No Subject

17 Dec 2003

      The original paper is available at:
http://www.cisco.com/warp/public/146/july98/2.html

For any precise analysis, use the original document at the aforementionned address.

------------- begin "cut and paste" text ---------------
White Paper

The Export of Certain Networking Encryption Products under ELAs As An Alternative to
"Key Escrow/Recovery Products" under KMI: A Networking Industry White Paper on
Encryption Export Controls

by
Elizabeth Kaufman, Cisco Systems, Inc. and
Roszel C. Thomsen II, Thomsen & Burke LLP

     Encryption Press Release
     PR Contact: Doug Wills, (408) 527-9475, dwills@cisco.com

Executive Summary

The Clinton Administration's export control policy is designed to promote development of cryptographic products that provide law enforcement agencies with
access to encrypted data. Products that implement key escrow/recovery to provide such access are broadly exportable under License Exception KMI.
Although some customers have indicated interest in products that implement key escrow/recovery for stored data, customers generally oppose mandatory key
escrow/recovery for data in transit. This White Paper proposes that certain networking encryption products that provide for authorized access without key
recovery should also be eligible for broad export under appropriate Encryption Licensing Arrangements.

The Administration's export control policy must also reflect the equities of the intelligence community. Therefore, the proposed Encryption Licensing
Arrangements should be approved subject to riders and conditions designed to prevent the export of strong encryption products to military end-users, for
military end-uses, or to any government ministry, agency or department of certain countries.

The operational characteristics of networking encryption products to be eligible for export under appropriate Encryption Licensing Arrangements are not
complex. Simply stated, the operator action model delivers a 'private door-bell,' not a 'house-key' to parties lawfully seeking access to data. Qualifying
products must incorporate an operator-controlled management interface that enables dynamic, real-time access to specified network traffic prior to
encryption, or after decryption, at a designated access point.

Background

In Executive Order 13026 of November 15, 1996, President Clinton said that cryptographic products implementing the Key Management Infrastructure
("KMI") would be eligible for export without licenses after a one-time technical review.1 On December 30, 1996, the Commerce Department's Bureau of
Export Administration ("BXA") published an interim rule amending the Export Administration Regulations ("EAR", 15 CFR Part 730 et seq.) that implements
Executive Order 13026.2

The better-known provision of this interim rule states that "key escrow or key recovery products" are exportable under License Exception KMI. The term
"key escrow or key recovery products" is defined in great detail in Section 740.8(d)(1)(i) and Supplement No. 4 to Part 742 of the EAR.

A lesser-known provision of this interim rule states that "other recoverable encryption products" shall receive "favorable consideration" for export. The term
"other recoverable encryption items" is defined briefly in Section 740.8(d)(1)(ii) of the EAR, and the type of "favorable consideration" that should be accorded
to such products is not defined at all. The ambiguity of this provision provides an opportunity to explore new approaches to exporting cryptographic products.

Overview

Industry has studied the technical, market and policy issues surrounding the KMI. These studies suggest that there may be market demand for products
implementing key escrow/recovery techniques for retrieval of encrypted stored data. Such products would also appear to meet law enforcement's
requirements for retrieval of encrypted stored data. However, no market demand exists for products implementing key escrow/recovery techniques for
retrieval of encrypted transient data. Eminent cryptographers have argued that key escrow/recovery techniques create unnecessary risks for encrypted
transient data.3 The National Security Agency ("NSA") has confirmed these findings.4

The networking industry proposes that certain networking encryption products described in this White Paper may receive wide market acceptance and meet
the requirements of law enforcement with respect to transient data without implementing key recovery. The intelligence community's equities, though not
reflected in the EAR, must be respected as well.

Analysis of Market Requirements

In order to meet market requirements, networking encryption products must: (1) provide strong security, (2) adhere to open standards, and (3) support an
operator-controlled management mechanism to specify encrypted flows.

Strong security is essential for products that encrypt transient data. Customers, particularly service providers, have stated repeatedly and emphatically that they
will not purchase products that encrypt transient data, if those products also facilitate unauthorized, covert surveillance by third parties. The government should
encourage the deployment of products that implement strong security, because such products will deter certain kinds of crimes, like theft of trade secrets by
third parties.

