The Cyphernomicon

9. Policy: Clipper,Key Escrow, and Digital Telephony

9.1. copyright
THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
1994-09-10, Copyright Timothy C. May. All rights reserved.
See the detailed disclaimer. Use short sections under «fair
use» provisions, with appropriate credit, but don’t put your
name on my words.

9.2. SUMMARY: Policy: Clipper,Key Escrow, and Digital Telephony
9.2.1. Main Points

  • Clipper has been a main unifying force, as 80% of all
    Americans, and 95% of all computer types, are opposed.
  • «Big Brother Inside»
    9.2.2. Connections to Other Sections
  • the main connections are legal
  • some possible implications for limits on crypto
    9.2.3. Where to Find Additional Information
  • There have been hundreds of articles on Clipper, in nearly
    all popular magazines. Many of these were sent to the
    Cypherpunks list and may be available in the archives. (I
    have at least 80 MB of Cypherpunks list stuff, a lot of it
    newspaper and magazine articles on Clipper!)
  • more Clipper information can be found at:
    • «A good source is the Wired Online Clipper Archive. Send
      e-mail to info-rama@wired.com. with no subject and the
      words ‘get help’ and ‘get clipper/index’ in the body of
      the message.» [students@unsw.EDU.AU, alt.privacy.clipper,
      1994-09-01]
      9.2.4. Miscellaneous Comments
  • As with a couple of other sections, I won’t try to be as
    complete as some might desire. Just too many thousands of
    pages of stuff to consider.

9.3. Introduction
9.3.1. What is Clipper?

  • government holds the skeleton keys
  • analogies to other systems
    9.3.2. Why do most Cypherpunks oppose Clipper?
  • fear of restrictions on crypto, derailing so many wonderful
    possibilities
    9.3.3. Why does Clipper rate its own section?
  • The announcement of the «Escrowed Encryption Standard,»
    EES, on April 16, 1993, was a galvanizing event for
    Cypherpunks and for a large segment of the U. S.
    population. The EES was announced originally as «Clipper,»
    despite the use of the name Clipper by two major products
    (the Intergraph CPU and a dBase software tool), and the
    government backed off on the name. Too late, though, as the
    name «Clipper» had become indelibly linked to this whole
    proposal.
    9.3.4. «Is stopping Clipper the main goal of Cypherpunks?»
  • It certainly seems so at times, as Clipper has dominated
    the topics since the Clipper announcement in April, 1993.
  • it has become so, with monkeywrenching efforts in several areas
    • lobbying and education against it (though informal, such
      lobbying has been successful…look at NYT article)
    • «Big Brother Inside» and t-shirts
    • technical monkeywrenching (Matt Blaze…hesitate to claim
      any credit, but he has been on our list, attended a
      meeting, etc.)
  • Although it may seem so, Clipper is just one
    aspect…step…initiative.
  • Developing new software tools, writing code, deploying
    remailers and digital cash are long-range projects of great
    importance.
  • The Clipper key escrow proposal came along (4-93) at an
    opportune time for Cypherpunks and became a major focus.
    Emergency meetings, analyses, etc.

9.4. Crypto Policy Issues
9.4.1. Peter Denning on crypto policy:

  • provided by Pat Farrell, 1994-08-20; Denning comments are 1992-01-22, presented at Computers, Freedom, and Privacy 2. Peter D. uses the metaphor of a «clearing,»as in a forest, for the place where people meet to trade, interact, etc. What others call markets, agoras, or just «cyberspace.»
    • «Information technology in producing a clearing in which
      individuals and corporations are key players besides
      government. Any attempt by government to control the flow
      of information over networks will be ignored or met with
      outright hostility. There is no practical way that
      government can control information except information
      directly involved in the business of governing. It
      should not try.» [Peter Denning, PUBLIC POLICY FOR THE
      21ST CENTURY, DRAFT 1/22/92]
  • No word on how this view squares with his wife’s control
    freak views.
    9.4.2. Will government and NSA in particular attempt to acquire some
    kind of control over crypto companies?
  • speculations, apparently unfounded, that RSA Data Security is influenced by NSA wishes
    • weaknesses in the DES keys picked?
  • and companies may be dramatically influenced by contracts
    (and the witholding of them)
    9.4.3. NIST and DSS
    9.4.4. Export restrictions, Munitions List, ITAR
    9.4.5. old crypto machines sold to Third World governments, cheaply
  • perhaps they think they can make some changes and outsmart
    the NSA (which probably has rigged it so any changes are
    detectable and can be factored in)
  • and just knowing the type of machine is a huge advantage
    9.4.6. 4/28/97 The first of several P-K and RSA patents expires
  • U.S. Patent Number: 4200770
    • Title: Cryptographic Apparatus and Method
    • Inventors: Hellman, Diffie, Merkle
    • Assignee: Stanford University
    • Filed: September 6, 1977
    • Granted: April 29, 1980
    • [Expires: April 28, 1997]
  • remember that any one of these several patents held by Public Key Partners (Stanford and M.I.T., with RSA Data Security the chief dispenser of licenses) can block an effort to bypass the others
    • though this may get fought out in court
      9.4.7. encryption will be needed inside computer systems
  • for operating system protection
  • for autonomous agents (active agents)
  • for electronic money

