[72144,1426] Lib: 6 PGPW31.ZIP Bin, Bytes: 435954, Count: 4, 03-Jan-95(04-Jan-95) Title : WinPGP(tm) 3.1 Windows Shell for PGP Keywords: PGP WINPGP ENCRYPTION SECURITY EMAIL FILES Latest version as of 1/2/95. WinPGP(tm) 3.1 has toolbar buttons, true Windows Help, an improved Clipboard, full Key management capability and now multi-file encryption. Features that many other Windows shells don't have in one program. Registration still $29US, upgrades still free. Now 5% of the net registration goes to the Phil Zimmermann Legal Defense Fund. [76004,1762] Sysop earle robinson Lib: 6 PGP262.ZIP Bin, Bytes: 283630, Count: 4, 13-Nov-94 Title : PGP ver 2.61 Program files Keywords: PGP ENCRYPTION DOS PGP ver. 2.62. Source code PGP ver 2.62. Pretty good privacy, encryption/decryption program. Program files. See PG262S.ZIP if you wish the source code, and PG262D.ZIP for the documentation. This file may legally be downloaded only by USA residents [76500,1116] Lib: 6 PGPM30.ZIP Bin, Bytes: 53466, Count: 2, 28-Oct-94 Title : PGPMENU 3.0 FREE cursor operated DOS menu with n Keywords: PGP MENU BASS PGPMENU 3.0 - FREE - for all versions of PGP - cursor operated DOS menu with new "comment" feature. Call your text editor from the menu. Custom design your own color configuration. Includes explanation of the mathematics of public key encryption and the RSA algorithm. [72254,3556] Lib: 6 PGPSHE.ZIP Bin, Bytes: 74802, Count: 2, 06-Jun-94 Title : PGP Shell 3.1 Keywords: PGP SHELL MENU ENCRYPT DECRYPT SECURITY A shell program for simplifying the use of the PGP cryptography program. Can be used in DOS or Windows. Subject: Notes on key escrow meeting with NSA From: Matt Blaze , Feb. 2 1994 A group from NSA and FBI met the other day with a group of us at Bell Labs to discuss the key escrow proposal. They were surprisingly forthcoming and open to discussion and debate, and were willing to at least listen to hard questions. They didn't object when asked if we could summarize what we learned to the net. Incidentally, the people at the meeting seemed to base a large part of their understanding of public opinion on Usenet postings. Postings to sci.crypt and talk.politics.crypto seem to actually have an influence on our government. A number of things came out at the meeting that we didn't previously know or that clarified previously released information. What follows is a rough summary; needless to say, nothing here should be taken as gospel, or representing the official positions of anybody. Also, nothing here should be taken as an endorsement of key escrow, clipper, or anything else by the authors; we're just reporting. These notes are based on the collective memory of Steve Bellovin, Matt Blaze, Jack Lacy, and Mike Reiter; there may be errors or misunderstandings. Please forgive the rough style. Note also the use of "~ ~" for 'approximate quotes' (a marvelous Whit Diffie-ism). NSA's stated goals and motives for all this: * DES is at the end of its useful life * Sensitive, unclassified government data needs protection * This should be made available to US Citizens * US business data abroad especially needs protection * The new technology should not preclude law enforcement access They indicated that the thinking was not that criminals would use key escrowed crypto, but that they should not field a system that criminals could easily use against them. The existence of key escrow would deter them from using crypto in the first place. The FBI representative said that they expect to catch "~only the stupid criminals~" through the escrow system. Another stated reason for key escrow is that they do not think that even government-spec crypto devices can be kept physically secure. They do expect enough to be diverted to the black market that they feel they need a response. NSA's emphasis was on the foreign black market... There seems to be a desire to manipulate the market, by having the fixed cost of key escrow cryptography amortized over the government market. Any private sector devices would have to sell a much larger number of units to compete on price. (This was somewhere between an implication and an explicit statement on their part.) When asked about cryptography in software, "~...if you want US government cryptography, you must do it with hardware~". The NSA people were asked whether they would consider evaluating ciphers submitted by the private sector as opposed to simply proposing a new cipher as a "black box" as they did with Skipjack. They said they can't do this because, among other things, of the extraordinary effort required to properly test a new cipher. They said that it often takes from 8-12 years to design, evaluate and certify a new algorithm, and that Skipjack began development "~about 10 years ago.~" I asked if we should infer anything from that about the value of the (limited time and resource) civilian Skipjack review. They accepted the question with good humor, but they did say that the civilian review was at least presented with and able to evaluate some of the results of NSA's previous internal reviews. Clipper chips should be available (to product vendors) in June. You can't just buy loose chips - they have to be installed in approved products. Your application interface has to be approved by NIST for you to get your hands on the chips. An interesting point came up about the reverse-engineering resistance of the chips: they are designed to resist non-destructive reverse engineering. It was not clear (from the information presented at the meeting) whether the chips are equally resistant to destructive reverse-engineering. That is, the chips are designed to resist non-destructive reverse engineering to obtain the unit keys. They do not believe that it is possible to obtain the unit key of a particular chip without destroying the chip. They did not present any assertions about resistance to destructive reverse engineering, such that several chips can be taken apart and destroyed in the process, to learn the Skipjack algorithm. They said the algorithm was patented, but they may have been joking. ("~And if that doesn't scare you enough, we'll turn the patent over to PKP.~") The resistance to reverse engineering is not considered absolute by NSA. They do feel that "~it would require the resources of a national laboratory, and anyone with that much money can design their own cryptosystem that's just as strong.~" They repeated several times that there are "~no plans to regulate the use of alternate encryption within the US by US citizens.~" They also indicated they "~weren't naive~" and didn't think that they could if they wanted to. There were 919 authorized wiretaps, and 10,000 pen register monitors, in 1992. They do not have any figures yet on how often cryptography was used to frustrate wiretaps. They do not yet have a production version of the "decoder" box used by law enforcement. Initially, the family key will be split (by the same XOR method) and handled by two different people in the athorized agencies. There is presently only one family key. The specifications of the escrow exploitation mechanism are not yet final, either; they are considering the possibility of having the central site strip off the outer layers of encryption, and only sending the session key back to the decoder box. The escrow authorities will NOT require presentation of a court order prior to releasing the keys. Instead, the agency will fill out a form certifying that they have a legal authorization. This is also backed up with a separate confirmation from the prosecutor's office. The escrow agencies will supply any key requested and will not themselves verify that the keys requested are associated with the particular court order. As an aside, we've since been informed by a member of the civilian Skipjack review committee that the rationale for not having the escrow agency see the actual wiretap order is so that they do not have access to the mapping between key serial numbers and people/telephones. Regarding the scale of the escrow exploitation system, they said that they did not yet have a final operational specification for the escrow protocols, but did say that the escrow agencies would be expected to deliver keys "~within about 2 hours~" and are aiming for "~close to real time.