Deployment of products that encrypt transient data requires open standards. Without open standards, different vendors' products will not inter-operate, and
broad deployment will not be possible. The government should encourage the deployment of standards-compliant products, because it has a shared interest in
a common cross-vendor solution and the rapid deployment of strong new viable technologies.

Some customers also have indicated that operator-control of encryption flows is a useful feature for network diagnostics and reporting, and for allowing the
efficient transmission of non-sensitive data. Customers in regulated industries, such as banking and securities, also may need to monitor their employees'
communications from time-to-time. Most customers also desire the ability to respond to a court order without exposing all of their data across the Internet or
the public switched telephone network.

Analysis of Government Requirements

The EAR describes key escrow/recovery products primarily in terms of their utility to law enforcement. The government's interests, however, are not
monolithic. The law enforcement and intelligence communities have different requirements.

Law enforcement's main priority has been to establish procedures for access to encrypted data in transit that are comparable to existing procedures for voice
communications and therefore capable of introduction into evidence in a court of competent jurisdiction. The technical characteristics of the networking
encryption products described in this White Paper will be of greatest interest to law enforcement, because these technical characteristics are the key to
meeting law enforcement's requirements for access to plaintext.

The intelligence community, on the other hand, has not shown much confidence that key escrow/recovery will meet its requirements since the secret Skipjack
algorithm and governmental escrow agents featured in the original Clipper Chip were abandoned in favor of vendor-selected algorithms and commercial
escrow agents. Its primary concern currently appears to be the broad deployment of encryption technology that does not interfere with current best
operational practices. In this regard, the technical characteristics of qualifying products may be of secondary importance to the intelligence community, and
proposed riders and conditions on the ELA may be of greater importance. 

An Alternative to Key Escrow/Recovery for Networking Products

Although key escrow/recovery is not acceptable for data in transit, some customers require a mechanism that can reveal real-time plaintext for network
diagnostics and reporting, the transmission of non-sensitive data, occasional employee monitoring, and to support law enforcement. The proposed alternative
to key escrow/recovery does not require weakened cryptography, yet provides access similar to that currently available for voice communications.

Packet switched data networks handle traffic differently than circuit-switched voice networks. Circuit switched voice networks are characterized by the
opening of a dedicated circuit where communications are transferred in "real time." Packet switched networks are a statistically-multiplexed environment where
communications are routed packet-by-packet, so that data is fragmented but delivered in near real time. In spite of these differences, packet switched data
networks can, with some limitations, enable real-time access to plaintext. The proposed alternative to key recovery provides customers with full-strength
encryption, while simultaneously enabling the dynamic creation of an access point that allows real-time interception of plaintext based upon the target's source
or destination, whether the product is located within an enterprise or at a service provider's premises.

Two Access Scenarios: Access in the Enterprise, and Access at a Service Provider's Premises

The access point concept is not a perfect solution for all products. For example, it does not easily apply to user-to-user desktop applications. However, it
does appear to offer a reasonable alternative to key recovery on many classes of network applications and platforms. Specifically, it is a viable approach to
access to plaintext for devices where the individual responsible for data creation/reception is not the same individual responsible for platform operation. Such
devices constitute a significant percentage of the available networked platforms, including firewalls, routers, switches and other networking devices.

Classes of Network Devices

            Self-managed
                              3rd party-managed
 Single-user
            Home PC
                              Enterprise desktop
                              Enterprise telephone
                              Set-top box
                              Service Provider VPN
                              Outsourced firewall
 Multi-user
            Enterprise network
            Enterprise server
            Multi-user workstation

