OK. This time this should work. The previous file had some periods
on lines by themselves; this was causing my sendmail over here to think
the end of transmission had arrived. Damn in-band signalling.
Eric
-----------------------------------------------------------------------------
Date: Mon, 17 May 93 14:04:46 PDT
From: jim(a)RSA.COM (Jim Bidzos)
Subject: [ROBACK(a)ECF.NCSL.NIST.GOV: Answers to Your Questions]
FYI. NIST has responded to my questions. Feel free to distribute.
-Jim
Date: Mon, 17 May 1993 16:44:28 -0400 (EDT)
From: ROBACK(a)ECF.NCSL.NIST.GOV
Subject: Answers to Your Questions
To: jim(a)RSA.COM
X-Vmsmail-To: SMTP%"jim(a)rsa.com"
To: Mr. Jim Bidzos, RSA Data Security, Inc.
From: Ed Roback, NIST
Mr. Ray Kammer asked me to forward to you our answers to the questions you
raised in your e-mail of 4/27.
We've inserted our answers in your original message.
------------------------------------------------------
From: SMTP%"jim(a)RSA.COM" 27-APR-1993 03:13:12.75
To: clipper(a)csrc.ncsl.nist.gov
CC:
Subj: Clipper questions
Date: Tue, 27 Apr 93 00:11:50 PDT
From: jim(a)RSA.COM (Jim Bidzos)
Here are some questions about the Clipper program I would like to
submit.
Much has been said about Clipper and Capstone (the term Clipper will
be used to describe both) recently. Essentially, Clipper is a
government-sponsored tamper-resistant chip that employs a classified
algorithm and a key escrow facility that allows law enforcement, with
the cooperation of two other parties, to decipher Clipper-encrypted
traffic. The stated purpose of the program is to offer
telecommunications privacy to individuals, businesses, and government,
while protecting the ability of law enforcement to conduct
court-authorized wiretapping.
The announcement said, among other things, that there is currently no
plan to attempt to legislate Clipper as the only legal means to
protect telecommunications. Many have speculated that Clipper, since
it is only effective in achieving its stated objectives if everyone
uses it, will be followed by legislative attempts to make it the only
legal telecommunications protection allowed. This remains to be seen.
>>>> NIST: There are no current plans to legislate the use of Clipper.
Clipper will be a government standard, which can be - and
likely will be - used voluntarily by the private sector. The
option for legislation may be examined during the policy
review ordered by the President.
The proposal, taken at face value, still raises a number of serious
questions.
What is the smallest number of people who are in a position to
compromise the security of the system? This would include people
employed at a number of places such as Mykotronx, VLSI, NSA, FBI,
and at the trustee facilities. Is there an available study on the
cost and security risks of the escrow process?
>>>> NIST: It will not be possible for anyone from Mykotronx, VLSI,
NIST, NSA, FBI (or any other non-escrow holder) to
compromise the system. Under current plans, it would be
necessary for three persons, one from each of the escrow
trustees and one who knows the serial number of the Clipper
Chip which is the subject of the court authorized electronic
intercept by the outside law enforcement agency, to conspire
in order to compromise escrowed keys. To prevent this, it
is envisioned that every time a law enforcement agency is
provided access to the escrowed keys there will be a record
of same referencing the specific lawful intercept
authorization (court order). Audits will be performed to
assure strict compliance. This duplicates the protection
afforded nuclear release codes. If additional escrow agents
are added, one additional person from each would be required
to compromise the system. NSA's analysis on the security
risks of the escrow system is not available for public
dissemination.
How were the vendors participating in the program chosen? Was the
process open?
>>>> NIST: The services of the current chip vendors were obtained in
accordance with U.S. Government rules for sole source
procurement, based on unique capabilities they presented.
Criteria for selecting additional sources will be
forthcoming over the next few months.
AT&T worked with the government on a voluntary basis to use
the "Clipper Chip" in their Telephone Security Device. Any
vendors of equipment who would like to use the chips in
their equipment may do so, provided they meet proper
government security requirements.
A significant percentage of US companies are or have been the subject
of an investigation by the FBI, IRS, SEC, EPA, FTC, and other
government agencies. Since records are routinely subpoenaed, shouldn't
these companies now assume that all their communications are likely
compromised if they find themselves the subject of an investigation by
a government agency? If not, why not?
