From comp.society Mon Apr 19 15:23:29 1993 Path: utcsri!utnut!cs.utexas.edu!usc!howland.reston.ans.net!paladin.american.edu!auvm!socicom Message-ID: <9304170307.AB01517@csb1.nlm.nih.gov> Date: Fri, 16 Apr 1993 16:20:19 EST From: David Sobel Organization: CPSR Civil Liberties and Computing Project Subject: White House Crypto Statemen Approved: socicom@auvm.american.edu 04/17/93 20:40:15 Sender: socicom@auvm.american.edu Newsgroups: comp.society Lines: 271 THE WHITE HOUSE Office of the Press Secretary ____________________________________________________ For Immediate Release April 16, 1993 STATEMENT BY THE PRESS SECRETARY The President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement. The initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links. For too long there has been little or no dialogue between our private sector and the law enforcement community to resolve the tension between economic vitality and the real challenges of protecting Americans. Rather than use technology to accommodate the sometimes competing interests of economic growth, privacy and law enforcement, previous policies have pitted government against industry and the rights of privacy against law enforcement. Sophisticated encryption technology has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals. A state-of-the-art microcircuit called the "Clipper Chip" has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals. A "key-escrow" system will be established to ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique 2 "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorization to conduct a wiretap. The "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. To demonstrate the effectiveness of this new technology, the Attorney General will soon purchase several thousand of the new devices. In addition, respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their findings. The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities. In order to assess technology trends and explore new approaches (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption that accommodates: -- the privacy of our citizens, including the need to employ voice or data encryption for business purposes; -- the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens; -- the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and -- the need of U.S. companies to manufacture and export high technology products. The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed. 3 The Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice. Since encryption technology will play an increasingly important role in that infrastructure, the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law. Further information is provided in an accompanying fact sheet. The provisions of the President's directive to acquire the new encryption technology are also available. For additional details, call Mat Heyman, National Institute of Standards and Technology, (301) 975-2758. - - --------------------------------- QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S TELECOMMUNICATIONS INITIATIVE Q: Does this approach expand the authority of government agencies to listen in on phone conversations? A: No. "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. Q: Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message? A: They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation of this authorization to the two entities responsible for safeguarding the keys and obtain the keys for the device being used by the drug smugglers. The key is split into two parts, which are stored separately in order to ensure the security of the key escrow system. Q: Who will run the key-escrow data banks? A: The two key-escrow data banks will be run by two independent entities. At this point, the Department of Justice and the Administration have yet to determine which agencies will oversee the key-escrow data banks. Q: How strong is the security in the device? How can I be sure how strong the security is? A: This system is more secure than many other voice encryption systems readily available today. While the algorithm will remain classified to protect the security of the key escrow system, we are willing to invite an independent panel of cryptography experts to evaluate the algorithm to assure all potential users that there are no unrecognized vulnerabilities. Q: Whose decision was it to propose this product? A: The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision. This approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials. Q: Who was consulted? The Congress? Industry? A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative. Q: Will the government provide the hardware to manufacturers? A: The government designed and developed the key access encryption microcircuits, but it is not providing the microcircuits to product manufacturers. Product manufacturers can acquire the microcircuits from the chip manufacturer that produces them. Q: Who provides the "Clipper Chip"? A: Mykotronx programs it at their facility in Torrance, California, and will sell the chip to encryption device manufacturers. The programming function could be licensed to other vendors in the future. Q: How do I buy one of these encryption devices? A: We expect several manufacturers to consider incorporating the "Clipper Chip" into their devices. Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices? A: This is a fundamental policy question which will be considered during the broad policy review. The key escrow mechanism will provide Americans with an encryption product that is more secure, more convenient, and less expensive than others readily available today, but it is just one piece of what must be the comprehensive approach to encryption technology, which the Administration is developing. The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S. saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques. Q: What does this decision indicate about how the Clinton Administration's policy toward encryption will differ from that of the Bush Administration? A: It indicates that we understand the importance of encryption technology in telecommunications and computing and are committed to working with industry and public-interest groups to find innovative ways to protect Americans' privacy, help businesses to compete, and ensure that law enforcement agencies have the tools they need to fight crime and terrorism. Q: Will the devices be exportable? Will other devices that use the government hardware? A: Voice encryption devices are subject to export control requirements. Case-by-case review for each export is required to ensure appropriate use of these devices. The same is true for other encryption devices. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. With this in mind, we expect export licenses will be granted on a case-by-case basis for U.S. companies seeking to use these devices to secure their own communications abroad. We plan to review the possibility of permitting wider exportability of these products. --------------end------------------------- From comp.society Mon Apr 19 15:23:47 1993 Path: utcsri!utnut!cs.utexas.edu!zaphod.mps.ohio-state.edu!howland.reston.ans.net!paladin.american.edu!auvm!socicom Organization: The American University - University Computing Center Date: Sat, 17 Apr 1993 20:45:37 EDT From: Message-ID: <93107.204537SOCICOM@auvm.american.edu> Newsgroups: comp.society Subject: Cryptography, Government, and Freedom Approved: socicom@auvm.american.edu 04/17/93 20:49:16 Sender: socicom@auvm.american.edu Lines: 74 [Moderator's note: the following offers one position in the ongoing debate concerning individual liberty, privacy, and governmental interests in the information age.] --------------------------- Original message --------------------------- ~Date: Fri, 16 Apr 1993 16:23:44 EST ~Reply-To: David Sobel ~Sender: Computer Professionals for Social Responsibility ~From: David Sobel Organization: CPSR Civil Liberties and Computing Project CPSR Crypto Statement ----------------------------------------------- April 16, 1993 Washington, DC COMPUTER PROFESSIONALS CALL FOR PUBLIC DEBATE ON NEW GOVERNMENT ENCRYPTION INITIATIVE Computer Professionals for Social Responsibility (CPSR) today called for the public disclosure of technical data underlying the government's newly-announced "Public Encryption Management" initiative. The new cryptography scheme was announced today by the White House and the National Institute for Standards and Technology (NIST), which will implement the technical specifications of the plan. A NIST spokesman acknowledged that the National Security Agency (NSA), the super- secret military intelligence agency, had actually developed the encryption technology around which the new initiative is built. According to NIST, the technical specifications and the Presidential directive establishing the plan are classified. To open the initiative to public review and debate, CPSR today filed a series of Freedom of Information Act (FOIA) requests with key agencies, including NSA, NIST, the National Security Council and the FBI for information relating to the encryption plan. The CPSR requests are in keeping with the spirit of the Computer Security Act, which Congress passed in 1987 in order to open the development of non-military computer security standards to public scrutiny and to limit NSA's role in the creation of such standards. CPSR previously has questioned the role of NSA in developing the so-called "digital signature standard" (DSS), a communications authentication technology that NIST proposed for government-wide use in 1991. After CPSR sued NIST in a FOIA lawsuit last year, the civilian agency disclosed for the first time that NSA had, in fact, developed that security standard. NSA is due to file papers in federal court next week justifying the classification of records concerning its creation of the DSS. David Sobel, CPSR Legal Counsel, called the administration's apparent commitment to the privacy of electronic communications, as reflected in today's official statement, "a step in the right direction." But he questioned the propriety of NSA's role in the process and the apparent secrecy that has thus far shielded the development process from public scrutiny. "At a time when we are moving towards the development of a new information infrastructure, it is vital that standards designed to protect personal privacy be established openly and with full public participation. It is not appropriate for NSA -- an agency with a long tradition of secrecy and opposition to effective civilian cryptography -- to play a leading role in the development process." CPSR is a national public-interest alliance of computer industry professionals dedicated to examining the impact of technology on society. CPSR has 21 chapters in the U.S. and maintains offices in Palo Alto, California, Cambridge, Massachusetts and Washington, DC. For additional information on CPSR, call (415) 322-3778 or e-mail . ====================================== From sci.crypt Wed Apr 21 12:51:49 1993 Path: utcsri!utnut!cs.utexas.edu!zaphod.mps.ohio-state.edu!howland.reston.ans.net!bogus.sura.net!darwin.sura.net!haven.umd.edu!uunet!think.com!enterpoop.mit.edu!senator-bedfellow.mit.edu!news.mit.edu!marc From: marc@mit.edu (Marc Horowitz N1NZU) Newsgroups: sci.crypt Subject: The source of that announcement Date: 18 Apr 1993 01:19:38 GMT Organization: Massachusetts Institute of Technology Lines: 38 Distribution: world Message-ID: NNTP-Posting-Host: oliver.mit.edu The message from the NIST about the clipper chip comes from the following address: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) Just who is that, I asked myself, or rather, I asked the computer. % telnet csrc.ncsl.nist.gov 25 Trying... Connected to csrc.ncsl.nist.gov. Escape character is '^]'. 220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT expn clipper 250- 250- 250- 250- 250- 250- 250- 250- 250- 250- 250- 250 quit 221 first.org closing connection Connection closed. Well, isn't that interesting. Dorothy Denning, Mitch Kapor, Marc Rotenberg, Ron Rivest, Jim Bidzos, and others. The Government, RSA, TIS, CPSR, and the EFF are all represented. I don't suppose anybody within any of these organizations would care to comment? Or is this just the White House's idea of a cruel joke on these peoples' inboxes? Marc -- Marc Horowitz N1NZU 617-253-7788 From sci.crypt Wed Apr 21 12:52:27 1993 Path: utcsri!utnut!cs.utexas.edu!uunet!enterpoop.mit.edu!senator-bedfellow.mit.edu!athena.mit.edu!wesommer From: wesommer@mit.edu (Bill Sommerfeld) Newsgroups: sci.crypt Subject: Re: The source of that announcement Date: 18 Apr 1993 03:15:36 GMT Organization: Massachusetts Institute of Technology Lines: 112 Distribution: world Message-ID: References: NNTP-Posting-Host: bill-the-cat.mit.edu In-reply-to: marc@mit.edu's message of 18 Apr 1993 01:19:38 GMT % telnet csrc.ncsl.nist.gov 25 Trying... Connected to csrc.ncsl.nist.gov. Escape character is '^]'. 220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT expn clipper 250- 250- 250- 250- 250- 250- 250- 250- 250- 250- 250- 250 quit 221 first.org closing connection Connection closed. Note also: % telnet csmes.ncsl.nist.gov 25 Trying 129.6.54.2... Connected to csmes.ncsl.nist.gov. Escape character is '^]'. 220 csmes.ncsl.nist.gov sendmail 4.1/NIST(rbj/dougm) ready at Sat, 17 Apr 93 23:08:58 EDT expn mgrsplus 250- 250-Irene Gilbert 250-Dennis Branstad 250-Robert Rosenthal 250-Gene Troy 250- 250-Dennis Steinauer 250 telnet mail-gw.ncsl.nist.gov 25 Trying 129.6.48.199... Connected to mail-gw.ncsl.nist.gov. Escape character is '^]'. 220 mail-gw.ncsl.nist.gov sendmail 4.1/rbj/jck-3 ready at Sat, 17 Apr 93 23:06:50 EDT expn csspab 250- 250- 250-Bill Colvin 250- 250-John Kuyers 250- 250- 250- 250- 250- 250- 250-Eddie Zeitler 250-Cris Castro 250 % telnet st1.ncsl.nist.gov 25 Trying 129.6.54.91... Connected to st1.ncsl.nist.gov. Escape character is '^]'. 220 st1.ncsl.nist.gov SEndMaIl 4.1/NBS-rbj.11 rEadY At Sat, 17 Apr 93 23:13:43 EDT expn smid 250 Miles Smid expn katzke 250 Stuart Katzke quit 221 st1.ncsl.nist.gov closing connection Connection closed by foreign host. % telnet ecf.ncsl.nist.gov 25 Trying 129.6.48.2... Connected to ecf.ncsl.nist.gov. Escape character is '^]'. 220 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service ready. expn burrows 250 Burrows, James expn mcnulty 250 McNulty, Lynn quit 221 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service complete. % whois -h rs.internic.net first.org National Institute of Standards and Technology (FIRST-DOM) 225/A216 NIST GAITHERSBURG, MD 20899 Domain Name: FIRST.ORG Administrative Contact: Wack, John P. (JPW18) WACK@ENH.NIST.GOV (301) 975-3411 (FTS) 879-3411 Technical Contact, Zone Contact: Hunt, Craig W. (CWH3) Hunt@ENH.NIST.GOV (301) 975-3827 (FTS) 879-3827 Record last updated on 17-Dec-91. Domain servers in listed order: DOVE.NIST.GOV 129.6.16.2 AMES.ARC.NASA.GOV 128.102.18.3 The InterNIC Registration Services Host ONLY contains Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information. -- From sci.crypt Wed Apr 21 12:55:47 1993 Newsgroups: sci.crypt,alt.privacy.clipper Path: utcsri!utnut!cs.utexas.edu!wupost!uwm.edu!linac!att!att!allegra!ulysses!ulysses!smb From: smb@research.att.com (Steven Bellovin) Subject: Clipper chip -- technical details Message-ID: <1993Apr18.200737.14815@ulysses.att.com> Date: Sun, 18 Apr 1993 20:07:37 GMT Organization: AT&T Bell Laboratories Lines: 121 I received the following two notes from Martin Hellman with details on how Clipper will work. They are posted with his permission. The implications of some details are fascinating. ------- ~Date: Sat, 17 Apr 93 23:05:23 PDT ~From: "Martin Hellman" To: (a long list of recipients) ~Subject: Clipper Chip Most of you have seen the announcement in Friday's NY Times, etc. about NIST (National Institute of Standards & Technology) announcing the "Clipper Chip" crypto device. Several messges on the net have asked for more technical details, and some have been laboring under understandable misunderstandings given the lack of details in the news articles. So here to help out is your friendly NSA link: me. I was somewhat surprised Friday to get a call from the Agency which supplied many of the missing details. I was told the info was public, so here it is (the cc of this to Dennis Branstad at NIST is mostly as a double check on my facts since I assume he is aware of all this; please let me know if I have anything wrong): The Clipper Chip will have a secret crypto algorithm embedded in Silicon. Each chip will have two secret, 80-bit keys. One will be the same for all chips (ie a system-wide key) and the other will be unit specific. I don't know what NIST and NSA will call them, but I will call them the system key SK and unit key UK in this message. The IC will be designed to be extremely difficult to reverse so that the system key can be kept secret. (Aside: It is clear that they also want to keep the algorithm secret and, in my opinion, it may be as much for that as this stated purpose.) The unit key will be generated as the XOR of two 80-bit random numbers K1 and K2 (UK=K1+K2) which will be kept by the two escrow authorities. Who these escrow authorities will be is still to be decided by the Attorney General, but it was stressed to me that they will NOT be NSA or law enforcement agencies, that they must be parties acceptable to the users of the system as unbiased. When a law enforcement agency gets a court order, they will present it to these two escrow authorities and receive K1 and K2, thereby allowing access to the unit key UK. In addition to the system key, each user will get to choose his or her own key and change it as often as desired. Call this key plain old K. When a message is to be sent it will first be encrypted under K, then K will be encrypted under the unit key UK, and the serial number of the unit added to produce a three part message which will then be encrypted under the system key SK producing E{ E[M; K], E[K; UK], serial number; SK} When a court order obtains K1 and K2, and thence K, the law enforcement agency will use SK to decrypt all information flowing on the suspected link [Aside: It is my guess that they may do this constantly on all links, with or without a court order, since it is almost impossible to tell which links over which a message will flow.] This gives the agency access to E[M; K], E[K; UK], serial number in the above message. They then check the serial number of the unit and see if it is on the "watch list" for which they have a court order. If so, they will decrypt E[K; UK] to obtain K, and then decrypt E[M; K] to obtain M. I am still in the process of assessing this scheme, so please do not take the above as any kind of endorsement of the proposed scheme. All I am trying to do is help all of us assess the scheme more knowledgably. But I will say that the need for just one court order worries me. I would feel more comfortable (though not necessarily comfortable!) if two separate court orders were needed, one per escrow authority. While no explanation is needed, the following story adds some color: In researching some ideas that Silvio Micali and I have been kicking around, I spoke with Gerald Gunther, the constitutional law expert here at Stanford and he related the following story: When Edward Levi became Pres. Ford's attorney general (right after Watergate), he was visited by an FBI agent asking for "the wiretap authorizations." When Levy asked for the details so he could review the cases as required by law, the agent told him that his predecessors just turned over 40-50 blank, signed forms every time. Levi did not comply and changed the system, but the lesson is clear: No single person or authority should have the power to authorize wiretaps (or worse yet, divulging of personal keys). Sometimes he or she will be an Edward Levi and sometimes a John Mitchell. Martin Hellman ---- ~Date: Sun, 18 Apr 93 11:41:42 PDT ~From: "Martin Hellman" To: smb@research.att.com ~Subject: Re: Clipper Chip It is fine to post my previous message to sci.crypt if you also post this message with it in which: 1. I ask recipients to be sparse in their requesting further info from me or asking for comments on specific questions. By this posting I apologize for any messages I am unable to respond to. (I already spend too much time answering too much e-mail and am particularly overloaded this week with other responsibilities.) 2. I note a probably correction sent to me by Dorothy Denning. She met with the person from NSA that I talked with by phone, so her understanding is likely to better than mine on this point: Where I said the transmitted info is E{ E[M; K], E[K; UK], serial number; SK} she says the message is not double encrypted. The system key (or family key as she was told it is called) only encrypts the serial number or the serial number and the encrypted unit key. This is not a major difference, but I thought it should be mentioned and thank her for bringing it to my attention. It makes more sense since it cuts down on encryption computation overhead. From sci.crypt Wed Apr 21 13:03:01 1993 Xref: utcsri sci.crypt:15271 alt.privacy.clipper:3 Newsgroups: sci.crypt,alt.privacy.clipper Path: utcsri!utnut!cs.utexas.edu!wupost!uwm.edu!linac!att!att!allegra!ulysses!ulysses!smb From: smb@research.att.com (Steven Bellovin) Subject: More technical details Message-ID: <1993Apr19.134346.2620@ulysses.att.com> Date: Mon, 19 Apr 1993 13:43:46 GMT Organization: AT&T Bell Laboratories Lines: 116 Here are some corrections and additions to Hellman's note, courtesy of Dorothy Denning. Again, this is reposted with permission. Two requests -- first, note the roles of S1 and S2. It appears to me and others that anyone who knows those values can construct the unit key. And the nature of the generation process for K1 and K2 is such that neither can be produced alone. Thus, the scheme cannot be implemented such that one repository generates the first half-key, and another generates the second. *That* is ominous. Second -- these postings are not revealed scripture, nor are they carefully-crafted spook postings. Don't attempt to draw out hidden meanings (as opposed to, say, the official announcements of Clipper). Leave Denning out of this; given Hellman's record of opposition to DES, which goes back before some folks on this newsgroup knew how to read, I don't think you can impugn his integrity. Oh yeah -- the folks who invented Clipper aren't stupid. If you think something doesn't make sense, it's almost certainly because you don't understand their goals. --Steve Bellovin ----- ~Date: Sun, 18 Apr 93 07:56:39 EDT ~From: denning@cs.georgetown.edu (Dorothy Denning) ~Subject: Re: Clipper Chip To: (a long list of folks) I was also briefed by the NSA and FBI, so let me add a few comments to Marty's message: The Clipper Chip will have a secret crypto algorithm embedded in The algorithm operates on 64-bit blocks (like DES) and the chip supports all 4 DES modes of operation. The algorithm uses 32 rounds of scrambling compared with 16 in DES. In addition to the system key, each user will get to choose his or her own key and change it as often as desired. Call this key plain old K. When a message is to be sent it will first be K is the session key shared by the sender and receiver. Any method (e.g., public key) can be used to establish the session key. In the AT&T telephone security devices, which will have the new chip, the key is negotiated using a public-key protocol. encrypted under K, then K will be encrypted under the unit key UK, and the serial number of the unit added to produce a three part message which will then be encrypted under the system key SK producing E{ E[M; K], E[K; UK], serial number; SK} My understanding is that E[M; K] is not encrypted under SK (called the "family key") and that the decrypt key corresponding to SK is held by law enforcement. Does anyone have first hand knowledge on this? I will also check it out, but this is 7am Sunday so I did not want to wait. The unit key will be generated as the XOR of two 80-bit random numbers K1 and K2 (UK=K1+K2) which will be kept by the two escrow The unit key, also called the "chip key," is generated from the serial number N as follows. Let N1, N2, and N3 be 64 bit blocks derived from N, and let S1 and S2 be two 80-bit seeds used as keys. Compute the 64-bit block R1 = E[D[E[N1; S1]; S2]; S1] (Note that this is like using the DES in triple encryption mode with two keys.) Similarly compute blocks R2 and R3 starting with N2 and N3. (I'm unlear about whether the keys S1 and S2 change. The fact that they're called seeds suggests they might.) Then R1, R2, and R3 are concatenated together giving 192 bits. The first 80 bits form K1 and the next 80 bits form K2. The remaining bits are discarded. authorities. Who these escrow authorities will be is still to be decided by the Attorney General, but it was stressed to me that they will NOT be NSA or law enforcement agencies, that they must be parties acceptable to the users of the system as unbiased. Marty is right on this and the FBI has asked me for suggestions. Please pass them to me along with your reasons. In addition to Marty's criteria, I would add that the agencies must have an established record of being able to safeguard highly sensitive information. Some suggestions I've received so far include SRI, Rand, Mitre, the national labs (Sandia, LANL, Los Alamos), Treasury, GAO. When a court order obtains K1 and K2, and thence K, the law enforcement agency will use SK to decrypt all information flowing on the suspected link [Aside: It is my guess that they may do this constantly on all links, with or without a court order, since it is almost impossible to tell which links over which a message will flow.] My understanding is that there will be only one decode box and that it will be operated by the FBI. The service provider will isolate the communications stream and pass it to the FBI where it will pass through the decode box, which will have been keyed with K. for "the wiretap authorizations." When Levy asked for the details so he could review the cases as required by law, the agent told him that his predecessors just turned over 40-50 blank, signed forms every time. Levi did not comply and changed the system, but the lesson is clear: No single person or authority should have the power to authorize wiretaps No single person does, at least for FBI taps. After completing a mound of paperwork, an agent must get the approval of several people on a chain that includes FBI legal counsel before the request is even taken to the Attorney General for final approval. Dorothy Denning From sci.crypt Wed Apr 21 13:12:48 1993 Xref: utcsri sci.crypt:15287 alt.privacy.clipper:5 Newsgroups: sci.crypt,alt.privacy.clipper Path: utcsri!utnut!cs.utexas.edu!zaphod.mps.ohio-state.edu!howland.reston.ans.net!noc.near.net!uunet!mcsun!chsun!bernina!caronni From: caronni@nessie.cs.id.ethz.ch (Germano Caronni) Subject: Re: More technical details Message-ID: <1993Apr19.162936.7517@bernina.ethz.ch> Sender: news@bernina.ethz.ch (USENET News System) Organization: Swiss Federal Institute of Technology (ETH), Zurich, CH References: <1993Apr19.134346.2620@ulysses.att.com> Date: Mon, 19 Apr 1993 16:29:36 GMT Lines: 107 In article <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes: >Here are some corrections and additions to Hellman's note, courtesy of >Dorothy Denning. Again, this is reposted with permission. > >Two requests -- first, note the roles of S1 and S2. It appears to me >and others that anyone who knows those values can construct the unit >key. And the nature of the generation process for K1 and K2 is such >that neither can be produced alone. Thus, the scheme cannot be >implemented such that one repository generates the first half-key, and >another generates the second. *That* is ominous. > >Second -- these postings are not revealed scripture, nor are they >carefully-crafted spook postings. Don't attempt to draw out hidden >meanings (as opposed to, say, the official announcements of Clipper). >Leave Denning out of this; given Hellman's record of opposition to DES, >which goes back before some folks on this newsgroup knew how to read, I >don't think you can impugn his integrity. > >Oh yeah -- the folks who invented Clipper aren't stupid. If you think >something doesn't make sense, it's almost certainly because you don't >understand their goals. > This is an addition (posted with permission) to some tech. details of cliper. They enligthen ??? the use of S1 and S2 for keygeneration. ------------------------------------------- ~Date: Mon, 19 Apr 93 08:51:57 EDT ~From: denning@cs.cosc.georgetown.edu (Dorothy Denning) ~Subject: Re: Clipper Chip I just had another conversation with NSA to clarify some of the features of Clipper. Please feel free to distribute this and my other messages on Clipper. The name of the encryption algorithm is "Skipjack." Martin Hellman had written and the serial number of the unit added to produce a three part message which will then be encrypted under the system key SK producing E{ E[M; K], E[K; UK], serial number; SK} To which I responded: My understanding is that E[M; K] is not encrypted under SK (called the "family key") and that the decrypt key corresponding to SK is held by law enforcement. Does anyone have first hand knowledge on this? I was correct in that E[M; K] is not encrypted under SK. However, Skipjack being a single-key system, there is, of course, not a separate decrypt key for the family key SK. The unit key, also called the "chip key," is generated from the serial number N as follows. Let N1, N2, and N3 be 64 bit blocks derived from N, and let S1 and S2 be two 80-bit seeds used as keys. Compute the 64-bit block R1 = E[D[E[N1; S1]; S2]; S1] (Note that this is like using the DES in triple encryption mode with two keys.) Similarly compute blocks R2 and R3 starting with N2 and N3. (I'm unlear about whether the keys S1 and S2 change. The fact that they're called seeds suggests they might.) Then R1, R2, and R3 are concatenated together giving 192 bits. The first 80 bits form K1 and the next 80 bits form K2. The remaining bits are discarded. The seeds S1 and S2 do not change. The whole process is performed on a laptop computer, and S1 and S2 are supplied by two independent people so that no one person knows both. The same S1 and S2 are used during an entire "programming session" to generate keys for a stream of serial numbers. Everything is discarded at the end (the computer could be thrown out if desired). The serial number is 30 bits and the values N1, N2, and N3 are formed by padding the serial number with fixed 34-bit blocks (separate padding for each value). The resulting keys K1 and K2 are output onto separate floppy disks, paired up with their serial number. Each pair is stored in a separate file. The floppy disks are taken away by two separate people on behalf of the two escrow agencies. Dorothy Denning denning@cs.georgetown.edu -------------------------------------------------------- I am sure more technical detail will be known when time goes by. Please remark, that in posting this, I do not automatically agree with it's contents and implications. So don't swamp my mailbox :-) I just think this is an valuable addition to the less than technical discussion that is rising here. And, no, I don't mind if you call S1 and S2 'backdoor', as I could imagine the key-generation process working without these seeds and the dependency of K1,K2 from the Serial-Number. Friendly greetings, Germano Caronni -- Instruments register only through things they're designed to register. Space still contains infinite unknowns. PGP-Key-ID:341027 Germano Caronni caronni@nessie.cs.id.ethz.ch FD560CCF586F3DA747EA3C94DD01720F From sci.crypt Wed Apr 21 13:17:08 1993 Path: utcsri!utnut!cs.utexas.edu!zaphod.mps.ohio-state.edu!darwin.sura.net!guvax.acc.georgetown.edu!denning From: denning@guvax.acc.georgetown.edu Newsgroups: sci.crypt Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY Message-ID: <1993Apr19.182327.3420@guvax.acc.georgetown.edu> Date: 19 Apr 93 18:23:27 -0400 Distribution: world Organization: Georgetown University Lines: 139 The following document summarizes the Clipper Chip, how it is used, how programming of the chip is coupled to key generation and the escrow process, and how law enforcement decrypts communications. Since there has been some speculation on this news group about my own involvement in this project, I'd like to add that I was not in any way involved. I found out about it when the FBI briefed me on Thursday evening, April 15. Since then I have spent considerable time talking with the NSA and FBI to learn more about this, and I attended the NIST briefing at the Department of Commerce on April 16. The document below is the result of that effort. Dorothy Denning --------------- THE CLIPPER CHIP: A TECHNICAL SUMMARY Dorothy Denning April 19, 1993 INTRODUCTION On April 16, the President announced a new initiative that will bring together the Federal Government and industry in a voluntary program to provide secure communications while meeting the legitimate needs of law enforcement. At the heart of the plan is a new tamper-proof encryption chip called the "Clipper Chip" together with a split-key approach to escrowing keys. Two escrow agencies are used, and the key parts from both are needed to reconstruct a key. CHIP STRUCTURE The Clipper Chip contains a classified 64-bit block encryption algorithm called "Skipjack." The algorithm uses 80 bit keys (compared with 56 for the DES) and has 32 rounds of scrambling (compared with 16 for the DES). It supports all 4 DES modes of operation. Throughput is 16 Mbits a second. Each chip includes the following components: the Skipjack encryption algorithm F, an 80-bit family key that is common to all chips N, a 30-bit serial number U, an 80-bit secret key that unlocks all messages encrypted with the chip ENCRYPTING WITH THE CHIP To see how the chip is used, imagine that it is embedded in the AT&T telephone security device (as it will be). Suppose I call someone and we both have such a device. After pushing a button to start a secure conversation, my security device will negotiate a session key K with the device at the other end (in general, any method of key exchange can be used). The key K and message stream M (i.e., digitized voice) are then fed into the Clipper Chip to produce two values: E[M; K], the encrypted message stream, and E[E[K; U] + N; F], a law enforcement block. The law enforcement block thus contains the session key K encrypted under the unit key U concatenated with the serial number N, all encrypted under the family key F. CHIP PROGRAMMING AND ESCROW All Clipper Chips are programmed inside a SCIF (secure computer information facility), which is essentially a vault. The SCIF contains a laptop computer and equipment to program the chips. About 300 chips are programmed during a single session. The SCIF is located at Mikotronx. At the beginning of a session, a trusted agent from each of the two key escrow agencies enters the vault. Agent 1 enters an 80-bit value S1 into the laptop and agent 2 enters an 80-bit value S2. These values serve as seeds to generate keys for a sequence of serial numbers. To generate the unit key for a serial number N, the 30-bit value N is first padded with a fixed 34-bit block to produce a 64-bit block N1. S1 and S2 are then used as keys to triple-encrypt N1, producing a 64-bit block R1: R1 = E[D[E[N1; S1]; S2]; S1] . Similarly, N is padded with two other 34-bit blocks to produce N2 and N3, and two additional 64-bit blocks R2 and R3 are computed: R2 = E[D[E[N2; S1]; S2]; S1] R3 = E[D[E[N3; S1]; S2]; S1] . R1, R2, and R3 are then concatenated together, giving 192 bits. The first 80 bits are assigned to U1 and the second 80 bits to U2. The rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2 are the key parts that are separately escrowed with the two escrow agencies. As a sequence of values for U1, U2, and U are generated, they are written onto three separate floppy disks. The first disk contains a file for each serial number that contains the corresponding key part U1. The second disk is similar but contains the U2 values. The third disk contains the unit keys U. Agent 1 takes the first disk and agent 2 takes the second disk. The third disk is used to program the chips. After the chips are programmed, all information is discarded from the vault and the agents leave. The laptop may be destroyed for additional assurance that no information is left behind. The protocol may be changed slightly so that four people are in the room instead of two. The first two would provide the seeds S1 and S2, and the second two (the escrow agents) would take the disks back to the escrow agencies. The escrow agencies have as yet to be determined, but they will not be the NSA, CIA, FBI, or any other law enforcement agency. One or both may be independent from the government. LAW ENFORCEMENT USE When law enforcement has been authorized to tap an encrypted line, they will first take the warrant to the service provider in order to get access to the communications line. Let us assume that the tap is in place and that they have determined that the line is encrypted with Clipper. They will first decrypt the law enforcement block with the family key F. This gives them E[K; U] + N. They will then take a warrant identifying the chip serial number N to each of the key escrow agents and get back U1 and U2. U1 and U2 are XORed together to produce the unit key U, and E[K; U] is decrypted to get the session key K. Finally the message stream is decrypted. All this will be accomplished through a special black box decoder operated by the FBI. ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. All information is based on information provided by NSA, NIST, and the FBI. Permission to distribute this document is granted. From sci.crypt Wed Apr 21 13:20:47 1993 Path: utcsri!utnut!cs.utexas.edu!uunet!pipex!demon!gtoal.com!gtoal Newsgroups: sci.crypt From: gtoal@gtoal.com (Graham Toal) Subject: Re: Facinating facts: 30 bit serial number, possibly fixed S1 and S2 Date: Mon, 19 Apr 1993 15:25:20 +0000 Message-ID: <9304191525.AA14273@pizzabox.demon.co.uk> Sender: usenet@demon.co.uk Lines: 20 From: pmetzger@snark.shearson.com (Perry E. Metzger) denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes: Each chip includes the following components: the Skipjack encryption algorithm F, an 80-bit family key that is common to all chips N, a 30-bit serial number U, an 80-bit secret key that unlocks all messages encrypted with the chip Hmmm. A thirty bit serial number. And, we are told, the unit key U is derived deterministically from this serial number. That means that there are only one billion possible unit keys. Oh hell, it's *much* worse than that. You think they'll ever make more than a million of them? Serial numbers aren't handed out at random you know, they start at 1 and work up... Call it a 20 bit space maybe. G From sci.crypt Wed Apr 21 13:22:13 1993 Newsgroups: sci.crypt Path: utcsri!utnut!cs.utexas.edu!sdd.hp.com!usc!howland.reston.ans.net!bogus.sura.net!udel!news.intercon.com!psinntp!shearson.com!newshost!pmetzger From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Facinating facts: 30 bit serial number, possibly fixed S1 and S2 In-Reply-To: denning@guvax.acc.georgetown.edu's message of 19 Apr 93 18:23:27 -0400 Message-ID: Sender: news@shearson.com (News) Reply-To: pmetzger@lehman.com Organization: Lehman Brothers References: <1993Apr19.182327.3420@guvax.acc.georgetown.edu> Date: Tue, 20 Apr 1993 11:54:02 GMT Lines: 102 denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes: Each chip includes the following components: the Skipjack encryption algorithm F, an 80-bit family key that is common to all chips N, a 30-bit serial number U, an 80-bit secret key that unlocks all messages encrypted with the chip Hmmm. A thirty bit serial number. And, we are told, the unit key U is derived deterministically from this serial number. That means that there are only one billion possible unit keys. To generate the unit key for a serial number N, the 30-bit value N is first padded with a fixed 34-bit block to produce a 64-bit block N1. S1 and S2 are then used as keys to triple-encrypt N1, producing a 64-bit block R1: R1 = E[D[E[N1; S1]; S2]; S1] . Similarly, N is padded with two other 34-bit blocks to produce N2 and N3, and two additional 64-bit blocks R2 and R3 are computed: R2 = E[D[E[N2; S1]; S2]; S1] R3 = E[D[E[N3; S1]; S2]; S1] . R1, R2, and R3 are then concatenated together, giving 192 bits. The first 80 bits are assigned to U1 and the second 80 bits to U2. The rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2 are the key parts that are separately escrowed with the two escrow agencies. Hmmm. We must assume that generating the unit key U from the serial number N rather than generating it from a randomly selected U1 and U2 is an intentional way of assuring a "fail safe" for the government -- U is completedly determined given S1, S2 and N. If S1 and S2 do not change they constitute effective "master keys" (along with F), the theft of which (or the possession of which by various authorities) completely obviates the security of the system. However, more interestingly, we know, for a fact that if S1 and S2 are fixed no matter what the keyspace for U is no more than 2^30. Why not pick U1 and U2 at random? Why this interesting restriction of they key space if it NOT to provide an additional back door? I find it disturbing that at the very best my security is dependant on approximately 30 bytes worth of information that could be written on the back of a napkin. Even if S1 and S2 change periodically, the rationale behind this restriction in the size of the keyspace seems strange if one is assuming that the goal is security -- and makes perfect sense if the goal is an illusion of security. If S1 and S2 do not change, even if they remain secret I wonder if they can somehow be back-derived given enough unit key/serial number pairs. We are assured that this cannot happen -- but no one understands how Skipjack works outside of government officials and, soon, foreign intelligence services that gain the information via espionage. Presumably we will eventually have the information as well -- reverse engineering gets more and more advanced every year -- but by the time we know it may be too late. As a sequence of values for U1, U2, and U are generated, they are written onto three separate floppy disks. The first disk contains a file for each serial number that contains the corresponding key part U1. The second disk is similar but contains the U2 values. The third disk contains the unit keys U. Agent 1 takes the first disk and agent 2 takes the second disk. The third disk is used to program the chips. After the chips are programmed, all information is discarded from the vault and the agents leave. The laptop may be destroyed for additional assurance that no information is left behind. None of this makes me feel the least bit secure. The silly notion of "destroying the laptop" appears to be yet another bizarre distraction. We all know that you can't read data from DRAM that has been turned off for more than a few moments. On the other hand, what we don't know is why there is a need to generate the unit keys from S1 and S2 in the first place other than to weaken the system. We don't know if the agents in question would resist a million in cash a piece for their information -- its probably worth hundreds of million, so you can make the bribe arbitrarily hard to resist. And to tell you the truth, doing this in a "vault" rather than in Joe Random Tempest-shielded Room with a laptop computer seems like melodrama designed to make high-school dropouts from Peoria impressed -- but it does very little for most of the rest of us. The protocol may be changed slightly so that four people are in the room instead of two. The first two would provide the seeds S1 and S2, and the second two (the escrow agents) would take the disks back to the escrow agencies. What would this provide? Lets say the escrow agencies are the ACLU and the NRA and their agents personally take back the disks and are always honest. Who cares? The NSA must be laughing out loud, because they have the algorithm to regenerate U given N and likely don't need to steal they keys as they effectively already have them. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. From alt.security.pgp Wed Apr 21 17:48:48 1993 Path: utcsri!utnut!torn!howland.reston.ans.net!bogus.sura.net!darwin.sura.net!haven.umd.edu!uunet!pipex!uknet!acorn!eoe!ahaley From: ahaley@eoe.co.uk (Andrew Haley) Newsgroups: alt.security.pgp Subject: Re: PGP, the end is near? Message-ID: <1674@eouk5.eoe.co.uk> Date: 21 Apr 93 16:36:42 GMT References: Organization: EO Europe Limited, Cambridge, UK Lines: 97 X-Newsreader: TIN [version 1.1 PL8] Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote: : uri@watson.ibm.com (Uri Blumenthal) writes: : > Well, it's certainly well known HOW the S-boxes were designed. : > It was in the open from the beginning. What's still hidden is : > WHY they were designed this way... : Well, maybe that's a quirk in my English, but I meant that it is known : why probably they have been designed this way (to withstand : differential cryptanalysis), but it is not known how they have been : designed (i.e., what criteria exactly have been used). In the interests of accurate information, I repeat the following, which has been transmitted on the net several times before. This is about the best information you will get about the design of the DES: : From: kempf@rhrk.uni-kl.de (Markus Kempf [Physik]) : Newsgroups: sci.crypt : Subject: DES designed to withstand differential cryptanalysis : Summary: It was known in 1974 : Keywords: DES, cryptanalysis : Message-ID: <1992Mar23.171311.4134@rhrk.uni-kl.de> : Date: 23 Mar 92 17:13:11 GMT : Organization: University of Kaiserslautern, Germany : Lines: 69 : : The following statement appeared in an IBM Internal newsgroup (CRYPTAN FORUM) : and is reproduced here with the approval of the author. : ----------------------------------------------------------------------------- : : Subject: DES and differential cryptanalysis : : We have kept quiet about the following for 18 years, : and decided it's time to break the silence. : : We (IBM crypto group) knew about differential cryptanalysis in 1974. : This is why DES stood up to this line of attack; we designed the : S-boxes and the permutation in such a way as to defeat it. : : (The following assumes some knowledge of DES and the Biham-Shamir : attack. "delta" is the difference between two intermediate messages.) : : The fact that a 1-bit input delta leads to at least a 2-bit output : delta (and that an input delta of 001100 also leads to at least a : 2-bit output delta) helps to insure that any pattern is going to : involve a large number of S-boxes over the course of 16 rounds. The : fact that an input delta of 11xx00 (xx are "don't care") must lead to : a nonzero output delta, insures that any input delta for the entire : round which can lead to an output delta of 0 for the whole round, must : involve at least three S-boxes. Couple this with the demand that any : nonzero input delta to a single S-box gives rise to a particular : output delta with probability at most 1/4, and with somewhat reduced : probabilities for the deltas that can give rise to 3-box attacks such : as '19600000', and you have a defense against differential : cryptanalysis. : : During the summer of 1974 we kept coming up with different classes : of patterns that might be used against the DES (whose design was : still fluid at that point), and part of my job (I was working here : that summer) was in designing criteria for the S-boxes and the : permutation that would insure that no such pattern could have too : large a probability of success. : : By contrast, the designers of FEAL obviously did not know about : this class of attacks. It is a pity that the FEAL fell prey to : these attacks, because it apparently acted as a catalyst for the : rediscovery of the attacks by the outside world. : : I don't recall (and the documentation that survives from that era : doesn't help) whether at that time we knew the trick of sending a : block of messages to get past the first round. We certainly knew : it later, and were applying it (privately) to FEAL and a couple of : others. : : My contention is that, even though (2^47) < (2^56), still : (2^47 chosen plaintext) is *more* than (2^56 on my own machine), : and (2^47 chosen plaintext) is not a practical threat. : I say this not to belittle the Biham-Shamir work (which was very well : executed) but to assert that what we have created (DES) is still viable. : : We kept quiet about this for all these years because we knew that : differential cryptanalysis was such a potent form of cryptanalysis, : and we wished to avoid its discovery and use (either for designing : or for attacking) on the outside. Now the techniques are known, : and we felt it is time to tell our side of the story. : : Don Coppersmith : ----------------------------------------------------------------------------- : : : -- : _______________________________________________________________________________ : | Markus Kempf, Department of Physics/SAGA e.V., University of Kaiserslautern | : | Germany, kempf@rhrk.uni-kl.de | : |-----------------------------------------------------------------------------| : : From comp.risks Wed Apr 21 20:46:33 1993 Date: Mon, 19 Apr 93 9:21:53 EDT [RISKS-14.51] From: Clipper Chip Announcement Organization: FIRST, The Forum of Incident Response & Security Teams Subject: Slide presented at White House briefing on Clipper Chip Note: The following material was handed out a press briefing on the Clipper Chip on 4/16. Chip Operation Microchip User's Message +----------------------+ ------------------> | | 1. Message encrypted | Encryption Algorithm | with user's key | | | Serial # | 2. User's key encrypted | |--> with chip unique key | Chip Unique Key | User's Encryption | | 3. Serial # encrypted Key | Chip Family Key | with chip family key ------------------> | | | | +----------------------+ For Law Enforcement to Read a Suspect's Message 1. Need to obtain court authorized warrant to tap the suspect's telephone. 2. Record encrypted message 3. Use chip family key to decrypt chip serial number 4. Take this serial number *and* court order to custodians of disks A and B 5. Add the A and B components for that serial number = the chip unique key for the suspect user 6. Use this key to decrypt the user's message key for this recorded message 7. Finally, use this message key to decrypt the recorded message. From sci.crypt Wed Apr 21 20:50:15 1993 Path: utcsri!utnut!cs.utexas.edu!swrinde!gatech!howland.reston.ans.net!bogus.sura.net!darwin.sura.net!guvax.acc.georgetown.edu!denning From: denning@guvax.acc.georgetown.edu Newsgroups: sci.crypt Subject: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP Message-ID: <1993Apr21.192615.3465@guvax.acc.georgetown.edu> Date: 21 Apr 93 19:26:15 -0400 Distribution: world Organization: Georgetown University Lines: 167 Here is a revised version of my summary which corrects some errors and provides some additional information and explanation. THE CLIPPER CHIP: A TECHNICAL SUMMARY Dorothy Denning Revised, April 21, 1993 INTRODUCTION On April 16, the President announced a new initiative that will bring together the Federal Government and industry in a voluntary program to provide secure communications while meeting the legitimate needs of law enforcement. At the heart of the plan is a new tamper-proof encryption chip called the "Clipper Chip" together with a split-key approach to escrowing keys. Two escrow agencies are used, and the key parts from both are needed to reconstruct a key. CHIP CONTENTS The Clipper Chip contains a classified single-key 64-bit block encryption algorithm called "Skipjack." The algorithm uses 80 bit keys (compared with 56 for the DES) and has 32 rounds of scrambling (compared with 16 for the DES). It supports all 4 DES modes of operation. The algorithm takes 32 clock ticks, and in Electronic Codebook (ECB) mode runs at 12 Mbits per second. Each chip includes the following components: the Skipjack encryption algorithm F, an 80-bit family key that is common to all chips N, a 30-bit serial number (this length is subject to change) U, an 80-bit secret key that unlocks all messages encrypted with the chip The chips are programmed by Mykotronx, Inc., which calls them the "MYK-78." The silicon is supplied by VLSI Technology Inc. They are implemented in 1 micron technology and will initially sell for about $30 each in quantities of 10,000 or more. The price should drop as the technology is shrunk to .8 micron. ENCRYPTING WITH THE CHIP To see how the chip is used, imagine that it is embedded in the AT&T telephone security device (as it will be). Suppose I call someone and we both have such a device. After pushing a button to start a secure conversation, my security device will negotiate an 80-bit session key K with the device at the other end. This key negotiation takes place without the Clipper Chip. In general, any method of key exchange can be used such as the Diffie-Hellman public-key distribution method. Once the session key K is established, the Clipper Chip is used to encrypt the conversation or message stream M (digitized voice). The telephone security device feeds K and M into the chip to produce two values: E[M; K], the encrypted message stream, and E[E[K; U] + N; F], a law enforcement field , which are transmitted over the telephone line. The law enforcement field thus contains the session key K encrypted under the unit key U concatenated with the serial number N, all encrypted under the family key F. The law enforcement field is decrypted by law enforcement after an authorized wiretap has been installed. The ciphertext E[M; K] is decrypted by the receiver's device using the session key: D[E[M; K]; K] = M . CHIP PROGRAMMING AND ESCROW All Clipper Chips are programmed inside a SCIF (Secure Compartmented Information Facility), which is essentially a vault. The SCIF contains a laptop computer and equipment to program the chips. About 300 chips are programmed during a single session. The SCIF is located at Mykotronx. At the beginning of a session, a trusted agent from each of the two key escrow agencies enters the vault. Agent 1 enters a secret, random 80-bit value S1 into the laptop and agent 2 enters a secret, random 80-bit value S2. These random values serve as seeds to generate unit keys for a sequence of serial numbers. Thus, the unit keys are a function of 160 secret, random bits, where each agent knows only 80. To generate the unit key for a serial number N, the 30-bit value N is first padded with a fixed 34-bit block to produce a 64-bit block N1. S1 and S2 are then used as keys to triple-encrypt N1, producing a 64-bit block R1: R1 = E[D[E[N1; S1]; S2]; S1] . Similarly, N is padded with two other 34-bit blocks to produce N2 and N3, and two additional 64-bit blocks R2 and R3 are computed: R2 = E[D[E[N2; S1]; S2]; S1] R3 = E[D[E[N3; S1]; S2]; S1] . R1, R2, and R3 are then concatenated together, giving 192 bits. The first 80 bits are assigned to U1 and the second 80 bits to U2. The rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2 are the key parts that are separately escrowed with the two escrow agencies. As a sequence of values for U1, U2, and U are generated, they are written onto three separate floppy disks. The first disk contains a file for each serial number that contains the corresponding key part U1. The second disk is similar but contains the U2 values. The third disk contains the unit keys U. Agent 1 takes the first disk and agent 2 takes the second disk. Thus each agent walks away knowing an 80-bit seed and the 80-bit key parts. However, the agent does not know the other 80 bits used to generate the keys or the other 80-bit key parts. The third disk is used to program the chips. After the chips are programmed, all information is discarded from the vault and the agents leave. The laptop may be destroyed for additional assurance that no information is left behind. The protocol may be changed slightly so that four people are in the room instead of two. The first two would provide the seeds S1 and S2, and the second two (the escrow agents) would take the disks back to the escrow agencies. The escrow agencies have as yet to be determined, but they will not be the NSA, CIA, FBI, or any other law enforcement agency. One or both may be independent from the government. LAW ENFORCEMENT USE When law enforcement has been authorized to tap an encrypted line, they will first take the warrant to the service provider in order to get access to the communications line. Let us assume that the tap is in place and that they have determined that the line is encrypted with the Clipper Chip. The law enforcement field is first decrypted with the family key F, giving E[K; U] + N. Documentation certifying that a tap has been authorized for the party associated with serial number N is then sent (e.g., via secure FAX) to each of the key escrow agents, who return (e.g., also via secure FAX) U1 and U2. U1 and U2 are XORed together to produce the unit key U, and E[K; U] is decrypted to get the session key K. Finally the message stream is decrypted. All this will be accomplished through a special black box decoder. CAPSTONE: THE NEXT GENERATION A successor to the Clipper Chip, called "Capstone" by the government and "MYK-80" by Mykotronx, has already been developed. It will include the Skipjack algorithm, the Digital Signature Standard (DSS), the Secure Hash Algorithm (SHA), a method of key exchange, a fast exponentiator, and a randomizer. A prototoype will be available for testing on April 22, and the chips are expected to be ready for delivery in June or July. ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. This article is based on information provided by NSA, NIST, FBI, and Mykotronx. Permission to distribute this document is granted. From comp.risks Wed Apr 21 21:11:26 1993 Date: Tue, 20 Apr 1993 14:23:39 -0400 From: Peter Wayner Subject: Clipped Wings-- The Economic Impediment to the Clipper Chip... If all of the privacy concerns about the Clipper chip magically disappeared, the chip will still encounter widespread economic resistance. Why? Because almost everything can be done cheaper in software and the secrecy surrounding the algorithm effectively prohibits software implementations. Why would a computer designer add a high-speed encryption chip to the machine? Even if the chips cost about $25 in large quantities, they could still add about $100 to the final cost after everyone takes their markups. The computer designer must ask whether people are willing to spend extra to buy a box when the clone manufacturer in the garage down the street isn't going to be putting one in. Adding encryption in software is a different proposition. There is a one-time cost of engineering and a small extra cost for increased support. Once the code is written, the manufacturing costs do not increase. Also, software can retrofit machines for no extra cost and add widespread compatibility after the update is finished. This is why Novell, Apple and Microsoft choose to add encryption software in their latest rev of the system software. It is not even clear that the standard has much of a chance in the phone system. DSP chips and digital designs are becoming more and more part of cellular standards. Why pay extra for another chip if it can be done in the DSP? Weight and power consumption are important considerations for these applications. I'm sure that the algorithm designers and NSA committee considered the RISKS of exposing the algorithm. Scrutiny weakens the code because it makes it easier for people to attack the system. It is obvious that the committee tried to consider some of the economic RISKS involved in promulgating a "Big Brother" standard. That is why they arranged for the chips to be presented as a fait accompli as part of AT&T's latest phones. But they face an uphill battle against the forces of economics. --Peter Wayner From sci.crypt Thu Apr 22 07:33:02 1993 Newsgroups: sci.crypt Path: utcsri!utnut!torn!howland.reston.ans.net!europa.eng.gtefsd.com!news.ans.net!cmcl2!panix!habs From: habs@panix.com (Harry Shapiro) Subject: Re: The [secret] source of that announcement Message-ID: Organization: PANIX Public Access Unix, NYC References: <1r1om5$c5m@slab.mtholyoke.edu> Date: Wed, 21 Apr 1993 23:34:07 GMT Lines: 65 In <1r1om5$c5m@slab.mtholyoke.edu> jbotz@mtholyoke.edu (Jurgen Botz) writes: >Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer >recognizes the 'expn' and 'vrfy' commands... > telnet csrc.ncsl.nist.gov smtp > Trying 129.6.54.11... > Connected to csrc.ncsl.nist.gov. > Escape character is '^]'. > 220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT > expn clipper > 500 Command unrecognized >Seems like sombody didn't like your snooping around, Marc. Then it is a good thing we already have this: The csspub mailing list: csspab@mail-gw.ncsl.nist.gov, and address on the clipper mailing list, seems to contain basically the members of the NIST security board. In addition to the names already posted, their true names are as follows: burrows@ecf = James Burrows a director of NIST's National Computer Systems Laboratory mcnulty@ecf = F. Lynn McNulty an associate director for computer security at the National Institute of Standards and Technology's Computer Systems Laboratory Gangemi@dockmaster.ncsc.mil = Gaetano Gangemi is director of the secure systems program at Wang Laboratories Inc. He wrote: Computer Security Basics by Deborah Russell and G. T. Gangemi, Sr. -1991, O'Reilly and Associates slambert@cgin.cto.citicorp.com = Sandra Lambert is vice-president of information security at Citibank, N.A. lipner@mitre.org = Lipner is Mitre Corp.'s director of information systems. gallagher@dockmaster.ncsc.mil = Patrick Gallagher, director of the National Security Agency's National Computer Security Center and a security board member walker@tis.com = Stephen Walker a computer security expert and president of Trusted Information Systems, Inc. in Glenwood, Md willis@rand.org = Willis H. Ware a the Rand Corp. executive who chairs the security board. whitehurst@vnet.ibm.com = William Whitehurst is a security board member and director of IBM Corp.'s data security programs. -- Harry Shapiro habs@panix.com List Administrator of the Extropy Institute Mailing List Private Communication for the Extropian Community since 1991 -- Harry Shapiro habs@panix.com List Administrator of the Extropy Institute Mailing List Private Communication for the Extropian Community since 1991 From sci.crypt Fri Apr 23 11:06:24 1993 Xref: utcsri alt.privacy.clipper:120 sci.crypt:15651 Newsgroups: alt.privacy.clipper,sci.crypt Path: utcsri!utnut!torn!howland.reston.ans.net!usc!cs.utexas.edu!swrinde!sgiblab!sgigate!sgi!wdl1!phobos!koontzd From: koontzd@phobos.lrmsc.loral.com (David Koontz ) Subject: Is key escrow enough? Message-ID: <1993Apr22.231517.18659@wdl.loral.com> Sender: news@wdl.loral.com Organization: Loral Rolm Computer Systems References: <1993Apr22.043233.8855@uc.msc.edu> Distribution: world Date: Thu, 22 Apr 1993 23:15:17 GMT Lines: 48 >From: denning@guvax.acc.georgetown.edu > Revised, April 21, 1993 >The chips are programmed by Mykotronx, Inc., which calls them the >"MYK-78." The silicon is supplied by VLSI Technology Inc. >All Clipper Chips are programmed inside a SCIF (Secure Compartmented >Information Facility), which is essentially a vault. The SCIF contains >a laptop computer and equipment to program the chips. About 300 chips >are programmed during a single session. The SCIF is located at >Mykotronx. >ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. This article is based on >information provided by NSA, NIST, FBI, and Mykotronx. Permission to >distribute this document is granted. So, who is Mykotronx, Inc.? It would be nice to know that they are not a front company used by an intelligence or other agency of the U.S. government. While we are at it, the chip design(s) should be examined and verified against silicon to insure no trap doors or hidden protocols exist in silicon, regardless of the security level of the encryption algorithm. There is no proof that the chip won't squeel and role over for someone with the proper knowledge to interrogate it via the communications link. The design examination should be done to the gate level. Also, how does one verify that what you are looking at is reflected in tapeout, or masks? The silicon should be examined as well, the design in hand (a clean room publicly defined clipper chip) can be merged with another design later, or changed between completion and mask out. There is little proof that what you are told is in the chip is all that is in the chip. Put the (verified) masks in escrow, and use them for chip production, use a third escrow party for programming the chips. The government is asking for a lot of blind trust: the encryption algorithm, operating protocols, the agency having physical control of the devices, the silicon implementation. If the government is so trustworthy, why escrow anything? From sci.crypt Fri Apr 23 11:12:44 1993 Newsgroups: sci.crypt Path: utcsri!utnut!torn!howland.reston.ans.net!usc!elroy.jpl.nasa.gov!ames!haven.umd.edu!uunet!well!well.sf.ca.us!artmel From: artmel@well.sf.ca.us (Arthur Melnick) Subject: New Encryption Algorithm Message-ID: Summary: The history of NEA Keywords: NEA Sender: news@well.sf.ca.us Nntp-Posting-Host: well.sf.ca.us Organization: The Whole Earth 'Lectronic Link, Sausalito, CA Date: Fri, 23 Apr 1993 04:19:37 GMT Lines: 76 Ever since Craig Rowland posted his piece "New Encryption" to sci.crypt there has been some discussion of our company, Secured Communications Technologies, Inc, and on encryption algorithm, NEA. I spoke to Craig at length on 4/21/93 and we covered a lot of ground. Some of the information in the posting requires some clarification, and I would like to answer some of the questions raised on sci.crypt. SCT is a small company based in Silver Spring Maryland. Our two main products at this time are a PC based secure communications program called SECOM and a general purpose encryption chip which uses the NEA algorithm developed for SECOM. SECOM provides an encrypted secure communication link between two PC's connected over dial up telephone lines. It supports simultaneous bi-directional file transfer and keyboard to screen "chat". It has its own proprietary communications protocol which is tightly integrated to the encryption. All though it is a packetized link, the data stream appears to be continuous because the packet boundaries are hidden. When SECOM was initially developed, it was implemented to use DES encryption. A business decision was made to seek export approval for the product because it was perceived that the overseas market was a large one and provided a good marketing opportunity. We soon found out that we would NEVER be granted general export approval for anything using DES. All though the reason for this was never explicitly stated, it seems to have something to do with secret government to government agreements which are still in effect. In any event, the decision was made to develop a new and different algorithm which would take the place of DES. This was the reason NEA (New Encryption Algorithm) was born. At this time NEA is being held as a trade secret. The preliminary work of patenting it has begun, and the plan is to make it public once the patent process is complete. All though one can make certain legal arguments for keeping it an ongoing secret, I think in the case of an encryption algorithm it is necessary to let people "shoot at it" over an extended period of time to prove its worth. In order to get export approval for SECOM/NEA, it was necessary to go through NSA and to reveal to them the details of the program and algorithm. This was done only AFTER we had a finished product to submit. Let me state unequivocally that there is NO "back door" to the program or the algorithm. Secured Communications Technologies is a closely held private company and NSA/FBI/CIA/NIST/WHATEVER has NO financial interest in any way whatsoever with the company or any of the people involved. From a practical business standpoint, we are interested in selling chips and software (hopefully in large quantities) and a back door to the encryption, if found out, could destroy our credibility and our business. With the encryption algorithm approved for export, we set out to talk to a number of potential customers for encryption products and systems. We were able to identify several common threads of functionality requirements. This led to the design of a chip with the encryption algorithm "cast in silicon" and certain other capabilities added so that the chip could fulfill the broad range of requirements that we identified. We are strongly opposed to the clipper/capstone chips. In a press release today, our president, Dr. Stephen Bryen stated: "It seems as if the government has an unlimited source of funds to use to push its new bugged chips on the American Public. But do we not understand how the National Security Agency, which is not supposed to be involved in domestic spying, can fund the development of a commercial chip intended to accommodate U.S. government domestic spying activities." If they had asked me to put a "back door" in NEA I would have told them to g__ f____ed. Can NSA break NEA? Or for that matter can they break DES, RSA, IDEA, Diffy-Hellman, PGP, RC2, RC4, or whatever? I don't know and probably never will. From sci.crypt Sat Apr 24 10:55:22 1993 Xref: utcsri alt.privacy.clipper:152 sci.crypt:15729 Newsgroups: alt.privacy.clipper,sci.crypt Path: utcsri!utnut!cs.utexas.edu!swrinde!network.ucsd.edu!qualcom.qualcomm.com!qualcom!rdippold From: rdippold@qualcomm.com (Ron "Asbestos" Dippold) Subject: Clipper Not Good Enough for Government? Message-ID: Originator: rdippold@qualcom.qualcomm.com Sender: news@qualcomm.com Nntp-Posting-Host: qualcom.qualcomm.com Organization: Qualcomm, Inc., San Diego, CA Date: Fri, 23 Apr 1993 20:00:13 GMT Lines: 18 There's been some discussion very recently as to whether the government once again might exempt themselves from something they use to screw us over... Well, from comp.dcom.telecom: ~From: lesreeves@attmail.com ~Subject: Odds 'n Ends in the News * The Clipper Chip device introduced yesterday by AT&T may not be suitable for government use, says House Telecom Subcommittee Chairman Markey. In a letter to Commerce Secretary Brown, Markey asked whether the use of the technology could lead to "inadvertently increased costs to those U.S. companies hoping to serve both" the government and private markets. Markey has ordered Brown to answer several questions about security and cost concerns by April 28. (Communications Daily, 4/20/93) -- Show me a guy who's afraid to look bad, and I'll show you a guy you can beat every time. -- Renee Auberjonois From sci.crypt Mon Apr 26 10:34:13 1993 Xref: utcsri alt.privacy.clipper:204 sci.crypt:15861 Newsgroups: alt.privacy.clipper,sci.crypt Path: utcsri!utnut!torn!howland.reston.ans.net!usc!elroy.jpl.nasa.gov!decwrl!netcomsv!netcom.com!tenney From: tenney@netcom.com (Glenn S. Tenney) Subject: Hearing on 29 April 1993 Message-ID: Organization: Netcom - Online Communication Services (408 241-9760 guest) Date: Mon, 26 Apr 1993 01:35:05 GMT Lines: 105 I received a fax of a letter from Representative Markey (Subcommittee on Telecommunications and Finance) to Ron Brown (Secretary of Commerce). Since encryption and the Clipper chip are raised in this letter, I felt it would be of interest. I understand that on 29 April, Mr. Markey will be holding a hearing on the questions raised in this letter. There may also be a follow-on hearing dedicated to the clipper chip, but that's not definite. I've typed in the letter, which follows. Any errors in transcription are mine... --- Glenn Tenney tenney@netcom.com Amateur radio: AA6ER Voice: (415) 574-3420 Fax: (415) 574-0546 ------------------ letter of interest follows ---------------- April 19, 1993 The Honorable Ronald H. Brown Secretary Department of Commerce 14th and Pennsylvania Ave., NW Washington, DC 20236 Dear Secretary Brown: As you know, I have long been interested in the privacy and security of telecommunications transmissions and data in a networked environment. Recent reports concerning the Administration's endorsement of an electronic encryption standard, based upon "clipper chip" technology, have raised a number of related issues. The international competitiveness of U.S. high tech manufacturers and the software industry is a key factor that the government should consider when addressing issues of encryption and data security. As the nation moves forward in developing the national communications and information infrastructure, security of telecommunications transmissions and network data will be an increasingly important factor for protecting the privacy of users. The "hacker" community can compromise the integrity of telecommunications transmissions and databases linked by the network. The people and businesses that use the nation's telecommunications network and the personal computers linked through it increasingly are demanding that information be protected against unauthorized access, alteration, and theft. I am concerned that the Administration's plan may mean that to remain competitive internationally, U.S. companies would be compelled to develop two products -- one for U.S. government customers, and another for private, commercial users who may want a higher encryption standard. This may inadvertently increase costs to those U.S. companies hoping to serve both markets. To assist the Subcommittee's analysis of this issue, please respond to the following questions: 1. Has the encryption algorithm or standard endorsed by the Administration been tested by any entity other than NSA, NIST or the vendor? If so, please identify such entities and the nature of testing performed. If not, please describe any plans to have the algorithm tested by outside experts and how such experts will be chosen. 2. Under the Administration's plan, what entities will be the holders of the "keys" to decrypt scrambled data? What procedures or criteria will the Administration utilize to designate such key holders? 3. Does the encryption algorithm endorsed by the Administration contain a "trap door" or "back door," which could allow an agency or entity of the Federal government to crack the code? 4. It is clear that over time, changes in technologies used for communications will require new techniques and additional equipment. How will encryption devices adapt to the rapid advancement of telecommunications technology? 5. What additional costs would the proposed encryption place on the Federal government? What is the estimated cost to consumers and businesses which opt for the federal standard in their equipment? 6. What is the Commerce Department's assessment of the competitive impact of the Administration's endorsement of the "clipper chip" technology on U.S. exports of computer and telecommunications hardware and software products? I would appreciate your response by no later than close- of-business, Wednesday, April 28, 1993. If you have any questions, please have your staff contact Colin Crowell or Karen Colannino of the Subcommittee staff at (202) 226-2424. Sincerely, Edward J. Markey Chairman ### -- Glenn Tenney voice: (415) 574-3420 fax: (415) 574-0546 tenney@netcom.com Ham radio: AA6ER From alt.fan.rush-limbaugh Mon Apr 26 10:38:43 1993 Xref: utcsri alt.rush-limbaugh:20869 alt.fan.rush-limbaugh:23624 Newsgroups: alt.rush-limbaugh,alt.fan.rush-limbaugh Path: utcsri!utnut!torn!howland.reston.ans.net!zaphod.mps.ohio-state.edu!wupost!uunet!gatekeeper.us.oracle.com!decwrl!csus.edu!netcom.com!jrs From: jrs@netcom.com (John Switzer) Subject: Summary Fri 4/23/93 Message-ID: Summary: Unofficial Summary for Friday, April 23, 1993 Keywords: Unofficial Summary Rush Limbaugh Organization: Netcom Online Communications Services (408-241-9760 login: guest) Distribution: world,usa,alt,na Date: Sun, 25 Apr 1993 22:57:30 GMT Lines: 901 Unofficial Summary of the Rush Limbaugh Show for Friday, April 23, 1993 by John Switzer This unofficial summary is copyright (c) 1993 by John Switzer. All Rights Reserved. These summaries are distributed on CompuServe and the Internet, and archived on CompuServe and Internet (cathouse.aiss.uiuc.edu). Distribution to other electronic forums and bulletin boards is highly encouraged. Spelling and other corrections gratefully received. Please read the standard disclaimer which was included with the first summary for this month. In particular, please note that this summary is not approved or sanctioned by Rush Limbaugh or the EIB network, nor do I have any connection with them other as a daily listener. ****************************************************************** April 23, 1993 LIMBAUGH WATCH April 23, 1993 - It's now day 94 of "America Held Hostage" (aka the "Raw Deal") and 172 days after Bill Clinton's election, but Rush is still on the air with 594 radio affiliates (with over 15 million listeners weekly) and 207 TV affiliates (with a 4.0 rating). His first book has been on the NY Times hardback non-fiction best-seller list for 32 consecutive weeks, with 2.5 million copies sold, and his newsletter has over 250,000 subscribers. However "The Way Things Ought To Be" has fallen to the number eight spot on the LA Times best-seller list. Confused Limbaugh Watchers anxiously await future indications of whether there is any place for Rush Limbaugh in Clinton's America. MORNING UPDATE Yesterday was Earth Day, and someone who watched all the TV shows about it would have had to come away with the feeling that the planet is doomed. Nickelodeon ran "Plan It for the Planet," which portrayed Earth as a goner unless drastic action is taken now; HBO ran "Earth and the American Dream" which claims that white guys are destroying the planet while Native Americans are the only ones who are doing anything good; and CBS is running a two-parter titled "The Fire Next Time." "The Fire Next Time" is set in the not too distant future, and shows America as a nation beset with dying forests, dried-up rivers, and shrinking beaches. An epidemic of skin cancer is being caused by ozone depletion, and all of these evils are portrayed as the result of white men coming to America to pursue the American dream. "This is really poisonous stuff," Rush notes. He adds that Steven Scheider, an atmospheric scientists, was a consultant to "The Fire Next Time." Scheider was quoted in 1989, however, as saying: "To get some broadbased support to capture the public's imagination, we have to offer up scary scenarios, make simplified, dramatic statements, and make little mention of any doubts we have. Each of us has to decide what the right balance is between being effective and being honest." This guy who urges lying to the public and creating needless scares and panics is, by the way, a source in Algore's book "Earth in the Balance," a book Rush terms a "magnificent work of fiction." Rush begs his audience not to get depressed, though, because he is still around to bring truth to this matter. "All you need to remember," he concludes, "is that the environment is getting better. But never, ever, ever trust a draft dodger." FIRST HOUR Items o Rush is proud to have a new title: "Doctor of Democracy." Doctor of Phoneology <> Bo Snerdley, however, is just as proud of his title. o Rush would like to once again give his audience "one big attaboy" since not only is EIB the most listened-to radio show in Los Angeles, but also in San Francisco, where EIB has a 12 share in its second hour. EIB has similar successes in Philadelphia, Chicago, Detroit, New York City, San Diego, and many other cities. He thanks all of his listeners for making this possible. Update Mario Cuomo (Screamin' Jay Hawkins, "I Put a Spell on You") This update is related to the speech made last week by Senator Daniel Patrick Moynihan who blamed the current regime of New York City for the cultural problems the city faces. Governor Cuomo, who is a friend of Moynihan, has now joined forces with David Dinkins in attacking Moynihan for criticizing New York. Cuomo says that the "cultural breakdowns" which Moynihan referred to "could easily describe government in Washington. Wasn't it family values which went wacky on the Potomac?" Cuomo then said the city of Washington, DC was a worse place to live in than NYC. Thus, Cuomo is not only blaming a Democratic Senator for his state's problems, but is also criticizing another Democratically-run city. Rush admits he loves seeing two Democrats debate which of their cities is the worse. Update Gay Community (Klaus Naomi, "You Don't Know Me") The gay community's massive march in Washington, DC will be happening this weekend, and Rush has a list of the events which have been scheduled. Among the 300 events scheduled are: o An S&M leather party o The Lebutant Ball at the National Press Club put on by NOW o A romantic midnight cruise on the Potomac on the cruise ship "Dandy" o A mass wedding demonstration for couples' rights at the IRS building o "Hands Around the Capitol Building" protest for more AIDS funding o The Dyke March in Dupont Circle o A drag show on the Mall Rush adds that he's also heard the gays may paint the Washington Monument pink, but this is unconfirmed. *BREAK* Rush says many Americans are having their eyes opened about the truth about Bill Clinton. The news media, however, has been bombarding the public with news about the "heartless" Republican filibuster of Clinton's "jobs bill," but Rush still supports what the Republicans did. He promises to continue airing the truth about this, but says people should be heartened by how many high-ranking Democrats are starting to be very troubled by Clinton's inability to get things done. Rush had thought Bill Clinton was a policy wonk, but he was wrong. Clinton's administration is aimlessly wandering through the jungle of legislation because Clinton is a "politics wonk," not a policy wonk. Clinton knows how to play the political game and how to campaign, but not how to govern and get things done. The Clinton administration is more concerned about having the "right" sort of diversity among its members than it is about getting its policies through. The "gridlock" which is happening on Congress can't be laid on the shoulders of the Republicans because many of the moderate Democrats, who once believed Clinton was a "new Democrat," are now upset that Clinton has turned out to be the same old liberal that the Democratic Leadership Council was founded to defeat. Rush recalls the political cartoon that showed a working class man holding a cigarette and beer wearing a T-shirt emblazoned with a giant target. The Clinton administration has targeted poor guys like this because those in that administration are convinced this man is a sinner and deserves to be taxed more. The latest excuse is that smokers and drinkers by virtue of their activities put a greater strain on the health care system, and thus should pay more. Rush, however, can think of a lot of behaviors, which are now being called "rights," which raise health care costs far more than drinking or smoking. Clinton, though, wants to raise taxes only on beer and cigarettes, and he's got a lot of support from people who think that this is just a fair and equitable thing to do. The real world, though, has some surprises in store for these people. Anheuser-Busch is threatening to close their brewery in St. Louis if Clinton does indeed raise taxes on beer. The company says that the added taxes would force it to close one of its breweries, so why not its biggest one? In the real world when government makes it tougher for businesses to do business, companies will respond to cut their losses. Rush also recalls that the federal deficit will be smaller than expected because of economic growth. Clinton, though, used the excuse of a higher deficit last year as the justification for higher taxes. Since the deficit is going to be lower, though, shouldn't Clinton follow this same linear logic and cut taxes? The Democrats are in a panic mode about things, and Rush plays a quote from Senator Robert Byrd (D-WV), who said the following Wednesday when the Senate killed Clinton's "jobs bill": "So while the champaign corks are popping on the other side of the aisle tonight, billions [sic] of Americans will open a can of beans and a box of soda crackers, and wonder where they're going to find a job." Rush is surprised to learn that there are "billions" of Americans, but suggests that these Americans can find a job in the same place they always have - in companies. They certainly won't find any jobs on the floor of the Senate. However, if Senator Byrd is so worried that Americans will be eating a lot more beans now, then he should do what Congress always does in this sort of situation - tax beans. *BREAK* Rush replays the quote from Senator Byrd and notes it's the same old scare tactics that the Democrats love to use. At least, though, it's better for Americans to open a can of beans than one of pork. Rush has to laugh at the spectacle of panic-filled Democrats, who were the ones who won last November. First, Clinton claims Republicans are holding children hostage, then Senator Mitchell warns that cities will burn if Clinton's bill isn't passed, and now Byrd talks about billions of Americans eating beans. "Where has civility and responsibility gone?" asks Rush, who notes that if these were Republicans making these statements, they'd be front page news and lead items on the TV news. EIB, though, has to scour the cutting room floor to find these amazing things. Phone Phil from Kalamazoo, MI Phil watched "Earth and the American Dream" last night, and he was disappointed because 1) it was really boring and 2) had a lot of actors he really liked doing narrations. They also showed pictures of starving Ethiopians and the damage caused at Chernobyl, as if these were the fault of Americans. Rush says that the militant environmental socialists would indeed claim that these tragedies happened because of an unequal distribution of the world's wealth. The real problem, though, is not the distribution of wealth, but the unequal distribution of capitalism. Capitalism has made the US the most successful nation on the Earth and the nation which feeds the world. Rush's TV show last night was devoted to Earth Day and the idiocy which is going along with it. Rush urges those in his audience who have "The Way Things Ought to Be" (still on sale) to reread the chapter on the environment, and they'll learn how the militant environmentalist movement is the new home for world socialism. On his show, Rush played numerous clips of celebrities blaming America for the world's problems, with Lindsay Wagner even theorizing that maybe the American dream should be redefined. America, though, does more for the environment than anyone else, and it's because of capitalism. Capitalism is why America has more trees now than 70 or 170 years ago. Capitalism and its profit motive give people a reason for taking care of trees and replanting them. Rush doesn't suggest that there aren't problems or messes to be cleaned up, but the environment can't be helped by attacking prosperity and promoting disincentives against the American lifestyle. Some activists would love to see people return to the era of mud huts and straw floors, but this is absurd. The environmentalists don't let facts get in their way. When the Space Shuttle's measurements of the ozone layer discovered that ozone depletion was "shockingly low," everyone was convinced that those measurements couldn't be right. The truth, though, is that if there are reduced levels of ozone in the stratosphere, the blame can be placed only on the eruptions of Mount Pinatubo. Man's CFCs and spray cans can't be responsible for fluctuating ozone levels, which are natural changes that have been occurring for decades. Volcanoes have been around for eons, and Mount Pinatubo's eruption was a "puny" one by some standards, but it still was able to reduce the world's temperatures a degree or so and cause a minor depletion of the ozone. The Earth, though, is remarkably rejuvenative and has recovered from Pinatubo, just as it has recovered from the thousands upon thousands of eruptions which have occurred for eons. The environmentalists want people to believe that America is ignoring the "warning signs" and is destroying the planet. This is not true, and in fact an AP story on this has the following paragraph buried within it: "It is theorized that the unusually low readings might have been caused in some part by the huge 1991 eruption of a Philippine volcano." Rush points out that Mount Pinatubo destroyed two US military bases, yet its effects are basically ignored by people who think mankind is far more powerful than the forces of nature. Phil says that what bothers him is that these actors are attacking what has made them successful and rich, and he has to wonder if they possibly think they will be the elite when a socialist system is established. Rush says that this is the myth believed by all of the intellectuals and artists who support Communism. Vladimir Posner, though, can testify as to what happens under socialism - he had to leave the Soviet Union because his freedom of speech was taken away from him. This is also why so many Soviet artists defected, because they wanted the freedoms that socialism denied them. Rush is convinced that actors in general have a burning need to be taken seriously for who they really are and not just the roles they play. This desire, coupled with the guilt many of them feel for being rich and successful, pushes them into activist causes. These actors think they are actually doing something worthwhile, and because the media wants to stay on these celebrities' good sides, the press never challenges them or their opinions. They thus become "experts" and sometimes even testify before Senate committees; Jessica Lange once played a farmer's wife, and so testified before Congress on the plight of women farmers. Rush wonders if Willie Nelson will be the next to testify, perhaps on US tax policy. *BREAK* Phone Mary from Laredo, TX Mary asks why nobody asks President Clinton what kind of jobs his "jobs bill" will create - are they long-term, short-term, minimum wage, or what? Rush says this is a good question, but the press is not really concerned about this because Clinton's bill is just politics as usual to them. Clinton's stimulus bill will create jobs, but they are make-work, low-paying jobs which will nevertheless cost $90,000 each. The press, however, has seen all this before; it knows that the Democratic party typically spends big money like this to help out its mayors and other politicians. What's at stake here, though, is not if jobs will be created, because they will, but rather where jobs should be created in the first place - in the private sector or by government. President Clinton has shown himself to be no different than those liberal Democrats who think that government should create jobs so that they can by votes and be reelected. Mary understands this, but is worried that the word isn't getting out about the true nature of these jobs. Rush says that Mary shouldn't be too concerned about this because the Senate just got back from a two-week recess during which they heard no complaints about the Senate filibuster; no constituents were complaining about the stall of the "jobs bill." Also, Clinton's approval rating is dropping. People should therefore remain confident and not worry so much about what the press is reporting. Sometimes the press can con the people into believing the Democratic side of things, but right now the people seem to already know what the realities are. *BREAK* Rush says that many EIB affiliates will undoubtedly preempt his show because they'll be carrying Clinton's press conference next hour, but Rush is not going to worry about this. He'll still do his best stuff because "I'm not going to allow this President to adversely affect this show. I'm not going to sit here and do a mediocre job while waiting for him to finish." New York listeners, who already have suffered under many preemptions because of the baseball season, won't have to worry about being preempted because WABC is not going to carry the President's press conference. Operations Director John Minelli has promised not to air Clinton's press conference because, after all, "what possibly new could we learn?" *BREAK* SECOND HOUR Rush is thinking of actually holding a two-week "summer camp" version of the Limbaugh Institute. It could do a course on the Federalist Papers perhaps and be someplace Rush would like to spend two weeks. He promises to consider this possibility some more. Update Sexual Harassment (Frankie Vallie, "My Eyes Adored You") Rush sings along with the update theme, making up new words as he goes. He impresses himself with his improvisational lyric-writing capabilities and orders his staff to write down his new words as he sings them. <> There are two items to this update: o Fitness guru Richard Simmons has been sued for sexual harassment by a former employee of the QVC network, Laurie Pastor. Pastor claims when Simmons was at the network offices in 1991 to sell his workout clothing and equipment he made "lewd, lecherous, lascivious, and wanton remarks" to her. She thus wants at least $150,000 in damages. Rush wonders how much Simmons paid Pastor to make this complaint. o The University of Virginia faculty has endorsed a ban on sex between teachers and students they teach or supervise. Originally, the ban would have prohibited sex between teachers and any students, but the teachers complained that this would be "an unconstitutional limit on love." The ACLU joined the teachers, saying that banning all sex between consenting adults is a violation of the constitutional right to privacy. Rush wonders when love entered the sexual harassment scene, but is glad there will be no "unconstitutional limit on love." ******** Rush replays Senator Byrd's comment about "billions of Americans" because he wants to stress how Democratic party leaders are starting to have doubts about the Clinton administration's ability to get anything done. Rush thinks that there is a lot of good news in this, and notes that whenever he sees the press report about the "jobs bill" or "stimulus package" these words are always in quotes. Thus, doubts have been raised as to the true intent of Clinton's bill. The NY Post has some more good news about how Clinton may retreat from his $21 billion business investment tax credit. Dee Dee Myers said that "we are looking at it. We are not ruling it in. We are not ruling it out." The Washington Post says that the Republicans' "mauling" of Clinton's bill has "angered, alarmed, and frustrated" some of Clinton's most loyal supporters in Congress, and has slowed his momentum and reduced his support. NY Newsday has the headline "Little Pain in Loss of Stimulus Plan," and the accompanying story reports that the stimulus bill would not have done much good for the US economy. However, the story warns that a rejection of Clinton's deficit reduction bill would "come back to haunt the economy." Earl Caldwell in the NY Daily News writes that the Clinton "dream" is now over because of what happened in Waco. Janet Reno and President Clinton both "seemed to rush to accept responsibility" for what happened in Waco, with Reno saying "the buck stops with me." (Rush thinks that a clip of Reno saying this would make for a winning GOP political ad in 1994.) Caldwell then says that Reno and Clinton didn't go far enough - "they don't have to claim responsibility, they are responsible. What they need to tell is another story." Caldwell thinks that the Clinton administration has to explain why it acted with "such a callous disregard for human life." Rush thus is encouraged by all this because these are all Democrats talking and criticizing Clinton. *BREAK* Rush will be interviewing Charles Barkley this afternoon; the interview will appear in the June issue of the Limbaugh Letter. Rush thinks people will be surprised at what this man has to say. Rush saw last night's game, and was impressed by how seven points were scored in the last few seconds. The winning basket was lobbed in by Barkley during the last half second, and this was Barkley's first game back after being injured on the team bus. Phone Mary from Piscataway, NJ Mary would like Rush to call her son in Indianapolis to wish him a happy birthday and to tell him that his present will be a subscription to the Limbaugh Letter. Rush asks if the subscription is one year or two; Mary replies it was for only one year, and Rush points out that she could have saved $11 by getting the two-year subscription. EIB doesn't advertise this fact, but "when you call the 800 number, the eager-beaver salespeople are supposed to force - uh, offer, the option of a two year subscription to you." Rush says he'll call Mary's son, and Mary starts to give out his number on the air. Rush shouts her down, and tells his staff to get the number and call the guy. Phone Denise from Lowell, MI Denise has a poem which she thinks expresses the viewpoint of millions of thinking women across America: Intellectual Fantasies "My sin is never-ending, My shame is so profound. Too much time with you I'm spending While to another I'm bound." "I curse my own dependence, My addiction will not cease. Every day I have to tune in, noon to three, to find release." "You're the master of the airwaves, Commentator nonpareil. Rush, I need you, need you, need you, 'Cause I think as well as feel." "So I try, I cannot stop it, Somehow, someway I'll be resigned. While I'm married to another, I'll be lusting for your mind." Rush thinks this is very sweet, but "sadly so true." While he was signing books during last night's TV show, a woman told him she had an erotic dream about him last night. Rush asked for details and she replied "we had dinner together." Denise says Rush is the "sex symbol of the thinking women of America," and Rush thanks her for calling in with her thoughts and poetry. *BREAK* Phone Jeannette from Chattanooga, TN Jeannette asks Rush about Thomas Sowell's latest book, "Inside American Education." Sowell writes that the American public school system should be junked and a new system built up. She wants to know if this is possible. Rush says that this would be a major reform program which would require a great deal of parental involvement at the grass roots level. This, though, is already happening, and Rush thinks Sowell may have tapped into a new movement in America - in New York, for example, parents are actually daring to say they want to be on the local school boards. Rush suspects that things like this will happen more and more as liberal curriculums such as those introduced in NYC show up across the country. Rush is honored to know Sowell, who is an incredibly intelligent and insightful man. Jeannette says that she thinks of him the same way, but it appears that his book is being boycotted by the establishment. Rush says this is very true - political cleansing is indeed alive and well in America, and another example of it is David Brock's book on Anita Hill. David Brock has written the ultimate investigation into Anita Hill's allegations against Clarence Thomas. Portions of it have appeared in the American Spectator, and Brock was originally scheduled to appear on all the usual talk shows that are part of the book-selling circuit. These TV shows, though, basically cancelled Brock's appearances by saying that they would need a member from the "opposing camp" to appear with him. This is totally bogus, and Rush cannot remember one previous example of when an author needed someone who disagreed with him to appear on the talk show circuit with him. This is a classic example of how liberals, who claim to be the most tolerant, really are the most intolerant of all. Jeannette adds that an administrator of a large Christian school in Illinois has challenged the Chicago public schools; the administrator has said he'll educate 200 students from the Chicago schools for free for one year. If these 200 kids' test scores are higher than those of the public school students, he'll accept those students again for a reduced fee of $2500 a year. The Chicago public schools, though, have ignored his offer. Rush is not surprised since the public school system is a gravy train for many, given that it gets a lot of federal dollars. However, competition is exactly what the public school system needs, but the monolithic teachers' unions will oppose it; these teachers' groups even oppose national standards or tests because these sorts of things can point out how poorly some teachers are doing. Rush says that Sowell's book is a shocking one in that it gives an incredible number of examples of how public schools waste money and children's time. Sowell has been a bit discouraged lately, though, with his teaching career because of the many things he is forced to do as a teacher. This is why he prefers to now spend his time speaking and writing. Sowell also told Rush that he considers himself lucky to have been born in 1930, since this allowed him to grow up and mature before the monolithic civil rights coalitions took over the black community and put impediments in the way of blacks seeking to better themselves. Sowell has promised to have dinner with Rush when he visits New York in June, and Rush is looking forward to it because Sowell's intelligence makes learning from him incredibly easy. *BREAK* Phone Mona from Lewisville, TX Mona and here family were watching Rush's TV show recently when they saw the bit about the school that wants to "help" pay off the deficit by getting a quarter from every school kid in the country. Mona's two daughters, 14 and 16, though, said that if someone came up to them and asked for this money, they'd write up IOUs stating they'd fork over the dough when President Clinton is willing to cut the deficit by the same amount. Rush says that this is smart thinking, and is glad to learn that Mona's daughters are fans of his show. Mona says that they both are good students and creative, and asks Rush to say "hi" to both of them. Rush says "hi" to Jenny and Erica, and praises them for having great brains, great parents, and a great family. "Keep it up," he urges. Rush learns that the President's press conference has just ended, and he tells those listeners who were preempted that "you missed a great hour." <> He promises to repeat just a few of the great bits he did, but Bo Snerdley doesn't think that Rush should "reward" these listeners for missing his show. Rush tells Bo to lighten up, since these poor listeners weren't missing the show by choice; they were "being held hostage by the President." *BREAK* Phone Gale from Vinton, CA Gale says that her husband's aunt has lived with the Eskimos for 20 years, and thus has learned a lot about Native Americans, their lifestyles and folklore. Gale's father-in-law just died, and his estate included large shells which West Coast Indians used for money. The aunt told Gale that these large shells, called dentalia <>, were now extinct because the Indians over-harvested them. The small ones are still available, but the large ones are long gone. Rush thinks it's not possible that the Indians would have despoiled nature since they are "one with nature." After all, HBO thinks that everything they did was perfect. Gale is not convinced of this and notes that this extinction of the shell species happened long before the white man "corrupted" the Indians. Gale also wonders what happens when a bald eagle eats a Spotted Owl, and Rush tells her that this is only "nature working its magic and we're not allowed to question it." Rush thanks Gale for giving a great example of why it's folly to believe that the white man discovered a pristine paradise when he arrived at the Americas. Humans are humans, and have destroyed the environment long before white Europeans showed up. *BREAK* THIRD HOUR The number of first-time claims for unemployment benefits increased 26,000 last week, and this is being seen as a sign of slack economic and job growth. Rush says that this news could be interpreted in a number of ways. When unemployment was dropping last year after the election, both President-elect Clinton and Vice President-elect Algore were claiming that the reason for the unemployment drop and for economic growth was that their election had given the American people "hope." Well, if this is true, then doesn't it stand to reason that the increasing unemployment and slow economic growth might be due to a lack of confidence in the Clinton administration? Rush recalls that back in the post-election days, Americans still thought they were going to get a middle class tax cut. Today, though, the news each day contains yet another new tax that the Clintons are thinking about implementing. Thus, it stands to reason that the ineptness of the Clinton administration, not to mention their taxaholic fever, has dampened any hope that might have existed in American businessmen and women. If there is an economic slowdown, it's because of what those in Washington say they want to do and what they are trying to do. Perhaps they won't succeed in their efforts, but their attempts can certainly make people pessimistic. Rush recalls that Labor Secretary Robert B. Reich said last fall that the jobs that were being created were only part-time, temporary jobs. This, of course, was to be expected at the end of a recession because businesses are not willing to hire new workers until they are convinced that an expected economic growth cycle will not peter out. Now, though, businesses are beginning to think that the growth cycle is indeed petering out. There was a recovery going last fall, but the Clinton administration seems to have doomed that with their talk and actions about the economy. Update Feminist (The Forester Sisters, "Men" with "in your face" slogan) Rush first notes that a recent issue of Newsweek actually used the term "feminazi" in one of its stories, and he bets it's only a matter of time before it gets into the dictionaries. Continuing on with the update, Rush says that a feminist magazine is sponsoring the "Bring Your Daughter to Work for a Day" movement. Jim Dreier of NY Newsday has added in his column today that this program is being run in tandem with the "Leave Your Worthless Son in School That Very Same Day Day" program. The feminist program is based on the idea that environmental biases are keeping women out of business, so to fight those biases, parents are encouraged to bring their daughters with them to work so that they can see how businesses work. Rush, though, thinks that this misguided effort is a waste of time because as Dreier points out not too many boys go to work with dad to find out what is going on. Thus, the feminists are implying that men can more naturally assimilate the business environment, while women have to be given special attention in order to achieve this. "It's cockeyed," Rush states, pointing out that this is another example of how the feminist leadership has nothing to do with the mainstream American women who may think they are feminists. The feminist leadership is trying to alter basic human nature, and although people can be screwed up, it's not possible to change what human beings are. *BREAK* Phone Russell from Nashville, TN Russell saw in today's edition of the Nashville Banner that Rush has sold out his speech at this weekend's NRA convention twice over. Rush hasn't heard this, so Russell says that 3,000 tickets at $125 each were sold for the ballroom in which Rush will be appearing. However, there was such demand for tickets that the NRA hired two remote ballrooms, each holding 2,000 people, at which they'll show Rush's speech via closed-circuit TV; thus, a total of 4,000 more tickets were sold at $40 each. NRA President Wayne LaPierre told the newspaper that the NRA could have sold 20,000 tickets if they had enough space. Rush is impressed by these figures and admits he didn't know the original ballroom tickets were going for $125 each. Russell confesses he won't be seeing Rush speak because he's got season tickets for one of Nashville's two minor league teams. Russell adds that his 12-year-old daughter loves Rush's TV show, and suggested that Rush use Fleetwood Mac's song "Little Lies" as an update theme for whenever Clinton breaks one of his promises. Rush says that many people have suggested this, but the problem is that EIB would end up doing nothing but playing this song. Rush thanks Russell and his daughter, though, for the thought. Phone Bob from Brooklyn, NY Rush catches Bob in the midst of eating, and Bob explains he was eating a "celebratory grape" because they are okay to eat now. <> Bob says that Rush probably didn't want to waste any tape by recording Clinton's press conference so Bob has called to relay some highlights of what Clinton said. Rush says EIB can afford to tape the President's speeches, since EIB, after all, could record over it later. That would be the environmentally safe thing to do, Bob adds, since EIB would not have to "chop down another mylar tree." Bob agrees with Rush a lot and loves listening to him, although his lover thinks Rush tends to "puff himself up a bit." Bob also admits that he is impressed by EIB's dedication to its listeners, given that EIB pays for keeping so many 800 lines open for three hours a day. Returning to the subject of Clinton, Bob says that Clinton lambasted the Republicans for supporting reforms last year but not this one. Rush holds Bob over the break so that he can continue with this point. *BREAK* Phone Bob from Brooklyn, NY (continued) Rush says he has heard about some of the things which Clinton said in his press conference, and some people think that Clinton appeared depressed and defensive. Bob says he started out strong, with his "Huck Finn" conman's smile, but it went downhill from there. Rush says that he thinks both the press and many Democrats are disappointed with Clinton's performance up to now. As to the Republicans' support for economic reform, Rush notes that the Democrats bottled up every growth bill they could in 1992 so that they could keep the recession going and get Clinton elected. Bob says that Clinton did mention that the country was in its second year of economic recovery, as well as that America's 7% unemployment rate was a symptom of what was a "worldwide problem." Rush wonders how Clinton can think the economy has been in recovery for two years, when only last fall he was saying that it was the worst economy in 50 years. "We all know they lied," Bob says; Clinton also said "things take time" and he pointed to how it took him 10 years to change things in Arkansas. "Does that sound like an effective leader to you?" Bob asks. Rush loves that and notes that Arkansas did improve in some respects, but the improvement was along the lines of going from number 50 in the country to number 49. Bob adds that a friend has a dog who just gave birth; only one puppy survived, which made Bob think that if there's ever only one nipple left on the national sow, Senator Kennedy is going to get it, and "it's going to be pouring Scotch." Rush thanks Bob for calling with so many great insights. Rush adds that he can see the day coming when he will have to be offering helpful hints and suggestions to the President. "Suppose we get into a real emergency?" Rush asks, adding he doesn't want to go down with the ship because his solutions were rejected at the polls. This doesn't mean Rush will be joining the Clinton administration as an advisor, but he has been referring to himself today as the "Doctor of Democracy"; "it may be," he supposes, "that house calls are going to be required." Phone Mark from Akron, OH Mark gives "dittos from the former rubber capital," but explains that this is in reference to how Akron gave birth to all the rubber companies: Goodrich, Goodyear, Firestone, etc. Rush issues a sigh of relief at this explanation. Mark says he is an Anheuser-Busch distributor who is still feeling the effects of the 1991 tax increases which doubled the federal beer tax. That increase not only had a negative impact on sales, but also on jobs. Mark is not optimistic about the future and thinks that his industry has a tough road ahead of it. Mark is also tired of being classified as a drug dealer or menace to society. Three generations of his family have been in this business, yet he's being punished by higher government taxes because of what business he's in. It doesn't help him to know that his personal taxes are also going up, which means that he's being penalized for being successful. Mark applauds Rush for telling the truth about this, and for encouraging him to deal with both his state and federal legislators. He also says hello to some friends in Kansas City, and when Rush learns that these friends live near Van Brunt Avenue he remarks "I've broken down there many times." He adds that it was in Kansas City where he bought an expensive "disgronificator" for his car. *BREAK* Phone John from Baldwin, WI John mentions that President Clinton in his speech praised himself and his performance so far, and he even took credit for the "lowest interest rates in 20 years." Rush is not surprised that Clinton would try to take credit for this, although he's done nothing to achieve this feat. John adds that Ross Perot <<"When Johnny Comes Marching Home" starts playing>> was on the Today show this morning, and he actually said that Bill Clinton's plan was "wrong for the country." Rush sarcastically remarks "how bold of Mr. Perot," but John was impressed since Perot has always danced around this topic before. Bryant Gumble, though, was insisting that Clinton's plan could work if the President was only given a chance. Rush says Gumble is a neophyte who still thinks the 80s were the worst period of American history. John agrees and says that Perot actually challenged Gumble on this and used Clinton's own numbers to prove his point. John was so impressed by what Perot was saying he even admitted, "gee he's starting to make some sense." Rush comments that Perot started off slowly with his criticism of Clinton, which gave him the appearance of being open-minded and hopeful. Now, though, Perot can come forward and say that things just aren't working out, which puts him in a good position to continue his political aspirations. Rush, of course, has been saying that Clinton's plan wouldn't work from day one, but then Rush is seeking not votes but only the truth. Phone Jerry from Manhattan, NY Jerry read today's column by Evans and Novak and found an interesting sentence: "The President, Mrs. Hillary Clinton, in a closed-door Senators-only briefing, stated that she is looking at the VAT and it's under consideration all the way up to 22%." Jerry thinks that he'd be better off in Russia than paying a VAT of 22%. Rush notes that Bill Clinton has already denied he's considering a VAT, but Hillary's bringing it up in closed-door meetings. The health care task force, though, has been very secretive in everything it's done, so people are getting more and more suspicious about it. Rush doesn't think the VAT tax will ever fly, though, because there's no health care crisis and the system is not so broken that a 22% tax is necessary to fix it. In fact America doesn't have any real crises going on, and to find a real crisis one has to go to Bosnia. The Democrats, though, have to manufacture one crisis after another in order to get the public to support their plans. Rush adds he had an interesting conversation about Hillary Clinton but he can't go into it now. He tells his staff to remind him about this on Monday, and warns them that if they fail in this, "heads are going to roll!" *BREAK* Phone Dave from Storrs, CT Dave gives massive dittos, but wonders why Rush's gloatometer is not kicking in since Rush is talking so much about his ratings. Dave thinks Rush is going a little overboard about this, but Rush disagrees. However, he's glad Dave asked about this because this question is a "toughie." Rush knows that he's singing his own praises by talking about the ratings successes he's having, but he also wants to convey to his audience that he knows they are the real reason for his success. He thus wants to thank these people for what he has today. Also, nobody gave Rush half a chance when he started out over four years ago, and some "experts" are still claiming that Rush's show is just a fad. Plus, the people in Rush's audience are as much maligned as he is by the critics, so Rush wants to publicly recognize what has happened in his career, and to thank the people who are willing to admit they listen to him. "Plus, when you're number one," Rush adds, "you have to say it if nobody else will." -- John Switzer | "To Protect and Control" -- motto of the | Eerie Indiana police department. Compuserve: 74076,1250 | Internet: jrs@netcom.com | From comp.risks Tue Apr 27 19:03:56 1993 Date: 22 Apr 1993 22:03:55 -0600 (CST) From: Daren Stebner Subject: Clipper Chip Commentary (not suitable for the cynicism impaired) Short Synopsis: "We're from the government. We're here to help...." Long Synopsis: "No, no, no. Don't use those regular old encryption devices; if everyone uses them, then criminals will use them, too. And if criminals use them, Big Brother won't be able to protect you from all those nasty deals they make over the phone. It just makes the work of protecting you poor lost sheep that much harder. "Here, Big Brother will make things all better, but in order for it to work, you need to use this handy dandy NEW encryption algorithm that HE designed. He even put it on a chip to make it easy for you to use it in all of your communication devices. He even gave it a cute name -- the 'Clipper Chip'. See?! Now, since Big Brother will know how to decode the messages, He'll be able to listen in on the conversations of all of those yucky bad guys so He can put them in jail and make things all better. "Could we listen in on your conversations too? Well, yes, but we would never dream of infringing on innocent peoples' rights to privacy. That would be a crime and Big Brother doesn't commit crimes. He loves you all and would never do anything to hurt you. Most of all, he just wants to protect you from those terrible, terrible, drug dealers. That's all he would ever use the Clipper Chip for. Isn't that swell of Him?" Daren Stebner stebnerd@wl.aecl.ca From comp.risks Tue Apr 27 19:04:37 1993 Date: Fri, 23 Apr 93 00:29:38 EDT From: Tony Harminc Subject: Clipper Chip Thoughts on the Clipper Chip: 1) One of the selling points of the Clipper chip is that US companies will be able to use it to effect secure communication between their home offices and branches in foreign countries. In particular, it is implied that it is the governments of those foreign countries that will be thwarted in their attempts to listen in to the corporate secrets of America. Now why would any "friendly" foreign government (e.g. Canada, France, New Zealand) imaginably permit Clipper to be used on its territory unless it too has access to the keys for "law enforcement purposes" ? So if XYZ Corp. wants to talk in private with its French subsidiary XYZ France, SA., the French government will want access to the escrow agents so that it too can present a court order (according to French law, of course) and be given XYZ's key, if it suspects wrongdoing on the part of XYZ France. But this clearly won't do. The US escrow agents will presumably be subject to US law and might be able to refuse a French court order on some US constitutional grounds. So the French will have to have their own pair of agents, and - since there is no advance control of which chips will end up in France - these French agents will have to have the complete list of all keys. Now multiply this by a dozen or so friendly countries, with an equal number of different legal systems and constitutions... 2) Presumably the reason for keeping the algorithms secret is to prevent competitive manufacture of chips (or software) that can communicate with Clippers from being produced. (Such competitors might somehow forget to send their key lists to the escrow agents.) I know almost nothing of the technology, but it seems far fetched to me that a chip can be manufactured that *absolutely, positively* cannot be reverse engineered, or at least satisfies something analogous to being computationally infeasible to reverse engineer. There was no mention of quantum effects, but I know of no other way to even begin to make something that can't be examined with appropriate probes. I hope some hardware experts will say something on this topic. Or is it that the hardware design can be reverse engineered, but the algorithms themselves are one-way encrypted ? 