From: pfarrell@netcom.com (Pat Farrell)
To: pfarrell@netcom.com
Message Hash: a3f85d058e28b15d05d836f963ce27cac7d59c07174202180e6741c8d105083b
Message ID: <199512101904.LAA20587@netcom3.netcom.com>
Reply To: N/A
UTC Datetime: 1995-12-10 19:07:21 UTC
Raw Date: Sun, 10 Dec 95 11:07:21 PST
From: pfarrell@netcom.com (Pat Farrell)
Date: Sun, 10 Dec 95 11:07:21 PST
To: pfarrell@netcom.com
Subject: NIST GAK meeting writeup, LONG part 3 of 3
Message-ID: <199512101904.LAA20587@netcom3.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
NIST Key Export meeting, December 5, 1995 Long version
Part 3 of 3.
This covers the notes on agent criteria, and the
industry presentations.
Part 2 of three hasn't been written, it is supposed to
address the issues related to interoperability. I
decided it was better to get this part out than to
wait.
Items on the criteria themselves that I think were under
reported in my first reports:
Ed Appel: the LEA's are very interested in Criteria #5
(two ended decryption) as they have more than 100
international offices.
Miles Smid described a trick for meeting Criteria #5,
if you encrypt the session key with your own public
key, in addition to the key of your destination, and
if you have escrowed your private key with an Escrow
Agent, then nearly any approach meets criteria #5.
*********
On agent criteria:
*********
Geoff G. says that the discussions on agent criteria
are simply a follow-on to the main criteria #3.
The criteria themselves have been spam'd to the list.
They are also available at url:
<a href="http:/www.isse.gmu.edu/~pfarrell/nist/escagent.html">
There was a lot of reactions to the SECRET clearance
requirement, which they claimed was to handle
secure investigations (e.g. FISA). This has already
been discussed on the list, so I'll skip it here.
David Lesher asked a series of questions concerning
the requirement that the Key Escrow Entity employ a
person with a SECRET clearance. They included: what
agency will issue the clearance? Who will authorize
for the BI (background investigation)? Who will pay
for it? Who does the existing RBOC clearances? Geoff
dodged nearly all of them. He acknowledged that "they"
will have to pay, but made no effort to define who
"they" are.
Geoff said that they may want legislation support for
protecting against illegal release of keys, failure to
release, etc.
A fair number of the agent criteria would be considered
professional business practice (no single point of
failure, dual locations, etc.) if you thought that
escrowing keys was a good thing.
*********
User/Industry presentations
Bill Sweet of TIS
Bill gave a presentation about his CKE product, and
how hard he is working to "find a global solution."
This is actually the same product that Bill talked
about in September when he worked for National
Semiconductor. It was impressive then (private keys
are NOT escrowed, only session keys, etc.) and is
still not approved for export.
Bill talked about "information owners," they
ultimately decide which security systems get deployed
"in spite of various government requirements around the
world." He said that "if rational key escrow systems
are not offered, or do not adequately protect their
information, owners will use unescrowed encryption
from whatever sources available (Germany, et al)."
Bill talked about a UK University (Royal Holloway)
study on UK/European needs for key escrow. He said
that there was a lot of overlap with the NIST
criteria, but that there were criteria that were
judged as totally unacceptable. The first and loudest
finding was:
"the use of the scheme should provide visible benefits
to the user."
This begs the obvious question, what
visible benefits to the user does GAK bring?
Two other interesting findings in the study were:
- - An entity with a warrant should not be able to
fabricate false evidence."
- - Abuse by either side should be detectable by the
other.
He suggested that these criteria be added to the NIST
list of 10.
Bill went on to look at the NIST criteria. He said,
concerning Criteria #3 (agents certified by US
Government or reciprocal agreement), that "this is a
show stopper!" because:
- -- no reciprocal agreements exist today, anywhere.
- -- what about countries where justice systems are
different, and what about where "these agreements are
not desirable (e.g. Nigeria, Mexico, Saudi Arabia,
Argentina, Poland, etc.)?
- -- even for NATO countries, agreements will be
different (Germany has data privacy laws, in Greece),
or we may not want to be reciprocal (in Greece, the
government likes to bug the opposition)
He also says that Criteria #7, 64-bit keys, is
unacceptable. CE Infosys currently sells a PCMCIA (PC
Card) encryptor that does triple-DES at T1 speeds. TIS
uses it, and sells it in the US. [as an aside, I was
told that they can import and resell them, but when
one breaks, TIS can't ship it back to Germany for
repairs. Sigh.]