~" Initially, the FBI would have the decoder box, but eventually, depending on costs and demand, any law enforcement agency authorized to conduct wiretaps would be able to buy one. The two escrow agencies will be responsible for verifying the certification from and securely delivering the key halves to any such police department. The NSA did not answer a question as to whether the national security community would obtain keys from the same escrow mechanism for their (legally authorized) intelligence gathering or whether some other mechanism would exist for them to get the keys. The masks for the Clipper/Capstone chip are unclassified (but are protected by trade secret) and the chips can be produced in an unclassified foundry. Part of the programming in the secure vault includes "~installing part of the Skipjack algorithm.~" Later discussion indicated that the part of the algorithm installed in the secure vault are the "S-tables", suggesting that perhaps unprogrammed Clipper chips can be programmed to implement other 80-bit key, 32 round ciphers. The Capstone chip includes an ARM-6 RISC processor that can be used for other things when no cryptographic functions are performed. In particular, it can be used by vendors as their own on-board processor. The I/O to the processor is shut off when a crypto operation is in progress. They passed around a Tessera PCMCIA (type 1) card. These cards contain a Capstone chip and can be used by general purpose PC applications. The cards themselves might not be export controlled. (Unfortunately, they took the sample card back with them...) The card will digitally sign a challenge from the host, so you can't substitute a bogus card. The cards have non-volatile onboard storage for users' secret keys and for the public keys of a certifying authority. They are building a library/API for Tessera, called Catapult, that will provide an interface suitable for many different applications. They have prototype email and ftp applications that already uses it. They intend to eventually give away source code for this library. They responded favorably to the suggestion that they put it up for anonymous ftp. Applications (which can use the library and which the NSA approves for government use) will be responsible for managing the LEAF field. Note that they intend to apply key escrowed Skipjack to other applications, including mail and file encryption. The LEAF would be included in such places as the mail header or the file attributes. This implies that it is possible to omit sending the LEAF -- but the decrypt chip won't work right if it doesn't get one. When asked, they indicated that it might be possible wire up a pair of Clipper/Capstone chips to not transmit the LEAF field, but that the way to do this is "~not obvious from the interface we give you~" and "~you'd have to be careful not to make mistakes~". They gave a lot of attention to obvious ways to get around the LEAF. The unit key is generated via Skipjack itself, from random seeds provided by the two escrow agencies (approximately monthly, though that isn't certain yet). They say they prefer a software generation process because its correct behavior is auditable. Capstone (but not Clipper) could be configured to allow independent loading of the two key halves, in separate facilities. "~It's your money [meaning American taxpayers].~" The LEAF field contains 80 bits for the traffic key, encrypted via the unit key in "~a unique mode ~", 32 bits for the unit id, and a 16 bit checksum of some sort. (We didn't waste our breath asking what the checksum algorithm was.) This is all encrypted under the family key using "~another mode ~". They expressed a great deal of willingness to make any sort of reasonable changes that vendors needed for their products. They are trying *very* hard to get Skipjack and key escrow into lots of products. Finally, I should make clear that "Clipper" is more properly called the "MYK- 78T". EFF ANNOUNCES ITS OFFICIAL POLICY ON CRYPTOGRAPHY AND PRIVACY EFF strongly opposes original Clipper/Skipjack plan, reiterates the need to lift restrictions on encryption December 8, 1993 The Electronic Frontier Foundation is pleased to announce its formal policy on encryption. This is particularly timely, because yesterday the New York Times announced that the Digital Privacy and Security Working Group had proposed to trade support for the administration's proposed Clipper Chip for a lifting of the long-standing export embargo on robust domestic encryption. This was a misunderstanding of what the DPSWG offered the administration in this proposal, leading to the belief that both the DPSWG (a coalition of over 50 computer, communications, and privacy organizations and associations) and its principal coordinating organization, the Electronic Frontier Foundation, have offered to ease their opposition to Clipper. We see it as a pragmatic effort to get the government to wiggle on these issues: one step in the right direction, with many more to follow. This step is that we insist that use of Clipper and key escrow must be completely voluntary. It's not voluntary if users of the Skipjack algorithm are forced to use key escrow. It's not voluntary if users who do choose escrow are forced to use the government's choice of escrow agents. It's not voluntary if manufacturers such as AT&T are pressured into withdrawing competing products. It's not voluntary when competing products can't be sold in a worldwide market. It's not voluntary if the public can't see the algorithm they are "volunteering" to use. It's not voluntary if the government will require anyone to use Skipjack or escrow, even when communicating with the government. The Working Group chose to state this in a diplomatic fashion by applauding "repeated statements by Administration officials that there is no intent to make the clipper chip mandatory". They were diplomatic for two reasons. First, they believe the Administration has gotten this message. Clipper was announced in April and was supposed to be available in the Summer. It is December, the escrow system is still uncertain, and the Administration is still drafting a report which was due in July. If they still don't get it, the coalition has a 100 page white paper documenting the case against clipper and the case for lifting export controls, which they will release in response to any Administration position favoring Clipper. The second reason is that the coalition was trying to use the introduction of the Rep. Cantwell's bill eliminating many export controls on crypto to try, one more time, to urge the Administration to make voluntariness meaningful by unilaterally lifting export controls. Even if the Working Group and the Administration can't agree on Clipper, EFF and the Working Group needed to continue pressing the export issue. But NSA is digging in, and a legislative fight looks more likely. If diplomacy fails, EFF must fight for our rights. Thus, we are going to need all the allies we can find, from IBM, Apple, Lotus, and Sun, to