9.5. Motivations for Crypto Laws
9.5.1. «What are the law enforcement and FBI worries?»

  • «FBI Director Louis Freeh is worried. The bad guys are
    beginning to see the light, and it is digital. … Freeh
    fears some pretty nasty folks have discovered they can
    commit highway robbery and more, without even leaving home.
    Worse, to Freeh and other top cops, by using some pretty
    basic technologies, savvy criminals can do their crimes
    without worrying about doing time. «Some crooks, spies, drug traffickers, terrorists and
    frauds already use the tools of the information age to
    outfox law enforcement officers. Hackers use PBXs to hide
    their tracks as they rip off phone companies and poke
    around in other people’s files. Reprogrammed cellular
    phones give cops fits.» [LAN Magazine,»Is it 1984?,» by Ted
    Bunker, August 1994]
  • Their fears have some validity…in the same way that the
    rulers in Gutenberg’s time could have some concerns about
    the implications of books (breaking of guilds, spread of
    national secrets, pornography, atheism, etc.).
    9.5.2. «What motivated Clipper? What did the Feds hope to gain?»
  • ostensibly to stop terrorists (only the unsophisticated
    ones, if alternatives are allowed)
  • to force a standard on average Americans
  • possibly to limit crypto development
  • Phil Karn provides an interesting motivation for Clipper:
    «Key escrow exists only because the NSA doesn’t want to
    risk blame if some terrorist or drug dealer were to use an
    unescrowed NSA-produced …..The fact that a terrorist or
    drug dealer can easily go elsewhere and obtain other strong
    or stronger algorithms without key escrow is irrelevant.
    The NSA simply doesn’t care as long as they can’t be
    blamed for whatever happens. Classic CYA, nothing
    more…..A similar analysis applies to the export control
    regulations regarding cryptography.» [Phil Karn, 1994-08-
    31]
    • Bill Sommerfeld notes: «If this is indeed the case, Matt
      Blaze’s results should be particularly devastating to
      them.» [B.S., 1994-09-01]
      9.5.3. Steve Witham has an interesting take on why folks like
      Dorothy Denning and Donn Parker support key escrow so
      ardently:
  • «Maybe people like Dot and Don think of government as a
    systems-administration sort of job. So here they are,
    security experts advising the sys admins on things like… setting permissions
    allocating quotas
    registering users and giving them passwords…..
    deciding what utilities are and aren’t available
    deciding what software the users need, and installing it
    (grudgingly, based on who’s yelling the loudest)
    setting up connections to other machines
    deciding who’s allowed to log in from «foreign hosts»
    getting mail set up and running
    buying new hardware from vendors
    specifying the hardware to the vendors
    … «These are the things computer security experts advise on.
    Maybe hammer experts see things as nails. «Only a country is not a host system owned and administered
    by the government, and citizens are not guests or users.»
    [Steve Witham, Government by Sysadmin, 1994-03-23] 9.5.4. Who would want to use key escrow?
    9.5.5. «Will strong crypto really thwart government plans?»
  • Yes, it will give citizens the basic capabilities that
    foreign governments have had for many years
  • Despite talk about codebreakes and the expertise of the
    NSA, the plain fact is that no major Soviet ciphers have
    been broken for many years
    • recall the comment that NSA has not really broken any
      Soviet systems in many years
    • except for the cases, a la the Walker case, where
      plaintext versions are gotten, i.e., where human
      screwups occurred
  • the image in so many novels of massive computers breaking
    codes is absurd: modern ciphers will not be broken (but the
    primitive ciphers used by so many Third World nations and
    their embassies will continue to be child’s play, even for
    high school science fair projects…could be a good idea
    for a small scene, about a BCC student who has his project
    pulled)
    9.5.6. «Why does the government want short keys?»
  • Commercial products have often been broken by hackers. The
    NSA actually has a charter to help businesses protect their
    secrets; just not so strongly that the crypto is
    unbreakable by them. (This of course has been part of the
    tension between the two sides of the NSA for the past
    couple of decades.)
  • So why does the government want crippled key lengths?
    • «The question is: how do you thwart hackers while
      permitting NSA access? The obvious answer is strong
      algorithm(s) and relatively truncated keys.» [Grady Ward,
      sci.crypt, 1994-08-15]

9.6. Current Crypto Laws
9.6.1. «Has crypto been restricted in countries other than the
U.S.?»

  • Many countries have restrictions on civilian/private use of
    crypto. Some even insist that corporations either send all
    transmissions in the clear, or that keys be provided to the
    government. The Phillipines, for example. And certainly
    regimes in the Communists Bloc, or what’s left of it, will
    likely have various laws restricting crypto. Possibly
    draconian laws….in many cultures, use of crypto is
    tantamount to espionage.

9.7. Crypto Laws Outside the U.S.
9.7.1. «International Escrow, and Other Nation’s Crypto Policies?»

  • The focus throughout this document on U.S. policy should
    not lull non-Americans into complacency. Many nations
    already have more Draconian policies on the private use of
    encryption than the U.S. is even contemplating
    (publically). France outlaws private crypto, though
    enforcement is said to be problematic (but I would not want
    the DGSE to be on my tail, that’s for sure). Third World
    countries often have bans on crypto, and mere possession of
    random-looking bits may mean a spying conviction and a trip
    to the gallows.
  • There are also several reports that European nations are
    preparing to fall in line behind the U.S. on key escrow
    • Norway
    • Netherlands
    • Britain
  • A conference in D.C. in 6/94, attended by Whit Diffie (and
    reported on to us at the 6/94 CP meeting) had internation
    escrow arrangements as a topic, with the crypto policy
    makers of NIST and NSA describing various options
    • bad news, because it could allow bilateral treaties to
      supercede basic rights
    • could be plan for getting key escrow made mandatory
    • there are also practical issues
    • who can decode international communications?
      • do we really want the French reading Intel’s
        communications? (recall Matra-Harris)
    • satellites? (like Iridium)
    • what of multi-national messages, such as an encrypted
      message posted to a message pool on the Internet…is
      it to be escrowed with each of 100 nations?
      9.7.2. «Will foreign countries use a U.S.-based key escrow system?»
  • Lots of pressure. Lots of evidence of compliance.
    9.7.3. «Is Europe Considering Key Escrow?»
  • Yes, in spades. Lots of signs of this, with reports coming
    in from residents of Europe and elsewhere. The Europeans
    tend to be a bit more quiet in matters of public policy (at
    least in some areas).
  • «The current issue of `Communications Week International’
    informs us that the European Union’s Senior Officials Group
    for Security of Information Systems has been considering
    plans for standardising key escrow in Europe. «Agreement had been held up by arguments over who should
    hold the keys. France and Holland wanted to follow the
    NSA’s lead and have national governments assume this role;
    other players wanted user organisations to do this.» [
    rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow
    in Europe too, 1994-06-29]
    9.7.4. «What laws do various countries have on encryption and the
    use of encryption for international traffic?»
  • «Has France really banned encryption?»
    • There are recurring reports that France does not allow
      unfettered use of encryption.
    • Hard to say. Laws on the books. But no indications that
      the many French users of PGP, say, are being prosecuted.
    • a nation whose leader, Francois Mitterand, was a Nazi
      collaborationist, working with Petain and the Vichy
      government (Klaus Barbie involved)
  • Some Specific Countries
    • (need more info here)
    • Germany
    • BND cooperates with U.S.
    • Netherlands
    • Russia
  • Information
    • «Check out the ftp site at csrc.ncsl.nist.gov for a
      document named something like «laws.wp» (There are
      several of these, in various formats.) This contains a
      survey of the positions of various countries, done for
      NIST by a couple of people at Georgetown or George
      Washington or some such university.» [Philip Fites,
      alt.security.pgp, 1994-07-03]
      9.7.5. France planning Big Brother smart card?
  • «PARIS, FRANCE, 1994 MAR 4 (NB) — The French government
    has confirmed its plans to replace citizen’s paper-based ID
    cards with credit card-sized «smart card» ID cards.
    …..
    «The cards contain details of recent transactions, as well
    as act as an «electronic purse» for smaller value
    transactions using a personal identification number (PIN)
    as authorization. «Purse transactions» are usually separate
    from the card credit/debit system, and, when the purse is
    empty, it can be reloaded from the card at a suitable ATM
    or retailer terminal.» (Steve Gold/19940304)» [this was
    forwarded to me for posting]
    9.7.6. PTTs, local rules about modem use
    9.7.7. «What are the European laws on «Data Privacy» and why are
    they such a terrible idea?»
  • Various European countries have passed laws about the
    compiling of computerized records on people without their
    explicit permission. This applies to nearly all
    computerized records–mailing lists, dossiers, credit
    records, employee files, etc.–though some exceptions exist
    and, in general, companies can find ways to compile records
    and remain within the law.
  • The rules are open to debate, and the casual individual who
    cannot afford lawyers and advisors, is likely to be
    breaking the laws repeatedly. For example, storing the
    posts of people on the Cypherpunks list in any system
    retrievable by name would violate Britain’s Data Privacy
    laws. That almost no such case would ever result in a
    prosecution (for practical reasons) does not mean the laws
    are acceptable.
  • To many, these laws are a «good idea.» But the laws miss
    the main point, give a false sense of security (as the real
    dossier-compilers are easily able to obtain exemptions, or
    are government agencies themselves), and interfere in what
    people do with information that properly and legally comes
    there way. (Be on the alert for «civil rights» groups like
    the ACLU and EFF to push for such data privacy laws. The
    irony of Kapor’s connection to Lotus and the failed
    «Marketplace» CD-ROM product cannot be ignored.)
  • Creating a law which bans the keeping of certain kinds of
    records is an invitation to having «data inspectors»
    rummaging through one’s files. Or some kind of spot checks,
    or even software key escrow.
  • (Strong crypto makes these laws tough to enforce. Either
    the laws go, or the counties with such laws will then have
    to limit strong crypto….not that that will help in the
    long run.)
  • The same points apply to well-meaning proposals to make
    employer monitoring of employees illegal. It sounds like a
    privacy-enhancing idea, but it tramples upon the rights of
    the employer to ensure that work is being done, to
    basically run his business as he sees fit, etc. If I hire a
    programmer and he’s using my resources, my network
    connections, to run an illegal operation, he exposes my
    company to damages, and of course he isn’t doing the job I
    paid him to do. If the law forbids me to monitor this
    situation, or at least to randomly check, then he can
    exploit this law to his advantage and to my disadvantage.
    (Again, the dangers of rigid laws, nonmarket
    solutions,(lied game theory.)
    9.7.8. on the situation in Australia
  • Matthew Gream [M.Gream@uts.edu.au] informed us that the
    export situation in Oz is just as best as in the U.S. [1994-
    09-06] (as if we didn’t know…much as we all like to dump
    on Amerika for its fascist laws, it’s clear that nearly all
    countries are taking their New World Order Marching Orders
    from the U.S., and that many of them have even more
    repressive crypto laws alredy in place…they just don’t
    get the discussion the U.S. gets, for apparent reasons)
    • «Well, fuck that for thinking I was living under a less
      restrictive regime — and I can say goodbye to an
      international market for my software.]
    • (I left his blunt language as is, for impact.)
      9.7.9. «For those interested, NIST have a short document for FTP,
      ‘Identification & Analysis of Foreign Laws & Regulations
      Pertaining to the Use of Commercial Encryption Products for
      Voice & Data Communications’. Dated Jan 1994.» [Owen Lewis,
      Re: France Bans Encryption, alt.security.pgp, 1994-07-07]

