PRIVACY Forum Digest Sunday, 20 February 1994 Volume 03 : Issue 04
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
===== PRIVACY FORUM =====
The PRIVACY Forum digest is supported in part by the
ACM Committee on Computers and Public Policy.
CONTENTS
Emotion vs. Reason in the Clipper "Debate"
(Lauren Weinstein; PRIVACY Forum Moderator)
Privacy & Automate Vehicular Identification (Joel Halpern)
More on PGP issues (Diane Barlow Close)
Private Info On Net (John Higgins)
Information on beating telemarketers in small claims court?
(Andrew Shapiro)
NII Testimony (Robert Ellis Smith)
Campaign and Petition Against Clipper (Dorothy Denning)
Who says the Clipper issue is complicated? (D. J. Bernstein)
Clipper (A. Padgett Peterson)
Notes on key escrow meeting with NSA (Matt Blaze)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
ALL submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com". All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive. All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "gopher.vortex.com".
For information regarding the availability of this digest via FAX, please
send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX
to (818) 225-7203.
-----------------------------------------------------------------------------
VOLUME 03, ISSUE 04
Quote for the day:
"This one took all the fun out of earthquakes."
-- Salesman at motorcycle equipment store
(near the epicenter of the recent L.A. quake)
speaking to the PRIVACY Forum moderator
about the quake.
----------------------------------------------------------------------
Date: Sun, 20 Feb 94 12:57 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Emotion vs. Reason in the Clipper "Debate"
Greetings. The PRIVACY Forum submission box is piled high with Clipper
related messages. I will not be distributing most of them. The level of
discourse demonstrated in some of the submissions I've received is
shockingly low--replete with ad hominem attacks and emotionally potent but
logically deprived arguments. The "debate" over Clipper is threatening to
be pulled straight into the sewer. This is clearly not an encouraging
development. The issues of Clipper and related topics are too important to
be dragged down to such a low level.
Other activities regarding this debate are also of concern. As you may
know, CPSR (Computer Professionals for Social Responsibility) has been
sponsoring an e-mail anti-Clipper petition drive. EFF (Electronic Frontier
Foundation) is sponsoring a similar e-mail based drive to pressure for U.S.
Congressional hearings regarding Clipper.
While many of the goals of both organizations are often laudable, I am not
convinced that such "petition" techniques are appropriate to the
circumstances at hand. The ease of sending e-mail means that it would
probably be possible to get 10's of 1000's of quickie "add my name to the
list" messages to such automated petition servers for virtually *any*
topic. People don't have to understand, think about, or even have really
heard about a subject, they just shoot an empty message off to an address and
add their userid to the list. Even if we assume that there isn't much
fraud from persons sending in multiple messages under differing names
(certainly possible and simple on many systems) what does such quickie
knee-jerk response mechanisms provide to enhance the debate?
CPSR has been comparing the response to their current drive to the similar
effort conducted against "Lotus Marketplace" sometime back. One could argue
that the techniques used to convince a private firm not to market a
particular niche information product (and of course, all the related
information is still widely available!) is not necessarily applicable to
arguing against a major cryptographic system with strong government backing
and apparently not inconsiderable bipartisan support (at least outside of the
"technical" community). CPSR has also recently been "promoting" a "Big
Brother Inside" postscript picture that I feel serves little but to further
trivialize this matter.
Such "power by numbers" petitions remind me of the efforts (sometimes
successful) of various pressure groups to force advertisers to drop support
of television programs with aspects that the particular group finds
distasteful, and of the practice of some radio talk show hosts to encourage
their listeners to flood some entity with calls and/or letters opposing or
supporting particular views. In almost all of these cases, the key isn't
reasoned debate, it's just names and numbers--to try blind them with shear
volume!
That such techniques are sometimes successful, and that politicians and
organizations will often react to such pressure petition drives, should not
be an endorsement of such techniques being used. There is more at stake
than simply "winning" a particular argument--the general coarsening of
debate on so many topics into a flurry of opinion polls, petition drives,
emotional television images, and the briefest of soundbites, threatens to
change the nature of democracy in fundamental and negative ways.
Clipper may not be the most important issue facing the world today. But
there seems to be a trend toward treating this highly technical issue the
same way we tend to treat discussions of gun control, abortion, and criminal
sentencing in the U.S.--that is, with a maximum of emotion and a minimum of
logic.
I don't like Clipper. I think it's a bad idea. I have expressed this
sentiment in the past in detail, so I won't go into the details again now.
