New US national crypto policy study released

Rohit Khare (khare@pest.w3.org)
Fri, 31 May 96 09:59:59 -0400


[Yes, this is long. But think of it this way: it's great data compression vs.
reading the whole report! If you could care less, jump to Markoff's NYTimes
article at the end]

[Pre-PS: Anyone out there know how to obtain / already have a *complete*
prerelease copy of the report? There was a meeting in D.C. to hand out a
select few copies yesterday, and one at SRI next Wednesday]

> * A report released yesterday by the National Research
> Council recommends broad public use of encryption software
> on the Internet and calls for the lifting of bans on the
> exportation of encryption software.

The complete report hardcopy is only avail by attending an f2f NRC briefing
until August... only HTML preface and recommendations at this time:
http://www2.nas.edu/cstbweb/28e2.html

The title is: "Cryptography's Role in Securing the Information Society"

> "Basic Principle: U.S. national policy should be changed
> to support the broad use of cryptography in ways that
> take into account competing U.S. needs and desires for
> individual privacy, international economic
> competitiveness, law enforcement, national security, and
> world leadership."

> current national cryptography policy is not adequate to
> support the information security requirements of an
> information society

> National cryptography policy should support three
> objectives:
>
> 1. Broad availability of cryptography to all legitimate
> elements of U.S. society.

> 2. Continued economic growth and leadership of key U.S.
> industries and businesses in an increasingly global
> economy, including but not limited to U.S. computer,
> software, and communications companies. Such leadership
> is an integral element of national security.

> 3. Public safety and protection against foreign and
> domestic threats. Insofar as possible, communications
> and stored information of foreign parties whose interests
> are hostile to those of the United States should be
> accessible to U.S. intelligence agencies. Similarly, the
> communications and stored information of criminal elements
> that are a part of U.S. and global society should be
> available to law enforcement authorities as provided by
> law.

> on balance, the advantages of more widespread use of
> cryptography outweigh the disadvantages

> Recommendation 1: No law should bar the manufacture,
> sale, or use of any form of encryption within the United
> States.

> Recommendation 2: National cryptography policy should be
> developed by the executive and legislative branches on
> the basis of open public discussion and governed by the
> rule of law.

[The last bit is important because today all export battles are fought as
_administrative_ battles with State, Commerce, etc, and specific decisions
cannot be challenged in court]

> Recommendation 3: National cryptography policy affecting
> the development and use of commercial cryptography should
> be more closely aligned with market forces.

[Well, we're obviously trying our best here at W3C]

> Recommendation 4: Export controls on cryptography should
> be progressively relaxed but not eliminated.

> Recommendation 4.1--Products providing confidentiality
> at a level that meets most general commercial requirements
> should be easily exportable [2]. Today, products with
> encryption capabilities that incorporate the 56-bit DES
> algorithm provide this level of confidentiality and should
> be easily exportable.

[But they SPECIFICALLY PRECLUDE extensibility to Triple-DES modes]

Here's the meat: they still want US-based escrow for stronger cross-border
protection:

> Recommendation 4.2--Products providing stronger
> confidentiality should be exportable on an expedited
> basis to a list of approved companies if the proposed
> product user is willing to provide access to decrypted
> information upon legally authorized request.

This still recapitulates ALL the existing messiness about "If a message goes
from GM to Renault, whose law applies? Will France accept traffic that is
escrowed only to US authorities? Will GM-USA accept French jurisdiction over
its keys?"

The committee thinks public shame is a sufficient tool to motivate companies
to self-escrow and waive fifth-amendment-like rights to prevent later
disclosure:

> From the standpoint of U.S. law enforcement interests,
> continued inclusion on the list of approved firms is a
> powerful incentive for a company to abide by its agreement
> to provide access to plaintext under the proper
> circumstances.

> foreign firms specifically determined by U.S. authorities
> to be major and trustworthy firms should qualify for the
> list of approved companies.

