From: matt@oc.com (Matthew Lyle)
Date: Mon, 26 Apr 93 10:18:24 PDT
To: cypherpunks@toad.com
Subject: MacWeek article on Clipper/Capstone
Message-ID: <199304261717.AA24952@ra.oc.com>
MIME-Version: 1.0
Content-Type: text/plain


MacWEEK 04.26.93

Page 1

SECURITY CHIPS TRIGGER ALARM

Clipper and Capstone open digital back door.

By Mitch Ratcliffe

Washington -- The White House and National Security Agency, as part of
a wide-ranging retooling of U.S. privacy policies, are preparing two
encryption chips for use in the computer and telecommunications
industries.  Privacy advocates cried foul last week because the chips 
include a back door that allows police to monitor communications.

The Clipper chip announced this month can encrypt voice and data 
communications at up to 16Mbps.  Clipper is due to debut in secure
telephones from AT&T Co. this summer.  The second chip, called Capstone
and currently under development at the NSA, is a superset of Clipper that 
will implement the much-criticized Digital Signature Standard to add
authentication capabilities.  Its existence was revealed during a briefing 
at the Massachusetts Institute of Technology in Cambridge last week.

President Clinton ordered the National Institute of Standards and 
Technology to establish Clipper as a federal standard.  Since the
government is the largest computer customer in the world, its Federal
Information Processing Standards (FIPS) often are imposed on the industry
as de facto standards.

If Capstone follows Clipper into the FIPS requirements, DSS could usurp RSA
 Data Security Inc.'s public-key encryption scheme, which Apple licensed
for  AOCE (Apple Open Collaboration Environment).

But Apple's representative at the NSA briefing, Gursharan Sidhu, technical
director of collaborative computer and leader of the AOCE project, said
he is not worried that the government will force an encryption scheme
on the industry.

"We were given the impression that they are very open to suggestions," 
Sidhu said, adding that the government is faced with a growing conundrum as
it tries to simultaneously protect privacy and maintain its ability
to tap lawbreakers' communications.

"People have the idea that in cellular the security of communications
had gone away, so there is pressure to encrypt. [Without a back door], even
the  casual criminal would be able to communicate with invincible
security," Sidhu said.  "Law-enforcement agencies wouldn't be able to
collect intelligence."

A spokesman for NIST said Capstone will not be introduced unless the
president's review of national encryption policy conclueds it is needed.
But he also said the Department of Defense and NSA are already working
to develope a PCMCIA card-based implementation of Capstone for a 
classified defense messaging system.

The NSA confirmed it is working on Capstone but could not confirm
the Capstone PCMCIA card project.

Clipper and Capstone use a "key escrow" technology that lets 
law-enforcement agencies with a court order unscramble conversations 
and documents.  To reduce the potential for wiretap abuse, two agencies 
to be named by Attorney General Janet Reno will hold half of each key.  The
NSA said the key escrow agents will not be law-enforcement agencies.

Privacy advocates complained that the algorithms that perform Clipper 
scrambling functions will remain classified.  Encryptin technologies
typically  gain acceptance only after cryptographers pore over the
component algorithms and key management systems.

"We can't protect the key escrow features if we reveal the algorithm
to the public ... that's caused some heartburn," said John Podesta, staff
secretary to President Clinton.  "I'm not suggesting that the public
should trust us any more than any other government agency, but we are
doing a more comprehensive review [than any previous administration]."

Podesta said the Clinton team is taking a free-market approach to
encryption, in contrast to the previous administrations, which tried to
legislate simplified approaches.

"In the wireless communications environment, we have to more the ball
forward on security and privacy," Podesta said.  "The jury's still out on 
whether [Clipper] is the answer."

Jim Bidzos, president of RSA Data Security of Redwood City, Calif.,
said the NSA is using Clipper and Capstone in an attempt to confuse the 
market for privacy-enhancing technologies.  "It takes three or four
years fo rthis kind of proposal to die." Bidzos said.  Computer and 
communications companies might withhold support for any standard,
giving the NSA more time to prepare for the encrypted world, he said.

Computer Professionals for Social Responsibility, a Washington, D.C.
based public-interest group, has filed 11 Freedom of Information Act
requests for access to Clipper development records.  The group suspects
the NSA and NIST violated the Computer Security Act of 1987, whic limits
the NSA's role in development of public encryption technologies to
providing advice and assistance.  NSA said it developed both chips.