunication. Of course, intercepting such a telecommunication without lawful authorization would be a felony offense.
Question 22. Clipper Chip design data will need to be released to manufacturers in order for them to incorporate the chip into security devices. How will we be assured that this design information, in itself, will not allow the key escrow chips to be compromised?
Answer 22. The only design data which will need to be released to manufacturers of devices using the chip are its interface specifications, such as size, power requirements, data input, and the like. None of these data can in any way be used to determine the encryption algorithm or any other information affecting the security of the encryption.
Question 23. A decrypt device will be used to receive an electronic transmittal of the two key halves from the escrow agents. The decrypt device will then be able to decrypt the intercepted message, until the wiretap authorization ends, when it will automatically turn itself off. How many of these decrypt devices will be built? Will the decrypt devices be maintained in a central secure facility? If so, who will maintain custody of the devices and how will they be distributed to the law enforcement agencies that need them?
Answer 23. Termination of a decrypt processor's ability to decrypt communications using a particular key escrow chip is a fundamental protection built into the system and law enforcement agencies that have received key components will be required to certify such termination. In the prototype model of the decrypt processor, that termination is effected manually; automatic termination will be available in later versions.
The number of decrypt processors that will ultimately be produced will probably be in large measure a function of the number of key escrow equipped devices in use throughout the country and the number of times key escrow encryption is encountered in the course of wiretaps. For the foreseeable future, when it is likely that the number of decryption processors will be small, it is likely that they would be centrally held by the FBI, to be made available for use in the field on an as-needed basis.
Question 24. The key escrow approach is designed to ensure the ability of the American government to access confidential data. What would make key escrow chips manufactured in America an attractive encryption method for foreign customers?
Answer 24. The key escrow initiative was undertaken to provide users with robust security without undermining lawfully authorized wiretaps. This point is important to emphasize as the market for this product very much depends on who users perceive as a threat to intercept their communications. The potential export market for encryption products can be divided into two categories: exports for foreign government use and exports for non-government use. The most likely government users of commercial encryption products would be countries that have a relatively low degree of technical sophistication, lack other resources necessary to develop their own encryption products, and do not perceive the United States as a primary threat. Such countries might be primarily concerned about access to their communications by neighboring countries, terrorists, criminal elements, or domestic political opponents. Such government users might view a vulnerability to possible eavesdropping by the United States as a price worth paying in return for security against those more immediate threats. However, we do not expect such users to constitute a major export market for key escrow encryption products.
The non-government sector represents a much greater potential export market for key escrow encryption products. While some prospective users abroad may steer clear of key escrow products because the United States will retain access, there may be many who believe they are unlikely to be targeted by U.S. intelligence in any case or for whom the superior security offered by key escrow encryption products against threats of greater concern may make key escrow products an attractive option. (For example, a distributor of pay-TV programming may depend on encryption to ensure that only those viewers who pay for the service can decrypt the TV signal. Such a distributor probably would not be concerned about the threat of access by the United States Government, and might favor key escrow encryption over competing products that use weaker encryption algorithms.) In addition, others may be attracted to key escrow encryption products in part by the need to interoperate with other users of such products, especially businesses in the United States.
Question 25. If key escrow chips are not commercially accepted abroad, and export controls continue to restrict the export of other strong encryption schemes, is the U.S. Government limiting American companies to a U.S. market?
Answer 25. U.S. firms have long been major players in the international commercial encryption market despite export controls on encryption products. We do not impose a blanket embargo on products which encrypt data or voice. Encryption products undergo a one-time technical review, the results of which are used in decisions as to whether a given product can be exported to particular end users consistent with U.S. interests. After the one-time review, products are given expedited licensing treatment. Some are licensed for export to virtually all end users. Some products are licensed less widely. Overall, over 95% of export license applications for encryption products are approved. Any encryption product can be exported by U.S. businesses for use in their facilities abroad. In addition, the President recently directed that a number of changes be made in the licensing process to expedite licensing and to ease the regulatory burden on exporters. In short, we have every reason to expect that the U.S. will continue to be a major exporter of commercial encryption products, regardless of the commercial success of key escrow encryption products.
Question 26. Is the key escrow encryption system compatible with existing encryption methods in use?
Answer 26. As is true among devices using different algorithms (e.g., DES, RSA, RC4, etc.) key escrow encryption products will not interoperate with other products using a different algorithm. Note also that many commercial products that use the same algorithm do not interoperate due to other constraints (e.g., transmission rates, voice-digitization process, other protocols, etc.).
Question 27. As part of NIST's continuing review of the key escrow encryption scheme, is NIST considering any new encryption approach that would be compatible with the embedded base of equipment?
Answer 27. No new approaches are being considered with the specific goal of compatibility with some installed devices. Note that no encryption approach would be consistent with the entire installed base of equipment. It is too widely varied.
Question 28. Critics of U.S. export restrictions on strong encryption technology argue that these restrictions have the effect of reducing the domestic availability of user-friendly encryption, which could otherwise be routinely incorporated in software and telecommunications equipment. What is the Administration's response to this criticism?
Answer 28. We do not believe that export controls have reduced the domestic availability of encryption. Encryption products have been commercially available in this country for a long time, especially since the adoption of the Data Encryption Standard (DES) as a Federal Information Processing Standard in 1977. However, demand for such products has been limited, with government purchases comprising the bulk of the encryption market. As public interest in and understanding of the need for security increases, we are moving aggressively to make available to the public, on a voluntary basis, the voluntary key escrow encryption technology needed to provide strong encryption without sacrificing the public's interest in effective law enforcement. Far from reducing the domestic availability of encryption, government actions, from adopting the DES standard to development of key escrow encryption technology, and even in driving the market during the years when there was little commercial interest, have greatly increased the domestic availability of encryption products, rather than reducing it.
Answer to a Question From Senator Patty Murray to NIST
Question 1. In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers' Association says there are at least 120 DES or comparable programs worldwide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad. With at least 20 million people hooked up to the Internet, how do U.S. export controls actually prevent criminals, terrorists or whoever from obtaining DES encryption software?
Answer 1. On the matter of export controls on encryption software (including DES), NIST defers to the National Security Agency, which, we understand, has been asked the same question.
Answer to a Question From Senator Larry Pressler to Raymond Kammer, Deputy Director, NIST
Question 1. NIST has approved the use of the Clipper Chip as the federal standard for encoding federal communications involving sensitive but unclassified information. Is there a reason why the Clipper Chip is not approved for classified information as well? If so, please explain.
Answer 1. The National Security Agency approves encryption systems for the protection of classified information, and is considering approval of Clipper for selected classified applications. The encryption algorithm used in the Clipper Chip, called SKIPJACK, is one of a family of encryption algorithms developed by NSA for use in protecting classified information.
Answers to Questions From the Senate Subcommittee on Technology and the Law to Whitfield Diffie
Question 1. The serial number, or unique identifier number, for each key escrow chip is sent out as a header on each encrypted communication. If the Government just wanted to know where I was and not what I was saying, would it be possible for the Government to track down the header on my communications and figure out where I was from where I was sending out my encrypted messages? Could you explain how this would be possible? Do you have concerns about this?
Answer 1. The serial number is contained in a block encrypted with the Family Key and is thus accessible only to those who can obtain the Family Key. This point is discussed further in the response to question 8.
Concealing the gross characteristics of messages (existence, timing, length, origin, destination, etc.) is typically more difficult to achieve by end-to-end techniques (those that operate only in the user's equipment) than concealing their contents. In modern telephone systems the called and calling numbers of phone calls are typically easy to get at. (This is what makes possible the controversial Caller-ID service.) In electronic mail — even encrypted electronic mail — this information is normally contained in the message headers. In the case of cellular telephones, the particular characteristics of the phone as a radio (Emitter ID) can be detected and used to distinguish among individual phones.
In short, although preventing interceptors from detecting serial numbers would be one necessary step in preventing tracking, that task is quite difficult and serial numbers may not be the most critical element.
Question 2. NIST has stated that "industry interest in developing secure software based on key escrow encryption is minimal." Is that a correct assessment and, if so, could you explain why?
Answer 2. NIST's statement is unfamiliar to me, but certainly accords with my experience. We do not perceive our customers as wanting escrowed encryption, so why would we want to develop software around it? There are de facto industry standards growing up around public key and multiple-DES. I suspect I speak for a broad segment of the industry in saying that we prefer to develop software based on publicly known techniques that are receiving acceptance from our customers.
Question 3. In a speech last month at a telecommunications conference in Buenos Aires, Vice President Gore described his vision for a global information network to link the people of the world and provide a global information marketplace. How would the electronic information flow between countries be affected if other countries will not let Clipper Chip in?
Answer 3. At present most internet traffic, like most of the world's communications, is unencrypted. It is the belief of those of us who support improvement of telecommunication security that the developing information infrastructure will not be able to serve its function adequately unless it is made more secure. Since the network — like the world economy — is international, worldwide interoperability standards are required. Security products that are the exclusive property of one country, or even a small group of countries, would appear to have no possibility of fulfilling this function.
Question 4. We are market leaders in applications software and operating systems. Our world leadership in operating systems is dependent on integrating security in internationally distributed systems. If overseas companies provide systems based on algorithms without key escrow schemes that encrypt faster and more securely, how will we compete internationally?
Answer 4. If overseas companies produce operating systems and application programs based on security mechanisms that cannot be exported from the United States, the U.S. software business will surely suffer.
Question 5. The National Security Agency has stated that "many non-key escrow encryption products have long been licensed for export * * * [and] * * * will continue to be * * *." Do you share this view that many American encryption products are freely licensed for export?
Answer 5. You have quoted NSA as saying that products "have been licensed for export" and "will continue to be." They have said nothing about "freely." In our experience it is often difficult and time consuming to get export licenses in secure communications and related areas even when there are comparable foreign products or when licenses have previously been granted for similar shipments.
The history of export licenses, however, is a question of facts not of views and these are facts to which I have little access. The question points up an issue that should be high on the export reform agenda: An opening up of the export control process that creates a written public record of export control policies and decisions.
Question 6. The Administration has stated that the Skipjack algorithm in the Clipper Chip must remain classified and only specially certified vendors will be given access to it. By contrast, openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. Given the restrictions on who can build Clipper devices, do you have any concerns about how Clipper will keep up with advances in semiconductor speed, power, capacity and integration?
Answer 6. I do, but these concerns are merely part of a larger concern. If the semi-conductor industry becomes dependent on parts available only on the sufferance of the government, it will no longer be free to make and carry out basic business decisions.
Should NSA (which appears to have control of the technology and the supply of parts despite the fact that key escrow is a Department of Commerce standard) decide to cease authorizing the production of clipper chips, industry would no longer be able to ship products interoperable with those sold earlier.
When Digital Equipment Corporation concluded some years ago that a very high speed DES device might be needed, it developed one internally using Gallium Arsenide technology. Should a semi-conductor manufacturer decide that a similar high-speed SKIPJACK chip was required it would need NSA's concurrence and cooperation to go ahead with the product. Under these circumstances, it might be blocked because NSA did not have any way of tamper proofing a sufficiently fast design. It should also be noted that such developments could be blocked or delayed even when they were completely in accord with government policy and objectives, because of lack of government funds, personnel, or other resources.
Question 7. The Administration has assured industry that the key escrow technology will be enhanced to keep pace with future data requirements. Are you aware of anything the Administration is doing to develop key escrow technology that can work with emerging high-speed communications technologies?
Answer 7. It is my understanding that a high speed algorithm called BATON is under development, but I have no further information.
Question 8. Every Clipper Chip has the same Family Key programmed into it. This Family Key is used by law enforcement to decode an intercepted serial number, or unique identifier, that is transmitted at the beginning of every encrypted conversation. The law enforcement agency presents this serial number to get the decoding keys from the escrow agents. In the event that someone got unauthorized access to the Chip Family Key, what could that person do with it? Do you have any concerns about who will have access to the Chip Family Key?
Answer 8. Although the administration seems to be saying that the Family Key will be very tightly controlled, it is traditional COMSEC doctrine that nothing that remains constant for a long period of time can be expected to remain secret. This is the view under which cryptographic systems are always presumed to be known to an opponent.
Possession of the family key, together with the LEAF creation method, would allow an opponent to identify individual cryptographic chips as discussed under question 1. It would also bring an opponent one step closer to recovering Chip Unique Keys, as described in my testimony, and thus having potential access to all past and future messages encrypted by particular chips.
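The escrow flow laid out in NIST's Answers 16 through 21 and the identification point in Diffie's Answer 8, as an added Python model that is not part of the hearing record and not code from NIST or Sun Microsystems. It assumes XOR for combining the two key components and the two family-key parts, an HMAC-SHA256 keystream as a stand-in for SKIPJACK, and a simplified LEAF layout (chip ID plus the session key wrapped under the chip unique key, all under the family key); the chip ID and keys are constructed.

```python
"""Toy model of the key escrow flow in NIST Answers 16 to 21 and Diffie's Answer 8.
Added example; not code from the hearing record, NIST or Sun Microsystems.
Assumptions not stated on the page: key components and family-key parts combine
by XOR; SKIPJACK is replaced by an HMAC-SHA256 keystream so only the standard
library is needed; the LEAF layout is simplified to chip ID plus wrapped session key.
"""
import hashlib
import hmac
import secrets

KEY_BYTES = 10  # 80-bit keys, the SKIPJACK key size (not stated on this page)
ID_BYTES = 4    # constructed width for the chip serial number field


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for SKIPJACK: XOR data with an HMAC-derived keystream (symmetric)."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return xor(data, bytes(stream[: len(data)]))


def split_unique_key(unique_key: bytes):
    """Two escrow components: a fresh random value and the key XOR that value."""
    component_a = secrets.token_bytes(len(unique_key))
    return component_a, xor(unique_key, component_a)


def complete_component(component_a: bytes, hypothesis: bytes) -> bytes:
    """Answer 19 made concrete: for ANY hypothesised unique key there is a second
    component that fits component_a, so one component alone selects no key."""
    return xor(component_a, hypothesis)


def make_leaf(chip_id: int, unique_key: bytes, family_key: bytes,
              session_key: bytes, nonce: bytes) -> bytes:
    """Header a chip sends at the start of a call: serial number plus the session
    key wrapped under the unique key, the whole enciphered under the family key."""
    wrapped = stream_cipher(unique_key, nonce, session_key)
    return stream_cipher(family_key, nonce, chip_id.to_bytes(ID_BYTES, "big") + wrapped)


class DecryptProcessor:
    """Law enforcement unit: holds the family key and, while a tap is authorized,
    the unique key rebuilt from both released components (cleared on termination)."""

    def __init__(self, family_key: bytes):
        self.family_key = family_key
        self.active = {}  # chip_id -> reconstructed chip unique key

    def identify_chip(self, leaf: bytes, nonce: bytes) -> int:
        """Answer 21: the family key alone exposes only the serial number."""
        return int.from_bytes(stream_cipher(self.family_key, nonce, leaf)[:ID_BYTES], "big")

    def recover_session_key(self, leaf: bytes, nonce: bytes) -> bytes:
        """Raises KeyError unless both components for this chip have been released."""
        plain = stream_cipher(self.family_key, nonce, leaf)
        chip_id = int.from_bytes(plain[:ID_BYTES], "big")
        return stream_cipher(self.active[chip_id], nonce, plain[ID_BYTES:])

    def terminate(self, chip_id: int) -> None:
        """Answer 16: once the surveillance ends the unit can no longer decrypt."""
        self.active.pop(chip_id, None)


def try_recover(unit: DecryptProcessor, leaf: bytes, nonce: bytes) -> str:
    try:
        unit.recover_session_key(leaf, nonce)
        return "recovered"
    except KeyError:
        return "blocked"


def run_demo() -> dict:
    """Walk one chip through programming, escrow, intercept, release and termination."""
    family_key = xor(secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES))  # DOJ part XOR FBI part
    chip_id, unique_key = 0x00C0FFEE, secrets.token_bytes(KEY_BYTES)  # constructed chip
    agent_one, agent_two = {}, {}  # the two escrow agents' stores, keyed by chip ID
    agent_one[chip_id], agent_two[chip_id] = split_unique_key(unique_key)
    session_key, nonce = secrets.token_bytes(KEY_BYTES), secrets.token_bytes(8)
    leaf = make_leaf(chip_id, unique_key, family_key, session_key, nonce)
    unit = DecryptProcessor(family_key)
    result = {"identified": unit.identify_chip(leaf, nonce),
              "before_release": try_recover(unit, leaf, nonce)}
    unit.active[chip_id] = xor(agent_one[chip_id], agent_two[chip_id])  # both released
    result["after_release"] = unit.recover_session_key(leaf, nonce) == session_key
    unit.terminate(chip_id)
    result["after_termination"] = try_recover(unit, leaf, nonce)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The family key alone yields the serial number and nothing else, the session key is recoverable only between the release of both components and termination, and `complete_component` shows why a single component is consistent with every possible unique key.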
Question 9. The Internet Privacy Enhanced Mail (PEM) is becoming an internationally recognized system for encrypting Electronic Mail over the Internet. If the Administration is successful in making the Skipjack key escrow system an American standard for encrypting electronic mail while the rest of the world uses PEM, how would this affect encrypted E-mail traffic between the U.S. and other countries?
Answer 9. I don't know how widely PEM is used at present, either inside or outside the U.S. PEM, in contrast to its competitor Pretty Good Privacy or PGP, has a rigid certificate structure that requires the construction of certification hierarchies and registration of users. The effect is to require top down adoption of PEM rather than promoting its free spread among users. This has slowed its "market penetration." PEM is also export controlled, although I have been told there are non-U.S. implementations.
At present only the DES/RSA combination of cryptosystems are reflected in PEM standards. PEM is potentially flexible, however, attaching labels to messages that indicate the cryptosystem in use. (Sun's implementation, for example, allows alternate cryptosystems.) There has been discussion of expanding PEM to allow triple DES and a key escrow based version seems equally possible.
Nonetheless, if a multiple DES and RSA version of PEM is widely used outside the U.S. and a key escrow version is used within, this will present a major barrier to secure communications between American and foreign companies.
Question 10. Is the demand for strong encryption technology growing and, if so, why?
Answer 10. It is hard to distinguish a demand for strong encryption from a demand for encryption period. It is, after all, rare for someone to want weak encryption. Usually it is accepted because strong encryption is too expensive or otherwise unavailable. The long history of scrambled (weakly analog encrypted) telephones, for example, was a result of the high cost of digitizing the sound so that it could be strongly encrypted.
That said, the demand for encryption is growing. The fundamental reason is that as the quality of communication networks improves, the value of the traffic they carry increases. At one time long distance telephone calls were too expensive and too poor in quality to be used for anything more than making appointments or getting quick answers to questions. Today, entire business meetings are conducted by phone. The growth in quality and cost performance of written electronic communications has been even greater and has led to important and sensitive messages being transmitted by fax or electronic mail. Today, most of these messages go without "envelopes." That is what encryption provides.
Sun Microsystems Computer Corp.,
Mountain View, CA, May 23, 1994.
Hon. Patty Murray, Committee on the Judiciary, U.S. Senate, Washington, DC.
Dear Senator Murray: I very much appreciate the opportunity to respond to your question:
Question 1. In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers' Association says there are at least 120 DES or comparable programs worldwide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad.
With at least 20 million people hooked up to the Internet, how do U.S. export controls actually prevent criminals, terrorists or whoever from obtaining DES encrypted software?
Answer 1. I have considered this issue with some care and I believe the answer lies in the critical dependence of the adoption of security measures on their ease of use.
No matter how obvious the need for communication security is to those of us who work in the field, it is difficult to sell. The reason for this is that communications intelligence is rarely visible to its target. Even if a company finds that it is repeatedly losing bids by small margins to a single competitor, discovering whether the vulnerability is in communications or procedures or personnel is very difficult. Under the circumstances, selling secure communications is much like selling insurance against a disaster that the customer cannot see.
The result is that users tend to avail themselves of secure communications only when security is built in as an automatic function that does not interfere with their work or require their attention. The availability of a cryptographic program that is not integrated into an application is useful only to those already dedicated to the practice of security. For these people, converting the Federal Standard for DES or some similar algorithm specification into a program is a small part of the job.
Consider for example, someone who is writing many drafts of a report and keeping them encrypted by using a file encryption program separate from the word processor. The writer must not only remember to reencrypt the file after each editing session, but if the word processor leaves unintended copies around on the disk, must run a disk cleaning program as well. Any slip-up potentially leaves the document vulnerable to compromise and similar examples present themselves in communication.
What NSA fears is a Sun or Microsoft or DEC operating system with encryption built in in such a way that after an initial log-in, all security is provided transparently for the user. This might, for example, support an application allowing people at remote locations to work jointly on a document. All drafts would be communicated encrypted without the writers having to do anything.
The answer to your question is thus twofold. The U.S. export controls probably do not prevent criminals or terrorists who are attentive to security from getting access to encryption software. They may, for a time, prevent these people from getting what honest business people want: Encryption software that functions automatically and invisibly in their operating systems and supports a variety of application programs in a consistent way.
From a communications intelligence viewpoint, NSA's fear is rational. Because the software marketplace is international, however, the effect of export controls has been to stifle the development of security in operating systems. Companies whose markets are frequently more than half foreign are loath to expend resources developing features that can be sold to only a minority of their customers.
Concern with America's position in international trade is also rational, however. It seems unlikely that businesses can indefinitely increase their dependence on computers and communications without installing security mechanisms commensurate with the value of their investments. The security machinery itself will be a small fraction of the total revenue for computer systems and software, but its smooth integration into operating systems and applications may be the sine qua non of future market acceptance.
Yours truly,
Whitfield Diffie, Distinguished Engineer.
Sun Microsystems Computer Corp.,
Mountain View, CA, May 23, 1994.
Hon. Patrick J. Leahy, Committee on the Judiciary, U.S. Senate, Washington, DC.
Dear Senator Leahy: I very much appreciate both the opportunity of speaking before your subcommittee and the opportunity to respond to your questions, the answers to which I have attached to this letter.
As I sat listening to the committee proceedings, I felt a glimmer of hope that the key escrow proposal might actually be stopped. At the same time I realized that winning this "fight," should we be so lucky, would not contribute to winning the larger battle: The battle to improve the security of American business and personal communications.
For more than a decade, we have been trying without much success to persuade the public that their communications are worth protecting and that this protection is worth paying for. In this campaign, we have usually had little support from NSA and at times we have had active opposition. NSA, however, has a decisive role to play and the battle probably cannot be won without it.
NSA is in possession of a vast body of information about both the vulnerabilities of communications and actual instances of their exploitation. When it is in marketing mode, as it was during the mid-nineteen eighties with its STU-III and CCEP programs, it lends its weight to the view that the communications of Americans are being exploited and need protection. When it is arguing against commercial standards or the relaxation of export controls, it takes the opposite view.
In undertaking the key escrow program, NSA has put forth a deal. They will lend both their technical and marketing abilities to the development of a new generation of widely available security equipment. The condition is the key escrow. Most of NSA's budget goes to intelligence and intelligence demands its cut. Should the key escrow program be stopped, it seems likely that we will return to a situation in which industry must try to persuade the public of the need for security over NSA's opposition or at best in the face of its indifference.
I suggest, therefore, that should Congress choose to take over the reins of policy in this area, it will not be sufficient to end the Administration's venture into key escrow. It will be necessary to insist that protecting the communications of all Americans be put foremost among NSA's responsibilities and to mandate NSA's full and unreserved participation in this program.
Yours truly,
Whitfield Diffie, Distinguished Engineer.
Answers to Questions From the Senate Subcommittee on Technology and the Law to Stephen T. Walker
Question 1. The serial number, or unique identifier number, for each key escrow chip is sent out as a header on each encrypted communication. If the government just wanted to know where I was and not what I was saying, would it be possible for the government to track down the header on my communications and figure out where I was from where I was sending out my encrypted messages? Could you explain how this would be possible? Do you have concerns about this?
Answer 1. It would be relatively straightforward for the government to track the movement of individuals and the phone numbers of people with whom they are communicating using the Clipper key escrow system without the need for a wiretap court order.
The law enforcement decryption unit that is used to initially detect the use of a Clipper device contains the "family key" of all Clipper telephone security devices. This key allows the decryption unit to identify the unique serial number without any interaction with the key escrow centers. Anyone with access to such a decryption unit could identify calls from specific Clipper devices without a court order.
Such activity would require access to phone communications facilities that would normally be associated with court-ordered wiretaps. Access to the decryption unit would normally be reserved for law enforcement officials [Initially there is only one such unit, but presumably if Clipper becomes widely used, there will be many available to law enforcement throughout the country.]
It is important to note that if one does not use a TSD, one's communications are trivially vulnerable to this same threat today.
Question 2. You are a member of the Computer System Security and Advisory Board, which was created by the Computer Security Act of 1987 to advise NIST on computer policy matters. Was this Board consulted by NIST during consideration of the key escrow encryption standard?
Answer 2. The Board was never consulted "before-the-fact" in any of the Administration's announcements on Clipper, the Digital Signature Standard, the Escrow Encryption Standard or any other matter related to cryptography. In each case the members of the Board were as surprised as the general public by these announcements.
As was demonstrated in the case of the proposed licensing of the Digital Signature Algorithm to Public Key Partners last June, the advice of the Board relative to the cost impact on the general public eventually led to a reversal of that proposal. Had the advice of the Board been sought before this proposal was put forward, I believe at least nine months of delay in issuing the Digital Signature Standard could have been saved. Given that the government has delayed the issuing of the DSS for over twelve years, though, it is not clear that this would have made much difference.
It is important to note that all activities of the Board except those dealing with budgets and proprietary concerns must be held in open session. Under these circumstances, describing its proposed actions to the Board would be equivalent to the government announcing its actions in public. I do believe that if the government wanted to it could make use of the proprietary information provisions to seek the advice of the Board prior to announcing its policy decisions. It is apparent that the government has chosen not to take this course in every announcement related to cryptography.
Question 3. Many users prefer encryption software because it is more cost effective than a hardware solution. So far, Clipper Chip has not been implemented in software. NIST announced in February that it will try to establish cooperative partnerships with the software industry to develop key escrow software. You are a member of NIST's Software Escrowed Working Group, which is examining the possibilities for alternatives to Clipper Chip. Has any progress been made? If not, could you explain why?
Answer 3. I am a member of the NIST Software Escrow Encryption Working Group and just this past week, I have made a proposal to NIST and NSA of an alternative to Clipper key escrow that I believe provides as good a solution to the law enforcement concerns while being implementable entirely in software. This proposal could provide a far more cost-effective solution to key escrow than Clipper. I made this proposal in the interests of demonstrating that key escrow could be achieved without secret encryption algorithms and mandatory hardware.
I must reiterate the major concern of my testimony before your hearing that government-imposed key escrow in any form, whether implemented in Clipper hardware or in software, should not take place until it has been subjected to full legislative review, passage of a law, signed by the President, and if necessary, determined to be Constitutional by the Supreme Court.
My suggestion that at least one software key escrow approach is just as good as that envisioned in Clipper is made as a technical suggestion for consideration by the government in full recognition that the government may choose to impose this technique on the American people without the benefit of Congressional consideration. I sincerely hope this does not happen.
Question 4. NIST has stated that "industry interest in developing secure software based on key escrow encryption is minimal." Is that a correct assessment and, if so, could you explain why?
Answer 4. The statement in quotes in this question is a complex statement that must be treated in parts. I believe that industry is concerned about key escrow for many reasons. Key escrow implemented in hardware using Clipper represents a significant increase in the complexity and cost of their products. Even key escrow implemented in software will complicate products while not adding to their marketability.
More importantly, I am convinced that industry has little interest in developing key escrow encryption techniques, whether in hardware or software, for exactly the same reason as most American citizens: they don't like it. If we as a people decide that the benefits of key escrow are worth the risks to individual privacy, if we pass legislation making key escrow legal under controlled circumstances, then I believe most Americans and most of American industry will support its implementation in computer and telephone products. Until then, I believe the opposition to key escrow will continue.
Question 5. In a speech last month at a telecommunications conference in Buenos Aires, Vice President Gore described his vision for a global information network to link the people of the world and provide a global information marketplace. How would the electronic information flow between countries be affected if other countries will not let Clipper Chip in?
Answer 5. I have thought a great deal about the international aspects of key escrow, whether by Clipper or in software. I do not see any practical way in which key escrow is ever going to work in a multinational setting. I believe that individual governments may work out ways for sharing the results of law enforcement intercepts in foreign countries. But I see no way that multinational companies will be able to communicate with their customers and suppliers in foreign countries if each government imposes its own form of key escrow. Vice President Gore's vision of a global information marketplace will be impossible so long as the U.S. Government or any other government feels key escrow is essential to their law enforcement interests. If the U.S. persists in this, it may have a national information marketplace, but it will be locked out of the international marketplace.
Question 6. We are market leaders in applications software and operating systems. Our world leadership in operating systems is dependent on integrating security in internationally distributed systems. If overseas companies provide systems based on algorithms without key escrow schemes that encrypt faster and more securely, how will we compete internationally?
Answer 6. We are rapidly reaching the point where we cannot compete internationally in products that incorporate good quality security. Multinational companies are requiring such capabilities in the information systems they are buying, and we are being locked out of those sales. And these are not just sales of encryption products. They involve all aspects of word processing, spreadsheets, integrated office products, database management systems, the very heart of our information system industry. We are not able to compete in these security-conscious marketplaces, and increasingly this will affect both our market share and our own abilities to protect U.S. sensitive information.
Question 7. In your testimony you note that "the Skipjack algorithm works fast enough to encrypt phone and low speed computer communications but will not easily scale to meet the needs of high speed computer communications." Could you explain this limitation in the underlying algorithm for Clipper Chip?
Answer 7. This question has a complex answer that involves the way key escrow will be used as well as its implementation in hardware.
First, the problem I was referring to is not a limitation of the Skipjack algorithm but relates to the hardware technologies currently being used to implement Clipper and Capstone. Some people have stated that the current versions will have to be reimplemented to work at the higher speeds required by modern computer communications.
But the nature of key escrow of individual communications requires interaction on a per-phone call or per-computer message basis. This is best done at the user end of the communications links (the individual phones or computers originating the communications). The present implementations of Clipper and Capstone are well-suited to this use.
There are other uses of cryptography that require much higher bandwidth and are not amenable to individual key escrow. Bulk encryption of high bandwidth communications links requires very fast cryptography. The Skipjack algorithm could probably be implemented with much higher speed technology for such uses. But key escrow of individual phone calls or computer messages is not meaningful in high bandwidth bulk encryption applications.
If the American people agree that we need key escrow, Skipjack, with its embedded key escrow, will play a role in achieving that capability. But key escrow is not the answer to all our cryptographic needs. We will also need cryptographic technologies that will operate at the same speeds as our highest bandwidth communications. For these devices, key escrow makes no sense.
Question 8. The National Security Agency has stated that "many non-key escrow encryption products have long been licensed for export * * * [and] * * * will continue to be." Do you share this view that many American encryption products are freely licensed for export?
Answer 8. There are many encryption products made in the U.S. with "weak" cryptography that are approved for export from the U.S. The best example is the so called "SPA deal" of 1992 in which the government agreed to the export of products containing cryptography so long as the key length used was 40 bits or less (the key length of the Data Encryption Standard is 56 bits).
Unfortunately, key lengths of 40 bits or less are, with today's technology, trivially easy to defeat. When U.S. companies attempt to sell products based on 40-bit keys to their foreign customers who already have 56-bit DES products, they generally fail.
As the use of good quality cryptography continues to grow, those U.S. products that have weak cryptography (and are therefore approved for export) will lose any market share that may now exist.
Question 9. The administration has stated that the Skipjack algorithm in the Clipper Chip must remain classified and only specially certified vendors will be given access to it. By contrast, openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. Given the restrictions on who can build Clipper devices, do you have any concerns about how Clipper will keep up with advances in semiconductor speed, power, capacity and integration?
Answer 9. This is a fundamental question at the core of technological advances throughout our society. If the last twenty years have shown anything, it is that open development of technologies that compete directly in the marketplace will be far more successful than closed designs. This is true for personal computers and for cryptographic devices.
Classified encryption algorithms that must be designed and implemented in closed communities will never be able to compete with the open-market development of products based on DES and similar public algorithms. Key escrow does not require the use of classified algorithms; it will work equally well with DES or other popular algorithms. If the Administration insists on a closed development and implementation process, it will relegate its key escrow ideas to a very small segment of the overall market for cryptography.
Question 10. The Administration has assured industry that the key escrow technology will be enhanced to keep pace with future data requirements. Are you aware of anything the Administration is doing to develop key escrow technology that can work with emerging high-speed communications technologies?
Answer 10. No, but I believe there are many techniques that can be used to attempt to make key escrow work with high speed communications. See my answers to questions 7 and 9.
Question 11. Every Clipper Chip has the same Family Key programmed into it. This Family Key is used by law enforcement to decode an intercepted serial number, or unique identifier, that is transmitted at the beginning of every encrypted conversation. The law enforcement agency presents this serial number to get the decoding keys from the escrow agents. In the event that someone got unauthorized access to the Chip Family Key, what could that person do with it? Do you have any concerns about who will have access to the Chip Family Key?
Answer 11. If an unauthorized individual obtained access to a device family key, that individual could create a capability to track the users of any device in that family, as was discussed in question 1. I believe that the procedures being established for protection of family keys and device escrow keys are quite strong. But as was pointed out by Senator Specter, it is not easy to keep a secret over a long period of time.
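A toy model, added here and not part of the hearing record, of the two-layer access field that Answers 1 and 11 describe: the family key alone exposes a device's serial number, while reading the traffic additionally needs the decoding key held by the escrow agents. The cipher is a stand-in rather than Skipjack, and the 32-bit serial, 10-byte session key and two-agent XOR key split are assumptions; the scenario data is constructed.

```python
# Toy model of a Clipper-style access field and key escrow flow (added example,
# not from the hearing). The cipher is a placeholder, NOT Skipjack; field sizes
# and the two-share XOR split of the device key are assumptions.
import hashlib
import hmac
import struct


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Reversible keyed transform: XOR with an HMAC-SHA256 counter keystream.
    Encrypt and decrypt are the same call. Stand-in for the classified cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_leaf(unit_id: int, session_key: bytes, unit_key: bytes, family_key: bytes) -> bytes:
    """Build the per-call access field sent ahead of the encrypted traffic.
    Inner layer: session key wrapped under the device's escrowed unit key.
    Outer layer: 32-bit serial number (assumed width) plus the wrapped key,
    both under the family key shared by every device in the family."""
    wrapped = toy_cipher(unit_key, session_key)
    return toy_cipher(family_key, struct.pack(">I", unit_id) + wrapped)


def read_serial(leaf: bytes, family_key: bytes) -> int:
    """What the family key ALONE yields: the device serial number. No escrow
    agent is involved, which is the tracking concern in Answers 1 and 11."""
    body = toy_cipher(family_key, leaf)
    return struct.unpack(">I", body[:4])[0]


def serials_seen(leafs, family_key: bytes):
    """Distinct serial numbers present in a batch of intercepted access fields."""
    return sorted({read_serial(leaf, family_key) for leaf in leafs})


def recover_session_key(leaf: bytes, family_key: bytes, escrow) -> bytes:
    """Escrow path: the family key exposes serial + wrapped key; the two escrow
    agents' shares (assumed XOR split) rebuild the unit key that unwraps it."""
    body = toy_cipher(family_key, leaf)
    unit_id = struct.unpack(">I", body[:4])[0]
    share_a, share_b = escrow[unit_id]
    unit_key = xor_bytes(share_a, share_b)
    return toy_cipher(unit_key, body[4:])


def demo():
    """Constructed scenario: one device (serial 42), two escrow agents, one call."""
    family_key = b"constructed-family-key-00000000"[:16]
    unit_key = b"constructed-unit-key-1234567890"[:16]
    share_a = b"escrow-agent-A-share-0000000000"[:16]
    share_b = xor_bytes(unit_key, share_a)      # agent B holds the complement
    escrow = {42: (share_a, share_b)}
    session_key = b"sessionkey"                  # 10 bytes, assumed key width
    leaf = make_leaf(42, session_key, unit_key, family_key)
    ciphertext = toy_cipher(session_key, b"hello from an escrowed phone")
    # Family key only: the device is identifiable, the traffic is not readable.
    serial = read_serial(leaf, family_key)
    # Family key plus both escrow shares: the traffic becomes readable.
    plaintext = toy_cipher(recover_session_key(leaf, family_key, escrow), ciphertext)
    return {"serial": serial, "plaintext": plaintext}


if __name__ == "__main__":
    print(demo())
```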
Question 12. The Internet Privacy Enhanced Mail (PEM) is becoming an internationally recognized system for encrypting Electronic Mail over the Internet. If the Administration is successful in making the key escrow chips an American standard for encrypting electronic mail while the rest of the world uses PEM, how would this affect encrypted E-mail traffic between the U.S. and other countries?
Answer 12. If key escrow were to become a mandatory standard in the U.S. while the rest of the world continued to use Internet PEM, there would be very little encrypted e-mail between the U.S. and the rest of the world.
Question 13. Is the demand for strong encryption technology growing and, if so, why?
Answer 13. Concern for the protection of sensitive information from unauthorized disclosure, modification or destruction is growing in all segments of the information technology market, from individuals to large corporations and governments. The demand for good quality cryptography will continue to grow until this concern can be adequately addressed. This is a fundamental issue that the Administration's policies of always siding with the law enforcement and national security interests continue to ignore. People will find ways to protect their sensitive information even if they have to buy encryption products from foreign sources.
Answers to Questions From the Senate Subcommittee on Technology and The Law to Vice Admiral J.M. McConnell
Question 1. The Defense Authorization Bill for Fiscal Year 1994 has authorized $800,000 to be spent by the National Research Council of the National Academy of Sciences to conduct a study of federal encryption policy. Can we wait to implement the key escrow encryption program until we have the benefit of the NRC's study? Do you think this study is necessary? Should this study be expedited?
Answer 1. We do not believe that we can wait until after the NRC study is completed in 1996 to begin implementation of the key escrow initiative. The information technology industry is dynamic and fast-moving, and to wait another two years or more would, we believe, jeopardize the success of the initiative. Industry demand for encryption products is growing, and the technology is available now to meet that demand with encryption products that provide an outstanding level of security to the user without making it impossible for law enforcement agencies to conduct lawful wiretaps. To wait for the completion of the NRC study would make it much more likely that the market would turn to other encryption products which would defeat lawful wiretaps. We believe that such a delay would not be in the best interest of the American people.
Neither do we believe that the study should be expedited. For our part, we will carefully consider the conclusions of the NRC study. We expect that it will give very careful consideration to the issues, and we would not want the pressure of an unnecessarily short deadline to limit the study group's ability to produce the best report possible.
Question 2. The Administration has said that it is continuing to restrict export of the most sophisticated encryption devices, in part, "because of the concerns of our allies who fear that strong encryption technology would inhibit their law enforcement capabilities." Do we really need to help our allies by prohibiting the export of strong American encryption products, since those same countries can simply control the encryption bought within their borders?
Answer 2. Exports of encryption products are subject to review primarily to protect U.S. national interests, including national security, law enforcement, foreign policy, and other important interests. The law enforcement concerns of our allies are a consideration, especially as the ability of our allies to combat terrorism, drug trafficking, and other international law enforcement problems can have direct benefits to the United States. However, foreign law enforcement concerns do not drive our export control policy. We would continue to review encryption exports to protect U.S. national interests even if foreign law enforcement concerns disappeared.
Question 3. Do you know whether foreign governments would be interested in importing key escrow encryption products to which they hold the decoding keys?
Answer 3. Several foreign governments have expressed interest in key escrow encryption technology due to their own law enforcement concerns. There have been some preliminary discussions, but issues such as who would hold the escrowed keys and the circumstances of government access to escrowed keys must be fully vetted.
Question 4. The Government wants the key escrow encryption standard to become the de facto industry standard in the United States. Would the Government abandon the Clipper Chip program if it is shown to be unsuccessful beyond government use?
Answer 4. We do not expect the program to be unsuccessful beyond government. We have developed a sound security product that we expect will find many uses in government information systems and further believe that government use will bring with it a commercial market, particularly in the defense sector. We have developed a sound security product that we expect will find many uses in government information systems regardless of its success in commercial markets.
Question 5. Openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. Given the restrictions on who can build devices with the classified Skipjack algorithm, how will key escrow chips keep up with advances in semiconductor speed, power, capacity and integration?
Answer 5. Despite the requirements that a firm must meet to produce key escrow encryption chips, we expect that there will be a number of manufacturers competing against each other to produce the best product, and that such competition will drive them to keep up with the latest technological advances. It is worth noting that only a few companies can produce the sophisticated microprocessors you reference, yet the competition in that market has driven them to achieve remarkable advances in that technology. NSA's STU-III secure telephone program provides an example of a cryptographic product line that keeps pace with technology.
The presence of a classified algorithm does not preclude keeping pace with technology. Through NSA's use of a competitive, multi-vendor approach, STU-III secure telephone products have continued to evolve in response to user requirements and technological advances despite their use of a classified encryption algorithm and the consequent need for security restrictions on the manufacturers.
Question 6. How well does the Skipjack algorithm work on telecommunications operating at very high speeds? Is NSA working on another algorithm, called BATON, that could be used at high speeds with a key escrow system? Will Capstone be compatible with BATON?
Answer 6. Using currently available microelectronics technology, the SKIPJACK algorithm could not be used for encryption at very high speeds. BATON is the name of an algorithm developed by NSA that could be used at higher rates of speed. We have no plans to develop key escrow encryption devices using BATON, however. Instead, we are considering another algorithm for use at high speeds with a key escrow system.
A high-speed key escrow device based on an algorithm other than SKIPJACK would not be "compatible with Capstone" in the sense that traffic encrypted by such a device could not be decrypted by Capstone, and vice versa. However, since such a device would be used for much higher-speed applications than those for which Capstone was designed, there would be no need for it to be compatible with Capstone in that sense.
Question 7. Can Capstone be used to encrypt video programming? If so, have cable companies been approached by any government agency to use Capstone to scramble or encrypt cable programs?
Answer 7. Capstone could be used to encrypt any digital signal, including video programming, operating at up to about 10 million bits per second. It could be used for encrypting individual video channels but not for bulk encryption of many channels multiplexed together in a single link. NSA is not aware of any government agency approaching cable companies to urge the use of Capstone. Two manufacturers have asked us about the suitability of key escrow devices for this purpose, however.
Question 8. Encryption software is available that can be used with Clipper to encrypt a message before or after it has been encrypted with Clipper. This "double encrypting" risks bypassing the key escrow feature. If a sender first encrypts the message with software using DES, and then transmits the message "double encrypted" with Clipper, can you tell from looking at the cipher, or encrypted text, that the underlying message was encrypted?
Answer 8. The only way to tell that a message has been "double encrypted" in this way would be to decrypt the "outer layer" of encryption, i.e. that done with Clipper. Only then would one be able to tell that the message had first been encrypted with something else.
Answers to Questions From Senator Pressler to Vice Admiral J.M. McConnell
Question 1. Admiral, as you are aware, critics of the Administration's proposal argue that as a practical matter, no criminal, foreign spy, or terrorist of any sophistication would be foolish enough to use an encryption device designed by the NSA and approved by the FBI. How do you respond? Why do[n't you] think the people whose telecommunications the NSA and the FBI want most to decode will be the very people most unlikely to use this technology?
Answer 1. From what we know today, the overriding requirement that spies, terrorists, and criminals have is for readily available and easy to use equipment that interoperates. Key escrow encryption is not meant to be a tool to catch criminals. It will make excellent encryption available to legitimate businesses and private citizens without allowing criminals to use the telecommunications system to plan and commit crimes with impunity. We believe it would be irresponsible for government to make excellent encryption broadly available knowing that its use by criminals would make it impossible for law enforcement agencies to conduct lawful wiretaps against them.
The Department of Justice credits information gleaned through wiretaps as leading to more than 20,000 felony convictions since the early 1980s. This would not have been possible if the criminals had been using encryption systems the FBI could not break.
Without government action, however, this fortunate situation will change. At present most people, and most criminals, don't use encryption. However, there is an increasing public awareness of the value of encryption for protecting private personal and business communications. Increasing demand for encryption by the public will likely lead to the widespread use of some form of standardized encryption on the public telecommunications network.
This development would have great benefits for the country. Legitimate businesses and private individuals could use the telecommunications system secure in the knowledge that their private information such as business records and credit card numbers could not be intercepted by third parties.
But there is a down side. Criminals, terrorists, and others could also use the system to plan crimes, launder money, and the like, completely secure in the knowledge that law enforcement agencies could not listen to those communications. Just as legitimate businesses operate much more efficiently and effectively using the telecommunications system than they could without it, so will criminal enterprises be able to operate more efficiently and effectively if they no longer have to avoid using the telecommunications system.
The United States is faced with a choice. We can sit back and watch as the emerging national information infrastructure becomes a valuable tool for criminals and terrorists to use to plan and carry out their activities with complete security, or we can take steps to maintain the current ability of government to conduct lawful wiretaps so that prudent criminals will have to find other less efficient ways to operate and foolish ones may be caught. Key escrow encryption is the latter option.
Question 2. Would widespread use of the Skipjack algorithm harm U.S. exports? Do you think it is unlikely foreign businesses will purchase American encryption technology if the U.S. Government holds a set of the decoding keys?
Answer 2. I do not believe that widespread use of key escrow encryption in the United States will harm U.S. exports. If it has any effect at all, it could increase exports somewhat. Key escrow encryption products provide another option for foreign purchasers that they have not had in the past; to the extent that foreigners do purchase key escrow encryption products, it will mean an increase in exports. Meanwhile, U.S. exporters are free to continue to sell the products they currently sell in foreign markets and to seek license approvals for new products.
It is difficult to predict the foreign market for U.S. key escrow encryption technology. Businesses that fear U.S. Government interception of their communications presumably would avoid products for which the U.S. Government holds keys. However, there are a number of reasons why foreign businesses might purchase them. One major reason would be to communicate securely with U.S. businesses that use them. In addition, the superior level of security provided by key escrow products (against all but lawful U.S. Government access) may make them attractive to foreign businesses that do not view U.S. Government access as a major concern. While some prospective users abroad may steer clear of key escrow products because the United States will retain access, there may be many who believe they are unlikely to be targeted by U.S. intelligence in any case or for whom the superior security offered by key escrow encryption products against threats of greater concern may make key escrow products an attractive option. For example, a distributor of pay-TV programming may depend on encryption to ensure that only those viewers who pay for the service can decrypt the TV signal. Such a distributor probably would not be concerned about the threat of access by the United States Government, and might favor suitable key escrow encryption products over competing products that use weaker encryption algorithms.
Question 3. You were present when the previous panelist, Stephen Walker, described how present U.S. laws prohibit his company from exporting encryption products. As I understand it, Senator Murray's bill, S. 1846, attempts to relax these export controls somewhat. Please give us your views on this legislation.
Answer 3. I support the Administration's position, as announced by the White House on February 4, that current export controls must remain in place and that regulatory changes should be implemented to speed exports and reduce the licensing burden on exporters. The bill you reference appears to be inconsistent with the Administration position. I would be happy to provide you further information on the Administration's reasons for maintaining the current export controls in an appropriate setting.
Answer to a Question From Senator Murray to Vice Admiral McConnell
Question 1. In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers Association says there are at least 120 DES or comparable programs worldwide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad. With at least 20 million people hooked up to the Internet, how do U.S. export controls actually prevent criminals, terrorists, or whoever from obtaining DES encryption software?
Answer 1. Serious users of encryption do not entrust their security to software distributed via networks or bulletin boards. There is simply too much risk that viruses, Trojan Horses, programming errors, and other security flaws may exist in such software which could not be detected by the user. Serious users of encryption, those who depend on encryption to protect valuable data and cannot afford to take such chances, instead turn to other sources in which they can have greater confidence. Such serious users include not only entities which may threaten U.S. national security interests, but also businesses and other major consumers of encryption products. Encryption software distribution via Internet, bulletin board, or modem does not undermine the effectiveness of encryption export controls.