> firms on the list of approved companies are defined in
> such a way as to increase the likelihood that they will
> be responsible corporate citizens, and as such responsive
> to relevant legal processes that may be invoked if access
> to plaintext data is sought.

On the upside, at least the debate is moving back to the rightful issue: "How
can we see plaintext?" -- NOT "how can we get your keys?":

> customers benefit because they retain the choice about
> how they will provide access to decrypted information.

This is important, because as the last White House lead balloon on crypto
escrow forgot, the potential release of a key has FAR wider consequences than
releasing a decrypted message: with the key in the public, years of traffic
can be decrypted, signatures become invalid, indeed your whole identity would
have to be 'replaced' every few months to limit the scope of such damage.

> Recommendation 4.3--The U.S. government should streamline
> and increase the transparency of the export licensing
> process for cryptography.

A complete win -- this is the heart of the Fear, Uncertainty and Doubt
surrounding the whole swamp. MIT is still basically the only organization that
had the guts to move forward even amidst such corrosive FUD -- and still few
companies wish to follow PGP since no one in the government can offer written
criteria for how to do it safely and legally.

> For example, the presumptive decision for cryptography
> submitted to the State Department for export licensing
> should be for approval rather than disapproval

Recommendation 5 is the committee's response to "Public Safety" issues:

> Recommendation 5: The U.S. government should take steps
> to assist law enforcement and national security to adjust
> to new technical realities of the information age.

Basically, L.E. will have to change to meet the enemy instead of demanding
the enemy be defined away. Tapping and bugging and spying and stinging are all
still possible with crypto, and we can strengthen Gov't's role here w/o
wreaking havoc on crypto for legit users.

> Recommendation 5.1--The U.S. government should actively
> encourage the use of cryptography in nonconfidentiality
> applications such as user authentication and integrity
> checks.

This is precisely what W3C is aiming at first. It's the main benefit of our
modular approach to security enhancement over SHEN/S-HTTP (before anyone
shouts, yes, both support modes with "null" encryption -- technically
equivalent, but not morally equivalent).

> Recommendation 5.2--The U.S. government should promote
> the security of the telecommunications networks more
> actively. At a minimum, the U.S. government should promote
> the link encryption of cellular communications[3] and
> the improvement of security at telephone switches.

I think an emphasis on link-encrypted IPsec and support for end-to-end
encrypted tunnels like SSL/STLP would also be justified on the same basis.
Note that link encryption still means "tappable at the end points" -- it's NOT
an endorsement of encrypted documents, messages, and encrypted storage at the
ends. This is basically OK, since the desktop devices we are worried about
have virtually zero security once the bits come across the wire, anyway. There
are few practical provisions for providing encrypted storage in, say, WIN95
NTFS or MacFS, and even if there were, the cleartext is vulnerable to all
manner of viruses while it's being edited or viewed. So I think link-privacy is
a fair and useful goal at this time.

> Recommendation 5.3--To better understand how escrowed
> encryption might operate, the U.S. government should
> explore escrowed encryption for its own uses. To address
> the critical international dimensions of escrowed
> communications, the U.S. government should work with
> other nations on this topic.

#1: Pilot it on yourself #2: Go do the international-convention thing and
check back with us in a few years... which has the clean side-effect of
pushing the whole debate into the future, AFTER we all have experience with
pervasive crypto:

> Imposing a particular solution to the encryption dilemma
> at this time is likely to have a significant negative
> impact on the natural market development of applications
> made possible by new information services and
> technologies. While the nation may choose to bear these
> costs in the future, it is particularly unwise to bear
> them in the absence of a large-scale need

The next few recommendations are about the consequences of crypto-enhanced crime:

> Recommendation 5.4--Congress should seriously consider
> legislation that would impose criminal penalties on the
> use of encrypted communications in interstate commerce
> with the intent to commit a federal crime.

