[Report Cover]

                  [Header all report pages:
              May 30, 1996, Prepublication Copy
           Subject to Further Editorial Correction]

               Cryptography's Role in Securing
                   the Information Society

            Kenneth Dam and Herbert Lin, Editors

       Committee to Study National Cryptography Policy
        Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications

                  National Research Council

                   National Academy Press
                    Washington, D.C. 1996


NOTICE: The project that is the subject of this report was
approved by the Governing Board of the National Research
Council, whose members are drawn from the councils of the
National Academy of Sciences, the National Academy of
Engineering, and the Institute of Medicine. The members of the
committee responsible for the report were chosen for their
special competences and with regard for appropriate balance.

   This report has been reviewed by a group other than the
authors according to procedures approved by a Report Review
Committee consisting of members of the National Academy of
Sciences, the National Academy of Engineering, and the
Institute of Medicine.

   The National Academy of Sciences is a private, nonprofit,
self-perpetuating society of distinguished scholars engaged in
scientific and engineering research, dedicated to the
furtherance of science and technology and to their use for the
general welfare. Upon the authority of the charter granted to
it by the Congress in 1863, the Academy has a mandate that
requires it to advise the federal government on scientific and
technical matters. Dr. Bruce Alberts is president of the
National Academy of Sciences.

   The National Academy of Engineering was established in
1964, under the charter of the National Academy of Sciences,
as a parallel organization of outstanding engineers. It is
autonomous in its administration and in the selection of its
members, sharing with the National Academy of Sciences the
responsibility for advising the federal government. The
National Academy of Engineering also sponsors engineering
programs aimed at meeting national needs, encourages education
and research, and recognizes the superior achievements of
engineers. Dr. Harold Liebowitz is president of the National
Academy of Engineering.

   The Institute of Medicine was established in 1970 by the
National Academy of Sciences to secure the services of eminent
members of appropriate professions in the examination of
policy maKers pertaining to the health of the public. The
Institute acts under the responsibility given to the National
Academy of Sciences by its congressional charter to be an
adviser to the federal government and, upon its own
initiative, to identify issues of medical care, research, and
education. Dr. Kenneth I. Shine is president of the Institute
of Medicine.

   The National Research Council was organized by the National
Academy of Sciences in 1916 to associate the broad community
of science and technology with the Academy's purposes of
furthering knowledge and advising the federal government.
Functioning in accordance with general policies determined by
the Academy, the Council has become the principal operating
agency of both the National Academy of Sciences and the
National Academy of Engineering in providing services to the
government, the public, and the scientific and engineering
communities. The Council is administered jointly by both
Academies and the Institute of Medicine. Dr. Bruce Alberts and
Dr. Harold Liebowitz are chairman and vice chairman,
respectively, of the National Research Council.

   Support for this project was provided by the Department of
Defense (under contract number DASW01-94-C-0178) and the
National Institute of Standards and Technology (under contract
number 50SBNB4C8089). Any opinions, findings, conclusions, or
recommendations expressed in this material are those of the
authors and do not necessarily reflect the views of the

Library of Congress Catalog Number 96-68943 International
Standard Book Number 0-309-05475-3

Additional copies of this report are available from:

National Academy Press 2101 Constitution Avenue, NW Box 285
Washington, DC 20055 800/624-6242 202/334-3313 (in the
Washington Metropolitan Area)

Copyright 1996 by the National Academy of Sciences. All rights

Printed in the United States of America


                     COMMITTEE TO STUDY

KENNETH W. DAM, University of Chicago Law School, Chair
W.Y. SMITH, Institute for Defense Analyses (retired), Vice
LEE BOLLINGER, Dartmouth College
ANN CARACRISTI, National Security Agency (retired)
BENJAMIN CIVILETTI, Venable, Baetjer, Howard and Civiletti
SAMUEL H. FULLER, Digital Equipment Corporation
LESLIE H. GELB, Council on Foreign Relations
RONALD GRAHAM, AT&T Bell Laboratories
MARTIN HELLMAN, Stanford University
JULIUS KATZ, Hills & Company
PETER G. NEUMANN, SRI International
RAYMOND OZZIE, Iris Associates
EDWARD SCHMULTS, General Telephone and Electronics (retired)
ELLIOT M. STONE, Massachusetts Health Data Consortium


HERBERT S. LIN, Study Director and Senior Staff Officer
JOHN M. GODFREY, Research Associate
GAIL E. PRITCHARD, Project Assistant



WILLIAM A. WULF, University of Virginia, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
DAVID CLARK, Massachusetts Institute of Technology
JEFF DOZIER, University of California at Santa Barbara
HENRY FUCHS, University of North Carolina
CHARLES GESCHKE, Adobe Systems Incorporated
JAMES GRAY, Microsoft Corporation
BARBARA GROSZ, Harvard University
JURIS HARTMANIS, Cornell University
DEBORAH A. JOSEPH, University of Wisconsin
BUTLER W. LAMPSON, Microsoft Corporation
BARBARA LISKOV, Massachusetts Institute of Technology
JOHN MAJOR, Motorola
ROBERT L. MARTIN, AT&T Network Systems
DAVID G. MESSERSCHMITT, University of California at Berkeley
WILLIAM PRESS, Harvard University
CHARLES L. SEITZ, Myricom Incorporated
EDWARD SHORTLIFFE, Stanford University School of Medicine
LESLIE L. VADASZ, Intel Corporation

HERBERT S. LIN, Senior Staff Officer
PAUL D. SEMENZA, Staff Officer
JERRY R. SHEEHAN, Staff Officer
JEAN E. SMITH, Program Associate
JOHN M. GODFREY, Research Associate
LESLIE M. WADE, Research Assistant
GLORIA P. BEMAH, Administrative Assistant
GAIL E. PRITCHARD, Project Assistant



ROBERT J. HERMANN, United Technologies Corporation, Chair
PETER M. BANKS, Environmental Research Institute of Michigan
SYLVIA T. CEYER, Massachusetts Institute of Technology L.
LOUIS HEGEDUS, W.R. Grace and Company (retired)
JOHN E. HOPCROFT, Cornell University
RHONDA J. HUGHES, Bryn Mawr College
SHIRLEY A. JACKSON, U.S. Nuclear Regulatory Commission
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
KEN KENNEDY, Rice University
THOMAS A. PRINCE, California Institute of Technology
JEROME SACKS, National Institute of Statistical Sciences
L.E. SCRIVEN, University of Colorado
LEON T. SILVER, California Institute of Technology
CHARLES P. SLICHTER, University of Illinois at
ALVIN W. TRIVELPIECE, Oak Ridge National Laboratory
SHMUEL WINOGRAD, IBM T.J. Watson Research Center
CHARLES A. ZRAKET, MITRE Corporation (retired)

NORMAN METZGER, Executive Director




   For most of history, cryptography -- the art and science of
secret writing -- has belonged to governments concerned about
protecting their own secrets and about asserting their
prerogatives for access to information relevant to national
security and public safety. In the United States, cryptography
policy has reflected the U.S. government's needs for effective
cryptographic protection of classified and other sensitive
communications as well as its needs to gather intelligence for
national security purposes, needs that would be damaged by the
widespread use of cryptography. National security concerns
have motivated such actions as development of cryptographic
technologies, development of countermeasures to reverse the
effects of encryption, and control of cryptographic
technologies for export.

   In the last 20 years, a number of developments have brought
about what could be called the popularization of cryptography.
First, some industries -- notably financial services -- have
come to rely on encryption as an enabler of secure electronic
funds transfers. Second, other industries have developed an
interest in encryption for protection of proprietary and other
sensitive information. Third, the broadening use of computers
and computer networks has generalized the demand for
technologies to secure communications down to the level of
individual citizens and assure the privacy and security of
their electronic records and transmissions. Fourth, the
sharply increased use of wireless communications (e.g.,
cellular telephones) has highlighted the greater vulnerability
of such communications to unauthorized intercept as well as
the difficulty of detecting these intercepts.

   As a result, efforts have increased to develop encryption
systems for private sector use and to integrate encryption
with other information technology products. Interest has grown
in the commercial market for cryptographic technologies and
systems incorporating such technologies, and the nation has
witnessed a heightened debate over individual need for and
access to technologies to protect individual privacy.

   Still another consequence of the expectation of widespread
use of encryption is the emergence of law enforcement concerns
that parallel, on a civilian basis, some of the national
security concerns. Law enforcement officials fear that wide
dissemination of effective cryptographic technologies will
impede their efforts to collect information necessary for
pursuing criminal investigations. On the other side, civil
libertarians fear that controls on cryptographic technologies
will give government authorities both in the United States and
abroad unprecedented and unwarranted capabilities for
intrusion into the private lives of citizens.


   At the request of the U.S. Congress in November 1993, the
National Research Council's Computer Science and
Telecommunications Board (CSTB) formed the Committee to Study
National Cryptography Policy. In accordance with its
legislative charge (Box P.1), the committee undertook the
following tasks:

   + Framing the problem. What are the technology trends with
which national cryptography policy must keep pace? What is the
political environment? What are the significant changes in the
post-Cold War environment that call attention to the need for,
and should have an impact on, cryptography policy?

   + Understanding the underlying technology issues and their
expected development and impact on policy over time. What is
and is not possible with current cryptographic (and related)
technologies? How could these capabilities have an impact on
various U.S. interests?

   + Describing current cryptography policy. To the
committee's knowledge, there is no single document, classified
or unclassified, within the U.S. government that fully
describes national cryptography policy.

   + Articulating a framework for thinking about cryptography
policy. The interests affected by national cryptography policy
are multiple, varied, and related: they include personal
liberties and constitutional rights, the maintenance of public
order and national security, technology development, and U.S.
economic competitiveness and markets. At a minimum, policy
makers (and their critics) must understand how these interests
interrelate, although they may decide that one particular
policy configuration better serves the overall national
interest than does another.

   + Identifying a range offeasible policy options. The debate
over cryptography policy has been hampered by an incomplete
analysis and discussion of various policy options -- both
proponents of current policy and of alternative policies are
forced into debating positions in which it is difficult or
impossible to acknowledge that a competing view might have
some merit. This report attempts to discuss fairly the pros
and cons of a number of options.

   + Making recommendations regarding cryptography policy. No
cryptography policy will be stable for all time. That is, it
is unrealistic to imagine that this committee or any set of
policy makers could craft a policy that would not have to
evolve over time as the technological and political milieu
itself changes. Thus, the committee's recommendations are
framed in the context of a transition, from a world
characterized by slowly evolving technology, well-defined
enemies, and unquestioned U.S. technological, economic, and
geopolitical dominance to one characterized by rapidly
evolving technology, fuzzy lines between friend and foe, and
increasing technological, economic, and political
interdependencies between the United States and other nations
of the world.


 BOX P.1 Legislative Charge to the National Research Council

                     Public Law 103-160
       Defense Authorization Bill for fiscal Year 1994
                  Signed November 30, 1993


   (a)  Study by National Research Council. -- Not later than
90 days after the date of the enactment of this Act, the
Secretary of Defense shall request the National Research
Council of the National Academy of Sciences to conduct a
comprehensive study of cryptographic technologies and national
cryptography policy.

   (b)  Matters To Be Assessed in Study. -- The study shall

        (1)  the effect of cryptographic technologies on  --

             (A)  national security interests of the United
                  States Government
             (B)  law enforcement interests of the United
                  States Government
             (C)  commercial interests of United States
                  industry; and
             (D)  privacy interests of United States
                  citizens; and

        (2)  the effect on commercial interests of United
             States industry of export controls on
             cryptographic technologies.

   (c)  Interagency Cooperation With Study. -- The Secretary
   of Defense shall direct the National Security Agency, the
   Advanced Research Projects Agency, and other appropriate
   agencies of the Department of Defense to cooperate fully
   with the National Research Council in its activities in
   carrying out the study under this section. The Secretary
   shall request all other appropriate Federal departments and
   agencies to provide similar cooperation to the National
   Research Council.

   Given the diverse applications of cryptography, national
cryptography policy involves a very large number of important
issues. Important to national cryptography policy as well are
issues related to the deployment of a large-scale
infrastructure for cryptography and legislation and
regulations to support the widespread use of cryptography for
authentication and data integrity purposes (i.e., collateral
applications of cryptography), even though these issues have
not taken center stage in the policy debate.

   The committee focused its efforts primarily on issues
related to cryptography for confidentiality, because the
contentious problem that this committee was assembled to
address at the center of the public policy debate relates to
the use of cryptography in confidentiality applications. It
also addressed issues of cryptography policy related to
authentication and data integrity at a relatively high level,
casting its findings and recommendations in these areas in
fairly general terms. However, it notes that detailed
consideration of issues and policy options in these collateral
areas requires additional study at a level of detail and
thoroughness comparable to that of this report.

   In preparing this report, the committee reviewed and
synthesized relevant material from recent reports, took
written and oral testimony from government, industry, and
private individuals, reached out extensively to the affected
stakeholders to solicit input, and met seven times to discuss
the input from these sources as well as the independent
observations and findings of the committee members themselves.
In addition, this study built upon three prior efforts to
examine national cryptography policy: the Association for
Computing Machinery report *Codes, Keys, and Conflicts: Issues
in US. Crypto Policy*,(1) the Office of Technology Assessment
report *Information Security and Privacy in Network
Environments*,(2) and the JASON encryption study.(3) A number
of other examinations of cryptography and/or information
security policy were also important to the committee's


   (1)  Susan Landau et al., *Codes, Keys, and Conflicts:
Issues in U.S. Crypto Policy*, Association for Computing
Machinery Inc., New York, 1994.

   (2)  U.S. Congress, Office of Technology Assessment,
*Information Security and Privacy in Network Environments*,
OTA-TCT-606, U.S. Govemment Printing Office, Washington, D.C.,
September 1994.

   (3)  JASON Program Office, *JASON Encryption/Privacy
Study*, Report JSR-93-520 (unpublished), MITRE Corporation,
Reston, Va., August 18, 1993.

   (4)  These works include *Global Information
Infrastructure*, a joint report by the European Association of
Manufacturers of Business Machines and Information Technology
Industry, the U.S. Information Technology Industry Council,
and the Japan Electronic Industry Development Association
(EUROBIT-ITI-JEIDA), developed for the G-7 Summit on the
Global Information Society, Gll Tripartite Preparatory
Meeting, January 26-27, 1995, Brussels; the U.S. Council for
International Business statement titled "Business Requirements
for Encryption," October 10, 1994, New York; and the
International Chamber of Commerce position paper
"International Encryption Policy," Document No. 373/202 Rev.
and No. 373-30/9 Rev., Paris, undated. Important source
documents can be found in Lance J. Hoffman (ed.), *Building in
Big Brother*, SpringerVerlag, New York, 1995; and in the
cryptography policy source books published annually by the
Electronic Privacy Information Center in Washington, D.C.

                   WHAT THIS REPORT IS NOT

   The subject of national cryptography policy is quite
complex, as it figures importantly in many areas of national
interest. To keep the project manageable within the time,
resources, and expertise available, the committee chose not to
address in detail a number of issues that arose with some
nontrivial frequency during the course of its study.

   + This report is not a comprehensive study of the grand
trade-offs that might be made in other dimensions of national
policy to compensate for changes in cryptography policy. For
example, this report does not address matters such as relaxing
exclusionary rules that govern the court admissibility of
evidence or installing video cameras in every police helmet as
part of a package that also eliminates restrictions on
cryptography, though such packages are in principle possible.
Similarly, it does not address options such as increasing the
budget for counterterrorist operations as a quid pro quo for
relaxations on export controls of cryptography. The report
does provide information that would help to assess the impact
of various approaches to cryptography policy, although how
that impact should be weighed against the impact of policies
related to other areas is outside the scope of this study and
the expertise of the committee assembled for it.

   + This report is not a study on the future of the National
Security Agency (NSA) in the post-Cold War era. A
determination of what missions the NSA should be pursuing
and/or how it should pursue those missions was not in the
committee's charge. The report does touch lightly on
technological trends that affect the ability to undertake the
missions to which cryptography is relevant, but only to the
extent necessary to frame the cryptography issue.

   At the same time, this report does address certain
conditions of the political, social, and technological
environment that will affect the answers that anyone would
formulate to these questions, such as the potential impact on
policy of a world that offers many users the possibilities of
secure communications.

   + This report is not a study of computer and communications
security, although of course cryptography is a key element of
such security. Even the strongest cryptography is not very
useful unless it is part of a secure *system*, and those
responsible for security must be concerned about everything
from the trustworthiness of individuals writing the computer
programs to be used to the physical security of terminals used
to access the system. A report that addressed system
dimensions of computer security was the National Research
Council report *Computers at Risk*,(5) this current study
draws on that report and others to the extent relevant for its
analysis, findings, and conclusions about cryptography policy.

   + This report is not a study of the many patent disputes
that have arisen with respect to national cryptography policy
in the past several years. While such disputes may well be a
sign that the various holders expect cryptography to assume
substantial commercial importance in the next several years,
such disputes are in principle resolvable by the U.S.
Congress, which could simply legislate ownership by eminent
domain or by requiring compulsory licensing. Moreover, since
many of the key patents will expire in any case in the
relatively near future (i.e., before any infrastructure that
uses them becomes widely deployed), the issue will become moot
in any case.

   + This report is not exclusively a study of national policy
associated with the Clipper chip. While the Clipper chip has
received the lion's share of press and notoriety in the past
few years, the issues that this study was chartered to address
go far beyond those associated simply with the Clipper chip.
This study addresses the larger context and picture of which
the Clipper chip is only one part.


   (5)  Computer Science and Telecommunications Board,
National Research Council, *Computers at Risk: Safe Computing
in the Information Age*, National Academy Press, Washington,
D.C., 1991.



             For most of history, the science and technologies
associated with cryptography have been the purview of national
governments and/or heads of state. It is only in the last 25
years that cryptographic expertise has begun to diffuse into
the nongovernment world. Thus, it is not surprising that much
of the basis and rationale underlying national cryptography
policy has been and continues to be highly classified. Indeed,
in a 1982 article. then-Deputy Director of the Central
Intelligence Agency Bobby R. Imnan wrote that

   [o]ne sometimes hears the view that publication should not
   be restrained because "the government has not made its
   case," almost always referring to the absence of specific
   detail for public consumption. This reasoning is circular
   and unreasonable. It stems from a basic attitude that the
   government and its public servants cannot be trusted.
   Specific details about why information must be protected
   are more often than not even more sensitive than the basic
   technical information itself. Publishing examples, reasons
   and associated details would certainly damage the nation's
   interests. Public review and discussion of classified
   information which supports decisions is not feasible or

   Secrecy is a two-edged sword for a democratic nation -- on
the one hand, secrecy has a legitimate basis in those
situations in which fundamental national interests are at
stake (e.g., the preservation of American lives during
wartime). Moreover, the history of intelligence reveals many
instances in which the revelation of a secret, whether
intentional or inadvertent, has led to the compromise of an
information source or the loss qf a key battle.(7)

   On the other hand, secrecy has sometimes been used to
stifle public debate and conceal poorly conceived and
ill-informed national policies, and mistrust is therefore
quite common among many responsible critics of government
policy. A common refrain by defenders of policies whose
origins and rationales are secret is that "if you knew what we
knew, you would agree with us." Such a position may be true or
false, but it clearly does not provide much reassurance for
those not privy to those secrets for one very simple reason:
those who fear that government is hiding poorly-conceived
policies behind a wall of secrecy are not likely to trust the
government, yet in the absence of a substantive argument being
called for, the government's claim is essentially a plea for

   In pursuing this study, the committee has adopted the
position that some secrets are still legitimate in today's
global environment, but that its role is to illuminate as much
as possible without compromising those legitimate interests.
Thus, the committee has tried to act as a surrogate for
well-intentioned and well-meaning people who fear that the
worst is hiding behind the wall of secrecy -- it has tried to
ask the questions that these people would have asked if they
could have done so. Public Law 103-160 called for all defense
agencies, including the National Security Agency, to cooperate
fully with the National Research Council in this study.

   For obvious reasons, the committee cannot determine if it
did not hear a particular piece of information because an
agency withheld that information or because that piece of
information simply did not exist. But for a number of reasons,
the committee believes that to the best of its knowledge, the
relevant agencies have complied with Public Law 103-160 and
other agencies have cooperated with the committee. One
important reason is that several members of the committee have
had extensive experience (on a classified basis) with the
relevant agencies, and these members heard nothing in the
briefings held for the committee that was inconsistent with
that experience. A second reason is that these agencies had
every motivation and self-interest to make the best possible
case for their respective positions on the issues before the
committee. Thus, on the basis of agency assurances that the
cornrnittee has indeed received all inforrnation relevant to
the issue at hand, they cannot plausibly argue that "if the
committee knew what Agency X knew, it would agree with Agency
X's position."

   This unclassified report does not have a classified annex,
nor is there a classified version of it. After receiving a
number of classified briefings on material relevant to the
subject of this study, the fully cleared members of the
committee (13 out of the total of 16) agree that these
details, while necessarily important to policy makers who need
to decide tomorrow what to do in a specific case, are not
particularly relevant to the larger issues of why policy has
the shape and texture that it does today nor to the general
outline of how technology will and policy should evolve in the
future. For example, the committee was briefed on certain
intelligence activities of various nations. Policy makers care
that the activities of nation X (a friendly nation) fall into
certain categories and that those of nation Y (an unfriendly
nation) fall into other categories, because they must craft a
policy toward nation X in one way and one toward nation Y in
another way. But for analytical purposes, the exact names of
the nations involved are much less relevant than the fact that
there will always be nations friendly and unfriendly to the
United States. Committee members are prepared to respond on a
classified basis if necessary to critiques and questions that
involve classified material.(8)

   As for the time line of this study, the committee was
acutely aware of the speed with which the market and product
technologies evolve. The legislation called for a study to be
delivered within 2 years after the full processing of all
necessary security clearances, and the study committee
accelerated its work schedule to deliver a report in 18 months
from its first meeting (and only 13 months from the final
granting of the last clearance). The delivery date of this
study was affected by the fact that the contract to fund this
study was signed by the Department of Defense on September 30,


   (6)  Bobby Inman, "Classifying Science: A Government
Proposal ... ," *Aviation Week and Space Technology*, February
8, 1982, p. 10.

   (7)  For example, following press reports of deciphered
Libyan messages before and after a bombing in West Berlin in
which an American soldier died, Libya changed its
communications codes. A senior American official was quoted as
saying that the subsequent Libyan purchase of advanced
cryptographic equipment from a Swiss firm was "one of the
prices [the United States is] paying for having revealed, in
order to marshal support of our allies and public opinion,
that intercepted communications traffic provided evidence that
Libya was behind the bombing of the Berlin disco." See
"Libyans Buy Message-Coding Equipment," *Washington Post*,
April 22, 1986, p. A-8.

   (8)   The point of contact within the National Research
Council for such inquiries is the Computer Science and
Telecommunications Board, National Research Council, 2101
Constitution Avenue, N.W., Washington, D.C. Telephone
202-334-2605 or e-mail CSTB@NAS.EDU.


                    A NOTE FROM THE CHAIR

   The title of this report is *Cryptography's Role in
Securing the Information Society*. The committee chose this
title as one best describing our inquiry and report -- that
is, the committee has tried to focus on the role that
cryptography, as one of a number of tools and technologies,
can play in providing security for an information age society
through, among other means, preventing computer-enabled crimes
and enhancing national security. At the same time, the
committee is not unaware of the acronym for this report --
CRISIS -- and it believes that the acronym is apt.

   From my own standpoint as chair of the NRC Committee to
Study National Cryptography Policy, I believe that the crisis
is a policy crisis, rather than a technology crisis, an
industry crisis, a law enforcement crisis, or an
intelligence-gathering crisis.

   It is not a technology crisis because technologies have
always been two-edged swords. All technologies -- cryptography
included can be used for good or for ill. They can be used to
serve society or to harm it, and cryptography will no doubt be
used for both purposes by different groups. Public policy will
determine in large measure not just the net balance of benefit
and loss but also how much benefit will be derived from
constructive uses of this remarkable technology.

   It is not an industry crisis, nor a law enforcement crisis,
nor an intelligence-gathering crisis, because industry, law
enforcement, and the intelligence establishment have all had
to cope with rapid technological change, and for the most part
the vitality of these enterprises within the nation is a
testament to their successes in so coping.

   But a policy crisis is upon the nation. In the face of an
inevitably growing use of cryptography, our society, acting as
it must through our government as informed by the manifold
forums of our free private processes, has been unable to
develop a consensus behind a coherent national cryptography
policy, neither within its own ranks nor with the private
stakeholders throughout society -- the software industry,
those concerned with computer security, the civil liberties
community, and so on. Indeed, the committee could not even
find a clear written statement of national cryptography policy
that went beyond some very general statements.

   To be sure, a number of Administration proposals have seen
the light of day. The best known of these proposals, the
Clipper initiative, was an honest attempt to address some of
the issues underlying national cryptography policy, but one of
its primary effects was to polarize rather than bring together
the various stakeholders, both public and private. On the
other hand, it did raise public awareness of the issue. In
retrospect, many Administration officials have wished that the
discourse on national cryptography policy could have unfolded
differently, but in fairness we recognize that the
government's task is not easy in view of the deep cleavages of
interest reviewed in this report. In this context, we
therefore saw it as our task, commanded by our statutory
charge, to analyze the underlying reasons for this policy
crisis and the interests at stake, and then to propose an
intelligent, workable and acceptable policy.

   The Committee to Study National Cryptography Policy is a
group of 16 individuals with very diverse backgrounds, a broad
range of expertise, and differing perspectives on the subject.
The committee included individuals with extensive government
service and also individuals with considerable skepticism
about and suspicion of government; persons with great
technical expertise in computers, communications, and
cryptography; and persons with considerable experience in law
enforcement, intelligence, civil liberties, national security,
diplomacy, international trade, and other fields relevant to
the formation of policy in this area. Committee members were
drawn from industry, including telecommunications and computer
hardware and software, and from users of cryptography in the
for-profit and not-for-profit sectors; serving as well were
academics and think-tank experts.(9) The committee was by
design highly heterogeneous, a characteristic intended to
promote discussion and synergy among its members.

   At first, we wondered whether these different perspectives
would allow us to talk among ourselves at all, let alone come
to agreement. But the committee worked hard. The full
committee met for a total of 23 days in which we received
briefings and argued various points; ad hoc subcommittees
attended a dozen or so additional meetings to receive even
more briefings; members of the committee and staff held a
number of open sessions in which testimony from the interested
public was sought and received (including a very well attended
session at the Fifth Annual Conference on Computers, Freedom,
and Privacy in San Francisco in early 1995 and an open session
in Washington, D.C., in April 1995); and the committee
reviewed nearly a hundred e-mail messages sent in response to
its Internet call for input. The opportunity to receive not
only written materials but also oral briefings from a number
of government agencies, vendors, trade associations, and
assorted experts, as well as to participate in the first-ever
cryptography policy meeting of the Organization for Economic
Cooperation and Development and of its Business Industry
Advisory Council, provided the occasion for extended
give-and-take discussions with government officials and
private stakeholders.

   Out of this extended dialogue, we found that coming to a
consensus among ourselves -- while difficult -- was not
impossible. The nature of a consensus position is that it is
invariably somewhat different from a position developed,
framed, and written by any one committee member, particularly
before our dialogue and without comments from other committee
members. Our consensus is a result of the extended learning
and interaction process through which we lived rather than any
conscious effort to compromise or to paper over differences.
The committee stands fully behind its analysis, findings, and

   We believe that our report makes some reasonable proposals
for national cryptography policy. But a proposal is just that
-- a proposal for action. What is needed now is a public
debate, using and not sidestepping the full processes of
government, leading to a judicious resolution of pressing
cryptography policy issues and including, on some important
points, legislative action. Only in this manner will the
policy crisis come to a satisfactory and stable resolution.


   (9)   Note that the committee was quite aware of potential
financial conflicts of interest among several of its members.
In accordance with established National Research Council
procedures, these potential financial conflicts of interest
were thoroughly discussed by the committee; no one with a
direct and substantial financial stake in the outcome of the
report served on the committee.



   The full list of individuals (except for those who
explicitly requested anonymity) who provided input to the
cornmittee and the study project is contained in Appendix A.
However, a number of individuals deserve special mention.
Michael Nelson, Office of Science and Technology Policy, kept
us informed about the evolution of Administration policy.
Dorothy Denning of Georgetown University provided many useful
papers concerning the law enforcement perspective on
cryptography policy. Clinton Brooks and Ron Lee from the
National Security Agency and Ed Roback and Raymond Kammer from
the National Institute of Standards and Technology acted as
agency liaisons for the committee, arranging briefings and
providing other information. Marc Rotenberg from the
Electronic Privacy Information Center and John Gilmore from
Cygnus Support provided continuing input on a number of
subjects as well as documents released under Freedom of
Inforrnation Act requests. Rebecca Gould from the Business
Software Alliance, Steve Walker from Trusted Information
Systems, and Ollie Smoot from the Information Technology
Industry Council kept the committee informed from the business
perspective. Finally, the committee particularly acknowledges
the literally hundreds of suggestions and criticisms provided
by the reviewers of an early draft of this report. Those
inputs helped the committee to sharpen its message and
strengthen its presentation, but of course the content of the
report is the responsibility of the committee.

   The committee also received a high level of support from
the Nationai Research Council. Working with the Special
Security Office of the Office of Naval Research, Kevin Hale
and Kimberly Striker of the NRC's National Security Office had
the complex task of facilitating the prompt processing of
security clearances necessary to complete this study in a
timely manner and otherwise managing these security
clearances. Susan Maurizi worked under tight time constraints
to provide editorial assistance. Acting as primary staff for
the committee were Marjory Blumenthal, John Godfrey, Frank
Pittelli, Gail Pritchard, and Herb Lin. Marjory Blumenthal
directs the Computer Science and Telecommunications Board, the
program unit within the National Research Council to which
this congressional tasking was assigned. She sat with the
committee during the great majority of its meetings, providing
not only essential insight into the NRC process but also an
indispensable long-term perspective on how this report could
build on other CSTB work, most notably the 1991 NRC report
*Computers at Risk*. John Godfrey, research associate for
CSTB, was responsible for developing most of the factual
material in most of the appendixes as well as for tracking
down hundreds of loose ends, his prior work on a previous NRC
report on standards also provided an important point of
departure for the committee's discussion on standards as they
apply to cryptography policy. Frank Pittelli is a consultant
to CSTB, whose prior experience in computer and information
security was invaluable in framing a discussion of technical
issues in cryptography policy. Gail Pritchard, project
assistant for CSTB, handled logistical matters for the
committee with the utmost skill and patience as well as
providing some research support to the committee. Finally,
Herb Lin, senior staff officer for CSTB and study director on
this project, arranged briefings, crafted meeting agendas, and
turned the thoughts of committee members into drafts and then
report text. It is fair to say that this study could not have
been carried out nor this report written, especially on our
accelerated schedule, without his prodigious energy and his
extraordinary talents as study director, committee
coordinator, writer, and editor.

Kenneth Dam, Chair
Committee to Study National Cryptography Policy

Chicago, Illinois
March 29, 1996

A Channel for Feedback

   CSTB will be glad to receive comments on this report.
Please send them via Internet e-mail to CRYPTO@NAS.EDU, or via
regular mail to CSTB, National Research Council. 2101
Constitution Avenue NW, Washington, DC 20418.

[End Preface]




   Charge of the Committee to Study National Cryptography
   What This Report Is Not
   On Secrecy and Report Time Line
   A Note from the Chair





   1.1  The Technology Context of the Information Age

   1.2  Transitions to an Information Society--Increasing
        Interconnections and Interdependence

   1.3  Coping with Information Vulnerability

   1.4  The Business and Economic Perspective

        1.4.1  Protecting Important Business Information
        1.4.2  Ensuring the Nation's Ability to Exploit
               Global Markets

   1.5  Individual and Personal Interests in Privacy

        1.5.1  Privacy in an Information Economy
        1.5.2  Privacy for Citizens

   1.6  Special Needs of Government

   1.7  Recap


   2.1  Cryptography in Context

   2.2  What Is Cryptography and What Can It Do?

   2.3  How Cryptography Fits into the Big Security Picture

        2.3.1  Technical Factors Inhibiting Access to
        2.3.2  Factors Facilitating Access to Information

   2.4  The Market for Cryptography

        2.4.1  The Demand Side of the Cryptography Market
        2.4.2  The Supply Side of the Cryptography Market

   2.5  Infrastructure for Widespread Use of Cryptography

        2.5.1  Key Management Infrastructure
        2.5.2  Certificate Infrastructures

   2.6 Recap


   3.1  Terminology

   3.2  Law Enforcement: Investigation and Prosecution

        3.2.1  The Value of Access to Information for Law
        3.2.2  The Legal Framework Governing Surveillance
        3.2.3  The Nature of Surveillance Needs of Law
        3.2.4  The Impact of Cryptography and New Media on
               Law Enforcement (Stored and Communicated Data)

   3.3  National Security and Signals Intelligence

        3.3.1  The Value of Signals Intelligence
        3.3.2  The Impact of Cryptography on SIGINT

   3.4  Similarities and Differences Between Foreign
        Policy/National Security and Law Enforcement Needs for
        Communications Monitoring

        3.4.1  Similarities
        3.4.2  Differences

   3.5  Business and Individual Needs for Exceptional Access
        to Protected Information

   3.6  Other Types of Exceptional Access to Protected

   3.7  Recap



   4.1  Brief Description of Current Export Controls

        4.1.1  The Rationale for Export Controls
        4.1.2  General Description
        4.1.3  Discussion of Current Licensing Practices

   4.2  Effectiveness of Export Controls on Cryptography

   4.3  The Impact of Export Controls on U.S. Information
        Technology Vendors

        4.3.1  De Facto Restrictions on the Domestic
               Availability of Cryptography
        4.3.2  Regulatory Uncertainty Related to Export
        4.3.3  The Size of the Affected Market for
        4.3.4  Inhibiting Vendor Responses to User Needs

   4.4  The Impact of Export Controls on U.S. Economic and
        National Security Interests

        4.4.1  Direct Economic Harm to U.S. Businesses
        4.4.2  Damage to U.S. Leadership in Information

   4.5  The Mismatch Between the Perceptions of Government/
        National Security and Those of Vendors

   4.6  Export of Technical Data

   4.7  Foreign Policy Considerations

   4.8  Technology-Policy Mismatches

   4.9  Recap


   5.1  What Is Escrowed Encryption?

   5.2  Administration Initiatives Supporting Escrowed

        5.2.1  The Clipper Initiative and the Escrowed
               Encryption Standard
        5.2.2  The Capstone/Forteza (sic) Initiative
        5.2.3  The Relaxation of Export Controls on Software
               Products Using "Properly Escrowed" 64-bit
        5.2.4  Other Federal Initiatives in Escrowed

   5.3  Other Approaches to Escrowed Encryption

   5.4  The Impact of Escrowed Encryption on Information

   5.5  The Impact of Escrowed Encryption on Law Enforcement

        5.5.1  Balance of Crime Enabled vs. Crime Prosecuted
        5.5.2  Impact on Law Enforcement Access to

   5.6  Mandatory vs. Voluntary Use of Escrowed Encryption

   5.7  Process Through Which Policy on Escrowed Encryption
        Was Developed

   5.8  Affiliation and Number of Escrow Agents

   5.9  Responsibilities and Obligations of Escrow Agents and
        Users of Escrowed Encryption

        5.9.1  Partitioning Escrowed Information
        5.9.2  Operational Responsibilities of Escrow Agents
        5.9.3  Liabilities of Escrow Agents

   5.10 The Role of Secrecy in Ensuring Product Security

        5.10.1 Algorithm Secrecy
        5.10.2 Product Design and Implementation Secrecy

   5.11 The Hardware/Software Choice in Product Implementation

   5.12 Responsibility for Generation of Unit Keys

   5.13 Issues Related to the Administration Proposal to
        Exempt 64-bit Escrowed Encryption in Software

        5.13.1 The Definition of "Proper Escrowing"
        5.13.2 The Proposed Limitation of Key Lengths to 64
               Bits or Less

   5.14 Recap


   6.1  The Communications Assistance for Law Enforcement Act

        6.1.1  Brief Description of and Stated Rationale for
               the CALEA
        6.1.2  Reducing Resource Requirements for Wiretaps
        6.1.3  Obtaining Access to Digital Streams in the
        6.1.4  The CALEA Exemption of Information Service
               Providers and Distinctions Between Voice and
               Data Services

   6.2  Other Levers Used in National Cryptography Policy

        6.2.1  Federal Information Processing Standards
        6.2.2  The Government Procurement Process
        6.2.3  Implementation of Policy: Fear, Uncertainty,
               Doubt, Delay, Complexity
        6.2.4  R&D Funding
        6.2.5  Patents and Intellectual Property
        6.2.6  Formal and Informal Arrangements with Various
               Other Governments and Organizations
        6.2.7  Certification and Evaluation
        6.2.8  Nonstatutory Influence
        6.2.9  Interagency Agreements Within the Executive

   6.3  Organization of the Federal Government with Respect to
        Information Security

        6.3.1  Role of National Security vis-a-vis Civilian
               Information Infrastructures
        6.3.2  Other Government Entities with Influence on
               Information Security

   6.4  International Dimensions of Cryptography Policy

   6.5  Recap



   7.1  Export Control Options for Cryptography

        7.1.1  Dimensions of Choice for Controlling the
               Exportof Cryptography
        7.1.2  Complete Elimination of Export Controls on
        7.1.3  Transferral of All Cryptography Products to
               the Commerce Control List
        7.1.4  End-use Certification
        7.1.5  Nation-by-Nation Relaxation of Controls and
               Harmonization of U.S. Export Control Policy on
               Cryptography with Export/Import Policies of
               Other Nations
        7.1.6  Liberal Export for Strong Cryptography with
               Weak Defaults
        7.1.7  Liberal Export for Cryptographic Applications
               Programming Interfaces
        7.1.8  Liberal Export for Escrowable Products with
               Encryption Capabilities
        7.1.9  Alternatives to Government Certification of
               Escrow Agents Abroad
        7.1.10 Use of Differential Work Factors in
        7.1.11 Separation of Cryptography from Other Items on
               the U.S. Munitions List

   7.2  Alternatives for Providing Government Exceptional
        Access to Encrypted Data

        7.2.1  A Prohibition of the Use and Sale of
               Cryptography Lacking Features for Exceptional
        7.2.2  Criminalization of the Use of Cryptography in
               the Commission of a Crime
        7.2.3  Technical Non-Escrow Approaches for Obtaining
               Access to Information
        7.2.4  Network-based Encryption
        7.2.5  Distinguishing Between Encrypted Voice and
               Data Communications Services for Exceptional
        7.2.6  A Centralized Decryption Facility for
               Government Exceptional Access

   7.3  Looming Issues

        7.3.1  The Adequacy of Various Levels of Encryption
               Against High-Quality Attack
        7.3.2  Organizing the U.S. Government for Better
               Information Security on a National Basis

   7.4  Recap


   8.1  Synthesis and Findings

        8.1.1  The Problem of Information Vulnerability
        8.1.2  Cryptographic Solutions to Information
        8.1.3  The Policy Dilemma Posed by Cryptography
        8.1.4  National Cryptography Policy for the
               Information Age

   8.2  Recommendations

   8.3  Additional Work Needed

   8.4  Conclusion


A  Contributors to the NRC Project on National Cryptography

B  Glossary

C  A Brief Primer on Cryptography

D  An Overview of Electronic Surveillance: History and Current

E  A Brief History of Cryptography Policy

F  A Brief Primer on Intelligence

G  The International Scope of Cryptography Policy

H  Summary of Important Requirements for a Public-Key

I  Industry-Specific Dimensions of Security

J  Examples of Risks Posed by Unprotected Information

K  Cryptographic Applications Programming Interfaces

L  Laws, Regulations, and Documents Relevant to Cryptography

M  Other Looming Issues Related to Cryptography Policy

N  Federal Information Processing Standards

[End Contents]


                      Executive Summary

   In an age of explosive worldwide growth of electronic data
storage and communications, many vital national interests
require the effective protection of information. When used in
conjunction with other approaches to information security,
cryptography is a very powerful tool for protecting
information. Consequently, current U.S. policy should be
changed to promote and encourage the widespread use of
cryptography for the protection of the information interests
of individuals, businesses, government agencies, and the
nation as a whole, while respecting legitimate national needs
of law enforcement and intelligence for national security and
foreign policy purposes to the extent consistent with good
information protection.

                     BASIC POLICY ISSUES

              The Information Security Problem

   Today's information age requires U.S. businesses to compete
on a worldwide basis, sharing sensitive information with
appropriate parties while protecting that information against
competitors, vandals, suppliers, customers, and foreign
governments (Box ES.1). Private law-abiding citizens dislike
the ease with which personal telephone calls can be tapped,
especially those carried on cellular or cordless telephones.
Elements of the U.S. civilian infrastructure such as the
banking system, the electric power grid, the public switched
telecommunications network, and the air traffic control system
are central to so many dimensions of modern life that
protecting these elements must have a high priority. The
federal government has an important stake in assuring that its
important and sensitive political, economic, law enforcement,
and military information, both classified and unclassified, is
protected from foreign governments or other parties whose
interests are hostile to those of the United States.


   BOX ES.I The Foreign Threat to U.S. Business Ineerests

   Of the wide variety of information risks facing U.S.
companies operating internationally, those resulting from
electronic vulnerabilities appear to be the most significant.
The National Counterintelligence Center (NACIC). an arm of the
U.S. intelligence community established in 1994 by
presidential directive, concluded that "specialized technical
operations (including computer intrusions, telecommunications
targeting and intercept, and private-sector encryption
weaknesses) account for the largest portion of economic and
industrial information lost by U.S. corporations."
Specifically, the NACIC noted that

   [b]ecause they are so easily accessed and intercepted,
   corporate telecommunications --particularly international
   telecommunications -- provide a highly vulnerable and
   lucrative source for anyone interested in obtaining trade
   secrets or competitive information. Because of the
   increased usage of these links for bulk computer data
   transmission and electronic mail, intelligence collectors
   find telecommunications intercepts cost-effective. For
   example, foreign intelligence collectors intercept
   facsimile transmissions through government-owned telephone
   companies, and the stakes are large -- approximately half
   of all overseas telecommunications are facsimile
   transmissions. Innovative "hackers" connected to computers
   containing competitive information evade the controls and
   access companies' information. In addition, many American
   companies have begun using electronic data interchange, a
   system of transferring corporate bidding, invoice, and
   pricing data electronically overseas. Many foreign
   government and corporate intelligence collectors find this
   information invaluable.


SOURCE: National Counterintelligence Center, Annual Report
to Congress on Foreign Economic Collection and Industrial
Espionage, July 1995, pages 16-17.


 Cryptographic Dimensions of Information Security Solutions

   Information vulnerabilities cannot be eliminated through
the use of any single tool. For example, it is impossible to
prevent with technical means a party authorized to view
information from improperly disclosing that information to
someone else. However, as part of a comprehensive approach to
addressing information vulnerabilities, cryptography is a
powerful tool that can help to assure the confidentiality and
integrity of information in transit and in storage and to
authenticate the asserted identity of individuals and computer
systems. Information that has been properly encrypted cannot
be understood or interpreted by those lacking the appropriate
cryptographic "key"; information that has been integrity-
checked cannot be altered without detection. Properly
authenticated identities can help to restrict access to
information resources to those properly authorized individuals
and to take fuller advantage of audit trails to track down
parties who have abused their authorized access.

       Law Enforcement and National Security Dilemmas
                    Posed by Cryptography

   For both law enforcement and national security,
cryptography is a two-edged sword. The public debate has
tended to draw lines that frame the policy issues as the
privacy of individuals and businesses against the needs of
national security and law enforcement. While such a dichotomy
does have a kernel of truth, when viewed in the large, this
dichotomy is misleading. If cryptography can protect the trade
secrets and proprietary information of businesses and thereby
reduce economic espionage (which it can), it also supports in
a most important manner the job of law enforcement. If
cryptography can help protect nationally critical information
systems and networks against unauthorized penetration (which
it can), it also supports the national security of the United
States. Framing discussion about national cryptography policy
in this larger law enforcement and national security context
would help to reduce some of the polarization among the
relevant stakeholders.

   On the other hand, cryptography intended primarily to
maintain the confidentiality of information that is available
to the general public for legitimate purposes such as
defending against information theft is also available for
illegitimate purposes such as terrorism. Encryption thus does
poses a threat to the capability that law enforcement
authorities may seek under appropriate legal authorization to
gain access to information for the purpose of investigating
and prosecuting criminal activity. Encryption also poses a
threat to intelligence gathering for national security and
foreign policy purposes, an activity that depends on access to
information of foreign governments and other foreign entities.

   Note that other applications of cryptography -- for
purposes of assuring data integrity and authenticating
identities of users and computer systems -- do not pose
dilemmas for law enforcement and national security in the same
way that confidentiality does.

    National Cryptography Policy for the Information Age

   For many years, concern over foreign threats to national
security has been the primary driver of a national
cryptography policy that has sought to maximize the protection
of U.S. military and diplomatic communications while denying
the confidentiality benefits of cryptography to foreign
adversaries through the use of export controls on cryptography
and related technical data. More recently, the U.S. government
has aggressively promoted the domestic use of a certain kind
of cryptography escrowed encryption -- that would provide
strong protection for legitimate uses but would permit legally
authorized access by law enforcement officials when authorized
by law. Today, these and other dimensions of current national
cryptography policy generate considerable controversy.

   All of the various stakes are legitimate: privacy for
individuals, protection of sensitive or proprietary
information for businesses, ensuring the continuing
reliability and integrity of nationally critical information
systems and networks, law enforcement access to stored and
communicated information for purposes of investigating and
prosecuting crime, and national security access to information
stored or communicated by foreign powers or other entities and
organizations whose interests and intentions are relevant to
the national security and the foreign policy interests of the
United States. Informed public discussion of the issues must
begin by acknowledging the legitimacy both of information
gathering for law enforcement and national security purposes
and of information security for law-abiding individuals and

   The conduct of the debate regarding national cryptography
policy has been complicated because a number of participants
have often invoked classified information that cannot be made
public. However, the cleared members of the National Research
Council's Committee to Study National Cryptography Policy (13
of the 16 committee members) concluded that *the debate over
national cryptography policy can be carried out in a
reasonable manner on an unclassified basis*. Classified
material is often important to operational matters in specific
cases, but it is neither essential to the big picture of why
cryptography policy is the way it is nor required for the
general outline of how technology will and policy should
evolve in the future.

   The problems of information vulnerability, the legitimacy
of the various national interests described above, and trends
such as those outlined in Box ES.2 point to the need for a
concerted effort to protect vital information assets of the
United States. Cryptography is one important element of a
comprehensive U.S. policy for better information security.

   The committee believes that *U.S. national policy should be
changed to support the broad use of cryptography in ways that
take into account competing U.S. needs and desires for
individual privacy, international economic competitiveness,
law enforcement, national security, and world leadership*.
Because cryptography is an important tool for protecting
information and because it is very difficult for governments
to control, the committee believes that the widespread
nongovernment use of cryptography in the United States and
abroad is inevitable in the long run. Accordingly, the proper
role of national cryptography policy is to facilitate a
judicious transition between today's world of high information
vulnerability and a future world of greater information
security, while to the extent possible meeting the legitimate
needs of law enforcement and information gathering for
national security and foreign policy purposes.

   The committee found that *current national cryptography
policy is not adequate to support the information security
requirements of an information society*. Indeed, current
policy discourages the use of cryptography, whether
intentionally or not, and in so doing impedes the ability of
the nation to use cryptographic tools that would help to
remediate certain important vulnerabilities. National
cryptography policy should support three objectives:

   1.   Broad availability of cryptography to all legitimate
        elements of U.S. society;

   2.   Continued economic growth and leadership of key U.S.
        industries and businesses in an increasingly global
        economy, including but not limited to U.S. computer,
        software, and communications companies; and

   3.   Public safety and protection against foreign and
        domestic threats.

   Objectives 1 and 2 argue for a policy that places few
government restrictions on the use of cryptography and
actively promotes the use of cryptography on a broad front.
Objective 3 argues that some kind of government policy role in
the deployment and use of cryptography for confidentiality may
continue to be necessary for public safety and national
security reasons. These three objectives can be met within a
framework recognizing that *on balance, the advantages of more
widespread use of cryptography outweigh the disadvantages*.


       BOX ES.2 The Past and Future World Environment

Past                          Future Trends
_______________________       _________________________________
Computing and                 Computer and information
communications networks       acquisition, retrieval and
were expensive and            processing are inexpensive and
rare.                         ubiquitious. Rapid growth is
                              evident in the development and
                              deployment of diverse technology-
                              based services.

Communications networks       Communications networks are
were analog and voice         digital and oriented toward video
oriented;                     and data trasnmissions.
communications made           Communications made heavy use of
heavy use of dedicated        shared infrastructure and
lines.                        media (e.g., satellites,
                              wireless). Passive eavesdropping
                              is thus harder to detect.

Telecommunications was        Telecommunications involves a
controlled by a small         large number of players.
number of players.

The U.S. economy was          The U.S. economy is important but
unquestionably dominant       not dominant in the world, and it
in the world.                 is increasingly interlinked with
                              allies, customers, suppliers,
                              vendors, and competitors all over
                              the world.

The economy was               The economy is oriented toward
oriented toward               information and services.
material production.

The security threat was       Security threats are much more
relatively homogeneous        heterogeneous than in the Cold
(Soviet Union and Cold        War, both in origin and in
War).                         nature.

Cryptography was used         Cryptography has important
primarily for military        applications throughout all
and diplomatic                aspects of society.
purposes. Government          Nongovernmental entities have
had a relative monopoly       significant expertise and
on cryptographic              capability built on an open,
expertise and                 public, and expanding base of
capability.                   scientific and technical
                              knowledge about cryptography.


   The recommendations below address several critical policy
areas. In the interests of brevity, only short rationales for
the recommendations are given here. The reader is urged to
read Chapter 8 of the report for essential qualifications,
conditions, and explanations.


   The framework for national cryptography policy should
provide coherent structure and reduce uncertainty for
potential vendors and for nongovernment and government users
of cryptography in ways that policy does not do today.

*Recommendation 1: No law should bar the manufacture, sale, or
use of any form of encryption within the United States*.
Specifically, a legislative ban on the use of unescrowed
encryption would raise both technical and legal or
constitutional issues. Technically, many methods are available
to circumvent such a ban; legally, constitutional issues,
especially those related to free speech, would be almost
certain to arise, issues that are not trivial to resolve.
Recommendation 1 is made to reinforce this particular aspect
of the Administration's cryptography policy.

*Recommendation 2: National cryptography policy should be
developed by the executive and legislative branches on the
basis of open public discussion and governed by the rule of
law*. Only a national discussion of the issues involved in
national cryptography policy can result in the broadly
acceptable social consensus that is necessary for any policy
in this area to succeed. A consensus derived from such
deliberations, backed by explicit legislation when necessary,
will lead to greater degrees of public acceptance and trust,
a more certain planning environment, and better connections
between policy makers and the private sector on which the
nation's economy and social fabric rest.

*Recommendation 3: National cryptography policy affecting the
development and use of commercial cryptography should be more
closely aligned with market forces*. As cryptography has
assumed greater importance to nongovernment interests,
national cryptography policy has become increasingly
disconnected from market reality and the needs of parties in
the private sector. Experience with technology deployment
suggests that reliance on market forces is generally the most
effective way to promote the widespread use of a new
technology. Since the committee believes that widespread
deployment and use of cryptography are in the national
interest, it believes that national cryptography policy should
align itself with user needs and market forces to the maximum
feasible extent. Accordingly, national cryptography policy
should emphasize the freedom of domestic users to determine
cryptographic functionality, protection, and implementations
according to their security needs as they see fit; encourage
the adoption of cryptographic standards by the federal
government and private parties that are consistent with
prevailing industry practice; and support the use of
algorithms, product designs, and product implementations that
are open to public scrutiny.

                       EXPORT CONTROLS

   For many years, the United States has controlled the export
of cryptographic technologies, products, and related technical
information as munitions (on the U.S. Munitions List
administered by the State Department). However, the current
export control regime for cryptography is an increasing
impediment to the information security efforts of U.S. firms
competing and operating in world markets, developing strategic
alliances internationally, and forming closer ties with
foreign customers and suppliers. Export controls also have had
the effect of reducing the domestic availability of products
with strong encryption capabilities. Looking to the future,
both U.S. and foreign companies have the technical capability
to integrate high-quality cryptographic features into their
products and services. U.S. export controls may stimulate the
growth of significant foreign competition for U.S. vendors to
the detriment of both U.S. national security interests and
U.S. business and industry.

   Some relaxation of today's export controls on cryptography
is warranted. Relaxation would create an environment in which
U.S. and multinational firms and individuals could use the
same security products in the United States and abroad,
thereby supporting better information security for U.S. firms
operating internationally. It would also increase the
availability of good cryptography products in the United
States. Finally, it would help to solidify U.S. leadership in
a field critical to national security and economic

   At the same time, cryptography is inherently dual-use in
character, with important applications to both civilian and
military purposes. Because cryptography is a particularly
critical military application for which few technical
alternatives are available, retention of some export controls
on cryptography will mitigate the loss to U.S. national
security interests in the short term, allow the United States
to evaluate the impact of relaxation on national security
interests before making further changes, and "buy time" for
U.S. national security authorities to adjust to a new
technical reality.

*Recommendation 4: Export controls on cryptography should be
progressively relaxed but not eliminated*.

   *Recommendation 4.1 -- Products providing confidentiality
at a level that meets most general commercial requirements
should be easily exportable.(1) Today, products with
encryption capabilities that incorporate the 56-bit DES
algorithm provide this level of confidentiality and should be
easily exportable*. As a condition of export, vendors of
products covered under this recommendation 4.1 (and 4.2 below)
would be required to provide to the U.S. government full
technical specifications of their product and reasonable
technical assistance upon request in order to assist the U.S.
government in understanding the product's internal operations.

   *Recommendation 4.2 -- Products providing stronger
confidentiality should be exportable on an expedited basis to
a list of approved companies if the proposed product user is
willing to provide access to decrypted information upon
legally authorized request*. Firms on the list would agree to
abide by a set of requirements described in Chapter 8 that
would help to ensure the ability of the U.S. government to
obtain the plaintext of encrypted information upon
presentation of a proper law enforcement request. (Plaintext
is the information that was initially encrypted.)

   *Recommendation 4.3 -- The U.S. government should
streamline and increase the transparency of the export
licensing process for cryptography*. Greater efforts in this
area would reduce uncertainty regarding rules, time lines, and
the criteria used in making decisions about the exportability
of particular products. Chapter 8 describes specific possible
steps that might be taken.


   (1)  For purposes of Recommendation 4.1, a product that is
"easily exportable" will automatically qualify for treatment
and consideration (i.e., commodity jurisdiction, or CJ) under
the CCL. Automatic qualification refers to the same procedure
under which software products using RC2 or RC4 algorithms for
confidentiality with 40-bit key sizes currently qualify for
the CCL.



   As noted above, cryptography is helpful to some dimensions
of law enforcement and national security and harmful to
others. The committee accepts that the onset of an information
age is likely to create many new challenges for public safety,
among them the greater use of cryptography by criminal
elements of society. If law enforcement authorities are unable
to gain access to the encrypted communications and stored
information of criminals, some criminal investigations and
prosecutions will be significantly impaired. For these
reasons, specific steps should be taken to mitigate these
difficulties. In the realm of national security, new
capabilities are needed to better cope with the challenges
that cryptography presents.

   Since 1993, the approach of the U.S. government to these
problems has been an aggressive promotion of escrowed
encryption (see Chapter 5) as a pillar of the technical
foundation for national cryptography policy, primarily in
response to the law enforcement concerns described above.
Initiatives promoted by the U.S. government include the
Escrowed Encryption Standard (a voluntary Federal Information
Processing Standard for secure voice telephony), the
Capstone/Fortezza initiative that provides escrowed encryption
capabilities for secure data storage and communications, and
a recent proposal to liberalize export controls on certain
encryption products if the keys are "properly escrowed."

   The committee understands the Administration's rationale
for promoting escrowed encryption but believes that escrowed
encryption should be only one part of an overall strategy for
dealing with the problems that encryption poses for law
enforcement and national security. The committee's view of an
appropriate overall strategy is described below, and escrowed
encryption is the focus of Recommendation 5.3.

*Recommendation 5: The U.S. government should take steps to
assist law enforcement and national security to adjust to new
technical realities of the information age*. Over the past 50
years, both law enforcement and national security authorities
have had to cope with a variety of changing technological
circumstances. For the most part, they have coped with these
changes quite well. Today, however, "business as usual" will
not suffice to bring agencies responsible for law enforcement
and national security into the information age. At the same
time, both law enforcement and national security have
demonstrated considerable adaptability to new environments;
this record of adaptability provides considerable confidence
that they can adapt to a future of digital communications and
stored data as well.

   The specific subrecommendations that follow attempt to
build on this record. They are intended to support law
enforcement and national security missions in their totality
-- for law enforcement, in both crime prevention and crime
prosecution and investigation; for national security, in both
defense of nationally critical information systems and the
collection of intelligence information.

   *Recommendation 5.1 -- The U.S. government should actively
encourage the use of cryptography in nonconfidentiality
applications such as user authentication and integrity
checks*. These applications are particularly important in
addressing vulnerabilities of nationally critical information
systems and networks. Furthermore, these applications of
cryptography are important crime-fighting measures. To date,
national cryptography policy has not fully supported such
nonconfidentiality uses. Some actions have been taken in this
area, but these actions have sometimes conflicted with
government concerns about confidentiality. As importantly,
government has expressed considerably more concern in the
public debate regarding the deleterious impact of widespread
cryptography used for confidentiality than over the
deleterious impact of not deploying cryptographic capabilities
for user authentication and data integrity. Chapter 8 provides
a number of illustrative examples to demonstrate what specific
actions government can take to promote nonconfidentiality
applications of cryptography.

   *Recommendation 5.2 -- The U.S. government should promote
the security of the telecommunications networks more actively.
At a minimum, the U.S. government should promote the link
encryption of cellular communications (2) and the improvement
of security at telephone switches*. Such steps would not
diminish government access for lawfully authorized wiretaps
through the requirements imposed on carriers today to
cooperate with law enforcement in such matters. Furthermore,
by addressing public demands for greater security in voice
communications that are widely known to be nonsecure through
the telecommunications service providers, these measures would
also reduce the demand for (and thus the availability of)
devices used to provide end-to-end encryption of voice
communications. Without a ready supply of such devices, a
criminal user would have to go to considerable trouble to
obtain a device that could thwart a lawfully authorized

   *Recommendation 5.3 -- To better understand how escrowed
encryption might operate, the U.S. government should explore
escrowed encryption for its own uses. To address the critical
international dimensions of escrowed communications, the U.S.
government should work with other nations on this topic*.
Escrowed encryption has both benefits and risks. The benefits
for law enforcement and national security are that when
escrowed encryption is properly implemented and widely
deployed, law enforcement and national security authorities
will be able to obtain access to escrow-encrypted data in
specific instances when authorized by law. Escrowed encryption
also enables end users to recover encrypted stored data to
which access has been inadvertently lost. The risk to end
users is that escrowed encryption provides a potentially lower
degree of confidentiality because it is specifically designed
to permit exceptional access by parties not originally
intended to have access to the encrypted data.

   Aggressive government promotion of escrowed encryption is
not appropriate at this time for several reasons: the lack of
operational experience with how a large-scale infrastructure
for escrowed encryption would work; the lack of demonstrated
evidence that escrowed encryption will solve the most serious
problems that law enforcement authorities face; the likely
harmful impact on the natural market development of
applications made possible by new information services and
technologies; and the uncertainty of the market response to
such aggressive promotion. At the same time, many policy
benefits can be gained by an operational exploration of
escrowed encryption by the U.S. government for government
applications; such exploration would enable the U.S.
government to develop the base of experience on which to build
a more aggressive promotion of escrowed encryption should
circumstances develop in such a way that encrypted
communications come to pose a significant problem for law

   *Recommendation 5.4 -- Congress should seriously consider
legislation that would impose criminal penalties on the use of
encrypted communications in interstate commerce with the
intent to commit a federal crime*. The purpose of such a
statute would be to discourage the use of cryptography for
illegitimate purposes, thus focusing the weight of the
criminal justice system on individuals who were in fact guilty
of criminal activity rather than on law-abiding citizens and
criminals alike. Any statute in this area should be drawn

   *Recommendation 5.5 -- High priority should be given to
research, development, and deployment of additional technical
capabilities for law enforcement and national security to cope
with new technological challenges. Such R&D should be
undertaken during the time that it will take for cryptography
to become truly ubiquitous. These new capabilities are almost
certain to have a greater impact on future information
collection efforts than will aggressive attempts to promote
escrowed encryption to a resistant market.


   (2)  "Link encryption" refers to the practice of encrypting
information being communicated in such a way that it is
encrypted only in between the node from which it is sent and
the node where it is received; while the information is at the
nodes themselves, it is unencrypted. In the context of link
encryption for cellular communications, a cellular call would
be encrypted between the mobile handset and the ground
station. When carried on the landlines of the telephone
network, the call would be unencrypted.



   Although this report is concerned primarily with national
cryptography policy, any such policy is only one component of
a national information security policy. Without a
forward-looking and comprehensive national information
security policy, changes in national cryptography policy may
have little operational impact on U.S. information security.

*Recommendation 6: The U.S. government should develop a
mechanism to promote information security in the private
sector*. As is widely acknowledged, the U.S. government is not
well organized to meet the challenges presented by an
information society, and no government agency has the
responsibility to promote information security in the private
sector. Absent a coordinated approach to promoting information
security, the needs of many stakeholders may well be given
inadequate attention and notice; those who are pursuing
enhanced information security and those who have a need for
legal access to stored or communicated information must both
be included in a robust process for managing the
often-competing issues and interests that will inevitably
arise over time. Government has an important role in actively
promoting the security of information systems and networks
critical to the nation's welfare (e.g., the banking and
financial system, the public switched telecommunications
network, the air traffic control system, the electric power
grid). In other sectors of the economy, the role of the U.S.
government should be limited to providing information and
expertise. Chapter 8 provides some illustrative examples of
what the government might do to promote information security
in the private sector.


   The committee believes that its recommendations will lead
to enhanced confidentiality and protection of information for
individuals and companies, thereby reducing economic and
financial crimes and economic espionage from both domestic and
foreign sources. In addition, they will result in improved
security and assurance for the information systems and
networks used by the nation -- a more secure national
information infrastructure. While the recommendations will in
these ways contribute to the prevention of crime and enhance
national security, the committee recognizes that the spread of
cryptography will increase the burden of those in government
charged with carrying out certain specific law enforcement and
intelligence activities. It believes that widespread
commercial and private use of cryptography in the United
States and abroad is inevitable in the long run and that its
advantages, on balance, outweigh its disadvantages. Thus, the
committee concluded that the overall interests of the
government and the nation would best be served by a policy
that fosters a judicious transition toward the broad use of

[End Executive Summary]


               A Road Map Through This Report

   This report responds to a request made in the Defense
Authorization Act of FY 1994 by the U.S. Congress for the
National Research Council to conduct a comprehensive study of
national cryptography policy, a subject that has generated
considerable controversy in the past few years.

   This report is organized into three parts. Part I frames
the policy issues. Chapter 1 outlines the problem of growing
information vulnerability and the need for technology and
policy to mitigate this problem. Chapter 2 describes possible
roles for cryptography in reducing information vulnerability
and places cryptography into context as one element of an
overall approach to ensuring information security. Chapter 3
discusses nongovernment needs for access to encrypted
information and related public policy issues, specifically
those related to information gathering for law enforcement and
national security purposes.

   Part II of this report describes the instruments and goals
of current U.S. cryptography policy and some of the issues
raised by current policy. Chapter 4 is concerned primarily
with export controls on cryptography, a powerful tool that has
long been used in support of national security objectives but
whose legitimacy has come under increasing fire in the last
several years. Chapter 5 addresses escrowed encryption, an
approach aggressively promoted by the federal government as a
technique for balancing national needs for information
security with those of law enforcement and national security.
Chapter 6 discusses other dimensions of national cryptography
policy, including the Digital Telephony Act of 1995 (aka the
Communications Assistance for Law Enforcement Act) and a
variety of other levers used in national cryptography policy
that do not often receive much attention in the debate.

   Part III has two goals enlarging the space of possible
policy options, and offering findings and recommendations.
Chapter 7 discusses a variety of options for cryptography
policy, some of which have been suggested or mentioned in
different forums (e.g., in public and/or private input
received by the committee, or by various members of the
committee). These policy options include alternative export
control regimes for cryptography and alternatives for
providing third-party access capabilities when necessary. In
addition, Chapter 7 addresses several issues related to or
affected by cryptography that will appear on the horizon in
the foreseeable future. Chapter 8 describes the committee's
findings and recommendations.

   A set of appendixes provides more detail where needed.

[End Road Map]


[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]

                           Part I

                  Framing the Policy Issues

   Part I is intended to explicate the fundamental issues
underlying national cryptography policy. Chapter 1 outlines
basic elements of a critical problem facing the nation -- the
increasing vulnerability of information, a commodity that has
become essential to national well-being and future
opportunity. This vulnerability results from a number of
trends, including the explosive growth of digital
communications and data storage, the increasingly
international dimensions of business, and the growing
dependence of the nation on a number of critical information
systems and networks. Chapter 2 describes how cryptography can
play an important role in reducing the information
vulnerability of the nation, of businesses, and of private
individuals. Chapter 2 also places cryptography into context,
as one element of an overall approach to information security,
as a product that responds to factors related to both supply
and demand, and as a technology whose largescale use requires
a supporting infrastructure. Chapter 3 discusses public policy
issues raised by the need for access to encrypted information.
The prospect of near-absolute confidentialty of information --
a prospect enabled by modern cryptography -- is reassuring to
some and quite disturbing to others. Important public policy
issues are raised by law enforcement authorities, who regard
the ability to obtain information surreptitiously but legally
as essential to their crime-fighting abilities, and by
national security authorities, who place a high value on the
ability to monitor the communications of potential
adversaries. Even private individuals, who might wish to
encrypt records securely, may face the need to recover their
data as though they were outsiders if they have forgotten how
to gain "legitimate" access; the same is true for businesses
in some situations.



        Growing Vulnerability in the Information Age

   Chapter 1 frames a fundamental problem facing the United
States today -- the need to protect against the growing
vulnerability of information to unauthorized access and/or
change as the nation makes the transition from an industrial
age to an information age. Society's reliance on a changing
panoply of information technologies and technology-enabled
services, the increasingly global nature of commerce and
business, and the ongoing desire to protect traditional
freedoms as well as to ensure that government remains capable
of fulfilling its responsibilities to the nation all suggest
that future needs for information security will be large.
These factors make clear the need for a broadly acceptable
national cryptography policy that will help to secure vital
national interests.


   The information age is enabled by computing and
communications technologies (collectively known as information
technologies) whose rapid evolution is almost taken for
granted today. Computing and communications systems appear in
virtually every sector of the economy and increasingly in
homes and other locations. These systems focus economic and
social activity on information -- gathering, analyzing,
storing, presenting, and disseminating information in text,
numerical, audio, image, and video formats -- as a product
itself or as a complement to physical or tangible products.(1)

   Today's increasingly sophisticated information technologies
cover a wide range of technical progress:

   +    *Microprocessors and workstations* are increasingly
important to the computing infrastructure of companies and the
nation. Further increases in speed and computational power
today come from parallel or distributed processing with many
microcomputers and processors rather than faster

   +    *Special-purpose electronic hardware* is becoming
easier to develop. Thus, it may make good sense to build
specialized hardware optimized for performance, speed, or
security with respect to particular tasks; such specialized
hardware will in general be better adapted to these purposes
than general-purpose machines applied to the same tasks.

   +    *Media* for transporting digital information are
rapidly becoming faster (e.g., fiber optics instead of coaxial
cables), more flexible (e.g., the spread of wireless
communications media), and less expensive (e.g., the spread of
CD-ROMs as a vehicle for distributing digital information).
Thus, it becomes feasible to rely on the electronic
transmission of larger and larger volumes of information and
on the storage of such volumes on ever-smaller physical

   +    *Convergence* of technologies for communications and
for computing. Today, the primary difference between
communications and computing is the distance traversed by data
flows: in communications, the traversed distance is measured
in miles (e.g., two people talking to each other), while in
computing the traversed distance is measured in microns (e.g.,
between two subcomponents on a single integrated circuit). A
similar convergence affects companies in communications and in
computing -- their boundaries are blurring, their scopes are
changing, and their production processes overlap increasingly.

   +    *Software* is increasingly carrying the burden of
providing functionality in information technology. In general,
software is what gives hardware its functional capabilities,
and different software running on the same hardware can change
the functionality of that hardware entirely. Since software is
intangible, it can be deployed widely on a very short time
scale compared to that of hardware. Box 1.1 contains more
discussion of this point.

   As these examples suggest, information technologies are
ever more affordable and ubiquitous. In all sectors of the
economy, they drive demand for information systems; such
demand will continue to be strong and experience significant
growth rates. High-bandwidth and/or wireless media are
becoming more and more common. Interest in and use of the
Internet and similar public networks will continue to
experience very rapid growth.


   (1)  Citations to a variety of press accounts can be found
in Computer Science and Telecommunications Board (CSTB),
National Research Council, *Information Technology and
Manufacturing: A Research Agenda*, National Academy Press,
Washington, D.C., 1993; CSTB, *Information Technology in the
Service Society: A Twenty-First Century Lever*, 1993; CSTB,
*Realizing the Information Future: The Internet and Beyond*,
1994; CSTB, *Keeping the Computer and Communications Industry
Competitive: Convergence of Computing, Communications, and
Entertainment*, 1995; and CSTB, *The Unpredictable Certainty:
Information Infrastructure Through 2000*, 1996.



   As the availability and use of computer-based systems grow,
so, too, does their interconnection. The result is a shared
infrastructure of information, computing, and communications
resources that facilitates collaboration at a distance,
geographic dispersal of operations, and sharing of data. With
the benefits of a shared infrastructure also come costs.
Changes in the technology base have created more
vulnerabilities, as well as the potential to contain them. For
example, easier access for users in general implies easier
access for unauthorized users.

   The design, mode of use, and nature of a shared
infrastructure create vulnerabilities for all users. For
national institutions such as banking, new risks arise as the
result of greater public exposure through such
interconnections. For example, a criminal who penetrates one
bank interconnected to the world's banking system can steal
much larger amounts of money than are stored at that one bank.
(Box 1.2 describes a recent electronic bank robbery.) Reducing
vulnerability to breaches of security will depend on the
ability to identify and authenticate people, systems, and
processes and to assure with high confidence that information
is not improperly manipulated, corrupted, or destroyed.

   Although society is entering an era abounding with new
capabilities, many societal practices today remain similar to
those of the 1960s and 1970s, when computing was dominated by
large, centralized mainframe computers. In the 1980s and
1990s, they have not evolved to reflect the introduction of
personal computers, portable computing, and increasingly
ubiquitous communications networks. Thus, people continue to
relinquish control over substantial amounts of personal
information through credit card transactions, proliferating
uses of Social Security numbers, and participation in
frequent-buyer programs with airlines and stores.
Organizations implement trivial or no protection for
proprietary data and critical systems, trusting policies to
protect portable storage media or relying on simple passwords
to protect information.

   These practices have endured against a backdrop of
relatively modest levels of commercial and individual risk;
for example, the liability of a credit-card owner for credit
card fraud perpetrated by another party is limited by law to
$50. Yet most computer and communications hardware and
software systems are subject to a wide range of
vulnerabilities, as described in Box 1.3. Moreover,
information on how to exploit such vulnerabilities is often
easy to obtain. As a result, a large amount of information
that people say they would like to protect is in fact
available through entirely legal channels (e.g., purchasing a
credit report on an individual) or in places that can be
accessed improperly through technical attacks requiring
relatively modest effort.

   Today, the rising level of familiarity with computer-based
systems is combining with an explosion of experimentation with
information and communications infrastructure in industry,
education, health care, government, and personal settings to
motivate new uses of and societal expectations about the
evolving infrastructure. A key feature of the new environment
is connection or exchange: organizations are connecting
internal private facilities to external public ones; they are
using public networks to create virtual private networks, and
they are allowing outsiders such as potential and actual
customers, suppliers, and business allies to access their
systems directly. One vision of a world of electronic commerce
and what it means for interconnection is described in Box 1.4.

   Whereas a traditional national security perspective might
call for keeping people out of sensitive stores of information
or communications networks, national economic and social
activity increasingly involves the exact opposite: inviting
people from around the world to come in -- with varying
degrees of recognition that all who come in may not be
benevolent. Box 1.5 describes some of the tensions between
security and openness. Such a change in expectations and
perspective is unfolding in a context in which controls on
system access have typically been deficient, beginning with
weak operating system security. The distributed and
internetworked communications systems that are emerging raise
questions about protecting information regardless of the path
traveled (end-to-end security), as close to the source and
destination as possible.

   The international dimensions of business and the growing
importance of competitiveness in the global marketplace
complicate the picture further. Although "multinationals" have
long been a feature of the U.S. economy, the inherently
international nature of communications networks and the
growing capabilities for distributing and accessing
information worldwide are helping many activities and
institutions to transcend national boundaries. (See Box 1.6.)

