An EFF Online newsletter previously reported highlights from a list of questions submitted to the NIST/NSA regarding Clipper. That entire document is now available on ftp.eff.org in pub/EFF/legislation/clipper-answers. It makes reference to attachments on chip specifications that are not present in the text file. Overall, the document has rather numerous typographical errors for a government document, and it's unclear whether this is the result of the EFF scanning or whether they are in the original document. Also, at this point in the swift-moving arena, the responses are fairly dated, coming out long before the close of the expert review of the algorithm and a CSSPAB meeting at the end of July. Items in this review of the Clipper comments: - encryption regulation - constitutionality - Mycotronx, VLSI rationale, history of Clipper - Presidential directive & review procedure - key escrow in software - history of Skipjack - identification information in key escrow databases - notes on wiretap protocol - NSA cryptographic control wish list - Capstone capabilities - policy review - Clipper: a status report Encryption Regulation --- The major revelation in this document as reported here previously is the statement that the Administration has progressed far enough in the `policy review' to determine that `regulating private encryption' would be `imprudent' and `drastic' and that no new legilsation will be proposed to `limituse of encryption technology'. Unfortunately, in the characteristically maddening bureacratic doublespeak of the NSA, the previous statements suggest that this is the case only `because these measures may be sufficient to make key escrow encryption [widespread]'. Nevertheless the statement is extremely significant given various ominous sound bites in the media that suggested very clearly that cryptographic regulation was definitely `on the table' for consideration. Constitutionality --- The other major revelations as reported in the EFF document are the explicit attention to constitutional issues. However, the response is not very meaningful except to deny that any are relevant. In particular, it does not indicate the constitutionality of any enforcement or regulation in the area.

The key escrow technology only ensures that government agencies, will be able to decrypt intercepted communications when lawfully authorized. It neither expands nor contracts federal, state or local law enforcement authority to access and decrypt communications. The key escrow technology simply assures the continued feasibility of lawful electronic surveillance under statutes that have long since been determined to be constitutional.

Mostly the document is just a reformulation of the following idea in various ways:

it became clear that a strategy was needed that could accommodate the needs of the private sector for top notch communications security; of U.S. industry to remain competitive in the world's secure communications market; and of U.S. law enforcement to conduct lawfully-authorized electronic surveillance.

Clearly, the writers' favorite words are `authorized' and `lawful' and here we are doubly reassured. Mycotronx, VLSI --- Here are a few other significant details in the response. For the first time there is official confirmation that the proposal goes back far previous to the Clinton administration:

The logic design contract for the microcircuit was awarded to MYKOTRONIX, Inc. of Torrance, California, in late 1991

Mykotronx was chosen because:

This company provided a unique combination of (i) expertise to quickly design custom cryptographic chips, (ii) secure facilities, and (iii) the cleared personnel (At the TOP SECRET level) necessary for the successful execution of the contract requirements.

Which makes me wonder. Has anyone with any serious sway in the NSA noticed the stolen Mycotronx documents yet? I would love to see the response to an FOIA inquiry on this one. Do they care? Did any heads roll at Mycotronx?

VLSI Technology of San Jose, California, was chosen as the chip foundry based primarily on its technological capabilities to fabricate microcircuits resistant to reverse engineering Selection of the vendors was in accordance with U.S. government rules for sole source procurement. other manufacturers that wish to enter the market and can satisfy the technology and security requirements will be approved to manufacture these microcircuits.

Here we have the highly implausible suggestion that other companies will be considered to manufacture the microcircuits. Fat chance. Presidential Directive --- The document gives more detail about the Presidential Review Directive and Presidential Decision Directive behind Clipper.

The PRD called for interagency studies examining a number of issues including, for example, the impact of the key escrow strategy and the feasibility of implementing the key escrow technique in software. Another issue to be addressed in the course of the review is the impact of advanced telecommunications on law enforcement. While analogous in the sense that both encryption and advanced telecommunications technology can impede the effectiveness of authorized law enforcement electronic surveillance, the two technologies present different issues and are being treated separately. The results of the reviews are expected early this fall.

Hence, the `feasibility of implementing the key escrow technique in software' is `under review.' Later in the document, we have the point:

Because software is easy to change, secure software implementations of the key escrow technique have been difficult to devise. We would welcome the participation of the software industry in a cooperative effort to meet this technical challenge. of course, users may continue to use existing software encryption products.

I don't recommend cooperating with the NSA in trying to devise `secure software' -- first of all, the suggestion that they will even have `security' in chip hardware is a fantasy and illusion; secondly, software is inherently free and unchained and nothing the NSA invents can ever change that; thirdly, cooperating with the NSA can be hazardous to one's economic health; and finally, probably no one in the NSA seriously believes that secure software implementations are possible, and are just throwing this out for cynical effect. Skipjack --- Information on SKIPJACK, confirming suggestions by some (e.g. A. Walker on sci.crypt) that the algorithm is based on earlier defense-oriented schemes in a long line of development:

Was the encryption algorithm specifically designed for the key escrow initiative?

