From: Trei Family <trei@relay-1.ziplink.net>
Date: Sun, 12 Oct 1997 13:08:10 +0800
To: cypherpunks@toad.com
Subject: CMR paves the road to GAK, and provides no corporate security.
Message-ID: <3.0.1.32.19971012005421.007ab570@pop3.ziplink.net>
MIME-Version: 1.0
Content-Type: text/plain



I've been mulling over PGP5's CMR feature for a while, trying to
decide what I think of it. It hasn't been easy, but I've come down
against it. I'm restricting my discussion to the use of CMR in 
corporate email. I am not addressing stored data.

> Jon Callas (jon@pgp.com) writes:

> There are two things I will discuss in this missive:

> (1) The assertion that Corporate Message Recovery is "just like Clipper"
> and why this is not true.
> (2) The fear a number of people have expressed that Corporate Message
> Recovery (CMR) could be used by the US government to slide in GAK. 

> I think we're agreed that CMR isn't itself GAK and I'll talk some about why
> it isn't with (1).

I think that we're a lot more worried that the presence of features like CMR
will make it easier for governments to mandate GAK. It's much tougher to 
insist on GAK if a switch requires new software to be developed, and
for everyone to purchase, install, and use espionage-enabled software. If
CMR -
like facilities are already in the software, then GAK could be mandated
overnight 
by executive order.

The inclusion of CMR drastically lowers the barriers to mandated GAK.

>CMR isn't like Clipper:

>* Clipper was a 64-bit key. CMR symmetric keys are full-strength keys (128
>bits or more), backed with a full-strength public key.

A word of advice: don't try to discuss Clipper in this forum without checking
your facts. Clipper used an 80 bit key.

> * Clipper's key was set in hardware by the manufacturer, and users were
> required to use it. 

Actually, the chips left the manufacturer 'blank'. They were to have their
unit keys set by some ill-defined process involving government employees.
It never really got nailed down, since Clipper was killed before the
key escrow agencies and systems were ramped up beyond demonstration levels.

> A CMR key is a software-enabled key, no user is ever
> required to use it.

With a CMR feature in place, a government can say "Starting now, encrypt 
to this key or we'll throw you in jail." Without CMR, they can't really do
this.

> There are cases in which a user might "volunteer" to
> use a CMR because they work for someone who requires it, 

[or because the State says it will toss his sorry ass in jail if he
 does not]

> but that's a
> problem we'll address with the PGP Secure Resume Server which allows
> headhunters to securely and anonymously find people who've made bad career
> decisions.

[or bad citizenship decisions?]

> * A CMR key can be revoked, reissued, or changed. You can periodically
> change it as a matter of policy. You can even stop using it. Clipper's was,
> again, set in hardware, with no option of not using it. 

Once again, you're unlikely to do this if the State decides that that would
be a good reason to jail you.

> * The Clipper symmetric algorithm was secret; CMR keys use publicly
> available algorithms.

True, but the point is moot - most people beleive that the NSA is perfectly
competant to write secure symmetric ciphers without outside review, and 
since they had given themselves a backdoor, there was no reason to leave 
the window unlocked as well.

> * With Clipper, there was always a concern that an outside agency had the
> keys. This is true with a number of other systems (the so-called key
> recovery systems), and is the reason that a number of them are lumped
> together with the term GAK. Note that the user-organization creates a CMR
> key, and the end-user enables it. If any government gets access to this
> key, it is because either (1) they solved the Discrete Logarithm Problem,
> (2) they broke the public CMR key, (3) they black-bagged your CMR key, or
> (4) they are using a subpoena, warrant, or discovery to get the key. We're
> working on a way around (1), we can't do anything about (2) or (3), but
> these are fine reasons not to use CMR! If you're beset by (4), you need
> lawyers, not cryptographers.

If the State could do (1), they would not be asking for key recovery in the
first place. (2) and (3), are greatly aided by CMR, since CMR provides 
high value targets; breaking or black-bagging a single key gives you access
to a great deal of traffic, and in the case of (4), you lose 5th Amendment
protection, since a third party holds a key.

> * With Clipper, there was a central repository of all the keys. With CMR,
> there is not. I discussed that in detail in my message, "Why Corporate
> Message Recovery isn't Key Escrow."