Almost a year ago in this forum, I suggested that interested persons on both
sides of the issue inform their representatives and the involved parties of
their thoughts on the matter and to express their opinions in PRIVACY Forum
as well. I had hoped that such communications would be thoughtful and rich
in meaningful arguments that would raise the level of discourse. I am
discouraged to see the level of discussion now appearing from some messages
in the PRIVACY Forum submission inbox and in some other network lists
and newsgroups.
Please folks. I know it's easy to get wound up in these matters--all
the more so when it's so simple to just shoot off an e-mail message
in a matter of minutes. But unless we all try to take the high road in
these discussions, the importance of the issues are going to be drowned
out in the shouting. Then, ultimately, we *all* lose, on both
sides of the debate.
A sampling of the Clipper messages that I thought were most suitable for
this issue of the digest have been included below, along with other
non-Clipper items.
--Lauren--
------------------------------
Date: Sat, 15 Jan 94 21:16:48 CST
From: jmh@anubis.network.com (Joel Halpern)
Subject: Privacy & Automate Vehicular Identification
I have been asked to locate qualified technical individuals to participate
in a forum on the Privacy implications of Automated Vehicular Identification
(ala drive through toll booths). This is an unofficial request, and some of
the particulars are not known to me.
The forum will be in the Silicon Valley area some time in the summer of '94.
The forum is primarily being organized by a group of legal scholars, and
they are seeking technical individuals to participate.
All I will be doing is collecting names and e-mail address, and passing
them on to those putting this together. I am not directly involved, and
am posting this as a friendly service.
If further details are need, I can get them.
Thank you,
Joel M. Halpern jmh@network.com
------------------------------
Date: Wed, 9 Feb 1994 14:07:48 -0800 (PST)
From: close@lunch.asd.sgi.com (Diane Barlow Close)
Subject: More on PGP issues
Earlier I asked some questions about PGP (and other stuff) and found
out that PGP stood for a really good encryption system. Then someone
pointed out to me that PGP implements the RSA public-key encryption
algorithm, and there is a patent on the use of RSA for digital
communication, and that includes email. I also said if you use PGP to
encrypt or sign email which you then send to someone else, and you have
not obtained a license for use of the patent from the patent holders, you
are "infringing" the patent.
That was followed up to with mail from "Tansin A. Darcos & Company"
<0005066432@mcimail.com>, who said that no, I'm wrong and PGP IS freely
available and free to use and its use infringes on nothing:
T> From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
T> Date: 29 Jan 1994 17:40:22 GMT
T>
T> Late last year, the owners of the 5 patents dealing with RSA
T> encryption (PKP Partners, Inc.) made a special arrangement with the
T> National Institutes of Science and Technology that in exchange for a
T> trade of certain encryption inventions developed by NIST to them, they
T> would make the following provisions:
T>
T> - Individuals using RSA encryption (which would include the methods
T> used in PGP) may do so *royalty free* and *without having to obtain a
T> license*;
Etc. Rest deleted. That left me totally confused. Does PGP infringe or
doesn't it? Are there exceptions or aren't there? I wrote to Jim Bidzos
asking for clarification and he basically said that the stuff about PGP
being free and legal was pure fiction. Jim said that PGP is definitely
unlicensed and is considered infringing by the patent holders. He
responded directly to "Tansin A. Darcos & Company" and cc'd me on the
response, asking me to forward this to any newsgroup or mailing list that
might be discussing this issue:
Date: Tue, 8 Feb 94 16:49:00 PST
From: jim@RSA.COM (Jim Bidzos)
Subject: RSA, patents, and pgp
To: Tansin A. Darcos & Company
I was sent a copy of statements you made that RSA had made some
licensing deal with the government, and that somehow this legitimized
the use of pgp. This is not correct.
You are probably referring to a Federal Register announcement last
year in which it was proposed that the govt would get a license to use
several PKP patents and PKP would license those patents uniformly to
the private sector. This proposal was for a proposed Digital
Signature Standard, never mentioned the RSA algorithm, never included
the RSA patent, never had anything to with pgp, and was never executed
anyway.
Making, using, or selling or distributing pgp, which is unlicensed, is
considered infringement by the patent holders, who reserve all rights
and remedies at law. This has been made clear on many occasions and
in many places, including letters written to CompuServ, AOL, and to a
large number of universities, all of whom now prohibit its use or
distribution, as stated in responses to us from their counsel.
There is, however, free and properly licensed source code for
encryption and authentication using the RSA cryptosystem for
non-commercial purposes. This software is called RIPEM (for a copy,
email the author, Mark Riordan at mrr@scss3.cl.msu.edu), and is based
on free crypto source code called RSAREF (send any message to
RSAREF@RSA.COM). Further, commercial licenses are available at low
cost for RIPEM; however, in cases where consumer privacy is the
application, no-cost commercial licenses have been and are routinely
granted.
