9.1 copyright
THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
1994-09-10, Copyright Timothy C. May. All rights reserved.
See the detailed disclaimer. Use short sections under "fair
use" provisions, with appropriate credit, but don't put your
name on my words.
9.2 - SUMMARY: Policy: Clipper,Key Escrow, and Digital Telephony
9.2.1. Main Points
- Clipper has been a main unifying force, as 80% of all
Americans, and 95% of all computer types, are opposed.
- "Big Brother Inside"
9.2.2. Connections to Other Sections
- the main connections are _legal_
- some possible implications for limits on crypto
9.2.3. Where to Find Additional Information
- There have been hundreds of articles on Clipper, in nearly
all popular magazines. Many of these were sent to the
Cypherpunks list and may be available in the archives. (I
have at least 80 MB of Cypherpunks list stuff, a lot of it
newspaper and magazine articles on Clipper!)
+ more Clipper information can be found at:
- "A good source is the Wired Online Clipper Archive. Send
e-mail to info-rama@wired.com. with no subject and the
words 'get help' and 'get clipper/index' in the body of
the message." [students@unsw.EDU.AU, alt.privacy.clipper,
1994-09-01]
9.2.4. Miscellaneous Comments
- As with a couple of other sections, I won't try to be as
complete as some might desire. Just too many thousands of
pages of stuff to consider.
9.3 - Introduction
9.3.1. What is Clipper?
- government holds the skeleton keys
- analogies to other systems
9.3.2. Why do most Cypherpunks oppose Clipper?
- fear of restrictions on crypto, derailing so many wonderful
possibilities
9.3.3. Why does Clipper rate its own section?
- The announcement of the "Escrowed Encryption Standard,"
EES, on April 16, 1993, was a galvanizing event for
Cypherpunks and for a large segment of the U. S.
population. The EES was announced originally as "Clipper,"
despite the use of the name Clipper by two major products
(the Intergraph CPU and a dBase software tool), and the
government backed off on the name. Too late, though, as the
name "Clipper" had become indelibly linked to this whole
proposal.
9.3.4. "Is stopping Clipper the main goal of Cypherpunks?"
- It certainly seems so at times, as Clipper has dominated
the topics since the Clipper announcement in April, 1993.
+ it has become so, with monkeywrenching efforts in several
areas
- lobbying and education against it (though informal, such
lobbying has been successful...look at NYT article)
- "Big Brother Inside" and t-shirts
- technical monkeywrenching (Matt Blaze...hesitate to claim
any credit, but he has been on our list, attended a
meeting, etc.)
- Although it may seem so, Clipper is just one
aspect...step...initiative.
- Developing new software tools, writing code, deploying
remailers and digital cash are long-range projects of great
importance.
- The Clipper key escrow proposal came along (4-93) at an
opportune time for Cypherpunks and became a major focus.
Emergency meetings, analyses, etc.
9.4 - Crypto Policy Issues
9.4.1. Peter Denning on crypto policy:
+ provided by Pat Farrell, 1994-08-20; Denning comments are
1992-01-22, presented at Computers, Freedom, and Privacy 2.
Peter D. uses the metaphor of a "clearing,"as in a forest,
for the place where people meet to trade, interact, etc.
What others call markets, agoras, or just "cyberspace."
- "Information technology in producing a clearing in which
individuals and corporations are key players besides
government. Any attempt by government to control the flow
of information over networks will be ignored or met with
outright hostility. There is no practical way that
government can control information except information
directly involved in the business of governing. It
should not try." [Peter Denning, PUBLIC POLICY FOR THE
21ST CENTURY, DRAFT 1/22/92]
- No word on how this view squares with his wife's control
freak views.
9.4.2. Will government and NSA in particular attempt to acquire some
kind of control over crypto companies?
+ speculations, apparently unfounded, that RSA Data Security
is influenced by NSA wishes
- weaknesses in the DES keys picked?
- and companies may be dramatically influenced by contracts
(and the witholding of them)
9.4.3. NIST and DSS
9.4.4. Export restrictions, Munitions List, ITAR
9.4.5. old crypto machines sold to Third World governments, cheaply
- perhaps they think they can make some changes and outsmart
the NSA (which probably has rigged it so any changes are
detectable and can be factored in)
- and just knowing the type of machine is a huge advantage
9.4.6. 4/28/97 The first of several P-K and RSA patents expires
+ U.S. Patent Number: 4200770
- Title: Cryptographic Apparatus and Method
- Inventors: Hellman, Diffie, Merkle
- Assignee: Stanford University
- Filed: September 6, 1977
- Granted: April 29, 1980
- [Expires: April 28, 1997]
+ remember that any one of these several patents held by
Public Key Partners (Stanford and M.I.T., with RSA Data
Security the chief dispenser of licenses) can block an
effort to bypass the others
- though this may get fought out in court
9.4.7. encryption will be needed inside computer systems
- for operating system protection
- for autonomous agents (active agents)
- for electronic money
9.5 - Motivations for Crypto Laws
9.5.1. "What are the law enforcement and FBI worries?"
- "FBI Director Louis Freeh is worried. The bad guys are
beginning to see the light, and it is digital. ... Freeh
fears some pretty nasty folks have discovered they can
commit highway robbery and more, without even leaving home.
Worse, to Freeh and other top cops, by using some pretty
basic technologies, savvy criminals can do their crimes
without worrying about doing time.
"Some crooks, spies, drug traffickers, terrorists and
frauds already use the tools of the information age to
outfox law enforcement officers. Hackers use PBXs to hide
their tracks as they rip off phone companies and poke
around in other people's files. Reprogrammed cellular
phones give cops fits." [LAN Magazine,"Is it 1984?," by Ted
Bunker, August 1994]
- Their fears have some validity...in the same way that the
rulers in Gutenberg's time could have some concerns about
the implications of books (breaking of guilds, spread of
national secrets, pornography, atheism, etc.).
9.5.2. "What motivated Clipper? What did the Feds hope to gain?"
- ostensibly to stop terrorists (only the unsophisticated
ones, if alternatives are allowed)
- to force a standard on average Americans
- possibly to limit crypto development
+ Phil Karn provides an interesting motivation for Clipper:
"Key escrow exists only because the NSA doesn't want to
risk blame if some terrorist or drug dealer were to use an
unescrowed NSA-produced .....The fact that a terrorist or
drug dealer can easily go elsewhere and obtain other strong
or stronger algorithms without key escrow is irrelevant.
