Info Security News Volume 4, Number 5 September/October 1993 page 14 --- D.C. Dateline --- New Crypto Standards in Contention by Charlotte Adams Experts are hotly debating the Clipper initiative, a plan to standardize on a voice-encryption device with built-in law-enforcement access. Although de facto or mandatory acceptance of Clipper or similar hardware now seems remote, the potential cost of such action makes it worth considering. The rationale for Clipper was to maintain the government's information-eavesdropping capability as the use of encryption spreads. The hope was that the market would follow the government's lead, making Clipper the de facto standard. The National Institute of Standards and Technology sees benefits in making Clipper the accepted standard. "If we deny [criminals] the use of the national communications net, [that's a] nontrivial accomplishment," says Ray Kammer, NIST's acting director. If the network standard is Clipper, he reasons, criminals would "have to set up their own [communications] system, an interesting and formidible task." NIST is pushing ahead with a proposed Escrowed Encryption Standard. If all goes well, this Federal Information Processing Standard could be in place by October, an important step toward widespread use by the federal government. The key-escrow mechanism should be in place by autumn, government sources say. A related issue is NIST's Digital Signature Standard, which was developed in secret by the National Security Agency. NIST added a new issue to the DSS debate last summer when the agency announced a proposed settlement with Public Key Partners giving PKP control over commercial use of the standard. Clipper pros and cons. The key-escrow concept, allowing access to law-enforcment agencies, will have to become mandatory because it makes no sense on a voluntary basis, critics say. "It clearly has implications for data transmission, as well," says Phil Karn of Qualcomm, a San Diego maker of cellular telephones. Government contractors, in fact, are already fine-tuning another chip, called Capstone, which will be much more convenient for data-security applications. Capstone will add the NIST's secure hash, digital signature and key-exchange algorithms to Clipper's Skipjack encryption algorithm and escrow support. "Clipper is good for voice, for telephony, but not as a coprocessor inside a PC, selectively encrypting fields," says Richard Ankney, a technical consultant with Fischer International Systems Corp. "Capstone is better in that regard." The trouble with Capstone is that it is big and expensive, a full custom, very-large scale-integration ciruit design, says John Droge, vice president of program development for chip designer, Mykotronx Inc., of Torrance, Calif. VLSI Technology Inc., in San Jose, is actually fabricating the chip. Mykotronx expects the chips initially to sell at $100 apiece in quantities of 10,000. PCMCIA (Personal Computer Memory Card International Association) cards initially will sell in the $300 range, he predicts. That's a far cry from the government's $100 target price for the PCMCIA module. If the hardware becomes mandatory, space would have to be found for the chips inside notebooks and palmtops, as well as in laptop and desktop computers. Estimates on the markup to customers vary from 25 to 200 percent. The cost of retrofitting Clipper or Capstone into existing machines would be tremendous, says Fred Gluck, director of marketing for control products with Datamedia Corp., a Nashua, N.H. security software and token vendor. Simply multiply the $25 to $30 per half-hour you pay for technical people times the 100 million or so PCs out there, he says. But much of the cost may be hidden from the end user, Ankney counters. "You could take the hit and not raise the price at all." The Digital Signature Standard. Although eclipsed by the Clipper controversy, DSS nevertheless remains an issue. Even though its algorithm is not secret, NSA "played a very dominant role" in creating it, says David Sobel, legal counsel for the Computer Professionals for Social Responsibilty. The secrecy surrounding NSA's role in DSS goes beyond the will of Congress in the Computer Security Act of 1987 for the "[standards] development process to be open and accountable," Sobel says. The PKP angle is also a problem, CPSR says. The arrangement by which NIST allows PKP to control commercial use of the Digital Signature Standard "really comes down to ... almost paying them off," says Marc Rotenberg, director of CPSR's Washington office. People shouldn't read too much into the proposal, NIST says. "It means ... the government wants to move on and get this out of the way ... without any acknowledgement of [the validity of the PKP] infringement action," explains F. Lynn McNulty, NIST's associate director for computer security. The "big payoff" of the proposed agreement is that individual citizens communicating with the government won't have to pay royalties, he says. More information needed. Almost everyone agrees that more information is necessary before a policy decision can be made. "Are we talking about completely revamping the communications infrastructure to facilitate 800 wiretaps?" asks Daniel Weitzner, senior counsel for the Electronic Frontier Foundation. EFF coordinates the activities of the Digital Privacy and Security Working Group, a coalition of information security technology companies and non-profit groups that has raised many questions about Clipper. "We want a real, solid understanding of the problems from [the administration's] perspective and a fact-based risk assessment," Weitzner says. NIST's own security and privacy advisory panel refused to rubberstamp the Clipper initiative at first sight and various interest groups have demanded a more thoughtful and open review. The Digital Privacy and Security Working Group has been asked to contribute substantively to the ongoing interagency crypto policy review, EFF's Weitzner says. CPSR, however, is forming its own policy review group. The administration's approach of taking outside imput is still essentially a closed process, CPSR says. "The point we're trying to make [is that] the public has an interest in its privacy and consumers have an interest in what they ultimately might end up paying, " Rotenberg says. ---------------------------------------- Charlotte Adams is a free-lance journalist covering technology issues in the Washington D.C. area for a variety of magazines. Copyright (c) 1993 by MIS Training Institute Press, Inc. Ye olde Spooge Meister spooge /spooj/ 1. Inexplicable or arcane code <spooge@dev.null.net> or random and probably incorrect output from a computer program.