I hope this clarifies the situation. I think it would be appropriate
to post this message wherever the erroneous message concerning pgp was
posted.
--
Diane Barlow Close
close@lunch.asd.sgi.com
------------------------------
Date: Wed, 9 Feb 1994 20:12:19 -0500 (EST)
From: John Higgins <higgins@dorsai.dorsai.org>
Subject: Private Info On Net
Let's get real here. This service that we're talking about here is available
with a phone call or fax. The fact that someone will do a background check and
deliver the results via net -- for a fee -- is not a big deal. You may object
to this service being available AT ALL. You can certainly object if any idiot
can point a gopher to a credit database for free. But the involvement of the
net in the fashion being described is completely beside the point. As a
reporter, I've used services like this from time to time. Let's not
get too alarmist here. Sure the file might get misdirected inadvertently. But I get my neighbor's mail all the
time. And I think the guy across the hall secretly reads my mail as well....
John M. Higgins higgins@dorsai.dorsai.org
Multichannel News CIS:75266,3353
FINGER me for the Cable Regulation Digest V)212-887-8390/F)212-887-8384
------------------------------
Date: Fri, 18 Feb 94 11:25:29 MST
From: shapiro@marble.Colorado.EDU (Andrew Shapiro)
Subject: Information on beating telemarketers in small claims court?
In late December 1993 or early January 1994 there were television and
newspaper stories about a guy who got fed up with repeated harrasment
from telemarketers. He took them to court and won, setting a precedent
for the rest of us. In the article there was information about how to
pursue one of these claims yourself.
Basicaly you make a note of when they called and then tell them never
to call you again. If they call again you can take them to small claims
court and recover (around) $750.00 per occurence. This has now happened
to a friend of mine but we did not clip the article.
If anyone has the information on pursuing this type of claim would they
please send it to me.
Andrew T. Shapiro
shapiro@spot.colorado.edu
shapiro@cses.colorado.edu
andrew@gooter.metronet.org
------------------------------
Date: Thu, 17 Feb 94 09:28 EST
From: Robert Ellis Smith <0005101719@mcimail.com>
Subject: NII Testimony
[ From RISKS-FORUM Digest; Volume 15, Issue 56 -- MODERATOR ]
PRINCIPLES OF PRIVACY
FOR THE NATIONAL INFORMATION INFRASTRUCTURE
Robert Ellis Smith
Publisher, PRIVACY JOURNAL, and Attorney at Law
Before the NII Task Force Working Group on Privacy
January 26, 1994
1. Any analysis of the National Information Infrastructure
must recognize that privacy includes more than an
expectation of confidentiality. The right to privacy also
includes (1) freedom from manipulation by others and (2) the
opportunity to find safe havens from the crassness and
commercialism of daily life.
2. The infrastructure must be an INFORMATION-TRANSFER
medium, not a SALES medium. It must be primarily an
INFORMATION medium, and only secondarily an ENTERTAINMENT
medium. (Will the information superhighway be only another
way to exploit couch potatoes?)
3. It must have different levels of security and
confidentiality so that some sector in it allows for
confidential communications. These communications could be
intercepted by law enforcement only under current Fourth
Amendment guidelines. Aside from that, in the confidential
portion of the infrastructure, there must be strict
penalties for the interception of any PERSONAL data without
the consent of BOTH the sending party and the person who is
the subject of the data. And for aggrieved individuals and
organizations there should be a right to sue for breaches of
confidentiality.
4. There must be some portion of the infrastructure free
from commercial messages and free from the commercial uses
of the names and electronic mail addresses of the users.
Even though it is commercial-free, this sector need not
necessarily be operated by the government or a non-profit
entity.
5. In the sectors of the infrastructure available for use
by individuals, there must remain opportunities for
ACCESSING (non-personal) data anonymously (as exist in a
library situation now). Whether
to permit anonymous MESSAGE-SENDING in these sectors
remains, for me, an open question. To deny this will
deprive the network of much of its spontaneity, creativity,
and usefulness; however, to permit anonymous message-sending
runs the risk of having these sectors dominated by obscene,
inaccurate, slanderous, racially and sexually-insulting
chatter - and worse.
