From the other side, NSA officials realized they would have a difficult time getting public support to suppress publication of what
https://medium.com/stanford-select/keeping-secrets-84a7697bf89f "Keeping Secrets" Four decades ago, university researchers figured out the key to computer privacy, sparking a battle with the National Security Agency that continues today. BY HENRY CORRIGAN-GIBBS WHAT IF your research could help solve a looming national problem, but government officials thought publishing it would be tantamount to treason? A Stanford professor and his graduate students found themselves in that situation 37 years ago, when their visionary work on computer privacy issues ran afoul of the National Security Agency. At the time, knowledge of how to encrypt and decrypt information was the domain of government; the NSA feared that making the secrets of cryptography public would severely hamper intelligence operations. But as the researchers saw it, society’s growing dependence on computers meant that the private sector would also need effective measures to safeguard information. Both sides’ concerns proved prescient; their conflict foreshadowed what would become a universal tug-of-war between privacy-conscious technologists and security-conscious government officials. A Controversial Symposium The International Symposium on Information Theory is not known for its racy content or politically charged presentations, but the session at Cornell University on October 10, 1977, was a special case. In addition to talks with titles like “Distribution-Free Inequalities for the Deleted and Holdout Error Estimates,” the conference featured the work of a group from Stanford that had drawn the ire of the National Security Agency and the attention of the national press. The researchers in question were Martin Hellman, then an associate professor of electrical engineering, and his students Steve Pohlig, MS ’75, PhD ’78, and Ralph Merkle, PhD ’79. A year earlier, Hellman had published “New Directions in Cryptography” with his student Whitfield Diffie, Gr. ’78. The paper introduced the principles that now form the basis for all modern cryptography, and its publication rightfully caused a stir among electrical engineers and computer scientists. As Hellman recalled in a 2004 oral history, the nonmilitary community’s reaction to the paper was “ecstatic.” In contrast, the “NSA was apoplectic.” The fact that Hellman and his students were challenging the U.S. government’s longstanding domestic monopoly on cryptography deeply annoyed many in the intelligence community. The NSA acknowledged that Diffie and Hellman had come up with their ideas without access to classified materials. Even so, in the words of an internal NSA history declassified in 2009 and now held in the Stanford Archives, “NSA regarded the [Diffie-Hellman] technique as classified. Now it was out in the open.” The tension between Hellman and the NSA only worsened in the months leading up to the 1977 symposium. In July, someone named J. A. Meyer sent a shrill letter to the Institute of Electrical and Electronics Engineers, which had published Hellman’s papers and was holding the conference. It began: I have noticed in the past months that various IEEE Groups have been publishing and exporting technical articles on encryption and cryptology — a technical field which is covered by Federal Regulations, viz: ITAR (International Traffic in Arms Regulations, 22 CFR 121–128). Meyer’s letter asserted that the IEEE and the authors of the relevant papers might be subject to prosecution under federal laws prohibiting arms trafficking, communication of atomic secrets and disclosure of classified information. Without naming Hellman or his co-authors, Meyer specified the issues of IEEE’s Transactions on Information Theory journal and Computer magazine in which Hellman’s articles appeared. Meyer concluded ominously that “these modern weapons technologies, uncontrollably disseminated, could have more than academic effect.” Meyer’s letter alarmed many in the academic community and drew coverage by Science and the New York Times for two main reasons. First, the letter suggested that merely publishing a scientific paper on cryptography would be the legal equivalent of exporting nuclear weapons to a foreign country. If Meyer’s interpretation of the law was correct, it seemed to place severe restrictions on researchers’ freedom to publish. Second, Deborah Shapley and Gina Kolata of Science magazine discovered that Meyer was an NSA employee. As soon as Hellman received a copy of the letter, he recognized that continuing to publish might put him and his students in legal jeopardy, so he sought advice from Stanford University counsel John Schwartz. In his memo to Schwartz, Hellman made a lucid case for the value of public-domain cryptography research. Astutely, Hellman first acknowledged that the U.S. government’s tight control over cryptographic techniques proved enormously useful in World War II: Allied forces used confidential cryptographic discoveries to improve their own encryption systems while denying those same cryptographic benefits to Axis powers. Even so, Hellman argued that circumstances had changed. [T]here is a commercial need today that did not exist in the 1940’s. The growing use of automated information processing equipment poses a real economic and