The Computer System Security and Privacy Advisory Board devoted its June 2-4 meeting to the issue of the Administration's recently announced government-developed key escrow encryption chip (called "Clipper chip" in the April 16 announcement) and, more broadly, to public use of cryptography and government cryptographic policies and regulations. All sessions were open to the public.

This posting contains the resolutions passed at that meeting as well as the cryptographic issue statements received by the Advisory Board via e-mail. Hard copies of all of the statements submitted by the public are available by written request to: Mr. Lynn McNulty, Executive Secretary and Associate Director for Computer Security, Computer Systems Laboratory, National Institute of Standards and Technology, Building 224, Room B154, Gaithersburg, Maryland 20899.

The Advisory Board was established by the Computer Security Act of 1987 (P.L. 100-235) to advise the Secretary of Commerce and the Director of NIST on security and privacy issues pertaining to Federal computer systems and report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress.

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION #1
June 4, 1993

At Mr. Kammer's request we have conducted two days of hearings. The clear message of the majority of input was that there are serious concerns regarding the Key Escrow Initiative and the Board concurs with these concerns. Many of these issues are still to be fully understood and more time is needed to achieve that understanding.

Accordingly, this Board resolves to have an additional meeting in July 1993 in order to more completely respond to Mr. Kammer's request and to fulfill its statutory obligations under P.L. 100-235.

The Board recommends that the inter-agency review take note of our input collected, our preliminary finding, and adjust the timetable to allow for resolution of the significant issues and problems raised.

Attached to this resolution is a preliminary distillation of the serious concerns and problems.

Attachment

FOR: Gallagher, Gangemi, Lambert, Lipner, Kuyers, Rand, Whitehurst, and Zeitler
AGAINST: none
ABSTAIN: none

(FINAL)

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
ATTACHMENT TO RESOLUTION #1
June 4, 1993

- A convincing statement of the problem that Clipper attempts to solve has not been provided.
- Export and import controls over cryptographic products must be reviewed. Based upon data compiled from U.S. and international vendors, current controls are negatively impacting U.S. competitiveness in the world market and are not inhibiting the foreign production and use of cryptography (DES and RSA).
- The Clipper/Capstone proposal does not address the needs of the software industry, which is a critical and significant component of the National Information Infrastructure and the U.S. economy.
- Additional DES encryption alternatives and key management alternatives should be considered since there is a significant installed base.
- The individuals reviewing the Skipjack algorithm and key management system must be given an appropriate time period and environment in which to perform a thorough review. This review must address the escrow protocol and chip implementation as well as the algorithm itself.
- Sufficient information must be provided on the proposed key escrow scheme to allow it to be fully understood by the general public.
- Further development and consideration of alternatives to the key escrow scheme need to be considered, e.g., three "escrow" entities, one of which is a non-government agency, and a software based solution.
- The economic implications for the Clipper/Capstone proposal have not been examined.
  These costs go beyond the vendor cost of the chip and include such factors as customer installation, maintenance, administration, chip replacement, integration and interfacing, government escrow system costs, etc.
- Legal issues raised by the proposal must be reviewed.
- Congress, as well as the Administration, should play a role in the conduct and approval of the results of the review.

(FINAL)

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION #2
June 4, 1993

Key escrowing encryption technology represents a dramatic change in the nation's information infrastructure. The full implications of this encryption technique are not fully understood at this time. Therefore, the Board recommends that key escrowing encryption technology not be deployed beyond current implementations planned within the Executive Branch, until the significant public policy and technical issues inherent with this encryption technique are fully understood.

FOR: Gangemi, Lambert, Lipner, Kuyers, Rand, Whitehurst, & Zeitler
AGAINST: Gallagher
ABSTAIN: none