Sweet had two recommendations:
- -- develop a tiered crypto policy, with hardware and
software under differing levels of rules,
- -- allow a pilot project, where TIS can sell VPN
(virtual private networks) using strong encryption. A
VPN is the use of the Internet as a private network
for a corporation by adding appropriate firewalls,
encryption, etc.
It seems to me that while TIS' CKE doesn't meet the
criteria, it could be made to, with a few changes.
They've have to change the design to allow GAK
for any one target. (Criteria #5) This would mean
for generating one DRF (ie., LEEF) for each recipient
as well as for the sender (as opposed to just for
the sender) The neat thing about CKE is that each
LEEF holds only the session key -- so you never
give away your private key. (I think the govenment
really expects that we'll be willing to
escrow our private keys. Fat chance!)
But this is a bit of a catch 22, because
to follow all the criteria, you can't stop there.
- -- For each encryption, you generate a DRF for the
sender and each recipient
- -- For each DRF generated, you must have and check
a certificate chain for the chosen DRC and
refuse to encrypt unless all recipients and
the sender have validly certified (ie., USGovt
approved) DRC public keys.
- -- Each receiving application must refuse to
decrypt unless every other recipient and
the sender have validly certified DRC
public keys. This gets into the interoperability
issues that I need to write up...
- -- I don't know how they can meet the revised #6. It
seems to be designed specifically to break CKE.
To get govie approval, each DRC needs to meet all the
key escrow agent entity criteria. I'm really not at
all convinced that it is actually practical. This is
sad, because CKE is obviously designed with the spirit
of the government at heart, with just some modifications
to make it marketable. Guess TIS needs an Ireland office
too.
Ken Mendelson of TIS
Ken gave a solid presentation describing how all of
the Government's need for data about key escrow agents
could be met with a commercial "vendor registration"
approach instead of a Government mandated
"certification" scheme. This would be in keeping with
the current "spend less money, have less government
bureaucratic rules" political climate. I have copies
of his slides, I'd rather not type them in. With any
luck, he'll put them up on the TIS web site url:
http://www.tis.com
Dorothy Denning of Georgetown University
Dorothy Denning gave a presentation on an article that
will be published in the March 96 Communications of
the ACM. It analyzes currently available products (and
vapor products) and sees how well they meet Criteria
#5. It says that eight of the sixteen approaches that
she surveyed currently meet Criteria #5. She lists her
web page as http://www.cosc.georgetown.edu/~denning,
but as of Sunday 12/10, the text is not available.
Melanie Janin, US Council for International Business
Ms. Janin's speech presented the US Council for
International Business' comments on GAK. They are a NY
based trade group, representing 300 clients. They
don't like GAK. She called for a coherent policy on
all encryption. Major topics in the presentation
include:
- - free choice
- - open to the public
- - international acceptance
- - flexibility of implementation
- - User key management
- - Key escrow (where they "embrace key escrow as one
possible method of managing encryption keys.")
- - Liability
Ed Scheidt, Tecsec
Presented both comments on the criteria and his
company's VEIL and Export VEIL Version 2.0 products.
He raised a number of points, including:
- - how do we protect our commercial information unless
we have the best cryptography?
- - we need "constructive key management technology" to
manage keys, key splits, and different algorithms for
extended data separation.
- - solution must address issues such as international
trust in a key escrow.
He said that his "Export VEIL 2.0" product meets "the
intent of 11/95 export criteria today."
Daniel Weitzner of CDT
Mr. Weitzner agreed to shorten his presentation so
that he could yield some time to VTW.
He opened by pointing out that while the schedule had
both him and Jerry Berman were supposed to talk, Jerry
was too busy to make the meeting. "Jerry is out
defending pornographers, so I'll be here defending
terrorists."
I expect that his text will be on CDT's webpage, url:
http://www.cdt.org. I'll just enter the key points.
The first thing he said is that "this is the wrong
forum" and that "the [NIST] process will not work." He
proposed a open, privately sponsored forum to develop
alternatives that will work.