3) It is not clear to me how tapping of bidirectional communications works. If the police have a court order to tap the phone of suspected criminal X, and they find that he is holding a Clipper-encrypted conversation with previously unknown person Y, will they be able to decrypt only what X says if they have only X's key from escrow ? Or will they automatically apply for Y's key too, on the grounds that he is an associate of X ? Ordinary analogue phones (and networks) echo a small amount of the received signal to the sender, but an encrypting phone will have digitized and encrypted the signal before it gets echoed (even if there is a modem and analogue circuit in the loop). Tony Harminc, Apios Systems Toronto, tony@vm1.mcgill.ca From comp.risks Tue Apr 27 19:07:46 1993 Date: Sat, 24 Apr 93 14:39:12 EDT From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Responses to Clipper Chip Discussion in RISKS-14.53 Don Alvarez wrote Now, I have enough faith in the NSA's skills to trust that you can't pass the message to the user without also passing the escrow field, but I'd like to see that in writing. That is certainly the intent. First, who knows F? If the cop on the street knows F then it quickly becomes so widely known that everyone knows it and you might as well send the serial number in the clear. Ergo only the escrow agents know F. F is embedded in every Clipper Chip, but like other chip keys, unknown to the people who use them. Only law enforcement will have a decoder box that allows the law enforcement field to be decrypted. Initially, there will be just one box, and it will be operated by the FBI. Second, what information does law enforcement get from the escrow agents? Ideally, law enforcement only gets K, the session key governing the conversation for which they have a court order. Unfortunately, in order for law enforcement to get *only* K (and not U), the escrow agents must get together and secretly combine U1 and U2 so that they can unwrap K and give it to law enforcement. But then the escrow agents would also know K, and they would be able to decrypt messages themselves. That's just a very short step away from the omniscient big-brother which the multiple-escrower scheme was designed to prevent. The escrow agents must not allowed to exchange keys with each other. Ergo, law enforcement must assemble U itself in order to find out K. This means that law enforcement now knows the key to unlock every session key ever used on this phone. It is imperative that law enforcement get U. If they are tapping a line, there may be dozens of calls on that line per day. It would be totally impractical to have to go to the escrow agents to get the session key for each call. It would be impossible to do real-time decryption under that constraint. Things are starting to look bad, but what about F? We never really figured out what F was for, we just said that only the escrow agents know F. Well, now we know what F is for. Even if law enforcement knows U, they still can't read messages without court orders, because they can't obtain E[K;U] without knowing F, and only escrow knows F. For the same reason as above, it is imperative that law enforcement be able to decode the law enforcement field in order to obtain E[K; U] and then decrypt this to get K. It is completely impractical to go the escrow agents for each conversation. Steve Holzworth wrote: I don't claim to be up on crypto, but it seems to me that once the "authorized tap" has been performed once, the agency in question now has a copy of the desired keys. They can use these keys at ANY time in the future to decrypt communications between these two parties (without having to go through the After a tap has been completed, government attorneys are required to notify the subjects of the electronic surveillance. At that point, the subjects are certainly free to purchase a new device with a new chip, or perhaps the vendors could simply replace the chip. I have one outstanding question that I haven't seen asked yet. Is there a time component in the encryption key? Since wiretaps are presumably authorized for certain time periods with both start and end dates, it should not be possible to decrypt an illegally monitored message. I am unaware of any time component. Current wiretap laws protect against this. Evidence collected after the warrant has expired can be thrown out in court. In addition, it is illegal for the service provider to implement an intercept after a warrant has expired. With the new technologies, law enforcers will be incapable of executing a tap without the assistance of the service provider. Lars-Henrik Eriksson has written If the algorithm was made public, any weaknesses would be discovered in time. If it is classified, weaknesses may never be known, or known only to the parties who have access to the classified information. The NSA has a long record of success with crypto, far better than any individual or organization in the public community. In addition, there are plans to bring in expert cryptographers to assess the algorithm. Dave Weingart wrote: It appears ... that two encryption devices, when they initiate a session, must exchange keys in order to decrypt each others messages. Great, but here's my question...what's to stop someone at machine B (who's talking to machine A) from "recording" the key from machine A when the session is started? Since it appears that the key is constant for each chip, machine B can now _always_ decrypt machine A's messages. The unit keys that are embedded in the chips are not exchanged. Instead, machines A and B negotiate a session key K that is used only for that particular conversation. Jim Sims wrote: Seems a whole lot easier to just catch the key K during the negotiation between the boxes.... It is possible for both ends to negotiate a session key K without transmitting any secret information at all, including K. One way of doing this is with a public-key distribution method. The Diffie-Hellman method works as follows. Machine A picks a secret value xa, and machine B picks xb. A sends the public value ya = g^xa mod p to B and B sends yb = g^xb mod p to A, where p is a huge prime and g is a global constant. Then A computes the session key K = yb^xa mod p = g^xbxa mod p, and B computes K = ya^xb mod p = g^xaxb mod p. Both K's are the same. An eavesdropper sees ya and yb, but since xa and xb are not known, cannot compute K. For more information about key exchange, see for example my book "Cryptography and Data Security" or some other crypto text. Dorothy Denning denning@cs.georgetown.edu [There were enough additional messages for several more issues, some raising points already covered by the above message. I have somewhat arbitrarily selected a representative few for the rest of this issue, trying to avoid duplication where possible. There may be another issue or two yet to come out of the existing backlog. PLEASE pardon some of the duplication. It is virtually impossible for me to selectively choose a few nonoverlapping paragraphs from each message. For those of you who wonder whether RISKS has been taken over by this discussion, there has been essentially no other topic of concern for the past week, although something may be brewing in the recent near-fatal aircraft autopilot failure attributed to software. PGN] From comp.risks Tue Apr 27 19:10:30 1993 Date: Mon, 26 Apr 93 23:25:44 PDT From: jim@RSA.COM (Jim Bidzos) Subject: Clipper questions Much has been said about Clipper and Capstone (the term Clipper will be used to describe both) recently. Essentially, Clipper is a government-sponsored tamper-resistant chip that employs a classified algorithm and a key escrow facility that allows law enforcement, with the cooperation of two other parties, to decipher Clipper-encrypted traffic. The stated purpose of the program is to offer telecommunications privacy to individuals, businesses, and government, while protecting the ability of law enforcement to conduct court-authorized wiretapping. The announcement said, among other things, that there is currently no plan to attempt to legislate Clipper as the only legal means to protect telecommunications. Many have speculated that Clipper, since it is only effective in achieving its stated objectives if everyone uses it, will be followed by legislative attempts to make it the only legal telecommunications protection allowed. This remains to be seen. The proposal, taken at face value, still raises a number of serious questions. What is the smallest number of people who are in a position to compromise the security of the system? This would include people employed at a number of places such as Mikotronyx, VSLI, NSA, FBI, and at the trustee facilities. Is there an available study on the cost and security risks of the escrow process? How were the vendors participating in the program chosen? Was the process open? A significant percentage of US companies are or have been the subject of an investigation by the FBI, IRS, SEC, EPA, FTC, and other government agencies. Since records are routinely subpoenaed, shouldn't these companies now assume that all their communications are likely compromised if they find themselves the subject of an investigation by a government agency? If not, why not? What companies or individuals in industry were consulted (as stated in the announcement) on this program prior to its announcement? (This question seeks to identify those who may have been involved at the policy level; certainly ATT, Mikotronyx and VLSI are part of industry, and surely they were involved in some way.) Is there a study available that estimates the cost to the US government of the Clipper program? There are a number of companies that employ non-escrowed cryptography in their products today. These products range from secure voice, data, and fax to secure email, electronic forms, and software distribution, to name but a few. With over a million such products in use today, what does the Clipper program envision for the future of these products and the many corporations and individuals that have invested in and use them? Will the investment made by the vendors in encryption-enhanced products be protected? If so, how? Since Clipper, as currently defined, cannot be implemented in software, what options are available to those who can benefit from cryptography in software? Was a study of the impact on these vendors or of the potential cost to the software industry conducted? (Much of the use of cryptography by software companies, particularly those in the entertainment industry, is for the protection of their intellectual property. Using hardware is not economically feasible for most of them.) Banking and finance (as well as general commerce) are truly global today. Most European financial institutions use technology described in standards such as ISO 9796. Many innovative new financial products and services will employ the reversible cryptography described in these standards. Clipper does not comply with these standards. Will US financial institutions be able to export Clipper? If so, will their overseas customers find Clipper acceptable? Was a study of the potential impact of Clipper on US competitiveness conducted? If so, is it available? If not, why not? I realize they are probably still trying to assess the impact of Clipper, but it would be interesting to hear from some major US financial institutions on this issue. Did the administration ask these questions (and get acceptable answers) before supporting this program? If so, can they share the answers with us? If not, can we seek answers before the program is launched? From sci.crypt Wed Apr 28 07:38:02 1993 Xref: utcsri sci.crypt:15902 misc.legal:58419 comp.org.eff.talk:17350 Path: utcsri!utnut!cs.utexas.edu!uwm.edu!lll-winken.llnl.gov!ddsw1!not-for-mail From: karl@genesis.MCS.COM (Karl Denninger) Newsgroups: sci.crypt,misc.legal,comp.org.eff.talk Subject: Government intentions regarding encryptoion Date: 26 Apr 1993 17:19:58 -0500 Organization: MCSNet, Chicago, IL Lines: 16 Distribution: inet Message-ID: <1rhn6e$j0d@genesis.MCS.COM> NNTP-Posting-Host: localhost.mcs.com There is an article in Communications Week (April 12's issue) which states definitively that not only is the justice department trying to revive the "wiretapping bill", but they are ALSO trying to find a way to force key registration. CLIPPER is an obvious thrust in exactly this direction. Dorothy Dennings is quoted in this missive. Communications Week, April 12th, page 8. Read it and get peeved folks. Then ACT NOW or lose your fundamental right to privacy. Clinton has shown us that his only interest in this has to do with abortion, and not the right of all citizens to be secure in their papers and effects. -- Karl Denninger (karl@genesis.MCS.COM) | You can never please everyone except Data Line: [+1 312 248-0900] | by bankrupting yourself. LIVE Internet in Chicago; an MCSNET first! From sci.crypt Wed Apr 28 07:40:51 1993 Xref: utcsri alt.privacy:6066 alt.security.pgp:2787 bit.listserv.xtropy-l:186 sci.crypt:15976 Newsgroups: alt.privacy,alt.security.pgp,bit.listserv.xtropy-l,demon.security,sci.crypt,uk.org.community From: whitaker@eternity.demon.co.uk (Russell Earl Whitaker) Path: utcsri!utnut!torn!nott!bnrgate!bnr.co.uk!uknet!nessie!demon!eternity.demon.co.uk!whitaker Subject: From Crossbows to Cryptography Distribution: world Organization: Extropy Institute Reply-To: whitaker@eternity.demon.co.uk X-Mailer: Simple NEWS 1.90 (ka9q DIS 1.19) Lines: 566 Date: Tue, 27 Apr 1993 23:35:56 +0000 Message-ID: <735953756snz@eternity.demon.co.uk> Sender: usenet@demon.co.uk -----BEGIN PGP SIGNED MESSAGE----- Please note that the following speech was made by Chuck Hammill in 1987. Address all letters to his address, given at the end of this document. -- Russell FROM CROSSBOWS TO CRYPTOGRAPHY: THWARTING THE STATE VIA TECHNOLOGY Given at the Future of Freedom Conference, November 1987 You know, technology--and particularly computer technology--has often gotten a bad rap in Libertarian cir- cles. We tend to think of Orwell's 1984, or Terry Gilliam's Brazil, or the proximity detectors keeping East Berlin's slave/citizens on their own side of the border, or the so- phisticated bugging devices Nixon used to harass those on his "enemies list." Or, we recognize that for the price of a ticket on the Concorde we can fly at twice the speed of sound, but only if we first walk thru a magnetometer run by a government policeman, and permit him to paw thru our be- longings if it beeps. But I think that mind-set is a mistake. Before there were cattle prods, governments tortured their prisoners with clubs and rubber hoses. Before there were lasers for eavesdropping, governments used binoculars and lip-readers. Though government certainly uses technology to oppress, the evil lies not in the tools but in the wielder of the tools. In fact, technology represents one of the most promis- ing avenues available for re-capturing our freedoms from those who have stolen them. By its very nature, it favors the bright (who can put it to use) over the dull (who can- not). It favors the adaptable (who are quick to see the merit of the new (over the sluggish (who cling to time- tested ways). And what two better words are there to de- scribe government bureaucracy than "dull" and "sluggish"? One of the clearest, classic triumphs of technology over tyranny I see is the invention of the man-portable crossbow. With it, an untrained peasant could now reliably and lethally engage a target out to fifty meters--even if that target were a mounted, chain-mailed knight. (Unlike the longbow, which, admittedly was more powerful, and could get off more shots per unit time, the crossbow required no formal training to utilize. Whereas the longbow required elaborate visual, tactile and kinesthetic coordination to achieve any degree of accuracy, the wielder of a crossbow could simply put the weapon to his shoulder, sight along the arrow itself, and be reasonably assured of hitting his tar- get.) Moreover, since just about the only mounted knights likely to visit your average peasant would be government soldiers and tax collectors, the utility of the device was plain: With it, the common rabble could defend themselves not only against one another, but against their governmental masters. It was the medieval equivalent of the armor- piercing bullet, and, consequently, kings and priests (the medieval equivalent of a Bureau of Alcohol, Tobacco and Crossbows) threatened death and excommunication, respec- tively, for its unlawful possession. Looking at later developments, we see how technology like the firearm--particularly the repeating rifle and the handgun, later followed by the Gatling gun and more advanced machine guns--radically altered the balance of interpersonal and inter-group power. Not without reason was the Colt .45 called "the equalizer." A frail dance-hall hostess with one in her possession was now fully able to protect herself against the brawniest roughneck in any saloon. Advertise- ments for the period also reflect the merchandising of the repeating cartridge rifle by declaring that "a man on horseback, armed with one of these rifles, simply cannot be captured." And, as long as his captors were relying upon flintlocks or single-shot rifles, the quote is doubtless a true one. Updating now to the present, the public-key cipher (with a personal computer to run it) represents an equiv- alent quantum leap--in a defensive weapon. Not only can such a technique be used to protect sensitive data in one's own possession, but it can also permit two strangers to ex- change information over an insecure communications channel--a wiretapped phone line, for example, or skywriting, for that matter)--without ever having previously met to exchange cipher keys. With a thousand-dollar com- puter, you can create a cipher that a multi-megabuck CRAY X-MP can't crack in a year. Within a few years, it should be economically feasible to similarly encrypt voice communi- cations; soon after that, full-color digitized video images. Technology will not only have made wiretapping obsolete, it will have totally demolished government's control over in- formation transfer. I'd like to take just a moment to sketch the mathemat- ics which makes this principle possible. This algorithm is called the RSA algorithm, after Rivest, Shamir, and Adleman who jointly created it. Its security derives from the fact that, if a very large number is the product of two very large primes, then it is extremely difficult to obtain the two prime factors from analysis of their product. "Ex- tremely" in the sense that if primes p and q have 100 digits apiece, then their 200-digit product cannot in gen- eral be factored in less than 100 years by the most powerful computer now in existence. The "public" part of the key consists of (1) the prod- uct pq of the two large primes p and q, and (2) one fac- tor, call it x , of the product xy where xy = {(p-1) * (q-1) + 1}. The "private" part of the key consists of the other factor y. Each block of the text to be encrypted is first turned into an integer--either by using ASCII, or even a simple A=01, B=02, C=03, ... , Z=26 representation. This integer is then raised to the power x (modulo pq) and the resulting integer is then sent as the encrypted message. The receiver decrypts by taking this integer to the (secret) power y (modulo pq). It can be shown that this process will always yield the original number started with. What makes this a groundbreaking development, and why it is called "public-key" cryptography," is that I can openly publish the product pq and the number x , while keeping secret the number y --so that anyone can send me an encrypted message, namely x a (mod pq) , but only I can recover the original message a , by taking what they send, raising it to the power y and taking the result (mod pq). The risky step (meeting to exchange cipher keys) has been eliminated. So people who may not even trust each other enough to want to meet, may still reliably ex- change encrypted messages--each party having selected and disseminated his own pq and his x , while maintaining the secrecy of his own y. Another benefit of this scheme is the notion of a "dig- ital signature," to enable one to authenticate the source of a given message. Normally, if I want to send you a message, I raise my plaintext a to your x and take the result (mod your pq) and send that. However, if in my message, I take the plaintext a and raise it to my (secret) power y , take the result (mod my pq), then raise that result to your x (mod your pq) and send this, then even after you have normally "decrypted" the message, it will still look like garbage. However, if you then raise it to my public power x , and take the result (mod my public pq ), so you will not only recover the ori- ginal plaintext message, but you will know that no one but I could have sent it to you (since no one else knows my secret y). And these are the very concerns by the way that are to- day tormenting the Soviet Union about the whole question of personal computers. On the one hand, they recognize that American schoolchildren are right now growing up with com- puters as commonplace as sliderules used to be--more so, in fact, because there are things computers can do which will interest (and instruct) 3- and 4-year-olds. And it is pre- cisely these students who one generation hence will be going head-to-head against their Soviet counterparts. For the Soviets to hold back might be a suicidal as continuing to teach swordsmanship while your adversaries are learning ballistics. On the other hand, whatever else a personal computer may be, it is also an exquisitely efficient copying machine--a floppy disk will hold upwards of 50,000 words of text, and can be copied in a couple of minutes. If this weren't threatening enough, the computer that performs the copy can also encrypt the data in a fashion that is all but unbreakable. Remember that in Soviet society publicly ac- cessible Xerox machines are unknown. (The relatively few copying machines in existence are controlled more inten- sively than machine guns are in the United States.) Now the "conservative" position is that we should not sell these computers to the Soviets, because they could use them in weapons systems. The "liberal" position is that we should sell them, in the interests of mutual trade and cooperation--and anyway, if we don't make the sale, there will certainly be some other nation willing to. For my part, I'm ready to suggest that the Libertarian position should be to give them to the Soviets for free, and if necessary, make them take them . . . and if that doesn't work load up an SR-71 Blackbird and air drop them over Moscow in the middle of the night. Paid for by private sub- scription, of course, not taxation . . . I confess that this is not a position that has gained much support among members of the conventional left-right political spectrum, but, af- ter all, in the words of one of Illuminatus's characters, we are political non-Euclideans: The shortest distance to a particular goal may not look anything like what most people would consider a "straight line." Taking a long enough world-view, it is arguable that breaking the Soviet govern- ment monopoly on information transfer could better lead to the enfeeblement and, indeed, to the ultimate dissolution of the Soviet empire than would the production of another dozen missiles aimed at Moscow. But there's the rub: A "long enough" world view does suggest that the evil, the oppressive, the coercive and the simply stupid will "get what they deserve," but what's not immediately clear is how the rest of us can escape being killed, enslaved, or pauperized in the process. When the liberals and other collectivists began to at- tack freedom, they possessed a reasonably stable, healthy, functioning economy, and almost unlimited time to proceed to hamstring and dismantle it. A policy of political gradualism was at least conceivable. But now, we have patchwork crazy-quilt economy held together by baling wire and spit. The state not only taxes us to "feed the poor" while also inducing farmers to slaughter milk cows and drive up food prices--it then simultaneously turns around and sub- sidizes research into agricultural chemicals designed to in- crease yields of milk from the cows left alive. Or witness the fact that a decline in the price of oil is considered as potentially frightening as a comparable increase a few years ago. When the price went up, we were told, the economy risked collapse for for want of energy. The price increase was called the "moral equivalent of war" and the Feds swung into action. For the first time in American history, the speed at which you drive your car to work in the morning be- came an issue of Federal concern. Now, when the price of oil drops, again we risk problems, this time because Ameri- can oil companies and Third World basket-case nations who sell oil may not be able to ever pay their debts to our grossly over-extended banks. The suggested panacea is that government should now re-raise the oil prices that OPEC has lowered, via a new oil tax. Since the government is seeking to raise oil prices to about the same extent as OPEC did, what can we call this except the "moral equivalent of civil war--the government against its own people?" And, classically, in international trade, can you imag- ine any entity in the world except a government going to court claiming that a vendor was selling it goods too cheaply and demanding not only that that naughty vendor be compelled by the court to raise its prices, but also that it be punished for the act of lowering them in the first place? So while the statists could afford to take a couple of hundred years to trash our economy and our liberties--we certainly cannot count on having an equivalent period of stability in which to reclaim them. I contend that there exists almost a "black hole" effect in the evolution of nation-states just as in the evolution of stars. Once free- dom contracts beyond a certain minimum extent, the state warps the fabric of the political continuum about itself to the degree that subsequent re-emergence of freedom becomes all but impossible. A good illustration of this can be seen in the area of so-called "welfare" payments. When those who sup at the public trough outnumber (and thus outvote) those whose taxes must replenish the trough, then what possible choice has a democracy but to perpetuate and expand the tak- ing from the few for the unearned benefit of the many? Go down to the nearest "welfare" office, find just two people on the dole . . . and recognize that between them they form a voting bloc that can forever outvote you on the question of who owns your life--and the fruits of your life's labor. So essentially those who love liberty need an "edge" of some sort if we're ultimately going to prevail. We obvi- ously can't use the altruists' "other-directedness" of "work, slave, suffer, sacrifice, so that next generation of a billion random strangers can live in a better world." Recognize that, however immoral such an appeal might be, it is nonetheless an extremely powerful one in today's culture. If you can convince people to work energetically for a "cause," caring only enough for their personal welfare so as to remain alive enough and healthy enough to continue working--then you have a truly massive reservoir of energy to draw from. Equally clearly, this is just the sort of ap- peal which tautologically cannot be utilized for egoistic or libertarian goals. If I were to stand up before you tonight and say something like, "Listen, follow me as I enunciate my noble "cause," contribute your money to support the "cause," give up your free time to work for the "cause," strive selflessly to bring it about, and then (after you and your children are dead) maybe your children's children will actu- ally live under egoism"--you'd all think I'd gone mad. And of course you'd be right. Because the point I'm trying to make is that libertarianism and/or egoism will be spread if, when, and as, individual libertarians and/or egoists find it profitable and/or enjoyable to do so. And probably only then. While I certainly do not disparage the concept of poli- tical action, I don't believe that it is the only, nor even necessarily the most cost-effective path toward increasing freedom in our time. Consider that, for a fraction of the investment in time, money and effort I might expend in try- ing to convince the state to abolish wiretapping and all forms of censorship--I can teach every libertarian who's in- terested how to use cryptography to abolish them unilaterally. There is a maxim--a proverb--generally attributed to the Eskimoes, which very likely most Libertarians have al- ready heard. And while you likely would not quarrel with the saying, you might well feel that you've heard it often enough already, and that it has nothing further to teach us, and moreover, that maybe you're even tired of hearing it. I shall therefore repeat it now: If you give a man a fish, the saying runs, you feed him for a day. But if you teach a man how to fish, you feed him for a lifetime. Your exposure to the quote was probably in some sort of a "workfare" vs. "welfare" context; namely, that if you genuinely wish to help someone in need, you should teach him how to earn his sustenance, not simply how to beg for it. And of course this is true, if only because the next time he is hungry, there might not be anybody around willing or even able to give him a fish, whereas with the information on how to fish, he is completely self sufficient. But I submit that this exhausts only the first order content of the quote, and if there were nothing further to glean from it, I would have wasted your time by citing it again. After all, it seems to have almost a crypto-altruist slant, as though to imply that we should structure our ac- tivities so as to maximize the benefits to such hungry beggars as we may encounter. But consider: Suppose this Eskimo doesn't know how to fish, but he does know how to hunt walruses. You, on the other hand, have often gone hungry while traveling thru walrus country because you had no idea how to catch the damn things, and they ate most of the fish you could catch. And now suppose the two of you decide to exchange information, bartering fishing knowledge for hunting knowledge. Well, the first thing to observe is that a transaction of this type categorically and unambiguously refutes the Marxist premise that every trade must have a "winner" and a "loser;" the idea that if one person gains, it must necessarily be at the "expense" of another person who loses. Clearly, under this scenario, such is not the case. Each party has gained some- thing he did not have before, and neither has been dimin- ished in any way. When it comes to exchange of information (rather than material objects) life is no longer a zero-sum game. This is an extremely powerful notion. The "law of diminishing returns," the "first and second laws of thermodynamics"--all those "laws" which constrain our possi- bilities in other contexts--no longer bind us! Now that's anarchy! Or consider another possibility: Suppose this hungry Eskimo never learned to fish because the ruler of his nation-state had decreed fishing illegal. Because fish contain dangerous tiny bones, and sometimes sharp spines, he tells us, the state has decreed that their consumption--and even their possession--are too hazardous to the people's health to be permitted . . . even by knowledgeable, willing adults. Perhaps it is because citizens' bodies are thought to be government property, and therefore it is the function of the state to punish those who improperly care for govern- ment property. Or perhaps it is because the state gener- ously extends to competent adults the "benefits" it provides to children and to the mentally ill: namely, a full-time, all-pervasive supervisory conservatorship--so that they need not trouble themselves with making choices about behavior thought physically risky or morally "naughty." But, in any case, you stare stupefied, while your Eskimo informant re- lates how this law is taken so seriously that a friend of his was recently imprisoned for years for the crime of "pos- session of nine ounces of trout with intent to distribute." Now you may conclude that a society so grotesquely oppressive as to enforce a law of this type is simply an affront to the dignity of all human beings. You may go far- ther and decide to commit some portion of your discretion- ary, recreational time specifically to the task of thwarting this tyrant's goal. (Your rationale may be "altruistic" in the sense of wanting to liberate the oppressed, or "egoistic" in the sense of proving you can outsmart the oppressor--or very likely some combination of these or per- haps even other motives.) But, since you have zero desire to become a martyr to your "cause," you're not about to mount a military campaign, or even try to run a boatload of fish through the blockade. However, it is here that technology--and in particular in- formation technology--can multiply your efficacy literally a hundredfold. I say "literally," because for a fraction of the effort (and virtually none of the risk) attendant to smuggling in a hundred fish, you can quite readily produce a hundred Xerox copies of fishing instructions. (If the tar- geted government, like present-day America, at least permits open discussion of topics whose implementation is re- stricted, then that should suffice. But, if the government attempts to suppress the flow of information as well, then you will have to take a little more effort and perhaps write your fishing manual on a floppy disk encrypted according to your mythical Eskimo's public-key parameters. But as far as increasing real-world access to fish you have made genuine nonzero headway--which may continue to snowball as others re-disseminate the information you have provided. And you have not had to waste any of your time trying to convert id- eological adversaries, or even trying to win over the unde- cided. Recall Harry Browne's dictum from "Freedom in an Unfree World" that the success of any endeavor is in general inversely proportional to the number of people whose persua- sion is necessary to its fulfilment. If you look at history, you cannot deny that it has been dramatically shaped by men with names like Washington, Lincoln, . . . Nixon . . . Marcos . . . Duvalier . . . Khadaffi . . . and their ilk. But it has also been shaped by people with names like Edison, Curie, Marconi, Tesla and Wozniak. And this latter shaping has been at least as per- vasive, and not nearly so bloody. And that's where I'm trying to take The LiberTech Project. Rather than beseeching the state to please not en- slave, plunder or constrain us, I propose a libertarian net- work spreading the technologies by which we may seize freedom for ourselves. But here we must be a bit careful. While it is not (at present) illegal to encrypt information when government wants to spy on you, there is no guarantee of what the fu- ture may hold. There have been bills introduced, for exam- ple, which would have made it a crime to wear body armor when government wants to shoot you. That is, if you were to commit certain crimes while wearing a Kevlar vest, then that fact would constitute a separate federal crime of its own. This law to my knowledge has not passed . . . yet . . . but it does indicate how government thinks. Other technological applications, however, do indeed pose legal risks. We recognize, for example, that anyone who helped a pre-Civil War slave escape on the "underground railroad" was making a clearly illegal use of technology--as the sovereign government of the United States of America at that time found the buying and selling of human beings quite as acceptable as the buying and selling of cattle. Simi- larly, during Prohibition, anyone who used his bathtub to ferment yeast and sugar into the illegal psychoactive drug, alcohol--the controlled substance, wine--was using technol- ogy in a way that could get him shot dead by federal agents for his "crime"--unfortunately not to be restored to life when Congress reversed itself and re-permitted use of this drug. So . . . to quote a former President, un-indicted co- conspirator and pardoned felon . . . "Let me make one thing perfectly clear:" The LiberTech Project does not advocate, participate in, or conspire in the violation of any law--no matter how oppressive, unconstitutional or simply stupid such law may be. It does engage in description (for educa- tional and informational purposes only) of technological processes, and some of these processes (like flying a plane or manufacturing a firearm) may well require appropriate li- censing to perform legally. Fortunately, no license is needed for the distribution or receipt of information it- self. So, the next time you look at the political scene and despair, thinking, "Well, if 51% of the nation and 51% of this State, and 51% of this city have to turn Libertarian before I'll be free, then somebody might as well cut my goddamn throat now, and put me out of my misery"--recognize that such is not the case. There exist ways to make your- self free. If you wish to explore such techniques via the Project, you are welcome to give me your name and address--or a fake name and mail drop, for that matter--and you'll go on the mailing list for my erratically-published newsletter. Any friends or acquaintances whom you think would be interested are welcome as well. I'm not even asking for stamped self- addressed envelopes, since my printer can handle mailing la- bels and actual postage costs are down in the noise compared with the other efforts in getting an issue out. If you should have an idea to share, or even a useful product to plug, I'll be glad to have you write it up for publication. Even if you want to be the proverbial "free rider" and just benefit from what others contribute--you're still welcome: Everything will be public domain; feel free to copy it or give it away (or sell it, for that matter, 'cause if you can get money for it while I'm taking full-page ads trying to give it away, you're certainly entitled to your capitalist profit . . .) Anyway, every application of these principles should make the world just a little freer, and I'm certainly willing to underwrite that, at least for the forseeable fu- ture. I will leave you with one final thought: If you don't learn how to beat your plowshares into swords before they outlaw swords, then you sure as HELL ought to learn before they outlaw plowshares too. --Chuck Hammill THE LIBERTECH PROJECT 3194 Queensbury Drive Los Angeles, California 90064 310-836-4157 hammill@netcom.com [The above LiberTech address was updated December 1992, with the permission of Chuck Hammill, by Russell Whitaker] Those interested in the issues raised in this piece should participate in at least these newsgroups: alt.privacy alt.security.pgp comp.org.eff.talk sci.crypt A copy of the RSA-based public key encryption program, PGP 2.1 (Pretty Good Privacy), can be obtained at various ftp sites around the world. One such site is gate.demon.co.uk, where an MS-DOS version can be had by anonymous ftp as pgp22.zip in /pub/pgp. Versions for other operating systems, including UNIX variants and Macintosh, are also available. Source code is also available. Here's the blurb for PGP, by the way: - ---------------------- Quote ---------------------------------------- PGP (Pretty Good Privacy) ver 2.2 - RSA public-key encryption freeware for MSDOS, protects E-mail. Lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. Well featured and fast! Excellent user documentation. PGP has sophisticated key management, an RSA/conventional hybrid encryption scheme, message digests for digital signatures, data compression before encryption, and good ergonomic design. Source code is free. Filenames: pgp22.zip (executable and manuals), pgp22src.zip (sources) Keywords: PGP, Pretty Good Privacy, RSA, public key, encryption, privacy, authentication, signatures, email - ---------------------- End Quote ------------------------------------- Russell Earl Whitaker whitaker@eternity.demon.co.uk Communications Editor AMiX: RWhitaker EXTROPY: The Journal of Transhumanist Thought Board member, Extropy Institute (ExI) -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBK922PYTj7/vxxWtPAQEbkgQAsgOxCtZjdZMZuRfm05nwm2ObsoLH/cFh aHRnb6dmp1o+4+yxaR+BO4fpRAtNMMOhn6WUSOoUJz1qqqkghfolYRu/TeCdr9du irrb7tCwndKsQC+wcTI/Q4+cmq3HrRRTnaIWYjmfaqXPEYRODVFDXc409umVGRJb 5IgXfNgaz78= =T1vu -----END PGP SIGNATURE----- From sci.crypt Fri Apr 30 09:29:10 1993 Xref: utcsri sci.crypt:16070 comp.org.eff.talk:17440 alt.privacy:6088 Newsgroups: sci.crypt,comp.org.eff.talk,alt.privacy Path: utcsri!utnut!cs.utexas.edu!usc!sol.ctr.columbia.edu!eff!mnemonic From: mnemonic@eff.org (Mike Godwin) Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips Message-ID: <1993Apr29.210619.6412@eff.org> Originator: mnemonic@eff.org Sender: usenet@eff.org (NNTP News Poster) Nntp-Posting-Host: eff.org Organization: Electronic Frontier Foundation References: <1993Apr29.102103.12354@clarinet.com> Date: Thu, 29 Apr 1993 21:06:19 GMT Lines: 72 In article <1993Apr29.102103.12354@clarinet.com> brad@clarinet.com (Brad Templeton) writes: >Quite simply she says that the security should not DEPEND on the >secrecy of the algorithm. A secret algorithm can still be secure, >after all, we just don't know it. Only our level of trust is >affected, not the security of the system. Here's Dorothy's own response, as sent to Phil Karn: >From denning@cs.cosc.georgetown.edu Wed Apr 28 14:28:30 1993 ~Date: Wed, 28 Apr 93 17:23:52 EDT ~From: denning@cs.cosc.georgetown.edu (Dorothy Denning) ~Subject: Re: Apparently conflicting statements? To: karn@unix.ka9q.ampr.org Cc: denning@guvax.acc.georgetown.edu Errors-To: Postmaster@cs.cosc.georgetown.edu Phil, But in your own textbook you wrote: >From Dorothy Denning, CRYPTOGRAPHY AND DATA SECURITY, Addison-Wesley 1982,1983, page 8: "Cryptosystems must satisfy three general requirements: [...] "3. The security of the system should depend only on the secrecy of the keys and not on the secrecy of algorithms E [enciphering] or D [deciphering]." Are you renouncing this principle? Phil Two points: 1. Principle (3) does not say that you should make your algorithm public. If the key has 80 bits of uncertainty and the algorithm itself represents maybe thousands of bits of uncertainty, aren't you better off with that additional secrecy? The STU-III's use a classified algorithm. I haven't heard of anyone breaking it. 2. Principle (3) assumes that the problem domain is message secrecy and authenticity. The Clipper Chip is designed to do more than that, namely provide law enforcement access. This introduces new areas of potential vulnerability and changes the problem domain somewhat. Hence the requirements may be somewhat different. I did not consider the law enforcement issues when I wrote my book. Dorothy P.S. You may share this response if you want. -- Mike Godwin, | Ariel Rose Godwin mnemonic@eff.org| Born 4-15-93 at 4:34 pm in Cambridge (617) 576-4510 | 7 pounds, 1.5 ounces, 19.75 inches long EFF, Cambridge | A new citizen of the Electronic Frontier From sci.crypt Mon May 3 12:05:17 1993 Xref: utcsri sci.crypt:16204 alt.privacy.clipper:289 Path: utcsri!utnut!cs.utexas.edu!usc!rand.org!jim From: jim@rand.org (Jim Gillogly) Newsgroups: sci.crypt,alt.privacy.clipper Subject: NIST 4/30 Clipper info Message-ID: <16748@rand.org> Date: 1 May 93 21:10:58 GMT Sender: news@rand.org Organization: Banzai Institute Lines: 106 Nntp-Posting-Host: mycroft.rand.org Several people have asked to have the new NIST releases mailed to them. I just posted the pointer before (csrc.ncsl.nist.gov:/pub/nistnews) because I expected NIST to post them, as they had with previous stuff. However, better timely surfeit than possible dearth... I guess. The Secure Hash Algorithm signature for the following file is: d1b27619 83abedf3 1d3449bc 92316eac 04c21162 ---------------------------clip.txt-------------------------------- CLIPPER CHIP TECHNOLOGY CLIPPER is an NSA developed, hardware oriented, cryptographic device that implements a symmetric encryption/decryption algorithm and a law enforcement satisfying key escrow system. While the escrow management system design is not completely designed, the cryptographic algorithm (SKIPJACK) is completely specified (and classified SECRET). The cryptographic algorithm (called CA in this paper) has the following characteristics: 1. Symmetric, 80-bit key encryption/decryption algorithm; 2. Similar in function to DES (i.e., basically a 64-bit code book transformation that can be used in the same four modes of operation as specified for DES in FIPS 81); 3. 32 rounds of processing per single encrypt/decrypt operation; 4. Design started by NSA in 1985; evaluation completed in 1990. The CLIPPER CHIP is just one implementation of the CA. The CLIPPER CHIP designed for the AT&T commercial secure voice products has the following characteristics: 1. Functions specified by NSA; logic designed by MYKOTRONX; chip fabricated by VLSI, Inc.: manufactured chip programmed (made unique) by MYKOTRONX to security equipment manufacturers willing to follow proper security procedures for handling and storage of the programmed chip; equipment sold to customers; 2. Resistant to reverse engineering against a very sophisticated, well funded adversary; 3. 15-20 MB/S encryption/decryption constant throughout once cryptographic synchronization is established with distant CLIPPER Chip; 4. The chip programming equipment writes (one time) the following information into a special memory (called VROM or VIA-Link) on the chip: a. (unique) serial number b. (unique) unit key c. family key d. specialized control software 5. Upon generation (or entry) of a session key in the chip, the chip performs the following actions: a. Encrypts the 80-bit session key under the unit key producing an 80-bit intermediate result; b. Concatenates the 80-bit result with the 25-bit serial number and a 23-bit authentication pattern (total of 128 bits); c. Enciphers this 128 bits with family key to produce a 128-bit cipher block chain called the Law Enforcement Field (LEF); d. Transmits the LEF at least once to the intended receiving CLIPPER chip; e. The two communicating CLIPPER chips use this field together with a random IV to establish Cryptographic Synchronization. 6. Once synchronized, the CLIPPER chips use the session key to encrypt/decrypt data in both directions; 7. The chips can be programmed to not enter secure mode if the LEF field has been tampered with (e.g., modified, superencrypted, replaced); 8. CLIPPER chips will be available from a second source in the future; 9. CLIPPER chips will be modified and upgraded in the future; 10. CLIPPER chips presently cost $16.00 (unprogrammed) and $26.00 (programmed). 4/30/93 ---------------------------clip.txt-------------------------------- -- Jim Gillogly Hevensday, 10 Thrimidge S.R. 1993, 21:11 From sci.crypt Mon May 3 12:05:56 1993 Xref: utcsri sci.crypt:16205 alt.privacy.clipper:290 Path: utcsri!utnut!cs.utexas.edu!usc!rand.org!jim From: jim@rand.org (Jim Gillogly) Newsgroups: sci.crypt,alt.privacy.clipper Subject: NIST 4/30 Capstone info Message-ID: <16749@rand.org> Date: 1 May 93 21:13:31 GMT Sender: news@rand.org Organization: Banzai Institute Lines: 102 Nntp-Posting-Host: mycroft.rand.org The Secure Hash Algorithm signature for the following file is: e5587fc0 0d518af9 e713f346 3a26416d de9d657e ---------------------------cap.txt-------------------------------- CAPSTONE CHIP TECHNOLOGY CAPSTONE is an NSA developed, hardware oriented, cryptographic device that implements the same cryptographic algorithm as the CLIPPER chip. In addition, the CAPSTONE chip includes the following functions: 1. The Digital Signature Algorithm (DSA) proposed by NIST as a Federal Information Processing Standard (FIPS); 2. The Secure Hashing Algorithm (SHA) recently approved as FIPS 180; 3. A Key Exchange Algorithm based on a public key exchange; 4. A general purpose exponentiation algorithm; 5. A general purpose, random number generator which uses a pure noise source. The Key exchange Algorithm is programmable on the chip and uses functions 1-2 and 4-5 above. Prototypes of the CAPSTONE chip are due the last week in April. The chips are expected to sell for $85.00 each (programmed). The first CAPSTONE chips are to be installed in PCMCIA electronic boards and used for the PMSP program for the security of the Defense Messaging System. The CAPSTONE chip is big, complex and powerful. Over 850 megabytes are required by the automated design system to define the functions of the chip. VLSI Technology is fabricating the chip, and MYKOTRONX is designing and testing the chip. 1. What are the power requirements of the CAPSTONE chip? Will they fit the power requirements of battery-operated, hand held devices? The CAPSTONE chip requires a 5 volt DC voltage source. Power ratings are currently estimated at 3.5 milliamps per MHz, i.e. at 10 Mhz and 5 volt DC, power consumed is 175 milliwatts. These estimates will be refined as data are taken into the actual chips. In comparison, the CLIPPER chip consumes approximately 150 milliwatts at 5 volts DC and 10 MHz. As you can see, both chips fall within the power requirements of hand held, battery-operated devices. 2. Will the CAPSTONE chip incorporate the key escrow features of the CLIPPER chip? Yes, it will. 3. When will CAPSTONE be announced and available? Prototypes of the CAPSTONE chip are due the end of this month. We ask that you contact the manufacturer, Mykotronx Inc., for further information concerning the timetable for availability of CAPSTONE. 4. Is the Department of Defense working now to incorporate CAPSTONE in the Pre-message Security Protocol? Yes 5. Will CAPSTONE meet the design requirements of a PCMCIA card that combines voice and/or data communications with encryption capabilities? Yes 6. Will CAPSTONE use the Digital Signature Standard? What kind of key management scheme will be employed in the CAPSTONE chip? Will CAPSTONE allow the use of RSA public-key encryption in conjunction with, or as an alternative to, the DSS? If RSA is implemented on the CAPSTONE chip, will the key escrow feature function? CAPSTONE implements the Digital Signature Algorithm (DSA), proposed by NIST as a Federal Information Processing Standard (FIPS), to perform the digital signature functions. Key management is handled by an algorithm based on a public- key exchange technique. The CAPSTONE chip does not implement RSA. 4/30/93 ---------------------------cap.txt-------------------------------- -- Jim Gillogly Hevensday, 10 Thrimidge S.R. 1993, 21:13 From sci.crypt Mon May 3 12:06:45 1993 Xref: utcsri sci.crypt:16206 alt.privacy.clipper:291 Path: utcsri!utnut!cs.utexas.edu!usc!rand.org!jim From: jim@rand.org (Jim Gillogly) Newsgroups: sci.crypt,alt.privacy.clipper Subject: NIST transcript: Raymond Kammer's 4/29 testimony to Markey Committee Message-ID: <16750@rand.org> Date: 1 May 93 21:16:54 GMT Sender: news@rand.org Organization: Banzai Institute Lines: 421 Nntp-Posting-Host: mycroft.rand.org The Secure Hash Algorithm signature for the following file is: 49d65f54 5a98333f 66bde2a0 fd26f464 9e54b53d ---------------------------testim.txt-------------------------------- STATEMENT OF RAYMOND G. KAMMER ACTING DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY BEFORE THE SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE COMMITTEE ON ENERGY AND COMMERCE APRIL 29, 1993 Mr. Chairman and Members of the Subcommittee: Good morning. Thank you for inviting me to testify. I am Raymond G. Kammer, Acting Director of the National Institute of Standards and Technology of the U.S. Department of Commerce. Under the Computer Security Act of 1987, NIST is responsible for the development of standards for protecting unclassified government computer systems, except those commonly known as Warner Amendment systems (as defined in Title 10 USC 2315). NIST has a long-established program of developing computer security guidelines and standards for federal agencies. Many of these are also used, on a voluntary basis, by the private sector. We have published guidance on computer security training and awareness, identification and authentication, open systems security, incident response, cryptographic standards, trusted systems, and many other facets of computer security. Today, however, I plan to address the following topics which I believe are most directly germane to your invitation: * The need for good information security technology to protect computer and telecommunications systems and networks; * NIST's activities in telecommunications switch security; * the planned recertification of the Data Encryption Standard; * NIST's proposed Digital Signature Standard; * the recent White House announcement of a new encryption technology, called the Clipper Chip; and * the President's directive to review advanced telecommunications and encryption technology. Need for Computer Security Strong security technology is required in modern communications systems and networks to protect sensitive and valuable information. Government agencies and private corporations depend upon the integrity and availability of their communications system in order to do business. Computer viruses, network worms, hackers, and other threats against our systems emphasize the importance of telecommunications security. Additionally, I have grown convinced, through strong anecdotal evidence, most of it shared on a proprietary basis, of the growing threat to American business from "economic espionage." Much has been reported in the press of the activities of foreign intelligence services targeting American firms, and sharing their findings with competing foreign firms. I am convinced that American firms need strong security, and in particular, strong cryptography, to protect against such threats. More importantly, the Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice. Appropriate security techniques may at times be integrated into such systems. Telecommunications Security Federal telephone and computer networks depend upon reliable and secure telecommunications capabilities, both of long-distance carriers and local private-branch exchanges (PBXs). To examine security issues of telecommunications networks, including issues of PBX security and telecommunications switch security, NIST is currently setting up a Telecommunications Security Analysis Center. This Center will expand on initial research we have conducted on the vulnerability of telecommunications switches. Telecommunications switches are an integral part of the security of the public switched network. Security problems in switches can result in serious problems such as toll fraud, unauthorized and illegal eavesdropping, or the disabling of switches, which would result in bringing down part of the public switched network. NIST has been monitoring the growth of switch-related abuse and has been analyzing switches to be able to address the types of crimes that could be perpetrated in the future. This work includes studying the growing ease of perpetrating these crimes. There are several areas of concern: * Toll fraud. Current research indicates that the problem is well over $1 billion per year. While not all toll-fraud is accomplished technically, telecommunications switches are vulnerable to hackers who can gain unauthorized access to the use of long-distance services. This is a particular vulnerability to the owners of PBXs, who can lose considerable sums if their systems are inadequately protected. Good system configuration control is one good security measure we are examining. * Network Availability. There have been no cases of intruders purposefully bringing down parts of the public switched network. The President's National Security Telecommunications Advisory Committee (NSTAC) concluded that "Until there is confidence that strong comprehensive computer security programs are in place, the industry should assume that a motivated and resourceful adversary in one concerted manipulation of the network software could degrade at least portions of the PSN." * Unauthorized Eavesdropping. If unauthorized access is gained to telecommunications switches, which is really just a computer that switches phone calls, a hacker can gain access to the contents of phone conversations and other information transmitted through a switch. This unauthorized eavesdropping can be either "real-time," as the conversations occur, or the intruders can arrange to have the conversations and data electronically transmitted to another telecommunications switch or computer for later analysis. The purpose of the Telecommunications Security Analysis Center will be to: * Develop tools and techniques to analyze very complex systems such as switches; * Provide informal security guidance and advice to federal agencies on procurement of telecommunications switches; * Perform security analyses of commercial switches in both laboratory and real world environments; and * Develop standards and guidance for use in securing switches and in building more secure switches, while providing for the legitimate needs of law enforcement, under proper court order, to protect the American public. As we pursue this research, we will be pleased to provide additional information on our findings to the Committee. The Data Encryption Standard The current government standard for the encryption of data is known as the Data Encryption Standard (DES), which was first approved as a Federal Information Processing Standard in 1977. DES is widely used within both the government and the private sector for the protection of sensitive information, including financial information, medical information, and Privacy Act data. DES represents a proven twenty year old technology with DES products available in the marketplace for the last 15 years. Last year, NIST formally solicited comments on the recertification of DES. After reviewing those comments, and the other technical inputs that I have received, I plan to recommend to the Secretary of Commerce that he recertify DES for another five years. I also plan to suggest to the Secretary that when we announce the recertification we state our intention to consider alternatives to it over the next five years. By putting that announcement on the table, we hope to give people an opportunity to comment on orderly technological transitions. In the meantime, we need to consider the large installed base of systems that rely upon this proven standard. NIST's Proposed Digital Signature Standard The majority of the cryptographic-based security requirements in computer and network systems involve the need for strong identification and authentication. One method which we believe holds a capacity for significant improvements in security and also cost- savings by automating paper processes is the use of digital signatures. A digital signature is a computer-based method of "sealing" an electronic message in such a way that its contents cannot be changed or forged without detection and that the identity of the originator of the communication can be verified. The digital signature for a message is simply a code, or large number, that is unique for each message and each message originator (within a very high, known probability). A digital signature is computed for a message by computing a representation of the message (called a "hash" code) and a cryptographic process that uses a key associated with the message originator. Any party with access to the public key, message, and signature can verify the signature. If the signature verifies correctly, the receiver (or any other party) has confidence that the message was signed by the owner of the public key and the message has not been altered after it was signed. In 1991, NIST proposed a draft Digital Signature Standard (DSS). We received about 130 public comments. We have been reviewing these comments and revising the standard as appropriate to respond to those comments. Additionally, we have examined and are currently dealing with two claims of patent infringement, which we believe will be successfully resolved in the not-too-distant future. Once this occurs, the Secretary of Commerce needs to decide to approve the DSS as a Federal Information Processing Standard. It will then complement the Secure Hash Standard which was recently approved by the Secretary of Commerce as Federal Information Processing Standard 180. We anticipate that the DSS will find many uses within government computer systems and networks. For example, DSS could be employed in electronic funds transfer systems. Suppose an electronic funds transfer message is generated to request that $100.00 be transferred from one account to another. If the message was passed over an unprotected network, it may be possible for an adversary to alter the message and request a transfer of $1000.00. Without additional information, it would be difficult, if not impossible, for the receiver to know the message had been altered. However if the DSS was used to sign the message before it was sent, the receiver would know the message had been altered because it would not verify correctly. The transfer request could then be denied. DSS could be employed in a variety of business applications requiring a replacement of handwritten signatures. One example is Electronic Data Interchange (EDI). EDI is the computer-to-computer interchange of messages representing business documents. In the federal government, this technology is being used to procure goods and services. Digital signatures could be used to replace handwritten signatures in these EDI transactions. For instance, contracts between the government and its vendors could be negotiated electronically. A government procurement official could post an electronically signed message requesting bids for office supplies. Vendors wishing to respond to the request may first verify the message before they respond. This assures that the contents of the message have not been altered and that the request was signed by a legitimate procurement official. After verifying the bid request, the vendor could generate and sign an electronic bid. Upon receiving the bid, the procurement official could verify that the vendor's bid was not altered after it was signed. If the bid is accepted, the electronic message could be passed to a contracting office to negotiate the final terms of the contract. The final contract could be digitally signed by both the contracting office and the vendor. If a dispute arose at some later time, the contents of contract and the associated signatures could be verified by a third party. DSS is also likely to find widespread applications in the health care field. It might be used to sign digital images, for example, to assure that they remain safe against unauthorized modifications. DSS could also be useful in the distribution of software. A digital signature could be applied to software after it has been validated and approved for distribution. Before installing the software on a computer, the signature could be verified to be sure no unauthorized changes (such as the addition of a virus) have been made. The digital signature could be verified periodically to ensure the integrity of the software. In database applications, the integrity of information stored in the database is often essential. DSS could be employed in a variety of database applications to provide integrity. For example, information could be signed when it was entered into the database. To maintain integrity, the system could also require that all updates or modifications to the information be signed. Before signed information was viewed by a user, the signature could be verified. If the signature verified correctly, the user would know the information was not altered by an unauthorized party. The system could also include signatures in the audit information to provide a record of users who modified the information. The DSS can also be used in conjunction with more secure identification and authentication systems, for the protection of access to both computer and telecommunication systems. A New Encryption Technology: The Clipper Chip Approximately two weeks ago, the White House announced our intention, based on a new encryption technology, the Clipper Chip, to initiate a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement. This initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links - the security of the very systems you are examining here today. Sophisticated encryption technology, including the DES, has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals. A state-of-the-art microcircuit, the "Clipper Chip," has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. The Clipper algorithm with an 80 bit long cryptographic key is approximately 16 million times stronger than DES. It would take a CRAY YMP over 200 years to solve one DES key. It would take the same machine over a billion years to solve one Clipper Chip key. This new technology offers opportunities for companies to protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals. Protection of confidentiality of information is of critical concern to the nation. So too is the ability of law enforcement to provide safe streets and neighborhoods. Americans demand the very best in law enforcement - at the federal, state and local level. Citizens insist upon a quick response to terrorist threats, organized crime, and drug dealers, while preserving our Constitutional rights. Past experience clearly shows that one critical technology successfully used to prosecute organized crime is the use of court-authorized wiretaps. Unquestionably, these lawful electronic intercepts have saved lives and been critical to bringing criminals to justice. The "Clipper Chip" is also a powerful tool which will be used by law enforcement to protect its own sensitive communications from illicit criminal monitoring. A "key-escrow" system is envisioned that would ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys would be deposited separately in two "key- escrow" data bases established by the Attorney General. Access to these keys would be limited to government officials with legal authorization to conduct a wiretap. The President has asked the Attorney General to make arrangements with appropriate entities who would hold the keys for the key-escrow microcircuits installed in communications equipment. I understand that the Attorney General is currently studying these procedures and options for who will serve as the key escrow holders. Since the announcement from the White House, I have stressed that the "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. Also, some have claimed that there is a hidden trapdoor in the chip or the algorithm. I cannot state it more simply: no trapdoor exists. The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities. Presidential Directive for Advanced Telecommunications and Encryption Review In order to assess technology trends and explore new approaches and technologies (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption and advanced telecommunications technology that accommodates: * the privacy of our citizens, including the need to employ voice or data encryption for business purposes; * the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens; * the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and * the need of U.S. companies to manufacture and export high technology products. The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed. I anticipate being a member of the governmental review panel which will study this issue. I will again stress what we have stated previously. Encryption technology will play an increasingly important role in future network infrastructures and the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law. Thank you Mr. Chairman, I would be pleased to answer any questions. ---------------------------testim.txt-------------------------------- -- Jim Gillogly Hevensday, 10 Thrimidge S.R. 1993, 21:16 From comp.risks Mon May 17 20:50:16 1993 Date: Wed, 12 May 93 10:20:42 EDT From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: New NIST/NSA Revelations David Sobel, CPSR Legal Council, wrote in RISKS DIGEST 14.59: The proposed DSS was widely criticized within the computer industry for its perceived weak security and inferiority to an existing authentication technology known as the RSA algorithm. Many observers have speculated that the RSA technique was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm and because the RSA technique could also be used to encrypt data very securely. This is terribly misleading. NIST issued the DSS proposal along with a public call for comments as part of their normal practice with proposed standards. The community responded, and NIST promptly addressed the security concerns. Among other things, the DSS now accommodates longer keys (up to 1024 bits). As a result of the revisions, the DSS is now considered to be just as strong as RSA. Dorothy Denning From comp.risks Mon May 17 20:50:39 1993 Date: Thu, 13 May 1993 at 14h15 From: whitfield.diffie@eng.sun.com Subject: Testimony to Boucher's House Science Subcommittee, 11 May 1993 The Impact of a Secret Cryptographic Standard on Encryption, Privacy, Law Enforcement and Technology Whitfield Diffie Sun Microsystems 11 May 1993 I'd like to begin by expressing my thanks to Congressman Boucher, the other members of the committee, and the committee staff for giving us the opportunity to appear before the committee and express our views. On Friday, the 16th of April, a sweeping new proposal for both the promotion and control of cryptography was made public on the front page of the New York Times and in press releases from the White House and other organizations. This proposal was to adopt a new cryptographic system as a federal standard, but at the same time to keep the system's functioning secret. The standard would call for the use of a tamper resistant chip, called Clipper, and embody a `back door' that will allow the government to decrypt the traffic for law enforcement and national security purposes. So far, available information about the chip is minimal and to some extent contradictory, but the essence appears to be this: When a Clipper chip prepares to encrypt a message, it generates a short preliminary signal rather candidly entitled the Law Enforcement Exploitation Field. Before another Clipper chip will decrypt the message, this signal must be fed into it. The Law Enforcement Exploitation Field or LEEF is tied to the key in use and the two must match for decryption to be successful. The LEEF in turn, when decrypted by a government held key that is unique to the chip, will reveal the key used to encrypt the message. The effect is very much like that of the little keyhole in the back of the combination locks used on the lockers of school children. The children open the locks with the combinations, which is supposed to keep the other children out, but the teachers can always look in the lockers by using the key. In the month that has elapsed since the announcement, we have studied the Clipper chip proposal as carefully as the available information permits. We conclude that such a proposal is at best premature and at worst will have a damaging effect on both business security and civil rights without making any improvement in law enforcement. To give you some idea of the importance of the issues this raises, I'd like to suggest that you think about what are the most essential security mechanisms in your daily life and work. I believe you will realize that the most important things any of you ever do by way of security have nothing to do with guards, fences, badges, or safes. Far and away the most important element of your security is that you recognize your family, your friends, and your colleagues. Probably second to that is that you sign your signature, which provides the people to whom you give letters, checks, or documents, with a way of proving to third parties that you have said or promised something. Finally you engage in private conversations, saying things to your loved ones, your friends, or your staff that you do not wish to be overheard by anyone else. These three mechanisms lean heavily on the physical: face to face contact between people or the exchange of written messages. At this moment in history, however, we are transferring our medium of social interaction from the physical to the electronic at a pace limited only by the