The obvious corollary is that states should do the same for intrastate
crimes. Congressional action usually follows state action, but it might lead
the way here. [The report acknowledges that it would rest upon the Court to
act fairly on the issue of "intent", esp where no crime is committed as a
result]

> Recommendation 5.5--High priority should be given to
> research, development, and deployment of additional
> technical capabilities for law enforcement and national
> security to cope with new technological challenges.

"Law enforcement, you have 3 years before this all breaks loose, so go back
to the lab and do the cryptanalysis [and operational analysis of devices,
switches, etc!]"

> considerable time can be expected to elapse before
> cryptography is truly ubiquitous. Thus, law enforcement
> and national security authorities have a window in which
> to develop new capabilities for addressing future
> challenges. Such development should be supported, because
> these capabilities are almost certain to have a greater
> impact on their future information collection efforts
> than will aggressive attempts to promote escrowed
> encryption to a resistant market.

The concerns apply to international spying too -- and this is what has been
driving the NSA all along:

> losses in traditional signals intelligence capability
> would likely result in diminished effectiveness of the
> U.S. intelligence community. To help assure the continuing
> availability of strategic and tactical intelligence,
> efforts to develop alternatives to traditional signals
> intelligence collection techniques should be given high
> priority in the allocation of financial and personnel
> resources before products covered by Recommendation 4.1
> become widely used.

The last area, policy recommendations, is a little thin because the committee
was not chartered to explore this area in depth.

> Recommendation 6: The U.S. government should develop a
> mechanism to promote information security in the private
> sector.

How about they double W3C's security budget? ;-) Seriously, realistic Federal
participation in EXISTING processes is the most helpful posture: being
productive members of IETF, W3C, IEEE P.1363, etc. as well as listening to
industry: SPA, BSA, perhaps SIG someday.

> The information security interests of most of the private
> sector have no formal place at the policy-making table:
> the National Security Agency represents the classified
> government community, while the charter of the National
> Institute of Standards and Technology directs it to focus
> on the unclassified needs of the government (and its
> budget is inadequate to do more than that). Other
> organizations such as the Information Infrastructure Task
> Force and the Office of Management and Budget have broad
> influence but few operational responsibilities. As a
> result, business and individual stakeholders do not have
> adequate representation in the development of information
> security standards and export regimes.

There are still operational problems with including private citizens' input,
since security clearances may still be required, leading yet again to the
'Dorothy Denning' effect: strong suspicion of Government cleared and approved
'private sector' review:

> The government might consider the appointment of fully
> cleared parties from the private sector who could
> participate in government policy discussions relevant to
> export control decisions and/or decisions that affect
> the information security interests of the private sector.
> (Despite the committee's conclusion that the broad
> outlines of national cryptography policy can be argued
> on an unclassified basis, classified information may
> nevertheless be invoked in such discussions and uncleared
> participants would be unable to contribute. Clearances
> for these individuals are necessary to preclude this
> possibility.)

-----------------------------------------------------------------------------
Other notes:

A damning conviction of Skipjack, the algorithm behind Clipper I:

> Finally, users in the private sector need confidence that
> products with cryptographic functionality will indeed
> perform as advertised. To the maximum degree possible,
> national cryptography policy should support the use of
> algorithms, product designs, and product implementations
> that are open to public scrutiny. Information security
> mechanisms for widespread use that depend on a secret
> algorithm or a secret implementation invite a loss of
> public confidence, because they do not allow open testing
> of the security, they increase the cost of hardware
> implementations, and they may prevent the use of software
> implementations as described below. Technical work in
> cryptography conducted in the open can expose flaws
> through peer review and assure the private sector user
> community about the quality and integrity of the work
> underlying its cryptographic protection.

The committee does realize that 40-bit is losing sales for US producers:

> The committee believes that many foreign customers
> unwilling to overlook the perceived weaknesses of 40-bit
> RC2/RC4 encryption, despite superior noncryptography
> features in U.S. information technology products, are
> likely to accept DES-based encryption as being adequate

They think DES is good for 10 more years?!

