[This is an article from Jim Bidzos of PKP/RSADSI, the makers of the RSA encryption products, opposing the Administration's Clipper chip scheme. First published in Computer underground Digest 6.23]

Date: Tue Mar 8 12:07:47 1994
From jim@RSA.COM
Subject: File 2--Some Thoughts on Clipper (by Jim Bidzos)

SOME THOUGHTS ON CLIPPER, NSA, AND ONE KEY ESCROW ALTERNATIVE

In a recent editorial, Dr. Dorothy Denning of Georgetown University argued in support of the U.S. government's proposed Clipper Chip, a security device that would allow law enforcement to decipher the communications of users of such devices. Dr. Denning attempts to argue that Clipper is necessary for law enforcement agencies to be able to do their job. I'm not going to argue that one; there are plenty of people who can argue that compromising privacy for all citizens in order to aid law enforcement is a bad idea more effectively than I, particularly in the Clipper case, where the arguments from law enforcement are dubious at best. (The current justification is inadequate; there may be better reasons, from a law enforcement perspective, but we haven't heard them yet.)

Without doubt, law enforcement and intelligence are huge stakeholders in the debate over encryption. But every individual and corporation in the U.S. must be included as well. Are NSA's actions really in the best interests of all the stakeholders? Are there alternatives to the current key escrow program?

If one steps back and looks at what has happened over the last few years, one might well question the government's approach with Clipper, if not its motivation, for dealing with this problem. (I believe it may even be possible to conclude that Clipper is the visible portion of a large-scale covert operation on U.S. soil by NSA, the National Security Agency.)

Over a number of years, through their subversion of the Commerce Department (who should be championing the causes of U.S.
industry, not the intelligence agencies), NSA has managed to put many U.S. government resources normally beyond their control, both legally and practically, to work on their program of making U.S. and international communications accessible.

The first step was the MOU (Memorandum of Understanding) between the Commerce Department's National Institute of Standards and Technology (NIST) and the Defense Department's NSA. This document appears to contravene the provisions of the Computer Security Act of 1987, the intent of which was to give NIST control over crypto standards-making for the unclassified government and commercial sectors. The MOU essentially gave NSA a veto over any proposals for crypto standards by NIST.

By using the standards-making authority of NIST, NSA is attempting to force the entire U.S. government to purchase Clipper equipment, since only NIST-standard equipment may be purchased by government agencies. This purchasing power can then be used to force U.S. manufacturers to build Clipper products or risk losing government business. (GSA is currently questioning NSA's authority to control government-wide procurement, and should continue to do so.) This of course not only subsidizes Clipper products, but could make Clipper a de facto standard if the costs associated with alternatives are too high. These costs to industry, of ignoring Clipper, come in the form of lost government market share, costly support for multiple versions of incompatible products, and non-exportability of non-Clipper products.

It also appears that NSA is desperately seeking a digital signature standard that would force users to take that signature capability wrapped up with a Clipper chip. If this is the case, as it appears to be, then NSA is trying to use what is probably the most powerful business tool of the information age as a means to deny us its benefits unless we subsidize and accept Clipper in the process.
This would, if true, be an unprecedented abuse of government power to influence U.S. industry and control individual privacy. (Clipper is part of a chip called Capstone, which is where their proposed digital signature standard would be used.)

The overall cost of these policies is unknown. We only know that NSA has spent a considerable amount of money on the program directly. Other costs are not so obvious. They are:

- A burdened U.S. industry, which will have to build multiple products or more expensive products that support multiple techniques;

- A low-intensity "trade war" with the rest of the world over encryption;

- Lost sales to U.S. companies, since international buyers will surely go to non-U.S. suppliers for non-Clipper encryption, as may buyers in the U.S.;

- Potential abuses by government and loss of privacy for all citizens.

Does NSA truly believe they can displace other methods with Clipper? With over three million licensed, documented RSA products, the technology they feel threatened by, in use in the U.S. today? Not likely; therefore, they have already decided that these costs are acceptable even if they only delay the inevitable, and that U.S. industry and U.S. taxpayers should bear these costs, whatever they are. This policy was apparently developed by unelected people who operate without oversight or accountability. Does the White House really support this policy?

It has been reported that NSA is attempting to gain support from foreign governments for escrow technology, especially if "local control" is provided. Even if NSA can convince their sister organizations around the world to support key escrow (by offering Clipper technology with a do-your-own-escrow option), will these other organizations succeed in selling it to their government, industry and citizens? Most countries around the world have much stronger privacy laws and a longer history of individual privacy than the U.S.

WHY AGAIN WHEN IT DIDN'T WORK THE FIRST TIME?
Many seem to have forgotten or are not aware that the Clipper program is not new, and it's also not the first time NSA has attempted to force communications security on U.S. industry that it could compromise. In the mid-80's, NSA introduced a program called the Commercial COMSEC Endorsement Program, or CCEP. CCEP was essentially Clipper in a black box, since the technology was not sufficiently advanced to build lower-cost chips. Vendors would join CCEP (with the proper security clearances) and be authorized to incorporate classified algorithms into communications systems. NSA had proposed that they themselves would actually provide the keys to end-users of such systems. The new twist is access by key escrow.

To see how little things have changed, consider this quote:

"...RSA Data Security, Inc. asserts that since CCEP-2 is not published and therefore cannot be inspected by third parties, the NSA could put a 'trap door' in the algorithm that would enable the agency to inspect information transmitted by the private sector. When contacted, NSA representative Cynthia Beck said that it was the agency's policy not to comment on such matters."

That was in 1987. ("The Federal Snags in Encryption Technology," Computer and Communications Decisions, July 1987, pp. 58-60.)

To understand NSA's thinking, and the danger of their policies, consider the reply of a senior NSA official when he was asked by a reporter for the Wall Street Journal if NSA, through the CCEP program, could read anyone's communications:

"Technically, if someone bought our device and we made the keys and made a copy, sure we could listen in. But we have better things to do with our time." (The Wall Street Journal, March 28, 1988, page 1, column 1, "A Supersecret Agency Finds Selling Secrecy to Others Isn't Easy," by Bob Davis.)
Another NSA official, in the same Journal story, said "The American Public has no problem with relying on us to provide the technology that prevents the unauthorized launch of nuclear weapons. If you trust us to protect against that, you can trust us to protect private records." Remember that the Cold War was still on at that time.

Law enforcement and intelligence gathering are certainly impeded by the use of cryptography. There are certainly legitimate concerns that these interests have. But is the current approach really the way to gain support from industry and the public? People with a strong military and intelligence bias are making all the decisions. There seem to be better ways to strike a balance.

AN ALTERNATIVE PROPOSAL

One approach would be to have NIST develop a standard with three levels. The first level could specify the use of public-key for key management and signatures without any key escrow. There could be a "Level II" compliance that adds government key escrow to message preparation. "Level III" could be key escrow controlled by the user, typically a corporation.

Would this work? The first level, meeting the standard by itself, would back up the government's claim that key escrow is voluntary; if I want privacy and authentication without key escrow, then I can have it, as the government has claimed I can. Actions speak louder than words.

Why would any vendors support Level II? There would be several reasons. They would find a market in the government, since the government should purchase only Level II products. (I would certainly like our public servants to use key escrow, just as I want work product paid for by my corporation to be accessible. Of course, anyone can buy Level I products for home and personal use.) So the government can still influence the private sector by buying only products that include Level II compliance. Also, Level II products would be decontrolled for export.
This way the market can decide; vendors will do what their customers tell them to. This satisfies the obvious desire on the part of the government to influence what happens with their purchasing power.

Level III would allow any user to insert escrow keys they control into the process. (Level II would not be a prerequisite to Level III.) My company may want key escrow; I, as an individual, may want to escrow my keys with my attorney or family members; a standard supporting these functions would be useful. I don't necessarily want or need the government involved. NIST already knows how to write a FIPS that describes software and hardware implementations, and to certify that implementations are correct.

This approach certainly isn't perfect, but if the administration really believes what it says and means it, then I submit that this is an improvement over a single key escrow FIPS foisted on everyone by NSA, and would stand a much better chance of striking a workable balance between the needs of the government and the right of individuals to privacy. Therefore, it RISKS much less than the current plan.

The real problem with the way NSA works is that we don't find out what they're really doing and planning for decades, even when they're wrong. What if they are? In the 60's and 70's, the CIA was out of control, and the Congress, after extensive hearings that detailed some of the abuses of power by the CIA, finally moved to force more accountability and oversight. In the 80's and 90's, NSA's activities should be equally scrutinized by a concerned Congress.
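The three-level proposal above says who would hold escrowed keys (nobody, government agents, or holders the user names such as an attorney or family members) but not how a key would be held so that no single holder can recover it alone. The Python below is an added illustration, written for this edit and not code from the article or from RSADSI/PKP: it models user-controlled (Level III) escrow with Shamir threshold secret sharing over a prime field, and wraps the three levels in a small record builder. The mechanism (threshold sharing), the field prime, the holder names, the "escrow-agent-A/B" labels for Level II and the function names are all assumptions of this example, not anything the article specifies.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Shares live in the prime field GF(P). P = 2**521 - 1 is a Mersenne prime, large
# enough to hold a 256-bit session key as a single field element. (Assumed choice.)
P = 2**521 - 1

Share = Tuple[int, int]  # (x, y): one point on the secret polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: int, threshold: int, holders: List[str]) -> Dict[str, Share]:
    """Give each named holder one share; any `threshold` of them recover `key`."""
    if not 0 <= key < P:
        raise ValueError("key must be a non-negative integer smaller than P")
    if not 1 <= threshold <= len(holders):
        raise ValueError("threshold must be between 1 and the number of holders")
    if len(set(holders)) != len(holders):
        raise ValueError("holder names must be unique")
    # The constant term is the key; the other coefficients are secret and random,
    # so fewer than `threshold` shares say nothing about the key.
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {name: (x, _eval_poly(coeffs, x)) for x, name in enumerate(holders, start=1)}


def recover_key(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Multiply by the modular inverse of den (Fermat: den^(P-2) mod P).
        key = (key + yi * num * pow(den, P - 2, P)) % P
    return key


def escrow_record(level: int, key: int,
                  holders: Optional[List[str]] = None, threshold: int = 1) -> dict:
    """Escrow portion of a message record for one of the proposal's three levels.

    Level 1: no escrow field at all.
    Level 2: shares go to two government escrow agents (placeholder names).
    Level 3: shares go to holders the user names, with a user-chosen threshold.
    """
    if level == 1:
        return {"level": 1, "shares": {}}
    if level == 2:
        gov_agents = ["escrow-agent-A", "escrow-agent-B"]  # constructed placeholders
        return {"level": 2, "shares": split_key(key, 2, gov_agents)}
    if level == 3:
        if not holders:
            raise ValueError("Level III requires user-chosen escrow holders")
        return {"level": 3, "shares": split_key(key, threshold, holders)}
    raise ValueError("unknown level")


if __name__ == "__main__":
    session_key = secrets.randbits(256)
    # A user escrows a key 2-of-3 among holders of their own choosing (constructed names).
    rec = escrow_record(3, session_key, ["attorney", "spouse", "sibling"], threshold=2)
    two = [rec["shares"]["attorney"], rec["shares"]["sibling"]]
    print("recovered from 2 of 3 shares:", recover_key(two) == session_key)
```

The point of the threshold is that escrow access is a policy decision encoded in arithmetic: with a 2-of-3 split, the user decides which two parties must cooperate before a key is reconstructed, and a single holder's share is a uniformly random field element. A Level II record uses the same code with the holders fixed by the standard rather than by the user, which is exactly the difference the proposal draws between the two levels.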