9.8. Digital Telephony
9.8.1. «What is Digital Telephony?»

  • The Digital Telephony Bill, first proposed under Bush and
    again by Clinton, is in many ways much worse than Clipper.
    It has gotten less attention, for various reasons.
  • For one thing, it is seen as an extension by some of
    existing wiretap capabilities. And, it is fairly abstract,
    happening behind the doors of telephone company switches.
  • The implications are severe: mandatory wiretap and pen
    register (who is calling whom) capaibilities, civil
    penalties of up to $10,000 a day for insufficient
    compliance, mandatory assistance must be provided, etc.
  • If it is passed, it could dictate future technology. Telcos
    who install it will make sure that upstart technologies
    (e.g., Cypherpunks who find ways to ship voice over
    computer lines) are also forced to «play by the same
    rules.» Being required to install government-accessible tap
    points even in small systems would of course effectively
    destroy them.
  • On the other hand, it is getting harder and harder to make
    Digital Telephony workable, even by mandate. As Jim
    Kallstrom of the FBI puts it: «»Today will be the cheapest
    day on which Congress could fix this thing,» Kallstrom
    said. «Two years from now, it will be geometrically more
    expensive.»» [LAN Magazine,»Is it 1984?,» by Ted Bunker,
    August 1994]
  • This gives us a goal to shoot for: sabotage the latest
    attempt to get Digital Telephony passed into law and it may
    make it too intractable to ever be passed.
  • «Today will be the cheapest day on which
    • Congress could fix this thing,» Kallstrom said. «Two
      years from now,
    • it will be geometrically more expensive.»
  • The message is clear: delay Digital Telephony. Sabotage it
    in the court of public opinion, spread the word, make it
    flop. (Reread your «Art of War» for Sun Tsu’s tips on
    fighting your enemy.)

    9.8.2. «What are the dangers of the Digital Telephony Bill?»
  • It makes wiretapping invisible to the tappee.
  • If passed into law, it makes central office wiretapping trivial, automatic.
    • «What should worry people is what isn’t in the news (and
      probably never will until it’s already embedded in comm
      systems). A true ‘Clipper’ will allow remote tapping on
      demand. This is very easily done to all-digital
      communications systems. If you understand network routers
      and protocol it’s easy to envision how simple it would be
      to ‘re-route’ a copy of a target comm to where ever you
      want it to go…» [domonkos@access.digex.net (andy
      domonkos), comp.org.eff.talk, 1994-06-29]
      9.8.3. «What is the Digital Telephony proposal/bill?
  • proposed a few years ago…said to be inspiration for PGP
  • reintroduced Feb 4, 1994
  • earlier versrion:
  • «1) DIGITAL TELEPHONY PROPOSAL
    • «To ensure law enforcement’s continued ability to conduct
      court-
    • authorized taps, the administration, at the request of
      the
    • Dept. of Justice and the FBI, proposed ditigal telephony
    • legislation. The version submitted to Congress in Sept.
      1992
    • would require providers of electronic communication
      services
    • and private branch exchange (PBX) operators to ensure
      that the
    • government’s ability to lawfully intercept communications
      is not
    • curtailed or prevented entirely by the introduction of
      advanced
    • technology.»

9.9. Clipper, Escrowed Encyption Standard
9.9.1. The Clipper Proposal

  • A bombshell was dropped on April 16, 1993. A few of us saw
    it coming, as we’d been debating…
    9.9.2. «How long has the government been planning key escrow?»
  • since about 1989
  • ironically, we got about six months advance warning
  • my own «A Trial Balloon to Ban Encryption» alerted the
    world to the thinking of D. Denning….she denies having
    known about key escorw until the day before it was
    announced, which I find implausible (not calling her a
    liar, but…)
  • Phil Karn had this to say to Professor Dorothy Denning, several weeks prior to the Clipper announcement:
    • «The private use of strong cryptography provides, for the
      very first time, a truly effective safeguard against this
      sort of government abuse. And that’s why it must continue
      to be free and unregulated.
    • «I should credit you for doing us all a very important
      service by raising this issue. Nothing could have lit a
      bigger fire under those of us who strongly believe in a
      citizens’ right to use cryptography than your proposals
      to ban or regulate it. There are many of us out here who
      share this belief and have the technical skills to turn
      it into practice. And I promise you that we will fight
      for this belief to the bitter end, if necessary.» [Phil
      Karn, 1993-03-23]