development of our technology. Many of us spend half the day on the telephone talking to people we may visit in person at most a few times a year and the other half exchanging electronic mail with people we never meet in person. Communication security has traditionally been seen as an arcane security technology of real concern only to the military and perhaps the banks and oil companies. Viewed in light of the observations above, however, it is revealed as nothing less than the transplantation of fundamental social mechanisms from the world of face to face meetings and pen and ink communication into a world of electronic mail, video conferences, electronic funds transfers, electronic data interchange, and, in the not too distant future, digital money and electronic voting. No right of private conversation was enumerated in the constitution. I don't suppose it occurred to anyone at the time that it could be prevented. Now, however, we are on the verge of a world in which electronic communication is both so good and so inexpensive that intimate business and personal relationships will flourish between parties who can at most occasionally afford the luxury of traveling to visit each other. If we do not accept the right of these people to protect the privacy of their communication, we take a long step in the direction of a world in which privacy will belong only to the rich. The import of this is clear: The decisions we make about communication security today will determine the kind of society we live in tomorrow. The objective of the administration's proposal can be simply stated: They want to provide a high level of security to their friends, while being sure that the equipment cannot be used to prevent them from spying on their enemies. Within a command society like the military, a mechanism of this sort that allows soldiers' communications to be protected from the enemy, but not necessarily from the Inspector General, is an entirely natural objective. Its imposition on a free society, however, is quite another matter. Let us begin by examining the monitoring requirement and ask both whether it is essential to future law enforcement and what measures would be required to make it work as planned. Eavesdropping, as its name reminds us, is not a new phenomenon. But in spite of the fact that police and spies have been doing it for a long time, it has acquired a whole new dimension since the invention of the telegraph. Prior to electronic communication, it was a hit or miss affair. Postal services as we know them today are a fairly new phenomenon and messages were carried by a variety of couriers, travelers, and merchants. Sensitive messages in particular, did not necessarily go by standardized channels. Paul Revere, who is generally remembered for only one short ride, was the American Revolution's courier, traveling routinely from Boston to Philadelphia with his saddle bags full of political broadsides. Even when a letter was intercepted, opened, and read, there was no guarantee, despite some people's great skill with flaps and seals, that the victim would not notice the intrusion. The development of the telephone, telegraph, and radio have given the spies a systematic way of intercepting messages. The telephone provides a means of communication so effective and convenient that even people who are aware of the danger routinely put aside their caution and use it to convey sensitive information. Digital switching has helped eavesdroppers immensely in automating their activities and made it possible for them to do their listening a long way from the target with negligible chance of detection. Police work was not born with the invention of wiretapping and at present the significance of wiretaps as an investigative tool is quite limited. Even if their phone calls were perfectly secure, criminals would still be vulnerable to bugs in their offices, body wires on agents, betrayal by co-conspirators who saw a brighter future in cooperating with the police, and ordinary forensic inquiry. Moreover, cryptography, even without intentional back doors, will no more guarantee that a criminal's communications are secure than the Enigma guaranteed that German communications were secure in World War II. Traditionally, the richest source of success in communications intelligence is the ubiquity of busts: failures to use the equipment correctly. Even if the best cryptographic equipment we know how to build is available to them, criminal communications will only be secure to the degree that the criminals energetically pursue that goal. The question thus becomes, ``If criminals energetically pursue secure communications, will a government standard with a built in inspection port, stop them. It goes without saying that unless unapproved cryptography is outlawed, and probably even if it is, users bent on not having their communications read by the state will implement their own encryption. If this requires them to forgo a broad variety of approved products, it will be an expensive route taken only by the dedicated, but this sacrifice does not appear to be necessary. The law enforcement function of the Clipper system, as it has been described, is not difficult to bypass. Users who have faith in the secret Skipjack algorithm and merely want to protect themselves from compromise via the Law Enforcement Exploitation Field, need only encrypt that one item at the start of transmission. In many systems, this would require very small changes to supporting programs already present. This makes it likely that if Clipper chips become as freely available as has been suggested, many products will employ them in ways that defeat a major objective of the plan. What then is the alternative? In order to guarantee that the government can always read Clipper traffic when it feels the need, the construction of equipment will have to be carefully controlled to prevent non-conforming implementations. A major incentive that has been cited for industry to implement products using the new standard is that these will be required for communication with the government. If this strategy is successful, it is a club that few manufacturers will be able to resist. The program therefore threatens to bring communications manufacturers under an all encompassing regulatory regime. It is noteworthy that such a regime already exists to govern the manufacture of equipment designed to protect `unclassified but sensitive' government information, the application for which Clipper is to be mandated. The program, called the Type II Commercial COMSEC Endorsement Program, requires facility clearances, memoranda of agreement with NSA, and access to secret `Functional Security Requirements Specifications.' Under this program member companies submit designs to NSA and refine them in an iterative process before they are approved for manufacture. The rationale for this onerous procedure has always been, and with much justification, that even though these manufacturers build equipment around approved tamper resistant modules analogous to the Clipper chip, the equipment must be carefully vetted to assure that it provides adequate security. One requirement that would likely be imposed on conforming Clipper applications is that they offer no alternative or additional encryption mechanisms. Beyond the damaging effects that such regulation would have on innovation in the communications and computer industries, we must also consider the fact that the public cryptographic community has been the principal source of innovation in cryptography. Despite NSA's undocumented claim to have discovered public key cryptography, evidence suggests that, although they may have been aware of the mathematics, they entirely failed to understand the significance. The fact that public key is now widely used in government as well as commercial cryptographic equipment is a consequence of the public community being there to show the way. Farsightedness continues to characterize public research in cryptography, with steady progress toward acceptable schemes for digital money, electronic voting, distributed contract negotiation, and other elements of the computer mediated infrastructure of the future. Even in the absence of a draconian regulatory framework, the effect of a secret standard, available only in a tamper resistant chip, will be a profound increase in the prices of many computing devices. Cryptography is often embodied in microcode, mingled on chips with other functions, or implemented in dedicated, but standard, microprocessors at a tiny fraction of the tens of dollars per chip that Clipper is predicted to cost. What will be the effect of giving one or a small number of companies a monopoly on tamper resistant parts? Will there come a time, as occurred with DES, when NSA wants the standard changed even though industry still finds it adequate for many applications? If that occurs will industry have any recourse but to do what it is told? And who will pay for the conversion? One of the little noticed aspects of this proposal is the arrival of tamper resistant chips in the commercial arena. Is this tamper resistant part merely the precursor to many? Will the open competition to improve semiconductor computing that has characterized the past twenty-years give way to an era of trade secrecy? Is it perhaps tamper resistance technology rather than cryptography that should be regulated? Recent years have seen a succession of technological developments that diminish the privacy available to the individual. Cameras watch us in the stores, x-ray machines search us at the airport, magnetometers look to see that we are not stealing from the merchants, and databases record our actions and transactions. Among the gems of this invasion is the British Rafter technology that enables observers to determine what station a radio or TV is receiving. Except for the continuing but ineffectual controversy surrounding databases, these technologies flourish without so much as talk of regulation. Cryptography is perhaps alone in its promise to give us more privacy rather than less, but here we are told that we should forgo this technical benefit and accept a solution in which the government will retain the power to intercept our ever more valuable and intimate communications and will allow that power to be limited only by policy. In discussion of the FBI's Digital Telephony Proposal --- which would have required communication providers, at great expense to themselves, to build eavesdropping into their switches --- it was continually emphasized that wiretaps were an exceptional investigative measure only authorized when other measures had failed. Absent was any sense that were the country to make the proposed quarter billion dollar inventment in intercept equipment, courts could hardly fail to accept the police argument that a wiretap would save the people thousands of dollars over other options. As Don Cotter, at one time director of Sandia National Laboratories, said in respect to military strategy: ``Hardware makes policy.'' Law, technology, and economics are three central elements of society that must all be kept in harmony if freedom is to be secure. An essential element of that freedom is the right to privacy, a right that cannot be expected to stand against unremitting technological attack. Where technology has the capacity to support individual rights, we must enlist that support rather than rejecting it on the grounds that rights can be abused by criminals. If we put the desires of the police ahead of the rights of the citizens often enough, we will shortly find that we are living in police state. We must instead assure that the rights recognized by law are supported rather than undermined by technology. At NSA they believe in something they call `security in depth.' Their most valuable secret may lie encrypted on a tamper resistant chip, inside a safe, within a locked office, in a guarded building, surrounded by barbed wire, on a military base. I submit to you that the most valuable secret in the world is the secret of democracy; that technology and policy should go hand in hand in guarding that secret; that it must be protected by security in depth. Recommendations There is a crying need for improved security in American communication and computing equipment and the Administration is largely correct when it blames the problem on a lack of standards. One essential standard that is missing is a more secure conventional algorithm to replace DES, an area of cryptography in which NSA's expertise is probably second to none. I urge the committee to take what is good in the Administration's proposal and reject what is bad. \begdis o The Skipjack algorithm and every other aspect of this proposal should be made public, not only to expose them to public scrutiny but to guarantee that once made available as standards they will not be prematurely withdrawn. Configuration control techniques pioneered by the public community can be used to verify that some pieces of equipment conform to government standards stricter than the commercial where that is appropriate. o I likewise urge the committee to recognize that the right to private conversation must not be sacrificed as we move into a telecommunicated world and reject the Law Enforcement Exploitation Function and the draconian regulation that would necessarily come with it. o I further urge the committee to press the Administration to accept the need for a sound international security technology appropriate to the increasingly international character of the world's economy. From sci.crypt Sat Oct 2 21:40:49 1993 Xref: utcsri sci.crypt:20003 alt.privacy.clipper:1579 comp.org.eff.talk:20765 Path: utcsri!utnut!torn!howland.reston.ans.net!vixen.cso.uiuc.edu!sdd.hp.com!spool.mu.edu!nigel.msen.com!yale.edu!cmcl2!panix!not-for-mail From: clays@panix.com (Clay Shirky) Newsgroups: sci.crypt,alt.privacy.clipper,comp.org.eff.talk Subject: SEA's Clipper Comment Date: 1 Oct 1993 21:39:54 -0400 Organization: PANIX Public Access Internet and Unix, NYC Lines: 157 Distribution: inet Message-ID: <28im5a$7tn@panix.com> NNTP-Posting-Host: panix.com To: September 28, 1993 Director, Computer Systems Laboratory ATTN: Proposed FIPS for Escrowed Encryption Standard Technology Building, Room B-154 National Institute of Standards and Technology Gaithersburg, MD 20899 ~From: The Society for Electronic Access P.O. Box 3131 Church Street Station New York, New York 10008-3131 Voice telephone: (212) 592-3801 Internet e-mail: sea@sea.org The Society for Electronic Access's response to the call for Public Comment contained in: FEDERAL REGISTER VOL. 58, No. 145 DEPARTMENT OF COMMERCE (DOC) National Institute of Standards and Technology (NIST) Docket No. 930659-3159 RIN 0693-AB19 A Proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES) 58 FR 40791 The Society for Electronic Access would like to register its concern with the proposed implementation of the Clipper Chip/Skipjack Algorithm key escrow scheme. These related protocols will be referred to as a group as "Clipper" in the body of this letter. While we do not object to classification of Federal Information Processing Standards (FIPS) for encrypting information vital to national security, we believe that a system for transfering sensitive but unclassified information used by civilian Government offices, corporations and private citizens should be open to public review. NIST, by calling for public comment, would seem to be inviting just such a review. However, NIST will not let the public examine either the Clipper Chip or the Skipjack algorithm, has not commissioned studies concerning either the cost or impact of the Clipper plan, and will not let the public examine studies undertaken by the NSA on the issue of escrow agency security. Furthermore, since an escrow scheme requires a trusted third party while in the proposed scheme NIST itself is one of the key holders, we feel that NIST will not be able to review public comment as a disinterested party. Under these circumstances we feel a call for public comment is hampered. Our concerns with Clipper fall into four broad categories: it is unecessary; the present Administration has promoted its "voluntary" use by the public without abjuring the possibility of outlawing competing systems; the key escrow scheme is not a true escrow; and attempts to gather information necessary for a public assessment of Clipper have met obstacles raised by the Government. These concerns are enumerated below. 1) Clipper is unnecessary. Clipper is not a response to any public need. In a reply to questions about Clipper from RSA, NIST states that "[the decisions made about Clipper] offer a balance among the various needs of corporations and citizens for improved security and privacy and of the law enforcement community for continued legal access to the communications of criminals." Corporations and citizens can already obtain "improved security and privacy" from a wide variety of sources, as there are several commercially available encryption standards currently on the market. Since the public already has what NIST says it needs, it follows that the only reason for Clipper to exist is the addition of the Law Enforcement Access Field (LEAF), which allows the government to decrypt all messages encrypted by Clipper. Furthermore, the phrase "legal access to the communications of criminals" is particularly chilling, as it demonstrates a lack of sensitivity to the rule of law. Neither the FBI nor any other agency entrusted with surveillance activities can determine in advance of a trial whether a citizen is a criminal or not. We believe NIST's attitude belies a misunderstanding of the rights of American citizens. 2) The Administration has promoted its "voluntary" use by the public without abjuring the possibility of outlawing competing systems. NIST has consistently maintained that outside Federal use, adoption of Clipper by citizens and individuals will be strictly voluntary. When pressed on this point by RSA, NIST responded "There are no current plans to legislate the use of Clipper. Clipper will be a government standard, which can be - and likely will be - used voluntarily by the private sector. The option for legislation may be examined during the policy review ordered by the President." We are concerned that asking for public approval of Clipper as one of several encryption possibilities open to the public while the possibility of outlawing all other options still exists will prevent legitimate assessment of Clipper's ultimate impact. Furthermore, many organizations from small companies to multi-national corporations have invested in alternative encryption schemes like RSA, Diffie-Hellman and IDEA, many of them based solely on software and therefore incompatible with Clipper even as a retro-fit. To outlaw these schemes would cause them an enormous fiscal burden, as well as mandating a US-only standard incompatible with the protocols chosen by many international standard-setting organizations, thereby reducing the competitiveness of US companies doing business in the international arena. We feel that unless the present administration publicly abjures the possibility of banning alternate methods of encryption, no true analysis of Clipper is possible. 3) The escrow scheme does not use true escrow agencies. This scheme has been publicly promoted as an escrow scheme, but the core of any functioning escrow scheme is the prescence of a trusted third party (or in this case two trusted third parties.) We are concerned with the idea that Governmental agencies will hold these positions, as they are not truly third parties. In addition, we are particularly concerned that the same agency is responsible for reviewing Public Comment on the proposed encyrption scheme and occupying the position of one of the two key holders. We are not convinced that NIST can fulfill both roles without conflict of interest. 4) Attempts to gain information necessary for public review of Clipper have met obstacles raised by the Government. The National Security Agency has asked for an increased period of time to respond to FOIA requests for information about Clipper, from 10 business days to one year. Ten business days falls within the Public Comment period. One year does not. We feel that if NSA requires this period of time to comply with requests for information that the period for public analysis and comment should also be extended for an equal period of time. Based on these concerns, the Society for Electronic Access feels that NIST should not implement the Clipper plan without comissioning studies on the cost and impact of implementing Clipper, without providing real assurances that Clipper is not a prelude to outlawing other encryption schemes, without an implementation of an escrow scheme in which NIST does not both review and participate in the proposal, and without NSA complying with FOIA requests outstanding from before September 28, 1993. Respectfully submitted, Clay Shirky Board Member, Society for Electronic Access From comp.org.eff.news Sun Feb 6 16:55:26 1994 Xref: utcsri alt.activism:61179 alt.politics.datahighway:1350 alt.privacy:10877 alt.privacy.clipper:2114 alt.security.pgp:8523 alt.wired:3792 comp.org.eff.news:215 comp.org.eff.talk:25802 talk.politics.crypto:2481 Path: utcsri!utnut!torn!howland.reston.ans.net!cs.utexas.edu!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: alt.activism,alt.politics.datahighway,alt.privacy,alt.privacy.clipper,alt.security.pgp,alt.wired,comp.org.eff.news,comp.org.eff.talk,talk.politics.crypto Subject: Alert--Admin. names escrow agents, no compromise on Clipper - 7 files Date: 4 Feb 1994 18:21:05 -0600 Organization: UTexas Mail-to-News Gateway Lines: 118 Sender: daemon@cs.utexas.edu Approved: mech@eff.org Distribution: inet Message-ID: <199402050021.TAA02686@eff.org> Reply-To: mech@eff.org NNTP-Posting-Host: cs.utexas.edu EFF Press Release 04/04/94 * DISTRIBUTE WIDELY * At two briefings, Feb. 4, 1994, the Clinton Administration and various agencies gave statements before a Congressional committee, and later representatives of civil liberties organizations, industry spokespersons and privacy advocates. The Electronic Frontier Foundation's position, based on what we have seen and heard from the Administration today, is that the White House is set on a course that pursues Cold War national security and law enforcement interests to the detriment of individual privacy and civil liberties. The news is grim. The Administration is: * not backing down on Clipper * not backing down on key escrow * not backing down on selection of escrow agents * already adamant on escrowed key access procedures * not willing to elminate ITAR restrictions * hiding behind exaggerated threats of "drug dealers" and "terrorists" The material released to the industry and advocacy version of the briefing have been placed online at ftp.eff.org (long before their online availability from goverment access sites, one might add). See below for specific details. No information regarding the Congressional committee version of the briefing has been announced. EFF Director Jerry Berman, who attended the private sector meeting, reported the following: "The White House and other officials briefed industry on its Clipper chip and encryption review. While the review is not yet complete, they have reached several policy conclusions. First, Clipper will be proposed as a new Federal Information Processing Standard (FIPS) next Wednesday. [Feb. 9] It will be "vountary" for government agencies and the private sector to use. They are actively asking other vendors to jump in to make the market a Clipper market. Export licensing processes will be speeded up but export restrictions will not be lifted in the interests of national security. The reason was stated bluntly at the briefing : to frustrate competition with clipper by other powerful encryption schemes by making them difficult to market, and to "prevent" strong encryption from leaving the country thus supposedly making the job of law enforcement and intelligence more difficult. Again in the interest of national security. Of course, Clipper will be exportable but they would not comment on how other governments will view this. Treasury and NIST will be the escrow agents and Justice asserted that there was no necessity for legislation to implement the escrow procedures. "I asked if there would be a report to explain the rationale for choosing these results - we have no explanation of the Administration's thinking, or any brief in support of the results. They replied that there would be no report because they have been unable to write one, due to the complexity of the issue. "One Administation spokesperson said this was the Bosnia of Telecommunications. I asked, if this was so, how, in the absense of some policy explanation, could we know if our policy here will be as successful as our policy in Bosnia?" The announcements, authorization procedures for release of escrowed keys, and q-and-a documents from the private sector briefing are online at EFF. They are: "Statement of the [White House] Press Secretary" [White House] file://ftp.eff.org/pub/EFF/Policy/Crypto/wh_press_secy.statement "Statement of the Vice President" [very short - WH] file://ftp.eff.org/pub/EFF/Policy/Crypto/gore_crypto.statement "Attorney General Makes Key Escrow Encryption Announcements" [Dept. of Just.] file://ftp.eff.org/pub/EFF/Policy/Crypto/reno_key_escrow.statement "Authorization Procedures for Release pf Emcryption Key Components in Conjunction with Intercepts Pursuant to Title III/State Statutes/FISA" [3 docs. in one file - DoJ] file://ftp.eff.org/pub/EFF/Policy/Crypto/doj_escrow_intercept.rules "Working Group on Data Security" [WH] file://ftp.eff.org/pub/EFF/Policy/Crypto/interagency_workgroup.announce "Statement of Dr. Martha Harris Dep. Asst. Secy. of State for Polit.-Mil. Affairs: Encryption - Export Control Reform" [Dept. of State] file://ftp.eff.org/pub/EFF/Policy/Crypto/harris_export.statement "Questions and Answers about the Clinton Administration's Encryption Policy" [WH] file://ftp.eff.org/pub/EFF/Policy/Crypto/wh_crypto.q-a These files are available via anonymous ftp, or via WWW at: http://www.eff.org/ in the "EFF ftp site" menu off the front page. Gopher access: gopher://gopher.eff.org/ Look in "EFF Files"/"Papers and Testimony"/"Crypto" All 7 of these documents will be posted widely on the net immediately following this notice. Contacts: Digital Privacy: Jerry Berman, Exec. Director Daniel J. Weitzner, Sr. Staff Counsel Archives: Stanton McCandlish, Online Activist General EFF Information: info@eff.org -- Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O -- Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O From sci.crypt Sun Feb 6 18:13:28 1994 Xref: utcsri sci.crypt:23266 talk.politics.crypto:2447 comp.org.eff.talk:25681 alt.privacy.clipper:2084 Newsgroups: sci.crypt,talk.politics.crypto,comp.org.eff.talk,alt.privacy.clipper Path: utcsri!utnut!cs.utexas.edu!sdd.hp.com!col.hp.com!csn!att-in!att-out!cbnewsj!merckx!mab From: mab@research.att.com (Matt Blaze) Subject: Notes on key escrow meeting with NSA Organization: AT&T Date: Wed, 2 Feb 1994 21:02:55 GMT Message-ID: Originator: mab@merckx Sender: news@cbnewsj.cb.att.com (NetNews Administrator) Nntp-Posting-Host: merckx.l1135.att.com Lines: 162 A group from NSA and FBI met the other day with a group of us at Bell Labs to discuss the key escrow proposal. They were surprisingly forthcoming and open to discussion and debate, and were willing to at least listen to hard questions. They didn't object when asked if we could summarize what we learned to the net. Incidentally, the people at the meeting seemed to base a large part of their understanding of public opinion on Usenet postings. Postings to sci.crypt and talk.politics.crypto seem to actually have an influence on our government. A number of things came out at the meeting that we didn't previously know or that clarified previously released information. What follows is a rough summary; needless to say, nothing here should be taken as gospel, or representing the official positions of anybody. Also, nothing here should be taken as an endorsement of key escrow, clipper, or anything else by the authors; we're just reporting. These notes are based on the collective memory of Steve Bellovin, Matt Blaze, Jack Lacy, and Mike Reiter; there may be errors or misunderstandings. Please forgive the rough style. Note also the use of "~ ~" for 'approximate quotes' (a marvelous Whit Diffie-ism). NSA's stated goals and motives for all this: * DES is at the end of its useful life * Sensitive, unclassified government data needs protection * This should be made available to US Citizens * US business data abroad especially needs protection * The new technology should not preclude law enforcement access They indicated that the thinking was not that criminals would use key escrowed crypto, but that they should not field a system that criminals could easily use against them. The existence of key escrow would deter them from using crypto in the first place. The FBI representative said that they expect to catch "~only the stupid criminals~" through the escrow system. Another stated reason for key escrow is that they do not think that even government-spec crypto devices can be kept physically secure. They do expect enough to be diverted to the black market that they feel they need a response. NSA's emphasis was on the foreign black market... There seems to be a desire to manipulate the market, by having the fixed cost of key escrow cryptography amortized over the government market. Any private sector devices would have to sell a much larger number of units to compete on price. (This was somewhere between an implication and an explicit statement on their part.) When asked about cryptography in software, "~...if you want US government cryptography, you must do it with hardware~". Clipper chips should be available (to product vendors) in June. You can't just buy loose chips - they have to be installed in approved products. Your application interface has to be approved by NIST for you to get your hands on the chips. An interesting point came up about the reverse-engineering resistance of the chips: they are designed to resist reverse engineering the data in the chip without destroying the chip. It is not clear (from the information presented at the meeting) whether the chips are equally resistant to destructive reverse-engineering to learn the skipjack algorithm. They said the algorithm was patented, but they may have been joking. ("~And if that doesn't scare you enough, we'll turn the patent over to PKP.~") The resistance to reverse engineering is not considered absolute by NSA. They do feel that "~it would require the resources of a national laboratory, and anyone with that much money can design their own cryptosystem that's just as strong.~" They repeated several times that there are "~no plans to regulate the use of alternate encryption within the US by US citizens.~" They also indicated they "~weren't naive~" and didn't think that they could if they wanted to. There were 919 authorized wiretaps, and 10,000 pen register monitors, in 1992. They do not have any figures yet on how often cryptography was used to frustrate wiretaps. They do not yet have a production version of the "decoder" box used by law enforcement. Initially, the family key will be split (by the same XOR method) and handled by two different people in the athorized agencies. There is presently only one family key. The specifications of the escrow exploitation mechanism are not yet final, either; they are considering the possibility of having the central site strip off the outer layers of encryption, and only sending the session key back to the decoder box. The escrow authorities will NOT require presentation of a court order prior to releasing the keys. Instead, the agency will fill out a form certifying that they have a legal authorization. This is also backed up with a separate confirmation from the prosecutor's office. The escrow agencies will supply any key requested and will not themselves verify that the keys requested are associated with the particular court order. The NSA did not answer a question as to whether the national security community would obtain keys from the same escrow mechanism for their (legally authorized) intelligence gathering or whether some other mechanism would exist for them to get the keys. The masks for the Clipper/Capstone chip are unclassified (but are protected by trade secret) and the chips can be produced in an unclassified foundry. Part of the programming in the secure vault includes "~installing part of the Skipjack algorithm.~" Later discussion indicated that the part of the algorithm installed in the secure vault are the "S-tables", suggesting that perhaps unprogrammed Clipper chips can be programmed to implement other 80-bit key, 32 round ciphers. The Capstone chip includes an ARM-6 RISC processor that can be used for other things when no cryptographic functions are performed. In particular, it can be used by vendors as their own on-board processor. The I/O to the processor is shut off when a crypto operation is in progress. They passed around a Tessera PCMCIA (type 1) card. These cards contain a Capstone chip and can be used by general purpose PC applications. The cards themselves might not be export controlled. (Unfortunately, they took the sample card back with them...) The card will digitally sign a challenge from the host, so you can't substitute a bogus card. The cards have non-volatile onboard storage for users' secret keys and for the public keys of a certifying authority. They are building a library/API for Tessera, called Catapult, that will provide an interface suitable for many different applications. They have prototype email and ftp applications that already uses it. They intend to eventually give away source code for this library. They responded favorably to the suggestion that they put it up for anonymous ftp. Applications (which can use the library and which the NSA approves for government use) will be responsible for managing the LEAF field. Note that they intend to apply key escrowed Skipjack to other applications, including mail and file encryption. The LEAF would be included in such places as the mail header or the file attributes. This implies that it is possible to omit sending the LEAF -- but the decrypt chip won't work right if it doesn't get one. When asked, they indicated that it might be possible wire up a pair of Clipper/Capstone chips to not transmit the LEAF field, but that the way to do this is "~not obvious from the interface we give you~" and "~you'd have to be careful not to make mistakes~". They gave a lot of attention to obvious ways to get around the LEAF. The unit key is generated via Skipjack itself, from random seeds provided by the two escrow agencies (approximately monthly, though that isn't certain yet). They say they prefer a software generation process because its correct behavior is auditable. Capstone (but not Clipper) could be configured to allow independent loading of the two key halves, in separate facilities. "~It's your money [meaning American taxpayers].~" The LEAF field contains 80 bits for the traffic key, encrypted via the unit key in "~a unique mode ~", 32 bits for the unit id, and a 16 bit checksum of some sort. (We didn't waste our breath asking what the checksum algorithm was.) This is all encrypted under the family key using "~another mode ~". They expressed a great deal of willingness to make any sort of reasonable changes that vendors needed for their products. They are trying *very* hard to get Skipjack and key escrow into lots of products. From sci.crypt Sun Feb 6 18:22:10 1994 Xref: utcsri sci.crypt:23306 talk.politics.crypto:2458 comp.org.eff.talk:25723 alt.privacy.clipper:2092 Path: utcsri!utnut!cs.utexas.edu!howland.reston.ans.net!torn!falcon.ccs.uwo.ca!cogsci.uwo.ca!mckeever From: mckeever@cogsci.uwo.ca (Paul McKeever) Newsgroups: sci.crypt,talk.politics.crypto,comp.org.eff.talk,alt.privacy.clipper Subject: Re: Notes on key escrow meeting with NSA Date: 3 Feb 1994 16:31:09 GMT Organization: University of Western Ontario, London, Ont. Canada Lines: 85 Distribution: inet Message-ID: <2ir8sd$riu@falcon.ccs.uwo.ca> References: NNTP-Posting-Host: cogsci.uwo.ca Cc: Re: the NSA working "very hard" to get Clipper/Capstone into as many products as possible: YOU'RE MISSING THE POINT OF THEIR EXERCISE. Wide distribution is not as stupid as it seems: it's not meant ONLY to catch "stupid criminals". RATHER: it is the psychology that is being paid for. Specifically, Joe Lotech is going to push the "private" button on his telephone whenever he's using, say, his cellular phone (in fact, privacy mode will probably be the default, and Joe Lotech will know it). Essentially, the omnipresence of government-designed encryption will create a false sense of security among the masses. "Hey! I don't have to worry about snoopy people listening in on my cellular phone calls anymore...Cool!". When Joe Lotech is confronted by a little lab dweeb named Johnny Nofool, Johnny will say to Joe: "Hey, you know, that privacy mode doesn't prevent the police from listening in on your conversation" Joe Lotech will reply "Ah! You're paranoid man! Besides, I'm sure that the cops don't give a **** if I tell my girl that I want to have sex with her tonight! Get real! Relax! When was the last time the cops arrested YOU for talking on the phone?! You're paranoid man." Johnny Nofool replies: "No really, listen. There are all kinds of reasons that you should not rely on the privacy imparted to your phone conversations via the government's chip. For example, what about industrial espionage...it's not overly hard for a government key to get into the wrong hands you know! Or what if you are a member of some political party that the government is trying to eliminate...hi-tech McCarthyism can recur you know." Joe Lotech: "Look man. I'm a Republican. And I don't communicate any ideas that big business would like to steal: I work at GM for *****'s sake! Geez...I think you need to get laid, or take a vacation, or something man! AND BESIDES, this privacy gizmo came with the phone, it's cheap, it does the job for me, and parts are available if it breaks down...I think this gizmo will do me just fine. See ya." This conversation (or something like it) WILL occur. You watch. Government will make a lot of hoopla in the papers about how cellular phones and faxes etc. are listened to all of the time. Donohue will have testimonials of nimrods whose marriage broke up when their wife overheard them talking to a mistress by listening in with her scanner, etc., etc.. Then, you'll see Clinton or Gore strutting out on the news within weeks thereafter to announce how they are bringin the USA into the 21st century with "super chips" or some such nonsense that will both protect American privacy, and allow government to "crack down on crime" (part of the crime bill? an amendment?). Clipper will proliferate, and will me as common as pushbuttons on telephones etc.. THE PEOPLE WILL BE HAPPY AND SATISFIED. In their satisfied state, the people will, in fact APPLAUD, a move to crack down on evil criminals who are using "military" encryption to undermine American peace, and spread terrorism. It will be a CAKEWALK to pass the FBI's proposed Digital Telephony Act. Government-proof encryption will be illegal, and the penalties for possession or use will be steep. Other countries will follow suit (Canada first). The dream of perfect privacy and truly-free communication will be dead. These talks may be good, but I doubt much progress will come of them (I'm referring to these talks with the NSA and FBI). These agencies have GENUINE concerns about criminality and national security. I think the real solution is going to have to come from private industry. The private sector must make people aware of the difference between government-proof and government-prone encryption. But it must also help the NSA and FBI to overcome the very real problems associated with wide-spread, legal, government-proof encryption. Everyone needs to get thinking on an alternative to government-prone encryption, and to start educating the public before they think Clipper and Capstone are good enough, and to start thinking of ways to prevent strong encryption from being used for criminal purposes (perhaps the latter is not possible?). Just my two cents. -- Paul ==== My opinions are my own and are not intended to represent the opinions of people or organizations that disagree with me. From sci.crypt Sun Feb 6 18:23:49 1994 Xref: utcsri sci.crypt:23313 talk.politics.crypto:2459 comp.org.eff.talk:25729 alt.privacy.clipper:2093 Path: utcsri!utnut!cs.utexas.edu!howland.reston.ans.net!europa.eng.gtefsd.com!news.umbc.edu!eff!eff!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: sci.crypt,talk.politics.crypto,comp.org.eff.talk,alt.privacy.clipper Subject: Re: Notes on key escrow meeting with NSA Date: 3 Feb 1994 21:46:29 -0500 Organization: Electronic Frontier Foundation Lines: 167 Sender: mech@eff.org Message-ID: <2iscu5$ert@eff.org> References: NNTP-Posting-Host: eff.org In article , David Sternlight wrote: >In article , >Jim Bowery wrote: >> >>Who knows, maybe a few more humbling experiences like this and they'll >>all of a sudden remember who they are supposed to be serving and why >>servants aren't always given full access to all aspects of their >>masters' estates. > >These remarks come with ill grace. How so? 2 simple facts underlie his statements: 1) public servants, such as law enforcement, serve the public (us). 2) there have been many abuses of citizens (us) by such public servants. He makes a single assertation: 3) the reason for #2 above is that public servants tend to forget who they serve, and take advantage of their position. I don't think that's an unreasonable presumption. >From the start there was nothing in the >Clipper press release saying they were going to prohibit alternate >encryption. That was a fear raised here. Au contraire! From the original White House press release [** emphasis, like this, added **, and interpolated notes in brackets]: >Q: If the Administration were unable to find a technological solution >like the one proposed, ** would the Administration be willing to use legal >remedies to restrict powerful encryption devices? ** > >A: ** This is a fundamental policy question which will be considered ** >during the broad policy review. The key escrow mechanism will provide >Americans with an encryption product that is more secure, more convenient, >and less expensive than others readily available today, [implying it is meant to replace the "others"] > ** but it is just one piece of what must be the comprehensive approach to > encryption technology, which the Administration is developing. ** [more directly states that the Administration considers a "comprehensive approach" to crypto to be only one "which the Administration is developing.] > > The Administration is not saying, "since encryption threatens the >public safety and effective law enforcement, we will prohibit it outright" [note that the negation here negates only the main clause of the quoted passage, not the secondary clause. In effect this says that the Admin. is not going to ban all cryptography {of course not; they are producing it themselves], but that it DOES consider crypto to threaten "public safety and ...law enforcement."] >(as some countries have effectively done); [The implication here is also clear: 'Other countries, by definition inferior, have banned crypto. The US govt is the most massive and powerful in the world, and if it wants to, it can and will ban crypto successfully.'] >** nor is the U.S. saying that "every American, as a matter of right, is > entitled to an unbreakable commercial encryption product." ** [...] Note the last like. That's a key statement. Note the turn of phase "...nor is the U.S. saying...", implying not that a decidedly disfavoured President and his advisors are saying something, but that _the United States of America_, as a single united unit, is saying something. This is of course absurd, as is most everything in the press release, but most people are unlikely to notice this sort of thing, and it will effectively work a lot of psychological voodoo. In response to later questions they >confirmed that they had no plans to do so (within a month of the first >discussion here) and that statement was also quoted here. Au contraire! From a NIST response to a letter from PKP/RSADSI's Jim Bidzos [Emphasis/comments as before]: >NIST: ** There are no current plans to legislate the use of Clipper.** [Sounds good. Yet see last sentence in next section.] > Clipper will be a government standard, which can be - and > likely will be - used voluntarily by the private sector. The > ** option for legislation may be examined during the policy > review ordered by the President. ** and >NIST: Again, the Clipper Chip is a government standard which can > be used voluntarily by those in the private sector. We also > point out that the President's directive on "Public > Encryption Management" stated: "In making this decision, I > do not intend to prevent the private sector from developing, > or the government from approving, other microcircuits or > algorithms that are equally effective in assuring ** both ** > privacy ** and ** a secure key-escrow system." Despite the double-talk and -think in the language of this and other such documents, including the original press release, the message is clear: There are no _current_ plans to make Clipper mandatory, but their may be in the future (this was confirmed later in a response to questions about Clipper, where in it was stated that banning non-Clipper crypto was an issue that would be considered. I cannot provide quotes from that one, as I don't have it handy. When I find it I will be happy to do so.) Furthermore, the Administration may approve encryption schemes with _both_ effective crypto _and_ key-escrow (a contradiction in terms), but very clearly implies that it will not approve (as if it has any right to approve or disapprove) encryption without key-escrow. I can give other examples, but I am hungry and tired and have 200 emails to read, so I will leave further research as an exercise for the reader. >Those with >anti-government water to carry then tried to pick apart their statement in >that instance. Now we have yet another confirmation. The almost-off-the-record statement of low-rank govt. representatives does not qualify as a "confirmation" of anything. Even the President's own press releases on the matter don't confirm, they simply attempt to skirt the issue with weasel words. >Now there's nothing wrong with being careful, or questioning the government >closely in this matter, That much is true. >and we are all indebted to those who are vigilant in >the protection of our civil rights. >But to make this the occasion of a >sarcastic diatribe does not forward the action. If you mean that this man's Usenet posts won't win any "wars" for us, this is true, but I don't think it was intended to do so. Looked like expression of an opinion to me. I also, personally, don't detect any sarcasm, only irony, based on the what looks to be the reality of the situation. To sum up, until the Administration produces a VERY clear statement that: 1) Clipper absolutely positively will not ever be mandatory in any way for anyone (other than, I suppose, people passing around "sensitive but not classified" material as part of their govt. employee duties, as originally suggested), and 2) Clipper is not intended to displace private sector, commercial encryption products, and 3) that other forms of encryption, _even those with no key escrow of any kind_, will absolutely positively never ever be prohibited, then the only safe assumption that can be made is that 1, 2 and 3 are false, and that we have to fight to make them true. Any other course of action is careless, apathetic, naive and dangerous. Period. The govt's feelings won't be hurt, and they sky won't fall down, if 1, 2 and 3 actually ARE true, and we just don't know it. We're all in deep kim chee however if they are false. Better to "over react" and do no harm, than not react fast enough, and lose a good measure of our privacy. -- Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O From comp.risks Wed Feb 9 21:18:16 1994 Date: Wed, 09 Feb 1994 17:23:28 -0500 (EST) From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Campaign and Petition Against Clipper CPSR has announced a petition campaign to oppose the Clipper initiative. I would like to caution people about signing the petition. The issues are extremely complex and difficult. The Clipper initiative is the result of considerable deliberation by many intelligent people who appreciate and understand the concerns that have been expressed and who worked hard to accommodate the conflicting interests. The decisions that have been made were not made lightly. I would like to respond to some of the statements that CPSR has made about Clipper in their campaign and petition letters: The Clipper proposal, developed in secret by the National Security Agency, is a technical standard that will make it easier for government agents to wiretap the emerging data highway. The standard (FIPS 185) is not a standard for the Internet or any other high speed computer network. It is for the telephone system. Quoting from FIPS 185: "Data for purposes of this standard includes voice, facsimile and computer information communicated in a telephone system. A telephone system for purposes of this standard is limited to a system which is circuit switched and operating at data rates of standard commercial modems over analog voice circuits or which uses basic-rate ISDN or a similar grade wireless service." The standard will not make it any easier to tap phones, let alone computer networks. All it will do is make it technically possible to decrypt communications that are encrypted with the standard, assuming the communications are not superencrypted with something else. Law enforcers still need to get a court order just to intercept the communications in the first place, and advances in technology have made interception itself more difficult. The standard will make it much harder for anyone to conduct illegal taps, including the government. The purpose of the standard is to provide a very strong encryption algorithm - something much stronger than DES - and to do so in a way that does not thwart law enforcement and national security objectives. Keys are escrowed so that if someone uses this technology, they cannot use it against national interests. Industry groups, professional associations and civil liberties organizations have expressed almost unanimous opposition to the plan since it was first proposed in April 1993. "The public does not like Clipper and will not accept it ..." The private sector and the public have expressed nearly unanimous opposition to Clipper. As near as I know, neither CPSR nor any other group has conducted any systematic poll of industry, professional societies, or the public. While many people have voiced opposition, there are many more organizations and people who have been silent on this issue. The ACM is in the process of conducting a study on encryption. CPSR is a member of the study group, as am I. Steve Kent is chair. Our goal is a report that will articulate the issues, not a public statement either for or against. The International Association for Cryptologic Research has not to my knowledge made any official statement about Clipper. The Administration ignored the overwhelming opposition of the general public. When the Commerce Department solicited public comments on the proposal last fall, hundreds of people opposed the plan while only a few expressed support. Hundreds of people is hardly overwhelming in a population of 250 million, especially when most of the letters were the same and came in through the net following a sample letter that was sent out. The technical standard is subject to misuse and compromise. It would provide government agents with copies of the keys that protect electronic communications. "It is a nightmare for computer security." I have been one of the reviewers of the standard. We have completed our review of the encryption algorithm, SKIPJACK, and concluded it was very strong. While we have not completed our review of the key escrow system, from what I have seen so far, I anticipate that it will provide an extremely high level of security for the escrowed keys. The underlying technology was developed in secret by the NSA, an intelligence agency responsible for electronic eavesdropping, not privacy protection. Congressional investigations in the 1970s disclosed widespread NSA abuses, including the illegal interception of millions of cables sent by American citizens. NSA is also responsible for the development of cryptographic codes to protect the nation's most sensitive classified information. They have an excellent track record in conducting this mission. I do not believe that our requirements for protecting private information are greater than those for protecting classified information. I do not know the facts of the 1970s incident that is referred to here, but it sounds like it occurred before passage of the 1978 Foreign Intelligence Surveillance Act. This act requires intelligence agencies to get a court order in order to intercept communications of American citizens. I am not aware of any recent evidence that the NSA is engaging in illegal intercepts of Americans. Computer security experts question the integrity of the technology. Clipper was developed in secret and its specifications are classified. The 5 of us who reviewed the algorithm unanimously agreed that it was very strong. We will publish a final report when we complete or full evaluation. Nothing can be concluded from a statement questioning the technology by someone who has not seen it regardless of whether that person is an expert in security. NSA overstepped its legal authority in developing the standard. A 1987 law explicitly limits the intelligence agency's power to set standards for the nation's communications network. The 1987 Computer Security Act states that NIST "shall draw on the technical advice and assistance (including work products) of the National Security Agency." There is no evidence to support law enforcement's claims that new technologies are hampering criminal investigations. CPSR recently forced the release of FBI documents that show no such problems. CPSR obtained some documents from a few FBI field offices. Those offices reported no problems. CPSR did not get reports from all field offices and did not get reports from local law enforcement agencies. I can tell you that it is a fact that new communications technologies, including encryption, have hampered criminal investigations. I personally commend law enforcement for trying to get out in front of this problem. If the plan goes forward, commercial firms that hope to develop new products will face extensive government obstacles. Cryptographers who wish to develop new privacy enhancing technologies will be discouraged. The standard is voluntary -- even for the government. Mr. Rotenberg said "We want the public to understand the full implications of this plan. Today it is only a few experts and industry groups that understand the proposal. I support this objective. Unfortunately, it is not possible for most of us to be fully informed of the national security implications of uncontrolled encryption. For very legitimate reasons, these cannot be fully discussed and debated in a public forum. It is even difficult to talk about the full implications of encryption on law enforcement. This is why it is important that the President and Vice-President be fully informed on all the issues, and for the decisions to be made at that level. The Feb. 4 decision was made following an inter-agency policy review, headed by the National Security Council, that examined these issues using considerable input from industry, CPSR, EFF, and individuals as well as from law enforcement and intelligence agencies. In the absence of understanding the national security issues, I believe we need to exercise some caution in believing that we can understand the full implications of encryption on society. As part of the Feb. 4 announcement, the Administration announced the establishment of an Interagency Working Group on Encryption and Telecommunications, chaired by the White House Office of Science and Technology Policy and National Security Council, with representatives from Commerce, Justice, State, Treasury, FBI, NSA, OMB, and the National Economic Council. The group is to work with industry and public interest groups to develop new encryption technologies and to review and refine encryption policy. The NRC's Computer Science and Telecommunications Board will also be conducting a study of encryption policy. These comments may be distributed. Dorothy Denning, Georgetown University From comp.risks Sat Feb 12 16:14:32 1994 Date: Thu, 10 Feb 94 06:11:05 PST From: Fredrick B. Cohen Subject: Re: Denning's thoughts on the Clipper Chip >The standard (FIPS 185) is not a standard for the Internet or any other high >speed computer network. ... The language sounds to me like it covers ISDN which is rapidly becoming the standard for non-local networking, all switched circuits, which will soon include most cable systems, and standard commercial modems carry the vast majority of all current computer communications. What do you think the superhighway is going to be made of? We have AT+T trying for the twisted pair as the standard, and the cable companies going for a cable version, and some chasing optical, but it is all circuit switched at one point or another. > ... The standard will make it much >harder for anyone to conduct illegal taps, including the government. For someone who lived through Watergate and Irangate and all the other gates, I am amazed that you can still take this position. It only means that the class of people who will be able to get the information will be restricted to the richer and more powerful. Anyone familiar with the telephone system today knows that to tap a line requires only that the FBI tell the telephone company the phone number. The rest happens in a matter of seconds. With clipper, it will be the same way. > ... Keys are escrowed so that if someone uses this technology, they cannot > use it against national interests. How much do these escrow agents get paid, and how well are their families protected? How many guards watch them continuously? Who are we kidding? US Nuclear codes were leaked to the Soviets at the height of the cold war. Do you really think that we will protect these escrow agents any better? >As near as I know, neither CPSR nor any other group has conducted any >systematic poll ... I know for a fact that most of the major telecommunications providers are worried that Clipper will be made the standard. The reason is that they need better protection and they have to be able to do more things more flexibly than Clipper allows. They also don't want to have to pay the company who makes clipper a fortune to use a technology they don't want to use. >Hundreds of people is hardly overwhelming in a population of 250 million ... Do you claim to believe that the great silent majority is in favor of Clipper? Actually, hundreds of people who opposed it against only a few who supported it would tend to indicate that 245 Million oppose it and 5 million are in favor. Not that this was a statistically valid sample. After all, the people who oppose it are probably more knowledgeable than the general public. >... concluded it was very strong. ... In the light of 5,000 years of cryptographic history where experts claimed that systems were very strong only to find them broken soon after, I find it hard to trust the hand picked committee of 5 so-called experts who are given money and time to pass judgement on a technology that is so weak that they are afraid to expose it to the light of day. If it is so strong, why not let the rest of the world review it? The German experts said the same thing about Enigma, and lots of US experts said the same thing about for national security reasons. The infoscape is littered with failed cryptosystems and failed experts wo trusted them. >... I do not believe that our requirements for protecting private >information are greater than those for protecting classified information. >... I am not aware of any recent evidence that the NSA is engaging in >illegal intercepts of Americans. It is hard to believe that such a well known expert is that naive. It is the blind belief in government that allows it to get away with so much. We need more questioning, not less. We need affirmative facts that show they are not doing this before we will believe it. Just because they haven't been caught, doesn't mean they are innocent. >The 5 of us who reviewed the algorithm unanimously agreed that it was very >strong. We will publish a final report when we complete or full evaluation. >Nothing can be concluded from a statement questioning the technology by >someone who has not seen it regardless of whether that person is an expert in >security. I disagree strongly with this assertion. The mere fact that 5 experts agree that a technology is strong gives me no confidence whatsoever. If it is so strong, what's the big secret? If it's so strong, why does it have to be protected by a special hardware mechanism? If it is so strong, why not tell all of us so we can start to develop similar systems of our own? How can you claim it is so strong when you are afraid to even tell us how it works? History has shown that secret systems such as these are not strong. The evidence I use to condemn is 5,000 years of history. Your evidence is 5 people in a room saying it's strong. Which should we give more weight to? >... I can tell you that it >is a fact that new communications technologies, including encryption, have >hampered criminal investigations. ... If technology hampers criminal investigations, why not eliminate cars except for police. Then we could catch a lot more criminals. This is a stupid argument. Let's get better police and better tools for them to use, and not try to weaken the very fabric of our information society instead. > Mr. Rotenberg said "We want the public to understand the full > implications of this plan. Today it is only a few experts and > industry groups that understand the proposal. > >I support this objective. Unfortunately, it is not possible for most of us to >be fully informed of the national security implications of uncontrolled >encryption. For very legitimate reasons, these cannot be fully discussed and >debated in a public forum. It is even difficult to talk about the full >implications of encryption on law enforcement. This is the argument of dictators, not democracies. If it cannot be opened to public scrutiny, it does not belong here. The implications of controlled encryption are the ones you are afraid of airing. But I am not. Controlled encryption is just another way for those with power to tighten their grip. What is so frightening to you about encryption that you can't even discuss it? Is it that people will have privacy from their own government? Is it that we will be able to assure integrity in communications? Giving power to the public is not something to be feared. It is something to be sought out and encouraged. >This is why it is important >that the President and Vice-President be fully informed on all the issues, and >for the decisions to be made at that level. ... >In the absence of understanding the national security issues, I >believe we need to exercise some caution in believing that we can understand >the full implications of encryption on society. Why is it that you think you understand more about the implications of cryptography on national security than the rest of us? This elitist crap has got to end. It is bad for our country to have elitists who believe they know more than the rest of us dictating how we will live our lives. It is bad for our country that the esteemed members of this forum do not have access to your rational in order to openly discuss your points of view. It is bad for our country that professors at universities tell their students and the public not to think about the issues, but to trust that the professors know best. If you want to serve the national interest, get the debate out in the