1993-06-17 - Second epistle of Whit apostle to Congress

Header Data

From: whitfield.diffie@Eng.Sun.COM
To: cypherpunks@toad.com
Message Hash: bab3c5e3c3fe75a1ae8628457b1e7ed1c0c4ed76b627dbb8717f4c95525be455
Message ID: <9306170230.AA03298@ushabti.Eng.Sun.COM>
Reply To: N/A
UTC Datetime: 1993-06-17 02:28:04 UTC
Raw Date: Wed, 16 Jun 93 19:28:04 PDT

Raw message

From: whitfield.diffie@Eng.Sun.COM
Date: Wed, 16 Jun 93 19:28:04 PDT
To: cypherpunks@toad.com
Subject: Second epistle of Whit apostle to Congress
Message-ID: <9306170230.AA03298@ushabti.Eng.Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain



    Here is what I told Markey's telecommunications committee last
Wednesday about the business impact of key escrow.  What follows
has been corrected for a major error for which I apologize to CPSR.
I had carelessly cited EFF as the extractor of some documents under
FOIA.  It also makes some minor corrections; the changes are shown
at the end.
				Whit


                          TESTIMONY BEFORE THE 
                          HOUSE SUBCOMMITTEE ON 
                      TELECOMMUNICATIONS AND FINANCE
                                     
                               9 June 1993
                                     
                  The Impact of Regulating Cryptography
              on the Computer and Communications Industries
                                     
                             Whitfield Diffie
                          Distinguished Engineer
                          Sun Microsystems, Inc.
                                      
                                     
     I'd like to begin by expressing my thanks to Chairman Markey, the
other members of the committee, and the committee staff for giving us
the opportunity to appear before the committee and express our views.

     We stand at a moment in history when an amazing coincidence of
developments in technology and world politics is showing us
opportunities in both business and personal life that no one could
have anticipated.  These developments rest on two closely related
cornerstones: communication and internationalism.

     Business today is characterized by an unprecedented freedom and
volume of travel by both people and goods.  It is an era of rapid
inexpensive transportation coupled with declining trade barriers.  All
this movement is made possible, however, by the reality of instant
telecommunication between places thousands of miles apart, conveying
voices, images, and data wherever they are needed.

     Ease of communication, both physical and electronic, has ushered
in an era of international markets and multinational corporations.  No
country is large enough that its industries can concentrate on the
domestic market to the exclusion of all others.  When foreign sales
rival or exceed domestic ones, the structure of the corporation
follows suit with new divisions placed in proximity to markets,
materials, or labor.

     The result is a world in which much of the population enjoys a
standard of material wealth and freedom of action previously unknown.
It is also a world in which no company, community, or country can
afford not to compete in the global market.


     Security of communication and computing is essential to this
telecommunication driven environment.  The communication system must
ensure that orders for goods and services are genuine, guarantee that
payments are credited to the proper accounts, and protect the privacy
of business plans and personal information.

     In the past, these diverse assurances have been provided by an ad
hoc patchwork that has evolved slowly over the century and a half
since the invention of the telegraph, but two factors are now making
that patchwork obsolete.

     The first is the rise in importance of intellectual property.
Much of what is now bought and sold is information that varies from
computer programs to surveys of customer buying habits.  Information
security has become an end in itself rather than just a means for
insuring the security of people and property.

     The second is the universal demand for mobility in
communications.  Traveling corporate computer users sit down at
workstations they have never seen before and expect the same
environment that is on the desks in their offices.  They carry
cellular telephones and communicate constantly by radio.  They haul
out portable PCs and dial their home computers from locations around
the globe.  With each such action they expose their information to
threats of eavesdropping and falsification barely known a decade ago.

     It is the lack of security for these increasingly common
activities that we encounter when we hear that most cellular telephone
calls in major metropolitan areas are overheard or even recorded by
eavesdroppers with scanners; that a new computer virus is destroying
data on the disks of PCs; or that industrial spies have broken into a
database half a world away.


