NIST/NSA/DOJ VIEW OF SKE

_________________________________________________________________

* Summary: NIST meeting 9/6 and 9/7/95
* Communications versus storage
* Open letter to Geoff Greiveldinger, DoJ
* Security companies need a higher moral standard
* Mike Nelson's marketing strategy for CKE
* ...or, you guys will think of something
* A strategy for product development

_________________________________________________________________

NIST (the National Institute of Standards and Technology) held a two-day public meeting on September 6 and 7, 1995 to discuss and refine the criteria and sample system design written up by the NSA (National Security Agency) under which applications or devices using software key escrow cryptography would be allowed to be exported. (Joel McNamara has posted some of the handouts from the NIST SKE Workshop.)

The proposed 10 criteria were discussed by the industry representatives present, and the almost universal conclusion was that the criteria cannot be taken seriously. A representative of IBM set the tone in an early comment from the floor which almost everyone else from industry repeated. He prefaced his remarks with (roughly):

    Let me start by pointing out that my participation in these meetings should not be construed as endorsement of the policy being discussed here.

Privacy groups were less gentle in their criticism. See, for example, the reaction from Marc Rotenberg in the RISKS forum.

As to why these cannot be taken seriously, consider the following example. The maximum key length of an exported cryptosystem is to be 64 bits, but only if the "key escrow" system provides direct access to keys by the covert surveillance forces (law enforcement and NSA) of the United States. This is for an exported system, going to a place where 128-bit IDEA is standard and 168-bit 3-key triple-DES is easily available. So, the foreign customer gets a less powerful algorithm coupled with a US Government side door.
Needless to say, such a system would have no market.

_________________________________________________________________

Communications versus Storage

One theme which emerged early in the 2-day meeting was industry representatives saying that the market wants emergency access to encrypted stored data but has no desire for emergency access to encrypted communications. [If a key is lost during real-time communication, the parties can hang up and call again, with a new key exchange. If e-mail has multiple recipients (counting self as a recipient), then it has built-in emergency access without any added structure. It is stored files for which loss of a key becomes devastating.]

The Government, on the other hand, was interested primarily in getting covert access to encrypted communications. [The group within the FBI interested in access to seized computers (the 'CART'?) was not represented at the meeting.]

I remember observing to a few other participants that this is a long-standing pattern. In the multi-thousand-year dual-source, dual-use history of cryptography, civilians did almost all the encryption of storage while governments did the vast majority of encrypted communications. As one fellow participant noted, this is quite logical. Governments have physical security, including armed forces, for protecting stored data.

_________________________________________________________________

You don't want to make systems which keep a criminal's information private from the government.

In the morning of the second day, Geoff Greiveldinger of the Department of Justice gave a description of the kinds of crimes which DoJ wants to use wiretapping to solve. He closed this litany of lawbreaking with the assertion that software manufacturers don't want to provide products which allow such lawbreakers to keep their criminal evidence hidden from law enforcement.

I'm sorry to have to contradict you, Geoff, but I do want to make such systems.
Would you have American companies stop renting trucks because some terrorist decided to fill one with explosives and kill innocent children? Would you have American companies stop making automobiles because bank robbers have been known to use cars for getaways? Would you have all new buildings constructed with FBI microphones in every wall because some criminals meet in private rooms in order to plan crimes?

When an American company sweeps its conference room for bugs, finds some and destroys them, it doesn't matter whether those bugs were planted by industrial spies or the FBI. The company has a right to eliminate them. When that company ties two such conference rooms together by video-conference equipment and encrypts the line between them using strong link encryption, it is performing the same defensive operation in cyberspace. It is protecting itself from spies, and it doesn't matter that the wiretaps it frustrates might be illegal ones by industrial spies or legal ones by the FBI.

The right to attempt to achieve privacy is a long-standing one in this country, perhaps inalienable and certainly not one for us casually to surrender.

When I design and build systems for privacy for my customers, I am providing products for law-abiding, honest people. I am aware of criminals, of course. Criminals are the threats against whom I protect my customers. These criminals are usually not in the government, but that doesn't mean that I believe I should offer my honest customers up for a strip-search in cyberspace. The law enforcement agencies of this free country have no right to expect blanket access to the ciphertext of citizens. It will take legislation to get that right, and I will do everything in my power to keep such legislation from passing. Barring such legislation, I will make sure that honest American citizens have cryptography with which to attempt to maintain their privacy, even from the government.
We have the right to attempt to keep a secret from government agencies, and continuous demonstration of that right is an important part of this free country.

On the other hand, I am sympathetic to law enforcement officers. I have several friends in that business. I have asked my friends and acquaintances who do surveillance (2 IRS agents investigating organized crime for tax evasion; 2 undercover cops in Boston's highest drug neighborhood; 1 DEA agent in the midwest) if they ever encounter encrypted communications or files. They don't. Neither does anyone in their offices.

Of course, even if they did, it would remain so important to preserve our right to attempt to keep secrets from the government that their frustration would just have to be accepted. The fact that this isn't a real problem makes my decision that much easier. I am left with no moral qualms at all.

In summary, criminals are so few that I will not design for them. I will not treat my vast majority of honest users as if they were criminals just because some criminal might someday use my product and frustrate you. Do you want me to design for that small percentage of customers who are criminals? If so, I should design for the small percentage of the government who are criminals and who misuse wiretaps in spite of the laws which you claim protect us from abuse: specifically, I should attempt to protect my customers from the next instance of J. Edgar Hoover or Richard Nixon.

_________________________________________________________________

A Higher Moral Standard

Like government officials, computer system designers must adhere to a high moral standard. They must avoid not only actual improper actions but also the appearance of impropriety. Look at the trouble Prodigy got into from what was probably a programming error -- allowing left-over, undeleted bytes of an old file to be transmitted with new files.
Look at the damage control which the appearance of potential spying during its registration process caused Microsoft to have to perform.

We who design security products for computers have an even higher moral standard to live up to. Not only must we convince a customer that we are not spying on them for our own commercial purposes, we must convince them that we are not providing an espionage back door (or side door or front door) for various domestic or foreign intelligence agencies, competing companies or private investigative enterprises.

Customers need to trust us. If they discover that we are making deals with an intelligence agency, we end up with major damage control to perform. An agreement to provide government access to a citizen's keys is an immediate black mark. It must be kept fully disclosed, and even then it might be a fatal flaw, preventing adoption of a security product. It might even taint everything produced by the company, not just the compromised product.

_________________________________________________________________

Sell to Chinese dissidents

In the opening session, Mike Nelson of the OSTP (Office of Science and Technology Policy, on the vice president's staff) presented his discussion of the Key Escrow criteria. He was asked who in his right mind would buy a product with a master key escrowed in the U.S., with access by US Law Enforcement. His answer was that a Chinese dissident would be quite happy to have the key escrowed by a US agent, in the US, for US government access -- rather than by a Chinese agent, in China, for Chinese government access.

That's a good plan, Mike. That's a huge market. I'm looking forward to seeing the agreement with the People's Republic under which they allow the importation of such products.

_________________________________________________________________

You guys will think of something

Needless to say, Mike Nelson's marketing plan for CKE wasn't accepted overwhelmingly.
:-) In fact, it inspired a fair amount of derision. So, the question kept coming up.

Thursday morning, Geoff Greiveldinger addressed it during his panel presentation. According to my notes, he observed that the US software industry is good at making products which are attractive to consumers and that he assumed we could make products incorporating US Government access key escrow attractive enough to overcome the negative evaluation some foreign (or domestic) customer might apply because of the US Government access.

This theme has come up before with Mike Nelson. There seems to be a belief in Government circles that we in industry will package the bitter pill of loss of privacy in the honey of an attractive product and thereby accomplish what the Clipper/Capstone initiative failed to accomplish -- widespread US Government Access Cryptography (GAC) among US if not world citizens.

Geoff closed his talk with the observation that the Government is trying this market-driven approach -- selling GAC bundled with something attractive -- and hoping that it will work. Life is easier if it does work, he noted. If it doesn't, .... [He trailed off on that note -- leaving the listener to fill in the blank.]

_________________________________________________________________

A Plan for American Business

It's apparent that it will take many years to change the US export laws. The claim that a correction is just around the corner appears to be just stringing US business along. Meanwhile, if we hold off product development until we learn the new export laws, we are in severe danger of becoming uncompetitive with the industry outside the US (if we're not already uncompetitive).

What we need to do is product development, now. Since it may take many years to have a proper correction of the export laws, we need to give up on export for the purpose of product development. We need to pursue the domestic market and build it.
Then our lobbyists can pursue reform of the export laws in parallel, without paralyzing our development efforts.

The NSA may respond that export reform is just around the corner and that we in industry must be careful not to go down a path which we'll have to abandon when the real export rules come out. They claimed that this time, but presented us with a set of criteria which would make compliant products all but impossible to sell overseas. As far as we can tell, this process is a ruse -- a stall -- to prevent us from doing product development.

I contend that what we will learn from actual development of the domestic market will be valuable education for the next round of products once the export rules are relaxed. Meanwhile, we will have developed a real market -- the domestic one -- not as large as the world market, but not to be ignored. And, if the lobbyists ever break the export laws free from the NSA, we would have product worth shipping.

_________________________________________________________________

Carl Ellison --- cme@acm.org
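The Communications versus Storage section above notes that e-mail sent to multiple recipients, the sender included, already carries built-in emergency access for stored data. The following Python example is added here and is not part of Ellison's original note; it shows that envelope structure: one message key wrapped once per recipient, so that losing any one recipient's key (Bob's, in the constructed scenario) leaves the data recoverable by the others without any escrow agent. The wrapping stream (HMAC-SHA256 in counter mode) is a stand-in constructed for this illustration rather than a vetted cipher, and the names, keys and message are made up.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode stream built from HMAC-SHA256. Illustration only:
    # a real system would use a vetted AEAD such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_nonce(nonce: bytes, name: str) -> bytes:
    # Per-recipient nonce so each wrapped copy of the message key differs.
    return hashlib.sha256(b"wrap" + nonce + name.encode()).digest()[:16]

def seal(plaintext: bytes, recipient_keys: dict) -> dict:
    # One random message key encrypts the body; that key is then wrapped
    # separately under every recipient's long-term key, sender included.
    msg_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    body = xor(plaintext, keystream(msg_key, nonce, len(plaintext)))
    wrapped = {name: xor(msg_key, keystream(kek, wrap_nonce(nonce, name), 32))
               for name, kek in recipient_keys.items()}
    return {"nonce": nonce, "body": body, "wrapped": wrapped}

def open_as(env: dict, name: str, kek: bytes) -> bytes:
    # Any listed recipient recovers the message key from its own wrapped copy.
    stream = keystream(kek, wrap_nonce(env["nonce"], name), 32)
    msg_key = xor(env["wrapped"][name], stream)
    return xor(env["body"], keystream(msg_key, env["nonce"], len(env["body"])))

def recover_after_key_loss() -> bytes:
    # Constructed scenario: Alice sends to herself and Bob; Bob's key is lost.
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    env = seal(b"Q3 budget draft (constructed sample)", keys)
    del keys["bob"]  # Bob's key is gone; Alice's own copy still unlocks the file
    return open_as(env, "alice", keys["alice"])

if __name__ == "__main__":
    print(recover_after_key_loss())
```

The point the section makes is visible in the envelope: recovery comes from the extra wrapped copy held by a party the sender chose, not from a third-party escrow agent.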