open! > ... In one recent NRC study, the committee rightly pointed out that we need more open research in this field. Perhaps Professor Denning would like to follow the recommendations of that report and open up to us. Fred Cohen - independent researcher From comp.risks Sat Feb 12 16:16:54 1994 Date: Wed, 9 Feb 94 22:16:51 EST From: ugtalbot@king.mcs.drexel.edu (George T. "14K F/D" Talbot) Subject: Re: Campaign and Petition Against Clipper I would like to comment upon a few points raised by Dr. Denning: >The decisions that have been made were not made lightly. While I appreciate the sentiments expressed by Dr. Denning here, I'm sure that those who oppose the Clipper initiative are also intelligent and have also worked very hard to make their concerns known. I have studied this issue actively and I assure you that I did not sign the petition "lightly". >The standard (FIPS 185) is not a standard for the Internet or any other high >speed computer network. While the Clipper initiative only covers the phone system, the entire proposal (Clipper and Capstone and the key escrow system) will touch the high-speed networks and should be taken as a whole. >...assuming >the communications are not superencrypted with something else. Law >enforcers still need to get a court order just to intercept the >communications in the first place... There are two points to address here. First, it is currently very difficult to produce and export cryptographic software of any significant strength due to export controls. A private entity which has the resources to produce a strong cryptographic solution will have to invest a great deal to produce such software. The current export controls would make it impossible for such an entity to compete on the world market, thus limiting profit, possibly to the point of non-profitability. This makes superencryption pretty unlikely, and this is one of the purposes of the current export controls on encryption. Also at issue is whether the government will outlaw non-Clipper/Capstone/Key Escrow encryption entirely. Second, law enforcement needs to get a court order to intercept phone communications. I know of no such need to get a court order to intercept communications on a high speed network w.r.t. Capstone. The current administration proposal does not require a court order to get the escrowed keys themselves. > The Administration ignored the overwhelming opposition of the > general public. When the Commerce Department solicited public > comments on the proposal last fall, hundreds of people opposed the > plan while only a few expressed support. > >Hundreds of people is hardly overwhelming in a population of 250 million, >especially when most of the letters were the same and came in through the net >following a sample letter that was sent out. Currently the community which is informed on this issue is rather small. It is unclear whether that population of 250 million would support the initiative if they were fully informed. Assuming the people which responded to the Commerce Department solicitation is representative of the public at large, it is clear that this is not a popular initiative outside of government/ law enforcement/national security circles. >I have been one of the reviewers of the standard. We have completed our >review of the encryption algorithm, SKIPJACK, and concluded it was very >strong. While we have not completed our review of the key escrow system, from >what I have seen so far, I anticipate that it will provide an extremely high >level of security for the escrowed keys. I'm sure that the committee which reviewed the algorithm made as accurate an assessment of the algorithm they could in the limited time they were given. What the NSA refuses to answer on this point is whether it, or the rest of the national security community will use the escrow system. If the [national security] community does not sign up [for the key escrow system], then the escrow system will be effectively compromised. >...I am not aware of any recent evidence >that the NSA is engaging in illegal intercepts of Americans... From what I understand, the Act was passed in response to the incident in the 1970s. Just because one doesn't have evidence doesn't mean that abuses don't exist, and one can't make basic policy decisions based upon that. When considering important policy like this, one has to actively consider the risks of abuse. >... From what current reports show, NSA pushed the proposal through NIST, and it was NSA, not NIST, which was the true author and sponsor of the initiative. They were operating on a "gray area" where because they were the only source for the standard considered, they effectively set the standard without explicitly violating the law. >... I can tell you that it >is a fact that new communications technologies, including encryption, have >hampered criminal investigations. I personally commend law enforcement for >trying to get out in front of this problem. Dr. Denning, would you, as a service to RISKS readers, disclose your evidence of how encryption has hampered criminal investigations? And how often? And what kind of investigations were hampered? >... In the absence of understanding the national security issues, I >believe we need to exercise some caution in believing that we can understand >the full implications of encryption on society. I disagree and Dr. Denning contradicts herself. If the decision is made at those levels, the public will not be informed. This policy is too important to relegate to a back room. George T. Talbot From comp.risks Sat Feb 12 16:18:01 1994 Date: Thu, 10 Feb 94 13:48:28 -0800 From: geoff@FICUS.CS.UCLA.EDU (Geoff Kuenning) Subject: Re: Campaign and Petition Against Clipper In RISKS-15.48, Dorothy Denning combines some good points with some very paternalistic and unsupportable claims. I will primarily address the latter. >... The Clipper initiative is the result of >considerable deliberation by many intelligent people who appreciate and >understand the concerns that have been expressed and who worked hard to >accommodate the conflicting interests. The decisions that have been made were >not made lightly. In other words, despite the fact that many intelligent and well-informed people *oppose* Clipper, "we know best, so stop complaining." The fact that the decision was made by well-intentioned people does not make it correct. >The standard (FIPS 185) is not a standard for the Internet or any other high >speed computer network. It is for the telephone system. In the first place, many people access the Internet via various forms of telephone lines. If they are encrypted, it will be easier to tap them if they use Clipper. In the second place, the Administration has been quite up-front about its desire to force key-escrow encryption into nearly every encryption application. So while Ms. Denning is technically correct in her narrow reading of the document, CPSR is equally correct in raising an alarm about the larger issue of high-speed networks. >As near as I know, neither CPSR nor any other group has conducted any >systematic poll ... Ah, the old "silent majority" argument. I thought that went out when Nixon resigned. The truth is that, among the tiny fraction of the public which has expressed an opinion, there *has* been overwhelming public opposition. Very few people have written the Government to say, "my, what a wonderful idea!" Organizations like TV networks have a multiplier rule they apply to letters, where they figure that every letter received represents N people who felt the same way, but didn't take the time to write. To suggest that only one's opposition took the time to write, and that everyone else is in agreement, is at best disingenuous and at worst intellectually dishonest. > The ACM is in the process of >conducting a study on encryption. CPSR is a member of the study group, as am >I. Steve Kent is chair. Our goal is a report that will articulate the >issues, not a public statement either for or against. In other words, having attempted to discredit what little data we *do* have, Ms. Denning is stating that there are no plans to conduct a scientific study of public opinion. Perhaps the ACM or the CPSR should fund Roper or Gallup to investigate a few questions, approved by both Ms. Denning and a CPSR representative as being unbiased? > The International Association for Cryptologic Research has not to my > knowledge made any official statement about Clipper. I don't see what relevance this has to anything. One organization of cryptologists has remained silent. So what? > Hundreds of people is hardly overwhelming in a population of 250 million, > especially when most of the letters were the same and came in through the net > following a sample letter that was sent out. The first part of this statement is patently false; the same argument could be applied to any Harris poll. The second part, about "form letter" distortions in public issues, is relevant and important. All the more reason to do a more scientific survey. > ... I do not know the facts of the 1970s > incident that is referred to here, but it sounds like it occurred before > passage of the 1978 Foreign Intelligence Surveillance Act. This act requires > intelligence agencies to get a court order in order to intercept > communications of American citizens. The 1978 act was passed in response to the abuses of the early 70's. It should not have been necessary, since the NSA was prohibited from domestic spying even before that, but the NSA figured that since the cables involved were international communications, it was OK to eavesdrop on them. This is a rather classic case illustrating the way the NSA used the loosest possible interpretation of restrictions, rather than actively trying to respect the privacy of law-abiding citizens. > I am not aware of any recent evidence > that the NSA is engaging in illegal intercepts of Americans. Once burned, twice cautious. Ms. Denning, think of the egg you'll have on your face if the NSA gets caught misbehaving a few years from now. Personally, I don't see why I should trust any person or agency that is so secretive. > The 1987 Computer Security Act states that NIST "shall draw on the technical > advice and assistance (including work products) of the National Security > Agency." The question is of who was in control. There is a world of difference between drawing on "advice and assistance," and stepping out of the picture to let someone else do the job. I believe that the latter is what CPSR is worried about. > ... I can tell you that it > is a fact that new communications technologies, including encryption, have > hampered criminal investigations. Without data or references, how are we to believe this? CPSR carried out, at great difficulty, some preliminary research. There is no indication that they selected that data, and I hope that Ms. Denning is not suggesting this. Again, we have an attempt to invoke the "silent majority" argument to claim that the sampled data is invalid. Only this time Ms. Denning doesn't even offer anything to back up her counterclaim. In the first place, let's have some facts here. What criminal investigations have been hampered by new technologies? How many? In the second place, a pervasive thread in Ms. Denning's thinking seems to be that there is no room for a tradeoff between law enforcement and freedom. Let me point out that crime would drop tremendously if the police were allowed to search anyone's home at random, without warning, and to confiscate anything they chose. But I don't think I'd want to live in such a society. Similarly, I'm perfectly willing to let a few criminal investigations be "hampered" or even fail, if it means I can use strong encryption without fear of eavesdropping or prosecution. > The standard is voluntary -- even for the government. That's not what I remember. I seem to recall that the original announcement said that the standard would be applicable to all government agencies. Is there a citation to support the claim that it's voluntary within the government? As to outside the government, yes, it's voluntary. For now. But there are already major pressures being applied to make sure that this "voluntary" standard is the only practical choice. For example, Clipper will be much easier to export than RSA, Idea, or even the venerable Enigma. Government dollars are being used to make sure that the Clipper chip is available and cheap, undercutting the possibility of fair free-market competition. And hints have been dropped that any future encryption made available to the public will also require a key escrow scheme. Geoff Kuenning geoff@ficus.cs.ucla.edu geoff@ITcorp.com A huge vote of thanks to all the police, fire, medical, water, power, and gas workers who have worked 12-hour shifts to help us out after the quake. From comp.risks Sat Feb 12 16:21:22 1994 Date: Thu, 10 Feb 1994 08:28:46 -0500 (EST) From: "Lance J. Hoffman" Subject: Clipper standard came close to being not only for phones Dorothy Denning wrote in RISKS Forum: > The [Clipper] standard (FIPS 185) is not a standard for the Internet or any > other high speed computer network. It is for the telephone system. Quoting > from FIPS 185: "Data for purposes of this standard includes voice, facsimile It apparently came close to covering everything. I have heard from several people at NIST describing the general unhappiness there about the EES. One wrote to me: > Three weeks ago, Ray Kammer {the deputy director} and Mike Rubin {the > general counsel} here told people to rewrite the FIPS 185 {the EES}, which > was in draft form, so that the standard applied to all electronic > communications, including those not covered under the then current language. > They refused, even walked out of the meeting, saying that it just could not > be done. Ray Kammer backed down, and the FIPS went out w/o the > all-inclusive language. {remarks in curly brackets added by L Hoffman for explanation} In any case, that point may be somewhat moot because Capstone applies to data! From comp.risks Sat Feb 12 16:23:05 1994 Date: 10 Feb 1994 17:55:25 -0600 From: mech@eff.org (Stanton McCandlish) Subject: FLASH: Vice President Gore Questions Current Key Escrow Policy! National Information Infrastructure Advisory Committee met today in Washington at the Old Executive Office Building. In comments made after a question and answer period, Vice President Al Gore said that key escrow policy announced last Friday (4 Feb 1994) had serious flaws and that he hope the issue of who holds the keys and under what terms would be given more serious, careful consideration. Gore made it clear that some amount of control of cryptography technology was necessary for national security. However, the key escrow policies announced by the Departments of Justice, Commerce & State, and the NSA, were "low level decisions" that got out before thorough analysis. In a conversation with Mitchell Kapor, Esther Dyson, and Mike Nelson (of the White House Staff), Gore said that he would prefer that the keys be held by some part of the Judiciary branch, or perhaps even by trusted, private escrow agents. He made it clear that he believed that the escrow agents named in last Friday's announcement (National Institute of Standards & Technology and the Treasure Department) were no appropriate key holders. Mike Nelson also indicated that there was real interest in a software-based escrow system instead of the hardware-based SKIPJACK standard Those of us who heard Gore were quite surprised. His remarks suggest that the key escrow policies to date do not have full support of the White House. Still, Gore was quite firm in asserting that some control of encryption technology is essential to national security. "Encryption and codebreaking have determined the outcome of world wars. He stated (incorrectly) that most our industrialized allies place must stricter controls in encryption that the US does. In fact, almost all COCOM countries allow the export of DES-based products, though some do not allow DES to be imported. The whole question of encryption was raised when Mitchell Kapor told the Vice President that over half of the Advisory Council members had serious reservations about the current Clipper/Skipjack policies. Gore and Kapor agreed that the Advisory Council should be used to have a serious dialogue about encryption policy. Given Gore's departure from the current Clipper proposals, there might actually be something to talk about. ========== NOTE: This DOES NOT mean that Clipper is going away. Part of stopping Clipper is to lift export controls on encryption and enable US companies to start producing products that enable all of us to protect our privacy with strong encryption. I urge you to write to Rep. Cantwell today at cantwell@eff.org. In the Subject header of your message, type "I support HR 3627." In the body of your message, express your reasons for supporting the bill. EFF will deliver printouts of all letters to Rep. Cantwell. With a strong showing of support from the Net community, Rep. Cantwell can tell her colleagues on Capitol Hill that encryption is not only an industry concern, but also a grassroots issue. *Again: remember to put "I support HR 3627" in your Subject header.* [For more info on the Cantwell bill, see Stanton's contribution in RISKS-15.47. I have deleted a lengthy repetition here. There is as yet no response from Stanton on Jon Leech's question in RISKS-15.50 on the address cantwell@eff.org. It is presumably NOT Cantwell's. PGN] Daniel J. Weitzner, Senior Staff Counsel 202-347-5400 (v) Stanton McCandlish Electronic Frontier Foundation 1001 G St, NW Suite 950 East Washington, DC 20001 202-393-5509 (f) From comp.risks Sat Feb 12 16:24:16 1994 Date: Thu, 10 Feb 1994 19:33:44 -0500 From: Carl Ellison Subject: Re: Denning's Clipper defense (RISKS-15.48) Prof. Denning has issued a defense of the Clipper proposal (which she advocated in a CACM article long before the initiative was announced). Her specifics are easy enough to refute and I'm sure others will do so. However, she closes with an idea so radical that it shocked me. Her idea that we citizens need a security clearance in order to enter the debate over whether or not we should give up a right we've had for all time (to make, use, disseminate, ..., our own strong cryptography, interfering with the government's ability to spy on us) is so radically off base that the technical debate pales by comparison. My grade-school social studies teacher is doubtless spinning in her grave. On this point, I would like to hear from newly freed members of the Eastern block. - Carl Ellison From comp.risks Sat Feb 12 16:24:52 1994 Date: Thu, 10 Feb 1994 22:45:12 CST From: roy@sendai.cybrspc.mn.org (Roy M. Silvernail) Subject: Re: Notes on key escrow meeting with NSA (Blaze, RISKS-15.48) > The LEAF field contains 80 bits for the traffic key, encrypted via the unit > key in "~a unique mode ~", 32 bits for the unit id, and a 16 bit > checksum of some sort. (We didn't waste our breath asking what the checksum > algorithm was.) This is all encrypted under the family key using "~another > mode ~". One of my concerns from the beginning of the Clipper/Capstone proposal was that the LEAF would not be protected to the same extent as the primary traffic. This paragraph confirms that the LEAF is encrypted at least differently. The RISK here is that the session keys may be vulnerable to a less rigorous cryptographic attack than the traffic itself. So it may not be necessary to even go through the dance with the escrow agencies to compromise a Clipper/Capstone chip. Of course, the Skipjack algorithm would still be required for decrypting the traffic, but it would still appear that this is a vulnerability. I wish this point had come out earlier. Roy M. Silvernail roy@sendai.cybrspc.mn.org From comp.risks Sat Feb 12 16:26:04 1994 Date: Fri, 11 Feb 94 12:03:08 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Coincidences "Once is happenstance, twice is coincidence, three times is enemy action" _You Only Live Twice_ by Ian Fleming On February 3rd, the CERT issued a warning concerning password breaking sniffers that had compromised thousands of passwords on the Internet. This was picked up by thousands of newspapers. One line read "The best long term solution...is to reduce the transmission of reusable passwords in clear-text over the network." I am told that this problem had been known by experts for quite some time before the alert. On February 4th, the administration reaffirmed the Clipper/Capstone initiative. Now I am waiting for the announcement of a "Capstone Ethernet Card" that will protect "Information Superhighway" users from such sniffers. Number three ? Padgett From comp.risks Sat Feb 12 16:27:46 1994 Date: Fri, 11 Feb 1994 14:09:16 -0500 (EST) From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Campaign and Petition Against Clipper (RISKS-15.48 and 15.50) The following comments are in response to responses posted in RISKS-15.50 on my earlier comments in RISKS-15.48: >From Marc Rotenberg: > > The NSA is responsible for foreign signal interception. It has no legal > authority to conduct wire surveillance. What are the NSA's "national > security" interests in domestic wire surveillance? I do not believe that NSA has any particular interest in domestic wire surveillance. I expect their concern is that if a product with a very strong algorithm such as SKIPJACK were to be manufactured without keys being escrowed, then such products would be very attractive on the foreign black market (presumably, such products would not be exportable) where they could interfere with foreign intelligence. > The FBI made certain claims that cryptography was impeding criminal > investigation conducted by wiretap. CPSR investigated the FBI's claims by > filing a Freedom of Information Act suit to obtain the relevant documents. > The documents provided to us by the Department of Justice revealed that none > of the FBI field officers had encountered any obstacles. The Department of > Justice has just informed us that they provided to us all relevant documents > concerning the Clipper proposal. In testimony before the Computer Systems Security and Privacy Advisory Board (CSSPAB) at NIST, James Kallstrom of the FBI said that encryption was stymying the effort in more than three but less than ten of ongoing cases. The FBI does not give details of ongoing investigations, so this information would not be available through FOIA. > There is one reported case where cryptography made it difficult for law > enforcement to obtain evidence. That case concerned reading the contents of a > file on a hard disk after it was seized. > > If this is the problem that the Clipper proposal is intended to solve, then > the key escrow scheme must be extended to every single encrypted file -- not > just encrypted communications -- everywhere in the world. I've heard of 3 cases now where encrypted files could not be decrypted, but law enforcers seem to be much more concerned about communications than stored files. Clipper does not address file encryption. > An FBI legislative proposal now under consideration at the White House would > mandate a Clipper-like scheme. That proposal is backed by fines up to $10,000 > per day and jail time. Everything I've seen has said Clipper is voluntary. Quoting from the standard: "This standard does not mandate the use of escrowed encryption devices by Federal government agencies, the private sector or other levels of government." Dept. of Commerce, NIST, Docket No. 930659-4017, RIN 063-AB19, Approval of FIPS 185, Escrowed Encryption Standard (EES). > > I support this objective. Unfortunately, it is not > > possible for most of us to be fully informed of the > > national security implications of uncontrolled > > encryption. For very legitimate reasons, these cannot > > be fully discussed and debated in a public forum. > > This assertion has never been supported by evidence. It has been used simply > to stifle criticism. Certain information relating to foreign intelligence operations is classified. Are you saying that decisions should not be based on classified information or that foreign intelligence information should not be classified? > CPSR did not participate in the inter-agency policy review. Our position from > the very beginning is that these decisions must be made openly. As part of the inter-agency review, the CSSPAB was asked to sponsor hearings on the proposal. These were held in June. The testimony that was presented was given to the government. Marc gave a presentation at those hearings, as did David Banisar of CPSR. Several people in the government who have been participating in the inter-agency review were present at the hearings. There have been several other forums as well, including one sponsored by CPSR last June. Again, several people participating in the inter-agency review were present. > > In the absence of understanding > > the national security issues, I believe we need to > > exercise some caution in believing that we can > > understand the full implications of encryption on society. > > This premise, if accepted, would mean that people in the United States would > have no right to express political views when the government claimed "national > security." Certainly, there are matters of national security that must be I did not mean to suggest that people should not express their views. Being cautious is different from being silent. >From George Talbot: > > Second, law enforcement needs to get a court order to intercept phone > communications. I know of no such need to get a court order to intercept > communications on a high speed network w.r.t. Capstone. The current > administration proposal does not require a court order to get the escrowed > keys themselves. You need a court order to intercept any electronic communications, including those on high speed nets. You need a court order to get keys. Although the court order is not given to the escrow agents (to protect the identity of those under investigation), certification that one was obtained must be presented to the escrow agents. In addition, this certification must be confirmed by an attorney associated with the U.S. Attorney's office (for a Title III federal wiretap) or an attorney associated with the DOJ Office of Intelligence Policy and Review (for a FISA wiretap). For a local wiretap, the certification must be submitted by the principal prosecuting attorney of the state or political subdivision thereof. Fred Cohen wrote: > > >Hundreds of people is hardly overwhelming in a population of 250 million ... > > Do you claim to believe that the great silent majority is in favor of Clipper? No I do not. I was merely attempting to point out what I believed was RISKy logic. > > In the light of 5,000 years of cryptographic history where experts claimed > that systems were very strong only to find them broken soon after, I find it > hard to trust the hand picked committee of 5 so-called experts who are given > money and time to pass judgement on a technology that is so weak that they are > afraid to expose it to the light of day. If it is so strong, why not let the > rest of the world review it? The German experts said the same thing about We were not paid. The main reason for not making the algorithm public is that one could build inter-operable products that bypassed key escrow, but that took advantage of the very strong algorithm. > > Why is it that you think you understand more about the implications of > cryptography on national security than the rest of us? This elitist crap has > got to end. It is bad for our country to have elitists who believe they know > more than the rest of us dictating how we will live our lives. It is bad for > our country that the esteemed members of this forum do not have access to your > rational in order to openly discuss your points of view. It is bad for our > country that professors at universities tell their students and the public not > to think about the issues, but to trust that the professors know best. If you > want to serve the national interest, get the debate out in the open! > I did not mean to suggest that I understood the national security issues. I do not. Nor did I mean to suggest that people should not think or talk about the issues. Dorothy Denning From alt.privacy Sat Feb 12 17:13:26 1994 Xref: utcsri alt.activism:61180 alt.politics.datahighway:1352 alt.privacy:10878 alt.privacy.clipper:2115 alt.security.pgp:8524 alt.wired:3793 comp.org.eff.talk:25804 talk.politics.crypto:2482 Path: utcsri!utnut!torn!spool.mu.edu!howland.reston.ans.net!cs.utexas.edu!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: alt.activism,alt.politics.datahighway,alt.privacy,alt.privacy.clipper,alt.security.pgp,alt.wired,comp.org.eff.talk,talk.politics.crypto Subject: CRYPTO: DoJ's new rules for access to Clipper keys Date: 4 Feb 1994 18:29:41 -0600 Organization: UTexas Mail-to-News Gateway Lines: 375 Sender: daemon@cs.utexas.edu Distribution: inet Message-ID: <199402050029.TAA02956@eff.org> NNTP-Posting-Host: cs.utexas.edu ________ begin file ____ [Note: this file contains all 3 of the "AUTHORIZATION PROCEDURES..." documents]. U.S. Department of Justice Washington, D.C. 20530 February 4, 1994 AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS IN CONJUNCTION WITH INTERCEPTS PURSUANT TO TITLE III The following are the procedures for the release of escrowed key components in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures cover all electronic surveillance conducted pursuant to Title III of the Omnibus crime Control and Safe Streets Act of 1968, as amended (Title III), Title 18, United States Code, Section 2510 et seq. 1) In each case there shall be a legal authorization for the interception of wire and/or electronic communications. 2) All electronic surveillance court orders under Title III shall contain provisions authorizing after-the-fact minimization, pursuant to 18 U.S.C. 2518(5), permitting the interception and retention of coded communications, including encrypted communications. 3) In the event that federal law enforcement agents discover during the course of any lawfully authorized interception that communications encrypted with a key escrow encryption method are being utilized, they may obtain a certification from the investigative agency conducting the investigation, or the Attorney General of the United States or designee thereof. Such certification shall (a) identify the law enforcement agency or other authority conducting the interception and the person providing the certification; (b) certify that necessary legal authorization has been obtained to conduct electronic surveillance regarding these communications; (c) specify the termination date of the period for which interception has been authorized; (d) identify by docket number or other suitable method of specification the source of the authorization; (e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method; (f) specify the identifier (ID) number of the key escrow encryption chip providing such encryption; and (g) specify the serial (ID) number of the key-escrow decryption device that will be used by the law enforcement agency or other authority for decryption of the intercepted communications. 4) The agency conducting the interception shall submit this certification to each of the designated key component escrow agents. If the certification has been provided by an investigative agency, as soon thereafter as practicable, an attorney associated with the United States Attorney's Office supervising the investigation shall provide each of the key component escrow agents with written confirmation of the certification. 5) Upon receiving the certification from the requesting investigative agency, each key component escrow agent shall release the necessary key component to the requesting agency. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested. 6) Each of the key component escrow agents shall retain a copy of the certification of the requesting agency, as well as the subsequent confirmation of the United States Attorney's Office. In addition, the requesting agency shall retain a copy of the certification and provide copies to the following for retention in accordance with normal record keeping requirements: (a) the United States Attorney's Office supervising the investigation, and (b) the Department of Justice, Office of Enforcement Operations. 7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications shall terminate, and the requesting agency may not retain the key components. 8) The Department of Justice shall, in each such case, (a) ascertain the existence of authorizations for electronic surveillance in cases for which escrowed key components have been released; (b) ascertain that key components for a particular key escrow encryption chip are being used only by an investigative agency authorized to conduct electronic surveillance of communications encrypted with that chip; and (c) ascertain that, no later than the completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications is terminated. 9) In reporting to the Administrative Office of the United States Courts pursuant to 18 U.S.C. Section 2519(2), the Assistant Attorney General for the Criminal Division shall, with respect to any order for authorized electronic surveillance for which escrowed encryption components were released and used for decryption, specifically note that fact. These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired. ************************************************************* U.S. Department of Justice Washington, D.C. 20530 February 4, 1994 AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS IN CONJUNCTION WITH INTERCEPTS PURSUANT TO STATE STATUTES Key component escrow agents may only release escrowed key components to law enforcement or prosecutorial authorities for use in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures apply to the release of key components to State and local law enforcement or prosecutorial authorities for use in conjunction with interceptions conducted pursuant to relevant State statutes authorizing electronic surveillance, and Title III of the Omnibus crime Control and Safe Streets Act of 1968, as amended, Title 18, United States Code, Section 2510 et seq. 1) The state or local law enforcement or prosecutorial authority must be conducting an interception of wire and/or electronic communications pursuant to lawful authorization. 2) Requests for release of escrowed key components must be submitted to the key component escrow agents by the principal prosecuting attorney of the State, or of a political subdivision thereof, responsible for the lawfully authorized electronic surveillance. 3) The principal prosecuting attorney of such State or political subdivision of such State shall submit with the request for escrowed key components a certification that shall (a) identify the law enforcement agency or other authority conducting the interception and the prosecuting attorney responsible therefor; (b) certify that necessary legal authorization for interception has been obtained to conduct electronic surveillance regarding these communications; (c) specify the termination date of the period for which interception has been authorize; (d) identify by docket number or other suitable method of specification the source of the authorization; (e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method; (f) specify the identifier (ID) number of the key escrow chip providing such encryption; and (g) specify the serial (ID) number of the key-escrow decryption device that will be used by the law enforcement agency or other authority for decryption of the intercepted communications. 4) Such certification must be submitted by the principal prosecuting attorney of that State or political subdivision to each of the designated key component escrow agents. 5) Upon receiving the certification from the principal prosecuting attorney of the State or political subdivision, each key component escrow agent shall release the necessary key component to the intercepting State or local law enforcement agency or other authority. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested. 6) Each of the key component escrow agents shall retain a copy of the certification of the principal prosecuting attorney of the State or political subdivision. In addition, such prosecuting attorney shall provide a copy of the certification to the Department of Justice, for retention in accordance with normal record keeping requirements. 7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the intercepting law enforcement agency or other authority to decrypt intercepted communications shall terminate, and the intercepting law enforcement agency or other authority may not retain the key components. 8) The Department of Justice may, in each such case, make inquiry to (a) ascertain the existence of authorizations for electronic surveillance in cases for which escrowed key components have been released; (b) ascertain that key components for a particular key escrow encryption chip are being used only by an investigative agency authorized to conduct electronic surveillance of communications encrypted with that chip; and (c) ascertain that, no later than the completion of the electronic surveillance phase of the investigation, the ability of the requesting agency to decrypt intercepted communications is terminated. 9) In reporting to the Administrative Office of the United States Courts pursuant to 18 U.S.C. Section 2519(2), the principal prosecuting attorney of a State or of a political subdivision of a State may, with respect to any order for authorized electronic surveillance for which escrowed encryption components were released and used for decryption, desire to note that fact. These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired. ************************************************************* U.S. Department of Justice Washington D.C. 20530 February 4, 1994 AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS IN CONJUNCTION WITH INTERCEPTS PURSUANT TO FISA The following are the procedures for the release of escrowed key components in conjunction with lawfully authorized interception of communications encrypted with a key-escrow encryption method. These procedures cover all electronic surveillance conducted pursuant to the Foreign Intelligence Surveillance Act (FISA), Pub. L. 95-511, which appears at Title 50, U.S. Code, Section 1801 et seq. 1 ) In each case there shall be a legal authorization for the interception of wire and/or electronic communications. 2) In the event that federal authorities discover during the course of any lawfully authorized interception that communications encrypted with a key-escrow encryption method are being utilized, they may obtain a certification from an agency authorized to participate in the conduct of the interception, or from the Attorney General of the United States or designee thereof. Such certification shall (a) identify the agency participating in the conduct of the interception and the person providing the certification; to conduct electronic surveillance regarding these communications; (c) specify the termination date of the period for which interception has been authorized; (d) identify by docket number or other suitable method of specification the source of the authorization; (e) certify that communications covered by that authorization are being encrypted with a key-escrow encryption method; (f) specify the identifier (ID) number of the key escrow encryption chip providing such encryption; and (g) specify the serial (ID) number of the key-escrow decryption device that will be used by the agency participating in the conduct of the interception for decryption of the intercepted communications. 4) This certification shall be submitted to each of the designated key component escrow agents. If the certification has been provided by an agency authorized to participate in the conduct of the interception, a copy shall be provided to the Department of Justice, Office of Intelligence Policy and Review. As soon as possible, an attorney associated with that office shall provide each of the key component escrow agents with written confirmation of the certification. 5) Upon receiving the certification, each key component escrow agent shall release the necessary key component to the agency participating in the conduct of the interception. The key components shall be provided in a manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance for which they were requested. 6) Each of the key component escrow agents shall retain a copy of the certification, as well as the subsequent written confirmation of the Department of Justice, Office of Intelligence Policy and Review. 7) Upon, or prior to, completion of the electronic surveillance phase of the investigation, the ability of the agency participating in the conduct of the interception to decrypt intercepted communications shall terminate, and such agency may not retain the key components. 8) The Department of Justice shall, in each such case, (a) ascertain the existence of authorizations for electronic surveillance in cases for which escrowed key components have been released; (b) ascertain that key components for a particular key escrow encryption chip are being used only by an agency authorized to participate in the conduct of the interception of communications encrypted with that chip; and (c) ascertain that, no later than the completion of the electronic surveillance phase of the investigation, the ability of the agency participating in the conduct of the interception to decrypt intercepted communications is terminated. 9) Reports to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence, pursuant to Section 108 of FISA, shall, with respect to any order for authorized electronic surveillance for which escrowed encryption components were released and used for decryption, specifically note that fact. These procedures do not create, and are not intended to create, any substantive rights for individuals intercepted through electronic surveillance, and noncompliance with these procedures shall not provide the basis for any motion to suppress or other objection to the introduction of electronic surveillance evidence lawfully acquired. ________ end file ______ -- Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O From alt.privacy Sat Feb 12 17:14:10 1994 Xref: utcsri alt.activism:61184 alt.politics.datahighway:1354 alt.privacy:10881 alt.privacy.clipper:2117 alt.security.pgp:8526 alt.wired:3795 comp.org.eff.talk:25808 talk.politics.crypto:2485 Path: utcsri!utnut!torn!howland.reston.ans.net!cs.utexas.edu!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: alt.activism,alt.politics.datahighway,alt.privacy,alt.privacy.clipper,alt.security.pgp,alt.wired,comp.org.eff.talk,talk.politics.crypto Subject: CRYPTO: DoS's Harris on Crypto Export Control Reform Date: 4 Feb 1994 18:44:11 -0600 Organization: UTexas Mail-to-News Gateway Lines: 97 Sender: daemon@cs.utexas.edu Distribution: inet Message-ID: <199402050044.TAA03248@eff.org> NNTP-Posting-Host: cs.utexas.edu _____ begin file _____ United States Department of State Washington, D.C. 20520 EMBARGOED FOR RELEASE, 3:00 PM EST, FEB. 4, 1994 Statement of Dr. Martha Harris Deputy Assistant Secretary of State for Political-Military Affairs February 4, 1994 Encryption -- Export Control Reform The Secretary of State is announcing today measures arising from the Administration's decision to reform export control procedures applicable to products incorporating encryption technology. These reforms are part of the Administration's effort to eliminate unnecessary controls and ensure efficient implementation. The reforms will simplify encryption product export licensing and speed the review of encryption product exports, thus helping U.S. manufacturers to compete more effectively in the global market. While there will be no changes in the types of equipment controlled by the Munitions List, we are announcing measures to expedite licensing. Last year the President announced an initiative to encourage U.S. manufacturers and users of encryption to take advantage of a government technology (the key-escrow chip) that provides excellent security while ensuring that the Government has a means to decode the encryption when lawfully authorized, such as when executing a court-authorized warrant in connection with a criminal investigation. At the time he announced this initiative, the President directed a comprehensive review of U.S. policy regarding domestic use and export of encryption technology. The reforms we are announcing today result from that review. The President has determined that vital U.S. national security and law enforcement interests compel maintaining appropriate control of encryption. Still, there is much that can be done to reform existing controls to ensure that they are efficiently implemented and to maintain U.S. leadership in the world market for encryption technology. Accordingly, the President has asked the Secretary of State to take immediate action to implement a number of procedural reforms. The reforms are: * License Reform: Under new licensing arrangements, encryption manufacturers will be able to ship their products from the United States directly to customers within approved regions without obtaining individual licenses for each end user. This will improve the ability of our manufacturers to provide expedited delivery of products, and to reduce shipping and tracking costs. It should also reduce the number of individual license requests, especially for small businesses that cannot afford international distributors. * Rapid review of export license applications: A significant number of encryption export license applications can be reviewed more quickly. For such exports, we have set a license turnaround goal of two working days. * Personal use exemption: We will no longer require that U.S. citizens obtain an export license prior to taking encryption products out of the U.S. temporarily for their own personal use. In the past, this requirement caused delays and inconvenience for business travellers. * Allow exports of key-escrow encryption: After initial review, key-escrow encryption products may now be exported to most end users. Additionally, key-escrow products will qualify for special licensing arrangements. These reforms should have the effect of minimizing the impact of export controls on U.S. industry. The Department of State will take all appropriate actions to ensure that these reforms are implemented as quickly as possible. The Secretary of State asks that encryption product manufacturers evaluate the impact of these reforms over the next year and provide feedback both on how the reforms have worked out and on recommendations for additional procedural reforms. The contact point for further information on these reforms is Rose Biancaniello, Office of Defense Trade Controls, Bureau of Political-Military Affairs, Department of State, (703) 875-6644. _____ end file ____ -- Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O From alt.privacy Sat Feb 12 17:19:45 1994 Path: utcsri!utnut!cs.utexas.edu!howland.reston.ans.net!vixen.cso.uiuc.edu!moe.ksu.ksu.edu!abc.ksu.ksu.edu!news From: kkruse@abc.ksu.ksu.edu (Korey J. Kruse) Newsgroups: alt.privacy Subject: NEWS STORY: Clipper chip OK'd by gov't Date: 11 Feb 1994 17:53:13 -0600 Organization: Kansas State University Lines: 82 Message-ID: <2jh5p9INN6id@abc.ksu.ksu.edu> NNTP-Posting-Host: abc.ksu.ksu.edu Summary: The gov't plans on making the clipper chip the standard in encryption Keywords: clipper chip privacy crypto Here's an article that I am reprinting for general information purposes. It appeared in the LA Times paper on Sat, Feb 5, 1994 -----------BEGIN fbi.nsa.win.fight.txt------------------snip snip snip-- HEADLINE: FBI, NSA Win Fight for High-Tech Eavesdropping Communications: White House ruling gives agencies continued access Publication Date: Saturday February 5, 1994 BYLINE: JOHN MINTZ JOHN SCHWARTZ The Clinton Administration on Friday rejected the arguments of the computer industry and civil libertarians and sided with national security agencies that sought to guarantee their ability to intercept and decode messages sent over computer and telephone lines. The White House had agreed to review initiatives begun during the George Bush Administration--and pursued under President Clinton--that favored the FBI and the National Security Agency in their efforts to ensure that the agencies can continue to read and listen to communications despite rapidly evolving encryption technologies. The Commerce Department announced Friday that a nine-month review of the issue--which has set off impassioned disputes between high-technology industries and the government--had resulted in a decision to make no major policy changes. That means the Administration will continue longstanding restrictions on exports of powerful encryption devices that the NSA cannot crack, and continue to encourage use of NSA-developed encryption gear, called the "Clipper Chip," by all U.S. firms. The Clipper Chip makes it relatively easy for the government to eavesdrop on encrypted communications. Administration officials said that the "keys" to unlock messages would be held by the National Institute of Standards and Technology and the Treasury Department. Police agencies obtaining court authority to wiretap will go to those agencies to acquire the two-part key. Taken together, the actions are seen by computer and software companies as a government attempt to keep powerful encryption technology out of both foreign and domestic markets. Further, government officials said, the Administration is expected in a few weeks to endorse an FBI proposal that U.S. telecommunications firms be required to guarantee that law enforcement agencies will have the ability to tap phone and computer lines regardless of where the technology goes. At the core of these high-tech disputes lies a fundamental conflict between Americans' cherished privacy rights and the government's investigative needs. Consumers have long known that most of their business transactions are recorded in corporate and government databases that are already shuttled around the country on communications lines. The prospect of an information superhighway that puts even more transactions on-line--from medical records to pay-per-view movie selections--raises the ante. "We can't just trust legal protections," said Jerry Berman, chairman of a coalition of business executives and civil libertarians fighting the Administration plan. However, James K. Kallstrom, the FBI's technology chief, said that without wiretapping capabilities, "you're building a sanctuary for criminality to go unfettered." U.S. high-tech executives say the Administration's position will prove to be in vain because terrorists and criminals can already buy powerful encryption technologies worldwide. The Business Software Alliance, which represents firms such as Microsoft Corp., Novell Inc. and Apple Computer Inc., on Friday expressed "deep disappointment and regret" about the Administration's stance. -----------END fbi.nsa.win.fight.txt------------------snip snip snip-- -- "Law never made men a whit more just; and, by | Korey Jerome Kruse means of their respect for it, even the well | kkruse@ksuvm.ksu.edu deposed are daily made the agents of injustice" | kkruse@ksuvm.bitnet --Henry David Thoreau "Civil Disobedience" | kkruse@ksu.ksu.edu From sci.crypt Sun Feb 13 14:37:03 1994 Xref: utcsri alt.activism:61676 alt.politics.datahighway:1535 alt.privacy.clipper:2359 alt.security.pgp:8763 comp.org.eff.talk:26562 sci.crypt:23593 Newsgroups: alt.activism,alt.politics.datahighway,alt.privacy.clipper,alt.security.pgp,comp.org.eff.talk,sci.crypt Path: utcsri!utnut!cs.utexas.edu!usc!howland.reston.ans.net!europa.eng.gtefsd.com!library.ucla.edu!csulb.edu!csus.edu!netcom.com!gillw.slip.netcom.com!gillw From: Gill Winograd Subject: Re: EFF Wants You (to add your voice to the crypto fight!) Message-ID: X-Xxmessage-Id: X-Xxdate: Sat, 12 Feb 94 00:36:41 GMT Sender: netnews@netcom.com (USENET Administration) Organization: USA X-Useragent: Version 1.1.3 References: <2jgr0h$nri@tornews.torolab.ibm.com> Date: Sun, 13 Feb 1994 00:35:06 GMT Lines: 30 In article <2jgr0h$nri@tornews.torolab.ibm.com> Ian R. Ameline, ameline@provence.torolab.ibm.com writes: Quoting Dorothy Demming: >> Mr. Rotenberg said "We want the public to understand the full >> implications of this plan. Today it is only a few experts and >> industry groups that understand the proposal. >> >>I support this objective. Unfortunately, it is not possible for most of us >> to be fully informed of the national security implications of uncontrolled >>encryption. For very legitimate reasons, these cannot be fully discussed >>and debated in a public forum. It is even difficult to talk about the full >>implications of encryption on law enforcement. It is clear why the NSA chose Ms. Demming to rubberstamp their proposal. If only persons approved by NSA can discuss the issues, and only they can have a "worthwhile and informed" opinion, why bother? Just let NSA set policy directly without the sham. Gill Winograd | "L!accent du pays o! l!on est n! demeure gillw@acm.org | dans l!esprit et dans le coeur, comme Los Angeles, California | dans le langage." | - La Rochefoucauld From comp.risks Sat Feb 19 18:58:06 1994 Date: Tue, 15 Feb 1994 01:13:48 -0800 From: "D. J. Bernstein" Subject: Who says the Clipper issue is complicated? ``I would like to caution people about signing the petition,'' Dorothy Denning said. ``The issues are extremely complex and difficult.''%1 Clipper (by which I mean EES/Skipjack/Clipper/Capstone collectively) does raise some mildly tricky issues, which I'll discuss later. But those are _side_ issues. The basic argument%2 against Clipper is simple and deserves emphasis. Clipper is bad because it is unfair competition in the crypto market. Who has paid for the design and implementation of Clipper over the past decade?%3 The taxpayers. Who has paid for ramping up Clipper production at Mykotronx? The taxpayers. Who pays for the lawyers and accountants keeping Clipper on course, and the NSA-FBI team which visits Bell Labs and other locations to promote Clipper? The taxpayers. Who will pay for the key escrow ``service,'' probably an agency with dozens of people, including armed guards? The taxpayers. I resent being forced to pay for Clipper's development and adoption. Is this Clipper subsidy the only way that the government is interfering in the market? Not at all. Consider, for example, export controls. A private company, even if it doesn't see a foreign market for its encryption products, has to register as an arms dealer and take precautions to avoid selling crypto to non-citizens. These restrictions have been dramatically reduced for Clipper.%4 Are these points a matter of dispute? Is this just my view? No. The government knows full well that Clipper is unfair competition. In fact, unfair competition is the goal of Clipper policy. According to Jerry Berman, ``the reason [for various Clipper-related actions] was stated bluntly at the [4 Feb 94 White House] briefing: to frustrate competition with Clipper by other powerful encryption schemes by making them difficult to market, and to "prevent" strong encryption from leaving the country...''%5 Now, here's the problem: The government talks about Clipper's market interference as a _good_ thing. Of course, I see it as a bad thing. America's need for data protection would be fully served by a healthy encryption industry; let's eliminate crypto export controls! If you agree with me---if you want a free crypto market---then you should oppose Clipper. There's nothing complicated about this. Let me close by briefly addressing a few side issues, mostly reasons that Clipper is risky when compared to other crypto available today. 1. There is a RISK that the Skipjack algorithm is, intentionally or unintentionally, weak. Suppose that in 1986 an NSA cryptanalyst noticed a subtle but wide hole in Skipjack, which was relatively new at the time. Why would it be in NSA's interest to divulge this information? Denning points out that we don't _know_ of any holes, but that's axiomatic---Clipper would be dead otherwise. One cannot deny the _risk_, exacerbated by secrecy, of a hole. 2. There is a RISK that Clipper will be easier to break than the basic Skipjack algorithm. Given two encryption algorithms one can (carefully) compose them to produce a ``double encryption'' which is strong even if one of the algorithms is weak. Clipper also has two encryption steps, but for a different reason---one encryption is transparent to the user, the other transparent to the FBI. If either of these different%6 steps is weak then Clipper is weak. ``Half encryption,'' I'd say. 3. There is a RISK that key escrow security will be compromised, either by bribes from the outside or by corruption from the top. It is highly dangerous to keep so many keys under the control of such a small group of people. 4. There is a RISK that, if Clipper fails to dominate the market, the government will simply outlaw all non-escrowed encryption. ``This is a fundamental policy question which will be considered during the broad policy review.''%7 Alternatively the government could outlaw Clipper superencryption while requiring Clipper in government procurements, new phones, and so on. Denning points out that Clipper is voluntary right now, but the mere fact that the government brought up the possibility of a Clipper law means that there's a risk. Footnotes: %1 To sign the CPSR Clipper petition, send a message to the address clipper.petition@cpsr.org with "I oppose Clipper" in the subject header. %2 This argument was mentioned briefly by Geoff Kuenning, RISKS-15.50, among a cast of thousands. %3 See Matt Blaze's message in RISKS-15.48. ``They said ... that Skipjack began development "~about 10 years ago.~"'' %4 See ftp.eff.org:pub/EFF/Policy/Crypto/harris_export.statement: ``After initial review, key-escrow encryption products may now be exported to most end users. Additionally, key-escrow products will qualify for special licensing arrangements.'' %5 See ftp.eff.org:pub/EFF/Policy/Crypto/wh_crypto.eff. %6 See Roy M. Silvernail's message in RISKS-15.52. %7 See the initial White House Clipper press release, 930416. ---Dan From comp.society.cu-digest Sat Feb 19 21:10:55 1994 Date: Fri, 11 Feb 1994 14:21:35 -0600 From: CuD Moderators Subject: File 5--Rep. Cantwell's Remarks on HR 3627 (From EFF ftp archives) Following are Representative Maria Cantwell's remarks to the House of Representatives when she introduced H.R. 3627, Legislation to Amend the Export Administration Act of 1979. Her synopsis of the bill appears at the end. These remarks appeared in the Congressional Record on November 24, 1993, at Volume 139, Page 3110. Please write to Rep. Cantwell today at cantwell@eff.org letting her know you support her bill. In the Subject header of your message, type "I support HR 3627." In the body of your message, express your reasons for supporting the bill. EFF will deliver printouts of all letters to Rep. Cantwell. With a strong showing of support from the Net community, Rep. Cantwell can tell her colleagues on Capitol Hill that encryption is not only an industry concern, but also a grassroots issue. *Again: remember to put "I support HR 3627" in your Subject header.