The NSA simply doesn't care as long as *they* can't be
blamed for whatever happens. Classic CYA, nothing
more.....A similar analysis applies to the export control
regulations regarding cryptography." [Phil Karn, 1994-08-
31]
- Bill Sommerfeld notes: "If this is indeed the case, Matt
Blaze's results should be particularly devastating to
them." [B.S., 1994-09-01]
9.5.3. Steve Witham has an interesting take on why folks like
Dorothy Denning and Donn Parker support key escrow so
ardently:
- "Maybe people like Dot and Don think of government as a
systems-administration sort of job. So here they are,
security experts advising the sys admins on things like...
setting permissions
allocating quotas
registering users and giving them passwords.....
deciding what utilities are and aren't available
deciding what software the users need, and installing it
(grudgingly, based on who's yelling the loudest)
setting up connections to other machines
deciding who's allowed to log in from "foreign hosts"
getting mail set up and running
buying new hardware from vendors
specifying the hardware to the vendors
...
"These are the things computer security experts advise on.
Maybe hammer experts see things as nails.
"Only a country is not a host system owned and administered
by the government, and citizens are not guests or users."
[Steve Witham, Government by Sysadmin, 1994-03-23]
9.5.4. Who would want to use key escrow?
9.5.5. "Will strong crypto really thwart government plans?"
- Yes, it will give citizens the basic capabilities that
foreign governments have had for many years
+ Despite talk about codebreakes and the expertise of the
NSA, the plain fact is that no major Soviet ciphers have
been broken for many years
+ recall the comment that NSA has not really broken any
Soviet systems in many years
- except for the cases, a la the Walker case, where
plaintext versions are gotten, i.e., where human
screwups occurred
- the image in so many novels of massive computers breaking
codes is absurd: modern ciphers will not be broken (but the
primitive ciphers used by so many Third World nations and
their embassies will continue to be child's play, even for
high school science fair projects...could be a good idea
for a small scene, about a BCC student who has his project
pulled)
9.5.6. "Why does the government want short keys?"
- Commercial products have often been broken by hackers. The
NSA actually has a charter to help businesses protect their
secrets; just not so strongly that the crypto is
unbreakable by them. (This of course has been part of the
tension between the two sides of the NSA for the past
couple of decades.)
+ So why does the government want crippled key lengths?
- "The question is: how do you thwart hackers while
permitting NSA access? The obvious answer is strong
algorithm(s) and relatively truncated keys." [Grady Ward,
sci.crypt, 1994-08-15]
9.6 - Current Crypto Laws
9.6.1. "Has crypto been restricted in countries other than the
U.S.?"
- Many countries have restrictions on civilian/private use of
crypto. Some even insist that corporations either send all
transmissions in the clear, or that keys be provided to the
government. The Phillipines, for example. And certainly
regimes in the Communists Bloc, or what's left of it, will
likely have various laws restricting crypto. Possibly
draconian laws....in many cultures, use of crypto is
tantamount to espionage.
9.7 - Crypto Laws Outside the U.S.
9.7.1. "International Escrow, and Other Nation's Crypto Policies?"
- The focus throughout this document on U.S. policy should
not lull non-Americans into complacency. Many nations
already have more Draconian policies on the private use of
encryption than the U.S. is even contemplating
(publically). France outlaws private crypto, though
enforcement is said to be problematic (but I would not want
the DGSE to be on my tail, that's for sure). Third World
countries often have bans on crypto, and mere possession of
random-looking bits may mean a spying conviction and a trip
to the gallows.
+ There are also several reports that European nations are
preparing to fall in line behind the U.S. on key escrow
- Norway
- Netherlands
- Britain
+ A conference in D.C. in 6/94, attended by Whit Diffie (and
reported on to us at the 6/94 CP meeting) had internation
escrow arrangements as a topic, with the crypto policy
makers of NIST and NSA describing various options
- bad news, because it could allow bilateral treaties to
supercede basic rights
- could be plan for getting key escrow made mandatory
+ there are also practical issues
+ who can decode international communications?
- do we really want the French reading Intel's
communications? (recall Matra-Harris)
- satellites? (like Iridium)
- what of multi-national messages, such as an encrypted
message posted to a message pool on the Internet...is
it to be escrowed with each of 100 nations?
9.7.2. "Will foreign countries use a U.S.-based key escrow system?"
- Lots of pressure. Lots of evidence of compliance.
9.7.3. "Is Europe Considering Key Escrow?"
- Yes, in spades. Lots of signs of this, with reports coming
in from residents of Europe and elsewhere. The Europeans
tend to be a bit more quiet in matters of public policy (at
least in some areas).
- "The current issue of `Communications Week International'
informs us that the European Union's Senior Officials Group
for Security of Information Systems has been considering
plans for standardising key escrow in Europe.
"Agreement had been held up by arguments over who should
hold the keys. France and Holland wanted to follow the
NSA's lead and have national governments assume this role;
other players wanted user organisations to do this." [
rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow
in Europe too, 1994-06-29]
9.7.4. "What laws do various countries have on encryption and the
use of encryption for international traffic?"
+ "Has France really banned encryption?"
- There are recurring reports that France does not allow
unfettered use of encryption.
- Hard to say. Laws on the books. But no indications that
the many French users of PGP, say, are being prosecuted.
- a nation whose leader, Francois Mitterand, was a Nazi
collaborationist, working with Petain and the Vichy
government (Klaus Barbie involved)
+ Some Specific Countries
- (need more info here)
+ Germany
- BND cooperates with U.S.
- Netherlands
- Russia
+ Information
- "Check out the ftp site at csrc.ncsl.nist.gov for a
document named something like "laws.wp" (There are
several of these, in various formats.) This contains a
survey of the positions of various countries, done for
NIST by a couple of people at Georgetown or George
Washington or some such university." [Philip Fites,
alt.security.pgp, 1994-07-03]
9.7.5. France planning Big Brother smart card?
- "PARIS, FRANCE, 1994 MAR 4 (NB) -- The French government
has confirmed its plans to replace citizen's paper-based ID
cards with credit card-sized "smart card" ID cards.
.....
"The cards contain details of recent transactions, as well
as act as an "electronic purse" for smaller value
transactions using a personal identification number (PIN)
as authorization. "Purse transactions" are usually separate
from the card credit/debit system, and, when the purse is
empty, it can be reloaded from the card at a suitable ATM
or retailer terminal." (Steve Gold/19940304)" [this was
forwarded to me for posting]
9.7.6. PTTs, local rules about modem use
9.7.7. "What are the European laws on "Data Privacy" and why are
they such a terrible idea?"
- Various European countries have passed laws about the
compiling of computerized records on people without their
explicit permission. This applies to nearly all
computerized records--mailing lists, dossiers, credit
records, employee files, etc.--though some exceptions exist
and, in general, companies can find ways to compile records
and remain within the law.
- The rules are open to debate, and the casual individual who
cannot afford lawyers and advisors, is likely to be
breaking the laws repeatedly. For example, storing the
posts of people on the Cypherpunks list in any system
retrievable by name would violate Britain's Data Privacy
laws. That almost no such case would ever result in a
prosecution (for practical reasons) does not mean the laws
are acceptable.
