From: fergp@sytex.com (Paul Ferguson)
To: cypherpunks@toad.com
Message Hash: 81150b9c5a5e599d0bff900a9102113f5ec3e5ea6c45a92f7a7416dcc6a14ca7
Message ID: <HTPo7B2w165w@sytex.com>
Reply To: N/A
UTC Datetime: 1993-07-14 21:56:09 UTC
Raw Date: Wed, 14 Jul 93 14:56:09 PDT
From: fergp@sytex.com (Paul Ferguson)
Date: Wed, 14 Jul 93 14:56:09 PDT
To: cypherpunks@toad.com
Subject: The right to be secure (fwd Computerworld article)
Message-ID: <HTPo7B2w165w@sytex.com>
MIME-Version: 1.0
Content-Type: text/plain
ComputerWorld
Volume 27, Number 28
July 12, 1993
page 28
Advanced Technology
The right to be secure
Government-backed data security standard raises Big Brother issues
By James Daly
Two months ago, the Clinton administration dropped a bomb on the
world of computer security.
In an effort to assist law enforcement officers looking for a
legal back door into coded criminal communications, officials
from the National Institute of Standards and Technology (NIST)
and the National Security Agency (NSA) said they intend to
establish as a federal standard an approach to voice and data
encryption called "key escrow." This method would require the
technology needed to unlock a coded conversation to be kept by
government-approved agencies and retrieved in the event of
government-approved wiretaps.
Data encryption would be done in silicon via a device called the
"Clipper chip," which would be installed in machines needing its
coding and decoding capabilities.
To put it mildly, the Clipper chip proposal has generated a lot
of excitement among privacy advocates who fear abuses by a
technologically empowered Big Brother.
Computerworld recently tried to talk with officials from both the
NIST and the NSA to further explore the Clipper issue, but
neither allowed a face-to-face interview with a staff member.
Instead, we had to submit written questions.
Here are the answers provided by officials from the NIST and the
NSA.
Q. The proposed Clipper chip technology has generated an awful
lot of acrimony since it was announced in April. Has the
government lessened its level of commitment to the chip?
A. The administration remains committed too the initiative and is
proceeding with the following actions: the acquisition of key
escrow encryption devices by law enforcement agencies; the
naming of key escrow agents to hold the keys for the key
escrow microcircuits and the establishment of procedures by
the attorney general for the access of the keys; the
evaluation of the key escrow encryption algorithm by respected
experts; the promulgation of a standard by the secretary of
commerce to facilitate the procurement and use of key escrow
encryption devices in federal communications systems; and the
comprehensive review of encryption policy.
In addition, discussions with industry and other concerned
groups have proved very productive. The administration does
not intend to arbitrarily end its study of the issue while
helpful consultations are under way.
It should also be understood that the use of products
implementing the key escrow encryption microcircuit is
voluntary. There has been no attempt to either mandate its use
or to deny the entry of other encryption technologies into the
marketplace.
Q. Privacy advocates say that if the keys needed to de-crypt
data are placed in the hands of government authorities, there
is the potential for abuse. What kinds of safeguards would be
implemented to prevent this?
A. The government may conduct electronic surveillance only when
lawfully authorized. Moreover, the key escrow procedures being
developed provide that each key will be split into two parts,
and different key escrow authorities will hold each part.
Neither part alone can be used to decrypt messages.
To obtain the key needed to unlock the encryption, law
enforcement must present evidence of its authority for a key,
typically a court order, to both key escrow authorities.
Finally, the system will be designed to ensure that law
enforcement destroys the keys it receives when its authority
to conduct the electronic surveillance has expired.
Q. Vendors who have extensive business overseas say they would
not be able to sell Clipper-equipped machines on foreign
shores. How do you respond?
A. Key-escrowed products will be exportable to U.S. persons and
companies operating overseas. One issue under consideration in
the presidential review is whether a broader export policy is
advisable. Should a broader export policy be adopted, we
believe products implementing the key escrow technology will
find favor among consumers who desire the superb encryption
security offered.
Q. If Clipper would be the standard, would the use of non-Clipper
encryption devices be outlawed? If so, how would you find out
who was using these non-Clipper devices?
A. No. Use of key-escrowed products by the private sector would
be entirely voluntary. Federal agencies will have the option
of using this technology once it becomes a Federal Information
Processing Standard. DES [Data Encryption Standard], the
existing federal encryption standard, will still be available
for use in federal systems.
Q. Regarding DES, some security experts say that with powerful
chips such as Pentium already on the market and the 686 and
786 in design stages, DES is getting near to being crackable.
Is DES nearing the end of its useful life?
A. NIST will recommend that DES be renewed for another five years
as a Federal Information Processing Standard. We do recognize,
however, that as computer technology advances, the expected
effort needed to break DES-encrypted messages decreases. In
time, DES will become less valuable for securing sensitive
information.
Q. What eventually made DES and other cryptosystems acceptable was
their ease of use in software. Do you feel companies will be
willing to go back to the hassle and additional expenses of
hardware-based cryptography?
A. Again, we must emphasize that use of this technology is
voluntary. Software containing other cryptosystems is still
available to consumers. As for use of this technology in
hardware, new products are already being developed to lessen
the "hassle" of hardware-based cryptography. One example would
be its use of PCMCIA [Personal Computer Memory Card
International Association] cards. Moreover, encryption
implemented in software generally provides less security than
hardware encryption.
Q. What happens when the Clipper chip's technology cannot keep up
with faster networks and becomes a bottleneck? Do we then have
to have a multiyear review process wherein we select a
Clipper-2 chip and retrofit all the devices across the
country?
A. We expect the key escrow microcircuits will be enhanced to keep
pace with future data requirements. As with the introduction
of any next-generation technology, consumers will decide the
extent to which they require, and are willing to pat for, the
new technology. We do not envision an "across the country"
retrofit of all devices.
Q. What should the role of the government, if any, in developing
a nationwide computer security policy guideline?
A. The government has a strong interest in computer security
policies in light of the federal agencies' need to protect
their own information: for law enforcement agencies to
conduct lawfully authorized electronic intercepts in order to
combat crime and terrorism; to protect national security
through export controls of cryptographic technologies; and the
growing U.S. economic interest in protecting corporations and
citizens' information that is stored and transmitted
electronically.
That does not mean, however, that a government-imposed
security policy is appropriate. Government must be actively
involved in setting computer security standards for its own
use and making its technology, expertise and guidance
available to the private sector when requested and
appropriate. Private sector organizations can then make
appropriate risk-based, cost-effective decisions as to
protecting their information assets.
Paul Ferguson | "Confidence is the feeling you get
Network Integrator | just before you fully understand
Centreville, Virginia USA | the problem."
fergp@sytex.com | - Murphy's 7th Law of Computing
Quis Custodiet Ipsos Custodes?
Return to July 1993
Return to “fergp@sytex.com (Paul Ferguson)”
1993-07-14 (Wed, 14 Jul 93 14:56:09 PDT) - The right to be secure (fwd Computerworld article) - fergp@sytex.com (Paul Ferguson)