   At the same time, export markets are at least as important
as domestic U.S. markets for a growing number of goods and
service producers, including producers of information
technology products as well as a growing variety of high- and
low-technology products. The various aspects of globalization
-- identifying product and merchandising needs that vary by
country; establishing and maintaining employment, customer,
supplier, and distribution relationships by country;
coordinating activities that may be dispersed among countries
but result in products delivered to several countries; and so
on -- place new demands on U.S.based and U.S.-owned
information, communication, organizational, and personal
resources and systems.


   Solutions to cope with the vulnerabilities described above
require both appropriate technology and user behavior and are
as varied as the needs of individual users and organizations.
Cryptography -- a technology described more fully in Chapter
2 and Appendix C -- is an important element of many solutions
to information vulnerability that can be used in a number of
different ways. National cryptography policy -- the focus of
this report -- concerns how and to what extent government
affects the development, deployment, and use of this important
technology. To date, public discussion of national
cryptography policy has focused on one particular application
of cryptography, namely its use in protecting the
confidentiality of information and communications.

   Accordingly, consideration of national cryptography policy
must take into account two fundamental issues:

   +    If the public information and communications
infrastructure continues to evolve with very weak security
throughout, reflecting both deployed technology and user
behavior, the benefits from cryptography for confidentiality
will be significantly less than they might otherwise be.

   +    The vulnerabilities implied by weak security overall
affect the ability of specific mechanisms such as cryptography
to protect not only confidentiality but also the integrity of
information and systems and the availability of systems for
use when sought by their users. Simply protecting (e.g.,
encrypting) sensitive information from disclosure can still
leave the rest of a system open to attacks that can undermine
the encryption (e.g., the lack of access controls that could
prevent the insertion of malicious software) or destroy the
sensitive information.

   Cryptography thus must be considered in a wider context. It
is not a panacea, but it is extremely important to ensuring
security and can be used to counter several vulnerabilities.

   Recognition of the need for system and infrastructure
security and demand for solutions are growing. Although demand
for solutions has yet to become widespread, the trend is away
from a marketplace in which the federal government (2) was the
only meaningful customer. Growing reliance on a shared
information and communications infrastructure means that all
individuals and organizations should be, and the committee
believes will become, the dominant customers for better
security. That observation is inherent in the concept of
infrastructure as something on which people rely.

   What may be less obvious is that as visions of ubiquitous
access and interconnection are increasingly realized,
individual, organizational, and governmental needs may become
aligned. Such an alignment would mark a major change from the
past. Again, sharing of a common infrastructure is the cause:
everyone, individual or organization, public or private
sector, is a user. As significantly, all of these parties face
a multitude of threats to the security of information (Box
1.7). Consideration of the nation's massive dependence on the
public switched telecommunications network, which is one of
many components of the information and communications
infrastructure, provides insight into the larger set of
challenges posed by a more complex infrastructure (Box 1.8).

   To illustrate the broad panorama of stakeholder interests
in which national cryptography policy is formulated, the next
several sections examine different aspects of society from the
standpoint of needs for information security.


   (2)  The more general statement is that the market
historically involved national governments in several
countries as the principal customers.



   For purposes of this report, the relationship of U.S.
businesses to the information society has two main elements.
One element is that of protecting information important to the
success of U.S. businesses in a global marketplace. The second
element is ensuring the nation's continuing ability to exploit
U.S. strengths in information technology on a worldwide basis.

       1.4.1 Protecting Important Business Information

   A wide range of U.S. companies operating internationally
are threatened by foreign information-collection efforts. The
National Counterintelligence Center (NACIC) reports that "the
U.S. industries that have been the targets in most cases of
economic espionage and other foreign collection activities
include biotechnology; aerospace; telecommunications; computer
hardware/software, advanced transportation and engine
technology; advanced materials and coatings; energy research;
defense and armaments technology; manufacturing processes; and
semiconductors."(3) Foreign collectors target proprietary
business information such as bid, contract, customer. and
strategy information, as well as corporate financial and trade
data. Of all of the information vulnerabilities facing U.S.
companies internationally (Box 1.7), electronic
vulnerabilities appear to be the most significant. For
example, the NACIC concluded that "specialized technical
operations (including computer intrusions, telecommunications
targeting and intercept, and private-sector encryption
weaknesses) account for the largest portion of economic and
industrial information lost by U.S. corporations." The NACIC

   Because they are so easily accessed and intercepted,
   corporate telecommunications -- particularly international
   telecommunications -- provide a highly vulnerable and
   lucrative source for anyone interested in obtaining trade
   secrets or competitive information. Because of the
   increased usage of these links for bulk computer data
   transmission and electronic mail, intelligence collectors
   find telecommunications intercepts cost-effective. For
   example, foreign intelligence collectors intercept
   facsimile transmissions through government-owned telephone
   companies, and the stakes are large -- approximately half
   of all overseas telecommunications are facsimile
   transmissions. Innovative "hackers" connected to computers
   containing competitive information evade the controls and
   access companies' information. In addition, many American
   companies have begun using electronic data interchange, a
   system of transferring corporate bidding, invoice, and
   pricing data electronically overseas. Many foreign
   government and corporate intel]igence collectors find this
   information invaluable.(4)

   Why is electronic information so vulnerable? The primary
reason is that it is computer-readable and thus much more
vulnerable to automated search than are intercepted voice or
postal mail transmissions. Once the information is collected
(e.g., through an existing wiretap or a protocol analyzer on
an Internet router), it is relatively simple for computers to
search streams of electronic information for word combinations
of interest (e.g., "IBM," "research," and "superconductivity"
in the same message). As the cost of computing drops, the cost
of performing such searches drops.(5) The threat posed by
automated search, coupled with the sensitivity of certain
communications that are critical for nongovernment users, is
at the root of nongovernment demand for security.(6)

   Note that solutions for coping with information-age
vulnerabilities may well create new responsibilities for
businesses. For example, businesses may have to ensure that
the security measures they take are appropriate for the
information they are protecting, and/or that the information
they are protecting remains available for authorized use.
Failure to discharge these responsibilities properly may
result in a set of liabilities that these businesses currently
do not face.

   Appendix I of this report elaborates issues of information
vulnerability in the context of key induskies such as banking
and financial services, health care, manufacturing, the
petroleum industry, pharmaceuticals, the entertainment
industry, and government.


   (3)  National Counterintelligence Center, *Annual Report to
Congress on Foreign Economic Collection and Industrial
Espionage*, Washington, D.C., July 1995, p. 15.

   (4)  From the National Counterintelligence Center, *Annual
Report to Congress on Foreign Economic Collection and
Industrial Espionage*, Washington, D.C., July 1995. Further,
intelligence collections by foreign powers are facilitated
when a hostile government interested in eavesdropping controls
the physical environment in which a U.S. company may be
operating. For example, the U.S. company may be in a nation in
which the telecommunications system is under the direct
control of the government. When a potentially hostile
government controls the territory on which a company must
operate, many more compromises are possible.

   (5)  As a rough rule of thumb, Martin Hellman estimates
that 10 billion (10^10) words can be searched for $1. This
estimate is based on an experiment in which Hellman used the
Unix utility program "fgrep" to search a 1 million (10^6)
character file for a specific string of 10 characters known to
be at the end of the file and nowhere else. It took the NeXT
workstation on which this experiment was run approximately 1
second to find these last 10 characters. Since there are
approximately 10^5 seconds in a day and 10^3 days (about 3
years) in the useful life of the workstation, it can search
roughly 10^13 over its life. Since such a workstation is worth
on the order of $1,000 today, this works out to 10^10 words
searched for $1. (With the use of specialized hardware, this
cost could be reduced significantly. For example, in the 1976
Book IV of the Senate Select Committee on Intelligence Report,
R.L. Garwin describes the use of "match registers" to
efficiently implement queries against a database.)

   (6)  Other noncomputer-based technology for the clandestine
gathering of information is widely available on the retail
market. In recent years, concern over the ready availability
of such equipment has grown. See, for example, Ross E. Milloy,
"Spying Toys for Adults or Supplies for Crimes?," *New York
Times*, August 28, 1995, p. A-10; Pam Belluck, "A Shadow over
the Spy-Shop Business," *New York Times*, September 22, 1995,
p. B-3; and James C. McKinley, Jr., "U.S. Agents Raid Stores
in 24 Cities to Seize Spy Gear," *New York Times*, April 6,
1995, p. A-1.


             1.4.2 Ensuring the Nation's Ability
                  to Exploit Global Markets

   With the increasing globalization of business operations,
information technology plays a key role in maintaining the
competitive strengths of U.S. business. In particular, U.S.
businesses have proven adept at exploiting information and
information technologies to create new market niches and
expand old ones. This pattern has deep roots. For example,
beginning in the 1960s, American Airlines pioneered in
computerized reservations systems and extended use of the
information captured and stored in such systems, generating an
entire new business that is more profitable than air kansport
services. More recently, creative uses of information
technology have advanced U.S. leadership in the production of
entertainment products (e.g., movies and videos, recorded
music, on-line services) for the world.

   U.S. innovation in using information technology reflects in
part the economic vitality that makes new technology
affordable. It also reflects proximity to the research and
production communities that supply key information technology
products, communities with which a variety of U.S. industries
have successfully exchanged talent, communicated their needs
as customers, and collaborated in the innovation process. In
other words, it is not an accident that innovation in both use
and production of information technology has blossomed in the
United States.

   The business advantages enjoyed by U.S. companies that use
information technology are one important reason that the
health of U.S. computer, telecommunications, and information
industries is important to the economy as a whole. A second
important reason is the simple fact that the U.S. information
technology sector (the set of industries that supply
information technology goods and services) is the world's
strongest.(7) The industry has an impressive record of product
innovation; key U.S. products are de facto world standards;
U.S. marketing and distribution capabilities for software
products are unparalleled; and U.S. companies have
considerable strengths in the manufacture of specialized
semiconductor technologies and other key components. A strong
information technology sector makes a significant contribution
to the U.S. balance of payments and is responsible for large
numbers of high-paying jobs. These strengths establish a firm
foundation for continued growth in sales for U.S. information
technology products and services as countries worldwide
assimilate these technologies into their economies.

   Finally, because of its technological leadership the United
States should be better positioned to extend that lead, even
if the specific benefits that may result are not known in
advance. The head start in learning how to use information
technology provides a high baseline on which U.S. individuals
and organizations can build.

   The committee believes that information technology is one
of a few high-technology areas (others might include aerospace
and electronics) that play a special role in the economic
health of the nation, and that leadership in this area is one
important factor underlying U.S. economic strength in the
world today.(8) To the extent that this belief is valid, the
economic dimension of national security and perhaps even
traditional national security itself may well depend
critically on a few key industries that are significant to
military capabilities, the industrial base, and the overall
economic health of the nation. Policy that acts against the
health and global viability of these industries or that
damages the ability of the private sector to exploit new
markets and identify niches globally thus deserves the most
careful scrutiny.

   Because it is inevitable that other countries will expand
their installed information technology bases and develop their
own innovations and entrepreneurial strengths, U.S. leadership
is not automatic. Already, evidence of such development is
available, as these nations build on the falling costs of
underlying technologies (e.g., microprocessors, aggregate
communications bandwidth) and worldwide growth in relevant
skills. The past three decades of information technology
history provide enough examples of both successful first
movers and strategic missteps to suggest that U.S. leadership
can be either reinforced or undercut: leadership is an asset,
and it is sensitive to both public policy and private action.

   Public and private factors affecting the competitive health
of U.S. information technology producers are most tightly
coupled in the arena of foreign trade.(9) U.S. producers place
high priority on ease of access to foreign markets. That
access reflects policies imposed by U.S. and foreign
governments, including governmental controls on what can be
exported to whom. Export controls affect foreign trade in a
variety of hardware, software, and communications systems.(10)
They are the subject of chronic complaints from industry, to
which government off1cials often respond by pointing to other,
industry-centered explanations (e.g., deficiencies in product
design or merchandising) for observed levels of foreign sales
and market shares. Chapter 4 addresses export controls in the
context of cryptography and national cryptography policy.


   (7)  For example, a staff study by the U.S. International
Trade Commission found that 8 of the world's top ten
applications software vendors, 7 of the world's top ten
systems software vendors, the top 5 systems integration firms,
and 8 of the top ten custom programming firms are U.S. firms;
the top nine global outsourcing firms have headquarters in the
U.S. See Office of Industries, U.S. International Trade
Commission, *Global Competitiveness of the U.S. Computer
Software and Service Industries*, Staff Research Study #21,
Washington, D.C., June 1995, Chapter 5.

   (8)  The committee acknowledges that there is a wide range
of judgment among responsible economists on this matter. Some
argue that the economy is so diverse that the fate of a single
industry or even a small set of industries has a relatively
small effect on broader economic trends. Others argue that
certain industries are important enough to warrant subsidy or
industrial policy to promote their interests. The committee
discussed this specific issue to a considerable extent and
found a middle ground between these two extremes -- that
information technology is one important industry among others,
and that the health and well-being of that industry are
important to the nation. This position is also supported by
the U.S. government, which notes that telecommunications and
computer hardware/software are among a number of industries
that are of "strategic interest to the United States ...
because they produce classified products for the government,
produce dual use technology used in both the public and
private sectors, and are responsible for leading-edge
technologies critical to maintaining U.S. economic security."
National Counterintelligence Center, *Annual Report to
Congress on Foreign Economic Collection and Industrial
Espionage*, Washington, D.C., July 1995, p. 15.

   (9)  Of course, many intrafirm and intraindustry factors
shape competitive strength, such as good management, adequate
financing, good fit between products and consumer preferences,
and so on.

   (10) See, for example, John Harvey et al, *A Common-Sense
Approach to High-Technology Export Controls*, Center for
International Security and Arms Control, Stanford University,
Stanford, California, March 1995; National Research Council,
*Finding Common Ground: US. Export Controls in a Changed
Global Environment*, National Academy Press, Washington, D.C.,
1991; Computer Science and Telecommunications Board, National
Research Council, *Global Trends in Computer Technology and
Their Impact on Export Control*, National Academy Press,
Washington, D.C., 1988.



   The emergence of the information age affects individuals as
well as businesses and other organizations. As numerous
reports argue, the nation's information infrastructure
promises many opportunities for self-education, social
exchange, recreation, personal business, cost-effective
delivery of social programs, and entrepreneurship.(11) Yet the
same technologies that enable such benefits may also convey
unwanted side effects. Some of those can be considered
automated versions of problems seen in the paper world; others
are either larger in scale or different in kind. For
individuals, the area relevant to this report is privacy and
the protection of personal information. Increasing reliance on
electronic commerce and the use of networked communication for
all manner of activities suggest that more information about
more people will be stored in network-accessible systems and
will be communicated more broadly and more often, thus raising
questions about the security of that information.

   Privacy is generally regarded as an important American
value, a right whose assertion has not been limited to those
"with something to hide." Indeed, assertion of the right to
privacy as a matter of principle (rather than as all
instrumental action) has figured prominently in U.S. political
and social history; it is not merely abstract or theoretical.

   In the context of an information age, an individual's
privacy can be affected on two levels: privacy in the context
of personal transactions (with businesses or other
institutions and with other individuals), and privacy
vis-a-vis governmental units. Both levels are affected by the
availability of tools, such as cryptography in the context of
information and communications systems, that can help to
preserve privacy. Today's information security technology, for
example, makes it possible to maintain or even raise the cost
of collecting information about individuals. It also provides
more mechanisms for government to help protect that
information. The Clinton Administration has recognized
concerns about the need to guard individual privacy,
incorporating them into the security and privacy guidelines of
its Information Infrastructure Task Force.(12) These
guidelines represent an important step in the process of
protecting individual privacy.


   (11) See, for example, Comnputer Science and
Telecommunications Board (CSTB), National Research Council,
*The Unpredictable Certainty: Information Infrastructure
Through 2000*, National Academy Press, Washington, D.C., 1996;
and CSTB, *The Unpredictable Certainty: Companion Volume of
White Papers*, 1996; CSTB, *The Changing Nature of
Telecommunications/Information Infrastructure*, National
Academy Press, Washington, D.C., 1995.

   (12) Information Infrastructure Task Force, National
Information Infrastructure Security Issues Forum, *NII
Security: The Federal Role*, Washington, D.C., June 5, 1995.


           1.5.1 Privacy in an Information Economy

   Today, the prospect for easier and more widespread
collection and use of personal data as a byproduct of ordinary
activities raises questions about inappropriate activities by
industry, nosy individuals, and/or criminal elements in
society. Criminals may obtain sensitive financial information
to defraud individuals (credit card fraud, for example,
amounts to approximately $20 per card per year). Insurance
companies may use health data collected on individuals to
decide whether to provide or deny health insurance -- putting
concerns about business profitability in possible conflict
with individual and public health needs. On the other hand,
much of the personal data in circulation is willingly divulged
by individuals for specific purposes; the difficulty is that
once shared, such information is available for additional
uses. Controlling the further dissemination of personal data
is a function both of procedures for how information should be
used and of technology (including but not limited to
cryptography) and procedures for restricting access to those

   Given such considerations, individuals in an information
age may wish to be able to:

   +    Keep specific information private. Disclosure of
information of a personal nature that could be embarrassing if
known, whether or not such disclosure is legal, is regarded as
an invasion of privacy by many people. A letter to Ann Landers
from a reader described his inadvertent eavesdropping on some
very sensitive financial transactions being conducted on a
cordless telephone.(13) A staff member of this study committee
has heard broadcasts of conversations that apparently emanate
from a next-door baby monitor whose existence has been
forgotten. Home banking services using telephone lines or
network connections and personal computers will result in the
flow on public networks of large amounts of personal
information regarding finances. Even the ad copy in some of
today's consumer catalogues contains references to information
security threats.(14)

   +    Ensure that a party with whom they are transacting
business is indeed the party he or she claims to be. Likewise,
they may seek to authenticate their own identity with
confidence that such authentication will be accepted by other
parties, and that anyone lacking such authentication will be
denied the ability to impersonate them.(15) Such a capability
is needed to transfer money among mutual funds with a
telephone call or to minimize unauthorized use of credit card
accounts.(16) In an electronic domain without face-to-face
communications or recognizable indicators such as voices and
speech patterns (as used today in telephone calls), forgery of
identity becomes increasingly easy.

   +    Prevent the false repudiation of agreed-to
transactions. It is undesirable for a party to a transaction
to be able to repudiate (deny) his agreement to the terms of
the transaction. For example, an individual may agree to pay
a certain price for a given product; he or she should not then
be able to deny having made that agreement (as he or she might
be tempted to do upon finding a lower price elsewhere).

   +    Communicate anonymously (i.e., carry out the opposite
of authenticated communication). Individuals may wish to
communicate anonymously to criticize the government or a
supervisor, report illegal or unethical activity without
becoming further involved, or obtain assistance for a problem
that carries a social stigma. In other instances, they may
simply wish to speak freely without fear of social reprisal or
for the entertainment value of assuming a new digital identity
in cyberspace.

   +    Ensure the accuracy of data that is relevant to them.
Many institutions such as banks, financial institutions, and
hospitals keep records on individuals. These individuals often
have no personal control of these records, even though the
integrity of the data in these records can be of crucial
significance. Occasional publicity attests to instances of the
inaccuracy of such data (e.g., credit records) and to the
consequences for individuals.

   Practical safeguards for privacy such as those outlined
above may be more compelling than abstract or principled
protection of a right to privacy.


   (13) Ann Landers. "Ann Landers," *Washington Post*,
Creators Syndicate, October 20, 1995, p. D-5.

   (14) For example, a catalogue from Comtrad Industries notes
that "burglars use 'Code Grabbers' to open electric garage
doors and break into homes," defining "code grabbers" as
"devices that can record and play back the signal produced
from your garage door remote control." Comtrad Industries, (p.
20, catalogue from 1995). The Herrington catalogue advertises
the "Enigma" phone scrambler by noting that "[a] recent Wall
Street Journal article documents the increasing acceptance and
prevalence of industrial espionage" and mentions as an
"example of the alarming intrusion of the federal government
into citizens' private lives" the fact that "the FBI
petitioned Congress to further expand its wiretapping
authority." Herrington, Winter 1996, p. 13. Note that both of
these mail-order firms cater to mainstream consumer sentiment.

   (15) Is For example, a journalist that had reported on the
trafficking of illegally copied software on America Online was
the victim of hackers that assumed his on-line identity,
thereby intercepting his e-mail messages and otherwise
impersonating him. See Peter Lewis, "Security Is Lost in
Cyberspace," *New York Times*, February 22, 1995, p. D-1.
Other cases of "stolen identities" have been reported in the
press, and while these cases remain relatively isolated, they
are still a matter of public concern. Thieves forge signatures
and impersonate identities of law-abiding citizens to steal
money from bank accounts and to obtain credit cards in the
name of those citizens; see Charles Hall, "A Personal Approach
to Stealing," *Washington Post*, April 1, 1996, p. A-1.

   (16) For example, a recent press article calls attention to
security concerns raised by the ease of access to 401(k)
retirement accounts (for which there is no cap on the
liability incurred if a third party with unauthorized access
to it transfers funds improperly). See Timothy Middleton,
"Will Thieves Crack Your Automated Nest Egg?," *New York
Times*, March 10, 1996, Business Section, p. 10. Another
article describes a half-dozen easy-to-apply methods that can
be used by criminals to undertake fraud. See Albert Crenshaw,
"Creative Credit Card Crooks Draw High-Tech Response,"
*Washington Post*, August 6, 1995, Business Section, p. H-1.


                 1.5.2 Privacy for Citizens

   Public protection of privacy has been less active in the
United States than in other countries, but the topic is
receiving increasing attention. In particular, it has become
an issue in the political agenda of people and organizations
that have a wide range of concerns about the role and
performance of government at all levels; it is an issue that
attracts advocates from across the spectrum of political
opinion. The politicization of privacy may inhibit the orderly
consideration of relevant policy, including cryptography
policy, because it revolves around the highly emotional issue
of trust in government. The trust issue surfaced in the
initial criticisms of the Clipper chip initiative proposal in
1993 (Chapter 5) and continues to color discussion of privacy
policy generally and cryptography policy specifically.

   To many people, freedom of expression and association,
protection against undue governmental, commercial, or public
intrusion into their personal affairs, and fair treatment by
various authorities are concems shaped by memories of highly
publicized incidents in which such rights were flouted.(17) It
can be argued that such incidents were detectable and
correctable precisely because they involved government units
that were obligated to be publicly accountable -- and indeed,
these incidents prompted new policies and procedures as well
as greater public vigilance. It is also easy to dismiss them
as isolated instances in a social system that for the most
part works well. But where these episodes involve government,
many of those skeptical about government believe that they
demonstrate a capacity of government to violate civil
liberties of Americans who are exercising their constitutional
rights.(18) This perception is compounded by attempts to
justify past incidents as having been required for purposes of
national security. Such an approach both limits public
scrutiny and vitiates policy-based protection of personal

   It is hard to determine with any kind of certainty the
prevalence of the sentiments described in this section. By
some measures, over half of the public is skeptical about
government in general,(19) but whether that skepticism
translates into widespread public concem about government
surveillance is unclear. The committee believes that most
people acting as private individuals feel that their
electronic communications are secure and do not generally
consider it necessary to take special precautions against
threats to the confidentiality of those communications. These
attitudes reflect the fact that most people, including many
who are highly knowledgeable about the risks, do not give much
conscious thought to these issues in their day-to-day

   At the same time, the committee acknowledges the concerns
of many law-abiding individuals about government surveillance.
It believes that such concerns and the questions they raise
about individual rights and government responsibilities must
be taken seriously. It would be inappropriate to dismiss such
individuals as paranoid or overly suspicious. Moreover, even
if only a minority is worried about government surveillance,
it is an important consideration, given the nation's history
as a democracy,(20) for determining whether and how access to
and use of cryptography may be considered a citizen's right
(Chapter 7).


   (17) Some incidents that are often cited include the
surveillance of political dissidents, such as Martin Luther
King, Jr., Malcolm X, and the Student Non-Violent Coordinating
Committee in the mid to late 1960s; the activities of the
Nixon "plumbers" in the late 1960s, including the harassment
and surveillance of sitting and fommer govemment officials and
joumalists and their associates in the name of preventing
leaks of sensitive national security information; U.S.
intelligence surveillance of the intemational cable and
telephone communications of U.S. citizens from the early 1940s
through the early 1970s in support of FBI and other domestic
law enforcement agencies; and the creation of FBI dossiers on
opponents of the Vietnam War in the mid-1960s. The description
of these events is taken largely from Frank J. Donner, *The
Age of Surveillance*, Alfred A. Knopf, Inc., New York, 1980
(surveillance of political dissidents, pp. 244-248; plumbers,
pp. 248-252; FBI dossiers on antiwar protesters, pp. 252-256;
NSA surveillance, pp. 276-277.) Donner's book documents many
of these events. See also *Final Report of the Senate Select
Committee to Study Governmental Operations with respect to
Intelligence Activities*, Book II, April 26, 1974, U.S.
Govemment Printing Office, Washington, D.C., p. 12.

   (18) For example, at the 4th Conference on Computers,
Freedom, and Privacy in Chicago, Illinois, held in 1994, a
government speaker asked the audience if they were more
concerned about govemment abuse and harassment or about
criminal activity that might be directed at them. An
overwhelming majority of the audience indicated greater
concern about the first possibility. For recent accounts that
give the flavor of concerns about malfeasance by law
enforcement officials, see Ronald Smothers, "Atlanta Holds Six
Policemen In Crackdown," *New York Times*, September 7, 1995,
p. 9; George James, "Police Officer Is Arrested on Burglary
Charges in Sting Operation," *New York Times*, September 7,
1995, p. B-5; Kenneth B. Noble, "Many Complain of Bias in Los
Angeles Police," *New York Times*, September 4, 1995, p. 11;
Kevin Sack, "Racism of a Rogue Officer Casts Suspicion on
Police Nationwide," *New York Times*, September 4, 1995, p. 1;
Gordon Witkin, "When the Bad Guys are Cops," *U.S. News &
World Report*, September 11, 1995, p. 20; Barry Tarlow, "Doing
the Fuhrman Shuffle," *Washington Post*, August 27, 1995, p.
C-2; David W. Dunlap, "F.B.I. Kept Watch on AIDS Group During
Protest Years," *New York Times*, May 16, 1995, p. B3.

   (19) For example, a national Harris poll in January 1994
asked "Which type of invasions of privacy worry you the most
in America today -- activities of government agencies or
businesses?" Fifty-two percent said that government agencies
were their greater worry, while 40% selected business. See
Center for Social and Legal Research, *Privacy & American
Business*, Volume 1(3), Hackensack, New Jersey, 1994, p. 7.

   (20) Protecting communications from government surveillance
is a time-honored technique for defending against tyranny. A
most poignant example is the U.S. insistence in 1945 that the
postwar Japanese constitution include protection against
government surveillance of the communications of Japanese
citizens. In the aftermath of the Japanese surrender in World
War II, the United States drafted a constitution for Japan.
The initial U.S. draft contained a provision saying that "[n]o
censorship shall be maintained, nor shall the secrecy of any
means of communication be violated." The Japanese response to
this provision was a revised provision stating that "[t]he
secrecy of letter and other means of communication is
guaranteed to all of the people, provided that necessary
measures to be taken for the maintenance of public peace and
order, shall be provided by law." General Douglas MacArthur,
who was supervising the drafting of the new Japanese
constitution, insisted that the original provision regarding
communications secrecy and most other provisions of the
original U.S. draft be maintained. The Japanese agreed, this
time requesting only minor changes in the U.S. draft, and
accepting fully the original U.S. provision on communications
secrecy. See Osamu Nishi, *Ten Days Inside General
Headquarters (GHQ): How the Original Draft of the Japanese
Constitution Was Written in 1946*, Seibundo Publishing Co.
Ltd., Tokyo, 1989.



   Government encompasses many functions that generate or
depend on information, and current efforts to reduce the scope
and size of government depend heavily on information
technology. In many areas of government, the information and
information security needs resemble those of industry (see
Appendix I). Government also has important responsibilities
beyond those of industry, including those related to public
safety. For two of the most important and least understood in
detail, law enforcement and national security, the need for
strong information security has long been recognized.

   Domestic law enforcement authorities in our society have
two fundamental responsibilities: preventing crime and
prosecuting individuals that have committed crimes. Crimes
committed and prosecuted are more visible to the public than
crimes prevented (see Chapter 3).

   The following areas relevant to law enforcement require
high levels of information security:

   +    *Prevention of information theft from businesses and
individuals*, consistent with the transformation of economic
and social activities outlined above.

   +    *Tactical law enforcement communications*. Law
enforcement officials working in the field need secure
communications. At present, police scanners available at
retail electronics stores can monitor wireless communications
channels used by police; criminals eavesdropping on such
communications can receive advance warning of police
responding to crimes that they may be committing.

   +    *Efficient use by law enforcement officials of the
large amounts of information compiled on criminal activity*.
Getting the most use from such information implies that it be
remotely accessible and not be improperly modified (assuming
its accuracy and proper context, a requirement that in itself
leads to much controversy (21) ).

   +    *Reliable authentication of law enforcement
officials*. Criminals have been known to impersonate law
enforcement officials for nefarious purposes, and the
information age presents additional opportunities.

   In the domain of national security, traditional missions
involve protection against military threats originating from
other nation-states and directed against the interests of the
United States or its friends and allies. These traditional
missions require strong protection for vital information.

   +    U.S. military forces require secure communications.
Without cryptography and other information security
technologies in the hands of friendly forces, hostile forces
can monitor the operational plans of friendly forces to gain
an advantage.(22)

   +    Force planners must organize and coordinate flows of
supplies, personnel, and equipment. Such logistical
coordination involves databases whose integrity and
confidentiality as well as remote access must be maintained.

   +    Sensitive diplomatic communications between the United
States and its representatives or allies abroad. and/or
between critical elements of the U.S. government, must be
protected as part of the successful conduct of foreign
affairs, even in peacetime.(23)

   In addition, the traditional missions of national security
have expanded in recent years to include protection against
terrorists (24) and international criminals, especially drug
cartels.(25) Furthermore, recognition has been growing that in
an information age, economic security is part of national

   More broadly, there is a practical convergence under way
among protection of individual liberties, public safety,
economic activity, and military security. For example, the
nation is beginning to realize that critical elements of the
U.S. civilian infrastructure -- including the banking system,
the air traffic control system, and the electric power grid --
must be protected against the threats described above, as must
the civilian information infrastructure that supports the
conduct of sensitive government communications. Because
civilian infrastructure provides a significant degree of
functionality on which the military and defense sector
depends, traditional national security interests are at stake
as well, and concerns have grown about the implications of
what has come to be known as information warfare (Box 1.9).
More generally, the need for more secure systems, updated
security policies, and effective procedural controls is taking
on truly nationwide dimensions.


   (21) See for example, U.S. General Accounting Office,
*National Crime Information Center: Legislation Needed to
Deter Misuse of Criminal Justice Information*,
GAO/T-GGD-93-41, 1993.

   (22) For example, the compromise of the BLACK code used by
Allied military forces in World War Il enabled German forces
in Africa in 1942, led by General Erwin Rommel, to determine
the British order of battle (quantities, types, and locations
of forces), estimate British supply and morale problems, and
know the tactical plans of the British. For example, the
compromise of one particular message enabled Rommel to thwart
a critical British counterattack. In July of that year, the
British switched to a new code, thus denying Rommel an
important source of strategic intelligence. Rommel was thus
surprised at the Battle of Alamein, widely regarded as a
turning point in the conflict in the African theater. See
David Kahn, *The Codebreakers: The Story of Secret Writing*,
MacMillan, New York, 1967, pp. 472-477.

   (23) An agreement on Palestinian self-rule was reached in
September 1995. According to public reports, the parties
involved, Yasir Arafat (leader of the Palestinian Liberation
Organization) and Shimon Peres (then Foreign Minister of
Israel), depended heavily on the telephone efforts of Dennis
Ross, a U.S. negotiator, in mediating the negotiations that
led to the agreement. Obviously, in such circumstances, the
security of these telephone efforts was critical. See Steven
Greenhouse, "Twist to Shuttle Diplomacy: U.S. Aide Mediated by
Phone," *New York Times*, September 25, 1995, p. 1.

   (24) Terrorist threats generally emanate from
nongovernmental groups, though at times involving the tacit or
implicit (but publicly denied) support of sponsoring national
governments. Furthermore, the United States is regarded by
many parties as a particularly important target for political
reasons by virtue of its prominence in world affairs. Thus,
terrorists in confrontation with a U.S. ally may wish to make
a statement by attacking the United States directly rather
than its ally.

   (25) See. for example, Phil Williams, "Transnational
Criminal Organizations and International Security,"
*Survival*, Volume 36(1), Spring 1994, pp. 96-113.


                          1.7 RECAP

   Chapter 1 underscores the need for attention to protecting
vital U.S. interests and values in an information age
characterized by a number of trends:

   +    The world economy is in the midst of a transition from
an industrial to an information age in which information
products are extensively bought and sold, information assets
provide leverage in undertaking business activities, and
communications assume evergreater significance in the lives of
ordinary citizens. At the same time, national economies are
increasingly interlinked across national borders, with the
result that international dimensions of public policy are

   +    Trends in information technology suggest an
ever-increasing panoply of technologies and technology-enabled
services characterized by high degrees of heterogeneity,
enormous computing power, and large data storage and
transmission capabilities.

   +    Given the transition to a global information society
and trends in information technology, the future of
individuals and businesses alike is likely to be one in which
information of all types plays a central role. Electronic
commerce in particular is likely to become a fundamental
underpinning of the information future.

   +    Government has special needs for information security
that arise from its role in society, including the protection
of classified information and its responsibility for ensuring
the integrity of information assets on which the entire nation

   Collectively, these trends suggest that future needs for
information security will be large. Threats to information
security will emerge from a variety of different sources, and
they will affect the confidentiality and integrity of data and
the reliable authentication of users; these threats do and
will affect businesses, government, and private individuals.

   Chapter 2 describes how cryptography may help to address
all of these problems.


        BOX 1.1 Communications and Computing Devices
                  and the Role of Software

   Communications and computing devices can be dedicated to a
single purpose or may serve multiple purposes. Dedicated
single-purpose devices are usually (though not always)
hardware devices whose functionality cannot be easily altered.
Examples include unprogrammable pocket calculators,
traditional telephones, walkie-talkies, pagers, fax machines,
and ordinary telephone answering machines.

   A multipurpose device is one whose functionality can be
altered by the end user. In some instances, a hardware device
may be "reprogrammed" to perform different functions simply by
the physical replacement of a single chip by another chip or
by the addition of a new circuit board. Open bus architectures
and standard hardware interfaces such as the PC Card are
intended to facilitate multipurpose functionality.

   Despite such interfaces and architectures for hardware,
software is the primary means for implementing multipurpose
functionality in a hardware device. With software, physical
replacement of a hardware component is unnecessary -- a new
software program is simply loaded and executed. Examples
include personal computers (which do word processing or
mathematical calculations, depending on what software the user
chooses to run), programmable calculators (which solve
different problems, depending on the programming given to
them), and even many modern telephones (which can be
programmed to execute functions such as speed dialing). In
these instances, the software is the medium in which the
expectations of the user are embedded.

   Today, the lines between hardware and software are
blurring. For example, some "hardware" devices are controlled
by programs stored in semi-permanent read-only memory.
"Read-only memory" (ROM) originally referred to memory for
storing instructions and data that could never be changed, but
this characteristic made ROM-controlled devices less flexible.
Thus, the electronics industry responded with "read-only"
memory whose contents take special effort to change (such as
exposing the memory chip to a burst of ultraviolet light or
sending only a particular signal to a particular pin on the
chip). The flexibility and cheapness of today's electronic
devices make them ubiquitous. Most homes now have dozens of
microprocessors in coffee makers, TVs, refrigerators, and
virtually anything that has a control panel.


     BOX 1.2 An Attempted Electronic Theft from Citicorp

   Electronic money transfers are among the most closely
guarded activities in banking. In 1994, an international group
of criminals penetrated Citicorp's computerized electronic
transfer system and moved about $12 million from legitimate
customer accounts to their own accounts in banks around the
world. According to Citicorp, this is the first time its
computerized cash-management system has been breached.
Corporate customers access the system directly to transfer
funds for making investments, paying bills, and extending
loans, among other purposes. The Citicorp system moves about
$500 billion worldwide each day. Authority to access the
system is verified with a cryptographic code that only the
customer knows.

   The case began in June 1994, when Vladimir Levin of St.
Petersburg, Russia, allegedly accessed Citicorp computers in
New York through the international telephone network, posing
as one of Citicorp's customers. He moved some customer funds
to a bank account in Finland, where an accomplice withdrew the
money in person. In the next few months, Levin moved various
Citicorp customers' funds to accomplices' personal or business
accounts in banks in St. Petersburg, San Francisco, Tel Aviv,
Rotterdam, and Switzerland.

   Accomplices had withdrawn a total of about $400,000 by
August 1994. By that time, bank officials and their customers
were on alert. Citicorp detected subsequent transfers quickly
enough to warn the banks into which funds were moved to freeze
the destination accounts. (Bank officials noted they could
have blocked some of these transfers, but they permitted and
covertly monitored them as part of the effort to identify the
perpetrators.) Other perpetrators were arrested in Tel Aviv
and Rotterdam; they revealed that they were working with
someone in St. Petersburg. An examination of telephone-company
records in St. Petersburg showed that Citicorp computers had
been accessed through a telephone line at AO Saturn, a
software company. A person arrested after attempting to make
a withdrawal from a frozen account in San Francisco
subsequently identified Levin, who was an AO Saturn employee.
Russia has no extradition treaty with the United States;
however, Levin traveled to Britain in March 1995 and was
arrested there. As of September 1995, proceedings to extradite
him for trial in the United States were in progress.

   Levin allegedly penetrated Citicorp computers using
customers' user identifications and passwords. In each case,
Levin electronically impersonated a legitimate customer, such
as a bank or an investment capital firm. Some investigators
suspect that an accomplice inside Citicorp provided Levin with
necessary information; otherwise, it is unclear how he could
have succeeded in accessing customer accounts. He is believed
to have penetrated Citicorp's computers 40 times in all.
Citicorp says it has upgraded its system's security to prevent
future break-ins.


SOURCES: William Carley and Timothy O'Brien, "Cyber Caper: How
Citicorp System Was Raided and Funds Moved Around World,"
*Wall Street Journal*, September 12, 1995, p. A-1; Saul
Hansell, "A $10 Million Lesson in the Risks of Electronic
Banking," *New York Times*, August 19, 1995, p. 31.


 BOX 1.3 Vulnerabilities in Information Systems and Networks

   Information systems and networks can be subject to four
generic vulnerabilities:

   1.   Eavesdropping or data browsing. By surreptitiously
obtaining the confidential data of a company or by browsing a
sensitive file stored on a computer to which one has obtained
improper access, an adversary could be in a position to
undercut a company bid, learn company trade secrets (e.g.,
knowledge developed through proprietary company research) that
would eliminate a competitive advantage of the company, or
obtain the company's client list in order to steal customers.
Moreover, stealth is not always necessary for damage to occur
-- many companies would be damaged if their sensitive data
were disclosed, even if they knew that such a disclosure had

   2.   Clandestine alteration of data. By altering a
company's data clandestinely, an adversary could destroy the
confidence of the company's customers in the company, disrupt
internal operations of the company, or subject the company to
shareholder litigation.

   3.   Spoofing. By illicitly posing as a company, an
adversary could place false orders for services, make
unauthorized commitments to customers, defraud clients, and
cause no end of public relations difficulties for the company.
Similarly, an adversary might pose as a legitimate customer,
and a company -- with an interest in being responsive to user
preferences to remain anonymous under a variety of
circumstances -- could then find itself handicapped in seeking
proper confirmation of the customer's identity.

   4.   Denial of service. By denying access to electronic
services, an adversary could shut down company operations,
especially time-critical ones. On a national scale, critical
infrastructures controlled by electronic networks (e.g., the
air traffic control system, the electrical power grid)
involving many systems linked to each other are particularly


      BOX 1.4 Electronic Commerce and the Implications
                    for Interconnectivity

   A number of reports have addressed the potential nature and
impact of electronic commerce.(1) Out of such reports, several
common elements can be distilled:

   +    The interconnection of geographically dispersed units
into a "virtual" company.

   +    The linking of customers, vendors, and suppliers
through videoconferencing, electronic data interchange, and
electronic networks.

   +    The creation of temporary or more permanent strategic
alliances for business purposes.

   +    A vastly increased availability of information and
information products on line, both free and for a fee, that is
useful to individuals and organizations.

   +    The electronic transaction of retail business,
beginning with today's toll-free catalog shopping and
extending to electronic network applications that enable
customers to:

        --  apply for bank loans;

        --  order tangible merchandise (e.g., groceries)
            for later physical delivery;

        --  order intangible merchandise (e.g. music,
            movies) for electronic delivery;

        --  obtain information and electronic documents
            (e.g., official documents such as driver's
            licenses and birth certificates).

   +    The creation of a genuinely worldwide marketplace that
matches buyers to sellers largely without intermediaries.

   +    New business opportunities for small entrepreneurs
that could sell low-value products to the large numbers of
potential customers that an electronic marketplace might

   In general, visions of electronic commerce writ large
attempt to leverage the competitive edge that information
technologies can provide for commercial enterprises.
Originally used exclusively to facilitate internal
communications, information technology is now used by
corporations to connect directly with their suppliers and
business partners.(2) In the future, corporate networks will
extend all the way to customers, enabling improvements in
customer service and more direct channels for customer
feedback. Furthermore, information technologies will
facilitate the formation of ad hoc strategic alliances among
diverse enterprises and even among competitors on a short time
scale, driven by changes in business conditions that demand
prompt action. This entire set of activities is already well
under way.

   In the delivery of services, the more effective use and
transmission of information has had dramatic effects. Today's
air transportation system would not exist without rapid and
reliable information flows regarding air traffic control,
sales, marketing, maintenance, safety, and logistics planning.
Retailers and wholesalers depend on the rapid collection and
analysis of sales data to plan purchasing and marketing
activities, to offer more differentiated services to
customers, and to reduce operational costs. The insurance
industry depends on rapid and reliable information flows to
its sales force and to customize policies and manage risks.
(See Computer Science and Telecommunications Board, National
Research Council, *Information Technology in the Service
Society,: A Twenty-First Century Lever*, National Academy
Press, Washington, D.C., 1994.)


   (1)  See for example, Cross-Industry Working Team,
*Electronic Cash, Tokens, and Payments in the National
Information Infrastructure*, Corporation for National Research
Initiatives, 1895 Preston White Drive, Suite 100, Reston,
Virginia 22091-5434 (Internet: info-xiwt@cnri.reston.va.us;
Tel: 703/620-8990), 1994; Office of Technology Assessment,
*Electronic Enterprises: Looking to the Future*, U.S.
Government Printing Office, Washington, D.C., July 1994.

   (2)  For example, in manufacturing, collaborative
information technologies can help to improve the quality of
designs and reduce the cost and time needed to revise designs;
product designers will be able to create a "virtual" product,
make extensive computer simulations of its behavior without
supplying all of its details, and "show" it to the customer
for rapid feedback. Networks will enable the entire
manufacturing enterprise to be integrated all along the supply
chain, from design shops to truck fleets that deliver the
finished products. (See Computer Science and
Telecommunications Board, National Research Council,
*Information Technology and Manufacturing: A Research Agenda*,
National Academy Press, Washington, D.C., 1995.)


       BOX 1.5 Tensions Between Security and Openness

   Businesses have long been concerned about the tension
between openness and security. An environment that is open to
everyone is not secure, while an environment that is closed to
everyone is highly secure but not useful. A number of trends
in business today tend to exacerbate this conflict. For

   +    Modern competitive strategies emphasize openness to
interactions with potential customers and suppliers. For
example, such strategies would demand that a bank present
itself as willing to do business with anyone, everywhere, and
at any time. However, such strategies also offer potential
adversaries a greater chance of success, because increasing
ease of access often facilitates the penetration of security
measures that may be taken.

   +    Many businesses today emphasize decentralized
management that pushes decision-making authority toward the
customer and away from the corporate hierarchy. Yet security
often has been (and is) approached from a centralized
perspective. (For example, access controls are necessarily
hierarchical (and thus centralized) if they are to be
maintained uniformly.)

   +    Many businesses rely increasingly on highly mobile
individuals. When key employees were tied to one physical
location, it made sense to base security on physical presence,
e.g., to have a user present a photo ID card to an operator at
the central corporate computer center. Today, mobile computing
and communications are common, with not even a physical wire
to ensure that the person claiming to be an authorized user is
accessing a computer from an authorized location or to prevent
passive eavesdropping on unencrypted transmissions with a
radio scanner.


             BOX 1.6 International Dimensions of
                 Business and Commerce Today

   U.S. firms increasingly operate in a global environment,
obtaining goods and services from companies worldwide,
participating in global virtual corporations, and working as
part of international strategic alliances. One key dimension
of increasing globalization has been the dismantling of
barriers to trade and investment. In the past 40 years,
tariffs among developed countries have been reduced by more
than two-thirds. After the Uruguay Round reductions are
phased-in, tariffs in these countries will be under 4%, with
43% of current trade free of any customs duties.

   While tariffs of developing countries are at higher levels,
they have recently begun to decline substantially. After the
Uruguay Round, tariffs in these countries will average 12.3%
by agreement and will be even lower as a result of unilateral
reductions. In response to the reductions in trade barriers,
trade has grown rapidly. From 1950 to 1993, U.S. and world
trade grew at an average compound rate of 10% annually.

   Investment has also grown rapidly in recent years,
stimulated by the removal of restrictions and by international
rules that provide assurances to investors against
discriminatory or arbitrary treatment. U.S. foreign direct
investment also has grown at almost 10% annually during the
past 20 years and now totals about half a trillion dollars.
Foreign direct investment in the United States has risen even
faster over the same period -- at almost 19% annually -- and
now also totals almost $500 billion.

   The expansion of international trade and investment has
resulted in a much more integrated and interdependent world
economy. For the United States, this has meant a much greater
dependence on the outside world. More than a quarter of the
U.S. gross domestic product is now accounted for by trade in
goods and services and returns on foreign investment. Over 11
million jobs are now directly or indirectly related to our
merchandise trade.

   Because the U.S. economy is mature, the maintenance of a
satisfactory rate of economic growth requires that the United
States compete vigorously for international markets,
especially in the faster growing regions of the world. Many
sectors of our economy are now highly dependent on export
markets. This is particularly the case for, but is not limited
to, high-technology goods, as indicated in the table below.

   A second international dimension is the enormous growth in
recent years of multinational enterprises. Such firms operate
across national boundaries, frequently in multiple countries.
According to the 1993 World Investment Report of the United
Nations, transnational corporations (TNCs) with varying
degrees of integration account for about a third of the
world's private sector productive assets.

   The number of TNCs has more than tripled in the last 20
years. At the outset of this decade, about 37,000 U.S. firms
had a controlling equity interest in some 170,000 foreign
affiliates. This does not include nonequity relationships,
such as management contracts, subcontracting, franchising or
strategic alliances. There are some 300 TNCs based in the
United States and almost 15,000 foreign affiliates, of which
some 10,000 are nonbank enterprises.

   The strategies employed by TNCs vary among firms. They may
be based on trade in goods and services alone or, more often,
involve more complex patterns of integrated production,
outsourcing, and marketing. One measure of the extent of
integration by U.S. firms is illustrated by the U.S. Census
Bureau, which reported that in 1994, 46% of U.S. imports and
32% of U.S. exports were between related firms. Of U.S.
exports to Canada and Mexico, 44% were between related
parties; for the European Union and Japan, the share was 37%.

   With respect to imports, the shares of related-party
transactions were 75.5% for Japan, 47.2% for the European
Union, 44.6% for Canada and 69.2% for Mexico. Among those
sectors with the highest levels of interparty trade are data
processing equipment, including computers, and parts and
telecommunications equipment, ranging from 50% to 90%.


                                          Exports As
   Area of Export                         a Percentage
                                          of U.S. Output

   Electronic computing and parts              52

   Semiconductors and related devices          47

   Magnetic and optical recording media
   (includes software products)                40


SOURCE: U.S. Department of Commerce, Commerce News. August 9,


                   BOX 1.7 Threat Sources

   +    *Foreign national agencies (including intelligence
services)*. Foreign intelligence operations target key U.S.
businesses. For example, two former directors of the French
intelligence service have confirmed publicly that the French
intelligence service collects economic intelligence
information, including classified government information and
information related to or associated with specific companies
of interest.(1) Foreign intelligence agencies may break into
facilities such as the foreign offices of a U.S. company or
the hotel suite of a U.S. executive and copy computer files
from within that facility (e.g., from a laptop computer in a
hotel room, a desktop computer connected to a network in an
office).(2) Having attained such access, they can also insert
malicious code that will enable future information theft.

   +    *Disgruntled or disloyal employees that work "from the
inside."* Such parties may collude with outside agents.
Threats involving insiders are particularly pernicious because
they are trusted with critical infommation that is not
available to outsiders. Such information is generally
necessary to understand the meaning of various data flows that
may have been intercepted, even when those data flows are
received in the clear.

   +    *Network hackers and electronic vandals* that are
having fun or making political statements through the
destruction of intellectual property without the intent of
theft. Information terrorists may threaten to bring down an
information network unless certain demands are met;
extortionists may threaten to bring down an information
network unless a ransom is paid. Disgruntled customers seeking
revenge on a company also fall into this category.

   +    *Thieves* attempting to steal money or resources from
businesses. Such individuals may be working for themselves or
acting as part of a larger conspiracy (e.g., in association
with organized crime). The spreading of electronic commerce
will increase the opportunities for new and different types of
fraud, as illustrated by the large increase in fraud seen as
the result of increased electronic filing to the Internal
Revenue Service. Even worse, customers traditionally regarded
as the first line of defense against fraud (because they check
their statements and alert the merchants or banks involved to
problems) may become adversaries as they seek to deny a
signature on a check or alter the amount of a transaction.

   It is difficult to know the prevalence of such threats,
because many companies do not discuss for the record specific
incidents of information theft. In some cases, they fear
stockholder ire and losses in customer confidence over
security breaches; in others, they are afraid of inspiring
"copy-cat" attacks or revealing security weaknesses. In still
other cases, they simply do not know that they have been the
victim of such theft. Finally, only a patchwork of state laws
applies to the theft of trade secrets and the like (and not
all states have such laws). There is no federal statute that
protects trade secrets or that address commercial information
theft, and federal authorities probing the theft of commercial
information must rely on proving violations of other statutes,
such as the wire and mail fraud laws, interstate transport of
stolen property, conspiracy, or computer fraud and abuse laws;
as a result, documentation of what would be a federal offense
if such a law were present is necessarily spotty. For all of
these reasons, what is known on the public record about
economic losses from information theft almost certainly
understates the true extent of the problem.


   (1)  Two former directors of the DGSE (the French
intelligence service), have publicly stated that one of the
DGSE's top priorities was to collect economic intelligence.
During a September 1991 NBC news program, Pierre Marion,
former DGSE Director, revealed that he had initiated an
espionage program against US businesses for the purpose of
keeping France internationally competitive. Marion justified
these actions on the grounds that the United States and
France, although political and military allies, are economic
and technological competitors. During an interview in March
1993, then DGSE Director Charles Silberzahn stated that
political espionage was no longer a real priority for France
but that France was interested in economic intelligence, "a
field which is crucial to the world's evolution." Silberzahn
advised that the French had some success in economic
intelligence but stated that much work is still needed because
of the growing global economy. Silberzahn advised during a
subsequent interview that theft of classified information, as
well as information about large corporations, was a long-term
French Government policy. These statements were seemingly
corroborated by a DGSE targeting document prepared in late
1989 and leaked anonymously to the US Government and the press
in May 1993. It alleged that French intelligence had targeted
numerous US Government agencies and corporations to collect
economic and industrial information. Industry leaders such as
Boeing, General Dynamics, Hughes Aircraft, Lockheed, McDonnell
Douglas, and Martin Marietta all were on the list. Heading the
US Government listing was the Office of the US Trade

   This unclassified paragraph can be found in the secret
version of the report, National Counterintelligence Center,
*Annual Report to Congress on Foreign Economic Collection and
Industrial Espionage*, Washington, D.C., July 1995.

   (2)  According to a report from the National Communications
System, countries that currently have significant intelligence
operations against the United States for national security
and/or economic purposes include Russia, the People's Republic
of China, Cuba, France, Taiwan, South Korea, India, Pakistan,
Israel, Syria, Iran, Iraq, and Libya. "All of the intelligence
organizations listed [above] have the capability to target
telecommunications and information systems for information or
clandestine attacks. The potential for exploitation of such
systems may be significantly larger." See National
Communications System (NCS), *The Electronic Intrusion Threat
to National Security and Emergency Preparedness
Telecommunications. An Awareness Document*,  2nd ed., NCS,
Alexandria, Va., December 5, 1994, pp. 2-20.


        BOX 1.8 Vulnerability of the Public Switched
                 Telecommunications Network

   The nation's single most critical national-level component
of information infrastructure vulnerable to compromise is the
public switched telecommunications network (PSTN). The PSTN
provides information transport services for geographically
dispersed and national assets such as the banking system and
financial markets,(1) and the air traffic control system.(2)
Even the traditional military (3) is highly dependent on the
PSTN. Parties connected to the PSTN are therefore vulnerable
to failure of the PSTN itself and to attacks transmitted over
the PSTN.

   The fundamental characteristic of the PSTN from the
standpoint of information vulnerability is that it is a highly
interconnected network of heterogeneously controlled and
operated computer-based switching stations. Network
connectivity implies that an attacker -- which might range
from a foreign government to a teen-aged hacker -- can in
principle connect to any network site (including sites of
critical importance for the entire network) from any other
network site (which may be geographically remote and even
outside the United States).(4) The sites of critical
importance for the PSTN are the switching nodes that channel
the vast majority of telecommunications traffic in the United
States. Access to these critical nodes, and to other switching
facilities, is supposed to be limited to authorized personnel,
but in practice these nodes are often vulnerable to
penetration. Once in place on a critical node, hostile and
unauthorized users are in a position to disrupt the entire

   The systemic vulnerabilities of the PSTN are the result of
many factors. One is the increasing accessibility of network
software to third parties other than the common carriers,
resulting from the Federal Communications Commission
requirement that the PSTN support open, equal access for
third-party providers of enhanced services as well as for the
common carriers; such accessibility offers intruders many
opportunities to capture user information, monitor traffic,
and remotely manipulate the network. A second reason is that
service providers are allowing customers more direct access to
network elements, in order to offer customer-definable
services such as call forwarding. A third reason is that
advanced services made possible by Signaling System 7 are
dependent on a common, out-of-band signaling system for
control of calls through a separate packet-switched data
network that adds to network vulnerability.(5) Finally,
space-based PSTN components (i.e., satellites) have few
control centers, are susceptible to electronic attack, and
generally do not encrypt their command channels, making the
systems vulnerable to hackers copying their commands and
disrupting service.(6) These conditions imply that the PSTN is
a system that would benefit from better protection of system
integrity and availability.

   Threats to the PSTN affect all national institutions whose
ability to function fully and properly depends on being able
to communicate, be it through telephony, data transmission,
video, or all of these. Indeed, many data networks operated
"privately" by large national corporations or national
institutions such as those described above are private only in
the sense that access is supposed to be limited to corporate
purposes; in fact, national institutions or corporations
generally use all forms of communications, including those
physically carried by the PSTN.(7) However, the physical and
computational infrastructure of these networks is in general
owned by the telecommunications service provider, and this
infrastructure is part of the larger PSTN infrastructure.
Thus, like the Internet, the "private" data network of a
national corporation, is in general not physically independent
of the PSTN. Similarly, it is dependence on the PSTN that has
led to failures in the air traffic control system and
important financial markets:

   +    In January 1991, the accidental severing of an AT&T
fiber-optic cable in Newark, New Jersey, led to the disruption
of FAA air traffic control communications in the
Boston-Washington corridor and the shutdown of the New York
Mercantile Exchange and several commodities exchanges. In May
1991, the severing of a fiber-optic cable led to the shutdown
of four of the Federal Aviation Administration's 20 major air
traffic control centers with "massive operational impact."(8)

   +    The 1991 failure of a PSTN component in New York
caused the loss of connectivity between a major securities
house and the Securities Industry Automation Corporation,
resulting in an inability to settle the day's trades over the

   Examples of small-scale activities by the computer
"underground" against the PSTN demonstrate capabilities that,
if coupled to an intent to wage serious information warfare
against the United States, pose a serious threat to the U.S.
information infrastructure:

   +    In 1990, several members of the Legion of Doom's
   Atlanta branch were charged with penetrating and disrupting
   telecommunications network elements. They were accused of
   planting "time bomb" programs in network elements in
   Denver, Atlanta, and New Jersey; these were designed to
   shut down major switching hubs, but were defused by
   telephone carriers before causing damage.(10)

   +    Members of a group known as MOD (various spell-outs)
   were indicted July 8, 1992, on 11 accounts. It is
   significant that they appear to have worked in a team.
   Among their alleged activities were developing and
   unleashing "programmed attacks" (see below) on telephone
   company computers and accessing telephone company computers
   to create new circuits and add services with no billing

   +    Reported (but not well documented) is a growing
   incidence of "programmed attacks."(12) These have been
   detected in several networks and rely on customized
   software targeting specific types of computers or network
   elements. They are rarely destructive, but rather seek to
   add or modify services. "The capability illustrated by this
   category of attacks has not fully matured. However, if a
   coordinated attack using these types of tools were directed
   at the PSTN with a goal of disrupting national
   security/emergency preparedness (NS/EP) telecommunications,
   the result could be significant."(13) (The same point
   probably applies to the goal of disrupting other kinds of
   telecommunications beyond those used for NS/EP.)

   A number of reports and studies (14) have called attention
to the vulnerability of components of the national
telecommunications infrastructure.


   (1)  These private networks for banking include Fedwire
(operated by the Federal Reserve banks), the Clearinghouse for
Interbank Payment Systems (CHIPS; operated by New York
Clearinghouse, an association of money center banks), the
Society for Worldwide Interbank Financial Telecommunication
(SWIFT; an intemational messaging system that carries
instructions for wire transfers between pairs of correspondent
banks), and the Automated Clearing House (ACH) systems for
domestic transfers, typically used for routine smaller
purchases and payments. In the 1980s, several U.S. banks
aggressively developed global networks with packet switches,
routers, and so on, to interconnect their local and wide area
networks; or, they used third-party service providers to
interconnect. In the 1990s, there are signs that U.S.
international banks are moving to greater use of carrier-
provided or hybrid networks because of the availability of
virtual private networks from carriers. Carrier-provided
networks are more efficient than networks built on top of
dedicated leased lines, because they can allocate demand
dynamically among multiple customers.

   (2)  The air traffic control system uses leased lines to
connect regional air traffic control centers.

   (3)  Over 95 percent of U.S. military and intelligence
community voice and data communications are carried over
facilities owned by public carriers. (See Joint Security
Commission, *Redefining Security: A Report to the Secretary of
Defense and the Director of Central Intelligence*, February
28, 1994, Chapter 8.) Of course, the 95% figure includes some
non-critical military communications; however, only 30 percent
of the telecommunications networks that would be used during
wartime operate in the classified environment (and are
presumably more secure), while the other 70 percent are based
on the use of unclassified facilities of public carriers. See
Richard Powers, *Information Warfare: A CSI Special Report*,
Computer Security Institute, Washington, D.C., Fall 1995.

   (4)  Clifford Stoll, *The Cuckoo's Egg*, Pocket Books, New
York, 1989.

   (5)  National Research Council, *Growing Vulnerability of
the Public Switched Networks: Implications for National
Security and Emergency Preparedness*, National Academy Press,
Washington, D.C., 1989), page 36; Reliability and
Vulnerability Working Group, Telecommunications Policy
Committee, Information Infrastructure Task Force, *Reliability
and Vulnerability of the NII: Capability Assessments*, from
the National Communications Svstem home page on WWW,

   (6)  Reliability and Vulnerability Working Group,
Telecommunications Policy Committee, Information
Infrastructure Task Force, *Reliability and Vulnerability of
the NII: Capability Assessments*, from the National
Communications System home paoe on WWW,

   (7)  Both shared circuits and private networks are expected
to grow dramatically in the next several years. See for
example, Michael Csenger, "Private lines dead? Don't buy those
flowers just yet," *Network World*, May 1, 1995, p. 1.

   (8)  *Software Engineering Notes*, Volume 17, January 1992,
as cited in Peter J. Neumann, *Computer Related Risks*,
Addison-Wesley, New York, 1995, p. 17.

   (9)  See Office of Technology Assessment, U.S. Congress,
*U.S. Banks and International Telecommunications -- Background
Paper*, OTA-BP-TCT-100, U.S. Government Printing Office,
Washington, D.C., September 1992, pp. 32-,3.

   (10) National Communications System (NCS), *The Electronic
Intrusion Threat to National Security and Emergency
Preparedness Telecommunications: An Awareness Document*, 2nd
ed., NCS, Alexandria, Va., December 5, 1994, p. 2-5.

   (11) NCS, *The Electronic Intrusion Threat to National
Security and Emergency Preparedness Telecommunications*, 1994,
pp. 2-8 to 2-9.

   (12) NCS, *The Electronic Intrusion Threat to National
Security and Emergency Preparedness Telecommunications*, 1994,
p. 2-6.

   (13) NCS, *The Electronic Intrusion Threat to National
Security and Emergency Preparedness Telecommunications*, 1994,
p. 2-6.

   (14) Joint Security Commission, *Redefining Security: A
Report to the Secretary of Defense and the Director of Central
Intelligence*, Washington, D.C., February 28, 1994; National
Research Council, *Growing Vulnerability of the Public
Switched Networks: Implications for National Security and
Emergency Preparedness*, National Academy Press, Washington,
D.C., 1989; NCS, *The Electronic Intrusion Threat to National
Security and Emergency Preparedness Telecommunications*, 1994;
Reliability and Vulnerability Working Group,
Telecommunications Policy Committee, Information
Infrastructure Task Force, *Reliability and Vulnerability of
the NII: Capability Assessments*, from the National
Communications System home page on WWW,


                 BOX 1.9 Information Warfare

             "Information warfare" is a term used in many different
ways. Of most utility for this report is the definition of
information warfare (IW) as hostile action that targets the
information systems and information infrastructure of an
opponent (i.e., offensive actions that attack an opponent's
communications, weapon systems, command and control systems,
intelligence systems, information components of the civil and
societal infrastructure such as the power grid and banking
system) coupled with simultaneous actions seeking to protect
U.S. and allied systems and infrastructure from such attacks.
Other looser uses of the term information warfare" include the

   +    The use of information and tactical intelligence to
apply weapon systems more effectively. IW may be used in
connection with information-based suppression of enemy air
defenses or "smart" weapons using sensor data to minimize the
volume of ordnance needed to destroy a target.

   +    The targeting of companies' information systems for IW
attacks. As industrial espionage spreads and/or international
competitiveness drives multinational corporations into
military-like escapades, the underlying notion of
information-based probing of and attack on a competitor's
information secrets could take on a flavor of intergovernment
military or intelligence activities.

   +    The fight against terrorism, organized crime, and even
street crime, which might be characterized as IW to the extent
that information about these subjects is used to prosecute the
battle. This usage is not widespread, although it may develop
in the future.

   Usage of the term has shifted somewhat as federal agencies,
notably the Department of Defense, struggle to fully
appreciate this new domain of warfare (or low-intensity
conflict) and to create relevant policy and doctrine for it.
Conversely, there is some discussion of the vulnerabilities of
the U.S. civil information infrastructure to such offense. The
ranoe of activities that can take place in information warfare
is broad:

   +    Physical destruction of information-handling
facilities to destroy or degrade functionality;

   +    Denial of use of an opponent's important information

   +    Degradation of effectiveness (e.g., accuracy, speed of
response) of an opponent's information systems;

   +    Insertion of spurious, incorrect, or otherwise
misleading data into an opponent's information systems (e.g.,
to destroy or modify data, or to subvert software processes
via improper data inputs);

   +    Withdrawal of significant tactical or strategic data
from an opponent's information systems;

   +    Insertion of malicious software into an opponent's
system to affect its intended behavior in various ways, and
perhaps, to do so at a time controlled by the aggressor; and

   +    Subversion of an opponent's software and/or hardware
installation to make it an in-place selfreporting mole for
intelligence purposes.

   As an operational activity, information warfare is clearly
related closely to, but yet distinct from, intelligence
functions that are largely analytical. IW is also related to
information security, since its techniques are pertinent both
to prosecutisn of offensive IW and to protection for defensive


[End Chapter 1]

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


              Roles, Market, and Infrastructure

   Cryptography is a technology that can play important roles
in addressing certain types of information vulnerability,
although it is not sufficient to deal with all threats to
information security. As a technology, cryptography is
embedded into products that are purchased by a large number of
users; thus, it is important to examine various aspects of the
market for cryptography. Chapter 2 describes cryptography as
a technology used in products, as a product within a larger
market context, and with reference to the infrastructure
needed to support its large-scale use.

                 2.1 CRYPTOGRAPHY IN CONTEXT

   Computer-system security, and its extension network
security, are intended to achieve many purposes. Among them
are safeguarding physical assets from damage or destruction
and ensuring that resources such as computer time, network
connections, and access to databases are available only to
individuals -- or to other systems or even software processes
-- authorized to have them.(1) Overall information security is
dependent on many factors, including various technical
safeguards, trustworthy and capable personnel, high degrees of
physical security, competent administrative oversight, and
good operational procedures. Of the available technical
safeguards, cryptography has been one of the least utilized to

   In general, the many security safeguards in a system or
network not only fulfill their principal task but also act
collectively to mutually protect one another. In particular,
the protection or operational functionality that can be
afforded by the various cryptographic safeguards treated in
this report will inevitably require that the hardware or
software in question be embedded in a secure environment. To
do otherwise is to risk that the cryptography might be
circumvented, subverted, or misused -- hence leading to a
weakening or collapse of its intended protection.

   As individual starld-alone computer systems have been
incorporated into ever larger networks (e.g., local-area
networks, wide-area networks, the Internet), the requirements
for cryptographic safeguards have also increased. For example,
users of the earliest computer systems were almost always
clustered in one place and could be personally recognized as
authorized individuals, and communications associated with a
computer system usually were contained within a single
building. Today, users of computer systems can be connected
with one another worldwide, through the public switched
telecommunications network, a local area network, satellites,
microwave towers, and radio transmitters. Operationally, an
individual or a software process in one place can request
service from a system or a software process in a far distant
place. Connectivity among systems is impromptu and occurs on
demand; the Internet has demonstrated how to achieve it. Thus,
it is now imperative for users and systems to identify
themselves to one another with a high degree of certainty and
for distant systems to know with certainty what privileges for
accessing databases or software processes a remote request
brings. Protection that could once be obtained by geographic
propinquity and personal recognition of users must now be
provided electronically and with extremely high levels of


   (1)  The terms "information security" or shortened versions
such as INFOSEC, COMPSEC, and NETSEC are also in use.

   (2)  Other safeguards, in particular software safeguards,
are addressed in various standard texts and reports. See, for
example, National Institute of Standards and Technology, *An
Introduction to Computer Security*, NIST Special Publication
800-12, Department of Commerce, October 1995; *Trusted
Computer System Evaluation Criteria*, Department of Defense,
August 15, 1983; Computer Science and Telecommunications Board
(CSTB), National Research Council, *Computers at Risk: Safe
Computing in the Information Age*, National Academy Press,
Washington, D.C., 1991.



   The word "cryptography" is derived from Greek words that
mean secret writing. Historically, cryptography has been used
to hide information from access by unauthorized parties,
especially during communications when it would be most
vulnerable to interception. By preserving the secrecy, or
confidentiality, of information, cryptography has played a
very important role over the centuries in military and
national affairs.(3)

   In the traditional application of cryptography for
confidentiality, an originator (the first party) creates a
message intended for a recipient (the second party), protects
(encrypts) it by a cryptographic process, and transmits it as
ciphertext. The receiving party decrypls the received
ciphertext message to reveal its true content, the plaintext.
Anyone else (the third party) who wishes undetected and
unauthorized access to the message must penetrate (by
cryptanalysis) the protection afforded by the cryptographic

   In the classical use of cryptography to protect
communications, it is necessary that both the originator and
recipient(s) have common knowledge of the cryptographic
process (the algorithm or cryptographic algorithm) and that
both share a secret common element -- typically, the key or
cryptographic key, which is a piece of information, not a
material object. In the encryption process, the algorithm
transforms the plaintext into the ciphertext, using a
particular key, the use of a different key results in a
different ciphertext. In the decryption process, the algorithm
transforms the ciphertext into the plaintext, using the key
that was used to encrypt (4) the original plaintext. Such a
scheme, in which both communicating parties must have a common
key, is now called *symmetric cryptography* or *secret-key
cryptography*; it is the kind that has been used for centuries
and written about widely.(5) It has the property, usually an
operational disadvantage, of requiring a safe method of
distributing keys to relevant parties (*key distribution* or
*key management*).

   It can be awkward to arrange for symmetric and secret keys
to be available to all parties with whom one might wish to
communicate, especially when the list of parties is large.
However, a scheme called *asymmetric cryptography* (or,
equivalently, *public-key cryptography*), developed in the
mid-1970s, helps to mitigate many of these difficulties
through the use of different keys for encryption and
decryption.(6) Each participant actually has two keys. The
public key is published, is freely available to anyone, and is
used for encryption; the private key is held in secrecy by the
user and is used for decryption.(7) Because the two keys are
inverses, knowledge of the public key enables the derivation
of the private key in theory. However, in a well-designed
public-key system, it is computationally infeasible in any
reasonable length of time to derive the private key from
knowledge of the public key.

   A significant operational difference between symmetric and
asymmetric cryptography is that with asymmetric cryptography
anyone who knows a given person's public key can send a secure
message to that person. With symmetric cryptography, only a
selected set of people (those who know the private key) can
communicate. While it is not mathematically provable, all
known asymmetric cryptographic systems are slower than their
symmetric cryptographic counterparts, and the more public
nature of asymmetric systems lends credence to the belief that
this will always be true. Generally, symmetric cryptography is
used when a large amount of data needs to be encrypted or when
the encryption must be done within a given time period;
asymmetric cryptography is used for short messages, for
example, to protect key distribution for a symmetric
cryptographic system.

   Regardless of the particular approach taken, the
applications of cryptography have gone beyond its historical
roots as secret writing; today, cryptography serves as a
powerful tool in support of system security. Cryptography can
provide many useful capabilities:

   +    *Confidentiality* -- the characteristic that
information is protected from being viewed in transit during
communications and/or when stored in an information system.
With cryptographically provided confidentiality, encrypted
information can fall into the hands of someone not authorized
to view it without being compromised. It is almost entirely
the confidentiality aspect of cryptography that has posed
public policy dilemmas.

   The other capabilities, described below, can be considered
collectively as nonconfidentiality or collateral uses of

   +    *Authentication* -- cryptographically based assurance
that an asserted identity is valid for a given person (or
computer system). With such assurance, it is difficult for an
unauthorized party to impersonate an authorized one.

   +    *Integrity check* -- cryptographically based assurance
that a message or computer file has not been tampered with or
altered.(8) With such assurance, it is difficult for an
unauthorized party to alter data.

   +    *Digital signature* -- cryptographically based
assurance that a message or file was sent or created by a
given person. A digital signature cryptographically binds the
identity of a person with the contents of the message or file,
thus providing nonrepudiation -- the inability to deny the
authenticity of the message or file. The capability for
nonrepudiation results from encrypting the digest (or the
message or file itself) with the private key of the signer.
Anyone can verify the signature of the message or file by
decrypting the signature using the public key of the sender.
Since only the sender should know his or her own private key,
assurance is provided that the signature is valid and the
sender cannot later repudiate the message. If a person
divulges his or her private key to any other party, that party
can impersonate the person in all electronic transactions.

   +    *Digital date/time stamp* -- cryptographically based
assurance that a message or file was sent or created at a
given date and time. Generally, such assurance is provided by
an authoritative organization that appends a date/time stamp
and digitally signs the message or file.

   These cryptographic capabilities can be used in
complementary ways. For example, authentication is basic to
controlling access to system or network resources. For
example, a person may use a password to authenticate his own
identity; only when the proper password has been entered will
the system allow the user to "log on" and obtain access to
files, email, and so on.(9) But passwords have many
limitations as an access control measure (e.g., people tell
others their passwords or a password is learned via
eavesdropping), and cryptographic authentication techniques
can provide much better and more effective mechanisms for
limiting system or resource access to authorized parties.

   Access controls can be applied at many different points
within a system. For example, the use of a dial-in port on an
information system or network can require the use of
cryptographic access controls to ensure that only the proper
parties can use the system or network at all. Many systems and
networks accord privileges or access to resources depending on
the specific identity of a user; thus, a hospital information
system may grant physicians access that allows entering orders
for patient treatment, whereas laboratory technicians may not
have such access. Authentication mechanisms can also be used
to generate an audit trail identifying those who have accessed
particular data, thus facilitating a search for those known to
have compromised confidential data.