- To many, these laws are a "good idea." But the laws miss
the main point, give a false sense of security (as the real
dossier-compilers are easily able to obtain exemptions, or
are government agencies themselves), and interfere in what
people do with information that properly and legally comes
there way. (Be on the alert for "civil rights" groups like
the ACLU and EFF to push for such data privacy laws. The
irony of Kapor's connection to Lotus and the failed
"Marketplace" CD-ROM product cannot be ignored.)
- Creating a law which bans the keeping of certain kinds of
records is an invitation to having "data inspectors"
rummaging through one's files. Or some kind of spot checks,
or even software key escrow.
- (Strong crypto makes these laws tough to enforce. Either
the laws go, or the counties with such laws will then have
to limit strong crypto....not that that will help in the
long run.)
- The same points apply to well-meaning proposals to make
employer monitoring of employees illegal. It sounds like a
privacy-enhancing idea, but it tramples upon the rights of
the employer to ensure that work is being done, to
basically run his business as he sees fit, etc. If I hire a
programmer and he's using my resources, my network
connections, to run an illegal operation, he exposes my
company to damages, and of course he isn't doing the job I
paid him to do. If the law forbids me to monitor this
situation, or at least to randomly check, then he can
exploit this law to his advantage and to my disadvantage.
(Again, the dangers of rigid laws, nonmarket
solutions,(lied game theory.)
9.7.8. on the situation in Australia
+ Matthew Gream [M.Gream@uts.edu.au] informed us that the
export situation in Oz is just as best as in the U.S. [1994-
09-06] (as if we didn't know...much as we all like to dump
on Amerika for its fascist laws, it's clear that nearly all
countries are taking their New World Order Marching Orders
from the U.S., and that many of them have even more
repressive crypto laws alredy in place...they just don't
get the discussion the U.S. gets, for apparent reasons)
- "Well, fuck that for thinking I was living under a less
restrictive regime -- and I can say goodbye to an
international market for my software.]
- (I left his blunt language as is, for impact.)
9.7.9. "For those interested, NIST have a short document for FTP,
'Identification & Analysis of Foreign Laws & Regulations
Pertaining to the Use of Commercial Encryption Products for
Voice & Data Communications'. Dated Jan 1994." [Owen Lewis,
Re: France Bans Encryption, alt.security.pgp, 1994-07-07]
9.8 - Digital Telephony
9.8.1. "What is Digital Telephony?"
- The Digital Telephony Bill, first proposed under Bush and
again by Clinton, is in many ways much worse than Clipper.
It has gotten less attention, for various reasons.
- For one thing, it is seen as an extension by some of
existing wiretap capabilities. And, it is fairly abstract,
happening behind the doors of telephone company switches.
- The implications are severe: mandatory wiretap and pen
register (who is calling whom) capaibilities, civil
penalties of up to $10,000 a day for insufficient
compliance, mandatory assistance must be provided, etc.
- If it is passed, it could dictate future technology. Telcos
who install it will make sure that upstart technologies
(e.g., Cypherpunks who find ways to ship voice over
computer lines) are also forced to "play by the same
rules." Being required to install government-accessible tap
points even in small systems would of course effectively
destroy them.
- On the other hand, it is getting harder and harder to make
Digital Telephony workable, even by mandate. As Jim
Kallstrom of the FBI puts it: ""Today will be the cheapest
day on which Congress could fix this thing," Kallstrom
said. "Two years from now, it will be geometrically more
expensive."" [LAN Magazine,"Is it 1984?," by Ted Bunker,
August 1994]
- This gives us a goal to shoot for: sabotage the latest
attempt to get Digital Telephony passed into law and it may
make it too intractable to *ever* be passed.
+ "Today will be the cheapest day on which
- Congress could fix this thing," Kallstrom said. "Two
years from now,
- it will be geometrically more expensive."
- The message is clear: delay Digital Telephony. Sabotage it
in the court of public opinion, spread the word, make it
flop. (Reread your "Art of War" for Sun Tsu's tips on
fighting your enemy.)
-
9.8.2. "What are the dangers of the Digital Telephony Bill?"
- It makes wiretapping invisible to the tappee.
+ If passed into law, it makes central office wiretapping
trivial, automatic.
- "What should worry people is what isn't in the news (and
probably never will until it's already embedded in comm
systems). A true 'Clipper' will allow remote tapping on
demand. This is very easily done to all-digital
communications systems. If you understand network routers
and protocol it's easy to envision how simple it would be
to 're-route' a copy of a target comm to where ever you
want it to go..." [domonkos@access.digex.net (andy
domonkos), comp.org.eff.talk, 1994-06-29]
9.8.3. "What is the Digital Telephony proposal/bill?
- proposed a few years ago...said to be inspiration for PGP
- reintroduced Feb 4, 1994
- earlier versrion:
+ "1) DIGITAL TELEPHONY PROPOSAL
- "To ensure law enforcement's continued ability to conduct
court-
- authorized taps, the administration, at the request of
the
- Dept. of Justice and the FBI, proposed ditigal telephony
- legislation. The version submitted to Congress in Sept.
1992
- would require providers of electronic communication
services
- and private branch exchange (PBX) operators to ensure
that the
- government's ability to lawfully intercept communications
is not
- curtailed or prevented entirely by the introduction of
advanced
- technology."
9.9 - Clipper, Escrowed Encyption Standard
9.9.1. The Clipper Proposal
- A bombshell was dropped on April 16, 1993. A few of us saw
it coming, as we'd been debating...
9.9.2. "How long has the government been planning key escrow?"
- since about 1989
- ironically, we got about six months advance warning
- my own "A Trial Balloon to Ban Encryption" alerted the
world to the thinking of D. Denning....she denies having
known about key escorw until the day before it was
announced, which I find implausible (not calling her a
liar, but...)
+ Phil Karn had this to say to Professor Dorothy Denning,
several weeks prior to the Clipper announcement:
- "The private use of strong cryptography provides, for the
very first time, a truly effective safeguard against this
sort of government abuse. And that's why it must continue
to be free and unregulated.
- "I should credit you for doing us all a very important
service by raising this issue. Nothing could have lit a
bigger fire under those of us who strongly believe in a
citizens' right to use cryptography than your proposals
to ban or regulate it. There are many of us out here who
share this belief *and* have the technical skills to turn
it into practice. And I promise you that we will fight
for this belief to the bitter end, if necessary." [Phil
Karn, 1993-03-23]
-
-
9.9.3. Technically, the "Escrowed Encryption Standard," or EES. But
early everyone still calls it "Clipper, " even if NSA
belatedly realized Intergraph's won product has been called
this for many years, a la the Fairchild processor chip of the
same name. And the database product of the same name. I
pointed this out within minutes of hearing about this on
April 16th, 1993, and posted a comment to this effect on
sci.crypt. How clueless can they be to not have seen in many
months of work what many of us saw within seconds?
