------- Forwarded Message Geer Zolot White Paper: Clipper Initiative On April 16, 1993, the U.S. Government issued a "Public Encryption Management" directive, requesting that communications vendors install into their products chips that implement a secret algorithm with controversial key-escrow facilities. These chips (called "Clipper" and "Capstone") stem from work by the NSA (National Security Agency) and its contractors; they implement the SKIPJACK algorithm, which is classified SECRET and is therefore not available for public review. For more information on the initiative, consult the National Institute of Standards and Technology (NIST) Computer Security BBS at 301.948.5717 or via Internet ftp to csrc.ncsl.nist.gov in the /pub/nistnews directory. The Government states that one motivation for this initiative is to allow authorized wiretapping of encrypted communications by escrowing the keys corresponding to individual components. A pair of "entities" (choices not announced) will have responsibility for keeping keys secure and releasing them only to government officials who have received legal authorization to perform a wiretap. The Government recommends use of the chips instead of already existing cryptographic algorithms, such as the secret-key DES algorithm (a Federal Information Processing Standard and the basis of Kerberos and other network security tools) and the public-key RSA algorithm. Since DES and RSA have been subject to public scrutiny, experts have tested and confirmed their strength, which has led to their adoption within internationally-agreed networking standards; since SKIPJACK is secret and can never receive this scrutiny, it is unlikely that it will ever have such acceptance. Further, DES and RSA can run in both hardware and software, which satisfies performance and system integration requirements; the Government has limited Clipper/Capstone to hardware, which restricts the range of systems that may use it. For now, the Government is recommending that equipment vendors use the chips on a voluntary basis; however, some observers regard the initiative as an attempt to establish a precedent that could later lead to governmental restrictions on the availability and use of open cryptographic systems. This could limit innovation in cryptographic technology. Further, user organizations could lose control over protecting and managing the keys on which their security depends. This summer, the Government plans inter-agency discussions of future policies in this area; observers have noted that policy development should also reflect private sector interests. Concerns about personal privacy raise additional controversy. Significant debate on these topics is likely in upcoming months. Geer Zolot Associates believes that availability of open and exportable cryptography serves our clients' interests. Because of this, we are concerned about the implications of the "Public Encryption Management" initiative, and of its possible chilling effect on development, availability, and use of cryptographic technology. The initiative raises many issues, including: o If the Government mandates enclosing cryptography in hardware modules, this will surely delay the vital process of enhancing the security of today's distributed computing base--it could even prevent some systems from being secured at all. We want to avoid the prospect of our clients being forced to choose between systems that satisfy their operational needs and other systems containing Government-provided hardware encryption components. o Introducing a requirement for procurement, integration, and use of special-purpose components (which manufacturers must separately handle and program on a per-unit basis) will increase the cost of security integration. o If flaws in the hardware-implemented Clipper/Capstone cryptographic algorithms ever come to light, users of the chips will have been subjected to a data compromise from which no clear recovery path exists. o It appears that gaining access to a Clipper/Capstone chip's escrowed keys, through whatever means (authorized or unauthorized), may reveal the contents of all its encrypted traffic (past, present, and future). Effectively, this is analogous to binding an unchangeable password into hardware, an undesirable characteristic. o It appears unlikely that international telecommunications users and providers will reach uniform agreement on an encryption technology whose algorithms are known only to the US Government. As a result, the initiative may force companies engaging in international commerce to use and support different encryption systems, depending on the parties involved in the communication. Such a course of action will lead to increased costs in hardware, software, user training, and systems management. We invite and encourage you to consider the Government initiative, including its impact on your organizations and distributed system security plans, and that you submit comments to your representatives. If your business plans rely on open cryptographic systems, based on publicly documented algorithms and available in hardware or software form, we encourage you to make this clear to your representatives. If you wish to share any of your comments or observations with us, we would welcome them. Further, we are happy to serve as an organizer for assembling and coordinating such information. Please indicate whether we may identify your organization (specifically or generically) as the information's source. John Linn & Dan Geer ------- End of Forwarded Message this is forwarded to the cypherpunks mailing list with dan geer's permission. peter