From: gnu
To: cypherpunks@toad.com
Message Hash: ebf068904664e81e6af6d1e7f3f2851cfd729c25b757da1a3659e1e097313c0b
Message ID: <9502132043.AA17858@toad.com>
Reply To: N/A
UTC Datetime: 1995-02-13 20:43:06 UTC
Raw Date: Mon, 13 Feb 95 12:43:06 PST
Subject: CDT POLICY POST No.2 -- X9 TO DEVELOP TRIPLE-DES STANDARDS
------------------------------------------------------------------------
POLICY POST
February 13, 1995
Number 2
CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST 2/13/95 Number 2
CONTENTS: (1) X9 Committee Agrees to Develop 3x DES Encryption Standard
(2) About the Center for Democracy and Technology
This document may be re-distributed freely providing it remains in its
entirety.
------------------------------------------------------------------------
X9 COMMITTEE AGREES TO DEVELOP 3x DES ENCRYPTION STANDARD
Major Setback for NSA
The NSA's efforts to push the adoption of the Clipper/Skipjack
government-escrowed encryption scheme encountered a major
setback earlier this month with the decision by the
Accredited Standards Committee X9 to proceed with the
development of a data security standard based on triple-DES.
The ASC X9 committee is responsible for setting data security
standards for the US banking and financial services
industries. These industries are heavy users of commercial
cryptography, and standards developed for this community tend
to drive the development of applications for the entire
market. As a result, the committee's decision to proceed
with a triple-DES standard has important implications for
future cryptographic standards and US cryptography policy
generally.
The NSA, a voting member of the X9 committee, had lobbied
hard against the proposal. In a November letter to committee
members, the NSA threatened to prevent the export of triple-
DES, citing existing US law and potential threats to national
security (see attached NSA letter).
The decision sets the stage for the development of a next
generation of security standards based on publicly available,
non-escrowed encryption schemes. A battle over the
exportability of triple-DES applications is also on the
horizon.
Through export controls on cryptography, the proposed Clipper
initiative, and interference in the standards setting
processes, US government policies have consistently sought to
make strong encryption and other privacy protecting
technologies unavailable to the general public. The X9
decision and development of triple-DES and other alternatives
to government-escrowed cryptography is an important victory
in that it will increase the public's access to strong,
privacy enhancing technologies.
BACKGROUND
Banks and other financial institutions use encryption to
protect the billions of dollars in transactions and fund
transfers which flow every day across the world's
communications networks.
The current encryption standard used by the banking industry
is based on DES, which has been available since the early
1970's. DES is widely trusted because it has been repeatedly
tested and is considered by experts to be unbreakable except
by brute force (trying every possible key combination). The
US government has also allowed the limited export of DES.
Despite its popularity, DES is considered to be reaching the
end of its useful life. The increasing speed and
sophistication of computer processing power has begun to
render DES vulnerable to brute force attacks. Cryptographers
have recently demonstrated that DES codes can be cracked in
as little as three hours with $1 million worth of currently
available equipment. As a result, the banking and financial
services industries have begun to explore alternatives to
DES.
Although there are many potential alternatives to DES,
triple-DES is widely seen as the most practical solution.
Triple-DES is based on DES, but has been enhanced by
increasing the key length and by encrypting through multiple
iterations. These enhancements make triple-DES less
vulnerable to brute force attacks. Triple-DES is also
popular because it can be easily incorporated into existing
DES systems and is based on standards and procedures familiar
to most users.
NSA SETBACK IS A VICTORY FOR CLIPPER OPPONENTS
In their November letter to X9 committee members, the NSA
attempted to undermine the attractiveness of triple-DES by
arguing that it is cryptographically unsound, a potential
threat to national security, and would not be exportable
under US law. The NSA, while offering no specific
alternative to triple-DES, seemed to be attempting to push
the committee to adopt the only currently available option --
Clipper.
Privacy advocates also lobbied the X9 committee. In advance
of the December 1994 ballot, CDT Deputy Director Daniel
Weitzner (then EFF Deputy Policy Director) and EFF board
member John Gilmore, an expert in this field, sent a letter
to X9 committee members urging them to adopt the triple-DES
standard. A copy of the letter is appended at the end of
this post.
By agreeing to develop a triple-DES standard, the X9
committee has clearly and decisively rejected Clipper as a
solution. This vote thus represents a further repudiation of
Clipper and yet another victory for opponents of government
efforts to establish Clipper or other government-escrowed
solutions as a national standard.
NEXT STEPS
X9F, a subcommittee of the X9 committee, will now develop
technical standards for implementing triple-DES based
applications. This process is expected to take one or two
years to complete. Once technical standards are developed,
the full X9 committee will vote as to whether to implement
the subcommittee's technical recommendations.
The availability of triple-DES applications received a
further boost recently with the announcement by AT&T and VLSI
Technologies that they were developing new data security
products based on triple-DES. This will presumably provide
additional options for X9 committee members, but the
exportability of these products is still in doubt.