   In the event that access controls are successfully
bypassed, the use of encryption on data stored and
communicated in a system provides an extra layer of
protection. Specifically, if an intruder is denied easy access
to stored files and communications, he may well find it much
more difficult to understand the internal workings of the
system and thus be less capable of causing damage or reading
the contents of encrypted inactive data files that may hold
sensitive information. Of course, when an application opens a
data file for processing, that data is necessarily unencrypted
and is vulnerable to an intruder that might be present at that

   Authentication and access control can also help to protect
the privacy of data stored on a system or network. For
example, a particular database application storing data files
in a specific format could allow its users to view those
files. If the access control mechanisms are set up in such a
way that only certain parties can access that particular
database application, access to the database files in question
can be limited, and thus the privacy of data stored in those
databases protected. On the other hand, an unauthorized user
may be able to obtain access to those files through a
different, uncontrolled application, or even through the
operating system itself. Thus, encryption of those files is
necessary to protect them against such "back-door" access.(10)

   The various cryptographic capabilities described above may
be used within a system in order to accomplish a set of tasks.
For example, a banking system may require confidentiality and
integrity assurances on its communications links,
authentication assurances for all major processing functions,
and integrity and authentication assurances for high-value
transactions. On the other hand, merchants may need only
digital signatures and date/time stamps when dealing with
external customers or cooperating banks when establishing
contracts. Furthermore, depending on the type of capability to
be provided, the underlying cryptographic algorithms may or
may not be different.

   Finally, when considering what cryptography can do, it is
worth making two practical observations. First, the initial
deployment of any technology often brings out unanticipated
problems, simply because the products and artifacts embodying
that technology have not had the benefit of successive cycles
of failure and repair. Similarly, human procedures and
practices have not been tested against the demands of
real-life experience. Cryptography is unlikely to be any
different, and so it is probable that early large-scale
deployments of cryptography will exhibit exploitable

   The second point is that against a determined opponent that
is highly motivated to gain unauthorized access to data, the
use of cryptography may well simply lead that opponent to
exploit some other vulnerability in the system or network on
which the relevant data is communicated or stored, and such an
exploitation may well be successful. But the use of
cryptography can help to raise the cost of gaining improper
access to data and may prevent a resource-poor opponent from
being successful at all.

   More discussion of cryptography can be found in Appendix C.


   (3)  The classic work on the history of cryptography is
David Kahn, *The Codebreakers*, MacMillan, New York, 1967.

   (4)  This report uses the term "encrypt" to describe the
act of using an encryption algorithm with a given key to
transform one block of data, usually plaintext, into another
block, usually ciphertext.

   (5)  Historical perspective is provided in David Kahn,
*Kahn on Codes*, MacMillan, New York, 1983; F.W. Winterbotham,
*The Ultra Secret*, Harper & Row, New York, 1974; and Ronald
Lewin, *Ultra Goes to War*, Hutchinson & Co., London, 1978. A
classic reference on the fundamentals of cryptography is
Dorothy Denning, *Cryptography and Data Security*,
Addison-Wesley, Reading, Mass., 1982.

   (6)  Gustavus J. Simmons (ed.), *Contemporary Cryptology.
The Science of Information Integrity*, IEEE Press, Piscataway,
New Jersey, 1992; Whitfield Diffie, "The First Ten Years of
Public-Key Cryptography," *Proceedings of the IEEE*, Vol. 76,
1988, pp. 560-577.

   (7)  The seminal paper on public-key cryptography is
Whitfield Diffie and Martin Hellman, "New Directions in
Cryptography," *IEEE Transactions on Information Theory*,
Volume IT-22, 1976, pp. 644-654.

   (8)  Digital signatures and integrity checks use a
condensed form of a message or file -- called a digest --
which is created by passing the message or file through a
one-way hash function. The digest is of fixed length and is
independent of the size of the message or file. The hash
function is designed to make it highly unlikely that different
messages (or files) will yield the same digest, and to make it
computationally very difficult to modify a message (or file)
but retain the same digest.

   (9)  An example more familiar to many is that the entry of
an appropriate personal identification number into an
automatic teller machine (ATM) gives the ATM user access to
account balances or cash.

   (10) The measure-countermeasure game can continue
indefinitely. In response to file encryption, an intruder can
insert into an operating system a Trojan horse program that
waits for an authorized user to access the encrypted database.
Since the user is authorized, the database will allow the
decryption of the relevant file and the intruder can simply
"piggy-back" on that decryption. Thus, those responsible for
system security must provide a way to check for Trojan horses,
and so the battle goes round.

   (11) For a discussion of this point, see Ross Anderson,
"Why Cryptosystems Fail," *Communications of the ACM*, Volume
37(11), November, 1994, pp. 32-40.



   In the context of confidentiality, the essence of
information security is a battle between information
protectors and information interceptors. Protectors -- who may
be motivated by "good" reasons (if they are legitimate
businesses) or "bad" reasons (if they are criminals) -- wish
to restrict access to information to a group that they select.
Interceptors -- who may also be motivated by "bad" reasons (if
they are unethical business competitors) or "good" reasons (if
they are law enforcement agents investigating serious crimes)
-- wish to obtain access to the information being protected
whether or not they have the permission of the information
protectors. It is this dilemma that is at the heart of the
public policy controversy and is addressed in greater detail
in Chapter 3.

   From the perspective of the information interceptor,
encryption is only one of the problems to be faced. In
general, the complexity of today's information systems poses
many technical barriers (Section 2.3.1). On the other hand,
the information interceptor may be able to exploit product
features or specialized techniques to gain access (Section

             2.3.1 Technical Factors Inhibiting
                 Access to Information (12)

   Compared to the task of tapping an analog telephone line,
obtaining access to the content of a digital information
stream can be quite difficult. With analog "listening"
(traditional telephony or radio interception), the technical
challenge is obtaining access to the communications channel.
When communications are digitized, gaining access to the
charmel is only the first step: one must then unravel the
digital format, a task that can be computationally very
complex. Furthermore, the complexity of the digital format
tends to increases over time, because more advanced
information technology generally implies increased
functionality and a need for more efficient use of available
communications capacity.

   Increased complexity is reflected in particular in the
interpretation of the digital stream that two systems might
use to communicate with each other or the format of a file
that a system might use to store data. Consider, for example,
one particular sequence of actions used to cormnunicate
information. The original application in the sending system
might have started with a plaintext message, and then
compressed it (to make it smaller); encrypted it (to conceal
its meaning); and appended error-control bits to the
compressed, encrypted message (to prevent errors from creeping
in during transmission).(13) Thus, a party attempting to
intercept a communication between the sender and the receiver
could be faced with a data stream that would represent the
combined output of many different operations that transform
the data stream in some way. The interceptor would have to
know the error-control scheme and the decompression algorithms
as well as the key and the algorithm used to encrypt the

   When an interceptor moves onto the lines that carry bulk
traffic, isolating the bits associated with a particular
communication of interest is itself quite difficult.(14) A
high-bandwidth line (e.g., a long-haul fiber-optic cable)
typically carries hundreds or thousands of different
communications; any given message may be broken into distinct
packets and intermingled with other packets from other
contemporaneously operating applications.(15) The traffic on
the line may be encrypted "in bulk" by the line provider, thus
providing an additional layer of protection against the
interceptor. Moreover, since a message traveling from point A
to point B may well be broken into packets that traverse
different physical paths en route, an interceptor at any given
point in between A and B may not even see all of the packets
pass by.

   Another factor inhibiting access to information is the use
of technologies that facilitate anonymous communications. For
the most part, intercepted communications are worthless if the
identity of the communicating parties is not known. In
telephony, call forwarding and pager callbacks from pay
telephones have sometimes frustrated the efforts of law
enforcement officials conducting wiretaps. In data
communications, so-called anonymous remailers can strip out
all identifying information from an Internet e-mail message
sent from person A to person B in such a way that person B
does not know the identity of person A. Some remailers even
support return communications from person B to person A
without the need for person B to know the identity of person

   Access is made more difficult because an information
protector can switch communications from one medium to another
very easily without changing end-user equipment. Some forms of
media may be easily accessed by an interceptor (e.g.
conventional radio), whereas other forms may be much more
challenging (e.g. fiber-optic cable, spread-spectrum radio).
The proliferation of different media that can interoperate
smoothly even at the device level will continue to complicate
the interceptor's attempts to gain access to communications.

   Finally, obtaining access also becomes more difficult as
the number of service providers increases (Box 2.1). In the
days when AT&T held a monopoly on voice communications and
criminal communications could generally be assumed to be
carried on AT&T-operated lines, law enforcement and national
security authorities needed only one point of contact with
whom to work. As the telecommunications industry becomes
increasingly heterogenous, law enforcement authorities may
well be uncertain about what company to approach about
implementing a wiretap request.


   (12) This section addresses technical factors that inhibit
access to information. But technical measures are only one
class of techniques that can be used to improve information
security. For example, statutory measures can help contribute
to information security. Laws that impose criminal penalties
for unauthorized access to computer systems have been used to
prosecute intruders. Such laws are intended to deter attacks
on information systems, and to the extent that individuals do
not exhibit such behavior, system security is enhanced.

   (13) Error control is a technique used both to detect
errors in transmission and sometimes to correct them as well.

   (14) This point is made independently in a report that came
to the attention of the committee as this report was going to
press. A staff study of the Permanent Select Committee on
Intelligence, House of Representatives concluded that "the
ability to filter through the huge volumes of data and to
extract the information from the layers of formatting,
multiplexing, compression, and transmission protocols applied
to each message is the biggest challenge of the future,
[while] increasing amounts and sophisitication of encryption
add another layer of complexity." *IC21 Intelligence Community
in the 21st Century*, p. 121.

   (15) Paul Haskell and David G. Messerschmitt, "In Favor of
an Enhanced Network Interface for Multimedia Services,"
submitted to *IEEE Multimedia Magazine*.


      2.3.2 Factors Facilitating Access to Information

System or Product Design

   Unauthorized access to protected information can
inadvertently be facilitated by product or system features
that are intended to provide legitimate access but instead
create unintentional loopholes or weaknesses that can be
exploited by an interceptor. Such points of access that may be
deliberately incorporated into product or system designs
include the following:

   +    *Maintenance and monitoring ports*.(16) For example,
many telephone switches and computer systems have dial-in
ports that are intended to facilitate monitoring and remote
maintenance and repair by off-site technicians.

   +    *Master keys*. A product can have a single master key
that allows its possessor to decrypt all ciphertext produced
by the product.

   +    *Mechanisms for key escrow or key backup*. A third
party, for example, may store an extra copy of a private key
or a master key. Under appropriate circumstances, the third
party releases the key to the appropriate individual(s), who
is (are) then able to decrypt the ciphertext in question. This
subject is discussed at length in Chapter 5.

   +    *Weak encryption defaults*. A product capable of
providing very strong encryption may be designed in such a way
that users invoke those capabilities only infrequently. For
example, encryption on a secure telephone may be designed so
that the use of encryption depends on the user pressing a
button at the start of a telephone call. The requirement to
press a button to invoke encryption is an example of a weak
default, because the telephone could be designed so that
encryption is invoked automatically when a call is initiated;
when weak defaults are designed into systems, many users will
forget to press the button.

   Despite the good reasons for designing systems and products
with these various points of access (e.g., facilitating remote
access through maintenance ports to eliminate travel costs of
system engineers), any such point of access can be exploited
by unauthorized individuals as well.

Methods Facilitating Access to Information

   Surreptitious access to communications can also be gained
by methods such as the following:

   +    *Interception in the ether*. Many point-to-point
communications make use of a wireless (usually radio) link at
some point in the process. Since it is impossible to ensure
that a radio broadcast reaches only its intended receiver(s),
communications carried over wireless links -- such as those
involving cellular telephones and personal pagers -- are
vulnerable to interception by unauthorized parties.

   +    *Use of pen registers*. Telephone communications
involve both the content of a call and call-setup information
such as numbers called, originating number, time and length of
call and so on. Setup information is often easily accessible,
some of it even to end users.

   +    *Wiretapping*. To obtain the contents of a call
carried exclusively by nonwireless means, the information
carried on a circuit (actually, a replica of the information)
is sent to a monitoring station. A call can be wiretapped when
an eavesdropper picks up an extension on the same line, hooks
up a pair of alligator clips to the right set of terminals, or
obtains the cooperation of telephone company officials in
monitoring a given call at a chosen location.

   +    *Exploitation of related data*. A great deal of useful
information can be obtained by examining in detail a digital
stream that is associated with a given communication. For
example, people have developed communications protocol
analyzers that examine traffic as it flows by a given point
for passwords and other sensitive information.

   +    *Reverse engineering*. Decompilation or disassembly of
software can yield deep understanding of how that software
works. One implication is that any algorithm built into
software cannot be assumed to be secret for very long, since
disassembly of the software will inevitably reveal it to a
technically trained individual.

   +    *Cryptanalysis* (discussed in greater detail in
Appendix C). Cryptanalysis is the task of recovering the
plaintext corresponding to a given ciphertext without
knowledge of the decrypting key. Successful cryptanalysis can
be the result of:

        --  *Inadequately-sized keys*. A product with
            encryption capabilities that implements a
            strong cryptographic algorithm with an
            inadequately sized key is vulnerable to a
            "brute-force" attack.(18) Box 2.2 provides
            more detail.

        --  *Weak encryption algorithms or poorly designed
            products*. Some encryption algorithms and
            products have weaknesses that, if known to an
            attacker, require the testing of only a small
            fraction of the keys that could in principle
            be the proper key.

   +    *Product penetration*. Like weak encryption, certain
design choices such as limits on the maximum size of a
password, the lack of a reasonable lower bound on the size of
a password, or use of a random-number generator that is not
truly random may lead to a product that presents a work factor
for an attacker that is much smaller than the theoretical
strength implied by the algorithm it uses.(19)

   +    *Monitoring of electronic emissions*. Most electronic
communications devices emit electromagnetic radiation that is
highly correlated with the information carried or displayed on
them. For example, the contents of an unshielded computer
display or terminal can in principle be read from a distance
(estimates range from tens of meters to hundreds of meters) by
equipment specially designed to do so. Coined by a U.S.
government program, TEMPEST is the name of a class of
techniques to safeguard against monitoring of emissions.

   +    *Device penetration*. A software-controlled device can
be penetrated in a number of ways. For example, a virus may
infect it, making a clandestine change. A message or a file
can be sent to an unwary recipient who activates a hidden
program when the message is read or the file is opened; such
a program, once active, can record the keystrokes of the
person at the keyboard, scan the mass storage media for
sensitive data and transmit it, or make clandestine
alterations to stored data.

   +    *Infrastructure penetration*. The infrastructure used
to carry communications is often based on software-controlled
devices such as routers. Router sohware can be modified as
described above to copy and forward all (or selected) traffic
to an unauthorized interceptor.

   The last two techniques can be categorized as invasive,
because they alter the operating environment in order to
gather or modify information. In a network environment, the
most common mechanisms of invasive attacks are called viruses
and Trojan horses. A virus gains access to a system, hides
within that system, and replicates itself to infect other
systems. A Trojan horse exploits a weakness from within a
system. Either approach can result in intentional or
unintentional denial of services for the host system.(20)
Modern techniques for combining both techniques to covertly
exfiltrate data from a system are becoming increasingly
powerful and difficult to detect.(21) Such attacks will gain
in popularity as networks become more highly interconnected.


   (16) A port is a point of connection to a given information
system to which another party (another system, an individual)
can connect.

   (17) "Caller ID," a feature that identifies the number of
the calling party, makes use of call-setup information carried
on the circuit.

   (18) A brute-force attack against an encryption algorithm
is a computer-based test of all possible keys for that
algorithm undertaken in an effort to discover the key that
actually has been used. Hence, the difficulty and time to
complete such attacks increase markedly as the key length
grows (specifically, the time doubles for every bit added to
the key length).

   (19) Work factor is used in this report to mean a measure
of the difficulty of undertaking a brute-force test of all
possible keys against a given ciphertext (and known
algorithm). A 40-bit work factor means that a brute-force
attack must test at most 2^40 keys to be certain that the
corresponding plaintext message is retrieved. In the
literature, the term "work factor" is also used to mean the
ratio of work needed for brute-force cryptanalysis of an
encrypted message to the work needed to encrypt that message.

   (20) On November 2, 1988, Robert T. Morris, Jr., released
a "worm" program that spread itself throughout the Internet
over the course of the next day. At trial, Morris maintained
that he had not intended to cause the effects that had
resulted, a belief held by many in the Internet community.
Morris was convicted on a felony count of unauthorized access.
See Peter G. Neumann, *Computer Related Risks*, Addison
Wesley, Reading, Mass., 1995, p. 133.

   (21) The popular World Wide Web provides an environment in
which an intruder can act to steal data. For example, an
industrial spy wishing to obtain data stored on the
information network of a large aerospace company can set up a
Web page containing information of interest to engineers at
the aerospace company (e.g., information on foreign aerospace
business contracts in the making), thereby making the page an
attractive site for those engineers to visit through the Web.
Once an engineer from the company has visited the spy's Web
page, a channel is set up by which the Web page could send
back a Trojan horse (TH) program for execution on the
workstation being used to look at the page. The TH could be
passed as part of any executable program (Java and Postscript
provide two such vehicles) that otherwise did useful things
but on the side collected data resident on that workstation
(and any other computers to which it might be connected). Once
the data was obtained, it could be sent back to the spy's Web
page during the same session, or e-mailed back, or sent during
the next session used to connect to that Web page.
Furthermore, because contacts with a Web page by design
provide the specific address from which the contact is coming,
the TH could be sent only to the aerospace company (and to no
one else), thus reducing the likelihood that anyone else would
stumble upon it. Furthermore, the Web page contact also
provides information about the workstation that is making the
contact, thus permitting a customized and specially debugged
TH to be sent to that workstation.



   Cryptography is a product as well as a technology. Products
offering cryptographic capabilities can be divided into two
general classes:

   +    *Security-specific or stand-alone* products that are
generally add-on items (often hardware, but sometimes
software) and often require that users perform an
operationally separate action to invoke the encryption
capabilities. Examples include an add-on hardware board that
encrypts messages or a program that accepts a plaintext file
as input and generates a ciphertext file as output.

   +    *Integrated* (often "general-purpose") products in
which cryptographic functions have been incorporated into some
software or hardware application package as part of its
overall functionality. An integrated product is designed to
provide a capability that is useful in its own right, as well
as encryption capabilities that a user may or may not use.
Examples include a modem with on-board encryption or a word
processor with an option for protecting (encrypting) files
with passwords.(22)

   In addition, an integrated product may provide sockets or
hooks to user-supplied modules or components that offer
additional cryptographic functionality. An example is a
software product that can call upon a user-supplied package
that performs certain types of file manipulation such as
encryption or file compression. Cryptographic sockets are
discussed in Chapter 7 as cryptographic applications
programming interfaces.

   A product with cryptographic capabilities can be designed
to provide data confidentiality, data integrity, and user
authentication in any combination; a given commercial
cryptographic product may implement functionality for any or
all of these capabilities. For example, a PC-Card may
integrate cryptographic functionality for secure
authentication and for encryption onto the same piece of
hardware, even though the user may choose to invoke these
functions independently. A groupware program for remote
collaboration may implement cryptography for confidentiality
(by encrypting messages sent between users) and cryptography
for data integrity and user authentication (by appending a
digital signature to all messages sent between users).
Further, this program may be implemented in a way that these
features can operate independently (either, both, or neither
may be operative at the same time).

   Because cryptography is usable only when it is incorporated
into a product, whether integrated or security-specific,
issues of supply and demand affect the use of cryptography.
The remainder of this section addresses both demand and supply
perspectives on the cryptography market.


   (22) From a system design perspective, it is reasonable to
assert that word processing and database applications do not
have an intrinsic requirement for encryption capabilities and
that such capabilities could be better provided by the
operating system on which these applications operate. But as
a practical matter, operating systems often do not provide
such capabilities, and so vendors have significant incentives
to provide encryption capabilities that are useful to
customers who want better security.


      2.4.1 The Demand Side of the Cryptography Market

   Chapter 1 discussed vulnerabilities that put the
information assets of businesses and individuals at risk. But
despite the presence of such risks, many organizations do not
undertake adequate information security efforts, whether those
efforts involve cryptography or any other tool. This section
explores some of the reasons for this behavior.

Lack of Security Awareness (and/or Need)

   Most people who use electronic communications behave as
though they regard their electronic communications as
confidential. Even though they may know in some sense that
their communications are vulnerable to compromise, they fail
to take precautions to prevent breaches in communications
security. Even criminals aware that they may be the subjects
of wiretaps have been overheard by law enforcement officials
to say, "This call is probably being wiretapped, but ... ,"
after which they go on to discuss incriminating topics.(23)

   The impetus for thinking seriously about security is
usually an event that is widely publicized and significant in
impact.(24) An example of responding to publicized problems is
the recent demand for encryption of cellular telephone
communications. In the past several years, the public has been
made aware of a number of instances in which traffic carried
over cellular telephones was monitored by unauthorized parties
(Appendix J). In addition, cellular telephone companies have
suffered enormous financial losses as the result of "cloning,"
an illegal practice in which the unencrypted ID numbers of
cellular telephones are recorded off the air and placed into
cloned units, thereby allowing the owner of the cloned unit to
masquerade as the legitimate user.(25) Even though many users
today are aware of such practices and have altered their
behavior somewhat (e.g., by avoiding discussion of sensitive
information over cellular telephone lines), more secure
systems such as GSM (the European standard for mobile
telephones) have gained only a minimal foothold in the U.S.

   A second area in which people have become more sensitive to
the need for information security is in international
commerce. Many international business users are concerned that
their international business communications are being
monitored, and indeed such concerns motivate a considerable
amount of today's demand for secure communications.

   It is true that the content of the vast majority of
telephone communications in the United States (e.g., making a
dinner date, taking an ordinary business call) and data
communications (e.g., transferring a file from one computer to
another, sending an e-mail message) is simply not valuable
enough to attract the interest of most eavesdroppers.
Moreover, most communications links for point-to-point
communications in the United States are hard wired (e.g.,
fiber-optic cable) rather than wireless (e.g., microwave);
hardwired links are much more secure than wireless links.26 In
some instances, compromises of information security do not
directly damage the interests of the persons involved. For
example, an individual whose credit card number is improperly
used by another party (who may have stolen his wallet or
eavesdropped on a conversation) is protected by a legal cap on
the liability for which he is responsible.


   (23) A case in point is that the officers charged in the
Rodney King beating used their electronic communications
system as though it were a private telephone line, even though
they had been warned that all traffic over that system was
recorded. In 1992, Rodney King was beaten by members of the
Los Angeles Police Department. A number of transcripts of
police radio conversations describing the incident were
introduced as evidence at the trial. Had they been fully
cognizant at the moment of the fact that all conversations
were being recorded as a matter of department policy, the
police officers in question most likely would not have said
what they did. Personal communication, Sara Kiesler, Carnegie
Mellon University, 1993.

   (24) It is widely believed that only a few percent of
computer break-ins are detected. See for example, Jane Bird,
"Hunting Down the Hackers," *Management Today*, July, 1994, p.
64 (reports that 1% of attacks are detected); Bob Brewin,
"Info Warfare Goes on Attack," *Federal Computer Week*, Volume
9(31), October 23, 1995, p. 1 (reports 2% detection); and Gary
Anthes, "Hackers Try New Tacks", *ComputerWorld*, January 30,
1995, p. 12 (reports 5% detection).

   (25) See for example, Bryan Miller, "Web of Cellular Phone
Fraud Widens," *New York Times*, July 20, 1995, p. C-1; and
George James, "3 Men Accused of Stealing Cellular Phone ID
Numbers," *New York Times*, October 19, 1995, p. B-3.


Other Barriers Influencing Demand for Cryptography

   Even when a user is aware that communications security is
threatened and wishes to take action to forestall the threat,
a number of practical considerations can affect the decision
to use cryptographic protection. These considerations include
the following:

   +    *Lack of critical mass*. A secure telephone is not of
much use if only one person has it. Ensuring that
communications are secure requires collective action -- some
critical mass of interoperable devices is necessary in order
to stimulate demand for secure communications. To date, such
a critical mass has not yet been achieved.

   +    *Uncertainties over government policy*. Policy often
has an impact on demand. A number of government policy
decisions on cryptography have introduced uncertainty, fear,
and doubt into the marketplace and have made it difficult for
potential users to plan for the future. Seeing the controversy
surrounding policy in this area, potential vendors are
reluctant to bring to market products that support security,
and potential users are reluctant to consider products for
security that may become obsolete in the future in an unstable
legal and regulatory environment.

   +    *Lack of a supporting infrastructure*. The mere
availability of devices is not necessarily sufficient. For
some applications such as secure interpersonal communications,
a national or international infrastructure for managing and
exchanging keys could be necessary. Without such an
infrastructure, encryption may remain a niche feature that is
usable only through ad hoc methods replicating some of the
functions that an infrastructure would provide and for which
demand would thus be limited. Section 2.5 describes some
infrastructure issues in greater detail.

   +    *High cost*. To date, hardware-based cryptographic
security has been relatively expensive, in part, becaus of the
high cost of stand-alone products made in relatively small
numbers. A user that initially deploys a system without
security features and subsequently wants to add them can be
faced with a very high cost barrier, and consequently there is
a limited market for security add-on products.

   On the other hand, the marginal cost of implementing
cryptographic capabilities in software at the outset is
rapidly becoming a minor part of the overall cost, and so
cryptographic capabilities are likely to appear in all manner
and types of integrated software products where there might be
a need.

   +    *Reduced performance*. The implementation of
cryptographic functions often consumes computational resources
(e.g., time, memory). In some cases, excessive consumption of
resources makes encryption too slow or forces the user to
purchase additional memory. If encrypting the communications
link over which a conversation is carried delays that
conversation by more than a few tenths of a second, users may
well choose not to use the encryption capability.

   +    *A generally insecure environment*. A given network or
operating system may be so inherently insecure that the
addition of cryptographic capabilities would do little to
improve overall security. Moreover, retrofitting security
measures atop an inherently insecure system is generally

   +    *Usability*. A product's usability is a critical
factor in its market acceptability. Products with encryption
capabilities that are available for use but are in fact unused
do not increase information security. Such products may be
purchased but not used for the encryption they provide because
such use is too inconvenient in practice, or they may not be
purchased at all because the capabilities they provide are not
aligned well with the needs of their users. In general, the
need to undertake even a modest amount of extra work or to
tolerate even a modest inconvenience for cryptographic
protection that is not directly related to the primary
function of the device is likely to discourage the use of such
protection.(27) When cryptographic features are well
integrated in a way that does not demand case-bycase user
intervention, i.e., when such capabilities can be invoked
transparently to the average user, demand may well increase.

   +    *Lack of independent certification or evaluation of
products*. Certification of a product's quality is often
sought by potential buyers who lack the technical expertise to
evaluate product quality or who are trying to support certain
required levels of security (e.g., as the result of bank
regulations). Many potential users are also unable to detect
failures in the operation of such products.(28) With one
exception discussed in Chapter 6, independent certification
for products with integrated encryption capabilities is not
available, leading to market uncertainty about such products.

   +    *Electronic commerce*. An environment in which secure
communications were an essential requirement would do much to
increase the demand for cryptographic security.(29) However,
the demand for secure communications is currently nascent.

   +    *Uncertainties arising from intellectual property
issues*. Many of the algorithms that are useful in
cryptography (especially public-key cryptography) are
protected by patents. Some vendors are confused by the fear,
uncertainty, and doubt caused by existing legal arguments
among patent holders. Moreover, even when a patent on a
particular algorithm is undisputed, many users may resist its
use because they do not wish to pay the royalties.(30)

   +    *Lack of interoperability and standards*. For
cryptographic devices to be useful, they must be
interoperable. In some instances, the implementation of
cryptography can affect the compatibility of systems that may
have interoperated even though they did not conform strictly
to interoperability standards. In other instances, the
specific cryptographic algorithm used is yet another function
that must be standardized in order for two products to
interoperate. Nevertheless, an algorithm is only one piece of
a cryptographic device, and so two devices that implement the
same cryptographic algorithm may still not interoperate.(31)
Only when two devices conform fully to a single
interoperability standard (e.g., a standard that would specify
how keys are to be exchanged, the formatting of the various
data streams, the algorithms to be used for encryption and
decryption, and so on) can they be expected to interoperate

   An approach gaining favor among product developers is
protocol negotiation,(32) which calls for two devices or
products to mutually negotiate the protocol that they will use
to exchange information. For example, the calling device may
query the receiving device to determine the right protocol to
use. Such an approach frees a device from having to conform to
a single standard and also facilitates the upgrading of
standards in a backward-compatible manner.

   +    *The heterogeneity of the communications
infrastructure*. Communications are ubiquitous, but they are
implemented through a patchwork of systems and technologies
and communications protocols rather than according to a single
integrated design. In some instances, they do not conform
completely to the standards that would enable full
interoperability. In other instances, interoperability is
achieved by intermediate conversion from one data format to
another. The result can be that transmission of encrypted data
across interfaces interferes with achieving connectivity among
disparate systems. Under these circumstances, users may be
faced with a choice of using unencrypted communications or not
being able to communicate with a particular other party at


   (26) A major U.S. manufacturer reported to the committee
that in the late 1980s, it was alerted by the U.S. government
that its microwave communications were vulnerable. In
response, this manufacturer took steps to increase the
capacity of its terrestrial communication links, thereby
reducing its dependence on microwave communications. A similar
situation was faced by IBM in the 1970s. See William Broad,
"Evading the Soviet Ear at Glen Cove," *Science*, Volume
217(3), 1982, pp. 910-911.

   (27) For example, experience with current secure telephones
such as the STU-III suggests that users of such phones may be
tempted, because of the need to contact many people, to use
them in a nonsecure mode more often than not.

   (28) Even users who do buy security products may still be
unsatisfied with them. For example, in two consecutive surveys
in 1993 and 1994, a group of users reported spending more and
being less satisfied with the security products they were
buying. See Dave Powell, "Annual Infosecurity Industry
Survey," *Infosecurity News*, March/April, 1995, pp. 20-27.

   (29) AT&T plans to take a non-technological approach to
solving some of the security problems associated with retail
Internet commerce. AT&T has announced that it will insure its
credit-card customers against unauthorized charges, as long as
those customers were using AT&T's service to connect to the
Internet. This action was taken on the theory that the real
issue for consumers is the fear of unauthorized charges,
rather than fears that confidential data per se would be
compromised. See Thomas Weber, "AT&T Will Insure Its Card
Customers on Its Web Service," *Wall Street Journal*, February
7, 1996, pp. B-5.

   (30) See for example, James Bennett, "The Key to Universal
Encryption," *Strategic Investment*, December 20, 1995, pp.

   (31) Consider the Data Encryption Standard (DES) as an
example. DES is a symmetric encryption algorithm, first
published in 1975 by the U.S. govemment, that specifies a
unique and well-defined transformation when given a specific
56-bit key and a block of text, but the various details of
operation within which DES is implemented can lead to
incompatibilities with other systems that include DES, with
stand-alone devices incorporating DES, and even with
software-implemented DES.

   Specifically, how the infommation is prepared prior to
being encrypted (e.g., how it is blocked into chunks) and
after the encryption (how the encrypted data is modulated on
the communications line) will affect the interoperability of
communications devices that may both use DES. In addition, key
management may not be identical for DES-based devices
developed independently. DES-based systems for file encryption
generally require a user-generated password to generate the
appropriate 56-bit DES key, but since the DES standard does
not specify how this aspect of key management is to be
performed, the same password used on two independently
developed DES-based systems may not result in the same 56-bit
key. For these and similar reasons, independently developed
DES-based systems cannot necessarily be expected to

   (32) Transmitting a digital bit stream requires that the
hardware carrying that stream be able to interpret it.
Interpretation means that regardless of the content of the
communications (e.g., voice, pictures), the hardware must know
what part of the bit stream represents information useful to
the ultimate receiver and what part represents information
useful to the carrier. A communications protocol is an
agreed-upon convention about how to interpret any given bit
stream and includes the specification of any encryption
algorithm that may be used as part of that protocol.

   (33) An analogous example is the fact that two Internet
users may find it very difficult to use e-mail to transport a
binary file between them, because the e-mail systems on either
end may well implement standards for handling binary files
differently, even though they may conform to all relevant
standards for carrying ASCII text.


      2.4.2 The Supply Side of the Cryptography Market

   The supply of products with encryption capabilities is
inherently related to the demand for them. Cryptographic
products result from decisions made by potential vendors and
users as well as standards determined by industry and/or
government. Use depends on availability as well as other
important factors such as user motivation, relevant learning
curves, and other nontechnical issues. As a general rule, the
availability of products to users depends on decisions made by
vendors to build or not to build them, and all of the
considerations faced by vendors of all type of products are
relevant to products with encryption capabilities.

   In addition to user demand, vendors need to consider the
following issues before deciding to develop and market a
product with encryption capabilities:

   +    *Accessibility of the basic knowledge underlying
cryptography*. Given that various books, technical articles,
and government standards on the subject of cryptography have
been published widely over the past 20 years, the basic
knowledge needed to design and implement cryptographic systems
that can frustrate the best attempts of anyone (including
government intelligence agencies) to penetrate them is
available to government and nongovernment agencies and parties
both here and abroad. For example, because a complete
description of DES is available worldwide, it is relatively
easy for anyone to develop and implement an encryption system
that involves multiple uses of DES to achieve much stronger
security than that provided by DES alone.

   +    *The skill to implement basic knowledge of
cryptography*. A product with encryption capabilities involves
much more than a cryptographic algorithm. An algorithm must be
implemented in a system, and many design decisions affect the
quality of a product even if its algorithm is mathematically
sound. Indeed, efforts by multiple parties to develop products
with encryption capabilities based on the same algorithm could
result in a variety of manufactured products with varying
levels of quality and resistance to attack.

   For example, although cryptographic protocols are not part
and parcel of a cryptographic algorithm per se, these
protocols specify how critical aspects of a product will
operate. Thus, weaknesses in cryptographic protocols -- such
as a key generation protocol specifying how to generate and
exchange a specific encryption key for a given message to be
passed between two parties or a key distribution protocol
specifing how keys are to be distributed to users of a given
product can compromise the confidentiality that a real product
actually provides, even though the cryptographic algorithm and
its implementation are flawless.(34)

   +    *The skill to integrate the cryptography into a usable
product*. Even a product that implements a strong
cryptographic algorithm in a competent manner is not valuable
if the product is unusable in other ways. For integrated
products with encryption capabilities, the noncryptographic
functions of the product are central, because the primary
purpose of an integrated product is to provide some useful
capability to the user (e.g., word processing, database
management, communications) that does not involve cryptography
per se; if cryptography interferes with this primary
functionality, it detracts from the product's value.

   In this area, U.S. software vendors and system integrators
have distinct strengths, (35) even though engineering talent
and cryptographic expertise are not limited to the United
States. For example, foreign vendors do not market integrated
products with encryption capabilities that are sold as
mass-market software, whereas many such U.S. products are

   +    *The cost of developing maintaining, and upgrading an
economically viable product with encryption capabilities*. The
technical aspects of good encryption are increasingly well
understood. As a result, the incremental cost of designing a
software product so that it can provide cryptographic
functionality to end users is relatively small. As cost
barriers to the inclusion of cryptographic functionality are
reduced dramatically, the long-term likelihood increases that
most products that process digital information will include
some kinds of cryptographic functionality.

   +    *The suitability of hardware vs. software* as a medium
in which to implement a product with encryption capabilities.
The duplication and distribution costs for software are very
low compared to those for hardware, and yet, trade secrets
embedded in proprietary hardware are easier to keep than those
included in software. Moreover, software cryptographic
functions are more easily disabled.

   +    *Nonmarket considerations and export controls*.
Vendors may withhold or alter their products at government
request. For example, a well-documented instance is the fact
that AT&T voluntarily deferred the introduction of its 3600
Secure Telephone Unit (STU) at the behest of government (see
Appendix E on the history of current cryptography policy and
Chapter 6 on government influence.) Export controls also
affect decisions to make products available even for domestic
use, as described in Chapter 4.


   (34) An incident that demonstrates the importance of the
nonalgorithm aspects of a product is the failure of the
key-generation process for the Netscape Navigator Web browser
that was discovered in 1995; a faulty random number generation
used in the generation of keys would enable an intruder
exploiting this flaw to limit a brute-force search to a much
smaller number of keys than would generally be required by the
40-bit key length used in this product. See John Markoff,
"Security Flaw Is Discovered in Software Used in Shopping,"
*New York Times*, September 19, 1995, p. A1. A detailed
discussion of protocol failures can be found in Gustavus
Simmons, "Cryptanalysis and Protocol Failures,"
*Communications of the ACM*, Volume 37(11), 1994, pp. 56-65.

   (35) Computer Science and Telecommunications Board (CSTB),
National Research Council, *Keeping the U.S. Computer Industry
Competitive: Systems Integration*, National Academy Press,
Washington, D.C., 1992.

   (36) For example, the Department of Commerce and the
National Security Agency found no general-purpose software
products with encryption capability from non-U.S.
manufacturers. See Department of Commerce and National
Security Agency, *A Study of the International Market for
Computer Software with Encryption*, January 11, 1996, p.



   The widespread use of cryptography requires a support
infrastructure that can service organizational or individual
user needs with regard to cryptographic keys.

             2.5.1 Key Management Infrastructure

   In general, to enable use of cryptography across an
enterprise, there must be a mechanism that:

   +    Periodically supplies all participating locations with
keys (typically designated for use during a given calendar or
time period -- the crypto-period) for either stored materials
or communications; or

   +    Permits any given location to generate keys for itself
as needed (e.g., to protect stored files); or

   +    Can securely generate and transmit keys among
communicating parties (e.g., for data transmissions, telephone

   In the most general case, any given location will have to
perform all three functions. With symmetric systems, the
movement of keys from place to place obviously must be done
securely and with a level of protection adequate to counter
the threats of concern to the using parties. Whatever the
distribution system, it clearly must protect the keys with
appropriate safeguards and must be prepared to identify and
authenticate the source. The overall task of securely assuring
availability of keys for symmetric applications is often
called key management.

   If all secure communications take place within the same
corporation or among locations under a common line of
authority, key management is an internal or possibly a joint
obligation. For parties that communicate occasionally or
across organizational boundaries, mutual arrangements must be
formulated for managing keys. One possibility might be a
separate trusted entity whose line of business could be to
supply keys of specified length and format, on demand and for
a fee.

   With asymmetric systems, the private keys are usually
self-generated, but they may also be generated from a central
source, such as a corporate security office. In all cases,
however, the handling of private keys is the same for
symmetric and asymmetric systems, they must be guarded with
the highest levels of security. Although public keys need not
be kept secret, their integrity and association with a given
user are extremely important and should also be supported with
extremely robust measures.

   The costs of a key management infrastructure for national
use are not known at this time. One benchmark figure is that
the cost of the Defense Department infrastructure needed to
generate and distribute keys for approximately 320,000 STU-III
telephone users is somewhere in the range of $10 million to
$13 million per year.(37)


   (37) William Crowell, deputy director, National Security
Agency, personal communication, April 1995.


              2.5.2 Certificate Infrastructures

   The association between key information (such as the name
of a person and the related public key) and an individual or
organization is an extremely important aspect of a
cryptographic system. That is, it is undesirable for one
person to be able to impersonate another. To guard against
impersonation, two general types of solutions have emerged: an
organization-centric approach consisting of certificate
authorities and a user-centric approach consisting of a web of

   A certificate authority serves to validate information that
is associated with a known individual or organization.
Certificate authorities can exist within a single
organization, across multiple related organizations, or across
society in general. Any number of certificate authorities can
coexist, and they may or may not have agreements for
crosscertification, whereby if one authority certifies a given
person, then another authority will accept that certification
within its own structure. Certificate authority hierarchies
are defined in the Internet RFCs 1421-1424, the X.509
standard, and other emerging commercial standards, such as
that proposed by MasterCar/Visa. A number of private
certificate authorities, such as VeriSign, have also begun
operation to service secure massmarket software products, such
as the Netscape Navigator Web browser.

   Among personal acquaintances validation of public keys can
be passed along from person to person or organization to
organization, thus creating a web of trust in which the entire
ensemble is considered to be trusted based on many individual
instances of trust. Such a chain of trust can be established
between immediate parties, or from one party to a second to
establish the credentials of a third. This approach has been
made popular by the Pretty Good Privacy (PGP) software
product; all users maintain their own "key-ring," which holds
the public keys of everyone with whom they want to

   Importantly, it should be noted that both the certificate
authority approach and the web of trust approach replicate the
pattern of trust that already exists among participating
parties in societal and business activities. In a sense, the
certificate infrastructure for cryptography simply formalizes
and makes explicit what society and its institutions are
already accustomed to.

   At some point, banks, corporations, and other organizations
already generally trusted by society will start to issue
certificates. At that time, individuals especially may begin
to feel more comfortable about the cryptographic undergirding
of society's electronic infrastructure, at which point the
webs of trust can be expected to evolve according to
individual choices and market forces. However, it should be
noted that different certificates will be used for different
functions, and it is unlikely that a single universal
certificate infrastructure will satisfy all societal and
business needs. For example, because an infrastructure
designed to support electronic commerce and banking may do no
more than identify valid purchasers, it may not be useful for
providing interpersonal communication or corporate access

   Certificate authorities already exist within some
businesses, especially those that have moved vigorously into
an electronic way of life. Generally, there is no sense of a
need for a legal framework to establish relationships among
organizations, each of which operates its own certificate
function. Arrangements exist for them to cross-certify one
another; in general, the individual(s) authorizing the
arrangement will be a senior officer of the corporation, and
the decision will be based on the existence of other legal
agreements already in place, notably, contracts that define
the relationships and obligation among organizations.

   For the general business world in which any individual or
organization wishes to conduct a transaction with any other
individual or organization, such as the sale of a house, a
formal certificate infrastructure has yet to be created. There
is not even one to support just a digital signature
application within government. Hence, it remains to be seen
how, in the general case, individuals and organizations will
make the transition to an electronic society.

   Certificate authorities currently operate within the
framework of contractual law. That is, if some problem arises
as the result of improper actions on the part of the
certification authority, its subscribers would have to pursue
a civil complaint. As certificate authorities grow in size and
service a greater part of society, it will probably be
necessary to regulate their actions under law, much like those
of any major societal institutions.(38) It is interesting to
observe that the legal and operational environment that will
have to exist for certificate organizations involves the same
set of issues that are pertinent to escrow organizations (as
discussed in Chapter 5).


   (38) Shimshon Berkovits et al., *Public Key Infrastructure
Study: Final Report*, National Institute of Standards and
Technology, Gaithersburg, Maryland, April 1994. Performed
under contract to MITRE, this study is summarized in Appendix


                          2.6 RECAP

   Cryptography provides important capabilities that can help
deal with the vulnerabilities of electronic information.
Cryptography can help to assure the integrity of data, to
authenticate the identity of specific parties, to prevent
individuals from plausibly denying that they have signed
something, and to preserve the confidentiality of information
that may have improperly come into the possession of
unauthorized parties. At the same time, cryptography is not a
silver bullet, and many technical and human factors other than
cryptography can improve or detract from information security.
In order to preserve information security, attention must be
given to all of these factors. Moreover, people can use
cryptography only to the extent that it is incorporated into
real products and systems; unimplemented cryptographic
algorithms cannot contribute to information security. Many
factors other than raw mathematical knowledge contribute to
the supply of and demand for products with cryptographic
functionality. Most importantly, the following aspects
influence the demand for cryptographic functions in products:

   +    Critical mass in the marketplace,

   +    Government policy,

   +    Supporting infrastructure,

   +    Cost,

   +    Performance,

   +    Overall security environment,

   +    Usability,

   +    Quality certification and evaluation, and

   +    Interoperability standards.

Finally, any large-scale use of cryptography, with or without
key escrow (discussed later in Chapter 5), depends on the
existence of a substantial supporting infrastructure, the
deployment of which raises a different set of problems and


  BOX 2.1 The Evolution of the Telecommunications Industry

   Prior to 1984, the U.S. telecommunications industry was
dominated by one primary player -- AT&T. An elaborate
regulatory structure had evolved in the preceding decades to
govern what had become an essential national service on which
private citizens, govemment, and business had come to rely.

   By contrast, the watchword in telecommunications a mere
decade later has become competition. AT&T is still a major
player in the field, but the regional Bell operating companies
(RBOCs), separated from AT&T as part of the divestiture
decision of 1984, operate entirely independently, providing
local services. Indeed, the current mood in Congress toward
deregulation is already causing increasingly active
competition and confrontation among all of the players
involved, including cable TV companies, cellular and mobile
telephone companies, the long-distance telecommunications
companies (AT&T, MCI, Sprint, and hundreds of others), the
RBOCs and other local exchange providers, TV and radio
broadcast companies, entertainment companies, and satellite
communications companies. Today, all of these players compete
for a share of the telecommunications pie in the same
geographic area; even railroads and gas companies (which own
geographic rights of way along which transmission lines can be
laid) and power companies (which have wires going to every
house) have dreams of profiting from the telecommunications
boom. The playing field is even further complicated by the
fact of reselling -- institutions often buy telecommunications
services from "primary" providers in bulk to serve their own
needs and resell the excess to other customers.

   In short, today's telecommunications industry is highly
heterogeneous and widely deployed with multiple public and
private service providers, and will become more so in the


       BOX 2.2 Fundamentals of Cryptographic Strength

   Cryptographic strength depends on two factors: the size of
the key, and the mathematical structure of the algorithm
itself. For well-designed symmetric cryptographic systems,
"brute-force" exhaustive search -- trying all possible keys
with a given decryption algorithm until the (meaningful)
plaintext appears -- is the best publicly known cryptanalytic
method. For such systems the work factor (i.e., the time to
cryptanalyze) grows exponentially with key size. Hence, with
a sufficiently long key, even an eavesdropper with very
extensive computing resources would have to take a very long
time (longer than the age of the universe) to test all
possible combinations. Adding one binary digit (bit) to the
length of a key doubles the length of time it takes to
undertake a brute-force attack while adding only a very small
increment to the time it takes to encrypt the plaintext.

   How long is a "long" key? To decipher by brute force a
message encrypted with a 40-bit key requires 2^40
(approximately 10^12) tests. If each test takes 10^-6 seconds
to conduct, 1 million seconds of testing time on a single
computer are required to conduct a brute-force attack, or
about 11.5 days. A 56-bit key increases this time by a factor
of 2^16, or 65,536; under the same assumptions, a brute-force
attack on a message encrypted with a 56-bit key would take
over 2,000 years.

   Two important considerations mitigate the bleakness of this
conclusion from the perspective of the interceptor. One is
that computers can be expected to grow more powerful over
time. Speed increases in the underlying silicon technology
have exhibited a predictable pattern for the past 50 years --
computational speed doubles every 18 months (Moore's law),
equivalent to increasing by a factor of 10 every 5 years.
Thus, if a single test takes 10^-6 seconds today, in 15 years,
it can be expected to take 10^-9 seconds. Additional speedup
is possible using parallel processing. Some supercomputers use
tens of thousands of microprocessors in parallel, and
cryptanalytic problems are particularly well-suited to
parallel processing. Even 1,000 processors working in
parallel, each using the underlying silicon technology of 15
years hence, would be able to decrypt a single 56-bit
encrypted message in 18 hours.

   As for the exploitation of alternatives to brute-force
search, all known asymmetric (i.e., public-key) cryptographic
systems allow shortcuts to exhaustive search. Because more
information is public in such systems, it is also likely that
shortcut attacks will exist for any new systems invented.
Shortcut attacks also exist for poorly designed symmetric
systems. Newly developed shortcut attacks constitute
unforeseen breakthroughs, and so by their very nature
introduce an unpredictable "wild card" into the effort to set
a reasonable key size. Because such attacks are applicable
primarily to public-key systems, larger key sizes and larger
safety margins are needed for such systems than for symmetric
cryptographic systems. For example, factoring a 512-bit number
by exhaustive search would take 2^256 tests (since at least
one factor must be less than 2^256); known shortcut attacks
would allow such numbers to be factored in approximately 2^65
operations, a number on the order of that required to
undertake a brute-force exhaustive search of a message
encrypted with a 64-bit symmetric cryptographic system. While
symmetric 64-bit systems are considered relatively safe, fear
of future breakthroughs in cryptanalyzing public-key systems
has led many cryptographers to suggest a minimum key size of
1,024 bits for public-key systems, thereby providing in key
length a factor-of-two safety margin over the safety afforded
by 512-bit keys.

   More discussion of this topic can be found in Appendix C.

[End Chapter 2]


[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


          Needs for Access to Encrypted Information

   Information protected for confidentiality (i.e., encrypted
information) is stored or communicated for later use by
certain parties with the authorization of the original
protector. However, it may happen for various legitimate and
lawfully authorized reasons that other parties may need to
recover this information as well. This chapter discusses needs
for access to encrypted information under exceptional
circumstances for legitimate and lawfully authorized purposes
from the perspectives of businesses, individuals, law
enforcement, and national security. Businesses and individuals
may want access to encrypted data or communications for their
own purposes, and thus may cooperate in using products to
facilitate such access, while law enforcement and national
security authorities may want access to the encrypted data or
communications of criminals and parties hostile to the United

                       3.1 TERMINOLOGY

   It is useful to conceptualize data communications and data
storage using the language of transactions. For example, one
individual may telephone another; the participants in the
transaction are usually referred to as the calling party and
the called party. Or, a person makes a purchase; the
participants are called the buyer and seller. Or, a sender
mails something to the recipient. Adopting this construct,
consider communications in which the first party (Party A)
sends a message and the second party (Party B) receives it.
"Party" does not necessarily imply a person; a "party" can be
a computer system, a communication system, a software process.
In the case of data storage, Party A stores the data, while
Party B retrieves it. Note that Party A and Party B can be the
same party (as is the case when an individual stores a file
for his or her own later use).

   Under some circumstances, a third party may be authorized
for access to data stored or being communicated. For example,
law enforcement authorities may be granted legal authorization
to obtain surreptitious access to a telephone conversation or
a stored data file or record without the knowledge of Parties
A or B. The employer of Party A may have the legal right to
read all data files for which Party A is responsible or to
monitor all communications in which Party A participates.
Party A might inadvertently lose access to a data file and
wish to recover that access.

   In cases when the data involved is unencrypted, the
procedures needed to obtain access can be as simple as
identifying the relevant file name or as complex as seeking a
court order for legal authorization. But when the data
involved is encrypted, the procedures needed to obtain access
will require the possession of certain critical pieces of
information, such as the relevant cryptographic keys.

   Third-party access has many twists and turns. When it is
necessary for clarity of exposition or meaning, this report
uses the phrase "exceptional access" to stress that the
situation is not one that was included within the intended
bounds of the original transaction, but is an unusual
subsequent event. Exceptional access refers to situations in
which an authorized party needs and can obtain the plaintext
of encrypted data (for storage or communications). The word
"exceptional" is used in contrast to the word "routine" and
connotes something unusual about the circumstances under which
access is required.

   Exceptional access can be divided into three generic

   +    *Government exceptional access* refers to the case in
which government has a need for access to information under
specific circumstances authorized by law. For example, a
person might store data files that law enforcement authorities
need to prosecute or investigate a crime. Alternatively, two
people may be communicating with each other in the planning or
commission of a serious crime. Government exceptional access
thus refers to the government's need to obtain the relevant
information under circumstances authorized by law, and
requires a court order (for access to voice or data
communications) or a subpoena or search warrant (for access to
stored records). Government exceptional access is the focus of
Section 3.2.

   +    *Employer (or corporate) exceptional access* refers to
the case in which an employer (i.e., the corporate employer)
has the legal right to access to information encrypted by an
employee. If an employee who has encrypted a file is
indisposed on a certain day, for example, the company may need
exceptional access to the contents of the file. Alternatively,
an employee may engage in communications whose content the
company may have a legitimate need to know (e.g., the employee
may be leaking proprietary information). Employer exceptional
access would then refer to the company's requirement to obtain
the key necessary to obtain the contents of the file or
communications, and may require the intervention of another
institutional entity. Employer or corporate exceptional access
is the focus of Section 3.5.

   +    *End-user exceptional access* refers to the case in
which the parties primarily intended to have access to
plaintext have lost the means to obtain such access. For
example, a single user may have stored a file for later
retrieval, but encrypted it to ensure that no other party
would have access to it while it was in storage. However, the
user might also lose or forget the key used to encrypt that
file. End-user exceptional access refers to such a user's
requirement to obtain the proper key, and may require that the
individual who has lost a key prove his identify to a party
holding the backup key and verify his authorization to obtain
a duplicate copy of his key. End-user exceptional access is
also discussed in Section 3.5.

   The need for exceptional access when the information stored
or communicated is encrypted has led to an examination of a
concept generically known as escrowed encryption (the subject
of Chapter 5), which, loosely speaking, uses agents other than
the parties participating in the communication or data storage
to hold copies of or otherwise have access to relevant
cryptographic keys "in escrow" so that needs for end-user,
corporate, and government exceptional access can be met; these
agents are called escrow agents.


   Obtaining information (both evidence and intelligence) has
always been a central element in the conduct of law
enforcement investigations and prosecutions. Accordingly,
criminals have always wished to protect the information
relevant to their activities from law enforcement authorities.

          3.2.1 The Value of Access to Information
                     for Law Enforcement

   Many criminals keep records related to their activities;
such records can be critical to the investigation and
prosecution of criminal activity. For example, criminals
engaged in white-collar crimes such as fraud often leave paper
trails that detail fraudulent activities; drug dealers often
keep accounting records of clients, drop-offs, supplies, and
income. Reconstruction of these paper trails is often a
critical element in building a case against these individuals.
The search-and-seizure authority of law enforcement to obtain
paper records is used in a large fraction of criminal cases.
Law enforcement officials believe that wiretapping is a
crucial source for information that could not be obtained in
any other way or obtained only at high risk (Box 3.2). For
example, the FBI has testified that

   [w]ithout law enforcement's ability to effectively execute
   court orders for electronic surveillance, the country would
   be unable to protect itself against foreign threats,
   terrorism, espionage, violent crime, drug trafficking,
   kidnapping, and other crimes. We may be unable to intercept
   a terrorist before he sets off a devastating bomb; unable
   to thwart a foreign spy before he can steal secrets that
   endanger the entire country; and unable to arrest drug
   traffickers smuggling in huge amounts of drugs that will
   cause widespread violence and death. Court-approved
   electronic surveillance is of immense value, and often is
   the only way to prevent or solve the most serious crimes
   facing today's society.(1)

   Criminals often discuss their past criminal activity and
plans for future criminal activity with other parties.
Obtaining "inside information" on such activities is often a
central element of building a case against the perpetrators.
A defendant that describes in his own words how he committed
a crime or the extent to which he was involved in it gives
prosecutors a powerful weapon that juries tend to perceive as

   Other methods of obtaining "inside information" have
significant risks associated with them:

   +    Informants are often used to provide inside
information. However, the credibility of informants is often
challenged in court, either because the informants have shady
records themselves or because they may have made a deal with
prosecutors by agreeing to serve as informants in return for
more lenient treatment.(3) By contrast, challenges to evidence
obtained through wiretaps are far more frequently based on
their admissibility in court rather than their intrinsic
credibility. Informants may also be more difficult to find
when a criminal group is small in size.

   +    Surreptitiously planted listening devices are also
used to obtain inside information. However, they generally
obtain only one side of a conversation (use of a speaker-phone
presents an exception). Further, since listening devices
require the use of an agent to plant them, installation of
such devices is both highly intrusive (arguably more so than
wiretapping) for the subject of the device and risky for the
planting agent. Requests for the use of such devices are
subject to the same judicial oversight and review as wiretaps.

   This discussion is not intended to suggest that wiretaps
are a perfect source of information and always useful to law
enforcement. An important difficulty in using wiretaps is that
context is often difficult for listeners to establish when
they are monitoring a telephone conversation that assumes
shared knowledge between the communicators.(4)

   Because of the legal framework regulating wiretaps, and the
fact that communications are by definition transient whereas
records endure, wiretapping is used in far fewer criminal
cases than is seizure of records. Although the potential
problems of denying law enforcement access to communications
has been the focus of most of the public debate, encryption of
data files in a way that denies law enforcement authorities
access to data files relevant to criminal activity arguably
presents a much larger threat to their capabilities.


   (1)  Statement of James K. Kallstrom, Special Agent in
Charge, Special Operations Division, New York Field Division,
Federal Bureau of Investigation on "Security Issues in
Computers and Communications," before the Subcommittee on
Technology, Environment, and Aviation of the Committee on
Science, Space, and Technology, U.S. House of Representatives,
May 3, 1994.

   (2)  For example, see Edward Walsh, "Reynolds Guilty on All
Counts," *Washington Post*, August 23, 1995, p. 1.

   (3)  See for example, Sharon Walsh, "Whistle-Blower
Quandry: Will Testimony Fly?," *Washington Post*, August 23,
1995, p. F-3; Richard Perez-Pena, "An Informer's Double Life:
Blows Come from 2 Sides," *New York Times*, October 15, 1995,
p. 35; Joseph P. Fried, "Undermining a Bomb-Trial Witness,"
*New York Times*, April 9, 1995, p. 42; and Stephen Labaton,
"The Price Can Be High for Talk That's Cheap," *New York
Times*, Week in Review, April 2, 1995, p. 3.

   (4)  Indeed, in some instances, wiretap evidence has been
used to *exculpate* defendants. See for example, Peter Marks,
"When the Best Defense is the Prosecution's Own Tapes," *New
York Times*, June 30, 1995, p. D-20. According to Roger Shuy,
professor of linguistics at Georgetown University, there are
many difficulties in ascribing meaning to particular
utterances that may be captured on tape recordings of
conversations. See Roger Shuy, *Language Crimes*, Blackwell
Publishers, Cambridge, Mass., 1993. Shuy's book is mostly
focused on tapes made by "wires" carried by informants or
"bugs" placed near a subject, but the basic principle is the


      3.2.2 The Legal Framework Governing Surveillance

   An evolving legal framework governs the authority of
government authorities to undertake surveillance of
communications that take place within the United States or
that involve U.S. persons. Surveillance within the United
States is authorized only for certain legislatively specified
purposes: the enforcement of certain criminal statutes and the
collection of foreign intelligence. A more extended
description of this framework (with footnoted references) is
contained in Appendix D.

Domestic Communications Surveillance
for Domestic Law Enforcement Purposes

   Communications surveillance can involve surveillance for
traffic analysis and/or surveillance for content; these
separate activities are governed by different laws and
regulations. Traffic analysis, a technique that establishes
patterns of connections and communications, is performed with
the aid of pen registers that record the numbers dialed from
a target telephone, and trap-and-trace devices that identify
the numbers of telephones from which calls are placed to the
target telephone. Orders for the use of these devices may be
requested by any federal attorney and granted by any federal
district judge or magistrate, and are granted on a more or
less pro forma basis.

   Surveillance of communications for content for purposes of
domestic law enforcement is governed by Title 18, United
States Code, Sections 2510-2521 concerning "wire and
electronic communications interceptions and interception of
all communications," generally known as Title III. These
sections of the U.S. code govern the use of listening devices
(usually known as "bugs"); wiretaps of communications
involving human speech (called "oral communications" in Title
III) carried over a wire or wire-like cable, including optical
fiber; and other forms of electronically transmitted
communication, including various forms of data, text, and
video that may be communicated between or among people as well
as computers or communications devices. Under Title III, only
certain federal crimes may be investigated (e.g., murder,
kidnapping, child molestation, racketeering, narcotics
offenses) through the interception of oral communications. In
addition, 37 states have passed laws that are similar to Title
III, but they include such additional restrictions as allowing
only a fixed number of interceptions per year (Connecticut) or
only for drugrelated crimes (California). State wiretaps
account for the majority of wiretaps in the United States.

   Surveillance of oral communications governed under Title
III in general requires a court order (i.e., a warrant)
granted at the discretion of a judge.(5) Because electronic
surveillance of oral communications is both inherently
intrusive and clandestine, the standards for granting a
warrant for such surveillance are more stringent than those
required by the Fourth Amendment. These additional
requirements are specified in Title III and are enforced by
criminal and civil penalties applicable to law enforcement
officials or private citizens, and by a statutory exclusionary
rule that violations of the central features of requirements
may lead to suppression of evidence in a later trial, even if
such evidence meets the relevant Fourth Amendment test.

   Because of the resources required, the administrative
requirements for the application procedure, and the legal
requirement that investigators exhaust other means of
obtaining information, wiretaps are not often used.
Approximately 1,000 orders (both federal and state) are
authorized yearly (a number small compared to the number of
felonies investigated, even if such felonies are limited to
those specified in Title III as eligible for investigation
with wiretaps).(6) About 2,500 conversations are intercepted
per order, and the total number of conversations intercepted
is a very small fraction of the annual telephone traffic in
the United States.

   Surveillance of nonvoice communications, including fax and
electronic communications, is also governed by Title III.(7)
The standard for obtaining an intercept order for electronic
communications is less stringent than that for intercepting
voice communications. For example, any federal felony may be
investigated through electronic interception. In addition, the
statutory exclusionary rule of Title III for oral and wire
communications does not apply to electronic communications.

   Despite the legal framework outlined above, it is
nevertheless possible that unauthorized or unlawful
surveillance, whether undertaken by rogue law enforcement
officials or overzealous private investigators, also occurs.
Concerns over such activity are often expressed by critics of
the current administration policy, and they focus on two

   +    With current telephone technology, it is sometimes
technically possible for individuals (e.g., private
investigators, criminals, rogue law enforcement personnel) to
undertake wiretaps on their own initiative (e.g., by placing
alligator clips on the proper terminals in the telephone box
of an apartment building). Such wiretaps would subject the
personnel involved to Title III criminal penalties, but
detection of such wiretaps might well be difficult. On the
other hand, it is highly unlikely that such a person could
obtain the cooperation of major telephone service providers
without a valid warrant or court order, and so these wiretaps
would have to be conducted relatively close to the target's
telephone, and not in a telephone switching office.

   +    Information obtained through a wiretap in violation of
Title III can be suppressed in court, but such evidence may
still be useful in the course of an investigation.
Specifically, such evidence may cue investigators regarding
specific areas that would be particularly fruitful to
investigate, and if the illegal wiretap is never discovered,
a wiretap that provides no court-admissible evidence may still
prove pivotal to an investigation.(8) (Even if it is
discovered, different judges apply the doctrine of discarding
"the fruit of the poisonous tree" with different amounts of

   The extent to which these and similar scenarios actually
occur is hard to determine. Information provided by the FBI to
the committee indicates a total of 187 incidents of various
types (including indictment/complaints and convictions/
pretrial diversions) involving charges of illegal electronic
surveillance (whether subsequently confimed or not) over the
past 5 fiscal years (1990 through 1994).(9)


   (5)  Emergency intercepts may be performed without a
warrant in certain circumstances, such as physical danger to
a person or conspiracy against the national security. There
has been "virtually no use" of the emergency provision, and
its constitutionality has not been tested in court. Wayne R.
LaFave and Jerold H. Israel, *Criminal Procedure*, West
Publishing Company, St. Paul, Minnesota, 1992, p. 254.

   (6)  Some analysts critical of the U.S. government position
on wiretaps have suggested that the actual distribution of
crimes investigated under Title Ill intercept or surveillance
orders may be somewhat inconsistent government claims of the
high value of such orders. (See, for example, testimony of
David B. Kopel, Cato Institute, "Hearings on Wiretapping and
Other Terrorism Proposals," Committee on the Judiciary, U.S.
Senate, May 24, 1995, also available on line at
http://www.cato.org/ct5-24-5.html.) For example, Table D.3 in
Appendix D indicates that no cases involving arson,
explosives, or weapons were investigated using Title III
wiretaps in 1988. The majority of Title III orders have
involved drug and gambling crimes.

   (7)  Note that when there is no reasonable expectation of
privacy, law enforcement officials are not required to
undertake any special procedure to monitor such
communications. For example, a law enforcement official
participating in an on line "chat" group is not required to
identify himself as such, nor must he obtain any special
permission at all monitor the traffic in question. However, as
a matter of policy, the FBI does not systematically monitor
electronic forums such as Internet relay chats.

   (8)  Such concerns are raised by reports of police
misconduct as described in Chapter 1.

   (9)  The committee recognizes the existence of controversy
over the question of whether such reports should be taken at
face value. For example, critics of the U.S. government who
believe that law enforcement authorities are capable of
systematically abusing wiretap authority argue that law
enforcement authorities would not be expected to report
figures that reflected such abuse. Alternatively, it is also
possible that cases of improper wiretaps are in fact more
numerous than reported and have simply not come to the
attention of the relevant authorities. The committee discussed
such matters and concluded that it had no reason to believe
that the information it received on this subject from law
enforcement authorities was in any way misleading.


Domestic Communications Surveillance
for Foreign Intelligence Purposes

   The statute governing interception of electronic
communications for purposes of protecting national security is
known as the Foreign Intelligence Surveillance Act (FISA),
which has been codified as Sections 1801 to 1811 in Title 18
of the U.S. Code. Passed in 1978, FISA was an attempt to
balance Fourth Amendment rights against the constitutional
responsibility of the executive branch to maintain national
security. FISA is relevant only to communications occurring at
least partly within the United States (wholly, in the case of
radio communications), although listening stations used by
investigating officers may be located elsewhere, and FISA
surveillance may be performed only against foreign powers or
their agents. Interception of communications, when the
communications occur entirely outside the United States,
whether or not the participants include U.S. persons, is not
governed by FISA, Title III, or any other statute. However,
when a U.S. person is outside the United States, Executive
Order 12333 governs any communications intercepts targeted
against such individuals.

   The basic framework of FISA is similar to that of Title
III, with certain important differences, among which are the

   +    The purpose of FISA surveillance is to obtain foreign
intelligence information, defined in terms of U.S. national
security, including defense against attack, sabotage,
terrorism, and clandestine intelligence activities, among
others. The targeted communications need not relate to any
crime or be relevant as evidence in court proceedings.

   +    In most instances, a FISA surveillance application
requires a warrant based on probable cause that foreign
intelligence information will be collected.(10) Surveillance
of a U.S. person (defined as a U.S. citizen, U.S. corporation
or association, or legal resident alien) also requires
probable cause showing that the person is acting as a foreign
agent. Political and other activities protected by the First
Amendment may not serve as the basis for treating a U.S.
person as a foreign agent.

   +    Targets of FISA surveillance might never be notified
that communications have been intercepted.

   Since 1979, there have been an average of over 500 FISA
orders per year. In 1992, 484 were issued. Other information
about FISA intercepts is classified.


   (10) Surveillance may take place without a court order for
up to 1 year if the Attorney General certifies that there is
very little likelihood of intercepting communications
involving U.S. persons and that the effort will target
facilities used exclusively by foreign powers. Under limited
circumstances, emergency surveillance may be performed before
a warrant is obtained. Clifford S. Fishman, *Wiretapping and
Eavesdropping: Cumulative Supplement*, Clark Boardman
Callaghan, Deerfield, Ill., November 1994 sections 361, 366.


           3.2.3 The Nature of Surveillance Needs
                     of Law Enforcement

   In cooperation with the National Technical Investigators
Association, the FBI has articulated a set of requirements for
its electronic surveillance needs (Box 3.3). Of course, access
to surveillance that does not meet all of these requirements
is not necessarily useless. For example, surveillance that
does not meet the transparency requirement may still be quite
useful in certain cases (e.g., if the subjects rationalize the
lack of transparency as "static on the line"). The basic point
is that these requirements constitute a set of continuous
metrics by which the quality of a surveillance capability can
be assessed, rather than a list that defines what is or is not
useful surveillance. Of these requirements, the real-time
requirement is perhaps the most demanding. The FBI has noted

   [s]ome encryption products put at risk efforts by federal,
   state and local law enforcement agencies to obtain the
   contents of intercepted communications by precluding
   real-time decryption. Real-time decryption is often
   essential so that law enforcement can rapidly respond to
   criminal activity and, in many instances, prevent serious
   and life-threatening criminal acts.(11)

   Real-time surveillance is generally less important for
crimes that are prosecuted or investigated than for crimes
that are prevented because of the time scales involved.
Prosecutions and investigations take place on the time scales
of days or more, whereas prevention may take place on the time
scale of hours. In some instances, the longer time scale is
relevant: because Title III warrants can be issued only when
"probable cause" exists that a crime has been committed, the
actual criminal act is committed before the warrant is issued,
and thus prevention is no longer an issue. In other instances,
information obtained under a valid Title III warrant issued to
investigate a specific criminal act can be used to prevent a
subsequent criminal act, in which case the shorter time scale
may be relevant. The situation is similar under FISA, in which
warrants need not necessarily be obtained in connection with
any criminal activity. A good example is terrorism cases, in
which it is quite possible that real-time surveillance could
provide actionable information useful in thwarting an imminent
terrorist act.


   (11) Statement of James K. Kallstrom, Special Agent in
Charge, Special Operations Division, New York Field Division,
Federal Bureau of Investigation on "Security Issues in
Computers and Communications," before the Subcommittee on
Technology, Environment, and Aviation of the Committee on
Science, Space, and Technology, U.S. House of Representatives,
May 3, 1994. An illustrative example is an instance in which
the FBI was wiretapping police officers who were allegedly
guarding a drug shipment. During that time, the FBI overheard
a conversation between the police chief and several other
police officials that the FBI believes indicated a plot to
murder a certain individual who had previously filed a police
brutality complaint against the chief. (However, the FBI was
unable to decode the police chief's "street slang and police
jargon" in time to prevent the murder.) See Paul Keegan, "The
Thinnest Blue Line," *New York Times Magazine*, March 31,
1996, pp. 32-35.


       3.2.4 The Impact of Cryptography and New Media
      on Law Enforcement (Stored and Communicated Data)

   Cryptography can affect information collection by law
enforcement officials in a number of ways. However, for
perspective, it is important to keep in mind a broader context
-- namely that advanced information technologies (of which
cryptography is only one element) have potential impacts
across many different dimensions of law enforcement; Box 3.4
provides some discussion of this point.

Encrypted Communications

             As far as the committee has been able to determine,
criminal use of digitally encrypted voice communications has
not presented a significant problem to law enforcement to
date.(12) On rare occasions, law enforcement officials
conducting a wiretap have encountered "unknown signals" that
could be encrypted traffic or simply a data stream that was
unrecognizable to the intercept equipment. (For example, a
high-speed fax transmission might be transported on a
particular circuit; a monitoring agent might be unable to
distinguish between the signal of the fax and an encrypted
voice signal with the equipment available to him.)

   The lack of criminal use of encryption in voice
communications most likely reflects the lack of use of
encryption by the general public. Moreover, files are more
easily encrypted than communications, simply because the use
of encrypted communications presumes an equally sophisticated
partner, whereas only one individual must be knowledgeable to
encrypt files. As a general rule, criminals are most likely to
use what is available to the general public, and the
encryption available to and usable by the public has to date
been minimal. At the same time, sophisticated and wealthy
criminals (e.g., those associated with drug cartels) are much
more likely to have access to and to use cryptography.(13)

   In data communications, one of the first publicized
instances of law enforcement use of a Title III intercept
order to monitor a suspect's electronic mail occurred in
December 1995, when the customer of an on-line service
provider was the subject of surveillance during a criminal
investigation.(14) E-mail is used for communications; a
message is composed at one host, sent over a communications
link, and stored at another host. Two opportunities exist to
obtain the contents of an e-mail message -- the first while
the message is in transit over the communications link, and
the second while it is resident on the receiving host. From a
technical perspective, it is much easier to obtain the message
from the receiving host, and this is what happened in the
December 1995 instance. (Appendix D contains more detail on
how electronic communications are treated under Title III.)

   Federal law enforcement authorities believe that encryption
of communications (whether voice or data) will be a
significant problem in the future. FBI Director Louis Freeh
has argued that "unless the issue of encryption is resolved
soon, criminal conversations over the telephone and other
communications devices will become indecipherable by law
enforcement. This, as much as any issue, jeopardizes the
public safety and national security of this country. Drug
cartels, terrorists, and kidnappers will use telephones and
other communications media with impunity knowing that their
conversations are immune from our most valued investigative
technique." l5 In addition, the initial draft of the digital
telephony bill called for telephone service providers to
deliver the plaintext of any encrypted communications they
carried, a provision that was dropped in later drafts of the


   (12) In this regard, it is important to distinguish between
"voice scramblers" and encrypted voice communications. Voice
scramblers are a relatively old and widely availab]e
technology for concealing the contents of a voice
communication; they transform the analog waveform of a voice
and have nothing to do with encryption per se. True encryption
is a transformation of digitally represented data. Voice
scramblers have been used by criminals for many years, whereas
devices for digital encryption remain rare.

   (13) For example, police raids in Colombia on offices of
the Cali cartel resulted in the seizure of advanced
communications devices, including radios that distort voices,
videophones to provide visual authentication of callers'
identities, and devices for scrambling computer modem
transmissions. The Colombian defense minister was quoted as
saying that the CIA had told him that the technological
sophistication of the Cali cartel was about equal to that of
the KGB at the time the Soviet Union's collapse. See James
Brooke, "Crackdown Has Cali Drug Cartel on the Run," *New York
Times*, June 27, 1995, p. A-1.

   (14) See Gautam Naik, "U.S., Using E-Mail Tap, Charges
Three with Operating Cellular-Fraud Ring," *Wall Street
Journal*, January 2, 1996, p. B-16.

   (15) See the Prepared Statement of Louis J. Freeh,
Director, Federal Bureau of Investigation, for the Federal
Drug Law Enforcement Hearing before the House Judiciary
Committee, Subcommittee on Crime, U.S. House of
Representatives, March 30, 1995.

   (16) The final bill provides that "a telecommunications
carrier shall not be responsible for decrypting, or ensuring
the government's ability to decrypt, any communication
encrypted by a subscriber or customer, unless the encryption
was provided by the carrier and the carrier possesses the
information necessary to decrypt the communication."


