Interesting People mailing list archives
IP: more on SAFE Forum
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 04 Jul 1996 17:10:51 -0400
From: bkoball () well com
Date: Thu, 4 Jul 1996 13:40:43 -0700
To: farber () central cis upenn edu
Dave,
Here's my take on the SAFE Forum last monday... use it, if you like...
it's also available at:
http:/www.well.com/user/bkoball/SAFE
-brk-
Bruce R. Koball B. R. Koball, Inc. (voice) 510 845-1350
bkoball () well com 2210 Sixth St (messages) 510 548-2450
"No Compromised Keys!" Berkeley, CA 94710 (fax) 510 845-3946
--------
SAFE Down on the Farm
It was an absolute scorcher (95+) down on The Farm this past Monday (1
July). Fortunately, I spent most of the day in the air-conditioned
comfort of Stanford's Kresge Auditorium, listening to scorching
critiques of the Clinton Administration's cryptography policy delivered
by corporate execs, cryptographers, cypherpunks and even members of
Congress.
The event was the SAFE (Security And Freedom through Encryption) Forum,
organized by the Center for Democracy and Technology, hosted by
Stanford U. and sponsored by dozens of corporations and organizations.
It drew a sizable crowd (approx. 500) and was an interesting,
informative and productive gathering. Jerry Berman (Exec. Dir. CTD)
moderated the day's events.
Especially gratifying was the participation of members of Congress
including Rep. Anna Eshoo (D-CA), Sen. Conrad Burns (R-MT), Sen.
Patrick Leahy (D-VT) (by satellite), and Rep. Zoe Lofgren (D-CA), all
voicing encouraging opinions on the push for a sensible crypto policy.
Here are my recollections of the day's proceedings (with some
paraphrasing necessitated by my less-than-complete notes):
--------
The first session started out with Berman reminding the gathering that
they were essentially preaching to the choir. Eshoo lamented the
continuing lack of understanding of Net and crypto issues in the halls
of Congress and asked the panel how they would put the argument to
legislators in terms they could understand. Leahy addressed the
gathering by video link from Vermont, and spoke of his efforts in this
area and of his home state's traditional passion for privacy.
Eric Schmidt (CTO, Sun): (Weak crypto systems) "are an IQ test for
foreign (business) executives... if they don't answer correctly, they
get fired... no foreign company wants to use a technology that can be
broken by the U.S. government..."
Craig Mundie (VP, Microsoft) : "Today, all (exportable) keys are equal
and are roughly as secure as the locks on your luggage..."
Whit Diffie (Sun) : (Talking about the use of crypto for securing
nuclear weapons and claims that availability of strong crypto would
promote nuclear proliferation)... "My resume is out but I've never been
offered the leadership of a rogue nation..." (Diffie is one of the
creators of the fundamental algorithms behind public key crypto)
Lori Fena (Exec. Dir., EFF) : Discussed EFF's initiatives in this
area.
--------
Following the first session, Cylink did a simple demo of packet
sniffing that showed how cryptography could protect against this sort
of attack.
Fellow from Cylink : "Encryption is boring, unless it doesn't work..."
--------
Berman and Eshoo were then joined by Burns for the next session and the
next panel of experts were seated.
Sen. Conrad Burns (R-MT) : (talking about VP Gore and the embracing of
technology by Gore's home state of Tennessee)..."Down there, C-band
receivers are the state flower..."
Herb Lin (NRC) : (discussing some of the high points of the NRC crypto
report) "Export controls impede security efforts... crypto policy is
not well aligned with market needs... current policy generates
uncertainty (which is anathema to business)... crypto policy is no
longer driven by Sig/Int needs but rather by the desires of law
enforcement..." The full, official NRC report may be found at:
http://www2.nas.edu/cstbweb/
Jim Omura (CTO, Cylink) : Recounted some "war stories" about the
deleterious effects of export controls on US business... 2 US companies
doing business in China, unable to deploy US-made crypto products;
orders went to Swiss companies... Major order for banking systems in
Peru lost to foreign competition for same reason...
Tim Oren (VP, Compuserve) : Reported that Compuserve was one of the
unnamed sources in the NRC crypto report and has suffered numerous
theft of services attacks, esp. from overseas, that could have been
prevented (or made more difficult) had they been able to deploy strong
crypto in their systems... also: "Connectivity is the killer app of the
Internet..."
Phil Zimmermann (PGP, Inc.) : (Talking about taking PGP commercial and
his new company's recent purchase of ViaCrypt) "PGP started out from
my concerns over human rights... If this (commercial venture) works,
I'll be the first Silicon Valley entrepreneur to become a millionaire
as a result of being an activist, instead of becoming a millionaire
then being an activist..."
--------
For the first afternoon panel, Berman was joined by Lofgren and an
impressive array of crypto experts. Berman asked them to explain the
technology and its implications in a manner accessible to legislators.
Whit Diffie : Spoke about "work factor", i.e., how much work it takes
to break encryption. A conventional crypto system is deemed "good" if
its work factor is roughly proportional to its key length... he
described 4 ranges of work factor in terms of computational
"operations" and equivalent to key length:
2^30 ops - can be done in a couple of seconds on a PC,
2^60 ops - difficult, but doable with serious effort (big budget, NSA
project),
2^90 ops - doable in distant future, but not within the useful lifetime
of data currently extant,
2^120 ops - not doable in the foreseeable future.
This shows where, in the key-length continuum, systems with 40-bit keys
fit.
