US CRYPTOGRAPHIC POLICY
A Truly National Review is Needed

Stephen T. Walker
President, Trusted Information Systems, Inc.

The recent introduction of the Clipper Chip encryption algorithm has been hailed by the Government as an appropriate compromise between the right of citizens to protect their privacy and that of the law enforcement community to defend against criminal elements. To some, Clipper and its companion, Capstone, would imply a solution to the long-standing issues of cryptography in the United States. More than likely, however, these innovations add only one more confusing element to the complicated and often illogical policies of the US Government regarding the use of cryptography by the Government and private citizens/organizations.

This paper attempts to describe the confusion that exists now in US cryptographic policy and to propose some ways to resolve the confusion through a national review of all the issues.

For the past twenty years, the need for a national policy on cryptography has been apparent. Conflicting signals from a succession of Administrations have led many to be very confused as to what US citizens have a right to expect from cryptographic technologies and what capabilities the US Government would prefer its citizens have available. In addition, the recent Clipper announcement also called for a Government interagency review of the issues, with limited public input, in a very short time frame. Unless a truly national review is held with considerable public input over a reasonable time frame (e.g., six months), the frustration felt by all sides of this issue will continue to increase.

The confusion we face with respect to the use of cryptography in the US is not hard to understand, even if it may be very difficult to resolve.
The public (private citizens, private companies, and civilian government organizations) is saying, "What this country needs is a set of good exportable encryption algorithms that are widely available in commercial products," while the national security/law enforcement communities have been saying (before the Clipper announcement), "You can have them, but not widely available," and (after the Clipper announcement), "The public should only have cryptography that the US Government can read."

Among the questions that deserve to be examined as part of a national review of cryptography are:

- If the Data Encryption Standard (DES) were exportable today, would we have all the controversy and confusion that exist now in US cryptographic policy?
- If DES had been exportable five years ago, would we now have widespread use of cryptography throughout Government and the private sector, worldwide?
- Does the need for US industry to protect sensitive information in a worldwide economy outweigh whatever cost widespread availability of cryptography might pose to the US (and other) Governments?

Answers to these questions may help resolve where we should be going from here. But first we must understand where we are now and how we got here.

Before Clipper: Confusion

Well before April 16, 1993, when Clipper was announced, the US policy on cryptography was already confused. A little over a year ago, there were two main elements to the cryptography puzzle in the US (Figure 1). One of these elements was a set of encryption devices to protect US Government classified information (called Type I cryptography). These devices use hardware implementations of classified encryption algorithms and are generally not exportable. They are reserved for use only in approved US Government and contractor facilities.

DES and RSA

The other element was a set of algorithms intended for the protection of unclassified sensitive information.
This set includes US Government sanctioned cryptography such as the DES, a Federal standard for the past fifteen years, approved only in hardware implementations but widely available in software. Export of DES is restricted, even though the algorithm itself is openly published and readily available worldwide. This set also includes cryptography not sanctioned by the US Government, such as the RSA public key encryption algorithm which, while not a Federal standard, is also readily available worldwide, primarily in software. Export of RSA is restricted above certain key lengths and, in the US at least, it is a patented algorithm which requires licensing.

DSS

Two years ago, the Federal Government introduced the Digital Signature Standard (DSS), a competing algorithm to RSA, good only for digital signatures and not for providing confidentiality. DSS is different from RSA. It is not necessarily better in any particular way (and some believe it may be worse in some respects); it is just different. Some speculate that it was introduced primarily to prevent even wider acceptance of RSA.

Many people believed, two years ago, that this dichotomy of "high grade" cryptography for the military and an array of "good quality" cryptography for unclassified sensitive information was complex enough in its own right. However, in the last two years, a series of announcements of new capabilities has further complicated the picture (Figure 2).

SPA

In July 1992, the Software Publishers Association (SPA) reached an agreement with the US Government which gave general approval for the export of cryptography for confidentiality when the key length was restricted to 40 bits. Two algorithms, RC2 and RC4, have been approved for export in confidentiality applications for mass market products, with expedited State Department approval procedures.
Unfortunately, a 40-bit key with any algorithm is so weak and can be broken so easily with an exhaustive key search that it is embarrassing for the US Government to have endorsed such an approach for protecting anything of real value.

PMSP/MOSAIC

In 1992, the Department of Defense introduced a program called PMSP (now called MOSAIC) which utilizes a hardware chip (Capstone) to afford protection for unclassified sensitive information within the Government. This hardware chip is not exportable, involves a secret algorithm, and presumably has key escrow features similar to the Clipper Chip.

CLIPPER

Then on April 16, 1993, the President announced the Clipper Chip for the protection of unclassified sensitive information, apparently primarily for telephonic applications, with key escrow provisions, available in hardware only, not exportable except to subsidiaries of US companies, and with a secret algorithm.

The picture that appeared somewhat complex two years ago is now vastly more complicated. The only pattern that seems consistent through all of this is that the US Government does not want widespread use of "good quality" cryptography.

Call for a National Review on Cryptography in the US

The Computer Security Act of 1987 created the Computer System Security and Privacy Advisory Board (CSSPAB) to advise the government (both the Executive Branch and Congress) on emerging technology issues in computer security. In March 1992, the Board recommended that a national level review of the use of cryptography in the United States be held. The Board recognized the dilemma between the national security/law enforcement interests and those of the civilian/commercial world for the protection of their sensitive data. The Board recommended that the review involve Government (national security, law enforcement, and civilian interests) and industry (users and vendors).
Throughout 1992, the Board pressed for this review with presentations and discussions from industry representatives and associations.

National Policy on Use of Cryptography

One potential outcome of such a review could be a national policy on the use of cryptography. One such policy that has been proposed is:

- High grade cryptography shall be available solely for the use of the US Government national security and law enforcement interests.
- Good quality cryptography shall be available for private individuals and organizations without government restriction.
- "Good quality cryptography" is exemplified by the Data Encryption Standard (for symmetric key encryption) and the Digital Signature Standard or RSA algorithm limited to a 512-bit modulus (for asymmetric key encryption).
- "Without government restriction" is defined as without export control restriction (other than conventional Department of Commerce commodity licensing) or any other government control measures, such as key escrow or other similar procedures.

This policy calls for the existence of good quality cryptography without export or other government restriction for average citizens, industry, and civilian government. The policy acknowledges the right of individuals to good cryptography and focuses the debate on what constitutes good quality cryptography. As stated here, DES with 56-bit keys is considered good quality because it represents a strong encryption algorithm which, even after fifteen years as a Federal Standard, has not been broken. It is also a de facto standard, widely available throughout the world. Others would argue the SPA 40-bit key agreement already satisfies this policy statement. Unfortunately, the 40-bit key is far too weak to provide good quality cryptography.


Enter Clipper: More Confusion

On April 16, 1993, with the announcement of the Clipper Chip, the US Government attempted to define good quality cryptography as being based on a supposedly strong but secret algorithm using 80-bit keys which can be readily decrypted by the US Government under appropriate circumstances. It is important to note that the confusion that existed prior to April 16, relative to a complex array of algorithms for protecting unclassified sensitive information, was not reduced in any way by the introduction of Clipper. Rather, all the issues that were there before still exist, with the addition of serious civil liberty concerns relative to the government decryption and key escrow procedures.

"Voluntary" Use

If the US Government intends only to "request" vendors to include Clipper Chips in their products, then it may succeed within a limited market for devices such as telephone security boxes. Where hardware must be utilized in any case, which chip one uses (DES or Clipper) really does not matter so long as one is willing to ignore key escrow issues. In the computer application area, however, DES and RSA are already so widely used in software versions that most users will not even consider converting to Clipper or Capstone, simply because of the additional hardware expense. Software versions of DES and RSA running on high speed personal computers can operate at very fast speeds, and there is no longer a need to resort to a hardware board to perform cryptographic functions. Also, international limitations on the export of Clipper and Capstone will severely limit their usefulness even in the US because they have only a domestic market.

Key Escrow

Clipper and Capstone contain a unique new capability that allows legal wire tap decryption of information encrypted by a Clipper/Capstone device. The Government's arguments for legal wire tapping sound contrived.
In presentations to the public, the Government has indicated that on average over the past 10 years, only 800 legal wire taps have been performed annually, 60% by the Federal Government and 40% by state and local organizations. When asked how many of these wire taps encountered encrypted data, the answer given was "very few." When questioned further, the stated premise of the escrow process is that the US Government is "doing this to get ahead of a problem we know will be big in the future." This does not make sense. One suspects there must be much more behind all this.

There are many concerns about the escrow approach, in addition to its not being fully thought out prior to the April 16 announcement. There are concerns about how the escrow process will actually be established, but even if it is administered properly, there are additional serious concerns. What happens after the wire tap court order has been received and the key is in the hands of routine law enforcement officials? The holder of the key can then read all of the communications of the wire tap subject: present, future, and past. Once the wire tap order has been issued and the unique key is revealed, the device is irrevocably compromised. Unfortunately, the owner will not know until well after his/her device has been compromised and can never be confident that his/her communications are in fact protected.

One concludes from this that anyone who is seriously seeking to protect sensitive information will use alternative methods, either instead of or in addition to the Clipper/Capstone Chips. Clearly this applies to those who are operating outside of the law, who can buy the best available, either legally or illegally. If all this is so, why are we going to this expensive hardware solution and experiencing this confusion over escrowed keys? The Clipper Chip did not solve any of the complicated issues we were facing before. Rather, it has introduced a great deal of additional complexity.

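
The "irrevocably compromised" point above can be seen in a toy model. The following Python is an added example written for this page; it is not code from the paper and not the actual Clipper/Capstone design. It assumes a simplified escrow scheme in which each device's long-lived unit key is on deposit with the escrow agents and each call's fresh session key travels alongside the ciphertext wrapped under that unit key (a stand-in for an escrow access field). The cipher is an HMAC-SHA256 keystream used only so the example runs with the standard library, and the device identifier, key sizes and call transcripts are constructed.

```python
"""Toy model of device-keyed key escrow (constructed example, not the paper's
code and not the real Clipper/Capstone design).

Assumed, simplified scheme:
  * every device holds one long-lived unit key that the escrow agents also hold;
  * every call uses a fresh session key, sent with the ciphertext wrapped under
    the unit key (a stand-in for an escrow access field);
  * the cipher is a keystream derived with HMAC-SHA256 in counter mode, used
    here only so the example runs with the standard library.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (HMAC-SHA256, counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class EscrowedDevice:
    """A device whose unit key is on deposit with the escrow agents (assumed model)."""

    def __init__(self, device_id: str, unit_key: bytes):
        self.device_id = device_id
        self.unit_key = unit_key

    def send(self, plaintext: bytes) -> dict:
        """Encrypt one call under a fresh session key and attach the wrapped session key."""
        session_key = os.urandom(16)
        nonce = os.urandom(8)
        return {
            "device_id": self.device_id,
            "nonce": nonce,
            # Domain-separated so the wrapping keystream never overlaps the call keystream.
            "wrapped_key": xor_crypt(self.unit_key, b"wrap:" + nonce, session_key),
            "ciphertext": xor_crypt(session_key, nonce, plaintext),
        }


def escrow_decrypt(unit_key: bytes, record: dict) -> bytes:
    """What any holder of a released unit key can do: unwrap the session key, then decrypt."""
    session_key = xor_crypt(unit_key, b"wrap:" + record["nonce"], record["wrapped_key"])
    return xor_crypt(session_key, record["nonce"], record["ciphertext"])


def wiretap_scenario() -> dict:
    """Record calls before and after an order; one released unit key opens them all."""
    escrow_deposit = {"unit-0001": os.urandom(16)}  # the escrow agents' copy (constructed)
    device = EscrowedDevice("unit-0001", escrow_deposit["unit-0001"])

    # Constructed traffic captured by an interceptor before any order exists.
    before = [device.send(b"call 1: quarterly figures"), device.send(b"call 2: merger terms")]
    # Order issued: the agents release the unit key for this device id.
    released_key = escrow_deposit[device.device_id]
    # Traffic after the order; the device has no way to learn its key was released.
    after = [device.send(b"call 3: new supplier bid")]

    recovered = [escrow_decrypt(released_key, r) for r in before + after]
    # Without the deposited key the records stay unreadable: a wrong key unwraps garbage.
    wrong = escrow_decrypt(os.urandom(16), before[0])
    return {"recovered": recovered, "wrong_key_result": wrong}


if __name__ == "__main__":
    for line in wiretap_scenario()["recovered"]:
        print(line.decode())
```

Running wiretap_scenario() shows the property the paper objects to: because every session key was wrapped under the same long-lived unit key, one release of that key decrypts calls captured before the order as well as every call made afterwards, and nothing in the records tells the device owner that the key has left escrow. The model also shows why the concern is about the key holder and not the court process: once the unit key is in a file, any copy of it has the same power.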

Non-"Voluntary" Use

If the US Government intends to do more than "request" the use of the Clipper Chip by restricting other uses of cryptography, it must be prepared for a firestorm of protest and massive resistance. Sampling comments from various industry groups over the last few weeks indicates that the average computer user will not agree to any form of restriction of present cryptographic capabilities. Software encryption is the norm in the computer industry and cannot be eliminated by legislation or executive order.

Interagency Review of Cryptography

Along with the announcement of the Clipper Chip, the President stated that there would be a Government Interagency Review of cryptography. It has been publicly stated that this review will "seek the facts before coming up with sensible policies." It must be noted that this review would have been much more credible had it been held before the Clipper Chip announcement, rather than just after it. Unfortunately, the time frame recently announced for this review is so short (draft report by the end of June, final by the end of August) that it will not allow serious analysis of the issues.

This proposed Interagency review falls far short of what is needed. The government is not the only interested party here. Industry and individual citizens have a vital stake in the outcome of this debate. The government has an absolute obligation to take industry needs into consideration in such a review. Unless civilian and commercial interests are included, the review will be at best useless and perhaps highly detrimental. It appears at this time that the CSSPAB, together with other private sector groups, will be invited to participate at some level in this Interagency review. It is strongly recommended that such industry and civilian involvement be included and be listened to.
The only way that the outcome of such a review will be acceptable to the public at large is if the public has the firm belief that its views are being heard. Unfortunately, the short time frame envisioned for the review severely limits its potential effectiveness.

Summary

The lack of a stated national policy on the use of cryptography has impeded progress on the development and use of information security products for the past twenty years. The often conflicting guidance in this area over the years leads some to conclude that there must be an unstated national policy opposing the widespread availability of cryptography for private citizens/organizations and unclassified government use. The series of announcements of new encryption capabilities for unclassified use over the past year (e.g., SPA, MOSAIC, Clipper) only adds to the confusion. Escrowed keys pose an additional set of civil liberty questions without resolving any of the other existing concerns.

A national review of the use of cryptography, as called for by the CSSPAB, is vitally needed. A major goal of such a review should be the establishment of a national policy which clearly delineates the rights of private individuals/organizations to develop and use encryption techniques without government restrictions. The proposed Government Interagency Review will likely fall short of the much needed national review if it does not allow for adequate public input over a reasonable amount of time.