9.1 copyright
   THE  CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
   1994-09-10, Copyright Timothy C. May. All rights reserved.
   See the detailed disclaimer. Use short sections under "fair
   use" provisions, with appropriate credit, but don't put your
   name on my words.

9.2 - SUMMARY: Policy: Clipper,Key Escrow, and Digital Telephony
 9.2.1. Main Points
  - Clipper has been a main unifying force, as 80% of all
     Americans, and 95% of all computer types, are opposed.
  - "Big Brother Inside"
 9.2.2. Connections to Other Sections
  - the main connections are _legal_
  - some possible implications for limits on crypto
 9.2.3. Where to Find Additional Information
  - There have been hundreds of articles on Clipper, in nearly
     all popular magazines. Many of these were sent to the
     Cypherpunks  list and may be available in the archives. (I
     have at least 80 MB of Cypherpunks list stuff, a lot of it
     newspaper and magazine articles on Clipper!)
  + more Clipper information can be found at:
    - "A good source is the Wired Online Clipper Archive. Send
       e-mail to info-rama@wired.com. with no subject and the
       words 'get help' and 'get clipper/index' in the body of
       the message." [students@unsw.EDU.AU, alt.privacy.clipper,
       1994-09-01]
 9.2.4. Miscellaneous Comments
  - As with a couple of other sections, I won't try to be as
     complete as some might desire. Just too many thousands of
     pages of stuff to consider.

9.3 - Introduction
 9.3.1. What is Clipper?
  - government holds the skeleton keys
  - analogies to other systems
 9.3.2. Why do most Cypherpunks oppose Clipper?
  - fear of restrictions on crypto, derailing so many wonderful
     possibilities
 9.3.3. Why does Clipper rate its own section?
  - The announcement of the "Escrowed Encryption Standard,"
     EES, on April 16, 1993, was a galvanizing event for
     Cypherpunks and for a large segment of the U. S.
     population. The EES was announced originally as "Clipper,"
     despite the use of the name Clipper by two major products
     (the Intergraph CPU and a dBase software tool), and the
     government backed off on the name. Too late, though, as the
     name "Clipper" had become indelibly linked to this whole
     proposal.
 9.3.4. "Is stopping Clipper the main goal of Cypherpunks?"
  - It certainly seems so at times, as Clipper has dominated
     the topics since the Clipper announcement in April, 1993.
  + it has become so, with monkeywrenching efforts in several
     areas
    - lobbying and education against it (though informal, such
       lobbying has been successful...look at NYT article)
    - "Big Brother Inside" and t-shirts
    - technical monkeywrenching (Matt Blaze...hesitate to claim
       any credit, but he has been on our list, attended a
       meeting, etc.)
  - Although it may seem so, Clipper is just one
     aspect...step...initiative.
  - Developing new software tools, writing code, deploying
     remailers and digital cash are long-range projects of great
     importance.
  - The Clipper key escrow proposal came along (4-93) at an
     opportune time for Cypherpunks and became a major focus.
     Emergency meetings, analyses, etc.

9.4 - Crypto Policy Issues
 9.4.1. Peter Denning on crypto policy:
  + provided by Pat Farrell, 1994-08-20; Denning comments are
     1992-01-22, presented at Computers, Freedom, and Privacy 2.
     Peter D. uses the metaphor of a "clearing,"as in a forest,
     for the place where people meet to trade, interact, etc.
     What others call markets, agoras, or just "cyberspace."
    - "Information technology in producing a clearing in which
       individuals and corporations are key players besides
       government. Any attempt by government to control the flow
       of information over networks will be ignored or met with
       outright hostility.  There is no practical way that
       government can control information except information
       directly involved in the business of governing.  It
       should not try." [Peter Denning, PUBLIC POLICY FOR THE
       21ST CENTURY, DRAFT 1/22/92]
  - No word on how this view squares with his wife's control
     freak views.
 9.4.2. Will government and NSA in particular attempt to acquire some
   kind of control over crypto companies?
  + speculations, apparently unfounded, that RSA Data Security
     is influenced by NSA wishes
    - weaknesses in the DES keys picked?
  - and companies may be dramatically influenced by contracts
     (and the witholding of them)
 9.4.3. NIST and DSS
 9.4.4. Export restrictions, Munitions List, ITAR
 9.4.5. old crypto machines sold to Third World governments, cheaply
  - perhaps they think they can make some changes and outsmart
     the NSA (which probably has rigged it so any changes are
     detectable and can be factored in)
  - and just knowing the type of machine is a huge advantage
 9.4.6. 4/28/97   The first of several P-K and RSA patents expires
  + U.S. Patent Number: 4200770
    - Title: Cryptographic Apparatus and Method
    - Inventors: Hellman, Diffie, Merkle
    - Assignee: Stanford University
    - Filed: September 6, 1977
    - Granted: April 29, 1980
    - [Expires: April 28, 1997]
  + remember that any one of these several patents held by
     Public Key Partners (Stanford and M.I.T., with RSA Data
     Security the chief dispenser of licenses) can block an
     effort to bypass the others
    - though this may get fought out in court
 9.4.7. encryption will be needed inside computer systems
  - for operating system protection
  - for autonomous agents (active agents)
  - for electronic money

9.5 - Motivations for Crypto Laws
 9.5.1. "What are the law enforcement and FBI worries?"
  - "FBI Director Louis Freeh is worried. The bad guys are
     beginning to see the light, and it is digital. ... Freeh
     fears some pretty nasty folks have discovered they can
     commit highway robbery and more, without even leaving home.
     Worse, to Freeh and other top cops, by using some pretty
     basic technologies, savvy criminals can do their crimes
     without worrying about doing time.
     
     "Some crooks, spies, drug traffickers, terrorists and
     frauds already use the tools of the information age to
     outfox law enforcement officers. Hackers use PBXs to hide
     their tracks as they rip off phone companies and poke
     around in other people's files. Reprogrammed cellular
     phones give cops fits." [LAN Magazine,"Is it 1984?," by Ted
     Bunker, August 1994]
  - Their fears have some validity...in the same way that the
     rulers in Gutenberg's time could have some concerns about
     the implications of books (breaking of guilds, spread of
     national secrets, pornography, atheism, etc.).
 9.5.2. "What motivated Clipper? What did the Feds hope to gain?"
  - ostensibly to stop terrorists (only the unsophisticated
     ones, if alternatives are allowed)
  - to force a standard on average Americans
  - possibly to limit crypto development
  + Phil Karn provides an interesting motivation for Clipper:
     "Key escrow exists only because the NSA doesn't want to
     risk blame if some terrorist or drug dealer were to use an
     unescrowed NSA-produced .....The fact that a terrorist or
     drug dealer can easily go elsewhere and obtain other strong
     or stronger algorithms without key escrow is irrelevant.
     The NSA simply doesn't care as long as *they* can't be
     blamed for whatever happens. Classic CYA, nothing
     more.....A similar analysis applies to the export control
     regulations regarding cryptography." [Phil Karn, 1994-08-
     31]
    - Bill Sommerfeld notes: "If this is indeed the case, Matt
       Blaze's results should be particularly devastating to
       them." [B.S., 1994-09-01]
 9.5.3. Steve Witham has an interesting take on why folks like
   Dorothy Denning and Donn Parker support key escrow so
   ardently:
  - "Maybe people like Dot and Don think of government as a
     systems-administration sort of job.  So here they are,
     security experts advising the sys admins on things like...
     
     setting permissions
     allocating quotas
     registering users and giving them passwords.....
     deciding what utilities are and aren't available
     deciding what software the users need, and installing it
              (grudgingly, based on who's yelling the loudest)
     setting up connections to other machines
     deciding who's allowed to log in from "foreign hosts"
     getting mail set up and running
     buying new hardware from vendors
     specifying the hardware to the vendors
     ...
     
