From: Peter Wayner <pcw@access.digex.net>
Date: Thu, 5 Aug 93 06:39:51 PDT
To: cypherpunks@toad.com
Subject: No Subject
Message-ID: <199308051338.AA26748@access.digex.net>
MIME-Version: 1.0
Content-Type: text/plain




The Rule of Law and the Clipper Escrow Project

Last Thursday, I attended the first day of the Computer System Ssecurity
and Privacy Advisory Board in Washington. This is a group of industry
experts who discuss topics in computer security that should affect the
public and industry. Some of the members are from users like banks and
others are from service providing companies like Trusted Information
Services. Lately, their discussion has centered on the NSA/NIST's
Clipper/Capstone/Skipjack project and the effects it will have on
society.

At the last meeting, the public was invited to make comments and they
were almost unanimously skeptical and critical. They ranged from
political objections to the purely practical impediments. Some argued
that this process of requiring the government to have the key to all
conversations was a violation of the fourth amendment of the
constitution prohibiting warrentless searches. Others noted that a
software solution was much simpler and cheaper even if the chips were
going to cost a moderate $25. There were many different objections,
but practically everyone felt that a standard security system was
preferable.

This meeting was largely devoted to the rebutals from the
government. The National Security Association, the Department of
Justice, the FBI, the national association of District Attorneys
and Sheriffs and several others were all testifying today. 

The board itself runs with a quasi-legal style they make a point of
making both video and audio tapes of the presentations. The entire
discussion is conducted with almost as much gravity as Congressional
hearings.  The entire meeting was suffused with an air of ernest
lawfullness that came these speakers. All of them came from the upper
ranks of the military or legal system and a person doesn't rise to
such a position without adopting the careful air of the very diligent
bureaucrat. People were fond of saying things like, "Oh, it's in the
Federal Register.  You can look it up." This is standard operating
procedure in Washington agencies and second nature to many of the
day's speakers.

Dorothy Denning was one of the first speakers and she reported on
the findings of the committee of five noted public cryptologists
who agreed to give the Clipper standard a once-over. Eleven people
were asked, but six declined for a variety of reasons. The review
was to be classified "Secret" and some balked at this condition
because they felt it would compromise their position in public. 

The talk made clear that the government intended to keep the 
standard secret for the sole purpose of preventing people from
making unauthorized implementations without the law enforcement
back door. Dr. Denning said that everyone at the NSA believes
that the algorithm could withstand public knowledge with no trouble.
The review by the panel revealed no reason why they shouldn't trust
this assessment. 

Although lack of time lead the panel to largely rubberstamp
the more extensive review by the NSA, they did conduct a few tests
of their own. They programmed the algorithm on a Cray YMP, which
incidentally could process 89,000 encryptions per second in single
processor mode. This implementation was used for a cycling test which
they found seemed to imply that there was good randomness. The test
is done by repeatedly encrypting one value of data until a cycle occurs.
The results agreed with what a random process should generate.

They also tested the system for strength against a differential 
cryptanalysis attack and found it worthy. There was really very
little other technical details in the talk. Saying more would
have divulged something about the algorithm.

My general impression is that the system is secure. Many people
have played paranoid and expressed concerns that the classified
algorithm might be hiding a trapdoor. It became clear to me that
these concerns were really silly. There is a built-in trapdoor
to be used by the government when it is "legal authorized" to
intercept messages. The NSA has rarely had trouble in the past
exercising either its explicitly granted legal authority  or
its implied authority. The phrase "national security" is a
powerful pass phrase around Washington and there is no reason
for me to believe that the NSA wouldn't get all of the access
to the escrow database that it needs to do its job. Building in
a backdoor would only leave a weakness for an opponent to exploit
and that is something that is almost as sacrilidgeous at the NSA
as just putting the classified secrets in a Fed Ex package to 
Saddam Hussein.

Next there was a report from Geoff Greiveldinger , the man from the
Department of Justice with the responsibility of implementing the the
Key Escrow plan. After the Clipper/Capstone/SkipJack chips are
manufactured, they will be programmed with an individual id number and
a secret, unique key. A list is made of the id, key pairs and this
list is split into two halves by taking each unique key, k, and
finding two numbers a and b such that a+b=k. (+ represents XOR). One
new list will go to one of the escrow agencies and one will go to the
other. It will be impossible to recover the secret key without getting
the list entry from both agencies.