cryptographers, cypherpunks, and folks on the net. EFF wants the public and the Administration to know (as we have frequently stated to them face to face) that the Electronic Frontier Foundation would fight to the end any attempt by the Administration to do any more than let companies use Clipper if they want and to let people buy it if they want -- and only in a market which has other strong encryption schemes available because export controls have been lifted. Under truly voluntary conditions, the EFF would be proud to say, "We have expressed ... tentative acceptance of the Clipper Chip's encryption scheme ... only if it is available as a voluntary alternative to widely-available, commercially-accepted encryption programs and products." We would applaud the Government for employing NSA's substantial expertise to devise improved encryption schemes -- like DES and Skipjack -- and deploying them to improve our society's privacy and security. We hope that the Clinton Administration can agree to take this single step. Here is the whole journey we'd like to begin. If you share our path, we need your help and support -- please join EFF. Send the end of this document for details. Electronic Frontier Foundation Policy on Cryptography & Privacy (Approved November 11, 1993) Digital technology is rapidly rendering our commercial activities and communications -- indeed, much of our personal lives -- open to scrutiny by strangers. Our medical records, political opinions, personal financial transactions, and intimate affairs now pass over digital networks where governments, employers, insurance companies, business competitors, and others who might turn our private lives against us can examine them with increasing ease and detail. The Electronic Frontier Foundation believes that Americans must be allowed access to the cryptographic tools necessary to protect their own privacy. We will work toward making the following principles the official policies of the U. S. Government: 1. Private access to cryptography must be unhindered: * There must be no laws restricting domestic use of cryptography. * There must be no restrictions on the export of products, services, or information because they contain cryptographic algorithms. 2. Cryptography policy and technical standards must be set in open, public forums: * All participants in the policy debate on these issues, particularly law enforcement and national security agencies, must submit their arguments to public scrutiny. * Any civilian encryption standard must be published and exposed to rigorous public challenge. 3. Encryption must become a part of the information infrastructure to provide security, to protect privacy, and to provide each individual control over his or her own identity. * Each user must be free to choose whether or not to use key escrow, and who should have copies of their keys, if anyone. * Government at all levels should explore cryptography's potential to replace identity-based or dossier-based systems, such as driver's licenses, credit cards, checks, and passports with less invasive technology. 4. New technologies must not erode constitutional protections, particularly the right to speak, publish, and assemble, and to be free from unreasonable searches and seizures . * There must be no broadening of governmental access to private communications and records, through wiretap law or otherwise, unless there is a public consensus that the risks to safety outweigh the risks to liberty and that our safety will actually be increased by the broadened access. *** The Electronic Frontier Foundation recognizes that the combination of digital communications and encryption technology does indeed threaten some of law enforcement's current investigative techniques. We also recognize that encryption will prevent many of the online crimes that will likely occur without it. We further believe that these technologies will create new investigative tools for law enforcement, even as they obsolete old ones. Entering this new environment, private industry, law enforcement, and private citizens must work together to balance the requirements of both liberty and security. But technology halts for no one, not even the law. *** For Electronic Frontier Foundation membership info, send email to membership@eff.org. For basic EFF details, send email to info@eff.org. Other queries should be sent to ask@eff.org. EFF Press Release Feb 4 '94 * DISTRIBUTE WIDELY * At two briefings, Feb. 4, 1994, the Clinton Administration and various agencies gave statements before a Congressional committee, and later representatives of civil liberties organizations, industry spokespersons and privacy advocates. The Electronic Frontier Foundation's position, based on what we have seen and heard from the Administration today, is that the White House is set on a course that pursues Cold War national security and law enforcement interests to the detriment of individual privacy and civil liberties. The news is grim. The Administration is: * not backing down on Clipper * not backing down on key escrow * not backing down on selection of escrow agents * already adamant on escrowed key access procedures * not willing to elminate ITAR restrictions * hiding behind exaggerated threats of "drug dealers" and "terrorists" The material released to the industry and advocacy version of the briefing have been placed online at ftp.eff.org (long before their online availability from goverment access sites, one might add). See below for specific details. No information regarding the Congressional committee version of the briefing has been announced. EFF Director Jerry Berman, who attended the private sector meeting, reported the following: "The White House and other officials briefed industry on its Clipper chip and encryption review. While the review is not yet complete, they have reached several policy conclusions. First, Clipper will be proposed as a new Federal Information Processing Standard (FIPS) next Wednesday. [Feb. 9] It will be "vountary" for government agencies and the private sector to use. They are actively asking other vendors to jump in to make the market a Clipper market. Export licensing processes will be speeded up but export restrictions will not be lifted in the interests of national security. The reason was stated bluntly at the briefing : to frustrate competition with clipper by other powerful encryption schemes by making them difficult to market, and to "prevent" strong encryption from leaving the country thus supposedly making the job of law enforcement and intelligence more difficult. Again in the interest of national security. Of course, Clipper will be exportable but they would not comment on how other governments will view this. Treasury and NIST will be the escrow agents and Justice asserted that there was no necessity for legislation to implement the escrow procedures. "I asked if there would be a report to explain the rationale for choosing these results - we have no explanation of the Administration's thinking, or any brief in support of the results. They replied that there would be no report because they have been unable to write one, due to the complexity of the issue. "One Administation spokesperson said this was the Bosnia of Telecommunications. I asked, if this was so, how, in the absense of some policy explanation, could we know if our policy here will be as successful as our policy in Bosnia?" The announcements, authorization procedures for release of escrowed keys, and q-and-a documents from the private sector briefing are online at EFF. They are: "Statement of the [White House] Press Secretary" [White House] file://ftp.eff.org/pub/EFF/Policy/Crypto/wh_press_secy.statement "Statement of the Vice President" [very short - WH] file://ftp.eff.org/pub/EFF/Policy/Crypto/gore_crypto.statement "Attorney General Makes Key Escrow Encryption Announcements" [Dept. of Just.] file://ftp.eff.org/pub/EFF/Policy/Crypto/reno_key_escrow.statement "Authorization Procedures for Release pf Emcryption Key Components in Conjunction with Intercepts Pursuant to Title III/State Statutes/FISA" [3 docs. in one file - DoJ] file://ftp.eff.org/pub/EFF/Policy/Crypto/doj_escrow_intercept.rules "Working Group on Data Security" [WH] file://ftp.eff.org/pub/EFF/Policy/Crypto/interagency_workgroup.announce "Statement of Dr. Martha Harris Dep. Asst. Secy. of State for Polit.