9.9.4. Need for Clipper
9.9.5. Further "justifications" for key escrow
+ anonymous consultations that require revealing of
identities
- suicide crisis intervention
- confessions of abuse, crimes, etc. (Tarasoff law)
- corporate records that Feds want to look at
+ Some legitimate needs for escrowed crypto
- for corporations, to bypass the passwords of departed,
fired, deceased employees,
9.9.6. Why did the government develop Clipper?
9.9.7. "Who are the designated escrow agents?"
- Commerce (NIST) and Treasury (Secret Service).
9.9.8. Whit Diffie
- Miles Schmid was architect
+ international key escrow
- Denning tried to defend it....
9.9.9. What are related programs?
9.9.10. "Where do the names "Clipper" and "Skipjack" come from?
- First, the NSA and NIST screwed up big time by choosing the
name "Clipper," which has long been the name of the 32-bit
RISC processor (one of the first) from Fairchild, later
sold to Intergraph. It is also the name of a database
compiler. Most of us saw this immediately.
-
+ Clippers are boats, so are skipjacks ("A small sailboat
having a
- bottom shaped like a flat V and vertical sides" Am
Heritage. 3rd).
- Suggests a nautical theme, which fits with the
Cheseapeake environs of
- the Agency (and small boats have traditionally been a way
for the
+ Agencies to dispose of suspected traitors and spies).
-
- However, Capstone is not a boat, nor is Tessera, so the
trend fails.
9.10 - Technical Details of Clipper, Skipjack, Tessera, and EES
9.10.1. Clipper chip fabrication details
+ ARM6 core being used
- but also rumors of MIPS core in Tessera
- MIPS core reportedly being designed into future versions
- National also built (and may operate) a secure wafer fab
line for NSA, reportedly located on the grounds of Ft.
Meade--though I can't confirm the location or just what
National's current involvement still is. May only be for
medium-density chips, such as key material (built under
secure conditions).
9.10.2. "Why is the Clipper algorithm classified?"
- to prevent non-escrow versions, which could still use the
(presumably strong) algorithm and hardware but not be
escrowed
- cryptanalysis is always easier if the algorithms are known
:-}
- general government secrecy
- backdoors?
9.10.3. If Clipper is flawed (the Blaze LEAF Blower), how can it
still be useful to the NSA?
- by undermining commercial alternatives through subsidized
costs (which I don't think will happen, given the terrible
PR Clipper has gotten)
- mandated by law or export rules
- and the Blaze attack is--at present--not easy to use (and
anyone able to use it is likely to be sophisticated enough
to use preencryption anyway)
9.10.4. What about weaknesses of Clipper?
- In the views of many, a flawed approach. That is, arguing
about wrinkles plays into the hands of the Feds.
9.10.5. "What are some of the weaknesses in Clipper?"
- the basic idea of key escrow is an infringement on liberty
+ access to the keys
- "
+ "There's a big door in the side with a
- big neon sign saying "Cops and other Authorized People
Only";
- the trapdoor is the fact that anybody with a fax
machine can make
- themselves and "Authorized Person" badge and walk in.
- possible back doors in the Skipjace algorithm
+ generation of the escrow keys
-
+ "There's another trapdoor, which is that if you can
predict the escrow
- keys by stealing the parameters used by the Key
Generation Bureau to
- set them, you don't need to get the escrow keys from
the keymasters,
- you can gen them yourselves. "
9.10.6. Mykotronx
- MYK-78e chip, delays, VTI, fuses
- National Semiconductor is working with Mykotronx on a
faster implementation of the
Clipper/Capstone/Skipjack/whatever system. (May or may not
be connected directly with the iPower product line. Also,
the MIPS processor core may be used, instead of the ARM
core, which is said to be too slow.)
9.10.7. Attacks on EES
- sabotaging the escrow data base
+ stealing it, thus causing a collapse in confidence
- Perry Metzger's proposal
- FUD
9.10.8. Why is the algorithm secret?
9.10.9. Skipjack is 80 bits, which is 24 bits longer than the 56 bits
of DES. so
9.10.10. "What are the implications of the bug in Tessera found by
Matt Blaze?"
- Technically, Blaze's work was done on a Tessera card, which
implements the Skipjace algorithm. The Clipper phone system
may be slightly different and details may vary; the Blaze
attack may not even work, at least not practically.
- " The announcement last month was about a discovery that,
with a half-hour or so of time on an average PC, a user
could forge a bogus LEAF (the data used by the government
to access the back door into Clipper encryption). With such
a bogus LEAF, the Clipper chip on the other end would
accept and decrypt the communication, but the back door
would not work for the government." [ Steve Brinich,
alt.privacy.clipper, 1994-07-04]
- "The "final" pre-print version (dated August 20, 1994) of
my paper, "Protocol Failure in the Escrowed Encryption
Standard" is now available. You can get it in PostScript
form via anonymous ftp from research.att.com in the file
/dist/mab/eesproto.ps . This version replaces the
preliminary draft (June 3) version that previously occupied
the same file. Most of the substance is identical,
although few sections are expanded and a few minor errors
are now corrected." [Matt Blaze, 1994-09-04]
9.11 - Products, Versions -- Tessera, Skipjack, etc.
9.11.1. "What are the various versions and products associated with
EES?"
- Clipper, the MYK-78 chip.
- Skipjack.
+ Tessera. The PCMCIA card version of the Escrowed Encryption
Standard.
- the version Matt Blaze found a way to blow the LEAF
- National Semiconductor "iPower" card may or may not
support Tessera (conflicting reports).
9.11.2. AT&T Surety Communications
- NSA may have pressured them not to release DES-based
products
9.11.3. Tessera cards
- iPower
- Specifications for the Tessera card interface can be found
in several places, including " csrc.ncsl.nist.gov"--see the
file cryptcal.txt [David Koontz, 1994-08-08].
9.12 - Current Status of EES, Clipper, etc.
9.12.1. "Did the Administration really back off on Clipper? I heard
that Al Gore wrote a letter to Rep. Cantwell, backing off."
- No, though Clipper has lost steam (corporations weren't
interested in buying Clipper phones, and AT&T was very late
in getting "Surety" phones out).
- The Gore announcement may actually indicate a shift in
emphasis to "software key escrow" (my best guess).
- Our own Michael Froomkin, a lawyer, writes: "The letter is
a nullity. It almost quotes from testimony given a year
earlier by NIST to Congress. Get a copy of Senator Leahy's
reaction off the eff www server. He saw it for the empty
thing it is....Nothing has changed except Cantwell dropped
her bill for nothing." [A.Michael Froomkin,
alt.privacy.clipper, 1994-09-05]
9.13 - National Information Infrastructure, Digital Superhighway
9.13.1. Hype on the Information Superhighway
- It's against the law to talk abou the Information
Superhighway without using at least one of the overworked
metaphors: road kill, toll boths, passing lanes, shoulders,
on-ramps, off-ramps, speeding, I-way, Infobahn, etc.
