MacWEEK 04.26.93 Page 1

SECURITY CHIPS TRIGGER ALARM

Clipper and Capstone open digital back door.

By Mitch Ratcliffe

Washington -- The White House and National Security Agency, as part of a wide-ranging retooling of U.S. privacy policies, are preparing two encryption chips for use in the computer and telecommunications industries. Privacy advocates cried foul last week because the chips include a back door that allows police to monitor communications.

The Clipper chip announced this month can encrypt voice and data communications at up to 16Mbps. Clipper is due to debut in secure telephones from AT&T Co. this summer.

The second chip, called Capstone and currently under development at the NSA, is a superset of Clipper that will implement the much-criticized Digital Signature Standard to add authentication capabilities. Its existence was revealed during a briefing at the Massachusetts Institute of Technology in Cambridge last week.

President Clinton ordered the National Institute of Standards and Technology to establish Clipper as a federal standard. Since the government is the largest computer customer in the world, its Federal Information Processing Standards (FIPS) often are imposed on the industry as de facto standards.

If Capstone follows Clipper into the FIPS requirements, DSS could usurp RSA Data Security Inc.'s public-key encryption scheme, which Apple licensed for AOCE (Apple Open Collaboration Environment).

But Apple's representative at the NSA briefing, Gursharan Sidhu, technical director of collaborative computer and leader of the AOCE project, said he is not worried that the government will force an encryption scheme on the industry.

"We were given the impression that they are very open to suggestions," Sidhu said, adding that the government is faced with a growing conundrum as it tries to simultaneously protect privacy and maintain its ability to tap lawbreakers' communications.

"People have the idea that in cellular the security of communications had gone away, so there is pressure to encrypt. [Without a back door], even the casual criminal would be able to communicate with invincible security," Sidhu said. "Law-enforcement agencies wouldn't be able to collect intelligence."

A spokesman for NIST said Capstone will not be introduced unless the president's review of national encryption policy concludes it is needed. But he also said the Department of Defense and NSA are already working to develop a PCMCIA card-based implementation of Capstone for a classified defense messaging system.

The NSA confirmed it is working on Capstone but could not confirm the Capstone PCMCIA card project.

Clipper and Capstone use a "key escrow" technology that lets law-enforcement agencies with a court order unscramble conversations and documents. To reduce the potential for wiretap abuse, two agencies to be named by Attorney General Janet Reno will hold half of each key. The NSA said the key escrow agents will not be law-enforcement agencies.

Privacy advocates complained that the algorithms that perform Clipper scrambling functions will remain classified. Encryption technologies typically gain acceptance only after cryptographers pore over the component algorithms and key management systems.

"We can't protect the key escrow features if we reveal the algorithm to the public ... that's caused some heartburn," said John Podesta, staff secretary to President Clinton. "I'm not suggesting that the public should trust us any more than any other government agency, but we are doing a more comprehensive review [than any previous administration]."

Podesta said the Clinton team is taking a free-market approach to encryption, in contrast to the previous administrations, which tried to legislate simplified approaches.

"In the wireless communications environment, we have to move the ball forward on security and privacy," Podesta said. "The jury's still out on whether [Clipper] is the answer."

Jim Bidzos, president of RSA Data Security of Redwood City, Calif., said the NSA is using Clipper and Capstone in an attempt to confuse the market for privacy-enhancing technologies.

"It takes three or four years for this kind of proposal to die," Bidzos said. Computer and communications companies might withhold support for any standard, giving the NSA more time to prepare for the encrypted world, he said.

Computer Professionals for Social Responsibility, a Washington, D.C.-based public-interest group, has filed 11 Freedom of Information Act requests for access to Clipper development records. The group suspects the NSA and NIST violated the Computer Security Act of 1987, which limits the NSA's role in development of public encryption technologies to providing advice and assistance. NSA said it developed both chips.