     In this troubling scenario, however, there is a large ray of
hope.  Most of the technology to provide the needed protection is
already available in the form of contemporary cryptography and its
allied disciplines.  Some of it has existed for nearly fifty years;
some dates from the last five.  It isn't in widespread use, but it
does exist.

     Why then are proper security measures not incorporated in every
cell phone, laptop, and workstation?  Part of the answer is economic.
Collecting intelligence by spying on information is so hard to detect
that most users are unaware that they are suffering from it and
unwilling to pay to protect themselves.  Another lies in a unique
problem of implementing security standards: security mechanisms are
designed to block access to everyone who does not conform exactly to
their demands.  This makes them very unforgiving of that flexibility
at the margins that makes much of standardization possible.
Compounding these internal difficulties is one that is entirely
external: a regulatory structure that goes back to the cold war and
does not recognize the realities of the present situation.

     In the United States, export control has been the major barrier.
Companies are deterred from building proper security mechanisms into
their products because to do so will limit their exports and subject
them to tedious administrative procedures required to comply with the
law.  The alternatives are to support two versions of each product,
one for domestic use and one for export or to dilute the security
measures in all products to a level whose export the government
permits.

     At Sun Microsystems, approximately half our customers are outside
the United States.  Were we to build a workstation and an operating
system embodying the best security we know how to provide and the
security that we believe is needed, we would not be permitted to
export them.  This would present us with insuperable problems in
maintaining distinct but somehow compatible domestic and foreign
product lines.  Not least of the consequences is that we are unable to
provide security features that elements of the U.S. Government would
like in the systems they buy, because that market does not come close
to making up for the one we would have to forgo.

     I believe we are typical of computer companies in these respects.
Digital Equipment, after having made some outstanding contributions to
network security, appears to have abandoned its lead in the field.
Export issues were cited when it discontinued development of an
operating system designed to achieve a National Computer Security
Center A1 rating some five years back and I suspect they may have
played a role in its larger retreat from security as well.

     We have also suffered from the government's failure to take the
lead in championing security standards, both domestic and
international.  The first proposed federal standard in the area of
public key cryptography has appeared only after such techniques had
been employed for more than a decade and does not conform to the
conventional practice that has evolved both in the U.S. and abroad.
Some have even suggested that the government has actively worked to
block standardization, citing the United States' failure to vote for its
own national cryptographic standard (DES) in the International
Standards Organization and material on the working relationship
between NIST and NSA recently released to the Computer Professionals
for Social Responsibility under the Freedom of Information Act.


     Now we are faced with the greatest challenge to our ability to
secure the personal and business communications of the modern world
that we have yet encountered.  The administration proposes to adopt as
a federal standard a system that is not only secret, but incorporates
provisions for the government secretly to decode any person's
communications when it deems this necessary for law enforcement or
national security purposes.

     The effect is very much like that of the little keyhole in the
back of the combination locks used on the lockers of school children.
The children open the locks with the combinations, which is supposed
to keep the other children out, but the teachers can always look in
the lockers by using the key.

     The stated objective is to require the use of equipment based on
these new `key escrow' chips for certain communications within the
government and between the government and business.  If they are
successful in their objective, the latter provision could force the
inclusion of these chips in all devices used, for example, to
communicate with the government about contracts or taxes.


     What would be the effect of such broad inclusion?  

     We have been assured by NIST that the finished chips, once their
key escrow provisions have been programmed, will be available without
restriction for incorporation in any piece of domestic equipment, but
it is hard to see how either the security or wiretap objectives could
be achieved if this were the case.  It appears more likely that key
escrow chips will be available only to companies that agree to employ
them in approved ways.  Probably this will be done by using existing
regulatory machinery (called the Type II Commercial COMSEC Endorsement
Program) that requires the manufacturers to submit their designs to
NSA for approval.

