From: jya@pipeline.com (John Young)
Date: Sat, 1 Jun 1996 21:45:36 +0800
To: cypherpunks@toad.com
Subject: NYT on NRC Report
Message-ID: <199606011049.KAA14185@pipe2.t1.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   The New York Times, May 31, 1996, p. D2. 
 
 
   White House Challenged on Data Security 
 
   By John Markoff 
 
 
   The United States Government should immediately relax 
   export controls on electronic data coding products and 
   allow the computer, software and telecommunications 
   industries to set data security standards, a new report 
   urged yesterday. 
 
   The report, commissioned by Congress and prepared for the 
   National Research Council of the National Academy of 
   Sciences, stands in direct opposition to existing Clinton 
   Administration proposals for data security standards and 
   for linking the relaxation of export controls to the 
   adoption of such standards. The report calls for the 
   widespread commercial adoption of technologies used to 
   prevent illegal wiretapping of computer data, telephone, 
   cellular and other wireless communications. The National 
   Research Council provides science and technology advice 
   under a Congressional charter. 
 
   The report also states that despite creating potential 
   problems for law enforcement agencies by making it easier 
   for criminals to shield their communications from 
   Government wiretappers, cryptography would also help 
   prevent crime by sheltering communications and electronic 
   transactions from the prying eyes of electronic 
   interlopers. 
 
   "Without information security, computer crime in this 
   country will rise very rapidly," said Kenneth W. Dam, the 
   chairman of the panel that prepared the report. Mr. Dam, 
   Deputy Secretary of State during the Reagan Administration, 
   is also professor of American and foreign law at the 
   University of Chicago. 
 
   The report, industry executives said, is likely to become 
   a key weapon in the battle between the Federal Government 
   and industry and civil liberties groups. 
 
   "It echoes things we have been saying for some time," said 
   Jim Bidzos, chief executive of RSA Data Security Inc., a 
   developer of computer security software. "The next 
   battleground is going to be Capitol Hill because the 
   Administration isn't going to give up easily." 
 
   In particular, the report takes issue with Administration 
   efforts to force the use of data-scrambling systems using 
   "escrowed" keys that would let law enforcement and 
   intelligence agencies use built-in backdoors to read coded 
   information. 
 
   Cryptography, once used only by spies and the military, has 
   become an increasingly vital technology for insuring 
   security in electronic commerce and personal privacy. It 
   relies on the use of mathematical formulas to scramble 
   electronic information so that it cannot be read without 
   the proper digital "key." 
 
   Key escrow systems like those proposed by the 
   Administration in its Clipper chip program would split the 
   key and have trusted third parties like the Treasury 
   Department hold parts of it, making it possible for law 
   enforcement agencies to generate keys without consulting 
   the sources of the data. 
 
   As recently as two weeks ago, the Administration was 
   pushing for key escrow coding approaches to data 
   scrambling. A draft White.House policy paper has proposed 
   linking relaxation of export controls to systems that 
   included key escrowing. The recent paper also indicated 
   that the Government was willing to accept "self-escrow" 
   systems for some large corporations that would allow them 
   to to hold all parts of the keys. 
 
   Critics of key escrow management technology note that it 
   can be abused by agencies that wish to exceed their 
   surveillance authority and that the technology is 
   vulnerable to a single point of failure. If a so-called 
   master key is stolen, they say, the entire coding system 
   can be compromised. 
 
   Because strong cryptography would complicate the mission of 
   United States intelligence agencies, the Federal Government 
   currently places tight controls on the export of software 
   and hardware that offer stronger cryptographic protection 
   than 40-bit keys. Such keys are made up of a binary number 
   that is 40 digits long. Computer experts have shown that 
   40-bit keys are vulnerable to attacks. 
 
   The report released yesterday, "Cryptography's Role in 
   Securing the Information Society," calls for dropping stiff 
   export controls on products that use the Data Encryption 
   Standard, which relies on a 56-bit key and offers stronger 
   protection against computerized attacks than a 40-bit key. 
 
   [End]