1993-09-16 - CSSPAB meeting of September 1 and 2.

Header Data

From: Peter Wayner <pcw@access.digex.net>
To: cypherpunks@toad.com
Message Hash: 64fe1108af271eb9f7b483f108b9ed09f050b2ebe3bc0c004c5b0d3975991624
Message ID: <199309161955.AA19000@access.digex.net>
Reply To: N/A
UTC Datetime: 1993-09-16 19:59:21 UTC
Raw Date: Thu, 16 Sep 93 12:59:21 PDT

Raw message

From: Peter Wayner <pcw@access.digex.net>
Date: Thu, 16 Sep 93 12:59:21 PDT
To: cypherpunks@toad.com
Subject: CSSPAB meeting of September 1 and 2.
Message-ID: <199309161955.AA19000@access.digex.net>
MIME-Version: 1.0
Content-Type: text/plain

I'm sorry that this is so late, but I got backed up doing too many
other things. Feel free to go to the anonymous mailers and post
sarcastic remarks, straight-forward discussions or other comments.



Here's my report from what I saw attending the Computer System
Security and Privacy Advisory Board meeting on September 1st and
2nd in Baltimore, MD. This group is a Congressionally chartered
organization with the responsibity to render advice on questions
of cryptography and computer security. It's members are made
up of people from government and industry. One member must be
a representative from the National Security Agency. 

The meeting this time was at the Hyatt in Baltimore and there were
several differences between this meeting and the last two which
were held at the National Institute of Standards and Technology
in Gaithersburg, MD. First, there were coffee, juice and doughnuts
available in the morning. Second, I did not notice any recording
devices or stenographers keeping track of what was said. Previous
meetings at NIST had been both video and audio taped. 

There were two major parts to the meeting: 1) listening presentations
from a variety of different people and 2) debating resolutions about
the government's proposed Key Escrow standard. I attended most of the
presentations, but I skipped most of the debate about the resolutions.
The remarks that follow are basically my personal recollections.

The most interesting bit of information I learned on the first day
concerned a software version of the Key Escrow system. The strongest
and least controversial arguments against deploying all revolve around
the fact that the proposed chips we've seen so far are all based in
hardware. Adding an additional chip to computers and phones costs
money ($25-100), adds weight (bad for portable phones) and increases
power consumption. None of these are desirable attributes. More
importantly, a hardware standard not very flexible and the nation's
entire computer system could be compromised for 6 months to a year
if the key escrow agents went bad. That's my estimate for the amount
of time it would take us to replace all the chips. 

NIST, in recognition of these facts, has announced a "Cooperative
Research and Development" plan (called CRADA-- the "A" might
stand for agreement). This would allow members of industry and
academia to join together with NIST and the NSA to try and discover
a good, software based, Key Escrow scheme. Ray Bonner, deputy director
of NIST, discussed the plan and said that he wasn't sure that it 
would lead to anything but that it was worth a try. He also said
that we should keep a copy of the Federal Register containing the
announcement (Vol 58, #162, Tues,  Aug 24 1993, pg 44662) because
it could be the only CRADA ever involving the NSA. It could become
a collectors item. 

If anyone is interested in getting involved with this project, they
should call Dennis Branstad at NIST (301-975-2913). To me, it seems
like it is easy to accomplish a key escrow plan in software. It
just depends how many features you want to add. A simple method is
to encrypt the session key with the government's public key(s)and
append this in a LEAF. If the cops wanted to listen in, they could
decrypt the LEAF using the private key(s that would be kept by the
escrow agency. Naturally, this could be compromised if the keys got

More sophisticated methods could involve a three-way Diffie-Hellman
key exchange at the start of each conversation on the phone system.
Or the government might want to explore Silvio Micali's work at MIT.
It would also be possible to use Gus Simmon's subliminal channels to
implement a signature/escrow scheme. The LEAF would be a DSS signature
and the session key would be held in subliminal channel. The other
half of the conversation would be able to verify that the LEAF was
there and the conversation was authentic, and the LE people could
get the key if they so desired. (This could be easily broken. I can't 
remember the details of Simmons's solution at this moment.) There
are several other answers that come to mind. 

The traditional objections to software implementations of the Key
Escrow plan are (1) easy tamperability and (2) publication of NSA
secrets. While software may be easier to change, people have also
proposed very simple ways to circumvent Clipper. If both halves of the
conversation coordinate themselves beforehand, any amount of duplicity
is possible whether or not a hardware chip is part of the standard. It
is possible to super-encrypt the entire data stream in software and
the LEAF would be foiled. It doesn't seem as if there is that much
difference on a relative scale.

The critical problem to developing a software key escrow system is
finding a way to prevent a modified piece of software from working
with an unmodified piece of software. This would stop people from
establishing links without prior arrangements for extra security.
I believe that this may be possible to do this using two different
types of LEAFS and shifting session keys every so often. 

Of course, sending out a software version of an algorithm will
leak information from the NSA-- something that really worries
them. But the CRADA says that the NSA will work on the software
Key escrow plan on a complete unclassifed basis. People on the CSSAB
made light of the strangeness of all of this.