Encrypted Data Files

   Encryption by criminals of computer-based records that
relate to their criminal activity is likely to pose a
significant problem for law enforcement in the future. FBI
Director Freeh has noted publicly(17) two instances in which
encrypted files have already posed a problem for law
enforcement authorities: a terrorist case in the Philippines
involving a plan to blow up a U.S. airliner as well as a plan
to assassinate the Pope in late 1994,(18) and the "Innocent
Images" child pornography case of 1995 in which encrypted
images stood in the way of grand jury access procedures.(19)
Furthermore, Director Freeh told the committee that the use of
stored records in criminal prosecutions and investigations was
much more frequent than the use of wiretaps.

   The problem of encrypted data files is similar to the case
in which a criminal keeps books or records in a code or a
language that renders them unusable to anyone else -- in both
instances, the cooperation of the criminal (or someone else
with access to the key) is necessary to decipher the records.
The physical records as well as any recorded version of the
key, if such a record exists, are available through a number
of standard legal mechanisms, including physical search
warrants and subpoenas. On the other hand, while the nature of
the problem itself is the same in both instances, the ease and
convenience of electronic encryption, especially if performed
automatically, may increase the frequency with which
encryption is encountered and/or the difficulties faced by law
enforcement in cryptanalyzing the material in question without
the cooperation of the criminal.

   Finally, the problem of exceptional access to stored
encrypted information is more easily solved than the problem
of exceptional access to encrypted communications. The reason
is that for file decryption, the time constraints are
generally less stringent. A file may have existed for many
days or weeks or even years, and the time within which
decryption is necessary (e.g., to build a criminal case) is
measured on the time scale of investigatory activities; by
contrast, the relevant time scale in the case of decrypting
communications may be the time scale of operations, which
might be as short as minutes or hours.


   (17) Speech of FBI Director Louis Freeh, before the
International Cryptography Institute, Washington, D.C.,
September 21, 1995.

   (18) A general discussion of this case is found in Phillip
Shenon, "World Trade Center Suspect Linked to Plan to Blow Up
2 Planes," *New York Times*, March 26, 1995, p. 37.

   (19) A general discussion of the Innocent Images case is
found in Kara Swisher, "On-Line Child Pornography Charged As
12 Are Arrested," *Washington Post*, September 14, 1995, p. 1.



   Cryptography is a two-edged sword for U.S. national
security interests. Cryptography is important in maintaining
the security of U.S. classified information (Appendix I), and
the U.S. government has developed its own cryptographic
systems to meet these needs. At the same time, the use of
cryptography by foreign adversaries also hinders U.S.
acquisition of communications intelligence. This section
discusses the latter. (Appendix F contains a short primer on

         3.3.1 The Value of Signals Intelligence(21)

   Signals intelligence (SIGINT) is a critically important arm
of U.S. intelligence, along with imagery intelligence (IMINT)
and intelligence information collected directly by people,
i.e., human intelligence (HUMINT). SIGINT also provides timely
tip-off and guidance to IMINT and HUMINT collectors and is, in
turn, tipped off by them. As in the case of law enforcement,
the information contained in a communications channel treated
by an opponent as secure is likely to be free of intentional

   The committee has received both classified and unclassified
assessments of the current value of SIGINT and finds that the
level of reporting reflects a continuing capability to produce
both tactical and strategic information on a wide range of
topics of national intelligence interest. SIGINT production is
responding to the priorities established by Presidential
Decision Directive 35. As publicly described by President Bill
Clinton in remarks made to the staff of the CIA and
Intelligence Community, the priorities are as follows:

   +    "First, the intelligence need of our military during
an operation ...,

   +    Second, political, economic and military intelligence
about countries hostile to the United States. We must also
compile all-source information on major political and economic
powers with weapons of mass destruction who are potentially
hostile to us,

   +    Third, intelligence about specific trans-national
threats to our security, such as weapons proliferation,
terrorism, drug trafficking, organized crime, illicit trade
practices and environmental issues of great gravity."(22)

   SIGINT is one valuable component of the overall U.S.
intelligence capability. It makes important contributions to
ensure an informed, alert, and secure environment for U.S. war
fighters and policy makers.


   (20) One note on terminology: In the signals intelligence
community, the tenn "access" is used to refer to obtaining the
desired signals, whether those signals are encrypted or not.
This use conflicts with the usage adopted in this report, in
which "access" generally means obtaining the information
contained in a signal (or message or file).

   (21) This report deals only with the communications
intelligence (COMINT) aspects of SIGINT; see Appendix F for a
discussion of electronic intelligence (ELINT) and its
relationship to COMINT.

   (22) Office of the Press Secretary, The White House,
"Remarks by the President to Staff of the CIA and Intelligence
Community," Central Intelligence Agency, McLean, Virginia,
July 14, 1995.


SIGINT Support of Military Operations

   SIGINT is important to both tactical and strategic
intelligence. Tactical intelligence provides operational
support to forces in the field, whether these forces are
performing military missions or international law enforcement
missions (e.g., as in drug eradication raids in Latin America
conducted in cooperation with local authorities). The tactical
dimensions were most recently demonstrated in the Gulf War
through a skillfully orchestrated interaction of SIGINT,
IMINT, and HUMINT that demonstrated the unequaled power of
U.S. intelligence. SIGINT produced timely command and control
intelligence and specific signal information to support
electronic warfare; IMINT provided precise locating
information to permit precision bombing, together with HUMINT;
SIGINT and IMINT provided the field commands with an
unprecedented degree of battlefield awareness.

   History also demonstrates many instances in which SIGINT
has proven decisive in the conduct of tactical military
operations. These instances are more easily identified now
because the passage of time has made the information less

   +    The American naval victory at the Battle of Midway and
the destruction of Japanese merchant shipping resulted, in
part, from Admiral C.W. Nimitz's willingness to trust the
SIGINT information he received from his intelligence staff.
General George Marshall wrote that as the result of this
SIGINT information, "we were able to concentrate our limited
forces to meet [the Japanese] naval advance on Midway when
otherwise we almost certainly would have been some 3,000 miles
out of place."(23)

   +    The shoot-down in April 1943 of the commander-in-chief
of the Japanese Navy, Admiral Isoroku Yamamoto, was the direct
result of a signals intercept that provided his detailed
itinerary for a visit to the Japanese front lines.(24)

   +    The U.S. Navy was able to compromise the operational
code used by German U-boats in the Atlantic in 1944, with the
result that large numbers of such boats were sunk.(25)

   +    Allied intercepts of German army traffic were
instrumental in the defense of the Anzio perimeter in Italy in
February 1944, a defense that some analysts believe was a
tuming point in the Italian campaign; these intercepts
provided advance knowledge of the German timing, direction,
and weight of assault, and enabled Allied generals to
concentrate their resources in the appropriate places.(26)

   While these examples are 50 years old, the nature of
warfare is not so different today as to invalidate the utility
of successful SIGINT. A primary difference between then and
now is that the speed of warfare has increased substantially,
placing a higher premium on real-time or near-real-time
intercepts. Since the end of World War II, SIGINT has provided
tactical support to every military operation involving U.S.

   Other types of tactical intelligence to which SIGINT can
contribute include indications and warning efforts (detecting
an adversary's preparations to undertake armed hostilities);
target identification, location, and prioritization (what
targets should be attacked, where they are, and how important
they are); damage assessment (how much damage an attacked
target sustained); and learning the enemy's rules of
engagement (under what circumstances an adversary is allowed
to engage friendly forces).


   (23) A good discussion of these topics is given in Kahn,
*The Codebreakers*, 1967, pp. 561-573 (Midway) and pp. 593-594
(merchant shipping).

   (24) See Kahn, *The Codebreakers*, 1967, pp. 595-601.

   (25) Kahn, *The Codebreakers*, 1967, pp 504-507.

   (26) See Ralph Bennett, *Ultra and Mediterranean Strategy*,
William Morrow and Company, New York, 1989, pp. 265-269.

   (27) See Kahn. *The Codebreakers*, 1967, pp. 358-359.


SIGINT Support of Strategic Intelligence

   Strategic (or national) intelligence is intended to provide
analytical support to senior policy makers, rather than field
commanders. In this role, strategic or national intelligence
serves foreign policy, national security, and national
economic objectives. Strategic intelligence focuses on foreign
political and economic events and trends, as well as on
strategic military concerns such as plans, doctrine,
scientific and technical resources, weapon system
capabilities, and nuclear program development. History also
demonstrates the importance of SIGINT in a diplomatic,
counter-intelligence, and foreign policy context:

   +    In the negotiations following World War I over a
treaty to limit the tonnage of capital ships (the Washington
Conference on Naval Arms Limitations), the U.S. State
Department was able to read Japanese diplomatic traffic
instructing its diplomats. One particular decoded intercept
provided the bottom line in the Japanese position, information
that was useful in gaining Japanese concessions.(27)

   +    Recently Director of Central Intelligence John Deutch
unveiled the so-called VENONA material, decrypted Soviet
intelligence service messages of the mid-1940s that revealed
Soviet espionage against the U.S. atomic program.(28)
Intelligence about the Cuban missile crisis has been released.
Although primarily a story about U-2 photography, the role of
SIGINT is included as well.

   +    Decrypted intercepts of allied communications in the
final months of World War II played a major role in assisting
the United States to achieve its goals at the conference
called to decide on the United Nations charter. American
policy makers knew the negotiating positions of nearly all of
the participating nations and thus were able to control the
debate to a considerable degree.(29)

   +    During the Cold War, SIGINT provided information about
adversary military capabilities, weapons production, command
and control, force structure and operational planning, weapons
testing, and activities of missile forces and civil defense.

   In peacetime as in combat, each of the intelligence
disciplines can contribute critical information in support of
national policy. Former Director of Central Intelligence
Admiral Stansfield Turner has pointed out that "[e]lectronic
intercepts may be even more useful [than human agents] in
discerning intentions. For instance, if a foreign official
writes about plans in a message and the United States
intercepts it, or if he discusses it and we record it with a
listening device, those verbatim intercepts are likely to be
more reliable than second-hand reports from an agent."(30) He
also noted that "as we increase emphasis on securing economic
intelligence, we will have to spy on the more developed
countries -- our allies and friends with whom we compete
economically -- but to whom we turn first for political and
military assistance in a crisis. This means that rather than
instinctively reaching for human, on-site spying, the United
States will want to look to those impersonal technical
systems, primarily satellite photography and intercepts."(31)

   Today, the United States conducts the largest SIGINT
operation in the world in support of information relevant to
conventional military threats; the proliferation of weapons of
mass destruction; terrorism; enforcement of international
sanctions; protection of U.S. economic and trade interests;
and political and economic developments abroad.

   +    U.S. intelligence has been used to uncover unfair
trade practices (as determined by U.S. law and custom) of
other nations whose industries compete with U.S. businesses,
and has helped the U.S. government to ensure the preservation
of a level economic playing field. According to the NSA, the
economic benefits of SIGINT contributions to U.S. industry
taken as a whole have totaled tens of billions of dollars over
the last several years.

   +    In sanctions-monitoring and enforcement, intelligence
intercepts of Serbian communications are reported to have been
the first indication for U.S. authorities that an F-16 pilot
enforcing a no-fly zone over Serbia and shot down in June 1995
was in fact alive,(32) and an important element in his rescue.
If the pilot had indeed been captured, U.S. options in Serbia
could have been greatly constrained.

   +    SIGINT that has been made public or that has been
tacitly acknowledged includes information about the shoot-down
of the Korean airliner KAL 007 on September 1, 1983, and the
bombing of La Belle Discotheque in West Berlin ordered by
Libya in April 1986.

   +    In foreign policy, accurate and timely intelligence
has been, and remains vital to, U.S. efforts to avert
conflicts between nations.

   +    In September 1988, President Ronald Reagan made the
decision to disclose NSA decrypts of Iraqi military
communications "to prove that, despite their denials, Iraqi
armed forces had used poison gas against the Kurds."(33)

   The information provided by SIGINT has helped to produce
information on weapons proliferation, providing indications of
violations of treaties or embargo requirements. SIGINT has
collected information on international terrorism and foreign
drug trafficking, thereby assisting in the detection of drug
shipments intended for delivery to the United States.

   Similarly, such information will continue to be a source of
important economic intelligence.

   In conducting these intelligence-gathering operations, a
wide variety of sources may be targeted, including the
communications of governments, nongovernment institutions, and
individuals. For example, banking is an international
enterprise, and the U.S. government may need to know about
flows of money for purposes of counter-terrorism or sanctions

   Although the value of SIGINT to military operations and to
law enforcement is generally unquestioned, senior decision
makers have a wide range of opinions on the value of strategic
and/or political intelligence. Some decision makers are
voracious consumers of intelligence reports. They believe that
the reports they receive provide advance notice of another
party's plans and intentions, and that their own decisions are
better for having such information. These decision makers find
that almost no amount of information is too much, and any
given piece of information has the potential to be helpful.

   To illustrate the value of SIGINT to some senior policy
makers, it is helpful to recall President Clinton's remarks to
the intelligence community on July 14, 1995, at the CIA: he
said that "in recent months alone you warned us when Iraq
massed its troops against the Kuwaiti border. You provided
vital support to our peacekeeping and humanitarian missions in
Haiti and Rwanda. You helped to strike a blow at a Colombian
drug cartel. You uncovered bribes that would have cheated
American companies out of billions of dollars." On a previous
occasion, then-President George Bush gave his evaluation of
SIGINT when he said that "... over the years I've come to
appreciate more and more the full value of SIGINT. As
President and Commander-in-Chief, I can assure you, signals
intelligence is a prime factor in the decision making process
by which we chart the course of this nation's foreign

   Some policy makers, generally less senior than the
President, have stated that while intelligence reports are
occasionally helpful, they do not in general add much to their
decision-making ability because they contribute to information
overload, are not sufficiently timely in the sense that the
information is revealed shortly in any event, lack necessary
context-setting information, or do not provide much
information beyond that available from open sources. Even
among the members of the committee who have served in senior
government positions, this range of opinion is

   The perceived value of strategic SIGINT (as with many other
types of intelligence) depends largely on the judgment and
position of the particular individuals whom the intelligence
community is serving. These individuals change over time as
administrations come and go, but intelligence capabilities are
built up over a time scale longer than the election cycle. The
result is that the intelligence community gears itself to
serve those decision makers who will demand the most from it,
and is loath to surrender sources and/or capabilities that may
prove useful to decision makers.

   Since the benefits of strategic intelligence are so
subjective, formal cost-benefit analysis caImot be used to
justify a given level of support for intelligence. Rather,
intelligence tends to be supported on a "level-of-effort"
basis, that is, a political judgment about what is
"reasonable," given other defense and nondefense pressures on
the overall national budget.


   (28) Center for Cryptologic History, National Security
Agency, *Introductory History of VENONA and Guide to the
Translations*, Fort George G. Meade, Maryland, undated. VENONA
material is also available from the Web site of the National
Security Agency at

   (29) Stephen Schlesinger, "Cryptanalysis for Peacetime:
Codebreaking and the Birth and Structure of the United
Nations," *Cryptologia*, Volume 19(3), July 1995, pp. 217-235.

   (30) Stansfield Turner, "Intelligence for a New World
Order," *Foreign Affairs*, Fall 1991, pp. 150-166.

   (31) Turner, "Intelligence for a New World Order," 1991,
pp. 150-166.

   (32) Daniel Williams, "'I'm Ready to Get the Hell Out of
Here,"' *Washington Post*, July 9, 1995, p. A-1.

   (33) Christopher Andrew, *For the President's Eyes Only*,
HarperCollins, New York, 1995.

   (34) *Public Papers of the Presidents*, U.S. Government
Printing, Office, Washington, D.C., 1991, as quoted by Andrew
in *For the President's Eyes Only*, 1995, p. 526.

   (35) For an open-source report on the value of intelligence
as perceived by different policy makers, see David E. Sanger,
"Emerging Role for the C.l.A.: Economic Spy," *New York
Times*, October 15, 1995, p. 1; David E. Sanger, "When Spies
Look Out for the Almighty Buck," *New York Times*, October 22,
1995, p. 4.


          3.3.2 The Impact of Cryptography on SIGINT

   Cryptography poses a threat to SIGINT for two separate but
related reasons:

   +    Strong cryptography can prevent any given message from
being read or understood. Strong cryptography used primarily
by foreign governments with the discipline to use those
products on a regular and consistent basis presents the United
States with a formidable challenge. Some encrypted traffic
regularly intercepted by the United States is simply
undecipherable by any known means.

   +    Even weak cryptography, if practiced on a widespread
basis by foreign governments or other entities, increases the
cost of exploitation dramatically.(36) When most messages that
are intercepted are unencrypted, the cost to determine whether
an individual message is interesting is quite low. However, if
most intercepted messages are encrypted, each one has to be
cryptanalyzed individually, because the interceptor does not
know if it is interesting or not.(37)

   According to administration officials who testified to the
committee, the acquisition and proper use of cryptography by
a foreign adversary could impair the national security
interests of the United States in a number of ways:

   +    Cryptography used by adversaries on a wide scale would
significantly increase the cost and difficulty of intelligence
gathering across the full range of U.S. national security

   +    Cryptography used by governments and foreign companies
can increase an adversary's capability to conceal the
development of missile delivery systems and weapons of mass

   +    Cryptography can improve the ability of an adversary
to maintain the secrecy of its military operations to the
detriment of U.S. or allied military forces that might be
similarly engaged.

   The above comments suggest that the deployment of strong
cryptography that is widely used will diminish the
capabilities of those responsible for SIGINT. Today, there is
a noticable trend toward better and cheaper encryption that is
steadily closing the window of exploitation of unencrypted
communications. The growth of strong encryption will reduce
the availability of such intelligence. Using capabilities and
techniques developed during the Cold War, the SIGINT system
will continue its efforts to collect against countries and
other entities newly hostile to the United States. Many
governments and parties in those nations, however, will be
potential customers for advanced cryptography as it becomes
available on world markets. In the absence of improved
cryptanalytic methods, cooperative arrangements with foreign
governments, and new ways of approaching the information
collection problem, it is likely that losses in traditional
SIGINT capability would result in a diminished effectiveness
of the U.S. intelligence community.


   (36) This point is echoed in Susan Landau et al., *Codes,
Keys, and Conflicts: Issues in U.S. Crypto Policy*, 1994, p.

   (37) For example, assume that 1 out of every 1,000 messages
is interesting, and the cost of intercepting a message is X
and the cost of decrypting a message is Y. Thus, each
interesting message is acquired at a cost of 1,000 X + Y.
However, if every message is encrypted, the cost of each
interesting message is 1,000 (X + Y), which is approximately
1,000 Y larger. In other words, the cryptanalyst must do 1,000
times more work for each interesting message.



   It is instructive to consider the similarities in and
differences between national security and law enforcement
needs for communications monitoring.

                     3.4. 1 Similarities

   +    *Secrecy*. Both foreign policy and law enforcement
authorities regard surreptitiously intercepted communications
as a more reliable source than information produced through
other means. Surveillance targets usually believe (however
falsely) that their communications are private; therefore,
eavesdropping must be surreptitious and the secrecy of
monitoring maintained. Thus, the identity and/or nature of
specific SIGINT sources are generally very sensitive pieces of
information, and are divulged only for good cause.

   +    *Timeliness*. For support of tactical operations,
near-real-time information may be needed (e.g., when a crime
or terrorist operation is imminent, when hostile forces are
about to be engaged).

   +    *Resources available to targets*. Many parties
targeted for electronic surveillance for foreign policy
reasons or by law enforcement authorities lack the resources
to develop their own security products, and are most likely to
use what they can purchase on the commercial market.

   +    *Allocation of resources for collection*. The size of
the budget allocated to law enforcement and to the U.S.
intelligence community is not unlimited. Available resources
constrain both the amount of surveillance law enforcement
officials can undertake and the ability of the U.S. SIGINT
system to respond to the full range of national intelligence
requirements levied upon it.

        --     Electronic surveillance, although in many cases
        critical, is only one of the tools available to U.S.
        law enforcement. Because it is manpower intensive, it
        is a tool used sparingly; thus, it represents a
        relatively small percentage of the total investment.
        The average cost of a wiretap order is $57,000 (see
        Appendix D) or approximately one-half of a
        full-time-equivalent agent-year.

        --     The U.S. SIGINT system is a major contributor
        to the overall U.S. intelligence collection capability
        and represents a correspondingly large percentage of
        the foreign intelligence budget. Although large, the
        U.S. system is by no means funded to "vacuum clean"
        the world's communications. It is sized to gather the
        most potentially lucrative foreign signals and
        targeted very selectively to collect and analyze only
        those communications most likely to yield information
        relating to highest priority intelligence needs.

   +    Perceptions of the problem. The volume of electronic
traffic and the use of encryption are both expected to grow,
but how the growth of one will compare to that of the other is
unclear at present. If the overall growth in the volume of
unencrypted electronic traffic lags the growth in the use of
cryptography, those conducting surveillance for law
enforcement or foreign policy reasons may perceive a loss in
access because the fraction of intercepts available to them
will decrease, even if the absolute amount of information
intercepted has increased as the result of larger volumes of
information. Of course, if the communicating parties take
special care to encrypt their sensitive communications, the
absolute amount of useful information intercepted may decrease
as well.

                      3.4.2 Differences

   +    *Protection of sources*. While the distinction is not
hard and fast, law enforcement authorities conducting an
electronic surveillance are generally seeking specific items
of evidence that relate to a criminal act and that can be
presented in open court, which implies that the source of such
information (i.e., the wiretap) will be revealed (and possibly
challenged for legal validity). By contrast, national security
authorities are usually seeking a body of intelligence
information over a longer period of time and are therefore far
more concerned with preserving the secrecy of sources and

   +    *Definition of interests*. There is a consensus,
expressed in law, about the specific types of domestic crimes
that may be investigated through the use of wiretapping. Even
internationally, there is some degree of consensus about what
activities are criminal; the existence of this consensus
enables a considerable amount of law enforcement cooperation
on a variety of matters. National security interests are
defined differently and are subject to refinement in a
changing world, and security interests often vary from nation
to nation. However, a community of interest among NATO allies
and between the United States and the major nations of the
free world makes possible fruitful intelligence relationships,
even though the United States may at times target a nation
that is both ally and competitor.

   +    *Volume of potentially relevant communications*. The
volume of communications of interest to law enforcement
authorities is small compared to the volume of interest to
national security authorities.

   +    *Legal framework*. Domestic law enforcement
authorities are bound by constitutional protections and
legislation that limit their ability to conduct electronic
surveillance. National security authorities operate under far
fewer legal constraints in monitoring the communications of
foreign parties located outside the United States.

   +    *Perceptions of vulnerability to surveillance*.
Parties targeted by national security authorities are far more
likely to take steps to protect their communications than are
most criminals.


   As noted above in Section 3.1, an employer may need access
to data that has been encrypted by an employee. Corporations
that use cryptography for confidentiality must always be
concerned with the risk that keys will be lost, corrupted,
required in some emergency situation, or otherwise be
unavailable, and they have a valid interest in defending their
interests in the face of these eventualities.(38)
             Cryptography can present problems for companies attempting
to satisfy their legitimate business interests in access to
stored and communicated information:

   +    *Stored data*. For entirely legitimate business
reasons, an employee might encrypt business records, but due
to circumstances such as vacation or sick leave, the employer
might need to read the contents of these records without the
employee's immediate assistance. Then again, an employee might
simply forget the relevant password to an encrypted file, or
an employee might maliciously refuse to provide the key (e.g.,
if he has a grudge against his employer), or might keep
records that are related to improper activities but encrypt
them to keep them private; a business undertaking an audit to
uncover or investigate these activities might well need to
read these records without the assistance of the employee. For
example, in a dispute over alleged wrongdoing of his
superiors, a Washington, D.C., financial analyst changed the
password on the city's computer and refused to share it.(39)
In another incident, the former chief financial officer of an
insurance company, Golden Eagle Group Ltd, installed a
password known only to himself and froze out operations. He
demanded a personal computer that he claimed was his, his
final paycheck, a letter of reference, and a $100 fee --
presumably for revealing the password.(40) While technical
fixes for these problems are relatively easy, they do
demonstrate the existence of motivation to undertake such
actions. Furthermore, it is poor management practice that
allows a single employee to control critical data, but that is
beyond the scope of this study.

   +    Communications. A number of corporations provided
input to the committee indicating that for entirely legitimate
business reasons (e.g., for resolution of a dispute between
the corporation and a customer), an employer might need to
learn about the content of an employee's communications.
Alternatively, an employee might use company communications
facilities as a means for conducting improper activities
(e.g., leaking company-confidential information, stealing
corporate assets, engaging in kickback or fraud schemes,
inappropriately favoring one supplier over another). A
business undertaking an audit to uncover or investigate these
activities might well need to monitor these communications
without the consent of the employee (Box 3.1)(41) but would be
unable to do so if the communications were encrypted. In other
instances, a comparly might wish to assist law enforcement
officials in investigating information crimes against it(42)
but would not be able to do so if it could not obtain access
to unsanctioned employee-encrypted files or communications.
Many, though certainly not all, businesses require prospective
employees to agree as a condition of employment that their
communications are subject to employer monitoring under
various circumstallces.(43)

   It is a generally held view among businesses that
provisions for corporate exceptional access to stored data are
more important than such provisions for communications.(44)
For individuals, the distinction is even sharper. Private
individuals as well as businesses have a need to retrieve
encrypted data that is stored and for which they may have lost
or forgotten the key. For example, a person may have lost the
key to an encrypted will or financial statement and wish to
retrieve the data. However, it is much more difficult to
imagine circumstances under which a person might have a
legitimate need for the real-time monitoring of


   (38) While users may lose or corrupt keys used for user
authentication, the procedures needed in this event are
different than if the keys in question are for encryption. For
example, a lost authentication key creates a need to revoke
the key, so that another party that comes into possession of
the authentication key cannot impersonate the original owner.
By contrast, an encryption key that is lost creates a need to
recover the key.

   (39) Peter G. Neumann, *Computer-Related Risks*,
Addison-Wesley, New York, 1995, p. 154.

   (40) Neumann, *Computer-Related Risks*, 1995, p. 154.

   (41) For example, employees with Internet access may spend
so much time on nonwork-related Internet activities that their
productivity is impaired. Concerns such problems have about
led some companies to monitor the Internet activities of their
employees, and spawned products that covertly monitor and
record Internet use. See Laurie Flynn, "Finding On-Line
Distractions, Employers Strive to Keep Workers in Line," *New
York Times*, November 6, 1995, p. D-5.

   (42) A number of examples of such cooperation can be found
in Peter Schweizer, *Friendly Spies*, The Atlantic Monthly
Press, New York, 1993.

   (43) The legal ramifications of employer access to
on-thejob communications of employees are interesting, though
outside the scope of this report. For example, a company
employee may communicate with another company employee using
cryptography that denies employer access to the content of
those communications; such use may be contrary to explicit
company policy. May an employee who has violated company
policy in this manner be discharged legally? In general,
employer access to on-thejob communications raises many issues
of ethics and privacy, even if such access is explicitly
permitted by contract or policy.

   (44) This distinction becomes somewhat fuzzy when
considering technologies such as e-mail that serve the purpose
of communications but that also involve data storage. Greater
clarity is possible if one distinguishes between the
electronic bits of a message in transit (e.g., on a wire) and
the same bits that are at rest (e.g., in a file). With e-mail,
the message is sent and then stored; thus, e-mail can be
regarded as a stored communication. These comments suggest
that a need for exceptional access to e-mail is much more
similar to that for storage than for communications, because
it is much more likely that a need will arise to read an e-
mail message after it has been stored than while it is in
transit. A likely scenario of exceptional access to email is
that a user may receive e-mail encrypted with a public key for
which he no longer has the corresponding private key (that
would enable him to decrypt incoming messages). While this
user could in principle contact the senders and inform them of
a new public key, an alternative would be to develop a system
that would permit him to obtain exceptional access without
requiring such actions.



   The discussion of exceptional access above involves only
the question of encryption for confidentiality. While it is
possible to imagine legitimate needs for exceptional access to
encrypted data (for purposes of ensuring secrecy), it is
nearly impossible to imagine a legitimate need for exceptional
access to cryptography used for the purposes of user
authentication, data integrity, or nonrepudiation. In a
business context, these cryptographic capabilities implement
or support long-standing legal precepts that are essential to
the conduct of commerce.

   +    Without unforgeable digital signatures, the concept of
a binding contract is seriously weakened.

   +    Without trusted digitally notarized documents,
questions of time precedence might not be legally resolvable.

   +    Without unforgeable integrity checks, the notion of a
certifiably accurate and authentic copy of digital documents
is empty.

   +    Without strong authentication and unquestionable
nonrepudiation, the analog of registered delivery in postal
systems is open to suspicion.(45)

   With exceptional access to the cryptography implementing
such features or to the private keys associated with them, the
legal protection that such features are intended to provide
might well be called into question. At a minimum, there would
likely be a questioning of the validity or integrity of the
protective safeguards, and there might be grounds for legal
challenge. A businessperson might have to demonstrate, for
example, that he has properly and adequately protected the
private keys used to digitally sign his contracts to the
satisfaction of a court or jury.

   It is conceivable that the government, for national
security purposes, might seek exceptional access to such
capabilities for offensive information warfare (see Chapter
2); however, public policy should not promote these
capabilities, because such access could well undermine public
confidence in such cryptographic mechanisms.


   (45) In fact, digital signatures and nonrepudiation provide
a stronger guarantee than does registered delivery; the former
can be used to assure the delivery of the contents of an
"envelope," whereas postal registered delivery can only be
used to assure the delivery of the envelope.


                          3.7 RECAP

   In general, cryptography for confidentiality involves a
party undertaking an encryption (to protect information by
generating ciphertext from plaintext) and a party authorized
by the encryptor to decrypt the ciphertext and thus recover
the original plaintext. In the case of information that is
communicated, these parties are in general different
individuals. In the case of information that is stored, the
first party and the second party are in general the same
individual. However, circumstances can and do arise in which
third parties (i.e., decrypting parties that are not
originally authorized or intended by the encrypting party to
recover the information involved) may need access to such
information. These needs for exceptional access to encrypted
information may arise from businesses, individuals, law
enforcement, and national security, and these needs are
different depending on the parties in question. Encryption
that renders such information confidential threatens the
ability of these third parties to obtain the necessary access.

   How the needs for confidentiality and exceptional access
are reconciled in a policy context is the subject of Part II.


           BOX 3.1 Examples of Business Needs for
            Exceptional Access to Communications

   +    A major Fortune 1000 corporation was the subject of
various articles in the relevant trade press. These articles
described conditions within the corporation (e.g., employee
morale) that were based on information supplied by employees
of this corporation acting in an unauthorized manner and
contrary to company policy; moreover, these articles were
regarded by corporate management as being highly embarrassing
to the company. The employees responsible were identified
through a review of tapes of all their telephone conversations
in the period immediately preceding publication of the
damaging articles, and were summarily dismissed. As a
condition of employment, these employees had given their
employer permission to record their telephone calls.

   +    Executives at a major Fortune 1000 corporation had
made certain accommodations in settling the accounts of a
particular client that, while legal, materially distorted an
accounting audit of the books of that client. A review of the
telephone conversations in the relevant period indicated that
these executives had done so knowingly, and they were
dismissed. As a condition of employment, these executives had
given their employer permission to record their telephone

   +    Attempting to resolve a dispute about the specific
terms of a contract to sell oil at a particular price, a
multinational oil company needed to obtain all relevant
records. Given the fact that oil prices fluctuate
significantly on a minute-by-minute basis, most such trades
are conducted and agreed to by telephone. All such calls are
recorded, in accordance with contracts signed by traders as a
condition of employment. Review of these voice records
provided sufficient information to resolve the dispute.

   +    A multinational company was notified by a law
enforcement agency in Nation A regarding its suspicions that
an employee of the company was committing fraud against the
company. This employee was a national of Nation B. The company
began an investigation of this individual in cooperation with
law enforcement authorities in Nation B, and in due course,
legal authorization for a wiretap on this individual using
company facilities was obtained. The company cooperated with
these law enforcement authorities in the installation of the


SOURCE: Anonymous testimony to the committee.


        BOX 3.2 Examples of the Utility of Wiretapping

   +    The El Rukn Gang in Chicago, acting as a surrogate for
the Libyan government and in support of terrorism, planned to
shoot down a commercial airliner within the United States
using a stolen military weapon. This act of terrorism was
prevented through the use of telephone wiretaps.

   +    The 1988 "Ill Wind" public corruption and defense
department fraud investigation relied heavily on court-ordered
telephone wiretaps. To date, this investigation has resulted
in the conviction of 65 individuals and more than a quarter of
a billion dollars in fines, restitutions, and recoveries.

   +    Numerous drug trafficking and money laundering
investigations, such as the "Polar Cap" and "Pizza Connection"
cases, utilized extensive telephone wiretaps in the successful
prosecution of large-scale national and international drug
trafficking organizations. "Polar Cap" resulted in the arrest
of 33 subjects and the recovery of $50 million in assets
seized. Additionally, in a 1992 Miami raid, which directly
resulted from wiretaps, agents confiscated 15,000 pounds of
cocaine and arrested 22 subjects.

   +    The investigation of convicted spy Aldrich Ames relied
heavily on wiretaps ordered under FISA authority.

   +    In a 1990 "Sexual Exploitation of Children"
investigation, the FBI relied heavily on wiretaps to prevent
violent individuals from abducting, torturing, and murdering
a child in order to make a "Snuff Murder" film.


SOURCE: Federal Bureau of Investigation.


            BOX 3.3 Law Enforcement Requirements
      for the Surveillance of Electronic Communications

   +    Prompt and expeditious access both to the contents of
the electronic communications and "setup" information
necessary to identify the calling and called parties.

   +    Real-time, full-time monitoring capability for
intercepts. Such capability is particularly important in an
operational context, in which conversations among either
criminal conspirators (e.g., regarding a decision to take some
terrorist action) or criminals and innocent third parties
(e.g.. regarding a purchase order for explosives from a
legitimate dealer) may have immediate significance.

   +    Delivery of intercepted communications to specified
monitoring facilities.

   +    Transparent access to the communications, i.e., access
that is undetectable to all parties to the communications
(except to the monitoring parties) and implementation of
safeguards to restrict access to intercept information.

   +    Verification that the intercepted communications are
associated with the intercept subject.

   +    Capabilities for some number of simultaneous
intercepts to be determined through a cooperative industry/law
enforcement effort.

   +    Reliability of the services supporting the intercept
at the same (or higher) level of the reliability of the
communication services provided to the intercept subject.

   +    A quality of service for the intercept that complies
with the performance standards of the service providers.


SOURCE: Law Enforcement Requirements for the Surveillance of
Electronic Communications*, FBI in cooperation with the
National Technical Investigators Association, June 1994.


          BOX 3.4 How Noncryptography Applications
   of Information Technology Could Benefit Law Enforcement

   As acknowledged elsewhere in the main text, encryption in
ubiquitous use would create certain difficulties for law
enforcement. Nevertheless, it is important to place into
context the overall impact on law enforcement of the digital
information technologies that enable encryption and other
capabilities that are not the primary subject of this report.
Chapter 2 suggested how encryption capabilities can be a
positive force for more effective law enforcement (e.g.,
secure police communications). But information technology is
increasingly ubiquitous and could appear in a variety of other
applications less obvious than encryption. For example:

   +    Video technology has become increasingly inexpensive.
Thus, it is easy to imagine police cruisers with video cameras
that are activated upon request when police are responding to
an emergency call. Monitoring those cameras at police
headquarters would provide a method for obtaining timely
information regarding the need of the responding officers for
backup. Equipping individual police officers with even smaller
video cameras attached to their uniforms and recording such
transmissions would provide objective evidence to corroborate
(or refute) an officer's description of what he saw at a crime

   +    The number of users of cellular telephones and
wide-area wireless communications services will grow rapidly.
As such technologies enable private citizens to act as
responsible eyes and ears that observe and report emergencies
in progress, law enforcement officials will be able to respond
more quickly. (See, for example, Chana Schoenberger, "The
Pocket-Size Protector; Feeling Safe, not Stylish, with
Cellular Phones," *Washington Post*, August 29, 1995, page

   +    Electronically mediated sting operations help to
preserve cover stories of law enforcement officials. For
example, the Cybersnare sting operation resulted in the arrest
of six individuals who allegedly stole cellular telephone
numbers en masse from major companies, resulting in millions
of dollars of industry losses. Cybersnare was based on an
underground bulletin board that appealed to cellular telephone
and credit card thieves. Messages were posted offering for
sale cellular telephone "cloning" equipment and stolen
cellular telephone numbers, and included contact telephone
numbers that were traced to the individuals in question. (See
Gautam Naik, "Secret Service Agents Arrest Six Hackers in
Cellular-Phone Sting in Cyberspace," *Wall Street Journal*,
September 12, 1995, page B6.)

   +    The locations of automobiles over a metropolitan area
could be tracked automatically, either passively or actively.
An active technique might rely on a coded beacon that would
localize the position of the automobile on which it was
mounted. A passive technique might rely on automatic scanning
for license plates that were mounted on the roofs of cars. As
an investigative technique, the ability to track the location
of a particular automobile over a period of time could be
particularly important.

   Even today, information technology enables law enforcement
officials to conduct instant background checks for handgun
purchases and arrest records when a person is stopped for a
traffic violation. Retail merchants guard against fraud by
using information technology to check driving records when
cars are rented and credit checks for big purchases. The
Department of the Treasury uses sophisticated information
technology to detect suspicious patterns that might indicate
large-scale money laundering by organized crime.

   All such possibilities involve important social as well as
technical issues. For example, the first two examples featured
above seem relatively benign, while the last two raises
serious entrapment and privacy issues. Even the "instant
background checks" of gun buyers have generated controversy.
The mention of these applications (potential and actual) is
not meant as endorsement, recommendation, or even suggestion;
they do, however, place into better context the potentialities
of information technology in some overall sense to improve the
capabilities of law enforcement while at the same time
illustrating that concerns about excessive government power
are not limited to the issue of cryptography.


[End Chapter 3]

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]

                           Part II

                     Policy Instruments

   To the best of the committee's knowledge, the goals of U.S.
cryptography policy have not been explicitly formalized and
articulated within the government. However, senior government
officials have indicated that U.S. cryptography policy seeks
to promote the following objectives:

   +    Deployment of encryption adequate and strong enough to
protect electronic commerce that may be transacted on the
future information infrastructure;

   +    Development and adoption of global (rather than
national) standards and solutions;

   +    Widespread deployment of capabilities into products
with encryption capabilities for confidentiality that enables
legal access for law enforcement and national security
purposes; and

   +    Avoidance of the development of de facto cryptography
standards (either domestically or globally) that do not permit
access for law enforcement and national security purposes,
thus ensuring that the use of such products remains relatively

   Many analysts believe that these goals are irreconcilable.
To the extent that this is so, the U.S. government is thus
faced with a policy problem requiring a compromise among these
goals that is tolerable, though by assumption not ideal with
respect to any individual goal. Such has always been the case
with many issues that generate social controversy -- balancing
product safety against the undesirability of burdensome
regulation on product vendors, public health against the
rights of individuals to refuse medical treatment, and so on.

   As this report is being written, U.S. cryptography policy
is still evolving, and the particular laws, regulations, and
other levers that govermnent uses to influence behavior and
policy are under review or being developed.

   Chapter 4 is devoted to the subject of export controls,
which dominate industry concerns about national cryptography
policy. Many senior executives in the information technology
industry perceive these controls as a major limitation on
their ability to export products with encryption capabilities.
Furthermore, because exports of products with encryption
capabilities are governed by the regime applied to
technologies associated with munitions, reflecting the
importance of cryptography to national security, they are
generally subject to more stringent controls than exports of
other computer-related technologies.

   Chapter 5 addresses the subject of escrowed encryption.
Escrowed eneryption is a form of encryption intended to
provide strong protection for legitimate uses but also to
permit exceptional access by government officials, by
corporate employers, or by end users under specified
circumstances. Since 1993, the Clinton Administation has
aggressively promoted escrowed encryption as a basic pillar of
national cryptography policy. Public concerns about escrowed
encryption have focused on the possibilities for failure in
the mechanisms intended to prevent improper access to
encrypted information, leading to losses of confidentiality.

   Chapter 6 addresses a variety of other aspect of national
cryptography policy and public concerns that these aspects
have raised.



                       Export Controls

   Export controls on cryptography and related technical data
have been a pillar of national cryptography policy for many
years. Increasingly, they have generated controversy because
they pit the needs of national security to conduct signals
intelligence against the information security needs of
legitimate U.S. businesses and the markets of U.S.
manufacturers whose products might meet these needs. Chapter
4 describes the current state of export controls on
cryptography and issues that these controls raise, including
their effectiveness in achieving their stated objectives;
negative effects that the export control regime has on U.S.
businesses and U.S. vendors of information technology that
must be weighed against the positive effects of reducing the
use of cryptography abroad; the mismatch between vendor and
government perceptions of export controls; and various other
aspects of the export control process as it is experienced by
those subject to it.


   Many advanced industrialized nations maintain controls on
exports of cryptography, including the United States. The
discussion below focuses on U.S. export controls; Appendix G
addresses foreign export control regimes on cryptography.

           4.1.1 The Rationale for Export Controls

   On the basis of discussion with senior government officials
and its own deliberations, the committee believes that the
current U.S. export control regime on products with encryption
capabilities for confidentiality is intended to serve two
primary purposes:

   +    To delay the spread of strong cryptographic
capabilities and the use of those capabilities throughout the
world. Senior intelligence officials recognize that in the
long run, the ability of intelligence agencies to engage in
signals intelligence will inevitably diminish due to a variety
of technological trends, including the greater use of

   +    To give the U.S. government a tool for monitoring and
influencing the commercial development of cryptography. Since
any U.S. vendor that wishes to export a product with
encryption capabilities for confidentiality must approach the
U.S. government for permission to do so, the export license
approval process is an opportunity for the U.S. government to
learn in detail about the capabilities of such products.
Moreover, the results of the license approval process have
influenced the cryptography that is available on the
international market.


   (1)  Although the committee came to this conclusion on its
own, it is consistent with that of the Office of Technology
Assessment, *Information Security and Privacy in Network
Environments*, Washington, D.C., September 1994.


                4.1.2 General Description(2)

   Authority to regulate imports and exports of products with
cryptographic capabilities to and from the United States
derives from two items of legislation: the Arms Export Control
Act (AECA) of 1949 (intended to regulate munitions) and the
Export Administration Act (EAA; intended to regulate so-called
dual-use products(3)). The AECA is the legislative basis for
the International Traffic in Arms Regulations (ITAR), in which
the U.S. Munitions List (USML) is defined and specified. Items
on the USML are regarded for purposes of import and export as
munitions, and the ITAR are administered by the Department of
State. The EAA is the legislative basis for the Export
Administration Regulations (EAR), which define dual-use items
on a list known as the Commerce Control List (CCL)(4); the EAR
are administered by the Department of Commerce. The EAA lapsed
in 1994 but has been continued under executive order since
that time. Both the AECA and the EAA specify sanctions that
can be applied in the event that recipients of goods exported
from the United States fail to comply with all relevant
requirements, such as agreements to refrain from reexport (Box

   At present, products with encryption capabilities can be
imported into the United States without restriction, although
the President does have statutory authority to regulate such
imports if appropriate. Exports are a different matter. Any
export of an item covered by the USML requires a specific
affirmative decision by the State Department's Office of
Defense Trade Controls, a process that can be time-consuming
and cumbersome from the perspective of the vendor and
prospective foreign purchaser.

   The ITAR regulate and control exports of all "cryptographic
systems, equipment, assemblies, modules, integrated circuits,
components or software with the capability of maintaining
secrecy or confidentiality of information or information
systems", in addition, they regulate information about
cryptography but not implemented in a product in a category
known as "technical data."(5)

   Until 1983, USML controls were maintained on all
cryptography products. However, since that time, a number of
relaxations in these controls have been implemented (Box 4.2),
although many critics contend that such relaxation has lagged
significantly behind the evolving marketplace. Today, the ITAR
provide a number of certain categorical exemptions that allow
for products in those categories to be regulated as dual-use
items and controlled exclusively by the CCL. For products that
do not fall into these categories and for which there is some
question about whether it is the USML or the CCL that governs
their export, the ITAR also provide for a procedure known as
commodity jurisdiction,(6) under which potential exporters can
obtain judgments from the State Department about which list
governs a specific product. A product granted commodity
jurisdiction to the CCL falls under the control of the EAR and
the Department of Commerce. Note that commodity jurisdiction
to the CCL is generally granted for products with encryption
capabilities using 40-bit keys regardless of the algorithm
used, although these decisions are made on a product-by-
product basis. In addition, when a case-by-case export
licensing decision results in CCL jurisdiction for a software
product, it is usually only the object code, which cannot be
modified easily, that is transferred, the source code of the
product (embedding the identical functionality but more easily
modified) generally remains on the USML.

   As described in Box 4.3, key differences between the USML
and the CCL have the effect that items on the CCL enjoy more
liberal export consideration than items on the USML. (This
report uses the term "liberal export consideration" to mean
treatment under the CCL.) Most importantly, a product
controlled by the CCL is reviewed only once by the U.S.
government, thus drastically simplifying the marketing and
sale of the product overseas.

   The most important of these explicit categorical exemptions
to the USML for cryptography are described in Box 4.4. In
addition, the current export control regime provides for an
individual case-by-case review of USML licensing applications
for products that do not fall under the jurisdiction of the
CCL. Under current practice, USML licenses to acquire and
export for internal use products with encryption capabilities
stronger than that provided by 40-bit RC2/RC4 encryption
(hereafter in this chapter called "strong encryption"(7)) are
generally granted to U.S.-controlled firms (i.e., U.S. firms
operating abroad, a U.S.-controlled foreign firms, or foreign
subsidiaries of a U.S. firm). In addition, banks and financial
institutions (including stock brokerages and insurance
companies), whether U.S.-controlled or owned or foreign-owned,
are generally granted USML licenses for strong cryptography
for use in internal communications and communications with
other banks even if these communications are not limited
strictly to banking or money transactions.

   In September 1994, the Administration promulgated
regulations that provided for U.S. vendors to distribute
approved products with encryption capabilities for
confidentiality directly from the United States to foreign
customers without using a foreign distributor and without
prior State Department approval for each export.(8) It also
announced plans to finalize a "personal use exemption" to
allow license-free temporary exports of products with
encryption capabilities when intended for personal use; a
final rule on the personal use exemption was announced in
early 1996 and is discussed below in Section 4.3.2. Lastly, it
announced a number of actions intended to streamline the
export control process to provide more rapid turnaround for
certain "preapproved" products.

   In August 1995, the Administration announced a proposal to
liberalize export controls on software products with
encryption capabilities for confidentiality that use
algorithms with a key space of 64 or fewer bits, provided that
the key(s) required to decrypt messages and files are
"properly escrowed"; such products would be transferred to the
CCL. However, since an understanding of this proposal requires
some background in escrowed encryption, discussion of it is
deferred to Chapter 5.


   (2)  Two references that provide detailed descriptions of
the U.S. export control regime for products with encryption
capability are a memorandum by Fred Greguras of the law firm
Fenwick & West (Palo Alto, Calif.), dated March 6, 1995, and
titled "Update on Current Status of U.S. Export Administration
Regulations on Software" (available on
http://www.batnet.com/oikoumene/SftwareEU.html), and a paper
by Ira Rubenstein ("Export Controls on Encryption Software,"
in *Coping with U.S. Export Controls 1994*, October 18, 1995
(PLI Com. Law & Practice Course Handbook Series No. A-733,
1995).). The Greguras memorandum focuses primarily on the
requirements of products controlled by the Commerce Control
List, while the Rubenstein paper focuses primarily on how to
move a product from the Munitions List to the Commerce Control

   (3)  A dual-use item is one that has both military and
civilian applications.

   (4)  The CCL is also commonly known as the Commodity
Control List.

   (5)  However, all encryption products intended for domestic
Canadian use in general do not require export licenses.

   (6)  Commodity jurisdiction is also often known by its
acronym, CJ.

   (7)  How much stronger than 40-bit RC2/RC4 is unspecified.
Products incorporating the 56-bit DES algorithm are often
approved for these informal exemptions, and at times even
products using larger key sizes have been approved. But the
key size is not unlimited, as may be the case under the
explicit categorical exemptions specified in the ITAR.

   (8)  Prior to this rule, almost every encryption export
required an individual license. Only those exports covered by
a distribution arrangement could be shipped without an
individual license. This distribution arrangement required a
U.S. vendor of products with cryptographic capabilities to
export to a foreign distributor that could then resell them to
multiple end users. The distribution arrangement had to be
approved by the State Department and included some specific
language. Under the new rule, a U.S. vendor without a foreign
distributor can essentially act as his own distributor, and
avoid having to obtain a separate license for each sale.
Exporters are required to submit a proposed arrangement
identifying, among other things, specific items to be shipped,
proposed end users and end use, and countries to which the
items are destined. Upon approval of the arrangement,
exporters are permitted to ship the specified products
directly to end users in the approved countries based on a
single license. See Bureau of Political-Military Affairs,
Department of State, "Amendment to the International Traffic
in Arms Regulations," *Federal Register*, September 2, 1994.


       4.1.3 Discussion of Current Licensing Practices

The Categorical Exemptions

   The categorical exemptions described in Box 4.4 raise a
number of issues:

   +    In the case of the 40-bit limitation, the committee
was unable to find a specific analytical basis for this
figure. Most likely, it was the result of a set of compromises
that were politically driven by all of the parties
involved.(9) However, whatever the basis for this key size,
recent successful demonstrations of the ability to undertake
brute-force cryptanalysis on messages encrypted with a 40-bit
key (Box 4.5) have led to a widespread perception that such
key sizes are inadequate for meaningful information security.

   +    In the case of products intended for use only in
banking or money transactions, the exemption results from the
recognition by national security authorities that the
integrity of the world's financial system is worth protecting
with high levels of cryptographic security. Given the primacy
of the U.S. banking community in international financial
markets, such a conclusion makes eminent sense. Furthermore,
at the time this exemption was promulgated, the financial
community was the primary customer for products with
encryption capabilities.

   This rationale for protecting banking and money
transactions naturally calls attention to the possibilities
inherent in a world of electronic commerce, in which routine
communications will be increasingly likely to include
information related to financial transactions. Banks (and
retail shops, manufacturers, suppliers, end customers, and so
on) will engage in such communications across national
borders. In a future world of electronic commerce, connections
among nonfinancial institutions may become as important as the
banking networks are today. At least one vendor has been
granted authority to use strong encryption in software
intended for export that would support international
electronic commerce (though under the terms of the license,
strong encryption applies only to a small portion of the
transaction message).(10)

   +    In the case of products useful only for user
authentication, access control, and data integrity, the
exemption resulted from a judgment that the benefits of more
easily available technology for these purposes outweigh
whatever costs there might be to such availability. Thus, in
principle, these nonconfidentiality products from U.S. vendors
should be available overseas without significant restriction.

   In practice, however, this is not entirely the case. Export
restrictions on confidentiality have some "spillover" effects
that reduce somewhat the availability of products that are
intended primarily for authentication.(11)

   Another spillover effect arises from a desire among vendors
and users to build and use products that integrate multiple
cryptographic capabilities (for confidentiality and for
authentication/integrity) with general-purpose functionality.
In many instances, it is possible for cryptography for
authentication/integrity and cryptography for confidentiality
to draw on the same algorithm. Export control regulations may
require that a vendor weaken or even eliminate the encryption
capabilities of a product that also provides
authentication/integrity capabilities, with all of the
consequent costs for users and vendors (as described in
Section 4.3).

   Such spillover effects suggest that government actions that
discourage capabilities for confidentiality may also have some
negative impact on the development and use of products with
authentication/integrity capabilities even if there is no
direct prohibition or restriction on export of products with
capabilities only for the latter.

Informal Noncodified Practices

   As described above, it is current practice to grant USML
licenses for exports of strong cryptography to firms in a
number of categories described in Box 4.4. However, the fact
that this practice is not explicitiy codified contributes to
a sense of uncertainty among vendors and users about the
process and in practice leads to unnecessary delays in license

   In addition, there is uncertainty about whether or not a
given foreign company is "controlled" by a U.S. firm.
Specifically, vendors often do not know (and cannot find out
in advance) whether a proposed sale to a particular foreign
company falls under the protection of this unstated exemption.
As a practical rule, the U.S. government has a specific set of
guidelines that are used to make this determination.(12) But
these rules require considerable interpretation and thus do
not provide clear guidance for U.S. vendors.

   A third issue that arises with current practice is that the
lines between "foreign" and "U.S." companies are blurring in
an era of transnational corporations, ad hoc strategic
alliances, and close cooperation between suppliers and
customers of all types. For example, U.S. companies often team
with foreign companies in global or international ventures. It
would be desirable for U.S. products with encryption
capabilities to be used by both partners to conduct business
related to such alliances without requiring a specific export
licensing decision.(13)

   In some instances, USML licenses have granted U.S.
companies the authority to use strong encryption rather freely
(e.g., in the case of a U.S. company with worldwide
suppliers). But these licenses are still the result of a
lengthy case-by-case review whose outcome is uncertain.
Finally, the State Department and NSA explicitly assert
control over products without any cryptographic capability at
all but developed with "sockets," or more formally,
cryptographic applications programming interfaces into which
a user can insert his own cryptography. Such products are
regarded as having an inherent cryptographic capability
(although such capability is latent rather than manifest), and
as such are controlled by the USML, even though the text of
the ITAR does not mention these items explicitly.(14) In
general, vendors and users understand this to be the practice
and do not challenge it, but they dislike the fact that it is
not explicit.


   (9)  It is worth noting a common argument among many
nongovernment observers that any level of encryption that
qualifies for export (e.g., that qualifies for control by the
CCL, or that is granted an export license under the USML) must
be easily defeatable by NSA, or else NSA would not allow it to
leave the country. The subtext of this argument is that such
a level of encryption is per force inadequate. Of course,
taken to its logical conclusion, this argument renders
impossible any agreement between national security authorities
and vendors and users regarding acceptable levels of
encryption for export.

   (10) "Export Approved for Software to Aid Commerce on
Internet," *New York Times*, May 8, 1995, p. D-7. " For
example, the Kerberos operating system is designed to provide
strong cryptographic authentication of users (and hence strong
access control for system resources). Typically, Kerberos is
distributed in the United States in source code through the
Internet to increase its usability on a wide range of
platforms, to accommodate diverse user needs, and to increase
maintainability; source code distribution is a common practice
on the Internet. However, since Kerberos uses the DES
algorithm as the cryptographic engine to support its
authentication features, the source code for Kerberos is
controlled under the USML and is not available through the
Internet to foreign end users. It is thus fair to say that
Kerberos is less used by foreign users than it might be if
there were no export controls on products with encryption
capabilities, even though the primary purpose of Kerberos is
authentication. Note that Kerberos is also designed with
operating system calls that support confidentiality. These
calls are stripped out of the exportable version of Kerberos,
which is only available in object form in any event.

   A second example was provided in testimony to the committee
from a company that had eliminated all cryptographic
capabilities from a certain product because of its perceptions
of the export control hurdles to be overcome. The capabilities
eliminated included those for authentication. While it can be
argued that the company was simply ignorant of the exemptions
in the ITAR for products providing authentication
capabilities, the fact remains that much of the vendor
community is either not familiar with the exemptions or does
not believe that they represent true "fast-track" or
"automatic" exceptions.

   (12) Under Defense Department guidelines for determining
foreign ownership, control, or influence (FOCI), a U.S.
company is considered under FOCI "whenever a foreign interest
has the power, direct or indirect, whether or not exercised,
and whether or not exercisable through the ownership of the
U.S. company's securities, by contractual arrangements or
other means, to direct or decide matters affecting the
management or operations of that company in a manner which may
result in unauthorized access to classified information or may
affect adversely the performance of classified contracts." A
FOCI determination for a given company is made on the basis of
a number of factors, including whether a foreign person
occupies a controlling or dominant minority position; the
identification of immediate, intermediate and ultimate parent
organizations. (See Department of Defense, *National
Industrial Security Program Operating Manual*, DOD-5220.22-M,
January 1995, pp. 2-3-1 to 2-3-2.) According to ITAR
Regulation 122.2, "ownership" means that more than 50 percent
of the outstanding voting securities of the firm are owned by
one or more foreign persons. "Control" means that one or more
foreign persons have the authority or ability to establish or
direct the general policies or day-to-day operations of the
firm. Control is presumed to exist where foreign persons own
25 percent or more of the outstanding voting securities if no
U.S. persons control an equal or larger percentage. The
standards for control specified in 22 CFR 60.2(c) also provide
guidance in determining whether control in fact exists.
Defense Department Form 4415, August 1990, requires answers to
11 questions in order for the Defense Department to make a
FOCI determination for any given company.

   (13) In one instance reported to the committee, a major
multinational company with customer support offices in China
experienced a break-in in which Chinese nationals apparently
copied paper documents and computer files. File encryption
would have mitigated the impact associated with this "bag
job." Then-current export restrictions hampered deployment of
encryption to this site because the site was owned by a
foreign (Chinese) company rather than a U.S.-controlled
company and therefore not easily covered under then-current



   One of the most contentious points in the debate over
export controls on cryptography concerns their effectiveness
in delaying the spread of strong cryptographic capabilities
and the use of those capabilities throughout the world.
Supporters of the current export control regime believe that
these controls have been effective, and they point to the fact
that encryption is not yet in widespread commercial use abroad
and that a significant fraction of the traffic intercepted
globally is unencrypted. Further, they argue that U.S.
products with encryption capabilities dominate the
international market to an extent that impeding the
distribution of U.S. products necessarily affects worldwide
usage. Critics of current policy assert that export controls
have not been effective in limiting the availability of
cryptography abroad. For example, based on its ongoing survey
of cryptography products worldwide (a study widely cited by
critics of current policy), Trusted Information Systems Inc.
has noted that:

   [w]e have now identified 1181 products worldwide [as of
   March 30, 1996], and we're continuing to learn about new
   products, both domestic and foreign, on a daily basis.
   We've also obtained numerous products from abroad and are
   examining these products to assess their functionality and
   security. The survey results show that cryptography is
   indeed widespread throughout the world. Export controls
   outside of the U.S. appear to be less restrictive. The
   quality of foreign products seems to be comparable to that
   of U.S. products.(15)

   Furthermore, critics of U.S. export controls argue that
sources other than U.S. commercial vendors (specifically
foreign vendors, the in-house expertise of foreign users,
Internet software downloads, and pirated U.S. software) are
capable of providing very good cryptography that is usable by
motivated foreign users.

   In assessing the arguments of both supporters and critics
of the current export control regime, it is important to keep
in mind that the ultimate goal of export controls on
cryptography is to keep strong cryptography out of the hands
of potential targets of signals intelligence. Set against this
goal, the committee believes that the arguments of both
supporters and critics have merit but require qualification.

   The supporters of the current export regime are right in
asserting that U.S. export controls have had a nontrivial
impact in retarding the use of cryptography worldwide. This
argument is based on three linked factors.

   +    U.S. export controls on cryptography have clearly
limited the sale of U.S. products with encryption capabilities
in foreign markets; indeed, it is this fact that drives the
primary objection of U.S. information technology vendors to
the current export control regime on cryptography.

   +    Very few foreign vendors offer integrated products
with encryption capabilities.(16) U.S. information technology
products enjoy a very high reputation for quality and
usability, and U.S. information technology vendors, especially
those in the mass-market software arena, have marketing and
distribution skills that are as yet unparalleled by their
foreign counterparts. As a result, foreign vendors have yet to
fill the void left by an absence of U.S. products.

   +    U.S. information technology products account for a
large fraction of global sales. For example, a recent U.S.
International Trade Commission staff report points out that
over half of all world sales in information technology come
from the United States.'' Actions that impede the flow of U.S.
products to foreign consumers are bound to have significant
effects on the rate at which those products are purchased and

   On the other hand, it is also true that some foreign
targets of interest to the U.S. government today use
encryption that is for all practical purposes unbreakable;
major powers tend to use "home-grown" cryptography that they
procure on the same basis that the United States procures
cryptography for its own use, and export controls on U.S.
products clearly cannot prevent these powers from using such

   Furthermore, the fact that cryptography is not being widely
used abroad does not necessarily imply that export controls
are effective--or will be in the near future--in restraining
the use of cryptography by those who desire the protection it
can provide. The fact is that cryptography is not used widely
either in the United States or abroad, and so it is unclear
whether it is the lack of information security consciousness
described in Chapter 2 or the U.S. export control regime for
cryptography that is responsible for such non-use; most
probably, it is some combination of these two factors.

   The critics of the current export regime are right in
asserting that foreign suppliers of cryptography are many and
varied, that software products with encryption capabilities
are quite available through the Internet (probably hundreds of
thousands of individuals have the technical skill needed to
download such products), and that cryptography does pose
special difficulties for national authorities wishing to
control such technology (Box 4.6). Yet, most products with
encryption capabilities available on the Internet are not
integrated products; using security-specific products is
generally less convenient than using integrated products (as
described in Chapter 2), and because such products are used
less often, their existence and availability pose less of a
threat to the collection of signals intelligence.

   Furthermore, Internet products are, as a general rule,
minimally supported and do not have the backing of reputable
and established vendors.(18) Users who download software from
the Internet may or may not know exactly what code the product
contains and may not have the capability to test it to ensure
that it functions as described.(19) Corporate customers, the
primary driver for large-scale deployment of products, are
unlikely to rely on products that are not sold and supported
by reputable vendors, and it is products with a large
installed base (i.e., those created by major software vendors)
that would be more likely to have the high-quality encryption
that poses a threat to signals intelligence. Box 4.7 describes
the primary differences between commercial products and
"freeware" available on the Internet.

   The committee's brief survey of product literature
describing foreign stand-alone security-specific products with
encryption capabilities (Box 4.8) also indicated many
implementations that were unsound from a security standpoint,
even taking for granted the mathematical strength of the
algorithms involved and the proper implementation of the
indicated algorithms.(20) The committee has no reason to
believe that the stand-alone security-specific products with
encryption capabilities made by U.S. vendors are on average
better at providing security,(21) although the large
established software vendors in the United States do have
reputations for providing relatively high quality in their
products for features unrelated to security.(22) Without an
acceptable product certification service, most users have no
reliable way of determining the quality of any given product
for themselves.

   As a general rule, a potential user of cryptography faces
the choice of buying commercially available products with
encryption capabilities on the open market (perhaps
custom-made, perhaps produced for a mass market) or developing
and deploying those products independently. The arguments
discussed above suggest that global dissemination of knowledge
about cryptography makes independent development an option,
but the problems of implementing knowledge as a usable and
secure product drive many potential users to seek products
available from reputable vendors. In general, the greater the
resources available to potential users and the larger the
stakes involved, the more likely they are to attempt to
develop their own cryptographic resources. Thus, large
corporations and First World governments are, in general, more
likely than small corporations and Third World governments to
develop their own cryptographic implementations.

   Finally, the text of the ITAR seems to allow a number of
entirely legal actions that could have results that the
current export control regime is intended to prevent (see Box
4.9). For example, RSA Data Security Inc. has announced a
partnership with the Chinese government to fund an effort by
Chinese government scientists to develop new encryption
software. This software may be able to provide a higher degree
of confidentiality than software that qualifies today for
liberal export consideration under the CCL.(23)


   (14) Specifically, the ITAR place on the USML
"cryptographic devices, software, and components specifically
designed or modified therefor, including: cryptographic
(including key management) systems, equipment, assemblies,
modules, integrated circuits, components or software with the
capability of maintaining secrecy or confidentiality of
information or information systems." Note that these
categories do not explicitly mention systems without
cryptography but with the capability of accepting "plug-in"

   (15) Available on line from the TIS home page,
http://www.tis.com; at the time of its presentation to the
committee, TIS had identified 450 such products available from
foreign nations. Testimony on this topic was first presented
by Steven Walker, president of Trusted Information Systems, to
the House Committee on Foreign Affairs, Subcommittee on
Economic Policy, Trade, and Environment, on October 12, 1993.
TIS briefed the committee on December 15, 1994, and July 19,
1995. The survey mentioned in testimony to the committee
continues, and regularly updated figures can be found on the
TIS Web page (http://www.tis.com/crypto-survey).

   (16) The Department of Commerce and the National Security
Agency found no general-purpose software products with
encryption capability from non-U.S. manufacturers. See
Department of Commerce and National Security Agency, *A Study
of the International Market for Computer Software with
Encryption*, January 11, 1996, p. 111-9.

   (17) Office of Industries, U.S. International Trade
Commission, *Global Competitiveness of the U.S. Computer
Software and Service Industries*. Staff Research Study #21,
Washington, D.C., June 1995, executive summary.

   (18) Whether major vendors will continue to avoid the
Internet as a distribution medium remains to be seen. Even
today, a number of important products, including Adobe's
Acrobat Reader, Microsoft's Word Viewer and Internet
Assistant, and the Netscape Navigator are distributed through
the Internet. Some vendors make products freely available in
limited functionality versions as an incentive for users to
obtain full-featured versions; others make software products
freely available to all takers in order to stimulate demand
for other products from that vendor for which customers pay.

   (19) Indeed, the lack of quality control for
Internet-available software provides an opportunity for those
objecting to the proliferation of good products with
encryption capability to flood the market with their own
products anonymously or pseudonymously; such products may
include features that grant clandestine access with little

   (20) The committee's analysis of foreign stand-alone
products for cryptography was based on material provided to
the committee by TIS, which TIS had collected through its
survey. This material was limited to product brochures and
manuals, which the committee believes puts the best possible
face on a product's quality. Thus, the committee's
identification of security defects in these products is
plausibly regarded as a minimum estimate of their
weaknesses--more extensive testing (e.g., involving
disassembly) would be likely to reveal additional weaknesses,
since implementation defects would not be written up in a
product brochure. Moreover, the availability of a product
brochure does not ensure the availability of the corresponding
product; TIS has brochures for all of the 800-plus products
identified in its survey, but due to limited resources, it has
been able to obtain physical versions (e.g., a disk, a circuit
board) of fewer than 10 percent of the products described in
those brochures.

   (21) An "amateur" review of encryption for confidentiality
built into several popular U.S. mass-market software programs
noted that the encryption facilities did not provide
particularly good protection. The person who reviewed these
programs was not skilled in cryptography but was competent in
his understanding of programming and how the Macintosh manages
files. By using a few commonly available programming tools (a
file compare program, a "debugger" that allows the user to
trace the flow of how a program executes, and a "disassembler"
that turns object code into source code that can be examined),
the reviewer was able to access in less than two hours the
"protected" files generated by four out of eight programs. See
Gene Steinbert, "False Security,"* MACWORLD*, November 1995,
pp. 118-121.

   One well-publicized cryptographic security flaw found in
the Netscape Corporation's Navigator Web browser is discussed
in footnote 34 in Chapter 2. Because of a second flaw,
Netscape Navigator could also enable a sophisticated user to
damage information stored on the host computer to which
Navigator is connected. (See Jared Sandberg, "Netscape
Software for Cruising Internet Is Found to Have Another
Security Flaw," *Wall Street Journal*, September 25, 1995, p.

   (22) In addition, a product with a large installed base is
subject to a greater degree of critical examination than a
product with a small installed base, and hence flaws in the
former are more likely to be noticed and fixed. Large
installed bases are more characteristic for products produced
by established vendors than of freeware or shareware

   (23) See Don Clark, "China, U.S. Firm Challenge U.S. on
Encryption-Software Exports," *Wall Street Journal*, February
8, 1996, p. A-10.



   U.S. export controls have a number of interrelated effects
on the economic health of U.S. vendors and on the level of
cryptographic protection available to U.S. firms operating
domestically. (The impact of foreign import controls on U.S.
vendors is discussed in Chapter 6 and Appendix G.)

                 4.3.1 De Facto Restrictions
         on the Domestic Availability of Cryptography

   Current law and policy place no formal restrictions
whatever on products with encryption capabilities that may be
sold or used in the United States. In principle, the domestic
market can already obtain any type of cryptography it wants.
For stand-alone security-specific products, this principle is
true in practice as well. But the largest markets are not for
stand-alone security-specific products, but rather for
integrated products with encryption capabilities.

   For integrated products with encryption capabilities,
export controls do have an effect on domestic availability.
For example,

   +    The Netscape Communications Corporation distributes a
version of Netscape Navigator over the Internet and sells a
version as shrink-wrapped software. Because the Internet
version can be downloaded from abroad, its encryption
capabilities are limited to those that will allow for liberal
export consideration, the shrink-wrapped version is under no
such limitation and in fact is capable of much higher levels
of encryption.(24) Because it is so much more convenient to
obtain, the Internet version of Netscape Navigator is much
more widely deployed in the United States than is the
shrink-wrapped version, with all of the consequences for
information security that its weaker encryption capability

   +    The Microsoft Corporation recently received permission
to ship Windows NT Version 4, a product that incorporates a
cryptographic applications programming interface approved by
the U.S. government for commodity jurisdiction to the CCL.
However, this product is being shipped worldwide with a
cryptographic module that provides encryption capabilities
using 40-bit RC4.25 While domestic users may replace the
default module with one providing stronger encryption
capabilities, many will not, and the result is a weaker
encryption capability for those users.

   +    A major U.S. software vendor distributes its major
product in modular form in such a way that the end user can
assemble a system configuration in accordance with local
needs. However, since the full range of USML export controls
on encryption is applied to modular products into which
cryptographic modules may be inserted, this vendor has not
been able to find a sensible business approach to distributing
the product in such a way that it would qualify for liberal
export consideration. The result has been that the encryption
capabilities provided to domestic users of this product are
much less than they would otherwise be in the absence of
export controls.

   What factors underlie the choices made by vendors that
result in the outcomes described above? At one level, the
examples above are simply the result of market decisions and
preferences. At a sufficiently high level of domestic market
demand, U.S. vendors would find it profitable and appropriate
to develop products for the domestic market alone. Similarly,
given a sufficiently large business opportunity in a foreign
country (or countries) that called for a product significantly
different from that used by domestic users, vendors would be
willing to develop a customized version of a product that
would meet export control requirements. Furthermore, many
other manufacturers of exportable products must cope with a
myriad of different requirements for export to different
nations (e.g., differing national standards for power, safety,
and electromagnetic interference), as well as differing
languages in which to write error messages or user manuals.
From this perspective, export controls are simply one more
cost of doing business outside the United States.

   On the other hand, the fact that export controls are an
additional cost of doing business outside the United States is
not an advantage for U.S. companies planning to export
products. A vendor incurs less expense and lower effort for a
single version of a product produced for both domestic and
foreign markets than it does when multiple versions are
involved. While the actual cost of developing two different
versions of a product with different key lengths and different
algorithms is relatively small, a much larger part of the
expense associated with multiple versions relates to
marketing, manufacture, support, and maintenance of multiple
product versions after the initial sale has been made.(26)

   Since a vendor may be unable to export a given product with
encryption capabilities to foreign markets, domestic market
opportunities must be that much greater to warrant a
domestic-only version. (Given that about half of all sales of
U.S. information technology vendors are made to foreign
customers, the loss of foreign markets can be quite damaging
to a U.S. vendor.(27)) When they are not, vendors have every
incentive to develop products with encryption capabilities
that would easily qualify for liberal export consideration. As
a result, the domestic availability of products with strong
encryption capability is diminished.

   While a sufficiently high level of domestic market demand
would make it profitable for U.S. vendors to develop products
for the domestic market alone, the "sufficiently" qualifier is
a strong one indeed, given the realities of the market into
which vendors must sell and compete, and one infrequently met
in practice.

   Users are also affected by an export control regime that
forces foreign and domestic parties in communication with each
other to use encryption systems based on different algorithms
and/or key lengths. In particular, an adversary attempting to
steal information will seek out the weakest point. If that
weakest point is abroad because of the weak cryptography
allowed for liberal export, then that is where the attack will
be. In businesses with worldwide network connections, it is
critical that security measures be taken abroad, even if key
information repositories and centers of activity are located
in the continental United States. Put differently, the use of
weak cryptography abroad means that sensitive information
communicated by U.S. businesses to foreign parties faces a
greater risk of compromise abroad because stronger
cryptography integrated into U.S. information technology is
not easily available abroad.

   Finally, the export licensing process can have a
significant impact on how a product is developed. For example,
until recently, products developed to permit the user to
substitute easily his own cryptography module were subject to
the USML and the ITAR.(28) One vendor pointed out to the
committee that its systems were designed to be assembled "out
of the box" by end users in a modular fashion, depending on
their needs and computing environment. This vendor believed
that such systems would be unlikely to obtain liberal export
consideration, because of the likelihood that a foreign user
would be able to replace an "export-approved" cryptography
module with a cryptography module that would not pass export
review. Under these circumstances, the sensible thing from the
export control perspective would be to deny exportability for
the modularized product even if its capabilities did fall
within the "safe harbor" provisions for products with
encryption capabilities.

   The considerations above led the committee to conclude that
U.S. export controls have had a negative impact on the
cryptographic strength of many integrated products with
encryption capabilities available in the United States.(29)
Export controls tend to drive major vendors to a "least common
denominator" cryptographic solution that will pass export
review as well as sell in the United States. The committee
also believes that export controls have had some impact on the
availability of cryptographic authentication capabilities
around the world. Export controls distort the global market
for cryptography, and the product decisions of vendors that
might be made in one way in the absence of export controls
may well be made another way in their presence.

   Some of the reasons for this vendor choice are explored in
the next section.