6. Privacy interests are less compelling, to me, in two
other sectors of the proposed infrastructure. In those
sectors transmitting proprietary business information and
sensitive business dealings, the organizations using the
network will see to it themselves that security meets there
needs, and they will have the resources to pay for it. By
the same token, in those sectors providing point-of-sale
services (presumably from the home), companies offering
these services will provide adequate security or risk losing
customers.
7. The infrastructure ought not become a means for large
conglomerates to transfer personal information between and
among subsidiaries where the data-handling is regulated
(credit bureaus, cable companies, medical providers) and
entities where the data-handling is not regulated (telephone
providers, brokerages, credit-card processors,
telemarketing).
___________
Rather than proposing specific safeguards -- which can be
drafted later -- the task force can be most effective in
1994 by establishing the DOMINANT THEMES of the
infrastructure: information-transfer, not commercialism;
democratic access not corporate dominance; diversity (in
usage as well as in levels of security) not conformity.
------------------------------
Date: Wed, 09 Feb 1994 17:23:28 -0500 (EST)
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re: Campaign and Petition Against Clipper
CPSR has announced a petition campaign to oppose the Clipper
initiative. I would like to caution people about signing the petition.
The issues are extremely complex and difficult. The Clipper initiative
is the result of considerable deliberation by many intelligent people
who appreciate and understand the concerns that have been expressed and
who worked hard to accommodate the conflicting interests. The
decisions that have been made were not made lightly.
I would like to respond to some of the statements that CPSR has made
about Clipper in their campaign and petition letters:
The Clipper proposal, developed in secret by the National Security
Agency, is a technical standard that will make it easier for
government agents to wiretap the emerging data highway.
The standard (FIPS 185) is not a standard for the Internet or any other
high speed computer network. It is for the telephone system. Quoting
from FIPS 185: "Data for purposes of this standard includes voice,
facsimile and computer information communicated in a telephone system.
A telephone system for purposes of this standard is limited to a system
which is circuit switched and operating at data rates of standard
commercial modems over analog voice circuits or which uses basic-rate
ISDN or a similar grade wireless service."
The standard will not make it any easier to tap phones, let alone
computer networks. All it will do is make it technically possible to
decrypt communications that are encrypted with the standard, assuming
the communications are not superencrypted with something else. Law
enforcers still need to get a court order just to intercept the
communications in the first place, and advances in technology have made
interception itself more difficult. The standard will make it much
harder for anyone to conduct illegal taps, including the government.
The purpose of the standard is to provide a very strong encryption
algorithm - something much stronger than DES - and to do so in a way
that does not thwart law enforcement and national security objectives.
Keys are escrowed so that if someone uses this technology, they cannot
use it against national interests.
Industry groups, professional associations and civil liberties
organizations have expressed almost unanimous opposition to the
plan since it was first proposed in April 1993.
"The public does not like Clipper and will not accept it ..."
The private sector and the public have expressed nearly unanimous
opposition to Clipper.
As near as I know, neither CPSR nor any other group has conducted any
systematic poll of industry, professional societies, or the public.
While many people have voiced opposition, there are many more
organizations and people who have been silent on this issue. The ACM
is in the process of conducting a study on encryption. CPSR is a
member of the study group, as am I. Steve Kent is chair. Our goal is
a report that will articulate the issues, not a public statement either
for or against. The International Association for Cryptologic Research
has not to my knowledge made any official statement about Clipper.
The Administration ignored the overwhelming opposition of the
general public. When the Commerce Department solicited public
comments on the proposal last fall, hundreds of people opposed the
plan while only a few expressed support.
Hundreds of people is hardly overwhelming in a population of 250
million, especially when most of the letters were the same and came in
through the net following a sample letter that was sent out.
The technical standard is subject to misuse and compromise. It
would provide government agents with copies of the keys that
protect electronic communications. "It is a nightmare for computer
security."
I have been one of the reviewers of the standard. We have completed
our review of the encryption algorithm, SKIPJACK, and concluded it was
very strong. While we have not completed our review of the key escrow
system, from what I have seen so far, I anticipate that it will provide
an extremely high level of security for the escrowed keys.
The underlying technology was developed in secret by the NSA, an
intelligence agency responsible for electronic eavesdropping, not
privacy protection. Congressional investigations in the 1970s
disclosed widespread NSA abuses, including the illegal
interception of millions of cables sent by American citizens.
NSA is also responsible for the development of cryptographic codes to
protect the nation's most sensitive classified information. They have
an excellent track record in conducting this mission. I do not believe
that our requirements for protecting private information are greater
than those for protecting classified information. I do not know the
facts of the 1970s incident that is referred to here, but it sounds
like it occurred before passage of the 1978 Foreign Intelligence
Surveillance Act. This act requires intelligence agencies to get a
court order in order to intercept communications of American citizens.
