1995-09-07 - Notes from NIS&T Key Escrow Export conference.

Header Data

From: “Pat Farrell” <pfarrell@netcom.com>
To: dccp@eff.org
Message Hash: 46933fbde325eed69e8f8b2f47ef14f4b2e9d9f0b494ac7d20ec2d985df0f647
Message ID: <26714.pfarrell@netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-07 11:26:42 UTC
Raw Date: Thu, 7 Sep 95 04:26:42 PDT

Raw message

From: "Pat Farrell" <pfarrell@netcom.com>
Date: Thu, 7 Sep 95 04:26:42 PDT
To: dccp@eff.org
Subject: Notes from NIS&T Key Escrow Export conference.
Message-ID: <26714.pfarrell@netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Here are my noted and remembered impressions from Wedensday's NIS&T 
conference on key escrow (aka GAK) export. Please note that there is 
a separate conference next week on creating a FIPS PUB standard for 
key escrow. That standard will be promulgated, just as GOSIP, POSIX 
and Clipper/Skipjack were promulgated. This export conference was 
separate from that FIPS standardization process.

I got stuck in a construction traffic jam, and missed the introductory
speaches. Perhaps one of the other c'punks can fill us all in on what I

The first item is that the export criteria will be changed. A small number
of bits will be added to unescrowed crypto, and 64-bit escrow'd (GAK'd)
systems will be allowed. They don't care which algorithm is used, DES, RC4,
blowfish, etc. They care about key length. If it is short enough, it is

The conference seemed to be an attempt to co-opt industry into agreeing
that 64-bit GAK is much better than the current situation. After all,
it would be too strong for a "hacker in France" to break it.

When they opened the floor, there were a few comments/questions
that indicated that not everyone was convinced that this was a good thing.
I pointed out some graduate students don't consider "hacker" a compliment,
and that I thought Damian did a great job breaking RC4-40. I also pointed
out that it was broken again in 31 hours with a "bunch of commercial
systems, Sun and Pentiums" with no need for suaercomputers. 

I then asked if the criteria were fixed, as setting criteria controls the
result. The NIS&T approved board said that changes to the criteria was 
part of why the conference was being held.

The next hour and a half was presentation from "industry." Essentially
comments on the proposal. Nearly all of the spokesmen said that the criteria
were flawed. Some said that they already had commercial products
that met most of the real needs of the industry (key recovery) but they
didn't meet the NIS&T/NSA "criteria." Probably the strongest was the
condamnation by Robert Holleyman of the Business Software Alliance.

Hollyman said that BSA represents firms such as Microsoft, Novell, Lotus,
Sybase, SCO, Autodesk, and Intergraph. He said that current policy "directly
threatens" the industry because of "The US Government's continuing refusal
to adopt realistic export control policies." He went on and on.
It was clear that his position is that the proposed policy is a mistake.

After the presentations, there were more questions. I proposed one
additional criteria (based on email that I received from the c'punks):
How do we expire court approved access to encrypted data, so that once the
court orders are over, the LEAs no longer have the ability to decrypt.
The answer was that with clipper, special hardware is needed, and it goes
away when the court order does. I asked how that model worked in a software
only world. There were mumbled statements about adding it as a criteria.

The conference then broke for lunch and breakout groups. The one I was in
discussed criterias 5 and 6 of Topic 3, published in my URL
They are short enought to reproduce here.

5.    The product shall be resistant to any alteration that would
      disable or circumvent the key escrow mechanism, to include
      being designed so that the key escrow mechanism cannot be
      disabled by a static patch, (i.e., the replacement of a
      block of code by a modified block).

6.    The product shall not decrypt messages or files encrypted
      by non-escrowed products, including products whose key
      escrow mechanisms have been altered or disabled.

After I commented that the person writing the notes has the ability to
detirmine what was said, the folks from NSA and NIS&T asked me to take 
the notes. I love it; but I did try to be objective.

In the middle of this discussion, a government-generated, but anonymnous
paper was distributed. It had "Example Suggested Solutions." It suggeeted
that source code not be available for products suitable for export. It also
suggested other ideas, such as storing a checksum/hash and having the
system "check the cryptographic code several times during its use." There 
was a strong reaction against these suggestions, not because they were
bad ideas, but because the paper was delivered with no prior publication.
This precluded any planned response to its ideas.

We reworded #5 to say "want to Trust the Product." This means that it 
is untampered, works as expected, etc. We then hashed out ways to 
know this. The list ended up looking like:
1. is available only as object code
2. contains some "hash" function to check for modifications
3. contains some unique hash, with uniqueness based upon something 
        like "site," "per copy" or "per release" 
4. Contains policies against modification, such as liscense language        
        against decompilation.
5. OS-related security, such as runs "protected mode" instead of as a 
        wild DOS program.

Of course, the software vendors went wild against "per copy" identifiers,
saying it would add two orders of magnitude worth of problems to 

The items on the list were not "must have all of these" rather it was
a pick-and-chose menu. We also required that the standard allow
for technical innovation to keep up with the evolving state of the art.