   (24) The shrink-wrapped version of Netscape Navigator sold
within the United States and Canada supports several different
levels of encryption, including 40-bit RC4, 128-bit RC4,
56-bit DES, and triple-DES. The default for a domestic client
communicating with a domestic server is 128-bit RC4. Source:
Jeff Weinstein, Netscape Communications Corporation, Mountain
View, California, personal communication.

   (25) See Jason Pontin, "Microsoft Encryption API to Debut
in NT Workstation Beta," *Infoworld*, January 29, 1996, p. 25.

   (26) Note that development and support concerns are even
more significant when a given product is intended for
cross-platform use (i.e., for use in different computing
environments such as Windows, Mac OS, Unix, and so on), as is
the case for many high-end software products (such as database
retrieval systems): when a product is intended for use on 5O
different platforms, multiplying by a factor of two the effort
required on the part of the vendor entails much more of an
effort by the vendor than if the product were intended for use
on only one platform.

   (27) See footnote 17.

   (28) Note, however, that the use of object-oriented
software technology can in general facilitate the use of
applications programming interfaces that provide "hooks" to
modules of the user's choosing. A number of vendors have
developed or are developing general-purpose applications
programming interfaces that will allow the insertion of a
module to do almost anything. Since these programming
interfaces are not specialized for cryptography, but instead
enable many useful functions (e.g., file compression,
backups), it is very difficult to argue the basis on which
applications incorporating these interfaces should be denied
export licenses simply because they *could* be used to support

   A further discussion of recent developments involving
cryptography modules and cryptographic applications
programming interfaces is contained in Chapter 7.

   (29) A similar conclusion was reached by the FBI, whose
testimony to the committee noted that "the use of export
controls may well have slowed the speed, proliferation, and
volume of encryption products sold un the U.S." Written
Statement of "FBI Input to the NRC's National Cryptographic
Study Committee," received December 1, 1995.


                4.3.2 Regulatory Uncertainty
                 Related to Export Controls

   A critical factor that differentiates the costs of
complying with export controls from other costs of doing
business abroad is the unpredictability of the export control
licensing process. (Other dimensions of uncertainty for
vendors not related to export controls are discussed in
Chapter 6.) A company must face the possibility that despite
its best efforts, a USML export license or a commodity
jurisdiction to the CCL will not be granted for a product.
Uncertainties about the decisions that will emerge from the
export control regime force vendors into very conservative
planning scenarios. In estimating benefits and costs,
corporate planners must take into account the additional costs
that could be incurred in developing two largely independent
versions of the same product or limit the size of the
potential market to U.S. purchasers. When such planning
requirements are imposed, the number of product offerings
possible is necessarily reduced.

   USML licensing is particularly unpredictable, because the
reasons that a license is denied in any given instance are not
necessariiy made available to the applicant; in some cases,
the rationale for specific licensing decisions is based on
considerations that are highly classified and by law cannot be
made available to an uncleared applicant. Since such
rationales cannot be discussed openly, an atmosphere of
considerable uncertainty pervades the development process for
vendors seeking to develop products for overseas markets.
Furthermore, there is no independent adjudicating forum to
which a negative licensing decision can be appealed.

   Since USML licensing is undertaken on a case-by-case basis,
it requires the exercise of judgment on the part of the
regulatory authorities. A judgment-based approach has the
disadvantage that it requires a considerable degree of trust
between the regulated and the regulator.(30) To the extent
that an individual regulated party believes that the regulator
is acting in the best interests of the entire regulated
community, it is natural that it would be more willing to
accept the legitimacy of the process that led to a given
result. However, in instances in which those that are
regulated do not trust the regulator, judgments of the
regulator are much more likely to be seen as arbitrary and

   This situation currently characterizes the relationship
between cryptography vendors/users and national security
authorities responsible for implementing the U.S. export
control regime for cryptography. In input received by the
committee, virtually all industry representatives, from large
to small companies, testified about the unpredictability of
the process. From the vendor point of view, the resulting
uncertainty inhibits product development and allows negative
decisions on export to be rendered by unknown forces and/or
government agencies with neither explanation nor a reasonable
possibility of appeal.

   The need to stay far away from the vague boundaries of what
might or might not be acceptable is clearly an inhibitor of
technological progress and development. Vendor concerns are
exacerbated in those instances in which export control
authorities are unwilling to provide a specific reason for the
denial of an export license or any assurance that a similarly
but not identically configured product with encryption
capabilities would pass export review. Even worse from the
vendor perspective, product parameters are not the only
determinant of whether a licensing decision will be favorable
except in a very limited and narrow range of cryptographic

   The uncertainty described above is not limited to new and
inexperienced vendors encountering the U.S. export control
regime for the first time; large and sophisticated
institutions with international connections have also
encountered difficulties with the current export control
regime. For example, a representative from a major U.S. bank
with many international branches reported that export controls
affect internally developed bank software with encryption
capabilities; a U.S. citizen who works on bank software with
encryption capabilities in England may "taint" that software
so that it falls under U.S. export control guidelines. Thus,
despite the fact that the current export control regime treats
banks and other financial institutions relatively liberally,
major banks have still struggled under the limitations of the
export control regime.

   The situation is worse for smaller companies. While large
companies have experience and legal staffs that help them to
cope with the export control regime, small companies do not.
New work on information technology often begins in garage-shop
operations, and the export control regime can be particularly
daunting to a firm with neither the legal expertise nor the
contacts to facilitate compliance of a product with all of the
appropriate regulations. These companies in particular are the
ones most likely to decide in the end to avoid entirely the
inclusion of cryptographic features due to concern of running
afoul of the export control rules.

   The following three examples illustrate how the
unpredictability of the export control licensing process has
affected U.S. vendors and their products.


   As noted above, cryptographic applications programming
interfaces that are directly and easily accessible to the user
are in general subject to USML licensing. However, even
"closed" interfaces that are not easily accessible to the user
are sometimes perceived to pose a risk for the vendor. One
major product vendor reported to the committee that it was
reluctant to use modular development for fear that even an
internal module interface could keep a product from passing
export control review. Any software product that uses modular
techniques to separate the basic product functionality from
the cryptography has a well-defined interface between the two.
Even when the software product is converted to object code,
that interface is still present (though it is hidden from the
casual user). However, the interface cannot in general be
hidden from a person with strong technical skills, and such a
person would be able to find it and tamper with it in such a
way that a different cryptography module could be used.(32) A
number of similar considerations apply for hardware products,
in which the cryptographic capabilities might be provided by
a "plug-in" chip.

   The alternative to the use of modular techniques in the
development of integrated products would complicate the
"swap-in/swap-out" of cryptographic capabilities: lines of
code (if software) and wires (if hardware) that implemented
cryptographic capabilities would be highly interwoven with
lines of code and wires that implemented the primary
capabilities of the product. On the other hand, this approach
would be tantamount to the development of two largely distinct
products with little overlap in the work that was required to
produce them.

   The NSA has spoken publicly about its willingness to
discuss with vendors from the early stages of product design
features and capabilities of proposed products with encryption
capabilities for confidentiality so that the export license
approval process can be facilitated, and its willingness to
abide by nondisclosure agreements to reassure vendors that
their intellectual property rights will be protected.(33)
Nonetheless, the receipt of an export control license useful
for business purposes is not guaranteed by such cooperation.
For example, while decisions about commodity jurisdiction
often provide CCL jurisdiction for object code and USML
jurisdiction for source code (and thus need not inhibit
modular product development if the product is to be
distributed in object form only), the fact remains that such
decisions are part of a case-by-case review whose outcome is
uncertain. Different vendors are willing to tolerate different
levels of risk in this regard, depending on the magnitude of
the investments involved.

   As a general rule, NSA does not appear willing to make
agreements in advance that will assure licenses for a product
that has not yet been instantiated or produced. Such a
position is not unreasonable given NSA's stance toward
products with encryption capabilities in general, and the fact
that the true capabilities of a product may depend strongly on
how it is actually implemented in hardware or software. Thus,
vendors have no indemnification against the risk that a
product might not be approved.(34)

The Definition of Export

   There is uncertainty about what specific act constitutes
the "export" of software products with encryption
capabilities. It is reasonably clear that the act of mailing
to a foreign country a disk with a product with encryption
capabilities on it constitutes an export of that product. But
if that product is uploaded to an Internet site located in the
United States and is later downloaded by a user located in
another country, is the act of export theupload or the
download? What precautions must be taken by the uploader to
remain on the legal side of the ITAR?

   The committee has been unable to find any formal document
that indicates answers to these questions. However, a March
1994 letter from the State Department Office of Defense Trade
Controls appears to indicate that a party could permit the
posting of cryptographic software on an Internet host located
in the United States if "(a) the host system is configured so
that only people originating from nodes in the United States
and Canada can access the cryptographic software, or (b) if
the software is placed in a file or directory whose name
changes every few minutes, and the name of the file or
directory is displayed in a publicly known and readable file
containing an explicit notice that the software is for U.S.
and Canadian use only."(35) Of course, such a letter does not
provide formal guidance to parties other than the intended
addressee (indeed, under the ITAR, advisory opinions provided
to a specific party with a given set of circumstances are not
binding on the State Department even with respect to that
party), and so the issue remains murky.

The Speed of the Licensing Process

   Uncertainty is also generated by a lengthy licensing
process without time lines that allow vendors to make
realistic schedules. Box 4.10 describes some of the problems
reported to the committee. To summarize, the perceptions of
many vendors about the excessive length of time it takes to
obtain a license reflects the time required for discussions
with NSA about a product before an application is formally
submitted; the prospect of facing the export control process
deters some vendors entirely from creating certain products at
all. By contrast, NSA starts the clock only when it receives
a formal application, and in fact the usual time between
receipt of a formal application and rendering of a decision is
relatively short (a few weeks). The reason that such a fast
turnaround is possible is that by the time the application is
received, enough is known about the product involved that
processing is routine because there is no need for negotiation
about how the product must be changed for a license to be

   In response to some of these concerns, the U.S. government
has undertaken a number of reforms of the export control
regime (described in Section 4.1) to reduce the hassle and red
tape involved in obtaining export licenses.(36) These reforms
are important. Nevertheless, the pace at which new information
technology products develop and the increasing complexity of
those products will complicate product review efforts in the
future. Given relatively fixed staffing, these factors will
tend to increase the length of time needed to conduct product
reviews at a time when vendors are feeling pressures to
develop and market products more rapidly.

   One particular reform effort that deserves discussion is
the "personal use" exemption. For many years, Americans
traveling abroad were required under the ITAR to obtain
"temporary export licenses" for products with encryption
capabilities carried overseas for their personal use.(37) The
complexity of the procedure for obtaining such a license was
a considerable burden for U.S. businesspeople traveling
abroad, and these individuals were subject to significant
criminal penalties for an act that was widely recognized to be
harmless and well within the intent of the export control

   In February 1994, the Administration committed itself to
promulgating regulations to support a personal-use exemption
from the licensing requirement. Two years later, on February
16, 1996, the *Federal Register* contained a notice from the
Department of State, Bureau of Political Military Affairs,
announcing final rule of an amendment to the International
Traffic in Arms Regulation (ITAR) allowing U.S. persons to
temporarily export cryptographic products for personal use
without the need for an export license.(38)

   Some critics of government policy have objected to the
particular formulation of the record-keeping requirement. All
parties involved--including senior Administration
officials--have agreed that 2 years was far too long a period
for promulgation of so simple a rule.


   (30) In contrast to a judgment-based approach, a
clarity-based approach would start from the premise that
regulations and laws should be as clear as possible, so that
a party that may be affected knows with a high degree of
certainty what is and is not permitted or proscribed. The
downside of a clarity-based approach is that affected parties
tend to go "right up to the line" of what is prohibited and
may seek ways to "design around" any stated limitations.
Furthermore, a clarity-based approach would require the
specification, in advance, of all acts that are prohibited,
even when it may not be possible to define in advance all acts
that would be undesirable.

   (31) For example, critics of the uncertainty engendered by
the export regime point out that uncertainty is helpful to
policy makers who wish to retain flexibility to modify policy
without the work or publicity required for a formal regulatory

   (32) Of course, such considerations obviously apply to
software products with cryptographic capabilities that are
designed to be shipped in source code; not only can the
cryptographic module be easily identified and replaced, but it
can also be pulled out and adapted to other purposes. This
point was also raised in footnote 11 of this chapter.

   (33) For example, NSA representatives made comments to this
effect at the RSA Data Security Conference in San Francisco,
California, in January 1995.

   (34) Although other industries also have to deal with the
uncertainties of regulatory approval regarding products and
services, the export control process is particularly opaque,
because clear decisions and rationales for those decisions are
often not forthcoming (and indeed are often classified and/or
unrelated to the product per se).

   (35) Letter from Clyde Bryant, Office of Defense Trade
Controls, U.S. Department of State, Washington, D.C., to
Daniel Appelman, Heller, Ehrman, White & McAuliffe, dated
March 11, 1994.

   (36) For example, according to NSA, the detailing of an NSA
representative to work with the State Department Office of
Defense- Trade Controls has resulted in a considerable
reduction in the time needed to process a license.

   (37) For a description of how this process worked in
practice, see Matt Blaze, *My Life As an International Arms
Courier*, e-mail message circulated by Matt Blaze
(mab@research.att.com) on January 6, 1995. A news article
based on Blaze's story is contained in Peter H. Lewis,
"Between a Hacker and a Hard Place: DataSecurity Export Law
Puts Businesses in a Bind," *New York Times*, April 10, 1995,
p. D-1.

   (38) According to the regulation, the product must not be
intended for copying, demonstration, marketing, sale,
re-export, or transfer of ownership or control. It must remain
in the possession of the exporting person, which includes
being locked in a hotel room or safe. While in transit, it
must be with the person's accompanying baggage. Exports to
certain countries are prohibited--currently Cuba, Iran, Iraq,
Libya, North Korea, Sudan, and Syria. The exporter must
maintain records of each temporary export for 5 years. See
*Federal Register*, Volume 61(33), Friday, February 16, 1996,
Public Notice 2294, pp. 6111-6113.


            4.3.3 The Size of the Affected Market
                      for Cryptography

   Since export controls on products with encryption
capabilities constrain certain aspects of sales abroad,
considerable public attention has focused on the size of the
market that may have been affected by export controls. Vendors
in particular raise the issue of market share with
considerable force:

   +    "The only effect of the export controls is to cause
economic harm to US software companies that are losing market
share in the global cryptography market to companies from the
many countries that do not have export controls."(39)

   +    "[The government's current policy on encryption] is
anti-competitive. The government's encryption export policy
jeopardizes the future of the software industry, one of the
fastest growing and most successful industries."(40)

   The size of the market for products with encryption
capabilities cuts across many dimensions of cryptography
policy, but since it is raised most often in the context of
the export control debate, it is addressed in this section.

   Plausible arguments can be made that the market ranges from
no more than the value of the security-specific products sold
annually (i.e., several hundred million dollars per year--a
low-end estimate)(41) to the total value of all hardware and
software products that might include encryption capabilities
(many tens of billions of dollars--a high-end estimate).(42)
The committee was unable to determine the size of the
information technology market directly affected by export
controls on encryption to within a factor of more than 100, a
range of uncertainty that renders any estimate of the market
quite difficult to use as the basis for a public policy

   Nevertheless, although it is not large enough to be
decisive in the policy debate, the floor of such estimates--a
few hundred million dollars per year--is not a trivial sum.
Furthermore, all trends point to growth in this number, growth
that may well be very large and nonlinear in the near future.
To the extent that both of these observations are valid, it is
only a matter of a relatively short time before even the floor
of any estimate will be quite significant in economic terms.

   The next three subsections describe some of the factors
that confound the narrowing of the large range of uncertainty
in any estimate of the size of the market affected by export

Defining a "Lost Sale"

   A number of vendors have pointed to specific instances of
lost sales as a measure of the harm done to the vendors as the
result of export controls on cryptography.(43) National
security officials believe that these figures are considerably
overstated. Administration officials and congressional staff
have expressed considerable frustration in pinning down a
reliable estimate of lost sales. It is important to begin with
the understanding that the concept of a "lost sale" is
intrinsically soft. Trying to define the term "lost sales"
raises a number of questions

   +     What events count as a sale lost because of export
restrictions? Several possibilities illustrate the

        -- A U.S. vendor is invited along with foreign vendors
        to bid on a foreign project that involves
        cryptography, but declines because the bid
        requirements are explicit and the U.S. vendor knows
        that the necessary export licenses will not be
        forthcoming on a time scale compatible with the

        -- A U.S. vendor is invited along with foreign vendors
        to bid on a foreign project that involves
        cryptography. In order to expedite export licensing,
        the U.S. vendor offers a bid that involves 40-bit
        encryption (thus ignoring the bid requirements), and
        the bid is rejected.

        -- A U.S. vendor is invited along with foreign vendors
        to bid on a foreign project that involves
        cryptography. A foreign vendor emerges as the winner.
        The sale is certainly a lost sale, but since customers
        often make decisions with a number of reasons in mind
        and may not inform losing vendors of their reasons, it
        is difficult to determine the relationship of export
        controls to the lost sale.

        -- No U.S. vendor is invited to bid on a foreign
        project that involves cryptography. In such an
        instance, the potential foreign customer may have
        avoided U.S. vendors, recognizing that the
        cryptography would subject the sale to U.S. export
        control scrutiny, possibly compromising sensitive
        information or delaying contract negotiations
        inordinately. On the other hand, the potential
        customer may have avoided U.S. vendors for other
        reasons, e.g., because the price of the U.S. product
        was too high.

   +     What part of a product's value is represented by the
cryptographic functionality that limits a product's sales when
export controls apply? As noted in Chapter 2, standalone
products with encryption capabilities are qualitatively
different from general-purpose products integrated with
encryption capabilities. A security-specific stand-alone
product provides no other functionality, and so the value of
the cryptography is the entire cost of the product. But such
sales account for a very small fraction of information
technology sales. Most sales of information technology
products with encryption capabilities are integrated products.
Many word processing and spreadsheet programs may have
encryption capabilities, but users do not purchase such
programs for those capabilities -- they purchase them to
enhance their ability to work with text and numbers.
Integrated products intended for use in networked environments
(e.g., "groupware") may well have encryption capability, but
such products are purchased primarily to serve collaboration
needs rather than encryption functions. In these instances, it
is the cost of the entire integrated product (which may not be
exportable if encryption is a necessary but secondary feature)
that counts as the value lost.

   +     How does a vendor discover a "lost sale"? In some
cases, a specific rejection counts as evidence. But in general
there is no systematic way to collect reliable data on the
number or value of lost sales.

   +     An often-unnoticed dimension of "lost sales" does not
involve product sales at all, but rather services whose
delivery may depend on cryptographic protection. For example,
a number of U.S. on-line service providers (e.g., America
Online, Compuserve, Prodigy) are intending to offer or expand
access abroad;(44) the same is true for U.S. providers of
telecommunications services.(45) To the extent that
maintaining the security of foreign interactions with these
service providers depends on the use of strong cryptography,
the ability of these companies to provide these services may
be compromised by export restrictions and thus sales of
service potentially reduced.

Latent vs. Actual Demand

   In considering the size of the market for cryptography, it
is important to distinguish between "actual" demand and
"latent" demand.

   +     Actual demand reflects what users spend on products
with encryption capabilities. While the value of "the market
for cryptography" is relatively well defined in the case of
stand-alone security-specific products (it is simply the value
of all of the sales of such products), it is not well defined
when integrated products with encryption capabilities are
involved. The reason is that for such products, there is no
demand for cryptography per se. Rather, users have a need for
products that do useful things; cryptography is a feature
added by designers to protect users from outside threats to
their work, but as a purely defensive capability, cryptography
does not so much add functional value for the user as protect
against reductions in the value that the user sees in the
product. Lotus Notes, for example, would not be a viable
product in the communications software market without its
encryption capabilities, but users buy it for the group
collaboration capabilities that it provides rather than for
the encryption per se.

   +     Latent demand (i.e., inherent demand that users do
not realize or wish to acknowledge but that surfaces when a
product satisfying this demand appears on the market) is even
harder to measure or assess. Recent examples include Internet
usage and faxes; in these instances, the underlying technology
has been available for many years, but only recently have
large numbers of people been able to apply these technologies
for useful purposes. Lower prices and increasing ease of use,
prompted in part by greater demand, have stimulated even more
demand. To the extent that there is a latent demand for
cryptography, the inclusion of cryptographic features into
integrated products might well stimulate a demand for
cryptography that grows out of knowledge and practice, out of
learning by doing.

   Determining the extent of latent demand is complicated
greatly by the fact that latent demand can be converted into
actual demand on a relatively short time scale. Indeed, such
growth curves -- very slow growth in use for a while and then
a sudden explosion of demand -- characterize many critical
mass phenomena: some information technologies (e.g., networks,
faxes, telephones) are valuable only if some critical mass of
people use them. Once that critical mass is reached, other
people begin to use those technologies, and demand takes off.
Linear extrapolations 5 or 10 years into the future based on
5 or 10 years in the past miss this very nonlinear effect.

   Of course, it is difficult to predict a surge in demand
before it actually occurs. In the case of cryptography, market
analysts have been predicting significantly higher demand for
many years; today, growth rates are high, but demand for
information security products including cryptography is not
yet ubiquitous.

   Two important considerations bearing directly on demand are
increasing system complexity and the need for
interoperability. Users must be able to count on a high degree
of interoperability in the systems and software they purchase
if they are to operate smoothly across national boundaries (as
described in Chapter 1). Users understand that it is more
difficult to make different products interoperate, even if
they are provided by the same vendor, than to use a single
product. For example, the complexity of a product generally
rises as a function of the number of products with which it
must interoperate, because a new product must interoperate
with already-deployed products. Increased complexity almost
always increases vulnerabilities in the system or network that
connects those products. In addition, more complex products
tend to be more difficult to use and require greater technical
skill to maintain and manage; thus, purchasers tend to shy
away from such products. This reluctance, in turn, dampens
demand, even if the underlying need is still present.

   From the supply side, vendors feel considerable pressure
from users to develop interoperable products. But greater
technical skills are needed by vendors to ensure
interoperability among different product versions than to
design a single product that will be used universally, just as
they are for users involved in operation and maintenance of
these products. Requirements for higher degrees of technical
skill translate into smaller talent pools from which vendors
can draw and thus fewer products available that can meet
purchasers' needs for interoperability.

   Problems relating to interoperability and system
complexity, as well as the size of the installed base, have
contributed to the slow pace of demand to date for products
with encryption capabilities.

   Nevertheless, the committee believes it is only a matter of
time until a surge occurs, at the same time acknowledging the
similarity between this prediction and other previous
predictions regarding demand. This belief is based on
projections regarding the growth of networked applications(46)
and the trends discussed in Chapter 1--increasing demand for
all kinds of information technology, increasing geographic
dispersion of businesses across international boundaries,
increasing diversity of parties wishing/needing to communicate
with each other, and increasing diversity in information
technology applications and uses in all activities of a
business. Further, the committee believes that computer users
the world over have approximately the same computing needs as
domestic users, and so domestic trends in computing (including
demand for more information security) will be reflected
abroad, though perhaps later (probably years later but not
decades later).

Market Development

   A third issue in assessing the size of the market for
cryptography is the extent to which judgments should be made
on the basis of today's market conditions (which are known
with a higher certainty) rather than markets that may be at
risk tomorrow (which are known with a much lower degree of

   The market for certain types of software tends to develop
in a characteristic manner. In particular, the long-term
success of infrastructure software (i.e., software that
supports fundamental business operations such as operating
systems or groupware) depends strongly on the product's market
timing; once such software is integrated into the
infrastructure of the installing organization, demands for
backward-compatibility make it difficult for the organization
to install any alternative.(47) In other words, an existing
software infrastructure inhibits technological change even if
better software might be available. It is for this reason that
in some software markets, major advantages accrue to the first
provider of a reasonable product.

   These pressures complicate life for government policy
makers who would naturally prefer a more deliberate approach
to policy making, because it is only during a small window of
time that their decisions are relevant--the sooner they act,
the better. The longer they wait, the higher will be the
percentage of companies that have already made their
technology choices, and these companies will face large
changeover costs if policy decisions entail incompatible
alternatives to their currently deployed infrastructure. If
the initial choices of companies involve putting non-U.S.
software in place, U.S. vendors fear that they will have lost
huge future market opportunities.(48)


   (39) Jim Hassert, *Washington Connections*, Software
Publishers Association, Washington, D.C., Chapter 9. Available
on-line at http://www.spa.org.

   (40) Business Software Alliance, *Information and Data
Security: The Encryption Update.* Available on-line from

   (41)  U.S. Department of Commerce and National Security
Agency, *A Study of the International Market for Computer
Software with Encryption*, prepared for the Interagency
Working Group on Encryption and Telecommunications Policy,
Office of the Secretary of Commerce, January 11, 1996, p.
III-I. Note, however, that this report does not arrive at this
estimate independently; rather, it cites other estimates made
in the private sector.

   (42)  Of course, it is a matter of speculation what
fraction of the information technology market (on the order of
$193 billion in 1993; see below) might usefully possess
encryption capabilities; good arguments can made to suggest
that this fraction is very small or very large. A number of
information technology trade organizations have also made
estimates. The Software Publishers Association cited a survey
by the National Computer Security Association that quoted a
figure of $160 million in aggregate known losses in 1993
because of export controls; see "Written Testimony of the
Software Publishers Association to the National Research
Council," Washington, D.C., July 19, 1995. In 1993, the
Business Software Alliance estimated that "approximately $6-9
billion in U.S. company revenues are currently at risk because
of the inability of those companies to be able to sell world
wide generally available software with encryption capabilities
employing DES or other comparable strength algorithms;" see
Testimony of Ray Ozzie, president, Iris Associates, on behalf
of the Business Software Alliance, "The Impact on America's
Software Industry of Current U.S. Government Munitions Export
Controls," before the Economic Policy, Trade and Environment
Subcommittee, House Committee on Foreign Affairs, Washington,
D.C., October 12, 1993. The Computer Systems Policy Project
(CSPP) estimated that in 2000, the potential annual revenue
exposure for U.S. information technology vendors would range
from $3 billion to $6 billion on sales of cryptographic
products, including both hardware and software; CSPP also
estimated $30 billion to 60 billion in potential revenue
exposure on sales of associated computer systems; see The
Computer Systems Policy Project, William F. Hagerty IV, The
Management Advisory Group, *The Growing Need for Cryptography:
The Impact of Export Control Policy on U.S. Competitiveness*,
Study Highlights (viewgraphs), Bethesda, Maryland, December
15, 1995.

   The $193 billion figure is taken from Department of
Commerce, *U.S. Industrial Outlook 1994*, and includes
computers and peripherals ($62.5 billion, p. 26-1), packaged
software ($32.0 billion, p. 27-1), information services ($13.6
billion, p. 25-1), data processing and network services ($46.4
billion, p. 25-1), and systems integration/custom programming
services ($38.7 billion, p. 25-5). Note that this figure does
not include some other industry sectors that could, in
principle, be affected by regulations regarding secure
communications; in 1993, U.S. companies provided
telecommunications services valued at $10.4 billion to foreign
nations (p. 29-1) and shipped $17.5 billion (1987 dollars) in
telephone equipment worldwide (p. 30-3).

   (43)  For example, in a presentation to the committee on
July 19, 1995, the Software Publishers' Association documented
several specific instances in which a U.S. company had lost a
sale of a product involving cryptography to a foreign firm.
These instances included a company that lost one-third of its
total revenues because export controls on DES-based encryption
prevented sales to a foreign firm; a company that could not
sell products with encryption capability to a European company
because that company re-sold products to clients other than
financial institutions; a U.S. company whose European division
estimated at 50 percent the loss of its business among
European financial institutions, defense industries,
telecommunications companies, and government agencies because
of inadequate key sizes; and a U.S. company that lost the sale
of a DESbased system to a foreign company with a U.S.
subsidiary. Sofware Publishers' Association, "Presentation on
Impacts of Export Control on Encryption before the NRC
National Cryptography Policy Committee," July 19, 1995 .

   (44) See for example, Kara Swisher, "Old World, New
Frontier in Cyberspace," *Washington Post*, December 12, 1995,
p. C-1; Victoria Shannon, "U.S. On-Line Services Fall Short on
International Reach," *Washington Post*, April 3, 1995,
Washington Business, p. 20. For more detail on AOL plans, see
Elizabeth Cocoran, "America Online to Offer Access in Europe,"
*Washington Post*, May 19, 1995, p. F-3.

   (45) See for example, U.S. Congress, Office of Technology
Assessment, *U.S. Telecommunications Services in European
Markets*, OTA-TCT-548, U S. Government Printing Office,
Washington, D.C., August 1993.

   (46) For example, a survey by the International Data
Corporation indicated that the installed base of users for
work-group applications (involving communications among
physically separated users) is expected to grow at a rate of
about 74 percent annually between 1993 and 1998. See Ann
Palermo and Darby Johnson, Analysts, International Data
Corporation, *Workgroup ,Applications Software: Market Review
and Forecast, 1993-1998*, Framingham, Massachusetts, (date).
It is true that a considerable amount of remote collaboration
is done via e-mail without cryptographic protection, but
work-group applications provide much higher degrees of
functionality for collaboration because they are specifically
designed for that purpose. As these applications become more
sophisticated (e.g., as they begin to process large assemblies
of entire documents rather than the short messages for which
e-mail is best suited), the demand for higher degrees of
protection is likely to increase.

   (47) Many products require backward-compatibility for
marketplace acceptance. Demands for backward-compatibility
even affect products intended for operation in a stand-alone
environment -- an institution with 2 million spreadsheet files
is unlikely to be willing to switch to a product that is
incompatible with that existing database unless the product
provides reasonable translation facilities for migrating to
the new product. Network components are even harder to change,
because stations on a network must interoperate. For example,
most corporate networks have servers deployed with
workstations that communicate with those servers. Any change
to the software for the servers must not render it impossible
for those workstations to work smoothly with the upgrade.

   (48) The deployment of Lotus Notes provides a good example.
Lotus marketing data suggests fairly consistently that once
Notes achieves a penetration of about 200 users in a given
company, an explosion of demand follows, and growth occurs
until Notes is deployed company-wide.


       4.3.4 Inhibiting Vendor Responses to User Needs

   In today's marketing environment, volume sales (licensing)
to large corporate or government customers, rather than
purchases by individuals, tend to drive sales of business
software products.(49) Since corporate customers have large
leverage in the marketplace (because one purchasing decision
can result in thousands of product sales to a single
corporation), major software vendors are much more responsive
to the needs of corporate users. Of particular relevance to
the export control debate are three perceptions of corporate

   +     Corporate users do not see that different levels of
encryption strength (as indicated, for example, by the key
length of foreign and domestic versions of a product) provide
differential advantages. Put differently, the market reality
is that users perceive domestic-strength versions as the
standard and liberally exportable versions of cryptography as
weak, rather than seeing liberally exportable versions of
cryptography as the standard and domestic-strength versions as

   +     Corporate users weigh all features of a product in
deciding whether or not to buy it. Thus, the absence of a
feature such as strong encryption that is desired but not
easily available because of U.S. export controls counts as a
distinct disadvantage for a U.S. product. Although other
features may help to compensate for this deficiency, the
deficiency may pose enough of a barrier a product's acceptance
abroad that sales are significantly reduced.

   +     Corporate users see cryptographic strength as an
important parameter in their assessments of the information
security that products offer. It is true that cryptography is
only one dimension of information security, that export
controls do not affect certain approaches to increasing
overall information security, and that vendors often do not
address these other approaches. But cryptography is a visible
aspect of the information security problem, and vendors feel
an obligation to respond to market perceptions even if these
perceptions may not be fully justified by an underlying
technical reality. Moreover, many of the information security
measures that do not involve export controls are more
difficult and costly than cryptography to implement, and so it
is natural for vendors to focus their concerns on export
controls on cryptography.

   U.S. vendors that are unable to respond in a satisfactory
manner to these perceptions have a natural disadvantage in
competing against vendors that are able to respond.


   (49) The Department of Commerce noted that "civil use of
software-based encryption will significantly increase in the
next five years, with corporate customers dominating this new
marketplace." See U.S. Department of Commerce and National
Security Agency, *A Study of the International Market for
Computer Software with Encryption*, prepared for the
Interagency Working Group on Encryption and Telecommunications
Policy, Office of the Secretary of Commerce, January 11, 1996,
p. 111-2.



   By affecting U.S. industries abroad that might use
cryptography to protect their information interests and U.S.
vendors of a critical technology (namely, information
technology), export controls have a number of potentially
negative effects on national security that policy makers must
weigh against the positive effects of reducing the use of cry
ptography by hostile parties.

        4.4.1 Direct Economic Harm to U.S. Businesses

   While acknowledging economic benefits to U.S. business from
signals intelligence (as described in Chapter 3), the
committee notes that protection of the information interests
of U.S. industries is also a dimension of national security,
especially when the threats emanate from foreign sources.

   If the potential value of proprietary information is
factored into the debate over export controls, it dominates
all other figures of merit. A figure of $280 billion to $560
billion was placed by the Computer Systems Policy Project on
the value of future revenue opportunities as the result of
electronic distribution and commerce and future opportunities
to reengineer business processes by 2000.(50) Opponents of
export controls on cryptography argue that if electronic
channels and information systems are perceived to be
vulnerable, businesses may well be discouraged from exploiting
these opportunities, thereby placing enormous potential
revenues at risk.

   On the other hand, it is essentially impossible to
ascertain with any degree of confidence what fraction of
proprietary information would be at risk in any practical
sense if businesses did move to exploit these opportunities.
Current estimates of industrial and economic espionage provide
little guidance. The most authoritative publication on the
subject to date, the *Annual Report to Congress on Foreign
Economic Collection and Industrial Espionage*,(51) noted that

   [i]n today's world in which a country's power and stature
   are often measured by its economic/industrial capability,
   foreign government ministries--such as those dealing with
   finance and trade--and major industrial sectors are
   increasingly looked upon to play a more prominent role in
   their respective country's collection efforts.... An
   economic competitor steals a US company's proprietary
   business information or government trade strategies, [and]
   foreign companies and commercially oriented government
   ministries are the main beneficiaries of US economic
   information. The aggregate losses that can mount as a
   result of such efforts can reach billions of dollars per
   year, constituting a serious national security concern.

   The report went on to say that "[t]here is no formal
mechanism for determining the full qualitative and
quantitative scope and impact of the loss of this targeted
information. Industry victims have reported the loss of
hundreds of millions of dollars, lost jobs, and lost market
share." Thus, even this report, backed by all of the
counterintelligence efforts of the U.S. government, is unable
to render a definitive estimate to within an order of
magnitude. Of course, it may well be that these estimates of
loss are low, because companies are reluctant to publicize
occurrences of foreign economic and industrial espionage as
such publicity can adversely affect stock values, customers'
confidence, and ultimately competitiveness and market share,
or also because clandestine theft of information may not be
detected. Furthermore, because all business trends point to
greater volumes of electronically stored and communicated
information in the future, it is clear that the potential for
information compromises will grow--the value of information
that could be compromised through electronic channels is only
going to increase.


   (50) William F. Hagerty IV, The Management Advisory Group,
Computer Systems Policy Project, *The Growing Need for
Cryptography: The Impact of Export Control Policy on U.S
Competitiveness*, Study Highlights (viewgraphs), Bethesda,
Maryland, December 15, 1995.

   (51)  National Counterintelligence Center, *Annual Report
to Congress on Foreign Economic Collection and Industrial
Espionage*, Washington, D.C., July 1995.


               4.4.2 Damage to U.S. Leadership
                  in Information Technology

   The strength of the U.S. information technology industry
has been taken as a given for the past few decades. But as
knowledge and capital essential to the creation of a strong
information technology industry become more available around
the world, such strength can no longer be taken for
granted.(52) If and when foreign products become widely
deployed and well integrated into the computing and
communications infrastructure of foreign nations, even better
versions of U.S. products will be unable to achieve
significant market penetration. One example of such a
phenomenon may be the growing interest in the United States in
personal communications systems based on GSM, the European
standard for digital cellular voice communications. Further,
as the example of Microsoft vis-a-vis IBM in the 1980s
demonstrated, industry dominance once lost is quite difficult
to recover in rapidly changing fields.

   The development of foreign competitors in the information
technology industry could have a number of disadvantageous
consequences from the standpoint of U.S. national security

   +     Foreign vendors, by assumption, will be more
responsive to their own national governments than to the U.S.
government. To the extent that foreign governments pursue
objectives involving cryptography that are different from
those of the United States, U.S. interests may be adversely
affected. Specifically, foreign vendors could be influenced by
their governments to offer for sale to U.S. firms products
with weak or poorly implemented cryptography. If these vendors
were to gain significant market share, the information
security of U.S. firms could be adversely affected.
Furthermore, the United States is likely to have less
influence and control over shipments of products with
encryption capabilities between foreign nations than it has
over similar U.S. products that might be shipped abroad;
indeed, many foreign nations are perfectly willing to ship
products (e.g., missile parts, nuclear reactor technology) to
certain nations in contravention to U.S. or even their own
interests. In the long run, the United States may have even
less control over the products with encryption capabilities
that wind up on the market than it would have if it
promulgated a more moderate export control regime.

   +     Detailed information about the workings of foreign
products with encryption capabilities is much less likely to
be available to the U.S. government than comparable
information about similar U.S. products that are exported.
Indeed, as part of the export control administration process,
U.S. products with encryption capabilities intended for export
are examined thoroughly by the U.S. government; as a result,
large amounts of information about U.S. products with
encryption capabilities are available to it.(53)

   Export controls on cryptography are not the only factor
influencing the future position of U.S. information technology
vendors in the world market. Yet, the committee believes that
these controls do pose a risk to their future position that
cannot be ignored, and that relaxation of controls will help
to ensure that U.S. vendors are able to compete with foreign
vendors on a more equal footing.


   (52)  Obviously, it is impossible to predict with certainty
whether export controls will stimulate the growth of
significant foreign competition for U.S. information
technology vendors. But the historical evidence suggests some
reason for concern. For example, a 1991 report (National
Research Council, *Finding Common Ground: U.S. Export Controls
in a Changed Global Environment*, National Academy Press,
1991) found that "unilateral embargoes on exports [of
technologies for commercial aircraft and jet engines] to
numerous countries not only make sales impossible but actually
encourage foreign competitors to develop relationships with
the airlines of the embargoed countries. By the time the U.S.
controls are lifted, those foreign competitors may have
established a competitive advantage" (page 22). The same
report also found that for computer technology, "marginal
supplier disadvantages can lead to significant losses in
market position, and it is just such marginal disadvantages
that can be introduced by export controls" (page 23). An
earlier study (Charles Ferguson, "High Technology Product Life
Cycles, Export Controls, and International Markets," in
*Working Papers* of the National Research Council report
*Balancing the National Interest, U.S. National Security
Export Controls and Global Economic Competition*, National
Academy Press, 1987), pointed out that the emergence of strong
foreign competition in a number of high-technology areas
appeared in close temporal proximity to the enforcement of
strong export controls in these areas for U.S. vendors. While
the correlation does not prove that export controls
necessarily influenced or stimulated the growth of foreign
competition, the history suggests that they may have had some
causal relationship. In the financial arena (not subject to
export controls), U.S. financial controls associated with the
Trading-with-the-Enemy Act may have led to the rise of the
Eurodollar market, a set of foreign financial institutions,
markets, and instruments that eroded the monopoly held on
dollar-denominated instruments and dollar-dominated
institutions by U.S. firms.

   The likelihood of foreign competition being stimulated for
cryptography may be larger than suggested by some of these
examples, because at least in the software domain, product
development and distribution are less capital-intensive than
in traditional manufacturing industries; lower capital
intensity would mean that competitors would be more likely to

   Finally, while it is true that some foreign nations also
impose export controls on cryptography, those controls tend to
be less stringent than those of the United States as discussed
in Appendix G. In particular, it is more difficult to export
encryption from the United States to the United Kingdom than
the reverse, and the U.S. market is an important market for
foreign vendors. Further, it takes only one nation with weak
or nonexistent controls to spawn a competitor in an industry
such as software.

   (53) For example, U.S. vendors are more likely than foreign
vendors to reveal source code of a program to the U.S.
government (for purposes of obtaining export licenses). While
it is true that the object code of a software product can be
decompiled, decompiled object code is always much more
difficult to understand than the original source code that
corresponds to it.



   As the committee proceeded in its study, it observed what
can only be called a disconnect between the perceptions of the
national security authorities that administer the export
control regulations on cryptography and the vendors that are
affected by it. This disconnect was apparent in a number of

   +     National security authorities asserted that export
controls did not injure the interests of U.S. vendors in the
foreign sales of products with encryption capabilities. U.S.
vendors asserted that export controls had a significant
negative effect on their foreign sales.

   +     National security authorities asserted that nearly
all export license applications for a product with encryption
capabilities are approved. Vendors told the committee that
they refrained from submitting products for approval because
they had been told on the basis of preliminary discussions
that their products would not be approved for export.

   +     National security authorities presented data showing
that the turnaround time for license decisions had been
dramatically shortened (to a matter of days or a few weeks at
most). Vendors noted that these data took into account only
the time from the date of formal submission of an application
to the date of decision, and did not take into account the
much greater length of time required to negotiate product
changes that would be necessary to receive approval. (See
Section 4.3.2 for more discussion.)

   +     National security authorities asserted that they
wished to promote good information security for U.S.
companies, pointing out the current practice described in
Section 4.1.2 that presumes the granting of USML licenses for
stronger cryptography to U.S.-controlled companies and banking
and financial institutions. Vendors pointed to actions taken
by these authorities to weaken the cryptographic security
available for use abroad, even in business ventures in which
U.S. firms had substantial interests. Potential users often
told the committee that even under presumptive approval,
licenses were not forthcoming, and that for practical
purposes, these noncodified categories were not useful.

   +     National security authorities asserted that they took
into account foreign competition and the supply of products
with encryption capabilities when making decisions on export
licenses for U.S products with encryption capabilities.
Vendors repeatedly pointed to a substantial supply of foreign
products with encryption capabilities.

   +     National security authorities asserted that they
wished to maintain the worldwide strength and position of the
U.S. information technology industry. Vendors argued that when
they are prevented from exploiting their strengths--such as
being the first to develop integrated products with strong
encryption capabilities -- their advantages are in fact being

   The committee believes that to some extent, these
differences can be explained as the result of rhetoric by
parties intending to score points in a political debate. But
the differences are not merely superficial; they reflect
significantly different institutional perspectives. For
example, when national security authorities "take into account
foreign supplies of cryptography," they focus naturally on
what is available at the time the decision is being made. On
the other hand, vendors are naturally concerned about
incorporating features that will give their products a
competitive edge, even if no exactly comparable foreign
products with cryptography are available at the moment. Thus,
different parties focus on different areas of
concern--national security authorities on the capabilities
available today, and vendors on the capabilities that might
well be available tomorrow.

   NSA perceptions of vendors and users of cryptography may
well be clouded by an unwillingness to speak publicly about
the full extent of vendor and user unhappiness with the
current state of affairs. National security authorities
asserted that their working relationships with vendors of
products with encryption capabilities are relatively
harmonious. Vendors contended that since they are effectively
at the mercy of the export control regulators, they have
considerable incentive to suppress any public expression of
dissatisfaction with the current process. A lack (or small
degree) of vendor outcry against the cryptography export
control regime cannot be taken as vendor support for it. More
specifically, the committee received input from a number of
private firms on the explicit condition of confidentiality.
For example:

   +     Companies with interests in cryptography affected by
export control were reluctant to express fully their
dissatisfaction with the current rules governing export of
products with encryption capabilities or how these rules were
actually implemented in practice. They were concerned that any
explicit connection between critical comments and their
company might result in unfavorable treatment of a future
application for an export license for one of their products.

   + Companies that had significant dealings with the
Department of Defense were reluctant to express fully their
unhappiness with policy that strongly promoted classified
encryption algorithms and government-controlled key-escrow
schemes. These companies were concerned that expressing their
unhappiness fully might result in unfavorable treatment in
competinG for future DOD business.

   Many companies have expressed dissatisfaction publicly,
although a very small number of firms did express to the
committee their relative comfort with the way in which the
current export control regime is managed. The committee did
not conduct a systematic survey of all firms affected by
export regulations, and it is impossible to infer the position
of a company that has not provided input on the matter.(54)


   (54) The Department of Commerce study is the most
systematic attempt to date to solicit vendors' input on how
they have been affected by export controls, and the
solicitation received a much smaller response than expected.
See U.S. Department of Commerce and National Security Agency,
*A Study of the International Market for Computer Software
with Encryption*, prepared for the Interagency Working Group
on Encryption and Telecommunications Policy, Office of the
Secretary of Commerce, January 11, 1996.


                4.6 EXPORT OF TECHNICAL DATA

   The rules regarding "technical data" are particularly
difficult to understand. A cryptographic algorithm (if
described in a manner that is not machine-executable) is
counted as technical data, whereas the same algorithm if
described in machine-readable form (i.e., source or object
code) counts as a product. Legally, the ITAR regulate products
with encryption capabilities differently than technical data
related to cryptography, although the differences are
relatively small in nature. For example, technical data
related to cryptography enjoys an explicit exemption when
distributed to U.S.-controlled foreign companies, whereas
products with encryption capabilities are in principle subject
to a case by-case review in such instances (although in
practice, licenses for products with encryption capabilities
under such circumstances are routinely granted).

   Private citizens and academic institutions and vendors are
often unclear about the legality of actions such as:

   +     Discussing cryptography with a foreign citizen in the

   +     Giving away software with encryption capabilities
over the Internet (see Section 4.8);

   +     Shipping products with encryption capabilities to a
foreign company within the United States that is controlled
but not owned by a U.S. company;

   +     Selling a U.S. company that makes products with
strong encryption capabilities to a foreign company;

   +     Selling products with encryption capabilities to
foreign citizens on U.S. soil;

   +     Teaching a course on cryptography that involves
foreign graduate students;

   +     Allowing foreign citizens residing in the United
States to work on the source code of a product that uses
embedded cryptography.(55)

   Box 4.11 provides excerpts from the only document known to
the committee that describes the U.S. government explanation
of the regulations on technical data related to cryptography.
In practice, these and other similar issues regarding
technical data do not generally pose problems because these
laws are for the most part difficult to enforce and in
fact are not generally enforced. Nevertheless, the vagueness
and broad nature of the regulations may well put people in
jeopardy and unknowingly.(56)


   (55) For example, one vendor argues that because foreign
citizens hired by U.S. companies bring noncontrolled knowledge
back to their home countries anyway, the export control
regulations on technical data make little sense as a technique
for limiting the spread of knowledge. In addition, other
vendors note that in practice the export control regulations
on technical data have a much more severe impact on the
employees that they may hire than on academia, which is
protected at least to some extent by presumptions of academic

   (56) A suit filed in February 1995 seeks to bar the
government from restricting publication of cryptographic
documents and software through the use of the export control
laws. The plaintiff in the suit is Dan Bernstein, a graduate
student in mathematics at the University of California at
Berkeley. Bernstein developed an encryption algorithm that he
wishes to publish and to implement in a computer program
intended for distribution, and he wants to discuss the
algorithm and program at open, public meetings. Under the
current export control laws, any individual or company that
exports unlicensed encryption software may be in violation of
the export control laws that forbid the unlicensed export of
defense articles, and any individual that discusses the
mathematics of cryptographic algorithms may be in violation of
the export control laws that forbid the unlicensed export of
"technical data." The lawsuit argues that the export control
scheme as applied to encryption software is an "impermissible
prior restraint on speech, in violation of the First
Amendment" and that the current export control laws are vague
and overbroad in denying people the right to speak about and
publish information about cryptography freely. A decision by
the Northern District Court of California on April 15, 1996,
by Judge Marilyn Patel, denied the government's motion to
dismiss this suit, and found that for the purposes of First
Amendment analysis, source code should be treated as speech.
The outcome of this suit is unknown as the time of this
writing (spring 1996). The full text of this decision and
other related documents can be found at

   The constitutionality of export controls on technical data
has not been determined by the U.S. Supreme Court. A ruling by
the U.S. Ninth Circuit Court of Appeals held that the ITAR,
when construed as "prohibiting only the exportation of
technical data significantly and directly related to specific
articles on the Munitions List, do not interfere with
constitutionally protected speech, are not overbroad and the
licensing provisions of the Act are not an unconstitutional
prior restraint on speech." (See 579 F.2d 516, U.S. vs. Edler,
United States Court of Appeals, Ninth Circuit, July 31, 1978.)
Another suit filed by Philip Karn directly challenging the
constitutionality of the ITAR was dismissed by the U.S.
District Court for the District of Columbia on March 22, 1996.
(The issue at hand was the fact that Karn had been denied CCL
jurisdiction for a set of floppy diskettes containing source
code for cryptographic confidentiality identical to that
contained in Schneier's book (which had received CCL
jurisdiction). See http://www.qualcomm.com/people/
pkarn/export/index.html for the running story (Karn is
appealing this decision); this Web page also contains the
District Court's opinion on this lawsuit.) Some scholars argue
to the contrary that export controls on technical data may
indeed present First Amendment problems, especially if these
controls are construed in such a way that they inhibit
academic discussions of cryptography with foreign nationals or
prevent academic conferences on cryptography held in the
United States from inviting foreign nationals. See, for
example, Allen M. Shinn, Jr., "First Amendment and Export
Laws: Free Speech on Scientific and Technical Matters," *The
George Washington Law Review*, January 1990, pp. 368-403, and
Kenneth J. Pierce, "Public Cryptography, Arms Export Controls,
and the First Amendment: A Need for Legislation," *Cornell
International Law Journal*, Volume 17(19), pp. 197-237.



   A common perception within the vendor community is that the
National Security Agency is the sole "power behind the scenes"
for enforcing the export control regime for cryptography.
While NSA is indeed responsible for making judgments about the
national security impact of exporting products with encryption
capabilities, it is by no means the only player in the export
license application process.

   The Department of State plays a role in the export control
process that is quite important. For example, makers of
foreign policy in the U.S. government use economic sanctions
as a tool for expressing U.S. concern and displeasure with the
actions of other nations; such sanctions most often involve
trade embargoes of various types. Violations of human rights
by a particular nation, for example, represent a common issue
that can trigger a move for sanctions. Such sanctions are
sometimes based on presidential determinations (e.g., that the
human rights record of country X is not acceptable to the
United States) undertaken in accordance with law; in other
cases, sanctions against specific nations are determined
directly by congressional legislation; in still other cases,
sanctions are based entirely on the discretionary authority of
the President.

   The imposition of sanctions is often the result of
congressional action that drastically limits the discretionary
authority of the State Department. In such a context, U.S.
munitions or articles of war destined for particular offending
nations (or to the companies in such nations) are the most
politically sensitive, and in practice the items on the USML
are the ones most likely to be denied to the offending
nations. In all such cases, the State Department must
determine whether a particular item on the USML should or
should not qualify for a USML license. A specific example of
such an action given to the committee in testimony involved
the export of cryptography by a U.S. bank for use in a branch
located in the People's Republic of China. Because of China's
human rights record, the Department of State delayed the
export, and the contract was lost to a Swiss firm. The sale of
cryptographic tools that are intended to protect the interests
of a U.S. company operating in a foreign nation was subject to
a foreign policy stance that regarded such a sale as
equivalent to supplying munitions to that nation.

   Thus, even when NSA has been willing to grant an export
license for a given cryptography product, the State Department
has sometimes denied a license because cryptography is on the
USML. In such cases, NSA takes the blame for a negative
decision, even when it had nothing to do with it.

   Critics of the present export control regime have made the
argument that cryptography, as an item on the USML that is
truly dual-use, should not necessarily be included in such
sanctions. Such an argument has some intellectual merit, but
under current regulations it is impossible to separate
cryptography from the other items on the USML.


   Two cases are often cited in the cryptography community as
examples of the mismatch between the current export control
regime and the current state of cryptographic technology (Box
4.12). Moreover, they are often used as evidence that the
government is harassing innocent law-abiding citizens.

   Taken by themselves and viewed from the outside, both of
the cases outlined in Box 4.12 suggest an approach to national
security with evident weaknesses. In the first instance,
accepting the premise that programs for cryptography cannot
appear on the Internet because a foreigner might download them
seems to challenge directly the use of the Internet as a forum
for exchanging information freely even within the United
States. Under such logic (claim the critics), international
telephone calls would also have to be shut down because a U.S.
person might discuss cryptography with a foreign national on
the telephone. In the second instance, the information
contained in the book (exportable) is identical to that on the
disk (not exportable). Since it is the information about
cryptography that is technically at issue (the export control
regulations make no mention of the medium in which that
information is represented), it is hard to see why one would
be exportable and the other not.

   On the other hand, taking the basic assumptions of the
national security perspective as a given, the decisions have
a certain logic that is not only the logic of selective
prosecution or enforcement.

   +    In the case of Zimmermann, the real national security
issue is not the program itself, but rather the fact that a
significant PGP user base may be developing. Two copies of a
good encryption program distributed abroad pose no plausible
threat to national security. But 20 million copies might well
pose a threat. However, the export control regulations as
written do not mention potential or actual size of the user
base, and so the only remaining leverage is the broad language
that brings cryptography under the export control laws.

   +     In the case of Schneier, the real national security
issue relates to the nature of any scheme intended to deny
capabilities to an adversary. Typing the book's source code
into the computer is an additional step that an adversary must
take to implement a cryptography program and a step at which
an adversary could make additional errors. No approach to
denial can depend on a single "silver bullet"; instead, denial
rests on the erection of multiple barriers, all of which taken
together are expected to result in at least a partial denial
of a certain capability. Moreover, if one begins from the
premise that export controls on software encryption represent
appropriate national policy, it is clear that allowing the
export of the source code to Schneier's book would set a
precedent that would make it very difficult to deny permission
for the export of other similar software products with
encryption capabilities. Finally, the decision is consistent
with a history of commodity jurisdiction decisions that
generally maintains USML controls on the source code of a
product whose object code implementation of confidentiality
has been granted commodity jurisdiction to the CCL.

   These comments are not intended to excoriate or defend the
national security analysis of these cases. But the controversy
over these cases does suggest quite strongly that the
traditional national security paradigm of export controls on
cryptography (one that is biased toward denial rather than
approval) is stretched greatly by current technology. Put
differently, when the export control regime is pushed to an
extreme, it appears to be manifestly ridiculous.

                          4.9 RECAP

   Current export controls on products with encryption
capabilities are a compromise between (1) the needs of
national security to conduct signals intelligence and (2) the
needs of U.S. and foreign businesses operating abroad to
protect information and the needs of U.S. information
technology vendors to remain competitive in markets involving
products with encryption capabilities that might meet these
needs. These controls have helped to delay the spread of
strong cryptographic capabilities and use of those
capabilities throughout the world, to impede the development
of standards for cryptography that would facilitate such a
spread, and to give the U.S. government a tool for monitoring
and influencing the commercial development of cryptography.
Export controls have clearly been effective in limiting the
foreign availability of products with strong encryption
capabilities made by U.S. manufacturers, although enforcement
of export controls on certain products with encryption
capabilities appears to have created many public relations
difficulties for the U.S. government, and circumventions of
the current regulations appear possible. The dollar cost of
limiting the availability of cryptography abroad is hard to
estimate with any kind of confidence, since even the
definition of what counts as a cost is quite fuzzy. At the
same time, a floor of a few hundred million dollars per year
for the market affected by export controls on encryption seems
plausible, and all indications are that this figure will only
grow in the future.

   A second consideration is the possibility that export
controls on products with encryption capabilities may well
have a negative impact on U.S. national security interests by
stimulating the growth of important foreign competitors over
which the U.S. government has less influence, and possibly by
damaging U.S. competitive advantages in the use and
development of information technology. In addition, the export
control regime is clouded by uncertainty from the vendor
standpoint, and there is a profound mismatch between the
perceptions of government/national security and those of
vendors on the impact of the export control regime. Moreover,
even when a given product with encryption capabilities may be
acceptable for export on national security grounds,
nonnational security considerations may play a role in
licensing decisions.

   Partly in response to expressed concerns about export
controls, the export regime has been gradually loosened since
1983. This relaxation raises the obvious question of how much
farther and in what directions such loosening could go without
significant damage to national security interests. This
subject is addressed in Chapter 7.


                BOX 4.1 Enforcing Compliance
                   with End-Use Agreements

   In general, a U.S. Munitions List (USML) license is granted
to a U.S. exporter for the shipping of a product, technical
data, or service covered by the USML to a particular foreign
recipient for a set of specified end uses and subject to a
number of conditions (e.g., restrictions on reexport to
another nation, nontransfer to a third party). The full range
of ITAR sanctions is available against the U.S. exporter and
the foreign recipient outside the United States.

   The ITAR specify that as a condition of receiving a USML
license, the U.S. exporter must include in the contract with
the foreign recipient language that binds the recipient to
abide by all appropriate end-use restrictions. Furthermore,
the U.S. exporter that does not take reasonable steps to
enforce the contract is subject to ITAR criminal and civil
sanctions. But how can end-use restrictions be enforced for a
foreign recipient?

   A number of sanctions are available to enforce the
compliance of foreign recipients of USML items exported from
the United States. The primary sanctions available are the
criminal and civil liabilities established by the Arms Export
Control Act (AECA); the foreign recipient can face civil
and/or criminal charges in U.S. federal courts for violating
the AECA. Although different U.S. courts have different views
on extraterritoriality claims asserted for U.S. Iaw, a
criminal conviction or a successful civil lawsuit could result
in the imposition of criminal penalties on individuals
involved and/or seizure of any U.S. assets of the foreign
recipient. (When there are no U.S. assets, recovering fines or
damages can be highly problematic, although some international
agreements and treaties provide for cooperation in such
cases.) Whether an individual could be forced to return to the
United States for incarceration would depend on the existence
of an appropriate extradition treaty between the United States
and the foreign nation to whose jurisdiction the individual is

   A second avenue of enforcement is that the foreign
recipient found to be in violation can be denied all further
exports from the United States. In addition, the foreign
violator can be denied permission to compete for contracts
with the U.S. government. From time to time, proposals are
made to apply sanctions against violators that would deny
privileges for them to export products to the United States,
though such proposals often create political controversy.

   A third mechanism of enforcement may proceed through
diplomatic channels. Depending on the nation to whose
jurisdiction the foreign recipient is subject, the U.S.
government may well approach the government of that nation to
seek its assistance in persuading or forcing the recipient to
abide by the relevant end-use restrictions.

   A fourth mechanism of enforcement is the sales contract
between the U.S. exporter and the foreign recipient, which
provides a mechanism for civil action against the foreign
recipient. A foreign buyer who violates the end-use
restrictions is in breach of contract with the U.S. exporter,
who may then sue for damages incurred by the U.S. company.
Depending on the language of the contract, the suit may be
carried out in U.S. or foreign courts; alternatively, the
firms may submit to binding arbitration.

   The operation of these enforcement mechanisms can be
cumbersome, uncertain, and slow. But they exist, and they are
used. Thus, while some analysts believe that they do not
provide sufficient protection for U.S. national security
interests, others defend them as a reasonable but not perfect
attempt at defending those interests.


               BOX 4.2 Licensing Relaxations
              on Cryptography: A Short History

   Prior to 1983, all cryptography exports required individual
license from the State Department. Since then, a number of
changes have been proposed and mostly implemented.

Year    Change

1983    Distribution licenses established allowing exports to
        multiple users under a single license 1987
        Nonconfidentiality products moved to Department of
        Commerce (DOC) on a case-by-case basis 1990 ITAR
        amended -- all nonconfidentiality products under DOC

1990    Mass-market general-purpose software with encryption
        for confidentiality moved to DOC on case-by-case basis

1992    Software Publishers Association agreement providing
        for 40-bit RC2/RC4-based products under DOC

1993    Mass-market hardware products with encryption
        capabilities moved to DOC on case-by-case basis

1994    Reforms to expedite license processing at Department
        of State

1995    Proposal to move to DOC software products with 64-bit
        cryptography for confidentiality with "properly
        escrowed" keys

1996    "Personal use" exemption finalized

SOURCE: National Security Agency.


           BOX 4.3 Important Differences Between
                the U.S. Munitions List and
                 the Commodity Control List


For Items on U.S.            For Items of Commerce
Munitions List (USML):       Control List (CCL):

Department of State has      Department of Commerce may
broad leeway to take         limit exports only to the
national security            extent that they would make "a
considerations into          significant contribution to the
account in licensing         military potential of any other
decisions; indeed, national  country which would prove
security and foreign         detrimental to the national
policy considerations        security of the United States."
are the driving force        or "where necessary to further
behind the Arms Export       significantly the foreign policy
Control Act.                 of the United States."
                             The history of the Export
                             Administration Act strongly
                             suggests that its national
                             security purpose is to deny dual-
                             use items to countries of
                             Communist Block nations, nations
                             of concern with respect to
                             proliferation of weapons of mass
                             destruction, and other rogue

Items are included on the    Performance parameters rather
USML if the item is          than broad categories define
"inherently military in      included items.
character"; the end use
is irrelevant in such
a determination. Broad
categories of product are

Decisions about export can   Decisions about export must be
take as long as necessary.   completed within 120 days.

Export licenses can be       Export licenses can be denied
denied on very general       only on very specific
grounds (e.g., the export    grounds (e.g., high
would be against the U.S.    likelihood of diversion to
national interest).          proscribed nations).

Individually validated       General licenses are often
licenses are generally       issued, although general
required, although           licenses do not convey
distribution and bulk        blanket authority for export
licenses are possible        (see Note 2 below).
(see Note I below).

Prior government approval    Prior government approval is
is needed for export.        generally not needed for export.

Licensing decisions are not  Licensing decisions are subject
subject to judicial review.  to judicial review by a federal
                             judge or an administrative law

Foreign availability may     Foreign availability of items
or may not be a              that are substantially
consideration in granting    equivalent is, by law,
a license at the discretion  a consideration in a licensing
of the State Department.     decision.

Items included on the        Items included on the CCL must
USML are not subject         be reviewed periodically.
to periodic review.

A Shipper's Export           An SED may be required, unless
Declaration (SED)            exemption from the requirement
is required in all           is granted under the Export
instances.                   Administration Regulations.


   Note 1: Bulk licenses authorize multiple shipments without
requiring individual approval. Distribution licenses authorize
multiple shipments to a foreign distributor. In each case,
record-keeping requirements are imposed on the vendor. In
practice, a distribution license shifts the burden of export
restrictions from vendor to distributor. Under a distribution
license, enforcement of restrictions on end use and on
destination nations and post-shipment record-keeping
requirements are the responsibility of the distributor;
vendors need not seek an individual license for each specific

   Note 2: Even if an item is controlled by the CCL, U.S.
exporters are not allowed to ship such items if the exporter
knows that it will be used directly in the production of
weapons of mass destruction or ballistic missiles by a certain
group of nations. Moreover, U.S. exports from the CCL are
prohibited entirely to companies and individuals on a list of
"Specially Designated Nationals" designated as agents of Cuba,
Libya, Iraq, North Korea, or Yugoslavia or to a list of
companies and individuals on the Bureau of Export
Administration's Table of Denial Orders (including some
located in the United States and Europe).


               BOX 4.4 Categorical Exceptions
           on the USML for Products Incorporating
            Cryptography and Informal Practices
                     Governing Licensing

                   Categorical Exemptions

The ITAR provide for a number of categorical exemptions,

   +     Mass-market software products that use 40-bit key
lengths with the RC2 or RC4 algorithm for confidentiality.
(See Note I below.)

   +    Products with encryption capabilities for
confidentiality (of any strength) that are specifically
intended for use only in banking or money transactions.
Products in this category may have encryption of arbitrary

   +    Products that are limited in cryptographic
functionality to providing capabilities for user
authentication, access control, and data integrity.

   Products in these categories are automatically granted
commodity jurisdiction to the Commerce Control List (CCL).

               Informal Noncodified Exemptions

   The current export control regime provides for an
individual case-by-case review of USML licensing applications
for products that do not fall under the jurisdiction of the
CCL. Under current practice, certain categories of firm will
generally be granted a USML license through the individual
review process to acquire and export for its own use products
with encryption capabilities stronger than that provided by
40-bit RC2/RC4 encryption (see Note 2 below):

   +    A U.S.-controlled firm (i.e., a U.S. firm operating
abroad, a U.S.-controlled foreign firm, or a foreign
subsidiary of a U.S. firm);

   +    Banks and financial institutions (including stock
brokerages and insurance companies), whether U.S.-controlled
or owned or foreign-owned, if the products involved are
intended for use in internal communications and communications
with other banks even if these communications are not limited
strictly to banking or money transactions.


   Note 1: The RC2 and RC4 algorithms are symmetric-key
encryption algorithms developed by RSA Data Security Inc.
(RSADSI). They are both proprietary algorithms, and
manufacturers of products using these algorithms must enter
into a licensing arrangement with RSADSI. RC2 and RC4 are also
trademarks owned by RSADSI, although both algorithms have
appeared on the Internet. A product with capabilities for
confidentiality will be automatically granted commodity
jurisdiction to the CCL if it meets a certain set of
requirements the most important of which are the following:

   a. The software includes encryption for data
confidentiality and uses the RC4 and/or RC2 algorithms with a
key space of 40 bits.

   b. If both RC4 and RC2 are used in the same software, their
functionality must be separate; that is, no data can be
operated on by both routines.

   c. The software must not allow the alteration of the data
encryption mechanism and its associated key spaces by the user
or by any other program.

   d. The key exchange used in the data encryption must be
based on either a public-key algorithm with a key space less
than or equal to a 512-bit modulus and/or a symmetrical
algorithm with a key space less than or equal to 64 bits.

   e. The software must not allow the alteration of the key
management mechanism and its associated key space by the user
or any other program.

   To ensure that the software has properly implemented the
approved encryption algorithm(s), the State Department
requires that the product pass a "vector test," in which the
vendor receives test data (the vector) and a random key from
the State Department, encrypts the vector with the product
using the key provided, and returns the result to the State
Department; if the product-computed result is identical to the
known correct answer, the product automatically qualifies for
jurisdiction under the CCL.

   Note that the specific technical requirements described in
this footnote are not contained in the *Federal Register*;
rather, they were described in a State Department document
whose change is not subject to an official procedure for
public comment. (These conditions were first published in
"Defense Trade News," Volume 3(4), October 1992, pages 11-15.
"Defense Trade News" is a newsletter published by the Office
of Defense Trade Controls at the Department of State.)

   Note 2: How much stronger than 40-bit RC2/RC4 is
unspecified. Products incorporating the 56-bit DES algorithm
are often approved for these informal exemptions, and at times
even products using larger key sizes have been approved. But
the key size is not unlimited, as may be the case under the
explicit categorical exemptions specified in the ITAR.


              BOX 4.5 Successful Challenges to
                      40-bit Encryption

   In the summer of 1995, a message encoded with the 40-bit
RC4 algorithm was successfully decrypted without prior
knowledge of the key by Damien Doligez of the INRIA
organization in France. The message in question was a record
of an actual submission of form data that was sent to
Netscape's electronic shop order form in "secure" mode
(including a fictitious name and address). The challenge was
posed to break the encryption and recover the name and address
information entered in the forrn and sent securely to
Netscape. Breaking the encryption was accomplished by a
brute-force search on a network of about 120 workstations and
a few parallel computers at INRIA, Ecole Polytechnique, and
ENS. The key was found after scanning a little more than half
the key space in 8 days, and the message was successfully
decrypted. Doligez noted that many people have access to the
amount of computing power that he used, and concluded that the
exportable Secure Sockets Layer protocol is not strong enough
to resist the attempts of amateurs to decrypt a "secure"

   In January 1996, an MIT undergraduate student used a single
$83,000 graphics computer to perform the same task in 8 days.
Testing keys at an average rate of more than 830,000 keys per
second, the program running on this computer would take 15
days to test every key.


                  BOX 4.6 Difficulties in
                  Controlling Cryptography

   Hardware products with encryption capabilities can be
controlled on approximately the same basis as traditional
munitions. But software products with encryption capabilities
are a different matter. A floppy disk containing programs
involving cryptography is visually indistinguishable from one
containing any other type of program or data files.
Furthermore, software products with encryption capabilities
can be transported electronically, with little respect for
physical barriers or national boundaries, over telephone lines
and the Internet with considerable ease. Cryptographic
algorithms, also controlled by the International Traffic in
Arms Regulations as "technical data," represent pure knowledge
that can be transported over national borders inside the heads
of people or via letter.

   As is true for all other software products, software
products with encryption capabilities are infinitely
reproducible at low cost and with perfect fidelity; hence, a
controlled item can be replicated at a large number of points.
This fact explains how vast amounts of software piracy can
occur both domestically and abroad. In principle, one software
product with encryption capabilities taken abroad can serve as
the seed for an unlimited number of reproductions that can
find their way to hostile parties. Finally, it can be argued
that the rogue nations that pose the most important targets
for U.S. signals intelligence collection are also the least
likely to refrain from pirating U.S. software.


              BOX 4.7 Key Differences Between
             Commercial Products and "Freeware"


                                     Commercial   "Freeware"
                                     Vendors       Products

Stake of reputation of               Higher         Lower
product offer

Scale of operation                   Larger         Smaller

Cost of distribution                 Higher         Lower

Support for products                 Greater        Lesser

Role of profit-making motive         Higher         Lower

Ability to integrate cryptography    Greater        Lesser
into useful and sophisticated
general-purpose software

Vulnerablity to regulatory and       Higher         Lower
legal constraints

Likelihood of market                 Higher         Lower
"staying power"

Likelihood of wide distribution      Higher         Lower
and use

Financial liability for              Higher         Lower
poor product performance

Cost of entry into markets           Higher         Lower

NOTE: All of the characterizations listed are tendencies
rather than absolutes, and are relative (i.e. determined by
comparing products from major commercial vendors to freeware).


                BOX 4.8 A Partial Survey of
        Foreign Encryption Products on the TIS Survey

   +    A British product manual notes that "a key can be any
word, phrase, or number from 1 to 78 characters in length,
though for security purposes keys shorter than six characters
are not recommended." Only alphanumeric characters are used in
the key, and alpha characters do not distinguish between upper
and lower case. While the longer pass phrases can produce keys
with the full 56 bits of uncertainty [changing "can" to "do"
would require more extensive tests], passwords of even six
characters are woefully inadequate. It is dangerous to allow
users to enter such keys, much less the single-character keys
allowed by this product.

   +    One British product is a DES implementation that
recommends cipher block chaining, but uses electronic codebook
(ECB) mode as the default. The use of ECB as the default is
dangerous because ECB is less secure than cipher block

   +    A Danish product uses DES with an 8-character key, but
limits each character to alphanumeric and punctuation symbols.
Hence the key is less than a full 56 bits long. With this
restriction, many users are likely to use only upper or lower
case alpha characters, resulting in a key less than 40 bits

   +    A foreign product uses the FEAL algorithm as well as
a proprietary algorithm. Aside from the question of algorithm
strength, the key is 1 to 8 characters long and does not
distinguish between upper and lower case. The result is a
ridiculously short key, a problem that is compounded by the
recommendation in the manual to use a 6- to 8-letter
artificial word as the key (e.g., it suggests that for the
name Bill, "billbum" might be used as the key).

   +    A product from New Zealand uses DES plus a public-key
system similar to RSA, but based on Lucas functions. The
public-key portion limits the key size to 1,024 bits, but does
not seem to have a lower bound, a potentially dangerous
situation. The DES key can be 1 to 24 characters in length. If
the key is 1 to 8 characters, then single DES is used,
otherwise triple DES is used. The lack of a lower bound on key
length is dangerous.

   +    An Israeli product uses DES or QUICK, a proprietary
algorithm. The minimum key length is user selectable between
0 and 8 characters. Allowing such small lower bounds on key
length is dangerous. The product also has a "super-password"
supplied by the vendor, another potentially dangerous
situation. This product is available both in hardware and in

   +    A German hardware product has user-settable S-boxes,
and the key can be entered either as 8 characters or 16
hexadecimal characters to yield a true 64-bit key (which will
be reduced by the algorithm to 56 bits). The use of 16
hexadecimal character keys will result in higher security, but
if the key can also be entered as 8 alphanumeric characters,
many users are likely to do so, thus severely reducing the
security level. User-selectable S-boxes can have advantages
(if they are unknown to a cryptanalyst) and disadvantages (if
they are poorly chosen and either are known to or can be
guessed by a cryptanalyst). On balance, the danger is arguably
greater than the advantage.

   +     British product recommends one master key per
organization so that files can be shared across personal
computers. This practice is very dangerous.

   To summarize, the defects in these products are related to
poor key management practices, because they either employ or
allow poor key management that would enable a determined and
knowledgeable adversary to penetrate the security they offer
with relative ease. As noted in Section 4.2 of the text, U.S.
products are not necessarily more secure.


SOURCE: Committee examination and synthesis of materials
provided by Trusted Information Systems Inc.


             BOX 4.9 Circumventions of the ITAR

   Current export controls on cryptography can apparently be
circumvented in a number of entirely legal and/or
hard-to-detect ways. For example:

   +     U.S. company can develop a product without encryption
capabilities and then sell the source code of the product to
a friendly foreign company that incorporates additional source
code for encryption into the product for resale from that
foreign country (assuming that that country has no (or weaker)
export controls on cryptography).

   +    A U.S. company possessing products with encryption
capabilities can be bought by a foreign company; in general,
no attempt is made to recover those products.

   +    A U.S. company can work with legally independent
counterparts abroad that can incorporate cryptographic
knowledge available worldwide into products.


              BOX 4.10 Problems Arising from a
              Lengthy Export Licensing Process

   +    Some foreign customers know it will take a long time
to obtain a positive licensing decision, and as a consequence
do not bother to approach U.S. vendors at all.