Other Presentations

Most of the rest of the meeting was devoted to people not saying
anything on purpose. The plan to give the DSS to the RSA to resolve
patent differences and give the nation a standard has not generated
any new facts. Mike Rubin, the lawyer in charge, was not at the meeting
and he is apparently processing the public comments as I write. Some
summarized the comments as uniformly stating, "Free is good, paying
is bad." 

A group of computer scientists from NIST came to discuss their plan
for the Federal Criteria for secure systems and the new "Common
Criteria" that may emerge. This is an updated version of the old
Orange Book classification scheme of C2 and B1 and stuff like that.
The scientists said the draft is being finished but it isn't ready
for release. But now, they're working on "Something Better." This
is a new plan to standardize the grading of secure systems with 
other countries and evolve a "Common Criteria." In general, the 
board groused about the fact that the public and industry have never
been invited to give comments during the process. The summary
of this talk is: "We might be able to tell you something someday." 

Geoff Greiveldinger took up a whole hour in the afternoon to tell
us that it would be impolite for him to discuss the key escrow system
with the CSSAB before talking about it with Congress. He is the 
lawyer from the Justice department responsible for setting up the
system. Some members of the board mentioned that the board was
chartered by Congress and so he could speak freely, but others
refused to be so impolite as to question his polite excuse. 

He filled the hour with more descriptions with all of the restrictions
that they place on wiretaps at the Justice department. Once again, I
found myself wondering why they are going through so much trouble 
over something that just seems to cause them grief. The taps cost
money. They divert manpower. Etc. Yet, the FBI and the rest of the 
community is willing to go through a full court press on this topic.
The taps are essential in crime encapsulated in conversations (i.e.
influence peddling, bribery). 

Perhaps those of us outside of government (sadly only 4 out 5 people)
should quit worrying about this topic. The crimes we're likely to
commit all involve action: grand theft auto, drunk driving,
pickpocketting, murder, rape, illegal parking etc. No one really cares
what we say. It's just if we _do_ something and violate a property
right. Usually, members of the government are the ones who could 
break the law just by openning their mouth. 

Some people from the Social Security Agency came to tell the board
about their internal security procedures that they use to track down
people inside the agency generating information for outsiders like
private detectives. They routinely run sting operations where they
call up information brokers and ask them to get a Social Security
file for an individual. Then they watch for accesses to that record
and flag the miscreant.

One of the old hobbies at the agency was looking up the records
of stars. (When your job is sitting around watching people get
old, you've got to have something to do.) The agency keeps a watch
list of the celebrity's real name and SS number. Special programs now
watch for inquiries into these records. 

A nice guy from ARPA (Steve Squires) came and showed us complicated
slides representing the various factions at ARPA who are going about
developing the National Information Infrastructure. It seemed to be
more a polite introduction than a fact-based briefing about what 
might come out of Al Gore's dreams. 

Dorothy Denning came to say that there was no final report from the
outside team performing an outside review of the Clipper algorithm.
In general, she said that the comments have been favorable to their
work. Several members of the board questioned the independence of the
review given that it was done at the NSA using NSA's computers and
NSA's programmers. They also wondered about the depth of the review
because it was apparent that Denning leaned heavily on the NSA's

The EFF and Clipper

The final presentation came from Jerry Berman from the EFF. In
reality, he was representing the "Digital Privacy and Security
Working Group" which is a group of industry and political groups
that have joined together to say something about Clipper. This 
was the last presentation of the meeting and it became sort of 
a climax because people kept saying, "We'll see what the EFF
has to say." 

Their statement was simple. The group feels that it can accept
Clipper if any participation in the key escrow program is completely
volutary. They proposed to test the administration's committment
to volunteerism by noting whether they relaxed export requirements.

To me, the statement was little more than a political gambit. All
of the companies involved in the DPSWG really, really, really want
export restrictions eased. So they offered their support for 
Clipper as a quid pro quo. Let us export anything (not just Clipper)
and we'll support it. 

If you ask me, they shouldn't have been so bald about their horse
trading, but then I'm not a regular in Washington log rolling. It should
be possible to make a statement about Clipper without involving
the other issue, but maybe it's a smart deal. The main members of the
group are companies and the group had to standardize its message on
what its members want.

The Debate

The rest of the meeting was centered around the debate on the board's
resolution on Clipper. I missed most of this because it really seemed
very petty. Most of the board wanted to say that the Clipper chip was
a pain in the neck that wasn't worth the trouble but they couldn't
come up with the right words. Is it "expensive", "more expensive than
software", "more expensive than other alternatives", etc. 

The fight seemed to break down between government employees and
non-government employees. Those outside the government kept arguing
for stronger language and those inside kept saying things like,
"But expensive relative to what? We don't have any concrete cost

In the end, they passed resolutions that recorded reservations and
a call for "public" debate on the topic including a decision by
Congress on the needs of key escrow. 

If you have any questions about this summary, feel free to contact
me at pcw@access.digex.com.

--Peter Wayner