> The bottom line for the committee is that DES is "good
> enough" for most information security applications and
> is likely to be good enough for the next decade, because
> only the most highly motivated and well-funded
> organizations will be capable of sustaining brute-force
> attacks on DES during that time.

Finally, the 'liberal' tone of this document does seem to explain the 'leak'
from the White House 2 weeks ago of a very pro-escrow, Clipper III draft.
Bidzos' quote below is quite accurate. And now, perhaps as with PICS, W3C
(might) get called upon to speak, extrapolating from last Friday's Security
Interest Group reports.

------------------------------------------------------------------------------
Finally, the NYT sayeth:

May 31, 1996

White House Challenged on Data Security

By JOHN MARKOFF

The U.S. government should immediately relax export controls on electronic
data coding products and allow the computer, software and telecommunications
industries to set data security standards, a new report urged Thursday.

The report, commissioned by Congress and prepared for the National Research
Council of the National Academy of Sciences, stands in direct opposition to
existing Clinton administration proposals for data security standards and for
linking the relaxation of export controls to the adoption of such standards.

The report calls for the widespread commercial adoption of technologies used
to prevent illegal wiretapping of computer data, telephone, cellular and other
wireless communications. The National Research Council provides science and
technology advice under a Congressional charter.

The report also states that despite creating potential problems for law
enforcement agencies by making it easier for criminals to shield their
communications from government wiretappers, cryptography would also help
prevent crime by sheltering communications and electronic transactions from
the prying eyes of electronic interlopers.

"Without information security, computer crime in this country will rise very
rapidly," said Kenneth Dam, the chairman of the panel that prepared the
report. Dam, deputy secretary of state during the Reagan administration, is
also professor of American and foreign law at the University of Chicago.

The report, industry executives said, is likely to become a key weapon in the
battle between the federal government and industry and civil liberties
groups.

"It echoes things we have been saying for some time," said Jim Bidzos, chief
executive of RSA Data Security Inc., a developer of computer security
software. "The next battleground is going to be Capitol Hill because the
administration isn't going to give up easily."

In particular, the report takes issue with administration efforts to force
the use of data-scrambling systems using "escrowed" keys that would let law
enforcement and intelligence agencies use built-in backdoors to read coded
information.

Cryptography, once used only by spies and the military, has become an
increasingly vital technology for insuring security in electronic commerce and
personal privacy. It relies on the use of mathematical formulas to scramble
electronic information so that it cannot be read without the proper digital
"key."

Key escrow systems like those proposed by the administration in its Clipper
chip program would split the key and have trusted third parties like the
Treasury Department hold parts of it, making it possible for law enforcement
agencies to generate keys without consulting the sources of the data.

As recently as two weeks ago, the administration was pushing for key escrow
coding approaches to data scrambling. A draft White House policy paper has
proposed linking relaxation of export controls to systems that included key
escrowing. The recent paper also indicated that the government was willing to
accept "self-escrow" systems for some large corporations that would allow them
to hold all parts of the keys.

Critics of key escrow management technology note that it can be abused by
agencies that wish to exceed their surveillance authority and that the
technology is vulnerable to a single point of failure. If a so-called master
key is stolen, they say, the entire coding system can be compromised.

Because strong cryptography would complicate the mission of U.S. intelligence
agencies, the federal government currently places tight controls on the
export of software and hardware that offer stronger cryptographic protection
than 40-bit keys.

Such keys are made up of a binary number that is 40 digits long. Computer
experts, however, have shown that even 40-bit keys are vulnerable to attacks.

The report released Thursday, "Cryptography's Role in Securing the
Information Society," calls for dropping stiff export controls on products
that use the Data Encryption Standard, which relies on a 56-bit key and offers
stronger protection against computerized attacks than a 40-bit key.

---
Rohit Khare -- 617/253-5884
Technical Staff, World Wide Web Consortium
NE43-354, MIT LCS, 545 Tech Square, Cambridge, MA 02139