I am not aware of any recent evidence that the NSA is engaging
in illegal intercepts of Americans.
Computer security experts question the integrity of the
technology. Clipper was developed in secret and its
specifications are classified.
The 5 of us who reviewed the algorithm unanimously agreed that it was
very strong. We will publish a final report when we complete or full
evaluation. Nothing can be concluded from a statement questioning the
technology by someone who has not seen it regardless of whether that
person is an expert in security.
NSA overstepped its legal authority in developing the standard. A
1987 law explicitly limits the intelligence agency's power to set
standards for the nation's communications network.
The 1987 Computer Security Act states that NIST "shall draw on the
technical advice and assistance (including work products) of the
National Security Agency."
There is no evidence to support law enforcement's claims that new
technologies are hampering criminal investigations. CPSR recently
forced the release of FBI documents that show no such problems.
CPSR obtained some documents from a few FBI field offices. Those
offices reported no problems. CPSR did not get reports from all field
offices and did not get reports from local law enforcement agencies. I
can tell you that it is a fact that new communications technologies,
including encryption, have hampered criminal investigations. I
personally commend law enforcement for trying to get out in front of
this problem.
If the plan goes forward, commercial firms that hope to develop
new products will face extensive government obstacles.
Cryptographers who wish to develop new privacy enhancing
technologies will be discouraged.
The standard is voluntary -- even for the government.
Mr. Rotenberg said "We want the public to understand the full
implications of this plan. Today it is only a few experts and
industry groups that understand the proposal.
I support this objective. Unfortunately, it is not possible for most
of us to be fully informed of the national security implications of
uncontrolled encryption. For very legitimate reasons, these cannot be
fully discussed and debated in a public forum. It is even difficult to
talk about the full implications of encryption on law enforcement.
This is why it is important that the President and Vice-President be
fully informed on all the issues, and for the decisions to be made at
that level. The Feb. 4 decision was made following an inter-agency
policy review, headed by the National Security Council, that examined
these issues using considerable input from industry, CPSR, EFF, and
individuals as well as from law enforcement and intelligence agencies.
In the absence of understanding the national security issues, I believe
we need to exercise some caution in believing that we can understand
the full implications of encryption on society.
As part of the Feb. 4 announcement, the Administration announced
the establishment of an Interagency Working Group on Encryption
and Telecommunications, chaired by the White House Office of
Science and Technology Policy and National Security Council, with
representatives from Commerce, Justice, State, Treasury, FBI,
NSA, OMB, and the National Economic Council. The group is to
work with industry and public interest groups to develop new
encryption technologies and to review and refine encryption policy.
The NRC's Computer Science and Telecommunications Board will also
be conducting a study of encryption policy.
These comments may be distributed.
Dorothy Denning
Georgetown University
------------------------------
Date: Tue, 15 Feb 1994 01:13:48 -0800
From: "D. J. Bernstein" <djb@silverton.berkeley.edu>
Subject: Who says the Clipper issue is complicated?
[ From RISKS-FORUM Digest; Volume 15, Issue 56 -- MODERATOR ]
``I would like to caution people about signing the petition,'' Dorothy
Denning said. ``The issues are extremely complex and difficult.''%1
Clipper (by which I mean EES/Skipjack/Clipper/Capstone collectively)
does raise some mildly tricky issues, which I'll discuss later. But
those are _side_ issues. The basic argument%2 against Clipper is simple
and deserves emphasis.
Clipper is bad because it is unfair competition in the crypto market.
Who has paid for the design and implementation of Clipper over the past
decade?%3 The taxpayers. Who has paid for ramping up Clipper production
at Mykotronx? The taxpayers. Who pays for the lawyers and accountants
keeping Clipper on course, and the NSA-FBI team which visits Bell Labs
and other locations to promote Clipper? The taxpayers. Who will pay for
the key escrow ``service,'' probably an agency with dozens of people,
including armed guards? The taxpayers.
I resent being forced to pay for Clipper's development and adoption.
Is this Clipper subsidy the only way that the government is interfering
in the market? Not at all. Consider, for example, export controls. A
private company, even if it doesn't see a foreign market for its
encryption products, has to register as an arms dealer and take
precautions to avoid selling crypto to non-citizens. These restrictions
have been dramatically reduced for Clipper.%4
Are these points a matter of dispute? Is this just my view? No. The
government knows full well that Clipper is unfair competition.