* The text of the Cantwell bill can be found with the any of the following URLs (Universal Resource Locaters): ftp://ftp.eff.org/pub/EFF/Policy/Legislation/cantwell.bill http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill As of Feb. 9, 1994, co-sponsors of this bill were: Wyden (OR), Orton (UT), Manzulo (IL), Edwards (CA). Contact shabbir@panix.com to find out if the list is growing. ********************************************************************** Mr. Speaker, I am today introducing legislation to amend the Export Administration Act of 1979 to liberalize export controls on software with encryption capabilities. A vital American industry is directly threatened by unilateral U.S. Government export controls which prevent our companies from meeting worldwide user demand for software that includes encryption capabilities to protect computer data against unauthorized disclosure, theft, or alteration. The legislation I am introducing today is needed to ensure that American companies do not lose critical international markets to foreign competitors that operate without significant export restrictions. Without this legislation, American software companies, some of America's star economic performers, have estimated they stand to lose between $6 and $9 billion in revenue each year. American hardware companies are already losing hundreds of millions of dollars in lost computer system sales because increasingly sales are dependent on the ability of a U.S. firm to offer encryption as a feature of an integrated customer solution involving hardware, software, and services. The United States' export control system is broken. It was designed as a tool of the cold-war, to help fight against enemies that no longer exist. The myriad of Federal agencies responsible for controlling the flow of exports from our country must have a new charter, recognizing today's realities. Next year, the House Foreign Affairs Subcommittee of Economic Policy, Trade and the Environment, of which I am a member, will be marking up legislation to overhaul the Export Administration Act. It is my hope that the legislation I introduce today will be included in the final Export Administration Act rewrite. This legislation takes some important steps to resolve a serious problem facing some of our most dynamic industries. It would give the Secretary of Commerce exclusive authority over dual use information security programs and products, eliminates the requirement for export licenses for generally available software with encryption capabilities, and requires the Secretary to grant such validated licenses for exports of other software with encryption capabilities to any country to which we already approve exports for foreign financial institutions. The importance of this legislation cannot be overstated. America's computer software and hardware companies, including such well-known companies as Apple, DEC, Hewlett-Packard, IBM, Lotus, Microsoft, Novell, and WordPerfect, have been among the country's most internationally competitive firms earning more than one-half of their revenues from exports. The success of American software and hardware companies overseas is particularly dramatic and the importance of foreign markets is growing. Currently, American software companies hold a 75 percent worldwide market share and many derive over 50 percent of their revenues from foreign sales. American computer hardware manufacturers earn more than 60 percent of their revenues from exports. As my colleagues are well-aware, we are participants in a new information age that is quickly transforming local and national marketplaces and creating new international marketplaces where none previously existed. President Clinton and Vice President Gore have both spent considerable time explaining their vision of the National Information Infrastructure that is essential to our continued economic growth. Part of that infrastructure is already in place. International business transactions that just a few years ago took days or weeks or months to complete can now be accomplished in minutes. Driving this marketplace transformation is the personal computer. And, at the heart of every personal computer is computer software. Even the most computer illiterate of us recognize that during the past decade, computer prices have dropped dramatically while computer capabilities have increased exponentially. That combination has made it possible to exchange information and conduct business at a scale that was considered science fiction only a few years ago. Indeed, we all now rely on computer networks to conduct business and exchange information. Whether it be the electronic mail or "e-mail" system that we all now use in our congressional offices or the automated teller system relied on to conduct our personal financial affairs, we rely on computer networks of information. In the future, individuals will use information technologies to conduct virtually any of the routine transactions that they do today in person, over the telephone, and through paper files. From personal computers at home, in schools, and in public libraries, they will access books, magazine articles, videos, and multimedia resources on any topic they want. People will use computer networks to locate and access information about virtually any subject imaginable, such as background on the candidates in local political races, information on job opportunities in distant cities, the weather in the city or country they will be visiting on their vacation, and the highlights of specific sports events. Consumers will use their computers and smart televisions to shop and pay for everything from clothing and household goods to airline tickets, insurance, and all types of on-line services. Electronic records of the items they purchase and their credit histories will be easy to compile and maintain. Individuals will access home health programs from their personal computers for instant advice on medical questions, including mental health problems, information about the symptoms of AIDS, and a variety of personal concerns that they would not want other family members, or their neighbors and employers to know about. They will renew their prescriptions and obtain copies of their lab results electronically. The U.S. economy is becoming increasingly reliant on this information network. While we may not often think about these networks, they now affect every facet of our professional, business, and personal lives. They are present when we make an airline reservation; when we use a credit card to make a purchase; or when we visit a doctor who relies on a computer network to store our medical information or to assist in making a diagnosis. These networks contain information concerning every facet of our lives. For businesses, the reliance on information security is even greater. While businesses rely on the same commercial use networks that individual consumers use, in addition, businesses are now transmitting information across national and international borders with the same ease that the information was once transmitted between floors of the same office building. While all of this information exchange brings with it increased efficiencies and lower operating costs, it has also brought with it the need to protect the information from improper use and tampering. Information security is quickly becoming a top priority for businesses that rely on computer networks to conduct business. According to a recent survey of Fortune 500 companies conducted for the Business Software Alliance, 90 percent of the participants said that information security was important to their operations. Indeed, almost half of the Fortune 500 companies surveyed recently stated that data encryption was important to protect their information. One third of those companies said they look for encryption capabilities when buying software. The challenge for information security can be met by America's computer companies. American companies are deeply involved in efforts to ensure that the information transmitted on computer networks is secure. Numerous companies have developed and are developing software products with encryption capabilities that can ensure that transmitted information is received only by the intended user and that it is received in an unaltered form. Those encryption capabilities are based on mathematical formulas or logarithms of such a size that makes it almost impossible to corrupt data sources or intercept information being transmitted. I wish I could stand here today and tell my colleagues that U.S. export control laws were working and encryption technology was only available to American software companies. However, this is not the case. Sophisticated encryption technology has been available as a published public standard for over a decade and many private sources, both domestic and foreign, have developed encryption technology that they are marketing to customers today. It is an industry where commercial competition is fierce and success will go to the swift. Software is being developed and manufactured with encryption capabilities for the simple reason that software customers are demanding it. Computer users recognize the vulnerability of our information systems to corruption and improper use and are insisting on protection. That protection will be purchased or obtained from American companies or from foreign software companies. The choice is not whether the protection will be obtained, but from which company. Incredible as it may seem to most of my colleagues, the Executive Branch has seen fit to regulate exports of American computer software with encryption capabilities -- that is, the same software that is available across the counter at your local Egghead or Computerland software store -- as munitions and thereby substantially prohibit its export to foreign customers. This policy, which has all the practical effect of shutting the barn door after the horses have left in preventing access to software with encryption capabilities, does have the actual detrimental effect of seriously endangering sales of both generally available American software and American computer systems. This is because increasingly sales are dependent on the ability of a U.S. firm to offer encryption as a feature of an integrated customer solution involving hardware, software and services. Indeed, software can be exported abroad by the simplest measures and our intelligence gathering agencies have no hope of ever preventing it. Unlike most munitions that are on the prohibited export list, generally available software with encryption capabilities can be purchased without any record by anyone from thousands of commercial retail outlets, or ordered from hundreds of commercial mail order houses, or obtained for free from computer bulletin boards or networks. Once obtained, it can be exported on a single indistinguishable floppy disk in the coat pocket of any traveler or in any business envelope mailed abroad. Moreover, both generally available and customized software can be exported without anyone ever actually leaving the United States. All that is necessary are two computers with modems, one located in the United States and one located abroad. A simple international phone call and a few minutes is all that it takes to export any software program. Once a software program with encryption capabilities is in a foreign country, any computer can act as a duplicating machine, producing as many perfect copies of the software as needed. The end result is that the software is widely available to foreign users. All this was demonstrated at a hearing held on October 12 by Chairman Gejdenson's Economic Policy Trade and Environment Subcommittee of the Foreign Affairs Committee. Furthermore, while current Executive Branch policy regulates the export of American manufactured software with encryption capabilities, it is obviously powerless to prevent the development and manufacture of such software by foreign competitors. Not surprisingly, that is exactly what is happening. We heard testimony at the subcommittee's hearing that over 200 foreign hardware, software and combination products for text, file, and data encryption are available from 20 foreign countries. As a result, foreign customers, that have, in the past, spent their software dollars on American-made software, are now being forced, by American policy, to buy foreign software -- and in some cases, entire foreign computer systems. The real impact of these policies is that customers and revenue are being lost with little hope of regaining them, once lost. All precipitated by a well-intentioned, but completely misguided and inappropriate policy. There were efforts, in the last Congress to correct this policy. In response, the Bush Administration did, in fact, marginally improve its export licensing process with regard to mass market software with limited encryption capabilities. However, those changes are simply insufficient to eliminate the damage being done to American software companies. My legislation is strongly supported by the Business Software Alliance. The Business Software Alliance represents the leading American software businesses, including Aldus, Apple Computer, Autodesk, Borland International, Computer Associates, GO Corp., Lotus Development, Microsoft, Novell, and WordPerfect. In addition, Adobe Systems, Central Point, Santa Cruz Operation, and Symantec are members of BSA's European operation. Together, BSA members represent 70 percent of PC software sales. The legislation is also supported by the Industry Coalition on Technology Transfer, an umbrella group representing 10 industry groups including the Aerospace Industries Association, American Electronic Association, Electronics Industry Association, and Computer and Business Equipment Manufacturing Association. All these companies are at the forefront of the software revolution. Their software, developed for commercial markets, is available throughout the world and is at the core of the information revolution. They represent the finest of America's future in the international marketplace, and the industry has repeatedly been recognized as crucial to America's technological leadership in the 21st century. My legislation is straightforward. It would allow American companies to sell the commercial software they develop in the United States to their overseas customers including our European allies -- something that is very difficult if not impossible under present policies. I urge my colleagues to support this legislation and ask unanimous consent that the text of the bill and a section-by-section explanation be printed at this point. ************************************************************************ Section-By-Section Analysis of Report Control Liberalization for Information Security Programs and Products Section 1 Section 1 amends the Export Administration Act by adding a new subsection that specifically addresses exports of computer hardware, software and technology for information security including encryption. The new subsection has three basic provisions. First, it gives the Secretary of Commerce exclusive authority over the export of such programs and products except those which are specifically designed for military use, including command, control and intelligence applications or for deciphering encrypted information. Second, the government is generally prohibited from requiring a validated export license for the export of generally available software (e.g., mass market commercial or public domain software) or computer hardware simply because it incorporates such software. Importantly, however, the Secretary will be able to continue controls on countries of terrorists concern (like Libya, Syria, and Iran) or other embargoed countries (like Cuba and North Korea) pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (except for instances where IEEPA is employed to extend EAA-based controls when the EAA is not in force). Third, the Secretary is required to grant validated licenses for exports of software to commercial users in any country to which exports of such software has been approved for use by foreign financial institutions. Importantly, the Secretary is not required to grant such export approvals if there is substantial evidence that the software will be diverted or modified for military or terrorists' end-use or re-exported without requisite U.S. authorization. Section 2 Section 2 provides definitions necessary for the proper implementation of the substantive provisions. For example, generally available software is offered for sale or licensed to the public without restriction and available through standard commercial channels of distribution, is sold as is without further customization, and is designed so as to be installed by the purchaser without additional assistance from the publisher. Computer hardware and computing devices are also defined. From comp.society.cu-digest Sat Feb 19 21:14:07 1994 Date: Sat, 12 Feb 94 18:00:11 PST From: hkhenson@CUP.PORTAL.COM Subject: File 6--Amateur Action BBS and Clipper [There has been a *lot* of traffic on the Clipper debate recently about how key escrow would work in practice. This was written in reply to an entire issue of comp.risks] If I may boil down one side of the Clipper/Capstone debate, it is certain members of the government saying: "We need to implement this encryption method so as to avoid problems we think may be coming. Trust us! We promise not to abuse your privacy." [except for the following--expandable--list of reasons.] Unlike some in this debate, I do not doubt the sincerity of Dorothy Denning or others like her. And I would have a lot fewer problems with Clipper/Capstone proposal if the people who will be granting access to the keys and those with legal access to the keys were of Dorothy's caliber. However, people of good will are not likely to be the ones who apply for these keys to your privacy in the future. I am right in the middle of a case which has remarkable similarities to a Clipper "request for keys." Full details have been posted to comp.eff.talk and misc.legal, but in brief summery, a Postal Inspector from Tennessee is attempting (for political reasons) to impose the obscenity standards of that region on an adult BBS run from Milpitas (just North of San Jose). To this end, he obtained a warrant to take the BBS hardware. Because of contained email and First Amendment activities of a BBS, subpoenas, not warrants, are required under two sections of federal law. The laws are Title 42, Section 2000aa, and Title 18 Section 2701, the same ones which were applied in the well-known Steve Jackson Games case. Pointers to these federal laws were *posted* on the BBS. The postal inspector downloaded this file (most of which *I* originally wrote), and *included* it in his affidavit for a search warrant to a Magistrate-Judge in San Francisco, along with a remarkably weak theory of how he could avoid application of these laws to himself. To obtain a warrant to take email and 2000aa materials, a number of judicial findings should have been made. None were. The postal inspector got his warrant, mailed child pornography to the BBS, served the warrant, and "found" the child porn. To give you an idea of the good will (and competence) of the particular agent involved, he had not included the child porn in the warrant, and so had to fill out another document at the time of the search. On this form he specifically described the material as "sent without his knowledge" (referring to the sysop). Of course this statement did not prevent this child pornography (in the sysop's house for all of half an hour) from being the basis of one count (of 12) of a grand jury indictment the BBS sysop faces in Tennessee. This warrant example applies to the Clipper situation. The risk under Clipper is that your private communications will be protected by the *weakest* link in the chain--one of the thousands of low level Magistrate-Judges among whom law enforcement agents shop for warrants and will shop for keys. These judges tend to be busy, or lazy or both, and they *trust* law enforcement agents. Even if the law is *directly quoted* in search warrant affidavits or key requests, and these laws *expressly forbid* granting warrants or key requests under the conditions cited, the judge may not even read a lengthy supporting affidavit before approving it. He is *very* unlikely to consider the underlying laws when granting a request. The key escrow agents provide no protection whatsoever since they simply fill orders from agents with approved applications. Judges ignore the law with impunity, and so do law enforcement agents because one agency will almost never investigate another. As a practical matter, applications for search warrants are almost never denied. The same situation is certain to occur for Clipper key applications, no mater how weak the justification happens to be, or what laws are being violated by those seeking the keys. From comp.society.cu-digest Sat Feb 19 21:15:19 1994 Date: Wed, 16 Feb 1994 10:24:49 EST From: Dave Banisar Subject: File 4--Big Brother Inside Logo BIG BROTHER INSIDE LOGO A parody of the Intel's Logo modified for the Clipper Chip is now available for use for stickers, posters, brochures etc. The Big Brother Inside graphic files are now available at the CPSR Internet Archive - ftp/gopher cpsr.org /cpsr/privacy/crypto/clipper big_brother_inside_sticker.ps (postscript-scale to fit your project) big_brother_inside_logo.gif (Color GIF - good startup/background screen) big_brother_inside_picts_info.txt (Info on the files) The files have also been uploaded to America Online in the Mac Telecom and Graphic Arts folders. big_brother_inside_sticker.ps is a generic postscript file, created in CorelDraw. The postscript image lies landscape on the page, and consists of the intel-logo's ``swoosh'' and crayon-like lettering on the inside. This design was originally created for the sticker project: the image was screened onto transparent stickers 1" square for the purpose of applying them to future clipper-chip products. (cdodhner@indirect.com was in charge of that project; as far as I know he's still distributing them for a small donation to cover printing & mailing costs). The design was created by Matt Thomlinson From comp.society.cu-digest Tue Feb 22 22:06:06 1994 Date: 18 Feb 94 15:23:33 EST From: Mark Lloyd <73670.57@COMPUSERVE.COM> Subject: File 6--Clipper Questions and Answers in a Nutshell Clipper Q and A By W. Mark Lloyd WHAT IS THE CLIPPER CHIP? The Clipper chip is an encryption chip using an algorithm called Skipjack. The Skipjack algorithm was developed by the National Security Agency (NSA) for the National Institute of Standards and Technology (NIST). Data encrypted using the Skipjack algorithm can be decrypted using a secret process that requires two separate keys. These keys would be escrowed separately by NIST and the Department of Treasury. Under the plan, a law enforcement agency would require a court order to get the two keys that would have to be combined to decrypt a transmission generated with a Clipper chip. HOW DOES THE SKIPJACK ALGORITHM DO THIS? Encryption algorithms use numbers called keys that are like combinations to a lock. Messages are encrypted and decrypted much the same as locks are locked and unlocked. The key to any Clipper encoded message is itself encrypted using a key derived from two other keys that are stored separately. The encrypted key and a number that identifies the chip that sent the message are then encrypted with another key that is common to many other chips. All of this is sent along with the encrypted original message. This is done so if a law enforcement agency wants to decrypt a message the process can be reversed: The outer portion of the encrypted key is decrypted to get the number that identifies the unit that sent the message. This is used to obtain the two separate escrowed keys that are then combined to decrypt the session key that allows the original message to be decrypted. Lets look at another way. You have the session key S, the key E derived from the two escrowed keys, the family key F, the message M and the chip identification number C. Its all put together like this: (M encrypted with key S)+(((S encrypted with key E) C )encrypted with F) IS THE SYSTEM SECURE? If everything goes right, according to the a panel of five cryptography experts who have reviewed it. WHAT ALGORITHM DOES THE ACTUAL ENCRYPTION? That is classified information. BUT AREN'T GOOD ENCRYPTION ALGORITHMS SECURE, EVEN WHEN EVERYONE KNOWS WHAT THEY ARE, LIKE DES? Yes. THEN WHY NOT JUST PUBLISH THE ALGORITHM? The reasons cited are that compromising the algorithm would be detrimental to national security. This means that secret techniques are used in the algorithm. SO A GOVERNMENT SECRET IS GOING TO BE IN THOUSANDS OF THESE CLIPPER CHIPS SHIPPED ALL OVER THE WORLD? That's the plan. SO IF SOMEONE FIGURES OUT HOW TO GET THE ALGORITHM FROM THE CLIPPER CHIPS, OUR NATIONAL SECURITY COULD BE COMPROMISED? If you follow the NSA's logic, yes. Law enforcement officials are going to be using the algorithm and the family key many time to get unit identification numbers. Lets say that the algorithm is leaked. Or one of the black boxes that will be used to decrypt the chips is compromised and the algorithm and family keys are generally known? What will happens then? The algorithm could be subject to tampering. From our explanation in question two we would go from this: (M encrypted with key S)+(((S encrypted with key E) C )encrypted with F) to this (M encrypted with key S)+(S encrypted with key E) C. This would leave the chip number open to tampering. Also in theory it would allow a steady attack on the key E, that would compromise the unit. This attack is theoretically better than attacking a message without the law enforment field, but even if the key S is known (by getting someone with a chip with to send you a message with a key you have negotiated) it would still be difficult with todays computer power. In any case anyone with anything to hide wouldnt use a Clipper chip for transmissions they wanted to keep secret from law enforcement authorities. MOST ENCRYPTION IS DONE WITH SOFTWARE. CAN THE SKIPJACK ALGORITHM BE USED IN SOFTWARE ENCRYPTING SYSTEMS? No. The nature of the Skipjack algorithm makes it only useful if it is released in a special tamper proof chip. SO THE ALGORITHM IS ONLY USEFUL FOR APPLICATIONS THAT CAN USE HARDWARE ENCRYPTION? Yes. WHAT IF I WANT TO ENCRYPT A MESSAGE WITH A REALLY SECURE ALGORITHM BEFORE IT IS ENCRYPTED BY A CLIPPER CHIP? That would be a simple and obvious way to get around the Clipper chip. BUT ISN'T MOST ENCRYPTION CURRENTLY DONE USING SOFTWARE ON GENERAL PURPOSE MICROPROCESSORS? Yes. IS CLIPPER GOING TO BE EASIER TO EXPORT THAN DES? According to the Clinton administration, yes. IS THERE A FOREIGN MARKET FOR CLIPPER ENCRYPTION DEVICES? For there to be a market there needs to be a reason for foreign purchasers to prefer Skipjack or Clipper technology to currently available algorithms. This has not been shown to be true. There a report in the British press that the NSA has a representative in London that is lobbying European governments to adopt the Clipper chip. WHAT IF A FOREIGN GOVERNMENT WANTS TO SPY ON THEIR OWN CITIZENS, WILL WE GIVE THEM THE KEYS TO DO THIS? Good question. What if a foreign government allows the importation of Clipper chips, but only if they get the keys first? Would we be responsible for their abuse? That question has not been answered yet. If we only give them the key when they ask, what if we suspect the keys they want are to spy on a political adversay. What if a foreign government decides to make an issue of us not giving them the keys to a Clipper chip we sold them? How will we deal with this? We would be in a no win situation. WILL THE NSA GET THE KEYS TO SKIPJACK UNITS THAT ARE EXPORTED? Government officials have said to some people that the NSA will not get these keys. NSA has not yet said this on the record. HAVE ORGANIZATIONS THAT REPRESENT THE COMPUTER HARDWARE AND SOFTWARE INDUSTRIES ASKED FOR A NEW ALGORITHM TO EXPORT? No. Both the Software Publishing Association and the American Electronics Association, along with other industry groups, have asked that the DES algorithm be made available for easy export. The DES algorithm is already available all over the world. DES is classified as a munition by the US government and cannot be exported easily. THE ANNOUNCEMENT FROM THE WHITE HOUSE ON FEBRUARY 4 SPOKE ABOUT THE PROBLEM OF "TERRORISTS, DRUG DEALERS, AND OTHER CRIMINALS" USING ENCRYPTION. WILL THE CLIPPER CHIP DO ANYTHING TO PREVENT THESE PEOPLE FROM USING NON-ESCROWED ENCRYPTION TECHNIQUES? No. These prople will be able to encrypt with whatever algorithm they want. ARE THERE OTHER WAYS OF ESCROWING KEYS VOLUNTARILY, FOR GOVERNMENTAL AND BANKING NEEDS THAT REQUIRE BOTH CONFIDENTIALITY AND ACCOUNTABILITY? Yes. There is work being done now on techniques that allow much more flexible ways of voluntarily escrowing keys. From comp.society.privacy Tue Feb 22 22:07:45 1994 Path: utcsri!utnut!torn!spool.mu.edu!howland.reston.ans.net!news.moneng.mei.com!uwm.edu!computer-privacy-request From: chris@quay.ie (Christopher Davey) Newsgroups: comp.society.privacy Subject: Re: Clipper Overseas Date: 21 Feb 1994 02:40:47 GMT Organization: Quay Financial Software Lines: 33 Sender: comp-privacy@uwm.edu Approved: comp-privacy@uwm.edu Message-ID: NNTP-Posting-Host: 129.89.2.6 X-Original-Submission-Date: Thu, 17 Feb 1994 15:40:09 GMT X-Submissions-To: comp-privacy@uwm.edu X-Administrivia-To: comp-privacy-request@uwm.edu X-Computer-Privacy-Digest: Volume 4, Issue 033, Message 1 of 9 Originator: levine@blatz.cs.uwm.edu Christopher Zguris <0004854540@mcimail.com> writes: I haven't seen this discussed so I'm going to ask. What are the implications for Clipper's use on communications between US and foreign countries and companies? If company A in the US is communicating with Company B is some other part of the world over a Clipper-encrypted data link couldn't the NSA legally monitor and decode the communition if they chose to do so? It's a given that the NSA monitors a lot of data communications, and I remember reading about the monitoring of US communications using NSA equipment in foreign countries thereby by avoiding the issue of monitoring on US soil, so couldn't the same trick be used to monitor communications in foreign countries that would also include US links? If we're talking about a world-wide link than a monitoring link in a foreign node could give access to the whole thing. How does key escrow affect potential international users? Anybody care to shed some light on this subject? I read a article in the "Independant on Sunday" last weekend, which that a senior NSA official, James Hearn was in London "with the task of selling the 16 governments of the European Union and European Free Trade Association on the virtues of a controversial electronic scrambling technology" - ie Clipper. The question in my mind is, are the governments of these independant countries going to adopt Clipper, if they do not have the ability to decrypt it ? No way ! And I bet they don't have to go through the escrow agencies in the US either. In which case, the whole thing seems wide open. -- Chris Davey Internet: chris@quay.ie Quay Financial Software Phone : +353 1 6612377 Fax: +353 1 6607592 From comp.society.privacy Tue Feb 22 22:08:03 1994 Path: utcsri!utnut!torn!spool.mu.edu!howland.reston.ans.net!vixen.cso.uiuc.edu!uwm.edu!computer-privacy-request From: tcj@netcom.com (Todd Jonz) Newsgroups: comp.society.privacy Subject: Re: Clipper Overseas Date: 21 Feb 1994 02:40:49 GMT Organization: Sanity Cruise Enterprises, Ltd. Lines: 27 Sender: comp-privacy@uwm.edu Approved: comp-privacy@uwm.edu Message-ID: NNTP-Posting-Host: 129.89.2.6 X-Original-Submission-Date: Fri, 18 Feb 1994 09:49:50 GMT X-Submissions-To: comp-privacy@uwm.edu X-Administrivia-To: comp-privacy-request@uwm.edu X-Computer-Privacy-Digest: Volume 4, Issue 033, Message 2 of 9 Originator: levine@blatz.cs.uwm.edu Christopher Zguris (0004854540@mcimail.com) writes: If company A in the US is communicating with Company B is some other part of the world over a Clipper-encrypted data link couldn't the NSA legally monitor and decode the communition if they chose to do so? Sure, assuming that they had the private keys for both companies. But this would mean that the escrow mechanism for these keys wasn't worth a damn. That's what's so scary about the whole Clipper proposal. Imagine if one of the conditions of securing a federally funded home loan were that you make a copy of your front door key and entrust it to your local police department for the duration of the loan. Even assuming that you trust your local police department implicitly as an organization, if there's even one individual in its employ with access to that key who can be compromised, you might as well just leave your front door open. How does key escrow affect potential international users? It seems to me that the biggest threat to international users would be the potential for Clipper to become ubiquitous in the U.S. One objective of the Clipper proposal is to discourage the private sector from bringing competitive systems to market. If this tactic is successful, it would mean that foreign companies wishing to do business with U.S. firms would have little choice but to jump on the bandwagon. From sci.crypt Tue Feb 22 22:09:09 1994 Xref: utcsri sci.crypt:23837 sci.electronics:78300 sci.misc:9567 Newsgroups: sci.crypt,sci.electronics,sci.misc Path: utcsri!utnut!torn!howland.reston.ans.net!europa.eng.gtefsd.com!library.ucla.edu!csulb.edu!csus.edu!netcom.com!grady From: grady@netcom.com (Grady Ward) Subject: Re: TEMPEST - Electronic Eavesdropping Message-ID: Followup-To: sci.crypt,sci.electronics,sci.misc Organization: Moby lexical databases X-Newsreader: TIN [version 1.2 PL1] References: <2k5qn0$jj5@camco.celestial.com> Date: Sun, 20 Feb 1994 16:01:16 GMT Lines: 33 Ray Jones (ray@camco.celestial.com) wrote: : >In the US it is illegal to monitor cellular calls. It is even illegal to : >sell scanners that can receive the cellular frequencies. : I think you are incorrect. There have been several cases where drug dealers : were convicted because of the information monitored from celluar calls. No : search warrent required either. : The Suprem Court has ruled several time that anything put into the public : airwaves is free for the taking (receiving). This is why premimum TV : programs (HBO, etc.) satelite broadcasts are encoded. The ECPA of 1987 (available from ftp.eff.org) criminalizes *monitoring* of certain transmissions (other than for test purposes). Some of these include, cellular, mobile telephones, encrypted communications, the list goes on. Most people believe that this part of the law was passed at the behest of cellular companies wanting to promise the public 'privacy' without actually needing the capital to fit cell phones with good crypto. Yes, you could go to jail if you turn on a radio to listen to certain radio waves coming into your bedroom. The Pro2006 scanner from Radio Shack is easily modified to receive cellular, but will be forbidden to import or manufacture as of (I think) this April. 73 kn6jr -- Grady Ward | compiler of Moby lexicons: | finger grady@netcom.com +1 707 826 7715 | Words, Hyphenator, Part-of-Speech | for more information (voice/24hr FAX) | Pronunciator, Thesaurus | 15 E2 AD D3 D1 C6 F3 FC grady@netcom.com | and Language; all royalty-free | 58 AC F7 3D 4F 01 1E 2F From talk.politics.crypto Thu Mar 3 19:57:55 1994 Xref: utcsri comp.org.eff.talk:27895 talk.politics.crypto:3236 alt.privacy.clipper:2743 Newsgroups: comp.org.eff.talk,talk.politics.crypto,alt.privacy.clipper Path: utcsri!utnut!torn!howland.reston.ans.net!sol.ctr.columbia.edu!news.kei.com!world!news.bu.edu!att-in!att-out!cbnewsj!merckx!mab From: mab@research.att.com (Matt Blaze) Subject: Denning Clipper Editorial in Newsday, 2/22/94 Organization: AT&T Bell Laboratories Date: Wed, 23 Feb 1994 21:58:37 GMT Message-ID: Originator: mab@merckx Sender: news@cbnewsj.cb.att.com (NetNews Administrator) Nntp-Posting-Host: merckx.l1135.att.com Lines: 90 Forwarded to the net with permission of the author. Note that I'm just passing this along, and nothing here should be taken as an endorcement of the views presented. -matt ====================================================================== | Newsday, Tuesday, February 22, 1994, Viewpoints | ====================================================================== The Clipper Chip Will Block Crime By Dorothy E. Denning Hidden among the discussions of the information highway is a fierce debate, with huge implications for everyone. It centers on a tiny computer chip called the Clipper, which uses sophisticated coding to scramble electronic communications transmitted through the phone system. The Clinton administration has adopted the chip, which would allow law enforcement agencies with court warrants to read the Clipper codes and eavesdrop on terrorists and criminals. But opponents say that, if this happens, the privacy of law-abiding individuals will be a risk. They want people to be able to use their own scramblers, which the government would not be able to decode. If the opponents get their way, however, all communications on the information highway would be immune from lawful interception. In a world threatened by international organized crime, terrorism, and rogue governments, this would be folly. In testimony before Congress, Donald Delaney, senior investigator with the New York State Police, warned that if we adopted an encoding standard that did not permit lawful intercepts, we would have havoc in the United States. Moreover, the Clipper coding offers safeguards against casual government intrusion. It requires that one of the two components of a key embedded in the chip be kept with the Treasury Department and the other component with the Commerce Department's National Institute of Standards and Technology. Any law enforcement official wanting to wiretap would need to obtain not only a warrant but the separate components from the two agencies. This, plus the superstrong code and key system would make it virtually impossible for anyone, even corrupt government officials, to spy illegally. But would terrorists use Clipper? The Justice Department has ordered $8 million worth of Clipper scramblers in the hope that they will become so widespread and convenient that everyone will use them. Opponents say that terrorists will not be so foolish as to use encryption to which the government holds the key but will scramble their calls with their own code systems. But then who would have thought that the World Trade Center bombers would have been stupid enough to return a truck that they had rented? Court-authorized interception of communications has been essential for preventing and solving many serious and often violent crimes, including terrorism, organized crime, drugs, kidnaping, and political corruption. The FBI alone has had many spectacular successes that depended on wiretaps. In a Chicago case code-named RUKBOM, they prevented the El Rukn street gang, which was acting on behalf of the Libyan government, from shooting down a commercial airliner using a stolen military weapons system. To protect against abuse of electronic surveillance, federal statutes impose stringent requirements on the approval and execution of wiretaps. Wiretaps are used judiciously (only 846 installed wiretaps in 1992) and are targeted at major criminals. Now, the thought of the FBI wiretapping my communications appeals to me about as much as its searching my home and seizing my papers. But the Constitution does not give us absolute privacy from court-ordered searches and seizures, and for good reason. Lawlessness would prevail. Encoding technologies, which offer privacy, are on a collision course with a major crime-fighting tool: wiretapping. Now the Clipper chip shows that strong encoding can be made available in a way that protects private communications but does not harm society if it gets into the wrong hands. Clipper is a good idea, and it needs support from people who recognize the need for both privacy and effective law enforcement on the information highway. ====================================================================== | Copyright Newsday. All rights reserved. This article can be freely | | distributed on the net provided this note is kept intact, but it may | | not be sold or used for profit without permission of Newsday. | ====================================================================== From comp.risks Sun Mar 6 16:21:40 1994 Date: Thu, 3 Mar 94 09:43:58 PST From: jim@RSA.COM (Jim Bidzos) Subject: SOME THOUGHTS ON CLIPPER, NSA, AND ONE KEY-ESCROW ALTERNATIVE In a recent editorial, Dr. Dorothy Denning of Georgetown University argued in support of the U.S. government's proposed Clipper Chip, a security device that would allow law enforcement to decipher the communications of users of such devices. Dr. Denning attempts to argue that Clipper is necessary for law enforcement agencies to be able to do their job. I'm not going to argue that one; there are plenty of people who can argue that compromising privacy for all citizens in order to aid law enforcement is a bad idea more effectively than I, particularly in the Clipper case, where the arguments from law enforcement are dubious at best. (The current justification is inadequate; there may be better reasons, from a law enforcement perspective, but we haven't heard them yet.) Without doubt, law enforcement and intelligence are huge stakeholders in the debate over encryption. But every individual and corporation in the U.S. must be included as well. Are NSA's actions really in the best interests of all the stakeholders? Are there alternatives to the current key escrow program? If one steps back and looks at what has happened over the last few years, one might well question the approaches, if not the motivation. (I believe it may even be possible to conclude that Clipper is the visible portion of a large-scale covert operation on U.S. soil by the National Security Agency.) Over a number of years, through their subversion of the Commerce Department (who should be championing the causes of U.S. industry, not the intelligence agencies), NSA has managed to put many U.S. government resources normally beyond their control, both legally and practically, to work on their program of making U.S. and international communications accessible. The first step was the MOU (Memorandum of Understanding) between NIST NSA. This document appears to contravene the provisions of the Computer Security Act of 1987, the intent of which was to give NIST control over standards-making for the unclassified government and commercial sectors. The MOU essentially gave NSA a veto over any proposals for crypto standards by NIST. By using the standards making authority of the National Institute of Standards and Technology (NIST), NSA is attempting to force the entire U.S. government to purchase Clipper equipment since only NIST-standard equipment may be purchased by government agencies. This purchasing power can then be used to force U.S. manufacturers to build Clipper products or risk losing government business. (GSA is currently questioning NSA's authority to control government-wide procurement, and should continue to do so.) This of course not only subsidizes Clipper products, but could make Clipper a de facto standard if the costs associated with alternatives are too high. These costs to industry, of ignoring Clipper, come in the form of lost government market share, costly support for multiple versions of incompatible products, and non-exportability of non-Clipper products. It also appears that NSA is desperately seeking a digital signature standard that would force users to take that signature capability wrapped up with a Clipper chip. If this is the case, as it appears to be, then NSA has is trying to use what is probably the most powerful business tool of the information age as a means to deny us its benefits unless we subsidize and accept Clipper in the process. This would, if true, be an unprecedented abuse of government power to influence U.S. industry and control individual privacy. (Clipper is part of a chip called Capstone, which is where their proposed digital signature standard would be used.) The overall cost of these policies is unknown. We only know that NSA has spent a considerable amount of money on the program directly. Other costs are not so obvious. They are: * A burdened U.S. industry, which will have to build multiple products or more expensive products that support multiple techniques; * A low-intensity "trade war" with the rest of the world over encryption; * Lost sales to U.S. companies, since international buyers will surely go to non-U.S. suppliers for non- Clipper encryption, as may buyers in the U.S.; * Potential abuses by government and loss of privacy for all citizens. Does NSA truly believe they can displace other methods with Clipper? With over three million RSA products, the technology they feel threatened by, in use in the U.S. today? Not likely; therefore, they have already decided that these costs are acceptable even if they only delay the inevitable, and that U.S. industry and U.S. taxpayers should bear these costs, whatever they are. This policy was apparently developed by unelected people who operate without oversight or accountability. Does the White House really support this policy? (Does this all sound familiar?) It has been rumored that NSA will gain support from foreign governments for escrow technology, especially if "local control" is provided. Even if NSA can convince their sister organizations around the world to support key escrow (by offering Clipper technology with a do-your-own-escrow option), will these other governments succeed in selling it to their industry and citizens? Most countries around the world have much stronger privacy laws and a longer history of individual privacy than the U.S. WHY AGAIN WHEN IT DIDN'T WORK THE FIRST TIME? Many seem to have forgotten or are not aware that the Clipper program is not new, and it's also not the first time NSA has attempted to force communications security on U.S. industry that it could compromise. In the mid-80's, NSA introduced a program called the Commercial COMSEC Endorsement Program, or CCEP. CCEP was essentially Clipper in a black box, since the technology was not sufficiently advanced to build lower-cost chips. Vendors would join CCEP (with the proper security clearances) and be authorized to incorporate classified algorithms into communications systems. NSA had proposed that they themselves would actually provide the keys to end-users of such systems. The new twist is access by key escrow. To see how little things have changed, consider this quote: "...RSA Data Security, Inc. asserts that since CCEP-2 is not published and therefore cannot be inspected by third parties, the NSA could put a 'trap door' in the algorithm that would enable the agency to inspect information transmitted by the private sector. When contacted, NSA representative Cynthia Beck said that it was the agency's policy not to comment on such matters." That was in 1987. ("The Federal Snags in Encryption Technology," Computer and Communications Decisions, July 1987, pp. 58-60.) To understand NSA's thinking, and the danger of their policies, consider the reply of a senior NSA official when he was asked by a reporter for the Wall Street Journal if NSA, through the CCEP program, could read anyone's communications: "Technically, if someone bought our device and we made the keys and made a copy, sure we could listen in. But we have better things to do with our time." (The Wall Street Journal, March 28, 1988, page 1, column 1, "A Supersecret Agency Finds Selling Secrecy to Others Isn't Easy," by Bob Davis.) Another NSA official, in the same Journal story, said "The American Public has no problem with relying on us to provide the technology that prevents the unauthorized launch of nuclear weapons. If you trust us to protect against that, you can trust us to protect private records." Remember that the Cold War was still on at that time. Maybe they're not so busy today. Law enforcement and intelligence gathering are certainly impeded by the use of cryptography. There are certainly legitimate concerns that these interests have. But is the current approach really the way to gain support? People with a strong military and intelligence bias are making all the decisions. There seem to be better ways to strike a balance. AN ALTERNATIVE PROPOSAL One approach would be to have NIST develop a standard with three levels. The first level could specify the use of public-key for key management and signatures without any key escrow. There could be a "Level II" compliance that adds government key escrow to message preparation. "Level III" could be key escrow controlled by the user, typically a corporation. Would this work? The first level, meeting the standard by itself, would back up the government's claim that key escrow is voluntary; if I want privacy and authentication without key escrow, then I can have it, as the government has claimed I can. Actions speak louder than words. Why would any vendors support Level II? They would find a market in the government. (I would certainly like our public servants to use key escrow, just as I want work product paid for by my corporation to be accessible.) So the government can still influence the private sector by buying only products that include Level II compliance. Also, Level II products would be decontrolled for export. The market can decide; vendors will do what their customers tell them to. This satisfies the obvious desire on the part of the government to influence what happens, as a consumer. Level III would allow any user to insert escrow keys they control into the process. (Level II would not be a prerequisite to Level III.) My company may want key escrow; I, as an individual, may want to escrow my keys with my attorney or family members; a standard supporting these functions would be useful. I don't necessarily want or need the government involved. NIST already knows how to write a FIPS that describes software and hardware implementations, and to certify that implementations are correct. This approach certainly isn't perfect, but if the administration really believes what it says and means it, then I submit that this is an improvement over a single key escrow FIPS foisted on everyone by NSA, and would stand a much better chance of striking a workable balance between the needs of the government and the right of individuals to privacy. Therefore, it RISKS much less than the current plan. The real problem with the way NSA works is that we don't find out what they're really doing and planning for decades, even when they're wrong. What if they are? In the 60's and 70's, the CIA was out of control, and the Congress, after extensive hearings that detailed some of the abuses of power by the CIA, finally moved to force more accountability and oversight. In the 80's and 90's, NSA's activities should be equally scrutinized by a concerned Congress. From comp.society.cu-digest Tue Mar 15 22:06:40 1994 Date: Tue Mar 8 12:07:47 1994 >From jim@RSA.COM Subject: File 2--Some Thoughts on Clipper (by Jim Bidzos) SOME THOUGHTS ON CLIPPER, NSA, AND ONE KEY ESCROW ALTERNATIVE In a recent editorial, Dr. Dorothy Denning of Georgtown University argued in support of the U.S. government's proposed Clipper Chip, a security device that would allow law enforcement to decipher the communications of users of such devices. Dr. Denning attempts to argue that Clipper is necessary for law enforcement agencies to be able to do their job. I'm not going to argue that one; there are plenty of people who can argue that compromising privacy for all citizens in order to aid law enforcement is a bad idea more effectively than I, particularly in the Clipper case, where the arguments from law enforcement are dubious at best. (The current justification is inadequate; there may be better reasons, from a law enforcement perspective, but we haven't heard them yet.) Without doubt, law enforcement and intelligence are huge stakeholders in the debate over encryption. But every individual and corporation in the U.S. must be included as well. Are NSA's actions really in the best interests of all the stakeholders? Are there alternatives to the current key escrow program? If one steps back and looks at what has happened over the last few years, one might well question the government's approach with Clipper, if not its motivation, for dealing with this problem. (I believe it may even be possible to conclude that Clipper is the visible portion of a large-scale covert operation on U.S. soil by NSA, the National Security Agency.) Over a number of years, through their subversion of the Commerce Department (who should be championing the causes of U.S. industry, not the intelligence agencies), NSA has managed to put many U.S. government resources normally beyond their control, both legally and practically, to work on their program of making U.S. and international communications accessible. The first step was the MOU (Memorandum of Understanding) between the Commerce Department's National Institute of Standards and Technology (NIST) and the Defense Department's NSA. This document appears to contravene the provisions of the Computer Security Act of 1987, the intent of which was to give NIST control over crypto standards-making for the unclassified government and commercial sectors. The MOU essentially gave NSA a veto over any proposals for crypto standards by NIST. By using the standards making authority of NIST, NSA is attempting to force the entire U.S. government to purchase Clipper equipment since only NIST-standard equipment may be purchased by government agencies. This purchasing power can then be used to force U.S. manufacturers to build Clipper products or risk losing government business. (GSA is currently questioning NSA's authority to control government-wide procurement, and should continue to do so.) This of course not only subsidizes Clipper products, but could make Clipper a de facto standard if the costs associated with alternatives are too high. These costs to industry, of ignoring Clipper, come in the form of lost government market share, costly support for multiple versions of incompatible products, and non-exportability of non-Clipper products. It also appears that NSA is desperately seeking a digital signature standard that would force users to take that signature capability wrapped up with a Clipper chip. If this is the case, as it appears to be, then NSA has is trying to use what is probably the most powerful business tool of the information age as a means to deny us its benefits unless we subsidize and accept Clipper in the process. This would, if true, be an unprecedented abuse of government power to influence U.S. industry and control individual privacy. (Clipper is part of a chip called Capstone, which is where their proposed digital signature standard would be used.) The overall cost of these policies is unknown. We only know that NSA has spent a considerable amount of money on the program directly. Other costs are not so obvious. They are: - A burdened U.S. industry, which will have to build multiple products or more expensive products that support multiple techniques; - A low-intensity "trade war" with the rest of the world over encryption; - Lost sales to U.S. companies, since international buyers will surely go to non-U.S. suppliers for non- Clipper encryption, as may buyers in the U.S.; - Potential abuses by government and loss of privacy for all citizens. Does NSA truly believe they can displace other methods with Clipper? With over three million licensed, documented RSA products, the technology they feel threatened by, in use in the U.S. today? Not likely; therefore, they have already decided that these costs are acceptable even if they only delay the inevitable, and that U.S. industry and U.S. taxpayers should bear these costs, whatever they are. This policy was apparently developed by unelected people who operate without oversight or accountability. Does the White House really support this policy? It has been reported that NSA is attempting to gain support from foreign governments for escrow technology, especially if "local control" is provided. Even if NSA can convince their sister organizations around the world to support key escrow (by offering Clipper technology with a do-your-own-escrow option), will these other organizations succeed in selling it to their government, industry and citizens? Most countries around the world have much stronger privacy laws and a longer history of individual privacy than the U.S. WHY AGAIN WHEN IT DIDN'T WORK THE FIRST TIME? Many seem to have forgotten or are not aware that the Clipper program is not new, and it's also not the first time NSA has attempted to force communications security on U.S. industry that it could compromise. In the mid-80's, NSA introduced a program called the Commercial COMSEC Endorsement Program, or CCEP. CCEP was essentially Clipper in a black box, since the technology was not sufficiently advanced to build lower-cost chips. Vendors would join CCEP (with the proper security clearances) and be authorized to incorporate classified algorithms into communications systems. NSA had proposed that they themselves would actually provide the keys to end-users of such systems. The new twist is access by key escrow. To see how little things have changed, consider this quote: "...RSA Data Security, Inc. asserts that since CCEP-2 is not published and therefore cannot be inspected by third parties, the NSA could put a 'trap door' in the algorithm that would enable the agency to inspect information transmitted by the private sector. When contacted, NSA representative Cynthia Beck said that it was the agency's policy not to comment on such matters." That was in 1987. ("The Federal Snags in Encryption Technology," Computer and Communications Decisions, July 1987, pp. 58-60.) To understand NSA's thinking, and the danger of their policies, consider the reply of a senior NSA official when he was asked by a reporter for the Wall Street Journal if NSA, through the CCEP program, could read anyone's communications: "Technically, if someone bought our device and we made the keys and made a copy, sure we could listen in. But we have better things to do with our time." (The Wall Street Journal, March 28, 1988, page 1, column 1, "A Supersecret Agency Finds Selling Secrecy to Others Isn't Easy," by Bob Davis.) Another NSA official, in the same Journal story, said "The American Public has no problem with relying on us to provide the technology that prevents the unauthorized launch of nuclear weapons. If you trust us to protect against that, you can trust us to protect private records." Remember that the Cold War was still on at that time. Law enforcement and intelligence gathering are certainly impeded by the use of cryptography. There are certainly legitimate concerns that these interests have. But is the current approach really the way to gain support from industry and the public? People with a strong military and intelligence bias are making all the decisions. There seem to be better ways to strike a balance. AN ALTERNATIVE PROPOSAL One approach would be to have NIST develop a standard with three levels. The first level could specify the use of public-key for key management and signatures without any key escrow. There could be a "Level II" compliance that adds government key escrow to message preparation. "Level III" could be key escrow controlled by the user, typically a corporation. Would this work? The first level, meeting the standard by itself, would back up the government's claim that key escrow is voluntary; if I want privacy and authentication without key escrow, then I can have it, as the government has claimed I can. Actions speak louder than words. Why would any vendors support Level II? There would be several reasons. They would find a market in the government, since the government should purchase only Level II products. (I would certainly like our public servants to use key escrow, just as I want work product paid for by my corporation to be accessible. Of course, anyone can buy Level I products for home and personal use.) So the government can still influence the private sector by buying only products that include Level II compliance. Also, Level II products would be decontrolled for export. This way the market can decide; vendors will do what their customers tell them to. This satisifies the obvious desire on the part of the government to influence what happens with their purchasing power. Level III would allow any user to insert escrow keys they control into the process. (Level II would not be a prerequisite to Level III.) My company may want key escrow; I, as an individual, may want to escrow my keys with my attorney or family members; a standard supporting these funtions would be useful. I don't necessarily want or need the government involved. NIST already knows how to write a FIPS that describes software and hardware implementations, and to certify that implementations are correct. This approach cetainly isn't perfect, but if the administration really believes what it says and means it, then I submit that this is an improvement over a single key escrow FIPS foisted on everyone by NSA, and would stand a much better chance of striking a workable balance between the needs of the government and the right of individuals to privacy. Therefore, it RISKS much less than the current plan. The real problem with the way NSA works is that we don't find out what they're really doing and planning for decades, even when they're wrong. What if they are? In the 60's and 70's, the CIA was out of control, and the Congress, after extensive hearings that detailed some of the abuses of power by the CIA, finally moved to force more accountability and oversight. In the 80's and 90's, NSA's activities should be equally scrutinized by a concerned Congress. From comp.society.cu-digest Tue Mar 15 22:07:06 1994 Date: Mon, 28 Feb 1994 13:25:25 -0500 (EST) From: The Advocate Subject: File 4--Re: Newsday Clipper Story (CuD 6.19) > Newsday, Tuesday, February 22, 1994, Viewpoints > The Clipper Chip Will Block Crime > By Dorothy E. Denning Before We go any further, let your old friend the Advocate join the greek chorus, of people singing their personal respect and admiration for Dr Denning. Her work in the Neidorf case was without par and her commitment to issues in Cyberspace are intellectually rigorous and passionate. It thus doubly pains me when such an old and respected friend seems to have gone astray. > Hidden among the discussions of the information highway is a fierce > debate, with huge implications for everyone. It centers on a tiny > computer chip called the Clipper, which uses sophisticated coding to > scramble electronic communications transmitted through the phone > system. Just like other systems already in use for military and government or commercial transactions. > > The Clinton administration has adopted the chip, which would allow > law enforcement agencies with court warrants to read the Clipper codes > and eavesdrop on terrorists and criminals. But opponents say that, if or agencies with corrupt motives to spy on virtually every transaction telephonic or datic that moves on the information highway. future expansion of network systems will allow easy access to virtually all data, without regard, and with intrusion, without detection. > this happens, the privacy of law-abiding individuals will be a risk. individuals and corporations. > They want people to be able to use their own scramblers, which the > government would not be able to decode. WOuld not be able to decode? no, would not be able to decode without spending some money. Dr Denning forgets that we spend an estimated $27 Billion dollars per year on the NSA, an agency devoted entirely to signals interception, decryption and analysis. THis same agency has been involved in the Clipper developement and has refused to make any of it's files available and has instead crowded the field with classified segments. > If the opponents get their way, however, all communications on the > information highway would be immune from lawful interception. In a Hardly. It merely means that interception would require either more detailed de-crpyption efforts or attack at sources of transmission or reception. These same complaints are repackaged complaints about miranda rights, the exclusionary rule and every other legal reform of this century. > world threatened by international organized crime, terrorism, and rogue > governments, this would be folly. In testimony before Congress, Donald International organised crime? you mean like the Mafia, whom the CIA helped set up? and who work routinely as government agents? Terrorism? in this country of 250 million people less the 15 people per year die on average from terrorist activities. considering 50,000 americans die every year on the roads, someone needs to get their priorities re-aligned. Rogue governments? like the libyans, or Iraq and iran? how will clipper harm a foreign government? not to mention these countries are all paper tigers. the last time we dealt with traq, i seem to recall we waxed their army without breaking a sweat. i am not worried. > Delaney, senior investigator with the New York State Police, warned > that if we adopted an encoding standard that did not permit lawful > intercepts, we would have havoc in the United States. But don forgets that his standard allows un-lawful intercepts. lets look at this word havoc. that means a state of chaos or confusion. If i go to anacostia on a friday night, i would say havoc exists. if i go into a DC school by day, i could say havoc exists. when LA burned last year havoc ran rampant, and certainly this had little to do with the lack of a proper data encryption standard. The operation of the polis has little to do with the effectiveness of our secret police. > > Moreover, the Clipper coding offers safeguards against casual > government intrusion. It requires that one of the two components of Not neccesarily. Although Dr denning and a team of independent scientists reviewed the clipper standard, they are not specialists in code breaking. I do not know how immune clipper is to corruption once partial knowledge is attained. knowledge of header blocks, and access to partial keys and key fragments may make closure of the cryptic circle a simpler proposition then her analysis indicated. > a key embedded in the chip be kept with the Treasury Department and the The dept that brought us the Secret service and the ATF? i don't think so. > other component with the Commerce Department's National Institute of > Standards and Technology. Any law enforcement official wanting to who work hand in glove with the NSA? she forgets a single compromised official may be able to subvert the entire system as mr Ames so easily demonstrated last week. > wiretap would need to obtain not only a warrant but the separate > components from the two agencies. This, plus the superstrong code and > key system would make it virtually impossible for anyone, even corrupt > government officials, to spy illegally. I think this is optimism in action. > But would terrorists use Clipper? The Justice Department has would Clipper stop terrorism? Seriously can anyone guarantee that this technology will end terrorism? will clipper end drug trafficking? > their calls with their own code systems. But then who would have > thought that the World Trade Center bombers would have been stupid > enough to return a truck that they had rented? Considering the people who bomber the world trade center were keystone terrorists, i would hardly hold them up as examples. I would look at people like Carlos the Jackal, THe Red Army, Black September, Islamic Jihad, etc... These are highly sophisticated, well trained killers, and far more effective and dangerous. > Court-authorized interception of communications has been essential > for preventing and solving many serious and often violent crimes, for all the crime and violence in our society, i doubt law enforcement is doing a good job. what we see is another band-aid on serious social problems. > including terrorism, organized crime, drugs, kidnaping, and political > corruption. The FBI alone has had many spectacular successes that > depended on wiretaps. In a Chicago case code-named RUKBOM, they > prevented the El Rukn street gang, which was acting on behalf of the > Libyan government, from shooting down a commercial airliner using a > stolen military weapons system. Dr Dennings faith is touching here. The El Rukns were done in in part because the government compromised their lawyer. And also had several agents inside the organization. Please a better example must be out there. > To protect against abuse of electronic surveillance, federal > statutes impose stringent requirements on the approval and execution > of wiretaps. Wiretaps are used judiciously (only 846 installed > wiretaps in 1992) and are targeted at major criminals. and how many wiretaps are installed il-legally? considering during the gulf war the FBI was wire-tapping the homes of arab-americans i wonder how well they use the legal process. also if we are talking 846 wiretaps, and say, 200 hours of tape from each, we are talking about 200,000 hours of conversation. i am certain that the NSA has the facility to de-crypt this number of calls. And if they don't why don't they? they must listen to foreign conversations, and i am sure the russians are not so accomodating as to use clear voice signaling. > Now, the thought of the FBI wiretapping my communications appeals to > me about as much as its searching my home and seizing my papers. > But the Constitution does not give us absolute privacy from > court-ordered searches and seizures, and for good reason. Lawlessness > would prevail. But the constitution does not forbid me from keeping safes, or cryptic records or speaking in navajo, either. Dr Denning must have far less faith in the body politic then I do. besides if you want to see lawlessness, look at the beltway on friday afternoon. > Encoding technologies, which offer privacy, are on a collision > course with a major crime-fighting tool: wiretapping. Now the wiretapping is a minor crime fighting tool. for all the law enforcement personnell we have, and all the cases brought each year, less then 1% involve wiretapping to start with. these same complaints have been made about facsimile transmission, computer data, cell phones and cars. technology changes and law enforcement adapts. this is the first time, i have ever seen law enforcement try to cripple a technology befoe it becomes prevalent. ASk yourself a question Dr Denning. Cars are used in crime, criminals often escape from the police. why shouldn't all cars be restricted to 35MPH, by design so the police can always capture and pursue? fast cars, like the ferrari have not brought chaos to our society. why should cryptography? > Clipper chip shows that strong encoding can be made available in a way > that protects private communications but does not harm society if it > gets into the wrong hands. Clipper is a good idea, and it needs how will clipper prevent the wrong hands from getting strong encoding? will only outlaws have strong crypto? > support from people who recognize the need for both privacy and > effective law enforcement on the information highway. sure we need law enforcement on the info highway, but i don't need a trooper in the back seat to listen to me talk to my girlfirend as we drive. i just need a trooper to watch for speeders and drunk drivers. Dr Denning was part of the clipper review team, and as such may be psychologically and emotionally committed to the project. I hope her earlier effort shave not clouded her ability to conduct a dispassionate social and policy analysis. Also Louis Freeh was interviewed by John Markoff in an article in todays NYT about the return of the Digital Telephony Standard. Freeh said "If we are to have a peaceful and orderly society, people will have to sacrifice a little privacy". I couldn't believe this. Didn't jefferson say something on the lines of those who sacrifice liberty for a little peace deserve neither? or was that heinlein? The other interesting factoid to counter all the discussion on Terrorism, Nuclear death threats and Drug Dealing, is that Aldrich Ames was arrested last week in the biggest spy scandal this century since the Rosenbergs. Ames who was the CIA chief of CounterIntelligence/Soviet-Eastern Division was as well trained in tradecraft as one can be. He never used any telephonic encryption, despite total access to all these devices. Sorry if the spys aren't using them, then why do we need a way to break them? Your friend The Advocate. PS Advocate prediction #13. That to push the clipper chip, supporters will claim that Child pornographers are distributing Snuff films in unbreakable crypto-form so that they can't be detected. From comp.society.cu-digest Tue Mar 15 22:08:47 1994 Date: 3 Mar 1994 12:12:08 -0500 From: hovaness@PANIX.COM(Haig Hovaness) Subject: File 5--Newsday's Encryption and Law Enforcement (Re: CuD 6.19) With all due respect to Professor Denning, I offer the following observations in response to the material in her recent posting. 