CSSPAB meeting of September 1 and 2.
I'm sorry that this is so late, but I got backed up doing too many other things. Feel free to go to the anonymous mailers and post sarcastic remarks, straightforward discussions or other comments. --Peter

-----------------------

Here's my report from what I saw attending the Computer System Security and Privacy Advisory Board meeting on September 1st and 2nd in Baltimore, MD. This group is a Congressionally chartered organization with the responsibility to render advice on questions of cryptography and computer security. Its members are made up of people from government and industry. One member must be a representative from the National Security Agency.

The meeting this time was at the Hyatt in Baltimore and there were several differences between this meeting and the last two, which were held at the National Institute of Standards and Technology in Gaithersburg, MD. First, there were coffee, juice and doughnuts available in the morning. Second, I did not notice any recording devices or stenographers keeping track of what was said. Previous meetings at NIST had been both video and audio taped.

There were two major parts to the meeting: 1) listening to presentations from a variety of different people and 2) debating resolutions about the government's proposed Key Escrow standard. I attended most of the presentations, but I skipped most of the debate about the resolutions. The remarks that follow are basically my personal recollections.

The most interesting bit of information I learned on the first day concerned a software version of the Key Escrow system. The strongest and least controversial arguments against deploying it all revolve around the fact that the proposed chips we've seen so far are all based in hardware. Adding an additional chip to computers and phones costs money ($25-100), adds weight (bad for portable phones) and increases power consumption. None of these are desirable attributes.
More importantly, a hardware standard is not very flexible and the nation's entire computer system could be compromised for 6 months to a year if the key escrow agents went bad. That's my estimate for the amount of time it would take us to replace all the chips.

NIST, in recognition of these facts, has announced a "Cooperative Research and Development" plan (called CRADA -- the "A" might stand for agreement). This would allow members of industry and academia to join together with NIST and the NSA to try and discover a good, software-based Key Escrow scheme. Ray Bonner, deputy director of NIST, discussed the plan and said that he wasn't sure that it would lead to anything but that it was worth a try. He also said that we should keep a copy of the Federal Register containing the announcement (Vol 58, #162, Tues, Aug 24 1993, pg 44662) because it could be the only CRADA ever involving the NSA. It could become a collector's item. If anyone is interested in getting involved with this project, they should call Dennis Branstad at NIST (301-975-2913).

To me, it seems like it is easy to accomplish a key escrow plan in software. It just depends how many features you want to add. A simple method is to encrypt the session key with the government's public key(s) and append this in a LEAF. If the cops wanted to listen in, they could decrypt the LEAF using the private key(s) that would be kept by the escrow agency. Naturally, this could be compromised if the keys got out. More sophisticated methods could involve a three-way Diffie-Hellman key exchange at the start of each conversation on the phone system. Or the government might want to explore Silvio Micali's work at MIT. It would also be possible to use Gus Simmons's subliminal channels to implement a signature/escrow scheme. The LEAF would be a DSS signature and the session key would be held in the subliminal channel.
The other half of the conversation would be able to verify that the LEAF was there and the conversation was authentic, and the LE people could get the key if they so desired. (This could be easily broken. I can't remember the details of Simmons's solution at this moment.) There are several other answers that come to mind.

The traditional objections to software implementations of the Key Escrow plan are (1) easy tamperability and (2) publication of NSA secrets. While software may be easier to change, people have also proposed very simple ways to circumvent Clipper. If both halves of the conversation coordinate themselves beforehand, any amount of duplicity is possible whether or not a hardware chip is part of the standard. It is possible to super-encrypt the entire data stream in software and the LEAF would be foiled. It doesn't seem as if there is that much difference on a relative scale.

The critical problem to developing a software key escrow system is finding a way to prevent a modified piece of software from working with an unmodified piece of software. This would stop people from establishing links without prior arrangements for extra security. I believe that it may be possible to do this using two different types of LEAFs and shifting session keys every so often.

Of course, sending out a software version of an algorithm will leak information from the NSA -- something that really worries them. But the CRADA says that the NSA will work on the software Key Escrow plan on a completely unclassified basis. People on the CSSPAB made light of the strangeness of all of this.

Other Presentations

Most of the rest of the meeting was devoted to people not saying anything on purpose. The plan to give the DSS to the RSA to resolve patent differences and give the nation a standard has not generated any new facts. Mike Rubin, the lawyer in charge, was not at the meeting and he is apparently processing the public comments as I write.
Some summarized the comments as uniformly stating, "Free is good, paying is bad."

A group of computer scientists from NIST came to discuss their plan for the Federal Criteria for secure systems and the new "Common Criteria" that may emerge. This is an updated version of the old Orange Book classification scheme of C2 and B1 and stuff like that. The scientists said the draft is being finished but it isn't ready for release. But now, they're working on "Something Better." This is a new plan to standardize the grading of secure systems with other countries and evolve a "Common Criteria." In general, the board groused about the fact that the public and industry have never been invited to give comments during the process. The summary of this talk is: "We might be able to tell you something someday."

Geoff Greiveldinger took up a whole hour in the afternoon to tell us that it would be impolite for him to discuss the key escrow system with the CSSPAB before talking about it with Congress. He is the lawyer from the Justice Department responsible for setting up the system. Some members of the board mentioned that the board was chartered by Congress and so he could speak freely, but others refused to be so impolite as to question his polite excuse. He filled the hour with more descriptions of all of the restrictions that they place on wiretaps at the Justice Department.

Once again, I found myself wondering why they are going through so much trouble over something that just seems to cause them grief. The taps cost money. They divert manpower. Etc. Yet, the FBI and the rest of the community is willing to go through a full court press on this topic. The taps are essential in crime encapsulated in conversations (i.e. influence peddling, bribery). Perhaps those of us outside of government (sadly only 4 out of 5 people) should quit worrying about this topic.
The crimes we're likely to commit all involve action: grand theft auto, drunk driving, pickpocketing, murder, rape, illegal parking etc. No one really cares what we say. It's just if we _do_ something and violate a property right. Usually, members of the government are the ones who could break the law just by opening their mouths.

Some people from the Social Security Agency came to tell the board about the internal security procedures that they use to track down people inside the agency generating information for outsiders like private detectives. They routinely run sting operations where they call up information brokers and ask them to get a Social Security file for an individual. Then they watch for accesses to that record and flag the miscreant. One of the old hobbies at the agency was looking up the records of stars. (When your job is sitting around watching people get old, you've got to have something to do.) The agency keeps a watch list of the celebrities' real names and SS numbers. Special programs now watch for inquiries into these records.

A nice guy from ARPA (Steve Squires) came and showed us complicated slides representing the various factions at ARPA who are going about developing the National Information Infrastructure. It seemed to be more a polite introduction than a fact-based briefing about what might come out of Al Gore's dreams.

Dorothy Denning came to say that there was no final report from the outside team performing an outside review of the Clipper algorithm. In general, she said that the comments have been favorable to their work. Several members of the board questioned the independence of the review given that it was done at the NSA using NSA's computers and NSA's programmers. They also wondered about the depth of the review because it was apparent that Denning leaned heavily on the NSA's analysis.

The EFF and Clipper

The final presentation came from Jerry Berman from the EFF.
In reality, he was representing the "Digital Privacy and Security Working Group," which is a group of industry and political groups that have joined together to say something about Clipper. This was the last presentation of the meeting and it became sort of a climax because people kept saying, "We'll see what the EFF has to say." Their statement was simple. The group feels that it can accept Clipper if any participation in the key escrow program is completely voluntary. They proposed to test the administration's commitment to volunteerism by noting whether they relaxed export requirements.

To me, the statement was little more than a political gambit. All of the companies involved in the DPSWG really, really, really want export restrictions eased. So they offered their support for Clipper as a quid pro quo. Let us export anything (not just Clipper) and we'll support it. If you ask me, they shouldn't have been so bald about their horse trading, but then I'm not a regular in Washington log rolling. It should be possible to make a statement about Clipper without involving the other issue, but maybe it's a smart deal. The main members of the group are companies and the group had to standardize its message on what its members want.

The Debate

The rest of the meeting was centered around the debate on the board's resolution on Clipper. I missed most of this because it really seemed very petty. Most of the board wanted to say that the Clipper chip was a pain in the neck that wasn't worth the trouble but they couldn't come up with the right words. Is it "expensive", "more expensive than software", "more expensive than other alternatives", etc.? The fight seemed to break down between government employees and non-government employees. Those outside the government kept arguing for stronger language and those inside kept saying things like, "But expensive relative to what? We don't have any concrete cost estimates."
In the end, they passed resolutions that recorded reservations and a call for "public" debate on the topic, including a decision by Congress on the needs of key escrow.

If you have any questions about this summary, feel free to contact me at pcw@access.digex.com.

--Peter Wayner
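The software LEAF sketched in the post (session key encrypted to the escrow agency's public key, appended to the traffic, and checkable by the other half of the conversation), as an added worked example. This is not part of Peter's report and not code from NIST, the NSA or the CRADA; every design choice in it is my assumption: a toy 128-bit modp group generated at import time, an ElGamal-style wrap of the session key under the escrow public key, and a "family key" shared by all conforming implementations that keys an HMAC over the LEAF so the peer can verify a LEAF is present. The second scenario in run_call shows the problem the post calls critical: a modified sender that still holds the family key produces a LEAF that an unmodified peer accepts, while the escrow agency recovers a throwaway key rather than the real session key. Parameter sizes are for illustration only, not for security.

```python
# Added illustration of a software LEAF for key escrow.  Not NIST/NSA code.
# Assumptions: toy 128-bit modp group made at import time, ElGamal-style wrap
# of the session key to the escrow public key, and a shared "family key" that
# keys an HMAC over the LEAF.  Sizes are for illustration, not security.
import hashlib
import hmac
import secrets

KEY_LEN = 16   # session key bytes (toy choice)
MOD_LEN = 16   # bytes per group element; matches the 128-bit toy prime


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with a little trial division; fine for toy parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits):
    """p = 2q + 1 with p and q both prime, so g = 2 has large order mod p."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = _safe_prime(8 * MOD_LEN)   # toy modulus, regenerated on every run
G = 2


def escrow_keypair():
    """Escrow agency's long-term private exponent and public value g^e."""
    e = secrets.randbelow(P - 2) + 1
    return e, pow(G, e, P)


def _pad(shared):
    """Derive a one-time pad for the session key from a group element."""
    return hashlib.sha256(shared.to_bytes(MOD_LEN, "big")).digest()[:KEY_LEN]


def wrap_session_key(session_key, escrow_pub):
    """Encrypt the session key to the escrow public key: R = g^r || key XOR H(pub^r)."""
    r = secrets.randbelow(P - 2) + 1
    big_r = pow(G, r, P)
    pad = _pad(pow(escrow_pub, r, P))
    return big_r.to_bytes(MOD_LEN, "big") + bytes(a ^ b for a, b in zip(session_key, pad))


def escrow_unwrap(wrapped, escrow_priv):
    """Escrow agency recovers the key with its private exponent: pad = H(R^e)."""
    big_r = int.from_bytes(wrapped[:MOD_LEN], "big")
    pad = _pad(pow(big_r, escrow_priv, P))
    return bytes(a ^ b for a, b in zip(wrapped[MOD_LEN:], pad))


def build_leaf(session_key, escrow_pub, family_key):
    """LEAF = wrapped session key || HMAC(family_key, wrapped session key)."""
    wrapped = wrap_session_key(session_key, escrow_pub)
    return wrapped + hmac.new(family_key, wrapped, "sha256").digest()


def verify_leaf(leaf, family_key):
    """Peer's check: a LEAF is present and was made by software holding the
    family key.  The peer cannot see which key is inside the wrapped part."""
    wrapped, tag = leaf[:MOD_LEN + KEY_LEN], leaf[MOD_LEN + KEY_LEN:]
    return hmac.compare_digest(tag, hmac.new(family_key, wrapped, "sha256").digest())


def run_call(sender_modified=False):
    """One call.  A modified sender still has the family key but escrows a
    throwaway key instead of the real session key (the post's critical problem)."""
    family_key = secrets.token_bytes(32)          # constructed shared secret
    escrow_priv, escrow_pub = escrow_keypair()
    session_key = secrets.token_bytes(KEY_LEN)    # stands in for a DH-agreed key
    escrowed = secrets.token_bytes(KEY_LEN) if sender_modified else session_key
    leaf = build_leaf(escrowed, escrow_pub, family_key)
    recovered = escrow_unwrap(leaf[:MOD_LEN + KEY_LEN], escrow_priv)
    return {
        "peer_accepts": verify_leaf(leaf, family_key),
        "escrow_recovers_real_key": recovered == session_key,
    }


if __name__ == "__main__":
    print("conforming sender:", run_call())
    print("modified sender:  ", run_call(sender_modified=True))
```

The HMAC only proves that whoever built the LEAF held the family key; it says nothing about whether the wrapped value is the key actually protecting the call, which is exactly why a modified sender passes the peer's check. Closing that gap (so that a modified sender cannot interoperate with an unmodified receiver) needs the receiver to bind its own traffic key to the escrowed one, which is the open design problem the post describes.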