     Were this to happen, the nation's computer manufacturers would be
trapped in a regulatory web more confining than any we have seen so
far.  If we at Sun were required by customers' needs to communicate
with the government to put the key escrow chip on the mother board of
our machine and by regulations to have the board design approved, the
government would have effective control of our development cycle.  One of
the requirements that would likely be imposed in these circumstances
would be that we not offer any other security mechanisms that could be
used to defeat the escrow provisions.  This would mean we could not
even maintain compatibility with our existing product line.

     It seems especially unlikely that customer acceptance of a chip
explicitly designed to provide only partial security could ever be
achieved other than by the coercive force of regulations. Nor does it
seem likely that a system to which the U.S. held the keys would ever
be accepted by more than a handful of other countries.  They do not
need it to achieve security, because an understanding of cryptography
is now global and developing rapidly.

     Faced with a choice between secret U.S. technology known to
embody a compromise and foreign systems of published function that at
least claim not to, customer response seems hardly in doubt.  The
result may give the government a devastating choice: accept the import
of foreign technology, losing both market share and the new law
enforcement capability or forbid the import of foreign cryptographic
systems altogether.  In the latter case, the U.S., currently a leader
in computers and software, seems likely to become a backwater, cut off
from one of the most profitable segments of the global economy.

     Another problem presented by the key escrow technology is cost.
No matter how essential it may be, security is still difficult to sell
and extremely price sensitive.  To require that cryptography not
merely be isolated in hardware (by and large a good security practice)
but that that hardware be a tamper resistant chip entirely dedicated
to one security function will push the prices of many products and
features beyond the reach of their potential markets.  Cryptography
can perfectly safely be embodied in microcode, implemented in cells
incorporated in multi-function chips, or programmed on dedicated, but
standard, microcontrollers at a tiny fraction of the tens of dollars
per chip that Clipper is predicted to cost.


     The effect of giving the government and one or a small number of
companies a monopoly control over an essential technology is also
troubling to contemplate.  The present key escrow chips operate in the
megabit range.  Can companies depend on NSA to have hundred megabit or
gigabit chips available just when they are needed or might U.S.
companies miss critical market windows while they wait for delivery of
parts over which they have no control?  Will there come a time, as
occurred with DES, when NSA wants the standard changed even though
industry still finds it adequate for many applications?  If that
occurs will industry have any recourse but to do what it is told?  And
if this happens who will pay for the conversion?


     Last month, before another committee of Congress, I discussed at
some length the impact that the key escrow proposal could have on
personal freedom, concluding that if it is adopted, we will take a big
step toward a world in which the right of private conversation belongs
only to those rich enough to travel to face to face meetings.  Rather
than repeat those arguments, I have attached my earlier testimony as
an appendix and focus here on a few essential points.

     It is clear that the costs of key escrow will be monumental
whether measured in dollars spent for computers, squandered business
opportunities, or lost liberties.  Even if these costs are accepted,
there remain two questions: can the law enforcement function be
achieved, and is it even necessary?

     In a world in which cryptographic expertise is widespread and
cryptography is readily implemented on small processors, rules seem no
more likely to keep security out of the hands of criminals than export
controls guarantee it will not be available to hostile nations.

     This, however, may not matter.  Despite the concern of law
enforcement that advancing technology will reduce the effectiveness of
wiretaps, that technology has been at least as much a blessing to the
police as a curse.  Even ignoring the contribution of police
communication systems and databases, modern telephone switches make
wiretaps more effective by supplying caller ID in real time under many
circumstances.  In a world in which conspiracies were conducted via
conference calls on secure phones, criminals could never be sure that
one of the participants was not an informer recording everything in
high fidelity without the risk of being caught wearing a body wire.


	Corrections to First Version Given to Congress

line  89 unaware of that ==> unaware that 

line 137 Electronic Frontiers Foundation ==> 
	 Computer Professionals for Social Responsibility

line 181 design cycle ==> development cycle

line 213 implemented in dedicated ==> programmed on dedicated