     "These are the things computer security experts advise on.
     Maybe hammer experts see things as nails.
     
     "Only a country is not a host system owned and administered
     by the government, and citizens are not guests or users."
     [Steve Witham, Government by Sysadmin, 1994-03-23]
     
 9.5.4. Who would want to use key escrow?
 9.5.5. "Will strong crypto really thwart government plans?"
  - Yes, it will give citizens the basic capabilities that
     foreign governments have had for many years
  + Despite talk about codebreakes and the expertise of the
     NSA, the plain fact is that no major Soviet ciphers have
     been broken for many years
    + recall the comment that NSA has not really broken any
       Soviet systems in many years
      - except for the cases, a la the Walker case, where
         plaintext versions are gotten, i.e., where human
         screwups occurred
  - the image in so many novels of massive computers breaking
     codes is absurd: modern ciphers will not be broken (but the
     primitive ciphers used by so many Third World nations and
     their embassies will continue to be child's play, even for
     high school science fair projects...could be a good idea
     for a small scene, about a BCC student who has his project
     pulled)
 9.5.6. "Why does the government want short keys?"
  - Commercial products have often been broken by hackers. The
     NSA actually has a charter to help businesses protect their
     secrets; just not so strongly that the crypto is
     unbreakable by them. (This of course has been part of the
     tension between the two sides of the NSA for the past
     couple of decades.)
  + So why does the government want crippled key lengths?
    - "The question is: how do you thwart hackers while
       permitting NSA access? The obvious answer is strong
       algorithm(s) and relatively truncated keys." [Grady Ward,
       sci.crypt, 1994-08-15]

9.6 - Current Crypto Laws
 9.6.1. "Has crypto been restricted in countries other than the
   U.S.?"
  - Many countries have restrictions on civilian/private use of
     crypto. Some even insist that corporations either send all
     transmissions in the clear, or that keys be provided to the
     government. The Phillipines, for example. And certainly
     regimes in the Communists Bloc, or what's left of it, will
     likely have various laws restricting crypto. Possibly
     draconian laws....in many cultures, use of crypto is
     tantamount to espionage.

9.7 - Crypto Laws Outside the U.S.
 9.7.1. "International Escrow, and Other Nation's Crypto Policies?"
  - The focus throughout this document on U.S. policy should
     not lull non-Americans into complacency. Many nations
     already have more Draconian policies on the private use of
     encryption than the U.S. is even contemplating
     (publically). France outlaws private crypto, though
     enforcement is said to be problematic (but I would not want
     the DGSE to be on my tail, that's for sure). Third World
     countries often have bans on crypto, and mere possession of
     random-looking bits may mean a spying conviction and a trip
     to the gallows.
  + There are also several reports that European nations are
     preparing to fall in line behind the U.S. on key escrow
    - Norway
    - Netherlands
    - Britain
  + A conference in D.C. in 6/94, attended by Whit Diffie (and
     reported on to us at the 6/94 CP meeting) had internation
     escrow arrangements as a topic, with the crypto policy
     makers of NIST and NSA describing various options
    - bad news, because it could allow bilateral treaties to
       supercede basic rights
    - could be plan for getting key escrow made mandatory
    + there are also practical issues
      + who can decode international communications?
        - do we really want the French reading Intel's
           communications? (recall Matra-Harris)
      - satellites? (like Iridium)
      - what of multi-national messages, such as an encrypted
         message posted to a message pool on the Internet...is
         it to be escrowed with each of 100 nations?
 9.7.2. "Will foreign countries use a U.S.-based key escrow system?"
  - Lots of pressure. Lots of evidence of compliance.
 9.7.3. "Is Europe Considering Key Escrow?"
  - Yes, in spades. Lots of signs of this, with reports coming
     in from residents of Europe and elsewhere. The Europeans
     tend to be a bit more quiet in matters of public policy (at
     least in some areas).
  - "The current issue of `Communications Week International'
     informs us that the European Union's Senior Officials Group
     for Security of Information Systems has been considering
     plans for standardising key escrow in Europe.
     
     "Agreement had been held up by arguments over who should
     hold the keys. France and Holland wanted to follow the
     NSA's lead and have national governments assume this role;
     other players wanted user organisations to do this." [
     rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow
     in Europe too, 1994-06-29]
 9.7.4. "What laws do various countries have on encryption and the
   use of encryption for international traffic?"
  + "Has France really banned encryption?"
    - There are recurring reports that France does not allow
       unfettered use of encryption.
    - Hard to say. Laws on the books. But no indications that
       the many French users of PGP, say, are being prosecuted.
    - a nation whose leader, Francois Mitterand, was a Nazi
       collaborationist, working with Petain and the Vichy
       government (Klaus Barbie involved)
  + Some Specific Countries
    - (need more info here)
    + Germany
      - BND cooperates with U.S.
    - Netherlands
    - Russia
  + Information
    - "Check out the ftp site at csrc.ncsl.nist.gov for a
       document named something like "laws.wp"  (There are
       several of these, in various formats.)  This  contains a
       survey of the positions of various countries, done for
       NIST by a couple of people at Georgetown or George
       Washington or some such university." [Philip Fites,
       alt.security.pgp, 1994-07-03]
 9.7.5. France planning Big Brother smart card?
  - "PARIS, FRANCE, 1994 MAR 4 (NB) -- The French government
     has confirmed its plans to replace citizen's paper-based ID
     cards with credit card-sized "smart card" ID cards.
     .....
     "The cards contain details of recent transactions, as well
     as act  as an "electronic purse" for smaller value
     transactions using a personal identification number (PIN)
     as authorization. "Purse transactions" are usually separate
     from the card credit/debit system, and, when the purse is
     empty, it can be reloaded from the card at a suitable ATM
     or retailer terminal."  (Steve Gold/19940304)" [this was
     forwarded to me for posting]
 9.7.6. PTTs, local rules about modem use
 9.7.7. "What are the European laws on "Data Privacy" and why are
   they such a terrible idea?"
  - Various European countries have passed laws about the
     compiling of computerized records on people without their
     explicit permission. This applies to nearly all
     computerized records--mailing lists, dossiers, credit
     records, employee files, etc.--though some exceptions exist
     and, in general, companies can find ways to compile records
     and remain within the law.
  - The rules are open to debate, and the casual individual who
     cannot afford lawyers and advisors, is likely to be
     breaking the laws repeatedly. For example, storing the
     posts of people on the Cypherpunks list in any system
     retrievable by name would violate Britain's Data Privacy
     laws. That almost no such case would ever result in a
     prosecution (for practical reasons) does not mean the laws
     are acceptable.
  - To many, these laws are a "good idea." But the laws miss
     the main point, give a false sense of security (as the real
     dossier-compilers are easily able to obtain exemptions, or
     are government agencies themselves), and interfere in what
     people do with information that properly and legally comes
     there way. (Be on the alert for "civil rights" groups like
     the ACLU and EFF to push for such data privacy laws. The
     irony of Kapor's connection to Lotus and the failed
     "Marketplace" CD-ROM product cannot be ignored.)
  - Creating a law which bans the keeping of certain kinds of
     records is an invitation to having "data inspectors"
     rummaging through one's files. Or some kind of spot checks,
     or even software key escrow.
  - (Strong crypto makes these laws tough to enforce. Either
     the laws go, or the counties with such laws will then have
     to limit strong crypto....not that that will help in the
     long run.)
  - The same points apply to well-meaning proposals to make
     employer monitoring of employees illegal. It sounds like a
     privacy-enhancing idea, but it tramples upon the rights of
     the employer to ensure that work is being done, to
     basically run his business as he sees fit, etc. If I hire a
     programmer and he's using my resources, my network
     connections, to run an illegal operation, he exposes my
     company to damages, and of course he isn't doing the job I
     paid him to do. If the law forbids me to monitor this
     situation, or at least to randomly check, then he can
     exploit this law to his advantage and to my disadvantage.
     (Again, the dangers of rigid laws, nonmarket
     solutions,(lied game theory.)
 9.7.8. on the situation in Australia
  + Matthew Gream [M.Gream@uts.edu.au] informed us that the
     export situation in Oz is just as best as in the U.S. [1994-
     09-06] (as if we didn't know...much as we all like to dump
     on Amerika for its fascist laws, it's clear that nearly all
     countries are taking their New World Order Marching Orders
     from the U.S., and that many of them have even more
     repressive crypto laws alredy in place...they just don't
     get the discussion the U.S. gets, for apparent reasons)
    - "Well, fuck that for thinking I was living under a less
       restrictive regime -- and I can say goodbye to an
       international market for my software.]
    - (I left his blunt language as is, for impact.)
 9.7.9. "For those interested, NIST have a short document for FTP,
   'Identification & Analysis of Foreign Laws & Regulations
   Pertaining to the Use of Commercial Encryption Products for
   Voice & Data Communications'. Dated Jan 1994." [Owen Lewis,
   Re: France Bans Encryption, alt.security.pgp, 1994-07-07]

