Hey guys, I think someone has been listening:

---------------------------------------------------

Communications Daily
April 30, 1993, Friday

Immunity Needed; MARKEY PANEL SEES DARK SIDE OF ELECTRONIC FRONTIER

Legislative intent met reality of technology Thurs. one-on-one before House Telecom Subcommittee. It was no contest: Technology won in seconds, on a knockout.

Last year, Congress, concerned about cellular phone users' privacy, passed legislation outlawing scanners that pick up cellular channels, and last week FCC issued rules banning those scanners (CD April 23 p2). At hearing on privacy, computer cracking and related topics, it took San Diego Supercenter Center scientist Tsutomu Shimomura about 2 min. to take new cellular phone out of its box, turn it on and set device to test mode -- thus turning it into scanner that enabled those in House hearing room to hear snatches of live cellular conversations.

Shimomura needed congressional immunity to conduct demonstration, which otherwise would have been illegal. FBI special agent was standing by to make sure no other laws were broken, as could have happened in technology demonstration.

Event was practical demonstration of what Subcommittee Chmn. Markey (D-Mass.) called "the 'sinister side' to cyberspace." John Gage, dir. of science office of Sun Microsystems, who orchestrated that and other demonstrations that turned Rayburn Bldg. hearing room into media lab with HDTV setup, computers and other devices, held up phone and said that, in effect, legislation passed by Congress "has banned all cellular telephones in the United States."

Gage said: "It's not safe to talk on a cellular phone." With right screwdriver and little adaptation, scanning capabilities of cellular phones can be made more impressive, he said. He said that cellular phones are little more than "good radios and terrible computers" that are designed to be scanners, because that's how cellular radios keep users in touch with switches.

In moving products quickly to market, cellular manufacturers didn't want to spend money or take time to worry about privacy concerns or consider encryption technology, Gage said.

Gage's general theme was that move to digital world posed challenges for policy-makers and for industry. He said KPIX San Francisco planned to store newscasts in computer in digital form for sound and pictures, to be made available over high-speed network in Bay area and over Internet, to be played back via computers whenever anyone called it up. What will that development do to concept of TV stations or networks? "There's no way to stop digital technology." Even as he spoke, Gage's equipment was transmitting images and sound from hearing room to Internet.

Gage said export laws prohibit selling abroad of particular encryption computer programs. Yet he showed panel text of computer program pulled off Internet, from Finland, of prohibited source code for Data Encryption Standard (DES) used by U.S. govt. In that case, law wasn't broken because program was imported, not exported. Adding comma to code would route program to Moscow, Gage said, so he didn't add it because there was no immunity. Also set up in room was satellite hookup to Moscow using small earth station made by KGB, which was in contact with Russian satellite.

Subcommittee members were impressed and dismayed. Rep. Tauzin (D-La.) asked what Congress could do to keep up with technology. Gage said it should stick to general principles and forget about legislating against specific technologies. He said that one solution for Digital Age was encryption, and that federal govt. should take lead, not by endorsing specific technology such as Clipper Chip (CD April 19 p2) that fits into telephones, fax machines, other devices. In reply to question from Rep. Boucher (D-Va.), Gage said federal govt. should support research on encryption.

Following Gage's demonstration, Raymond Kammer, acting dir. of National Institute for Standards & Technology (NIST), defended govt. support for Clipper Chip and for DES standard. He said it would take powerful Cray supercomputer more than 200 years to solve DES key, and more than billion years to crack one Clipper Chip encryption key. Under Administration plan, users would have one key to chip and federal govt. would have other. Kammer endorsed plan as balance between law enforcement needs and privacy concerns. In April 28 letter to Markey in response to April 19 letter from chmn., Kammer said Clipper Chip technology has no "trap door" that could allow govt. to crack encryption code and said code would be offered to experts for evaluation. He wasn't asked for comment on Gage's demonstration.

Fordham U. law Prof. Joel Reidenberg called for federal board that would set series of "fair information practices," as well as Data Protection Board for specific information standards. N.J. state investigator John Lucich warned of harm that comes from cracking of private business telephone and voice mail services and said sophistication of law enforcement is increasing. Science fiction author Bruce Sterling, who also wrote nonfiction book on govt. crackdown on computer hackers, testified about future issues.

Hearing was first in series on privacy, computer and telecommunications issues. Others will examine automatic number identification, selling of marketing information, related topics.