1. Professor Denning's views are representative of a small minority in the US academic community. However, through her energetic campaign to promote pro-Clipper arguments, a casual observer of the debate would conclude that her position is representative of a substantial segment of academic opinion. This was especially evident in the ACM Communications "dialogue" on Clipper, in which Professor Denning's comments occupied almost half of the editorial space. 2. Professor Denning's efforts to advance her views are not limited to journalistic advocacy and Usenet postings. Her presence on the ACM committee studying Clipper has contributed to the success of the pro-Clipper faction in deadlocking the committee, and thus preventing the largest computing professional society from taking an anti-Clipper position, a position that would reflect the sentiments of the majority of the membership. 3. Professor Denning consistently makes generous assumptions about the proper and lawful actions of government officials - assumptions that anyone familiar with recent American history knows to be naive. For example, the political manipulation of information gathered by J. Edgar Hoover, former Director of the F.B.I. is common knowledge. 4. Professor Denning relies heavily on anecdotal evidence of crimes "prevented" through communications intercepts without presenting accurate data on the (very small) number of crimes in which the intercept was essential to the success of law enforcement. Others have posted the figures, and they suggest that the practical value of such intercepts is greatly overstated. 5. Professor Denning maintains that secure encryption is a difficult technology to master and is not readily available to the general public. In view of the existence of PGP, and the likely availability of its voice-scrambling successor, this is a ludicrous claim. 6. Professor Denning offers no explanation for how a US national standard restricting encryption can be viable in the context of worldwide voice and data communications. How can the US government possibly assert control of information packets crossing US "cyberspace?" 7. Professor Denning omits to mention that polls reveal that the majority of the US public are opposed to telephone wiretaps. All available evidence suggests that Clipper would never survive a public referendum. 8. Professor Denning neglects to mention that the entire commercial sector of the US computing industry is united in opposition to Clipper. Moreover, much of the business community is also hostile to the concept of Government interception of business communications. 9. Professor Denning's arguments are ultimately authoritarian. She believes that the judgement of government officials must carry greater weight than the will of the people. This is a profoundly anti-democratic position. Haig Hovaness Pelham Manor, NY hovaness@panix.com From comp.society.cu-digest Tue Mar 15 22:10:11 1994 Date: Sun, 6 Mar 1994 14:13:18 -0500 From: Dave Banisar Subject: File 1--Time Magazine on Clipper Time Magazine, March 14, 1994 TECHNOLOGY WHO SHOULD KEEP THE KEYS? The U.S. government wants the power to tap into every phone, fax and computer transmission BY PHILIP ELMER-DEWITT ... (general background) ... (general info on techo advances) Thus the stage was set for one of the most bizarre technology-policy battles ever waged: the Clipper Chip war. Lined up on one side are the three- letter cloak-and-dagger agencies -- the NSA, the CIA and the FBI -- and key policymakers in the Clinton Administration (who are taking a surprisingly hard line on the encryption issue). Opposing them is an equally unlikely coalition of computer firms, civil libertarians, conservative columnists and a strange breed of cryptoanarchists who call themselves the cypherpunks. At the center is the Clipper Chip, a semiconductor device that the NSA developed and wants installed in every telephone, computer modem and fax machine. The chip combines a powerful encryption algorithm with a ''back door'' -- the cryptographic equivalent of the master key that opens schoolchildren's padlocks when they forget their combinations. A ''secure'' phone equipped with the chip could, with proper authorization, be cracked by the government. Law-enforcement agencies say they need this capability to keep tabs on drug runners, terrorists and spies. Critics denounce the Clipper -- and a bill before Congress that would require phone companies to make it easy to tap the new digital phones -- as Big Brotherly tools that will strip citizens of whatever privacy they still have in the computer age. In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich Partners, two-thirds said it was more important to protect the privacy of phone calls than to preserve the ability of police to conduct wiretaps. When informed about the Clipper Chip, 80% said they opposed it. The battle lines were first drawn last April, when the Administration unveiled the Clipper plan and invited public comment. For nine months opponents railed against the scheme's many flaws: criminals wouldn't use phones equipped with the government's chip; foreign customers wouldn't buy communications gear for which the U.S. held the keys; the system for giving investigators access to the back-door master codes was open to abuse; there was no guarantee that some clever hacker wouldn't steal the keys. But in the end the Administration ignored the advice. In early February, after computer- industry leaders had made it clear that they wanted to adopt their own encryption standard, the Administration announced that it was putting the NSA plan into effect. Government agencies will phase in use of Clipper technology for all unclassified communications. Commercial use of the chip will be voluntary -- for now. It was tantamount to a declaration of war, not just to a small group of crypto-activists but to all citizens who value their privacy, as well as to telecommunications firms that sell their products abroad. Foreign customers won't want equipment that U.S. spies can tap into, particularly since powerful, uncompromised encryption is available overseas. ''Industry is unanimous on this,'' says Jim Burger, a lobbyist for Apple Computer, one of two dozen companies and trade groups opposing the Clipper. A petition circulated on the Internet electronic network by Computer Professionals for Social Responsibility gathered 45,000 signatures, and some activists are planning to boycott companies that use the chips and thus, in effect, hand over their encryption keys to the government. ''You can have my encryption algorithm,'' said John Perry Barlow, co-founder of the Electronic Frontier Foundation, ''when you pry my cold dead fingers from my private key.'' ... (history of Public Key encryption). ... (history of PGP) Rather than outlaw PGP and other such programs, a policy that would probably be unconstitutional, the Administration is taking a marketing approach. By using its purchasing power to lower the cost of Clipper technology, and by vigilantly enforcing restrictions against overseas sales of competing encryption systems, the government is trying to make it difficult for any alternative schemes to become widespread. If Clipper manages to establish itself as a market standard -- if, for example, it is built into almost every telephone, modem and fax machine sold -- people who buy a nonstandard system might find themselves with an untappable phone but no one to call. That's still a big if. Zimmermann is already working on a version of PGP for voice communications that could compete directly with Clipper, and if it finds a market, similar products are sure to follow. ''The crypto genie is out of the bottle,'' says Steven Levy, who is writing a book about encryption. If that's true, even the nsa may not have the power to put it back. Reported by David S. Jackson/San Francisco and Suneel Ratan/Washington From comp.society.cu-digest Tue Mar 15 22:12:13 1994 Date: Sun, 13 Mar 1994 11:30:17 -0500 From: John Perry Barlow Subject: File 1--Clipping the Wings of Freedom (Reprint, by J.P. Barlow) Clipping the Wings of Freedom page 1 Jackboots on the Infobahn by John Perry Barlow [Note: I wish to reserve to Wired Magazine first paper publication of the following piece. However, given the fairly immediate nature of this issue, I am net-casting it now. Feel free to pass it on electronically as you see fit, but please do not turn it into any sort of hard copy until Wired has done so. I also encourage you to buy the April issue of Wired in which it will appear.] On January 11, I managed to schmooze myself aboard Air Force 2. It was flying out of LA, where its principal passenger had just outlined his vision of the Information Superhighway to a suited mob of television, show biz, and cable types who fervently hoped to own it one day...if they could ever figure out what the hell it was. >From the standpoint of the Electronic Frontier Foundation, the speech had been wildly encouraging. The Vice President's announced program incorporated many of the concepts of open competition, universal access, and deregulated common carriage which we'd been pushing for the previous year. But he had said nothing about future of privacy, except to cite among the bounties of the NII its ability to "help law enforcement agencies thwart criminals and terrorists who might use advanced telecommunications to commit crimes." On the plane I asked him what this had meant regarding Administration policy on cryptography. He became non-committal as a cigar store indian. "We'll be making some announcements... I can't tell you anything more." He hurried back to the front of the plane, leaving me to troubled speculation. Despite its fundamental role in assuring privacy, transaction security, and reliable identity within the NII, the Clinton/Gore Administration policies regarding cryptography have not demonstrated an enlightenment to match the rest of their digital visions. The Clipper Chip...which bodes to be either the goofiest waste of federal dollars since Gerald Ford's great Swine Flu program or, if actually deployed, a surveillance technology of profound malignancy...seemed at first an ugly legacy of Reagan/Bush. "This is going to be our Bay of Pigs," one White House official told me at the time Clipper was introduced, referring to the distastrous Cuban invasion plan Kennedy inherited from Eisenhower. (Clipper, in case you're just tuning in, is an encryption chip which the NSA and FBI hope will someday be in every phone and computer in America. It scrambles your communications, making them unintelligible to all but their intended recipient. All, that is, but the government, which would hold the "key" to your chip. The key would separated into two pieces, held in escrow, and joined with the appropriate "legal authority.") Of course, trusting the government with your privacy is trusting a peeping tom to install your window blinds. And, since the folks I've met in this White House seem extremely smart, conscious, and freedom-loving...hell, a lot of them are Deadheads...I was sure that after they felt fully moved in, they'd face down the NSA and FBI, let Clipper die a natural death, and lower the export embargo on reliable encryption products. Furthermore, NIST and the National Security Council have been studying both Clipper and export embargoes since April. Given that the volumes of expert testimony they collected opposed them both almost unanimously , I expected the final report to give the Administration all the support it needed to do the right thing. I was wrong about this. Instead, there would be no report. Apparently, they couldn't draft one which supported, on the evidence, what they had decided to do instead. THE OTHER SHOE DROPS On Friday, February 4, the other jack-boot dropped. A series of announcements from the Administration made it clear that cryptography would become their very own "Bosnia of telecommunications" (as one staffer put it). It wasn't just that the old Serbs in the NSA and the FBI were still making the calls. The alarming new reality was that the invertebrates in the White House were only too happy to abide by them. Anything to avoid appearing soft on drugs or terrorism. So, rather than ditching Clipper, they declared it a Federal Data Processing Standard, backing that up with an immediate government order for 50,000 Clipper devices. They appointed NIST and the Department of Treasury as the "trusted" third parties that would hold the Clipper key pairs. (Treasury, by the way, is also home to such trustworthy agencies as the Secret Service and the Bureau of Alcohol, Tobacco, and Firearms.) They re-affirmed the export embargo on robust encryption products, admitting for the first time that its purpose was to stifle competition to Clipper. And they outlined a very porous set of requirements under which the cops might get the keys to your chip. (They would not go into the procedure by which the NSA would get them, though they assured us it was sufficient.) They even signaled the impending return of the dread Digital Telephony, an FBI legislative initiative which would require fundamentally re-engineering the information infrastructure to make provision of wiretapping ability the paramount design priority. INVASION OF THE BODY SNATCHERS Actually, by the time the announcements thudded down, I wan't surprised by them. I had spent several days the previous week in and around the White House. I felt like I was in another re-make of The Invasion of the Body Snatchers. My friends in the Administration had been transformed. They'd been subsumed by the vast mind-field on the other side of the security clearance membrane, where dwell the monstrous bureaucratic organisms which feed themselves on fear. They'd adopted the institutionally paranoid National Security Weltanschauung. They used all the tell-tale phrases. Mike Nelson, the White House point man on NII, told me, "If only I could tell you what I know, you'd feel the same way I do." I told him I'd been inoculated against that argument during Vietnam. (And it does seem to me that if you're going to initiate a process which might end freedom in America, you probably need an argument that isn't classified.) Besides, how does he know what he knows? Where does he get his information? Why the NSA, of course. Which, given its strong interest in the outcome, seems hardly an unimpeachable source. However they reached it, Clinton and Gore have an astonishingly simple bottom line, against which even the future of American liberty and prosperity is secondary: They believe that it is their responsibility to eliminate, by whatever means, the possibility that some terrorist might get a nuke and use it on, say, the World Trade Center. They have been convinced that such plots are more likely to ripen to their hideous fruition behind a shield of encryption. The staffers I talked to were unmoved by the argument that anyone smart enough to steal and detonate a nuclear device is probably smart enough to use PGP or some other uncompromised crypto standard. And never mind that the last people who popped a hooter in the World Trade Center were able to put it there without using any cryptography and while under FBI surveillance. We are dealing with religion here. Though only 10 American lives were lost to terrorism in the last two years, the primacy of this threat has become as much an article of faith with these guys as the Catholic conviction that human life begins at conception or the Mormon belief that the Lost Tribe of Israel crossed the Atlantic in submarines. In the spirit of openness and compromise, they invited EFF to submit other solutions to the "problem" of the nuclear-enabled terrorist besides key escrow devices, but they would not admit into discussion the argument that such a threat might, in fact, be some kind of phantasm created by the spooks to ensure their lavish budgets into the Post-Cold War era. As to the possibility that good old-fashioned investigative techniques might be more valuable in preventing their show-case catastrophe (as it was after the fact in finding the alleged perpetrators of the last attack on the World Trade Center),they just hunkered down and said that when wire-taps were necessary, they were damned well necessary. When I asked about the business that American companies lose to their inability to export good encryption products, one staffer essentially dismissed the market, saying that total world trade in crypto goods was still less than a billion dollars. (Well, right. Thanks more to the diligent efforts of the NSA than lack of sales potential.) I suggested that a more immediate and costly real-world effect of their policies would be reducing national security by isolating American commerce, owing to a lack of international confidence in the security of our data lines. I said that Bruce Sterling's fictional data-enclaves in places like the Turks and Caicos Islands were starting to look real world inevitable. They had a couple of answers to this, one unsatisfying and the other scary. Their first answer was that the international banking community could just go on using DES, which still seemed robust enough to them. [DES is the old federal Data Encryption Standard, thought by most cryptologists to be nearing the end of its credibility.] More troubling was their willingness to counter the data-enclave future with one in which no data channels anywhere would be secure from examination by some government or another. They pointed to unnamed other countries which were developing their own mandatory standards and restrictions regarding cryptography and have said to me on several occasions words to the effect that, "Hey, it's not like you can't outlaw the stuff. Look at France." Of course, they have also said repeatedly...and for now I believe them...that they have absolutely no plans to outlaw non-Clipper crypto in the U.S. But that doesn't mean that such plans couldn't develop in the presence of some pending "emergency." Then there is that White House briefing document, issued at the time Clipper was first announced, which asserts that no U.S. citizen "as a matter of right, is entitled to an unbreakable commercial encryption product." Now why, if it's an ability they have no intention of contesting, do they feel compelled to declare that it's not a right? Could it be that they are preparing us for the laws they'll pass after some bearded fanatic has gotten himself a surplus nuke and used something besides Clipper to conceal his plans for it? If they are thinking about such an eventuality, we should be doing so as well. How will we respond? I believe there is a strong, though currently untested, argument that outlawing unregulated crypto would violate the First Amendment, which surely protects the manner of our speech as clearly as it protects the content. But of course the First Amendment is, like the rest of the Constitution, only as good as the government's willingness of the to uphold it. And they are, as I say, in a mood to protect our safety over our liberty. This is not a mind-frame against which any argument is going to be very effective. And it appeared that they had already heard and rejected every argument I could possibly offer. In fact, when I drew what I thought was an original comparison between their stand against naturally proliferating crypto and the folly of King Canute (who placed his throne on the beach and commanded the tide to leave him dry), my opposition looked pained and said he had heard that one almost as often as jokes about road-kill on the Information Superhighway. I hate to go to war with them. War is always nastier among friends. Furthermore, unless they've decided to let the NSA design the rest of the National Information Infrastructure as well, we need to go on working closely with them on the whole range of issues like access, competition, workplace privacy, common carriage, intellectual property, and such. Besides, the proliferation of strong crypto will probably happen eventually no matter what they do. But then again, it might not. In which case we could shortly find ourselves under a government that would have the automated ability to log the time, origin and recipient of everycall we made, could track our physical whereabouts continuously, could keep better account of our financial transactions than we do, and all without a warrant. Talk about crime prevention! Worse, under some vaguely defined and surely mutable "legal authority," they also would be able to listen to our calls and read our e-mail without having to do any backyard rewiring. (And wouldn't even need that to monitor our overseas calls.) If there's going to be a fight, I'd far rather it be with this government than the one we'd likely face on that hard day. Hey, I've never been a paranoid before. It's always seemed to me that most governments are too incompetent to keep a good plot strung together all the way from coffee break to quitting time. But I am now very nervous about the government of the United States of America. Because Bill 'n' Al, whatever their other new paradigm virtues, have allowed the very old paradigm trogs of the Guardian Class to the define as their highest duty the defense of America against an enemy that exists primarily in the imagination and is therefore capable of anything. To assure absolute safety against such an enemy, there is no limit to the liberties we will eventually be asked to sacrifice. And, with a Clipper chip in every phone, there will certainly be no technical limit on their ability to enforce those sacrifices. WHAT YOU CAN DO GET CONGRESS TO LIFT THE CRYPTO EMBARGO The Administration is trying to impose Clipper on us by manipulating market forces. Purchasing massive numbers of Clipper devices, they intend to produce an economy of scale which will make them cheap while their export embargo renders all competition either expensive or non-existent. We have to use the market to fight back. While it's unlikely that they'll back down on Clipper deployment, the Electronic Frontier Foundation believes that with sufficient public involvement, we can get Congress to eliminate the export embargo. Rep. Maria Cantwell (D-WA) has a bill (H.R. 3627) before the Economic Policy, Trade, and Environment Science Subcommittee of the House Foreign Affairs Committee which would do exactly that. She will need a lot of help from the public. They may not care much about your privacy in DC, but they still care about your vote. Please signal your support of H.R. 3627, either by writing her directly or e-mailing her at cantwell@eff.org. Messages sent to that address will be printed out and delivered to her office. In the Subject header of your message, please include the words "support HR 3627." In the body of your message, express your reasons for supporting the bill. You may also express your sentiments to Rep. Lee Hamilton, the Foreign Relations Committee chairman, by e-mailing hamilton@eff.org. Furthermore, since there is nothing quite as powerful as a letter from a constituent, you should check the following list of subcommittee and committee members to see if your congressperson is among them. If so, please copy them your letter to Ms. Cantwell. Economic Policy, Trade, and Environment Science Subcommittee: Democrats: Sam Gejdenson (Chairman), James Oberstar, Cynthia McKinney, Maria Cantwell, Eric Fingerhut, Albert R. Wynn, Harry Johnston, Eliot Engel, Charles Schumer. Republicans: Toby Roth (ranking), Donald Manzullo, Doug Bereuter, Jan Meyers, Cass Ballenger, Dana Rohrabacher. Foreign Affairs Committee: Democrats: Lee Hamilton (Chairman), Tom Lantos, Robert Torricelli, Howard Berman, Gary Ackerman, Eni Faleomavaega, Matthew Martinez, Robert Borski, Donal Payne, Robert Andrews, Robert Menendez, Sherrod Brown, Alcee Hastings, Peter Deutsch, Don Edwards, Frank McCloskey, Thomas Sawyer, Luis Gutierrez. Republicans: Benjamin Gilman (ranking), William Goodling, Jim Leach, Olympia Snowe, Henry Hyde, Christopher Smith, Dan Burton, Elton Gallegly, Ileana Ros-Lehtinen, David Levy, Lincoln Diaz-Balart, Ed Royce. BOYCOTT CLIPPER DEVICES AND THE COMPANIES WHICH MAKE THEM. Don't buy anything with a Clipper chip in it. Don't buy any product from a company which manufactures devices with "Big Brother Inside." It is likely that the government will ask you to use Clipper for communications with the IRS or when doing business with Federal agencies. They cannot, as yet, require you to do so. Just say no. LEARN ABOUT ENCRYPTION AND EXPLAIN THE ISSUES TO YOUR UNWIRED FRIENDS The administration is banking on the likelihood that this stuff too technically obscure to agitate anyone but nerds like us. You prove them wrong by patiently explaining what's going on to all the people you know who have never touched a computer and glaze over at the mention of words like "cryptography." Maybe you glaze over yourself. Don't. It's not that hard. For some hands-on experience, download a copy of PGP, a shareware encryption engine which uses the robust RSA encryption algorithm. and learn to use it. GET YOUR COMPANY TO THINK ABOUT EMBEDDING REAL CRYPTOGRAPHY IN ITS PRODUCTS If you work for a company which makes software, computer hardware, or any kind of communications device, work from within to get them to incorporate RSA or some other strong encryption scheme into their products. If they say that they are afraid to violate the export embargo, ask them to consider manufacturing such products overseas and importing them back into the United States. There appears to be no law against that. As yet. You might also lobby your company to join the Digital Privacy and Security Working Group, a coalition of companies and public interest groups that includes IBM, Apple, Sun, Microsoft (and, interestingly, Clipper phone manufacturer AT&T) that is working to get the embargo lifted. JOIN EFF, CPSR, OR BOTH Self-serving as it sounds coming from me, I think you can do a lot to help by becoming a member of one of these organizations. In addition to giving you access to the latest information on this subject, every additional member strengthens our credibility with Congress. Join the Electronic Frontier Foundation by writing membership@eff.org. Join Computer Professionals for Social Responsibility by writing [provide e-mail address here.] In his LA speech, Gore called the development of the NII "a revolution." And it is a revolutionary war we are engaged in here. Clipper is a last ditch attempt by the United States, the last great power from the Industrial Era, to establish imperial control over Cyberspace. If they win, the most liberating development in the history of humankind could become, instead, the surveillance system which will monitor our grandchildren's morality. We can be better ancestors than that. John Perry Barlow is co-founder and Vice-Chairman of the Electronic Frontier Foundation, a group which defends liberty, both in Cyberspace and the Physical World. He has three daughters. From comp.risks Wed Mar 30 21:51:47 1994 Date: Fri, 18 Mar 94 09:52:54 EST From: denning@chair.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Clipper Compromised RISKS-15.66 included a brief from "Network World," which referenced a story in the "Security Insider Report" suggesting that Aldrich Ames could have had access to Clipper's classified SKIPJACK algorithm or Clipper keys. A New York Times reporter asked me about this rumor a few weeks ago, and the whole idea struck me as so obviously absurd that I could hardly stop laughing. Nevertheless, I did check it out with people who would know. They confirmed what I thought. The whole rumor is total nonsense. What I don't understand is why people persist is spreading rumors and speculation that have no basis and don't even make sense. Dorothy Denning From comp.risks Wed Jun 8 21:02:16 1994 Date: Fri, 3 Jun 1994 20:14:29 -0700 From: sidney@taurus.apple.com (Sidney Markowitz) Subject: Details of flaw in Clipper I have seen lots of discussion about the New York Times report on Matt Blaze's discovery of a flaw in Clipper's key escrow system, with more confusion than anything else. Here is the best article that I have seen on the net explaining exactly what Dr. Blaze has found. There's also confusion about the implications. My understanding is that this method might allow someone with a Clipper chip device to have a secure communication with another person with a Clipper device that could not be decrypted by law enforcement *and* it does not require the cooperation of the second person. That last part is what makes this significant, since two people can agree to just encrypt their messages with, say PGP, if they want to be secure from law enforcement decryption. But if Blaze's method is practical, the widespread use of Clipper would make it harder on law enforcement by making it easier than it is now for someone to have secure communication with people without having to plan with them to do so. -- sidney markowitz [begin quote of Message-ID: crossposted to sci.crypt, talk.politics.crypto, alt.policy.clipper] [Run in RISKS with permission of "Perry E. Metzger" . PGN] Many people have misconceptions about what Matt did. Based on his paper (no, you can't have a copy since he told me not to distribute it; I'm sure he'll release it when its ready for prime time) and discussions with him, the trick is this. [The Escrowed Encryption Standard is abbreviated as EES.] The LEAF acts much as an key to tell the EES unit that it should function. It contains three elements: 1) the 32 bit unit id of the EES unit generating the LEAF 2) the 80 bit session key, encrypted in the escrowed key for that unit. 3) a 16 bit checksum based on the unencrypted session key and the initialization vector (IV) for the session. All three components are concatenated to form a 128 bit unit, which is encrypted in the family key in order to produce the LEAF, reportedly using a unique mode of Skipjack. The remote unit takes in the LEAF, decrypts it with the family key, and checks the cleartext session key and IV to see if they produce the proper 16 bit checksum. If so, it accepts the LEAF and functions properly. Note that the encrypted key inside the LEAF is useless to the remote EES since it doesn't have the other EES's escrowed key. It has to rely on the cleartext session key and IV alone to check that the checksum looks right. Sadly for the NSA, the checksum is only 16 bits long. Given a session key and initialization vector, I can fairly quickly generate a large number of fake LEAFs (chosen at random) and find one that a captive EES unit will accept as being the right LEAF for a given session key/IV. The contents of the LEAF will be garbage, but the remote unit will not know that, and will happily go along with using it. I needn't know the family key, or even the checksum algorithm. The point here is, of course, that I can freely interoperate with non-rogue EES units -- I can communicate with non-subverted units without revealing my privates hidden beneath the LEAF. (sorry for the pun.) [*] By the way, Matt had to figure out the components of the checksum on his own -- the mechanism for calculating it and where it came from were not documented. BTW, for those who have asked, in case the preceding didn't make it clear, can't you just reuse an old LEAF or a stolen LEAF because the session key/IV won't correspond and the checksum won't be right -- you have to generate and test. Perry Metzger perry@imsi.com [end quoted message] [*] [Turning over a new LEAF is better than if you LEAF well enough alone, he suggested FIGuratively. PGN] From comp.risks Wed Jun 8 21:05:25 1994 Date: Sat, 4 Jun 94 22:35:29 -0400 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Flaw ? in Clipper This has already gotten out of hand on the Usenet. In simplest terms, what Matt Blaze found is that is is possible to spoof a CLIPPER LEAF (law enforcement access field). IMHO this is almost meaningless since *both* ends will need to do this (AFAIR each side sends a LEAF. If only one LEAF is spoofed, it will just be necessary for a legal tapper to use the other one). Thus to be effective, both ends will need special spoofing equipment and in that case they might as well use something other than Clipper. Even better use something different but prefix a valid Clipper LEAF. Right. Remember Occam's Gillette. Dr. Blase also mentioned that it would take about 20 minutes to come up with a valid checksum. Much easier would simply be to record a valid LEAF from another chip and use that. The most important element is that the SKIPJACK algorithm is in no way affected by this and is as strong as ever, only the government's ability to use the LEAF may be compromised. I still expect the government to drop key escrow when the hardware is ready and that there will still be two means available to defeat Clipper available to the government - without using any backdoor/trapdoor and without any weakness in SKIPJACK (see my earlier postings - one is similar to the way GSM can be tapped now). Personally, I feel that Clipper is a valuable mid-range low-announced- cost device that is "good enough for government work". PGP or triple DES used in combination with Clipper is a viable next step up. Padgett P.S. Anyone notice Enigma-Logic's announcement of a one-time-password-token emulation for the PC @ US$10/user (maybe less) ? Certainly an answer to sniffers. From comp.risks Wed Jun 8 21:05:44 1994 Date: Mon, 6 Jun 1994 19:29:45 -0700 From: sidney@taurus.apple.com (Sidney Markowitz) Subject: Blaze's Clipper paper available via ftp Matt Blaze is the AT&T researcher who has made the news recently for discovering a flaw in the Clipper protocol. I saw an announcement from him that a preliminary draft of his paper "Protocol Failure in the Escrowed Encryption Standard" is available via anonymous ftp from resarch.att.com in the file /dist/mab/eesproto.ps in PostScript format. He cautions that there will be a final version of the paper which will likely include additional material on the production version of the PCMCIA card, and that this draft is based on his examination of a prototype card. -- sidney markowitz From comp.risks Wed Jun 8 21:07:35 1994 Date: Tue, 7 Jun 1994 03:19:55 -0700 From: Paul Carl Kocher Subject: Re: Flaw in Clipper detected (Huggins, RISKS-16.11) Although I doubt people will modify devices with hard-wired Clipper chips, this is seems to be a very serious blow to Tessera (the government's PCMCIA card with a Clipper chip). Tessera has a standard programming interface that passes the programmer's calls to the encryption card. Any experienced assembly language programmer could easily add "support" for Blaze's technique for bypassing the LEAF (Law Enforcement Access Field) validation check. This could be done transparently and without significantly impacting performance. It could also fix up the side effects of the attack (e.g. the first block is bad in CBC mode, etc). Under MSDOS this could be done with a TSR that would intercept calls to the card directly, so it would work with all Tessera applications. The same TSR could also substitute pre-computed and/or brute-forced LEAFs for interoperability with non-cheating users. We were told that the reason for having escrowed keys and a secret algorithm was to keep terrorists from having strong crypto. Now the bad guys have full-strength SkipJack, the public has a flawed "standard," and because the algorithm is classified we can't look for other problems. I'm also wondering what's going on inside NSA -- DSS originally had alarmingly-small keys and has been widely criticized, SHA was defective, and now this... -- Paul Kocher kocherp@leland.stanford.edu From comp.society.cu-digest Wed Jun 8 21:09:40 1994 Date: Thu, Jun 2 1994 17:33:21 PDT From: Brock Meeks Subject: File 2--Jacking in from the SNAFU Port (Clipper Snafu update) ((Moderators' Note: The following article may not be reprinted or reproduced without the explicit consent of the author)). CyberWire Dispatch // Copyright (c) 1994 // Jacking in from the SNAFU Port: Washington, DC -- Matthew Blaze never intended to make the front page of the New York Times. He was just doing his job: Nose around inside the government's most secret, most revered encryption code to see if he could "break it." Blaze, a researcher for AT&T Bell Labs, was good at this particular job. Maybe a bit too good. Although he didn't actually "break" the code, he did bend the fuck out of it. That feat landed him a front page story in the June 2 issue of the New York Times. What Blaze found -- and quietly distributed among colleagues and federal agencies in a draft paper -- was that design bugs in Skipjack, the computer code that underlies the Clipper Chip encryption scheme, can be jacked around, and re-scrambled so that not even the Feds can crack it. This of course defeats the whole purpose of the Clipper Chip, which is to allow ONLY the government the ability to eavesdrop on Clipper encoded conversations, faxes, data transmissions, etc. What Blaze's research attacks is something called the LEAF, short for "Law Enforcement Access Field." The LEAF contains the secret access code needed by law enforcement agents to decode the scrambled messages. Blaze discovered that the LEAF uses only a 16- bit checksum, which is a kind of self-checking mathematical equation. When the checksum equations match up, the code is valid and everything's golden. The cops get to unscramble the conversations and another kiddie porn ring is brought to justice. (This is what the FBI will tell you... again and again and again and... ) But you can generate a valid 16-bit checksum in about 20 minutes, according to those crypto-rebels that traffic the Internet's Cypherpunks mailing list. "A 16-bit checksum is fucking joke," one cryptographic expert from the list told Dispatch. "If it weren't so laughable, I'd be insulted that all this tax payer money has gone into the R&D of something so flawed." But the New York Times got the story *wrong* or at least it gave only part of the story. "What the New York Times story didn't say was that the findings... had nothing to do with the Government standard, which covers voice, facsimile and low-speed data transmission," said an AT&T spokesman. AT&T was the first company to publicly support the Clipper Chip. A stance that was essentially bought and paid for by the U.S. government with the promise it would get big government contracts to sell Clipper equipped phones to Uncle Sam, according to documents previously obtained by Dispatch. The AT&T spokesman said the "frailty" that Blaze discovered doesn't actually exist in the Clipper Chip applications. "Our scientists, working with National Security Agency (NSA) scientists, were conducting research on proposed future extensions of the standard," he said. Those "future extensions" are the so-called Tessera chip, intended to be embedded in a PCMCIA credit card sized device that fits into a slot in your computer. When the NSA trotted out its Tessera card, it invited Blaze, among others, to review the technology, essentially becoming a beta-tester for the NSA. No formal contract was signed, no money changed hands. Blaze took on the job in a volunteer role. Using a prototype Tessera chip installed on a PCMCIA card, he broke the damn thing. AT&T claims the whole scenario is different from the Clipper because the LEAF generated by Clipper "is a real time application... with Tessera it's static," the spokesman said. He said Tessera would be used to encrypt stored communications or Email. "And with Tessera, the user has the ability to get at the LEAF," he said, "with Clipper, you don't." Blaze will deliver his paper, titled "Protocol Failure in the Escrowed Encryption Standard," this fall during the Fairfax Conference. His findings "should be helpful" to the government "as it explores future applications," of its new encryption technology the AT&T spokesman said. In our view, it's better to learn a technology's limitations while there's time to make revisions before the Government spends large sums to fund development programs." This is an important, if subtle statement. The Clipper Chip never underwent this type of "beta-testing," a fact that's drawn the ire of groups such as Computer Professionals for Social Responsibility (CPSR) and the Electronic Frontier Foundation (EFF). When the White House began to take hits over this ugly situation, it agreed to have an independent panel of experts review the classified code to check for any trapdoors. Those experts claim they found nothing fishy, but their report -- alas --has also been classified, leading to further demands for openness and accountability. The White House is stalling, naturally. But in an apparent about face, the NSA allowed an "open" beta- testing for Tess and -- surprise -- we find out there are bugs in the design. Okay, Pop Quiz time: Does the existence of "Blaze Bug" make you feel: (A) More secure about the government's claim that Clipper will only be used to catch criminals and not spy on the citizenry. (B) Less secure about everything you've ever been told about privacy and encryption by the Clinton Administration. (C) Like this entire episode is really an extended "Stupid Pet Tricks" gag being pulled by David Letterman. If you're still unsure about Clipper, check this quote from the AT&T spokesman: "It's worth noting that Clipper Chip wasn't subjected to this type of testing." Ah-huh... any questions? The NSA is trying to downplay the news. "Anyone interested in circumventing law enforcement access would most likely choose simpler alternatives," said Michael Smith, the agency's planning director, as quoted by the New York Times. "More difficult and time-consuming efforts, like those discussed in the Blaze paper, are very unlikely to be employed." He's right. Those "simpler alternatives" include everything from private encryption methods to not using a Clipper equipped phone or fax in the first place. (Of course, the FBI keeps insisting that criminals won't use any of this "simpler" knowledge because they are "dumb.") Despite the NSA's attempt to blow off these findings, the agency is grinding its gears. One NSA source told Dispatch that the Blaze paper is "a major embarrassment for the program." But the situation is "containable" he said. "There will be a fix." Dispatch asked if there would be a similar review of the Clipper protocols to see if it could be jacked around like Tess. "No comment," was all he said. Meeks out... From comp.society.cu-digest Wed Jun 8 21:11:20 1994 Date: Thu, Jun 2 1994 17:33:21 PDT From: Brock Meeks Subject: File 3--Jacking in from the "We Knew It All Along" Port (Clipper) ((Moderators' Note: The following article may not be reprinted or reproduced without the explicit consent of the author)). CyberWire Dispatch // Copyright (c) 1994 // Jacking in from the "We Knew It All Along" Port: Washington, DC -- The key technology underlying the Administration's Tessera "Crypto Card" was fatally flawed from its inception, Dispatch has learned. Government researchers working for the National Security Agency have known for months about the flaw, but purposefully withheld that information from the public, a government official acknowledged today to Dispatch. Cryptographic researchers at the super-secret NSA have known all along that the program used to scramble a key part of the government's Clipper system could be thwarted by a computer savvy user with 28 minutes of free time, according to an NSA cryptographic expert that spoke to Dispatch under the condition he not be identified. "Everyone here knew that the LEAF (Law Enforcement Access Field) could be fucked with if someone knew what they were doing," the NSA expert said. "We knew about the flaw well before it became public knowledge. What we didn't know is how long it would take an outside source to discover the flaw." In essence, the NSA decided to play a kind of high-tech cat and mouse game with a technology being hailed as the most secure in the world. So secure, the White House is asking the public to give up a degree of privacy because there's no chance it can be abused. "We figured [the presense of the flaw] was an acceptable risk," the NSA expert said. "If no one found out, we probably would have fixed it sooner or later," he said. "I can't imagine that we would have let that one slip through." But someone spoiled the end game. A 33-year-old AT&T scientist Matthew Blaze discovered the crack in the White House's increasingly crumbling spy vs. citizen technology. Acting as a kind of beta-tester, Blaze found several techniques that could be used to successfully thwart the LEAF, the encrypted data stream needed by law enforcement officers in order to identify what amounts to a social security number for each Clipper or Tessera chip. Once the LEAF is in hand, law enforcement agents then submit it to the "key escrow agents." These escrow agents are two government authorized agencies that keep watch over all the keys needed to descramble Clipper or Tessera encoded conversations, faxes or data transmissions. Without the keys from these two agencies, the law enforcement agents hear nothing but static. Without the LEAF, the agencies won't cough up the keys. Bottom line: If the LEAF is fucked, so is access to the scrambled communications. What Blaze so eloquently discovered is that someone with a modicum of knowledge could do was jack around with the LEAF, rendering it unusable. What Blaze didn't realize is that he was merely acting as an NSA stooge. But the methods discovered by Blaze, and outlined in a draft paper he'll later present this month during a high brow security shindig known as the Fairfax conference, are cumbersome. "The techniques used to implement (the work arounds) carry enough of a performance penalty, however, to limit their usefulness in real-time voice telephony, which is perhaps the government's richest source of wiretap-based intelligence," Blaze writes in his paper. Notice he says "limit" not "completely render useless." Important distinction. Are there other, faster, more clever ways to circumvent the LEAF? "If there are, I wouldn't tell you," the NSA crypto expert said. Shut Up and Chill Out ===================== The National Institute of Standards and Technology (NIST), the agency walking point for the White House on the Clipper issue, takes these revelations all in stride. Sort of a "shut up and chill out" attitude. The techniques described by Blaze "are very unlikely to be used in actual communications," a NIST spokeswoman said. Does that mean they could never be used? "It's very unlikely." NIST, when confronted with the fact that NSA researchers knew all along that the technology was broken, was unapologetic. "All sound cryptographic designs and products consider tradeoffs of one sort or another when design complexities, costs, time and risks are assessed," the NIST spokeswoman said. The Clipper family of encryption technologies "is no exception," she said. NIST said that the Tessera card "isn't a standard yet, so the process of testing it's integrity is ongoing." The technology in Tess is known as the Capstone chip, which, unlike the Clipper Chip, hasn't yet been accepted as a standard, NIST said. Flaws, therefore, are assumably just part of an ongoing game. The fact that the NSA knew about this flaw when it asked people like Blaze to test it was "just part of the ongoing testing procedure," the spokeswoman said. And if Blaze or some other idea hamster hadn't discovered the flaw? You make the call. What about Clipper? Are there such flaws in it? NIST says "no" because it has already been through "independent testing" and accepted as a standard. If there are flaws there, they stay put, or so it seems. Clipper's My Baby ================= Beyond the high risk crypto games the NSA has decided to play, there's another disturbing circumstance that could torpedo the Clipper before it's given its full sailing orders. This obstacle comes in the form of a patent dispute. Silvio Micali, a scientist at the massachusetts Institute of Technology says the Clipper is his baby. He claims to hold two crucial patents that make the Clipper tick. "We are currently in discussions with Mr. Micali," NIST said. "We are aware of his patent claims and we're in the process of addressing those concerns now," a NIST spokeswoman said. She wouldn't go into details about as to the extent of the talks, but obviously, the government is worried. They haven't flatly denied Micali's claims. If this all sounds like a bad nightmare, you're right. NIST ran into the same problems with its Digital Signature Standard, the technology they've adopted as a means to "sign" and verify the validly of electronic mail messages. Others jumped on the government's DSS standard, claiming they were owed royalties because they held patents on the technology. These discussions are still "ongoing" despite the government's adoption of the standard. The same situation is now happening with Clipper. One could make a case that Yogi Berra is the policy wonk for the Clipper program: "It's like deja vu all over again," Berra once said. So it is, Yogi... so it is. Meeks out... From comp.society.cu-digest Wed Jun 8 21:15:17 1994 Date: Thu, 2 June, 1994 23:54:21 EDT From: anon Subject: File 1--AT&T Lab Scientist Discovers Flaw in Clipper Chip (The government's proposed encryption technology may not be as secure as proponents want us to think. This might be of interest to you--anon). Scientist Insists U.S. Computer Chip has Big Flaw By John Markoff Extracted from the New York Times, June 2, 1994 Technology that the Clinton administration has been promoting for use by law enforcement officials to eavesdrop on electronically scrambled telephone and computer conversations is flawed and can be defeated, a computer scientist says. Someone with sufficient computer skills can defeat the government's technology by using it to encode messages so that not even the government can crack them, according to AT&T Bell Laboratories researcher Matthew Blaze. (The article explains the background to the fight to implement Clipper by the Clinton Adminstration as a means to help law enforcment, and notes that the technolgoy has been widely criticized by communications executives and others) The industry also fears foreign customers might shun equipment if Washington keeps a set of electronic keys. But now Blaze. as a result of his independent testing of Clipper, is putting forth perhaps the most compelling criticism yet: The technology simply doesn't work as advertised. Blaze spelled out his findings in a draft report that he has been ciculat-ing quietly among computer researchers and federal agencies in recent weeks. "The government is fighting an uphill battle," said Martin Hellman. a Stanford University computer scientist who has read Blaze's paper and who is an expert in data encryption. "People who want to work around Clipper will be able to do it." But the National Security Agency. the government's electronic spying agency, said Wednesday that Clipper remained useful, despite the flaw uncovered by Blaze. "Anyone interested in circumventing law enforcement access would most likely choose simpler alternatives," Michael Smith, the agency's director of policy. said in a written statement. "More difficult and time consuming efforts. like those discussed in the Blaze paper, are very unlikely to be employed." (The article summarizes the government's defense for Clipper) But industry executives have resisted adopting Clipper. Because the underlying mathematics of the technology remain a classified government secret, industry officials say there is no way to be certain that it is as secure as encoding techniques already on the market. They also fear that Clipper's electronic back door, which is designed for legal wiretapping of communications. could make it subject to abuse by the government or civilian computer experts. Privacy-rights advocates have cited similar concerns. Industry executives also have worried that making Clipper a fed-eral government standard would be a first step toward prescribing the technology for private industry or requiring that it be included in sophisticated computing and communications devices that are to be exported. Blaze said that the flaw he discovered in the Clipper design would not permit a third party to break a coded computer conversation. But it would enable two people to have a secret conversation that law enforcement officials could not unscramble. And that could render Clipper no more useful to the government than encryption technology already on the market to which it does not hold the mathematical keys. "Nothing I've found affects the security of the Clipper system from the point of view of people who might want to break the system." Blaze said. "This does quite the opposite. Somebody can use it to circumvent the law enforcement surveillance mechanism." The article concludes by noting that Blaze said that several simple changes to the Clipper design could fix the flow, but that this might be difficult because the changes would require the government to start over in designing clipper. The governmetn has already started ordering telephones containing the Clipper chip for federal agencies. From comp.risks Mon Jun 27 22:53:24 1994 Date: Thu, 16 Jun 1994 17:29:40 -0400 (EDT) From: ROBACK@ENH.NIST.GOV Subject: NIST Response to Blaze Attack on Clipper Note: The following material was released by NIST in response to recent articles regarding AT&T/Matt Blaze and the key escrow chip. A second more technical response follows. ------------------------- June 2, 1994 Contact: Anne Enright Shepherd (301) 975-4858 The draft paper by Matt Blaze* describes several techniques aimed at circumventing law enforcement access to key escrowed encryption products based on government-developed technologies. As Blaze himself points out, these techniques deal only with the law-enforcement feature, and in no way reduce the key escrow chips' inherent security and data privacy. -- "None of the methods given here permit an attacker to discover the contents of encrypted traffic or compromise the integrity of signed messages. Nothing here affects the strength of the system from the point of view of the communicating parties...." p. 7. Furthermore, Blaze notes that the techniques he is suggesting are of limited use in real-world voice applications. -- "28 minutes obviously adds too much latency to the setup time for real-time applications such as secure telephone calls." p. 7. -- "The techniques used to implement them do carry enough of a performance penalty, however, to limit their usefulness in real-time voice telephony, which is perhaps the government's richest source of wiretap- based intelligence." p. 8. Anyone interested in circumventing law enforcement access would most likely choose simpler alternatives (e.g., use other nonescrowed devices, or super encryption by a second device). More difficult and time-consuming efforts, like those discussed in the Blaze paper, merit continued government review -- but they are very unlikely to be employed in actual communications. All sound cryptographic designs and products consider trade-offs among design complexity, costs, time and risks. Voluntary key escrow technology is no exception. Government researchers recognized and accepted that the law enforcement access feature could be nullified, but only if the user was willing to invest substantial time and trouble, as the Blaze report points out. Clearly, the government's basic design objective for key escrow technology was met: to provide users with very secure communications that will still enable law enforcement agencies to benefit from lawfully authorized wiretaps. It is still the only such technology available today. Today, most Americans using telephones, fax machines, and cellular phones have minimal privacy protection. The key escrow technology -- which is available on a strictly voluntary basis to the private sector -- will provide the security and privacy that Americans want and need. * Statements from "Protocol Failure in the Escrowed Encryption Standard," May 20 draft report by Matt Blaze, AT&T Bell Laboratories ----- Note: The following provides additional technical material in response to questions regarding a recent paper by Matt Blaze on key escrow encryption. -------------------------------------- Technical Fact Sheet on Blaze Report and Key Escrow Encryption Several recent newspaper articles have brought attention to a report prepared by Dr. Matthew Blaze, a researcher at AT&T's Bell Labs. These articles characterize a particular finding in Blaze's report as a ~flaw~ in the U.S. government's key escrow encryption technology. None of the findings in Dr. Blaze's paper in any way undermines the security and privacy provided by the escrow encryption devices. The finding which has received the most publicity could allow a non-compliant or ~rogue~ application to send messages to compliant or ~non-rogue~ users which will not be accessible by law enforcement officials through the escrowed encryption standard field called the Law Enforcement Access Field (LEAF). Dr. Blaze's approach uses the openly disclosed fact that the LEAF contains 16-bit checkword to prevent rogue users from modifying the law enforcement access mechanism. This 16-bit checkword is part of the 128-bit LEAF, which also includes the enciphered traffic key and the unique chip identifier. Dr. Blaze's method is to randomly generate different 128-bit LEAFs until he gets one that passes the checkword. It will take on average 216, or 65,536 tries. This is not a formidable task; it could be done in less than an hour. Dr. Blaze questions the adequacy of a 16-bit checkword and suggests using a larger one, to ensure that the exhaustion attack would be so time consuming as to be impractical. The chip designers recognized the strengths and limitations of a 16-bit checkword. Following are the reasons why they chose to use a checkword of only 16 bits: * There were four fundamental considerations that the designers considered in choosing the LEAF parameters. These were: (1) ease of access by authorized law enforcement agencies, (2) impact on communications, (3) a sufficiently large identifier field which would not constrain manufacturers, and (4) the difficulty required to invalidate the LEAF mechanism by techniques such as those described by Dr. Blaze. * The purpose of the LEAF is to preserve law enforcement's ability to access communications in real-time. The encrypted traffic key, which enables them to do this, is 80 bits long. In addition to this 80-bit field, the LEAF must contain the unique identification number of the key escrow encryption chip doing the encryption. * The size of the identifier field was the subject of considerable deliberation. In the earliest considerations it was only 25 bits long. The chip designers recognized that 25 bits did not offer enough flexibility to provide for multiple manufacturers of key escrow devices. Different chip manufacturers would need manufacturer identifiers as well as their own chip identifiers to ensure that identifiers are unique. Eventually, the designers agreed that 32 bits would adequately meet this requirement. * In many environments, error-free delivery of data is not guaranteed, and there is considerable concern by communication engineers that requiring error-free transmission of a fixed field (the LEAF) could make the encryption device difficult to use. In early discussions with industry, they were opposed to any checkword. In the end, they agreed it would be acceptable if the size of the LEAF was restricted to 128 bits. This left 16 bits for a checkword to inhibit bypassing the LEAF. While recognizing the possibility of exhausting these 16 bits, the designers concluded that 16 bits are adequate for the first intended application. Security enhancements are being made for other applications, such as the TESSERA card. Note that computations are required to search for a matching checkword, which then has to be properly substituted into the communications protocol. The performance and cost penalties of the search operation are significant for telephone, radio, and other such applications, thus providing adequate protection against this technique for bypassing the LEAF. In summary: * Although this technique would allow one to bypass the LEAF, the security provided by the escrow encryption devices would not be altered. Users' information would still be protected by the full strength of the encryption algorithm. * Dr. Blaze was accurate in noting that these attacks are of limited effectiveness in real-time telephony. * When designing the key escrow chip, NSA emphasized sound security and privacy, along with user friendliness. The attacks described by Dr. Blaze were fully understood at the time of initial chip design. The use of 16 bits for the checkword was an appropriate choice in view of the constraints of a 128-bit LEAF. It provides excellent security for real-time telephone applications with high assurance that law enforcement's interests are protected. * Dr. Blaze's research was done using prototype TESSERA cards. As part of the family of planned releases/upgrades, NSA already has incorporated additional security safeguards into the production TESSERA cards to protect against the kinds of attacks described by Dr. Blaze. From comp.org.eff.news Mon Jul 25 21:26:37 1994 Xref: utcsri alt.2600:16422 alt.activism:71428 alt.activism.d:15373 alt.politics.datahighway:4663 alt.politics.org.nsa:769 alt.privacy:16436 alt.privacy.clipper:4702 alt.security.pgp:17665 alt.society.resistance:1937 alt.wired:11342 comp.org.cpsr.talk:1414 comp.org.eff.news:251 comp.org.eff.talk:36647 misc.legal:96328 sci.crypt:29823 talk.politics.crypto:6623 Path: utcsri!utnut!torn!spool.mu.edu!howland.reston.ans.net!cs.utexas.edu!