At this point, they include an additional precaution. Each list
will be encrypted so even the escrow agency won't be able to 
know what is in its list. The key for decoding this list will 
be locked away in the evesdropping box. When a wiretap is authorized,
each escrow agency will lookup the halves of the key that correspond
to the phone being tapped and send these to evesdropping box
where they will be decrypted and combined. That means that 
two clerks from the escrow agencies could not combine their
knowledge. They would need access to a third key or an evesdropping
box. 

It became clear that the system was not fully designed. It wasn't
obvious how spontenaeous and fully automated the system would
be. Mr. Greiveldinger says that he is trying to balance the tradeoffs
between security and efficiency. Officers are bound to be annoyed and
hampered if they can't start a tap instanteneously. The kidnapping of
a child is the prototypical example of when this would be necessary.

The courts also grant authority for "roving" wiretaps that allow
the police to intercept calls from any number of phones. A tap like
this begs out for a highly automated system for delivering the 
keys. 

I imagine that the system as it's designed will consist of escrow
computers with a few clerks who have nothing to do all day. When
a tap is authorized, the evesdropping box will be programmed with
a private key and shipped to the agents via overnight express. When
they figure out the id number of the phone being tapped, the evesdropping
box will probably phone the two escrow computers, perform a bit of
zero-knowledge authorization and then receive the two halves of the
key. This would allow them to switch lines and conduct roving
taps effectively. The NSA would presumably have a box that would
allow them to decrypt messages from foreign suspects.

At this point, I had just listened to an entirely logical presentation
from a perfect gentleman. We had just run though a system that had many
nice technological checks and balances in it. Subverting it seemed 
very difficult. You would need access to the two escrow agencies and
an evesdropping box. Mr. Greiveldinger said that there would be many
different "auditting" records that would be kept of the taps. It was
very easy to feel rather secure about the whole system in a nice, 
air-conditioned auditorium where clean, nice legally precise people
were speaking in measured tones. It was very easy to believe in 
the Rule of Law.

To counteract this, I tried to figure out the easiest way for me
to subvert the system. The simplest way is to be a police officer
engaged in a stakeout of someone for whom you've already received
a warrant. You request the Clipper evesdropping box on the off chance
that the suspect will buy a Clipper phone and then you "lend" it
to a friend who needs it. I think that the automation will allow
the person who possesses the box to listen in to whatever lines
that they want. The escrow agency doesn't maintain a list of people
and id numbers-- they only know the list matching the id number to
the secret key. There is no way that they would know that a request
from the field was unreasonable. Yes, the audit trails could be
used later to reconstruct what the box was used for, but that would
only be necessary if someone got caught. 

The bribe value of this box would probably be hard to determine,
but it could be very valuable. We know that the government of France
is widely suspected of using its key escrow system to evesdrop on 
US manufacturers in France. Would they be willing to buy evesdropping
time here in America? It is not uncommon to see reports of industrial
espionage where the spies get millions of dollars. On the other hand,
cops on the beat in NYC have been influenced for much less. The 
supply and demand theory of economics virtually guarantees that 
some deals are going to be done.

It is not really clear what real effect the key escrow system is going
to have on security. Yes, theives would need to raid two different
buildings and steal two different copies of the tapes. This is
good. But it is still impossible to figure out if the requests from
the field are legitimate-- at least within the time constraints posed
by urgent cases involving terrorism and kidnapping. 

The net effect of implementing the system is that the phone system
would be substantially strengthened against nieve intruders, but the
police (and those that bribe them) would still be able to evesdrop
with impunity. Everyone needs to begin to do a bit of calculus between
the costs and benefits of this approach. On one hand, not letting the
police intercept signals will let the crooks run free but on the other
hand, the crooks are not about to use Clipper phones for their secrets
if they know that they can be tapped.

The most interesting speaker was the assistant director of the National
Security Agency, Dr. Clint Brooks. He immediately admitted that the
entire Clipper project was quite unusual because the Agency was not
used to dealing with the open world. Speaking before a wide audience
was strange for him and he admitted that producing a very low cost
commercial competitive chip was also a new challenge for them. 

Never-the-less, I found him to be the deepest thinker at the conference.
He readily admitted that the Clipper system isn't intended to catch
any crooks. They'll just avoid the phones. It is just going to deny
them access to the telecommunications system. They just won't be able
to go into Radio Shack and buy a secure phone that comes off the line.

It was apparent that he was somewhat skeptical of the Clipper's potential
for success. He said at one point the possibilities in the system
made it worth taking the chance that it would succeed. If it could capture
a large fraction of the market then it could help many efforts of the
law enforcement and intelligence community.