>>>> NIST: No. First of all, there is strict and limited use of
subpoenaed material under the Federal Rules of Criminal
Procedure and sanctions for violation. There has been no
evidence to date of Governmental abuse of subpoenaed
material, be it encrypted or not. Beyond this, other
Federal criminal and civil statutes protect and restrict the
disclosure of proprietary business information, trade
secrets, etc. Finally, of all the Federal agencies cited,
only the FBI has statutory authority to conduct authorized
electronic surveillance. Electronic surveillance is
conducted by the FBI only after a Federal judge agrees that
there is probable cause indicating that a specific
individual or individuals are using communications in
furtherance of serious criminal activity and issues a court
order to the FBI authorizing the interception of the
communications.
What companies or individuals in industry were consulted (as stated
in the announcement) on this program prior to its announcement? (This
question seeks to identify those who may have been involved at the
policy level; certainly ATT, Mykotronx and VLSI are part of
industry, and surely they were involved in some way.)
>>>> NIST: To the best of our knowledge: AT&T, Mykotronx, VLSI, and
Motorola. Other firms were briefed on the project, but not
"consulted," per se.
Is there a study available that estimates the cost to the US
government of the Clipper program?
>>>> NIST: No studies have been conducted on a government-wide basis to
estimate the costs of telecommunications security
technologies. The needs for such protection are changing
all the time.
There are a number of companies that employ non-escrowed cryptography
in their products today. These products range from secure voice,
data, and fax to secure email, electronic forms, and software
distribution, to name but a few. With over a million such products in
use today, what does the Clipper program envision for the future of
these products and the many corporations and individuals that have
invested in and use them? Will the investment made by the vendors in
encryption-enhanced products be protected? If so, how? Is it
envisioned that they will add escrow features to their products or be
asked to employ Clipper?
>>>> NIST: Again, the Clipper Chip is a government standard which can
be used voluntarily by those in the private sector. We also
point out that the President's directive on "Public
Encryption Management" stated: "In making this decision, I
do not intend to prevent the private sector from developing,
or the government from approving, other microcircuits or
algorithms that are equally effective in assuring both
privacy and a secure key-escrow system." You will have to
consult directly with private firms as to whether they will
add escrow features to their products.
Since Clipper, as currently defined, cannot be implemented in
software, what options are available to those who can benefit from
cryptography in software? Was a study of the impact on these vendors
or of the potential cost to the software industry conducted? (Much of
the use of cryptography by software companies, particularly those in
the entertainment industry, is for the protection of their
intellectual property.)
>>>> NIST: You are correct that, currently, Clipper Chip functionality
can only be implemented in hardware. We are not aware of a
solution to allow lawfully authorized government access when
the key escrow features and encryption algorithm are
implemented in software. We would welcome the participation
of the software industry in a cooperative effort to meet
this technical challenge. Existing software encryption use
can, of course, continue.
Banking and finance (as well as general commerce) are truly global
today. Most European financial institutions use technology described
in standards such as ISO 9796. Many innovative new financial
products and services will employ the reversible cryptography
described in these standards. Clipper does not comply with these
standards. Will US financial institutions be able to export Clipper?
If so, will their overseas customers find Clipper acceptable? Was a
study of the potential impact of Clipper on US competitiveness
conducted? If so, is it available? If not, why not?
>>>> NIST: Consistent with current export regulations applied to the
export of the DES, we expect U.S. financial institutions
will be able to export the Clipper Chip on a case by case
basis for their use. It is probably too early to ascertain
how desirable their overseas customers will find the Clipper
Chip. No formal study of the impact of the Clipper Chip has
been conducted since it was, until recently, a classified
technology; however, we are well aware of the threats from
economic espionage from foreign firms and governments and we
are making the Clipper Chip available to provide excellent
protection against these threats. As noted below, we would
be interested in such input from potential users and others
affected by the announcement. Use of other encryption
techniques and standards, including ISO 9796 and the ISO
8730 series, by non-U.S. Government entities (such as
European financial institutions) is expected to continue.
I realize they are probably still trying to assess the impact of
Clipper, but it would be interesting to hear from some major US
financial institutions on this issue.
>>>> NIST: We too would be interested in hearing any reaction from
these institutions, particularly if such input can be
received by the end of May, to be used in the
Presidentially-directed review of government cryptographic
policy.
Did the administration ask these questions (and get acceptable
answers) before supporting this program? If so, can they share the
answers with us? If not, can we seek answers before the program is
launched?
>>>> NIST: These and many, many others were discussed during the
development of the Clipper Chip key escrow technology and
the decision-making process. The decisions reflect those
discussions and offer a balance among the various needs of
corporations and citizens for improved security and privacy
and of the law enforcement community for continued legal
access to the communications of criminals.