9.8 - Digital Telephony
 9.8.1. "What is Digital Telephony?"
  - The Digital Telephony Bill, first proposed under Bush and
     again by Clinton, is in many ways much worse than Clipper.
     It has gotten less attention, for various reasons.
  - For one thing,  it is seen as an extension by some of
     existing wiretap capabilities. And, it is fairly abstract,
     happening behind the doors of telephone company switches.
  - The implications are severe: mandatory wiretap and pen
     register (who is calling whom) capaibilities, civil
     penalties of up to $10,000 a day for insufficient
     compliance, mandatory assistance must be provided, etc.
  - If it is passed, it could dictate future technology. Telcos
     who install it will make sure that upstart technologies
     (e.g., Cypherpunks who find ways to ship voice over
     computer lines) are also forced to "play by the same
     rules." Being required to install government-accessible tap
     points even in small systems would of course effectively
     destroy them.
  - On the other hand, it is getting harder and harder to make
     Digital Telephony workable, even by mandate. As Jim
     Kallstrom of the FBI puts it:  ""Today will be the cheapest
     day on which Congress could fix this thing," Kallstrom
     said. "Two years from now, it will be geometrically more
     expensive.""  [LAN Magazine,"Is it 1984?," by Ted Bunker,
     August 1994]
  - This gives us a goal to shoot for: sabotage the latest
     attempt to get Digital Telephony passed into law and it may
     make it too intractable to *ever* be passed.
  + "Today will be the cheapest day on which
    - Congress could fix this thing," Kallstrom said. "Two
       years from now,
    - it will be geometrically more expensive."
  - The message is clear: delay Digital Telephony. Sabotage it
     in the court of public opinion, spread the word, make it
     flop. (Reread your "Art of War" for Sun Tsu's tips on
     fighting your enemy.)
  -
 9.8.2. "What are the dangers of the Digital Telephony Bill?"
  - It makes wiretapping invisible to the tappee.
  + If passed into law, it makes central office wiretapping
     trivial, automatic.
    - "What should worry people is what isn't in the news (and
       probably never will until it's already embedded in comm
       systems). A true 'Clipper' will allow remote tapping on
       demand. This is very easily done to all-digital
       communications systems. If you understand network routers
       and protocol it's easy to envision how simple it would be
       to 're-route' a copy of a target comm to where ever you
       want it to go..."  [domonkos@access.digex.net (andy
       domonkos), comp.org.eff.talk, 1994-06-29]
 9.8.3. "What is the Digital Telephony proposal/bill?
  - proposed a few years ago...said to be inspiration for PGP
  - reintroduced Feb 4, 1994
  - earlier versrion:
  + "1)  DIGITAL TELEPHONY PROPOSAL
    - "To ensure law enforcement's continued ability to conduct
       court-
    - authorized taps, the administration, at the request of
       the
    - Dept. of Justice and the FBI, proposed ditigal telephony
    - legislation.  The version submitted to Congress in Sept.
       1992
    - would require providers of electronic communication
       services
    - and private branch exchange (PBX) operators to ensure
       that the
    - government's ability to lawfully intercept communications
       is not
    - curtailed or prevented entirely by the introduction of
       advanced
    - technology."