-Mil. Affairs: Encryption - Export Control Reform" [Dept. of State] file://ftp.eff.org/pub/EFF/Policy/Crypto/harris_export.statement "Questions and Answers about the Clinton Administration's Encryption Policy" [WH] file://ftp.eff.org/pub/EFF/Policy/Crypto/wh_crypto.q-a These files are available via anonymous ftp, or via WWW at: http://www.eff.org/ in the "EFF ftp site" menu off the front page. Gopher access: gopher://gopher.eff.org/ Look in "EFF Files"/"Papers and Testimony"/"Crypto" All 7 of these documents will be posted widely on the net immediately following this notice. Contacts: Digital Privacy: Jerry Berman, Exec. Director Daniel J. Weitzner, Sr. Staff Counsel Archives: Stanton McCandlish, Online Activist General EFF Information: info@eff.org From the White House ***************************************************************** Embargoed until 3:00 p.m. EST Feb. 4, 1994 QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S ENCRYPTION POLICY Q. What were the findings of the encryption technology review? A. The review confirmed that sound encryption technology is needed to help ensure that digital information in both computer and telecommunications systems is protected against unauthorized disclosure or tampering. It also verified the importance of preserving the ability of law enforcement to understand encrypted communications when conducting authorized wiretaps. Key escrow technology meets these objectives. Specific decisions were made to enable federal agencies and the private sector to use the key escrow technology on a voluntary basis and to allow the export of key escrow encryption products. In addition, the Department of State will streamline export licensing procedures for products that can be exported under current regulations in order to help U.S. companies to sell their products abroad. To meet the critical need for ways to verify the author and sender of an electronic message -- something that is crucial to business applications for the National Information Infrastructure -- the federal government is committed to ensuring the availability of a royalty-free, public-domain Digital Signature Standard. Finally, an interagency working group has been established to continue to address these issues and to maintain a dialogue with industry and public interest groups. Q. Who has been consulted during this review? The Congress? Industry? What mechanism is there for continuing consultation? A. Following the President's directive announced on April 16, 1993, extensive discussions have been held with Congress, industry, and privacy rights groups on encryption issues. Formal public comment was solicited on the Escrowed Encryption Standard and on a wide variety of issues related to the review through the Computer System Security and Privacy Advisory Board. The White House Office of Science and Technology Policy and the National Security Council will chair the interagency working group. The group will seek input from the private sector both informally and through several existing advisory committees. It also will work closely with the Information Policy Committee of the Information Infrastructure Task Force, which is responsible for coordinating Administration telecommunications and information policy. Q. If national security and law enforcement interests require continued export controls of encryption, what specific benefits can U.S. encryption manufacturers expect? A. The reforms will simplify encryption product export licensing and speed the review of encryption product exports. Among other benefits, manufacturers should see expedited delivery of products, reduced shipping and reporting costs, and fewer individual license requests -- especially for small businesses that cannot afford international distributors. A personal exemption for business travellers using encryption products will eliminate delays and inconvenience when they want to take encryption products out of the U.S. temporarily. Q. Why is the key escrow standard being adopted? A. The key escrow mechanism will provide Americans and government agencies with encryption products that are more secure, more convenient, and less expensive than others readily available today -- while at the same time meeting the legitimate needs of law enforcement. Q. Will the standard be mandatory? A. No. The Administration has repeatedly stressed that the key escrow technology, and this standard, is for voluntary use by federal and other government agencies and by the private sector. The standard that is being issued only applies to federal agencies -- and it is voluntary. Q. Does this approach expand the authority of government agencies to listen in on phone conversations? A. No. Key escrow technology provides government agencies with no [sic] new authorities to access the content of the private conversations of Americans. Q. Will the devices be exportable? Will other devices that use the government hardware? A. Yes. After an initial review of the product, the State Department will permit the export of devices incorporating key escrow technology to most end users. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. Q. Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message? A. They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation, including a certification of this authorization, to the two entities responsible for safeguarding the keys. (The key is split into component parts, which are stored separately in order to ensure the security of the key escrow system.) They then obtain the components for the keys for the device being used by the drug smugglers. The components are then combined and the message can be read. Q. Who will hold the escrowed keys? A. The Attorney General has selected two U.S. agencies to hold the escrowed key components: the Treasury Department's Automated Systems Division and the Commerce Department's National Institute of Standards and Technology. Q. How strong is the security in the device? How can I be sure how strong the security is? A. This system is more secure than many other voice encryption system readily available today. While the algorithm upon which the Escrowed Encryption Standard is based will remain classified to protect the security of the system, an independent panel of cryptography experts found that the algorithm provides significant protection. In fact, the panel concluded that it will be 36 years until the cost of breaking the algorithm will be equal to the cost of breaking the current Data Encryption Standard now being used. Q. Is there a "trap door" that would allow unauthorized access to the keys? A. No. There is no trapdoor. Q. Whose decision was it to propose this product? A. The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision. The approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials. CLIPPER CHIP TECHNOLOGY CLIPPER is an NSA developed, hardware oriented, cryptographic device that implements a symmetric encryption/decryption algorithm and a law enforcement satisfying key escrow system. While the escrow management system design is not completely designed, the cryptographic algorithm (SKIPJACK) is completely specified (and classified SECRET). The cryptographic algorithm (called CA in this paper) has the following characteristics: 1. Symmetric, 80-bit key encryption/decryption algorithm; 2. Similar in function to DES (i.e., basically a 64-bit code book transformation that can be used in the same four modes of operation as specified for DES in FIPS 81); 3. 