Can provide access to plaintext without the end user's knowledge

Meeting Law Enforcement Requirements

In order to be exportable under the proposed Encryption Licensing Arrangements, networking encryption products must contain a management interface that
dynamically controls encryption by source and destination address, and by network protocol, to enable real-time access to selected network traffic prior to
encryption or after decryption. The operational characteristics of these products may be summarized below:

     a) A qualifying network encryption product must incorporate an encryption management interface that:
     i) is remotely accessible;
     ii) controls the encryption configuration of the platform;
     iii) configures encryption policy by source and destination network address;
     iv) enables a remote operator to modify the encryption configuration dynamically;
     v) enables the interception of network traffic between a specific source and destination either prior to encryption or after decryption at a defined access
     point;

     b) A qualifying network encryption product may:
     i) be hardware, software, or a combination of hardware and software;
     ii) encrypt any network protocol and/or at any network layer;
     iii) support any
          a) encryption algorithm
          b) key length
          c) key generation mechanism
          d) key management scheme;
     iv) be standalone, or integrated with other functions;
     v) be a single user, multi-user or infrastructure platform;
     vi) enable interception on the wire, on media (such as a hard disk), via a specialized communications port, or at another defined access point.

Two figures that illustrate how qualifying products may provide access to plaintext are set forth in Figures 1 and 2 of this paper.

Meeting Intelligence Community's Requirements

Current best operational practices are not widely understood by the public, and they may be compromised by the broad deployment of networking encryption
products, whether of US or of foreign manufacture. However, the possible loss of access to plaintext communications due to use of commercial cryptography
must be analyzed within the broader framework of advances in new technologies. As one eminent cryptographer testified before the Senate Judiciary
Subcommittee on Technology and the Law, "Advances in emitter identification, network penetration techniques, and the implementation of cryptanalytic or
crypto-diagnostic operations within intercept equipment are likely to provide more new sources of intelligence than are lost as a result of commercial use of
cryptography."5

In further recognition of and deference to the intelligence community's equities, industry is not requesting authorization to export products with key lengths
exceeding 56 bits to military end-users or for military end-uses, or to any government ministry, agency or department of the countries listed in "Tier 3" (as
defined for purposes of computer export controls). Exports of products exceeding 56 bits to these end-users would require a separate license issued by BXA
after full inter-agency review under applicable Executive Orders. The differences between the proposed ELA and export under License Exception KMI are
summarized in the chart below:

                 License Exception KMI
                                                        Proposed ELA
 Eligible Products
                 Key recovery products
                                                        Products providing access to plaintext at intermediate stations of the data network
 Territory
                 All except Cuba, Iran, Iraq, Libya, North Korea,
                 Sudan and Syria
                                                        Same as KMI
 Eligible End-users
                 All end-users are eligible
                                                        (1) All end-users are eligible for 56 bit products,
                                                        HOWEVER,
                                                        (2) Products exceeding 56 bits would not be eligible for government agencies and
                                                        military end-users in Tier 3 countries
 Duration
                 Indefinite
                                                        Three years, renewable in three year increments
 Reporting
                 Biannual
                                                        Same as KMI

                                                     Conclusion

This White Paper has defined a class of networking encryption products that should be authorized for export under appropriate Encryption Licensing
Arrangements. The operational characteristics of qualifying products ensure that law enforcement will continue to enjoy authorized real-time access to plaintext

References:
1. 61 FR 58767.
2. 61 FR 68572.
3. The Risk of Key Recovery, Key Escrow and Trusted Third Party Encryption,
H.Abelson et al. on June, 1998.
4. Threat and Vulnerability Model for Key Recovery (KR), NSA, X3
on February 18, 1998.
5. Key Escrow: Its Impact and Alternatives, testimony of Dr. Whitfield Diffie,
Distinguished Engineer, Sun Microsystems, Inc. before the Senate Judiciary
Subcommittee on Technology and Law on May 3, 1994.

Cisco Systems

Cisco Systems, Inc. (NASDAQ: CSCO) is the worldwide leader in networking for the Internet. News and information are available at
http://www.cisco.com.

For more information visit Cisco PR Contacts

All contents copyright © 1992--1998 Cisco Systems Inc. Important notices.
---------- end of "cut and paste" text ---------------

Jean-Francois Avon, B.Sc. Physics, Montreal, Canada
  DePompadour, Société d'Importation Ltée
     Limoges fine porcelain and french crystal
  JFA Technologies, R&D physicists & engineers
     Instrumentation & control, LabView programming
PGP keys: http://bs.mit.edu:8001/pks-toplev.html
PGP ID:C58ADD0D:529645E8205A8A5E F87CC86FAEFEF891
PGP ID:5B51964D:152ACCBCD4A481B0 254011193237822C