      9.9.3. Technically, the «Escrowed Encryption Standard,» or EES. But
      early everyone still calls it «Clipper, » even if NSA
      belatedly realized Intergraph’s won product has been called
      this for many years, a la the Fairchild processor chip of the
      same name. And the database product of the same name. I
      pointed this out within minutes of hearing about this on
      April 16th, 1993, and posted a comment to this effect on
      sci.crypt. How clueless can they be to not have seen in many
      months of work what many of us saw within seconds?
      9.9.4. Need for Clipper
      9.9.5. Further «justifications» for key escrow
  • anonymous consultations that require revealing of identities
    • suicide crisis intervention
    • confessions of abuse, crimes, etc. (Tarasoff law)
  • corporate records that Feds want to look at
  • Some legitimate needs for escrowed crypto
    • for corporations, to bypass the passwords of departed,
      fired, deceased employees,
      9.9.6. Why did the government develop Clipper?
      9.9.7. «Who are the designated escrow agents?»
  • Commerce (NIST) and Treasury (Secret Service).
    9.9.8. Whit Diffie
  • Miles Schmid was architect
  • international key escrow
    • Denning tried to defend it….
      9.9.9. What are related programs?
      9.9.10. «Where do the names «Clipper» and «Skipjack» come from?
  • First, the NSA and NIST screwed up big time by choosing the
    name «Clipper,» which has long been the name of the 32-bit
    RISC processor (one of the first) from Fairchild, later
    sold to Intergraph. It is also the name of a database
    compiler. Most of us saw this immediately.
  • Clippers are boats, so are skipjacks («A small sailboat having a
    • bottom shaped like a flat V and vertical sides» Am
      Heritage. 3rd).
    • Suggests a nautical theme, which fits with the
      Cheseapeake environs of
    • the Agency (and small boats have traditionally been a way
      for the
    • Agencies to dispose of suspected traitors and spies).
    • However, Capstone is not a boat, nor is Tessera, so the
      trend fails.

9.10. Technical Details of Clipper, Skipjack, Tessera, and EES
9.10.1. Clipper chip fabrication details

  • ARM6 core being used
    • but also rumors of MIPS core in Tessera
  • MIPS core reportedly being designed into future versions
  • National also built (and may operate) a secure wafer fab
    line for NSA, reportedly located on the grounds of Ft.
    Meade–though I can’t confirm the location or just what
    National’s current involvement still is. May only be for
    medium-density chips, such as key material (built under
    secure conditions).
    9.10.2. «Why is the Clipper algorithm classified?»
  • to prevent non-escrow versions, which could still use the
    (presumably strong) algorithm and hardware but not be
    escrowed
  • cryptanalysis is always easier if the algorithms are known
    :-}
  • general government secrecy
  • backdoors?
    9.10.3. If Clipper is flawed (the Blaze LEAF Blower), how can it
    still be useful to the NSA?
  • by undermining commercial alternatives through subsidized
    costs (which I don’t think will happen, given the terrible
    PR Clipper has gotten)
  • mandated by law or export rules
  • and the Blaze attack is–at present–not easy to use (and
    anyone able to use it is likely to be sophisticated enough
    to use preencryption anyway)
    9.10.4. What about weaknesses of Clipper?
  • In the views of many, a flawed approach. That is, arguing
    about wrinkles plays into the hands of the Feds.
    9.10.5. «What are some of the weaknesses in Clipper?»
  • the basic idea of key escrow is an infringement on liberty
  • access to the keys
    • «
    • «There’s a big door in the side with a
    • big neon sign saying «Cops and other Authorized People
      Only»;
    • the trapdoor is the fact that anybody with a fax
      machine can make
    • themselves and «Authorized Person» badge and walk in.
  • possible back doors in the Skipjace algorithm
  • generation of the escrow keys –
    • «There’s another trapdoor, which is that if you can
      predict the escrow
    • keys by stealing the parameters used by the Key
      Generation Bureau to
    • set them, you don’t need to get the escrow keys from
      the keymasters,
    • you can gen them yourselves. «
      9.10.6. Mykotronx
  • MYK-78e chip, delays, VTI, fuses
  • National Semiconductor is working with Mykotronx on a
    faster implementation of the
    Clipper/Capstone/Skipjack/whatever system. (May or may not
    be connected directly with the iPower product line. Also,
    the MIPS processor core may be used, instead of the ARM
    core, which is said to be too slow.)
    9.10.7. Attacks on EES
  • sabotaging the escrow data base
  • stealing it, thus causing a collapse in confidence
    • Perry Metzger’s proposal
  • FUD
    9.10.8. Why is the algorithm secret?
    9.10.9. Skipjack is 80 bits, which is 24 bits longer than the 56 bits
    of DES. so
    9.10.10. «What are the implications of the bug in Tessera found by
    Matt Blaze?»
  • Technically, Blaze’s work was done on a Tessera card, which
    implements the Skipjace algorithm. The Clipper phone system
    may be slightly different and details may vary; the Blaze
    attack may not even work, at least not practically.
  • » The announcement last month was about a discovery that,
    with a half-hour or so of time on an average PC, a user
    could forge a bogus LEAF (the data used by the government
    to access the back door into Clipper encryption). With such
    a bogus LEAF, the Clipper chip on the other end would
    accept and decrypt the communication, but the back door
    would not work for the government.» [ Steve Brinich,
    alt.privacy.clipper, 1994-07-04]
  • «The «final» pre-print version (dated August 20, 1994) of
    my paper, «Protocol Failure in the Escrowed Encryption
    Standard» is now available. You can get it in PostScript
    form via anonymous ftp from research.att.com in the file
    /dist/mab/eesproto.ps . This version replaces the
    preliminary draft (June 3) version that previously occupied
    the same file. Most of the substance is identical,
    although few sections are expanded and a few minor errors
    are now corrected.» [Matt Blaze, 1994-09-04]

9.11. Products, Versions — Tessera, Skipjack, etc.
9.11.1. «What are the various versions and products associated with
EES?»

  • Clipper, the MYK-78 chip.
  • Skipjack.
  • Tessera. The PCMCIA card version of the Escrowed Encryption Standard.
    • the version Matt Blaze found a way to blow the LEAF
    • National Semiconductor «iPower» card may or may not
      support Tessera (conflicting reports).
      9.11.2. AT&T Surety Communications
  • NSA may have pressured them not to release DES-based
    products
    9.11.3. Tessera cards
  • iPower
  • Specifications for the Tessera card interface can be found
    in several places, including » csrc.ncsl.nist.gov»–see the
    file cryptcal.txt [David Koontz, 1994-08-08].

9.12. Current Status of EES, Clipper, etc.
9.12.1. «Did the Administration really back off on Clipper? I heard
that Al Gore wrote a letter to Rep. Cantwell, backing off.»