"The NIST proposal will not provide adequate security,
privacy, promote secure communications worldwide, or
guarantee user privacy." Major issues are:
- - Inadequate security
- - No viable policy framework for the long-term
- - Hinders the deployment of globally interoperable
secure systems
- - not necessarily voluntary
- - not viable in the marketplace
- - no constitutional privacy protections
- - will not meet the needs of law enforcement, since it
will "not deny criminals or terrorists access to
strong encryption, the stated objective of the
policy."
Shaber Safdar, Voters Telecommunication Watch
Described the results of an Internet-based, non-
scientific survey that the VTW recently made. Not
surprisingly, those who replied were overwhelmingly
against the NIST proposal. I don't have the slides,
but VTW has a website with most of their information.
The url is http://www.vtw.org
There were 26 respondents to the survey. 24 out of 26
said that they would never buy products with law
enforcement access. 16 out of 24 are already using
security products.
He described a Technology Pledge that VTW is
presenting to politicians (available at url:
http://www.vtw.org/pledge/) and stated that Rep.
Ronald Wyden (D-OR) signed the pledge with pro-
freedom, pro-market answers.
David Sobol, EPIC
As expected, EPIC doesn't like much about the NIST
proposal. Their comments are on their web page, url:
http://www.epic.org/crypto/EPIC_Statement.html
A key statement is "Given the reality that users are
unlikely to adopt key escrow systems on a voluntary
basis, we believe that the current policy will result
in the eventual prohibition of non-escrowed products.
Indeed, documents released to EPIC under the Freedom
of Information Act (FOIA) reveal that NSA and FBI
concluded nearly three years ago that
'Technological solutions such as they are, will
only work if they are incorporated into all
encryption products.'"
Major points
- --Public comment is frequently solicited but never
heeded.
- --Relevant information has not been released.
- --The proposal conceals the attempt to expand
wiretapping capability
As a result, EPIC proposes the following Policy
Recommendations
- --Relax export controls on encryption and permit the
free flow of encryption products across national
borders
- --Withdraw FIPS 185 (the Clipper standard for voice,
fax,... and low speed data networks in the
federal government)
- --Remove "cryptology" from items that may be
classified ... under executive order
- --Do not fund the Telephone Carrier Compliance Program
(the "Digital Telephony" proposal)
- --Do not permit the use of classified algorithms for
public networks
- --Examine the activities of the National Security
Agency ... since passage of the Computer Security
Act of 1987.
NOTE: during Mr. Sobel's discussion, a FBI
representative sitting at the head table said that
the issues addressed by key escrow are "not just
wiretapping, they include search and seizure of all
stored media." I was not able to identify the person.
He was sitting at Ed Appel's seat, but did not have a
namecard. No one sitting near me recognized him
either.
Padgett Petersen, Lockheed Martin
Noted Internet personality, Padgett Petersen took a
rarely held position, he spoke as a Security officer
of Lockheed Martin, rather than speaking as a private
net-citizen.
He said that "these criteria are acceptable and can be
made to work." He also said that "without US
agreements, there is no reason to be concerned with
export." Lockheed Martin was looking forward to
participating in using and buying the escrowed
products that will hit the market as a result of this
process.
Robert Hollyman, Business Software Alliance
Mr. Hollyman said that "the facts are clear, companies
are unanimous against" the NIST proposal. His members
agree that:
- - security is critical
- - 40 bit is not viable
- - the 1992 government review requires a change in
policy.
He recommended:
- -- immediate approval of DES or equal strength
alternative for export.
- -- encourage companies to build encryption software by
submitting code to NIST (under non-disclosure) for
review
- -- add two bits ever three years to allowable key
lengths in recognition of Moore's law. He called this
a COCA allowance (cost of cracking algorithms).
- -- removal of restrictions on interoperability because
they are artificial and antithetical to the Global
Information Infrastructure.
He stated that the current criteria are vague, and
will take years for approval. Yet he notes that in
industry, the average life cycle of software is 18
months.
Alex McIntosh, PC Security
PC Security sells key management systems. Shell is a
customer. He addresses a couple of areas that his
commercial customers ask.
The first question is "why encrypt?" He said that the
answer is to protect confidential data. These data
include email, PC files, and archival data.
This leads to the obvious question, why use key
management? The two separate answers are to have
operational backup and to allow compliance with
internal and external law enforcement.
He said that he has a surprise for the NIST folks
concerning key escrow agents. The corporate customer
is the key escrow agent.