- Most of what is now floating around the suddenly-trendy
idea of the Digital Superduperway is little more than hype.
And mad metaphors. Misplaced zeal, confusing tangential
developments with real progress. Much like libertarians
assuming the space program is something they should somehow
be working on.
- For example, the much-hyped "Pizza Hut" on the Net (home
pizza pages, I guess). It is already being dubbed "the
first case of true Internet commerce." Yeah, like the Coke
machines on the Net so many years ago were examples of
Internet commerce. Pure hype. Madison Avenue nonsense. Good
for our tabloid generation.
9.13.2. "Why is the National Information Infrastructure a bad idea?"
- NII = Information Superhighway = Infobahn = Iway = a dozen
other supposedly clever and punning names
+ Al Gore's proposal:
- links hospitals, schools, government
+ hard to imagine that the free-wheeling anarchy of the
Internet would persist..more likely implications:
- "is-a-person" credentials, that is, proof of identity,
and hence tracking, of all interactions
- the medical and psychiatric records would be part of
this (psychiatrists are leery of this, but they may
have no choice but to comply under the National Health
Care plans being debated)
+ There are other bad aspects:
- government control, government inefficiency, government
snooping
- distortion of markets ("universal access')
- restriction of innovation
- is not needed...other networks are doing perfectly well,
and will be placed where they are needed and will be
locally paid for
9.13.3. NII, Video Dialtone
+ "Dialtone"
- phone companies offer an in-out connection, and charge
for the connection, making no rulings on content (related
to the "Common Carrier" status)
+ for video-cable, I don't believe there is an analogous
set-up being looked at
+ cable t.v.
- Carl Kadie's comments to Sternlight
9.13.4. The prospects and dangers of Net subsidies
- "universal access," esp. if same happens in health care
- those that pay make the rules
+ but such access will have strings attached
- limits on crypto
-
- universal access also invites more spamming, a la the
"Freenet" spams, in which folks keep getting validated as
new users: any universal access system that is not pay-as-
you-go will be sensitive to this *or* will result in calls
for universal ID system (is-a-person credentialling)
9.13.5. NII, Superhighway, I-way
- crypto policy
- regulation, licensing
9.14 - Government Interest in Gaining Control of Cyberspace
9.14.1. Besides Clipper, Digital Telephony, and the National
Information Infrastructure, the government is interested in
other areas, such as e-mail delivery (US Postal Service
proposal) and maintenance of network systems in general.
9.14.2. Digital Telephony, ATM networks, and deals being cut
- Rumblings of deals being cut
- a new draft is out [John Gilmore, 1994-08-03]
- Encryption with hardware at full ATM speeds
- and SONET networks (experimental, Bay Area?)
9.14.3. The USPS plans for mail, authentication, effects on
competition, etc.
+ This could have a devastating effect on e-mail and on
cyberspace in general, especially if it is tied in to other
government proposals in an attempt to gain control of
cyberspace.
- Digital Telelphony, Clipper, pornography laws and age
enforcement (the Amateur Action case), etc.
+ "Does the USPS really have a monopoly on first class mail?"
- and on "routes"?
- "The friendly PO has recently been visiting the mail
rooms of 2) The friendly PO has recently been visiting
the mail rooms of corporations in the Bay Area, opening
FedX, etc. packages (not protected by the privacy laws of
the PO's first class mail), and fining companies ($10,000
per violation, as I recall), for sending non-time-
sensitive documents via FedX when they could have been
sent via first-class mail." [Lew Glendenning, USPS
digital signature annoucement, sci.crypt, 1994-08-23] (A
citation or a news story would make this more credible,
but I've heard of similar spot checks.)
- The problems with government agencies competing are well-
known. First, they often have shoddy service..civil service
jobs, unfireable workers, etc. Second, they often cannot be
sued for nonperformance. Third, they often have government-
granted monopolies.
+ The USPS proposal may be an opening shot in an attempt to
gain control of electronic mail...it never had control of e-
mail, but its monopoly on first-class mail may be argued by
them to extend to cyberspace.
- Note: FedEx and the other package and overnight letter
carriers face various restrictions on their service; for
example, they cannot offer "routes" and the economies
that would result in.
- A USPS takeover of the e-mail business would mean an end
to many Cypherpunks objectives, including remailers,
digital postage, etc.
- The challenge will be to get these systems deployed as
quickly as possible, to make any takeover by the USPS all
the more difficult.
9.15 - Software Key Escrow
9.15.1. (This section needs a lot more)
9.15.2. things are happening fast....
9.15.3. TIS, Carl Ellison, Karlsruhe
9.15.4. objections to key escrow
- "Holding deposits in real estate transactions is a classic
example. Built-in wiretaps are *not* escrow, unless the
government is a party to your contract. As somebody on the
list once said, just because the Mafia call themselves
"businessmen" doesn't make them legitimate; calling
extorted wiretaps "escrow" doesn't make them a service.
"The government has no business making me get their
permission to talk to anybody about anything in any
language I choose, and they have no business insisting I
buy "communication protection service" from some of their
friends to do it, any more than the aforenamed
"businessmen" have any business insisting I buy "fire
insurance" from *them*." [Bill Stewart, 1994-07-24]
9.15.5. Micali's "Fair Escrow"
- various efforts underway
- need section here
- Note: participants at Karlsruhe Conference report that a
German group may have published on software key escrow
years before Micali filed his patent (reports that NSA
officials were "happy")
9.16 - Politics, Opposition
9.16.1. "What should Cypherpunks say about Clipper?"
- A vast amount has been written, on this list and in dozens
of other forums.
- Eric Hughes put it nicely a while back:
- "The hypothetical backdoor in clipper is a charlatan's
issue by comparison, as is discussion of how to make a key
escrow system
'work.' Do not be suckered into talking about an issue
that is not
important. If someone want to talk about potential back
doors, refuse to speculate. The existence of a front door
(key escrow) make back door issues pale in comparison.
"If someone wants to talk about how key escrow works,
refuse to
elaborate. Saying that this particular key escrow system
is bad has a large measure of complicity in saying that
escrow systems in general are OK. Always argue that this
particular key escrow system is bad because it is a key
escrow system, not because it has procedural flaws.
