PRIVACY Forum Digest      Sunday, 20 February 1994      Volume 03 : Issue 04

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.

===== PRIVACY FORUM =====

The PRIVACY Forum digest is supported in part by the ACM Committee on Computers and Public Policy.

CONTENTS
    Emotion vs. Reason in the Clipper "Debate"
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Privacy & Automate Vehicular Identification (Joel Halpern)
    More on PGP issues (Diane Barlow Close)
    Private Info On Net (John Higgins)
    Information on beating telemarketers in small claims court?
       (Andrew Shapiro)
    NII Testimony (Robert Ellis Smith)
    Campaign and Petition Against Clipper (Dorothy Denning)
    Who says the Clipper issue is complicated? (D. J. Bernstein)
    Clipper (A. Padgett Peterson)
    Notes on key escrow meeting with NSA (Matt Blaze)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are also available through the Internet Gopher system via a gopher server on site "gopher.vortex.com".

For information regarding the availability of this digest via FAX, please send an inquiry to privacy-fax@vortex.com, call (818) 225-2800, or FAX to (818) 225-7203.

-----------------------------------------------------------------------------

VOLUME 03, ISSUE 04

Quote for the day:

    "This one took all the fun out of earthquakes."

        -- Salesman at motorcycle equipment store (near the epicenter of the recent L.A. quake) speaking to the PRIVACY Forum moderator about the quake.

----------------------------------------------------------------------

Date: Sun, 20 Feb 94 12:57 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Emotion vs. Reason in the Clipper "Debate"

Greetings. The PRIVACY Forum submission box is piled high with Clipper related messages. I will not be distributing most of them. The level of discourse demonstrated in some of the submissions I've received is shockingly low--replete with ad hominem attacks and emotionally potent but logically deprived arguments.
The "debate" over Clipper is threatening to be pulled straight into the sewer.

This is clearly not an encouraging development. The issues of Clipper and related topics are too important to be dragged down to such a low level.

Other activities regarding this debate are also of concern. As you may know, CPSR (Computer Professionals for Social Responsibility) has been sponsoring an e-mail anti-Clipper petition drive. EFF (Electronic Frontier Foundation) is sponsoring a similar e-mail based drive to pressure for U.S. Congressional hearings regarding Clipper.

While many of the goals of both organizations are often laudable, I am not convinced that such "petition" techniques are appropriate to the circumstances at hand. The ease of sending e-mail means that it would probably be possible to get 10's of 1000's of quickie "add my name to the list" messages to such automated petition servers for virtually *any* topic. People don't have to understand, think about, or even have really heard about a subject, they just shoot an empty message off to an address and add their userid to the list. Even if we assume that there isn't much fraud from persons sending in multiple messages under differing names (certainly possible and simple on many systems) what do such quickie knee-jerk response mechanisms provide to enhance the debate?

CPSR has been comparing the response to their current drive to the similar effort conducted against "Lotus Marketplace" sometime back. One could argue that the techniques used to convince a private firm not to market a particular niche information product (and of course, all the related information is still widely available!) are not necessarily applicable to arguing against a major cryptographic system with strong government backing and apparently not inconsiderable bipartisan support (at least outside of the "technical" community).
CPSR has also recently been "promoting" a "Big Brother Inside" postscript picture that I feel serves little but to further trivialize this matter.

Such "power by numbers" petitions remind me of the efforts (sometimes successful) of various pressure groups to force advertisers to drop support of television programs with aspects that the particular group finds distasteful, and of the practice of some radio talk show hosts to encourage their listeners to flood some entity with calls and/or letters opposing or supporting particular views. In almost all of these cases, the key isn't reasoned debate, it's just names and numbers--to try to blind them with sheer volume!

That such techniques are sometimes successful, and that politicians and organizations will often react to such pressure petition drives, should not be an endorsement of such techniques being used. There is more at stake than simply "winning" a particular argument--the general coarsening of debate on so many topics into a flurry of opinion polls, petition drives, emotional television images, and the briefest of soundbites, threatens to change the nature of democracy in fundamental and negative ways.

Clipper may not be the most important issue facing the world today. But there seems to be a trend toward treating this highly technical issue the same way we tend to treat discussions of gun control, abortion, and criminal sentencing in the U.S.--that is, with a maximum of emotion and a minimum of logic.

I don't like Clipper. I think it's a bad idea. I have expressed this sentiment in the past in detail, so I won't go into the details again now. Almost a year ago in this forum, I suggested that interested persons on both sides of the issue inform their representatives and the involved parties of their thoughts on the matter and to express their opinions in PRIVACY Forum as well. I had hoped that such communications would be thoughtful and rich in meaningful arguments that would raise the level of discourse.
I am discouraged to see the level of discussion now appearing from some messages in the PRIVACY Forum submission inbox and in some other network lists and newsgroups.

Please folks. I know it's easy to get wound up in these matters--all the more so when it's so simple to just shoot off an e-mail message in a matter of minutes. But unless we all try to take the high road in these discussions, the importance of the issues is going to be drowned out in the shouting. Then, ultimately, we *all* lose, on both sides of the debate.

A sampling of the Clipper messages that I thought were most suitable for this issue of the digest have been included below, along with other non-Clipper items.

--Lauren--

------------------------------

Date: Sat, 15 Jan 94 21:16:48 CST
From: jmh@anubis.network.com (Joel Halpern)
Subject: Privacy & Automate Vehicular Identification

I have been asked to locate qualified technical individuals to participate in a forum on the Privacy implications of Automated Vehicular Identification (ala drive through toll booths). This is an unofficial request, and some of the particulars are not known to me.

The forum will be in the Silicon Valley area some time in the summer of '94. The forum is primarily being organized by a group of legal scholars, and they are seeking technical individuals to participate.

All I will be doing is collecting names and e-mail addresses, and passing them on to those putting this together. I am not directly involved, and am posting this as a friendly service. If further details are needed, I can get them.

Thank you,
Joel M. Halpern
jmh@network.com

------------------------------

Date: Wed, 9 Feb 1994 14:07:48 -0800 (PST)
From: close@lunch.asd.sgi.com (Diane Barlow Close)
Subject: More on PGP issues

Earlier I asked some questions about PGP (and other stuff) and found out that PGP stood for a really good encryption system.
Then someone pointed out to me that PGP implements the RSA public-key encryption algorithm, and there is a patent on the use of RSA for digital communication, and that includes email. I also said if you use PGP to encrypt or sign email which you then send to someone else, and you have not obtained a license for use of the patent from the patent holders, you are "infringing" the patent.

That was followed up with mail from "Tansin A. Darcos & Company" <0005066432@mcimail.com>, who said that no, I'm wrong and PGP IS freely available and free to use and its use infringes on nothing:

T> From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
T> Date: 29 Jan 1994 17:40:22 GMT
T>
T> Late last year, the owners of the 5 patents dealing with RSA
T> encryption (PKP Partners, Inc.) made a special arrangement with the
T> National Institutes of Science and Technology that in exchange for a
T> trade of certain encryption inventions developed by NIST to them, they
T> would make the following provisions:
T>
T> - Individuals using RSA encryption (which would include the methods
T> used in PGP) may do so *royalty free* and *without having to obtain a
T> license*;

Etc. Rest deleted.

That left me totally confused. Does PGP infringe or doesn't it? Are there exceptions or aren't there? I wrote to Jim Bidzos asking for clarification and he basically said that the stuff about PGP being free and legal was pure fiction. Jim said that PGP is definitely unlicensed and is considered infringing by the patent holders. He responded directly to "Tansin A. Darcos & Company" and cc'd me on the response, asking me to forward this to any newsgroup or mailing list that might be discussing this issue:

Date: Tue, 8 Feb 94 16:49:00 PST
From: jim@RSA.COM (Jim Bidzos)
Subject: RSA, patents, and pgp
To: Tansin A. Darcos & Company

I was sent a copy of statements you made that RSA had made some licensing deal with the government, and that somehow this legitimized the use of pgp. This is not correct.
You are probably referring to a Federal Register announcement last year in which it was proposed that the govt would get a license to use several PKP patents and PKP would license those patents uniformly to the private sector. This proposal was for a proposed Digital Signature Standard, never mentioned the RSA algorithm, never included the RSA patent, never had anything to do with pgp, and was never executed anyway.

Making, using, or selling or distributing pgp, which is unlicensed, is considered infringement by the patent holders, who reserve all rights and remedies at law. This has been made clear on many occasions and in many places, including letters written to CompuServe, AOL, and to a large number of universities, all of whom now prohibit its use or distribution, as stated in responses to us from their counsel.

There is, however, free and properly licensed source code for encryption and authentication using the RSA cryptosystem for non-commercial purposes. This software is called RIPEM (for a copy, email the author, Mark Riordan at mrr@scss3.cl.msu.edu), and is based on free crypto source code called RSAREF (send any message to RSAREF@RSA.COM). Further, commercial licenses are available at low cost for RIPEM; however, in cases where consumer privacy is the application, no-cost commercial licenses have been and are routinely granted.

I hope this clarifies the situation. I think it would be appropriate to post this message wherever the erroneous message concerning pgp was posted.

--
Diane Barlow Close
close@lunch.asd.sgi.com

------------------------------

Date: Wed, 9 Feb 1994 20:12:19 -0500 (EST)
From: John Higgins <higgins@dorsai.dorsai.org>
Subject: Private Info On Net

Let's get real here. This service that we're talking about here is available with a phone call or fax. The fact that someone will do a background check and deliver the results via net -- for a fee -- is not a big deal.

You may object to this service being available AT ALL.
You can certainly object if any idiot can point a gopher to a credit database for free. But the involvement of the net in the fashion being described is completely beside the point.

As a reporter, I've used services like this from time to time. Let's not get too alarmist here. Sure the file might get misdirected inadvertently. But I get my neighbor's mail all the time. And I think the guy across the hall secretly reads my mail as well....

John M. Higgins
higgins@dorsai.dorsai.org
Multichannel News
CIS:75266,3353
FINGER me for the Cable Regulation Digest
V)212-887-8390/F)212-887-8384

------------------------------

Date: Fri, 18 Feb 94 11:25:29 MST
From: shapiro@marble.Colorado.EDU (Andrew Shapiro)
Subject: Information on beating telemarketers in small claims court?

In late December 1993 or early January 1994 there were television and newspaper stories about a guy who got fed up with repeated harassment from telemarketers. He took them to court and won, setting a precedent for the rest of us. In the article there was information about how to pursue one of these claims yourself. Basically you make a note of when they called and then tell them never to call you again. If they call again you can take them to small claims court and recover (around) $750.00 per occurrence.

This has now happened to a friend of mine but we did not clip the article. If anyone has the information on pursuing this type of claim would they please send it to me.

Andrew T. Shapiro
shapiro@spot.colorado.edu
shapiro@cses.colorado.edu
andrew@gooter.metronet.org

------------------------------

Date: Thu, 17 Feb 94 09:28 EST
From: Robert Ellis Smith <0005101719@mcimail.com>
Subject: NII Testimony

[ From RISKS-FORUM Digest; Volume 15, Issue 56 -- MODERATOR ]

PRINCIPLES OF PRIVACY FOR THE NATIONAL INFORMATION INFRASTRUCTURE

Robert Ellis Smith
Publisher, PRIVACY JOURNAL, and Attorney at Law
Before the NII Task Force Working Group on Privacy
January 26, 1994

1.
Any analysis of the National Information Infrastructure must recognize that privacy includes more than an expectation of confidentiality. The right to privacy also includes (1) freedom from manipulation by others and (2) the opportunity to find safe havens from the crassness and commercialism of daily life.

2. The infrastructure must be an INFORMATION-TRANSFER medium, not a SALES medium. It must be primarily an INFORMATION medium, and only secondarily an ENTERTAINMENT medium. (Will the information superhighway be only another way to exploit couch potatoes?)

3. It must have different levels of security and confidentiality so that some sector in it allows for confidential communications. These communications could be intercepted by law enforcement only under current Fourth Amendment guidelines. Aside from that, in the confidential portion of the infrastructure, there must be strict penalties for the interception of any PERSONAL data without the consent of BOTH the sending party and the person who is the subject of the data. And for aggrieved individuals and organizations there should be a right to sue for breaches of confidentiality.

4. There must be some portion of the infrastructure free from commercial messages and free from the commercial uses of the names and electronic mail addresses of the users. Even though it is commercial-free, this sector need not necessarily be operated by the government or a non-profit entity.

5. In the sectors of the infrastructure available for use by individuals, there must remain opportunities for ACCESSING (non-personal) data anonymously (as exist in a library situation now). Whether to permit anonymous MESSAGE-SENDING in these sectors remains, for me, an open question.
To deny this will deprive the network of much of its spontaneity, creativity, and usefulness; however, to permit anonymous message-sending runs the risk of having these sectors dominated by obscene, inaccurate, slanderous, racially and sexually-insulting chatter - and worse.

6. Privacy interests are less compelling, to me, in two other sectors of the proposed infrastructure. In those sectors transmitting proprietary business information and sensitive business dealings, the organizations using the network will see to it themselves that security meets their needs, and they will have the resources to pay for it. By the same token, in those sectors providing point-of-sale services (presumably from the home), companies offering these services will provide adequate security or risk losing customers.

7. The infrastructure ought not become a means for large conglomerates to transfer personal information between and among subsidiaries where the data-handling is regulated (credit bureaus, cable companies, medical providers) and entities where the data-handling is not regulated (telephone providers, brokerages, credit-card processors, telemarketing).

___________

Rather than proposing specific safeguards -- which can be drafted later -- the task force can be most effective in 1994 by establishing the DOMINANT THEMES of the infrastructure: information-transfer, not commercialism; democratic access not corporate dominance; diversity (in usage as well as in levels of security) not conformity.

------------------------------

Date: Wed, 09 Feb 1994 17:23:28 -0500 (EST)
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re: Campaign and Petition Against Clipper

CPSR has announced a petition campaign to oppose the Clipper initiative. I would like to caution people about signing the petition. The issues are extremely complex and difficult.
The Clipper initiative is the result of considerable deliberation by many intelligent people who appreciate and understand the concerns that have been expressed and who worked hard to accommodate the conflicting interests. The decisions that have been made were not made lightly.

I would like to respond to some of the statements that CPSR has made about Clipper in their campaign and petition letters:

    The Clipper proposal, developed in secret by the National Security Agency, is a technical standard that will make it easier for government agents to wiretap the emerging data highway.

The standard (FIPS 185) is not a standard for the Internet or any other high speed computer network. It is for the telephone system. Quoting from FIPS 185: "Data for purposes of this standard includes voice, facsimile and computer information communicated in a telephone system. A telephone system for purposes of this standard is limited to a system which is circuit switched and operating at data rates of standard commercial modems over analog voice circuits or which uses basic-rate ISDN or a similar grade wireless service."

The standard will not make it any easier to tap phones, let alone computer networks. All it will do is make it technically possible to decrypt communications that are encrypted with the standard, assuming the communications are not superencrypted with something else. Law enforcers still need to get a court order just to intercept the communications in the first place, and advances in technology have made interception itself more difficult. The standard will make it much harder for anyone to conduct illegal taps, including the government.

The purpose of the standard is to provide a very strong encryption algorithm - something much stronger than DES - and to do so in a way that does not thwart law enforcement and national security objectives. Keys are escrowed so that if someone uses this technology, they cannot use it against national interests.

    Industry groups, professional associations and civil liberties organizations have expressed almost unanimous opposition to the plan since it was first proposed in April 1993.

    "The public does not like Clipper and will not accept it ..."

    The private sector and the public have expressed nearly unanimous opposition to Clipper.

As near as I know, neither CPSR nor any other group has conducted any systematic poll of industry, professional societies, or the public. While many people have voiced opposition, there are many more organizations and people who have been silent on this issue. The ACM is in the process of conducting a study on encryption. CPSR is a member of the study group, as am I. Steve Kent is chair. Our goal is a report that will articulate the issues, not a public statement either for or against. The International Association for Cryptologic Research has not to my knowledge made any official statement about Clipper.

    The Administration ignored the overwhelming opposition of the general public. When the Commerce Department solicited public comments on the proposal last fall, hundreds of people opposed the plan while only a few expressed support.

Hundreds of people is hardly overwhelming in a population of 250 million, especially when most of the letters were the same and came in through the net following a sample letter that was sent out.

    The technical standard is subject to misuse and compromise. It would provide government agents with copies of the keys that protect electronic communications. "It is a nightmare for computer security."

I have been one of the reviewers of the standard. We have completed our review of the encryption algorithm, SKIPJACK, and concluded it was very strong. While we have not completed our review of the key escrow system, from what I have seen so far, I anticipate that it will provide an extremely high level of security for the escrowed keys.

    The underlying technology was developed in secret by the NSA, an intelligence agency responsible for electronic eavesdropping, not privacy protection. Congressional investigations in the 1970s disclosed widespread NSA abuses, including the illegal interception of millions of cables sent by American citizens.

NSA is also responsible for the development of cryptographic codes to protect the nation's most sensitive classified information. They have an excellent track record in conducting this mission. I do not believe that our requirements for protecting private information are greater than those for protecting classified information.

I do not know the facts of the 1970s incident that is referred to here, but it sounds like it occurred before passage of the 1978 Foreign Intelligence Surveillance Act. This act requires intelligence agencies to get a court order in order to intercept communications of American citizens. I am not aware of any recent evidence that the NSA is engaging in illegal intercepts of Americans.

    Computer security experts question the integrity of the technology. Clipper was developed in secret and its specifications are classified.

The 5 of us who reviewed the algorithm unanimously agreed that it was very strong. We will publish a final report when we complete our full evaluation. Nothing can be concluded from a statement questioning the technology by someone who has not seen it regardless of whether that person is an expert in security.

    NSA overstepped its legal authority in developing the standard. A 1987 law explicitly limits the intelligence agency's power to set standards for the nation's communications network.

The 1987 Computer Security Act states that NIST "shall draw on the technical advice and assistance (including work products) of the National Security Agency."

    There is no evidence to support law enforcement's claims that new technologies are hampering criminal investigations.
    CPSR recently forced the release of FBI documents that show no such problems.

CPSR obtained some documents from a few FBI field offices. Those offices reported no problems. CPSR did not get reports from all field offices and did not get reports from local law enforcement agencies. I can tell you that it is a fact that new communications technologies, including encryption, have hampered criminal investigations. I personally commend law enforcement for trying to get out in front of this problem.

    If the plan goes forward, commercial firms that hope to develop new products will face extensive government obstacles. Cryptographers who wish to develop new privacy enhancing technologies will be discouraged.

The standard is voluntary -- even for the government.

    Mr. Rotenberg said "We want the public to understand the full implications of this plan. Today it is only a few experts and industry groups that understand the proposal."

I support this objective. Unfortunately, it is not possible for most of us to be fully informed of the national security implications of uncontrolled encryption. For very legitimate reasons, these cannot be fully discussed and debated in a public forum. It is even difficult to talk about the full implications of encryption on law enforcement. This is why it is important that the President and Vice-President be fully informed on all the issues, and for the decisions to be made at that level. The Feb. 4 decision was made following an inter-agency policy review, headed by the National Security Council, that examined these issues using considerable input from industry, CPSR, EFF, and individuals as well as from law enforcement and intelligence agencies.

In the absence of understanding the national security issues, I believe we need to exercise some caution in believing that we can understand the full implications of encryption on society.

As part of the Feb.
4 announcement, the Administration announced the establishment of an Interagency Working Group on Encryption and Telecommunications, chaired by the White House Office of Science and Technology Policy and National Security Council, with representatives from Commerce, Justice, State, Treasury, FBI, NSA, OMB, and the National Economic Council. The group is to work with industry and public interest groups to develop new encryption technologies and to review and refine encryption policy. The NRC's Computer Science and Telecommunications Board will also be conducting a study of encryption policy.

These comments may be distributed.

Dorothy Denning
Georgetown University

------------------------------

Date: Tue, 15 Feb 1994 01:13:48 -0800
From: "D. J. Bernstein" <djb@silverton.berkeley.edu>
Subject: Who says the Clipper issue is complicated?

[ From RISKS-FORUM Digest; Volume 15, Issue 56 -- MODERATOR ]

``I would like to caution people about signing the petition,'' Dorothy Denning said. ``The issues are extremely complex and difficult.''%1

Clipper (by which I mean EES/Skipjack/Clipper/Capstone collectively) does raise some mildly tricky issues, which I'll discuss later. But those are _side_ issues. The basic argument%2 against Clipper is simple and deserves emphasis.

Clipper is bad because it is unfair competition in the crypto market.

Who has paid for the design and implementation of Clipper over the past decade?%3 The taxpayers. Who has paid for ramping up Clipper production at Mykotronx? The taxpayers. Who pays for the lawyers and accountants keeping Clipper on course, and the NSA-FBI team which visits Bell Labs and other locations to promote Clipper? The taxpayers. Who will pay for the key escrow ``service,'' probably an agency with dozens of people, including armed guards? The taxpayers. I resent being forced to pay for Clipper's development and adoption.

Is this Clipper subsidy the only way that the government is interfering in the market? Not at all.
Consider, for example, export controls. A private company, even if it doesn't see a foreign market for its encryption products, has to register as an arms dealer and take precautions to avoid selling crypto to non-citizens. These restrictions have been dramatically reduced for Clipper.%4

Are these points a matter of dispute? Is this just my view? No. The government knows full well that Clipper is unfair competition. In fact, unfair competition is the goal of Clipper policy. According to Jerry Berman, ``the reason [for various Clipper-related actions] was stated bluntly at the [4 Feb 94 White House] briefing: to frustrate competition with Clipper by other powerful encryption schemes by making them difficult to market, and to "prevent" strong encryption from leaving the country...''%5

Now, here's the problem: The government talks about Clipper's market interference as a _good_ thing. Of course, I see it as a bad thing. America's need for data protection would be fully served by a healthy encryption industry; let's eliminate crypto export controls!

If you agree with me---if you want a free crypto market---then you should oppose Clipper. There's nothing complicated about this.

Let me close by briefly addressing a few side issues, mostly reasons that Clipper is risky when compared to other crypto available today.

1. There is a RISK that the Skipjack algorithm is, intentionally or unintentionally, weak. Suppose that in 1986 an NSA cryptanalyst noticed a subtle but wide hole in Skipjack, which was relatively new at the time. Why would it be in NSA's interest to divulge this information? Denning points out that we don't _know_ of any holes, but that's axiomatic---Clipper would be dead otherwise. One cannot deny the _risk_, exacerbated by secrecy, of a hole.

2. There is a RISK that Clipper will be easier to break than the basic Skipjack algorithm.
Given two encryption algorithms one can (carefully) compose them to produce a ``double encryption'' which is strong even if one of the algorithms is weak. Clipper also has two encryption steps, but for a different reason---one encryption is transparent to the user, the other transparent to the FBI. If either of these different%6 steps is weak then Clipper is weak. ``Half encryption,'' I'd say.

3. There is a RISK that key escrow security will be compromised, either by bribes from the outside or by corruption from the top. It is highly dangerous to keep so many keys under the control of such a small group of people.

4. There is a RISK that, if Clipper fails to dominate the market, the government will simply outlaw all non-escrowed encryption. ``This is a fundamental policy question which will be considered during the broad policy review.''%7 Alternatively the government could outlaw Clipper superencryption while requiring Clipper in government procurements, new phones, and so on. Denning points out that Clipper is voluntary right now, but the mere fact that the government brought up the possibility of a Clipper law means that there's a risk.

Footnotes:

%1 To sign the CPSR Clipper petition, send a message to the address clipper.petition@cpsr.org with "I oppose Clipper" in the subject header.

%2 This argument was mentioned briefly by Geoff Kuenning, RISKS-15.50, among a cast of thousands.

%3 See Matt Blaze's message in RISKS-15.48. ``They said ... that Skipjack began development "~about 10 years ago.~"''

%4 See ftp.eff.org:pub/EFF/Policy/Crypto/harris_export.statement: ``After initial review, key-escrow encryption products may now be exported to most end users. Additionally, key-escrow products will qualify for special licensing arrangements.''

%5 See ftp.eff.org:pub/EFF/Policy/Crypto/wh_crypto.eff.

%6 See Roy M. Silvernail's message in RISKS-15.52.

%7 See the initial White House Clipper press release, 930416.
---Dan

------------------------------

Date: Wed, 9 Feb 94 08:57:06 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Clipper

I am getting a bit tired of everybody bashing clipper without actually examining it and because it does not seem to be a perfect solution.

Being an engineer, I am used to imperfect solutions that are adequate for the job. Clipper seems to me to be "good enough" to make it difficult to break and no-one has said (or is able to enforce) that whatever it is cannot be encrypted offline and then sent by the Clip chip.

My big frustration is not in having one to play with but then am in a DC hotel room (airport was closed by an American plane stuck in the mud at the end of the runway - where is George Kennedy when you need him ?) on a 15 pound laptop at 2400 baud - point is it gets the job done !

No-one seems to be talking about the big plusses to the clip chip (actually Capstone) so I will:

o Autoignition
o Authentication of both ends to both ends
o DSS
o *cheap*
o essential to the "Information Two-Lane-Blacktop"

Has anyone considered that last one ? I would wager that the courts may accept as legal documents ones sent this way, something desperately needed - not "unbreakable" but *legally acceptable* and approved for SBU - Sensitive but Unclassified.

No wonder so many vested interests are in an uproar because it will be another billion dollar industry. I just keep being reminded of "...Secretary Fall was convicted of taking the bribe that Doheny was acquitted of giving."

Personally, I will wait until I have one to make any technical judgements.

Warmly,
Padgett

------------------------------

Date: Tue, 08 Feb 94 16:03:55 -0500
From: Matt Blaze <mab@research.att.com>
Subject: Notes on key escrow meeting with NSA

[ From RISKS-FORUM Digest; Volume 15, Issue 48 -- MODERATOR ]

A group from NSA and FBI met the other day with a group of us at Bell Labs to discuss the key escrow proposal.
They were surprisingly forthcoming and open to discussion and debate, and were willing to at least listen to hard questions. They didn't object when asked if we could summarize what we learned to the net. Incidentally, the people at the meeting seemed to base a large part of their understanding of public opinion on Usenet postings. Postings to RISKS, sci.crypt and talk.politics.crypto seem to actually have an influence on our government. Since many of the points brought up at the meeting have been discussed in RISKS, it seems appropriate to post a summary here.

A number of things came out at the meeting that we didn't previously know or that clarified previously released information. What follows is a rough summary; needless to say, nothing here should be taken as gospel, or representing the official positions of anybody. Also, nothing here should be taken as an endorsement of key escrow, clipper, or anything else by the authors; we're just reporting. These notes are based on the collective memory of Steve Bellovin, Matt Blaze, Jack Lacy, and Mike Reiter; there may be errors or misunderstandings. Please forgive the rough style. Note also the use of "~ ~" for 'approximate quotes' (a marvelous Whit Diffie-ism).

NSA's stated goals and motives for all this:

* DES is at the end of its useful life
* Sensitive, unclassified government data needs protection
* This should be made available to US Citizens
* US business data abroad especially needs protection
* The new technology should not preclude law enforcement access

They indicated that the thinking was not that criminals would use key escrowed crypto, but that they should not field a system that criminals could easily use against them. The existence of key escrow would deter them from using crypto in the first place. The FBI representative said that they expect to catch "~only the stupid criminals~" through the escrow system.
Another stated reason for key escrow is that they do not think that even government-spec crypto devices can be kept physically secure. They do expect enough to be diverted to the black market that they feel they need a response. NSA's emphasis was on the foreign black market...

There seems to be a desire to manipulate the market, by having the fixed cost of key escrow cryptography amortized over the government market. Any private sector devices would have to sell a much larger number of units to compete on price. (This was somewhere between an implication and an explicit statement on their part.)

When asked about cryptography in software, "~...if you want US government cryptography, you must do it with hardware~".

The NSA people were asked whether they would consider evaluating ciphers submitted by the private sector as opposed to simply proposing a new cipher as a "black box" as they did with Skipjack. They said they can't do this because, among other things, of the extraordinary effort required to properly test a new cipher. They said that it often takes from 8-12 years to design, evaluate and certify a new algorithm, and that Skipjack began development "~about 10 years ago.~" I asked if we should infer anything from that about the value of the (limited time and resource) civilian Skipjack review. They accepted the question with good humor, but they did say that the civilian review was at least presented with and able to evaluate some of the results of NSA's previous internal reviews.

Clipper chips should be available (to product vendors) in June. You can't just buy loose chips - they have to be installed in approved products. Your application interface has to be approved by NIST for you to get your hands on the chips.

An interesting point came up about the reverse-engineering resistance of the chips: they are designed to resist non-destructive reverse engineering.
It was not clear (from the information presented at the meeting) whether the chips are equally resistant to destructive reverse-engineering. That is, the chips are designed to resist non-destructive reverse engineering to obtain the unit keys. They do not believe that it is possible to obtain the unit key of a particular chip without destroying the chip. They did not present any assertions about resistance to destructive reverse engineering, such that several chips can be taken apart and destroyed in the process, to learn the Skipjack algorithm.

They said the algorithm was patented, but they may have been joking. ("~And if that doesn't scare you enough, we'll turn the patent over to PKP.~")

The resistance to reverse engineering is not considered absolute by NSA. They do feel that "~it would require the resources of a national laboratory, and anyone with that much money can design their own cryptosystem that's just as strong.~"

They repeated several times that there are "~no plans to regulate the use of alternate encryption within the US by US citizens.~" They also indicated they "~weren't naive~" and didn't think that they could if they wanted to.

There were 919 authorized wiretaps, and 10,000 pen register monitors, in 1992. They do not have any figures yet on how often cryptography was used to frustrate wiretaps.

They do not yet have a production version of the "decoder" box used by law enforcement. Initially, the family key will be split (by the same XOR method) and handled by two different people in the authorized agencies. There is presently only one family key. The specifications of the escrow exploitation mechanism are not yet final, either; they are considering the possibility of having the central site strip off the outer layers of encryption, and only sending the session key back to the decoder box.

The escrow authorities will NOT require presentation of a court order prior to releasing the keys.
Instead, the agency will fill out a form certifying that they have a legal authorization. This is also backed up with a separate confirmation from the prosecutor's office. The escrow agencies will supply any key requested and will not themselves verify that the keys requested are associated with the particular court order.

As an aside, we've since been informed by a member of the civilian Skipjack review committee that the rationale for not having the escrow agency see the actual wiretap order is so that they do not have access to the mapping between key serial numbers and people/telephones.

Regarding the scale of the escrow exploitation system, they said that they did not yet have a final operational specification for the escrow protocols, but did say that the escrow agencies would be expected to deliver keys "~within about 2 hours~" and are aiming for "~close to real time.~" Initially, the FBI would have the decoder box, but eventually, depending on costs and demand, any law enforcement agency authorized to conduct wiretaps would be able to buy one. The two escrow agencies will be responsible for verifying the certification from and securely delivering the key halves to any such police department.

The NSA did not answer a question as to whether the national security community would obtain keys from the same escrow mechanism for their (legally authorized) intelligence gathering or whether some other mechanism would exist for them to get the keys.

The masks for the Clipper/Capstone chip are unclassified (but are protected by trade secret) and the chips can be produced in an unclassified foundry. Part of the programming in the secure vault includes "~installing part of the Skipjack algorithm.~" Later discussion indicated that the part of the algorithm installed in the secure vault are the "S-tables", suggesting that perhaps unprogrammed Clipper chips can be programmed to implement other 80-bit key, 32 round ciphers.
The Capstone chip includes an ARM-6 RISC processor that can be used for other things when no cryptographic functions are performed. In particular, it can be used by vendors as their own on-board processor. The I/O to the processor is shut off when a crypto operation is in progress.

They passed around a Tessera PCMCIA (type 1) card. These cards contain a Capstone chip and can be used by general purpose PC applications. The cards themselves might not be export controlled. (Unfortunately, they took the sample card back with them...) The card will digitally sign a challenge from the host, so you can't substitute a bogus card. The cards have non-volatile onboard storage for users' secret keys and for the public keys of a certifying authority.

They are building a library/API for Tessera, called Catapult, that will provide an interface suitable for many different applications. They have prototype email and ftp applications that already use it. They intend to eventually give away source code for this library. They responded favorably to the suggestion that they put it up for anonymous ftp.

Applications (which can use the library and which the NSA approves for government use) will be responsible for managing the LEAF field. Note that they intend to apply key escrowed Skipjack to other applications, including mail and file encryption. The LEAF would be included in such places as the mail header or the file attributes. This implies that it is possible to omit sending the LEAF -- but the decrypt chip won't work right if it doesn't get one.

When asked, they indicated that it might be possible to wire up a pair of Clipper/Capstone chips to not transmit the LEAF field, but that the way to do this is "~not obvious from the interface we give you~" and "~you'd have to be careful not to make mistakes~". They gave a lot of attention to obvious ways to get around the LEAF.
The unit key is generated via Skipjack itself, from random seeds provided by the two escrow agencies (approximately monthly, though that isn't certain yet). They say they prefer a software generation process because its correct behavior is auditable.

Capstone (but not Clipper) could be configured to allow independent loading of the two key halves, in separate facilities. "~It's your money [meaning American taxpayers].~"

The LEAF field contains 80 bits for the traffic key, encrypted via the unit key in "~a unique mode <grin>~", 32 bits for the unit id, and a 16 bit checksum of some sort. (We didn't waste our breath asking what the checksum algorithm was.) This is all encrypted under the family key using "~another mode <grin>~".

They expressed a great deal of willingness to make any sort of reasonable changes that vendors needed for their products. They are trying *very* hard to get Skipjack and key escrow into lots of products.

Finally, I should make clear that "Clipper" is more properly called the "MYK-78T".

[Matt, Thanks for the contribution, and thanks for making careful distinctions among the escrow initiative (EEI), the algorithm (Skipjack), the telephone implementation (Clipper), and the computer system/network implementation (Capstone). Much of what has been written on the subject has been confused because those distinctions were not consistently made. PGN]

------------------------------

End of PRIVACY Forum Digest 03.04
************************
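
The XOR key split and the LEAF field widths (80 + 32 + 16 bits) described in the "Notes on key escrow meeting with NSA" message above, as an added sketch that is not part of the original digest or of any government specification. Skipjack, the two LEAF modes and the checksum algorithm are not given on the page, so a SHA-256 keystream and a truncated SHA-256 stand in for them; all function names and sample values are hypothetical.

```python
import hashlib
import secrets

KEY_LEN = 10  # 80-bit unit and traffic keys, per the notes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key):
    """Split a key into two XOR halves, one per escrow agency."""
    half1 = secrets.token_bytes(len(key))  # uniformly random pad
    return half1, xor(key, half1)          # either half alone is just noise

def _stream(key, label, n):
    # STAND-IN for Skipjack and its undisclosed modes: a fixed SHA-256
    # keystream. Illustrative only; reusing it across messages is insecure.
    return hashlib.sha256(label + key).digest()[:n]

def _checksum(unit_id, traffic_key):
    # STAND-IN 16-bit checksum; the real algorithm is not on the page.
    return hashlib.sha256(unit_id + traffic_key).digest()[:2]

def build_leaf(traffic_key, unit_id, unit_key, family_key):
    """Chip side: 80-bit wrapped traffic key + 32-bit unit id + 16-bit checksum."""
    inner = xor(traffic_key, _stream(unit_key, b"unit", KEY_LEN))
    body = inner + unit_id + _checksum(unit_id, traffic_key)   # 128 bits
    return xor(body, _stream(family_key, b"family", len(body)))

def read_unit_id(leaf, family_key):
    """Decoder box, step 1: strip the family-key layer to learn which chip."""
    return xor(leaf, _stream(family_key, b"family", len(leaf)))[10:14]

def recover_traffic_key(leaf, family_key, half1, half2):
    """Decoder box, step 2: needs BOTH escrowed halves of the unit key."""
    body = xor(leaf, _stream(family_key, b"family", len(leaf)))
    inner, unit_id, check = body[:10], body[10:14], body[14:16]
    traffic_key = xor(inner, _stream(xor(half1, half2), b"unit", KEY_LEN))
    if _checksum(unit_id, traffic_key) != check:
        raise ValueError("LEAF checksum mismatch: wrong or incomplete unit key")
    return traffic_key

if __name__ == "__main__":
    # Constructed sample values, not real keys or identifiers.
    family, unit, traffic = b"F" * 10, secrets.token_bytes(10), secrets.token_bytes(10)
    h1, h2 = split_key(unit)
    leaf = build_leaf(traffic, b"\x00\x00\x04\xd2", unit, family)
    print(read_unit_id(leaf, family).hex(), recover_traffic_key(leaf, family, h1, h2) == traffic)
```

The sketch makes the trust structure visible: anyone holding the single family key can read the unit id from any LEAF, while the traffic key stays protected only as long as the two halves are not brought together.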