  • No, though Clipper has lost steam (corporations weren’t
    interested in buying Clipper phones, and AT&T was very late
    in getting «Surety» phones out).
  • The Gore announcement may actually indicate a shift in
    emphasis to «software key escrow» (my best guess).
  • Our own Michael Froomkin, a lawyer, writes: «The letter is
    a nullity. It almost quotes from testimony given a year
    earlier by NIST to Congress. Get a copy of Senator Leahy’s
    reaction off the eff www server. He saw it for the empty
    thing it is….Nothing has changed except Cantwell dropped
    her bill for nothing.» [A.Michael Froomkin,
    alt.privacy.clipper, 1994-09-05]

9.13. National Information Infrastructure, Digital Superhighway
9.13.1. Hype on the Information Superhighway

  • It’s against the law to talk abou the Information
    Superhighway without using at least one of the overworked
    metaphors: road kill, toll boths, passing lanes, shoulders,
    on-ramps, off-ramps, speeding, I-way, Infobahn, etc.
  • Most of what is now floating around the suddenly-trendy
    idea of the Digital Superduperway is little more than hype.
    And mad metaphors. Misplaced zeal, confusing tangential
    developments with real progress. Much like libertarians
    assuming the space program is something they should somehow
    be working on.
  • For example, the much-hyped «Pizza Hut» on the Net (home
    pizza pages, I guess). It is already being dubbed «the
    first case of true Internet commerce.» Yeah, like the Coke
    machines on the Net so many years ago were examples of
    Internet commerce. Pure hype. Madison Avenue nonsense. Good
    for our tabloid generation.
    9.13.2. «Why is the National Information Infrastructure a bad idea?»
  • NII = Information Superhighway = Infobahn = Iway = a dozen
    other supposedly clever and punning names
  • Al Gore’s proposal:
    • links hospitals, schools, government
    • hard to imagine that the free-wheeling anarchy of the
      Internet would persist..more likely implications:
    • «is-a-person» credentials, that is, proof of identity,
      and hence tracking, of all interactions
    • the medical and psychiatric records would be part of
      this (psychiatrists are leery of this, but they may
      have no choice but to comply under the National Health
      Care plans being debated)
  • There are other bad aspects:
    • government control, government inefficiency, government
      snooping
    • distortion of markets («universal access’)
    • restriction of innovation
    • is not needed…other networks are doing perfectly well,
      and will be placed where they are needed and will be
      locally paid for
      9.13.3. NII, Video Dialtone
  • «Dialtone»
    • phone companies offer an in-out connection, and charge
      for the connection, making no rulings on content (related
      to the «Common Carrier» status)
    • for video-cable, I don’t believe there is an analogous
      set-up being looked at
    • cable t.v.
      • Carl Kadie’s comments to Sternlight
        9.13.4. The prospects and dangers of Net subsidies
  • «universal access,» esp. if same happens in health care
  • those that pay make the rules
  • but such access will have strings attached
    • limits on crypto
  • universal access also invites more spamming, a la the
    «Freenet» spams, in which folks keep getting validated as
    new users: any universal access system that is not pay-as-
    you-go will be sensitive to this or will result in calls
    for universal ID system (is-a-person credentialling)
    9.13.5. NII, Superhighway, I-way
  • crypto policy
  • regulation, licensing

9.14. Government Interest in Gaining Control of Cyberspace
9.14.1. Besides Clipper, Digital Telephony, and the National
Information Infrastructure, the government is interested in
other areas, such as e-mail delivery (US Postal Service
proposal) and maintenance of network systems in general.
9.14.2. Digital Telephony, ATM networks, and deals being cut

  • Rumblings of deals being cut
  • a new draft is out [John Gilmore, 1994-08-03]
  • Encryption with hardware at full ATM speeds
  • and SONET networks (experimental, Bay Area?)
    9.14.3. The USPS plans for mail, authentication, effects on
    competition, etc.
  • This could have a devastating effect on e-mail and on cyberspace in general, especially if it is tied in to other government proposals in an attempt to gain control of cyberspace.
    • Digital Telelphony, Clipper, pornography laws and age
      enforcement (the Amateur Action case), etc.
  • «Does the USPS really have a monopoly on first class mail?»
    • and on «routes»?
    • «The friendly PO has recently been visiting the mail
      rooms of 2) The friendly PO has recently been visiting
      the mail rooms of corporations in the Bay Area, opening
      FedX, etc. packages (not protected by the privacy laws of
      the PO’s first class mail), and fining companies ($10,000
      per violation, as I recall), for sending non-time-
      sensitive documents via FedX when they could have been
      sent via first-class mail.» [Lew Glendenning, USPS
      digital signature annoucement, sci.crypt, 1994-08-23] (A
      citation or a news story would make this more credible,
      but I’ve heard of similar spot checks.)
  • The problems with government agencies competing are well-
    known. First, they often have shoddy service..civil service
    jobs, unfireable workers, etc. Second, they often cannot be
    sued for nonperformance. Third, they often have government-
    granted monopolies.
  • The USPS proposal may be an opening shot in an attempt to gain control of electronic mail…it never had control of e- mail, but its monopoly on first-class mail may be argued by them to extend to cyberspace.
    • Note: FedEx and the other package and overnight letter
      carriers face various restrictions on their service; for
      example, they cannot offer «routes» and the economies
      that would result in.
    • A USPS takeover of the e-mail business would mean an end
      to many Cypherpunks objectives, including remailers,
      digital postage, etc.
    • The challenge will be to get these systems deployed as
      quickly as possible, to make any takeover by the USPS all
      the more difficult.

9.15. Software Key Escrow
9.15.1. (This section needs a lot more)
9.15.2. things are happening fast….
9.15.3. TIS, Carl Ellison, Karlsruhe
9.15.4. objections to key escrow

  • «Holding deposits in real estate transactions is a classic
    example. Built-in wiretaps are not escrow, unless the
    government is a party to your contract. As somebody on the
    list once said, just because the Mafia call themselves
    «businessmen» doesn’t make them legitimate; calling
    extorted wiretaps «escrow» doesn’t make them a service. «The government has no business making me get their
    permission to talk to anybody about anything in any
    language I choose, and they have no business insisting I
    buy «communication protection service» from some of their
    friends to do it, any more than the aforenamed
    «businessmen» have any business insisting I buy «fire
    insurance» from them.» [Bill Stewart, 1994-07-24]
    9.15.5. Micali’s «Fair Escrow»
  • various efforts underway
  • need section here
  • Note: participants at Karlsruhe Conference report that a
    German group may have published on software key escrow
    years before Micali filed his patent (reports that NSA
    officials were «happy»)