9.9 - Clipper, Escrowed Encyption Standard
 9.9.1. The Clipper Proposal
  - A bombshell was dropped on April 16, 1993. A few of us saw
     it coming, as we'd been debating...
 9.9.2. "How long has the government been planning key escrow?"
  - since about 1989
  - ironically, we got about six months advance warning
  - my own "A Trial Balloon to Ban Encryption" alerted the
     world to the thinking of D. Denning....she denies having
     known about key escorw until the day before it was
     announced, which I find implausible (not calling her a
     liar, but...)
  + Phil Karn had this to say to Professor Dorothy Denning,
     several weeks prior to the Clipper announcement:
    - "The private use of strong cryptography provides, for the
       very first time, a truly effective safeguard against this
       sort of government abuse. And that's why it must continue
       to be free and unregulated.
    - "I should credit you for doing us all a very important
       service by raising this issue. Nothing could have lit a
       bigger fire under those of us who strongly believe in a
       citizens' right to use cryptography than your proposals
       to ban or regulate it.  There are many of us out here who
       share this belief *and* have the technical skills to turn
       it into practice. And I promise you that we will fight
       for this belief to the bitter end, if necessary." [Phil
       Karn, 1993-03-23]
    -
    -
 9.9.3. Technically, the "Escrowed Encryption Standard," or EES. But
   early everyone still calls it "Clipper, " even if NSA
   belatedly realized Intergraph's won product has been called
   this for many years, a la the Fairchild processor chip of the
   same name. And the database product of the same name. I
   pointed this out within minutes of hearing about this on
   April 16th, 1993, and posted a comment to this effect on
   sci.crypt. How clueless can they be to not have seen in many
   months of work what many of us saw within seconds?
 9.9.4. Need for Clipper
 9.9.5. Further "justifications" for key escrow
  + anonymous consultations that require revealing of
     identities
    - suicide crisis intervention
    - confessions of abuse, crimes, etc. (Tarasoff law)
  - corporate records that Feds want to look at
  + Some legitimate needs for escrowed crypto
    - for corporations, to bypass the passwords of departed,
       fired, deceased employees,
 9.9.6. Why did the government develop Clipper?
 9.9.7. "Who are the designated escrow agents?"
  - Commerce (NIST) and Treasury (Secret Service).
 9.9.8. Whit Diffie
  - Miles Schmid was architect
  + international key escrow
    - Denning tried to defend it....
 9.9.9. What are related programs?
9.9.10. "Where do the names "Clipper" and "Skipjack" come from?
  - First, the NSA and NIST screwed up big time by choosing the
     name "Clipper," which has long been the name of the 32-bit
     RISC processor (one of the first) from Fairchild, later
     sold to Intergraph. It is also the name of a database
     compiler. Most of us saw this immediately.
  -
  + Clippers are boats, so are skipjacks ("A small sailboat
     having a
    - bottom shaped like a flat V and vertical sides" Am
       Heritage. 3rd).
    - Suggests a nautical theme, which fits with the
       Cheseapeake environs of
    - the Agency (and small boats have traditionally been a way
       for the
    + Agencies to dispose of suspected traitors and spies).
      -
    - However, Capstone is not a boat, nor is Tessera, so the
       trend fails.

9.10 - Technical Details of Clipper, Skipjack, Tessera, and EES
9.10.1. Clipper chip fabrication details
  + ARM6 core being used
    - but also rumors of MIPS core in Tessera
  - MIPS core reportedly being designed into future versions
  - National also built (and may operate) a secure wafer fab
     line for NSA, reportedly located on the grounds of Ft.
     Meade--though I can't confirm the location or just what
     National's current involvement still is. May only be for
     medium-density chips, such as key material (built under
     secure conditions).
9.10.2. "Why is the Clipper algorithm classified?"
  - to prevent non-escrow versions, which could still use the
     (presumably strong) algorithm and hardware but not be
     escrowed
  - cryptanalysis is always easier if the algorithms are known
     :-}
  - general government secrecy
  - backdoors?
9.10.3. If Clipper is flawed (the Blaze LEAF Blower), how can it
   still be useful to the NSA?
  - by undermining commercial alternatives through subsidized
     costs (which I don't think will happen, given the terrible
     PR Clipper has gotten)
  - mandated by law or export rules
  - and the Blaze attack is--at present--not easy to use (and
     anyone able to use it is likely to be sophisticated enough
     to use preencryption anyway)
9.10.4. What about weaknesses of Clipper?
  - In the views of many, a flawed approach. That is, arguing
     about wrinkles plays into the hands of the Feds.
9.10.5. "What are some of the weaknesses in Clipper?"
  - the basic idea of key escrow is an infringement on liberty
  + access to the keys
    - "
    + "There's a big door in the side with a
      - big neon sign saying "Cops and other Authorized People
         Only";
      - the trapdoor is the fact that anybody with a fax
         machine can make
      - themselves and "Authorized Person" badge and walk in.
         
  - possible back doors in the Skipjace algorithm
  + generation of the escrow keys
    -
    + "There's another trapdoor, which is that if you can
       predict the escrow
      - keys by stealing the parameters used by the Key
         Generation Bureau to
      - set them, you don't need to get the escrow keys from
         the keymasters,
      - you can gen them yourselves. " 
9.10.6. Mykotronx
  - MYK-78e chip, delays, VTI, fuses
  - National Semiconductor is working with Mykotronx on a
     faster implementation of the
     Clipper/Capstone/Skipjack/whatever system. (May or may not
     be connected directly with the iPower product line.  Also,
     the MIPS processor core may be used, instead of the ARM
     core, which is said to be too slow.)
9.10.7. Attacks on EES
  - sabotaging the escrow data base
  + stealing it, thus causing a collapse in confidence
    - Perry Metzger's proposal
  - FUD
9.10.8. Why is the algorithm secret?
9.10.9. Skipjack is 80 bits, which is 24 bits longer than the 56 bits
   of DES. so
9.10.10. "What are the implications of the bug in Tessera found by
   Matt Blaze?"
  - Technically, Blaze's work was done on a Tessera card, which
     implements the Skipjace algorithm. The Clipper phone system
     may be slightly different and details may vary; the Blaze
     attack may not even work, at least not practically.
  - " The announcement last month was about a discovery that,
     with a half-hour or so of time on an average PC, a user
     could forge a bogus LEAF (the data used by the government
     to access the back door into Clipper encryption). With such
     a bogus LEAF, the Clipper chip on the other end would
     accept and decrypt the communication, but the back door
     would not work for the government." [ Steve Brinich,
     alt.privacy.clipper, 1994-07-04]
  - "The "final" pre-print version (dated August 20, 1994) of
     my paper, "Protocol Failure in the Escrowed Encryption
     Standard" is now available.  You can get it in PostScript
     form via anonymous ftp from research.att.com in the file
     /dist/mab/eesproto.ps .  This version replaces the
     preliminary draft (June 3) version that previously occupied
     the same file.  Most of the substance is identical,
     although few sections are expanded and a few minor errors
     are now corrected." [Matt Blaze, 1994-09-04]

9.11 - Products, Versions -- Tessera, Skipjack, etc.
9.11.1. "What are the various versions and products associated with
   EES?"
  - Clipper, the MYK-78 chip.
  - Skipjack.
  + Tessera. The PCMCIA card version of the Escrowed Encryption
     Standard.
    - the version Matt Blaze found a way to blow the LEAF
    - National Semiconductor "iPower" card may or may not
       support Tessera (conflicting reports).
9.11.2. AT&T Surety Communications
  - NSA may have pressured them not to release DES-based
     products
9.11.3. Tessera cards
  - iPower
  - Specifications for the Tessera card interface can be found
     in several places, including " csrc.ncsl.nist.gov"--see the
     file  cryptcal.txt [David Koontz, 1994-08-08].