When I listened, though, I began to worry about what is going to happen
as we begin to see the eventual blurring of data and voice communications
systems. Right now, people go to Radio Shack to buy a phone. It's the
only way you can use the phone system. In the future, computers, networks
and telephones are going to be linked in much more sophisticated ways.
I think that Intel and Microsoft are already working on such a technology.

WHen this happens, programmable phones are going to emerge. People
will be able to pop a new ROM in their cellular digital phone or
install new software in their computer/video game/telephone. This
could easily be a proprietary encryption system that scrambles
everything. The traditional way of controlling technology by
controlling the capital intensive manufacturing sites will be gone. Sure,
the NSA and the police will go to Radio Shack and say "We want your
cooperation" and they'll get it. But it's the little, slippery ones
that will be trouble in the new, software world.

The end of the day was dominated by a panel of Law Enforcement specialists
from around the country. These were sheriffs, district attorneys,
FBI agents and other officers from different parts of the system. 
Their message was direct and they didn't hesitate to compare encryption
with assault rifles. One even said, "I don't want to see the officers
outgunned in a technical arena." 

They repeatedly stressed the incredible safe guards placed upon 
the wiretapping process and described the hurdles that the officers
must go through to use the system. One DA from New Jersey said that
in his office, they process about 10,000 cases a year, but they only
do one to two wiretaps on average. It just seems like a big hassle
and expense for them.

It is common for the judges to require that the officers have very
good circumstantial evidence from informers before giving them
the warrant. This constraint coupled with the crooks natural hesitation
to use the phone meant that wiretaps weren't the world's greatest
evidence producers. 

One moment of levity came when a board member asked what the criminals
favorite type of encryption was. The police refused to answer this one
and I'm not that sure if they've encountered enough cases to build a 
profile. 

At the end of all of the earnestness and "support-the-cop-on-the-beat",
I still began to wonder if there was much value to wiretaps at all. The
police tried to use the low numbers of wiretaps as evidence that they're not
out there abusing the system, but I kept thinking that this was mainly
caused by the high cost and relatively low utility of the technique. 

It turns out that there is an easy way to check the utility of these
devices. Only 37 states allow their state and local police to use
wiretaps in investigations. One member of the panel repeated the rumor
that this is supposedly because major politicians were caught with
wiretaps. The state legislatures in these states supposedly
realized that receipients of graft and influence peddlers were the main
target of wiretaps. Evesdropping just wasn't a tool against muggers.
So they decided to protect themselves. 

It would be possible to check the crime statistics from each of these
states and compare them against the evesdropping states to discover
which has a better record against crime. I would like to do this
if I can dig up the list of states that allow the technique.
I'm sure that this would prove little, but it could possibly clarify
something about this technique.

It is interesting to note that the House of Representative committee
on the Judiciary was holding hearings on abuses of the National Crime
Information Center. They came in the same week as the latest round 
of Clipper hearings before the CSAB. The NCIC is a large computer 
system run by the FBI to provide all the police departments with a 
way to track down the past records of people. The widespread access
to the system makes it quite vulnerable to abuse.

In the hearings, the Congress heard many examples of unauthorized
access. Some were as benign as people checking out employees. The
worst was an ex-police officer who used the system to track down his
ex-girlfriend and kill her. They also heard of a woman who looked
up clients for her drug-dealing boyfriend so he could avoid the 
undercover cops. 

These hearings made it obvious that there were going to be problems
determining the balance of grief. For every prototypical example of
a child kidnapped to make child pornography, there is a rengade 
police officer out to knock off his ex-girlfriend. On the whole, the
police may be much more trustworthy than the criminals, but we need
to ask how often a system like Clipper will aid the bad guys. 


In the end, I reduced the calculus of the decision about Clipper to be
a simple tradeoff. If we allow widespread, secure encryption, will the
criminals take great advantage of this system? The secure phones won't
be useful in rapes and random street crime, but they'll be a big aid
to organized endeavors. It would empower people to protect their own
information unconditionally, but at the cost of letting the criminals
do the same.

Built-in back doors for the law enforcement community, on the other
hand, will deny the power of off-the-shelf technology to crooks, 
but it would also leave everyone vulnerable to organized attacks
on people. 

I began to wonder if the choice between Clipper and totally secure
encryption was moot. In either case, there would be new opportunities
for both the law-abiding and the law-ignoring. The amount of crime
in the country would be limited only by the number of people who 
devote their life to the game-- not by any new fangled technology
that would shift the balance.




I did not attend the Friday meeting so someone else will need to summarize
the details.