32 rounds of processing per single encrypt/decrypt operation; 4. Design started by NSA in 1985; evaluation completed in 1990. The CLIPPER CHIP is just one implementation of the CA. The CLIPPER CHIP designed for the AT&T commercial secure voice products has the following characteristics: 1. Functions specified by NSA; logic designed by MYKOTRONX; chip fabricated by VLSI, Inc.: manufactured chip programmed (made unique) by MYKOTRONX to security equipment manufacturers willing to follow proper security procedures for handling and storage of the programmed chip; equipment sold to customers; 2. Resistant to reverse engineering against a very sophisticated, well funded adversary; 3. 15-20 MB/S encryption/decryption constant throughout once cryptographic synchronization is established with distant CLIPPER Chip; 4. The chip programming equipment writes (one time) the following information into a special memory (called VROM or VIA-Link) on the chip: a. (unique) serial number b. (unique) unit key c. family key d. specialized control software 5. Upon generation (or entry) of a session key in the chip, the chip performs the following actions: a. Encrypts the 80-bit session key under the unit key producing an 80-bit intermediate result; b. Concatenates the 80-bit result with the 25-bit serial number and a 23-bit authentication pattern (total of 128 bits); c. Enciphers this 128 bits with family key to produce a 128-bit cipher block chain called the Law Enforcement Field (LEF); d. Transmits the LEF at least once to the intended receiving CLIPPER chip; e. The two communicating CLIPPER chips use this field together with a random IV to establish Cryptographic Synchronization. 6. Once synchronized, the CLIPPER chips use the session key to encrypt/decrypt data in both directions; 7. The chips can be programmed to not enter secure mode if the LEF field has been tampered with (e.g., modified, superencrypted, replaced); 8. CLIPPER chips will be available from a second source in the future; 9. CLIPPER chips will be modified and upgraded in the future; 10. CLIPPER chips presently cost $16.00 (unprogrammed) and $26.00 (programmed). 4/30/93 Digital Privacy and Security Working Group 666 Pennsylvania Ave, SE Suite 303 Washington, DC 20003 Jerry Berman or Daniel J. Weitzner 202/544-9237 Leah Gurowitz 202/544-6909 ISSUES AND QUESTIONS REGARDING THE ADMINISTRATION'S CLIPPER CHIP PROPOSAL A. Process by Which the Proposal Was Developed 1. Why the secrecy in which the encryption code scheme was developed? Were any members of the computer, communications, or security industries consulted? Were any privacy experts consulted? Has the Justice Department or the White House Office of Legal Counsel considered the constitutional implications? 2. The Administration's announcement implies that a policy review on encryption has been commenced; but at the same time, it appears that a decision has already been reached to support the Clipper proposal or some other key-escrow scheme. Is any review of the Clipper chip itself now underway? What progress has been made? When will this expedited review be complete? 3. What role has the National Security Agency played in the development and selection of the Clipper Chip and key escrow system? What will NSA's role be in the deployment and evaluation of the system? Are these roles consistent with the principle of civilian control of computer security, as required by the Computer Security Act of 1987? 4. What efforts are underway to improve the government's ability to decrypt non-Clipper algorithms which are likely to be used by criminals? Can the government decrypt all commercially available hardware sold domestically and abroad? If not, wouldn't it be a better policy to direct U.S. resources in that direction instead of the Clipper approach? 5. What percentage of the 800 to 900 annual Title III interceptions encounter encrypted communications? What percentage of law enforcement encountered encryption is estimated to be Clipper as opposed to the other encryption schemes? Is this a solution in search of a problem? 6. Did the government consider commercially-available encryption schemes and reject them? If so, why were they rejected, and is that analysis available? If not, why not? 7. Capstone is the successor to Clipper with the addition of public key exchange and digital signature capabilities. Is Clipper just an intermediate step before Capstone is released? Why did the White House press release not mention Capstone? 8. How will this relate to the FBI's Digital Telephony Proposal? Has the Administration committed to supporting, discarding or reintroducing the proposal in a new form? 9. What is the history of the proposal? How long has this been under consideration? 10. How long has the Clipper Chip and escrow concept been in development? Which agency originated these concepts? B. Secrecy of the Algorithm 11. Will the Clipper proposal have the same degree of public review that other NIST standards, such as DSS have gone through? 12. How can the public trust the security and reliability of an algorithm that is kept classified? 13. If American firms are not able to have their encryption experts examine the algorithm, how can they be sure that there is no "trap door" that would allow any Clipper Chip security system to be overridden? Dr. Kammer of NIST has said that "respected experts from outside the government will be offered access" to the algorithm. How do interested parties go about obtaining this access to the classified material about the Clipper algorithm and participate in the analysis of the design to search for trap doors and other weaknesses? What specific reports from this process will serve to reassure users regarding the integrity of the Clipper Chip? 14. What will be the consequence if the algorithm is published? Will it become less secure? If publication (i.e., de-classification) would make it less secure, how secure can it be? 15. If the Clipper Chip is too weak to protect classified government communications, why should it be used for sensitive proprietary private sector communications? 16. Executive Order 12356 has procedures on classification and declassification of information. Is the algorithm being classified under the framework of this order? What agency is in charge of classification/ declassification? 17. How much effort has the government put into the design and cryptoanalysis of the Clipper Chip as compared to the public analysis of the Data Encryption Standard during the last 16 years? 18. Is the Skipjack algorithm being used by the Clipper Chip derived from codes used in the management of our nuclear arsenal? Is this why the algorithm is being kept secret? If this is so, why are we using this secret system for a dubious commercial standard? If there is a national security justification to avoid having this encryption technique revealed, why risk compromising it by integrating it into publicly distributed products? 