Other key observations:
- -- Companies, such as Shell, often do business in
countries where they can not trust the government.
- -- Shell handles over a million email messages a day.
This defines engineering requirements for any system
to meet.
- -- Liability is a huge issue, and the amounts are
huge. Geologic information, market strategies, etc.
are worth staggering amounts of money. The "US
Government can NOT cover Shell's liabilities."
Doug Miller, Software Publishers Association
Mr. Miller said that his members need immediate relief
from the current encryption export policies. "our
members are poised, but cannot leap, because of the
barriers that U.S. cryptographic policy continues to
impose." He wants to be able to export 56-bit DES. His
position paper says, "we believe the discussion should
also include assessment of the exportability of
products employing the DES algorithm. DES-strength
(56-bit) products can compete with 179 foreign
products (80 of which are software products) that
employ DES. Liberalization of the export restrictions
of software with encryption capabilities is essential
if U.S. companies are to compete with strong, widely
available non-escrowed products."
Viktor Hampel, Hampel Consulting
Proposed "a 'Consumer Protection Act for Digital
Products' to support electronic commerce and to
control the increasing abuse and lack of security on
the national information highways." A copy can be
obtained from Hampel Consulting, 1515 Jefferson Davis
Highway, Crystal Square Suite 913, Arlington VA 22202-
3312.
In his remarks, Mr. Hampel said that trust is
important between business. Business worries about
issues as varied as what accountability is in the
system and how much is the per minute interest on a
billion dollar money transfer? These cause business to
need solutions that NIST hasn't raised.
He recommended that a public key infrastructure be
included into the Uniform Commercial Code.
Closing comments.
Mike Nelson noted that the meeting had some time for
floor questions.
He was asked what is the timeframe for finishing the
process. He danced, saying that promising a fixed date
for policy decisions is bad for your career, but
thought it would be done in a couple of months.
Someone asked about the "Personal Use" export process
(the one that will allow you to export PGP on a laptop
computer for personal use, and that was promised for
"in a couple of weeks" at the September NIST meeting).
They said that it is about to go to the Federal
Register, and should be available within weeks.
Nelson was asked about foreign escrow agents. He said
that "if there exists bilateral diplomatic agreements,
then the US will allow specification of Foreign Escrow
agents." [Of course, no such agreements exist now.]
Ed Appel of the White House said that the intent is to
make export "as easy as 40-bit" is under the existing
policies. The existing export policies will continue.
He also said "so far, we are only controlling export"
and that "the government has very strong cryptography
available to them, so they are not worried about
export." He said they hope to control export in two
ways, first by applying the combined purchasing power
of the US Government to encourage the market, and by
controlling export.
*********
After the meeting closed, I invited both Mike Nelson
and Ed Appel to the next DC Cypherpunks meeting.
Somehow I expect it when they declined.
********
A note on quoting within this document: I did not take a
tape recorder to the meeting. Words in quotes were taken
from either my hardcopy of handouts, words in documents
on cited webpages, or from my noted. I tried hard to
keep the words accurate and in context. There may be some
cases where my quotes are incorrect. If I've misquoted
anyone, it is not delibrate, and if told, I'll post
corrections.
Pat
Copyright (c) 1995, Pat Farrell.
Permission granted to electronically redistribute, provided
it is transmitted in the whole and unaltered.
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAwUBMMsugLCsmOInW9opAQGWSAP/QC3Xja8kE56XGximmiiIVEv3ihJI1uY5
2eWZSVUGOxATc3jbwtLS5bqmkDnSXhQaaD6Slk/zA9IGlNhzi4tMV1xsrKwj4l4d
0KefEWOTinVze+6SQFsIVizGb9WzRaTrGwCV9RY7RRbC0dYa+cb21JXvlZOxYk/Q
wGfkSY5/H0Y=
=hJvT
-----END PGP SIGNATURE-----
Pat Farrell grad student http://www.isse.gmu.edu/students/pfarrell
Infor. Systems and Software Engineering, George Mason University, Fairfax, VA
PGP key available via finger or request #include standard.disclaimer
Return to December 1995
Return to “pfarrell@netcom.com (Pat Farrell)”
1995-12-10 (Sun, 10 Dec 95 11:07:21 PST) - NIST GAK meeting writeup, LONG part 3 of 3 - pfarrell@netcom.com (Pat Farrell)