--------------------------------------------------------

CommunicationsWeek
April 26, 1993

Encryption Policy Spurs Concern

SHARON FISHER

WASHINGTON

Members of the networking and security community have expressed concern that a new government policy on data encryption may restrict the use of the technology.

The White House earlier this month called for the implementation of a special encryption chip that offers a "back door" for decryption by federal law enforcement agencies.

The chip uses a secret algorithm called "Skipjack" that prevents users from encoding data in such a way that it cannot be read by law enforcement officials. Under the new policy, electronic keys will be stored in two "escrow" locations for release to law enforcement organizations that have been warranted to wiretap and decrypt voice transmissions. The escrow locations have not been named.

The encryption chip was initially called the Clipper chip, but the government has received complaints from Intergraph Corp., which holds a registered trademark on a product called Clipper chip, according to John Droge, vice president of program development for Mykotronx Inc., Torrance, Calif., which developed the chip. "We call it the MYK-78," he said.

AT&T has already announced a device based on the chip that attaches to a telephone to let users encrypt telephone calls. The AT&T Telephone Security Device will cost around $1,195 and will be available at the end of the second quarter.

In addition, Mykotronx is working on a more complex chip, called the Capstone or MYK-80, that adds a key exchange algorithm, digital signature standard and other technologies to the MYK-78, Droge said. Key exchange lets two devices agree on a common encryption key; digital signature is a way to guarantee the identity of the originator of the message.

Industry members expressed concern that the federal government's policy review on encryption, privacy protection and law enforcement could result in further changes or restrictions to communications technology. The review is taking place under a classified Presidential directive that does not publicly state its exact scope or procedure.

The review, which will be managed and directed by the National Security Council, calls for an interim report by the end of June and a final report in late August or early September, said Lynn McNulty, associate director for computer security for the National Institute of Standards and Technology, Gaithersburg, Md.

Many members of the encryption community are concerned that a policy review might result in restrictions on encryption technology already in use. There are currently no restrictions in the United States on the use of encryption technology.

"Why (else) would the government go through all this time and trouble and expense to do this?" said Jim Bidzos, president of RSA Data Security Inc., a Redwood City, Calif., company that licenses encryption and key technology to vendors such as Apple Computer Inc., Lotus Development Corp. and Novell Inc.

"I'm not sure anybody has a complaint with the FBI wanting to wiretap with a legitimate court order, but when the FBI says it's so important that we need to force a new communications system on the country, I have a problem with that," Bidzos said. "I am afraid, from the FBI's viewpoint, if this is the solution, how can it work unless you eliminate the other kinds of use?"

But McNulty said such an expanded policy was not likely. "Those concerns are not well-founded," he said, though he said the issue probably will be addressed in the policy review. "I don't think in our society that people would accept that restriction on their technology and freedoms. It's absolutely the last recommendation that would be made."

-----------------------------------------------------

CommunicationsWeek
April 26, 1993

Editor's View; WHAT GOOD IS SECURITY IF IT MAKES US INSECURE?

The federal government, under the guise of President Clinton's new Public Encryption Management directive, promises to improve the security and privacy of communications systems. The directive is likely, however, to result in the eventual disappearance of private encryption and the erosion of personal freedom.

The directive was announced two weeks ago by the White House and the National Institute of Standards and Technology. It requests suppliers of communications equipment to base encryption on the "Clipper Chip," a microcircuit developed by the National Security Agency.

The Clipper Chip will be manufactured by Mykotronx Inc., a military contractor in Torrance, Calif. An 80-bit, split-key escrowed encryption scheme used to lock and unlock data transmissions will be built into each chip. The encryption scheme will also be kept in a "key-escrow" database monitored by two independent government agencies.

Unlike effective public encryption techniques, such as RSA Data Security's triple-Data Encryption Standard (DES), which are available for analysis and testing, the Clipper Chip's key algorithm will not be released to the public.

Based on explanations provided in official documents, it seems that the government doesn't care about improving secure communications. Reliable encryption already exists. Indeed, in the view of agencies like the NSA, standards such as DES are too good because they are hard to crack.

Clinton's directive has only one real agenda -- to make it easier for government agencies to snoop on private communications. Keys will be made available to government agencies who request access in the same manner that Federal judges grant telephone taps.

The initiative hides behind the excuse of creating means to monitor "terrorists, drug dealers, and other criminals." This isn't the first time that the government has proposed an authoritarian scheme that goes after a few peoples' crimes while stomping on the majority's civil liberties.