9.16. Politics, Opposition
9.16.1. «What should Cypherpunks say about Clipper?»

  • A vast amount has been written, on this list and in dozens
    of other forums.
  • Eric Hughes put it nicely a while back:
  • «The hypothetical backdoor in clipper is a charlatan’s
    issue by comparison, as is discussion of how to make a key
    escrow system
    ‘work.’ Do not be suckered into talking about an issue
    that is not
    important. If someone want to talk about potential back
    doors, refuse to speculate. The existence of a front door
    (key escrow) make back door issues pale in comparison. «If someone wants to talk about how key escrow works,
    refuse to
    elaborate. Saying that this particular key escrow system
    is bad has a large measure of complicity in saying that
    escrow systems in general are OK. Always argue that this
    particular key escrow system is bad because it is a key
    escrow system, not because it has procedural flaws. «This right issue is that the government has no right to my
    private communications. Every other issue is the wrong
    issue and detracts from this central one. If we defeat one
    particular system without defeating all other possible such
    systems at the same time, we have not won at all; we have
    delayed the time of reckoning.» [ Eric Hughes, Work the
    work!, 1993-06-01]
    9.16.2. What do most Americans think about Clipper and privacy?»
  • insights into what we face
  • «In a Time/CNN poll of 1,000 Americans conducted last week
    by Yankelovich
    • Partners, two-thirds said it was more important to
      protect the privacy of phone
    • calls than to preserve the ability of police to conduct
      wiretaps.
    • When informed about the Clipper Chip, 80% said they
      opposed it.»
    • Philip Elmer-Dewitt, «Who Should Keep the Keys», Time,
      Mar. 4, 1994
      9.16.3. Does anyone actually support Clipper?
  • There are actually legitimate uses for forms of escrow:
    • corporations
    • other partnerships
      9.16.4. «Who is opposed to Clipper?»
  • Association for Computing Machinery (ACM). «The USACM urges
    the Administration at this point to withdraw the Clipper
    Chip proposal and to begin an open and public review of
    encryption policy. The escrowed encryption initiative
    raises vital issues of privacy, law enforcement,
    competitiveness and scientific innovation that must be
    openly discussed.» [US ACM, DC Office» usacm_dc@acm.org,
    USACM Calls for Clipper Withdrawal, press release, 1994-06-
    30]
    9.16.5. «What’s so bad about key escrow?»
  • If it’s truly voluntary, there can be a valid use for this.
    • Are trapdoors justified in some cases?
    • Corporations that wish to recover encrypted data
      • several scenarios
      • employee encrypts important files, then dies or is
        otherwise unavailable
      • employee leaves company before decrypting all files
        • some may be archived and not needed to be opened
          for many years
      • employee may demand «ransom» (closely related to
        virus extortion cases)
      • files are found but the original encryptor is
        unknown
    • Likely situation is that encryption algorithms will be mandated by corporation, with a «master key» kept available
      • like a trapdoor
      • the existence of the master key may not even be
        publicized within the company (to head off concerns
        about security, abuses, etc.)
    • Government is trying to get trapdoors put in
      • S.266, which failed ultimately (but not before
        creating a ruckus)
  • If the government requires it…
    • Key escrow means the government can be inside your home
      without you even knowing it
  • and key escrow is not really escrow…what does one get
    back from the «escrow» service?
    9.16.6. Why governments should not have keys
  • can then set people up by faking messages, by planting
    evidence
  • can spy on targets for their own purposes (which history
    tells us can include bribery, corporate espionage, drug-
    running, assassinations, and all manner of illegal and
    sleazy activities)
  • can sabotage contracts, deals, etc.
  • would give them access to internal corporate communications
  • undermines the whole validity of such contracts, and of
    cryptographic standards of identity (shakes confidence)
  • giving the King or the State the power to impersonate
    another is a gross injustice
  • imagine the government of Iran having a backdoor to read
    the secret journals of its subjects!
  • 4th Amendment
  • attorney-client privilege (with trapdoors, no way to know
    that government has not breached confidentiality)
    9.16.7. «How might the Clipper chip be foiled or defeated?»
  • Politically, market-wise, and technical
  • If deployed, that is
  • Ways to Defeat Clipper
    • preencryption or superencryption
    • LEAF blower
    • plug-compatible, reverse-engineered chip
    • sabotage
    • undermining confidence
    • Sun Tzu
      9.16.8. How can Clipper be defeated, politically?
      9.16.9. How can Clipper be defeated, in the market?
      9.16.10. How can Clipper be defeated, technologically?
      9.16.11. Questions
  • Clipper issues and questions
    • a vast number of questions, comments, challenges,
      tidbits, details, issues
    • entire newsgroups devoted to this
  • «What criminal or terrrorist will be smart enough to use
    encryption but dumb enough to use Clipper?»
    • This is one of the Great Unanswered Questions. Clipper’s
      supporter’s are mum on this one. Suggesting….
  • «Why not encrypt data before using the Clipper/EES?»
    • «Why can’t you just encrypt data before the clipper chip? Two answers: 1) the people you want to communicate with won’t have
      hardware to
      decrypt your data, statistically speaking. The beauty
      of clipper
      from the NSA point of view is that they are leveraging
      the
      installed base (they hope) of telephones and making it
      impossible
      (again, statistically) for a large fraction of the
      traffic to be
      untappable. 2) They won’t license bad people like you to make
      equipment like the
      system you describe. I’ll wager that the chip
      distribution will be
      done in a way to prevent significant numbers of such
      systems from
      being built, assuring that (1) remains true.» [Tom
      Knight, sci.crypt, 6-5-93]
  • What are the implications of mandatory key escrow?
    • «escrow» is misleading…
    • wrong use of the term
    • implies a voluntary, and returnable, situation
  • «If key escrow is «voluntary,» what’s the big deal?»
    • Taxes are supposedly «voluntary,» too.
    • A wise man prepares for what is possible and even
      likely, not just what is announced as part of public
      policy; policies can and do change. There is plenty of
      precedent for a «voluntary» system being made mandatory.
    • The form of the Clipper/EES system suggests eventual
      mandatory status; the form of such a ban is debatable.
  • «What is ‘superencipherment,’ and can it be used to defeat
    Clipper?»
    • preencrypting
    • could be viewed as a non-English language
    • how could Clipper chip know about it (entropy measures?)
    • far-fetched
    • wouldn’t solve traffic anal. problem
  • What’s the connection between Clipper and export laws?
  • «Doesn’t this make the Clipper database a ripe target?»
    • for subversion, sabotage, espionage, theft
    • presumably backups will be kept, and these will also be
      targets
  • «Is Clipper just for voice encryption?»
    • Clipper is a data encryption chip, with the digital data
      supplied by an ADC located outside the chip. In
      principle, it could thus be used for data encryption in
      general.
    • In practice, the name Clipper is generally associated
      with telephone use, while «Capstone» is the data standard
      (some differences, too). The «Skipjack» algorithm is used
      in several of these proposed systems (Tessera, also).
      9.16.12. «Why is Clipper worse than what we have now?»
  • John Gilmore answered this question in a nice essay. I’m
    including the whole thing, including a digression into
    cellular telephones, because it gives some insight–and
    names some names of NSA liars–into how NSA and NIST have
    used their powers to thwart true security.
    • «It’s worse because the market keeps moving toward
      providing real encryption. «If Clipper succeeds, it will be by displacing real
      secure encryption. If real secure encryption makes it
      into mass market communications products, Clipper will
      have failed. The whole point is not to get a few
      Clippers used by cops; the point is to make it a
      worldwide standard, rather than having 3-key triple-DES
      with RSA and Diffie-Hellman become the worldwide
      standard. «We’d have decent encryption in digital cellular phones
      now, except for the active intervention of Jerry
      Rainville of NSA, who `hosted’ a meeting of the standards
      committee inside Ft. Meade, lied to them about export
      control to keep committee documents limited to a small
      group, and got a willing dupe from Motorola, Louis
      Finkelstein, to propose an encryption scheme a child
      could break. The IS-54 standard for digital cellular
      doesn’t describe the encryption scheme — it’s described
      in a separate document, which ordinary people can’t get,
      even though it’s part of the official accredited
      standard. (Guess who accredits standards bodies though –
    • that’s right, the once pure NIST.) «The reason it’s secret is because it’s so obviously
      weak. The system generates a 160-bit «key» and then
      simply XORs it against each block of the compressed
      speech. Take any ten or twenty blocks and recover the
      key by XORing frequent speech patterns (like silence, or
      the letter «A») against pieces of the blocks to produce
      guesses at the key. You try each guess on a few blocks,
      and the likelihood of producing something that decodes
      like speech in all the blocks is small enough that you’ll
      know when your guess is the real key. «NSA is continuing to muck around in the Digital Cellular
      standards committee (TR 45.3) this year too. I encourage
      anyone who’s interested to join the committee, perhaps as
      an observer. Contact the Telecommunications Industry
      Association in DC and sign up. Like any standards
      committee, it’s open to the public and meets in various
      places around the country. I’ll lend you a lawyer if
      you’re a foreign national, since the committee may still
      believe that they must exclude foreign nationals from
      public discussions of cryptography. Somehow the crypto
      conferences have no trouble with this; I think it’s
      called the First Amendment. NSA knows the law here —
      indeed it enforces it via the State Dept — but lied to
      the committee.» [John Gilmore, «Why is clipper worse than
      «no encryption like we have,» comp.org.eff.talk, 1994-04-
      27]
      9.16.13. on trusting the government
  • «WHAT AM THE MORAL OF THE STORY, UNCLE REMUS?….When the
    government makes any announcement (ESPECIALLY a denial),
    you should figure out what the government is trying to get
    you to do–and do the opposite. Contrarianism with a
    vengance. Of all the advice I’ve offered on the
    Cypherpunks Channel, this is absolutely the most certain.»
    [Sandy Sandfort, 1994-07-17]
  • if the Founders of the U.S. could see the corrupt,
    socialist state this nation has degenerated to, they’d be
    breaking into missile silos and stealing nukes to use
    against the central power base.
  • can the government be trusted to run the key escrow system?
    • «I just heard on the news that 1300 IRS employees have
      been disciplined for unauthorized accesses to
      electronically filed income tax returns. ..I’m sure they
      will do much better, though, when the FBI runs the phone
      system, the Post Office controls digital identity and
      Hillary takes care of our health.» [Sandy Sandfort, 1994-
      07-19]
    • This is just one of many such examples: Watergate («I am
      not a crook!»), Iran-Contra, arms deals, cocaine
      shipments by the CIA, Teapot Dome, graft, payoffs,
      bribes, assassinations, Yankee-Cowboy War, Bohemian
      Grove, Casolaro, more killings, invasions, wars. The
      government that is too chicken to ever admit it lost a
      war, and conspicuously avoids diplomatic contact with
      enemies it failed to vanquish (Vietnam, North Korea,
      Cuba, etc.), while quickly becoming sugar daddy to the
      countries it did vanquish…the U.S. appears to be
      lacking in practicality. (Me, I consider it wrong for
      anyone to tell me I can’t trade with folks in another
      country, whether it’s Haiti, South Africa, Cuba, Korea,
      whatever. Crypto anarchy means we’ll have some of the
      ways of bypassing these laws, of making our own moral
      decisions without regard to the prevailing popular
      sentiment of the countries in which we live at the
      moment.)

