From: whitfield.diffie@Eng.Sun.COM Date: Fri, 6 May 1994 at 08h04 Key Escrow: Its Impact and Alternatives Testimony of Dr. Whitfield Diffie Distinguished Engineer Sun Microsystems, Inc. Before the Subcommitee on Technology and the Law of the Senate Judiciary Committee 3 May 1994 Dr. Diffie is also testifying on behalf of the Digital Privacy and Security Working Group, a group of more than 50 computer, communications and public interest organizations and associations working on communications privacy issues. I would like to begin by expressing my thanks to the chairman, the members of the committee, and the committee staff for the chance not only of appearing before this committee, but of appearing in such distinguished company. It is a pleasure to be able to present not only my own concerns and those of Sun Microsystem, but to have the opportunity of representing the Digital Privacy and Security Working Group. I think it is also appropriate to say a few words about my experience in the field of communication security. I first began thinking about cryptography while working at Stanford University in the late summer of 1972. This subsequently brought me into contact with Professor Martin E. Hellman of the Electrical Engineering Department. Marty and I worked together throughout the mid-1970s and discovered the family of techniques now known as public key cryptography. It is these techniques that are directly responsible for the issue before the committee today. Prior to public key cryptography, any large scale cryptographically secure system required trusted elements with the fundamental capability of decrypting any message protected by the system. Public key cryptography eliminated the need for network subscribers to place this level of trust in any network element. In so doing, it potentially reduced the subscribers' vulnerability to government wiretapping. It is this vulnerability that the Escrowed Encryption Initiative, seeks to reintroduce. In 1978, I walked through the revolving door from academia to industry and for a dozen years was `Manager of Secure Systems Research' at Northern Telecom. In 1991, I took my present position with Sun Microsystems. This has allowed me an inside look at the problems of communication security from the viewpoints of both the telecommunications and computer industries. The Key Escrow Program Just over a year ago, the Administration revealed plans for a program of key escrow technology best known by the name of its flagship product the Clipper chip. The program's objective is to promote the use of cryptographic equipment incorporating a special back door or trap door mechanism that will permit the Federal Government to decrypt communications without the knowledge or consent of the communicating parties when it considers this necessary for law enforcement or intelligence purposes. In effect, the privacy of these communications will be placed in escrow with the Federal Government. The committee has asked me to address myself to this proposal and in particular to consider three issues: o Problems with key escrow, particularly in the area of privacy. o The impact of the key escrow proposal on American business both at home and abroad. o Alternatives to key escrow. Scope In the course of discussing the key escrow program over the past year, I have often encountered a piecemeal viewpoint that seeks to take each individual program at face value and treat it independently of the others. I believe, on the contrary, that it is appropriate to take a broad view of the issues. The problem confronting us is to assess the advisability of key escrow and its impact on our society. This requires examining the effect of private, commercial, and possibly criminal use of cryptography and the advisability and effect of the use of communications intelligence techniques by law enforcement. In doing this, I will attempt to avoid becoming bogged down in the distinctions between the Escrowed Encryption Standard (FIPS185) with its orientation toward telephone communications and the CAPSTONE/TESSERA/MOSAIC program with its orientation toward computer networks. I will treat these, together with the Proposed Digital Signature Standard and to a lesser extent the Digital Telephony Proposal, as a unified whole whose objective is to maintain and expand electronic interception for both law enforcement and national security purposes. Privacy Problems of Key Escrow When the First Amendment became part of our constitution in 1791, speech took place in the streets, the market, the fields, the office, the bar room, the bedroom, etc. It could be used to express intimacy, conduct business, or discuss politics and it must have been recognized that privacy was an indispensable component of the character of many of these conversations. It seems that the right --- in the case of some expressions of intimacy even the obligation --- of the participants to take measures to guarantee the privacy of their conversations can hardly have been in doubt, despite the fact that the right to speak privately could be abused in the service of crime. Today, telephone conversations stand on an equal footing with the venues available in the past. In particular, a lot of political speech --- from friends discussing how to vote to candidates planning strategy with their aides --- occurs over the phone. And, of all the forms of speech protected by the first amendment, political speech is foremost. The legitimacy of the laws in a democracy grows out of the democratic process. Unless the people are free to discuss the issues --- and privacy is an essential component of many of these discussions --- that process cannot take place. There