   +    Products to market are delayed; even when export
licenses are eventually granted, they are often granted too
late to be useful, because the area of information technology
is so fast-moving.

   +    Rapid decisions are not rendered. In one instance
reported to the committee, a U.S. information technology
company wanted permission to use its own software (with strong
encryption capabilities) to communicate with its foreign
offices. Such cases are in theory expedited because of a
presumptive approval in these circumstances; this vendor's
government contacts agreed that "such an application would be
no problem"' and that an approval would be a rapid
"rubber-stamp" one, but in fact, this vendor is still awaiting
a license after more than a year.

   +    System integrators intending to ship complete systems
rather than individual products face particular difficulties
in obtaining a speedy turnaround, because the task for
national security authorities involves an assessment of the
entire system into which a given product (or products) with
encryption capabilities will be integrated, rather than an
assessment of just the products with encryption capabilities

   +    Even vendors that manufacture cryptographic software
not intended for export are required to register with the
State Department Office of Defense Trade Controls, primarily
"to provide the U.S. government with necessary information on
who is involved in certain manufacturing and exporting


   (1)  International Traffic in Arms Regulations, Section
122.1 (c).


                 BOX 4.11 On The Export of
           Technical Data Related to Cryptography

   "Cryptologic technical data ... refers ... only [to] such
information as is designed or intended to be used, or which
reasonably could be expected to be given direct application,
in the design, production, manufacture, repair, overhaul,
processing, engineering, development, operation, maintenance
or reconstruction of items in such categories. This
interpretation includes, in addition to engineering and design
data, information designed or reasonably expected to be used
to make such equipment more effective, such as encoding or
enciphering techniques and systems, and communications or
signal security techniques and guidelines, as well as other
cryptographic and cryptanalytic methods and procedures. It
does not include general mathematical, engineering or
statistical information, not purporting to have or reasonably
expected to be given direct application to equipment in such
categories. It does not include basic theoretical research
data. It does, however, include algorithms and other
procedures purporting to have advanced cryptologic

   "The public is reminded that professional and academic
presentations and informal discussions, as well as
demonstrations of equipment, constituting disclosure of
cryptologic technical data to foreign nationals are prohibited
without the prior approval of this office. Approval is not
required for publication of data within the United States as
described in Section 125.11(a)(1). Footnote 3 to section
125.11 does not establish a prepublication review requirement.

   "The interpretation set forth in this newsletter should
exclude from the licensing provisions of the ITAR most basic
scientific data and other theoretical research information,
except for information intended or reasonably expected to have
a direct cryptologic application. Because of concerns
expressed to this office that licensing procedures for
proposed disclosures of cryptologic technical data contained
in professional and academic papers and oral presentations
could cause burdensome delays in exchanges with foreign
scientists, this office will expedite consideration as to the
application of ITAR to such disclosures. If requested, we
will, on an expedited basis provide an opinion as to whether
any proposed disclosure, for other than commercial purposes,
of information relevant to cryptology, would require licensing
under the ITAR."


SOURCE: Office of Munitions Control, Department of State,
"Cryptography/Technical Data," in *Munitions Control
Newsletter*, Number 80, February 1980. (The Office of
Munitions Control is now the Office of Defense Trade


             BOX 4.12 Two Export Control Cases

                   The Zimmermann PGP Case

   Philip Zimmermann is the author of a software program known
as PGP (for Pretty Good Privacy). PGP is a program that is
used to encrypt mail messages end-to-end based on public-key
cryptography. Most importantly, PGP includes a system for key
management that enables two users who have never interacted to
communicate securely based on a set of trusted intermediaries
that certify the validity of a given public key. Across the
Internet, PGP is one of the most widely used systems for
secure e-mail communication.

   Zimmermann developed PGP as a "freeware" program to be
distributed via diskette. Another party subsequently posted
PGP to a USENET newsgroup.(1) (A commercial version licensed
from but not supplied by Zimmermann has since emerged.) In
1993, Zimmermann was determined to be the target of a criminal
investigation probing possible violations of the export
control laws.(2) Zimmermann was careful to state that PGP was
not to be used or downloaded outside the United States, but of
course international connections to the Internet made for easy
access to copies of PGP located within the United States. In
January 1996, the U.S. Department of Justice closed its
investigation of Zimmermann without filing charges against

       The Bruce Schneier-*Applied Cryptography* Case

   Bruce Schneier wrote a book called *Applied
Cryptography*(4) that was well received in the cryptography
community. It was also regarded as useful in a practical sense
because it contained printed on its pages source code that
could be entered into a computer and compiled into a working
cryptography program. In addition, when distributed within the
United States, the book contained a floppy disk that contained
source code identical to the code found in the book. However,
when another party (Philip Karn) requested a ruling on the
exportability of the book, he (Karn) received permission to
export the book but not the disk. This decision has been
greeted with considerable derision in the academic
cryptography community, with comments such as "They think that
terrorists can't type?" expressing the general dismay of the


   (1)  A USENET newsgroup is in effect a mailing list to
which individuals around the world may subscribe. Posting is
thus an act of transmission to all list members.

   (2)  John Schwartz, "Privacy Program: An On-Line Weapon?,"
*Washington Post*, April 3, 1995, p. A-l.

   (3)  Elizabeth Cocoran, "U.S. Closes Investigation in
Computer Privacy Case," *Washington Post*, January 12, 1996,
p. A-11.

   (4)  Bruce Schnier, *Applied Cryptography*, John Wiley and
Sons, 1994.


[End Chapter 4]

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


           Escrowed Encryption and Related Issues

   Chapter 5 describes a tool escrowed encryption -- that
responds to the needs described in Chapter 3 for exceptional
access to encrypted information. Escrowed encryption is the
basis for a number of Administration proposals that seek to
reconcile needs for information security against the needs of
law enforcement and to a lesser extent national security. As
in the case of export controls, escrowed encryption generates
considerable controversy.


   The term "escrow," as used conventionally, implies that
some item of value (e.g., a trust deed, money, real property,
other physical object) is delivered to an independent trusted
party that might be a person or an organization (i.e., an
escrow agent) for safekeeping, and is accompanied by a set of
rules provided by the parties involved in the transaction
governing the actions of the escrow agent. Such rules
typically specify what is to be done with the item, the
schedule to be followed, and the list of other events that
have to occur. The underlying notion is that the escrow agent
is a secure haven for temporary ownership or possession of the
item, is legally bound to comply with the set of rules for its
disposition, functions as a disinterested extratransaction
party, and bears legal liability for malfeasance or mistakes.

   Usually, the rules stipulate that, all conditions set forth
in the escrow rules having been fulfilled, there will
eventually be delivery of the item to a specified party (e.g.,
possibly the original depositing party, an estate, a judicial
officer for custody, one or more individuals or
organizations). In any event, the salient point is that all
terms and conditions and functioning of an escrow process are,
or can be, visible to the parties involved; moreover, the
behavior and performance of formal escrow agents are governed
by legally established obligations.

   As it applies to cryptography, the term "escrow" was
introduced by the government's April 1993 Clipper initiative
in the context of encryption keys. Prior to this time, the
term "escrow" had not been widely associated with
cryptography, although the underlying concepts had been known
for some time (as described below). The Clipper initiative
promoting escrowed encryption was intended "to improve the
security and privacy of telephone communications while meeting
the legitimate needs of law enforcement."(1) In this original
context, the term "escrowed encryption" had a very specific
and narrow meaning: escrowed encryption was a mechanism that
would assure law enforcement access to the voice
communications underlying encrypted intercepts from wiretaps.

   However, during 3 years of public debate and dialogue,
"escrow," "key escrow," and "escrowed encryption" have become
terms with a much broader meaning. Indeed, many different
schemes for "escrowed encryption" are quite different from
"escrowed encryption" as the term was used in the Clipper

   As is so often the case in computer-related matters,
terminology for escrowed systems is today not clearly
established and can be confusing or misleading. While new
terminology could be introduced in an effort to clarify
meaning, the fact is that the present policy and public and
technical dialogues all use "escrow" and "escrowed encryption"
in a very generic and broad sense. It is no longer the very
precise restricted concept embodied in the Clipper initiative
and described in Section 5.2.1. Escrow as a concept now
applies not only to the initial purpose of assuring law
enforcement access to encrypted materials, but also to
possible end-user or organizational requirements for a
mechanism to protect against lost, corrupted, or unavailable
keys. It can also mean that some process such as authority to
decrypt a header containing a session key is escrowed with a
trusted party, or it can mean that a corporation is ready to
cooperate with law enforcement to access encrypted materials.

   This report conforms to current usage, considering escrowed
encryption as a broad concept that can be implemented in many
ways; Section 5.3 addresses forms of escrowed encryption other
than that described in the Clipper initiative. Also, escrowed
encryption is only one of several approaches to providing
exceptional access to encrypted information; nonescrow
approaches to providing exceptional access are discussed in
Chapter 7.2.

   Finally, the relationship between "strong encryption" and
"escrowed encryption" should be noted. As stated above,
escrowed encryption refers to an approach to encryption that
enables exceptional access to plaintext without requiring a
third party (e.g., government acting with legal authorization,
a corporation acting in accordance with its contractual rights
vis-a-vis its employees, an individual who has lost an
encryption key) to perform a cryptanalytic attack. At the same
time, escrowed encryption can involve cryptographic algorithms
that are strong or weak and keys that are long or short. Some
participants in the public debate appear to believe that
escrowed encryption is necessarily equivalent to weak
encryption, because it does not prevent third parties from
having access to the relevant plaintext. But this is a
mischaracterization of the intent behind escrowed encryption,
since all escrowed encryption schemes proposed to date are
intended to provide very strong cryptographic confidentiality
(strong algorithms, relatively long keys) for users against
unauthorized third parties, but no confidentiality at all
against third parties who have authorized exceptional access.


   (1)  See Statement by the Press Secretary, The White House,
April 16, 1993. Reprinted in David Banisar (ed.). 1994.
"Statement by the Press Secretary, The White House, April 16,
1993," *1994 Cryptography and Privacy Sourcebook*, Electronic
Privacy Information Center, Diane Publishing, Upland,
Pennsylvania, Part II. The name "Clipper" initially selected
as the name of this effort proved later to be a trademark
whose holder relinquished it to public use.

   (2)  In the more general meaning of escrowed encryption,
exceptional access refers to access to plaintext by a party
other than the originator and the recipient of encrypted
communications. For the case of stored information,
exceptional access may refer to access to the plaintext of an
encrypted file by someone not designated by the original
encryptor of the file to decrypt it or even by persons so
designated who have forgotten how to do so. See also Chapter

   Contrast the meaning of third-party access in the original
Clipper context, in which third-party access refers to assured
access, under proper court authorization, by law enforcement
to the plaintext of an encrypted voice conversation. The
Clipper initiative was intended to support a system that
provided a technically convenient means to assure fulfillment
of such a requirement. Note that this meaning is much narrower
than the use of the more general term "exceptional access"
described in the previous paragraph.



   Since inheriting the problem of providing law enforcement
access to encrypted telephony from the outgoing Bush
Administration in late 1992, Clinton Administration officials
have said that as they considered the not-so-distant future of
information technology and information security along with the
stated needs of law enforcement and national security for
access to information, they saw three alternatives.(3)

   +    To do nothing, resulting in the possible proliferation
of products with encryption capabilities that would seriously
weaken, if not wholly negate, the authority to wiretap
embodied in the Wiretap Act of 1968 (Title III) and damage
intelligence collection for national security and foreign
policy reasons;

   +    To support an approach based on weak encryption,
likely resulting in poor security and cryptographic
confidentiality for important personal and business
information; and

   +    To support an approach based on strong but escrowed
encryption. If widely adopted and properly implemented,
escrowed encryption could provide legitimate users with high
degrees of assurance that their sensitive information would
remain secure but nevertheless enable law enforcement and
national security authorities to obtain access to
escrow-encrypted data in specific instances when authorized
under law. Moreover, the Administration hoped that by meeting
legitimate demands for better information security, escrowed
encryption would dampen the market for unescrowed encryption
products that would deny access to law enforcement and
national security authorities even when they sought access for
legitimate and lawfully authorized purposes.

   The Administration chose the last, and since April 1993,
the U.S. government has advanced a number of initiatives to
support the insertion of key escrow features into products
with encryption capabilities that will become available in the
future. These include the Clipper initiative and the Escrowed
Encryption Standard, the Capstone/Fortezza initiative, and the
proposal to liberalize export controls on products using
escrowed encryption. These initiatives raise a number of
important issues that are the focus of Sections 5.3 to 5.13.


   (3)  See, for example, statement of Raymond Kammer, deputy
director, National Institute of Standards and Technology,
before the Committee on the Judiciary, U.S. Senate, May 3,
1994. Available on line from


              5.2.1 The Clipper Initiative and
              the Escrowed Encryption Standard

   As noted above, the Clipper initiative was conceived as a
way for providing legal access by law enforcement authorities
to encrypted telephony.(4) The Escrowed Encryption Standard
(EES; a Federal Information Processing Standard, FIPS-185) was
promulgated in February 1994 as the key technological
component of the Clipper initiative (Box 5.1). Specifically,
the EES called for the integration of special microeleckonic
integrated circuit chips (called "Clipper chips") into devices
used for voice communications, these chips, as one part of an
overall system, provide voice confidentiality for the user and
exceptional access to law enforcement authorities. To provide
these functions, the Clipper chip was designed with a number
of essential characteristics:

   +    Confidentiality would be provided by a classified
algorithm known as Skipjack. Using an 80-bit key, the Skipjack
algorithm would offer considerably more protection against
brute-force attacks than the 56-bit DES algorithm (FIPS 46-1).
The Skipjack algorithm was reviewed by several independent
experts, all with the necessary security clearances. In the
course of an investigation limited by time and resources, they
reported that they did not find short-cuts that would
significantly reduce the time to perform a cryptanalytic
attack below what would be required by brute force.(5)

   +    The chip would be protected against reverse
engineering and other attempts to access its technical

   +    The chip would be factory-programmed with a
chip-unique secret key, the "unit key" or "device key,"(6) at
the time of fabrication. Possession of this key would enable
one to decrypt all communications sent to and from the
telephone unit in which the chip was integrated.

   +    A law enforcement access field (LEAF) would be a
required part of every transmission and would be generated by
the chip. The LEAF would contain two items: (a) the current
session key,(7) encrypted with a combination of the
device-unique unit key, and (b) the chip serial number. The
entire LEAF would itself be encrypted by a different but
secret "family key" also permanently embedded in the chip. The
family key would be the same in all Clipper chips produced by
a given manufacturer; in practice, all Clipper chips
regardless of manufacturer are programmed today by the
Mykotronx Corporation with the same family key.

   To manage the use of the LEAF, the U.S. government would
undertake a number of actions:

   +    The unit key, known at the time of manufacture and
unchangeable for the life of chip, would be divided into two
components, each of which would be deposited with and held
under high security by two trusted government escrow agents
located within the Departments of Commerce and Treasury.

   +    These escrow agents would serve as repositories for
all such materials, releasing the relevant information to law
enforcement authorities upon presentation of the unit
identification and lawfully obtained court orders.

   When law enforcement officials encountered a Clipper-
encrypted conversation on a wiretap, they would use the LEAF
to obtain the serial number of the Clipper chip performing the
encryption and the encrypted session key.(8) Upon presentation
of the serial number and court authorization for the wiretap
to the escrow agents, law enforcement officials could then
obtain the proper unit-key components, combine them, recover
the session key, and eventually decrypt the encrypted voice
communications.(9) Only one key would be required in order to
obtain access to both sides of the Clipper-encrypted
conversation. The authority for law enforcement to approach
escrow agents and request unit-key components was considered
to be that granted by Title III and the Foreign Intelligence
Surveillance Act (FISA).(10)

   As a FIPS, the EES is intended for use by the federal
government and has no legal standing outside the federal
government. Indeed, its use is optional even by federal
agencies. In other words, federal agencies with a requirement
for secure voice communications have a choice about whether or
not to adopt the EES for their own purposes. More importantly,
the use of EES-compliant devices by private parties cannot in
general be compelled by executive action alone; private
consumers are free to decide whether or not to use
EES-compliant devices to safeguard communications and are free
to use other approaches to communications security should they
so desire." However, if consumers choose to use EES-compliant
devices, they must accept key escrow as outlined in procedures
promulgated by the government. This characteristic -- that
interoperability requires acceptance of key escrow -- is a
design choice; a different specification could permit the
interoperability of devices with or without features for key

   The EES was developed by communications security experts
from the National Security Agency (NSA), but the escrow
features of the EES are intended to meet the needs of law
enforcement -- i.e., its needs for clandestine surveillance of
electronic and wire communications as described in Chapter 3.
NSA played this development role because of its technical
expertise. EES-compliant devices are also approved for
communicating classified information up to and including
SECRET. In speaking with the committee, Administration
officials described the Clipper initiative as more or less
irrelevant to the needs of signals intelligence (SIGINT) (Box

   As of early 1996, AT&T has sold about 10,000 to 15,000
units of the Surity Telephone Device 3600. These include four
configurations: Model C, containing only the Clipper chip,
which has been purchased primarily by U.S. government
customers; Model F, containing only an AT&T-proprietary
algorithm that is exportable; Model P, containing an
AT&T-proprietary nonexportable algorithm in addition to the
exportable algorithm; and Model S, with all three of the
above. Only units with the Clipper chip have a key-escrow
feature. All the telephones are interoperable -- they
negotiate with each other to settle on a mutually available
algorithm at the beginning of a call.(12) In addition, AT&T
and Cycomm International have agreed to jointly develop and
market Clipper-compatible digital voice encryption attachments
for Motorola's Micro-Tac series of handheld cellular
telephones; these products are expected to be available in the
second quarter of 1996.(13) Finally, AT&T makes no particular
secret of the fact that its Surity line of secure voice
communication products employs Clipper chip technology, but
that fact is not featured in the product literature; potential
consumers would have to know enough to ask a knowledgeable
sales representative.


   (4)  Dorothy Denning and Miles Smid, "Key Escrowing Today,"
*IEEE Communications*, Volume 32, 1994, pp. 58-68. Available
on-line from http://www.cosc.georgetown.edu/~denning/

   (5)  See Ernest Brickell et al., *SKIPJACK Review: Interim
Report*, July 28, 1993. Posted to the "sci.crypt" newsgroup on
August 1, 1993, by Dorothy Denning and available from
Reprinted in Lance Hoffman (ed.), *Building in Big Brother:
The Cryptographic Policy Debate*, Springer-Verlag, New York,
1995, pp. 119-130.

   (6)  The device key or unit key is used to open the
encryption that protects a session key. Hence, possession of
the unit key allows the decryption of all messages or files
encrypted with that unit or device. "Session key" is defined
in footnote 7.

   (7)  "Session," as in computer science, denotes a period of
time during which one or more computer-based processes are
operational and performing some function; typically two or
more of systems, end users, or software processes are involved
in a session. It is analogous to a meeting among these things.
For cryptography, a session is the plaintext data stream on
which the cryptographic process operates. The session key is
the actual key that is needed to decrypt the resulting
ciphertext. In the context of an encrypted data transmission
or telephone call, the session key is the key needed to
decrypt the communications stream. For encrypted data storage,
it is the key needed to decrypt the file. Note that in the
case of symmetric encryption (discussed in Chapter 2), the
decryption key is identical to the encryption key. Since
asymmetric encryption for confidentiality is efficient only
for short messages or files, symmetric encryption is used for
session encryption of telephony, data transmissions, and data

   (8)  Because the family key would be known to law
enforcement officials, obtaining the unencrypted LEAF would
present no problems.

   (9)  Questions have arisen about NSA access to escrowed
keys. NSA has stated for the record to the committee that "key
escrow does not affect either the authorities or restrictions
applicable to NSA's signals intelligence activities. NSA's
access to escrowed keys will be tied to collection against
legitimate foreign intelligence targets. The key holder must
have some assurance that NSA is involved in an authorized
intelligence collection activity and that the collection
activity will be conducted in accordance with the appropriate
restrictions." For a description of these restrictions, see
Appendix D of this report.

   (10) Dorothy Denning and Miles Smid, "Key Escrowing Today,"
*IEEE Communications*, Volume 32, 1994, pp. 58-68. Available
on-line from http://www.cosc.georgetown.edu/~denning/

   Given its initial intent to preserve law enforcement's
ability to conduct wire taps, it follows that Clipper key
escrow would be conducted without the knowledge of parties
whose keys had been escrowed, and would be conducted by a set
of rules that would be publicly known but not changeable by
the affected parties. Under the requirements of Title III, the
affected parties would be notified of the tapping activity at
its conclusion, unless the information were to become the
basis for a criminal indictment or an ongoing investigation.
In the latter case, the accused would learn of the wiretaps,
and hence the law enforcement use of escrowed keys, through
court procedures.

   (11) For example, an opinion issued by the Congressional
Research Service argues that legislation would be required to
mandate the use of the Clipper chip beyond Federal computer
systems. Memorandum from the American Law Division,
Congressional Research Service, *Current Legal Authority to
Mandate Adoption of "Clipper Chip" Standards By Private
Parties*, Library of Congress, Washington, D.C., October 4,

   (12) AT&T Secure Communications product literature,
available on-line from http://www.att.com/press/0694/
940613.pdb.html, and personal communication with Bruce Bailey,
AT&T Secure Communications Systems, Greensboro, N.C., March
29, 1996.

   (13) AT&T News Release, "AT&T, Cycomm International Develop
Digital Voice Encryption," November 1, 1995. Available on-line
from http://www.att.com/press/1195/951101.mma.html.


         5.2.2 The Capstone/Fortezza Initiative(14)

   The Capstone/Forteza effort supports escrowed encryption
for data storage and communications, although a FIPS for this
application has not been issued. Specifically, the Capstone
chip is an integrated-circuit chip that provides a number of
encryption services for both stored computer data and data
communications. For confidentiality, the Capstone chip uses
the Skipjack algorithm, the same algorithm that is used in the
Clipper chip (which is intended only for voice communications,
including low-speed data and fax transmission across the
public switched telephone network, and the same mechanism to
provide for key escrowing. The agents used to hold Capstone
keys are also identical to those for holding Clipper keys --
namely the Departments of Treasury and Commerce. In addition,
the Capstone chip (in contrast to the Clipper chip) provides
services that conform to the Digital Signature Standard
(FIPS-186) to provide digital signatures that authenticate
user identity and the Secure Hash Standard (FIPS-180); the
chip also implements a classified algorithm for key exchange
(usually referred to as the Key Exchange Algorithm (KEA)) and
a random number generator.

   The Capstone chip is the heart of the Forteza card.(15) The
Fortezza card is a PC-card (formerly known as a PCMCIA card)
intended to be plugged into any computer with a PC-card
expansion slot and appropriate support software; with the card
in place, the host computer is able to provide reliable user
authentication and encryption for confidentiality and certify
data-kansmission integrity in any communication with any other
computer so equipped. The Fortezza card is an example of a
hardware token that can be used to ensure proper
authentication.(16) Note also that there are other hardware PC
cards that provide cryptographic functionality similar to that
of Forteza but without the escrow features.(17)

   To date, the NSA has issued two major solicitations for
Fortezza cards, the second of which was for 750,000 cards.(18)
These cards will be used by those on the Defense Messaging
System, a communications network that is expected to
accommodate up to 2 million Defense Department users in 2005.
In addition, Fortezza cards are intended to be available for
private sector use. The extent to which Fortezza cards will be
acceptable in the commercial market remains to be seen,
although a number of product vendors have decided to
incorporate support for Fortezza cards in some products.(19)


   (14) Technically speaking, Clipper and Capstone/Fortezza
are not separate initiatives. The Capstone program had been
under way for a number of years prior to the public
announcement of the Clipper chip in 1993, and the Clipper chip
is based entirely on technology developed under the Capstone
program. The Clipper chip was developed when the incoming
Clinton Administration felt it had to address the problem of
voice encryption. However, while Clipper and Capstone/Fortezza
are not technically separate programs, the public debate has
engaged Clipper to a much greater degree than it has Capstone.
For this reason, this report discusses Clipper and
Capstone/Fortezza separately.

   (15) The Fortezza card was previously named the Tessera
card; the name was changed when previous trademark claims on
"Tessera" were discovered.

   (16) To ensure that the holder of the Fortezza card is in
fact the authorized holder, a personal identification number
(PIN) is associated with the card: only when the proper PIN is
entered will the Fortezza card activate its various functions.
While concerns have been raised in the security literature
that passwords and PINs are not secure when transmitted over
open communications lines, the PIN used by the Fortezza card
is never used outside of the confines of the user's system.
That is, the PIN is never transmitted over any network link;
the sole function of the PIN is to turn on the Fortezza card,
after which an automated protocol ensures secure

   (17) For example, such devices are made by Cylink and
Telequip. See *Government Computer News*, "Security Device is
007 in Your Pocket," August 7, 1995, p. 6.

   (18) Paul Constance, "DoD Plans to Install 750,000 Fortezza
Cards," *Government Computer News*, July 31, 1995, p. 1 for
the solicitation.

   (19) For example, the Netscape Communications Corporation
has announced that it will support Fortezza in the next
version of its Web browser, while the Oracle Corporation will
support Fortezza in the next version of its Secure Network
Services product. See Elizabeth Sikorovsky, "Netscape and
Oracle Products Support Fortezza Card," *Federal Computer
Week*, October 23, 1995, p. 36.


         5.2.3 The Relaxation of Export Controls on
         Software Products Using "Properly Escrowed"
                      64-bit Encryption

   As noted in Chapter 4, the Administration has proposed to
treat software products using a 64-bit encryption key as it
currently treats products with encryption capabilities that
are based on a 40-bit RC2 or RC4 algorithm, providing that
products using this stronger encryption are "properly
escrowed." This change is intended to facilitate the global
sale of U.S. software products with significantly stronger
cryptographic protection than is available from U.S. products
sold abroad today.

   To work out the details of what is meant by "properly
escrowed," the National Institute of Standards and Technology
held workshops in September and December 1995 at which the
Administration released a number of draft criteria for export
control (Box 5.3). These criteria are intended to ensure that
a product's key escrow mechanism cannot be readily altered or
bypassed so as to defeat the purposes of key escrowing. The
Administration has expressed its intent to move forward
rapidly with its proposal and seeks to finalize export
criteria and make formal conforming modifications to the
export regulations "soon" (at the time of this writing by
early 1996).

   5.2.4 Other Federal Initiatives in Escrowed Encryption

   In addition to the initiatives described above, the
Administration has announced plans for new Federal Information
Processing Standards in two other areas:

   +    FIPS-185 will be modified to include escrowed
encryption for data in both communicated and stored forms. The
modified FIPS is expected in late 1996; how this modification
will relate to Capstone/Fortezza is as yet uncertain.

   +    A FIPS for key escrow will be developed that will,
among other things, specify performance requirements for
escrow agents and for escrowed encryption products. How this
relates to the existing or modified FIPS-185 is also uncertain
at this time.


   A general concept akin to escrowed encryption has long been
familiar to some institutions, notably banks, that have for
years purchased information systems allowing them to retrieve
the plaintext of encrypted files or other stored information
long after the immediate need for such information has
passed.(20) However, only since the initial announcement of
the Clipper initiative in April 1993 has escrowed encryption
gained prominence in the public debate.

   Denning and Branstad describe a number of different
approaches to implementing an escrowed encryption scheme, all
of which have been discussed publicly since 1993.(21) Those
and other different approaches vary along the dimensions
discussed below:

   +    Number of escrow agents required to provide
exceptional access. For example, one proposal called for
separation of Clipper unit keys into more than two
components.(22) A second proposal called for the k-of-n
arrangement described in Section 5.9.1.

   +    Affiliation of escrow agents. Among the possibilities
are government in the executive branch, government in the
judicial brarlch, commercial institutions, product
manufacturers, and customers.

   +    Ability of parties to obtain exceptional access. Under
the Clipper initiative, the key-escrowing feature of the EES
is available only to law enforcement authorities acting under
court order; users never have access to the keys.

   +    Authorities vested in escrow agents. In the usual
discussion, escrow agents hold keys or components of keys. But
in one proposal, escrow agents known as Data Recovery Centers
(DRCs) do not hold user keys or user key components at all.
Products escrowed with a DRC would include in the ciphertext
of a transmission or a file the relevant session key encrypted
with the public key of that DRC and the identity of the DRC in
plaintext. Upon presentation of an appropriate request (e.g.,
valid court order for law enforcement authorities, a valid
request by the user of the DRC-escrowed product), the DRC
would retrieve the encrypted session key, decrypt it, and give
the original session key to the authorized third party, who
could then recover the data encrypted with that key.(23)

   +    Hardware vs. software implementation of products.

   +    Partial key escrow.(24) Under a partial key escrow, a
product with encryption capabilities could use keys of any
length, except that all but a certain number of bits would be
escrowed. For example, a key might be 256 bits long, and 216
bits (256 - 40) of the key would be escrowed, 40 bits would
remain private. Thus, decrypting ciphertext produced by this
product would require a 256-bit work factor for those without
the escrowed bits, and a 40-bit work factor for those
individuals in possession of the escrowed bits. Depending on
the number of private bits used, this approach would protect
users against disclosure of keys to those without access to
the specialized decryption facilities required to conduct an
exhaustive search against the private key (in this case, 40

   Box 5.4 describes a number of other conceptial approaches
to escrowed encryption.


   (20) An example first announced in 1994 is Northern
Telecom's "Entrust," which provides for file encryption and
digital signature in a corporate network environment using RSA
public-key cryptography. "Entrust" allows master access by a
network administrator to all users' encrypted files, even
after a user has left the company. A product review for a
recent version of "Entrust" can be found in Stephen Cobb,
"Encryption for the Enterprise," *Network World*, March 11,
1996, p. 57.

   (21) All of these examples are taken from Dorothy Denning
and Dennis Branstad, "A Taxonomy of Key Escrow Encryption,"
*Communications of the ACM*, Volume 39, March, 1996.

   (22) This comment was probably made during the meetings of
July, August, and September, 1993 by the Computer System
Security and Privacy Advisory Board to solicit public views on
the Clipper initiative. Transcripts of the meetings are
available from the National Institute of Standards and

   (23) Stephen T. Walker et al., *Commercial Key Escrow:
Something for Everyone Now and for the Future*, Report #541,
Trusted Information Systems, Glenwood, Md., January, 1995.

   (24) Adi Shamir, "Partial Key Escrow: A New Approach to
Software Key Escrow," summary of presentation at NIST FIPS Key
Escrow Workshop, National Institute of Standards and
Technology, Gaithersburg, Md., September 15, 1995. Available
on-line at http://reality.sgi.com/employees/chrisr_corp/


                   ON INFORMATION SECURITY

   In the debate over escrowed encryption, the dimension of
information security that has received the largest amount of
public attention has been confidentiality. Judgments about the
impact of escrowed encryption on confidentiality depend on the
point of comparison. If the point of comparison is taken to be
the confidentiality of data available today, then the wide use
of escrowed encryption does improve confidentiality. The
reason is that most information today is entirely unprotected.

   Consider first information in transit (communications).
Most communications today are unencrypted. For example,
telephonic communications can be tapped in many different
ways, including through alligator clips at a junction box in
the basement of an apartment house or on top of a telephone
pole, off the air when some part of a telephonic link is
wireless (e.g., in a cellular call), and from the central
switching office that is carrying the call. Calls made using
EES-compliant telephones would be protected against such
surveillance, except when surveillance parties (presumably law
enforcement authorities) had obtained the necessary keys from
escrow agents. As for information in storage, most files on
most computers are unencrypted. Escrowed encryption applied to
these files would protect them against threats such as casual
snoops, although individuals with knowledge of the
vulnerabilities of the system on which those files reside
might still be able to access them.

   On the other hand, if the point of comparison is taken to
be the level of confidentiality that could be possible using
unescrowed encryption, then escrowed encryption offers a lower
degree of confidentiality. Escrowed encryption by design
introduces a system weakness (i.e., it is deliberately
designed to allow exceptional access), and so if the
procedures that protect against improper use of that access
somehow fail, information is left unprotected.(25) For
example, EES-compliant telephones would offer less
confidentiality for telephonic communications than would
telephones that could be available with the same encryption
algorithm and implementation but without the escrow feature,
since such telephones could be designed to provide
communications confidentiality against all eavesdroppers,
including rogue police, private investigators, or (and this is
the important point) legally authorized law enforcement

   More generally, escrowed encryption weakens the
confidentiality provided by an encryption system by providing
an access path that can be compromised.(26) Yet escrowed
encryption also provides a hedge against the loss of access to
encrypted data by those authorized for access; for example, a
user may lose or forget a decryption key. Assurances that
encrypted data will be available when needed are clearly
greater when a mechanism has been installed to facilitate such
access. Reasonable people may disagree about how to make that
trade-off in any particular case, thus underscoring the need
for end users themselves to make their own risk-benefit
assessments regarding the loss of authorized access (against
which escrowed encryption can protect by guaranteeing key
recovery) vs. the loss of confidentiality to unauthorized
parties (whose likelihood is increased by the use of escrowed

   A point more specifically related to EES is that escrowed
encryption can also be used to enhance certain dimensions of
Title III protection. For example, the final procedures for
managing law enforcement access to EES-protected voice
conversations call for the hardware providing exceptional
access to be designed in such a way that law enforcement
officials would decrypt communications only if the
communications were occurring during the time window specified
in the initial court authorization. The fact that law
enforcement officials will have to approach escrow agents to
obtain the relevant key means that there will be an audit
trail for wiretaps requiring decryption, thus deterring
officials who might be tempted or able to act on their own in
obtaining a wiretap without legal authorization.


   (25) Even worse, it is not just future communications that
are placed at risk, but past communications as well. For
example, if encrypted conversations are recorded and the
relevant key is not available, they are useless. However, once
the unit key is obtained, those recordings become decipherable
if they are still available. Such recording would be illegal,
because legal authorization for the wiretap would have been
necessary to obtain the key, but since these circumstances
presume a breakdown of escrow procedures in the first place,
the fact of illegality is not particularly relevant.


                     ON LAW ENFORCEMENT

   Box 5.5 describes the requirements for escrowed encryption
that law enforcement authorities (principally the FBI) would
like product vendors to accommodate. But two additional
high-level questions must be addressed before escrowed
encryption is accepted as an appropriate solution to the
stated law enforcement problem.

     5.5.1 Balance of Crime Enabled vs. Crime Prosecuted

   One question is the following: Does the benefit to law
enforcement from access to encrypted information through an
escrow mechanism outweigh the damage that might occur due to
the failure of procedures intended to prevent unauthorized
access to the escrow mechanism? Since government authorities
believe that the implementation of these procedures can be
made robust (and thus the anticipated expectation of failure
is slight), they answer the question in the affirmative.
Critics of government initiatives promoting escrowed
encryption raise the concern that the risk of failure may be
quite large, and thus their answer to the question ranges from
"maybe" to "strongly negative." These parties generally prefer
to rely on technologies and procedures that they fully
understand and control to maintain the security of their
information, and at best, they believe that any escrow
procedures create a potentially serious risk of misuse that
must be stringently counteracted, diligently monitored, and
legally constrained. Moreover, they believe that reliance on
government-established procedures to maintain proper access
controls on escrowed keys invites unauthorized third parties
to target those responsible for upholding the integrity of the
escrow system.

   History suggests that procedural risks materialize as real
problems over the long run,(27) but in practice, a base of
operational experience is necessary to determine if these
risks are significant.


   (26) For example, if a party external to the corporation
has the keys that provide access to that corporation's
encrypted information, the corporation is more vulnerable to
a loss of confidentiality, because the external party can
become the target of theft, extortion, blackmail, and the like
by unauthorized parties who are seeking that information. Of
course, the corporation itself is vulnerable, but since only
one target (either the corporation or any external key-holding
party) needs to be compromised, more targets lead to greater
vulnerability. Of course, if keys are split among a number of
external parties, the likelihood of compromise through this
route is reduced, but the overall risk of compromise is still

   (27) See, for example, Peter Neumann, *Computer-Related
Risks*, Addison Wesley, New York, 1995; and Charles Perrow,
*Normal Accidents: Living With High-Risk Technologies*, Basic
Books, New York, 1984. Neumann describes a large number of
computer-related reliability and safety problems and security
vulnerabilities that have arisen from combinations of
defective system implementation, flawed system design, and
human error in executing procedures. Perrow describes a number
of accidents that have occurred in other domains (e.g.,
maritime shipping, air traffic control, nuclear power plant
operation) that have resulted from a similar set of problems.


    5.5.2 Impact on Law Enforcement Access to Information

   Even if escrowed encryption were to achieve significant
market penetration and were widely deployed, the question
would still remain regarding the likely effectiveness of a law
enforcement strategy to preserve wiretapping and data recovery
capabilities through deployments of escrowed encryption built
around voluntary use.(28) This question has surfaced most
strongly in the debate over EES, but as with other aspects of
the cryptography debate, the answer depends on the scenario in

   +    Many criminals will reach first for devices and tools
that are readily at hand because they are so much more
convenient to use than those that require special efforts to
obtain. Criminals who have relatively simple and
straightforward needs for secure communications may well use
EES-compliant devices if they are widely available. In such
cases, they will simply have forgotten (or not taken
sufficient conscious account of) the fact that these "secure"
devices have features that provide law enforcement access,(29)
and law enforcement officials will obtain the same level and
quality of information they currently obtain from legal
wiretaps. Indeed, the level and quality of information might
be even greater than what is available today because criminals
speaking on EES-compliant devices might well have a false
sense of security that they could not be wiretapped.

   +    Criminals whose judgment suggests the need for extra
and nonroutine security are likely to use secure
communications devices without features for exceptional
access. In these cases, law enforcement officials may be
denied important information. However, the use of these
communications devices is likely to be an ad hoc arrangement
among participants in the criminal activity. Since many
criminal activities often require participants to communicate
with people outside the immediate circle of participants,
"secondary" wiretap information might be available if
nonsecure devices were used to communicate with others not
directly associated with the activity.

   Senior Administration officials have recognized that the
latter scenario is inevitable -- it is impossible to prevent
all uses of strong unescrowed encryption by criminals and
terrorists. However, the widespread deployment of strong
encryption without features for exceptional access would mean
that even the careless criminal would easily obtain
unbreakable encryption, and thus the Administration's
initiatives are directed primarily at the first scenario.

   Similar considerations would apply to escrowed encryption
products used to store data -- many criminals will use
products with encryption capabilities that are easily
available to store files and send e-mail. If these products
are escrowed, law enforcement officials have a higher
likelihood of having access to those criminal data files and
e-mail. On the other hand, some criminals will hide or conceal
their stored data through the use of unescrowed products or by
storing them on remote computers whose location is known only
to them, with the result that the efforts of law enforcement
authorities to obtain information will he frustrated.

   (28) "Voluntary" has been used ambiguously in the public
debate on key escrow. It can mean voluntary use of key escrow
in any context or implementation, or it can mean voluntary use
of EES-compliant products. In the latter situation, of course,
the key-escrow feature would be automatic. Usually, the
context of its use will clarify which interpretation
of"voluntary" is intended.

   (29) Cf. point in Chapter 2 regarding behavior of criminals
with respect to wiretapped telephone calls.


                     ESCROWED ENCRYPTION

   As noted above, the federal government cannot compel the
private sector to use escrowed encryption in the absence of
legislation, whether for voice communications or any other
application. However, EES raised the very important public
concern that the use of encryption without features for
exceptional access might be banned by statute. The
Administration has stated that it has no intention of
outlawing the use of such cryptography or of regulating in any
other way the domestic use of cryptography. Nevertheless, no
administration can bind future administrations, and Congress
can change a law at any time. More importantly, widespread
acceptance of escrowed encryption, even if voluntary, would
put into place an infrastructure that would support such a
policy change. Thus, the possibility that a future
administration and/or Congress might support prohibitions on
unescrowed encryption cannot be dismissed. This topic is
discussed in depth in Chapter 7.

   With respect to the federal government's assertion of
authority in the use of the EES by private parties, there are
a number of gray areas. For example, a federal agency that has
adopted the EES for secure telephonic communications clearly
has the right to require all contractors that interact with it
to use EES-compliant devices as a condition of doing business
with the government;(30, 31) this point is explored further in
Chapter 6. More problematic is the question of whether an
agency that interacts with the public at large without a
contractual arrangement may require such use.

   A second important gray area relates to the establishment
of EES as a de facto standard for use in the private sector
through mechanisms described in Chapter 6. In this area,
Administration officials have expressed to the committee a
hope that such would be the case. If EES-compliant devices
were to become very popular, they might well drive potential
competitors (specifically, devices for secure telephonic
communications without features for exceptional access) out of
the market for reasons of cost and scarcity. Under such
circumstances, it is not clear that initially voluntary use of
the EES would in the end leave room for a genuine choice for


   (30) For example, at present the Department of Defense
requires that contractors acquire and employ STU-III secure
telephones for certain sensitive telephonic communication with
DOD personnel. The Federal Acquisition Regulations (FAR) were
modified to allow the costs of such telephones to be charged
against contracts, to further encourage purchase of these

   (31) One major manufacturer noted to the committee that
meeting federal requirements for encryption also reduces its
ability to standardize on a single solution in distributed
networks. Government-mandated key escrow could differ
substantially enough from key escrow systems required for
commercial operations that two separate key escrow systems
could be needed.



   Much criticism of the Clipper initiative has focused on the
process through which the standard was established.
Specifically, the Clipper initiative was developed out of the
public eye, with minimal if any connection to the relevant
stakeholders in industry and the academic community, and
appeared to be "sprung" on them with an announcement in the
*New York Times*. Furthermore, a coherent approach to the
international dimensions of the problem was not developed, a
major failing since business communications are global in
nature. After the announcement of the Clipper initiative, the
federal government promulgated the EES despite a
near-unanimous condemnation of the proposed standard in the
public comments on it.

   Similar comments have been expressed with respect to the
August-September 1995 Administration proposal to relax export
controls on 64-bit sofStware products if they are properly
escrowed. This proposal, advertised by the Administration as
the follow-up to the Gore-Cantwell letter of July 1994,(32)
emerged after about a year of virtual silence from the
Administration during which public interactions with industry
were minimal.

   The result has been a tainting of escrowed encryption that
inhibits unemotional discussion of its pros and cons and makes
it difficult to reach a rational and well-balanced decision.


   (32) On July 20, 1994, Vice President Al Gore wrote to
Representative Maria Cantwell (D-Washington) expressing a
willingness to enter into "a new phase of cooperation among
government, industry representatives and privacy advocates
with a goal of trying to develop a key escrow encryption
system that will provide strong encryption, be acceptable to
computer users worldwide, and address our national security
needs as well." The Vice President went on to say that "we
welcome the opportunity to work with industry to design a more
versatile, less expensive system. Such a key escrow system
would be implementable in software, firmware, hardware, or any
combination thereof, would not rely upon a classified
algorithm, would be voluntary, and would be exportable.... We
also recognize that a new key escrow encryption system must
permit the use of private-sector key escrow agents as one
option... Having a number of escrow agents would give
individuals and businesses more choices and flexibility in
meeting their needs for secure communications." Letter
reprinted in Lance Hoffman (ed.), *Building in Big Brother:
The Cryptographic Policy Debate*, Springer-Verlag, New York,
1995, pp. 236-238.



   Any deployment of escrowed encryption on a large scale
raises the question of who the escrow agents should be. (The
equally important question of their responsibilities and
liabilities is the subject of Section 5.9.) The original
Clipper/Capstone escrow approach called for agencies of the
executive branch to be escrow agents; at this writing, the
Administration's position seems to be evolving to allow
parties in the private sector to be escrow agents. Different
types of escrow agents have different advantages and

   The use of executive branch agencies as escrow agents has
a number of advantages. Executive branch escrow agents can be
funded directly and established quickly, rather than depending
on the existence of a private sector market or business for
escrow agents. Their continuing existence depends not on
market forces but on the willingness of the U.S. Congress to
appropriate money to support them. Executive branch escrow
agents may well be more responsive than outside escrow agents
to authorized requests from law enforcement for keys.
Executive branch escrow agents can be enjoined more easily
from divulging to the target of a surveillance the fact that
they turned over a key to law enforcement officials, thereby
helping to ensure that a surveillance can be performed
surreptitiously. In the case of FISA intercepts, executive
branch escrow agents may be more protective of associated
classified information (such as the specific target of the
intercept). Under sovereign immunity, executive branch escrow
agents can disavow civil liability for unauthorized disclosure
of keys.

   Of course, from a different standpoint, most of these
putative advantages can be seen as disadvantages. If direct
government subsidy is required to support an escrow operation,
by definition it lacks the support of the market.(33) The high
speed with which executive branch escrow agents were
established suggested to critics that the Administration was
attempting to present the market with a fait accompli with
respect to escrow. A higher degree of responsiveness to
requests for keys may well coincide with greater disregard for
proper procedure; indeed, since one of the designated escrow
agencies (Treasury) also has law enforcement jurisdiction and
the authority to conduct wiretaps under some circumstances, a
Treasury escrow agent might well be faced with a conflict of
interest in managing keys. The obligation to keep the fact of
key disclosure secret might easily lead to circumvention and
unauthorized disclosures. The lack of civil liability and of
criminal penalties for improper disclosure might reduce the
incentives for compliance with proper procedure. Most
importantly, all executive branch workers are in principle
responsible to a unitary source of authority (the President).
Thus, concerns are raised that any corruption at the top
levels of government might diffuse downward, as exemplified by
past attempts by the Executive Office of the President to use
the Internal Revenue Service to harass its political enemies.
One result might be that executive branch escrow agents might
divulge keys improperly; a second result might be that
executive branch escrow agents could be more likely to reveal
the fact of key disclosure to targets in the executive branch
under investigation.

   Some of the concerns described above could be mitigated by
placement of escrow agents in the judiciary branch of
government on the theory that since judicial approval is
needed to conduct wiretaps, giving the judiciary control of
escrowed keys would in fact give it a way of enforcing the
Title III requirements for legal authorization. On the other
hand, the judiciary branch would have to rule on procedures
and misuse, thereby placing it at risk of a conflict of
interest should alleged misdeeds in the judiciary branch come
to light. Matters related to separation of powers between the
executive and judicial branches of government are also

   The best argument for government escrow agents is that
government can be held politically accountable. When a
government does bad things, the government can be replaced.
Escrow agents must be trustworthy, and the question at root is
whether it is more appropriate to trust government or a
private party; the views on this point are diverse and often
vigorously defended.

   The committee believes that government-based escrow agents
present few problems when used to hold keys associated with
government work. Nonetheless, mistrust of government-based
escrow agents has been one of the primary criticisms of the
EES. If escrowed encryption is to serve broad social purposes
across government and the private sector, it makes sense to
consider other possible escrow agents in addition to
government escrow agents:

   +    Private organizations established to provide key
registration services (on a fee-for-service basis). Given that
some business organizations have certain needs for data
retrieval and monitoring of communications as described in
Chapter 3, such needs might create a market for private escrow
agents. Some organizations might charge more and provide users
with bonding against failure or improper revelations of keys;
other organizations might charge less and not provide such

   +    Vendors of products with encryption capabilities and
features for exceptional access. Vendors acting as escrow
agents would face a considerable burden in having to comply
with registration requirements and might be exposed to
liability.(34) At the same time, vendors could register keys
at the time of manufacture or by default at some additional

   +    Customers themselves. In the case of a corporate
customer, a specially trusted department within the
corporation that purchases escrowed encryption products could
act as an escrow agent for the corporation. Such "customer
escrow" of a corporation's own keys may be sufficient for its
needs; customer escrow would also enable the organization to
know when its keys have been revealed. Since legal entities
such as corporations will continue to be subject to extant
procedures of the law enforcement court order or subpoena, law
enforcement access to keys under authorized circumstances
could be assured. In the case of individual customers who are
also the end users of the products they purchase, the
individual could simply store a second copy of the relevant
keys as a form of customer escrow.

   Note especially that site licenses(36) to corporations
account for the largest portion of vendor sales in
software.(37) In a domestic context, corporations are entities
that are subject to legal processes in the United States that
permit law enforcement authorities to obtain information in
the course of a criminal investigation. In a foreign context,
exports to certain foreign corporations can be conditioned on
a requirement that the foreign corporation be willing to
escrow its key in such a manner that U.S. law enforcement
authorities would be able to have access to that information
under specified circumstances and in a manner to be determined
by a contract binding on the corporation. (The use of contract
law in this manner is discussed further in Chapter 7.) In
short, sales of escrowed encryption to foreign and domestic
corporate users could be undertaken in such a way that a very
large fraction of the installed user base would in fact be
subject to legal processes for obtaining information on keys.

   Nongovernment escrow agents are subject to the laws of the
government under whose jurisdiction they operate. In addition,
they raise other separate questions. For example, a criminal
investigation may target the senior officials of a
corporation, who may themselves be the ones authorized for
access to customer-escrowed keys; they might then be notified
of the fact of being wiretapped. The same would be true of end
users controlling their own copies of keys. Private
organizations providing key-holding services might be
infiltrated or even set up by criminal elements that would
frustrate lawful attempts to obtain keys or would even use the
keys in their possession improperly. Private organizations may
be less responsive to government requests than government
escrow agents. Finally, private organizations motivated by
profit and tempted to cut corners might be less responsible in
their conduct.

   A second important issue regarding escrow agents deals with
their number. Concentrating escrow arrangements in a few
escrow agents may make law enforcement access to keys more
convenient, but also focuses the attention of those who may
attempt to compromise those facilities -- the "big, fat
target" phenomenon -- because the aggregate value of the keys
controlled by these few agents is, by assumption, large.(38)
On the other hand, given a fixed budget, concentrating
resources on a few escrow agents may enable them to increase
the security against compromise, whereas spreading resources
among many escrow agents may leave each one much more open to
compromise. Indeed, the security of a well-funded and
well-supported escrow agent may be greater than that of the
party that owns the encryption keys; in this case, the
incremental risk that a key would be improperly compromised by
the escrow agent would be negligible. Increasing the number of
escrow agents so that each would be responsible for a
relatively small number of keys reduces the value of
compromising any particular escrow agent but increases the
logistical burdens, overhead, and expense for the nation. The
net impact on security against compromise of keys is very


   (33) The original Clipper/Capstone proposal made no
provision for parties other than law enforcement authorities
to approach escrow agents, and in this context could be
regarded as a simple law enforcement initiative with no
particular relevance to the private sector. However, in light
of the Administration's arguments concerning the desirability
of escrowed encryption to meet the key backup needs of the
private sector, the importance of relevance to the private
sector is obvious.

   (34) For example, in the early days of an offering by AT&T
to provide picture-phone meeting services, the question arose
as to whether AT&T or the end user should provide security.
The business decision at the time was that AT&T should not
provide security because of the legal implications -- a
company that guaranteed security but failed to provide it was
liable. (Ironically, at least one major computer vendor
declined to provide encryption services for data
communications and storage on the grounds that encryption
would be provided by AT&T.) While today's AT&T support for the
PictureTel product line for videoconferencing (which provides
encryption capabilities) may suggest a different AT&T
perspective on the issue of who is responsible for providing
security, companies will have to decide for themselves their
own tolerable thresholds of risk for liability.

   (35) The cost of vendor registration would be high in the
case of certain software products. Specifically, products that
are distributed by CD-ROM must be identical, because it would
be very expensive (relative to current costs) to ship CD-ROMs
with unique serial numbers or keys. To some extent, the same
is true of products distributed by network -- it is highly
convenient and desirable from the vendor's perspective to have
just one file that can be downloaded upon user request,
although it is possible and more expensive to provide numbered
copies of software distributed by network.

   (36) Under a site license, a corporation agrees with a
vendor on a price for a certain (perhaps variable) number of
licenses to use a given software package. Site licenses also
include agreements on and conditions for support and

   (37) The dominance of corporate sales over sales to
individuals was cited in the NSA/Department of Commerce
survey. See p. III-2.

   (38) Note also that maintaining the physical security of
escrow agents, especially government escrow agents, may be
especially critical; sabotage or destruction of an escrow
agent facility might well be seen in some segments of society
as a blow for freedom and liberty.

   (39) A similar issue arises with respect to certificate
authorities for authentication. As discussed in Chapter 2, a
cryptography-based authentication of an individual's identity
depends on the existence of an entity -- a certification
authority -- that is trusted by third parties as being able to
truly certify the identity of the individual in question.
Concentration of certification authority into a single entity
would imply that an individual would be vulnerable to any
penetration or malfeasance of the entity and thus to all of
the catastrophic effects that tampering with an individual's
digital identity would imply.



   Regardless of who the escrow agents are, they will hold
certain information and have certain responsibilities and
obligations.(40) Users of escrowed encryption also face
potential liabilities.

           5.9.1 Partitioning Escrowed Information

   Consider what precisely an escrow agent would hold. In the
simplest case, a single escrow agent would hold all of the
information needed to provide exceptional access to encrypted
information. (In the Clipper case, two escrow agents would be
used to hold the unit keys to all EES-compliant telephones.)

   A single escrow agent for a given key poses a significant
risk of single-point failure -- that is, the compromise of
only one party (the single escrow agent) places at risk all
information associated with that key. The Clipper/Capstone
approach addresses this point by designating two executive
branch agencies (Commerce and Treasury), each holding one
component (of two) of the unit key of a given Clipper/
Capstone-compliant device. Reconstruction of a unit key
requires the cooperation of both agencies. This approach was
intended to give the public confidence that their keys were
secure in the hands of the government.

   In the most general case, an escrow system can be designed
to separate keys into n components but with the mathematics of
the separation process arranged so that exceptional access
would be possible if the third party were able to acquire any
k (for k less than or equal to n) of these components.(41)
This approach is known as the "k-of-n" approach. For the
single escrow agent, k = 1 and n = 1; for the Clipper/Capstone
system, k = 2 and n = 2. But it is possible to design systems
where k is any number less than n; for example, the consent of
any three (k) of five (n) escrow agents could be sufficient to
enable exceptional access. Obviously, the greater the number
of parties that are needed to consent, the more cumbersome
exceptional access becomes.

   It is a policy or business decision as to what the specific
values of k and n should be, or if indeed the choice about
specific values should be left to users. The specific values
chosen for k and n reflect policy judgments about needs for
recovery of encrypted data relative to user concerns about
improper exceptional access. Whose needs? If a national policy
decision determines k and n, it is the needs of law
enforcement and national security weighed against user
concerns. If the user determines k and n, it is the needs of
the user weighed against law enforcement and national security


   (40) Nothing in this discussion is intended to preclude the
possibility that an organization serving as an escrow agent
might also have responsibilities as a certification authority
(for authentication purposes, as described in Chapter 2).

   (41) See for example, Silvio Micali, "Fair Public-Key
Cryptosystems," in *Advances in Cryptology -- Crypto '92*,
Springer-Verlag, Heidelberg, 1993, pp. 113-138.


     5.9.2 Operational Responsibilities of Escrow Agents

   For escrowed encryption to play a major national role in
protecting the information infrastructure of the nation and
the information of businesses and individuals, users must be
assured about the operational obligations and procedures of
escrow agents. Clear guidelines will be required to regulate
the operational behavior of escrow agents, and clear
enforcement mechanisms must be set into place to ensure that
the escrow agents comply with those guidelines. While these
guidelines and mechanisms might come into existence through
normal market forces or cooperative agreements within
industries, they are more likely to require a legal setting
that would also include criminal penalties for malfeasance.

   Guidelines are needed to assure the public and law
enforcement agencies of two points:

   +    That information relevant to exceptional access (the
full key or a key fragment) will be divulged upon proper legal
request and that an escrow agent will not notify the key owner
of disclosure until it is legally permissible to do so, and

   +    That information relevant to exceptional access will
be divulged only upon proper legal request.

   Note that the fulfillment of the second requirement has
both an "abuse of authority" component and a technical and
procedural component. The first relates to an individual (an
"insider") who is in a position to give out the relevant
information but also to abuse his position by giving out that
information without proper authorization. The second relates
to the fact that even if no person in the employ of an escrow
agent improperly gives out the relevant information, an
"outsider" may be able to penetrate the security of the escrow
agent and obtain the relevant information without compromising
any particular individual. Such concerns are particularly
relevant to the extent that escrow agents are connected
electronically, since they would then be vulnerable in much
the same ways that all other parties connected to a network
are vulnerable. The security of networked computer systems is
difficult to assure with high confidence,(42) and the security
level required of escrow agents must be high, given the value
of their holdings to unauthorized third parties.

   Thus, those concerned about breaches of confidentiality
must be concerned about technical and procedural weaknesses of
the escrow agent infrastructure that would enable outsiders to
connect remotely to these sites and obtain keys, as well as
about insiders abusing their positions of trust. Either
possibility could lead not just to individual keys being
compromised, but also to wholesale compromise of all of the
keys entrusted to escrow agents within that infrastructure.
From a policy standpoint, it is necessary to have a
contingency plan that would facilitate recovery from wholesale

   Box 5.6 describes law enforcement views on the
responsibilities of escrow agents. Box 5.7 describes draft
Administration views on requirements for maintaining the
integrity and security of escrow agents; Box 5.8 describes
draft Administration views on requirements for assuring access
to escrowed keys.


   (42) See, for example, Computer Science and
Telecommunications Board (CSTB), National Research Council,
*Computers at Risk: Safe Computing in the Information Age*,
National Academy Press, Washington, D.C., 1991.


               5.9.3 Liabilities of Escrow Agents

   In order to assure users that key information entrusted to
escrow agents remains secure and authorized third parties that
they will be able to obtain exceptional access to encrypted
data when necessary, escrow agents and their employees must be
held accountable for improper behavior and for the use of
security procedures and practices that are appropriate to the
task of protection.

   Liabilities can be criminal or civil (or both). For
example, criminal penalties could be established for the
disclosure of keys or key fragments to unauthorized parties or
for the refusal to disclose such information to appropriately
authorized parties. It is worth noting that the implementing
regulations accompanying the EES proposal run counter to this
position, in the sense that they do not provide specific
penalties for failure to adhere to the procedures for
obtaining keys (which only legislation could do). The
implementing regulations specifically state that "these
procedures do not create, and are not intended to create, any
substantive rights for individuals intercepted through
electronic surveillance, and noncompliance with these
procedures shall not provide the basis for any motion to
suppress or other objection to the introduction of electronic
surveillance evidence lawfully acquired."(43)

   Questions of civil liability are more complex. Ideally,
levels of civil liability for improper disclosure of keys
would be commensurate with the loss that would be incurred by
the damaged party. For unauthorized disclosure of keys that
encrypt large financial transactions, this level is
potentially very large.(44) On the other hand, as a matter of
public policy, it is probably inappropriate to allow such
levels of damages. More plausible may be a construct that
provides what society, as expressed through the U.S. Congress,
thinks is reasonable (Box 5.9). Users of escrow agents might
also be able to buy their own insurance against unauthorized
disclosure. Note that holding government agencies liable for
civil damages might require an explicit change in the Federal
Tort Claims Act that waives sovereign immunity in certain
specified instances, or other legislative changes.

   On the other hand, the amount of liability associated with
compromising information related to data communications is
likely to dwarf the analogous volume for voice communications.
If escrowed encryption is adopted widely in data
communications, compromise of escrow agents holding keys
relevant to network encryption may be catastrophic, and may
become easier as the number of access points that can be
penetrated becomes larger.

   Note that liability of escrow agents may be related to the
voluntary use of escrow. A party concerned about large
potential losses would have alternatives to escrowed
encryption -- namely, unescrowed encryption -- that would
protect the user against the consequences of improper key
disclosure. Under these circumstances, a user whose key was
compromised could be held responsible for his loss because he
did not choose to use unescrowed encryption; an escrow agent's
exposure to liability would be limited to the risks associated
with parties that use its services. On the other hand, if
escrowed encryption were the only cryptography permitted to be
used, then by assumption the user would have no alternatives,
and so in that case, an escrow agent would shoulder a larger

   Another aspect of liability could arise if the escrow
agents were also charged with the responsibilities of
certificate authorities. Under some circumstances, it might be
desirable for the functions of escrow agents and certificate
authorities to be carried out by the same organization. Thus,
these dual-purpose organizations would have all of the
liabilities carried by those who must certify the authenticity
of a given party.


   (43) U.S. Department of Justice, *Authorization Procedures
for Release of Encryption Key Components in Conjunction with
Intercepts Pursuant to Title 111 and FISA*, February 4, 1994.
Reprinted in Lance J. Hoffman (ed.), *Building in Big
Brother*, 1995, pp. 243-246.

   (44) Even if these transactions are authenticated (as most
large transactions would be), large transactions that are
compromised could lead to loss of bids and the like by the
firms involved in the transaction.



   The fact that EES and the Fortezza card involve classified
algorithms has raised the general question of the relationship
between secrecy and the maintenance of a product's
trustworthiness in providing security. Specifically, the
Clipper/Capstone approach is based on a secret (classified)
encryption algorithm known as Skipjack. In addition, the
algorithm is implemented in hardware (a chip) whose design is
classified. The shroud of secrecy surrounding the hardware and
algorithms needed to implement EES and Fortezza makes skeptics
suspect that encrypted communications could be decrypted
through some secret "back door" (i.e., without having the
escrowed key).(45)

   Logically, secrecy can be applied to two aspects of an
encryption system: the algorithms used and the nature of the
implementation of these algorithms. Each is addressed in turn.
Box 5.10 describes a historical perspective on cryptography
and secrecy that is still valid today.


   (45) A kind of de facto secret back door can result from
the fact that vendors of security products employing Clipper
or Capstone technology are not likely to advertise the fact
that the relevant encryption keys are escrowed with the U.S.
government. Thus, even if the escrowing capability is "open"
in the sense that no one involved makes any attempt to hide
that fact, a user that does not know enough to ask about the
presence or absence of escrowing features may well purchase
such products without realizing their presence. Functionally,
escrowing of which the user is ignorant is equivalent for that
user to a "secret" back door.


                  5.10.1 Algorithm Secrecy

   The use of secret algorithms for encryption has advantages
and disadvantages. From an information security standpoint, a
third party who knows the algorithm associated with a given
piece of ciphertext has an enormous advantage over one who
does not -- if the algorithm is unknown, cryptanalysis is much
more difficult. Thus, the use of a secret algorithm by those
concerned about information security presents an additional
(and substantial) barrier to those who might be eavesdropping.
From a signals intelligence (SIGINT) standpoint, it is
advantageous to keep knowledge of good encryption out of the
hands of potential SIGINT targets. Thus, if an algorithm
provides good cryptographic security, keeping the algorithm
secret prevents the SIGINT target from implementing it. In
addition, if an algorithm is known to be good, studying it in
detail can reveal a great deal about what makes any algorithm
good or bad. Algorithm secrecy thus helps to keep such
information out of the public domain.(46)

   On the other hand, algorithm secrecy entails a number of
disadvantages as well. One is that independent analysis of a
secret algorithm by the larger community is not possible.
Without such analysis, flaws may remain in the algorithm that
compromise the security it purports to provide. If these flaws
are kept secret, users of the algorithm may unknowingly
compromise themselves. Even worse, sophisticated users who
need high assurances of security are unable to certify for
themselves the security it provides (and thus have no sense of
the risks they are taking if they use it). In most cases, the
real issue is whether the user chooses to rely on members of
the academic cryptography communities publishing in the open
literature, or upon members of the classified military
community or members of the commercial cryptography community
who are unable to fully disclose what they know about a
subject because it is classified or proprietary.

   A second disadvantage of algorithm secrecy is the fact that
if a cryptographic infrastructure is based on the assumption
of secrecy, public discovery of those secrets can compromise
the ends to be served by that infrastructure. For example, if
a cryptographic infrastructure based on a secret algorithm
were widely deployed, and if that algorithm contained a secret
and unannounced "back door" that allowed those with knowledge
of this back door easy access to encrypted data, that
infrastructure would be highly vulnerable and could be
rendered untrustworthy in short order by the public disclosure
of the back door.

   A third disadvantage is that a secret algorithm cannot be
implemented in software with any degree of assurance that it
will remain secret. Software, as it exists ready for actual
installation on a computer (so-called object code or
executable code), can usually be manipulated with special
software tools to yield an alternate form (namely, source
code) reflecting the way the creating programmer designed it,
and therefore revealing many, even most, of its operational
details, including any algorithm embedded within it. This
process is known as "decompiling" or "disassembly" and is a
standard technique in the repertoire of software

   All of the previous comments apply to secrecy whether it is
the result of government classification decisions or vendor
choices to treat an algorithm as a trade secret. In addition,
vendors may well choose to treat an algorithm as a trade
secret to obtain the market advantages that proprietary
algorithms often bring. Indeed, many applications of
cryptography for confidentiality in use today are based on
trade-secret algorithms such as RC2 and RC4.


   (46) Of course, if other strong algorithms are known
publicly, the force of this argument is weakened from a
practical standpoint. For example, it is not clear that the
disclosure of Skipjack would be harmful from the standpoint of
making strong algorithms public, because triple-DES is already
publicly known, and triple-DES is quite strong.

   (47) As one example, the RC2 encryption algorithm,
nominally a trade secret owned by RSA Data Security Inc. was
posted to the Internet in early 1996, apparently as the result
of an apparent "disassembly" of a product embedding that
algorithm. Personal communication, Robert Baldwin, RSA Data
Security Inc., May 16, 1996.


      5.10.2 Product Design and Implementation Secrecy

   Product design and implementation secrecy has a number of
advantages. For example, by obscuring how a product has been
designed, secrecy makes it more difficult for an outsider to
reverse-engineer the product in such a way that he could
understand it better or, even worse, modify it in some way.
Since vulnerabilities sometimes arise in implementation,
keeping the implementation secret makes it harder for an
attacker to discover and then exploit those vulnerabilities.
Design and implementation secrecy thus protects any secrets
that may be embedded in the product for a longer time than if
they were to be published openly.

   On the other hand, it is taken as an axiom by those in the
security community that it is essentially impossible to
maintain design or implementation secrecy indefinitely. Thus,
the question of the time scale of reverse engineering is
relevant -- given the necessary motivation, how long will it
take and how much in resources will be needed to reverse-
engineer a chip or a product?

   +    For software, reverse engineering is based on
decompilation or disassembly (as described in Section 5.10.1).
The larger the software product, the longer it takes to
understand the original program; even a small one can be
difficult to understand, especially if special techniques have
been used to obscure its functionality. Modification of the
original program can present additional technical difficulties
(the product may be designed in such a way that disassembling
or decompiling the entire product is necessary to isolate
critical features that one might wish to modify). Certain
techniques can be used to increase the difficulty of making
such modifications,(48) but there is virtual unanimity in the
computer community that modification cannot be prevented
forever. How robust must these anti-reverse-engineering
features be? The answer is that they must be robust enough
that the effort needed to overcome them is greater than the
effort needed to develop an encryption system from scratch.

   +    For hardware, reverse engineering takes the form of
physical disassembly and/or probing with x-rays of the
relevant integrated circuit chips. Such chips can be designed
to resist reverse engineering in a way that makes it difficult
to understand what various components on the chip do. For
example, the coating on a die used to fabricate a chip may be
designed so that removal of the coating results in removal of
one or more layers of the chip, thus destroying portions of
what was to be reverse-engineered. The chip may also be
fabricated with decoy or superfluous elements that would
distract a reverse engineer. For all of these reasons, reverse
engineering for understanding a chip's functions is difficult
(though not impossible), and under some circumstances, it is
possible to modify a chip. In general, reverse engineering of
the circuits and devices inside a chip requires significant
expertise and access to expensive tools.(49)

   An important factor that works against implementation
secrecy is the wide distribution of devices or products whose
implementation is secret. It is difficult to protect a device
against reverse engineering when millions of those devices are
distributed around the world without any physical barriers
(except those on the implementation itself) to control access
to them. Everyone with an EES-compliant telephone or a
Foretzza card, for example, will have access to the chip that
provides encryption and key escrow services.

   The comments above refer to the feasibility of maintaining
implementation secrecy. But there are issues related to its
desirability as well. For example, implementation secrecy
implies that only a limited number of vendors can be trusted
to produce a given implementation. Thus, foreign production of
Clipper/Capstone-compliant devices under classification
guidelines raises problems unless foreign producers are
willing to abide by U.S. security requirements.

   A more important point is that implementation secrecy also
demands trust between user and supplier/vendor. Within the
government, users within government agencies generally trust
other parts of the government to provide adequate services as
a supplier. But in the private sector, such trust is not
necessarily warranted. Users that are unable to determine for
themselves what algorithms are embedded in computer and
communications products used must trust the vendor to have
provided algorithms that do what the user wants done, and the
vast majority of users fall into this category. Such opacity
functions as a de facto mechanism of secrecy that also impedes
user knowledge about the inner workings and that is exploited
by the distributors of computer viruses and worms. As a
result, choosing between the use of self-implemented source
code and a pre-packaged program to perform certain functions
is in many ways analogous to choosing between use of
unclassified and classified algorithms.

   An information security manager with very high security
needs must make trade-offs of assurance vs. cost. In general,
the only way to be certain that the algorithms used are the
ones claimed to be used is to implement them on one's own. Yet
if the manager lacks the necessary knowledge and experience,
a self-implementation may not be as secure or as capable as
one developed by a trusted vendor. A self-implementer also
carries the considerable burden of development costs that a
commercial vendor can amortize over many sales.

   As a result, security-conscious users of products whose
inner workings are kept secret must (1) trust the vendor
implicitly (based on factors such as reputation), or (2) face
the possibility of various extreme scenarios. Here are two:

   +    The hardware of a secret device can be dynamically
modified; for example, electrically erasable read-only
memories can direct the operation of a processor. One possible
scenario with secret hardware is that a chip that initially
provides Clipper-chip functionality might be reprogrammed when
it first contacts a Clipper/Capstone-compliant device to allow
a nonescrowed but unauthorized access to it; such a means of
"infection" is common with computer viruses. In other words,
the Skipjack algorithm may have been embedded in the chip when
it was first shipped, but after the initial contact, the
algorithm controlling the chip is no longer Skipjack.

   +    An algorithm that is not Skipjack is embedded by the
manufacturer in chips purporting to be Clipper or Capstone
chips. Since the utility of a vector test depends on the
availability of an independent implementation of the
algorithm, it is impossible for the user to perform this test
independently if the user has no reference point. As a result,
the user has no access to an independent test of the chip that
is in the user's "Clipper/Capstone-compliant" device, and so
any algorithm might have been embedded.(50)

   Any technically trained person can invent many other such
scenarios. Thus, public trust in the technical desirability of
the EES and Fortezza for exceptional access depends on a high
degree of trust in the government, entirely apart from any
fears about compromising escrow agents wherever they are

   Of course, some of the same considerations go beyond the
Skipjack algorithm and the Clipper/Capstone approach. In
general, users need confidence that a given product with
encryption capabilities indeed implements a given algorithm.
Labeling a box with the letters "DES" does not ensure that the
product inside really implements DES. In this case, the fact
that the DES algorithm is publicly known facilitates testing
to verify that the algorithm is implemented correctly.(51) If
its source code is available for inspection, other
security-relevant aspects of a software product can be
examined to a certain extent, at least up to the limits of the
expertise of the person checking the source code. But for
software products without source code, and especially for
hardware products that cannot easily be disassembled, and even
more so for hardware products that are specifically designed
to resist disassembly, confidence in the nonalgorithm security
aspects of the product is more a matter of trusting the vendor
than of the user making an independent technical verification
of an implementation.(52) In some sectors (e.g., banking,
classified military applications), however, independent
technical verification is regarded as essential.

   Finally, a given product may properly implement an
algorithm but still be vulnerable to attacks that target the
part of the product surrounding the implementation of the
algorithm. Such vulnerabilities are most common in the initial
releases of products that have not been exposed to public test
and scrutiny. For example, a security problem with the
Netscape Navigator's key-generation facility could have been
found had the implementation in which the key generator was
embedded been available for public examination prior to its
release, even though the encryption algorithm itself was
properly implemented.(53)


   (48) For example, Trusted Information Systems Inc. of
Glenwood, Maryland, has advocated an approach to preventing
modification that relies on the placement of integrity locks
at strategic locations. With such an approach, a change to the
disassembled source code would have to be reflected properly
in all relevant integrity locks; doing so might well involve
disassembly of an entire product rather than of just one
module of the product. Nevertheless, such an approach cannot
prevent modification, although it can make modification more
difficult. Such anti-reverse-engineering features may also
increase the difficulty of vendor maintenance of a product.
Increased difficulty may be a price vendors must pay in order
to have secure software implementations.

   (49) Estimates of the cost to reverse-engineer the Clipper
chip nondestructively cover a wide range, from "doable in
university laboratories with bright graduate students and
traditions of reverse engineering" (as estimated by a number
of electrical engineers in academia with extensive experience
in reverse engineering) to as much as $30 million to $50
million (as estimated in informal conversations between JASON
members and DOD engineers). The cost may well be lower if
large numbers of chips are available for destructive

   (50) According to Dorothy Denning, the review team for
Skipjack (see footnote 5 of this chapter) compared the output
from Clipper chips with output from the software version of
Skipjack that the review team obtained for review to verify
that the algorithm on the chips was the same as the software
version. Personal communication, Dorothy Denning, Georgetown

   (51) As described in Chapter 4, the product tester can use
the product to encrypt a randomly chosen set of values with a
randomly chosen key, and compare the cncrypted output to the
known correct result obtained through the use of a product
known to implement the algorithm correctly. This is known as
a vector test.

