Interesting People mailing list archives
tex version of USACM Crypto report. Note The IEEE US Activities committee also took a position. Sorr
From: David Farber <>
Date: Mon, 4 Jul 1994 14:58:09 -0400
\noindent Dual-use technology: Technology which has both military and commercial applications.
\smallskip
\noindent Ethernet: A 10-megabit per second local area network developed by Digital Equipment, Intel, and Xerox, and standardized by the IEEE.
\smallskip
\noindent Modem: An interface between telephone transmission and computer storage.
\smallskip
\noindent Tessera: The government name for a PCMCIA card that contains the Capstone chip. (A PCMCIA (Personal Computer Memory Card Industry Association) card is an industry standard format and electrical interface for various computer components, including memory, very small disks, etc.)
\smallskip
\noindent Trojan horse: A program, a component of which is capable of unexpected effects.
\end{minipage}}
\medskip
\noindent The problem is how to secure electronic communications in the Information Age. Law enforcement believes the Escrowed Encryption Standard (EES) will provide strong communications security without making the communications of criminals and terrorists immune from lawful interception. National security officials believe EES will not interfere with their access to foreign intelligence, and thus is a secure solution to the complexities presented by the need for strong encryption. If public comments are any guide, the computer industry is persuaded that EES is a poor design that will add complexity and expense to American computer products; it sees escrowed encryption as an inappropriate and expensive solution to the cryptographic problem that law enforcement and national security allege exists. Civil-liberties groups including the American Civil Liberties Union (ACLU) and the Computer Professionals for Social Responsibility (CPSR) argue that escrowed encryption technology is a major intrusion on the privacy rights of the public, and that EES is a change in policy masquerading as a government procurement standard.
The EES is a voluntary standard for encryption of voice, fax, and computer information transmitted over a circuit-switched telephone system. Many of the commercial objections to it concern its expected extension to computer communications. In this chapter we examine the issues EES raises. This chapter is split into five sections: (i) Privacy Concerns Raised by EES; (ii) Impact of EES on Export; (iii) Interoperability Issues Raised by EES; (iv) EES: Hardware versus Software; and (v) Impact of EES on the U.S. Computer Industry.
\begin{center} Privacy Concerns Raised by EES \end{center}
\noindent Some facts are clear:
\medskip
\noindent 1. EES makes the users' secret keys available to the government.
\medskip
\noindent 2. EES was designed by the National Security Agency (NSA).
\medskip
\noindent 3. The underlying algorithm, SKIPJACK, is classified.
\medskip
\noindent There agreement ends. Advocates of EES claim the availability of strong cryptography (designed by NSA) will provide Americans with better and more readily available privacy protection than they presently enjoy. Privacy advocates believe that any cryptographic system where the government holds the keys endangers each individual's right to confidential communications. Proponents of EES observe that no one will be forced to use the system, and that EES does not prohibit other forms of encryption. Opponents respond that the National Institute of Standards and Technology (NIST) standard states ``use is encouraged when [EES] provides the desired security.'' They maintain that if a large Federal agency such as the IRS adopts EES, electronic filers who choose to secure their transmissions may have to use the algorithm. Such a choice by the IRS would have the impact of making the voluntary standard the de facto national one.\footnotemark\ Notwithstanding the voluntary nature of the current EES initiative, opponents fear that the government might eventually outlaw other forms of encryption.
