Date: Wed, 13 Sep 1995 19:19:15 -0700 Subject: Ron Plesser's take on NIST GAK meeting _________________________________________________________________ PIPER & MARBURY L.L.P. Memorandum To: Interested Parties From: Ron Plesser Date: September 11, 1995 Subject: NIST Key Escrow Encryption Meeting The National Institute of Standards and Technology on September 6 and 7 held a meeting on issues regarding key escrow encryption, focusing on export criteria for software and desirable characteristics for U.S. key escrow agents. Ten draft software key escrow export criteria were put forth by NIST for consideration and possible revision (see below). Key escrow encryption is the recent Administration proposal for an alternative to Clipper Chip, which industry opposed. Key escrow would, in the Administration's view, allow the export of software with strong encryption. In summary, the government would permit the general licensing of 64-bit-key encryption provided that it be manufactured with a key that would be maintained by independent escrow agents who were certified by the U.S. government. Foreign escrow agents could be used where there was a bi-lateral agreement with the particular country involved. NIST Deputy Director Ray Kammer provided an overview of the goals of the meeting, and said that NIST plans to issue a Federal Register notice containing a "revised set of thoughts" in three weeks. There will be a 60-day comment period following publication of the revised principles in the Federal Register. The NIST will then review the comments received and determine whether there is enough consensus to proceed. There will be additional meetings on September 15, 1995 to discuss the Federal government's requirements for its own information processing standards for key escrow encryption. This meeting will take place at the Gaithersburg, Maryland Hilton Hotel from 9:00 a.m. to 5:00 p.m. It was clear from the meeting, both in presentations and conversation during breaks, that most computer systems and certainly those used by large entities will have key escrow systems for encryption. There was even a person who spoke who said that they are doing this now. Many people at the meeting acknowledged that key escrow would be implemented at some point for domestic as well as for exported programs. The issue is who would hold the key. For example, could a company hold its own keys or could an independent agent be used? The people who create mass market software, however, still expressed significant opposition to key escrow. While the government went to some length to express that this solution is neutral as to software or hardware, it has to be acknowledged that hardware-based systems are easier to control. The subject that was not well discussed was encryption in relation to network services and the internet. It was discussed in relation to the issues of interoperability and the ability to decrypt both sides of a communication. The assumption that I and others had at the outset was that the Administration had made progress in the last year in raising itself from the ashes of Clipper Chip. By the end of the meeting that was not altogether clear. There will remain a great deal of controversy surrounding this issue. Congress is sure to get involved and it will get messier before it gets resolved. Administration Comments Mike Nelson, who is special assistant for information technology to the White House Office of Science and Technology Policy and co-chair of the inter-agency working group on encryption, provided a historical overview of the data encryption issue. He said that the proposed 64-bit-key encryption is 17 million times stronger than the 40-bit-key encryption currently allowed to be exported. Under the proposed policy, software with 64-bit-key encryption could be exported to friendly countries under certain conditions, all of which require that a key to that encryption be available in the U.S. from an independent third-party. Mr. Nelson stated that the new policy will open up new market opportunities for the U.S. computer software industry, and that key escrow has the potential to become a de facto global standard. The Administration policy for 40-bit-key encryption will continue as-is, and no keys will have to be escrowed for such systems. Mr. Nelson said that the government's main concern is that strong encryption products not be available in the mass market. In response to questioning, Mr. Nelson stated that the 64-bit-key limit is being imposed because the government is not certain that the key escrow system will work. Once the system is up and running, longer keys may be allowable. He said that the draft criteria are based on national security needs, and that they were pushed as far as possible to meet commercial needs. Mr. Nelson added that the Administration is discussing the possibility of federal legislation with Hill staff to avoid varying state laws on encryption. Industry Perspectives General reaction was mixed to the government's proposal. Most heavy industrial and commercial users of encryption seemed accepting of the Administration's position. To them this meant greater flexibility and would mean that most larger systems could get export licenses for 64-bit-key systems and this would expand the capacity to sell larger systems abroad. This position was exemplified by Trusted Information Systems (TIS), representatives of which spoke several times. In a presentation, Peter Dinsmore of TIS offered restatements of the criteria to make them more commercially viable, and a set of "criteria for the criteria," which are as follows: 1) don't specify commercial criteria, 2) don't exceed the minimum, 3) don't allow criteria creep, 4) don't solve the dual-rogue problem, 5) don't over protect, and 6) use generic nomenclature. He recommended that criteria six and nine be removed altogether, a view that was echoed by other participants. The mass market software industry and the public interest groups were very opposed to the Administration proposal. They do not believe that 64-bit key is sufficient, and they do not believe that anyone will buy U.S.