The stage is thus set for a further battle between the NSA
and the X9 committee over the exportability of triple-DES and
final approval of the X9 standard. As a sitting member of
the committee, NSA will presumably continue to lobby against
efforts by the committee to develop triple-DES applications.
Furthermore, the banking and financial services industries
must still persuade the government to allow for the export of
triple-DES.
As an opponent of government-escrowed cryptography, CDT
applauds the recent actions of the X9 committee. While CDT
supports the development of a variety of security standards
and alternatives to DES, we recognize the need of the banking
and financial services industries to develop a temporary
stop-gap solution. CDT will continue to work towards the
relaxation of export controls on cryptography and will
support X9 committee members in their efforts to gain the
ability to export triple-DES applications.
For more information contact:
Daniel J. Weitzner, Deputy Director <djw@cdt.org>
Jonah Seiger, Policy Analyst <jseiger@cdt.org>
+1.202.637.9800
----------------------------------------------------------
GILMORE/WEITZNER LETTER TO X9 COMMITTEE MEMBERS
November 18, 1994
Dear Accredited Standards Committee-X9 Member:
The X9 Committee is currently voting as to whether to
recommend the development of a standard for triple-DES (ballot number
X9/94-LB#28). The Electronic Frontier Foundation (EFF) strongly urges you to
vote in favor of the triple-DES standard.
EFF supports the development of a variety of new data
security standards and alternatives to DES. We believe the triple-DES standard
provides the best immediate short term alternative because:
* The basic algorithm, DES, is strong and has been
tested repeatedly.
* There are no known attacks that succeed against
triple-DES.
* It is clearly no less secure than DES.
* It eliminates the brute-force problem completely by
tripling the key length.
* It runs at high speeds in easy-to-build chips.
* It can be easily incorporated into existing systems.
NSA's opposition to triple-DES appears to be an indirect attempt to push
Clipper by eliminating credible alternatives. Clipper is not a viable
alternative to triple-DES, and carries substantial liabilities. There has
been no evidence of foreign acceptance of the standard and the Skipjack
algorithm is classified. The likelihood of any government accepting secret
standards developed by a foreign security agency is slim. Clinton
Administration efforts, through the NSA, to push Clipper as a domestic
standard over the past two years have failed.
We urge you to carefully consider the alternatives before you
cast your ballot. We believe that the triple-DES issue should be
decided on its own merits.
Sincerely,
John Gilmore
Board of Directors
Electronic Frontier Foundation
Daniel J. Weitzner
Deputy Policy Director
Electronic Frontier Foundation
-------------------------------------------------------------
NSA LETTER TO X9 COMMITTEE MEMBERS
X9 Member:
I will be casting a NO vote on the NWI for triple-DES, Letter
Ballot X9/94-LB#28. The reasons are set forth below. You
may find these useful as you determine your position.
Jerry Rainville
NSA REASONS FOR A NEGATIVE VOTE
While NSA supports the use of DES in the global financial
sector, we believe that standardization of triple-DES is ill-
advised for a number of reasons.
The financial community should be planning to transition to a
new generation of cryptographic algorithms. When DES was
first introduced, it represented the "only game in town". It
supported encryption, authentication, key management, and
secure hashing applications. With a broader interest in
security, the market can now support optimized algorithms by
application. Going through the expense of installing a stop-
gap can only serve to delay progress in achieving
interoperable universal appropriate solutions.
While we understand the appeal of a snap-in upgrade, our
experience has been that any change is expensive, especially
one where the requirements on the key management system
change. We do not agree that replacing DES with triple-DES
is significantly less expensive than upgrading to more
appropriate technology.
Tripling of any algorithm is cryptographically unsound.
Notice that tripling DES, at best, only doubles the length of
the cryptovariable (key). Phrased another way, the DES was
optimized for security at 56 bits. We cannot vouch that any
of the schemes for doubling the cryptovariable length of DES
truly squares security.
We understand the financial community has concerns with
current key escrow based encryption; however, we are
committed to searching for answers to those concerns. But
the government is also committed to key escrow encryption,
and we do not believe that the proposal for triple DES is
consistent with this objective.
US export control policy does not allow for general export of
DES for encryption, let alone triple-DES. Proceeding with
this NWI would place X9 at odds with this long standing
policy. It also violates the newly accepted X9 cryptographic
policy.
The US government has not endorsed triple-DES; manufacturers
and users may be reluctant to use triple-DES products for
fear of possible liability.
Finally, further proliferation of triple-DES is counter to
national security and economic objectives. We would welcome
the opportunity to discuss these concerns with an appropriate
executive of your institution.
---------------------------------------------------------------------
ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY
The Center for Democracy and Technology is a non-profit public interest
organization. The Center's mission is to develop and advocate public
policies that advance constitutional civil liberties and democratic
values in new computer and communications technologies.
Contacting us:
General information on CDT can be obtained by sending mail to <info@cdt.org>
www/ftp/gopher archives are currently under construction, and should be up
and running by the middle of March.
###