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: alt.2600,alt.activism,alt.activism.d,alt.politics.datahighway,alt.politics.org.nsa,alt.privacy,alt.privacy.clipper,alt.security.pgp,alt.society.resistance,alt.wired,comp.org.cpsr.talk,comp.org.eff.news,comp.org.eff.talk,misc.legal,sci.crypt,talk.politics.crypto Subject: White House retreats on Clipper Date: 21 Jul 1994 13:04:03 -0500 Organization: UTexas Mail-to-News Gateway Lines: 161 Sender: nobody@cs.utexas.edu Approved: mech@eff.org Distribution: inet Message-ID: <199407211803.OAA13096@eff.org> NNTP-Posting-Host: news.cs.utexas.edu Yesterday, the Clinton Administration announced that it is taking several large, quick steps back in its efforts to push EES or Clipper encryption technology. Vice-President Gore stated in a letter to Rep. Maria Cantwell, whose encryption export legislation is today being debated on the House floor, that EES is being limited to voice communications only. The EES (Escrowed Encryption Standard using the Skipjack algorithm, and including the Clipper and Capstone microchips) is a Federal Information Processing Standard (FIPS) designed by the National Security Agency, and approved, despite a stunningly high percentage anti-EES public comments on the proposal) by the National Institute of Standards and Technology. Since the very day of the announcement of Clipper in 1993, public outcry against the key "escrow" system has been strong, unwavering and growing rapidly. What's changed? The most immediate alteration in the White House's previously hardline path is an expressed willingness to abandon the EES for computer applications (the Capstone chip and Tessera card), and push for its deployment only in telephone technology (Clipper). The most immediate effect this will have is a reduction in the threat to the encryption software market that Skipjack/EES plans posed. Additionally, Gore's letter indicates that deployment for even the telephone application of Clipper has been put off for months of studies, perhaps partly in response to a draft bill from Sens. Patrick Leahy and Ernest Hollings that would block appropriation for EES development until many detailed conditions had been met. And according to observers such as Brock Meeks (Cyberwire Dispatch) and Mark Voorhees (Voorhees Reports/Information Law Alert), even Clipper is headed for a fall, due to a variety of factors including failure in attempts to get other countries to adopt the scheme, at least one state bill banning use of EES for medical records, loss of NSA credibility after a flaw in the "escrowed" key system was discovered by Dr. Matt Blaze of Bell Labs, a patent infringement lawsuit threat (dealt with by buying off the claimant), condemnation of the scheme by a former Canadian Defense Minister, world wide opposition to Clipper and the presumptions behind it, skeptical back-to-back House and Senate hearings on the details of the Administration's plan, and pointed questions from lawmakers regarding monopolism and accountability. One of the most signigicant concessions in the letter is that upcoming encryption standards will be "voluntary," unclassified, and exportable, according to Gore, who also says there will be no moves to tighten export controls. Though Gore hints at private, rather than governmental, key "escrow," the Administration does still maintain that key "escrow" is an important part of its future cryptography policy. EFF would like to extend thanks to all who've participated in our online campaigns to sink Clipper. This retreat on the part of the Executive Branch is due not just to discussions with Congresspersons, or letters from industry leaders, but in large measure to the overwhelming response from users of computer-mediated communication - members of virtual communities who stand a lot to gain or lose by the outcome of the interrelated cryptography debates. Your participation and activism has played a key role, if not the key role, in the outcome thus far, and will be vitally important to the end game! Below is the public letter sent from VP Gore to Rep. Cantwell. ****** July 20, 1994 The Honorable Maria Cantwell House of Representatives Washington, D.C., 20515 Dear Representative Cantwell: I write to express my sincere appreciation for your efforts to move the national debate forward on the issue of information security and export controls. I share your strong conviction for the need to develop a comprehensive policy regarding encryption, incorporating an export policy that does not disadvantage American software companies in world markets while preserving our law enforcement and national security goals. As you know, the Administration disagrees with you on the extent to which existing controls are harming U.S. industry in the short run and the extent to which their immediate relaxation would affect national security. For that reason we have supported a five-month Presidential study. In conducting this study, I want to assure you that the Administration will use the best available resources of the federal government. This will include the active participation of the National Economic Council and the Department of Commerce. In addition, consistent with the Senate-passed language, the first study will be completed within 150 days of passage of the Export Administration Act reauthorization bill, with the second study to be completed within one year after the completion of the first. I want to personally assure you that we will reassess our existing export controls based on the results of these studies. Moreover, all programs with encryption that can be exported today will continue to be exportable. On the other hand, we agree that we need to take action this year to assure that over time American companies are able to include information security features in their programs in order to maintain their admirable international competitiveness. We can achieve this by entering into an new phase of cooperation among government, industry representatives and privacy advocates with a goal of trying to develop a key escrow encryption system that will provide strong encryption, be acceptable to computer users worldwide, and address our national needs as well. Key escrow encryption offers a very effective way to accomplish our national goals, That is why the Administration adopted key escrow encryption in the "Clipper Chip" to provide very secure encryption for telephone communications while preserving the ability for law enforcement and national security. But the Clipper Chip is an approved federal standard for telephone communications and not for computer networks and video networks. For that reason, we are working with industry to investigate other technologies for those applications. The Administration understands the concerns that industry has regarding the Clipper Chip. We welcome the opportunity to work with industry to design a more versatile, less expensive system. Such a key escrow system would be implementable in software, firmware, hardware, or any combination thereof, would not rely upon a classified algorithm, would be voluntary, and would be exportable. While there are many severe challenges to developing such a system, we are committed to a diligent effort with industry and academia to create such a system. We welcome your offer to assist us in furthering this effort. We also want to assure users of key escrow encryption products that they will not be subject to unauthorized electronic surveillance. As we have done with the Clipper Chip, future key escrow systems must contain safeguards to provide for key disclosure only under legal authorization and should have audit procedures to ensure the integrity of the system. Escrow holders should be strictly liable for releasing keys without legal authorization. We also recognize that a new key escrow encryption system must permit the use of private-sector key escrow agents as one option. It is also possible that as key escrow encryption technology spreads, companies may established layered escrowing services for their own products. Having a number of escrow agents would give individuals and businesses more choices and flexibility in meeting their needs for secure communications. I assure you the President and I are acutely aware of the need to balance economic an privacy needs with law enforcement and national security. This is not an easy task, but I think that our approach offers the best opportunity to strike an appropriate balance. I am looking forward to working with you and others who share our interest in developing a comprehensive national policy on encryption. I am convinced that our cooperative endeavors will open new creative solutions to this critical problem. Sincerely, Al Gore AG/gcs ****** -- Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G O P E N P L A T F O R M O N L I N E R I G H T S V I R T U A L C U L T U R E C R Y P T O From comp.org.eff.news Mon Jul 25 21:26:37 1994 Xref: utcsri comp.org.eff.news:252 comp.org.eff.talk:36701 Path: utcsri!utnut!cs.utexas.edu!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: comp.org.eff.news,comp.org.eff.talk Subject: EFFector Online 07.12 - Clipper hammered, IITF RFC, OP Passes House Date: 22 Jul 1994 18:18:37 -0500 Organization: UTexas Mail-to-News Gateway Lines: 1003 Sender: nobody@cs.utexas.edu Approved: mech@eff.org Distribution: inet Message-ID: <199407222318.TAA25897@eff.org> NNTP-Posting-Host: news.cs.utexas.edu ========================================================================= ________________ _______________ _______________ /_______________/\ /_______________\ /\______________\ \\\\\\\\\\\\\\\\\ \ ||||||||||||||||| / //////////////// \\\\\\\\\\\\\\\\\/ ||||||||||||||||| / //////////////// \\\\\\_______/\ ||||||_______\ / //////_____\ \\\\\\\\\\\\\ \ |||||||||||||| / ///////////// \\\\\\\\\\\\\/____ |||||||||||||| / ///////////// \\\\\___________/\ ||||| / //// \\\\\\\\\\\\\\\\ \ ||||| / //// \\\\\\\\\\\\\\\\/ ||||| \//// ========================================================================= EFFector Online Volume 07 No. 12 July 22, 1994 editors@eff.org A Publication of the Electronic Frontier Foundation ISSN 1062-9424 In This Issue: EFF Analysis of Vice-President Gore's Letter on Cryptography Policy EFF Reactions to Encryption Standards & Procedures Act (07/12/94 Draft) NSA Letter to Sen. Hollings Re: Clipper Appropriation Draft Bill Interoperability Demo - ISDN and Internet PPP EFF Congratulates Rep Markey on Passage of Open Platform Bill HR3636 US ACM Calls for Clipper Withdrawal, Releases Crypto Policy Report IITF Intellectual Property Draft Report - Request for Comments New Faces at EFF - Robin Abner (Membership), Darby Costello (Finance) What YOU Can Do ---------------------------------------------------------------------- ~Subject: EFF Analysis of Vice-President Gore's Letter on Cryptography Policy ---------------------------------------------------------------------------- July 22, 1994 Two days ago, Vice-President Al Gore signaled a major setback in the Administration's Clipper program, and a willingness to engage in serious negotiations leading to a comprehensive new policy on digital privacy and security. Many questions remain about the future, but one thing is certain: Clipper is a dead end, and those of us who are concerned about digital privacy have won a new opportunity to shape a better policy. The Vice-President's letter to Rep. Maria Cantwell (D-WA) made it clear that while Clipper might have a small place in the telephone security market, it has no future in the digital world. "...[T]he Clipper Chip is an approved federal standard for telephone communications and not for computer networks and video networks. For that reason, we are working with industry to investigate other technologies for those applications.... We welcome the opportunity to work with industry to design a more versatile, less expensive system. Such a key escrow system would be implementable in software, firmware, hardware, or any combination thereof, would not rely upon a classified algorithm, would be voluntary, and would be exportable." Clipper does not meet most of these criteria, so, according to the Vice- President, it is a dead end. END OF THE LINE FOR CLIPPER -- LONG-RUN EFFORT TO DRIVE MARKET WILL FAIL The premise of the Clipper program was that the government could drive the market toward use of encryption products which incorporated government-based key escrow agents. A series of subtle and not so subtle government actions would encourage private citizens to use this technology, thus preserving law enforcement access to encrypted communications. Clipper was originally announced as the first element of a family of hardware-based, government key escrow encryption devices that would meet security needs for both voice and data communications on into the future. Clipper itself was purely a voice and low-speed data product, but other members of the Skipjack family, including Tessera and Capstone, were to be compatible with Clipper and were intended to lead the way from escrowed encryption in voice to escrowed encryption for data. Plans are already announced, in fact, to use Tessera and Capstone in large government email networks. At the time, the hope was that government use of this technology would push private sector users toward key escrow systems as well. Now, the announcement that the Administration is re-thinking plans for data encryption standards leaves Clipper a stranded technology. No one wants to buy, or worse yet, standardize on, technology which has no upgrade path. As a long-run effort to force the market toward government-escrowed encryption standards, Clipper is a failure. WE STILL MUST WORK FOR VOLUNTARY, OPEN, EXPORTABLE STANDARDS The fight for privacy and security in digital media is by no means over. Though the Administration has backed away from Clipper, and expressed willingness to talk about other solutions, we are pursuing serious progress on the following issues: * Improved telephone encryption standards For the reasons listed by the Vice-President, in addition to the inherent problems of making copies of all your keys available, Clipper is a poor choice for telephone encryption. Industry should develop a standard for truly secure and private telephones, make them available from multiple manufacturers worldwide, and make them interoperate securely with audio conferencing software on multimedia PC's. * Truly voluntary standards Any cryptographic standard adopted by the government for private sector use must be truly voluntary. Voluntary means, to us, that there are statutory guarantees that no citizen will be required or pressured into using the standard for communications with the government, or with others. No government benefits, services, or programs should be conditioned on use of a particular standard, especially if it involves government or private key escrow. * Open standards Standards chosen must be developed in an open, public process, free from classified algorithms. The worldwide independent technical community must be able to create and evaluate draft standards, without restriction or government interference, and without any limits on full participation by the international cryptographic community. * No government escrow systems Any civilian encryption standard which involves government getting copies of all the keys poses grave threats to privacy and civil liberties, and is not acceptable in a free society. * Liberalization of export controls Lifting export controls on cryptography will make the benefits of strong cryptography widely available to our own citizens. U.S. hardware, software and consumer electronics manufacturers will build encryption into affordable products once they are given access to a global marketplace. Today's widespread availability of "raw" cryptographic technology both inside and outside the United States shows that the technology will always be available to "bad guys". The real question is whether our policies will allow encryption to be built into the fabric of our national and international infrastructure, to provide significantly increased individual privacy, improved financial privacy, increased financial security, enhanced freedom of association, increased individual control over identity, improved security and integrity of documents, contracts, and licenses, reduced fraud and counterfeiting, the creation of significant new markets for buying and selling of intellectual property, and a lessened ability to detect and prosecute victimless crimes. These benefits are not free, however. EFF does recognize that new communications technologies pose real challenges to the work of law enforcement. Just as the automobile, the airplane, and even the telephone created new opportunities for criminal activity, and new difficulties for law enforcement, encryption technology will certainly require changes in traditional investigative techniques. We also recognize that encryption will prevent many of the online crimes that will likely occur without it. We further believe that these technologies will create new investigative tools for law enforcement, even as they obsolete old ones. Entering this new environment, private industry, law enforcement, and private citizens must work together to balance the requirements of both liberty and security. Finally, the export controls used today to attempt to control this technology are probably not Constitutional under the First Amendment; if the problems of uncontrolled export are too great, a means of control must be found which does not restrict free expression. CONGRESSIONAL LEADERSHIP TOWARD COMPREHENSIVE POLICY FRAMEWORK IS CRITICAL The efforts of Congresswoman Maria Cantwell, Senator Patrick Leahy, and other members of Congress, show that comprehensive policies on privacy, security and competitiveness in digital communication technologies can only be achieved with the active involvement of Congress. Unilateral policy efforts by the Executive branch, such as Clipper and misguided export control policies, will not serve the broad interests of American citizens and businesses. So, we are pleased to see that the Vice-President has pledged to work with the Congress and the private sector in shaping a forward-looking policy. We see the Vice-President's letter to Congresswoman Cantwell as an important opening for dialogue on these issues. The principles of voluntariness and open standards announced in the Vice- President's letter, as well as those mentioned here, must be incorporated into legislation. We believe that under the leadership of Senator Leahy, Reps. Cantwell, Valentine, Brooks and others, this will be possible in the next congress. EFF is eager to work with the Congress, the Administration, along with other private sector organizations to help formulate a new policy. EFF is also pleased to be part of the team of grass roots activism, industry lobbying, and public interest advocacy which has yielded real progress on these issues. FOR MORE INFORMATION CONTACT: Jerry Berman, Executive Director Daniel J. Weitzner, Deputy Policy Director For the full text of the Gore/Cantwell letter, see: ftp.eff.org, /pub/Alerts/gore_clipper_retreat_cantwell_072094.letter gopher.eff.org, 1/Alerts, gore_clipper_retreat_cantwell_072094.letter http://www.eff.org/pub/Alerts/gore_clipper_retreat_cantwell_072094.letter ------------------------------ ~Subject: EFF Reactions to Encryption Standards & Procedures Act (Draft) ----------------------------------------------------------------------- The staff of the House Science, Space, and Technology Committee has just released a draft bill which would create a somewhat more public process for establishment of Clipper-like escrowed encryption systems. Entry of the Congress into this policy debate is a welcome change after 18 months of one-sided Executive Branch edicts. However, considerable changes would be required before the legislation would meet EFF's goals for a truly open federal encryption policy which preserves the right of private individuals to use any form of encryption, without restriction or penalty. Despite its promise of an open process, this bill is by no means a repudiation of the Clipper program, In fact, it enshrines in legislation several key aspects of the Clipper policy. However, inasmuch as the bill seeks to establish NIST authority to develop escrow encryption systems, it raises real questions about whether NIST or other agencies have any authority now to spend federal funds on escrow encryption systems. Overview of the bill: The bill directs the Department of Commerce, through the National Institute of Standards and Technology, to issue escrowed encryption standards. The standards issued would be subject to public comment and afford the opportunity for judicial review under the terms of the Administrative Procedures Act. Similar procedures created for the designation of government key escrow agents. Several aspects of the Clinton Administration's approach to cryptography policy are accepted by this bill: 1. Absolute preservation of law enforcement and national security access By this bill, any encryption standards adopted must "preserve the functional ability of the government to interpret, in a timely manner, electronic information that has been obtained pursuant to an electronic surveillance permitted by law." Sec 31(b)(2)(E). 2. Weak privacy protection The bill specifies that standards adopted should advance the development of the NII, but offers only qualified support for privacy. Standards should are only required to go so far as to not "diminish existing privacy rights...." Sec 31(b)(2)(D). 3. Increased role for National Security Agency in civilian privacy and security matters The bill establishes a permanent role for the National Security Agency in the creation of privacy and security standards for use by the private sector. Currently, under the Computer Security Act, NIST is encouraged to consult with the NSA on matters of federal systems security and to draw "computer system technical security guidelines developed by the National Security Agency to the extent that the National Bureau of Standards determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems." This would explicitly extend the NSA role from federal systems to systems intended for public, civilian use. As such, this is a major change in the Computer Security Act. Issues to be addressed in draft: To create a truly open policy process, to protect privacy, and to ensure the development of the best privacy-protecting technology possible, the bill should be augmented with the following provisions: 1. Voluntary standards Any legislation on encryption standards must guarantee that no one will be required to use such standards, nor will use of other encryption standards be curtailed by law. Furthermore, federal encryption policy should guarantee that access to government programs, opportunities, or even the ability to communicate with the government, should never be conditioned on the use of any escrowed encryption standard. From the first announcement of the Clipper program, the Clinton Administration has assured the public that escrowed encryption would remain voluntary. This promise must be included in legislation. 2. Open design process The draft bill does call for an open process for formation of encryption standards. Legislation should make explicit that an open process means that no classified algorithms or technologies may be included. Though there was public comment on the Escrowed Encryption FIPS (the Clipper Federal Information Processing Standard), public process in that case was meaningless because the core technology remained behind a veil of secrecy. 3. Remedies for negligence or abuse by escrow agents As drafted, the proposal drastically limits the liability of federal escrow agents for all but "willful" abuse by federal employees. The escrow agents must also be responsible for unauthorized release of keys because of the actions of private individuals or because of negligent practices by government agents. 4. Exploration of voluntary, private sector escrow agents Finally, if the government is going to adopt a government-based escrow system, it should also be required to explore the possibility of private party escrow systems based on open standards. The full text of the draft bill is available from EFF's archives: ftp.eff.org, /pub/EFF/Policy/Crypto/encryp_stds_procedures_94_bill.draft gopher.eff.org, 1/EFF/Policy/Crypto/encryp_stds_procedures_94_bill.draft http://www.eff.org/pub/EFF/Policy/Crypto/encryp_stds_procedures_94_bill.draft ------------------------------ ~Subject: NSA Letter to Sen. Hollings Re: Clipper Appropriations Draft Bill -------------------------------------------------------------------------- NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE Fort George G. Meade, Maryland 20755 8 July 1994 Honorable Ernest P. Hollings Chairman, Subcommittee on Commerce, Justice, State and Judiciary Committee on Appropriations United States Senate Washington, DC 20510-6027 Dear Senator Hollings: We recently received a copy of a draft amendment that Senator Leahy proposed to you that would condition expenditure of appropriated funds for key escrow encryption (including the CLIPPER Chip) on satisfaction of several requirements. This language will have a major impact on the Administration's overall key escrow strategy. We are very concerned about several aspects of the proposal. Most importantly, this language would cause significant delays (perhaps two years or more) in the introduction and use of escrowed key encryption products. With such a delay, alternative, non-escrow cryptographic products likely would become the norm in the United States and perhaps abroad as well. Widespread use of non-escrowed encryption could irretrievably damage our ability to encourage the use of key escrow encryption, putting at risk law enforcement effectiveness and critical foreign intelligence activities. Another very significant concern is the impact of delays on major Defense Department programs to secure its information systems that process information regarding funds transfers, personnel data, medical files, logistics support, and much more. Since most of that information today is processed, transferred, and stored on unclassified and unprotected computing and telecommunications systems, it is extremely vulnerable. The threat to these systems is real. Already, some of our systems have been penetrated. While we do not know who penetrated the systems, we believe potential threats include foreign intelligence activities, criminals, terrorists, and hackers. In addition to potential threats from external entities, network/computer attacks could also be initiated by "insiders". Network/computer protection within DoD is a fundamental military readiness issue and the need for security products is immediate. The DoD is implementing a major program to help protect unclassified but sensitive information in the Defense Messaging System (DMS) through the use of key escrow technology. Programming has already begun on the first set of over 22,000 protection devices for this application. Key escrow products will provide privacy, authentication, and data integrity solutions for critical information system [sic]. At the same time, escrowing of keys will preserve a mechanism for law enforcement organizations to access these systems when lawfully authorized, e.g., in connection with investigations of possible fraud. Delays in the process could have sever, negative consequences for DMS. In summary, key escrow encryption technology is vital to the Defense Department's operational readiness and its ability to conduct day-to-day activities, and we cannot afford to delay implementation of these critical security products. I recognize that you may have other questions and we are prepared to meet with you at your convenience on this matter. I have sent a similar letter to Senator Domenici. /s/ J.M. McConnell Vice Admiral, U.S. Navy Director, NSA ------------------------------ ~Subject: Interoperability Demo - ISDN and Internet PPP ------------------------------------------------------ PRESS RELEASE ISDN PPP INTEROPERABILITY DEMO GAITHERSBURG, MD, JUNE 24, 1994 -- Today at the NIUF, seven ISDN equipment vendors demonstrated interoperable local and wide area network connectivity using Point-to-Point Protocol (PPP) over ISDN. This crucial step opens the way to grand-scale interoperability of ISDN LAN connection equipment. "National ISDN 1 and 2 worked on standardized connectivity at the circuit level, but that wasn't enough. Users need applications to launch connections, and remote LAN access applications are standardizing around PPP. This interoperability demonstration puts these vendors ahead of other ISDN vendors, who better get with it or get left out" (according to Jay Batson, Senior Analyst with Network Strategy Service at Forrester Research). Seven leading US, Canadian and European vendors demonstrated interoperable ISDN remote access to LANs: AccessWorks Communications Inc. Cisco Systems, Inc. DigiBoard, Inc. Gandalf Technologies, Inc. IBM Corp. netCS Informationstechnik GmbH Network Express Vendors and end-users accessed Internet, read their e-mail, and sent files back home as part of the demonstration. "For the first time, telecommuters and branch office users can choose the equipment that they prefer. Everyone can get their equipment from different vendors, but it all works together", said Jake Jacobson, Manager of Advanced Communication Laboratories at JPL. Using Basic Rate ISDN lines and LAN attachments provided by the US National Institute for Standards and Technology (NIST), vendors interconnected their devices and attached to local and remote LANs. As part of the demonstration, vendors and end users accessed Internet, read their e-mail, and sent files back home. End users and vendors alike agreed that this will greatly promote rapid expansion of telecommuting, remote Internet access, branch office connectivity, and other useful applications. "The European ISDN Users Forum has also sanctioned PPP as the official interoperability standard" said Rick Kuhlbars of netCS, Berlin, Germany PPP is a set of protocols recommended by the Internet Engineering Task Force (IETF) that allows LAN connection equipment to negotiate which features and protocols will be supported by both ends of a connection. PPP is rapidly becoming a standard for LAN connections since it allows dissimilar products to quickly negotiate which features will be selected for a particular connection. Some reactions: "Global trade requirements and business relationships compel us to interoperate using these kinds of standards based procedures." - Stan Kluz, Lawrence Livermore National Laboratory. "This allows us to have students, faculty and staff select a wider array of equipment and maintain interoperability with both Ameritech's switches as well as the University's emerging ISDN dial in pools." - Dory Leifer, University of Michigan. "For the first time, users now have ISDN networking plug and play. Vendors' network products which support these specifications assure that they can access networks without concern as to what ISDN networking equipment is in use on the network end." - Jeff Fritz, West Virginia University, Chairman of the Enterprise Network Data Interconnectivity Family (ENDIF), a working group of NIUF. NIUF - the North American ISDN User's Forum is an association of ISDN vendors, users, and service providers working together to promote and improve the use of ISDN in North America. Contacts for additional information: Reggie Best, AccessWorks Communications Inc., (800) 248-8204, rbest@accessworks.com. Kevin Dickson, Cisco Systems, (415) 326-1941, kdickson@cisco.com. Bob Downs, ENDIF liaison to IETF, Combinet, (408) 522-9020, bdowns@combinet.com. Jeff Fritz, ENDIF Chairman, West Virginia Univ., (304) 293-2060, jfritz@wvnvm.wvnet.edu. Douglas Frosst, Gandalf, Ontario, Canada, (613) 723-6500, dfrosst@gandalf.ca. Rick Kuhlbars, netCS, Berlin, Germany, 49.30/856 999-0, rick@netcs.com. Randy Sisto, Network Express, (313) 761-5005, rsisto@nei.com. Julie Thomtez, DigiBoard, (612) 943-9020, juliet@digibd.com. IBM, IBM ISDN Information, (919) 254-ISDN. Respectfully Submitted, Gerry Hopkins, ENDIF ViceChair acting for the Secretary ------------------------------ ~Subject: EFF Congratulates Rep Markey on Passage of Open Platform Bill HR3636 ----------------------------------------------------------------------------- Earlier this month, the House of Representatives has passed both HR 3636 and 3626. HR 3636, the Markey/Fields bill, is based on EFF's Open Platform Proposal. HR 3626 passed on a vote of 423 to 5 (7 not voting). HR 3636 passed on a vote of 423 to 4 (8 not voting). No amendments were offered to either bill on the Floor. After the votes, the bills were ordered to be combined into one bill, which will be sent to the Senate. The Senate is currently considering its own similar legislation. Electronic Frontier Foundation praises passage of House Telecommunications Bill (HR 3636), in combination with the Antitrust Reform Act (HR 3626). Key provisions of the bill will provide affordable access to multimedia network services for the American public ****** The Electronic Frontier Foundation (EFF) is pleased that the US House of Representatives has passed major telecommunications legislation, and commends all who have worked on the bill, especially Chairman Ed Markey (D-MA). Key provisions of the legislation ensure that Open Platform service will be made widely available to all Americans, as the first step in the development of an interactive, multimedia information infrastructure. "Under the Open Platform services sections, the Federal Communications Commission is required to issue regulations which make switched, digital telecommunications service available and affordable for the American public in the near term," explained Daniel J. Weitzner, Deputy Policy Director of EFF. Many of the multimedia services that will help increase educational opportunity in our schools, provide access to library resources, enable distance learning, and support telecommuting, can be delivered over network services that are available today. Yet, telecommunications carriers have been slow in offering these services to the public. While an interactive broadband network should be our long term policy goal, there is no reason to wait for broadband to reap the benefits of digital technologies such as ISDN available in the network today. "Guided by Congress, FCC action to cause deployment and tariffing of Open Platform services will dramatically enhance American's access to multimedia information sources, " said Weitzner. Mitchell Kapor, Chairman of the Board of the Foundation, praised the efforts of Chairman Markey (D-MA) and said that an information infrastructure "built based on Open Platform principles will be a vibrant web of communications and information that enhance free speech and democratic discourse. Open architecture will also enable the NII to be the site of innovation, economic growth, and job creation." HR 3636 recognizes that advanced telecommunications services are becoming more important for individuals and public institutions and that the definition of universal service should evolve over time to ensure affordable access to such advanced services for all Americans. The bill provides that Open Platform service should be considered as the next step in the evolution of universal service. We can hope that in many circumstances a more competitive market will provide high quality access at low prices for many parts of the country. A flexible definition of universal service will help ensure that where the market fails to provide minimum acceptable levels of service, careful tailored regulation will help fill the void. For all of these reasons, the Open Platform sections have been enthusiastically supported by a diverse coalition of public interest groups and key players in the computer and communications industries. "The job of ensuring openness and access to the NII is only just beginning, but the Open Platform services that made possible by the bill take a decisive first step in the right direction," said Weitzner. Contacts: Jerry Berman, Executive Director, Internet: Daniel J. Weitzner, Deputy Policy Director, Internet: Telephone: v: 202-347-5400 f: 202-393-5509 ****** June 28, 1994 Hon. Edward Markey, Chairman House Telecommunications & Finance Subcommittee 316 Ford House Office Building Washington, DC 20150 Dear Chairman Markey, We want to congratulate you and Representative Fields on the passage of HR 3636 and to thank you for efforts and foresight in support of the Open Platform sections of the bill. Built based on Open Platform principles, the NII will be a vibrant web of communications and information that enhance free speech and democratic discourse. Such an open environment will also enable the NII to be the site of innovation, economic growth, and job creation. Under the Open Platform services sections, the Federal Communications Commission is required to issue regulations which make switched, digital telecommunications service available and affordable for the American public in the near term. As you know, many of the multimedia services that will help increase educational opportunity in our schools, provide access to library resources, enable distance learning, and support telecommuting, can be delivered over network services that are available today. Yet, telecommunications carriers have been slow in offering these services to the public. While an interactive broadband network should be our long term policy goal, there is no reason to wait for broadband to reap the benefits of digital technologies such as ISDN available in the network today. Guided by Congress, FCC action to cause deployment and tariffing of Open Platform services will dramatically enhance American's access to multimedia information sources. Widely available Open Platform services will also help jump start that multimedia information and communications market place. HR 3636 recognizes that advanced telecommunications services are becoming more important for individuals and public institutions and that the definition of universal service should evolve over time to ensure affordable access to such advanced services for all Americans. The bill, thus, provides that Open Platform service should be considered as the next step in the evolution of universal service. We can hope that in many circumstances a more competitive market will provide high quality access at low prices for many parts of the country. Your work in creating a flexible definition of universal service will help ensure that where the market fails to provide minimum acceptable levels of service, careful tailored regulation will help fill the void. For all of these reasons, the Open Platform sections have been enthusiastically supported by a diverse coalition of public interest groups and key players in the computer and communications industries. The job of ensuring openness and access to the NII is only just beginning, but the Open Platform services that you have made possible take a decisive first step in the right direction. Again, we commend you and your colleagues for supporting the Open Platform services sections and promise to continue to work with you to ensure enactment of comprehensive telecommunications legislation with strong Open Platform provisions this year. Sincerely, Jerry Berman Executive Director ------------------------------ ~Subject: US ACM Calls for Clipper Withdrawal, Releases Crypto Policy Report --------------------------------------------------------------------------- ~From: US ACM, DC Office U S A C M Association for Computing Machinery, U.S. Public Policy Committee * PRESS RELEASE * Thursday, June 30, 1994 Contact: Barbara Simons (408) 463-5661, simons@acm.org (e-mail) Jim Horning (415) 853-2216, horning@src.dec.com (e-mail) Rob Kling (714) 856-5955, kling@ics.uci.edu (e-mail) COMPUTER POLICY COMMITTEE CALLS FOR WITHDRAWAL OF CLIPPER COMMUNICATIONS PRIVACY "TOO IMPORTANT" FOR SECRET DECISION-MAKING WASHINGTON, DC The public policy arm of the oldest and largest international computing society today urged the White House to withdraw the controversial "Clipper Chip" encryption proposal. Noting that the "security and privacy of electronic communications are vital to the development of national and international information infrastructures," the Association for Computing Machinery's U.S. Public Policy Committee (USACM) added its voice to the growing debate over encryption and privacy policy. In a position statement released at a press conference on Capitol Hill, the USACM said that "communications security is too important to be left to secret processes and classified algorithms." The Clipper technology was developed by the National Security Agency, which classified the cryptographic algorithm that underlies the encryption device. The USACM believes that Clipper "will put U.S. manufacturers at a disadvantage in the global market and will adversely affect technological development within the United States." The technology has been championed by the Federal Bureau of Investigation and the NSA, which claim that "non-escrowed" encryption technology threatens law enforcement and national security. "As a body concerned with the development of government technology policy, USACM is troubled by the process that gave rise to the Clipper initiative," said Dr. Barbara Simons, a computer scientist with IBM who chairs the USACM. "It is vitally important that privacy protections for our communications networks be developed openly and with full public participation." The USACM position statement was issued after completion of a comprehensive study of cryptography policy sponsored by the ACM (see companion release). The study, "Codes, Keys and Conflicts: Issues in U.S Crypto Policy," was prepared by a panel of experts representing various constituencies involved in the debate over encryption. The ACM, founded in 1947, is a 85,000 member non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact of that technology on the world's major social challenges. USACM was created by ACM to provide a means for presenting and discussing technological issues to and with U.S. policymakers and the general public. For further information on USACM, please call (202) 298-0842. USACM Position on the Escrowed Encryption Standard The ACM study "Codes, Keys and Conflicts: Issues in U.S Crypto Policy" sets forth the complex technical and social issues underlying the current debate over widespread use of encryption. The importance of encryption, and the need for appropriate policies, will increase as networked communication grows. Security and privacy of electronic communications are vital to the development of national and international information infrastructures. The Clipper Chip, or "Escrowed Encryption Standard" (EES) Initiative, raises fundamental policy issues that must be fully addressed and publicly debated. After reviewing the ACM study, which provides a balanced discussion of the issues, the U.S. Public Policy Committee of ACM (USACM) makes the following recommendations. 1. The USACM supports the development of public policies and technical standards for communications security in open forums in which all stakeholders -- government, industry, and the public -- participate. Because we are moving rapidly to open networks, a prerequisite for the success of those networks must be standards for which there is widespread consensus, including international acceptance. The USACM believes that communications security is too important to be left to secret processes and classified algorithms. We support the principles underlying the Computer Security Act of 1987, in which Congress expressed its preference for the development of open and unclassified security standards. 2. The USACM recommends that any encryption standard adopted by the U.S. government not place U.S. manufacturers at a disadvantage in the global market or adversely affect technological development within the United States. Few other nations are likely to adopt a standard that includes a classified algorithm and keys escrowed with the U.S. government. 3. The USACM supports changes in the process of developing Federal Information Processing Standards (FIPS) employed by the National Institute of Standards and Technology. This process is currently predicated on the use of such standards solely to support Federal procurement. Increasingly, the standards set through the FIPS process directly affect non-federal organizations and the public at large. In the case of the EES, the vast majority of comments solicited by NIST opposed the standard, but were openly ignored. The USACM recommends that the standards process be placed under the Administrative Procedures Act so that citizens may have the same opportunity to challenge government actions in the area of information processing standards as they do in other important aspects of Federal agency policy making. 4. The USACM urges the Administration at this point to withdraw the Clipper Chip proposal and to begin an open and public review of encryption policy. The escrowed encryption initiative raises vital issues of privacy, law enforcement, competitiveness and scientific innovation that must be openly discussed. 5. The USACM reaffirms its support for privacy protection and urges the administration to encourage the development of technologies and institutional practices that will provide real privacy for future users of the National Information Infrastructure. ****** Association for Computing Machinery PRESS RELEASE Thursday, June 30, 1994 Contact: Joseph DeBlasi, ACM Executive Director (212) 869-7440 Dr. Stephen Kent, Panel Chair (617) 873-3988 Dr. Susan Landau, Panel Staff (413) 545-0263 COMPUTING SOCIETY RELEASES REPORT ON ENCRYPTION POLICY "CLIPPER CHIP" CONTROVERSY EXPLORED BY EXPERT PANEL WASHINGTON, DC A panel of experts convened by the nation's foremost computing society today released a comprehensive report on U.S. cryptography policy. The report, "Codes, Keys and Conflicts: Issues in U.S Crypto Policy," is the culmination of a ten-month review conducted by the panel of representatives of the computer industry and academia, government officials, and attorneys. The 50-page document explores the complex technical and social issues underlying the current debate over the Clipper Chip and the export control of information security technology. "With the development of the information superhighway, cryptography has become a hotly debated policy issue," according to Joseph DeBlasi, Executive Director of the Association for Computing Machinery (ACM), which convened the expert panel. "The ACM believes that this report is a significant contribution to the ongoing debate on the Clipper Chip and encryption policy. It cuts through the rhetoric and lays out the facts." Dr. Stephen Kent, Chief Scientist for Security Technology with the firm of Bolt Beranek and Newman, said that he was pleased with the final report. "It provides a very balanced discussion of many of the issues that surround the debate on crypto policy, and we hope that it will serve as a foundation for further public debate on this topic." The ACM report addresses the competing interests of the various stakeholders in the encryption debate -- law enforcement agencies, the intelligence community, industry and users of communications services. It reviews the recent history of U.S. cryptography policy and identifies key questions that policymakers must resolve as they grapple with this controversial issue. The ACM cryptography panel was chaired by Dr. Stephen Kent. Dr. Susan Landau, Research Associate Professor in Computer Science at the University of Massachusetts, co-ordinated the work of the panel and did most of the writing. Other panel members were Dr. Clinton Brooks, Advisor to the Director, National Security Agency; Scott Charney, Chief of the Computer Crime Unit, Criminal Division, U.S. Department of Justice; Dr. Dorothy Denning, Computer Science Chair, Georgetown University; Dr. Whitfield Diffie, Distinguished Engineer, Sun Microsystems; Dr. Anthony Lauck, Corporate Consulting Engineer, Digital Equipment Corporation; Douglas Miller, Government Affairs Manager, Software Publishers Association; Dr. Peter Neumann, Principal Scientist, SRI International; and David Sobel, Legal Counsel, Electronic Privacy Information Center. Funding for the cryptography study was provided in part by the National Science Foundation. The ACM, founded in 1947, is a 85,000 member non-profit educational and scientific society dedicated to the development and use of information technology, and to addressing the impact of that technology on the world's major social challenges. For general information, contact ACM, 1515 Broadway, New York, NY 10036. (212) 869-7440 (tel), (212) 869-0481 (fax). Information on accessing the report electronically will be posted soon on Usenet. ------------------------------ ~Subject: IITF Intellectual Property Draft Report - Request for Comments ----------------------------------------------------------------------- The Information Infrastructure Task Force (IITF) working group on Intellectual Property Rights has released their preliminary draft report for public review and comment. The paper, "Intellectual Property and the National Information Infrastructure," is available from the Patent & Trademark Office via anonymous FTP from ftp.uspto.gov in /pub/nii-ip or on the Web at URL http://www.uspto.gov/ Comments may be sent electronically to nii-ip@uspto.gov; the deadline for comments is September 7, 1994. ------------------------------ ~Subject: New Faces at EFF: Robin Abner (Membership), Darby Costello (Finance) ----------------------------------------------------------------------------- Robin Abner - Director of Membership Robin Abner is the Director of Membership for the Electronic Frontier Foundation. Robin works with EFF's Board and staff to plan membership strategy and oversee marketing, administration and member services. Prior to joining EFF, Robin was Director of Membership and Marketing at Non-Profit Management Associates, Inc. in Washington, DC, where she developed and administered membership programs for several non-profit organizations. In addition, she served as Deputy Director of the Friends of the National Library of Medicine. Robin majored in Computer Science at George Washington University and is currently studying Technology and Management at the University of Maryland in College Park. Robin is a member of the American Society of Association Executives (ASAE) and is co-chair of ASAE's Roundtable Steering Committee. In 1993, she was appointed to the Membership Council of ASAE's Board and was awarded their Diversity Career Development Scholarship. ****** Darby Costello - Director of Finance & Administration Darby Costello, EFF's new Director of Finance and Administration, handles oversight of all financial activities/transactions, human resources and office management. Darby is a long-time Washingtonian, has worked in the non-profit world for over 10 years, and earned a BSBA in Accounting from George Washington University. She is partial to cats and has two Burmese, Juan and Flor, who share their Kalorama apartment with Darby. She is devoted to the arts (opera in particular) and actively involved with a newly-formed local opera company. Ms. Costello is a rabid, nearly indiscriminate, reader. ------------------------------ ~Subject: What YOU Can Do ------------------------ "The net poses a fundamental threat not only to the authority of the government, but to all authority, because it permits people to organize, think, and influence one another without any institutional supervision whatsoever. The government is responding to this threat with the Clipper Chip." - John Seabrook, "My First Flame", _New_Yorker_ 06/06/94 Who will decide how much privacy is "enough"? The Electronic Frontier Foundation believes that individuals should be able to ensure the privacy of their personal communications through any technological means they choose. However, the government's current restrictions on the export of encrytion software have stifled the development and commercial availability of strong encryption in the U.S. Now, more than ever, EFF is working to make sure that you are the one that makes these decisions for yourself. Our members are making themselves heard on the whole range of issues. EFF collected over 5000 letters of support for Rep. Maria Cantwell's bill to liberalize restrictions on cryptography. We also gathered over 1400 letters supporting Sen. Leahy's open hearings on the proposed Clipper encryption scheme, which were held in May 1994. And EFF collected over 90% of the public comments that were submitted to NIST regarding whether or not Clipper should be made a federal standard. You KNOW privacy is important. You have probably participated in our online campaigns. Have you become a member of EFF yet? The best way to protect your online rights is to be fully informed and to make your opinions heard. EFF members are informed and are making a difference. Join EFF today! For EFF membership info, send queries to membership@eff.org, or send any message to info@eff.org for basic EFF info, and a membership form. ------------------------------ Administrivia ============= EFFector Online is published by: The Electronic Frontier Foundation 1001 G Street NW, Suite 950 E Washington DC 20001 USA +1 202 347 5400 (voice) +1 202 393 5509 (fax) +1 202 638 6119 (BBS - 16.8k ZyXEL) +1 202 638 6120 (BBS - 14.4k V.32bis) Internet: ask@eff.org Internet fax gate: remote-printer.EFF@9.0.5.5.3.9.3.2.0.2.1.tpc.int Coordination, production and shipping by: Stanton McCandlish, Online Activist/SysOp/Archivist Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. To subscribe to EFFector via email, send message body of "subscribe effector-online" (no quotes) to listserve@eff.org, which will add you a subscription to the EFFector mailing list. To get the latest issue, send any message to er@eff.org, and it will be mailed to you automagically. You can also get ftp.eff.org, /pub/EFF/Newsletters/EFFector/current. ------------------------------ Internet Contact Addresses -------------------------- Membership & donations: membership@eff.org Legal services: ssteele@eff.org Hardcopy publications: pubs@eff.org Technical questions/problems, access to mailing lists: eff@eff.org General EFF, legal, policy or online resources queries: ask@eff.org End of EFFector Online v07 #12 ****************************** $$ From comp.org.eff.news Mon Jul 25 21:26:37 1994 Path: utcsri!utnut!cs.utexas.edu!not-for-mail From: mech@eff.org (Stanton McCandlish) Newsgroups: comp.org.eff.news Subject: EFF Analysis of Vice-President Gore's Letter on Cryptography Policy Date: 22 Jul 1994 18:25:55 -0500 Organization: UTexas Mail-to-News Gateway Lines: 174 Sender: nobody@cs.utexas.edu Approved: mech@eff.org Distribution: inet Message-ID: <199407222325.TAA26059@eff.org> NNTP-Posting-Host: news.cs.utexas.edu EFF Analysis of Vice-President Gore's Letter on Cryptography Policy ------------------------------------------------------------------- July 22, 1994 Two days ago, Vice-President Al Gore signaled a major setback in the Administration's Clipper program, and a willingness to engage in serious negotiations leading to a comprehensive new policy on digital privacy and security. Many questions remain about the future, but one thing is certain: Clipper is a dead end, and those of us who are concerned about digital privacy have won a new opportunity to shape a better policy. The Vice-President's letter to Rep. Maria Cantwell (D-WA) made it clear that while Clipper might have a small place in the telephone security market, it has no future in the digital world. "...[T]he Clipper Chip is an approved federal standard for telephone communications and not for computer networks and video networks. For that reason, we are working with industry to investigate other technologies for those applications.... We welcome the opportunity to work with industry to design a more versatile, less expensive system. Such a key escrow system would be implementable in software, firmware, hardware, or any combination thereof, would not rely upon a classified algorithm, would be voluntary, and would be exportable." Clipper does not meet most of these criteria, so, according to the Vice- President, it is a dead end. END OF THE LINE FOR CLIPPER -- LONG-RUN EFFORT TO DRIVE MARKET WILL FAIL The premise of the Clipper program was that the government could drive the market toward use of encryption products which incorporated government-based key escrow agents. A series of subtle and not so subtle government actions would encourage private citizens to use this technology, thus preserving law enforcement access to encrypted communications. Clipper was originally announced as the first element of a family of hardware-based, government key escrow encryption devices that would meet security needs for both voice and data communications on into the future. Clipper itself was purely a voice and low-speed data product, but other members of the Skipjack family, including Tessera and Capstone, were to be compatible with Clipper and were intended to lead the way from escrowed encryption in voice to escrowed encryption for data. Plans are already announced, in fact, to use Tessera and Capstone in large government email networks. At the time, the hope was that government use of this technology would push private sector users toward key escrow systems as well. Now, the announcement that the Administration is re-thinking plans for data encryption standards leaves Clipper a stranded technology. No one wants to buy, or worse yet, standardize on, technology which has no upgrade path. As a long-run effort to force the market toward government-escrowed encryption standards, Clipper is a failure. WE STILL MUST WORK FOR VOLUNTARY, OPEN, EXPORTABLE STANDARDS The fight for privacy and security in digital media is by no means over. Though the Administration has backed away from Clipper, and expressed willingness to talk about other solutions, we are pursuing serious progress on the following issues: * Improved telephone encryption standards For the reasons listed by the Vice-President, in addition to the inherent problems of making copies of all your keys available, Clipper is a poor choice for telephone encryption. Industry should develop a standard for truly secure and private telephones, make them available from multiple manufacturers worldwide, and make them interoperate securely with audio conferencing software on multimedia PC's. * Truly voluntary standards Any cryptographic standard adopted by the government for private sector use must be truly voluntary. Voluntary means, to us, that there are statutory guarantees that no citizen will be required or pressured into using the standard for communications with the government, or with others. No government benefits, services, or programs should be conditioned on use of a particular standard, especially if it involves government or private key escrow. * Open standards Standards chosen must be developed in an open, public process, free from classified algorithms. The worldwide independent technical community must be able to create and evaluate draft standards, without restriction or government interference, and without any limits on full participation by the international cryptographic community. * No government escrow systems Any civilian encryption standard which involves government getting copies of all the keys poses grave threats to privacy and civil liberties, and is not acceptable in a free society. * Liberalization of export controls Lifting export controls on cryptography will make the benefits of strong cryptography widely available to our own citizens. U.S. hardware, software and consumer electronics manufacturers will build encryption into affordable products once they are given access to a global marketplace. Today's widespread availability of "raw" cryptographic technology both inside and outside the United States shows that the technology will always be available to "bad guys". The real question is whether our policies will allow encryption to be built into the fabric of our national and international infrastructure, to provide significantly increased individual privacy, improved financial privacy, increased financial security, enhanced freedom of association, increased individual control over identity, improved security and integrity of documents, contracts, and licenses, reduced fraud and counterfeiting, the creation of significant new markets for buying and selling of intellectual property, and a lessened ability to detect and prosecute victimless crimes. These benefits are not free, however. EFF does recognize that new communications technologies pose real challenges to the work of law enforcement. Just as the automobile, the airplane, and even the telephone created new opportunities for criminal activity, and new difficulties for law enforcement, encryption technology will certainly require changes in traditional investigative techniques. We also recognize that encryption will prevent many of the online crimes that will likely occur without it. We further believe that these technologies will create new investigative tools for law enforcement, even as they obsolete old ones. Entering this new environment, private industry, law enforcement, and private citizens must work together to balance the requirements of both liberty and security. Finally, the export controls used today to attempt to control this technology are probably not Constitutional under the First Amendment; if the problems of uncontrolled export are too great, a means of control must be found which does not restrict free expression. CONGRESSIONAL LEADERSHIP TOWARD COMPREHENSIVE POLICY FRAMEWORK IS CRITICAL The efforts of Congresswoman Maria Cantwell, Senator Patrick Leahy, and other members of Congress, show that comprehensive policies on privacy, security and competitiveness in digital communication technologies can only be achieved with the active involvement of Congress. Unilateral policy efforts by the Executive branch, such as Clipper and misguided export control policies, will not serve the broad interests of American citizens and businesses. So, we are pleased to see that the Vice-President has pledged to work with the Congress and the private sector in shaping a forward-looking policy. We see the Vice-President's letter to Congresswoman Cantwell as an important opening for dialogue on these issues. The principles of voluntariness and open standards announced in the Vice- President's letter, as well as those mentioned here, must be incorporated into legislation. We believe that under the leadership of Senator Leahy, Reps. Cantwell, Valentine, Brooks and others, this will be possible in the next congress. EFF is eager to work with the Congress, the Administration, along with other private sector organizations to help formulate a new policy. EFF is also pleased to be part of the team of grass roots activism, industry lobbying, and public interest advocacy which has yielded real progress on these issues. FOR MORE INFORMATION CONTACT: Jerry Berman, Executive Director Daniel J. Weitzner, Deputy Policy Director For the full text of the Gore/Cantwell letter, see: ftp.eff.org, /pub/Alerts/gore_clipper_retreat_cantwell_072094.letter gopher.eff.org, 1/Alerts, gore_clipper_retreat_cantwell_072094.letter http://www.eff.org/pub/Alerts/gore_clipper_retreat_cantwell_072094.letter