At 10:51 AM 9/2/97 -0700, Tim May wrote:
> Now, Ray, you're being too harsh. When NSA/NIST sought the analysis of Clipper/Tessera several years ago, the distinguished panel met for a weekend in a D.C. area hotel and concluded...drum roll...that Clipper/Tessera was secure.
No, they put out an interim report asserting that Skipjack was secure, promising to do a final report covering the Clipper chip, the escrow system, the key-loading charade in the vault, and all the other things that make up Clipper, and hyped the <expletive deleted> out of how secure Skipjack was, implying that you should trust Clipper and the friendly NSA that gave it to you. Of course, N years later, they haven't come out with that final report, and in context issuing the Skipjack interim part was a blatantly dishonest ploy, as well as being too short an analysis to be anything resembling thorough, even if Skipjack is fairly strong (which it probably is, for an 80-bit Feistel cipher).
> Of course, Matt Blaze broke the Tessera version a few months later....
Not an extremely practical break, but good enough to show the fundamental shoddiness of the Clipper system and embarrass them at a time when a good heavy-duty embarrassment was politically damaging.
> Some believe they have a role in helping industry to secure its communications. I don't agree. The NSA has no business getting involved in business. Period.
I think they've got a role in making sure that defense contractors making products for the US military, whether the contractors are handling militarily sensitive information or especially building tools that the military will use to handle sensitive information, are adequately secure. You could argue that that's a job for some other centralized expert agency that's under better civilian control or Pentagon control rather than being out of control (as the CIA is), perhaps the National Science Foundation, but it's also arguable that the only people who can do an adequate job of protecting secrets are people with lots of practice cracking them, and that's something pretty much like an NSA.

There's also a potential role, though it's a much tougher sell, for NSA or similar experts helping the State Department, and perhaps civilian Federal agencies that handle private information about citizens, do a good job at protecting it, though the military models of security are often not a good match for civilian data protection. My past experience with the NSA "helping" the State Department was a 3-year debacle in the late 80s, where they provided a bunch of unrealistic wish-list advice to a bunch of, ummm, technically challenged Wang administrators about how to build a secure world-wide network, which gradually fell apart in turf battles because the main Embassy customers for highly secure communications don't really work for State and they wanted their secure network provided by Real Spooks, and they may not have had the budget or political clout to get a network built but they could sure spoil a procurement :-)

But other than supporting Federal customers, they ought to leave business alone, at least until they get privatized....

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)