"This right issue is that the government has no right to my
private communications. Every other issue is the wrong
issue and detracts from this central one. If we defeat one
particular system without defeating all other possible such
systems at the same time, we have not won at all; we have
delayed the time of reckoning." [ Eric Hughes, Work the
work!, 1993-06-01]
9.16.2. What do most Americans think about Clipper and privacy?"
- insights into what we face
+ "In a Time/CNN poll of 1,000 Americans conducted last week
by Yankelovich
- Partners, two-thirds said it was more important to
protect the privacy of phone
- calls than to preserve the ability of police to conduct
wiretaps.
- When informed about the Clipper Chip, 80% said they
opposed it."
- Philip Elmer-Dewitt, "Who Should Keep the Keys", Time,
Mar. 4, 1994
9.16.3. Does anyone actually support Clipper?
+ There are actually legitimate uses for forms of escrow:
- corporations
- other partnerships
9.16.4. "Who is opposed to Clipper?"
- Association for Computing Machinery (ACM). "The USACM urges
the Administration at this point to withdraw the Clipper
Chip proposal and to begin an open and public review of
encryption policy. The escrowed encryption initiative
raises vital issues of privacy, law enforcement,
competitiveness and scientific innovation that must be
openly discussed." [US ACM, DC Office" ,
USACM Calls for Clipper Withdrawal, press release, 1994-06-
30]
9.16.5. "What's so bad about key escrow?"
+ If it's truly voluntary, there can be a valid use for this.
+ Are trapdoors justified in some cases?
+ Corporations that wish to recover encrypted data
+ several scenarios
- employee encrypts important files, then dies or is
otherwise unavailable
+ employee leaves company before decrypting all files
- some may be archived and not needed to be opened
for many years
- employee may demand "ransom" (closely related to
virus extortion cases)
- files are found but the original encryptor is
unknown
+ Likely situation is that encryption algorithms will be
mandated by corporation, with a "master key" kept
available
- like a trapdoor
- the existence of the master key may not even be
publicized within the company (to head off concerns
about security, abuses, etc.)
+ Government is trying to get trapdoors put in
- S.266, which failed ultimately (but not before
creating a ruckus)
+ If the government requires it...
- Key escrow means the government can be inside your home
without you even knowing it
- and key escrow is not really escrow...what does one get
back from the "escrow" service?
9.16.6. Why governments should not have keys
- can then set people up by faking messages, by planting
evidence
- can spy on targets for their own purposes (which history
tells us can include bribery, corporate espionage, drug-
running, assassinations, and all manner of illegal and
sleazy activities)
- can sabotage contracts, deals, etc.
- would give them access to internal corporate communications
- undermines the whole validity of such contracts, and of
cryptographic standards of identity (shakes confidence)
- giving the King or the State the power to impersonate
another is a gross injustice
- imagine the government of Iran having a backdoor to read
the secret journals of its subjects!
- 4th Amendment
- attorney-client privilege (with trapdoors, no way to know
that government has not breached confidentiality)
9.16.7. "How might the Clipper chip be foiled or defeated?"
- Politically, market-wise, and technical
- If deployed, that is
+ Ways to Defeat Clipper
- preencryption or superencryption
- LEAF blower
- plug-compatible, reverse-engineered chip
- sabotage
- undermining confidence
- Sun Tzu
9.16.8. How can Clipper be defeated, politically?
9.16.9. How can Clipper be defeated, in the market?
9.16.10. How can Clipper be defeated, technologically?
9.16.11. Questions
+ Clipper issues and questions
- a vast number of questions, comments, challenges,
tidbits, details, issues
- entire newsgroups devoted to this
+ "What criminal or terrrorist will be smart enough to use
encryption but dumb enough to use Clipper?"
- This is one of the Great Unanswered Questions. Clipper's
supporter's are mum on this one. Suggesting....
+ "Why not encrypt data before using the Clipper/EES?"
- "Why can't you just encrypt data before the clipper chip?
Two answers:
1) the people you want to communicate with won't have
hardware to
decrypt your data, statistically speaking. The beauty
of clipper
from the NSA point of view is that they are leveraging
the
installed base (they hope) of telephones and making it
impossible
(again, statistically) for a large fraction of the
traffic to be
untappable.
2) They won't license bad people like you to make
equipment like the
system you describe. I'll wager that the chip
distribution will be
done in a way to prevent significant numbers of such
systems from
being built, assuring that (1) remains true." [Tom
Knight, sci.crypt, 6-5-93]
-
+ What are the implications of mandatory key escrow?
+ "escrow" is misleading...
- wrong use of the term
- implies a voluntary, and returnable, situation
+ "If key escrow is "voluntary," what's the big deal?"
- Taxes are supposedly "voluntary," too.
- A wise man prepares for what is _possible_ and even
_likely_, not just what is announced as part of public
policy; policies can and do change. There is plenty of
precedent for a "voluntary" system being made mandatory.
- The form of the Clipper/EES system suggests eventual
mandatory status; the form of such a ban is debatable.
+ "What is 'superencipherment,' and can it be used to defeat
Clipper?"
- preencrypting
- could be viewed as a non-English language
+ how could Clipper chip know about it (entropy measures?)
- far-fetched
- wouldn't solve traffic anal. problem
- What's the connection between Clipper and export laws?
+ "Doesn't this make the Clipper database a ripe target?"
- for subversion, sabotage, espionage, theft
- presumably backups will be kept, and _these_ will also be
targets
+ "Is Clipper just for voice encryption?"
- Clipper is a data encryption chip, with the digital data
supplied by an ADC located outside the chip. In
principle, it could thus be used for data encryption in
general.
- In practice, the name Clipper is generally associated
with telephone use, while "Capstone" is the data standard
(some differences, too). The "Skipjack" algorithm is used
in several of these proposed systems (Tessera, also).
9.16.12. "Why is Clipper worse than what we have now?"
+ John Gilmore answered this question in a nice essay. I'm
including the whole thing, including a digression into
cellular telephones, because it gives some insight--and
names some names of NSA liars--into how NSA and NIST have
used their powers to thwart true security.
- "It's worse because the market keeps moving toward
providing real encryption.
"If Clipper succeeds, it will be by displacing real
secure encryption. If real secure encryption makes it
into mass market communications products, Clipper will
have failed. The whole point is not to get a few
Clippers used by cops; the point is to make it a
worldwide standard, rather than having 3-key triple-DES
with RSA and Diffie-Hellman become the worldwide
standard.
"We'd have decent encryption in digital cellular phones
*now*, except for the active intervention of Jerry
Rainville of NSA, who `hosted' a meeting of the standards
committee inside Ft. Meade, lied to them about export
control to keep committee documents limited to a small
group, and got a willing dupe from Motorola, Louis
Finkelstein, to propose an encryption scheme a child
could break. The IS-54 standard for digital cellular
doesn't describe the encryption scheme -- it's described
in a separate document, which ordinary people can't get,
even though it's part of the official accredited
standard. (Guess who accredits standards bodies though -
- that's right, the once pure NIST.)
