Interesting People mailing list archives
IP: more on SAFE Forum
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 04 Jul 1996 17:10:51 -0400
From: bkoball () well com
Date: Thu, 4 Jul 1996 13:40:43 -0700
To: farber () central cis upenn edu

Dave,

Here's my take on the SAFE Forum last Monday... use it, if you like... it's also available at: http:/www.well.com/user/bkoball/SAFE

-brk-

Bruce R. Koball
B. R. Koball, Inc.
2210 Sixth St
Berkeley, CA 94710
(voice) 510 845-1350
(messages) 510 548-2450
(fax) 510 845-3946
bkoball () well com
"No Compromised Keys!"

--------

SAFE Down on the Farm

It was an absolute scorcher (95+) down on The Farm this past Monday (1 July). Fortunately, I spent most of the day in the air-conditioned comfort of Stanford's Kresge Auditorium, listening to scorching critiques of the Clinton Administration's cryptography policy delivered by corporate execs, cryptographers, cypherpunks and even members of Congress.

The event was the SAFE (Security And Freedom through Encryption) Forum, organized by the Center for Democracy and Technology, hosted by Stanford U. and sponsored by dozens of corporations and organizations. It drew a sizable crowd (approx. 500) and was an interesting, informative and productive gathering. Jerry Berman (Exec. Dir., CDT) moderated the day's events.

Especially gratifying was the participation of members of Congress including Rep. Anna Eshoo (D-CA), Sen. Conrad Burns (R-MT), Sen. Patrick Leahy (D-VT) (by satellite), and Rep. Zoe Lofgren (D-CA), all voicing encouraging opinions on the push for a sensible crypto policy.

Here are my recollections of the day's proceedings (with some paraphrasing necessitated by my less-than-complete notes):

--------

The first session started out with Berman reminding the gathering that they were essentially preaching to the choir. Eshoo lamented the continuing lack of understanding of Net and crypto issues in the halls of Congress and asked the panel how they would put the argument to legislators in terms they could understand.

Leahy addressed the gathering by video link from Vermont, and spoke of his efforts in this area and of his home state's traditional passion for privacy.

Eric Schmidt (CTO, Sun): (Weak crypto systems) "are an IQ test for foreign (business) executives... if they don't answer correctly, they get fired... no foreign company wants to use a technology that can be broken by the U.S. government..."

Craig Mundie (VP, Microsoft): "Today, all (exportable) keys are equal and are roughly as secure as the locks on your luggage..."

Whit Diffie (Sun): (Talking about the use of crypto for securing nuclear weapons and claims that availability of strong crypto would promote nuclear proliferation)... "My resume is out but I've never been offered the leadership of a rogue nation..." (Diffie is one of the creators of the fundamental algorithms behind public key crypto)

Lori Fena (Exec. Dir., EFF): Discussed EFF's initiatives in this area.

--------

Following the first session, Cylink did a simple demo of packet sniffing that showed how cryptography could protect against this sort of attack.

Fellow from Cylink: "Encryption is boring, unless it doesn't work..."

--------

Berman and Eshoo were then joined by Burns for the next session and the next panel of experts were seated.

Sen. Conrad Burns (R-MT): (talking about VP Gore and the embracing of technology by Gore's home state of Tennessee)... "Down there, C-band receivers are the state flower..."

Herb Lin (NRC): (discussing some of the high points of the NRC crypto report) "Export controls impede security efforts... crypto policy is not well aligned with market needs... current policy generates uncertainty (which is anathema to business)... crypto policy is no longer driven by Sig/Int needs but rather by the desires of law enforcement..." The full, official NRC report may be found at: http://www2.nas.edu/cstbweb/

Jim Omura (CTO, Cylink): Recounted some "war stories" about the deleterious effects of export controls on US business... Two US companies doing business in China, unable to deploy US-made crypto products; orders went to Swiss companies... Major order for banking systems in Peru lost to foreign competition for the same reason...

Tim Oren (VP, Compuserve): Reported that Compuserve was one of the unnamed sources in the NRC crypto report and has suffered numerous theft-of-services attacks, esp. from overseas, that could have been prevented (or made more difficult) had they been able to deploy strong crypto in their systems... also: "Connectivity is the killer app of the Internet..."

Phil Zimmermann (PGP, Inc.): (Talking about taking PGP commercial and his new company's recent purchase of ViaCrypt) "PGP started out from my concerns over human rights... If this (commercial venture) works, I'll be the first Silicon Valley entrepreneur to become a millionaire as a result of being an activist, instead of becoming a millionaire then being an activist..."

--------

For the first afternoon panel, Berman was joined by Lofgren and an impressive array of crypto experts. Berman asked them to explain the technology and its implications in a manner accessible to legislators.

Whit Diffie: Spoke about "work factor", i.e., how much work it takes to break encryption. A conventional crypto system is deemed "good" if its work factor is roughly proportional to its key length... he described 4 ranges of work factor in terms of computational "operations" and equivalent to key length:

  2^30 ops - can be done in a couple of seconds on a PC
  2^60 ops - difficult, but doable with serious effort (big budget, NSA project)
  2^90 ops - doable in distant future, but not within the useful lifetime of data currently extant
  2^120 ops - not doable in the foreseeable future

This shows where, in the key-length continuum, systems with 40-bit keys fit.

Eric Thompson (Access Data): his clients include the FBI... said that they can build an RC4 cracker from AMD 29K parts for $8900, and for $1M they can build a DES cracker (14 days) from Xilinx parts.

Bruce Schneier (Counterpane Systems): described the difference between direct attacks and "data harvesting," and the importance of crypto in protecting against each.

Tom Parenty (Sybase): Worked in crypto for NSA in the 1980s... started by quoting the old NSA motto, "In God We Trust, All Else We Monitor." He pointed out that there are over 500 crypto products currently available from foreign sources.

Matt Blaze (Cryptographer): spoke about the enormous difficulty of implementing a standard, secure crypto system, and how the added complexity of a key escrow system would render practical implementation almost impossible... Consider the govt's requirements for a key escrow operation: 24 hr/day, 365 days/year with a 2-hour response time... it would be extremely difficult for such an operation to be both secure and effective...

Diffie offered some caustic analogies on the concept of a govt-controlled escrow agency: Clinton White House and FBI files - dossier escrow; Nixon admin's enemies list - tax return escrow; 1941 Japanese internment - Census data escrow...

--------

For the final panel of the day, Berman was joined by Ken Bass and a number of legal experts and advocates.

Ken Bass (former Counsel for Intelligence Policy under Carter, now a Partner with Venable, Baetjer, Howard and Civiletti): Explained that export controls on cryptography were originally engendered by national security concerns, "but now the NSA is hiding behind the FBI's shield... the NSA has recognized that its export controls were actually damaging its ability to monitor by encouraging an arms race among cryptographers..." He also pointed out that the lines drawn by export controls are a marker declaring that exportable crypto systems are breakable, thus providing the incentive for the development of more powerful systems... had they not clamped down on DES, for instance, the market would still believe that it's strong... "the NSA wants to preserve the fiction of security..." "The NSA's job is monitoring as much traffic as they can to find the bad guys, but in law enforcement you don't use electronic surveillance to find the crooks, you use it to gather additional evidence to convict them... the probable cause requirement for warrants means that law enforcement already has strong evidence of a crime..."

Jim Lucier (Americans for Tax Reform): Called the govt's efforts to suppress crypto and to mandate key escrow "the biggest power grab since the income tax... government wants real time access to everything you do on the net..."

Barry Steinhardt (ACLU): "The issue is shifting to law enforcement's concern for preserving wiretapping abilities... it's no longer driven by national security concerns..."

Cindy Cohn (Attorney, McGlashan & Sarrail): Has been working the EFF/Bernstein case. "There is another class of losers in this case; the scientists..." She said that by declaring that researcher Bernstein cannot publish his ideas on the Net, the government is, in effect, limiting scientific inquiry...

Barbara Simons (USACM): Decried the fact that "most of the voices in these policy debates are lobbyists..."

John Gilmore (EFF): Pointed out that the judge in the Bernstein ruling said "for the purposes of the First Amendment, source code is speech."

Michael Froomkin (U. of Miami Law School): enumerated his "Two Hard Truths" about the government's perception of crypto issues, and the "Three Steps" that seem to comprise the government's current strategy for dealing with them:

  Truth One: "From the govt's point of view, there are useful, valuable results from the current controls on crypto."
  Truth Two: "Controls have been working so far... e.g., Windows '95 doesn't have any built-in provision for strong crypto."

  Step One: "Conduct an open process (i.e., hearings, consultations with industry, etc.), but then go and do whatever you want."
  Step Two: "Promote international pressure for crypto control through diplomatic channels, etc... essentially a closed process."
  Step Three: "The Bribe/Blackmail model... promote centralized systems (e.g. for electronic transactions, etc.) and require that, in order to participate, you must use approved crypto."

--------

In general, there was agreement among the participants at the Forum that export restrictions on cryptography are hindering the competitiveness of US high-tech businesses, that a government-mandated key-escrow system is technically and commercially ill-advised, and that, while government controls on cryptographic technology grew out of national security concerns, they're now being driven by law enforcement.

And a couple of my own comments:

Because mandatory key escrow was so roundly denounced, I became concerned that positive commercial applications of _voluntary_ key escrow systems might be getting tarred with the same brush. These include things like lost key recovery that will be essential to businesses when crypto-enabled applications become widespread. Herb Lin did talk about allowing the development of key escrow systems to be driven by market demand instead of by government fiat.

The incantation that "the genie is out of the bottle" was also invoked several times during the day, to emphasize the futility of attempts at controlling this technology. While it's true that applications with strong crypto, like PGP, are readily available worldwide, they have yet to find widespread use, primarily because you've got to make the extra effort to use them. It follows that the true benefits of cryptographic technology (network security, commercial confidentiality, and personal privacy) will not be realized until it is included in mainstream applications in a seamless, integrated manner, such that its use is automatic, coming without special thought or effort by the user. Several speakers alluded to this, but I think it bears repeating. This is government's fear and the Net's goal.

In summary, I think this was a valuable event and I congratulate its organizers and participants on a job well done.

(c) 1996 B.R.Koball

Bruce R. Koball
B. R. Koball, Inc.
2210 Sixth St
Berkeley, CA 94710
(voice) 510 845-1350
(messages) 510 548-2450
(fax) 510 845-3946
bkoball () well com
"No Compromised Keys!"
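As an added example (not part of Koball's report and not any speaker's own material), the Python below turns Diffie's four work-factor reference points and Thompson's reported $1M / 14-day DES cracker figure into a small calculator that places a key length on Diffie's scale and rescales the DES benchmark to other key sizes. The constant-time-per-trial and linear-cost-scaling assumptions are introduced here for illustration, not stated by the speakers.

```python
import math

# Added example, not from Koball's report or any forum speaker: a calculator
# for the "work factor" argument Diffie made at the SAFE Forum, built from the
# numbers quoted in the report. Scaling assumptions are marked below.

# Diffie's four reference points: log2(operations) -> his characterisation.
DIFFIE_BANDS = {
    30: "a couple of seconds on a PC",
    60: "difficult, but doable with a big-budget (NSA-scale) effort",
    90: "doable in the distant future, beyond the lifetime of current data",
    120: "not doable in the foreseeable future",
}

# Thompson's benchmark as reported: $1M of Xilinx hardware exhausts DES in 14 days.
DES_KEY_BITS = 56
DES_CRACK_DAYS = 14.0
DES_CRACK_COST_USD = 1_000_000

def exhaustive_search_ops(key_bits: int, average: bool = False) -> int:
    """Key trials to exhaust the key space (worst case) or to find the key on average."""
    trials = 1 << key_bits
    return trials // 2 if average else trials

def nearest_band(ops: int) -> str:
    """Describe an effort by the Diffie reference point closest to it on a log2 scale."""
    log_ops = math.log2(ops)
    exponent = min(DIFFIE_BANDS, key=lambda e: abs(e - log_ops))
    return f"about 2^{exponent}: {DIFFIE_BANDS[exponent]}"

def days_on_des_cracker(key_bits: int) -> float:
    """Rescale the 14-day DES figure to another key length on the same hardware.
    Assumption (mine): time per key trial is constant, so time doubles per extra bit."""
    return DES_CRACK_DAYS * 2.0 ** (key_bits - DES_KEY_BITS)

def cost_to_crack_in(key_bits: int, target_days: float) -> float:
    """Hardware budget to finish within target_days. Assumption (mine): throughput
    grows linearly with money spent, i.e. more parallel cracker boards."""
    return DES_CRACK_COST_USD * days_on_des_cracker(key_bits) / target_days

def work_factor_row(key_bits: int) -> tuple:
    """One line of a key-length table: (bits, trials, Diffie band, days on the DES cracker)."""
    ops = exhaustive_search_ops(key_bits)
    return (key_bits, ops, nearest_band(ops), days_on_des_cracker(key_bits))

if __name__ == "__main__":
    for bits in (40, 56, 64, 80, 128):  # 40-bit was the exportable ceiling discussed
        bits, ops, band, days = work_factor_row(bits)
        print(f"{bits:>3}-bit key: 2^{bits} trials, {band}; {days:.3g} days on the $1M cracker")
```

Run stand-alone it prints one row per key length; the 40-bit row is the point Diffie was making, since the same $1M hardware that needs 14 days for DES finishes a 40-bit search in under twenty seconds.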