These critics of the government's plans doubt that a voluntary program will be effective in preventing the use of alternative forms of cryptography by criminals, and they contend that with EES technology widely deployed and readily available in the future, a prohibition against other methods of encryption might be seen as more politically palatable than it would be today. As such, they view the government's adoption of a voluntary standard as the first step toward such a program. There is no question that the market impact of the Federal government can be huge, although recent experience illustrates that the government's ability to influence the computer communication market is not always successful.\footnotemark\ Adoption of EES as a standard, voluntary or otherwise, decreases the chance there will be competing systems available. Indeed the true success of EES, as measured by law enforcement's continued ability to decrypt tapped conversations, can come only at the expense of competing systems for secure telecommunications. There is already one example. In 1992 AT\&T announced a DES-based secure telephone for the mass market. After being approached by the government, the phone company changed its plans and withdrew the DES version. It now produces an EES version and also versions with proprietary algorithms. If EES is a success in its own terms, there will be no other secure telecommunications equipment contending for the civilian market -- at least in the United States. Proponents of escrowed encryption argue that privacy protection will be better than ever. There will be a proliferation of secure telephones. It is anticipated that the escrowed system will leave an electronic audit trail.\footnotemark\ In the event that the government illegally taps a communication, the illegal interception will be much easier to uncover than it is under the present system. 
Opponents of escrowed encryption believe that a privacy system in which the government holds the key to every lock is no privacy system. Escrowed encryption may have been designed with the best of intentions, but Brandeis, in his famous dissent in the Olmstead wiretapping case, warns us to be cautious in such situations:
\begin{quote}
Experience should teach us to be most on our guard when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest danger to liberty lurks in insidious encroachment by men of zeal, well-meaning but without understanding [Olm, pg. 752 - 753].
\end{quote}
Civil-liberties groups strongly argue against a civilian standard being developed by a military organization. For example, CPSR points to the Computer Security Act, which the organization says decided the issue seven years ago. CPSR asserts that in a democratic society the public should play a significant role in deciding how the communications infrastructure will be designed. But the underlying algorithm for EES is classified, and the strength of the algorithm cannot be assessed by the (public) cryptography community. Reminding us of the abuses of Watergate and the revelations of the Church Committee, CPSR contends that the NSA should not be building government trapdoors into the civilian communications infrastructure.
\begin{center} Impact of EES on Export \end{center}
\noindent The U.S. State Department controls the export of cryptography, under the authority of the International Traffic in Arms Regulations. Despite a 1991 decision by the Coordinating Committee on Multilateral Export Controls (COCOM)\footnotemark\ declaring cryptography a dual-use technology, the United States has kept cryptography on its munitions list.
A vendor, seeking an export license for a product containing cryptography, first determines whether export of the product falls under Commerce Department or State Department rules. If jurisdiction is within the Commerce Department, approval is swift. If not, the procedure becomes more complex, and NSA may become involved. With the exception of use by financial institutions and by foreign offices of U.S.-controlled companies, NSA generally will not approve export of products containing DES used for confidentiality. Approval is granted for the export of cryptography for authenticity and integrity purposes. If a product such as DES is dual-purpose, then export approval will be granted only if the vendor can demonstrate the product cannot be easily modified to protect confidentiality. Striking a balance between economic strength (by opening markets for U.S. companies) and protecting national security (by restricting the sale of military technology) requires making complex choices. Cryptography is not the only American product subject to export control. What differentiates this conflict from, say, the exportability of supercomputers is that comparable cryptographic products are available for sale internationally. A year ago, the Software Publishers Association (SPA), quantifying what had been anecdotal, searched for foreign cryptography products. By March 1994, the organization had located 152 foreign products with DES cryptography, from such countries as Australia, Belgium, Finland, Israel, Russia, Sweden, and Switzerland [SPA-94]. RSA is also routinely available in foreign cryptographic software. Neither of these facts should come as a surprise, since the specifications for both algorithms are publicly available. 