9.12 - Current Status of EES, Clipper, etc.
9.12.1. "Did the Administration really back off on Clipper? I heard
   that Al Gore wrote a letter to Rep. Cantwell, backing off."
  - No, though Clipper has lost steam (corporations weren't
     interested in buying Clipper phones, and AT&T was very late
     in getting "Surety" phones out).
  - The Gore announcement may actually indicate a shift in
     emphasis to "software key escrow" (my best guess).
  - Our own Michael Froomkin, a lawyer, writes:  "The letter is
     a nullity.  It almost quotes from testimony given a year
     earlier by NIST to Congress.  Get a copy of Senator Leahy's
     reaction off the eff www  server.  He saw it for the empty
     thing it is....Nothing has changed except Cantwell dropped
     her bill for nothing." [A.Michael Froomkin,
     alt.privacy.clipper, 1994-09-05]

9.13 - National Information Infrastructure, Digital Superhighway
9.13.1. Hype on the Information Superhighway
  - It's against the law to talk abou the Information
     Superhighway without using at least one of the overworked
     metaphors: road kill, toll boths, passing lanes, shoulders,
     on-ramps, off-ramps, speeding, I-way, Infobahn, etc.
  - Most of what is now floating around the suddenly-trendy
     idea of the Digital Superduperway is little more than hype.
     And mad metaphors. Misplaced zeal, confusing tangential
     developments with real progress. Much like libertarians
     assuming the space program is something they should somehow
     be working on.
  - For example, the much-hyped "Pizza Hut" on the Net (home
     pizza pages, I guess). It is already being dubbed "the
     first case of true Internet commerce." Yeah, like the Coke
     machines on the Net so many years ago were examples of
     Internet commerce. Pure hype. Madison Avenue nonsense. Good
     for our tabloid generation.
9.13.2. "Why is the National Information Infrastructure a bad idea?"
  - NII = Information Superhighway = Infobahn = Iway = a dozen
     other supposedly clever and punning names
  + Al Gore's proposal:
    - links hospitals, schools, government
    + hard to imagine that the free-wheeling anarchy of the
       Internet would persist..more likely implications:
      - "is-a-person" credentials, that is, proof of identity,
         and hence tracking, of all interactions
      - the medical and psychiatric records would be part of
         this (psychiatrists are leery of this, but they may
         have no choice but to comply under the National Health
         Care plans being debated)
  + There are other bad aspects:
    - government control, government inefficiency, government
       snooping
    - distortion of markets ("universal access')
    - restriction of innovation
    - is not needed...other networks are doing perfectly well,
       and will be placed where they are needed and will be
       locally paid for
9.13.3. NII, Video Dialtone
  + "Dialtone"
    - phone companies offer an in-out connection, and charge
       for the connection, making no rulings on content (related
       to the "Common Carrier" status)
    + for video-cable, I don't believe there is an analogous
       set-up being looked at
      + cable t.v.
        - Carl Kadie's comments to Sternlight
9.13.4. The prospects and dangers of Net subsidies
  - "universal access," esp. if same happens in health care
  - those that pay make the rules
  + but such access will have strings attached
    - limits on crypto
    -
  - universal access also invites more spamming, a la the
     "Freenet" spams, in which folks keep getting validated as
     new users: any universal access system that is not pay-as-
     you-go will be sensitive to this *or* will result in calls
     for universal ID system (is-a-person credentialling)
9.13.5. NII, Superhighway, I-way
  - crypto policy
  - regulation, licensing

9.14 - Government Interest in Gaining Control of Cyberspace
9.14.1. Besides Clipper, Digital Telephony, and the National
   Information Infrastructure, the government is interested in
   other areas, such as e-mail delivery (US Postal Service
   proposal) and maintenance of network systems in general.
9.14.2. Digital Telephony, ATM networks, and deals being cut
  - Rumblings of deals being cut
  -  a new draft is out [John Gilmore, 1994-08-03]
  - Encryption with hardware at full ATM speeds
  - and SONET networks (experimental, Bay Area?)
9.14.3. The USPS plans for mail, authentication, effects on
   competition, etc.
  + This could have a devastating effect on e-mail and on
     cyberspace in general, especially if it is tied in to other
     government proposals in an attempt to gain control of
     cyberspace.
    - Digital Telelphony, Clipper, pornography laws and age
       enforcement (the Amateur Action case), etc.
  + "Does the USPS really have a monopoly on first class mail?"
    - and on "routes"?
    - "The friendly PO has recently been visiting the mail
       rooms of 2) The friendly PO has recently been visiting
       the mail rooms of corporations in the Bay Area, opening
       FedX, etc. packages (not protected by the privacy laws of
       the PO's first class mail), and fining companies ($10,000
       per violation, as I recall), for sending non-time-
       sensitive documents via FedX when they could have been
       sent via first-class mail." [Lew Glendenning, USPS
       digital signature annoucement, sci.crypt, 1994-08-23] (A
       citation or a news story would make this more credible,
       but I've heard of similar spot checks.)
  - The problems with government agencies competing are well-
     known. First, they often have shoddy service..civil service
     jobs, unfireable workers, etc. Second, they often cannot be
     sued for nonperformance. Third, they often have government-
     granted monopolies.
  + The USPS proposal may be an opening shot in an attempt to
     gain control of electronic mail...it never had control of e-
     mail, but its monopoly on first-class mail may be argued by
     them to extend to cyberspace.
    - Note: FedEx and the other package and overnight letter
       carriers face various restrictions on their service; for
       example, they cannot offer "routes" and the economies
       that would result in.
    - A USPS takeover of the e-mail business would mean an end
       to many Cypherpunks objectives, including remailers,
       digital postage, etc.
    - The challenge will be to get these systems deployed as
       quickly as possible, to make any takeover by the USPS all
       the more difficult.

9.15 - Software Key Escrow
9.15.1. (This section needs a lot more)
9.15.2. things are happening fast....
9.15.3. TIS, Carl Ellison, Karlsruhe
9.15.4. objections to key escrow
  - "Holding deposits in real estate transactions is a classic
     example. Built-in wiretaps are *not* escrow, unless the
     government is a party to your contract.  As somebody on the
     list once said, just because the Mafia call themselves
     "businessmen" doesn't make them legitimate; calling
     extorted wiretaps "escrow" doesn't make them a service.
     
     "The government has no business making me get their
     permission to talk to anybody about anything in any
     language I choose, and they have no business insisting I
     buy "communication protection service" from some of their
     friends to do it, any more than the aforenamed
     "businessmen" have any business insisting I buy "fire
     insurance" from *them*." [Bill Stewart, 1994-07-24]
9.15.5. Micali's "Fair Escrow"
  - various efforts underway
  - need section here
  - Note: participants at Karlsruhe Conference report that a
     German group may have published on software key escrow
     years before Micali filed his patent (reports that NSA
     officials were "happy")

9.16 - Politics, Opposition
9.16.1. "What should Cypherpunks say about Clipper?"
  - A vast amount has been written, on this list and in dozens
     of other forums.
  - Eric Hughes put it nicely a while back:
  - "The hypothetical backdoor in clipper is a charlatan's
     issue by comparison, as is discussion of how to make a key
     escrow system
     'work.'  Do not be suckered into talking about an issue
     that is not
     important.  If someone want to talk about potential back
     doors, refuse to speculate.  The existence of a front door
     (key escrow) make back door issues pale in comparison.
     
     "If someone wants to talk about how key escrow works,
     refuse to
     elaborate.  Saying that this particular key escrow system
     is bad has a large measure of complicity in saying that
     escrow systems in general are OK.  Always argue that this
     particular key escrow system is bad because it is a key
     escrow system, not because it has procedural flaws.
     