"The reason it's secret is because it's so obviously
weak. The system generates a 160-bit "key" and then
simply XORs it against each block of the compressed
speech. Take any ten or twenty blocks and recover the
key by XORing frequent speech patterns (like silence, or
the letter "A") against pieces of the blocks to produce
guesses at the key. You try each guess on a few blocks,
and the likelihood of producing something that decodes
like speech in all the blocks is small enough that you'll
know when your guess is the real key.
"NSA is continuing to muck around in the Digital Cellular
standards committee (TR 45.3) this year too. I encourage
anyone who's interested to join the committee, perhaps as
an observer. Contact the Telecommunications Industry
Association in DC and sign up. Like any standards
committee, it's open to the public and meets in various
places around the country. I'll lend you a lawyer if
you're a foreign national, since the committee may still
believe that they must exclude foreign nationals from
public discussions of cryptography. Somehow the crypto
conferences have no trouble with this; I think it's
called the First Amendment. NSA knows the law here --
indeed it enforces it via the State Dept -- but lied to
the committee." [John Gilmore, "Why is clipper worse than
"no encryption like we have," comp.org.eff.talk, 1994-04-
27]
9.16.13. on trusting the government
- "WHAT AM THE MORAL OF THE STORY, UNCLE REMUS?....When the
government makes any announcement (ESPECIALLY a denial),
you should figure out what the government is trying to get
you to do--and do the opposite. Contrarianism with a
vengance. Of all the advice I've offered on the
Cypherpunks Channel, this is absolutely the most certain."
[Sandy Sandfort, 1994-07-17]
- if the Founders of the U.S. could see the corrupt,
socialist state this nation has degenerated to, they'd be
breaking into missile silos and stealing nukes to use
against the central power base.
+ can the government be trusted to run the key escrow system?
- "I just heard on the news that 1300 IRS employees have
been disciplined for unauthorized accesses to
electronically filed income tax returns. ..I'm sure they
will do much better, though, when the FBI runs the phone
system, the Post Office controls digital identity and
Hillary takes care of our health." [Sandy Sandfort, 1994-
07-19]
- This is just one of many such examples: Watergate ("I am
not a crook!"), Iran-Contra, arms deals, cocaine
shipments by the CIA, Teapot Dome, graft, payoffs,
bribes, assassinations, Yankee-Cowboy War, Bohemian
Grove, Casolaro, more killings, invasions, wars. The
government that is too chicken to ever admit it lost a
war, and conspicuously avoids diplomatic contact with
enemies it failed to vanquish (Vietnam, North Korea,
Cuba, etc.), while quickly becoming sugar daddy to the
countries it did vanquish...the U.S. appears to be
lacking in practicality. (Me, I consider it wrong for
anyone to tell me I can't trade with folks in another
country, whether it's Haiti, South Africa, Cuba, Korea,
whatever. Crypto anarchy means we'll have _some_ of the
ways of bypassing these laws, of making our own moral
decisions without regard to the prevailing popular
sentiment of the countries in which we live at the
moment.)
9.17 - Legal Issues with Escrowed Encryption and Clipper
9.17.1. As John Gilmore put it in a guest editorial in the "San
Francisco Examiner," "...we want the public to see a serious
debate about why the Constitution should be burned in order
to save the country." [J.G., 1994-06-26, quoted by S.
Sandfort]
9.17.2. "I don't see how Clipper gives the government any powers or
capabilities it doesn't already have. Comments?"
9.17.3. Is Clipper really voluntary?
9.17.4. If Clipper is voluntary, who will use it?
9.17.5. Restrictions on Civilian Use of Crypto
9.17.6. "Has crypto been restricted in the U.S.?"
9.17.7. "What legal steps are being taken?"
- Zimmermann
- ITAR
9.17.8. reports that Department of Justice has a compliance
enforcement role in the EES [heard by someone from Dorothy
Denning, 1994-07], probably involving checking the law
enforcement agencies...
9.17.9. Status
+ "Will government agencies use Clipper?"
- Ah, the embarrassing question. They claim they will, but
there are also reports that sensitive agencies will not
use it, that Clipper is too insecure for them (key
lenght, compromise of escrow data, etc.). There may also
be different procedures (all agencies are equal, but some
are more equal than others).
- Clipper is rated for unclassified use, so this rules out
many agencies and many uses. An interesting double
standard.
+ "Is the Administration backing away from Clipper?"
+ industry opposition surprised them
- groups last summer, Citicorp, etc.
- public opinion
- editorial remarks
- so they may be preparing alternative
- and Gilmore's FOIA, Blaze's attack, the Denning
nonreview, the secrecy of the algortithm
+ will not work
- spies won't use it, child pornographers probably won't
use it (if alternatives exist, which may be the whole
point)
- terrorists won't use it
- Is Clipper in trouble?
9.17.10. "Will Clipper be voluntary?"
- Many supporters of Clipper have cited the voluntary nature
of Clipper--as expressed in some policy statements--and
have used this to counter criticism.
+ However, even if truly voluntary, some issues
+ improper role for government to try to create a
commercial standard
- though the NIST role can be used to counter this point,
partly
- government can and does make it tough for competitors
- export controls (statements by officials on this exist)
+ Cites for voluntary status:
- original statement says it will be voluntary
- (need to get some statements here)
+ Cites for eventual mandatory status:
- "Without this initiative, the government will eventually
become helpless to defend the nation." [Louis Freeh,
director of the FBI, various sources]
- Steven Walker of Trusted Information Systems is one of
many who think so: "Based on his analysis, Walker added,
"I'm convinced that five years from now they'll say 'This
isn't working,' so we'll have to change the rules." Then,
he predicted, Clipper will be made mandatory for all
encoded communications." [
+ Parallels to other voluntary programs
- taxes
9.18 - Concerns
9.18.1. Constitutional Issues
- 4th Amend
- privacy of attorney-client, etc.
+ Feds can get access without public hearings, records
- secret intelligence courts
-
+ "It is uncontested (so far as I have read) that under
certain circum-
- stances, the Federal intelligence community wil be
permitted to
- obtain Clipper keys without any court order on public
record. Only
- internal, classified proceedings will protect our
privacy."
9.18.2. "What are some dangers of Clipper, if it is widely adopted?"
+ sender/receiver ID are accessible without going to the key
escrow
- this makes traffic analysis, contact lists, easy to
generate
+ distortions of markets ("chilling effects") as a plan by
government
- make alternatives expensive, hard to export, grounds for
suspicion
- use of ITAR to thwart alternatives (would be helped if
Cantwell bill to liberalize export controls on
cryptography (HR 3627) passes)
+ VHDL implementations possible
- speculates Lew Glendenning, sci.crypt, 4-13-94
- and recall MIPS connection (be careful here)
9.18.3. Market Isssues
9.18.4. "What are the weaknesses in Clipper?"