No. The algorithm chosen for the key escrow microcircuit was originally developed by NSA for use in U.S. government communications systems, albeit not in the management of our nuclear arsenal as some have speculated. Essentially the same cryptographic technology was under government development and analysis for more than ten years. Although NSA does not comment on the details of its design and analysis, the algorithm has undergone intense expert scrutiny comparable to that used in the analysis of cryptography intended for classified government systems. While the algorithm was originally developed for unclassified defense systems, it will be considered for certain classified applications in the future.

Key Escrow Databases --- What about identification associated with keys in the databases? The NSA is in a catch-22 here. If there is nothing but serial numbers in a database, how do the key escrow agencies ensure that key IDs requested for wiretapping are associated with the given entities named in warrants? If they are present, how could such a scheme be maintained in anything other than an Orwellian Totalitarian Dystopia? The following is the first explicit commitment to total lack of identification information in the databases:

Some have expressed concerns that personal information could be contained in the key escrow databases. The only information held by a key escrow agent will be the chip serial numbers and the key component associated with that number. Since the information in the key escrow databases will not be associated with any particular individual, the database would be of no use in identifying individuals or otherwise obtaining personal information about them. Therefore, a key escrow agent will have no information about the person owning or using equipment containing a microcircuit for which it holds keys. Requests for a key component will be for a particular chip identification number. No information regarding the identity of the target of the authorized electronic surveillance will be provided to the key escrow agents.

Wiretap Protocol --- Interestingly, they say that when a wiretapped device is moved to a new phone number, they don't have the authority to tap it any longer:

If the subject of A surveillance were to move the device to another location (and another telephone number), law enforcement authorities could not legally monitor communications at other locations. This is because, as noted above, electronic surveillance of wire or electronic communications must be directed at some identifiable telephone, cellular telephone, or computer facility. Therefore, before law enforcement authorities can legally monitor any other telephone number in an effort to locate the subject's encryption device, they must first satisfy a court that there is probable cause to believe that illegal communications will occur over that line.

Major criticism is based on the fact that once a given key has been released, a phone is forever in the future insecure. For the first time we have the assurance

As added protection, law enforcement will have access to a key only so long as it has authority to conduct a surveillance. Systems are being designed to ensure that keys are destroyed when the authority to conduct a particular electronic surveillance has expired.

NSA wish list --- We get a wish list of realms in which the NSA would like to control domestic cryptography:

Concerns have been expressed about use of this key escrow technology and these chips, in particular, across the panoply of new emerging technologies, such as ISDN, TDMA, Cellular, CDMA Cellular, ATM, SONET, SMDS, etc.

Don't forget PEM -- D.D. gets really excited about that one.

It impossible to design key escrow encryption techniques that are almost totally transparent to the system, given the transmission media together with its propagation characteristics. Optimally, the system should be designed with the encryption, if possible. The government intends to work cooperatively with industry toward this end.

Yes, just what every cryptography company wants, their personal NSA consultant breathing down their circuits. Capstone Capabilities --- Here's some notes on Capstone. Most capabilities also indicated by D.D. in her writings:

In addition to the key escrow technology contained in the encryption-only chip, the enhanced chip also includes a Digital Signature Algorithm proposed by NIST as a FIPS; a Secure Hashing Algorithm (SHA) recently approved as FIPS 180; a Key Exchange Algorithm based on a public key exchange, a general purpose exponentiation algorithm; and a general purpose, random number generator which uses a pure noise source. This chip is now being considered for installation in PCMCIA electronic cards and for use in the Defense Messaging System.

Personally, I wonder if the NSA intends to phase out Clipper from the beginning. The implementation could encrypt the law enforcement field under that more low-level chip. The Capstone chip will be the NSA's little `black box' miracle in every machine. Policy Review --- Finally, there are the indications that the `policy review' done in the Fall will cover the exportability of key escrow and the future cryptographic export control policy in the country concerning `marketability and foreign competition'. While everyone is desperate for a breakthrough here, the likely announcement will be that `no export restrictions will be placed on Clipper' and since the technology is completely suitable for all cryptographic applications (smirk) no other cryptographic devices will be approved for export. That's my guess, anyway. Clipper: a status report --- Current progress report on Clipper: the most serious hurdles for the NSA right now are imposing the Clipper FIPS standard and the DSA patent arrangement with PKP. The NSA has long demonstrated its complete obliviousness and imperviousness to public opinion no matter how loud or negative (consider early DSS endorsement). However, for the previous two standards, it has reached unprecedentedly screeching levels. The government will find it *extremely* difficult to go ahead with either in the face of almost uniformly hostile reception to both. Doing so is likely to raise a much larger outcry and warrant more desperate approaches on the side of the opposition (ala Zimmermann's `guerilla cryptography'). The future revelations in the DSS, Clipper, and `policy review' topics will be critical in indicating whether the NSA will take a more low-key and unobtrusive stance in regulation of domestic cryptography, with the original Clipper announcment its boldest step ever, or whether it will become even more paranoid and volatile in attempting to control and strangle natural, evolving domestic cryptographic developments. If you value your freedom, pray for the former.