9.17. Legal Issues with Escrowed Encryption and Clipper
9.17.1. As John Gilmore put it in a guest editorial in the «San
Francisco Examiner,» «…we want the public to see a serious
debate about why the Constitution should be burned in order
to save the country.» [J.G., 1994-06-26, quoted by S.
Sandfort]
9.17.2. «I don’t see how Clipper gives the government any powers or
capabilities it doesn’t already have. Comments?»
9.17.3. Is Clipper really voluntary?
9.17.4. If Clipper is voluntary, who will use it?
9.17.5. Restrictions on Civilian Use of Crypto
9.17.6. «Has crypto been restricted in the U.S.?»
9.17.7. «What legal steps are being taken?»

  • Zimmermann
  • ITAR
    9.17.8. reports that Department of Justice has a compliance
    enforcement role in the EES [heard by someone from Dorothy
    Denning, 1994-07], probably involving checking the law
    enforcement agencies…
    9.17.9. Status
  • «Will government agencies use Clipper?»
    • Ah, the embarrassing question. They claim they will, but
      there are also reports that sensitive agencies will not
      use it, that Clipper is too insecure for them (key
      lenght, compromise of escrow data, etc.). There may also
      be different procedures (all agencies are equal, but some
      are more equal than others).
    • Clipper is rated for unclassified use, so this rules out
      many agencies and many uses. An interesting double
      standard.
  • «Is the Administration backing away from Clipper?»
    • industry opposition surprised them
    • groups last summer, Citicorp, etc.
    • public opinion
    • editorial remarks
    • so they may be preparing alternative
    • and Gilmore’s FOIA, Blaze’s attack, the Denning
      nonreview, the secrecy of the algortithm
  • will not work
    • spies won’t use it, child pornographers probably won’t
      use it (if alternatives exist, which may be the whole
      point)
    • terrorists won’t use it
  • Is Clipper in trouble?
    9.17.10. «Will Clipper be voluntary?»
  • Many supporters of Clipper have cited the voluntary nature
    of Clipper–as expressed in some policy statements–and
    have used this to counter criticism.
  • However, even if truly voluntary, some issues
    • improper role for government to try to create a
      commercial standard
    • though the NIST role can be used to counter this point,
      partly
    • government can and does make it tough for competitors
    • export controls (statements by officials on this exist)
  • Cites for voluntary status:
    • original statement says it will be voluntary
    • (need to get some statements here)
  • Cites for eventual mandatory status:
    • «Without this initiative, the government will eventually
      become helpless to defend the nation.» [Louis Freeh,
      director of the FBI, various sources]
    • Steven Walker of Trusted Information Systems is one of
      many who think so: «Based on his analysis, Walker added,
      «I’m convinced that five years from now they’ll say ‘This
      isn’t working,’ so we’ll have to change the rules.» Then,
      he predicted, Clipper will be made mandatory for all
      encoded communications.» [
  • Parallels to other voluntary programs
    • taxes