has been a very important change in two hundred years, however. In the seventeen-nineties two ordinary people could achieve a high degree of security in conversation merely by the exercise of a little prudence and common sense. Giving the ordinary person comparable access to privacy in the normal actions of the world today requires the ready availability of complex technical equipment. It has been thoughtlessly said, in discussions of cryptographic policy, that cryptography brings the unprecedented promise of absolute privacy. In fact, it only goes a short way to make up for the loss of an assurance of privacy that can never be regained. As is widely noted, there is a fundamental similarity between the power of the government to intercept communications and its ability to search premises. Recognizing this power, the fourth amendment places controls on the government's power of search and similar controls have been placed by law on the use of wiretaps. There is, however, no suggestion in the fourth amendment of a guarantee that the government will find what it seeks in a search. Just as people have been free to to protect the things they considered private, by hiding them or storing them with friends, they have been free to protect their conversations from being overheard. The ill ease that most people feel in contemplating police use of wiretaps is rooted in awareness of the abuses to which wiretapping can be put. Unlike a search, it is so unintrusive as to be invisible to its victim and this inherently undermines accountability. Totalitarian regimes have given us abundant evidence that the use of wiretaps and even the fear of their use can stifle free speech. Nor is the political use of electronic surveillance a strictly foreign problem. We have precedent in contemporary American history for its use by the party in power in its attempts to stay in power? The essence of the key escrow program is an attempt use the buying power and export control authority of government to promote standards that will deny ordinary people ready options for true protection of their conversations. In a world where more and more communication take place between people who frequently can not meet face to face, this is a dangerous course of action. The objections raised so far apply to the principle of key escrow. Objections can also be raised to details of the present proposal. These deal with the secrecy of the algorithm, the impact on security of the escrow mechanism, and the way in which the proposal has been put into effect. Secrecy of the SKIPJACK Algorithm An objection that has been raised to the current key escrow proposal is that the cryptographic algorithm used in the Clipper Chip is secret and is not available for public scrutiny. One counter to this objection is that the users of cryptographic equipment are neither qualified to evaluate the quality of the algorithm nor, with rare exceptions, interested in attempting the task. In a fundamental way, these objections miss the point. Within the national security establishment, responsibility for communication security is well understood. It rests with NSA. In industry, the responsibility is far more diffuse. Individual users are not typically concerned with the functioning of pieces of equipment. They acquire trust through a complex social web comprising standards, corporate security officers, professional societies, etc. A classified standard foisted on the civilian sector will have only one element of this process, Federal endorsement. One consequence of the use of a classified algoritym that is of particular concern to industry is the fact that the algorithm is only available in tamper resistant hardware. Software is one of the most flexible and economical ways of building products known. In typical computer engineering practice, the additional expense of implementing functions in hardware is only undertaken when the speed of software in not adequate for the task. Often in these cases, more expensive, higher performance, hardware implementations interoperate with less expensive, lower performance versions. Having a standard that can only be implemented in hardware will increase costs and damage interoperability. Security Problems with Key Escrow From the viewpoint of a user, any key escrow system diminishes security. It puts potential for access to the user's communications in the hands of an escrow agent who's intentions, policies, security capabilities, and future cannot be entirely known. In the context of modern secure telephone systems, the contrast between escrowed and unescrowed communications is particularly stark. In the process of setting up a secure call, modern secure telephones manufacture cryptographic keys that will be used for the protection of one and only one call and will be erased after the call is complete. Public key cryptography has made it possible to do this in such a way that these keys, once erased, can never be recovered. This give the users a degree of privacy similar to that in a face to face meeting. The effect of key escrow is much like having a tape recorder on throughout the meeting. Even if the tapes are very carefully protected, the people whose words they hold can never be certain that they will not someday be played to a much wider audience. There are also specific vulnerabilities associated with the present proposal. The Skipjack algorithm uses 80-bit keys. If it is as good as NSA claims, cryptanalyzing it will require searching through all these keys or doing about a million billion billion encryptions. This makes it sixteen million times as hard to break as DES. A telephone conversation would have to be valuable indeed to justify the expense of such a computation and it is quite plausible that this is entirely infeasible today. The problem is that in creating the Law Enforcement Access Field, or LEAF that implements key escrow, the Clipper chip also uses 80-bit keys. This means that in order to be able to decode everything ever encrypted by a Clipper chip it is only necessary to do a little more than twice as much work as would be required to read any one message --- one cryptanalysis to recover a Session Key followed by one to recover the Device Unique Key. A third cryptanalysis is needed to obtain the Family Key, but this need be done only once, since it is the same in all chips. The process is conceptually straightforward. 