The discussion of #6 was more lively. We took a long time figuring out what
it said. For instance, could ViaCrypt sell a product that was compatible
with PGP 2.6.2 (non-escrowed) that also worked with the new escrowed
ciphers? It seems to me, and a lot of other folks there, that such a product
would be non-exportable. We simplified the criteria to:
  "right products won't talk to wrong products."
with "right products" meaning those that are exportable, and wrong products
being those that aren't, or are hacked, or ...

We then developed "goals" including:
1. One version for sale worldwide
2. Allow development in the US
3. Domestic Law Enforcement Agencies want Escrowed (I almost wrote GAK :-)
4. Must interoperate with everything
5. Receiver can only decrypt if escrow agencies can decrypt.

This leads to a bunch of issues and observations, including:
a. Can goals 1, 2, and 4 be met simultaneously?

There was a suggestion of a "friendly man-in-the-middle" who would
receive a GAK'd conversation, and strip off the GAK parts, and reencrypt
it, and retransmit it to a non-GAK user. Which leads to:
b. Can we prohibit a friendly MITM?

The big issue was:
c. Startup compatibility. No one will buy products unless they have
sales attractiveness. This means compatibility with existing systems.
Yet the criteria #6 seems to say that approved products must refuse
backwards compatibility.

This was labeled a "non starter" by the group.

The consensus was that companies can develop a substantial competitive
advantage by developing off-shore and offering both escrowed encryption
and compatibility with existing systems.

There was a discussion of grandfathering in some technologies.
This was to help interoperability. The conversation became fuzzy,
Grandfather technologies included DES, 3-DES, IDEA, and long key RC4.

One key idea was that it may make sense to allow software that encrypts with
escrowed keys, but can also decrypt with any algorithm. This allows the LEA's
to access outgoing messages, while allowing interoperability.

The discussions frequently wandered to discuss the language of the criteria.
The wording was considered simultaneously too subjective  and impractical.
For example, we considered the phrase "tamper resistant" to be preferable 
to the original "prevent tampering," because it is impossible to absolutly
prevent modification to software.

The issue of interoperability was raised repeatedly. 
It is critical that exportable products interoperate with other,
existing export products. 

The last issue in the session was that the length of the key, 64-bits,
was defined in criteria #1. There was no discussion at the conference on
this criteria. It seems that the NIS&T and NSA folks believe that
this is a closed topic. The folks in the session did not agree. They
felt that 64-bits was not enough.

Once the breakout session was over, the entire conference met together, 
and the "reporter" from each session reported their comments and findings.

All breakout sessions had suggested changes. The group that discussed
criteria #9 recommended removing it. The group that discussed criteria #2 
(no multiple encryption) reported that industry was working on a general 
solution to the problem of key recovery, and that their solution would 
probably appear as quickly without the government's "help." 

Several groups identified that there are at least two separate 
problem domains: communications and data storage. Communications 
typically is short term, and has unique keys for each session. 
Data storage has far fewer keys that are used
for long periods. Several speakers suggested that while communications
keys were not suited to be escrowed, there was a large need for
key recovery for data storage. There was no response from the government
representatives to any of these points. One government speaker
did say that there would be a Federal key escrow standard, period.

After the combined session, there were more break-out sessions. In the one
that I attended, the folks from National Semiconductor described their
CAKE system. This is a smartcard/PCMCIA device that uses 2000+ bit 
public/private key encryption and signatures. They are hoping for export
approval; it is necessary for the project to be viable.  The system looks
pretty interesting, but it too complicated to describe here. In short, 
random session keys are generated and signed with a Data Recovery Center's
public key. The LEAs could then send encrypted session keys to the DRC, 
which would decrypt them, and return the unencrypted session keys which
the LEA could then used to decrypt the messages.

While this is a hardware system, its concepts could be transfered to 
a software implementation.

One obvious problem is that NS' system doesn't meet criteria #8 (retuiring
repeated involvement of the escrow agent), since it may require
hundreds or thousands of session key decipherments. It also has
a number of attractive features, such as never sending the private
key anywhere, only the session key is escrowed.

The general discussion showed concerns that in the international
community, requiring government escrow may cause lose of valuable data,
as some foriegn governments are not as trustworthy as the US. It was
the consensus that requiring users to have 50 or more escrow centers was
unworkable. Yet this could be required for large multinational companies
working in 50 or more countries, if each required a local key escrow service.

The NS model would allow both date stamping of session keys, and periodic
rekeying. Either would satisfy my "unaccepted" Citeria #11, technical
limits to the time that a court ordered decryption could be executed.

There was a discussion of changing the criteria so that only the transmission
of data was concerned with escrow. This would simplify the issue of
multinational escrow. We did not resolve whether this would be sufficient
or acceptable.

Today, we will talk about suitable escrow agencies.


Version: 2.6


Pat Farrell    Grad Student      http://www.isse.gmu.edu/students/pfarrell
Info. Systems & Software Engineering, George Mason University, Fairfax, VA
PGP key available on homepage               #include <standard.disclaimer>