Here are my raw, unedited, incomplete, and not to be trusted, notes from the SAFE meeting, July 1, 1996, at Stanford. (ps. thanks to the folk who did an amazing amount of work to put this on.) burns: fbi, cia, nsa presented to senate/congress: said nothing that wasn't already in public record (newspapers) telia (Swedish Telecom) representative (Mattias Soederholm) -- can't import strong encryption as NSA claims it would harass company. doesn't like having to tell customers that USA will read their mail. Whit Diffie - nuclear non-proliferation: proliferation of crypto does more good than harm: make sure that weapons are under your control: extensive development since Kennedy administration. Positive control over nuclear weapon: crypto. ---- Technical panel ---- whit diffie, eric thompson (forced decryption, fbi is a client), bruce schneier, tom parenty (sybase), matt blaze. We came to discuss policics, but were charged with discussing technology. key lengths -- too much jargon. question is work factor: how much work to break system. public keys used only for signatures; actual encryption uses "normal" crypto. 40 bits == 2^40 operations to get a key. First: two different points of view: security officer: every message must be secure, even against strong opponent. intelligence agency wants to read every message. 30, 60, 90, 120. 2^30 == one billion. any pc can recover any key. billion billion == des. very clear that can do it, not easy, however. 90 bits billion billion billion. won't be do-able in lifetime of business personal data. 120 bits can't be do-able in forseeable future. but, point of view of an intercept organization; meet in the middle? won't satisfy either party's interest. 40 bit can be exported. last year, demonstrated that can break 40 bit keys. Takes on order of few weeks to a month of Sun workstations. intercept device spends most of its time deciding whether to record data. has a fraction of a second to look at a message, 40 bits too large for intercept on that basis. eric thompson. access data. cryptanalysis -- break codes, build hardware to aid in this. specialize in defining parts and pieces to break e.g., rc40 amd2905 chips on a board breaks in $8,400 engineering cost. Sell under $20,000. little company, not well-funded government agency. des fpga about $1M/7 days per key. off the shelf design using 5 year old chips. what's realistic to expect the nsa, fbi can do? bruce schneier: foreign crypto. is it any good? yes. more done outside usa than inside. many countries asia, europe, pacific have strong groups. algorithm conferences: 90% of papers from outside usa. hard to get funding in usa. more academic research overseas. products with more options. here, products are hamstrung by baggage: key length, escrow. other countries can write without restrictions. best products from former yugoslavian folk working in swedish university. usa corp's cant compete: no talent, government restrictions. losing our share of research, developement, products. as internet becomes ubiquitious, we lose market share. restrictions won't stop, will only hurt us. tom parenty; worked for NSA: "in God we trust, the rest we monitor." key escrow ineffective. can today buy over 500 products from 60 countries. no usa monopoly. www.cypto.com home page; list of pointers for our favorite foreign crypto products (for some value of "our" and some value of "favorite.") crypto controls don't keep crypto out of child pronographer hands. keeps out of hands of legitimate individuals and corporations. criminal, terrorist, can layer foreign crypto on anything usa gov't does. will give protection. moral equiv of wiretaps? no! criminals: criminals talk to criminals, criminals talk to rest of world. crim to crim: use strong crypto. crim to airline, car rental, hotel: can go to airline etc. and subpeona their records: crypto buys nothing for wiretap. solve crimes, prevent crimes? would key escrow prevent oklahoma bombing? but without strong crypto, foreigner working outside usa can take plane down, grab medical records. etc., by hacking insecure networks. matt blaze: key escrow. ignore politics; doesn't make technical sense. fundamental flaws software engineering can't technically solve in a sensible way. first: enormous increase of engineering complexity. difficult to design even simply secure (alice, bob, eve + detective dorothy) system engineering. key escrow makes this even more difficult. engineering problem is too complex. classified world not far ahead of unclassified: blaze discovered protocol failure in clipper chip design -- can circumvent escrow field, can forge messages. reason failures occur not because nsa incompetent, but because problem is extremely difficult. second fundamental problem: operating key escrow center economically and technically difficult. 