In fact, unfair competition is the goal of Clipper policy. According to
Jerry Berman, ``the reason [for various Clipper-related actions] was
stated bluntly at the [4 Feb 94 White House] briefing: to frustrate
competition with Clipper by other powerful encryption schemes by making
them difficult to market, and to "prevent" strong encryption from
leaving the country...''%5
Now, here's the problem: The government talks about Clipper's market
interference as a _good_ thing.
Of course, I see it as a bad thing. America's need for data protection
would be fully served by a healthy encryption industry; let's eliminate
crypto export controls! If you agree with me---if you want a free crypto
market---then you should oppose Clipper. There's nothing complicated
about this.
Let me close by briefly addressing a few side issues, mostly reasons
that Clipper is risky when compared to other crypto available today.
1. There is a RISK that the Skipjack algorithm is, intentionally or
unintentionally, weak. Suppose that in 1986 an NSA cryptanalyst noticed
a subtle but wide hole in Skipjack, which was relatively new at the
time. Why would it be in NSA's interest to divulge this information?
Denning points out that we don't _know_ of any holes, but that's
axiomatic---Clipper would be dead otherwise. One cannot deny the _risk_,
exacerbated by secrecy, of a hole.
2. There is a RISK that Clipper will be easier to break than the basic
Skipjack algorithm. Given two encryption algorithms one can (carefully)
compose them to produce a ``double encryption'' which is strong even if
one of the algorithms is weak. Clipper also has two encryption steps,
but for a different reason---one encryption is transparent to the user,
the other transparent to the FBI. If either of these different%6 steps
is weak then Clipper is weak. ``Half encryption,'' I'd say.
3. There is a RISK that key escrow security will be compromised, either
by bribes from the outside or by corruption from the top. It is highly
dangerous to keep so many keys under the control of such a small group
of people.
4. There is a RISK that, if Clipper fails to dominate the market, the
government will simply outlaw all non-escrowed encryption. ``This is a
fundamental policy question which will be considered during the broad
policy review.''%7 Alternatively the government could outlaw Clipper
superencryption while requiring Clipper in government procurements, new
phones, and so on. Denning points out that Clipper is voluntary right
now, but the mere fact that the government brought up the possibility
of a Clipper law means that there's a risk.
Footnotes:
%1 To sign the CPSR Clipper petition, send a message to the address
clipper.petition@cpsr.org with "I oppose Clipper" in the subject header.
%2 This argument was mentioned briefly by Geoff Kuenning, RISKS-15.50,
among a cast of thousands.
%3 See Matt Blaze's message in RISKS-15.48. ``They said ... that
Skipjack began development "~about 10 years ago.~"''
%4 See ftp.eff.org:pub/EFF/Policy/Crypto/harris_export.statement:
``After initial review, key-escrow encryption products may now be
exported to most end users. Additionally, key-escrow products will
qualify for special licensing arrangements.''
%5 See ftp.eff.org:pub/EFF/Policy/Crypto/wh_crypto.eff.
%6 See Roy M. Silvernail's message in RISKS-15.52.
%7 See the initial White House Clipper press release, 930416.
---Dan
------------------------------
Date: Wed, 9 Feb 94 08:57:06 -0500
From: padgett@tccslr.dnet.mmc.com
(A. Padgett Peterson, P.E. Information Security)
Subject: Clipper
I am getting a bit tired of everybody bashing clipper without actually
examining it and because it does not seem to be a perfect solution.
Being an engineer, I am used to imperfect solutions that are adequate
for the job.
Clipper seems to me to be "good enough" to make it difficult to break
and no-one has said (or is able to enforce) that whatever it is cannot
be encrypted offline and then sent by the Clip chip.
My big frustration is not in having one to play with but then am in
a DC hotel room (airport was closed by an American plane stuck in
the mud at the end of the runway - where is George Kennedy when you
need him ?) on a 15 pound laptop at 2400 baud - point is it gets
the job done !
No-one seems to be talking about the big plusses to the clip chip
(actually Capstone) so I will:
o Autoignition
o Authentication of both ends to both ends
o DSS
o *cheap*
o essential to the "Information Two-Lane-Blacktop"
Has anyone considered that last one ? I would wager that the courts
may accept as legal documents ones sent this way, something desperately
needed - not "unbreakable" but *legally acceptable* and approved for
SBU - Sensitive but Unclassified. No wonder so many vested interests are
in an uproar because it will be another billion dollar industry. I just
keep being reminded of "...Secretary Fall was convicted of taking the
bribe that Doheny was acquitted of giving."
Personally, I will wait until I have one to make any technical judgements.