1. Starting with a set of messages encrypted with a particular Clipper chip cryptanalyze the LEAF fields, by trying every key, until a key is found that produces a well formed plaintext from every LEAF. This works because the LEAF specifically includes an authenticator designed to make well formed LEAFs recognizable. Once the Family Key has been found it can be used in attacking any Clipper Chip and this process need not be repeated. 2. Pick a message and decrypt its LEAF with the family key. Eighty bits of the result form a cryptogram whose plaintext is the Session Key used to encrypt the message. Decrypt this field with every key in turn. Try decrypting the message with each resulting 80-bit quantity to see if it is the correct session key. When the correct session key is discovered, the key that produced it will be the correct Device Unique Key. 3. The combination of the Family Key and the Device Unique Key can now be used to read any message ever encrypted by the Clipper chip under attack. It might be argued that the scenario described above requires knowing the SKIPJACK algorithm and the LEAF creation method, both of which are classified. It is an article of faith, however, in communications security that nothing that stays constant for a long period of time can be counted on to remain secret. With the passage of time, the chances that the chips will be reverse engineered increases. Irregularities in Adoption of the Standard Finally, there are disturbing aspects to the development of the key escrow FIPS. Under the Computer Security Act of 1987, responsibility for security of civilian communications rests with the National Institute of Standards and Technology. Pursuant to this statute, the Escrowed Encryption Standard appeared as Federal Information Processing Standard 185, under the auspices of the Commerce Department. Apparently, however, authority over the secret technology underlying the standard and the documents embodying this technology, continues to reside with NSA. We thus have a curious arrangement in which a Department of Commerce standard seems to be under the effective control of a Department of Defense agency. This appears to violate at least the spirit of the Computer Security Act and strain beyond credibility its provisions for NIST's making use of NSA's expertise. Impact on Business Business today is characterized by an unprecedented freedom and volume of travel by both people and goods. Ease of communication, both physical and electronic, has ushered in an era of international markets and multinational corporations. No country is large enough that its industries can concentrate on the domestic market to the exclusion of all others. When foreign sales rival or exceed domestic ones, the structure of the corporation follows suit with new divisions placed in proximity to markets, materials, or labor. Security of electronic communication is as essential in this environment as security of transportation and storage have been to businesses throughout history. The communication system must ensure that orders for goods and services are genuine, guarantee that payments are credited to the proper accounts, and protect the privacy of business plans and personal information. Two new factors are making security both more essential and more difficult to achieve. The first is the rise in importance of intellectual property. Since much of what is now bought and sold is information varying from computer programs to surveys of customer buying habits, information security has become an end in itself rather than just a means for ensuring the security of people and property. The second is the rising demand for mobility in communications. Traveling corporate computer users sit down at workstations they have never seen before and expect the same environment that is on the desks in their offices. They carry cellular telephones and communicate constantly by radio. They haul out portable PCs and dial their home computers from locations around the globe. With each such action they expose their information to threats of eavesdropping and falsification barely known a decade ago. Because this information economy is relentlessly global, no nation can successfully isolate itself from international competition. The communication systems we build will have to be interoperable with those of other nations. A standard based on a secret American technology and designed to give American intelligence access to the communications it protects seems an unlikely candidate for widespread acceptance. If we are to maintain our leading position in the information market places, we much give our full support to the development of open international security standards that protect the interests of all parties fairly. Potential for Excessive Regulation The key escrow program also presents the specter of increased regulation of the design and production of new computer and communications products. FIPS185 states