19. If the algorithm is classified, how will it be legal to distribute the chips to users not qualified to handle classified encryption equipment? This seems contrary to Facility Security Clearance procedures and the Personal Security Clearance requirements of DoD 5220.222-M, Industrial Security Manual for Safeguarding Classified Information. 20. Is it illegal to reverse engineer the Clipper Chip? If it were reverse engineered, would it then be illegal to reveal the algorithm? C. Voluntariness of Clipper System 21. Will this system be truly voluntary? If so, won't criminals and terrorists just use some other type of encryption? 22. If the use of the Clipper Chip is "voluntary," why would any party desiring privacy or secrecy of communications use it, knowing that the US. government has a process to allow decryption? If the Administration's ultimate goal is to ban other forms of encryption for use domestically, what is the legal basis for such an approach? 23. Isn't the Administration doing more than "encouraging" use of Clipper? (E.g., discontinuing DES at the end of the current certification cycle, directing NIST to adopt Clipper as a Federal standard, and maintaining export restrictions on hardware/software using different algorithms?) 24. Does the government have any plans to campaign for the implementation of the Clipper Chip as a standard for data cryptography? 25. What impact will the introduction of Clipper have on the market for other encryption technologies? Will the government otherwise try to discourage other cryptographic mechanisms from being marketed domestically and abroad? 26. Isn't the government dictating the design of technology into commercial products rather than allowing market demand to dictate? 27. What prevents a sender of information from encrypting with secure, easy to obtain software using DES or RSA algorithms before sending data through a channel encrypted with the Clipper system? 28. Would the Administration ever consider making the Clipper Chip or other key escrow system mandatory? D. Key Escrow System 29. How can the government assure us that the keys held in escrow are not compromised? What public or private agencies have sufficient integrity and public trust to serve as escrow agents? 30. How can the public be sure that keys will only be revealed upon proper warrant? Will there be clerks who actually operate the equipment who could get anyone's keys? Or will judges have personal keys, which would be directly authenticated to the escrow agents' equipment that protects the users' keys? 31. Once the keys are obtained from the escrow holders, is it envisioned that electronic surveillance can be done "real-time," or will recording and post- processing be required? 32. To hear both sides of a conversation, does law enforcement need the keys of both participants? 33. After law enforcement has properly obtained a pair of unit keys from the escrow agents and conducted a wiretap, will the keys be "returned" to the agents? What safeguards exist to prevent law enforcement from re-using the keys without authorization in the future? 34. Once in possession of the unit keys, can the government pretend to be ("spoof") the original unit owner? 35. What is the smallest number of people who would be in a position to compromise the security of the system? 36. Can an escrow agent exercise discretion in the release of key information? E.g., can they refuse an inappropriate request? (Phone companies ensure that court orders are facially valid.) Can they publicize an inappropriate request? Can they tell the person whose communications were intended to be violated? 37. Who will be responsible for auditing the escrow process and the use of revealed keys? 38. How will the government ensure that unanticipated uses of the escrow database are prevented in the long term? (E.g., the Census database was supposed to stay confidential for 75 years, but was released during World War Two to allow Japanese-Americans to be imprisoned without cause. What protections are in place to make sure that this never happens again? 39. What happens when one discovers that the keys have been captured through theft? How difficult would it be to change keys? What is done in the meanwhile? How difficult is it to reprogram the chip, or do you need a replacement? 40. If the chip can be reprogrammed, how do you prevent covert changes that will not be discovered until authorization to tap is received and execution of the warrant is forestalled? 41. It appears that once a given chip has been compromised due to use of the escrowed keys, the chip and the equipment it is used in are vulnerable forever. Is there any mechanism or program to re-key or replace compromised hardware? Is there any method for a potential acquiring party to verify whether the keys on a given chip have been compromised? Who should bear the cost of replacement or re- keying of compromised hardware? 42. What safeguards will be used when transporting the escrow keys? 43. What are the national security implications of widespread deployment of Clipper? Does it make our communications more susceptible to disruption or jamming? 44. Doesn't the two-escrowee approach make these locations targets of opportunity for any party or foreign government that wants to gain access to sensitive US. information? If an escrow location is compromised, all chip data contained there is compromised. Wouldn't these locations also become targets of opportunity for any criminal or terrorist organization that wanted to disrupt US. law enforcement? What back-up or physical security measures are envisioned? If multiple copies are kept, doesn't this increase the threat of compromise? E. Choice of Agents for the Keys 45. Who will be the agents for the keys? How secure will they be from the outside and from the inside? What is the cost of maintaining the escrow system? Who will pay? Who will profit? 46. When will the escrow agents be announced? Will there be a process to allow input into the selection of these individuals/agencies? 47. Although it has been reported that the escrow holders will not be the FBI, DoD, CIA or NSA, is it envisioned that one or both of the escrow locations will be non-government entities? Can one or both be private parties? What will the process be to determine what private party will be awarded the contract for key holder? 48. Can the set of escrow agents be changed after the initial selection? How can the government be prevented from moving the escrow contract to a more pliable escrow agent, if one of the agents stands up against the government for the rights of the people whose keys they are protecting? 49. Will escrow agents be immune from prosecution during their term of office, like Members of Congress, the President, and Justices of the Supreme Court? If not, what will prevent the government from harassing the agents during a dispute with the Justice Department? 50. Will there be a mechanism for particular people to keep their keys out of the key escrow database, or to obtain Clipper Chips with keys that have not been escrowed? (E.g. Judges, law enforcement officers, NSA officials, the President, etc.) F. Level of Security of Clipper Chip Encryption 51. How will the government assure American businesses that their proprietary information is not compromised? Given the extremely competitive nature of the high-tech industries, and the importance of intellectual property, how can American firms be adequately protected? 