1993-08-17 - Call for Clipper Comments

Header Data

From: Dave Banisar <banisar@washofc.cpsr.org>
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Message Hash: 2b5a63f96154fca0be998a3367911733180d5b03c9c2101e2622026ef15de462
Message ID: <00541.2828442468.4792@washofc.cpsr.org>
Reply To: N/A
UTC Datetime: 1993-08-17 19:30:22 UTC
Raw Date: Tue, 17 Aug 93 12:30:22 PDT

Raw message

From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Tue, 17 Aug 93 12:30:22 PDT
To: CYPHERPUNKS <CYPHERPUNKS@toad.com>
Subject: Call for Clipper Comments
Message-ID: <00541.2828442468.4792@washofc.cpsr.org>
MIME-Version: 1.0
Content-Type: text/plain


  Call for Clipper Comments

The National Institute of Standards and Technology (NIST) has 
issued a request for public comments on its proposal to establish 
the "Skipjack" key-escrow system as a Federal Information 
Processing Standard (FIPS).  The deadline for the submission of 
comments is September 28, 1993.  The full text of the NIST notice 
follows.

CPSR is urging all interested individuals and organizations to 
express their views on the proposal and to submit comments 
directly to NIST.  Comments need not be lengthy or very detailed; 
all thoughtful statements addressing a particular concern will 
likely contribute to NIST's evaluation of the key-escrow proposal.  

The following points could be raised about the NIST proposal
(additional materials on Clipper and the key escrow proposal may 
be found at the CPSR ftp site, cpsr.org):

* The potential risks of the proposal have not been assessed and 
many questions about the implementation remain unanswered.  The 
NIST notice states that the current proposal "does not include 
identification of key escrow agents who will hold the keys for the 
key escrow microcircuits or the procedures for access to the 
keys."  The key escrow configuration may also create a dangerous 
vulnerability in a communications network.  The risks of misuse of 
this feature should be weighed against any perceived benefit.

* The classification of the Skipjack algorithm as a "national 
security" matter is inappropriate for technology that will be used 
primarily in civilian and commercial applications.  Classification 
of technical information also limits the computing community's 
ability to evaluate fully the proposal and the general public's 
right to know about the activities of government.
 
* The proposal was not developed in response to a public concern 
or a business request.  It was put forward by the National 
Security Agency and the Federal Bureau of Investigation so that 
these two agencies could continue surveillance of electronic 
communications. It has not been established that it is necessary for 
crime prevention.  The number of arrests resulting from wiretaps 
has remained essentially unchanged since the federal wiretap law 
was enacted in 1968.

* The NIST proposal states that the escrow agents will provide the 
key components to a government agency that "properly demonstrates 
legal authorization to conduct electronic surveillance of 
communications which are encrypted."  The crucial term "legal 
authorization" has not been defined.  The vagueness of the term 
"legal authorization" leaves open the possibility that court-
issued warrants may not be required in some circumstances.  This 
issue must be squarely addressed and clarified. 

* Adoption of the proposed key escrow standard may have an adverse 
impact upon the ability of U.S. manufacturers to market 
cryptographic products abroad.  It is unlikely that non-U.S. users 
would purchase communication security products to which the U.S. 
government holds keys.


Comments on the NIST proposal should be sent to:

Director, Computer Systems Laboratory
ATTN: Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD 20899

Submissions must be received by September 28, 1993.  CPSR has 
asked NIST that provisions be made to allow for electronic 
submission of comments.

Please also send copies of your comments on the key escrow 
proposal to CPSR for inclusion in the CPSR Internet Library, our 
ftp site.  Copies should be sent to <clipper@washofc.cpsr.org>.



================================================================= 

                         FEDERAL REGISTER
                         VOL. 58, No. 145
 
                     DEPARTMENT OF COMMERCE (DOC)
        National Institute of Standards and Technology (NIST)

                     Docket No. 930659-3159
                         RIN 0693-AB19

A Proposed Federal Information Processing Standard for an Escrowed 
Encryption Standard (EES)

                        58 FR 40791

                     Friday, July 30, 1993

Notice; request for comments.

SUMMARY: A Federal Information Processing Standard (FIPS) for an 
Escrowed Encryption Standard (EES) is being proposed. This 
proposed standard specifies use of a symmetric-key 
encryption/decryption algorithm and a key escrowing method which 
are to be implemented in electronic devices and used for 
protecting certain unclassified government communications when 
such protection is required. The algorithm and the key escrowing 
method are classified and are referenced, but not specified, in 
the standard.

   This proposed standard adopts encryption technology developed 
by the Federal government to provide strong protection for 
unclassified information and to enable the keys used in the 
encryption and decryption processes to be escrowed. This latter 
feature will assist law enforcement and other government agencies, 
under the proper legal authority, in the collection and decryption 
of electronically transmitted information. This proposed standard 
does not include identification of key escrow agents who will 
hold the keys for the key escrow microcircuits or the procedures 
for access to the keys. These issues will be addressed by the 
Department of Justice.

   The purpose of this notice is to solicit views from the public, 
manufacturers, and Federal, state, and local government users so 
that their needs can be considered prior to submission of this 
proposed standard to the Secretary of Commerce for review and 
approval.

   The proposed standard contains two sections: (1) An 
announcement section, which provides information concerning the 
applicability, implementation, and maintenance of the standard; 
and (2) a specifications section which deals with the technical 
aspects of the standard. Both sections are provided in this 
notice.


DATES: Comments on this proposed standard must be received on or 
before September 28, 1993.


ADDRESSES: Written comments concerning the proposed standard 
should be sent to: Director, Computer Systems Laboratory, ATTN: 
Proposed FIPS for Escrowed Encryption Standard, Technology 
Building, room B-154, National Institute of Standards and 
Technology, Gaithersburg, MD 20899.

   Written comments received in response to this notice will be 
made part of the public record and will be made available for 
inspection and copying in the Central Reference and Records 
Inspection Facility, room 6020, Herbert C. Hoover Building, 14th 
Street between Pennsylvania and Constitution Avenues, NW., 
Washington, DC 20230.


FOR FURTHER INFORMATION CONTACT: Dr. Dennis Branstad, National 
Institute of Standards and Technology, Gaithersburg, MD 20899, 
telephone (301) 975-2913.


   SUPPLEMENTARY INFORMATION: This proposed FIPS implements the 
initiative announced by the White House Office of the Press 
Secretary on April 16, 1993. The President of the U.S. approved a 
Public Encryption Management directive, which among other actions, 
called for standards to facilitate the procurement and use of 
encryption devices fitted with key-escrow microcircuits in 
Federal communication systems that process sensitive, but 
unclassified information.

   Dated: July 26, 1993.

 Arati Prabhakar,
 Director.(NIST)


----------------------------------------------------
 Federal Information Processing Standards Publication XX
 1993 XX
 Announcing the Escrowed Encryption Standard (EES)

   Federal Information Processing Standards Publications (FIPS 
PUBS) are issued by the National Institute of Standards and 
Technology (NIST) after approval by the Secretary of Commerce 
pursuant to section 111(d) of the Federal Property and 
Administrative Services Act of 1949 as amended by the Computer 
Security Act of 1987, Public Law 100-235.
 
 Name of Standard: Escrowed Encryption Standard (EES).

 Category of Standard: Telecommunications Security.

 Explanation: This Standard specifies use of a symmetric-key 
encryption (and decryption) algorithm and a Law Enforcement Access 
Field (LEAF) creation method (one part of a key escrow system) 
which provide for decryption of encrypted telecommunications when 
interception of the telecommunications is lawfully authorized. 
Both the algorithm and the LEAF creation method are to be 
implemented in electronic devices (e.g., very large scale 
integration chips). The devices may be incorporated in security 
equipment used to encrypt (and decrypt) sensitive unclassified 
telecommunications data. Decryption of lawfully intercepted 
telecommunications may be achieved through the acquisition and use 
of the LEAF, the decryption algorithm and escrowed key components.

   To escrow something (e.g., a document, an encryption key) means 
that it is "delivered to a third person to be given to the grantee 
only upon the fulfillment of a condition" (Webster's Seventh New 
Collegiate Dictionary). A key escrow system is one that entrusts 
components of a key used to encrypt telecommunications to third 
persons, called key component escrow agents. In accordance with 
the common definition of "escrow", the key component escrow agents 
provide the key components to a "grantee" (i.e., a government 
agency) only upon fulfillment of the condition that the grantee 
properly demonstrates legal authorization to conduct electronic 
surveillance of communications which are encrypted using the 
specific device whose key component is requested. The key 
components obtained through this process are then used by the 
grantee to reconstruct the device unique key and obtain the 
session key (contained in the LEAF) which is used to decrypt the 
telecommunications that are encrypted with that device. The term, 
"escrow", for purposes of this standard, is restricted to the 
dictionary definition.

   The encryption/decryption algorithm has been approved for 
government applications requiring encryption of sensitive 
unclassified telecommunications of data as defined herein. The 
specific operations of the algorithm and the LEAF creation method 
are classified and hence are referenced, but not specified, in 
this standard.

   Data, for purposes of this standard, includes voice, facsimile 
and computer information communicated in a telephone system. 
Telephone system, for purposes of this standard, is limited to 
systems circuit-switched up to no more than 14.4 kbs or which use 
basic-rate ISDN, or to a similar grade wireless service.

   Data that is considered sensitive by a responsible authority 
should be encrypted if it is vulnerable to unauthorized disclosure 
during telecommunications. A risk analysis should be performed 
under the direction of a responsible authority to determine 
potential threats and risks. The costs of providing encryption 
using this standard as well as alternative methods and their 
respective costs should be projected. A responsible authority 
should then make a decision, based on the risk and cost analyses, 
whether or not to use encryption and then whether or not to use 
this standard.

 Approving Authority: Secretary of Commerce.

 Maintenance Agency: Department of Commerce, National Institute of 
Standards and Technology.

 Applicability: This standard is applicable to all Federal 
departments and agencies and their contractors under the 
conditions specified below. This standard may be used in designing 
and implementing security products and systems which Federal 
departments and agencies use or operate or which are operated for 
them under contract. These products may be used when replacing 
Type II and Type III (DES) encryption devices and products owned 
by the government and government contractors.

   This standard may be used when the following conditions apply:

   1. An authorized official or manager responsible for data 
security or the security of a computer system decides that 
encryption is required and cost justified as per OMB Circular A-
130; and

   2. The data is not classified according to the National 
Security Act of 1947, as amended, or the Atomic Energy Act of 
1954, as amended.

   However, Federal departments or agencies which use encryption 
devices for protecting data that is classified according to either 
of these acts may use those devices also for protecting 
unclassified data in lieu of this standard.

   In addition, this standard may be adopted and used by non-
Federal Government organizations. Such use is encouraged when it 
provides the desired security.
 
Applications: Devices conforming to this standard may be used for 
protecting unclassified communications.

 Implementations: The encryption/decryption algorithm and the LEAF 
creation method shall be implemented in electronic devices (e.g., 
electronic chip packages) that can be physically protected against 
unauthorized entry, modification and reverse engineering. 
Implementations which are tested and validated by NIST will be 
considered as complying with this standard. An electronic device 
shall be incorporated into a cryptographic module in accordance 
with FIPS 140-1. NIST will test for conformance with FIPS 140-1. 
Cryptographic modules can then be integrated into security 
equipment for sale and use in an application. Information about 
devices that have been validated, procedures for testing equipment 
for conformance with NIST standards, and information about 
obtaining approval of security equipment are available from the 
Computer Systems Laboratory, NIST, Gaithersburg, MD 20899.

 Export Control: Implementations of this standard are subject to 
Federal Government export controls as specified in title 22, Code 
of Federal Regulations, parts 120 through 131 (International 
Traffic of Arms Regulations -ITAR). Exporters of encryption 
devices, equipment and technical data are advised to contact the 
U.S. Department of State, Office of Defense Trade Controls for 
more information.

 Patents: Implementations of this standard may be covered by U.S. 
and foreign patents.

 Implementation Schedule: This standard becomes effective thirty 
days following publication of this FIPS PUB.

 Specifications: Federal Information Processing Standard (FIPS 
XXX)(affixed).

 Cross Index:

   a. FIPS PUB 46-2, Data Encryption Standard.

   b. FIPS PUB 81, Modes of Operation of the DES

   c. FIPS PUB 140-1, Security Requirements for Cryptographic 
Modules.


 Glossary:

   The following terms are used as defined below for purposes of 
this standard:

   Data - Voice, facsimile and computer information communicated in 
a telephone system.

   Decryption - Conversion of ciphertext to plaintext through the 
use of a cryptographic algorithm.

   Device (cryptographic) - An electronic implementation of the 
encryption/decryption algorithm and the LEAF creation method as 
specified in this standard.

   Digital data - Data that have been converted to a binary 
representation.

   Encryption - Conversion of plaintext to ciphertext through the 
use of a cryptographic algorithm.

   Key components - The values from which a key can be derived 
(e.g., KU sub 1 + KU sub 2).

   Key escrow - A process involving transferring one or more 
components of a cryptographic key to one or more trusted key 
component escrow agents for storage and later use by government 
agencies to decrypt ciphertext if access to the plaintext is 
lawfully authorized.

   LEAF Creation Method 1 - A part of a key escrow system that is 
implemented in a cryptographic device and creates a Law 
Enforcement Access Field.

   Type I cryptography - A cryptographic algorithm or device 
approved by the National Security Agency for protecting classified 
information.

   Type II cryptography - A cryptographic algorithm or device 
approved by the National Security Agency for protecting sensitive 
unclassified information in systems as specified in section 2315 
of Title 10 United States Code, or section 3502(2) of Title 44, 
United States Code.

   Type III cryptography - A cryptographic algorithm or device 
approved as a Federal Information Processing Standard.

   Type III(E) cryptography - A Type III algorithm or device that is 
approved for export from the United States.

 Qualifications. The protection provided by a security product or 
system is dependent on several factors. The protection provided by 
this standard against key search attacks is greater than that 
provided by the DES (e.g., the cryptographic key is longer). 
However, provisions of this standard are intended to ensure that 
information encrypted through use of devices implementing this 
standard can be decrypted by a legally authorized entity.

 Where to Obtain Copies of the Standard: Copies of this 
publication are for sale by the National Technical Information 
Service, U.S. Department of Commerce, Springfield, VA 22161. When 
ordering, refer to Federal Information Processing Standards 
Publication XX (FIPS PUB XX), and identify the title. When 
microfiche is desired, this should be specified. Prices are 
published by NTIS in current catalogs and other issuances. Payment 
may be made by check, money order, deposit account or charged to a 
credit card accepted by NTIS.

 Specifications for the Escrowed Encryption Standard


 1. Introduction

   This publication specifies Escrowed Encryption Standard (EES) 
functions and parameters.


 2. General

   This standard specifies use of the SKIPJACK cryptographic 
algorithm and the LEAF Creation Method 1 (LCM-1) to be implemented 
in an approved electronic device (e.g., a very large scale 
integration electronic chip). The device is contained in a logical 
cryptographic module which is then integrated in a security 
product for encrypting and decrypting telecommunications.

   Approved implementations may be procured by authorized 
organizations for integration into security equipment. Devices 
must be tested and validated by NIST for conformance to this 
standard. Cryptographic modules must be tested and validated by 
NIST for conformance to FIPS 140-1.


 3. Algorithm Specifications

   The specifications of the encryption/decryption algorithm 
(SKIPJACK) and the LEAF Creation Method 1 (LCM-1) are classified. 
The National Security Agency maintains these classified 
specifications and approves the manufacture of devices which 
implement the specifications. NIST tests for conformance of the 
devices implementing this standard in cryptographic modules to 
FIPS 140-1 and FIPS 81.


 4. Functions and Parameters


 4.1 Functions

   The following functions, at a minimum, shall be implemented:

   1. Data Encryption: A session key (80 bits) shall be used to 
encrypt plaintext information in one or more of the following 
modes of operation as specified in FIPS 81: ECB, CBC, OFB (64), CFB 
(1, 8, 16, 32, 64).

   2. Data Decryption: The session key (80 bits) used to encrypt 
the data shall be used to decrypt resulting ciphertext to obtain 
the data.

   3. Key Escrow: The Family Key (KF) shall be used to create 
the Law Enforcement Access Field (LEAF) in accordance with the 
LEAF Creation Method 1 (LCM-1). The Session Key shall be encrypted 
with the Device Unique Key and transmitted as part of the LEAF. 
The security equipment shall ensure that the LEAF is transmitted 
in such a manner that the LEAF and ciphertext may be decrypted 
with legal authorization. No additional encryption or modification 
of the LEAF is permitted.


 4.2 Parameters

   The following parameters shall be used in performing the 
prescribed functions:

   1. Device Identifier (DID): The identifier unique to a 
particular device and used by the Key Escrow System.

   2. Device Unique Key (KU): The cryptographic key unique to a 
particular device and used by the Key Escrow System.

   3. Cryptographic Protocol Field (CPF): The field identifying 
the registered cryptographic protocol used by a particular 
application and used by the Key Escrow System (reserved for 
future specification and use).

   4. Escrow Authenticator (EA): A binary pattern that is inserted 
in the LEAF to ensure that the LEAF is transmitted and received 
properly and has not been modified, deleted or replaced in an 
unauthorized manner.

   5. Initialization Vector (IV): A mode and application dependent 
vector of bytes used to initialize, synchronize and verify the 
encryption, decryption and key escrow functions.

   6. Family Key (KF): The cryptographic key stored in all devices 
designated as a family that is used to create the LEAF.

   7. Session Key (KS): The cryptographic key used by a device to 
encrypt and decrypt data during a session. 

   8. Law Enforcement Access Field (LEAF): The field containing 
the encrypted session key and the device identifier and the escrow 
authenticator.


 5. Implementation

   The Cryptographic Algorithm and the LEAF Creation Method shall 
be implemented in an electronic device (e.g., VLSI chip) which is 
highly resistant to reverse engineering (destructive or non-
destructive) to obtain or modify the cryptographic algorithms, the 
DID, the KF, the KU, the EA, the CPF, the operational KS, or any 
other security or Key Escrow System relevant information. The 
device shall be able to be programmed/personalized (i.e., made 
unique) after mass production in such a manner that the DID, KU 
(or its components), KF (or its components) and EA fixed pattern 
can be entered once (and only once) and maintained without 
external electrical power.

   The LEAF and the IV shall be transmitted with the ciphertext. 
The specifics of the protocols used to create and transmit the 
LEAF, IV, and encrypted data shall be registered and a CPF 
assigned. The CPF shall then be transmitted in accordance with the 
registered specifications.

   The specific electric, physical and logical interface will vary 
with the implementation. Each approved, registered implementation 
shall have an unclassified electrical, physical and logical 
interface specification sufficient for an equipment manufacturer 
to understand the general requirements for using the device. Some 
of the requirements may be classified and therefore would not be 
specified in the unclassified interface specification.
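
Sections 4.1 and 4.2 above describe the escrow data flow; the following toy model is an added example, not part of the original message or the NIST notice. SKIPJACK and LCM-1 are classified, so a SHAKE-256 keystream and a truncated HMAC stand in for them, and the field sizes (apart from the 80-bit session key), the LEAF layout, and XOR as the way key components combine are all assumptions.

```python
# Added illustration: toy model of the EES escrow data flow (not real SKIPJACK/LCM-1).
# Assumptions: SHAKE-256 keystream as cipher, truncated HMAC as escrow authenticator,
# XOR for combining key components, and every field size except the 80-bit KS.
import hashlib
import hmac
import secrets

KEY_LEN, DID_LEN, EA_LEN = 10, 4, 4   # bytes; only the 80-bit session key is from the notice

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, label, data):
    """Stand-in for SKIPJACK: XOR with a key-derived stream (its own inverse)."""
    return xor(data, hashlib.shake_256(key + label).digest(len(data)))

def split_device_key(ku):
    """Split KU into two components, one per escrow agent (KU = KU1 xor KU2)."""
    ku1 = secrets.token_bytes(len(ku))
    return ku1, xor(ku, ku1)

def escrow_authenticator(kf, did, enc_ks, iv):
    """Stand-in EA: a short keyed checksum over the other LEAF fields and the IV."""
    return hmac.new(kf, did + enc_ks + iv, hashlib.sha256).digest()[:EA_LEN]

def make_leaf(kf, ku, did, ks, iv):
    """Device side: wrap KS under KU, add DID and EA, encrypt the lot under KF."""
    enc_ks = toy_cipher(ku, b"ks" + iv, ks)
    ea = escrow_authenticator(kf, did, enc_ks, iv)
    return toy_cipher(kf, b"leaf" + iv, did + enc_ks + ea)

def open_leaf(kf, leaf, iv):
    """Family-key holder: decrypt the LEAF, check EA, return (DID, wrapped KS)."""
    plain = toy_cipher(kf, b"leaf" + iv, leaf)
    did, enc_ks, ea = plain[:DID_LEN], plain[DID_LEN:-EA_LEN], plain[-EA_LEN:]
    if not hmac.compare_digest(ea, escrow_authenticator(kf, did, enc_ks, iv)):
        raise ValueError("escrow authenticator mismatch: LEAF modified or replaced")
    return did, enc_ks

def recover_session_key(kf, leaf, iv, agent1, agent2):
    """Grantee: DID from the LEAF selects both components; together they give KU."""
    did, enc_ks = open_leaf(kf, leaf, iv)
    ku = xor(agent1[did], agent2[did])
    return toy_cipher(ku, b"ks" + iv, enc_ks)

def demo():
    kf, ku, ks = (secrets.token_bytes(KEY_LEN) for _ in range(3))
    did, iv = b"\x00\x00\x00\x2a", secrets.token_bytes(8)   # constructed sample values
    ku1, ku2 = split_device_key(ku)
    agent1, agent2 = {did: ku1}, {did: ku2}                 # each agent holds one component
    leaf = make_leaf(kf, ku, did, ks, iv)
    tampered = bytes([leaf[0] ^ 1]) + leaf[1:]              # flip one bit in transit
    try:
        open_leaf(kf, tampered, iv)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    _, enc_ks = open_leaf(kf, leaf, iv)
    return {
        "recovered": recover_session_key(kf, leaf, iv, agent1, agent2) == ks,
        "one_component_only": toy_cipher(ku1, b"ks" + iv, enc_ks) == ks,
        "tamper_rejected": tamper_rejected,
    }

if __name__ == "__main__":
    print(demo())
```

In this model anyone holding KF can read the DID from every LEAF, while the session key stays wrapped until both agents release their components for that DID.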