9.18. Concerns
9.18.1. Constitutional Issues

  • 4th Amend
  • privacy of attorney-client, etc.
  • Feds can get access without public hearings, records
    • secret intelligence courts
    • «It is uncontested (so far as I have read) that under
      certain circum-
    • stances, the Federal intelligence community wil be
      permitted to
    • obtain Clipper keys without any court order on public
      record. Only
    • internal, classified proceedings will protect our
      privacy.»
      9.18.2. «What are some dangers of Clipper, if it is widely adopted?»
  • sender/receiver ID are accessible without going to the key
    escrow
    • this makes traffic analysis, contact lists, easy to
      generate
  • distortions of markets («chilling effects») as a plan by
    government
    • make alternatives expensive, hard to export, grounds for
      suspicion
    • use of ITAR to thwart alternatives (would be helped if
      Cantwell bill to liberalize export controls on
      cryptography (HR 3627) passes)
    • VHDL implementations possible
    • speculates Lew Glendenning, sci.crypt, 4-13-94
    • and recall MIPS connection (be careful here)
      9.18.3. Market Isssues
      9.18.4. «What are the weaknesses in Clipper?»
  • Carl Ellison analyzed it this way:
    • «It amuses the gallows-humor bone in me to see people
      busily debating the quality of Skipjack as an algorithm
      and the quality of the review of its strength. Someone proposes to dangle you over the Grand Canyon
      using sewing thread tied to
      steel chain
      tied to
      knitting yarn and you’re debating whether the steel chain has been X-
      rayed properly to see if there are flaws in the metal. «Key generation, chip fabrication, court orders,
      distribution of keys once acquired from escrow agencies
      and safety of keys within escrow agencies are some of the
      real weaknesses. Once those are as strong as my use of
      1024-bit RSA and truly random session keys in keeping
      keys on the two sides of a conversation with no one in
      the middle able to get the key, then we need to look at
      the steel chain in the middle: Skipjack itself.» [Carl
      Ellison, 1993-08-02]
    • Date: Mon, 2 Aug 93 17:29:54 EDT
      From: cme@ellisun.sw.stratus.com (Carl Ellison)
      To: cypherpunks@toad.com
      Subject: cross-post
      Status: OR Path: transfer.stratus.com!ellisun.sw.stratus.com!cme
      From: cme@ellisun.sw.stratus.com (Carl Ellison)
      Newsgroups: sci.crypt
      Subject: Skipjack review as a side-track
      Date: 2 Aug 1993 21:25:11 GMT
      Organization: Stratus Computer, Marlboro MA
      Lines: 28
      Message-ID: <23k0nn$8gk@transfer.stratus.com>
      NNTP-Posting-Host: ellisun.sw.stratus.com It amuses the gallows-humor bone in me to see people
      busily debating the
      quality of Skipjack as an algorithm and the quality of
      the review of its
      strength. Someone proposes to dangle you over the Grand Canyon
      using sewing thread tied to
      steel chain
      tied to
      knitting yarn and you’re debating whether the steel chain has been X-
      rayed properly
      to see if there are flaws in the metal. Key generation, chip fabrication, court orders,
      distribution of keys once
      acquired from escrow agencies and safety of keys within
      escrow agencies are
      some of the real weaknesses. Once those are as strong as
      my use of
      1024-bit RSA and truly random session keys in keeping
      keys on the two sides
      of a conversation with no one in the middle able to get
      the key, then we
      need to look at the steel chain in the middle: Skipjack
      itself.
    • «Key generation, chip fabrication, court orders,
      distribution of keys once acquired from escrow agencies
      and safety of keys within escrow agencies are some of
      the real weaknesses. Once those are as strong as my
      use of 1024-bit RSA and truly random session keys in
      keeping keys on the two sides of a conversation with no
      one in the middle able to get the key, then we need to
      look at the steel chain in the middle: Skipjack
      itself.»
      9.18.5. What it Means for the Future
      9.18.6. Skipjack
      9.18.7. National security exceptions
  • grep Gilmore’s FOIA for mention that national security
    people will have direct access and that this will not be
    mentioned to the public
  • «The «National Security» exception built into the Clipper
    proposal
    • leaves an extraordinarily weak link in the chain of
      procedures designed
    • to protect user privacy. To place awesome powers of
      surveillance
    • technologically within the reach of a few, hoping that so
      weak a chain
    • will bind them, would amount to dangerous folly. It
      flies in the face
    • of history.
      9.18.8. In my view, any focus on the details of Clipper instead of
      the overall concept of key escrow plays into their hands.
      This is not to say that the work of Blaze and others is
      misguided….in fact, it’s very fine work. But a general
      focus on the details of Skipjack does nothing to allay my
      concerns about the principle of government-mandated crypto.
    If it were «house key escrow» and there were missing details
    about the number of teeth allowed on the keys, would be then
    all breathe a sigh of relief if the details of the teeth were
    clarified? Of course not. Me, I will never use a key escrow
    system, even if a blue ribbon panel of hackers and
    Cypherpunks studies the design and declares it to be
    cryptographically sound.
    9.18.9. Concern about Clipper
  • allows past communications to be read
  • authorities could–maybe–read a lot of stuff, even
    illegally, then use this for other investigations (the old
    «we had an anonymous tip» ploy)
    • «The problem with Clipper is that it provides police
      agencies with dramatically enhanced target acquistion.
      There is nothing to prevent NSA, ATF, FBI (or the Special
      Projects division of the Justice Department) from
      reviewing all internet traffic, as long as they are
      willing to forsake using it in a criminal prosecution.»
      [dgard@netcom.com, alt.privacy.clipper, 1994-07-05]
      9.18.10. Some wags have suggested that the new escrow agencies be
      chosen from groups like Amnesty International and the ACLU.
      Most of us are opposed to the «very idea» of key escrow
      (think of being told to escrow family photos, diaries, or
      house keys) and hence even these kinds of skeptical groups
      are unacceptable as escrow agents.

9.19. Loose Ends
9.19.1. «Are trapdoors–or some form of escrowed encryption–
justified in some cases?»

  • Sure. There are various reasons why individuals, companies, etc. may want to use crypto protocols that allow them to decrypt even if they’ve lost their key, perhaps by going to their lawyer and getting the sealed envelope they left with him, etc.
    • or using a form of «software key escrow» that allows them
      access
  • Corporations that wish to recover encrypted data
    • several scenarios
    • employee encrypts important files, then dies or is
      otherwise unavailable
    • employee leaves company before decrypting all files
      • some may be archived and not needed to be opened for
        many years
    • employee may demand «ransom» (closely related to virus
      extortion cases)
    • files are found but the original encryptor is unknown
  • Likely situation is that encryption algorithms will be mandated by corporation, with a «master key» kept available
    • like a trapdoor
    • the existence of the master key may not even be
      publicized within the company (to head off concerns about
      security, abuses, etc.)
  • The mandatory use of key escrow, a la a mandatory Clipper
    system, or the system many of us believe is being developed
    for software key escrow (SKE, also called «GAK,» for
    «government access to keys, by Carl Ellison) is completely
    different, and is unacceptable. (Clipper is discussed in
    many places here.)
    9.19.2. DSS
  • Continuing confusion over patents, standards, licensing, etc.
    • «FIPS186 is DSS. NIST is of the opinion that DSS does not
      violate PKP’s patents. PKP (or at least Jim Bidzos) takes
      the position that it does. But for various reasons, PKP
      won’t sue the government. But Bidzos threatens to sue
      private parties who infringe. Stay tuned….» [Steve
      Wildstrom, sci.crypt, 1994-08-19]
    • even Taher ElGamal believes it’s a weak standard
  • subliminal channels issues
    9.19.3. The U.S. is often hypocritical about basic rights
  • plans to «disarm» the Haitians, as we did to the Somalians
    (which made those we disarmed even more vulnerable to the
    local warlords)
  • government officials are proposing to «silence» a radio
    station in Ruanda they feel is sending out the wrong
    message! (Heard on «McNeil-Lehrer News Hour,» 1994-07-21]
    9.19.4. «is-a-person» and RSA-style credentials
  • a dangerous idea, that government will insist that keys be linked to persons, with only one per person
    • this is a flaw in AOCE system
    • many apps need new keys generated many times

Descubre más desde Anonimato, Privacidad, Hacking & ++

Suscríbete y recibe las últimas entradas en tu correo electrónico.

Páginas: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

Los comentarios están cerrados.

Blog de WordPress.com.

Subir ↑