52. How will the government assure American citizens that the privacy of their electronic communications and the security of personal information that is transmitted in electronic form will all be secure under the Clipper Chip? 53. If the Administration is so confident about the level of security of the Clipper Chip scheme, why will classified information not be encrypted with it? 54. What warranty is the US. government prepared to make regarding the security of the Clipper Chip compared to other algorithms, and indemnity for failures for breaches of the algorithm, chips that are compromised due to failures in the security of the escrow system, or other failures in the Clipper approach? 55. What effect does Clipper have on other NSA and DOD programs aimed at encryption and authentication of unclassified messages (e.g., MOSAIC)? 56. If Clipper is not approved for classified traffic, what government agencies will be utilizing Clipper, and for what applications? 57. Normal security procedures involve changing cryptography keys periodically, in case one has been compromised. But the family and unit keys cannot be changed by the user. If these keys are compromised, it won't matter how frequently the user changed their session keys. Doesn't the long use of the same family and unit keys increase the likelihood that these keys will be compromised while they are still in use? Doesn't this also eliminate a significant degree of the user's control of the level of security that their his or her system provides? 58. If the government discovered that the algorithm or family key had been discovered by a foreign government or private individuals, would it tell the public that the system had been compromised? Are there plans to restore privacy and authentication if the algorithm is compromised? 59. How secure is the Clipper algorithm if it is attacked by a person with half the key? G. Level of Privacy Protection 60. Given the dramatic growth in transmission and storage of personal information in electronic form, does the Administration recognize that private individuals, as well as large organizations, need access to affordable, robust encryption systems? 61. Is law enforcement permitted to identify the specific piece of communications equipment without obtaining a warrant? If encrypted communications include the serial number ("chip family key"), will law enforcement be able to keep track of communications traffic and track private citizens without even securing the keys from the escrow agents? 62. Does the Administration believe that all household phones are going to be replaced with secure versions over some period of time? At what cost? 63. It has been impossible to keep any large collection of information completely private, including Social Security records, tax information, police files, motor vehicle records, medical records, video rentals, highly classified military information, and information on abuses of power. How will users be able to tell when this happens to the key escrow information? H. Constitutional/Legal Implications 64. Has the Administration fully considered the constitutional implications of the Clipper Chip and other key escrow systems? 65. Does forcing someone to disclose a key for future law enforcement access infringe the fundamental right against self incrimination embodied in the Fifth Amendment? 66. Does requiring key disclosure in conjunction with a particular technology violate users' right to free speech under the First Amendment? Courts frown most severely on any government attempts to compel a particular form of speech. 67. Does the escrow system violate the letter or the spirit of the Fourth Amendment protections which safeguard citizens against intrusive law enforcement practices? 68. When the Administration says "nor is the U.S. saying that 'every American, as a matter of right, is entitled to an unbreakable commercial encryption product,'" are they therefore saying the inverse, that every American is not allowed to have an unbreakable commercial encryption product? 69. Does the Administration see the need for any new legislation to implement its Clipper Chip proposal? If so, specifically identify. 70. In the event that one or more escrow keys are obtained through unauthorized means, what liability, if any, might the equipment manufacturer have to bear? 71. What will be the relationship between Federal and state law enforcement? Will the policy pre-empt state law? How will state law enforcement access the "key" system? 72. What is the statutory authority for regulation of domestic encryption? Are any of these statutes cold war relics? Should the efficacy of all statutes that effect civilian encryption be reviewed? 73. What protections do we have against blackmailing by escrow agents, or by others who have gained possession of escrowed keys? Is there civil or criminal liability for escrow agents who reveal keys illegally? 74. What is the impact on society if the right to hold a truly private conversation is withdrawn? 75. Is strong encryption technology important for protecting intellectual property in a digital network environment? I. Logistics of Chip Development and Manufacture 76. Why weren't other Chip manufacturers given the chance to bid on the chip production process? Why was the choice made to have only one manufacturer? 77. Since the Clipper Chip design data will need to be released to manufacturers, how will we be assured that this information, in itself, will not allow the user systems to be compromised? 78. What assurances will there be that the manufacturer is not keeping a record of all keys issued? 79. We have read Dorothy Denning's explanation of how the two 80-bit keys will be created in the SCIF. Is this description accurate? If not, how would this process occur? If so, is the system feasible? What will the cost be for this process and for the increased security of the involved government agents? 80. The chips will be programmed in a Secure Compartmented Information Facility (SCIF). Does this suggest that the chips should at some point be classified Secret or Top Secret? What is the classification of the Clipper and Capstone chips and the Skipjack algorithm? How will these chips be declassified once leaving the SCIF? 81. Some of the press reports imply that AT&T has had access to this information in order to incorporate Clipper into some of its equipment designs. Is that implication accurate? 82. Can this scheme be implemented in software? If so, why haven't we seen information on that software? If not, were issues of how this hardware solution would affect continued use of software encryption adequately evaluated? Were the comparative costs of software and hardware encryption schemes evaluated? Is this evaluation available for analysis? 83. Current high speed DES processors have encryption rates of approximately 200 megabits per second, while the Clipper Chip has a throughput of 12.5 megabits per second. Within two to five years, 100 Mbs+ technologies, such as Fast Ethernet, FDDI and ATM, will become commonplace. How will the Clipper technology be used in environments where data is sent at 100 Mbs or faster? J. Feasibility/Implementation 84. What testing has been done to verify the ability of Clipper to work across the panoply of new emerging technologies? If the underlying digital transport protocol drops a bit or two, will that interfere with Clipper operation? How critical is synchronization of the bit stream for Clipper operation? Has this technology been tested with ISDN, TDMA, Cellular, CDMA Cellular, ATM, SONET, SMDS, etc. and other emerging technologies? What effect does Clipper have on the Cellular Authentication and Voice Encryption (CAVE) algorithm? Are these differences for key generation, authentication, or voice privacy? 85. Does the Administration seek to extend the Clipper Chip proposal to the TDMA and CDMA digital cellular standards? 