-manufactured software with a key that is to be held by a third party under at least some control by the government. There was a fair amount of confusion on the issue at the meeting, but it now seems clear that the government would permit foreign escrow where there are bi-lateral agreements with friendly nations. In a presentation, Bob Holleyman of the Business Software Alliance criticized the Administration's failure to "liberalize export controls on generally available software employing non-key escrow encryption." Also, he stated that the Administration's proposal and the draft criteria "continue to reflect a misunderstanding of the market place and, if implemented in anything like their current form, will prevent key escrow encryption from ever being commercially adopted." Mr. Holleyman recommended a number of features for a marketable system, including a variety of encryption algorithms using at least 64-bit keys and user specification of a key holder. In addition, the representative of MCI strongly objected to the proposal as an incursion into the private sector and as an impediment to the development of a strong information infrastructure. Encryption guru Whit Diffie of Sun Micro Systems and others objected to the proposal. Danny Weitzner of the Center for Democracy and Technology said that CDT was going to go to Congress and object to the implementation of this proposal. They thought that it was a bad deal and the government should not be placed in the position of directing standards and requiring back doors into encryption systems. Discussion of Criteria Six, Seven and Eight Following the industry presentations, participants divided into groups to discuss various criteria. The group that discussed criteria six, seven and eight made the following observations and recommendations. There seemed to be universal objection to criterion six. This would limit the interoperability of systems. It effectively states that exported 64-bit key cannot be used to decrypt messages that were encrypted with a higher value. This would make it very difficult for U.S. companies to interact with foreign subsidiaries. The internet would find great difficulty in connection with this criteria. Regarding criterion seven, concern was raised that in the context of e-mail, it would be onerous to do key escrow for every transmission. Concern also was raised about maintaining the integrity of intellectual property in instances in which the escrow agent is in a foreign country. In effect, when one chooses an escrow center, one also is selecting a legal system. A request was made for a supplemental document explaining applicable existing laws. Concern was raised that all of the criteria are focused on the voice communication paradigm, rather than on the dynamic data communications environment. Laws also are focused on this paradigm, and law moves slowly whereas computer technology moves rapidly. In addition, the criteria do not address varying international laws on issues such as privacy. Companies will have to comply with the laws of the strictest countries. Concern was raised that privacy considerations are not as apparent in the criteria as ease of access by law enforcement agencies. Also, innocent parties could be de-escrowed. In addition, it was emphasized that encryption must not interfere with use of existing software. Information was requested on two encryption schemes, Banker's Trust and Fortress. It was recommended that the TIS restatement of criterion seven be adopted. This restatement is as follows: "The key escrow mechanism allows access to both sides of a simultaneous (i.e., two-way) communication with only access to the decrypting information from one of the users." It also was recommended that for bi-directional communications, both parties negotiate a common key and escrow it, and that for one way communications, the sender select the escrow key. Regarding criterion eight, it was agreed that the technology issues, international issues, and privacy issues are the same as those for criterion seven. It was noted that certain implementations would require escrowing of the session key, which is unrealistic. It was agreed that with one court order, law enforcement agencies should have the ability to decrypt a stream of messages. However, there must be a time limit on decryption. It was agreed that agents should be able to implement an automated system. General Review/Comments on All Criteria Industry and government representatives met less formally with the objective of reviewing each of the criteria and attempting to reconcile differences. However, this did not occur; instead, broader issues were discussed. There was a certain amount of tension during this session, as each side complained that the other did not understand its needs. Industry members said that it seemed that implementation of the draft criteria, or a version thereof, is a foregone conclusion on the part of government, without industry input concerning the entire concept. Specifically, industry members challenged the 64-bit maximum as being arbitrary and unnecessary. They said that although 56-bit encryption was discussed with government last year, technology moves rapidly, and now 64 bits are not enough. A NIST representative countered that the National Security Agency is "putting a big card on the table" with 64 bits. Industry members also protested that the criteria do not meet the needs of the global marketplace. Consumers will not buy products designed to meet these criteria because they already have access to 64-bit encryption with no keys either free or at a low cost. They argued that the scope of the criteria (e.g., criterion nine) is broader than the stated objective of exportability, and requested more information as to why each criterion is being proposed. Concern also was raised that foreign countries with bi-lateral agreements with the U.S. will act against U.S. key escrow agents. Also, industry will not know the terms of these agreements. Export Procedures Officials of Department of State and the Department of Commerce explained in general terms how this program would work. Each application would go first to the State Department for a jurisdictional certification on technical aspects. If State were satisfied that the criteria had been met, then it would certify the application over to the Commerce Department for general licensing procedures. There would also be an escrow package, that would have to be certified. It was not clear who would control the certification of escrow agents. Escrow Agents The issue of who could be an escrow agent and how they would be controlled was discussed, but not resolved. The issues of liability for wrongful release, the conditions of release, and related questions were not resolved. It seemed clear to me that escrow agents would have to be independent of the user entity. If this law firm were to use an encryption package in its London office, the key would have to be placed with a third party. Conclusion While no issues were resolved at the meeting, it provided a valauble forum for the exchange of ideas between government and industry. Focus now turns to Congress, and to the crafting of a constructive response to the upcoming Federal Register notice. The Administration seems open to changes. The mass market software industry and the public interest community seem negative. We will continue to keep you informed.