Eric Thompson (Access Data) : his clients include the FBI... said that
they can build an RC4 cracker from AMD 29K parts for $8900, and for $1M
they can build a DES cracker (14 days) from Xilinx parts.
Bruce Schneier (Counterpane Systems) : described the difference between
direct attacks and "data harvesting," and the importance of crypto in
protecting against each.
Tom Parenty (Sybase) : Worked in crypto for NSA in 1980s... started by
quoting old NSA motto, "In God We Trust, All Else We Monitor." He
pointed out that there are over 500 crypto products currently available
from foreign sources.
Matt Blaze (Cryptographer) : spoke about the enormous difficulty of
implementing a standard, secure crypto system, and how the added
complexity of a key escrow system would render practical implementation
almost impossible... Consider the govt's requirements for a key
escrow operation; 24 hr/day, 365 days/year with a 2-hour response
time... it would be extremely difficult for such an operation to be
both secure and effective...
Diffie offered some caustic analogies on the concept of a
govt-controlled escrow agency: Clinton White House and FBI files -
dossier escrow; Nixon admin's enemies list - tax return escrow; 1941
Japanese internment - Census data escrow...
--------
For the final panel of the day, Berman was joined by Ken Bass and a
number of legal experts and advocates.
Ken Bass (former Counsel for Intelligence Policy under Carter, now a
Partner with Venable, Baetjer, Howard and Civiletti) : Explained that
export controls on cryptography were originally engendered by national
security concerns, "but now the NSA is hiding behind the FBI's
shield... the NSA has recognized that its export controls were actually
damaging its ability to monitor by encouraging an arms race among
cryptographers..."
He also pointed out that the lines drawn by export controls are a
marker declaring that exportable crypto systems are breakable, thus
providing the incentive for the development of more powerful systems...
had they not clamped down on DES, for instance, the market would still
believe that it's strong... "the NSA wants to preserve the fiction of
security..."
"The NSA's job is monitoring as much traffic as they can to find the
bad guys, but in law enforcement you don't use electronic surveillance
to find the crooks, you use it to gather additional evidence to convict
them... the probable cause requirement for warrants means that law
enforcement already has strong evidence of a crime..."
Jim Lucrie (Americans for Tax Reform) : Called the govt's efforts to
suppress crypto and to mandate key escrow "the biggest power grab since
the income tax... government wants real time access to everything you
do on the net..."
Barry Steinhard (ACLU) : "The issue is shifting to law enforcement's
concern for preserving wiretapping abilities... it s no longer driven
by national security concerns..."
Cindy Cohen (Attorney, McGlashan & Sarrail) : Has been working the
EFF/Bernstein case. "There is another class of losers in this case;
the scientists..." She said that by declaring that researcher Bernstein
cannot publish his ideas on the Net , the government is, in effect,
limiting scientific inquiry...
Barbara Simons (USACM) : Decried the fact that "most of the voices in
these policy debates are lobbyists..."
John Gilmore (EFF) : Pointed out that the judge in the Bernstein ruling
said "for the purposes of First Amendment, source code is speech."
Michael Froomkin (U. of Miami Law School) : enumerated his "Two Hard
Truths" about the government's perception of crypto issues, and the
"Three Steps" that seem to comprise the government's current strategy
for dealing with them:
Truth One: "From the govt's point of view, there are useful, valuable
results from the current controls on crypto."
Truth Two: "Controls have been working so far... e.g., Windows'95
doesn't have any built-in provision for strong crypto."
Step One: "Conduct an open process (i.e., hearings, consultations with
industry, etc.), but then go and do whatever you want."
Step Two: "Promote international pressure for crypto control through
diplomatic channels, etc... essentially a closed process."
Step Three: "The Bribe/Blackmail model... promote centralized systems
(e.g. for electronic transactions, etc.) and require that, in order to
participate, you must use approved crypto."
--------
In general, there was agreement among the participants at the Forum
that export restrictions on cryptography are hindering the
competitiveness of US high-tech businesses, that a government-mandated
key-escrow system is technically and commercially ill-advised, and
that, while government controls on cryptographic technology grew out of
national security concerns, they're now being driven by law enforcement.
And a couple of my own comments:
Because mandatory key escrow was so roundly denounced, I became
concerned that positive commercial applications of _voluntary_ key
escrow systems might be getting tarred with the same brush. These
include things like lost key recovery that will be essential to
businesses when crypto-enabled applications become widespread. Herb Lin
did talk about allowing the development of key escrow systems to be
driven by market demand instead of by government fiat.
The incantation that "the genie is out of the bottle" was also invoked
several times during the day, to emphasize the futility of attempts at
controlling this technology. While it's true that applications with
strong crypto, like PGP, are readily available worldwide, they have
yet to find widespread use, primarily because you've got to make the
extra effort to use them.
It follows that the true benefits of cryptographic technology (network
security, commercial confidentiality, and personal privacy) will not
be realized until it is included in mainstream applications in a
seamless, integrated manner, such that its use is automatic, coming
without special thought or effort by the user. Several speakers alluded
to this, but I think it bears repeating. This is government's fear and
the Net's goal.
In summary, I think this was a valuable event and I congratulate its
organizers and participants on a job well done.
(c) 1996 B.R.Koball
Bruce R. Koball B. R. Koball, Inc. (voice) 510 845-1350
bkoball () well com 2210 Sixth St (messages) 510 548-2450
"No Compromised Keys!" Berkeley, CA 94710 (fax) 510 845-3946
Current thread:
- IP: more on SAFE Forum Dave Farber (Jul 04)