     "This right issue is that the government has no right to my
     private communications.  Every other issue is the wrong
     issue and detracts from this central one.  If we defeat one
     particular system without defeating all other possible such
     systems at the same time, we have not won at all; we have
     delayed the time of reckoning." [ Eric Hughes, Work the
     work!, 1993-06-01]
9.16.2. What do most Americans think about Clipper and privacy?"
  - insights into what we face
  + "In a Time/CNN poll of 1,000 Americans conducted last week
     by Yankelovich
    - Partners, two-thirds said it was more important to
       protect the privacy of phone
    - calls than to preserve the ability of police to conduct
       wiretaps.
    - When informed about the Clipper Chip, 80% said they
       opposed it."
    - Philip Elmer-Dewitt, "Who Should Keep the Keys", Time,
       Mar. 4, 1994
9.16.3. Does anyone actually support Clipper?
  + There are actually legitimate uses for forms of escrow:
    - corporations
    - other partnerships
9.16.4. "Who is opposed to Clipper?"
  - Association for Computing Machinery (ACM). "The USACM urges
     the Administration at this point to withdraw the Clipper
     Chip proposal and to begin an open and public review of
     encryption policy.  The escrowed encryption initiative
     raises vital issues of privacy, law enforcement,
     competitiveness and scientific innovation that must be
     openly discussed." [US ACM, DC Office" ,
     USACM Calls for Clipper Withdrawal, press release, 1994-06-
     30]
9.16.5. "What's so bad about key escrow?"
  + If it's truly voluntary, there can be a valid use for this.
    + Are trapdoors justified in some cases?
      + Corporations that wish to recover encrypted data
        + several scenarios
          - employee encrypts important files, then dies or is
             otherwise unavailable
          + employee leaves company before decrypting all files
            - some may be archived and not needed to be opened
               for many years
          - employee may demand "ransom" (closely related to
             virus extortion cases)
          - files are found but the original encryptor is
             unknown
      + Likely situation is that encryption algorithms will be
         mandated by corporation, with a "master key" kept
         available
        - like a trapdoor
        - the existence of the master key may not even be
           publicized within the company (to head off concerns
           about security, abuses, etc.)
      + Government is trying to get trapdoors put in
        - S.266, which failed ultimately (but not before
           creating a ruckus)
  + If the government requires it...
    - Key escrow means the government can be inside your home
       without you even knowing it
  - and key escrow is not really escrow...what does one get
     back from the "escrow" service?
9.16.6. Why governments should not have keys
  - can then set people up by faking messages, by planting
     evidence
  - can spy on targets for their own purposes (which history
     tells us can include bribery, corporate espionage, drug-
     running, assassinations, and all manner of illegal and
     sleazy activities)
  - can sabotage contracts, deals, etc.
  - would give them access to internal corporate communications
  - undermines the whole validity of such contracts, and of
     cryptographic standards of identity (shakes confidence)
  - giving the King or the State the power to impersonate
     another is a gross injustice
  - imagine the government of Iran having a backdoor to read
     the secret journals of its subjects!
  - 4th Amendment
  - attorney-client privilege (with trapdoors, no way to know
     that government has not breached confidentiality)
9.16.7. "How might the Clipper chip be foiled or defeated?"
  - Politically, market-wise, and technical
  - If deployed, that is
  + Ways to Defeat Clipper
    - preencryption or superencryption
    - LEAF blower
    - plug-compatible, reverse-engineered chip
    - sabotage
    - undermining confidence
    - Sun Tzu
9.16.8. How can Clipper be defeated, politically?
9.16.9. How can Clipper be defeated, in the market?
9.16.10. How can Clipper be defeated, technologically?
9.16.11. Questions
  + Clipper issues and questions
    - a vast number of questions, comments, challenges,
       tidbits, details, issues
    - entire newsgroups devoted to this
  + "What criminal or terrrorist will be smart enough to use
     encryption but dumb enough to use Clipper?"
    - This is one of the Great Unanswered Questions. Clipper's
       supporter's are mum on this one. Suggesting....
  + "Why not encrypt data before using the Clipper/EES?"
    - "Why can't you just encrypt data before the clipper chip?
       
       Two answers:
       
       1) the people you want to communicate with won't have
       hardware to
          decrypt your data, statistically speaking.  The beauty
       of clipper
          from the NSA point of view is that they are leveraging
       the
          installed base (they hope) of telephones and making it
       impossible
          (again, statistically) for a large fraction of the
       traffic to be
          untappable.
       
       2) They won't license bad people like you to make
       equipment like the
          system you describe.  I'll wager that the chip
       distribution will be
          done in a way to prevent significant numbers of such
       systems from
          being built, assuring that (1) remains true." [Tom
       Knight, sci.crypt, 6-5-93]
       
    -
  + What are the implications of mandatory key escrow?
    + "escrow" is misleading...
      - wrong use of the term
      - implies a voluntary, and returnable, situation
  + "If key escrow is "voluntary," what's the big deal?"
    - Taxes are supposedly "voluntary," too.
    - A wise man prepares for what is _possible_ and even
       _likely_, not just what is announced as part of public
       policy; policies can and do change. There is plenty of
       precedent for a "voluntary" system being made mandatory.
    - The form of the Clipper/EES system suggests eventual
       mandatory status; the form of such a ban is debatable.
  + "What is 'superencipherment,' and can it be used to defeat
     Clipper?"
    - preencrypting
    - could be viewed as a non-English language
    + how could Clipper chip know about it (entropy measures?)
      - far-fetched
    - wouldn't solve traffic anal. problem
  - What's the connection between Clipper and export laws?
  + "Doesn't this make the Clipper database a ripe target?"
    - for subversion, sabotage, espionage, theft
    - presumably backups will be kept, and _these_ will also be
       targets
  + "Is Clipper just for voice encryption?"
    - Clipper is a data encryption chip, with the digital data
       supplied by an ADC located outside the chip. In
       principle, it could thus be used for data encryption in
       general.
    - In practice, the name Clipper is generally associated
       with telephone use, while "Capstone" is the data standard
       (some differences, too). The "Skipjack" algorithm is used
       in several of these proposed systems (Tessera, also).
9.16.12. "Why is Clipper worse than what we have now?"
  + John Gilmore answered this question in a nice essay. I'm
     including the whole thing, including a digression into
     cellular telephones, because it gives some insight--and
     names some names of NSA liars--into how NSA and NIST have
     used their powers to thwart true security.
    - "It's worse because the market keeps moving toward
       providing real encryption.
       
       "If Clipper succeeds, it will be by displacing real
       secure encryption. If real secure encryption makes it
       into mass market communications products, Clipper will
       have failed.  The whole point is not to get a few
       Clippers used by cops; the point is to make it a
       worldwide standard, rather than having 3-key triple-DES
       with RSA and Diffie-Hellman become the worldwide
       standard.
       
       "We'd have decent encryption in digital cellular phones
       *now*, except for the active intervention of Jerry
       Rainville of NSA, who `hosted' a meeting of the standards
       committee inside Ft. Meade, lied to them about export
       control to keep committee documents limited to a small
       group, and got a willing dupe from Motorola, Louis
       Finkelstein, to propose an encryption scheme a child
       could break.  The IS-54 standard for digital cellular
       doesn't describe the encryption scheme -- it's described
       in a separate document, which ordinary people can't get,
       even though it's part of the official accredited
       standard.  (Guess who accredits standards bodies though -
       - that's right, the once pure NIST.)
       