Warmly,
Padgett
------------------------------
Date: Tue, 08 Feb 94 16:03:55 -0500
From: Matt Blaze <mab@research.att.com>
Subject: Notes on key escrow meeting with NSA
[ From RISKS-FORUM Digest; Volume 15, Issue 48 -- MODERATOR ]
A group from NSA and FBI met the other day with a group of us at Bell Labs to
discuss the key escrow proposal. They were surprisingly forthcoming and open
to discussion and debate, and were willing to at least listen to hard
questions. They didn't object when asked if we could summarize what we
learned to the net. Incidentally, the people at the meeting seemed to base a
large part of their understanding of public opinion on Usenet postings.
Postings to RISKS, sci.crypt and talk.politics.crypto seem to actually have an
influence on our government.
Since the many of the points brought up at the meeting have been
discussed in RISKS, it seems appropriate to post a summary here.
A number of things came out at the meeting that we didn't previously know or
that clarified previously released information. What follows is a rough
summary; needless to say, nothing here should be taken as gospel, or
representing the official positions of anybody. Also, nothing here should be
taken as an endorsement of key escrow, clipper, or anything else by the
authors; we're just reporting. These notes are based on the collective memory
of Steve Bellovin, Matt Blaze, Jack Lacy, and Mike Reiter; there may be errors
or misunderstandings. Please forgive the rough style. Note also the use of
"~ ~" for 'approximate quotes' (a marvelous Whit Diffie-ism).
NSA's stated goals and motives for all this:
* DES is at the end of its useful life
* Sensitive, unclassified government data needs protection
* This should be made available to US Citizens
* US business data abroad especially needs protection
* The new technology should not preclude law enforcement access
They indicated that the thinking was not that criminals would use key escrowed
crypto, but that they should not field a system that criminals could easily
use against them. The existence of key escrow would deter them from using
crypto in the first place. The FBI representative said that they expect to
catch "~only the stupid criminals~" through the escrow system.
Another stated reason for key escrow is that they do not think that
even government-spec crypto devices can be kept physically secure.
They do expect enough to be diverted to the black market that they feel
they need a response. NSA's emphasis was on the foreign black market...
There seems to be a desire to manipulate the market, by having the fixed cost
of key escrow cryptography amortized over the government market. Any private
sector devices would have to sell a much larger number of units to compete on
price. (This was somewhere between an implication and an explicit statement
on their part.)
When asked about cryptography in software, "~...if you want US government
cryptography, you must do it with hardware~".
The NSA people were asked whether they would consider evaluating ciphers
submitted by the private sector as opposed to simply proposing a new cipher as
a "black box" as they did with Skipjack. They said they can't do this
because, among other things, of the extraordinary effort required to properly
test a new cipher. They said that it often takes from 8-12 years to design,
evaluate and certify a new algorithm, and that Skipjack began development
"~about 10 years ago.~" I asked if we should infer anything from that about
the value of the (limited time and resource) civilian Skipjack review. They
accepted the question with good humor, but they did say that the civilian
review was at least presented with and able to evaluate some of the results of
NSA's previous internal reviews.
Clipper chips should be available (to product vendors) in June. You can't
just buy loose chips - they have to be installed in approved products. Your
application interface has to be approved by NIST for you to get your hands on
the chips.
An interesting point came up about the reverse-engineering resistance of the
chips: they are designed to resist non-destructive reverse engineering. It
was not clear (from the information presented at the meeting) whether the
chips are equally resistant to destructive reverse-engineering. That is, the
chips are designed to resist non-destructive reverse engineering to obtain the
unit keys. They do not believe that it is possible to obtain the unit key of
a particular chip without destroying the chip. They did not present any
assertions about resistance to destructive reverse engineering, such that
several chips can be taken apart and destroyed in the process, to learn the
Skipjack algorithm. They said the algorithm was patented, but they may have
been joking. ("~And if that doesn't scare you enough, we'll turn the patent
over to PKP.~")
The resistance to reverse engineering is not considered absolute by NSA. They
do feel that "~it would require the resources of a national laboratory, and
anyone with that much money can design their own cryptosystem that's just as
strong.~"
They repeated several times that there are "~no plans to regulate the use of
alternate encryption within the US by US citizens.~" They also indicated they
"~weren't naive~" and didn't think that they could if they wanted to.
There were 919 authorized wiretaps, and 10,000 pen register monitors, in 1992.
They do not have any figures yet on how often cryptography was used to
frustrate wiretaps.