   (52) Such a comment is not meant to preclude the
possibility of an independent certifying authority, a kind of
"Consumers' Reports" for crypto equipment and products. Such
organizations have been proposed to evaluate and certify
computer security, and as of this writing, three U.S. firm
have received NIST approval to evaluate the conformance of
products to FIPS-140-1, the FIPS for cryptography modules.

   (53) This security problem is referenced in footnote 34,
Chapter 2. The lack of prior vetting for Netscape Navigator is
described by Kathleen Murphy, "A Second Security Breach," *Web
Week*, Volume 1(6), October 1995, p. 8.



   After the Clipper initiative was announced, and as the
debate over escrowed encryption broadened to include the
protection of data communications arld stored data, the mass
market software industry emphasized that a hardware solution
to cryptographic security -- as exemplified by the Clipper
chip -- would not be satisfactory. They argued with some force
that only a software-based approach would encourage the
widespread use of encryption envisioned for the world's
electronic future, making several points:

   +    Customers have a strong preference for using
integrated cryptographic products. While stand-alone products
with encryption capabilities could be made to work, in general
they lack operational convenience for the applications that
software and systems vendors address.

   +    Compared to software, hardware is expensive to
manufacture. In particular, the relevant cost is not simply
the cost of the hardwale encryption device compared to a
software encryption package,(54) but also the cost of any
modifications to the hardware environment needed to accept the
hardware encryption device.(55) For example, one major company
noted to the committee that the adoption of the Fortezza card,
a card that fits into the PC-card slots available on most
laptop computers, would be very expensive in their desktop
computing environment, because most of their desktop computers
do not have a PC-card slot and would have to be modified to
accept a Fortezza card. By contrast, a software encryption
product can simply be loaded via common media (e.g., a CD-ROM
or a floppy disk) or downloaded via a network.

   +    The fact that hardware is difficult to change means
that problems found subsequent to deployment are more
difficult to fix. For example, most users would prefer to
install a software fix by loading a CD-ROM into their
computers than to open up their machines to install a new chip
with a hardware fix.

   +    Hardware-based security products have a history of
being market-unfriendly. Hardware will, in general, be used
only to the extent that the required hardware (and its
specific configuration) is found in user installations.
Moreover, hardware requirements can be specified for software
only when that hardware is widely deployed. For example, a
technical approach to the software piracy problem has been
known for many years; the approach requires the installation
of special-purpose hardware that is available only to those
who obtain the software legitimately. This "solution" has
failed utterly in the marketplace, and software piracy remains
a multibillion-dollar-per-year problem.

   +    Hardware for security consumes physical space and
power in products. For example, a hardware-based encryption
card that fits into an expansion slot on a computer takes up
a slot permanently, unless the user is willing to install and
deinstall the card for every use. It also creates an
additional power demand on electronic devices where power and
battery life are limited.

   In general, products with encryption capabilities today use
software or hardware or both to help ensure security.(56) The
crux of the hardware-software debate is what is good enough to
ensure security. The security needed to manage electronic cash
in the international banking system needs to be much stronger
than the security to protect wordprocessing files created by
private individuals. Thus, software-based cryptography might
work for the latter, while hardware-based cryptography might
be essential for the former.

   Products with encryption capabilities must be capable of
resisting attack. But since such products are often embedded
in operating environments that are themselves insecure, an
attacker may well choose to attack the environment rather than
the product itself. For example, a product with encryption
capabilities may be hardware-based, but the operating
environment may leave the encryption keys or the unencrypted
text exposed.(57) More generally, in an insecure environment,
system security may well not depend very much on whether the
cryptography per se is implemented in hardware or software or
whether it is weak or strong.

   In the context of escrowed encryption, a second security
concern arises -- a user of an escrowed encryption product may
wish to defeat the escrow mechanism built into the product.
Thus, the escrow features of the product must be bound to the
product in a way that cannot be bypassed by some
reverse-engineered modification to the product. This
particular problem is known as binding or, more explicitly,
escrow binding; escrow binding is an essential element of any
escrow scheme that is intended to provide exceptional access.

   Concern over how to solve the escrow binding problem was
the primary motivation for the choice of a hardware approach
to the Clipper initiative. As suggested in Section 5.10, the
functionality of a hardware system designed to resist change
is indeed difficult to change, and so hardware implementations
have undeniable advantages for solving the escrow binding
problem.(58) An EES-compliant device would be a telephone
without software accessible to the user, and would provide
high assurance that the features for exceptional access would
not be bypassed.

   As the debate has progressed, ideas for software-based
escrow processes have been proposed. The primary concern of
the U.S. government about software implementations is that
once a change has been designed and developed that can bypass
the escrow features ("break the escrow binding"), such a
change can be easily propagated through many different
channels and installed with relatively little difficulty. In
the committee's view, the important question is whether
software solutions to the escrow binding problem can provide
an acceptable level of protection against the reverse
engineer. Whether an escrowed encryption product is
implemented in software (or hardware for that matter), the
critical threshold is the difficulty of breaking the escrow
binding (i.e., bypassing the escrowing features) compared to
the effort necessary to set up an independent unescrowed
encryption system (perhaps as part of an integrated product).
If it is more difficult to bypass the escrow features than to
build an unescrowed system, then "rogues" who want to defeat
exceptional access will simply build an unescrowed system. The
bottom line is that an escrowed encryption product does not
have to be perfectly resistant to breaking the escrow binding.

   A possible mitigating factor is that even if a software
"patch" is developed that would break the escrow binding of an
escrowed encryption software product, it may not achieve wide
distribution even among the criminals that would have the most
to gain from such a change. Experience with widely deployed
software products (e.g., operating systems) indicates that
even when a software fix is made available for a problem in a
product, it may not be implemented unless the anomalous or
incorrect software behavior is particularly significant to an
end user. If this is the case for products that are as
critical as operating systems, it may well be true for
products with more specialized applications. On the other side
of the coin, many parties (e.g., criminals) may care a great
deal about the presence of escrowing and thus be highly
motivated to find "fixes" that eliminate escrowing.


   (54) In a recent contract, a vendor agreed to provide
Fortezza cards at $69 per card. See Paul Constance, "After
Complaining $99 Was Too Low, Forteza Vendors Come in at $69,"
*Government Computer News*, October 2, 1995, p. 6.

   (55) One vendor is manufacturing a circuit board for
encryption that fits into a 3.5" floppy disk drive. However,
this device does not employ the Capstone/Fortezza approach.
See Elizabeth Sikorovsky, "Device Offers Alternative to PC
Card-Based Encryption," *Federal Computer Week*, November 13,
1995, pp. 29 and 35.

   (56) Note that the dividing line between hardware and
software is not always clear. In particular, product designers
use the term "firmware" to refer to a design approach that
enters software into a special computer memory (an integrated
circuit chip) that usually is subsequently unchangeable
(read-only memory; ROM). Sometimes an alternate from of memory
is used that does permit changes under controlled conditions
(electrically programmable ROM; EPROM). Such software-
controlled hardware (microprogrammed hardware) has the
convenience that the functionality of the item can be updated
or changed without redesign of the hardware portion.

   (57) Peter G. Neumann, *Can Systems Be Trustworthy with
Software-Implemented Cryptography?*, SRI International, Menlo
Park, California, October 28, 1994.

   (58) A device controlled by software stored in a
programmable read-only memory is for all intents and purposes
the same as "pure hardware" in this context.



   Key generation is the process by which cryptographic keys
are generated. Two types of keys are relevant:

   +    A session key is required for each encryption of
plaintext into ciphertext; this is true whether the
information is to be stored or communicated. Ultimately, the
intended recipients of this information (those who retrieve it
from storage or those who receive it at the other end of a
communications channel) must have the same session key. For
maximum information security, a new session key is used with
every encryption. (See footnote 7 of this chapter for more

   +    A unit key is a cryptographic key associated with a
particular product or device owned or controlled by a specific
individual. Unit keys are often used to protect session keys
from casual observation in escrowed encryption products, but
precisely how they are used depends on the specifics of a
given product.

   In the most general case, the session key is a random
number, and a different one is generated anew for each
encryption. But the unit key is a cryptographic variable that
typically changes on a much longer time scale than does the
session key. In many escrowed encryption schemes, knowledge of
the unit key enables a third party to obtain the session key
associated with any given encryption.

   The Clipper/Capstone approach requires that the unit key be
generated by the manufacturer at the time of manufacture ("at
birth") and then registered prior to sale with escrow agents
in accordance with established procedures. Such an approach
has one major advantage from the standpoint of those who may
require exceptional access in the future -- it guarantees
registration of keys, because users need not take any action
to ensure registration.

   At the same time, since the Clipper/Capstone approach is
based on a hardware-based implementation that is not
user-modifiable, a given device has only one unit key for its
entire lifetime, although at some cost, the user may change
the Clipper chip embedded in the device.(59) If the unit key
is compromised, the user's only recourse is to change the
chip. A user who does not do so violates one basic principle
of information security -- frequent changing of keys (or
passwords).(60) In addition, the fact that all unit keys are
known at the time of manufacture raises concerns that all keys
could be kept (perhaps surreptitiously) in some master
databank that would be accessible without going to the
designated escrow agents. The implication is that the user is
forced to trust several organizations and individuals involved
with the manufacturing process. Such trust becomes an implicit
aspect of the secrecy associated with EES-compliant devices.

   One alternative to unit key generation at birth is the
generation (or input) of a new unit key at user request. This
approach has the advantage that the user can be confident that
no one else retains a copy of the new key without his or her
knowledge. The disadvantage is that escrow of that key would
require explicit action on the user's part for that purpose.

   An alternative that has some of the advantages of each
approach is to install and register a unit key at birth, but
to design the product to allow the user to change the unit key
later. Thus, all products designed in this manner would have
"default" unit keys installed by the manufacturer and recorded
with some escrow agent; each of these keys would be different.
Users who took the trouble to install a new unit key would
have to take an explicit action to escrow it, but in many
cases, the inconvenience and bother of changing the unit key
would result in no action being taken. Thus, valid unit keys
would be held by escrow agents in two cases -- for products
owned by users who did not change the unit key, and for
products owned by users who chose to register their new keys
with escrow agents.

   Who is responsible for the collection of unit keys? Under
the Clipper/Capstone approach, the responsible party is the
U.S. government. But if nongovemment agencies were to be
responsible for escrowing keys (see Section 5.8), a large
market with many vendors producing many different types of
encryption products in large volume could result in a large
administrative burden on these vendors.

   The specific implementation of EES also raises an
additional point. As proposed, EES requires that unit keys be
given to government authorities upon presentation of legal
authorization. If these keys are still available to the
authorities after the period of legal authorization has
expired, the EES device is forever open to government
surveillance. To guard against this possibility,
Administration plans for the final Clipper key escrow system
provide for automatic key deletion from the decrypting
equipment upon expiration of the authorized period. Key
deletion is to be implemented on the tamper-resistant device
that law enforcement authorities will use to decrypt
Clipper-encrypted traffic. However, by early 1996, the
deployed interim key escrow system had not been upgraded to
include that feature.


   (59) A Clipper chip costs about $10 when bought in large
lots. (Personal communication, March 22, 1996, Jimmy Dolphin,
Mykotronx.) Even when including retail mark-up costs and
labor, the cost of changing a Clipper chip is likely to be
less than $100.

   (60) However, since the Skipjack algorithm is classified,
simple knowledge of the unit key (or the session key) would
enable only those with knowledge of the algorithm to decrypt
the session key (or the session).



   As noted in Chapter 4, the Administration has proposed to
treat software products with 64-bit encryption using any
algorithm as it currently treats products that are based on
40-bit RC2/RC4 algorithms, providing that products using this
stronger encryption are "properly escrowed." This change is
intended to make available to foreign customers of U.S.
software products stronger cryptographic protection than they
currently have today.

   This proposal has raised several issues.

         5.13.1 The Definition of "Proper Escrowing"

   The definition of "proper escrowing" (as the phrase is used
in the Administration's proposed new export rules in Box 5.3)
is that keys should be escrowed only with "escrow agent(s)
certified by the U.S. Government, or certified by foreign
governments with which the U.S. Government has formal
agreements consistent with U.S. law enforcement and national
security requirements." These agents would not necessarily be
govermnent agencies, although in principle they could be.

   The obvious question is whether foreign consumers will be
willing to purchase U.S. products with encryption capabilities
when it is openly announced that the information security of
those products could be compromised by or with the assistance
of escrow agents certified by the U.S. government. While the
draft definition does envision the possibility that escrow
agents could be certified by foreign governments (e.g., those
in the country of sale), formal agreements often take a long
time to negotiate, during which time U.S. escrow agents would
hold the keys, or the market for such products would fail to

   For some applications (e.g., U.S. companies doing business
with foreign suppliers), interim U.S. control of escrow agents
may prove acceptable. But it is easy to imagine other
applications for which it would not, and in any case a larger
question is begged: What would be the incentive for foreign
users to purchase such products from U.S. vendors if
comparably strong but unescrowed foreign products with
encryption capabilities were available? As the discussion in
Chapter 2 points out, integrated products with encryption
capabilities are generally available today from U.S. vendors.
However, how long the U.S. monopoly in this market will last
is an open question.

   The issue of who holds the keys in an international context
is explored further in Appendix G.

              5.13.2 The Proposed Limitation of
               Key Lengths to 64 Bits or Less

   The most important question raised by the 64-bit limitation
is this: If the keys are escrowed and available to law
enforcement and national security authorities, why does it
matter how long the keys are? In response to this question,
senior Administration officials have said that the limitation
to 64 bits is a way of hedging against the possibility of
finding easily proliferated ways to break the escrow binding
built into software, with the result that U.S. software
products without effective key escrow would become available
worldwide. Paraphrasing the remarks of a senior Administration
official at the 1995 International Cryptography Institute,
"The 64-bit limit is there because we might have a chance of
dealing with a breakdown of software key escrow 10 to 15 years
down the line; but if the key length implied a work factor of
something like triple-DES, we would *never* [emphasis in
original] be able to do it."

   Two factors must be considered in this argument. One is the
likelihood that software key escrow can in fact be
compromised. This subject is considered in Sections 5.10.2 and
5.11. But a second point is the fact that the 64-bit limit is
easily circumvented by multiple encryption under some
circumstances. Specifically, consider a stand-alone
security-specific product for file encryption that is based on
DES and is escrowed. Such a product -- in its unaltered state
-- meets all of the proposed draft criteria for export. But
disassembly of the object code of the program (to defeat the
escrow binding) may also reveal the code for DES encryption in
the product. Once the source code for the DES encryption is
available, it is a technically straightforward exercise to
implement a package that will use the product to implement a
triple-DES encryption on a file.

                         5.14 RECAP

   Escrowed encryption is one of several approaches to
providing exceptional access to encrypted information. The
U.S. government has advanced a number of initiatives to
support the insertion of escrow features into products with
encryption capabilities that will become available in the
future, including the Escrowed Encryption Standard, the
Capstone/Fortezza initiative, and a proposal to liberalize
export controls on products using escrowed encryption. Its
support of escrowed encryption embodies the government's
belief that the benefit to law enforcement and national
security from exceptional access to encrypted information
outweighs the damage owing to loss of confidentiality that
might occur with the failure of procedures intended to prevent
unauthorized access to the escrow mechanism.

   Escrowed encryption provides *more* confidentiality than
leaving information unprotected (as most information is
today), but less confidentiality than what could be provided
by good implementations of unescrowed cryptography. On the
other hand, escrowed encryption provides more capability for
exceptional access under circumstances of key loss or
unavailability than does unescrowed encryption. All users will
have to address this trade-off between level of
confidentiality and key unavailability.

   The central questions with respect to escrowed encryption
are the following:

   +    With what degree of confidence is it possible to
ensure that third parties will have access to encrypted
information only under lawfully authorized circumstances?

   +    What is the trade-off for the user between potentially
lower levels of confidentiality and higher degrees of
confidence that encrypted data will be available when


             BOX 5.1 Key Technical Attributes of
                   the Clipper Initiative

   1. A chip-unique secret key, the "unit key" or "device key"
or "master key" would be embedded in the chip at the time of
fabrication and could be obtained by law enforcement officials
legally authorized to do so under Title III.

   2. Each chip-unique device key would be split into two

   3. The component parts would be deposited with and held
under high security by two trusted thirdparty escrow agents
proposed to be agencies of the U.S. government. Note:
"Third-party" is used here to indicate parties other than
those participating in the communication.

   4. A law enforcement access field (LEAF) would be a
required part of every transmission. The LEAF would contain
(a) the current session key, encrypted with a combination of
the device-unique master key and a different but secret
"family key" also permanently embedded in the chip and (b) the
chip serial number, also protected by encryption with the
family key.

   5. Law enforcement could use the information in the LEAF to
identify the particular device of interest, solicit its
master-key components from the two escrow agents, combine
them, recover the session key, and eventually decrypt the
encrypted traffic.

   6. The encryption algorithm on the chip would be secret.

   7. The chip would be protected against reverse engineering
and other attempts to access its technical details.


SOURCE: Dorothy Denning and Miles Smid, "Key Escrowing Today,"
*IEEE Communications*, Volume 32(9), September 1994, pp.
58-68. Available on-line from http://www.cosc.georgetown.edu/~
denning/ crypto/Key-Escrowing-Today.txt.


                BOX 5.2 The Relationship of
                Escrowed Encryption to SIGINT

   Escrowed encryption -- especially the EES and the Clipper
initiative -- is a tool of law enforcement more than of
signals intelligence. The EES was intended primarily for
domestic use, although exports of EES-compliant devices have
not been particularly discouraged. Given that the exceptional
access feature of escrowed encryption has been openly
announced, purchase by foreign governments for secure
communications is highly unlikely.

   On the other hand, the U.S. government has classified the
Skipjack algorithm to keep foreign adversaries from learning
more about good cryptography. In addition, wide deployment and
use of escrowed encryption would complicate the task of
signals intelligence, simply because individual keys would
have to be obtained one by one for communications that might
or might not be useful. (Still, EES devices would be better
for SIGINT than unescrowed secure telephones, in the sense
that widely deployed secure telephones without features for
exceptional access would be much harder to penetrate.)

   Finally, the impact of escrowed encryption on intelligence
collection abroad depends on the specific terms of escrow
agent certification. Even assuming that all relevant escrow
agents are located within the United States (a question
addressed at greater length in Appendix G), the specific
regulations governing their behavior are relevant.
Intelligence collections of digital data can proceed with few
difficulties if regulations permit escrow agents to make keys
available to national security authorities on an automated
basis and without the need to request keys one by one. On the
other hand, if the regulations forbid wholesale access to keys
(and the products in question do not include a "universal key"
that allows one key to decrypt messages produced by many
devices), escrowed encryption would provide access primarily
to specific encrypted communications that are known to be
intrinsically interesting (e.g., known to be from a particular
party of interest). However, escrowed encryption without
wholesale access to keys would not provide significant
assistance to intelligence collections undertaken on a large


           BOX 5.3 Administration's Draft Software
         Key Escrow Export Criteria -- November 1995

                     Key Escrow Feature

   1. The key(s) required to decrypt the product's key escrow
cryptographic functions' ciphertext shall be accessible
through a key escrow feature.

   2. The product's key escrow cryptographic functions shall
be inoperable until the key(s) is escrowed in accordance with

   3. The product's key escrow cryptographic functions' key(s)
shall be escrowed with escrow agent(s) certified by the U.S.
Government, or certified by foreign governments with which the
U.S. Government has formal agreements consistent with U.S. law
enforcement and national security requirements.

   4. The product's key escrow cryptographic functions'
ciphertext shall contain, in an accessible format and with a
reasonable frequency, the identity of the key escrow agent(s)
and information sufficient for the escrow agent(s) to identify
the key(s) required to decrypt the ciphertext.

   5. The product's key escrow feature shall allow access to
the key(s) needed to decrypt the product's ciphertext
regardless of whether the product generated or received the

   6. The product's key escrow feature shall allow for the
recovery of multiple decryption keys during the period of
authorized access without requiring repeated presentations of
the access authorization to the key escrow agent(s).

                     Key Length Feature

   7. The product's key escrow cryptographic functions shall
use an unclassified encryption algorithm with a key length not
to exceed sixty-four (64) bits.

   8. The product's key escrow cryptographic functions shall
not provide the feature of multiple encryption (e.g.,

                  Interoperability Feature

   9. The product's key escrow cryptographic functions shall
interoperate only with key escrow cryptographic functions in
products that meet these criteria, and shall not interoperate
with the cryptographic functions of a product whose key escrow
encryption function has been altered, bypassed, disabled, or
otherwise rendered inoperative.

      Design, Implementation, and Operational Assurance

   10. The product shall be resistant to anything that could
disable or circumvent the attributes described in #1 through


SOURCE: National Institute of Standards and Technology, *Draft
Software Key Escrow Encryption Export Criteria*, November 6,
1995. Available on line from http://csrc.ncsl.nist.gov/
keyescrow/criteria.txt (11/95 version; NIST Web page).


    BOX 5.4 Non-Clipper Proposals for Escrowed Encryption

   AT&T CryptoBackup. CryptoBackup is an AT&T proprietary
design for a commercial or private key-escrow encryption
system. The data encryption key for a document is recovered
through a backup recovery vector (BRV), which is stored in the
document header. The BRV contains the document key encrypted
under a master public key of the escrowed agent(s). (David P.
Maher, "Crypto Backup and Key Escrow," *Communications of the
ACM*, March 1996.)

   Bankers Trust Secure Key Escrow Encryption System
(SecureKEES). Employees of a corporation register their
encryption devices (e.g., smart card) and private encryption
keys with one or more commercial escrow agents selected by the
corporation. (SecureKEES product literature, CertCo, Bankers
Trust Company.)

   Bell Atlantic Yaksha System. An on-line key security server
generates and distributes session keys and file keys using a
variant of the RSA algorithm. The server transmits the keys to
authorized parties for data recovery purposes. (Ravi Ganesan,
"The Yaksha Security System," *Communications of the ACM*,
March 1996.)

   Royal Holloway Trusted Third Party Services. This proposed
architecture for a public key infrastructure requires that the
trusted third parties associated with pairs of communicating
users share parameters and a secret key. (Nigel Jefferies,
Chris Mitchell, and Michael Walker, *A Proposed Architecture
for Trusted Third Party Services*, Royal Holloway, University
of London, 1995.)

   RSA Secure(TM). This file encryption product provides data
recovery through an escrowed master public key, which can be
split among up to 255 trustees using a threshold scheme. (RSA
Secure(TM), product literature from RSA Data Security Inc.)

   Nortel Entrust. This commercial product archives users'
private encryption keys as part of the certificate authority
function and public-key infrastructure support. (Warwick Ford,
"Entrust Technical Overview," White Paper, Nortel Secure
Networks, October 1994.)

   National Semiconductor CAKE. This proposal combines a TIS
Commercial Key Escrow (CKE) with National Semiconductor's
PersonaCard(TM). (W.B. Sweet, "Commercial Automated Key Escrow
(CAKE): An Exportable Strong Encryption Proposal," National
Semiconductor, iPower Business Unit. June 4. 1995.)

   TIS Commercial Key Escrow (CKE). This is a commercial key
escrow system for stored data and file transfers. Data
recovery is enabled through master keys held by a Data
Recovery Center. (Stephen T. Walker, Stephen B. Lipner, Carl
M. Ellison, and David M. Balenson, "Commercial Key Recovery,"
*Communications of the ACM*, March 1996.)

   TECSEC VEIL(TM). This commercial product provides file (and
object) encryption. Private key escrow is built into the key
management infrastructure. (Edward M. Scheidt and Jon L.
Roberts, "Private Escrow Key Management," TECSEC Inc., Vienna,
Va. See also TECSEC VEIL(TM), product literature.)

   Viacrypt PGP/BE (Business Edition). Viacrypt is a
commercialized version of PGP, the free Internet-downloadable
software package for encrypted communications. The Business
Edition of Viacrypt optionally enables an employer to decrypt
all encrypted files or messages sent or received by an
employee by carrying the session key encrypted under a
"Corporate Access Key" in the header for the file or message.
(See http://www.viacrypt.com.)


SOURCE: Most of these examples are taken from Dorothy Denning
and Miles Smid, "Key Escrowing Today," *IEEE Communications*,
Volume 32, 1994, pp. 58-68. Available on line from


          BOX 5.5 Law Enforcement Requirements for
                Escrowed Encryption Products

                 Information Identification

   +    The product is unable to encrypt/decrypt data unless
the necessary information to allow law enforcement to decrypt
communications and stored information is available for release
to law enforcement.

   +    A field is provided that readily identifies the
information needed to decrypt each message, session, or file
generated or received by the user of the product.

   +    Repeated involvement by key escrow agents [KEAs] is
not required to obtain the information needed to decrypt
multiple conversations and data messages (refer to expeditious
information release by KEA's) during a period of authorized
communications interception.

           Provision of Subject's Information Only

   +    Only information pertaining to the communications or
stored information generated by or for the subject is needed
for law enforcement decryption.

            Subversions of Decryption Capability

   +    The product is resistant against alterations that
disable or bypass law enforcement decryption capabilities.

   +    Any alteration to the product to disable or bypass law
enforcement's decryption capability requires a significant
level of effort regardless of whether similar alterations have
been made to any other identical version of that product.


   +    The decryption of an intercepted communication is
transparent to the intercept subject and all other parties to
the communication except the investigative agency and the key
escrow agent.

               Access to Technical Details to
                 Develop Decrypt Capability

   +    Law enforcement may need access to a product's
technical details to develop a key escrow decrypt capability
for that product.


SOURCE: Federal Bureau of Investigation, viewgraphs of
presentation to *International Cryptography Institute 1995*,
September 22, 1995.


   BOX 5.6 Law Enforcement Requirements for Escrow Agents

                  Information Availability

   +    The information necessary to allow law enforcement the
ability to decrypt communications and stored information is
available. KEAs [key escrow agents] should maintain or be
capable of generating all the necessary decrypt (key)

   +    Key and/or related information needed to decrypt
communications and stored information is retained for extended
time periods. KEAs should be able to decrypt information
encrypted with a device or product's current and/or former
key(s) for a time period that may vary depending on the
application (e.g., voice vs. stored files).

   +    A backup capability exists for key and other
information needed to decrypt communications and stored
information. Thus, a physically separate backup capability
should be available to provide redundancy of resources should
the primary capability fail.

            Key Escrow Agent (KEA) Accessibility

   +    KEAs should be readily accessible. For domestic
products, they should reside and operate in the United States.
They should be able to process proper requests at any time;
most requests will be submitted during normal business hours,
but exigent circumstances (e.g., kidnappings, terrorist
threats) may require submission of requests during nonbusiness

                 Information Release by KEAs

   +    The information needed for decryption is expeditiously
released upon receipt of a proper request. Since
communications intercepts require the ability to decrypt
multiple conversations and data messages sent to or from the
subject (i.e., access to each session or message key) during
the entire intercept period, only one initial affirmative
action should be needed to obtain the relevant information.
Exigent circumstances (e.g. kidnappings, terrorist threats)
will require the release of decrypt information within a
matter of hours.

       Confidentiality and Safeguarding of Information

   +    KEAs should safeguard and maintain the confidentiality
of information pertaining to the request for and the release
of decrypt information. KEAs should protect the
confidentiality of the person or persons for whom a key escrow
agent holds keys or components thereof, and protect the
confidentiality of the identity of the agency requesting
decrypt information or components thereof and all information
concerning such agency's access to and use of encryption keys
or components thereof.

   For law enforcement requests, KEA personnel knowledgeable
of an interception or decryption should be of good character
and have not been convicted of crimes of moral turpitude or
otherwise bearing on their trustworthiness. For national
security requests, KEA personnel viewing and or storing
classified requests must meet the applicable U.S. Government
requirements for accessing and or storing classified
information. Efforts are ongoing to examine unclassified

   +    KEAs should be legitimate organizations without ties
to criminal enterprises, and licensed to conduct business in
the United States. KEAs for domestic products should not be a
foreign corporation, a foreign country, or an entity thereof.


SOURCE: Federal Bureau of Investigation, viewgraphs of
presentation to *International Cryptography Institute 1995*,
September 22, 1995.


      BOX 5.7 Proposed U.S. Government Requirements for
        Ensuring Escrow Agent Integrity and Security

   1. Escrow agent entities shall devise and institutionalize
policies, procedures, and mechanisms to ensure the
confidentiality, integrity, and availability of key escrow
related information.

   a. Escrow agent entities shall be designed and operated so
   that a failure by a single person, procedure, or mechanism
   does not compromise the confidentiality, integrity or
   availability of the key and/or key components (e.g., two
   person control of keys, split keys, etc.)

   b. Unencrypted escrowed key and or key components that are
   stored and or transmitted electronically shall be protected
   (e.g., via encryption) using approved means.

   c. Unencrypted escrowed key and or key components stored
   and/or transferred via other media/methods shall be
   protected using approved means (e.g., safes).

   2. Escrow agent entities shall ensure due form of escrowed
key access requests and authenticate the requests for escrowed
key and or key components.

   3. Escrow agent entities shall protect against disclosure
of information regarding the identity of the person/
organization whose key and/or key components is requested, and
the fact that a key and/or key component was requested or

   4. Escrow agent entities shall enter keys/key components
into the escrowed key database immediately upon receipt.

   5. Escrow agent entities shall ensure at least two copies
of any key and/or key component in independent locations to
help ensure the availability of such key and or key components
due to unforeseen circumstances.

   6. Escrow agent entities that are certified by the U.S.
government shall work with developers of key escrow encryption
products and support a feature that allows products to verify
to one another that the products' keys have been escrowed with
a U.S.-certified agent.


SOURCE: National Institute of Standards and Technology, *Draft
Software Key Escrow Encryption Export Criteria*, November 6,
1995. Available on line from http://csrc.ncsl.nist.gov/
keyescrow/criteria.txt (11/95 version; NIST Web page).


        BOX 5.8 Requirements for Ensuring Key Access

   7. An escrow agent entity shall employ one or more persons
who possess a SECRET clearance for purposes of processing
classified (e.g., FISA) requests to obtain keys and/or key

   8. Escrow agent entities shall protect against unauthorized
disclosure of information regarding the identity of the
organization requesting the key or key components.

   9. Escrow agent entities shall maintain data regarding all
key escrow requests received, key escrow components released,
database changes, system administration accesses, and dates of
such events, for purposes of audit by appropriate government
officials or others.

   10. Escrow agent entities shall maintain escrowed keys
and/or key components for as long as such keys may be required
to decrypt information relevant to a law enforcement

   11. Escrow agent entities shall provide key/key components
to authenticated requests in a timely fashion and shall
maintain a capability to respond more rapidly to emergency
requirements for access.

   12. Escrow agent entities shall possess and maintain a
Certificate of Good Standing from the State of incorporation
(or similar local/national authority).

   13. Escrow agent entities shall provide to the U.S.
government a Dun & Bradstreet/TRW number or similar credit
report pointer and authorization.

   14. Escrow agent entities shall possess and maintain an
Errors & Omissions insurance policy.

   15. Escrow agent entities shall provide to the U.S.
government a written copy of, or a certification of the
existence of a corporate security policy governing the key
escrow agent entity's operation.

   16. Escrow agent entities shall provide to the U.S.
government a certification that the escrow agent will comply
with all applicable federal, state, and local laws concerning
the provisions of escrow agent entity services.

   17. Escrow agent entities shall provide to the U.S.
government a certification that the escrow agent entity will
transfer to another approved escrow agent the escrow agent
entity's equipment and data in the event of any dissolution or
other cessation of escrow agent entity operations.

   18. Escrow agent entities for products sold in the United
States shall not be a foreign country or entity thereof, a
national of a foreign country, or a corporation of which an
alien is an officer or more than one-fourth of the stock which
is owned by aliens or which is directly or indirectly
controlled by such a corporation. Foreign escrow agent
entities for products exported from the United States will be
approved on a case by case basis as law enforcement and
national security agreements can be negotiated.

   19. Escrow agent entities shall provide to the U.S.
government a certification that the escrow agent entity will
notify the U.S. government in writing of any changes in the
forgoing information.

   20. Fulfillment of these and the other criteria are subject
to periodic recertification.


SOURCE: National Institute of Standards and Technology, *Draft
Key Escrow Agent Criteria*, December 1, 1995. Available on
line from http://csrc.ncsl.nist.gov/keyescrow/agent-criteria.


         BOX 5.9 Statutory Limitations on Liability

   Government can promote the use of specific services and
products by assuming some of the civil liability risks
associated with them. Three examples follow:

   +    The Atomic Energy Damages Act, also called the
Price-Anderson Act, limits the liability of nuclear power
plant operators for harm caused by a nuclear incident (such as
an explosion or radioactive release). To operate a nuclear
power plant, a licensee must show the U.S. Nuclear Regulatory
Commission (U.S. NRC) that it maintains financial protection
(such as private insurance, self-insurance, or other proof of
financial responsibility) equal to the maximum amount of
insurance available at reasonable cost and reasonable terms
from private sources, unless the U.S. NRC sets a lower
requirement on a case-specific basis. The U.S. NRC indemnifies
licensees from all legal liability arising from a nuclear
incident, including a precautionary evacuation, which is in
excess of the required financial protection, up to a maximum
combined licensee-and-government liability of $560 million.
Incidents that cause more than $560 million in damage will
trigger review by the Congress to determine the best means to
compensate the public, including appropriating funds.

   +    The Commercial Space Launch Act provides similar
protection to parties licensed to launch space vehicles or
operate launch sites, but with a limit on the total liability
the United States accepts. The licensee must obtain financial
protection sufficient to compensate the maximum probable loss
that third parties could claim for harm or damage, as
determined by the secretary of transportation. The most that
can be required is $500 million or the maximum liability
insurance available from private sources, whichever is lower.
The United States is obligated to pay successful claims by
third parties in excess of the required protection, up to $1.5
billion, unless the loss is related to the licensee's willful
misconduct. The law also requires licensees to enter into
reciprocal waivers of claims with their contractors and
customers, under which each party agrees to be responsible for
losses it sustains.

   +    The swine flu vaccination program of 1976 provides an
example in which the United States accepted open-ended
liability and paid much more than expected. Doctors predicted
a swine flu epidemic, and Congress appropriated money for the
Department of Health, Education, and Welfare (HEW) to pay four
pharmaceutical manufacturers for vaccines to be distributed
nationwide. The manufacturers' inability to obtain liability
insurance delayed the program until Congress passed
legislation (P.L. 94-380) in which the United States assumed
all liability other than manufacturer negligence. The
government's liability could thus include, for example,
harmful side effects. Claims against the United States would
be processed under the Federal Tort Claims Act (which provides
for trial by judge rather than jury and no punitive damages,
among other distinctions). Some of the 45 million people who
were immunized developed complications, such as Guillain-Barre
syndrome; consequently, the program was canceled. By September
1977. 815 claims had been filed. The United States ultimately
paid more than $100 million to settle claims, and some
litigation is still pending today. Manufacturers, who by law
were liable only for negligence, were not sued.


    BOX 5.10 Perspectives on Secrecy and System Security

   The distinction between the general system (i.e., a
product) and the specific key (of an encrypted message) was
first articulated by Auguste Kerckhoffs in his historic book
*La Cryptographie Militaire*, published in 1883. Quoting David
Kahn in *The Codebreakers*:

   Kerckhoffs deduced [that] ... compromise of the system
   should not inconvenience the correspondents.... Perhaps the
   most startling requirement, at first glance, was the second
   .... Kerckhoffs explained that by "system" he meant "the
   material part of the system; tableaux, code books, or
   whatever mechanical apparatus may be necessary," and not
   "the key proper." Kerckhoffs here makes for the first time
   the distinction, now basic to cryptology, between the
   general system and the specific key. Why must the general
   system "not require secrecy"? ... Because Kerckhoffs said,
   "it is not necessary to conjure up imaginary phantoms and
   to suspect the incorruptibility of employees or subalterns
   to understand that, if a system requiring secrecy were in
   the hands of too large a number of individuals, it could be
   compromised at each engagement.... This has proved to be
   true, and Kerckhoffs' second requirement has become widely
   accepted under a form that is sometimes called the
   fundamental assumption of military cryptography: that the
   enemy knows the general system. But he must still be unable
   to solve messages in it without knowing the specific key.
   In its modern formulation, the Kerckhoffs doctrine states
   that secrecy must reside solely in the keys."(1)

   A more modern expression of this sentiment is provided by
Dorothy Denning:

   The security of a cryptosystem should depend only on the
   secrecy of the keys and not on the secrecy of the
   algorithms.... This requirement implies the algorithms must
   be inherently strong; that is, it should not be possible to
   break a cipher simply by knowing the method of
   encipherment. This requirement is needed because the
   algorithms may be in the public domain, or known to a


   (1)  David Kahn, *The Codebreakers*, Macmillan, New York,
1967, p. 235.

   (2)  Dorothy Denning, *Cryptography and Data Security*,
Addison-Wesley, Reading, Mass., 1982, p. 8.


[End chapter 5]

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


      Other Dimensions of National Cryptography Policy

   In addition to export controls and escrowed encryption,
current national policy on cryptography is affected by
government use of a large number of levers available to it,
including the Communications Assistance for Law Enforcement
Act, the standards-setting process, R&D funding, procurement
practices, education and public jawboning, licenses and
certification, and arrangements both formal and informal with
various other governments (state, local, and foreign) and
organizations (e.g., specific private companies). All of these
are controversial because they embody judgments about how the
interests of law enforcement and national security should be
reconciled against the needs of the private sector. In
addition, the international dimensions of cryptography are
both critical (because cryptography affects communications and
communications are fundamentally international) and enormously
difficult (because national interests differ from government
to government).

                   FOR LAW ENFORCEMENT ACT

   The Communications Assistance for Law Enforcement Act
(CALEA) was widely known as the "digital telephony" bill
before its formal passage. The CALEA is not explicitly
connected to national cryptography policy, but it is an
important aspect of the political context in which national
cryptography policy has been discussed and debated.

                 6.1.1 Brief Description of
             and Stated Rationale for the CALEA

General Description

   The Communications Assistance for Law Enforcement Act
(CALEA) was passed in October 1994. The act imposes on
telecommunications carriers four requirements in connection
with those services or facilities that allow customers to
originate, terminate, or direct communications:

   +    To expeditiously isolate and enable the government to
intercept, pursuant to court order or other lawful
authorization, all wire and electronic communications in the
carrier's control to or from the equipment, facilities, or
services of a subscriber, in real time or at any later time
acceptable to the government. Carriers are not responsible for
decrypting encrypted communications that are the subject of
court-ordered wiretaps, unless the carrier provided the
encryption and can decrypt it. Moreover, carriers are not
prohibited from deploying an encryption service for which it
does not retain the ability to decrypt communications for law
enforcement access.

   +    To expeditiously isolate and enable the government to
access, pursuant to court order or other lawful authorization,
reasonably available call-identifying information about the
origin and destination of communications. Access must be
provided in such a manner that the information may be
associated with the communication to which it pertains and is
provided to the government before, during, or immediately
after the communication's transmission to or from the

   +    To make intercepted communications and
call-identifying information available to government, pursuant
to court order or other lawful authorization, so that they may
be transmitted over lines or facilities leased or procured by
law enforcement to a location away from the carrier's

   +    To meet these requirements with a minimum of
interference with the subscriber's service and in such a way
that protects the privacy of communications and
call-identifying information that are not targeted by
electronic surveillance orders, and that maintains the
confidentiality of the government's interceptions.

   The CALEA also authorizes federal money for retrofitting
common carrier systems to comply with these requirements. As
this report is being written, no money has yet been
appropriated for this task.

   The CALEA requirements apply only to those services or
facilities that enable a subscriber to make, receive, or
direct calls. They do not apply to information services, such
as the services of electronic mail providers; on-line services
such as Compuserve or America Online; or Internet access
providers; or to private networks or services whose sole
purpose is to interconnect carriers. Furthermore, the CALEA
requires law enforcement authorities to use carrier employees
or personnel to activate a surveillance. The CALEA also
provides that a warrant is needed to tap a cordless telephone;
wiretaps on cellular telephones are already governed by Title
III or the Foreign Intelligence Surveillance Act.

The Stated Rationale for the CALEA

   Historically, telecommunications service providers have
cooperated with law enforcement officials in allowing access
to communications upon legal authorization. New
telecommunications services (e.g., call forwarding, paging,
cellular calls) and others expected in the future have
diminished the ability of law enforcement agencies to carry
out legally authorized electronic surveillance. The primary
impact of the CALEA is to ensure that within 4 years,
telecommunications service providers will still be able to
provide the assistance necessary to law enforcement officials
to conduct surveillance of wire and electronic communications
(both content and call-identifying information) controlled by
the carrier, regardless of the nature of the particular
services being offered.

      6.1.2 Reducing Resource Requirements for Wiretaps

   Once a surveillance order has been approved judicially, it
must be implemented. In practice, the implementation of a
surveillance order requires the presence of at least two
agents around the clock. Such a presence is required if
real-time minimization requirements are to be met.(1) As a
result, personnel requirements are the most expensive aspect
of electronic surveillance. The average cost of a wiretap
order is $57,000 (Appendix D), or approximately one-half of a
full-time-equivalent agent-year. Such costs are not incurred
lightly by law enforcement agencies.

   Under these circumstances, procedures and/or technologies
that could reduce the labor required to conduct wiretaps pose
a potential problem for individuals concerned about excessive
use of wiretaps. Specifically, these individuals are concerned
that the ability to route wiretapped calls to a central
location would enable a single team of agents to monitor
multiple conversations.(2) Such time sharing among monitoring
teams could lower wiretap costs significantly. From the
standpoint of law enforcement, these savings would could be
used for other law enforcement purposes, and they would have
the additional effect of eliminating an operational constraint
on the frequency with which wiretap authority is sought today.

   Technologies that would enable minimization without human
assistance are in their infancy today. For example, the
technology of speech recognition for the most part cannot cope
with speech that is speaker-independent and continuous, and
artificial intelligence programs today and for the foreseeable
future will be unable to distinguish between the criminally
relevant and nonrelevant parts of a conversation. Human agents
are an essential component of a wiretap, and law enforcement
officials have made three key points in response to the
concern raised above.

   +    Most importantly, today's wiretaps are performed
generally with law enforcement agencies paying
telecommunications service providers for delivering the
intercepted communications to a point of law enforcement's

   +    From an operational standpoint, the real-time
minimization of wiretapped conversations requires agents that
are personally familiar with the details of the case under
investigation, so that they know when the subjects are engaged
in conversations related to the case -- agents exceed their
authority if they monitor unrelated conversations.

   +    Procedural rules require that all evidence be
maintained through a proper chain of custody and in a manner
such that the authenticity of evidence can be established. Law
enforcement officials believe that the use of one team to
monitor different conversations could call into question the
ability to establish a clear chain of custody.


   (1)  Minimization refers to the practice, required by Title
III, of monitoring only those portions of a conversation that
are relevant to the crime under investigation. If a subject
discusses matters that are strictly personal, such discussions
are not subject to monitoring. In practice, a team of agents
operate a tape recorder on the wiretapped line. Minimization
requires agents to turn off the tape recorder and to cease
monitoring the conversation for a short period of time if they
overhear nonrelevant discussions. At the end of that time
period, they are permitted to resume monitoring. For obvious
reasons, this practice is conducted in real time. When agents
encounter a foreign language with which they are unfamiliar,
they are allowed to record the entire conversation; the tape
is then "minimized" after the fact of wiretapping. Additional
discussion of the requirements imposed on wiretapping by Title
III are contained in Appendix D.

   (2)  For example, such a concern was raised at the Fifth
Conference on Computers, Freedom, and Privacy held in San
Francisco in March 1995. The argument goes as follows. While
the CALEA authorizes $500 million to pay for existing in-place
telephone switch conversions to implement the capabilities
desired by law enforcement, this amount is intended as a
one-time cost; upgrades of switching systems are expected to
implement these capabilities without government subsidy.
(Moreover, the Congress has not yet appropriated this money.)
The point is that additional wiretap orders would not pose an
additional incremental cost (though the original cost of
$57,000 would still obtain), and the barrier of incremental
cost would not impede more wiretap orders. In short, critics
argue that it would make good economic sense to make
additional use of resources if such use can "piggy-back" on an
already-made investment.


                 6.1.3 Obtaining Access to
                Digital Streams in the Future

   In the conduct of any wiretap, the first technical problem
is simply gaining access to the relevant traffic itself,
whether encrypted or not. For law enforcement, products with
encryption capabilities and features that allow exceptional
access are useless without access to the traffic in question.
The CALEA was an initiative spearheaded by law enforcement to
deal with the access problem created by new telecommunications

   The problems addressed by the CALEA will inevitably
resurface as newer communications services are developed and
deployed for use by common carriers and private entities
(e.g., corporations) alike. It is axiomatic that the
complexity of interactions among communications systems will
continually increase, both as a result of increased
functionality and the need to make more efficient use of
available bandwidth. Consequently, isolation of the digital
streams associated with the party or parties targeted by law
enforcement will become increasingly difficult if the
cooperation of the service provider is not forthcoming, for
all of the reasons described in Chapter 2. (It is for this
reason that the CALEA applies to parties that are not common
carriers today upon appropriate designation by the Federal
Communications Commission.)

   Moreover, even when access to the digital stream of an
application is assured, the structure of the digital stream
may be so complex that it would be extremely costly to
determine all of the information present without the
assistance of the application developer. Tools designed to
isolate the relevant portions of a given digital stream
transmitted on open systems will generally be less expensive
than tools for proprietary systems, but since both open and
proprietary systems will be present in any future
telecommunications environment, law enforcement authorities
will need tools for both. The development of such tools will
require considerable technical skill, skill that is most
likely possessed by the application developers; cooperation
with product developers may decrease the cost of developing
these tools.

   Finally, as the telecommunications system becomes more and
more heterogeneous, even the term "common carrier" will become
harder to define or apply. The routing of an individual data
communication through the "network" will be dynamic and may
take any one of a number of paths, decisions about which are
not under the user's control. While only one link in a given
route need be a common carrier for CALEA purposes, identifying
that common carrier in practice may be quite difficult.

          6.1.4 The CALEA Exemption of Information
             Service Providers and Distinctions
               Between Voice and Data Services

   At present, users of data communications services access
networks such as the Internet either through private networks
(e.g., via their employers) or through Internet service
providers that provide connections for a variety of
individuals and organizations. Both typically make use of
lines owned and operated by telecommunications service
providers. In the former case, law enforcement access to the
digital stream is more or less the same problem as it is for
the employer (and law enforcement has access through the legal
process to the employer). In the latter case, the CALEA
requires the telephone service provider to provide to law
enforcement authorities a copy of the digital stream being

   The CALEA exempts on-line information service providers
such as America Online and Compuserve from its requirements.
In the future, other CALEA issues may arise as the
capabilities provided by advanced information technologies
grow more sophisticated. For example, the technological
capability exists to use Internet-based services to supply
real-time voice communications.(3) Even today, a number of
Internet and network service providers are capable of
supporting (or are planning to support) real-time
"push-to-talk" voice communications. The CALEA provides that
a party providing communications services that in the judgment
of the FCC are "a replacement for a substantial portion of the
local telephone exchange service" may be deemed a carrier
subject to the requirements of the CALEA. Thus, one possible
path along which telecommunications services may evolve could
lead to the imposition of CALEA requirements on information
service providers, even though they were exempted as an
essential element of a legislative compromise that enabled the
CALEA to pass in the first place.

   These possibilities are indicative of a more general
problem: the fact that lines between "voice" and "data"
services are being increasingly blurred. This issue is
addressed in greater detail in Chapter 7.


   (3)  Fred Hapgood, "IPHONE," *Wired*, October 1995, p. 140;
and Lawrence M. Fisher, "Long-Distance Phone Calls in the
Internet," *New York Times*, March 14, 1995, p. D-6.


                  6.2 OTHER LEVERS USED IN

   The government has a number of tools to influence the
possession and use of cryptography domestically and abroad.
How the government uses these tools in the context of national
cryptography policy reflects the government's view of how to
balance the interests of the various stakeholders affected by

       6.2.1 Federal Information Processing Standards

   Federal Information Processing Standards (FIPSs) are an
important element of national cryptography policy, and all
federal agencies are encouraged to cite FIPSs in their
procurement specifications. (Box 6.1 contains a brief
description of all FIPSs related to cryptography). The
National Institute of Standards and Technology (NIST) is
responsible for issuing FIPSs.

   FIPSs can have enormous significance to the private sector
as well, despite the face that the existence of a FIPS does
not legally compel a private party to adopt it. One reason is
that to the extent that a FIPS is based on existing
private-sector standards (which it often is), it codifies
standards of existing practice and contributes to a planning
environment of greater certainty. A second reason is that a
FIPS is often taken as a government endorsement of the
procedures, practices, and algorithms contained therein, and
thus a FIPS may set a de facto "best practices" standard for
the private sector. A third reason is related to procurements
that are FIPS-compliant as discussed in the next section.

   NIST has traditionally relied on private sector standards-
setting processes when developing FIPSs. Such practice
reflects NIST's recognition of the fact that the standards it
sets will be more likely to succeed -- in terms of reducing
procurement costs, raising quality, and influencing the
direction of information technology market development -- if
they are supported by private producers and users.(4)

   The existence of widely accepted standards is often an
enormous boon to interoperability of computers and
communication devices, and the converse is generally true as
well: the absence of widely accepted standards often impedes
the growth of a market.

   In the domain of cryptography, FIPSs have had a mixed
result. The promulgation of FIPS 46-1, the Data Encryption
Standard (DES) algorithm for encrypting data, was a boon to
cryptography and vendors of cryptographic products. On the
other hand, the two cryptography-related FIPSs most recently
produced by NIST (FIPS-185, the Escrowed Encryption Standard
(EES), and FIPS-186, the Digital Signature Standard (DSS))
have met with a less favorable response. Neither was
consistent with existing de facto industry standards or
practice, and both met with significant negative response from
private industry and users.(5)

   The promulgation of the EES and the DSS, as well as current
Administration plans to promulgate a modification of the EES
to accommodate escrowed encryption for data storage and
communications and another FIPS for key escrow to performance
requirements for escrow agents and for escrowed encryption
products, has generated a mixed market reaction. Some
companies see the promulgation of these standards as a market
opportunity, while others see these standards as creating yet
more confusion and uncertainty in pushing escrowed encryption
on a resistant market.

   Appendix N contains a general discussion of FIPSs and the
standards-setting process.


   (4)  Cargill, *Information Technology Standardization*, p.

   (5)  The story of resistance to the EES is provided in
Susan Landau et al., *Codes, Keys, and Conflicts*, Association
for Computing Machinery, Washington, D.C., June 1994, p. 48;
to DSS, in Landau et al., 1994, pp. 41-43. In the case of DSS,
a de facto industry standard had already emerged based on
RSA's public-key algorithm.


          6.2.2 The Government Procurement Process

   Government procurement occurs in two domains. One domain is
special-purpose equipment and products, for which government
is the only consumer. Such products are generally classified
in certain ways; weapons and military-grade cryptography are
two examples. The other domain is procurement of products that
are useful in both the private and public sectors.

   Where equipment and products serve both government and
private sector needs, in some instances the ability of the
government to buy in bulk guarantees vendors a large enough
market to take advantage of mass production, thereby driving
down for all consumers the unit costs of a product that the
government was buying in bulk. Through its market power,
government has some ability to affect the price of products
that are offered for sale on the open market. Furthermore,
acceptance by the government is often taken as a "seal of
approval" for a given product that reassures potential buyers
in the private sector.

   History offers examples with variable success in promoting
the widespread public use of specific information technologies
through the use of government standards.

   +    The DES was highly successful. DES was first adopted
as a cryptographic standard for federal use in 1975. Since
then, its use has become commonplace in cryptographic
applications around the world, and many implementations of DES
now exist worldwide.

   +    A less successful standard is GOSIP, the Government
OSI Profile, FIPS-146.(6) The GOSIP was intended to specify
the details of an OSI configuration for use in the government
so that interoperable OSI network products could be procured
from commercial vendors and to encourage the market
development of products. GOSIP has largely failed in this
effort, and network products based on the TCP/IP protocols now
dominate the market.(7)

   In the case of the EES, the government chose not to seek
legislation outlawing cryptography without features for
exceptional access, but chose instead to use the EES to
influence the marketplace for cryptography. This point was
acknowledged by Administration officials to the committee on
a number of occasions. Specifically, the government hoped that
the adoption of the EES to ensure secure communications within
the government and for communications of other parties with
the federal government would lead to a significant demand for
EES-compliant devices, thus making possible production in
larger quantities and thereby driving unit costs down and
making EES-compliant devices more attractive to other users.
A secondary effect would be the fact that two nongovernmental
parties wishing to engage in secure communications would be
most likely to use EES-compliant devices if they already own
them rather than purchase other devices. As part of this
strategy to influence the market, the government persuaded
AT&T in 1992 to base a secure telephone on the EES.

   In the case of the Fortezza card, the large government
procurement for use with the Defense Messaging System may well
lower unit costs sufficiently that vendors of products
intended solely for the commercial nondefense market will
build support for the Fortezza card into their products.(8)
Given the wide availability of PC-Card slots on essentially
all notebook and laptop computers, it is not inconceivable
that the security advantages offered by hardware-based
authentication would find a wide commercial market. At the
same time, the disadvantages of hardware-based cryptographic
functionality discussed in Chapter 5 would remain as well.


   (6)  OSI refers to Open Systems Interconnect, a
standardized suite of international networking protocols
developed and promulgated in the early 1980s.

   (7)  See CSTB, *Realizing the Information Future*, 1994,
Chapter 6.

   (8)  In a recent contract, a vendor agreed to provide
Fortezza cards at $69 per card. See Paul Constance, "After
Complaining $99 Was Too Low, Fortezza Vendors Come in at $69,"
*Government Computer News*, October 2, 1995, p. 6.


               6.2.3 Implementation of Policy:
         Fear, Uncertainty, Doubt, Delay, Complexity

   The implementation of policy contributes to how those
affected by policy will respond to it. This important element
is often unstated, and it refers to the role of government in
creating a climate of predictability. A government that speaks
with multiple voices on a question of policy, or one that
articulates isolated elements of policy in a piecemeal
fashion, or one that leaves the stakeholders uncertain about
what is or is not permissible, creates an environment of fear,
uncertainty, and doubt that can inhibit action. Such an
environment can result from a deliberate choice on the part of
policy makers, or it can be inadvertent, resulting from
overlapping and/or multiple sources of authority that may have
at least partial responsibility for the policy area in
question. Decisions made behind closed doors and protected by
government security classifications tend to reinforce the
concerns of those who believe that fear, uncertainty, and
doubt are created deliberately rather than inadvertently.

   The committee observes that cryptography policy has indeed
been shrouded in secrecy for many years and that many agencies
have partial responsibility in this area. It also believes
that fear, uncertainty, and doubt are common in the
marketplace. For example, the introduction of nonmarket-driven
standards such as the DSS and the EES may have created market
uncertainty that impeded the rapid proliferation of
high-quality products with encryption capabilities both
internationally and domestically. Uncertainty over whether or
not the federal government would recertify the DES as a FIPS
has plagued the marketplace in recent years, because
withdrawal of the DES as a FIPS could cause considerable
consternation among some potential buyers that might suddenly
be using products based on a decertified standard, although in
fact the government has recertified the DES in each case. On
the other hand, the DES is also a standard of the American
National Standards Institute and the American Banking
Association, and if these organizations retain their
endorsement of the DES, the DES will arguably represents a
viable algorithm for a wide range of products.

   Many parties in industry believe that the complexity and
opacity of the decisionmaking process with respect to
cryptography are major contributors to this air of
uncertainty. Of course, the creation of uncertainty may be
desirable from the perspective of policy makers if their goal
is to retard action in a given area. Impeding the spread of
high-quality products with encryption capabilities
internationally is the stated and explicit goal of export
controls; on the domestic front, impeding the spread of
high-quality products with encryption capabilities has been a
desirable outcome from the standpoint of senior officials in
the law enforcement community.

   A very good example of the impact of fear, uncertainty, and
doubt on the marketplace for cryptography can be found in the
impact of government action (or more precisely, inaction) with
respect to authentication. As noted in Chapter 2, cryptography
supports digital signatures, a technology that provides high
assurance for both data integrity and user authentication.
However, federal actions in this area have led to considerable
controversy. One example is that the federal government failed
to adopt what was (and still is) the de facto commercial
standard algorithm on digital signatures, namely the RSA
algorithm. Government sources told the committee that the fact
that the RSA algorithm is capable of providing strong
confidentiality as well as digital signatures was one reason
that the government deemed it inappropriate for promulgation
as a FIPS.(9) Further, the government's adoption of the
Digital Signature Standard(10) in 1993 occurred despite
widespread opposition from industry to the specifics of that


                      6.2.4 R&D Funding

   An agency that supports research (and/or conducts such
research on its own in-house) in a given area of technology is
often able to shape the future options from which the private
sector and policy makers will choose. For example, an agency
that wishes to maintain a monopoly of expertise in a given
area may not fund promising research proposals that originate
from outside. Multiple agencies active in funding a given area
may thus yield a broader range of options for future policy

   In the context of cryptography and computer and
communications security, it is relevant that the National
Security Agency (NSA) has been the main supporter and
performer of R&D in this area.(11) The NSA's R&D orientation
has been, quite properly, on technologies that would help it
to perform more effectively and efficiently its two basic
missions: (1) defending national security by designing and
deploying strong cryptography to protect classified
information and (2) performing signals intelligence against
potential foreign adversaries. In the information security
side of the operation, NSA-developed technology has
extraordinary strengths that have proven well suited to the
protection of classified information relevant to defense or
foreign policy needs.

   How useful such technologies will prove for corporate
information security remains to be seen. Increasing needs for
information security in the private sector suggest that NSA
technology may have much to offer, especially if such
technology can be made available to the private sector without
limitation. At the same time, the environment in which private
sector information security needs are manifested may be
different enough from the defense and foreign policy worlds
that these technologies may not be particularly relevant in
practice to the private sector. Furthermore, the rapid pace of
commercial developments in information technology may make it
difficult for the private sector to use technologies developed
for national security purposes in a less rapidly changing

   These observations suggest that commercial needs for
cryptographic technology may be able to draw on NSA
technologies for certain applications, and most certainly will
draw on nonclassified R&D work in cryptography (both in the
United States and abroad); even the latter will have a high
degree of sophistication. Precisely how the private sector
will draw on these two sources of technology will depends on
policy decisions to be made in the future. Finally, it is
worth noting that nonclassified research on cryptography
appearing in the open literature has been one of the most
important factors leading to the dilemma that policy makers
face today with respect to cryptography.


   (9)  The specific concern was that widespread adoption of
RSA as a signature standard would result in an infrastructure
that could support the easy and convenient distribution of DES
keys. The two other reasons for the government's rejection of
RSA were the desire to promulgate an approach to digital
signatures that would be royalty-free (RSA is a patented
algorithm) and the desire to reduce overall system costs for
digital signatures. For a discussion of the intellectual
issues involved in the rejection of the RSA algorithm and the
concern over confidentiality, see Office of Technology
Assessment, *Information Security and Privacy in Network
Environments*, Washington, D.C., September 1994, pp. 167-168
and pp. 217-222.

   (10) The Digital Signature Standard (DSS) is based on an
unclassified algorithm known as the Digital Signature
Algorithm that does not explicitly support confidentiality.
However, the DSS and its supporting documentation do amount to
U.S. government endorsement of a particular one-way hash
function, and document in detail how to generate the
appropriate number-theoretic constants needed to implement it.
Given this standard, it is possible to design a
confidentiality standard that is as secure as the DSS. In
other words, the DSS is a road map to a confidentiality
standard, although it is not such a standard explicitly.
Whether an ersatz confidentiality standard would pass muster
in the commercial market remains to be seen.

   (11) It is important to distinguish between R&D undertaken
internally and externally to NSA. Internal R&D work can be
controlled and kept private to NSA; by contrast, it is much
more difficult to control the extent to which external R&D
work is disseminated. Thus, decisions regarding specific
external cryptography-related R&D projects could promote or
inhibit public knowledge of cryptography.


           6.2.5 Patents and Intellectual Property

   A number of patents involving cryptography have been
issued. Patents affect cryptography because patent protection
can be used by both vendors and governments to keep various
patented approaches to cryptography out of broad use in the
public domain.(12)

   The DES, first issued in 1977, is an open standard, and the
algorithm it uses is widely known. According to NIST, devices
implementing the DES may be covered by U.S. and foreign
patents issued to IBM (although the original patents have by
now expired).(13) However, IBM granted nonexclusive,
royalty-free licenses under the patents to make, use, and sell
apparatus that complies with the standard.

   RSA Data Security Inc. (RSA) holds the licensing rights to
RC2, RC4, and RC5, which are variable-key-length ciphers
developed by Ronald Rivest.(14) RC2 and RC4 are not patented,
but rather, are protected as trade secrets (although their
algorithms have been published on the Internet without RSA's
approval). RSA has applied for a patent for RC5 and has
proposed it as a security standard for the Internet. Another
alternative for data encryption is IDEA, a block cipher
developed by James Massey and Xueija Lai of the Swiss Federal
Institute of Technology (ETH), Zurich. The patent rights to
IDEA are held by Ascom Systec AG, a Swiss firm. IDEA is
implemented in the software application, PGP.

   In addition to the above patents, which address
symmetric-key encryption technologies, there are several
important patent issues related to public-key cryptography.
The concept of public-key cryptography, as well as some
specific implementing methods, are covered by U.S. Patents
4,200,770 (M. Hellman, W. Diffie, and R. Merkle, 1980) and
4,218,582 (M. Hellman and R. Merkle, 1980), both of which are
owned by Stanford University. The basic patent for the RSA
public-key crypto-system, U.S. Patent 4,405,829 (R. Rivest, A.
Shamir, and L. Adleman, 1983), is owned by the Massachusetts
Institute of Technology. The -582 patent has counterparts in
several other countries. These basic public-key patents and
related ones have been licensed to many vendors worldwide.
With the breakup of the partnership that administered the
licensing of Stanford University's and MIT's patents, the
validity of the various patents has become the subject of
current litigation. In any event, the terms will expire in
1997 for the first two of the above patents and in 2000 for
the third.(15)

   In 1994, NIST issued the Digital Signature Standard, FIPS
186. The DSS uses the NIST-developed Digital Signature
Algorithm, which according to NIST is available for use
without a license. However, during the DSS's development,
concern arose about whether the DSS might infringe on the
public-key patents cited above, as well as a patent related to
signature verification held by Claus Schnorr of Goethe
University in Frankfurt, Germany.(16) NIST asserts that the
DSS does not infringe on any of these patents.(17) At the
least, U.S. government users have the right to use public-key
cryptography without paying a license fee for the Stanford and
MIT patents because the concepts were developed at these
universities with federal research support. However, there
remains some disagreement about whether commercial uses of the
DSS (for example, in a public-key infrastructure) will require
a license from one or more of the various patent holders.

   A potential patent dispute regarding the key-escrow
features of the EES may have been headed off by NIST's
negotiation of a nonexclusive licensing agreement with Silvio
Micali in 1994.(18) Micali has patents that are relevant to
dividing a key into components that can be separately
safeguarded (e.g., by escrow agents) and later combined to
recover the original key.

   A provision of the U.S. Code (Title 35, US Code 181) allows
the Patent and Trademark Office (PTO) to withhold a patent and
order that the invention be kept secret if publication of the
patent is detrimental to national security. Relevant to
cryptography is the fact that a patent application for the
Skipjack encryption algorithm was filed on February 7, 1994.
This application was examined and all of the claims allowed,
and notification of the algorithm's patentability was issued
on March 28, 1995. Based on a determination by NSA, the Armed
Services Patent Advisory Board issued a secrecy order for the
Skipjack patent application; the effect of the secrecy order
is that even though Skipjack can be patented, a patent will
not be issued until the secrecy order is rescinded. Since
applications are kept in confidence until a patent is issued,
no uninvolved party can find out any information concerning
the application. In this way, the patentability of the
algorithm has been established without having to disclose the
detailed information publicly.(19) Since Title 35 USC 181 also
provides that the PTO can rescind the secrecy order upon
notification that publication is no longer detrimental to
national security, compromise and subsequent public revelation
of the Skipjack algorithm (e.g., through reverse-engineering
of a Clipper chip) might well cause a patent to be issued for
Skipjack that would give the U.S. overnment control over its
subsequent use in products.


   (12) See footnote 9.

   (13) National Institute of Standards and Technology, "FIPS
46-2: Announcing the Data Encryption Standard," December 30,

   (14) See RSA Data Security Inc., home page, at

   (15) In 1994, Congress changed patent terms from 17 years
after issuance to 20 years from the date of filing the patent
application; however, applications for these patents were
filed in or before 1977, and so they will not be affected.

   (16) See Office of Technology Assessment, *Information
Security and Privacy in Network Environments*, September 1994,
p. 220.

   (17) National Institute of Standards and Technology,
"Digital Signature Standard," *Computer Systems Laboratory
(CSL) Bulletin*, NIST, Gaithersburg, Maryland, November 1994.
Available on line from http://csrc.ncsl.nist.gov/nistbul/

   (18) National Institute of Standards and Technology press
release, "Patent Agreement Removes Perceived Barrier to
Telecommunications Security System," NIST, Gaithersburg,
Maryland, July 11, 1994. Available on line from

   (19) Clinton C. Brooks, National Security Agency, provided
this information to the committee in an e-mail message dated
May 23, 1995.


           6.2.6 Formal and Informal Arrangements
      with Various Other Governments and Organizations

   International agreements can be an important part of
national policy. For example, for many years the CoCom nations
cooperated in establishing a common export control policy on
militarily significant items with civilian purposes, including
cryptography (Appendix G has more details).

   International agreements can take a variety of different
forms. The most formal type of agreement is a treaty between
(or among) nations that specifies the pemmissible, required,
and prohibited actions of the various nations. Treaties
require ratification by the relevant national political bodies
as well as signature before entry into force. In the United
States treaties must be approved by the Senate by a two-thirds
vote. Sometimes treaties are self-executing, but often they
need to be followed by implementing legislation enacted by the
Congress in the normal manner for legislation.

   Another type of agreement is an executive agreement. In the
United States, executive agreements are, as the name implies,
entered into by the executive branch. Unlike the treaty, no
Senate ratification is involved, but the executive branch has
frequently sought approval by a majority of both houses of the
Congress. For all practical purposes executive agreements with
other countries bind the United States in international law
just as firmly as treaties do, although the treaty may carry
greater weight internally due to the concurrence by a
two-thirds vote of the Senate. Executive agreements can also
be changed with much greater flexibility than treaties.

   Finally, nations can agree to cooperate through diplomacy.
Even though cooperation is not legally required under such
arrangements, informal understandings can work very
effectively so long as relationships remain good and the
countries involved continue to have common goals. In fact,
informal understanding is the main product of much diplomacy
and is the form that most of the world's business between
governments takes. For example, although the United States
maintains formal mutual legal assistance treaties with a
number of nations, U.S. law enforcement agencies cooperate
(sometimes extensively) with foreign counterparts in a much
larger number of nations. Indeed, in some instances, such
cooperation is stronger, more reliable, and more extensive
than is the case with nations that are a party to a formal
mutual legal assistance treaty with the United States.

   Note that the more formal the agreement, the more public is
the substance of the agreement; such publicity often leads to
attention that may compromise important and very sensitive
matters, such as the extent to which a nation supports a given
policy position or the scope and nature of a nation's
capabilities. When informal arrangements are negotiated and
entered into force, they may not be known by all citizens or
even by all parts of the governments involved. Because they
are less public, informal arrangements also allow more
latitude for governments to make decisions on a case-by-case
basis. In conducting negotiations that may involve sensitive
matters or agreements that may require considerable
flexibility, governments are often inclined to pursue more
informal avenues of approach.

             6.2.7 Certification and Evaluation

   Analogous to Good Housekeeping seals of approval or "check
ratings" for products reviewed in Consumer Reports,
independent testing and certification of products can provide
assurance in the commercial marketplace that a product can
indeed deliver the services and functionality that it purports
to deliver. For example, the results of government crash tests
of automobiles are widely circulated as data relevant to
consumer purchases of automobiles. Government certification
that a commercial airplane is safe to fly provides significant
reassurance to the public about flight safety. At the same
time, while evaluation and certification would in principle
help users to avoid products that implement a sound algorithm
in a way that undermines the security offered by the
algorithm, the actual behavior of users demonstrates that
certification of a product is not necessarily a selling point.
Many of the DES products in the United States have never been
evaluated relative to FS-1027 or FIPS 140-1, and yet such
products are used by many parties.

   The government track record in the cryptography and
computer security domain is mixed. For example, a number of
DES products were evaluated with respect to FS-1027 (the
precursor to FIPS 140-1) over several years and a number of
products were certified by NSA. For a time, government
agencies purchased DES hardware only if it met FS-1027, or
FIPS-140. Commercial clients often required compliance because
it provided the only assurance that a product embodying DES
was secure in a broader sense. In this case, the alignment
between government and commercial security requirements seems
to have been reasonably good and thus this program had some
success. Two problems with this evaluation program were that
it addressed only hardware and that it lagged in allowing use
of public-key management technology in products (in the
absence of suitable standards).

   A second attempt to provide product evaluation was
represented by the National Computer Security Center (NCSC),
which was established by the Department of Defense for the
purpose of certifying various computer systems for security.
The theory underlying the center was that the government
needed secure systems but could not afford to build them. The
quid pro quo was that industry would design and implement
secure operating systems that the government would test and
evaluate at no cost to industry, systems meeting government
requirements would receive a seal of approval.

   Although the NCSC still exists, the security evaluation
program it sponsors, the Trusted Product Evaluation Program
(TPEP), has more or less lapsed into disuse. In the judgment
of many, the TPEP was a relative failure because of an
underlying premise that the information security problems of
the civil government and the private sector were identical to
those of the defense establishment. In fact, the private
sector has for the most part found a military approach to
computer security inadequate for its needs. A second major
problem was that the time scale of the evaluation process was
much longer than the private sector could tolerate, and
products that depended on NCSC evaluation would reach market
already on the road to obsolescence, perhaps superseded by a
new version to which a given evaluation would not necessarily
apply. In late 1995, articles in the trade press reported that
the Department of Defense was attempting to revive the
evaluation program in a way that would involved private

   A recent attempt to provide certification services is the
Cryptographic Module Validation Program (CMVP) to test
products for conformance to FIPS 140-1, *Security Requirements
for Cryptographic Modules*.(21) FIPS 140-1 provides a broad
framework for all NIST cryptographic standards, specifying
design, function, and documentation requirements for
cryptographic modules -- including hardware, software,
"firmware," and combinations thereof -- used to protect
sensitive, unclassified information in computer and
telecommunication systems.(22) The CMVP was established in
July 1995 by NIST and the Communications Security
Establishment of the government of Canada.

   The validation program is currently optional: agencies may
purchase products based on the vendor's written assurance of
compliance with the standard. However, beginning in 1997, U.S.
federal procurement will require cryptographic products to be
validated by an independent, third party. Under the program,
vendors will submit their product for testing by an
independent, NIST-accredited laboratory.(23)

   Such a laboratory evaluates both the product and its
associated documentation against the requirements in FIPS
140-1. NIST has also specified test procedures for all aspects
of the standard. Examples include attempting to penetrate
tamper-resistant coatings and casings, inspecting software
source code and documentation, attempting to bypass protection
of stored secret keys, and statistically verifying the
performance of random number generators.(24) The vendor sends
the results of independent tests to NIST, which determines
whether these results show that the tested product complies
with the standard and then issues validation certificates for
products that do. Time will tell whether the CMVP will prove
more successful than the NCSC.


   (20) See for example, Paul Constance, "Secure Products List
Gets CPR," *Government Computing News*, November 13, 1995, p.

   (21) National Institute of Standards and Technology press
release, "Cryptographic Module Validation Program Announced,"
NIST, Gaithersburg, Maryland, July 17, 1995.

   (22) National Institute of Standards and Technology,
*Federal Information Processing Standards Publication 140-1:
Security Requirements for Cryptographic Modules*, NIST,
Gaithersburg, Maryland, January 11, 1994.

   (23) As of September 1995, the National Institute of
Standards and Technology's National Voluntary Laboratory
Accreditation Program had accredited three U.S. companies as
competent to perform the necessary procedures: CygnaCom
Solutions Laboratory (McLean, Va.), DOMUS Software Limited
(Ottawa, Canada), and InfoGard Laboratories (San Luis Obispo,
Calif.). A current list of these companies is available from

   (24) National Institute of Standards and Technology,
*Derived Test Requirements for FIPS PUB 140-1*, NIST,
Gaithersburg, Maryland, March 1995.


                6.2.8 Nonstatutory Influence

   By virtue of its size and role in society, government has
considerable ability to influence public opinion and to build
support for policies. In many cases, this ability is not based
on specific legislative authority, but rather on the use of
the "bully pulpit." For example, the government can act in a
convening role to bring focus and to stimulate the private
sector to work on a problem.(25) The bully pulpit can be used
to convey a sense of urgency that is tremendously important in
how the private sector reacts, especially large companies that
try to be good corporate citizens and responsive to informal
persuasion by senior government officials. Both vendors and
users can be influenced by such authority.(26)

   In the security domain, the Clinton Administration has
sponsored several widely publicized public meetings to address
security dimensions of the national information infrastructure
(NII). These meetings were meetings of the NII Security Issues
Forum, held in 1994 and 1995.(27) They were announced in the
*Federal Register* and were intended to provide a forum in
which members of the interested public could air their
concerns about security.