       "The reason it's secret is because it's so obviously
       weak.  The system generates a 160-bit "key" and then
       simply XORs it against each block of the compressed
       speech.  Take any ten or twenty blocks and recover the
       key by XORing frequent speech patterns (like silence, or
       the letter "A") against pieces of the blocks to produce
       guesses at the key.  You try each guess on a few blocks,
       and the likelihood of producing something that decodes
       like speech in all the blocks is small enough that you'll
       know when your guess is the real key.
       
       "NSA is continuing to muck around in the Digital Cellular
       standards committee (TR 45.3) this year too.  I encourage
       anyone who's interested to join the committee, perhaps as
       an observer.  Contact the Telecommunications Industry
       Association in DC and sign up.  Like any standards
       committee, it's open to the public and meets in various
       places around the country.  I'll lend you a lawyer if
       you're a foreign national, since the committee may still
       believe that they must exclude foreign nationals from
       public discussions of cryptography.  Somehow the crypto
       conferences have no trouble with this; I think it's
       called the First Amendment.  NSA knows the law here --
       indeed it enforces it via the State Dept -- but lied to
       the committee." [John Gilmore, "Why is clipper worse than
       "no encryption like we have," comp.org.eff.talk, 1994-04-
       27]
9.16.13. on trusting the government
  - "WHAT AM THE MORAL OF THE STORY, UNCLE REMUS?....When the
     government makes any announcement (ESPECIALLY a denial),
     you should figure out what the government is trying to get
     you to do--and do the opposite.  Contrarianism with a
     vengance.  Of all the advice I've  offered on the
     Cypherpunks Channel, this is absolutely the most certain."
     [Sandy Sandfort, 1994-07-17]
  - if the Founders of the U.S. could see the corrupt,
     socialist state this nation has degenerated to, they'd be
     breaking into missile silos and stealing nukes to use
     against the central power base.
  + can the government be trusted to run the key escrow system?
    - "I just heard on the news that 1300 IRS employees have
       been disciplined for unauthorized accesses to
       electronically filed income tax returns.  ..I'm sure they
       will do much better, though, when the FBI runs the phone
       system, the Post Office controls digital identity and
       Hillary takes care of our health." [Sandy Sandfort, 1994-
       07-19]
    - This is just one of many such examples: Watergate ("I am
       not a crook!"), Iran-Contra, arms deals, cocaine
       shipments by the CIA, Teapot Dome, graft, payoffs,
       bribes, assassinations, Yankee-Cowboy War, Bohemian
       Grove, Casolaro, more killings, invasions, wars. The
       government that is too chicken to ever admit it lost a
       war, and conspicuously avoids diplomatic contact with
       enemies it failed to vanquish (Vietnam, North Korea,
       Cuba, etc.), while quickly becoming sugar daddy to the
       countries it did vanquish...the U.S. appears to be
       lacking in practicality. (Me, I consider it wrong for
       anyone to tell me I can't trade with folks in another
       country, whether it's Haiti, South Africa, Cuba, Korea,
       whatever. Crypto anarchy means we'll have _some_ of the
       ways of bypassing these laws, of making our own moral
       decisions without regard to the prevailing popular
       sentiment of the countries in which we live at the
       moment.)

9.17 - Legal Issues with Escrowed Encryption and Clipper
9.17.1. As John Gilmore put it in a guest editorial in the "San
   Francisco Examiner," "...we want the public to see a serious
   debate about why the Constitution should be burned in order
   to save the country." [J.G., 1994-06-26, quoted by S.
   Sandfort]
9.17.2. "I don't see how Clipper gives the government any powers or
   capabilities it doesn't already have.  Comments?"
9.17.3. Is Clipper really voluntary?
9.17.4. If Clipper is voluntary, who will use it?
9.17.5. Restrictions on Civilian Use of Crypto
9.17.6. "Has crypto been restricted in the U.S.?"
9.17.7. "What legal steps are being taken?"
  - Zimmermann
  - ITAR
9.17.8. reports that Department of Justice has a compliance
   enforcement role in the EES [heard by someone from Dorothy
   Denning, 1994-07], probably involving checking the law
   enforcement agencies...
9.17.9. Status
  +  "Will government agencies use Clipper?"
    - Ah, the embarrassing question. They claim they will, but
       there are also reports that sensitive agencies will not
       use it, that Clipper is too insecure for them (key
       lenght, compromise of escrow data, etc.). There may also
       be different procedures (all agencies are equal, but some
       are more equal than others).
    - Clipper is rated for unclassified use, so this rules out
       many agencies and many uses. An interesting double
       standard.
  + "Is the Administration backing away from Clipper?"
    + industry opposition surprised them
      - groups last summer, Citicorp, etc.
    - public opinion
    - editorial remarks
    - so they may be preparing alternative
    - and Gilmore's FOIA, Blaze's attack, the Denning
       nonreview, the secrecy of the algortithm
  + will not work
    - spies won't use it, child pornographers probably won't
       use it (if alternatives exist, which may be the whole
       point)
    - terrorists won't use it
  - Is Clipper in trouble?
9.17.10. "Will Clipper be voluntary?"
  - Many supporters of Clipper have cited the voluntary nature
     of Clipper--as expressed in some policy statements--and
     have used this to counter criticism.
  + However, even if truly voluntary, some issues
    + improper role for government to try to create a
       commercial standard
      - though the NIST role can be used to counter this point,
         partly
    - government can and does make it tough for competitors
    - export controls (statements by officials on this exist)
  + Cites for voluntary status:
    - original statement says it will be voluntary
    - (need to get some statements here)
  + Cites for eventual mandatory status:
    - "Without this initiative, the government will eventually
       become helpless to defend the nation." [Louis Freeh,
       director of the FBI, various sources]
    - Steven Walker of Trusted Information Systems is one of
       many who think so: "Based on his analysis, Walker added,
       "I'm convinced that five years from now they'll say 'This
       isn't working,' so we'll have to change the rules." Then,
       he predicted, Clipper will be made mandatory for all
       encoded communications." [
  + Parallels to other voluntary programs
    - taxes

9.18 - Concerns
9.18.1. Constitutional Issues
  - 4th Amend
  - privacy of attorney-client, etc.
  + Feds can get access without public hearings, records
    - secret intelligence courts
    -
    + "It is uncontested (so far as I have read) that under
       certain circum-
      - stances, the Federal intelligence community wil be
         permitted to
      - obtain Clipper keys without any court order on public
         record.  Only
      - internal, classified proceedings will protect our
         privacy." 
9.18.2. "What are some dangers of Clipper, if it is widely adopted?"
  + sender/receiver ID are accessible without going to the key
     escrow
    - this makes traffic analysis, contact lists, easy to
       generate
  + distortions of markets ("chilling effects") as a plan by
     government
    - make alternatives expensive, hard to export, grounds for
       suspicion
    - use of ITAR to thwart alternatives (would be helped if
       Cantwell bill to liberalize export controls on
       cryptography  (HR 3627) passes)
    + VHDL implementations possible
      - speculates Lew Glendenning, sci.crypt, 4-13-94
      - and recall MIPS connection (be careful here)
9.18.3. Market Isssues
9.18.4. "What are the weaknesses in Clipper?"
  + Carl Ellison analyzed it this way:
    - "It amuses the gallows-humor bone in me to see people
       busily debating the quality of Skipjack as an algorithm
       and the quality of the review of its strength.
       