Supporters of export controls argue that the most serious threat to foreign-intelligence gathering comes not from stand-alone products that constitute most of the market, but from well-integrated, user-friendly systems in which cryptography is but one of many features. From this perspective, it is essential to control export of the commodity, namely desktop hardware and software with integrated cryptography. The U.S. is the preeminent supplier of such products. National security experts believe that the export-control policy is working. DES on the Internet has little impact on U.S. communications intelligence. Foreign organizations that are concerned about protecting their information from sophisticated intercept are not likely to download an encryption software program from the Internet. Instead they will buy products they trust from reputable vendors. Testifying to the Subcommittee on Economic Policy, Trade and Environment last fall, Stephen Walker, President of Trusted Information Systems, explained that his company had attempted to implement Privacy Enhanced Mail (PEM) for the British Ministry of Defence. Since PEM uses both RSA and DES, Trusted Information Systems was unable to export the algorithm directly. Instead the British subsidiary of the company, Trusted Information Systems Limited, arranged to implement a British version of PEM, using DES and RSA algorithms available in the U.K. The Ministry of Defence got its program. DES and RSA were not exported, and several British computer scientists got the work [Walk, pg. 68]. Quantifying lost sales is difficult. One can count the number of export-license applications denied or withdrawn, but that misses the mark. Foreign customers who know that the products they want will not receive U.S. export approval are unlikely to waste time approaching American companies. At the same time, export controls are sometimes cited as the reason for a lost sale when the facts are otherwise.
The Department of State export-license statistics give only a partial picture of the situation. Features, even ones not purchased, increase sales. If U.S. companies cannot include cryptography used for confidentiality in their products, that fact turns away sales even if cryptographic security is not presently required. Buyers are reluctant to commit to a company for fear that sometime later they will want to upgrade their system, perhaps including cryptographic security, and the American company will not be able to supply them, because of U.S. export controls. Multinational companies are particularly interested in protecting their electronic communications. The U.S. policy on export control of encryption makes adoption of U.S. encryption products a poor choice, since compatibility is a prime consideration to purchasers. In seven different instances between April 1993 and April 1994, the Semaphore Communications Corporation was advised by the State Department or the NSA that it would be unable to export secure communications equipment with strong cryptography for confidentiality. One such example occurred when Semaphore Communications Corporation lost out to a German competitor. The competitor offered a German-built DES-based system that could be exported to the buyer's U.S. office. Semaphore was unable to export a DES-based product to the buyer's home office in Germany [Walk, pg. 70]. The seven contracts for which Semaphore could not compete represented one million dollars in sales, a large amount for a small firm. Furthermore, this also resulted in Semaphore losing a multiyear agreement with an estimated value of several million dollars in that period. The government's response has been to ease export restrictions on some cryptographic products. For example, Ronald Rivest of MIT has designed two variable-key-length cipher functions, RC2 and RC4, that can be used instead of DES in export versions of products.
Under an agreement with the Software Publishers Association, the Department of State has a streamlined export-license process for versions of RC2 and RC4 that are limited to a 40-bit key size. (56-bit keys are allowed if the export is to foreign subsidiaries or overseas offices of U.S. companies.) But the 40-bit key size is smaller than a 56-bit DES key, and thus these algorithms are perceived by users as being less secure than the DES. Moreover, RC2 and RC4 are not compatible with DES, creating potential interoperability problems for users. Export-control policy on cryptography has complicated development of secure systems. Digital Equipment Corporation's DESNC, a DES encryptor placed between a workstation (or several workstations) and an Ethernet cable to encrypt traffic to and from the workstation, is an example of a useful product that died an untimely death in part because of export control. Because of the product's use of DES for confidentiality, government policy did not permit the general export of DESNC. There was still a domestic market. But Digital Equipment marketing managers feared that publicizing DESNC, without the availability of a comparable product for export, would alienate Digital Equipment's foreign customers by suggesting that unencrypted Ethernet technology is vulnerable (it is), but without providing a solution for non-U.S. customers. A high-cost item, DESNC was unlikely to be a big seller in either foreign or domestic markets, but an inability to offer this product on a global basis posed a critical customer relations problem. These concerns, in combination with the negative publicity it would bring to Ethernet technology, were deemed unacceptable trade-offs.\footnotemark\ National security experts have argued that if U.S. export controls on cryptography were removed, foreign governments could impose import controls in their place; they point to France, which requires registration of cryptographic algorithms, as an example.
However, at present no Western European governments other than France restrict the import of cryptographic products, and only a few Asian governments do so. The impact of FIPS 185 on the export of American cryptography is unclear.