   In the cryptography domain, the U.S. government has used
its convening authority to seek comments on various proposed
cryptographic starldards and to hold a number of workshops
related to key escrow (discussed in Chapter 5). Many in the
affected communities believe that these attempts at outreach
were too few and too late to influence anything more than the
details of a policy outline upon which government had already
decided. A second example demonstrating government's
nonstatutory influence was the successful government request
to AT&T to base the 3600 Secure Telephone Unit on the Clipper
chip instead of an unescrowed DES chip (as described in
Appendix E).


   (25) One advantage of government's acting in this way is
that it may provide some assurance to the private sector that
any coordinated action they may take in response to government
calls for action will be less likely to be interpreted by
government as a violation of antitrust provisions.

   (26) For example, in responding favorably to a request by
President Clinton for a particular action in a labor dispute,
the chairman of American Airlines noted, "He [President
Clinton] is the elected leader of the country. For any citizen
or any company or any union to say 'No, I won't do that' to
the President requires an awfully good reason." See Gwen
Ifill, "Strike at American Airlines; Airline Strike Ends as
Clinton Steps In," *New York Times*, November 23, 1993, p. 1.

   (27) Office of Management and Budget press release,
"National Information Infrastructure Security Issues Forum
Releases 'NII Security: The Federal Role,' " Washington, D.C.,
June 14, 1995. The subjects of these meetings were "Commercial
Security on the NII," which focused on the need for
intellectual property rights protection in the entertainment,
software, and computer industries; "Security of Insurance and
Financial Information"; "Security of Health and Education
Information"; "Security of the Electronic Delivery of
Government Services and Information"; "Security for
Intelligent Transportation Systems and Trade Information"; and
"The NII: Will It Be There When You Need It?," addressing the
availability and reliability of the Internet, the public
switched telecommunicatins network, and cable, wireless, and
satellite communications services. Available on line from


                6.2.9 Interagency Agreements
                 Within the Executive Branch

   Given that one government agency may have expertise or
personnel that would assist another agency in doing its job
better, government agencies often conclude agreements between
them that specify the terms and nature of their cooperative
efforts. In the domain of cryptography policy, NSA's technical
expertise in the field has led to memorandums of understanding
with NIST and with the FBI (Appendix L).

   The memorandum of understanding (MOU) between NIST and NSA
outlines several areas of cooperation between the two agencies
that are intended to implement the Computer Security Act of
1987; joint NIST-NSA activities are described in Box 6.2. This
MOU has been the subject of some controversy, with critics
believing that the MOU and its implementation cede too much
authority to NSA and defenders believing that the MOU is
faithful to both the spirit and letter of the Computer
Security Act of 1987.(28)

   The MOU between the FBI and NSA, declassified for the
National Research Council, states that the NSA will provide
assistance to the FBI upon request, when the assistance is
consistent with NSA policy (including protection of sources
and methods), and in accordance with certain administrative
requirements. Furthermore, if the assistance requested is for
the support of an activity that may be conducted only pursuant
to a court order or with the authorization of the Attorney
General, the FBI request to the NSA must include a copy of
that order or authorization.

   In 1995, the National Security Agency, the Advanced
Research Projects Agency, and the Defense Information Systems
Agency signed a memorandum of agreement (MOA) to coordinate
research and development efforts in system security. This MOA
provides for the establishment of the Information System
Security Research Joint Technology Office (ISSR-JTO). The role
of the ISSR-JTO is "to optimize use of the limited research
funds available, and strengthen the responsiveness of the
programs to DISA, expediting delivery of technologies that
meet DISA's requirements to safeguard the confidentiality,
integrity, authenticity, and availability of data in
Department of Defense information systems, provide a robust
first line of defense for defensive information warfare, and
permit electronic commerce between the Department of Defense
and its contractors."(29)


   (28) For more discussion of these critical perspectives,
see U.S. Congress, Office of Technology Assessment,
*Information Security and Privacy in Network Environments*,
OTA-TCT-606, U.S. Government Printing Office, Washington,
D.C., September 1994, Box 4-8, pp. 164-171.

   (29) See "Memorandum of Agreement Between the Advanced
Research Projects Agency, the Defense Information Systems
Agency, and the National Security Agency Concerning the
Information Systems Security Research Joint Technology
Office"; MOA effective April 2, 1995. The full text of the MOA
is available from http://www.ito.darpa.mil/ResearchAreas/



          6.3.1 Role of National Security vis-a-vis
            Civilian Information Infrastructures

   The extent to which the traditional national security model
is appropriate for an information infrastructure supporting
both civilian and military applications is a major point of
contention in the public debate. There are two schools of
thought on this subject:

   +    The traditional national security model should be
applied to the national information infrastructure, because
protecting those networks also protects services that are
essential to the military, and the role of the defense
establishment is indeed to protect important components of the
national infrastructure that private citizens and businesses
depend upon.(30)

   +    The traditional national security model should not be
applied to the national information infrastructure, because
the needs of civilian activities are so different from those
of the military, and the imposition of a national security
model would impose an unacceptable burden on the civilian
sector. Proponents of this view argue that the traditional
national security model of information security -- a top-down
approach to information security management -- would be very
difficult to scale up to a highly heterogeneous private sector
involving hundreds of millions of people and tens of millions
of computers in the United States alone.

   There is essential unanimity that the world of classified
information (both military and nonmilitary) is properly a
domain in which the DOD and NSA can and should exercise
considerable influence. But moving outside this domain raises
many questions that have a high profile in the public debate.
Specifically, what should the DOD and NSA role be in dealing
with the following categories of information:

   1.   Unclassified government information that is military
        in nature,

   2.   Unclassified government information that is
        nonmilitary in nature, and

   3.   Nongovernment information.

   To date, policy decisions have been made that give the DOD
jurisdiction in information security policy for category 1.
For categories 2 and 3, the debate continues. It is clear that
the security needs for business and for national security
purposes are both similar (Box 6.3) and different (Box 6.4).
In category 2, the argument is made that DOD and NSA have a
great deal of expertise in protecting information, and that
the government should draw on an enormous historical
investment in NSA expertise to protect all government
information. At the same time, NIST has the responsibility for
protecting such information under the Computer Security Act of
1987, with NSA's role being one of providing technical
assistance. Some commentators believe that NIST has not
received resources adequate to support its role in this

   In category 3, the same argument is made with respect to
nongovernment information on the grounds that the proper role
of government is to serve the needs of the entire nation. A
second argument is made that the military depends critically
on nongovernment information infrastructures (e.g., the public
switched telecommunications network) and that it is essential
to protect those networks not just for civilian use but also
for military purposes. (Note that NSA does not have broad
authority to assist private industry with information
security, although it does conduct for industry, upon request,
unclassified briefings related to foreign information security
threats; NSD-42 (text provided in Appendix L) also gives NSA
the authority to work with private industry when such work
involves national security information systems used by private


   (30) For example, the Joint Security Commission recommended
that "policy formulation for information systems security be
consolidated under a joint DoD/DCI security executive
committee, and that the committee oversee development of a
coherent network-oriented information systems security policy
for the DoD and the Intelligence Community that could also
serve the entire government." See Joint Security Commission,
*Redefining Security*, Washington, D.C., February 28, 1994, p.

   (31) For example, the Office of Technology Assessment
stated that "the current state of government security practice
for unclassified information has been depressed by the chronic
shortage of resources for NlST's computer security activities
in fulfillment of its government-wide responsibilities under
the Computer Security Act of 1987. Since enactment of the
Computer Security Act, there has been no serious (i.e.,
adequately funded and properly staffed), sustained effort to
establish a center of information-security expertise and
leadership outside the defense/intelligence communities." See
U.S. Congress, Office of Technology Assessment, *Issue Update
on Information Security and Privacy in Network Environments*,
OTA-BP-ITC-147, U.S. Government Printing Office, Washington,
D.C., June 1995, p. 42. A similar conclusion was reached by
the Board on Assessment of NIST Programs of the National
Research Council, which wrote that "the Computer Security
Division is severely understaffed and underfunded given its
statutory security responsibilities, the growing national
recognition of the need to protect unclassified but sensitive
information, and the unique role the division can play in
fostering security in commercial architectures, hardware, and
software." See Board on Assessment of NIST Programs, National
Research Council, *An Assessment of the National Institute of
Standards and Technology*, Fiscal Year 1993, National Academy
Press, Washington, D.C., 1994, p. 228.


            6.3.2 Other Government Entities with
              Influence on Information Security

   As noted above, NSA has primary responsibility for
information security in the classified domain, while NIST has
primary responsibility for information security in the
unclassified domain, but for government information only. No
organization or entity within the federal government has the
responsibility for promoting information security in the
private sector.(32)

   The Security Policy Board (SPB) does have a coordination
function. Specifically, the charge of the SPB is to consider,
coordinate, and recommend for implementation to the President
policy directives for U.S. security policies, procedures, and
practices, including those related to security for both
classified and unclassified government information. The SPB is
intended to be the principal mechanism for reviewing and
proposing legislation and executive orders pertaining to
security policy, procedures, and practices. The Security
Policy Advisory Board provides a nongovernmental perspective
on security policy initiatives to the SPB and independent
input on such matters to the President. The SPB does not have
operational responsibilities.

   Other entities supported by the federal government have
some influence over information security, though little actual
policy-making authority. These include:

   +    The Computer Emergency Response Team (CERT). CERT was
formed by the Defense Advanced Research Projects Agency
(DARPA) in November 1988 in response to the needs exhibited
during the Internet worm incident. CERT's charge is to work
with the Internet community to facilitate its response to
computer security events involving Internet hosts, to take
proactive steps to raise the community's awareness of computer
security issues, and to conduct research targeted at improving
the security of existing systems.(33) CERT offers
around-the-clock technical assistance for responding to
computer security incidents, educates users regarding product
vulnerability through technical documents and seminars, and
provides tools for users to undertake their own vulnerability

   +    The Information Infrastructure Task Force's (IITF)
National Information Infrastructure Security Issues Forum. The
forum is charged with addressing institutional, legal, and
technical issues surrounding security in the NII. A draft
report issued by the forum proposes federal actions to address
these issues.(34) The intent of the report, and of the
Security Issues Forum more generally, is to stimulate a
dialogue on how the federal government should cooperate with
other levels of government and the private sector to ensure
that participants can trust the NII. The draft report proposes
a number of security guidelines (proposed NII security
tenets), the adoption of Organization of Economic Cooperation
and Development security principles for use on the NII, and a
number of federal actions to promote security.

   +    The Computer System Security and Privacy Advisory
Board (CSSPAB). CSSPAB was created by the Computer Security
Act of 1987 as a statutory federal public advisory committee.
The law provides that the board shall identify emerging
managerial, technical, administrative, and physical safeguard
issues relative to computer systems security and privacy;
advise the National Institute of Standards and Technology and
the secretary of commerce on security and privacy issues
pertaining to federal computer systems; and report its
findings to the secretary of commerce, the directors of the
Office of Management and Budget and the National Security
Agency, and the appropriate committees of the Congress. The
board's scope is limited to federal computer systems or those
operated by a contractor on behalf of the federal government
and which process sensitive but unclassified information. The
board's authority does not extend to private sector systems,
systems that process classified information, or DOD
unclassified systems related to military or intelligence
missions as covered by the Warner Amendment (10 USC 2315). The
activities of the board bring it into contact with a broad
cross section of the nondefense agencies and departments;
consequently, it often deals with latent policy considerations
and societal consequences of information technology.

   +    The National Counterintelligence Center (NACIC).
Established in 1994 by Presidential Decision Directive NSC-24,
NACIC is primarily responsible for coordinating national-level
counterintelligence activities, and it reports to the National
Security Council. Operationally, the NACIC works with private
industry through an industry council (consisting of senior
security officials or other senior officials of major U.S.
corporations) and sponsors counterintelligence training and
awareness programs, seminars, and conferences for private
industry. NACIC also produces coordinated national-level,
all-source, foreign intelligence threat assessments to support
private sector entities having responsibility for the
protection of classified, sensitive, or proprietary
information, as well as such assessments for government

   In addition, a number of private organizations (e.g., trade
or professional groups) are active in information security.


   (32) This observation was also made in Computer Science and
Telecommunications Board (CSTB), National Research Council,
*Computers at Risk*, National Academy Press, Washington, D.C.,
1991, a report that proposed an Information Security
Foundation as the most plausible type of organization to
promote information security in the private sector.

   (33) Available on line at http://www.sei.cmu.edu/

   (34) Office of Management and Budget press release,
"National Information Infirastructure Security Issues Forum
Releases 'NII Security: The Federal Role,' " Washington, D.C.,
June 14, 1995. Available on line from gopher://ntiantl.

   (35) National Counterintelligence Center,
*Counterintelligence News and Developments*, Issue No. 1,
NACIC, Washington, D.C. This newsletter can be obtained from



   The cryptography policy of the United States must take into
account a number of international dimensions. Most
importantly, the United States does not have the unquestioned
dominance in the economic, financial, technological, and
political affairs of the world as it might have had at the end
of World War II. Indeed, the U.S. economy is increasingly
intertwined with that of other nations. To the extent that
these economically significant links are based on
communications that must be secure, cryptography is one aspect
of ensuring such security. Differing national policies on
cryptography that lead to difficulties in communicating
internationally work against overall national policies that
are aimed at opening markets and reducing commercial and trade

   Other nations have the option to maintain some form of
export controls on cryptography, as well as controls on
imports and use of cryptography; such controls form part of
the context in which U.S. cryptography policy must be
formulated. Specifically, foreign export control regimes more
liberal than that of the United States have the potential to
undercut U.S. export control efforts to limit the spread of
cryptography. On the other hand, foreign controls on imports
and use of cryptography could vitiate relaxation of U.S.
export control laws; indeed, relaxation of U.S. export
controls laws might well prompt a larger number of nations to
impose additional barriers on the import and use of
cryptography within their borders. Finally, a number of other
nations have no explicit laws regarding the use of
cryptography, but nevertheless have tools at their disposal to
discourage its use; such tools include laws related to the
postal, telephone, and telegraph (PTT) system, laws related to
content carried by electronic media, laws related to the
protection of domestic industries that discourage the entry of
foreign products, laws related to classification of patents,
and informal arrangements related to licensing of businesses.

   As a first step in harmonizing cryptography policies across
national boundaries, the Organization for Economic Cooperation
and Development (OECD) held a December 1995 meeting in France
among member nations to discuss how these nations were
planning to cope with the public policy problems posed by
cryptography. What the Paris meeting made clear is that many
OECD member nations are starting to come to grips with the
public policy problems posed by encryption, but that the
dialog on harmonizing policies across national borders has not
yet matured. Moreover, national policies are quite fluid at
this time, with various nations considering different types of
regulation regarding the use, export, and import of

   Appendix G contains more discussion of international issues
relevant to national cryptography policy.

                          6.5 RECAP

   While export controls and escrowed encryption are
fundamental pillars of current national cryptography policy,
many other aspects of government action also have some bearing
on it: The Communications Assistance for Law Enforcement
(Digital Telephony) Act calls attention to the relationship
between access to a communications stream and government
access to the plaintext associated with that digital stream.
The former problem must be solved (and was solved, by the
CALEA for telephone communications) before the latter problem
is relevant.

   The government can influence the deployment and use of
cryptography in many ways. Federal Information Processing
Standards often set a "best practice" standard for the private
sector, even though they have no official standing outside
government use. By assuring large-volume sales when a product
is new, government procurement practices can reduce the cost
of preferred cryptography products to the private sector,
giving these products a price advantage over possible
competitors. Policy itself can be implemented in ways that
instill action-inhibiting uncertainty in the private sector.
Government R&D funding and patents on cryptographic algorithms
can narrow technical options to some degree. Formal and
informal arrangements with various other governments and
organizations can promote various policies or types of
cooperation. Product certification can be used to provide the
information necessary for a flourishing free market in
products with encryption capabilities. Convening authority can
help to establish the importance of a topic or approach to

   In some ways, the debate over national cryptography policy
reflects a tension in the role of the national security
establishment with respect to information infrastructures that
are increasingly important to civilian use. In particular, the
use of cryptography has been the domain of national security
and foreign policy for most of its history, a history that has
led to a national cryptography policy that today has the
effect of discouraging the use of cryptography in the private


                BOX 6.1 Cryptography-related
          Federal Information Processing Standards

   FIPS 46, 46-1 and 46-2: Data Encryption Standard (DES).
Specification of DES algorithm and rules for implementing DES
in hardware. FIPS 46-1 recertifies DES and extends it for
software implementation. FIPS 46-2 reaffirms the Data
Encryption Standard algorithm until 1998 and allows for its
implementation in software, firmware or hardware. Several
other FlPSs address interoperability and security requirements
for using DES in the physical layer of data communications
(FIPS 139) and in fax machines (FIPS 141), guidelines for
implementing and using DES (FIPS 74), modes of operation of
DES (FIPS 81), and use of DES for authentication purposes
(FIPS 113).

   FIPS 180-1: Secure Hash Standard. This standard specifies
a Secure Hash Algorithm (SHA) that can be used to generate a
condensed representation of a message called a message digest.
The SHA is required for use with the Digital Signature
Algorithm (DSA) as specified in the Digital Signature Standard
(DSS) and whenever a secure hash algorithm is required for
federal applications. The SHA is used by both the transmitter
and intended receiver of a message in computing and verifying
a digital signature.

   FIPS 186: Digital Signature Standard. This standard
specifies a Digital Signature Algorithm (DSA) appropriate for
applications requiring a digital rather than a written
signature. The DSA digital signature is a pair of large
numbers represented in a computer as strings of binary digits.
The digital signature is computed using a set of rules (i.e.,
the DSA) and a set of parameters such that the identity of the
signatory and integrity of the data can be verified. The DSA
provides the capability to generate and verify signatures.

   FIPS 140-1: Security Requirements for Cryptographic
Modules. This standard provides specifications for
cryptographic modules which can be used within computer and
telecommunications systems to protect unclassified information
in a variety of different applications.

   FIPS 185: Escrowed Encryption Standard (see main text).

   FIPS 171: Key Management Using ANSI X9.17. This standard
specifies a selection of options for the automated distributed
of keying material by the federal government when using the
protocols of ANSI X9.17. The standard defines procedures for
the manual and automated management of keying materials and
contains a number of options. The selected options will allow
the development of cost-effective systems that will increase
the likelihood of interoperability.

   Other FlPSs address matters related more generally to
computer security.

   FIPS 48: Guidelines on Evaluation of Techniques for
Automated Personal Identification.
             FIPS 83: Guidelines on User Authentication Techniques for
Computer Network Access Control.

   FIPS 112: Password Usage.

   FIPS 113: Computer Data Authentication.

   FIPS 73: Guidelines for Security of Computer Applications.


        BOX 6.2 Overview of Joint NIST-NSA Activities

   The National Security Agency provides technical advice and
assistance to the National Institute of Standards and
Technology in accordance with Public Law 100-235, the Computer
Security Act of 1987. An overview of NIST-NSA activities

   National conference. NIST and NSA jointly sponsor,
organize, and chair the prestigious National Computer Security
Conference, held yearly for the past 16 years. The conference
is attended by over 2,000 people from government and private

   Common criteria. NSA is providing technical assistance to
NIST for the development of computer security criteria that
would be used by both the civilian and defense sides of the
government. Representatives from Canada and Europe are joining
the United States in the development of the criteria.

   Product evaluations. NIST and NSA are working together to
perform evaluations of computer security products. In the
Trusted Technology Assessment Program, evaluations of some
computer security products will be performed by NIST and its
laboratories, while others will be performed by NSA. NIST and
NSA engineers routinely exchange information and experiences
to ensure uniformity of evaluations.

   Standards development. NSA supports NIST in the development
of standards that promote interoperability among security
products. Sample standards include security protocol
standards, digital signature standards, key management
standards, and encryption algorithm standards (e.g., the DES,

   Research and development. Under the Joint R&D Technology
Exchange Program, NIST and NSA hold periodic technical
exchanges to share information on new and ongoing programs.
Research and development are performed in areas such as
security architectures, labeling standards, privilege
management, and identification and authentication. Test-bed
activities are conducted in areas related to electronic mail,
certificate exchange and management, protocol conformity, and
encryption technologies.


SOURCE: National Security Agency, April 1994 (as printed in
U.S. Congress, Office of Technology Assessment, *Information
Security and Privacy in Network Environments*, OTA-TCT-606,
U.S. Government Printing Office, Washington D.C., September
1994, Box 4-8, p. 165).


      BOX 6.3 Similarities in Commercial Security Needs
                 and National Security Needs

   +    Strong aversion to public discussion of security
breaches. Information about threats is regarded as highly
sensitive. Such a classification makes it very difficult to
conduct effective user education, because security awareness
depends on an understanding of the true scope and nature of a

   +    Need to make cost-benefit trade-offs in using security
technology. Neither party can afford the resources to protect
against an arbitrary threat model.

   +    Strong preference for self-reliance (government
relying on government, industry relying on industry) to meet
security needs.

   +    Strong need for high security. Both government and
industry need strong cryptography with no limitations for
certain applications. However, the best technology and tools
are often reserved for government and military use because
commercial deployment cannot be adequately controlled,
resulting in opportunities for adversaries to obtain and
examine the systems so that they can plan how to exploit them.

   +    Increasing reliance on commercial products in many
domains (business, Third-World nations).

   +    Increasing scale and sophistication of the security
threat for businesses, which is now approaching that posed by
foreign intelligence services and foreign governments.

   +    Possibility that exceptional access to encrypted
information and data may become important to commercial


      BOX 6.4 Differences in Commercial Security Needs
                 and National Security Needs

   +    Business wants market-driven cryptographic technology;
government is apprehensive about such technology. For example,
standards are a critical element of market-driven
cryptography. Market forces and the need to respond to rapidly
evolving dynamic new markets demand an approach to
establishing cryptographic standards; businesses want
standards for interoperability, and they want to create market
critical mass in order to lower the cost of cryptography.

   +    By its nature, the environment of business must
include potential adversaries within its security perimeter.
Commercial enterprises now realize that electronic delivery of
their products and services to their customers will increase.
They must design systems and processes explicitly so that
customers can enter into transactions with considerable ease.
Business strategies of today empower the customer through
software and technology. Enterprise networks have value in
allowing the maximum number of people to be attached to the
network. Customers will choose which enterprise to enter in
order to engage in electronic commerce, and making it
difficult for the customer will result in loss of business.
But adversaries masquerading as customers (or who indeed may
be customers themselves) can enter as well. By contrast, the
traditional national security model keeps potential
adversaries outside the security perimeter, allowing access
only to those with a real need. However, to the extent that
U.S. military forces work in collaboration with forces of
other nations, the security perimeter for the military may
also become similarly blurred.

   +    Business paradigms value teamwork, openness, trust,
empowerment, and speed. Such values are often difficult to
sustain in the national security establishment. The cultures
of the two worlds are different and are reflected in, for
example, the unwillingness of business to use multilevel
security systems designed for military use. Such systems
failed the market test, although they met Defense Department
criteria for security.

   +    National security resources (personnel with
cryptographic expertise, funding) are much larger than the
resources in nondefense government sectors and in private
industry and universities. As a result, a great deal of
cryptographic knowledge resides within the world of national
security. Industry wants access to this knowledge to ensure
appropriate use of protocols and strong algorithms, and
development of innovative new products and services.

   +    National security places considerable emphasis on
confidentiality as well as on authentication and integrity.
Today's commercial enterprises stress authentication of users
and data integrity much more than they stress confidentiality
(although this balance may shift in the future). For example,
improperly denying a junior military officer access to a
computer facility may not be particularly important in a
military context, whereas improperly denying a customer access
to his bank account because of a faulty authentication can
pose enormous problems for the bank.

   +    While both businesses and national security
authorities have an interest in safeguarding secrets, the
tools available to businesses to discourage individuals from
disclosing secrets (generally civil suits) are less stringent
than those available to national security authorities
(criminal prosecution).


[End Chapter 6]

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]

                          Part III

        Policy Options, Findings and Recommendations

   Part III consists of two chapters. Chapter 7 considers a
wide range of policy options, ranging in scope and scale from
large to small. Not every item described in Chapter 7 has been
deemed worthy for adoption by the committee, but the committee
hopes to broaden the public understanding of cryptography
policy by discussing ideas that at least have the support of
respectable and responsible elements of the various
stakeholding communities.

   Chapter 8 is a synthesizing chapter that brings together
threads of the previous seven chapters and presents the
committee's findings and recommendations.



                Policy Options for the Future

   Current national cryptography policy defines only one point
in the space of possible policy options. A major difficulty in
the public debate over cryptography policy has been incomplete
explanation of why the govermnent has rejected certain policy
options. Chapter 7 explores a number of possible alternatives
to current national cryptography policy, selected by the
committee either because they address an important dimension
of national cryptography policy or because they have been
raised by a particular set of stakeholders. Although in the
committee's judgment these alternatives deserve analysis, it
does not follow that they necessarily deserve consideration
for adoption. The committee's judgments about appropriate
policy options are discussed in Chapter 8.


         7.1.1 Dimensions of Choice for Controlling
                 the Export of Cryptography

   An export control-regime -- a set of laws and regulations
governing what may or may not be exported under any specified
set of circumstances -- has many dimensions that can be
considered independently. These dimensions include:

   +    *The type of export license granted*. Three types of
export licenses are available:

        -- A general license, under which export of an item
        does not in general require prior government approval
        but nonetheless is tracked under an export

        -- A special license, under which prior government
        approval is required but which allows multiple and
        continuing transactions under one license validation;

        -- An individual license, under which prior government
        approval is required for each and every transaction.

As a general rule, only individual licenses are granted for
the export of items on the U.S. Munitions List, which includes
"strong" cryptography.(1)

   +    *The strength of a product's cryptographic
capabilities*. Current policy recognizes the difference
between RC2/RC4 algorithms using 40-bit keys and other types
of cryptography, and places fewer and less severe restrictions
on the former.

   +    *The default encryption settings on the delivered
product*. Encryption can be tacitly discouraged, but not
forbidden, by the use of appropriate settings.(2)

   +    *The type of product*. Many different types of
products can incorporate encryption capabilities. Products can
be distinguished by medium (e.g., hardware vs. software)
and/or intended function (e.g., computer vs. communications).

   +    *The extent and nature of features that allow
exceptional access*. The Administration has suggested that it
would permit the export of encryption software with key
lengths of 64 bits or less if the keys were "properly
escrowed."(3) Thus, inclusion in a product of a feature for
exceptional access could be made one condition for allowing
the export of that product. In addition, the existence of
specific institutional arrangements (e.g., which specific
parties would hold the information needed to implement
exceptional access) might be made a condition for the export
of these products.

   +    *The ultimate destination or intended use of the
delivered product*. U.S. export controls have long
distinguished between exports to "friendly" and "hostile"
nations. In addition, licenses have been granted for the sale
of certain controlled products only when a particular benign
use (e.g., financial transactions) could be certified. A
related consideration is the extent to which nations cooperate
with respect to re-export of a controlled product and/or
export of their own products. For example, CoCom member
nations(4) in principle agreed to joint controls on the export
of certain products to the Eastern bloc; as a result, certain
products could be exported to CoCom member nations much more
easily than to other nations.

   At present, there are few clear guidelines that enable
vendors to design a product that will have a high degree of
assurance of being exportable (Chapters 4 and 6). Table 7.1
describes various mechanisms that might be used to manage the
export of products with encryption capabilities.

   This remainder of Section 7.1 describes a number of options
for controlling the export of cryptography, ranging from the
sweeping to the detailed.


   (1)  However, as noted in Chapter 4, the current export
control regime for cryptography involves a number of
categorical exemptions as well as some uncodified
"in-practice" exemptions.

   (2)  Software, and even software-driven devices, commonly
have operational parameters that can be selected or set by a
user. An example is the fax machine that allows many user
choices to be selected by keyboard actions. The parameters
chosen by a manufacturer before it ships a product are
referred to as the "defaults" or "default condition." Users
are generally able to alter such parameters at will.

   (3)  As the time of this writing, the precise definition of
"properly escrowed" is under debate and review in the
Administration. The most recent language on this definition as
of December 1995 is provided in Chapter5.

   (4)  CoCom refers to the Coordinating Committee, a group of
Western nations (and Japan) that agreed to a common set of
export control practices during the Cold War to control the
export of militarily useful technologies to Eastern bloc
nations. CoCom was disbanded in March 1994, and a successor
regime known as the New Forum is being negotiated as this
report is being written.


                7.1.2 Complete Elimination of
               Export Controls on Cryptography

   The complete elimination of export controls (both the USML
and the Commerce Control List controls) on cryptography is a
proposal that goes beyond most made to date, although
certainly such a position has advocates. If export controls on
cryptography were completely eliminated, it is possible that
within a short time, most information technology products
exported from the United States would have encryption
capabilities. It would be difficult for the U.S. government to
influence the capabilities of these products, or even to
monitor their deployment and use worldwide, because numerous
vendors would most probably be involved.

   Note, however, that the simple elimination of U.S. export
controls on cryptography does not address the fact that other
nations may have import controls and/or restrictions on the
use of cryptography internally. Furthermore, it takes time to
incorporate products into existing infrastructures, and slow
market growth may encourage some vendors to take their time in
developing new products. Thus, simply eliminating U.S. export
controls on cryptography would not ensure markets abroad for
U.S. products with encryption capabilities; indeed, the
elimination of U.S. export controls could in itself stimulate
foreign nations to impose import controls more stringently.
Appendix G contains more discussion of these issues.

   The worldwide removal of all controls on the export,
import, and use of products with encryption capabilities would
likely result in greater standardization of encryption
techniques. Standardization brought about in this manner would
result in:

   +    Higher degrees of international interoperability of
these products;

   +    Broader use, or at least more rapid spread, of
encryption capabilities as the result of the strong
distribution capabilities of U.S. firms;

   +    Higher levels of confidentiality, as a result of
greater ease in adopting more powerful algorithms and longer
keys as standards; and

   +    Greater use of cryptography by hostile, criminal, and
unfriendly parties as they, too, begin to use commercial
products with strong encryption capabilities.

   On the other hand, rapid, large-scale standardization would
be unlikely unless a few integrated software products with
encryption capabilities were able to achieve worldwide usage
very quickly. Consider, for example, that although there are
no restrictions on domestic use of cryptography in the United
States, interoperability is still difficult, in many cases
owing to variability in the systems in which the cryptography
is embedded. Likewise, many algorithms stronger than DES are
well known, and there are no restrictions in place on the
domestic use of such algorithms, and yet only DES even
remotely approaches common usage (and not all DES-based
applications are interoperable).

   For reasons well articulated by the national security and
law enforcement communities (see Chapter 3) and accepted by
the committee, the complete elimination of export controls on
products with encryption capabilities does not seem reasonable
in the short term. Whether export controls will remain
feasible and efficacious in the long-term has yet to be seen,
although clearly, maintaining even their current level of
effectiveness will become increasingly difficult.

         7.1.3 Transfer of All Cryptography Products
                to the Commerce Control List

   As discussed in Chapter 4, the Commerce Control List (CCL)
complements the U.S. Munitions List (USML) in controlling the
export of cryptography. (Box 4.2 in Chapter 4 describes the
primary difference between the USML and the CCL.) In 1994,
Representative Maria Cantwell (D-Washington) introduced
legislation to transfer all massmarket software products
involving cryptographic functions to the CCL. Although this
legislation never passed, it resulted in the promise and
subsequent delivery of an executive branch report on the
international market for computer software with encryption.(5)

   The Cantwell bill was strongly supported by the software
industry because of the liberal consideration afforded
products controlled for export by the CCL. Many of the bill's
advocates believed that a transfer of jurisdiction to the
Commerce Department would reflect an explicit recognition of
cryptography as a commercial technology that should be
administered under a dual-use export control regime. Compared
to the USML, they argued that the CCL is a more balanced
regime that still has considerable effectiveness in limiting
exports to target destinations and end users.

   On the other hand, national security officials regard the
broad authorities of the Arms Export Control Act (AECA) as
essential to the effective control of encryption exports. The
AECA provides authority for case-by-case regulation of exports
of cryptography to all destinations, based on national
security considerations. In particular, licensing decisions
are not governed by factors such as the country of
destination, end users, end uses, or the existence of
bilateral or multilateral agreements that often limit the
range of discretionary action possible in controlling exports
pursuant to the Export Administration Act. Further, the
national security provisions of the AECA provide a basis for
classifying the specific rationale for any particular export
licensing decision made under its authority, thus protecting
what may be very sensitive information about the particular
circumstances surrounding that decision.

   Although sympathetic to the Cantwell bill's underlying
rationale, the committee believes that the Cantwell bill does
not address the basic dilemma of cryptography policy. As
acknowledged by some of the bill's supporters, transfer of a
product's jurisdiction to the CCL does not mean automatic
decontrol of the product, and national security authorities
could still have considerable input into how exports are
actually licensed. In general, the committee believes that the
idea of split jurisdiction, in which some types of
cryptography are controlled under the CCL and others under the
USML, makes considerable sense given the various national
security implications of widespread use of encryption.
However, where the split should be made is a matter of
discussion; the committee expresses its own judgments on this
point in Chapter 8.


   (5)  U.S. Department of Commerce and National Security
Agency, *A Study of the International Market for Computer
Software with Encryption*, prepared for the Interagency
Working Group on Encryption and Telecommunications Policy,
undated (released on January 11, 1996, by the U.S. Department
of Commerce, Office of the Secretary).


                 7.1.4 End-use Certification

   Explicitly exempted under the current International Traffic
in Arms Regulations (ITAR) is the export of cryptography for
ensuring the confidentiality of financial transactions,
specifically for cryptographic equipment and software that are
"specially designed, developed or modified for use in machines
for banking or money transactions, and restricted to use only
in such transactions."(6) In addition, according to senior
National Security Agency (NSA) officials, cryptographic
systems, equipment, and software are in general freely
exportable for use by U.S.-controlled foreign companies and to
banking and financial institutions for purposes other than
financial transactions, although NSA regards these approvals
as part of the case-by-case review associated with equipment
and products that do not enjoy an explicit exemption in the

   In principle, the ITAR could explicitly exempt products
with encryption capabilities for use by foreign subsidiaries
of U.S. companies, foreign companies that are U.S.controlled,
and banking and financial institutions. Explicit "vertical"
exemptions for these categories could do much to alleviate
confusion among users, many of whom are currently uncertain
about what cryptographic protection they may be able to use in
their international communications, and could enable vendors
to make better informed judgments about the size of a given

   Specific vertical exemptions could also be made for
different industries (e.g., health care or manufacturing) and
perhaps for large foreign-owned companies that would be both
the largest potential customers and the parties most likely to
be responsible corporate citizens. Inhibiting the diversion to
other uses of products with encryption capabilities sold to
these companies could be the focus of explicit contractual
language binding the recipient to abide by certain terms that
would be required of any vendor as a condition of sale to a
foreign company, as it is today under USML procedures under
the ITAR. Enforcement of end-use restrictions is discussed in
Chapter 4.


   (6)  International Traffic in Arms Regulations, Section
121.1, Category XIII (b)(1)(ii).


        7.1.5 Nation-by-Nation Relaxation of Controls
     and Harmonization of U.S. Export Control Policy on
               Cryptography with Export/Import
                  Policies of Other Nations

   The United States could give liberal export consideration
to products with encryption capabilities intended for sale to
recipients in a select set of nations,(7) exports to nations
outside this set would be restricted. Nations in the select
set would be expected to have a more or less uniform set of
regulations to control the export of cryptography, resulting
in a more level playing field for U.S. vendors. In addition,
agreements would be needed to control the re-export of
products with encryption capabilities outside this set of

   Nation-by-nation relaxation of controls is consistent with
the fact that different countries generally receive different
treatment under the U.S. export control regime for military
hardware. For example, exports of U.S. military hardware have
been forbidden to some countries because they were terrorist
nations, and to others because they failed to sign the nuclear
nonproliferation treaty. A harmonization of export control
regimes for cryptography would more closely resemble the
former CoCom approach to control dual-use items than the
approach reflected in the unilateral controls on exports
imposed by the USML.

   From the standpoint of U.S. national security and foreign
policy, a serious problem with harmonization is the fact that
the relationship between the United States and almost all
other nations has elements of both competition and cooperation
that may change over time. The widespread use of U.S. products
with strong encryption capabilities under some circumstances
could compromise U.S. positions with respect to these
competitive elements, although many of these nations are
unlikely to use U.S. products with encryption capabilities for
their most sensitive communications.

   Finally, as is true for other proposals to liberalize U.S.
export controls on cryptography, greater liberalization may
well cause some other nations to impose import controls where
they do not otherwise exist. Such an outcome would shift the
onus for impeding vendor interests away from the U.S.
government; however, depending on the nature of the resulting
import controls, U.S. vendors of information technology
products with encryption capabilities might be faced with the
need to conform to a multiplicity of import control regimes
established by different nations.


   (7)  For example, products with encryption capabilities can
be exported freely to Canada without the need of a USML export
license if intended for domestic Canadian use.


                  7.1.6 Liberal Export for
           Strong Cryptography with Weak Defaults

   An export control regime could grant liberal export
consideration to products with encryption capabilities
designed in such a way that the defaults for usage result in
weak or non-existent encryption (Box 7.1), but also so that
users could invoke options for stronger encryption through an
affirmative action.

   For example, such a product might be a telephone designed
for end-to-end security. The default mode of operation could
be set in two different ways. One way would be for the
telephone to establish a secure connection if the called party
has a comparable unit. The second way would be for the
telephone always to establish an insecure connection;
establishing a secure connection would require an explicit
action by the user. All experience suggests that the second
way would result in far fewer secure calls than the first

   An export policy favoring the export of encryption products
with weak defaults benefits the information-gathering needs of
law enforcement and signals intelligence efforts because of
user psychology. Many people, criminals and foreign government
workers included, often make mistakes by using products "out
of the box" without any particular attempt to configure them
properly. Such a policy could also take advantage of the
distribution mechanisms of the U.S. software industry to
spread weaker defaults.

   Experience to date suggests that good implementations of
cryptography for confidentiality are transparent and automatic
and thus do not require positive user action. Such
implementations are likely to be chosen by organizations that
are most concerned about confidentiality and that have a staff
dedicated to ensuring confidentiality (e.g., by resetting weak
vendor-supplied defaults). End users that obtain their
products with encryption capabilities on the retail store
market are the most likely to be affected by this proposal,
but such users constitute a relatively small part of the
overall market.


   (8)  Of course, other techniques can be used to further
discourage the use of secure modes. For example, the telephone
could be designed to force the user to wait several seconds
for establishment of the secure mode.


                  7.1.7 Liberal Export for
      Cryptographic Applications Programming Interfaces

   A cryptographic applications programming interface (CAPI;
see Appendix K) is a well-defined boundary between a baseline
product (such as an operating system, a database management
program, or a word-processing program) and a cryptography
module that provides a secure set of cryptographic services
such as authentication, digital signature generation, random
number generation, and stream or block mode encryption. The
use of a CAPI allows vendors to support cryptographic
functions in their products without actually providing them at

   Even though such products have no cryptographic
functionality per se and are therefore not specifically
included in Category XIII of the ITAR (see Appendix L),
license applications for the export of products incorporating
CAPIs have in general been denied. The reason is that strong
cryptographic capabilities could be deployed on a vast scale
if U.S. vendors exported applications supporting a common CAPI
and a foreign vendor then marketed an add-in module with
strong encryption capabilities.(9)

   To meet the goals of less restrictive export controls,
liberal export consideration could be given to products that
incorporate a CAPI designed so that only "certified"
cryptographic modules could be incorporated into and used by
the application. That is, the application with the CAPI would
have to ensure that the CAPI would work only with certified
cryptographic modules. This could be accomplished by
incorporating into the application a check for a digital
signature whose presence would indicate that the add-on
cryptographic module was indeed certified; if and only if such
a signature were detected by the CAPI would the product allow
use of the module.

   One instantiation of a CAPI is the CAPI built into
applications that use the Fortezza card (discussed in Chapter
5). CAPI software for Fortezza is available for a variety of
operating systems and PC-card reader types; such software
incorporates a check to ensure that the device being used is
itself a Fortezza card. The Fortezza card contains a private
Digital Signature Standard (DSS) key that can be used to sign
a challenge from the workstation. The corresponding DSS public
key is made available in the CAPI, and thus the CAPI is able
to verify the authenticity of the Fortezza card.

   A second approach to the use of a CAPI has been proposed by
Microsoft and is now eligible for liberal export consideration
by the State Department (Box 7.2). The Microsoft approach
involves three components: an operating system with a CAPI
embedded within it, modules providing cryptographic services
through the CAPI, and applications that can call on the
modules through the CAPI provided by the operating system. In
principle, each of these components is the responsibility of
different parties: Microsoft is responsible for the operating
system, cryptography vendors are responsible for the modules,
and independent applications vendors are responsible for the
applications that run on the operating system.

   From the standpoint of national security authorities, the
effectiveness of an approach based on the use of a certified
CAPI/module combination depends on a number of factors. For
example, the product incorporating the CAPI should be known to
be implemented in a manner that enforces the appropriate
constraints on crypto-modules that it calls; furthermore, the
code that provides such enforcement should not be trivially
bypassed. The party certifying the crypto-module should
protect the private signature key used to sign it. Vendors
would still be required to support domestic and exportable
versions of an application if the domestic version was allowed
to use any module while the export version was restricted in
the set of modules that would be accepted, although the amount
of effort required to develop these two different versions
would be quite small.

   The use of CAPIs that check for appropriate digital
signatures would shift the burden for export control from the
applications or systems vendors to the vendors of the
cryptographic modules. This shift could benefit both the
government and vendors, because of the potential to reduce the
number of players engaged in the process. For example, all of
the hundreds of e-mail applications on the market could
quickly support encrypted e-mail by supporting a CAPI
developed by a handful of software and/or hardware
cryptography vendors. The cryptography vendors would be
responsible for dealing with the export and import controls of
various countries, leaving e-mail application vendors to
export freely anywhere in the world. Capabilities such as
escrowed encryption could be supported within the cryptography
module itself, freeing the applications or system vendor from
most technical, operational, and political issues related to
export control.

   A trustworthy CAPI would also help to support cryptography
policies that might differ among nations. In particular, a
given nation might specify certain performance requirements
for all cryptography modules used or purchased within its
borders.(10) International interoperability problems resulting
from conflicting national cryptography policies would still


   (9)  This discussion refers only to "documented" or "open"
CAPIs, i.e., CAPls that are accessible to the end user.
Another kind of CAPI is "undocumented" and "closed", that is,
it is inaccessible to the end user, though it is used by
system developers for their own convenience. While a history
of export licensing decisions and practices supports the
conclusion that most products implementing "open" CAPls will
not receive export licenses, history provides no consistent
guidance with respect to products implementing CAPls that are
inaccessible to the end user.

   (10) An approach to this effect is the thrust of a proposal
from Hewlett-Packard. The Hewlett-Packard International
Cryptography Framework (ICF) proposal includes a stamp size
"policy card" (smart card) that would be inserted into a
cryptographic unit that is a part of a host system.
Cryptographic functions provided within the cryptographic unit
could be executed only with the presents of a valid policy
card. The policy card could be configured to enable only those
cryptographic functions that are consistent with government
export and local policies. The "policy card" allows for
managing the use of the integrated cryptography down to the
application specific level. By obtaining a new policy card,
customers could be upgraded to take advantage of varying
cryptographic capabilities as government policies or
organizational needs change. As part of an ICF solution, a
network security server could be implemented to provide a
range of different security services including verification of
the other three service elements (the card, the host system,
the cryptographic unit). Sources: Carl Snyder,
Hewlett-Packard, testimony to the NRC committee in February
1995; Hewlett-Packard, *International Cryptography Framework
White Paper*, February 1994.


                  7.1.8 Liberal Export for
      Escrowable Products with Encryption Capabilities

   As discussed in Chapter 5, the Administration's proposal of
August 17, 1995, would allow liberal export consideration for
software products with encryption capabilities whose keys are
"properly escrowed." In other words, strong cryptography would
be enabled for these products only when the keys were escrowed
with appropriate escrow agents.

   An escrowed encryption product differs from what might be
called an "escrowable" product. Specifically, an escrowed
encryption product is one whose key must be escrowed with a
registered, approved agent before the use of (strong)
cryptography can be enabled, whereas an escrowable product is
one that provides full cryptographic functionality that
includes optional escrow features for the user. The user of an
escrowable product can choose whether or not to escrow the
relevant keys, but regardless of the choice, the product still
provides its full suite of encryption capabilities.(11)

   Liberal export consideration for escrowable products could
be granted and incentives promulgated to encourage the use of
escrow features. While the short-term disadvantage of this
approach from the standpoint of U.S. national security is that
it allows encryption stronger than the current 40-bit RC2/RC4
encryption allowed under present regulations to diffuse into
foreign hands, it has the long-term advantage of providing
foreign governments with a tool for influencing or regulating
the use of cryptography as they see fit. Currently, most
products with encryption capabilities do not have built-in
features to support escrow built into them. However, if
products were designed and exported with such features,
governments would have a hook for exercising some influence.
Some governments might choose to require the escrowing of
keys, while others might simply provide incentives to
encourage escrowing. In any event, the diffusion of escrowable
products abroad would raise the awareness of foreign
governments, businesses, and individuals about encryption and
thus lay a foundation for international cooperation on the
formulation of national cryptography policies.


   (11) For example, an escrowable product would not enable
the user to encrypt files with passwords. Rather, the
installation of the product would require the user to create
a key or set of named keys, and these keys would be used when
encrypting files. The installation would also generate a
protected "safe copy" of the keys with instructions to the
user that they should register the key "somewhere." It would
be up to the user to decide where or whether to register the


       7.1.9 Alternatives to Government Certification
                   of Escrow Agents Abroad

   As discussed in Chapter 5, the Administration's August 1995
proposal focuses on an implementation of escrowed encryption
that involves the use of "escrow agents certified by the U.S.
government or by foreign governments with which the U.S.
government has formal agreements consistent with U.S. law
enforcement and national security requirements."(12) This
approach requires foreign customers of U.S. escrowed
encryption products to use U.S. escrow agents until formal
agreements can be negotiated that specify the responsibilities
of foreign escrow agents to the United States for law
enforcement and national security purposes.

   Skeptics ask what incentives the U.S. government would have
to conclude the formal agreements described in the August 1995
proposal if U.S. escrow agents would, by default, be the
escrow agents for foreign consumers. They believe that the
most likely result of adopting the Administration's proposal
would be U.S. foot-dragging and inordinate delays in the
consummation of formal agreements for certifying foreign
escrow agents. Appendix G describes some of the U.S.
government efforts to date to promote a dialogue on such

   The approaches described below address problems raised by
certifying foreign escrow agents:

   +    *Informal arrangements for cooperation*. One
alternative is based on the fact that the United States enjoys
strong cooperative law enforcement relationships with many
nations with which it does not have formal agreements
regarding cooperation. Negotiation of a formal agreement
between the United States and another nation could be replaced
by presidential certification that strong cooperative law
enforcement relationships exist between the United States and
that nation. Subsequent cooperation would be undertaken on the
same basis that cooperation is offered today.

   +    *Contractual key escrow*. A second alternative is
based on the idea that formal agreements between nations
governing exchange of escrowed key information might be
replaced by private contractual arrangements.(13) A user that
escrows key information with an escrow agent, wherever that
agent is located, would agree contractually that the U.S.
government would have access to that information under a
certain set of carefully specified circumstances. A suitably
designed exportable product would provide strong encryption
only upon receipt of affirmative confirmation that the
relevant key information had been deposited with escrow agents
requiring such contracts with users. Alternatively, as a
condition of sale, end users could be required to deposit keys
with escrow agents subject to such a contractual requirement.


   (12)  See Box 5.3, Chapter 5.

   (13)  Henry Perritt, "Transnational Key Escrow," paper
presented at the International Cryptography Institute,
Washington, D.C., September 22, 1995.


           7.1.10 Use of Differential Work Factors
                       in Cryptography

   Differential work factor cryptography is an approach to
cryptography that presents different work factors to different
parties attempting to cryptanalyze a given piece of encrypted
information.(14) Iris Associates, the creator of Notes,
proposed such an approach for Lotus Notes Version 4 to
facilitate its export, and the U.S. govermnent has accepted
it. Specifically, the international edition of Lotus Notes
Version 4 is designed to present a 40-bit work factor to the
U.S. government and a 64-bit work factor to all other parties.
It implements this differential work factor by encrypting 24
bits of the 64-bit key with the public-key portion of an RSA
key pair held by the U.S. government. Because the U.S.
government can easily decrypt these 24 bits, it faces only a
40-bit work factor when it needs access to a communications
stream overseas encrypted by the international edition. All
other parties attempting to cryptanalyze a message face a
64-bit work factor.

   Differential work factor cryptography is similar to partial
key escrow (described in Chapter 5) in that both provide very
strong protection against most attackers but are vulnerable to
attack by some specifically chosen authority. However, they
are different in that differential work factor cryptography
does not require user interaction with an escrow agent, and so
it can offer strong cryptography "out of the box." Partial key
escrow offers all of the strengths and weaknesses of escrowed
encryption, including the requirement that the enabling of
strong cryptography does require interaction with an escrow


   (14) Recall from Chapter 2 that a work factor is a measure
of the amount of work that it takes to undertake a brute-force
exhaustive cryptanalytic search.


           7.1.11 Separation of Cryptography from
           other Items on the U.S. Munitions List

   As noted in Chapter 4, the inclusion of products with
encryption capabilities on the USML puts them on a par with
products intended for strictly military purposes (e.g., tanks,
missiles). An export control regime that authorized the U.S.
government to separate cryptography -- a true dual-use
technology -- from strictly military items would provide much
needed flexibility in dealing with nations on which the United
States wishes to place sanctions.


   Providing government exceptional access to encrypted data
is an issue with a number of dimensions, only some of which
relate directly to encryption.

           7.2.1 A Prohibition of the Use and Sale
   of Cryptography Lacking Features for Exceptional Access

   One obvious approach to ensuring government exceptional
access to encrypted information is to pass legislation that
forbids the use of cryptography lacking features for such
access, presumably with criminal penalties attached for
violation. (Given that escrowed cryptography appears to be the
most plausible approach to providing govermnent exceptional
access, the term "unescrowed cryptography" is used here as a
synonym for cryptography without features for exceptional
access.) Indeed, opponents of the Escrowed Encryption Standard
(EES) and the Clipper chip have argued repeatedly that the EES
approach would succeed only if alternatives were banned.(15)
Many concerns have been raised about the prospect of a
mandatory prohibition on the use of unescrowed cryptography.

   From a law enforcement standpoint, a legislative
prohibition on the use of unescrowed encryption would have
clear advantages. Its primary impact would be to eliminate the
commercial supply of unescrowed products with encryption
capabilities -- vendors without a market would most likely not
produce or distribute such products, thus limiting access of
criminals to unescrowed encryption and increasing the
inconvenience of evading a prohibition on use of unescrowed
encryption. At the same time, such a prohibition would leave
law-abiding users with strong concerns about the
confidentiality of their information being subject to
procedures beyond their control.

   A legislative prohibition of the use of unescrowed
encryption also raises specific technical, economic, and legal

Concerns About Personal Freedom

   The Clinton Administration has stated that it has no
intention of outlawing unescrowed cryptography, and it has
repeatedly and explicitly disavowed any intent to regulate the
domestic use of cryptography. However, no administration can
bind future administrations (a fact freely acknowledged by
administration officials). Thus, some critics of the
Administration position believe that the dynamics of the
encryption problem may well drive the government -- sooner or
later -- to prohibit the use of encryption without government
access.(16) The result is that the Administration is simply
not believed when it forswears any intent to regulate
cryptography used in the United States. Two related concerns
are raised:

   +    *The "slippery slope.*" Many skeptics fear that
current cryptography policy is the first step down a slippery
slope toward a more restrictive policy regime under which
government may not continue to respect limits in place at the
outset. An oft-cited example is current use of the Social
Security Number, which was not originally intended to serve as
a universal identifier when the Social Security Act was passed
in 1935 but has, over the last 50 years, come to serve exactly
that role by default, simply because it was there to be
exploited for purposes not originally intended by the enabling

   +    *Misuse of deployed infrastructure for cryptography*.
Many skeptics are concerned that a widely deployed
infrastructure for cryptography could be used by a future
administration or Congress to promulgate and/or enforce
restrictive policies regarding the use of cryptography. With
such an infrastructure in place, critics argue that a simple
policy change might be able to transform a comparatively
benign deployment of technology into an oppressive one. For
example, critics of the Clipper proposal were concerned about
the possibility that a secure telephone system with government
exceptional access capabilities could, under a strictly
voluntary program to encourage its purchase and use, achieve
moderate market penetration. Such market penetration could
then facilitate legislation outlawing all other
cryptographically secure telephones.(17)

   Adding to these concerns are suggestions such as those made
by a responsible and senior government official that even
research in cryptography conducted in the civilian sector
should be controlled in a legal regime similar to that which
governs research with relevance to nuclear weapons design (Box
7.3). Ironically, former NSA Director Bobby Inman's comments
on scientific research appeared in an article that called for
greater cooperation between academic scientists and national
security authorities and used as a model of cooperation an
arrangement, recommended by the Public Cryptography Study
Group, that has worked generally well in balancing the needs
of academic science and those of national security.(18)
Nevertheless, Inman's words are often cited as reflecting a
national security mind-set that could lead to a serious loss
of intellectual freedom and discourse. More recently, FBI
Director Louis Freeh stated to the committee that "other
approaches may be necessary" if technology vendors do not
adopt escrowed encryption on their own. Moreover, the current
Administration has explicitly rejected the premise that "every
American, as a matter of right, is entitled to an unbreakable
encryption product."(19)

   Given concerns about possible compromises of personal and
civil liberties, many skeptics of government in this area
believe that the safest approach is for government to stay out
of cryptography policy entirely. They argue that any steps in
this area, no matter how well intentioned or plausible or
reasonable, must be resisted strongly, because such steps will
inevitably be the first poking of the camel's nose under the

Technical Issues

   Even if a legislative prohibition on the use of unescrowed
encryption were enacted, it would be technically easy for
parties with special needs for security to circumvent such a
ban. In some cases, circumvention would be explicitly illegal,
while in others it might well be entirely legal. For example:

   +    Software for unescrowed encryption can be downloaded
from the Internet; such software is available even today. Even
if posting such software in the United States were to be
illegal under a prohibition, it would nonetheless be
impossible to prevent U.S. Internet users from downloading
software that had been posted on sites abroad.

   +    Superencryption can be used. Superencryption
(sometimes also known as double encryption) is encryption of
traffic before it is given to an escrowed encryption device or
system. For technical reasons, superencryption is impossible
to detect without monitoring and attempting to decrypt all
escrow-encrypted traffic, and such large-scale monitoring
would be seriously at odds with the selected and limited
nature of wiretaps today.

   An additional difficulty with superencryption is that it is
not technically possible to obtain escrow information for all
layers simultaneously, because the fact of double and triple
encryption cannot be known in advance. Even if the second (or
third or fourth) layers of encryption were escrowed, law
enforcement authorities would have to approach separately and
sequentially the escrow agents holding key information for
those layers.

   +    Talent for hire is easy to obtain. A criminal party
could easily hire a knowledgable person to develop needed
software. For example, an out-of-work or underemployed
scientist or mathematician from the former Soviet Union would
find a retainer fee of $500 per month to be a king's

   +    Information can be stored remotely. An obvious
noncryptographic circumvention is to store data on a remote
computer whose Internet address is known only to the user.
Such a computer could be physically located anywhere in the
world (and might even automatically encrypt files that were
stored there). But even if it were not encrypted, data stored
on a remote computer would be impossible for law enforcement
officials to access without the cooperation of the data's
owner. Such remote storage could occur quite legally even with
a ban on the use of unescrowed encryption.

   +    Demonstrating that a given communication or data file
is "encrypted" is fraught with ambiguities arising from the
many different possibilities for sending information:

        -- An individual might use an obscure data format. For
        example, while ASCII is the most common representation
        of alphanumeric characters today, Unicode (a proposed
        16-bit representation) and EBCDIC (a more-or-less
        obsolete 8-bit representation) are equally good for
        sending plain English text.

        -- An individual talking to another individual might
        speak in a language such as Navajo.

        -- An individual talking to another individual might
        speak in code phrases.

        -- An individual might send compressed digital data
        that could easily be confused with encrypted data
        despite having no purpose related to encryption. If,
        for example, an individual develops his own good
        compression algorithm and does not share it with
        anyone, that compressed bit stream may prove as
        difficult to decipher as an encrypted bit stream.(21)

        -- An individual might deposit fragments of a text or
        image that he wished to conceal or protect in a number
        of different Internet-accessible computers. The
        plaintext (i.e., the reassembled version) would be
        reassembled into a coherent whole only when downloaded
        into the computer of the user.(22)

        -- An individual might use steganography.(23)

   None of these alternative coding schemes provides
confidentiality as strong as would be provided by good
cryptography, but their extensive use could well complicate
attempts by government to obtain plaintext information.

   Given so many different ways to subvert a ban on the use of
unescrowed cryptography, emergence of a dedicated subculture
is likely in which the nonconformists would use coding schemes
or unescrowed cryptography impenetrable to all outsiders.

Economic Concerns

   An important economic issue that would arise with a
legislative prohibition on the use of unescrowed cryptography
would involve the political difficulty of mandating
abandonment of existing user investments in products with
encryption capabilities. These investments, considerable even
today, are growing rapidly, and the expense to users of
immediately having to replace unescrowed encryption products
with escrowed ones could be enormous;(24) a further expense
would be the labor cost involved in decrypting existing
encrypted archives and reencrypting them using escrowed
encryption products. One potential mitigating factor for cost
is the short product cycle of information technology products.
Whether users would abandon nonconforming products in favor of
new products with escrowing features -- knowing that they were
specifically designed to facilitate exceptional access -- is
open to question.

Legal and Constitutional Issues

   Even apart from the issues described above, which in the
committee's view are quite significant, a legislative ban on
the domestic use of unescrowed encryption would raise
constitutional issues. Insofar as a prohibition on unescrowed
encryption were treated for constitutional purposes as a
limitation on the content of communications, the government
would have to come forward with a compelling state interest to
justify the ban. To some, a prohibition on the use of
unescrowed encryption would be the equivalent of a law
proscribing use of a language (e.g., Spanish), which would
almost certainly be unconstitutional. On the other hand, if
such a ban were regarded as tantamount to eliminating a method
of communication (i.e., were regarded as content-neutral),
then the courts would employ a simple balancing test to
determine its constitutionality. The government would have to
show that the public interests were jeopardized by a world of
unrestrained availability of encryption, and these interests
would have to be weighed against the free speech interests
sacrificed by the ban. It would also be significant to know
what alternative forms of methods of anonymous communication
would remain available with a ban and how freedom of speech
would be affected by the specific system of escrow chosen by
the government. These various considerations are difficult,
and in some cases impossible, to estimate in advance of
particular legislation and a particular case, but the First
Amendment issues likely to arise with a total prohibition on
the use of unescrowed encryption are not trivial.(25)

   A step likely to raise fewer constitutional problems, but
not eliminate them, is one that would impose restrictions on
the commercial sale of unescrowed products with encryption
capabilities.(26) Under such a regime, products with
encryption capabilities eligible for sale would have to
conform to certain restrictions intended to ensure public
safety, in much the same way that other products such as
drugs, automobiles, and meat must satisfy particular
government regulations. "Freeware" or home-grown products with
encryption capabilities would be exempt from such regulations
as long as they were used privately. The problem of
already-deployed products would remain, but in a different
form: new products would either interoperate or not
interoperate with existing already-deployed products. If
noninteroperability were required, users attempting to
maintain and use two noninteroperating systems would be faced
with enormous expenses. If interoperability were allowed, the
intent of the ban would be thwarted.

   Finally, any national policy whose stated purpose is to
prevent the use of unescrowed encryption preempts decision
making that the committee believes properly belongs to users.
As noted in Chapter 5, escrowed encryption reduces the level
of assured confidentiality in exchange for allowing controlled
exceptional access to parties that may need to retrieve
encrypted data. Only in a policy regime of voluntary
compliance can users decide how to make that trade-off. A
legislative prohibition of the use or sale of unescrowed
encryption would be a clear statement that law enforcement
needs for exceptional access to information clearly outweigh
user interests in having maximum possible protection for their
information, a position that has yet to be defended or even
publicly argued by any player in the debate.


   (15) For example, see Electronic Privacy Information
Center, press release, August 16, 1995, available at

   (16) For example, Senator Charles Grassley (R-IA)
introduced legislation (The Anti-Electronic Racketeering Act
of 1995) on June 27, 1995, to "prohibit certain acts involving
the use of computers in the furtherance of crimes." The
proposed legislation makes it unlawful "to distribute computer
software that encodes or encrypts electronic or digital
communications to computer networks that the person
distributing the software knows or reasonably should know, is
accessible to foreign nationals and foreign governments,
regardless of whether such software has been designated as
nonexportable," except for software that uses "a universal
decoding device or program that was provided to the Department
of Justice prior to the distribution."

   (17) By contrast, a deployed infrastructure could have
characteristics that would make it quite difficult to
implement policy changes on a short time scale. For example,
it would be very difficult to implement a policy change that
would change the nature of the way in which people use today's
telephone system. Not surprisingly, policy makers would prefer
to work with infrastructures that are quickly responsive to
their policy preferences.

   (18) The arrangement recommended by the Public Cryptography
Study Group called for voluntary prepublication review of all
cryptography research undertaken in the private sector. For
more discussion of this arrangement, see Public Cryptography
Study Group, *Report of the Public Cryptography Study Group*,
American Council on Education, Washington, D.C., February,
1981. A history leading to the formation of the Public
Cryptography Study group can be found in National Research
Council, "Voluntary Restraints on Research With National
Security Implications: The Case of Cryptography, 1972-1982,"
in *Scientifc Communication and National Security*, National
Academy Press, Washington, D.C., 1982, Appendix E, pp.
120-125. The ACM study on cryptography policy concluded that
this prepublication arrangement has not resulted in any
chilling effects in the long term (see Susan Landau et al.,
*Codes, Keys and Conflicts: Issues in U.S. Crypto Policy*,
ACM, New York, 1994, p. 39.)

   (19) "Questions and Answers About the Clinton
Administration's Telecommunications Initiative," undated
document. Released on April 16, 1993, with the "Statement by
the Press Secretary on the Clipper Chip." See *The Third CPSR
Cryptography and Privacy Conference Source Book*, June 7,
1993, Part III.

   (20) Alan Cooperman and Kyrill Belianinov, "Moonlighting by
Modem in Russia," *U.S. News & World Report*, April 17, 1995,
pp. 45-48. In addition, many high-technology jobs are moving
overseas in general, not just to the former Soviet Union. See
for example, Keith Bradsher, "Skilled Workers Watch Their Jobs
Migrate Overseas," *New York Times*, August 28, 1995, p. 1.

   (21) A discussion of using text compression for
confidentiality purposes can be found in Ian Whitten and John
Cleary, "On the Privacy Afforded by Adaptive Text
Compression," *Computers and Security*, July 1988, Volume
7(4), pp. 397-408. One problem in using compression schemes as
a technique for ensuring confidentiality is that almost any
practical compression scheme has the characteristic that
closely similar plaintexts would generate similar ciphertexts,
thereby providing a cryptanalyst with a valuable advantage not
available if a strong encryption algorithm is used.

   (22) Jaron Lanier, "Unmuzzling the Internet: How to Evade
the Censors and Make a Statement, Too," OpEd, *New York
Times*, January 2, 1996, p. A-15.

   (23) Steganography is the name given to techniques for
hiding a message within another message. For example, the
first letter of each word in a sentence or a paragraph can be
used to spell out a message, or a photograph can be
constructed so as to conceal information. Specifically, most
black-and-white pictures rendered in digital form use at most
2^16 (65,536) shades of gray, because the human eye is
incapable of distinguishing any more shades. Each element of
a digitized black-and-white photo would then be associated
with 16 bits of information about what shade of gray should be
used. If a picture were digitized with 24 bits of gray scale,
the last 8 bits could be used to convey a concealed message
that would never appear except for someone who knew to look
for it. The digital size of the picture would be 50% larger
than it would ordinarily be, but no one but the creator of the
image would know.

   (24) Existing unescrowed encryption products could be kept
in place if end users could be made to comply with a
prohibition of the use of such products. In some cases, a
small technical fix might suffice to disable the cryptography
features of a system; such fixes would be most relevant in a
computing environment in which the software used by end users
is centrally administered (as in the case of many
corporations) and provides system administrators with the
capability for turning off encryption. In other cases, users
-- typically individual users who had purchased their products
from retail store outlets -- would have to be trusted to
refrain from using encryption.

   (25) For a view arguing that relevant Fourth and Fifth
Amendment issues would be resolved against a constitutionality
of such a prohibition, see Michael Froomkin, "The Metaphor Is
the Key: Cryptography, The Clipper Chip and the Constitution,"
*University of Pennsylvania Law Review*, Volume 143(3),
January 1995, pp. 709-897. The committee takes no position on
these Fourth and Fifth Amendment issues.

   (26) Such a scheme has been suggested by Dorothy Denning in
"The Future of Cryptography," *Internet Security Monthly*,
October 1995, p. 10. (Also available from
http://www.cosc.georgetown.edu/~denning/crypto.) Denning's
paper does not suggest that "freeware" be exempt, although her
proposal would provide an exemption for personally developed
software used to encrypt personal files.


      7.2.2 Criminalization of the Use of Cryptography
                in the Commission of a Crime

   Proposals to criminalize the use of cryptography in the
commission of a crime have the advantage that they focus the
weight of the criminal justice system on the "bad guy" without
placing restrictions on the use of cryptography by "good
guys." Further, deliberate use of cryptography in the
commission of a crime could result in considerable damage,
either to society as a whole or to particular individuals, in
circumstances suggesting premeditated wrongdoing, an act that
society tends to view as worthy of greater punishment than a
crime committed in the heat of the moment.

   Two approaches could be taken to criminalize the use of
cryptography in the commission of a crime:

   +    Construct a specific list of crimes in which the use
of cryptography would subject the criminal to additional
penalties. For example, using a deadly weapon in committing a
robbery or causing the death of someone during the commission
of a crime are themselves crimes that lead to additional

   +    Develop a blanket provision stating that the use of
cryptography for illegal purposes (or for purposes contrary to
law) is itself a felony.

   In either event, additional penalties for the use of
cryptography could be triggered by a conviction for a primary
crime, or they could be imposed independently of such a
conviction. Precedents include the laws criminalizing mail
fraud (fraud is a crime, generally a state crime, but mail
fraud -- use of the mails to commit fraud -- is an additional
federal crime) and the use of a gun during the commission of
a felony.

   Intentional use of cryptography in the concealment of a
crime could also be criminalized. Since the use of
cryptography is a prima facie act of concealment, such an
expansion would reduce the burden of proof on law enforcement
officials, who would have to prove only that cryptography was
used intentionally to conceal a crime. Providers of
cryptography would be criminally liable only if they had
knowingly provided cryptography for use in criminal activity.
On the other hand, a law of more expansive scope might well
impose additional burdens on businesses and raise civil
liberties concerns.

   In considering legal penalties for misuse of cryptography,
the question of what it means to "use" cryptography must be
addressed. For example, if and when encryption capabilities
are integrated seamlessly into applications and are invoked
automatically without effort on the part of a user, should the
use of these applications for criminal purposes lead to
additional penalties or to a charge for an additional offense?
Answering yes to this question provides another avenue for
prosecuting a criminal (recall that Al Capone was convicted
for income tax evasion rather than bank robbery). Answering no
leaves open the possibility of prosecutorial abuse. A second
question is what counts as "cryptography." As noted above in
the discussion of prohibiting unescrowed encryption, a number
of mathematical coding schemes can serve to obscure the
meaning of plaintext even if they are not encryption schemes
in the technical sense of the word. These and related
questions must be addressed in any serious consideration of
the option for criminalizing the use of cryptography in the
commission of a crime.

            7.2.3 Technical Non-Escrow Approaches
             for Obtaining Access to Information

   Escrowed encryption is not the only means by which law
enforcement can gain access to encrypted data. For example, as
advised by Department of Justice guidelines for searching and
seizing computers, law enforcement officials can approach the
software vendor or the Justice Department computer crime
laboratory for assistance in cryptanalyzing encrypted files.
These guidelines also advise that "clues to the password [may
be found] in the other evidence seized -- stray notes on
hardware or desks; scribble in the margins of manuals or on
the jackets of disks. Agents should consider whether the
suspect or someone else will provide the password if
requested."(27) Moreover, product designs intended to
facilitate exceptional access can include alternatives with
different strengths and weaknesses such as link encryption,
weak encryption, hidden back doors, and translucent

Link Encryption

   With link encryption, which applies only to communications
and stands in contrast to end-to-end encryption (Box 7.4), a
plaintext message enters a communications link, is encrypted
for transmission through the link, and is decrypted upon
exiting the link. In a communication that may involve many
links, sensitive information can be found in plaintext form at
the ends of each link (but not during transit). Thus, for
purposes of protecting sensitive information on an open
network accessible to anyone (the Internet is a good example),
link encryption is more vulnerable than end-to-end encryption,
which protects sensitive information from the moment it leaves
party A to the moment it arrives at party B. However, from the
standpoint of law enforcement, link encryption facilitates
legally authorized intercepts, because the traffic of interest
can always be obtained from one of the nodes in which the
traffic is unencrypted.

   On a relatively closed network or one that is used to
transmit data securely and without direct user action, link
encryption may be cost-effective and desirable. A good example
is encryption of the wireless radio link between a GSM
cellular telephone and its ground station; the cellular
handset encrypts the voice signal and transmits it to the
ground station, at which point it is decrypted and fed into
the land-based network. Thus, the landbased network carries
only unencrypted voice traffic, even though it was transmitted
by an encrypted cellular telephone. A second example is the
"bulk" encryption of multiple channels -- each individually
unencrypted -- over a multiplexed fiber-optic link. In both of
these instances of link encryption, only those with access to
carrier facilities -- presumably law enforcement officials
acting under proper legal authorization -- would have the
opportunity to tap such traffic.

Weak Encryption

   Weak encryption allowing exceptional access would have to
be strong enough to resist brute-force attack by unauthorized
parties (e.g., business competitors) but weak enough to be
cracked by authorized parties (e.g., law enforcement
agencies). However, "weak" encryption is a moving target. The
difference between cracking strong and weak encryption by
brute-force attack is the level of computational resources
that can be brought to such an attack, and those resources are
ever increasing. In fact, the cost of brute-force attacks on
cryptography drops exponentially over time, in accordance with
Moore's law.(28)

   Widely available technologies now enable multiple
distributed workstations to work collectively on a
computational problem at the behest of only a few people; Box
4.6 in Chapter 4 discusses the brute-force cryptanalysis of
messages encrypted with the 40-bit RC4 algorithm, and it is
not clear that the computational resources of unauthorized
parties can be limited in any meaningful way. In today's
environment, unauthorized parties will almost always be able
to assemble the resources needed to mount successful
brute-force attacks against weak cryptography, to the
detriment of those using such cryptography. Thus, any
technical dividing line between authorized and unauthorized
decryption would change rather quickly.

Hidden Back Doors

   A "back door" is an entry point to an application that
permits access or use by other than the normal or usual means.
Obviously, a back door known to government can be used to
obtain exceptional access. Back doors may be open or hidden.
An open back-door is one whose existence is announced
publicly; an example is an escrowed encryption system, which
everyone knows is designed to allow exceptional access.(29) By
its nature, an open back-door is explicit; it must be
deliberately and intentionally created by a designer or

   A hidden back-door is one whose existence is not widely
known, at least upon initial deployment. It can be created
deliberately (e.g., by a designer who insists on retaining
access to a system that he may have created) or accidentally
(e.g., as the result of a design flaw). Often, a user wishing
access through a deliberately created hidden back-door must
pass through special system-provided authorization services.
Almost by definition, an accidentally created hidden back-door
requires no special authorization for its exploitation,
although finding it may require special knowledge. In either
case, the existence of hidden back-doors may or may not be
documented; frequently, it is not.

   Particularly harmful hidden back-doors can appear when
"secure" applications are implemented using insecure operating
systems; more generally, "secure" applications layered on top
of insecure systems may not be secure in practice.
Cryptographic algorithms implemented on weak operating systems
present another large class of back doors that can be used to
undermine the integrity and the confidentiality that
cryptographic implementations are intended to provide. For
example, a database application that provides strong access
control and requires authorization for access to its data
files but is implemented on an operating system that allows
users to view those files without going through the database
application does not provide strong confidentiality. Such an
application may well have its data files encrypted for

   The existence of back doors can pose high-level risks. The
shutdown or malfunction of life-critical systems, loss of
financial stability in electronic commerce, and compromise of
private information in database systems can all have serious
consequences. Even if back doors are undocumented, they can be
discovered and misused by insiders or outsiders. Reliance on
"security by obscurity" is always dangerous, because trying to
suppress knowledge of a design fault is generally very
difficult. If a back door exists, it will eventually be
discovered, and its discoverer can post that knowledge
worldwide. If systems containing a discovered back door were
on the Internet or were accessible by modem, massive
exploitation could occur almost instantaneously, worldwide. If
back doors lack a capability for adequate authentication and
accountability, then it can be very difficult to detect
exploitation and to identify the culprit.

Translucent Cryptography

   Translucent cryptography has been proposed by Ronald Rivest
as an alternative to escrowed encryption.(30) The proposed
technical scheme, which involves no escrow of unit keys, would
ensure that any given message or file could be decrypted by
the government with probability p; the value of p (0