They do not yet have a production version of the "decoder" box used by law
enforcement. Initially, the family key will be split (by the same XOR method)
and handled by two different people in the authorized agencies. There is
presently only one family key. The specifications of the escrow exploitation
mechanism are not yet final, either; they are considering the possibility of
having the central site strip off the outer layers of encryption, and only
sending the session key back to the decoder box.
The escrow authorities will NOT require presentation of a court order prior to
releasing the keys. Instead, the agency will fill out a form certifying that
they have a legal authorization. This is also backed up with a separate
confirmation from the prosecutor's office. The escrow agencies will supply
any key requested and will not themselves verify that the keys requested are
associated with the particular court order.
As an aside, we've since been informed by a member of the civilian Skipjack
review committee that the rationale for not having the escrow agency see the
actual wiretap order is so that they do not have access to the mapping between
key serial numbers and people/telephones.
Regarding the scale of the escrow exploitation system, they said that they did
not yet have a final operational specification for the escrow protocols, but
did say that the escrow agencies would be expected to deliver keys "~within
about 2 hours~" and are aiming for "~close to real time.~" Initially, the FBI
would have the decoder box, but eventually, depending on costs and demand, any
law enforcement agency authorized to conduct wiretaps would be able to buy
one. The two escrow agencies will be responsible for verifying the
certification from and securely delivering the key halves to any such police
department.
The NSA did not answer a question as to whether the national security
community would obtain keys from the same escrow mechanism for their (legally
authorized) intelligence gathering or whether some other mechanism would exist
for them to get the keys.
The masks for the Clipper/Capstone chip are unclassified (but are protected by
trade secret) and the chips can be produced in an unclassified foundry. Part
of the programming in the secure vault includes "~installing part of the
Skipjack algorithm.~" Later discussion indicated that the part of the
algorithm installed in the secure vault are the "S-tables", suggesting that
perhaps unprogrammed Clipper chips can be programmed to implement other 80-bit
key, 32 round ciphers.
The Capstone chip includes an ARM-6 RISC processor that can be used for other
things when no cryptographic functions are performed. In particular, it can
be used by vendors as their own on-board processor. The I/O to the processor
is shut off when a crypto operation is in progress.
They passed around a Tessera PCMCIA (type 1) card. These cards contain a
Capstone chip and can be used by general purpose PC applications. The cards
themselves might not be export controlled. (Unfortunately, they took the
sample card back with them...) The card will digitally sign a challenge from
the host, so you can't substitute a bogus card. The cards have non-volatile
onboard storage for users' secret keys and for the public keys of a certifying
authority.
They are building a library/API for Tessera, called Catapult, that will
provide an interface suitable for many different applications. They have
prototype email and ftp applications that already uses it. They intend to
eventually give away source code for this library. They responded favorably
to the suggestion that they put it up for anonymous ftp.
Applications (which can use the library and which the NSA approves for
government use) will be responsible for managing the LEAF field. Note that
they intend to apply key escrowed Skipjack to other applications, including
mail and file encryption. The LEAF would be included in such places as the
mail header or the file attributes. This implies that it is possible to omit
sending the LEAF -- but the decrypt chip won't work right if it doesn't get
one.
When asked, they indicated that it might be possible wire up a pair of
Clipper/Capstone chips to not transmit the LEAF field, but that the way to do
this is "~not obvious from the interface we give you~" and "~you'd have to be
careful not to make mistakes~". They gave a lot of attention to obvious ways
to get around the LEAF.
The unit key is generated via Skipjack itself, from random seeds provided by
the two escrow agencies (approximately monthly, though that isn't certain
yet). They say they prefer a software generation process because its correct
behavior is auditable.
Capstone (but not Clipper) could be configured to allow independent loading of
the two key halves, in separate facilities. "~It's your money [meaning
American taxpayers].~"
The LEAF field contains 80 bits for the traffic key, encrypted via the unit
key in "~a unique mode <grin>~", 32 bits for the unit id, and a 16 bit
checksum of some sort. (We didn't waste our breath asking what the checksum
algorithm was.) This is all encrypted under the family key using "~another
mode <grin>~".
They expressed a great deal of willingness to make any sort of reasonable
changes that vendors needed for their products. They are trying *very* hard
to get Skipjack and key escrow into lots of products.
Finally, I should make clear that "Clipper" is more properly called the
"MYK-78T".
[Matt, Thanks for the contribution, and thanks for making careful
distinctions among the escrow initiative (EEI), the algorithm (Skipjack),
the telephone implementation (Clipper), and the computer system/network
implementation (Capstone). Much of what has been written on the subject
has been confused because those distinctions were not consistently made.
PGN]
------------------------------
End of PRIVACY Forum Digest 03.04
************************
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