86. When will the government publish the various Modes of Operation and other documents for Clipper, together with a physical implementation standard (similar to the old FS-1027)? 87. Will the government consider the development of alternate sources for the chip or will vendors be limited to a single, monopoly supplier? 88. Initially, the Clipper Chip is being proposed for telephone technology, but the White House specifically mentions that the technology will be used for electronic data transmission. What is the timetable for implementing this? 89. What is the scope that the Administration envisions for the Clipper Chip's algorithm use? What about Capstone? Is it limited to choice, or does it encompass electronic mail, network encryption, security modems, long-haul bulk encryptors, video applications, computer password protection, Intelligent Vehicle Highway Systems ("IVHS"), satellite communications -- both transport and control, electronic funds transfers, etc.? 90. What is the Administration's policy on other security mechanisms beyond privacy, such as message authentication codes for banking and EFT, and for integrity and digital signatures for sender authentication and non-repudiation? What is the impact on international standards such as X.500 and X.509? 91. Since Clipper, as currently defined, cannot be implemented in software, what options are available to those who can benefit from cryptography in software? Was a study of the impact on these vendors or of the potential cost to the software industry conducted? 92. What is are the success criterion for the Clipper initiative? Would the government abandon its initiative if the Clipper is shown to be unsuccessful beyond government use? 93. What is the expected useful lifetime of the Clipper technology? What do you expect will render it useless at some point? 94. Is it true that the name "Clipper Chip" is the intellectual property of another company? K. Impact on American Competitiveness 95. As the key-escrow approach is designed to ensure the ability of the American government to access confidential data, do NIST and NSA expect overseas customers (who do not have the protection of due process) to purchase the chip for data protection? 96. In testimony before the House Telecommunications Subcommittee, Mr. Kammer of NIST indicated that if he were a foreign customer, he would not purchase devices that included the Clipper Chip. Doesn't this raise serious balance-of- trade problems? 97. Will the technology, or the Chip itself, be shared with other allied governments (e.g., the UK), or will US. producers of data security products, forced by government standards to develop clipper-based products for the US. market, be permanently closed out of the overseas security market? 98. If Clipper won't be commercially accepted abroad, and export controls continue to prohibit the exportation of other encryption schemes, isn't the US. government limiting American companies to a US. market? 99. Given the restrictions on who can build Clipper devices, how will Clipper keep up with advances in semiconductor speed, power, capacity and integration? Openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. 100. Will the Clipper Chip be used nationally and internationally? How will multinational operations accommodate this new system? 101. Banking and finance are truly global today. Most European financial institutions use technology described in standards such as ISO 9796. Many innovative new financial products and services will employ the reversible cryptography described in these standards. Clipper does not comply with these standards. Will US. financial institutions be able to export Clipper? If so, will their overseas customers find Clipper acceptable? 102. If overseas companies provide systems based on algorithms that do not have key escrow schemes that encrypt faster and more securely, how will we compete internationally? We are market leaders in applications software and operating systems. our world leadership in operating systems is dependent on integrating security in internationally distributed systems. 103. Internet Privacy Enhanced Mail (PEM) is becoming an internationally recognized system for encrypting Electronic Mail. Would Skipjack encryption become a US. standard for encrypting electronic mail while the rest of the world used PEM? How would E-mail traffic between the US. and other countries be encrypted? L. Effect on Export Control Policy 104. In light of the Clipper initiative, will export restrictions on hardware and software encryption regimes using DES and RSA algorithms (which are widely available abroad) remain in place? 105. Will American firms be allowed to sell devices containing the Clipper Chip abroad? Under which governmental regulatory regime would exports of devices containing the Clipper Chip fall? What conditions would be applied to exports of devices containing the Clipper Chip? (E.g., would American firms be allowed to export devices to non-US. customers without the escrow requirement? If not, who would hold the keys?) 106. What governmental regulations will apply to imports of devices containing the Clipper Chip? Given that most US. companies source most customer premise equipment (e.g., telephones, fax machines, etc.) offshore, how will the logistics be handled for the export of the Clipper Chip as a component, and the subsequent import of the device containing the chip? Will the US. permit non-US. manufacturers to have the Clipper algorithm? If not, how will the Administration justify this trade barrier? 107. If the Clipper Chip cannot be reverse-engineered, and if the US. government is capable of decrypting, why would there be any reason to limit Clipper products from being exported? 108. If Clipper is allowed to be exported, does the US. government foresee a problem with other governments? Would the US. government's access to escrow keys be viewed as an exercise of extraterritorial jurisdiction? M. Implications for Installed-Base/Existing Products 109. What are the implications of NSA/NIST withdrawing the certification of DES? Although it may -- at some point in the future -- no longer be used for government purposes, that is not going to effect commercial or private users' applications of DES. What about the embedded base of DES hardware? 110. Will existing systems need to be replaced? 111. What efforts were spent to make the new encryption approach compatible with the embedded base of equipment? If DES was becoming weak (vulnerable), wouldn't merely extending the DES key length to 80 bits have solved that problem? 112. There are a number of companies that employ non-escrowed cryptography in their products today. These products range from secure voice, data, and fax, to secure e-mail, electronic forms, and software distribution, to name but a few. With over a million such products in use today, what does the Clipper scheme foretell for these products and the many corporations and individuals that are invested in them and use them? Will the investment made by the vendors in encryption-enhanced products be protected? If so, how? Is it envisioned that they will add escrow features to their products or be asked to employ Clipper? N. Process by which Input Will Be Received from Industry/Public Interest Groups 113. If the outcome of the policy review is not pre-ordained, then the process to analyze the issues and arrive at solutions would seem to need a great deal of definition. What roles have been identified for Congress, the private sector, and other interested parties? Who is coordinating the process? 114. Why does the Presidential directive on the review process remain classified?