+ Carl Ellison analyzed it this way:
- "It amuses the gallows-humor bone in me to see people
busily debating the quality of Skipjack as an algorithm
and the quality of the review of its strength.
Someone proposes to dangle you over the Grand Canyon
using
sewing thread
tied to
steel chain
tied to
knitting yarn
and you're debating whether the steel chain has been X-
rayed properly to see if there are flaws in the metal.
"Key generation, chip fabrication, court orders,
distribution of keys once acquired from escrow agencies
and safety of keys within escrow agencies are some of the
real weaknesses. Once those are as strong as my use of
1024-bit RSA and truly random session keys in keeping
keys on the two sides of a conversation with no one in
the middle able to get the key, then we need to look at
the steel chain in the middle: Skipjack itself." [Carl
Ellison, 1993-08-02]
+ Date: Mon, 2 Aug 93 17:29:54 EDT
From: cme@ellisun.sw.stratus.com (Carl Ellison)
To: cypherpunks@toad.com
Subject: cross-post
Status: OR
Path: transfer.stratus.com!ellisun.sw.stratus.com!cme
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Newsgroups: sci.crypt
Subject: Skipjack review as a side-track
Date: 2 Aug 1993 21:25:11 GMT
Organization: Stratus Computer, Marlboro MA
Lines: 28
Message-ID: <23k0nn$8gk@transfer.stratus.com>
NNTP-Posting-Host: ellisun.sw.stratus.com
It amuses the gallows-humor bone in me to see people
busily debating the
quality of Skipjack as an algorithm and the quality of
the review of its
strength.
Someone proposes to dangle you over the Grand Canyon
using
sewing thread
tied to
steel chain
tied to
knitting yarn
and you're debating whether the steel chain has been X-
rayed properly
to see if there are flaws in the metal.
Key generation, chip fabrication, court orders,
distribution of keys once
acquired from escrow agencies and safety of keys within
escrow agencies are
some of the real weaknesses. Once those are as strong as
my use of
1024-bit RSA and truly random session keys in keeping
keys on the two sides
of a conversation with no one in the middle able to get
the key, then we
need to look at the steel chain in the middle: Skipjack
itself.
- "Key generation, chip fabrication, court orders,
distribution of keys once acquired from escrow agencies
and safety of keys within escrow agencies are some of
the real weaknesses. Once those are as strong as my
use of 1024-bit RSA and truly random session keys in
keeping keys on the two sides of a conversation with no
one in the middle able to get the key, then we need to
look at the steel chain in the middle: Skipjack
itself."
9.18.5. What it Means for the Future
9.18.6. Skipjack
9.18.7. National security exceptions
- grep Gilmore's FOIA for mention that national security
people will have direct access and that this will not be
mentioned to the public
+ "The "National Security" exception built into the Clipper
proposal
- leaves an extraordinarily weak link in the chain of
procedures designed
- to protect user privacy. To place awesome powers of
surveillance
- technologically within the reach of a few, hoping that so
weak a chain
- will bind them, would amount to dangerous folly. It
flies in the face
- of history.
9.18.8. In my view, any focus on the details of Clipper instead of
the overall concept of key escrow plays into their hands.
This is not to say that the work of Blaze and others is
misguided....in fact, it's very fine work. But a general
focus on the _details_ of Skipjack does nothing to allay my
concerns about the _principle_ of government-mandated crypto.
If it were "house key escrow" and there were missing details
about the number of teeth allowed on the keys, would be then
all breathe a sigh of relief if the details of the teeth were
clarified? Of course not. Me, I will never use a key escrow
system, even if a blue ribbon panel of hackers and
Cypherpunks studies the design and declares it to be
cryptographically sound.
9.18.9. Concern about Clipper
- allows past communications to be read
+ authorities could--maybe--read a lot of stuff, even
illegally, then use this for other investigations (the old
"we had an anonymous tip" ploy)
- "The problem with Clipper is that it provides police
agencies with dramatically enhanced target acquistion.
There is nothing to prevent NSA, ATF, FBI (or the Special
Projects division of the Justice Department) from
reviewing all internet traffic, as long as they are
willing to forsake using it in a criminal prosecution."
[dgard@netcom.com, alt.privacy.clipper, 1994-07-05]
9.18.10. Some wags have suggested that the new escrow agencies be
chosen from groups like Amnesty International and the ACLU.
Most of us are opposed to the "very idea" of key escrow
(think of being told to escrow family photos, diaries, or
house keys) and hence even these kinds of skeptical groups
are unacceptable as escrow agents.
9.19 - Loose Ends
9.19.1. "Are trapdoors--or some form of escrowed encryption--
justified in some cases?"
+ Sure. There are various reasons why individuals, companies,
etc. may want to use crypto protocols that allow them to
decrypt even if they've lost their key, perhaps by going to
their lawyer and getting the sealed envelope they left with
him, etc.
- or using a form of "software key escrow" that allows them
access
+ Corporations that wish to recover encrypted data
+ several scenarios
- employee encrypts important files, then dies or is
otherwise unavailable
+ employee leaves company before decrypting all files
- some may be archived and not needed to be opened for
many years
- employee may demand "ransom" (closely related to virus
extortion cases)
- files are found but the original encryptor is unknown
+ Likely situation is that encryption algorithms will be
mandated by corporation, with a "master key" kept available
- like a trapdoor
- the existence of the master key may not even be
publicized within the company (to head off concerns about
security, abuses, etc.)
- The mandatory use of key escrow, a la a mandatory Clipper
system, or the system many of us believe is being developed
for software key escrow (SKE, also called "GAK," for
"government access to keys, by Carl Ellison) is completely
different, and is unacceptable. (Clipper is discussed in
many places here.)
9.19.2. DSS
+ Continuing confusion over patents, standards, licensing,
etc.
- "FIPS186 is DSS. NIST is of the opinion that DSS does not
violate PKP's patents. PKP (or at least Jim Bidzos) takes
the position that it does. But for various reasons, PKP
won't sue the government. But Bidzos threatens to sue
private parties who infringe. Stay tuned...." [Steve
Wildstrom, sci.crypt, 1994-08-19]
- even Taher ElGamal believes it's a weak standard
- subliminal channels issues
9.19.3. The U.S. is often hypocritical about basic rights
- plans to "disarm" the Haitians, as we did to the Somalians
(which made those we disarmed even more vulnerable to the
local warlords)
- government officials are proposing to "silence" a radio
station in Ruanda they feel is sending out the wrong
message! (Heard on "McNeil-Lehrer News Hour," 1994-07-21]
9.19.4. "is-a-person" and RSA-style credentials
+ a dangerous idea, that government will insist that keys be
linked to persons, with only one per person
- this is a flaw in AOCE system
- many apps need new keys generated many times