24/7/365, 2 hour response to law enforcement request. key escrow doesn't distinguish between comm key, data storage keys, and signature keys. releasing latter may be devistating. --- diffie: if you collect data; it will be used (census data used to round up Japanese in California, Jews in Germany, Holland, Denmark). schneier: data harvesting: insurance company wants to know who filled perscription for AZT. crpyto prevents against non-invasive attack; not against fbi entering house to install bugs. diffie: crypto requirements of bad people: terrorists need tight-knit, unified in purpose. tools to secure communication are readily available "closed crypto." ordinary folk need open crypto; delayed by government restrictions. --- legal issues: ken bass: counsel for telecom policy: national security? non-escrowed strong encryption? balance? costs? what are they, what do we lose? escrow born by nsa mission. didn't hear law enforcement concerns initially; now nsa stands behind shield of fbi. nsa/fbi has created arms race among cryptographers. most people would have been happy with des, which nsa can probably break, but not others. nsa discovered it was doing itself great damage by pursuing export controls: but biggest danger to nsa is explosion of protocols, routings, etc. nsa wants to read everything to see what it wants to look at. fbi, however, knows what it wants to see. nsa knows that crypto puts it out of business. nsa needs to preserve fiction of crypto (i.e, that they can read, but you think they can't). fbi wants to preserve status quo. law enforcement can't undertake survelience until it knows who the target is. don't need crypto to find crooks. needed only after you know who the crooks are. fbi foolish to try to convince us that crypto (escrow) is golden bullet of law enforcement. why does fbi need to have crypto to monitor people for whom they already have probable cause (that they need in order to get warrant to wiretap). jim lucire: americans for tax reform. IRS doesn't follow constitutional protections. barry steinhardt (ACLU). law enforcement concerned to preserve its wiretap capability. wiretap happy administration. set records for number of wiretaps (both in criminal and national security). law requiring wiretap capability in telecom infrastructure. additional crimes where wiretap allowed. Janet Reno: four challenges -- threat that encryption poses to law enforcement; ability to search for stored information. wiretapping. why does aclu find it so odious. fourth amendement "particularized suspicion" -- government must have a reason to search you. wiretapping is a "generalized search." in 1970's, 50% of wiretaps produced useful information. now 17% reveal useful info. warrant to search 100 homes to find criminal info in 17 homes? ability to continue wiretapping is in question. what is cost to individuals who are wiretapped? cindy cohn, lawyer: export problems with ITAR: scientists lose. bernstein case (can export crypto research): export rules squelch discussion and reseach: first amendment; right of people to talk about science, art, literature; not just politics. broadness: IATR is overlly broad. defines export to prevent publication. prevents export to "ordinary" people, but only intended to prevent export to terrorist. procedural problems: no hard boundaries. barbara simons (acm) -- copyright? net community suprised when CDA was passed. major voices heard are those of lobbiests; not technology focus; focussed only on their lobby-needs. monitor net? only to preserve copyright. goals will work only if you shut down the net. copyright legislation makes illegal to manufacture device to violate copyright (camera? vcr?) john gilmore (eff): can we trust the courts? won't be won on a single front: need to keep pressure up. "for purposes of first amendment analysis, court finds that source code is speech." will go to supreme court. need help from legislature. want to bring light into export control process. want to have clear rules so you can read rules, build product and export it. michael froomkin (law school, univ of miami): legal status of privacy? can't count on courts. don't take wait and see attitude. wiretap still has some value. Legal status of no export has been successful: no strong crypto in w/95. ken bass question: froomkin: crypto is a constitutional right (200 pages). very few nsa cases; mostly 4th amendment ('drug exception to constituion). korn case, bernstein case. briefs in cases required reading for congress (first amendment). crypto useful to protect free speech (Phil Zimmerman talked about human rights people in Burma who use PGP to protect their messages from government.) [representative zoe lofgren (Dem CA) -- someone proposed 4th amendment in congressional debate amending criminal law. Defeated on party lines.] implication for information sharing between cia/fbi/nsa with foreign intelligence agency? guatamala tragedy example of problem. the dumb criminal theory? blow up buildings with trucks they rent in their own names. --- With apologies for incoherence, errors, and incompleteness --- Martin Minow minow@apple.com