       Someone proposes to dangle you over the Grand Canyon
       using
       
               sewing thread
       tied to
               steel chain
       tied to
               knitting yarn
       
       and you're debating whether the steel chain has been X-
       rayed properly to see if there are flaws in the metal.
       
       "Key generation, chip fabrication, court orders,
       distribution of keys once acquired from escrow agencies
       and safety of keys within escrow agencies are some of the
       real weaknesses.  Once those are as strong as my use of
       1024-bit RSA and truly random session keys in keeping
       keys on the two sides of a conversation with no one in
       the middle able to get the key, then we need to look at
       the steel chain in the middle: Skipjack itself."  [Carl
       Ellison, 1993-08-02]
    + Date: Mon, 2 Aug 93 17:29:54 EDT
       From: cme@ellisun.sw.stratus.com (Carl Ellison)
       To: cypherpunks@toad.com
       Subject: cross-post
       Status: OR
       
       Path: transfer.stratus.com!ellisun.sw.stratus.com!cme
       From: cme@ellisun.sw.stratus.com (Carl Ellison)
       Newsgroups: sci.crypt
       Subject: Skipjack review as a side-track
       Date: 2 Aug 1993 21:25:11 GMT
       Organization: Stratus Computer, Marlboro MA
       Lines: 28
       Message-ID: <23k0nn$8gk@transfer.stratus.com>
       NNTP-Posting-Host: ellisun.sw.stratus.com
       
       
       It amuses the gallows-humor bone in me to see people
       busily debating the
       quality of Skipjack as an algorithm and the quality of
       the review of its
       strength.
       
       Someone proposes to dangle you over the Grand Canyon
       using
       
               sewing thread
       tied to
               steel chain
       tied to
               knitting yarn
       
       and you're debating whether the steel chain has been X-
       rayed properly
       to see if there are flaws in the metal.
       
       Key generation, chip fabrication, court orders,
       distribution of keys once
       acquired from escrow agencies and safety of keys within
       escrow agencies are
       some of the real weaknesses.  Once those are as strong as
       my use of
       1024-bit RSA and truly random session keys in keeping
       keys on the two sides
       of a conversation with no one in the middle able to get
       the key, then we
       need to look at the steel chain in the middle: Skipjack
       itself.
       
      - "Key generation, chip fabrication, court orders,
         distribution of keys once acquired from escrow agencies
         and safety of keys within escrow agencies are some of
         the real weaknesses.  Once those are as strong as my
         use of 1024-bit RSA and truly random session keys in
         keeping keys on the two sides of a conversation with no
         one in the middle able to get the key, then we need to
         look at the steel chain in the middle: Skipjack
         itself."
9.18.5. What it Means for the Future
9.18.6. Skipjack
9.18.7. National security exceptions
  - grep Gilmore's FOIA for mention that national security
     people will have direct access and that this will not be
     mentioned to the public
  + "The "National Security" exception built into the Clipper
     proposal
    - leaves an extraordinarily weak link in the chain of
       procedures designed
    - to protect user privacy.  To place awesome powers of
       surveillance
    - technologically within the reach of a few, hoping that so
       weak a chain
    - will bind them, would amount to dangerous folly.  It
       flies in the face
    - of history. 
9.18.8. In my view, any focus on the details of Clipper instead of
   the overall concept of key escrow plays into their hands.
   This is not to say that the work of Blaze and others is
   misguided....in fact, it's very fine work. But a general
   focus on the _details_ of Skipjack does nothing to allay my
   concerns about the _principle_ of government-mandated crypto.
   
   If it were "house key escrow" and there were missing details
   about the number of teeth allowed on the keys, would be then
   all breathe a sigh of relief if the details of the teeth were
   clarified? Of course not. Me, I will never use a key escrow
   system, even if a blue ribbon panel of hackers and
   Cypherpunks studies the design and declares it to be
   cryptographically sound.
9.18.9. Concern about Clipper
  - allows past communications to be read
  + authorities could--maybe--read a lot of stuff, even
     illegally, then use this for other investigations (the old
     "we had an anonymous tip" ploy)
    - "The problem with Clipper is that it provides police
       agencies with dramatically enhanced target acquistion.
       There is nothing to prevent NSA, ATF, FBI (or the Special
       Projects division of the Justice Department) from
       reviewing all internet traffic, as long as they are
       willing to forsake using it in a criminal prosecution."
       [dgard@netcom.com, alt.privacy.clipper, 1994-07-05]
9.18.10. Some wags have suggested that the new escrow agencies be
   chosen from groups like Amnesty International and the ACLU.
   Most of us are opposed to the "very idea" of key escrow
   (think of being told to escrow family photos, diaries, or
   house keys) and hence even these kinds of skeptical groups
   are unacceptable as escrow agents.

9.19 - Loose Ends
9.19.1. "Are trapdoors--or some form of escrowed encryption--
   justified in some cases?"
  + Sure. There are various reasons why individuals, companies,
     etc. may want to use crypto protocols that allow them to
     decrypt even if they've lost their key, perhaps by going to
     their lawyer and getting the sealed envelope they left with
     him, etc.
    - or using a form of "software key escrow" that allows them
       access
  + Corporations that wish to recover encrypted data
    + several scenarios
      - employee encrypts important files, then dies or is
         otherwise unavailable
      + employee leaves company before decrypting all files
        - some may be archived and not needed to be opened for
           many years
      - employee may demand "ransom" (closely related to virus
         extortion cases)
      - files are found but the original encryptor is unknown
  + Likely situation is that encryption algorithms will be
     mandated by corporation, with a "master key" kept available
    - like a trapdoor
    - the existence of the master key may not even be
       publicized within the company (to head off concerns about
       security, abuses, etc.)
  - The mandatory use of key escrow, a la a mandatory Clipper
     system, or the system many of us believe is being developed
     for software key escrow (SKE, also called "GAK," for
     "government access to keys, by Carl Ellison) is completely
     different, and is unacceptable. (Clipper is discussed in
     many places here.)
9.19.2. DSS
  + Continuing confusion over patents, standards, licensing,
     etc.
    - "FIPS186 is DSS. NIST is of the opinion that DSS does not
       violate PKP's patents. PKP (or at least Jim Bidzos) takes
       the position that it does. But for various reasons, PKP
       won't sue the government. But Bidzos threatens to sue
       private parties who infringe. Stay tuned...." [Steve
       Wildstrom, sci.crypt, 1994-08-19]
    - even Taher ElGamal believes it's a weak standard
  - subliminal channels issues
9.19.3. The U.S. is often hypocritical about basic rights
  - plans to "disarm" the Haitians, as we did to the Somalians
     (which made those we disarmed even more vulnerable to the
     local warlords)
  - government officials are proposing to "silence" a radio
     station in Ruanda they feel is sending out the wrong
     message! (Heard on "McNeil-Lehrer News Hour," 1994-07-21]
9.19.4. "is-a-person" and RSA-style credentials
  + a dangerous idea, that government will insist that keys be
     linked to persons, with only one per person
    - this is a flaw in AOCE system
    - many apps need new keys generated many times