that `Approved implementations may be procured by authorized organizations for integration into security equipment.' This raises the question of what organizations will be authorized and what requirements will be placed upon them? Is it likely that people prepared to require that surveillance be built into communication switches would shrink from requiring that equipment make pre-encryption difficult as a condition for getting `approved implementations'? Such requirements have been imposed as conditions of export approval for security equipment. Should industry's need to acquire tamper resistant parts force it to submit to such requirements, key escrow will usher in an era of unprecedented regulation of American development and manufacturing. Alternatives to Key Escrow It is impossible to address the issue of alternatives to key escrow, without asking whether there is a problem, what the problem is and what solution, if any, the problem requires. In recent testimony before this committee, the FBI has portrayed communications interception as an indispensable tool of police work and complained that the utility of this tool is threatened by developments in modern communications. This testimony, however, uses the broader term `electronic surveillance' almost exclusively and appears to include some cases in which the electronic surveillance consisted of bugs rather than wiretaps. Although the FBI testimony speaks of numerous of convictions, it names not a single defendant, court, case, or docket number. This imprecision makes adequate study of the testimony impossible and leaves open two issues: the effectiveness of communications interception in particular and that of electronic surveillance in general. On balance, it appears more likely that the investigative and evidential utility of wiretaps is rising than that it is falling. This is partly because criminals, like law abiding citizens, do more talking on the phone these days. It is partly because modern communication systems, like ISDN, provide much more information about each call, revealing where it came from in real time even when it originated a long way away. This detailed information about who called whom, when, and for how long, that modern switches provide, improves the PEN register and trap and trace techniques that police use to map the extent of criminal conspiracies. It is unaffected by any encryption that the callers may apply. With respect to other kinds of electronic surveillance, the picture for law enforcement looks even brighter. Miniaturization of electronics and improvements in digital signal processing are making bugs smaller, improving their fidelity, making them harder to detect, and making them more reliable. Forms of electronic surveillance for which no warrant is held to be necessary, particularly TV cameras in public places, have become widespread. This creates a base of information that was, for example, used in two distinct ways in the Tylenol poisoning case of the mid-1980s. Broadening the consideration of high tech crime fighting tools to include vehicle tracking, DNA fingerprinting, individual recognition by infrared tracing of the veins in the face, and database profiling, makes it seem unlikely that the failures of law enforcement are due to the inadequacy of its technical tools. If we turn our attention to foreign intelligence, we see a similar picture. Communications intelligence today is enjoying a golden age. The steady migration of communications from older, less accessible, media, both physical and electronic, has been the dominant factor. The loss of information resulting from improvements in security has been consistently outweighed by the increased volume and quality of information available. As a result, the communications intelligence product has been improving for more than fifty years, with no end in sight. The rising importance of telecommunications in the life of industrialized countries coupled with the rising importance of wireless communications, can be expected to give rise to an intelligence bonanza in the decades to come. Mobile communication is one of the fastest growing areas of the telecommunications industry and the advantages of cellular phones, wireless local area networks, and direct satellite communication systems are such that they are often installed even in applications where mobility is not required. Satellite communications are in extensive use, particularly in equatorial regions and cellular telephone systems are being widely deployed in rural areas throughout the world in preference to undertaking the substantial expense of subscriber access wiring. New technologies are also opening up new possibilities. Advances in emitter identification, network penetration techniques, and the implementation of cryptanalytic or crypto-diagnostic operations within intercept equipment are likely to provide more new sources of intelligence than are lost as a result of commercial use of cryptography. It should also be noted that changing circumstances change appropriate behavior. Although intelligence continues to play a vital role in the post cold war world, the techniques that were appropriate against an opponent capable of destroying the United States within hours may not be appropriate against merely economic rivals. If, however, that we accept that some measure of control over the deployment of cryptography is needed, we must distinguish two cases: The use of cryptography to protect communications and The use of cryptography to protect stored information. It is good security practice in protecting communications to keep any keys that can be used to decipher the communications for as short a