[NOTE: A critique follows the body of the article itself.]
THE FUTURE OF CRYPTOGRAPHY
Dorothy E. Denning
Georgetown University
Revised January 6, 1996
A few years ago, the phrase crypto anarchy was coined to suggest the
impending arrival of a Brave New World in which governments, as we
know them, have crumbled, disappeared, and been replaced by virtual
communities of individuals doing as they wish without interference.
Proponents argue that crypto anarchy is the inevitable -- and highly
desirable -- outcome of the release of public key cryptography into
the world. With this technology, they say, it will be impossible for
governments to control information, compile dossiers, conduct
wiretaps, regulate economic arrangements, and even collect taxes.
Individuals will be liberated from coercion by their physical
neighbors and by governments. This view has been argued recently by
Tim May [1].
Behind the anarchists' vision is a belief that a guarantee of absolute
privacy and anonymous transactions would make for a civil society
based on a libertarian free market. They ally themselves with
Jefferson and Hayek who would be horrified at the suggestion that a
society with no government control would be either civil or free. Adam
Ferguson once said "Liberty or Freedom is not, as the origin of the
name may seem to imply, an exemption from all restraints, but rather
the most effectual applications of every just restraint to all members
of a free society whether they be magistrates or subjects." Hayek
opens The Fatal Conceit: The Errors of Socialism (The University of
Chicago Press, 1988, ed. W.W. Bartley III) with Ferguson's quote.
Although May limply asserts that anarchy does not mean lawlessness and
social disorder, the absence of government would lead to exactly these
states of chaos.
I do not want to live in an anarchistic society -- if such could be
called a society at all -- and I doubt many would. A growing number of
people are attracted to the market liberalism envisioned by Jefferson,
Hayek, and many others, but not to anarchy. Thus, the crypto
anarchists' claims come close to asserting that the technology will
take us to an outcome that most of us would not choose.
This is the claim that I want to address here. I do not accept crypto
anarchy as the inevitable outcome. A new paradigm of cryptography, key
escrow, is emerging and gaining acceptance in industry. Key escrow
offers tools that would ensure that no individual has absolute
privacy or untraceable anonymity in all transactions. I argue
that this feature of the technology is what will allow individuals to
choose a civil society over an anarchistic one. I will review this
technology as well as what it will take to avoid crypto anarchy.
First, however, I will review the benefits, limitations, and drawbacks
of cryptography and current trends leading toward crypto anarchy.
Cryptography's Benefits, Limitations, and Drawbacks
The benefits of cryptography are well recognized. Encryption can
protect communications and stored information from unauthorized access
and disclosure. Other cryptographic techniques, including methods of
authentication and digital signatures, can protect against spoofing
and message forgeries. Practically everyone agrees that cryptography
is an essential information security tool, and that it should be
readily available to users. I take this as a starting assumption and,
in this respect, have no disagreement with the crypto anarchists.
Less recognized are cryptography's limitations. Encryption is often
oversold as the solution to all security problems or to threats that
it does not address. For example, the headline of Jim Warren's op-ed
piece in the San Jose Mercury News reads "Encryption could stop
computer crackers" [2]. Unfortunately, encryption offers no such
aegis. Encryption does nothing to protect against many common methods
of attack including those that exploit bad default settings or
vulnerabilities in network protocols or software -- even encryption
software. In general, methods other than encryption are needed to keep
out intruders. Secure Computing Corporation's Sidewinder[TM] system
defuses the forty-two "bombs" (security vulnerabilities) in Cheswick
and Bellovin's book, Firewalls and Internet Security (Addison Wesley,
1994), without making use of any encryption [3].
Moreover, the protection provided by encryption can be illusory. If
the system where the encryption is performed can be penetrated, then
the intruder may be able to access plaintext directly from stored
files or the contents of memory or modify network protocols,
application software, or encryption programs in order to get access to
keys or plaintext data or to subvert the encryption process. For
example, PGP (Pretty Good Privacy) could be replaced with a Trojan
horse that appears to behave like PGP but creates a secret file of the
user's keys for later transmission to the program's owner much like a
Trojan horse login program collects passwords. A recent penetration
study of 8932 computers by the Defense Information Systems Agency
showed 88% of the computers could be successfully attacked. Using PGP
to encrypt data transmitted from or stored on the average system could
be like putting the strongest possible lock on the back door of a
building while leaving the front door wide open. Information security
requires much more than just encryption -- authentication,
configuration management, good design, access controls, firewalls,
auditing, security practices, and security awareness training are a
few of the other techniques needed.
The drawbacks of cryptography are frequently overlooked as well. The
widespread availability of unbreakable encryption coupled with
anonymous services could lead to a situation where practically all
communications are immune from lawful interception (wiretaps) and
documents from lawful search and seizure, and where all electronic
transactions are beyond the reach of any government regulation or
oversight. The consequences of this to public safety and social and
economic stability could be devastating. With the government
essentially locked out, computers and telecommunications systems would
become safe havens for criminal activity. Even May himself
acknowledges that crypto anarchy provides a means for tax evasion,
money laundering, espionage (with digital dead drops), contract
killings, and implementation of data havens for storing and marketing
illegal or controversial material. Encryption also threatens national
security by interfering with foreign intelligence operations. The
United States, along with many other countries, imposes export
controls on encryption technology to lessen this threat.
Cryptography poses a threat to organizations and individuals too. With
encryption, an employee of a company can sell proprietary electronic
information to a competitor without the need to photocopy and handle
physical documents. Electronic information can be bought and sold on
"black networks" such as Black-Net [1] with complete secrecy and
anonymity -- a safe harbor for engaging in both corporate and
government espionage. The keys that unlock a corporation's files may
be lost, corrupted, or held hostage for ransom, thus rendering
valuable information inaccessible.
When considering the threats posed by cryptography, it is important to
recognize that only the use of encryption for confidentiality,
including anonymity, presents a problem. The use of cryptography for
data integrity and authentication, including digital signatures, is
not a threat. Indeed, by strengthening the integrity of evidence and
binding it to its source, cryptographic tools for authentication are a
forensic aid to criminal investigations. They also help enforce
accountability. Because different cryptographic methods can be
employed for confidentiality and authentication, any safeguards that
might be placed on encryption to counter the threats need not affect
authentication mechanisms or system protocols that rely on
authentication to protect against system intrusions, forgeries, and
substitution of malicious code.
The Drift Toward Crypto Anarchy
Crypto anarchy can be viewed as the proliferation of cryptography that
provides the benefits of confidentiality protection but does nothing
about its harms. It is government-proof encryption which denies access
to the government even under a court order or other legal order. It
has no safeguards to protect users and their organizations from
accidents and abuse. It is like an automobile with no brakes, no seat
belts, no pollution controls, no license plate, and no way of getting
in after you've locked your keys in the car.
The crypto anarchist position is that cyberspace is on a non-stop
drift toward crypto anarchy. Powerful encryption algorithms, including
the Data Encryption Standard (DES), triple-DES, RSA, and IDEA are
readily available at no charge through Internet servers as stand-alone
programs or as part of packages providing file or electronic mail
encryption and digital signatures. Among these, PGP, which uses RSA
and IDEA for encrypting files and electronic mail messages, has become
particularly popular. Software that will turn an ordinary PC into a
secure phone is posted on the Internet for free downloading. These
systems have no mechanisms for accommodating authorized government
decryption. Export controls have little effect as the programs can be
posted in countries that have no such controls.
In addition to the free encryption programs being distributed on the
net, encryption is becoming a basic service integrated into commercial
applications packages and network products. The IP Security Working
Group of the Internet Engineering Task Force has written a document
that calls for all compliant IPv6 (Internet Protocol, version 6)
implementations to incorporate DES cryptography.
Anonymous remailers, which allow users to send or post messages
without disclosing their identity or host system, have also become
popular on the Internet. May reports that there are about 20
cypherpunk-style remailers on the Internet, with more being added
monthly. These remailers allow unlimited nesting of remailing, with
PGP encryption at each nesting level. Anonymous digital cash, which
would provide untraceability of electronic payments, is on the
horizon.
The potential harms of cryptography have already begun to appear. As
the result of interviews I conducted in May, 1995, I found numerous
cases where investigative agencies had encountered encrypted
communications and computer files. These cases involved child
pornography, customs violations, drugs, espionage, embezzlement,
murder, obstruction of justice, tax protestors, and terrorism. At the
International Cryptography Institute held in Washington in September,
1995, FBI Director Louis Freeh reported that encryption had been
encountered in a terrorism investigation in the Philippines involving
an alleged plot to assassinate Pope John Paul II and bomb a U.S.
airliner [4].
AccessData Corp., a company in Orem, Utah which specializes in
providing software and services to help law enforcement agencies and
companies recover data that has been locked out through encryption,
reports receiving about a dozen and a half calls a day from companies
with inaccessible data. About one-half dozen of these calls result
from disgruntled employees who left under extreme situations and
refused to cooperate in any transitional stage by leaving necessary
keys (typically in the form of passwords). Another half dozen result
from employees who died or left on good terms, but simply forgot to
leave their keys. The third half dozen result from loss of keys by
current employees.
The Emergence of Key Escrow as an Alternative
The benefits of strong cryptography can be realized without following
the crypto anarchy path to social disorder. One promising alternative
is key escrow encryption, also called escrowed encryption [5]. The
idea is to combine strong encryption with an emergency decryption
capability. This is accomplished by linking encrypted data to a data
recovery key which facilitates decryption. This key need not be (and
typically is not) the one used for normal decryption, but it must
provide access to that key. The data recovery key is held by a trusted
fiduciary, which could conceivably be a governmental agency, court, or
trusted and bonded private organization. A key might be split among
several such agencies. Organizations registered with an escrow agent
can acquire their own keys for emergency decryption. An investigative
or intelligence agency seeking access to communications or stored
files makes application through appropriate procedures (which normally
includes getting a court order) and, upon compliance, is issued the
key. Legitimate privacy interests are protected through access
procedures, auditing, and other safeguards.
In April, 1993, in response to a rising need for and use of encryption
products, the Clinton Administration announced a new initiative to
promote encryption in a way that would not prohibit lawful decryption
when investigative agencies are authorized to intercept communications
or search computer files [6]. Government agencies were directed to
develop a comprehensive encryption policy that would accommodate the
privacy and security needs of citizens and businesses, the ability of
authorized government officials to access communications and data
under proper court or other legal order, the effective and timely use
of modern technology to build the National Information Infrastructure,
and the need of U.S. companies to manufacture and export high
technology products. The goal was not to prevent citizens from having
access to encryption or "to stigmatize cryptography as something only
criminals would use" [7]. As part of this encryption initiative, the
government developed an escrowed encryption chip called the Clipper
Chip.
Each Clipper Chip has a unique key that is programmed onto the chip
and used to recover data encrypted by that chip. This key is split
into two components, and the two components are held by two separate
government agencies: the National Institute of Standards and
Technology and the Department of Treasury Automated Systems Division.
Clipper's data encryption algorithm, Skipjack, is a classified
algorithm designed by the National Security Agency [8]. It has a key
size of 80 bits. The general specifications for the Clipper Chip were
adopted in February, 1994, as the Escrowed Encryption Standard (EES)
[9], which is a voluntary government standard for telephone
communications, including voice, fax, and data. Implementations of the
EES are required to use tamper-resistant hardware in order to protect
the classified algorithms. The chip and associated key escrow system
have been designed with extensive safeguards, including two person
control and auditing, to protect against any unauthorized use of keys
[10]. Clipper's key escrow system does not provide user data recovery
services.
The National Security Agency also designed a more advanced chip called
Capstone as part of the Multilevel Information System Security
Initiative (MISSI). Capstone implements the EES plus algorithms for
the Digital Signature Standard (DSS) and for establishing session
keys. It has been embedded in the Fortezza card (a PCMCIA card) where
it is used to provide the cryptographic services needed for
communications and file security. The private keys used for key
establishment and digital signatures, which are stored on the Fortezza
card, are not stored in Clipper's key escrow system. They are,
however, escrowed with the user's public-key certificate authority so
that they can be recovered in case the card becomes corrupted. This
allows encrypted files and previously received electronic mail
messages to be read. Fortezza cards are available with or without a
modem capability. The modem cards allow encryption and decryption to
be performed as part of the communications protocols or as independent
service calls (e.g., for encrypting the content of an e-mail message
or file).
The government has not been alone in its pursuit of key escrow
technology. Some type of key escrow is a feature or option of several
commercial products including Fisher Watchdog®, Nortel's Entrust,
PC Security Stoplock KE, RSA Secure[TM], and TECSEC Veil[TM].
Escrowing is done within the user's organization and serves primarily
to protect against data loss.
Several companies have proposed designs for commercial key escrow
systems where the escrow agents could be trusted third parties that
provide emergency decryption services for both registered users and
authorized government officials. Such escrow agents might be licensed,
with licenses granted to organizations demonstrating the capability to
administer key escrow encryption and safeguard keys and other
sensitive information. Some of the proposed systems have been designed
with the objective of being suitable for international use.
One such example is a proposal from Bankers Trust for an international
commercial key escrow system for secure communications [11]. Their
proposal uses a combination of hardware and software, unclassified
algorithms, and public-key cryptography for key establishment and key
escrow functions. Each user has a trusted encryption device, a
public-private signature key pair, and a public-private encryption key
pair that is used for establishing session keys and for data recovery.
The private encryption keys are escrowed through a device registration
process, and may be split among several escrow agents.
Trusted Information Systems (TIS) has proposed a commercial software
key escrow system intended primarily for file encryption [12]. A
commercial entity serves as a key escrow agent and operates a data
recovery center. To use the services of a particular center, a user
must register with the center. Emergency decryption is possible
through a key that is private to the center. The key is not released
to users or the government; instead, the center participates in the
decryption of each file that is encrypted under a distinct file
encryption key. TIS would franchise their data recovery centers to
interested organizations. National Semiconductor and TIS have jointly
proposed Commercial Automated Key Escrow (CAKE), which combines a
CAKE-enabled PersonaCard[TM] token (National's PCMCIA cryptographic
card) with a TIS data recovery center [13]. The goal is an exportable,
strong encryption alternative using accepted public encryption
algorithms such as DES, triple DES, and RSA.
Under current U.S. export regulations, encryption products with key
lengths greater than 40 bits are not generally exportable when used
for confidentiality protection. One of the attractions of key escrow
encryption is that by providing a mechanism for authorized government
decryption, it can enable the export of products with strong
encryption. For example, Clipper/Capstone devices are generally
exportable, even though the encryption algorithm is strong and uses
80-bit keys. Commercial key escrow approaches that use some form of
hardware token are good candidates for export as they can provide
reasonable protection against modifications to bypass the key escrow
functions. The Bankers Trust and National/TIS proposals take that
approach. Fortress U & T, Ltd. also has proposed a token-based
approach to key escrow [14].
Hardware encryption generally offers greater security than software.
Nevertheless, there is a large market for software encryption. On
August 17, 1995, the Clinton Administration announced a proposal to
allow ready export of software encryption products with key lengths up
to 64 bits when combined with an acceptable key escrow capability.
This policy would allow export of DES, for example, which uses 56-bit
keys, but not triple DES. Keys would be held by government-approved
trusted parties within the private sector, where they would support
both user data recovery and legitimate government decryption. The
proposal, which is still undergoing refinement as of December, is
expected to be implemented in early 1996.
Key escrow encryption has been a topic of growing interest in the
research community. Most of this work is reviewed in [5]. Silvio
Micali's proposal for "fair cryptosystems" [15] has influenced several
designs including the Bankers Trust proposal. Karlsruhe University's
TESS system uses smart cards for user keys which are escrowed [16]. A
proposal from Royal Holloway integrates escrow with the trusted third
parties that serve as certificate authorities [17].
Some type of escrow facility might be used to control anonymity
services as well as encryption. For example, escrow could be used with
digital cash and anonymous remailers to ensure traceability when there
is a court order or other legal authorization for information about
the originator of a transaction. Ernie Brickell, Peter Gemmell, and
David Kravitz propose a system for electronic cash that would
incorporate trustee-based tracing in an otherwise anonymous cash
system [18].
Alternatives to Key Escrow
Key escrow is not the only way of accommodating authorized government
access. Another approach is weak encryption. The data encryption keys
are short enough that a key can be determined by trying all
possibilities. From the user's perspective, key escrow encryption has
an advantage over weak encryption of allowing the use of strong
encryption algorithms that are not vulnerable to attack. However, for
applications where such a high level of security is not needed, weak
encryption offers a less costly alternative. A disadvantage of weak
encryption (unless it is extremely weak) from a law enforcement
perspective is that it can preclude real-time decryption in an
emergency situation (e.g., kidnapping).
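The following is an added example, not code from Denning's article or from any Clipper or EES implementation. It models the escrow design the article describes (a per-device key split between two escrow agents, a recovery field carried with every ciphertext, reconstruction of the device key only when all agents release their shares) and contrasts it with the exhaustive key search that this section describes for weak encryption. The HMAC-SHA256 keystream is a toy stand-in for Skipjack; the recovery-field layout, the 8-byte device identifier, the 16-byte check value and the 16-bit demonstration key are assumptions of the example, not the EES format.

```python
"""Added example (not from Denning's article or any Clipper implementation):
a simplified escrowed-encryption scheme and, for contrast, exhaustive key
search against a deliberately weak key. The HMAC-SHA256 keystream is a toy
stand-in for Skipjack; field layout, 8-byte device id, 16-byte check value
and the 16-bit demonstration key are assumptions of this example."""
import hashlib
import hmac
import os
import secrets

DEVICE_ID_LEN, NONCE_LEN, KEY_LEN, TAG_LEN = 8, 16, 32, 16


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Encryption and decryption are the same call. Demonstration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += xor_bytes(data[i:i + 32], block)
    return bytes(out)


def split_key(key, n):
    """n-of-n XOR split: every share is needed to rebuild the key, and any n-1
    shares together are uniformly random, so one agent alone learns nothing."""
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def join_key(shares):
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor_bytes(key, s)
    return key


def escrow_encrypt(device_id, device_key, session_key, plaintext):
    """Sending device: encrypt under the session key and attach a recovery field
    carrying the session key wrapped under this device's unique key. The check
    value is keyed by the session key so the receiving device can verify it."""
    nonce = os.urandom(NONCE_LEN)
    wrapped = keystream_xor(device_key, b"wrap" + nonce, session_key)
    body = device_id + nonce + wrapped
    tag = hmac.new(session_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag, keystream_xor(session_key, nonce, plaintext)


def escrow_decrypt(session_key, recovery_field, ciphertext):
    """Receiving device: refuse traffic whose recovery field was stripped or
    altered, so a user cannot keep the cipher while defeating the escrow."""
    body, tag = recovery_field[:-TAG_LEN], recovery_field[-TAG_LEN:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("recovery field missing or tampered; refusing to decrypt")
    nonce = body[DEVICE_ID_LEN:DEVICE_ID_LEN + NONCE_LEN]
    return keystream_xor(session_key, nonce, ciphertext)


def authorized_recovery(recovery_field, ciphertext, agents):
    """Escrow side: after the access procedure (a court order in the article's
    description) each agent releases its share for the device named in the
    field; the rebuilt device key unwraps the session key."""
    body = recovery_field[:-TAG_LEN]
    device_id = body[:DEVICE_ID_LEN]
    nonce = body[DEVICE_ID_LEN:DEVICE_ID_LEN + NONCE_LEN]
    wrapped = body[DEVICE_ID_LEN + NONCE_LEN:]
    device_key = join_key([agent[device_id] for agent in agents])
    session_key = keystream_xor(device_key, b"wrap" + nonce, wrapped)
    return keystream_xor(session_key, nonce, ciphertext)


def exhaustive_search(key_bits, nonce, ciphertext, known_prefix):
    """The article's other route to access: a key short enough to try every
    value. A few bytes of expected plaintext (a header) identify the hit."""
    for k in range(1 << key_bits):
        key = k.to_bytes(4, "big")
        if keystream_xor(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return key
    return None


def demo(weak_key_bits=16):
    """Run both scenarios on constructed inputs and report the outcomes."""
    device_id, device_key = b"DEV00042", os.urandom(KEY_LEN)
    share_a, share_b = split_key(device_key, 2)
    agent_a, agent_b = {device_id: share_a}, {device_id: share_b}  # two escrow agents
    session_key, msg = os.urandom(KEY_LEN), b"CALL: meet at the usual place at noon"
    field, ct = escrow_encrypt(device_id, device_key, session_key, msg)
    results = {"receiver_ok": escrow_decrypt(session_key, field, ct) == msg,
               "authorized_ok": authorized_recovery(field, ct, [agent_a, agent_b]) == msg,
               "single_agent_ok": authorized_recovery(field, ct, [agent_a]) == msg}
    try:  # a zeroed check value models a stripped or forged recovery field
        escrow_decrypt(session_key, field[:-TAG_LEN] + bytes(TAG_LEN), ct)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    weak_key = secrets.randbelow(1 << weak_key_bits).to_bytes(4, "big")
    nonce = os.urandom(NONCE_LEN)
    weak_ct = keystream_xor(weak_key, nonce, msg)
    results["weak_key_found"] = exhaustive_search(weak_key_bits, nonce, weak_ct, b"CALL:") == weak_key
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcome dictionary: the receiver and the two agents together recover the message, one agent alone gets garbage, a ciphertext with a zeroed recovery field is refused, and the 16-bit key falls to search in well under a second (a 40-bit key would take about 2^24 times longer with the same loop). Two design points follow from the article's discussion. The XOR split is all-or-nothing, so losing any agent's share loses the device key for good; that is the trade-off behind splitting keys among several agencies, and a threshold scheme is the usual alternative when availability matters as much as secrecy. The check value keyed under the session key is the only thing stopping a user from keeping the strong cipher and discarding the escrow field; in a real product that check and the tamper resistance of the device carry the whole guarantee, which is why the article treats hardware tokens as the safer export candidates.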
A third approach is link encryption. Communications are encrypted
on each link between adjacent network nodes, not end to end, so
plaintext can be accessed inside the network switching nodes. One
major advantage of link encryption is that it allows someone with a
cellular phone to protect the over-the-air connection into the phone
system without requiring that the other party have a compatible
encryption device or, indeed, use any encryption at all. The Global System
for Mobile Communications (GSM), a world-wide standard for mobile radio
telecommunications, encrypts communications transmitted over the radio
link, but they are decrypted before being transmitted through the rest
of the network. The disadvantage of link encryption is that plaintext
data are exposed in, potentially, many intermediate nodes. By
contrast, key escrow encryption can support secure end-to-end
encryption.
Crypto Anarchy is Not Inevitable
In the United States, there are no restrictions on the import,
manufacture, or use of cryptographic products (except that government
agencies are required to use government standards). The question is:
Are such controls needed or will voluntary key escrow, combined with
weak encryption and link encryption where appropriate, be sufficient
to avoid crypto anarchy?
Several factors will facilitate the adoption of key escrow. Because
key escrow products will be exportable, under appropriate conditions,
vendors will have a strong incentive to adopt key escrow, as it will
enable them to integrate strong cryptography into a single product
line for both domestic and international sales. Currently, vendors
must either install weak cryptography, which does not meet the needs
of many customers, or develop two sets of products, which greatly
increases costs and prohibits interoperability between domestic and
foreign customers. Users will have an incentive to purchase key escrow
products, because such products will protect them against lost or
damaged keys. The government's own commitment to key escrow will
ensure a large market for escrowed encryption products. As the market
develops, many users will choose key escrow products in order to
communicate with those using such products. Concern over the social
consequences of crypto anarchy will also motivate some people to
develop or use key escrow products. Finally, the adoption of key
escrow might be facilitated by legislation that would specify the
qualifications, responsibilities, and liabilities of
government-approved escrow agents. This legislation could define
unlawful acts relating to the compromise or abuse of escrowed keys
(e.g., deliberately releasing a key to someone who is not authorized
to receive it). Such legislation could ensure that at least approved
escrow agents satisfy the requirements of users and the government. It
also could allay the privacy concerns of those using approved escrow
agents.
International interest in key escrow will also contribute to its
success. There is growing recognition on the part of governments and
businesses worldwide of the potential of key escrow to meet the needs
of both users and law enforcement. In addition to providing
confidentiality and emergency backup decryption, escrowed encryption
is seen as a way of overcoming export restrictions, common to many
countries, which have limited the international availability of strong
encryption in order to protect national security interests. With key
escrow, strong exportable cryptography can be standardized and made
available internationally to support the information security needs of
international business. Key escrow could be a service provided by
trusted parties that manage the public-key infrastructure and issue
X.509 certificates. Some products and proposals for key escrow use
this approach.
At a meeting sponsored by the Organisation for Economic Co-operation and
Development (OECD) and the International Chamber of Commerce (ICC) in December,
1995 in Paris, representatives from the international business
community and member governments agreed to work together to develop
encryption policy guidelines based on agreed upon principles that
accommodate their mutual interests. The INFOSEC Business Advisory
Group (IBAG) issued a statement of seventeen principles that they
believe can form the basis of a detailed agreement [19]. IBAG is an
association of associations (mostly European) representing the
information security interests of users.
The IBAG principles acknowledge the right of businesses and
individuals to protect their information and the right of law-abiding
governments to intercept and lawfully seize information when there is
no practical alternative. Businesses and individuals would lodge keys
with trusted parties who would be liable for any loss or damage
resulting from compromise or misuse of those keys. The trusted parties
could be independently accredited entities or accredited entities
within a company. The keys would be available to businesses and
individuals on proof of ownership and to governments and law
enforcement agencies under due process of law and for a limited time
frame. The process of obtaining and using keys would be auditable.
Governments would be responsible for ensuring that international
agreements would allow access to keys held outside national
jurisdiction. The principles call for industry to develop open
voluntary, consensus, international standards and for governments,
businesses, and individuals to work together to define the
requirements for those standards. The standards would allow choices
about algorithm, mode of operation, key length, and implementation in
hardware or software. Products conforming to the standards would not
be subject to restrictions on import or use and would be generally
exportable.
EUROBIT (European Association of Manufacturers of Business Machines
and Information Technology Industry), ITAC (Information Technology
Industry Association of Canada), ITI (Information Technology Industry
Council, U.S.), and JEIDA (Japan Electronic Industry Development
Association) also issued a statement of principles for global
cryptography policy at the OECD meeting [20]. The quadripartite group
accounts for more than 90% of the worldwide revenue in information
technology. Acknowledging the needs of both users and governments,
their principles call for harmonization of national cryptography
policies and industry-led international standards.
It is conceivable that domestic and international efforts will be
sufficient to avoid crypto anarchy, particularly with support from the
international business community. However, it is possible that they
will not be enough. Many companies are developing products with strong
encryption that do not accommodate government access, standards groups
are adopting non-key escrow standards, and software encryption
packages such as PGP are rapidly proliferating on the Internet, which
is due, in part, to the crypto anarchists whose goal is to lock out
the government. Since key escrow adds to the development and operation
costs of encryption products, the price advantage of unescrowed
encryption products could also be a factor which might undermine the
success of a completely voluntary approach. If escrow is integrated
into the public-key infrastructure, however, cost might not be a
significant factor.
Considering the explosive growth of telecommunications and the
encryption market, it will be necessary to closely watch the impact of
encryption on law enforcement. If government-proof encryption begins
to seriously undermine the ability of law enforcement agencies to
carry out their missions and fight organized crime and terrorism, then
legislative controls over encryption technology may be desirable. One
possibility would be to license encryption products but not their use.
Licenses could be granted only for products that reasonably satisfy
law enforcement and national security requirements for emergency
decryption and provide privacy protections for users. The exact
requirements might be those that evolve from the current efforts of
the OECD and international business community to develop common
principles and standards. The manufacture, distribution, import, and
export of unlicensed encryption products would be illegal, but no
particular method of encryption would be mandated. Individuals would
be allowed to develop their own encryption systems for personal or
educational use without obtaining licenses, though they could not
distribute them to others. France and Russia have adopted licensing
programs, though of a somewhat different nature. Both countries
require licenses to use encryption.
Under this licensing program, commercial encryption products,
including programs distributed through public network servers, would
comply with government regulations. These products would not support
absolute privacy or completely anonymous transactions. Mainstream
applications would assure accountability and protect societal and
organizational interests. Although non-compliant products might be
distributed through underground servers and bulletin boards, such
products would not interoperate with licensed ones, so their use would
be limited.
Such an approach would not prevent the use of government-proof
encryption products by criminals and terrorists. They could develop
their own or acquire the products illegally. But an approach of this
type would make it considerably more difficult than it is at present.
Had such controls been adopted several years ago -- before programs
such as DES and PGP were posted on the Internet -- the encryption
products on the market today would support key escrow or some other
method for government access. It would not be possible to acquire
strong, government-proof encryption from reputable vendors or network
file servers. The encryption products available through underground
servers and the black market would most likely not possess as high a
quality as products developed through the legitimate market.
Underground products could have security vulnerabilities or be less
user friendly. They would not be integrated into standard applications
or network software.
Summary
Crypto anarchy is an international threat that has been stimulated by
international communications systems, including telephones and the
Internet. Addressing this threat requires an international approach
that provides both for secure international communications crossing
national boundaries and for electronic surveillance by governments of
criminal and terrorist activity taking place within their
jurisdictions. The adoption of an international approach is critical
in order to avoid a situation where the use of encryption seriously
endangers the ability of law enforcement agencies worldwide to fight
terrorism and crime. The result will not be worldwide suppression of
communications and encryption tools, as May asserts, but rather the
responsible use of such tools lest they lead to social disorder. Our
information superhighways require responsible conduct just as our
interstate highways do.
Key escrow encryption has emerged as one approach that can meet the
confidentiality and data recovery needs of organizations while
allowing authorized government access to fight terrorism and crime. It
can facilitate the promulgation of standards and products that support
the information security requirements of the global information
infrastructure. The governments of the OECD nations are working with
the international business community to find specific approaches that
are mutually agreeable.
Acknowledgments
An earlier version of this article was published in Internet Security
Review, Oct. 1995. Thanks to Bill Baugh and Peter Denning for helpful
comments on a draft of the article.
About the Author
Dorothy E. Denning is professor of computer science at Georgetown
University, where she is currently working on policy and technical
issues related to encryption and law enforcement. Address: Computer
Science Department, Georgetown University, 225 Reiss, Washington, DC,
20057; 202-687-5703; fax: 202-687-6067; e-mail:
denning@cs.georgetown.edu; http://www.cosc.georgetown.edu/~denning.
References and Notes
1. Tim May, "Crypto Anarchy and Virtual Communities," Internet
Security, April 1995, pp. 4-12.
2. Jim Warren, "Is Phil Zimmermann being persecuted? Why? By whom?
Who's next?," Internet Security, April 1995, pp. 15-21.
3. Secure Computing Corporation, "Answers to Frequently Asked
Questions About Network Security," Roseville, MN, Oct. 1994.
4. Louis J. Freeh, Keynote talk at International Cryptography
Institute, Sept. 1995. Available through
http://www.fbi.gov/crypto.htm.
5. For a description of the characteristics of key escrow encryption
systems and different proposals, see Dorothy E. Denning and Dennis K.
Branstad, "A Taxonomy of Key Escrow Encryption," Comm. ACM, to appear
Mar. 1996. More detailed descriptions of 30 systems can be
found through http://www.cosc.georgetown.edu/~denning/crypto. See also
Dorothy E. Denning, "Key Escrow Encryption: The Third Paradigm,"
Computer Security Journal, Summer, 1995 and Dorothy E. Denning,
"Critical Factors of Key Escrow Encryption Systems," Proc. National
Information Systems Security Conf., Oct. 1995.
6. Statement by the Press Secretary, The White House, April 16, 1993.
7. John A. Thomas, "Can the F.B.I. Stop Private Cryptography?,"
Internet Security, April 1995, pp. 13-14.
8. Because the algorithm is classified and not open to public review,
outside experts were invited to examine the algorithm and report their
findings to the public. See Ernest F. Brickell, Dorothy E. Denning,
Stephen T. Kent, David P. Maher, and Walter Tuchman, "The SKIPJACK
Review, Interim Report: The SKIPJACK Algorithm," July 28, 1993;
available through http://www.cosc.georgetown.edu/~denning/crypto.
9. National Institute of Standards and Technology, "Escrowed
Encryption Standard (EES)," Federal Information Processing Standards
Publication (FIPS PUB) 185, 1994.
10. For a technical description of the Clipper Chip and its key escrow
system, see Dorothy E. Denning and Miles Smid, "Key Escrowing Today,"
IEEE Communications, Vol. 32, No. 9, Sept. 1994, pp. 58-68. For a
less technical description and discussion of some of the issues
surrounding Clipper, see Dorothy E. Denning, "The Case for Clipper,"
MIT Technology Review, July 1995, pp. 48-55. Both articles can be
accessed through http://www.cosc.georgetown.edu/~denning/crypto.
11. Bankers Trust Electronic Commerce, "Private Key Escrow System,"
presentation at the SPA/AEA Cryptography Policy Workshop, Aug. 17, and
at the International Cryptography Institute 1995: Global Challenges,
Sept. 21-22, 1995.
12. Stephen T. Walker, Steven B. Lipner, Carl M. Ellison, and David M.
Balenson, "Commercial Key Escrow," to appear in Comm. ACM, Mar. 1996.
Also available from Trusted Information Systems, Inc., Glenwood, MD,
1995.
13. William B. Sweet and Stephen T. Walker, "Commercial Automated Key
Escrow (CAKE): An Exportable Strong Encryption Alternative," National
Semiconductor, iPower Business Unit, Sunnyvale, CA, June 4, 1995.
14. Carmi Gressel, Ran Granot, and Itai Dror, "International
Cryptographic Communication without Key Escrow; KISS: Keep the
Invaders (of Privacy) Socially Sane," presented at the International
Cryptography Institute 1995: Global Challenges, Sept. 21-22, 1995.
15. Silvio Micali, "Fair Cryptosystems," MIT/LCS/TR-579.c, Laboratory
for Computer Science, Massachusetts Institute of Technology,
Cambridge, MA, August 1994.
16. Thomas Beth, Hans-Joachim Knobloch, Marcus Otten, Gustavus J.
Simmons, and Peer Wichmann, "Clipper Repair Kit - Towards Acceptable
Key Escrow Systems," Proc. 2nd ACM Conf. on Computer and
Communications Security, 1994.
17. Nigel Jefferies, Chris Mitchell, and Michael Walker, "A Proposed
Architecture for Trusted Third Party Services," Royal Holloway,
University of London, 1995.
18. Ernie Brickell, Peter Gemmell, and David Kravitz, "Trustee-based
Tracing Extensions to Anonymous Cash and the Making of Anonymous
Change," Proc. Sixth Annual ACM-SIAM Symp. on Discrete Algorithms,
1995, pp. 457-466.
19. INFOSEC Business Advisory Group (IBAG) Statement. Available
through http://www.cosc.georgetown.edu/~denning/crypto.
20. EUROBIT-ITAC-ITI-JEIDA Statement. Available through
http://www.cosc.georgetown.edu/~denning/crypto.
[end Denning article, begin critique.]
From: Stanton McCandlish
Subject: Critique of Denning screed
Date: Mon, 29 Jan 1996 10:34:56 -0800 (PST)
> THE FUTURE OF CRYPTOGRAPHY
>
> Behind the anarchists' vision is a belief that a guarantee of absolute
> privacy and anonymous transactions would make for a civil society
> based on a libertarian free market. They ally themselves with
> Jefferson and Hayek who would be horrified at the suggestion that a
> society with no government control would be either civil or free. Adam
> Ferguson once said "Liberty or Freedom is not, as the origin of the
> name may seem to imply, an exemption from all restraints, but rather
> the most effectual applications of every just restraint to all members
> of a free society whether they be magistrates or subjects." Hayek
> opens The Fatal Conceit, The Errors of Socialism (The University of
> Chicago Press, 1988, ed. W.W. Bartley III) with Ferguson's quote.
>
> Although May limply asserts that anarchy does not mean lawlessness and
> social disorder, the absence of government would lead to exactly these
> states of chaos.
I have to point out that this is just as limp an assertion. I *agree*
with you on it, but as logical debate, this is flawed.
> I do not want to live in an anarchistic society -- if such could be
> called a society at all -- and I doubt many would. A growing number of
> people are attracted to the market liberalism envisioned by Jefferson,
> Hayek, and many others, but not to anarchy. Thus, the crypto
Agreed again. You might be surprised that EFFers aren't anarchists. ;)
> anarchists' claims come close to asserting that the technology will
> take us to an outcome that most of us would not choose.
Somewhat shaky - depends entirely on the definition of "anarchy" you
choose, and I doubt seriously that the definition chosen by the
cypherpunks would mesh very well with the definition you probably have in
mind here. But this may be a nitpick.
> This is the claim that I want to address here. I do not accept crypto
> anarchy as the inevitable outcome. A new paradigm of cryptography, key
> escrow, is emerging and gaining acceptance in industry. Key escrow is
> a technology that offers tools that would assure no individual
> absolute privacy or untraceable anonymity in all transactions. I argue
That's for sure. I still don't understand why you support the idea of a
key surrender system. It's not key escrow. My law firm holding for me
(hypothetically an attorney) my work-related crypto key so that in the
event of my death or termination, they can still access my files, and the
cases I was working on can continue - that is escrow (the holding of
property, such as keys or money, *for a client* who owns the escrowed
items), a two-party transaction. What you and NSA call key "escrow" is a
3-party transaction in which the user's property is surrendered to the
government or govt.-controlled "escrow" agent, for the government's own use,
not for the benefit of the property owner. That's not escrow.
I appreciate your honesty in stating up front that government access to
keys (GAK) - key surrender - does not provide anyone with absolute
privacy or anonymity, but I have to say that I feel that continuing to
use the term "key escrow" in the context of key surrender is
disingenuous and propagandistic. You may like GAK, but you'll continue
to be attacked on this point by all opponents until you quit doing it; I
cannot see how it profits you to continue doing so. Call it key
surrender, which it is.
> that this feature of the technology is what will allow individuals to
> choose a civil society over an anarchistic one. I will review this
> technology as well as what it will take to avoid crypto anarchy.
It won't take anything to avoid crypto-anarchy, because it won't happen. :)
> First, however, I will review the benefits, limitations, and drawbacks
> of cryptography and current trends leading toward crypto anarchy.
>
> Cryptography's Benefits, Limitations, and Drawbacks
>
> The benefits of cryptography are well recognized. Encryption can
> protect communications and stored information from unauthorized access
> and disclosure. Other cryptographic techniques, including methods of
> authentication and digital signatures, can protect against spoofing
> and message forgeries. Practically everyone agrees that cryptography
> is an essential information security tool, and that it should be
> readily available to users. I take this as a starting assumption and,
> in this respect, have no disagreement with the crypto anarchists.
>
You also leave out several things, such as the ability to not only
protect against forgery but to absolutely ascertain identity and
authenticity; and the ability to provide the relatively absolute (and
well established) anonymity of cash transactions, in the realm of
electronic transactions.
> Less recognized are cryptography's limitations. Encryption is often
> oversold as the solution to all security problems or to threats that
> it does not address. For example, the headline of Jim Warren's op-ed
> piece in the San Jose Mercury News reads "Encryption could stop
> computer crackers" [2]. Unfortunately, encryption offers no such
> aegis. Encryption does nothing to protect against many common methods
> of attack including those that exploit bad default settings or
> vulnerabilities in network protocols or software -- even encryption
> software. In general, methods other than encryption are needed to keep
> out intruders. Secure Computing Corporation's Sidewinder[TM] system
> defuses the forty-two "bombs" (security vulnerabilities) in Cheswick
> and Bellovin's book, Firewalls and Network Security (Addison Wesley,
> 1994), without making use of any encryption [3].
>
> Moreover, the protection provided by encryption can be illusory. If
> the system where the encryption is performed can be penetrated, then
> the intruder may be able to access plaintext directly from stored
> files or the contents of memory or modify network protocols,
> application software, or encryption programs in order to get access to
> keys or plaintext data or to subvert the encryption process. For
> example, PGP (Pretty Good Privacy) could be replaced with a Trojan
> horse that appears to behave like PGP but creates a secret file of the
> user's keys for later transmission to the program's owner much like a
> Trojan horse login program collects passwords. A recent penetration
> study of 8932 computers by the Defense Information Systems Agency
> showed 88% of the computers could be successfully attacked. Using PGP
> to encrypt data transmitted from or stored on the average system could
> be like putting the strongest possible lock on the back door of a
> building while leaving the front door wide open. Information security
> requires much more than just encryption -- authentication,
> configuration management, good design, access controls, firewalls,
> auditing, security practices, and security awareness training are a
> few of the other techniques needed.
>
Well said.
>
> The drawbacks of cryptography are frequently overlooked as well. The
> widespread availability of unbreakable encryption coupled with
> anonymous services could lead to a situation where practically all
> communications are immune from lawful interception (wiretaps) and
> documents from lawful search and seizure, and where all electronic
> transactions are beyond the reach of any government regulation or
> oversight. The consequences of this to public safety and social and
This is completely and totally contradicted by the previous paragraph,
which clearly shows that the security afforded by encryption hardly
produces "immunity" except in very carefully controlled circumstances.
Even a child can see this. I strongly suggest a re-write of these
sections, as they defy basic reasoning. (I don't mean to be overly
critical here - sometimes I write silly things too! I do however think
you should fix this part or no one will take this paper seriously.)
Additionally, you ignore the distinct possibility that it will be legally
possible to force disclosure of encryption keys, given a court order. I
know of no case that establishes 5th Am. protection for encryption keys.
That's not to say that there will never be such protection, but the issue
is not yet settled, and you owe it to less-informed readers to make
clear that your scenario only holds water *if* encryption keys cannot be
forced to be disclosed in the manner of documents or other computer
files. And that's really, incidentally, where the majority of
opposition to GAK is coming from. Most people who oppose GAK are not
crypto-anarchists - those folks are a distinct minority who mainly
congregate on one mailing list. The rest of us oppose it because it
gives easy and security-breaking access, more-or-less on a whim, to
encryption keys for law enforcement, with no requirement for a court
order to yield up the keys. I see little likelihood that the courts
will rule crypto keys protected under the Fifth, and as a result I see
no supportable rationale for GAK, other than the illegitimate (ab)use we
fear and you try to pretend is not possible.
> economic stability could be devastating. With the government
"Could" is the important word here. I think this is actually entirely
unlikely. As you well know, few wiretaps are conducted, and far fewer
ever yield useful information, much less result in convictions. The
world existed just fine, and society was plenty stable, during the time
that phones were widespread but wiretapping was not yet developed and
authorized. Wiretapping is demonstrably not a necessary law enforcement
function, but rather a convenience.
> essentially locked out, computers and telecommunications systems would
> become safe havens for criminal activity. Even May himself
This is so limp an assertion, it falls flat on its face.
> acknowledges that crypto anarchy provides a means for tax evasion,
> money laundering, espionage (with digital dead drops), contract
> killings, and implementation of data havens for storing and marketing
> illegal or controversial material. Encryption also threatens national
So does meeting with people in seedy bars or talking to them on street
corners in code words, or even quietly in plain English.
have everyone's tongue cut out?
> security by interfering with foreign intelligence operations. The
> United States, along with many other countries, imposes export
> controls on encryption technology to lessen this threat.
>
This is absolutely false. The export controls were imposed to prevent the
export of what was then considered to be a weapon of war. Civilian use for
criminal purposes had nothing to do with it, and continues to have
nothing to do with the law itself, only with its unconstitutional
enforcement. That's why crypto is on the *munitions* list.
> Cryptography poses a threat to organizations and individuals too. With
That's an irrational statement. People pose threats, inanimate objects
do not. A knife is a kitchen tool or a camping utility object until you
threaten someone with one.
> encryption, an employee of a company can sell proprietary electronic
> information to a competitor without the need to photocopy and handle
> physical documents.
Whoop-de-doo. They can also do this *without* encryption. This is
really, really nonsensical.
> Electronic information can be bought and sold on
> "black networks" such as Black-Net [1] with complete secrecy and
> anonymity -- a safe harbor for engaging in both corporate and
Black-Net was a silly idea Tim May and friends came up with, at least half-
jokingly. It does nothing. They've been reading too many Gibson and
Sterling books. Maybe you have too, if you think that's a viable idea.
> government espionage. The keys that unlock a corporation's files may
> be lost, corrupted, or held hostage for ransom, thus rendering
> valuable information inaccessible.
B.S.! Fundamental rule of encryption: Keep a backup copy of keys (and all
keys for that matter) in physically secured locations.
Anyone that gets burned this way got burned by their own stupidity. What
is a lot more likely is that the information will be copied and
disseminated to others, rather than left to rot. And this, too, is solved
by the same *basic* solution: keep keys in a physically secure location
(secure meaning secure enough to satisfy your level of paranoia. If you
are the DoD, that better be somewhere with guards and ID checkpoints.
For me, considerably less security, since my secrets are not worth that
much to me. For the Church of Scientology, it'd probably be even more
secure than the DoD. >:)
> When considering the threats posed by cryptography,
It is clear that they are negligible at best, and far outweighed by the
benefits.
> it is important to
> recognize that only the use of encryption for confidentiality,
> including anonymity,
Which you don't discuss here. Why? Because society and the law has
historically been very tolerant of anonymity?
> presents a problem. The use of cryptography for
> data integrity and authentication, including digital signatures, is
> not a threat.
Sure it is (or rather the misapplication or abuse of it is). Ask any
whistleblower if they would reveal government corruption or bad
practices, e.g. via alt.whistleblowers or comp.risks,
if every message they sent was not only denied anonymity but
incontrovertibly proven to be sent by them! Misapplication of digital
signature, e.g. by making it required or automatic, would be disastrous.
You do readers a serious disservice here by ignoring that fact.
> Indeed, by strengthening the integrity of evidence and
> binding it to its source, cryptographic tools for authentication are a
> forensic aid to criminal investigations. They also help enforce
Is the world of criminal investigation the only one you see any value at
all in? I'm sure it can't be, but it seems that way from what you say here.
> accountability. Because different cryptographic methods can be
> employed for confidentiality and authentication, any safeguards that
> might be placed on encryption to counter the threats need not affect
> authentication mechanisms or system protocols that rely on
> authentication to protect against system intrusions, forgeries, and
> substitution of malicious code.
>
I'm not sure I believe this. In fact I think I can counteract it with a
single example: The administration of the ITAR export regs restricts the
export of all encryption technology to small key lengths, including tech.
solely intended for authentication if it is even vaguely possible to
adapt that technology for other uses. As a result, the weak authentication
technology is (relatively) easily crackable, and ergo insecure. Thus,
the "safeguard" placed on privacy-enhancing encryption to "counter" the
so-called threats has indeed negatively affected authentication crypto.
> The Drift Toward Crypto Anarchy
>
What evidence have you of any such drift?
> Crypto anarchy can be viewed as the proliferation of cryptography that
> provides the benefits of confidentiality protection but does nothing
> about its harms. It is government-proof encryption which denies access
> to the government even under a court order or other legal order. It
> has no safeguards to protect users and their organizations from
> accidents and abuse. It is like an automobile with no brakes, no seat
> belts, no pollution controls, no license plate, and no way of getting
> in after you've locked your keys in the car.
>
This is all irrelevant, because crypto-anarchy is an unrealistic and
utopian idea. It has nothing to do with the real-world crypto debate.
> The crypto anarchist position is that cyberspace is on a non-stop
> drift toward crypto anarchy. Powerful encryption algorithms, including
*Who cares*? The Flat Earth Society position is that all the pictures of
the earth from space are fakes. Doodle-doodle-dee, wubba-wubba-wubba.
> the Data Encryption Standard (DES), triple-DES, RSA, and IDEA are
> readily available at no charge through Internet servers as stand-alone
> programs or as part of packages providing file or electronic mail
> encryption and digital signatures. Among these, PGP, which uses RSA
> and IDEA for encrypting files and electronic mail messages, has become
Got that backwards; it uses, respectively, RSA and IDEA for encrypting
email and files. More accurately (since email really is files), it uses RSA
for public-key encryption and IDEA for private, single-key encryption.
> particularly popular. Software that will turn an ordinary PC into a
> secure phone is posted on the Internet for free downloading. These
> systems have no mechanisms for accommodating authorized government
> decryption.
Sure they do: The cops can get a court order to turn over the crypto key.
Until and unless this is prohibited, you have no argument, and even if
crypto keys are eventually determined to be protected by the Fifth
Amendment in some circumstances, there is no evidence that law enforcement
would not be able to do its collective job. The fact that this job
would be marginally less convenient is a red herring. The same logic
would also require that we all be branded with ID numbers, implanted
with location devices, and monitored by cameras in our bathrooms.
Again, let's not be silly.
> Export controls have little effect as the programs can be
> posted in countries that have no such controls.
Precisely, and this is why GAK and ITAR will never work.
> In addition to the free encryption programs being distributed on the
> net, encryption is becoming a basic service integrated into commercial
> applications packages and network products. The IP Security Working
> Group of the Internet Engineering Task Force has written a document
> that calls for all compliant IPv6 (Internet Protocol, version 6)
> implementations to incorporate DES cryptography.
Thankfully.
> Anonymous remailers, which allow users to send or post messages
> without disclosing their identity or host system, have also become
> popular on the Internet. May reports that there are about 20
This is disingenuous. Remailers are used by very few people. I'd hardly
call them "popular". As other writers[*] have explained in some detail, one
of the main benefits that attracts people to the online world is the fact
that their opinions can be aired; part of that value is of course the fact
that one's name is attached to one's messages. Remailers can be abused,
both by annoying etiquette violators, and by people with criminal
intentions, but the same is true of all, including the US mail and pay
phones, not to mention ice picks and gasoline.
[* See _The_Virtual_Community_ by Howard Rheingold, in particular.]
> cypherpunk-style remailers on the Internet, with more being added
> monthly. These remailers allow unlimited nesting of remailing, with
> PGP encryption at each nesting level. Anonymous digital cash, which
This too is disingenuous. The total number of remailers in operation has
hardly grown in the last two years. Many remailers go out of operation
as well. Also, not all remailers handle encryption; only some of them
do. And not all of them are absolutely anonymous (c.f. the warrant served
on anon.penet.fi.)
> would provide untraceability of electronic payments, is on the
> horizon.
>
It's already here. Ever heard of DigiCash? Have you noticed that world
has yet to collapse in a ball of fire now that DigiCash is available?
Gosh, golly, but nothing earth-shaking has happened at all, other than
people now being able to spend money online without some nosy credit card
company poring over their purchases and putting them on the mailing lists
they sell to marketers looking to target certain kinds of "consumers."
> The potential harms of cryptography have already begun to appear. As
> the result of interviews I conducted in May, 1995, I found numerous
> cases where investigative agencies had encountered encrypted
> communications and computer files. These cases involved child
Cite them.
> pornography, customs violations, drugs, espionage, embezzlement,
> murder, obstruction of justice, tax protestors, and terrorism. At the
> International Cryptography Institute held in Washington in September,
> 1995, FBI Director Louis Freeh reported that encryption had been
> encountered in a terrorism investigation in the Philippines involving
> an alleged plot to assassinate Pope John Paul II and bomb a U.S.
> airliner [4].
1) Demonstrate that the investigations or prosecutions failed because of
encryption
2) Demonstrate that, in the event of any such failures (there probably
are none) that the harm to society is so great that we must all sacrifice
privacy to resolve this supposed problem.
3) Demonstrate, if you can demonstrate 1) and 2), that the proposed
solutions (GAK and crypto export controls) will actually solve the
problem, given that some of the best encryption is made outside the US in
countries with no export restrictions, and that such laws will be
unenforceable except within particular jurisdictions.
Can you not see that *no matter how much you fear encryption*, the
proposals to control it so far are worthless? No matter how much you may
stand for a position, it is irrational to support a proposal to implement
that position if the proposal is not viable. This is precisely why the
majority of Christians do not support the extremists' Internet censorship
legislation when they understand what it means in detail - they see that
it is flawed, and no matter how much any of them may agree with the
sentiment behind it (e.g. that "indecent" material is "bad"), they cannot
bring themselves to lend their support to a dismal and doomed proposal.
> AccessData Corp., a company in Orem, Utah which specializes in
> providing software and services to help law enforcement agencies and
> companies recover data that has been locked out through encryption,
> reports receiving about a dozen and a half calls a day from companies
How many law enforcement agencies, hmm?
> with inaccessible data. About one-half dozen of these calls result
> from disgruntled employees who left under extreme situations and
> refused to cooperate in any transitional stage by leaving necessary
> keys (typically in the form of passwords).
Another question is begged here: In how many of these cases are the
companies in question trying to decrypt material that has nothing to do
with them, but rather the private files of former employees? You might
be surprised by the answer.
> Another half dozen result
> from employees who died or left on good terms, but simply forgot to
> leave their keys. The third half dozen result from loss of keys by
> current employees.
This is all completely and totally irrelevant. All of this could be
solved with *real* (2-party, private sector) key escrow, which you can do
right now. Every company that uses crypto and will need to be able to
access *company* material encrypted by employees in the event of their
deaths or employment terminations, should institute a policy requiring
escrow of company keys either with another part of the company or an
outside trusted agency *that holds the keys for, and solely for, the
company*. Such a policy has nothing legitimate to say about employees' own
keys for encrypting personal material - if that is foreseen as a problem,
the policy should clearly forbid personal, non-work-related use of
company computing resources. And such a policy would have nothing
whatsoever to do with GAK.
At any rate, I think you do your readers the greatest disservice so far
by attempting to confuse true key escrow with 3-party Government Access to
Keys (key surrender). That's beyond disingenuous.
>
> The Emergence of Key Escrow as an Alternative
>
> The benefits of strong cryptography can be realized without following
> the crypto anarchy path to social disorder. One promising alternative
> is key escrow encryption, also called escrowed encryption [5]. The
> idea is to combine strong encryption with an emergency decryption
> capability. This is accomplished by linking encrypted data to a data
> recovery key which facilitates decryption. This key need not be (and
> typically is not) the one used for normal decryption, but it must
> provide access to that key. The data recovery key is held by a trusted
> fiduciary, which could conceivably be a governmental agency, court, or
> trusted and bonded private organization. A key might be split among
> several such agencies. Organizations registered with an escrow agent
> can acquire their own keys for emergency decryption. An investigative
> or intelligence agency seeking access to communications or stored
And again you try to equate the holding of keys by one private party
for a 2nd party, with holding by one party of the keys of a 2nd, for the
use of a third, the government. These are *not* the same thing, and you
know it. There is no logical connection between them whatsoever. I
cannot believe you try to insinuate such a falsehood into readers minds
that true key escrow, such as that needed by companies for emergency
decryption of company files, is in any way related to, or necessitates, a
system in which keys are held explicitly for spy and police agencies.
It's certainly logical (or at least consistent with our current legal
regime; there is in fact a distinction) that, given no 5th Am.
protection, and given a court-issued warrant, police be able to
seize *specific* escrowed keys, just as they can seize other papers and
effects, but there's a major difference between the voluntary,
commercial true-escrow system and the key surrender systems devised by
the NSA and its playthings: to wit, the latter system is not voluntary
in any meaningful sense of the word - the govt. is using export and other
issues as a stick to beat the public and industry into compliance;
and the system provides no service whatsoever for the key owner - the
surrendered key agencies respond solely to police and spy demands, and do
not (as so far proposed in the last 3 or 4 years, at any rate) provide
the service you tout as so important, above: the ability to provide *to
key owners* copies of their own keys for emergency decryption.
If anyone reading this has difficulty conceptualizing the difference,
here's an analogy:
Real key escrow is a service, like telephone service, which subscribers
voluntarily use and pay for. Law enforcement, in both cases, can seek
court orders to have the service turn over the goods. GAK, by contrast,
is analogous to a Wiretapping Bureau, through which all telephone calls,
regardless of telephone company, must pass, where they are recorded and
saved forever, *just in case* law enforcement might at some time need to see
what you said. The Wiretapping Bureau, of course, will not give you a
copy of your own past conversations if you happen to request them, but
exists solely to ensure that spooks and detectives have access to your
communications, come hell or high water.
> files makes application through appropriate procedures (which normally
> include getting a court order) and, upon compliance, is issued the
This is also disingenuous - the only documentation on this topic, drafts
of procedures from the Justice Dept., made no mention of court orders
whatsoever, and appeared to refer to subpoenas and other "authorization"
considerably easier to obtain and "prove" than court orders such as writs
of seizure. Court orders have fairly stringent requirements, such as
probable cause, and for good reason. The proposed rules in fact, would
have crippled other laws that protect the public, such as the rules that
prohibit the use in court of illegally obtained evidence. Given this, I
think the likelihood that a court order was intended as a definition of
"authorization" to be very, very slim. It was certainly not specifically
mentioned.
> key. Legitimate privacy interests are protected through access
> procedures, auditing, and other safeguards.
Yeah right. See above. The only draft access procedures so far produced,
to my knowledge, not only failed dismally to do this, but *specifically
let off-the-hook anyone that violated the access procedures*, in effect
giving precisely zero incentive to follow any of the rules, and in fact
giving quite a bit of incentive for agents to file improper requests, to
lie about destroying keys after they were used for the authorized
purpose, and to build "collections" of illegally obtained keys by which
to conduct illegal investigations and privacy violations for which they
could not be prosecuted - especially since all evidence they found that
way would have been perfectly admissible in court.
I have yet to meet anyone online or offline, with one exception, that
finds this reasonable.
>
>
> In April, 1993, as response to a rising need for and use of encryption
> products, the Clinton Administration announced a new initiative to
> promote encryption in a way that would not prohibit lawful decryption
> when investigative agencies are authorized to intercept communications
> or search computer files [6]. Government agencies were directed to
This is also misleading. It implies that other "initiatives to promote
encryption" would prohibit lawful decryption when cops have a warrant.
This is false. I am aware of no "initiatives to promote encryption" that
aim to prohibit law enforcement from doing anything (though some
encryption packages might make it difficult for police to decrypt).
> develop a comprehensive encryption policy that would accommodate the
> privacy and security needs of citizens and businesses, the ability of
Which GAK fails to do, and will always fail to do, because it is by
definition insecure - it is pre-compromised encryption, and it defeats
its own purpose.
> authorized government officials to access communications and data
> under proper court or other legal order, the effective and timely use
> of modern technology to build the National Information Infrastructure,
Nice, but meaningless, buzz words. The "National Information
Infrastructure" already exists. It's called the Internet. Even Gore
dropped this act a long time ago. And as you yourself pointed out, the
next version of the Internet protocols will include encryption[*], so no
action on the part of the White House is necessary here (even assuming
that NIST or other exec. branch agencies are in a good position to be
developing modern Internet standards, which is highly questionable.)
[* If it supports DES it can also support Triple-DES or any other
more-secure encryption scheme.]
> and the need of U.S. companies to manufacture and export high
> technology products.
Fails dismally at this too, since not only is the product in question
inherently insecure, it's also of little or no interest as a product
to any significant number of customers in the export market, who will
avoid GAKware like the plague, just as US customers would be disinclined
to buy broken encryption software designed specifically to be tappable by
Fidel Castro's secret police. Even if you never intend to go to Cuba,
there's just something fundamentally disconcerting about that kind of
thing to most people. It doesn't matter if you don't think that way. The
customers do, and as a result the product is not viable.
This is why security products like PGP, FolderBolt, and the like either
support foreign, strong crypto directly (e.g. IDEA is PGP's single-key
encryption) or they allow people to pick what crypto they want (e.g.
FolderBolt allows the user to swap Triple-DES or whatever in place of the
known-crackable DES if you want to.)
> The goal was not to prevent citizens from having
> access to encryption or "to stigmatize cryptography as something only
> criminals would use" [7].
Right. The goal was to prevent citizens having good encryption, and to
stigmatize good cryptography that is not pre-broken as something only
criminals would want.
> As part of this encryption initiative, the
> government developed an escrowed encryption chip called the Clipper
> Chip.
>
A direly flawed proposal. Not only buggy, but a bad idea from the outset,
rejected utterly by the vast majority of the industry and the informed
public, for many good reasons.
>
> Each Clipper Chip has a unique key that is programmed onto the chip
> and used to recover data encrypted by that chip. This key is split
> into two components, and the two components are held by two separate
> government agencies: the National Institute of Standards and
> Technology and the Department of Treasury Automated Systems Division.
> Clipper's data encryption algorithm, Skipjack, is a classified
> algorithm designed by the National Security Agency [8]. It has a key
> size of 80 bits. The general specifications for the Clipper Chip were
> adopted in February, 1994, as the Escrowed Encryption Standard (EES)
> [9], which is a voluntary government standard for telephone
Against the advice and demands of over 90% of the respondents to the
request for comments on the issue. It's easy to see here that NIST
and NSA simply do not give a rat's ass what anyone thinks about this, and
that their decisions were neither informed nor supported by even a
middling minority of anyone with a stake in this issue, including the
software industry, academia, cryptographic intellectual property holders,
online service providers, the media, or the general public. Given this,
I don't think the establishment of EES as a FIPS is in any way
significant other than as an example of irresponsible government in need
of a hell of a lot more oversight.
> communications, including voice, fax, and data. Implementations of the
> EES are required to use tamper-resistant hardware in order to protect
> the classified algorithms.
Whoop-de-doo. "Nothing is ever foolproof, because fools are so ingenious".
You can swap "child" for "fool", as the parents of the many children
killed by prescription medications in "child-resistant" bottles can tell you.
You can also replace "fool" with "cracker" or "reverse-engineering
specialist", as any sysadmin, or Intel, can tell you.
> The chip and associated key escrow system
> have been designed with extensive safeguards, including two person
> control and auditing, to protect against any unauthorized use of keys
See previous notes on this topic. The "safeguards" are the furthest thing
from "extensive", in anything other than the red-tape and paperwork
sense, and they almost explicitly encourage their own breakage, by
providing immunity to those who don't follow the "safeguards", and
providing for any ill-gotten-gains from the resulting illegal monitoring
to be used in court anyway.
> [10]. Clipper's key escrow system does not provide user data recovery
> services.
>
No kidding. As such it is NOT an escrow system.
>
> The National Security Agency also designed a more advanced chip called
> Capstone as part of the Multilevel Information System Security
> Initiative (MISSI). Capstone implements the EES plus algorithms for
> the Digital Signature Standard (DSS) and for establishing session
> keys. It has been embedded in the Fortezza card (a PCMCIA card) where
Fortezza was previously known as Tessera. Tessera (pl. tesserae) is a
Latin word, and refers to the chains and markers worn around the necks
of slaves in the Roman empire. Maybe NSA thinks that was a funny joke,
but the rest of the world is not laughing.
> it is used to provide the cryptographic services needed for
> communications and file security. The private keys used for key
> establishment and digital signatures, which are stored on the Fortezza
> card, are not stored in Clipper's key escrow system. They are,
> however, escrowed with the user's public-key certificate authority so
> that they can be recovered in case the card becomes corrupted. This
And so that spies and cops can decrypt your data, of course.
[...]
> The government has not been alone in its pursuit of key escrow
> technology. Some type of key escrow is a feature or option of several
> commercial products including Fisher Watchdog®, Nortel's Entrust,
> PC Security Stoplock KE, RSA Secure[TM], and TECSEC Veil[TM].
> Escrowing is done within the user's organization and serves primarily
> to protect against data loss.
Bingo.
>
>
> Several companies have proposed designs for commercial key escrow
> systems where the escrow agents could be trusted third parties that
> provide emergency decryption services for both registered users and
> authorized government officials. Such escrow agents might be licensed,
> with licenses granted to organizations demonstrating the capability to
> administer key escrow encryption and safeguard keys and other
> sensitive information. Some of the proposed systems have been designed
> with the objective of being suitable for international use.
In other words, they are proposing the same unnecessary mish-mash you've
concocted here: a combination of true key escrow, and key-surrender to
government. The question that begs asking, is how many of these
companies came up with these proposals because they were pressured into
doing so by the selective use of (or threat of use of) export controls.
I bet you *all* of them did. Well, OK, I'll grant maybe one or two who
actually thought it was a good idea themselves. I further predict that any
such exceptions will be either in the banking or credit industry (or some
other industry that thrives on obtaining and using other people's
personal information) or that they are government contractors. 'Nuff said.
A story we've heard from many people in the industry is this: "NSA (or
NIST, or the State Dept., or the White House) told us that either we do a
GAK system, or they'll deny us export approval for every security product
we ever make." (paraphrased, of course).
> One such example is a proposal from Bankers Trust for an international
> commercial key escrow system for secure communications [11]. Their
> proposal uses a combination of hardware and software, unclassified
> algorithms, and public-key cryptography for key establishment and key
> escrow functions. Each user has a trusted encryption device, a
> public-private signature key pair, and a public-private encryption key
> pair that is used for establishing session keys and for data recovery.
> The private encryption keys are escrowed through a device registration
> process, and may be split among several escrow agents.
>
NB: The banking industry is already very comfortable with providing
detailed information on customer transactions to law enforcement. Of
course they'd endorse something like this.
> Trusted Information Systems (TIS) has proposed a commercial software
> key escrow system intended primarily for file encryption [12]. A
> commercial entity serves as a key escrow agent and operates a data
> recovery center. To use the services of a particular center, a user
> must register with the center. Emergency decryption is possible
> through a key that is private to the center. The key is not released
> to users or the government; instead, the center participates in the
> decryption of each file that is encrypted under a distinct file
> encryption key. TIS would franchise their data recovery centers to
> interested organizations. National Semiconductor and TIS have jointly
> proposed Commercial Automated Key Escrow (CAKE), which combines a
> CAKE-enabled PersonaCard[TM] token (National's PCMCIA cryptographic
> card) with a TIS data recovery center [13]. The goal is an exportable,
> strong encryption alternative using accepted public encryption
> algorithms such as DES, triple DES, and RSA.
>
I suppose this is interesting...but it's kind of pointless for what we're
talking about here. TIS has come up with a hardware based system for a
very narrow market (PCMCIA-compatible computers, most of which are
laptops). This has no relevance to the larger market for encryption
software. It's also notable that TIS has produced non-escrowed products,
such as TIS-PEM, which are far more widely available and frequently used.
> Under current U.S. export regulations, encryption products with key
> lengths greater than 40 bits are not generally exportable when used
> for confidentiality protection. One of the attractions of key escrow
> encryption is that by providing a mechanism for authorized government
> decryption, it can enable the export of products with strong
> encryption. For example, Clipper/Capstone devices are generally
This is the carrot counterpart to the ITAR stick I've mentioned. It's
not a good deal though - the carrot is not a reward but bare sustenance. The
ITAR export controls are crippling US companies' ability to compete *at
all* in the global encryption market. As a result, some of them are so
desperate they may accept bad deals like this because at least they can
do *something*. It's like starving your donkey right to the verge of
death so that it will do anything at all to get a carrot, rather than
feeding it and keeping it healthy, and giving it carrots as a reward.
The end result is that the donkey - and the US side of the crypto market
- are going to be in bad health and very near death, even if the
carrot-and-stick wielder gets them to do some pointless tricks. It's a
crazy, zero-sum game.
The thing is, though, that GAK doesn't "allow" the export of better crypto.
Bureaucrats allow or disallow it, and several key legal cases are very
likely to remove that capricious prerogative as unconstitutional. When that
happens, GAK will die a very messy death indeed, trampled to pieces under
the running feet of market-starved entrepreneurs who'll finally have
access to the food trough - the world market for crypto.
Casting GAK in the role of helper to poor software producers who can't
export is a bunch of bunk. GAK is just a bone thrown to a starving dog.
It may make them shut up for a while, but it won't feed the industry.
Most of these people know it, and this is why you'll find the vast
majority of the crypto and software industry completely opposed to this
idea, and it's also why NIST had to pack its key escrow "summits" with
government representatives - when the majority consisted of industry
people, they just didn't cooperate, and many of them openly denounced
the entire thing. Even this didn't work. The reports I've seen of the
most recent such meeting indicate that the industry people have largely
abandoned it, and relegated it all to the dust bin, with NIST getting
only 1/3 or less of the previous attendance level. And many of the
people that did show up were anti-GAK activists.
[...]
> Hardware encryption generally offers greater security than software.
> Nevertheless, there is a large market for software encryption. On
> August 17, 1995, the Clinton Administration announced a proposal to
> allow ready export of software encryption products with key lengths up
> to 64 bits when combined with an acceptable key escrow capability.
> This policy would allow export of DES, for example, which uses 56-bit
> keys, but not triple DES. Keys would be held by government-approved
> trusted parties within the private sector, where they would support
> both user data recovery and legitimate government decryption. The
> proposal, which is still undergoing refinement as of December, is
> expected to be implemented in early 1996.
Too little too late. People don't want DES anymore, they want 3DES.
They sure as hell don't want DES with GAK built in.
Again, GAK is all just a really stupid idea. This is simple, basic
macro-economics 101 here. There is little demand for hardware crypto
devices, and a whole lot of demand for software based encryption that is
really secure, not pretend secure. You do the math.
> Key escrow encryption has been a topic of growing interest in the
> research community. Most of this work is reviewed in [5]. Silvio
> Micali's proposal for "fair cryptosystems" [15] has influenced several
> designs including the Bankers Trust proposal. Karlsruhe University's
> TESS system uses smart cards for user keys which are escrowed [16]. A
> proposal from Royal Holloway integrates escrow with the trusted third
> parties that serve as certificate authorities [17].
>
I certainly hope readers are not inclined by this to believe in any new
consensus here. What you neglect to mention is that the vast majority of
cryptosystems, implemented and still on paper, are in the opposite direction.
Only a small minority are GAK systems, though most would work fine in
real 2-party escrow systems.
>
> Some type of escrow facility might be used to control anonymity
> services as well as encryption. For example, escrow could be used with
> digital cash and anonymous remailers to ensure traceability when there
> is a court order or other legal authorization for information about
> the originator of a transaction. Ernie Brickell, Peter Gemmell, and
> David Kravitz propose a system for electronic cash that would
> incorporate trustee-based tracing in an otherwise anonymous cash
> system [18].
>
I cannot help but wonder how much of what you are talking about here and
above is actually voluntary, useful, 2-party true escrow, and how much (if
any) of it is GAK key-surrender.
>
>
> Alternatives to Key Escrow
>
>
>
> Key escrow is not the only way of accommodating authorized government
> access. Another approach is weak encryption. The data encryption keys
> are short enough that a key can be determined by trying all
> possibilities. From the user's perspective, key escrow encryption has
> an advantage over weak encryption of allowing the use of strong
> encryption algorithms that are not vulnerable to attack. However, for
> applications where such a high level of security is not needed, weak
> encryption offers a less costly alternative. A disadvantage of weak
Since when is good crypto costly? Crypto that the NSA probably can't
break is available for free right now, and in more user-friendly
implementations for prices less than most computer games.
> encryption (unless it is extremely weak) from a law enforcement
> perspective is that it can preclude real-time decryption in an
> emergency situation (e.g., kidnaping).
So can speaking in obscure foreign languages or code words. The very old
anti-GAK satire, "Why not make it illegal to speak anything but English"
[in America; French in France, etc.] still decimates these kinds of weak
arguments. It's certainly very sad that police will never be able to
solve every violent crime, but this is a fact of life, and more to the
point, it's a fact of a free society.
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, _Historical_Review_of_Pennsylvania_, 1759.
>
>
>
> Crypto Anarchy is Not Inevitable
>
No kidding. And you don't need GAK to prevent it.
>
> In the United States, there are no restrictions on the import,
> manufacture, or use of cryptographic products (except that government
> agencies are required to use government standards). The question is:
> Are such controls needed or will voluntary key escrow, combined with
> weak encryption and link encryption where appropriate, be sufficient
> to avoid crypto anarchy?
>
If you really believe crypto-anarchy will result from a lack of GAK (or
link encryption, or whatever backdoor strikes your fancy), I surmise that
you are even more paranoid than the cypherpunks.
>
> Several factors will facilitate the adoption of key escrow. Because
> key escrow products will be exportable, under appropriate conditions,
All crypto products are likely to be exportable *without* GAK after the
Karn and Bernstein cases are finished blowing holes in the ITAR. If GAK
ever gets any significant acceptance at all, it will be very short-lived.
> line for both domestic and international sales. Currently, vendors
> must either install weak cryptography, which does not meet the needs
> of many customers, or develop two sets of products, which greatly
> increases costs and prohibits interoperability between domestic and
> foreign customers.
This is silly. This argument only works if you pretend that only the US
produces software. We are a world leader at it, but we have no monopoly,
and the rest of the world is catching up. And we don't have anything near a
monopoly on crypto. There are two other avenues here: 1) European,
Asian and other companies will fill the niche (and there are no *import*
restrictions on crypto here), or 2) US companies or their allies will
develop strong crypto outside the US (PGP was written this way). Either
one of these defeats the entire GAK/ITAR carrot-and-stick scam - and
both, not just one or the other, are *already happening now.*
> Users will have an incentive to purchase key escrow
> products, because such products will protect them against lost or
> damaged keys.
This is not true of GAK, which provides no such key recovery; and it is
only true of real key escrow within a segment of the market (and not the
segment the spies and police care about.) Additionally, expect many if
not most companies to escrow their own employee work-related keys internally.
It will suit their purposes and be more cost-effective. When serious
and valuable trade secrets are involved, you may have some potential
customers for external escrow companies, but only if the customers are
very convinced of the security and accountability of the entire system -
something severely lacking in the proposals to date. Do you think Intel,
especially after already losing ground in the trade secrets area to Cyrix
and AMD, would even for a moment consider having its crypto keys escrowed
by an outside party? Highly unlikely.
> The government's own commitment to key escrow will
> ensure a large market for escrowed encryption products. As the market
> develops, many users will choose key escrow products in order to
> communicate with those using such products. Concern over the social
> consequences of crypto anarchy will also motivate some people to
> develop or use key escrow products.
I believe both of these to be very wishful thinking. If I've noticed one
thing in the last decade it is a huge increase in distrust of government,
at all levels. I've also noticed lately a remarkable trend away from
government setting standards to the private sector doing so. As for
social responsibility, I think you'll have a hard time convincing people
that "the anarchists are coming, the anarchists are coming!" Hell, the
Libertarian Party can't even convince that many people that they are
headed the right direction, and they're far more moderate than anarchists. I
don't know how you expect people to buy the idea that anarchist cypherpunks
are going to inherit the earth. And if industry were concerned,
by-and-large, about social consequences, the various organizations that
are spending their time watchdogging all the dire health problems of
pollution and so forth would not be here.
Dream on.
> Finally, the adoption of key
> escrow might be facilitated by legislation that would specify the
> qualifications, responsibilities, and liabilities of
> government-approved escrow agents. This legislation could define
> unlawful acts relating to the compromise or abuse of escrowed keys
> (e.g., deliberately releasing a key to someone who is not authorized
> to receive it). Such legislation could ensure that at least approved
> escrow agents satisfy the requirements of users and the government. It
> also could allay the privacy concerns of those using approved escrow
> agents.
Maybe so. Would sure beat the heck out of the Exec. branch's proposed rules!
> International interest in key escrow will also contribute to its
> success. There is growing recognition on the part of governments and
> businesses worldwide of the potential of key escrow to meet the needs
> of both users and law enforcement. In addition to providing
If you mean *real* key escrow, sure, and I don't disagree with you that
we'll see a small market for such stuff. But, again, you are mixing apples
and oranges. You imply here broad global support for GAK. There is no such
support. What there is, is an increased loathing of this idea,
*especially* abroad, after our government began trying to push Clipper on
foreign governments.
> It is conceivable that domestic and international efforts will be
> sufficient to avoid crypto anarchy, particularly with support from the
> international business community. However, it is possible that they
> will not be enough. Many companies are developing products with strong
> encryption that do not accommodate government access, standards groups
> are adopting non-key escrow standards, and software encryption
> packages such as PGP are rapidly proliferating on the Internet, which
> is due, in part, to the crypto anarchists whose goal is to lock out
> the government. Since key escrow adds to the development and operation
What is all this conspiracy theory nonsense? PGP has spread far and wide
because it serves a purpose and people want it. Notably, the world has
*not* suddenly gone to shit as a result. That paragraph of yours up there
has to be one of the stranger ones I've read in some time. It's
"conceivable" that a bunch of bureaucrats passing unenforceable and
unworkable regulations will stop something that isn't coming anyway?
Whatever do you mean by this?
Of course companies and individual authors are producing software that
does not have Big Brother inside. It's the only sane thing to do, given
the insanity of proposals like Clipper and the latest round of NIST GAKware.
This is also why GAK is doomed. As long as one person somewhere in the
world has a strong encryption program and internet access, the genie remains
out of the bottle. Really, I see only a few possible resolutions for
those who don't like the idea of people having access to crypto that
spies and cops can't decrypt for convenience's sake:
1) Get over it.
2) Kill everyone in the world.
3) Destroy the Internet.
4) Develop some super new technique that renders crypto worthless (e.g.
mass mindreading, or a supercomputer so incredible that it can crack any
crypto.)
I think only the first option is feasible, unless I've missed something.
> costs of encryption products, the price advantage of unescrowed
> encryption products could also be a factor which might undermine the
> success of a completely voluntary approach. If escrow is integrated
> into the public-key infrastructure, however, cost might not be a
> significant factor.
What are you talking about? What "public-key infrastructure"? The only
public key infrastructure there is was built, on a volunteer basis,
globally, quite some time ago. It is decidedly not GAK compatible. It's
called the PGP Key Server system.
Anyway, none of that really makes a difference. No matter how you slice
it, key escrow of any sort, especially GAK, will add to costs and
overhead. I have no idea why you think that having an "infrastructure"
will have any effect at all on the costs of producing support for that
infrastructure. If it takes 2 weeks to integrate code into my software to
support transmission of pictures via email, it makes no difference
whatsoever whether there is an "infrastructure" to support that feature.
It could be MIME, or it could be a "standard" I invented myself the day
before. The time, and therefore money, to add that capability has still
been spent. Again, this is just basic economics.
> >
> Considering the explosive growth of telecommunications and the
> encryption market, it will be necessary to closely watch the impact of
> encryption on law enforcement. If government-proof encryption begins
> to seriously undermine the ability of law enforcement agencies to
> carry out their missions and fight organized crime and terrorism, then
> legislative controls over encryption technology may be desirable. One
Sadly, this is likely to happen in many places. In the US, we have this
thingamajig called the First Amendment, though.
> Such an approach would not prevent the use of government-proof
> encryption products by criminals and terrorists. They could develop
> their own or acquire the products illegally. But an approach of this
> type would make it considerably more difficult than it is at present.
What a load! I'll say this one more time. Learn it. Know it.
*AS LONG AS ONE PERSON ANYWHERE IN THE WORLD CAN POST A SOLID ENCRYPTION
PACKAGE ON THE NET, YOU CANNOT STOP THE SPREAD OF SOLID ENCRYPTION.*
Same goes for "indecency" or anything else. Legislators and regulators and
pundits are just going to have to come to terms with this
incontrovertible fact and get over it.
"Such an approach" as you outline above will NOT make it more difficult
for Bad Guys(TM) to get crypto. It will just make it more difficult for
plain ol' law abiding citizens to get it. The criminally minded who
need/want crypto for their "occupations" will be willing and able to
devote considerable time and resources to getting it (not that they'll
need to try hard - unless every country in the world bans non-GAK crypto,
and destroys all archives of things like PGP source code in existence
anywhere in the world - which will entail quite a bit of real,
honest-to-goodness bookburning, and the raiding of a few million homes, it
will always be available somewhere, and readily findable in a matter of
seconds from Internet search services like Lycos or WebCrawler.) Mom and
pop who just want to keep their credit card numbers safe or whatever are
not going to be able or willing to devote much time to finding the
crypto they need - though it won't be much time. These phantasmal and
nebulous criminals you see swarming everywhere will have no problem doing so.
It's clear and obvious to me and to most other people who give this issue
any thought at all that the real goal of GAK is not to thwart the
Four Horsemen of the Infobahn (organized crime, terrorists, child
pornographers/molesters/stalkers, and drug dealers, all of whom are far
less hazardous in reality than drunk drivers) from having unbreakable
crypto, which GAK very certainly will not at all prevent; but rather the
purpose of GAK is to prevent the general populace from having strong
crypto. I don't think I need to elaborate on why that's not a Good Thing.
> Had such controls been adopted several years ago -- before programs
> such as DES and PGP were posted on the Internet -- the encryption
> products on the market today would support key escrow or some other
> method for government access. It would not be possible to acquire
> strong, government-proof encryption from reputable vendors or network
> file servers. The encryption products available through underground
So f'ing what! Do you think any significant number of people care at all
(or can even tell) whether an Internet file server is 'reputable',
whatever that means? Maybe you don't know this, but half the time when
people grab files off the net, *they have no idea where they are getting
it from*. They just click a button, wait a few minutes and there it is.
Do you remember when the PGP v. RSA patent law flap was going on, or when
the news broke that Phil Zimmermann, author of PGP, was under
investigation for ITAR export violation? Do you realize that a lot more
people have and use PGP now than they did before these events? Doesn't this
indicate anything to you?
> servers and the black market would most likely not possess as high a
> quality as products developed through the legitimate market.
What a crock! There are no "underground" servers. If it's on the net,
it's on the net. Net search engines will find it. You also presume some
kind of magical alliance between every country on earth to ban crypto.
Get real! Maybe in Star Trek, but this is the real world. There's not even
that kind of agreement on *murder* (for example it is, or was until
recently, legal in Brazil to kill a spouse if you caught them in bed
conducting an extramarital affair.)
And the notion that products produced by what you call an "underground"
would not be good is just plain silly. PGP itself is a great example.
It's very good, and so good that in fact the commercial sector has
adopted it, with companies like ViaCrypt licensing it to sell commercially!
Wishful thinking, Dr. Denning.
> Underground products could have security vulnerabilities or be less
> user friendly. They would not be integrated into standard applications
> or network software.
I know of no crypto product more integratable into existing applications
than PGP. It is not particularly user friendly, but was not written to
be. Other parties provide what are called "shells" to make it user friendly.
As an archivist of this kind of material, I'd guesstimate there are
probably at least 30 of these, and several for almost all computer platforms.
The net result is *more* user friendliness, because people can pick
whichever shell (or "front-end") suits them the best, rather than having
to settle for whatever they get out of the box.
As *basic programming* - not just Microsoft-level 40-person megaproject
coding - increasingly turns toward object orientation, plug-and-play
libraries, and the like, expect an increase, not a decrease, in the
interoperability, compatibility and user-friendliness of independently
authored (or "underground" as you call it) software. This isn't a
prediction, really, but an observation of ongoing fact.
As for security, I know of no security holes in PGP (other than the
vulnerabilities it shares with all other encryption software, such as key
loss or theft, etc.) The bugs that have been discovered in previous
versions have been fixed almost instantly, if not by the software's original
authors, then by other users. This is made possible because the source
code is available - not the situation with the Microsofts and Broderbunds
of the world, who save up bug fixes for months, sometimes years, before
releasing a new version.
Your faith in big-name software houses (whose products are in fact
notoriously buggy for the most part) and lack of faith in independent
software authors (well known for speedy bug fixes and immediate release
of those fixes) is based on a number of myths about software, I'm afraid.
> Summary
>
> Crypto anarchy is an international threat which has been stimulated by
> international communications systems including telephones and the
> Internet.
This is silly, paranoid rambling. I'm serious. You could be doing
incalculable harm to your reputation and career by writing stuff like this.
You've been had.
> Addressing this threat requires an international approach
That will never happen in a million years. You may get a few blocs here
and there, but never the entire globe, and that's what it would take to
pull off the scheme you imagine (which *still* wouldn't work, because
it's essentially physically impossible to monitor all of the net all of
the time. Trust me: people believe in privacy enough that they would
continue to pass around good, real encryption software, especially given
the unenforceable nature of laws that would try to censor the Internet.)
If you don't believe this, I encourage you to have a look at the present.
I challenge you to find any encryption software on the net that has not
been exported out of the US. People blatantly disregard the ITAR regs,
and will continue to do so, because privacy is more important to them
than compliance with an irrational and unconstitutional law.
> that provides for both secure international communications crossing
But it *wouldn't* provide that. Where is it coming from, this persistent
myth that a system that the government can crack is somehow magically
invulnerable to any other attack? Where is it coming from, this even more
persistent and even more unsupportable belief that the government is
always on the right side, that police and spy agencies do not violate the
rights of citizens on a daily if not hourly or minutely basis? I could
almost forgive this as (barely) understandable, but nonetheless self-
delusional hyper-patriotism if you were just advocating GAK for the U.S.,
but you are advocating it everywhere, internationally...including places
where totalitarian regimes are in power, where people are shot or
mutilated for expressing dissident political beliefs, where the
government already has so much power that people live under a constant
cloud of fear for their very lives.
As Phil Zimmermann can tell you, people have written to thank him for
writing PGP, because it *saved their lives*. Somehow I really doubt every
one of these people is lying. And I really doubt they give a hoot at
all about the ITAR regs, or feel sorry for spies who actually have to
work a little harder to snoop.
> national boundaries and electronic surveillance by governments of
> criminal and terrorist activity taking place within their
> jurisdictions.
Like that perpetrated by their very own secret police maybe? Or maybe
you mean "terrorist activity" as defined by the People's Republic of
China...heinous crimes like demanding to be able to vote?
And let's not forget surveillance by governments of communications taking
place well outside their jurisdictions. Maybe you've forgotten this
fact, but that's what the NSA exists for. It's called Signals
Intelligence or SIGINT, and it means spying on the world's
communications. It doesn't even matter if you think NSA is great and
have the interests of Americans like you and me in mind. NSA is not the
only entity doing this, and those other entities do not have our
interests in mind.
> The adoption of an international approach is critical
> in order to avoid a situation where the use of encryption seriously
> endangers the ability of law enforcement agencies, worldwide, to fight
> terrorism and crime.
Where are you getting this from? Law enforcement hardly uses wiretaps at
all (except in some other countries with even worse governments - I'm
talking about the US), and they don't help nearly as much as you seem
to think they do. Only a fraction of the people that are wiretapped are
ever convicted. Somehow this doesn't strike me as much of a threat.
And how many terrorist incidents have been thwarted by the wiretapping
you feel to be so endangered? There may be a few, but OKC and the World
Trade Center sure as hell weren't among them. The fact is that most
terrorism is combated quite effectually without wiretapping. And I
dare you to find any case, anywhere, of a terrorist incident being
stopped by monitoring email, or of such an incident failing to be
stopped because email could not be decrypted.
"You are all optimizing against the imaginable, not the probable. And the
imaginable, especially the imaginable evil, has no inertia at all. There
is no limit to what it might do and therefore, there is no limit to what one
must do to prevent it...If we are to design all of our policies around the
worst thing that could possibly happen, if we are trying to achieve a
world of such absolute safety that no one in power can ever be blamed for
a human-caused catastrophe, we will have to endow law enforcement with
powers of surveillance which will make a police state not just imaginable
but probable."
- EFF co-founder John Perry Barlow, in a letter to Administration staffers
regarding the Clipper and Digital Telephony surveillance scheme, on
which the Administration refused to back down, citing 1) fear of
terrorists using untappable communications to plan a nuclear bombing
of the World Trade Center, and 2) the reaction the voting public
would have toward the Administration in the event of such terrorism.
> The result will not be worldwide suppression of
> communications and encryption tools, as May asserts, but rather the
Sure it would, and I can prove it with basic logic:
We have (non-escrowed) encryption tools, some of which are also
communications tools. You would take them away or render them
compromised. That's suppression. You would do this internationally.
That means worldwide. There you have it: Worldwide suppression of
communications and encryption tools. End of argument.
> responsible use of such tools lest they lead to social disorder. Our
> information superways require responsible conduct just as our
> interstate highways require.
This is counterfactual. You are not proposing anything to do with
responsible use of a tool, you are proposing taking away one tool and
replacing it with another. Taking away my metal hammer and giving me a
rubber mallet that will not hammer the nails I want to hammer, just because
metal hammers can potentially be used to hit people in the head, is not
encouraging my responsible use of a metal hammer, it's suppressing my
quite proper and legitimate use of the tool.
>
> Key escrow encryption has emerged as one approach that can meet the
> confidentiality and data recovery needs of organizations while
> allowing authorized government access to fight terrorism and crime.
Horsehocky. Key escrow has emerged as one approach that can meet the
confidentiality and data recovery needs of certain kinds of customers,
while on the other hand key surrender has not emerged as anything but a
bad idea, though it is being pushed as means of allowing "authorized"
government access for whatever reason is sufficient to get the
"authorization" (e.g. "Hey sarge, I need a subpoena"), with no
protections against abuse, and certainly no clear evidence that it would
do anything to stop terrorism or other crimes in a significant way; but
given the increased incidence of police abuses of authority and
corruption - even downright national-security-threatening treason - in the
intelligence community, would probably be used for unethical, illegal
and totalitarian ends.
Key escrow and key surrender are not the same, but certain people like
you and some folks at NSA and NIST would like to marry the ideas and
produce some kind of mutant offspring. Fortunately, most mutations do
not survive.
> It
> can facilitate the promulgation of standards and products that support
> the information security requirements of the global information
> infrastructure.
More horsehockey. This is already happening, as you admit yourself in
discussing the fast spread of PGP and the inclusion of crypto in new IP
standards, without any help (and quite a bit of hindrance) from
restrictions on encryption.
> The governments of the OECD nations are working with
> the international business community to find specific approaches that
> are mutually agreeable.
Mutually agreeable to a few players, but by no means even a fair-size
minority of them.
Sorry to be harsh, but this is my privacy you're talking about.
PS: If, as you and the Administration suggest, GAK would be completely
voluntary (I won't even go into how this cannot be true, other than to
say that the criminally minded will simply opt out), then there is a
clear solution that requires no new regulations, no new laws, nothing at
all really. People can voluntarily surrender their crypto keys - the
exact effect of the current proposal if you believe all the pooh-poohing
and hype - quite easily *RIGHT NOW*. Anyone who wishes to voluntarily
"escrow" their keys for police and spy use can simply send the NSA and
the FBI a copy of their secret key and passphrase. It's really that simple.
I'm sure you'll laugh at this suggestion and say it's silly. And thereby
are you hoisted high by your own petard. Either this simple key surrender
system (which proposes precisely the same thing, in effect, as the
oh-so-voluntary Clipper and NIST "Commercial Key Escrow" GAK systems)
is sufficient, *or* you and NSA are either self-deluded or outright
lying about the nature and purpose of GAK. This is simply incontrovertible.
Either it's voluntary or it isn't. If it's voluntary, people can
volunteer to do it, no GAK needed. If it's not voluntary, then you need
something like GAK to force it on the public and the industry.
DISCLAIMER: This is a personal, not organizational, opinion, and does not
represent EFF statements or policies.
--
Stanton McCandlish
mech@eff.org
Electronic Frontier Foundation
Online Activist