How I Would Ban Strong Crypto in the U.S.

At 12:18 AM 7/15/96, Dave Banisar wrote:
It's now up at http://www.epic.org/crypto/key_escrow/wh_cke_796.html
Thanks. I took an initial look, and it looks like the same old stuff.
The report speaks of an "emerging consensus" (for key escrow). I see just the opposite, unless the report is speaking only of the U.S. intelligence and law enforcement community and its foreign counterparts. Business has made it clear (cf. the several recent reports) that it is opposed to the Administration's plan, and that if a market for some form of key escrow exists (as it certainly does, in specific contexts), that the market can supply the solution.
And certainly the civil liberties groups and groups such as ourselves are not part of this "emerging consensus." Ditto for the "average man in the street," as evidenced by opinion polls (I recall 80% opposition reported by one of the newsweeklies, but don't quote me), by anecdotal reports (e.g., Zimmermann's tale of his discussions), and by opposition to Clipper I, Clipper II, and now Clipper III.
A bunch of Congressmen, including the axis supporting the Burns bill, obviously are not part of this emerging consensus. The National Research Council report made it clear that a distinguished panel of cryptographers, computer scientists, and policy professionals did not think key escrow is desirable. And the hundreds of folks in attendance at recent SAFE and NRC travelling roadshows were obviously not in support of key escrow.
Business, civil liberties groups, professional organizations, and most Net people are opposed to the Administration's key escrow proposals (such as they are understood to be, in Clipper I/II/III). So, who is in this "emerging consensus"?
Moving on to the wisdom of imposing a government solution to what either is or is not a market need, there is great danger in deploying even a nominally (at this time) "voluntary standard." This is a danger many of us have felt for years to be the main danger of nominally (and ostensibly) "voluntary" systems.
Imagine a voluntary system supported and funded by the government, using its power to limit exports and to "jawbone" foreign governments. (No time here to examine the obvious issues--cf. the archives for many explications over the past several years.) Once widely deployed, and perhaps mandatory in countries like France, Singapore, Iraq, and the like, it would take very little more to simply pass a law restricting the non-escrowed alternative in the U.S. (Sure, such a law might be unconstitutional, for the reasons we so often discuss. Sure, there are many circumventions possible. Sure. The point is not to rehash these points again but to indicate why Cypherpunks and civil libertarians should NOT support any plan, even a "voluntary" plan, that puts such power to set standards in the hands of the government. Even a "signed promise" is not enough, given the dangers of "flipping a switch.")
Is this a plausible scenario, though? Well, were I in the LEA/TLA community, this is what my fallback plan would probably be. Realizing that a full-frontal ban on strong crypto, or crypto without backdoors, would not fly at this time (unless Oklahoma II happens, in which case all bets are off), and realizing that the plans for Clippers I, II, and III have been fizzling, I would push for a relatively harmless-sounding "voluntary key escrow" plan. I would push hard on Netscape, Microsoft, Novell, Sun, Apple, and the other companies (but mainly on Netscape and MS, for obvious reasons) to bundle in "trusted third parties" and all that GAK stuff. Bundle it in, make it easy to use, make it easy to export, make it easy to spread in crypto-hostile countries, and hope like hell that it undermines the push for PGP and S/MIME.
I would work closely with Mossad, GCHQ, SDECE, Chobetsu, Savak, and all the other secret policemen of the world to make sure that while America might remain an "island of strong crypto" for a while at least, that the same could not be said of other countries. That is, I would work to help them limit crypto use in their own countries to GAK-only forms. (Those pesky survivalists, militia members, and ACLU folks in America could keep using their Bass-o-matic and PGP tools, but most of the rest of the world would be mostly limited to GAK and New World Order software.)
Then, in about 2002 or so, depending on how many more serious terrorist incidents have occurred, I would drop the hammer on strong crypto. Maybe an Executive Order, maybe a state of national emergency, maybe a liberal interpretation of the commerce clause, maybe an Act of Congress.... Once a New World Order-approved GAK system is widely deployed, outlawing of "rogue cryptography" in the U.S. is more manageable.
That's what I would do.
(But not being on that side of the ideological fence, I will instead fight GAK as I always have. And I will not be fooled by talk of how "Americans will always be free any form of cryptography." Not when those same reports from the Administration, and the testimony of Louis Freeh, etc., is in the same breath talking about the need to stop pornographers from encrypting their files, and so forth. Do they think we're stupid?)
Don't be fooled.
--Tim May
Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

At 7:03 AM -0700 7/15/96, Michael Froomkin wrote:
On Sun, 14 Jul 1996, Timothy C. May wrote:
So, who is in this "emerging consensus"?
Foreign governments? (Process of elimination, not inside info...)
Perhaps. And the vast inside-the-Beltway policy community, most of whom are more like Dorothy Denning than Tim May. And the vast business community that prefers automated escrow in standard systems. What I mean by that is software or chips automatically escrowed to, say, Price Waterhouse. Business is comfortable dealing with such firms in a trusted relationship, and such firms will honor a valid court order to produce records or the equivalent--a probable cause court-order for a wiretap. It really depends on how the issue is presented. If it is presented as preserving law enforcement access, escrow follows. The problem is that like the nose of the camel, each new piece of legislation establishes a new status quo baseline of principle from which to argue, and though we all kicked and screamed about it here, the new baseline is the Digital Telephony Act. As for the only counterargument to the above, that bad guys aren't going to use escrowed systems, nothing is perfect, goes the argument, and the FBI has caught plenty of bad guys who presumably should have known better, via wiretaps. If you look into it, you will find that most people with criminal minds don't expect to get caught. Given the nature of this group it perhaps needs saying that the above is a competitor analysis, not an argument nor my own position on mandatory domestic key escrow. I'm agin it. David

At 6:58 AM -0700 7/15/96, Raph Levien wrote:
2. The battle for key management has not yet been fought. The lack of a key management infrastructure is the main reason why people don't use PGP widely. This is demonstrated quite clearly by the fact that only a few of the people I correspond with, including many premail users, actually encrypt messages on a routine basis. If the key management stuff were in place, it would "just work."
It is about to be fought. I've got my money not on the government but on Verisign, which has been issuing site certificates for some time now, and just started issuing personal certificates which will permit message encryption using certified, Netscape-generated public keys, among other things. I think they and the free market will win, over the government, hands down. In that context (and in that context only), a lot of the heat from PGP fans against hierarchical certification is counter-productive to the above battle, in that it diffuses the crispness with which successful secure (BBN boxes, etc.) trusted hierarchical certification authorities will become the de facto standard and freeze the government out (absent some new draconian laws).
3. Anybody can write an application that supports strong encryption algorithms. Witness SSH, a very impressive and useful program, which was basically done by one person, Tatu Ylonen. However, building a key management infrastructure will take lots of money, hard work, and cooperation.
Verisign and RSA have already made the investment and the mechanism is now in place and working automatically (except for the higher assurance certification for which you need to appear before a notary if you're not in a corporate hierarchy). They've cleverly automated a validation of moderate-assurance certificate applicants' claims by automatically hitting the Equifax data base, and the low-assurance (persona) certification is automated so you need to "just ask". This won't cover everyone, but will cover so many as to make little difference to widespread acceptance.
3a. Consider a future scenario in which a key management infrastructure allowed big, unescrowed keys to be distributed widely, but that export controls on clients prohibited the use of secure symmetric algorithms. Such a situation would not be stable - the incremental cost of uncrippled clients would be so small, and so tempting, that they would spread like wildfire.
Depends on the organizations. Big corporations (which carry considerable influence) aren't going to violate local laws. Thus we may see a "have" and "have not" escrow-less crypto world outside the US rather than the hoped-for-nirvana, depending on local laws and individuals' willingness to violate them.
4. Thus, the best leverage for the TLAs to win is to guide the development of a key management infrastructure with the following property: if you don't register your key, you can't play. I believe that this is the true meaning of the word "voluntary:" you're free to make the choice not to participate.
That is exactly what the NRC report recommended and why I opposed it so vigorously despite its other good features.
5. This is _important_. If you can't get the keys for your correspondents, you can't use encryption. If they build a key management infrastructure that actually works, people will use it.
6. Export is a two player game. The other country has to allow import of the stuff, too. If the Burns bill passes, the "administration" would strong-arm other countries to prohibit import of strong crypto, still leaving US developers with no market.
We don't have to strong-arm anyone. Harbingers in the UK, the European Parliament (or is it the Council?), the Netherlands, and the existing situation in France provide little reason for optimism.
7. Building this stuff is too much of a task for the TLAs. They tried it with Clipper, and it failed. They hoped that building the Tessera card would be enough - that once they threw it over the wall, it would be eagerly snapped up by industry.
Remains to be seen. Netscape has a version they did for the government which uses Tessera PCMCIA cards. If some big corporation adopts it, others will follow. Don't count your chickens, etc.
8. Thus, they're going to cajole, bribe, and coerce software companies to play along. This fact is quite nakedly exposed in the document (good thing the injunction against the CDA is still in force :-).
They don't have to do any of the above. All they have to do is legitimately contract for their own needs. This will get the costs down (by paying off the costs of entry/capital costs) so that civilian offerings from the same technology base could be quite price-attractive. The use of government market purchasing power to influence events is now very well understood--we (and Arthur D. Little) first studied it in connection with stimulating energy conserving buildings back in 1970 when I was in the Department of Commerce.
But, most importantly, neither of these systems can actually be used on a widespread basis, because of the lack of a key management infrastructure.
You will find it instructive to check out the Verisign web site, download the public beta 5 of Netscape 3.0, generate some keys and get some certificates, and in two or three months check out the promised Netscape 4.0 beta which will have e-mail encryption. David

There has been some discussion at the last couple of crypto conferences about possible ways around this plan. (I guess the idea goes back at least a year or two.)
One idea is to register a 2048 bit public key. You have to give the secret key to the government in order to use the registry. But what you do is to create a second key and embed it in the first. It is, say, a 1024 bit key which is the lower half of the 2048 bit key. It has different secret factors that nobody but you knows. Then when people send you messages they encrypt using this modulus rather than the official one.
You get the benefit of the government-sponsored key certificate infrastructure, but the government is not able to crack your communications.
Sorry, but the government generates all keys. Otherwise people might mess up and choose insecure keys.

Tim May:
At 12:18 AM 7/15/96, Dave Banisar wrote:
It's now up at http://www.epic.org/crypto/key_escrow/wh_cke_796.html
The report speaks of an "emerging consensus" (for key escrow). I see just the opposite, unless the report is speaking only of the U.S. intelligence and law enforcement community.... So, who is in this "emerging consensus"?
Don't be so sure the FI community has any consensus within *its* ranks, much less with the LE community. I've heard comments from insiders that were 180 out with that concept.
[Not to mention that, in general, internecine warfare in the Community is a much-practiced art.]
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

On Sun, 14 Jul 1996, Timothy C. May wrote:
So, who is in this "emerging consensus"?
Foreign governments? (Process of elimination, not inside info...)
A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's hot here. And humid.

Not really. At the last OECD meeting in Paris a couple of weeks ago, there was no great love by quite a few countries for key escrow. The Scandinavian countries were pretty united against and all sorts of other raised objections. (tho some of those objections were to the US ramrodding key escrow through OECD).
BTW. Those wizards at Wired have gotten our favorite spook Stewart Baker to write an article for an upcoming issue talking about how the rest of the world save Japan loves key escrow and those big bad Japanese are thwarting the rest of the world's "consensus". It's quite a load of inaccurate shit but our effort to rebut it was rejected by Wired (I guess it wasn't trite enough for them).
-d
On Mon, 15 Jul 1996, Michael Froomkin wrote:
On Sun, 14 Jul 1996, Timothy C. May wrote:
So, who is in this "emerging consensus"?
Foreign governments? (Process of elimination, not inside info...)
A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's hot here. And humid.

Excerpts from internet.cypherpunks: 17-Jul-96 Intl consensus (was Re: How.. by Dave Banisar@mindvox.com
BTW. Those wizards at Wired have gotten our favorite spook Stewart Baker to write an article for an upcoming issue talking about how the rest of the world save Japan loves key escrow and those big bad Japanese are thwarting the rest of the world's "consensus". It's quite a load of inaccurate shit but our effort to rebut it was rejected by Wired (I guess it wasn't trite enough for them).
Will anyone else be rebutting it? -Declan (not speaking for WIRED, first I heard of this)

Timothy C. May wrote:
At 12:18 AM 7/15/96, Dave Banisar wrote:
It's now up at http://www.epic.org/crypto/key_escrow/wh_cke_796.html
Thanks to Dave for posting this URL. This is a _very_ important document, and I would recommend that all concerned cypherpunks read it carefully. Unlike many of its predecessors, it is clearly written and quite upfront about the "administration's" goals.
Thanks. I took an initial look, and it looks like the same old stuff.
It's not. There's a lot in this document that hadn't been clear to me before. I will try to summarize the highlights (these are all my interpretations, not actual points made in the document).
1. The battle over whether applications can contain strong encryption algorithms has basically been lost. For example, SSL-enabled applications are widely available over the world, thanks in large part to the work of Eric Young. The same will happen for any other encryption protocol that catches on.
2. The battle for key management has not yet been fought. The lack of a key management infrastructure is the main reason why people don't use PGP widely. This is demonstrated quite clearly by the fact that only a few of the people I correspond with, including many premail users, actually encrypt messages on a routine basis. If the key management stuff were in place, it would "just work."
3. Anybody can write an application that supports strong encryption algorithms. Witness SSH, a very impressive and useful program, which was basically done by one person, Tatu Ylonen. However, building a key management infrastructure will take lots of money, hard work, and cooperation.
3a. Consider a future scenario in which a key management infrastructure allowed big, unescrowed keys to be distributed widely, but that export controls on clients prohibited the use of secure symmetric algorithms. Such a situation would not be stable - the incremental cost of uncrippled clients would be so small, and so tempting, that they would spread like wildfire.
4. Thus, the best leverage for the TLAs to win is to guide the development of a key management infrastructure with the following property: if you don't register your key, you can't play. I believe that this is the true meaning of the word "voluntary:" you're free to make the choice not to participate.
5. This is _important_. If you can't get the keys for your correspondents, you can't use encryption. If they build a key management infrastructure that actually works, people will use it.
6. Export is a two player game. The other country has to allow import of the stuff, too. If the Burns bill passes, the "administration" would strong-arm other countries to prohibit import of strong crypto, still leaving US developers with no market.
7. Building this stuff is too much of a task for the TLAs. They tried it with Clipper, and it failed. They hoped that building the Tessera card would be enough - that once they threw it over the wall, it would be eagerly snapped up by industry.
8. Thus, they're going to cajole, bribe, and coerce software companies to play along. This fact is quite nakedly exposed in the document (good thing the injunction against the CDA is still in force :-).
[much, much elided from Tim's post]
... and by opposition to Clipper I, Clipper II, and now Clipper III.
Is this Clipper III or Clipper IV? I seem to have lost count.
A bunch of Congressmen, including the axis supporting the Burns bill, obviously are not part of this emerging consensus.
So it's a "rough consensus" in the spirit of the IETF :-)
I would push hard on Netscape, Microsoft, Novell, Sun, Apple, and the other companies (but mainly on Netscape and MS, for obvious reasons) to bundle in "trusted third parties" and all that GAK stuff. Bundle it in, make it easy to use, make it easy to export, make it easy to spread in crypto-hostile countries, and hope like hell that it undermines the push for PGP and S/MIME.
You can count on the fact that NMNSA&c are already being wooed quite sweetly. Don't put too much stock in the push for PGP and S/MIME. Five million dollars later, PGP 3.0 is still stuck in the mud. S/MIME has serious protocol weaknesses that are still not being addressed. But, most importantly, neither of these systems can actually be used on a widespread basis, because of the lack of a key management infrastructure.
Don't be fooled.
Who? Us cypherpunks? Raph

Raph Levien <s_levien@research.att.com> writes:
4. Thus, the best leverage for the TLAs to win is to guide the development of a key management infrastructure with the following property: if you don't register your key, you can't play. I believe that this is the true meaning of the word "voluntary:" you're free to make the choice not to participate.
5. This is _important_. If you can't get the keys for your correspondents, you can't use encryption. If they build a key management infrastructure that actually works, people will use it.
There has been some discussion at the last couple of crypto conferences about possible ways around this plan. (I guess the idea goes back at least a year or two.)
One idea is to register a 2048 bit public key. You have to give the secret key to the government in order to use the registry. But what you do is to create a second key and embed it in the first. It is, say, a 1024 bit key which is the lower half of the 2048 bit key. It has different secret factors that nobody but you knows. Then when people send you messages they encrypt using this modulus rather than the official one.
You get the benefit of the government-sponsored key certificate infrastructure, but the government is not able to crack your communications.
The discussion at the crypto conferences has centered on how to design key systems which don't have this "subliminal key" property, where it is impossible to create pairs of keys such that publishing one reveals the other. I think they were looking at some of the discrete log systems since in RSA it is pretty easy to do what I have described above. You just create the 1024 bit key first, at random, then choose the 2048 bit key so its modulus matches the 1024 bit key in its low bits. This is the same basic method as the so-called "dead beef" attacks against PGP key ID's which were published earlier this year.
So it will be interesting to see whether any government sponsored PK infrastructure takes care to avoid subliminal keys.
Hal
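The embedding Hal describes above (also quoted in the earlier reply in this thread), as an added example that is not part of any post: it builds an RSA modulus whose low half is a second, independently factored modulus. The function names, the unbalanced factor sizes, the public exponent and the default 256-bit inner key (scaled down from the 1024/2048 bits in the post so it runs quickly) are assumptions of this sketch.

```python
import math
import secrets

E = 65537  # public exponent for the round-trip check (assumption of this sketch)
_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits, top two bits set so that
    products of two such primes have a predictable bit length."""
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c


def make_embedded_pair(inner_bits=256):
    """Return ((n1, p1, q1), (n2, p2, q2)) with n2 mod 2**inner_bits == n1.

    n2 is the modulus that would be registered and escrowed; n1 is the
    modulus hidden in its low half, with factors unrelated to p2 and q2.
    """
    half, slack, mod = inner_bits // 2, inner_bits // 8, 1 << inner_bits
    # Inner key first, at random; p1 and q1 stay with the key owner.
    while True:
        p1, q1 = random_prime(half), random_prime(half)
        if p1 != q1 and math.gcd(E, (p1 - 1) * (q1 - 1)) == 1:
            break
    n1 = p1 * q1
    # Outer key: fix p2, solve p2 * q_low == n1 (mod 2**inner_bits), then
    # vary only the high bits of q2 until it is prime.
    p2 = random_prime(inner_bits - slack)
    q_low = n1 * pow(p2, -1, mod) % mod           # p2 is odd, so invertible
    while True:
        k = secrets.randbits(slack) | (3 << (slack - 2))
        q2 = q_low + k * mod
        if is_probable_prime(q2):
            return (n1, p1, q1), (p2 * q2, p2, q2)


def inner_roundtrip(inner, message):
    """Textbook RSA (no padding) under the inner key, to show it is usable."""
    n1, p1, q1 = inner
    d1 = pow(E, -1, (p1 - 1) * (q1 - 1))
    return pow(pow(message, E, n1), d1, n1)


if __name__ == "__main__":
    inner, outer = make_embedded_pair()
    print("outer modulus :", hex(outer[0]))
    print("inner modulus :", hex(inner[0]))
    print("low half match:", outer[0] % (1 << 256) == inner[0])
```

The low half of any modulus is just a number, so looking at n2 alone does not show whether its owner knows factors for it; that is the property the conference discussion Hal mentions set out to design away.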

At 09:58 AM 7/15/96 -0400, about six months ago, when Clipper III was new, Raph Levien wrote:
1. The battle over whether applications can contain strong encryption algorithms has basically been lost. For example, SSL-enabled applications are widely available over the world, thanks in large part to the work of Eric Young. The same will happen for any other encryption protocol that catches on.
Unfortunately, the Government hasn't given up on this one; Peter Gutmann's recent articles on export policy in New Zealand and Australia suggest that Our Public Servants are trying an end-run by getting those countries to stop export and development by productive crypto authors, targeting the toolkits that are being widely used inside and outside the US.
2. The battle for key management has not yet been fought.
Yeah. I haven't heard much from Clipper III recently, since they've been trumpeting Clipper IV "Key Recovery" recently, but that doesn't mean it's not going on. Unlike political efforts such as Key Recovery, infrastructure attacks such as PKI may require long-term technical development - the Cooperative Research and Development Alliances (CRADAs) are not just to bribe otherwise-valuable companies to stay out of the way, they're to do things that may be sprung on us later; I'd predict this coming summer.
For instance, back in July, John Young quoted a Business Wire article about
= Toronto -- Certicom Corp. a leading information security
= company, today announced that it will participate in an
= initiative by the U.S. Commerce Department's National
= Institute of Standards and Technology (NIST) which will
= lead to the development of the elements of a public key
= infrastructure (PKI).
Certicom are the folks who do Elliptic Curve Cryptosystems, which haven't been used much due to patent questions and RSA's dominance, but which allow much shorter public keys and may have some speed advantages, both of which are quite important for smartcard use.
3. Anybody can write an application that supports strong encryption algorithms. Witness SSH, a very impressive and useful program, which was basically done by one person, Tatu Ylonen. However, building a key management infrastructure will take lots of money, hard work, and cooperation.
....
4. Thus, the best leverage for the TLAs to win is to guide the development of a key management infrastructure with the following property: if you don't register your key, you can't play. I believe that this is the true meaning of the word "voluntary:" you're free to make the choice not to participate.
..
6. Export is a two player game. The other country has to allow import of the stuff, too. If the Burns bill passes, the "administration" would strong-arm other countries to prohibit import of strong crypto, still leaving US developers with no market.
It failed, and they've now got an Ambassador strong-arming other countries to prohibit export.
7. Building this stuff is too much of a task for the TLAs. They tried it with Clipper, and it failed. They hoped that building the Tessera card would be enough - that once they threw it over the wall, it would be eagerly snapped up by industry.
8. Thus, they're going to cajole, bribe, and coerce software companies to play along. This fact is quite nakedly exposed in the document (good thing the injunction against the CDA is still in force :-).
Yeah. Clipper IV is getting a lot of people jumping on the bandwagon to get export permission for their 56-bit software. Many of the people who are most vocal about it are the usual suspects anyway, but it's closer to commercial usability that industry's more cooperative this round, especially with more Internet money fever.
Don't be fooled. Who? Us cypherpunks? Raph :-)
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)
participants (10)
- Bill Stewart
- Dave Banisar
- David Lesher
- David Sternlight
- Declan B. McCullagh
- Hal
- Michael Froomkin
- Raph Levien
- tcmay@got.net
- Yap Remailer