Once again, you haven't checked the record. Clipper keys were to be split, 
with different halves going to different government agencies. There were
fairly elaborate plans to prevent posession of only one half giving an
attacker an advantage. Thus there were *two* repositories, not one. 
(From the point of view of the paranoid, this was not much of a
comfort - both repositories belonged to the same entity.)

> I have noticed that a number of people have the tacit assumption that
> business people and corporations are in cahoots with the FBI, waiting to
> hand over everyone's secret key. As in all parts of life, there are many,
> many businesspeople and corporate execs who are not particularly moral. But
> I don't think that their immorality takes this form. If we could examine
> the dark, secret thoughts of a corporate scumwaffle -- the ones that he
> *really* hopes don't hit the papers -- I sincerely doubt that, "Oh, Louis,
> I love it when you rummage my drawers" is among them.

Here's an alternative interpretation. 

I think that 'business people and corporations' feel (with considerable 
justification, I might add) that they have a moral right to control the 
information which flows in and out of their worksites, just as they 
have a right to control to flow of material goods on and off of their 
premises. 

To control the flow of material goods, companies install security systems,
guards, metal detectors, etc. Depending on the type of good and it's value,
these more or less work, though they're never perfect; when the marginal cost
of improving security exceeds the loss that the improvement would prevent, 
you stop adding security. In the extreme case, the diamond workers of Namibia
have to undergo a full-body X-ray whenever they leave the diamond reserve.

Companies would like to be able to able to exercise similar control over data.
However, bits behave differently than do atoms. Physical barriers are almost
perfectly transparent. An employee can slip a multi-gigabyte DAT tape in
a shirt pocket, or transfer stego'd data undetected inside innocent cover
data,
perhaps with non-CMR'd superencryption.

For data, physical barriers - firewalls, passwords, isolated lans, access
controls
encryption, et al, can work more or less effectively to prevent
unauthorized outsiders
from acquiring data they should not. 

However, there is *no* way in which you can prevent a person you have
authorized to
receive data from making whatever use of it they desire, even if those uses
are 
opposed to your reasons for giving them the data.

CMR serves to give corporate executives the illusion that they can control the
uncontrollable. It lets them think they can monitor the expression of their
employess, while they can not. It lets them beleive that they can use
technology
to protect corporate proprietary data from theft by disloyal employees, while 
they can not. The only way to protect data is to make sure that employees 
share the goals and ends of the corporation; ie, give them a reason to be
loyal 
and trustworthy.

Classified agencies know this. In the classified world, there is a huge effort
to protect data from outside attack. There is a similarly intense effort to 
check that only loyal, reliable, trustworthy people get clearances, and 
strong 'need to know' controls to restrict what data even they can see.
However,
once a cleared person has acheived properly authorized access to classified 
data, there is (in my observation) remarkably little done to prevent them 
from deliberately walking off with it.

CMR provides an illusion that this loss can be prevented. It looks good in a
chief security officer's report; it gives warm fuzzies to senior management.
However, it provides no real security. In fact, it actually weakens security, 
since anyone with licit or illicit access to the CMR key(s) can read the data.

> Now then, the next topic is the fear that CMR will be used in some
> insidious government plot to slip in GAK everywhere.

> I worry about this, too. But I don't think it's feasible that CMR can be a
> stalking horse for GAK. If the government wants to GAK-enable all PGP,
> they'll have to have a plan similar to this:

[Strawman GAK plan deleted]

Here's a more realistic scenario.

1. OpenPGP with CMR becomes a standard, and is widely accepted and
installed. PGP gets
rich. (Are you going to claim that this could never happen?)

2. An executive order is signed by the President, ordering that all encrypted 
email include the FBI public key as a recipient. He notes that this will be
no 
burden to industry, since it's a freebie with the industry standard CMR
facility.

To summarize:

1. CMR cannot prevent disloyal employees from sending messages that their
   employers would want to prevent.

2. CMR, widely deployed, would greatly ease a transition to mandated GAK.

Given CMR's inability to provide an a desirable goal (improve corporate
security),
coupled with the severe downside (paving the road to GAK), I have decided that
I must oppose it.

> Jon Callas jon@pgp.com

Peter Trei
trei@ziplink.net