From the government's perspective, if strong cryptography is widely used, then EES will be deemed successful if it dominates the market for cryptographic products in the telecommunications arena. Presently there are but a handful of U.S. companies offering secure telephones, including Datotek (now owned by AT\&T) and Technical Communication Corporation; these businesses are small, with each representing about \$10 million in sales annually.
\begin{center} Interoperability Issues Raised by EES \end{center}
\noindent Interoperability -- the ability of users to communicate between different systems -- is essential for any telecommunications system. For example, problems arose during the Gulf War because the coalition forces that were assembled did not share a common, secure communications system. Civilian needs during peacetime are quite different from military needs during wartime. It remains true, however, that interoperability is crucial in the communications arena. Assuming that the United States government has no plans to change the classified status of the SKIPJACK algorithm, it is unlikely that the European Community will adopt EES as a standard for secure telecommunications.
\begin{center} EES: Hardware versus Software \end{center}
\noindent The government's attempt to create strong cryptography that would not hinder law enforcement's ability to comprehend legally intercepted conversations resulted in several controversial aspects of the EES design: escrowed encryption, classification of the SKIPJACK algorithm, and availability of the algorithm only in hardware. As far as law enforcement access is concerned, an implementation of the SKIPJACK algorithm without the Law Enforcement Access Field would completely miss the point. Law enforcement agents would be unable to decrypt. To make such implementations more difficult, EES is available only in tamper-resistant hardware. This is more expensive than a software solution -- and not only the government will be paying.
In lots of ten thousand, Clipper chips will cost approximately \$15; industry experts contend that this translates to a finished product with escrowed encryption capabilities costing about \$60 more than one without. In lots of one hundred thousand, the price drops to \$10 each, with a corresponding drop to \$40 for the finished product. Software implementations also offer a flexibility that hardware does not. A family of compatible products is an excellent way to sell new technology. Vendors will often offer the capability of beginning with low-cost software, with the option of upgrading to higher-performance hardware when needed. But hardware-only implementations of encryption do not allow that kind of versatility. NIST is investigating the possibility of a software version of key-escrow encryption. Several proposals are currently under investigation.
\newpage
\begin{center} Impact of EES on the U.S. Computer Industry \end{center}
\noindent For nearly two decades, industry and academic experts have argued that protecting computer communications is vitally important. Many have posited that the civilian market for cryptography is about to take off. The EES initiative would encourage the adoption of cryptography. From the day it was proposed, the computer industry has protested. Why? It will need to be used only by those who wish to encrypt voice, fax, or computer information sent to a Federal agency that has adopted the standard. The computer industry sees the standard as significantly less than voluntary. Should EES be adopted by a Federal agency with a large constituency, such as the Social Security Administration, industry will have to make EES available as standard in domestic equipment. In such circumstances, consumers will demand products with EES. The computer industry has made an investment in DES and RSA solutions for secure systems. From a vendor viewpoint, escrowed encryption will be an expensive add-on that will add little new functionality.
Furthermore, multiple methods of encryption increase complexity, thus discouraging demand. Computer vendors believe that the combination of a classified algorithm and key registration with the U.S. government will make EES unattractive internationally. If this is true, U.S. computer companies will have to implement other forms of cryptography to make American products competitive in the world marketplace. At the same time, domestic demand may mean that EES will need to be in products for the U.S. market. Manufacturers support dual product lines when they must, but from a vendor viewpoint, this is an unnecessary distraction and added expense. Semiconductor manufacturers are concerned about government control of the manufacture of Clipper chips. (NSA licenses the manufacturers of the chip.) Vendors avoid sole-source supplies when possible, but the government has committed to establishing multiple sources for the chips. Vendors also do not like to adopt technology whose manufacture they cannot control. Finally, some in the industry are disturbed about the possibility of the government controlling more than just the manufacture of Clipper chips. Suppose a company wants to integrate EES into its central processing unit. The government controls that right. Does that mean that the National Security Agency will be making design decisions for a U.S. civilian product? Some vendors have raised the concern that the government might want to exert close oversight over vendor integration of escrowed encryption. The fact that the government is promoting the use of