time as possible. Discoveries in cryptography in the past two decades have made it possible to have secure telephones in which the keys last only for the duration of the call and can never be recreated, thereafter. A key escrow proposal surrenders this advantage by creating a new set of escrowed keys that are stored indefinitely and can always be used to read earlier traffic. With regard to protection of stored information, the situation is quite different. The keys for decrypting information in storage must be kept for the entire lifetime of the stored information; if they are lost, the information is lost. An individual might consider encrypting files and trusting the keys to memory, but no organization of any size could risk the bulk of its files in this fashion. Some form of key archiving, backup, or escrow is thus inherent in the use of cryptography for storage. Such procedured will guarantee that encrypted files on disks are accessible to subpoena in much the same way that file on paper are today. Many business communications, such as electronic funds transfers, fall into an intermediate category. Although the primary purpose is communication rather than storage, the transactions are of a formal nature. In these cases, an escrow mechanism much like those in current commercial use may be appropriate. In a high value transaction, where the buyer and seller do not have an established business relationship, either party may demand the use of a mutually trusted escrow agent who will take temporary custody of both the goods and the payment. In a similar fashion, either party to an encrypted transaction might demand that only keys escrowed with a mutually acceptable escrow agent be used. What is most important here is that the laws, customs, and practices governing electronic commerce and, in a broader context, electronic society are just beginning to develop. It is likely that escrow mechanisms will be among the tools employed. It is, however, too early to say what form they should take. They will need to be worked out as society gets more experience with the new communications media. They should not be imposed by government before society's real needs have been determined. Conduct of the Key Escrow Initiative In my experience, the people who support the key escrow initiative are inclined to express substantial trust in the government. I find it ironic therefore that in its conduct of this program, the administration has followed a course that could hardly have been better designed to provoke distrust. The introduction of mechanisms designed to assure the governments ability to conduct electronic surveillance on its citizens and limit the ability of the citizens to protect themselves against such surveillance is a major policy desision of the information age. It has been presented, however, as a technicality, buried in an obscure series of regulations. In so doing, it has avoided congressional consideration of either its objectives or its budget. The underlying secrecy of the technology has been used as a tool for doleing out information piecemeal and making a timely understanding of the issues difficult to achieve. Suppose We Make a Mistake In closing, I would like to ask a question. Suppose we make a mistake? o Suppose we fail to adopt a key excrow system and later decide that one is needed? o Suppose we adopt a key escrow system now when none is needed? Which would be the more serious error? It is generally accepted that rights are not absolute. If private access to high-grade encryption presented a clear and present danger to society, there would be little political opposition to controlling it. The reason there is so much disagreement is that there is so little evidence of a problem. If allowing or even encouraging wide dissemination of high-grade cryptography proves to be a mistake, it will be a correctable mistake. Generations of electronic equipment follow one another very quickly. If cryptography comes to present such a problem that there is popular consensus for regulating it, this will be just as possible in a decade as it is today. If on the other hand, we set the precedent of building government surveillance capabilities into our security equipment we risk entrenching a bureaucracy that will not easily surrender the power this gives. Recommendation In light of these considerations, I would like to suggest that the Federal Standards making process should be brought back into line with the intent of the Computer Security Act of 1987. Congres should press the National Institute of Standards and Technology, with the cooperation of the National Security Agency, to declassify the SKIPJACK algorithm and issue a revised version of FIPS 185 that specifies the algorithm and omits the key escrow provisions. This would be a proper replacement for FIPS 46, the Data Encryption Standard, and would serve the needs of the U.S. Government, U.S. industry, and U.S. citizens for years to come. Notes I have examined some aspects of the subjects treated here at greater length in other testimony and comments and copies of these have been made available to the committee. ``The Impact of Regulating Cryptography on the Computer and Communications Industries'' Testimony Before the House Subcommittee on Telecommunications and Finance, 9 June 1993. ``The Impact of a Secret Cryptographic Standard on Encryption, Privacy, Law Enforcement and Technology'' Testimony Before the House Subcommittee on Science and Technology, 11 May 1993 Letter to the director of the Computer Systems Laboratory at the National Institute of Standards and Technology, commenting on the proposed Escrowed Encryption Standard, 27 September 1993.