Public scrutiny helps to pinpoint weaknesses and allow technical refinement. In this case, we're being asked to trust the government, a notion that rubs most rational people the wrong way. Congress passed the Computer Security Act in 1987 to open the development of non-military computer security standards to public scrutiny to limit -- not expand -- the NSA's role in their development.

The directive makes no mention of a particular communication session's key-escrow. Once your keys have been released, all past and future traffic is open to examination.

The administration said it would not prohibit private encryption, "nor is the U.S. saying that every American, as a matter of right, is entitled to an unbreakable commercial encryption product."

If the program succeeds, it probably will drive private encryption vendors out of the marketplace. Commercial encryption products already provide excellent network security.

Contact the White House and let policy-makers know that we appreciate their concern about crime control, but prefer that the government stay out of the security-control business.

Send your reactions to DBUERGER on MCI Mail, DBUERGERCUP.PORTAL.COM on the Internet or by fax, 516-562-5055.

----------------------------------------------------

Network World
April 26, 1993

NSA has public-key chip to complement Clipper Chip; Uses same controversial key escrow system.

By Ellen Messmer, Senior Correspondent

WASHINGTON, D.C.

The algorithm developed by the National Security Agency (NSA) for use with the government's newly proposed Clipper Chip private-key encryption system will also show up in Capstone, a chip for public-key encryption, Network World has learned.

Like Clipper Chip, Capstone will use a key escrow system that will enable the government to eavesdrop on encrypted information. Vendors of Capstone-based encryption products will have to register decryption keys with a federal agency that other agencies can retrieve through legal means.

Although Capstone has not been publicly announced, it is at the heart of the encryption system that is to be used in the upcoming Defense Message System (DMS) (see story, p.1).

With the public-key Capstone system, one key is made public, while another is kept secret; the message recipient and sender do not have to exchange keys as they do in private-key systems such as the Data Encryption Standard and Clipper Chip. With Capstone, key management is much simpler.

Clipper Chip, for example, enables users to encrypt electronic documents before sending them to the intended recipient, but the recipient must have received the sender's secret key beforehand in order to decrypt the document.

In addition, Capstone will provide the electronic digital signature for "signing" documents electronically, something private-key systems cannot do.

Mykotronx, Inc., the Torrance, Calif., firm that designed Clipper Chip, is also supplying the Capstone chipset. John Droge, vice president of marketing at Mykotronx, an authorized NSA Communications Security vendor, said the firm has already shipped 10,000 Capstone and 20,000 Clipper Chip chipsets.

The NSA intends to equip military users of the DMS with cryptocards -- dubbed Tessera cards -- containing the Capstone chips so users can enter and activate the public-key encryption and signing features.

The Tessera cards are based on the new industry standard PCMCIA, named after the Personal Computer Memory Card International Association, which created the standard. Mykotronx is currently the sole Tessera card supplier.

Last week, the NSA acknowledged that the private-key algorithm to be used with Capstone in the DMS is the same as that used in Clipper Chip.

"The [DMS] Type 2 algorithm is the same as the Clipper Chip announced by the Clinton administration," said John Nagengast, chief of strategic systems at the NSA, speaking last week at the Information Systems Security Association's trade show CardTech/SecureTech in Arlington, Va. "It will enable us to go across the government with a common algorithm."

User reaction

The key escrow concept behind both Clipper Chip and Capstone has left many users and vendors worried.

Sandra Lambert, vice president of information security at Citibank, N.A., and Samuel Epstein, president of Racal-Guardata, Inc., said the key escrow system raises the issue of security vulnerability, which could result from a break-in at the site where the escrow keys will be stored.

The Electronic Frontier Foundation (EFF), a public advocacy group based here, has taken the position that the public should not have to rely on the government as the sole source for encryption chips.

Last week, the EFF began pulling together a coalition of vendors and users under the banner of its Digital Privacy and Security Working Group to address the issues raised by Clipper Chip. AT&T, which announced that it would include Clipper Chip in its Secure Telephone Device, will participate in the EFF forum.

Government sources last week said AT&T rushed out with its Clipper Chip announcement because the Department of Justice wants to purchase AT&T telephone security devices with Clipper Chip.

Last week, AT&T said it based its decision to include the Clipper Chip chipset on faith rather than knowledge. "We've told the government there's a need to establish the credibility of the standard," said Mike Agee, marketing manager for secure products at AT&T.

Although publication of the Clipper Chip specification would not compromise the effectiveness of the algorithm, the NSA said it intends to keep the algorithm secret.

"The plan is we would share it with academia on a limited basis," Nagengast said. "I don't believe it's ever intended to be published."