privacy threat. Although it is a remote possibility, the danger of initially inadvertent police state type surveillance through computerization must be considered. From that point of view, inadequate commercial cryptography (which our publications are trying to avoid) poses an internal national security threat. In the memo, Hellman described how his earlier attempts to prevent “stepping on [the] toes” of the NSA failed when the agency’s staffers would not even disclose which areas of cryptography research Hellman should avoid. Responding to Hellman a few days later, Schwartz opined that publishing cryptography research would not in itself violate federal law. His findings had a strong legal basis: Two regulations governed classified information in the United States at the time — an executive order and the Atomic Energy Act of 1954 — and neither seemed to prevent the publication of unclassified research on cryptography. SHARING THE STEALTH: Merkle, Hellman and Diffie ended government’s monopoly on cryptography. (Photo by Chuck Painter/Stanford News Service) There was only one other likely legal tool that the federal government could use to prevent the Stanford group from disseminating their work: the Arms Export Control Act of 1976, which regulated the export of military equipment. Under a generous interpretation of the law, giving a public presentation on cryptographic algorithms could constitute “export” of arms. It was not clear, however, that a prosecution under this act would stand up to a legal challenge on First Amendment grounds. Evaluating these laws together, Schwartz concluded that Hellman and his students could legally continue to publish. At the same time, Schwartz noted wryly, “at least one contrary view [of the law] exists” — that of Joseph A. Meyer. Hellman later recalled Schwartz’s less-than-comforting informal advice: “If you are prosecuted, Stanford will defend you. But if you’re found guilty, we can’t pay your fine and we can’t go to jail for you.” The Cornell symposium was to begin three days after Schwartz offered his legal opinion; Hellman, Merkle and Pohlig had to quickly decide whether to proceed with their presentations in spite of the threat of prosecution, fines and jail time. Graduate students typically present their own research at academic conferences, but according to Hellman, Schwartz recommended against it in this case. Since the students were not employees of Stanford, it might be more difficult for the university to justify paying their legal bills. Schwartz also reasoned that dealing with a lengthy court case would be harder for a young PhD student than for a tenured faculty member. Hellman left the decision up to the students. According to Hellman, Merkle and Pohlig at first said, “We need to give the papers, the hell with this.” After speaking with their families, though, the students agreed to let Hellman present on their behalf. In the end, the symposium took place without incident. Merkle and Pohlig stood on stage while Hellman gave the presentation. The fact that the conference went ahead as planned, Science observed, “left little doubt that the work [in cryptography] has been widely circulated.” That a group of nongovernmental researchers could publicly discuss cutting-edge cryptographic algorithms signaled the end of the U.S. government’s domestic control of information on cryptography. The View from Fort Meade Vice Adm. Bobby Ray Inman took over as director of the NSA in the summer of 1977. Inman was an experienced naval intelligence officer with allies in both political parties. If his qualifications for the job were good, his timing was not. He had barely warmed his desk chair when he was thrust into the center of what he recently described as “a huge media uproar” over the J. A. Meyer letter — written the very first day of Inman’s tenure. Although Inman was concerned about the impact that publication of these new cryptographic techniques would have on the NSA’s foreign eavesdropping capabilities, he was also puzzled. As he explained, the primary consumers of cryptographic equipment in the 1970s were governments. Apart from that, “the only other people early on . . . who were buying encryption to use were the drug dealers.” Since the NSA already had “incredibly able people working on building the systems to be used by the U.S. government” and the NSA had no interest in protecting the communications of drug dealers, Inman wanted to find out why these young researchers were so focused on cryptography. In the tradition of intelligence professionals, Inman set out to gather some information for himself. He went to California to meet with faculty members and industry leaders at Berkeley, Stanford and elsewhere. Inman quickly discovered that the researchers at Stanford were designing cryptographic systems to solve an emerging problem that was not yet on the NSA’s radar: securing the growing number of commercial computer systems, which were subject to attack or compromise. The researchers’ position, Inman said, was that “there’s a whole new world emerging out there where there’s going to need to be cryptography, and it’s not going to be provided by the government.” Martin Hellman recently recounted their conversation in similar terms: “I was working on cryptography from an unclassified point of view because I could see — even in the mid-’70s — the growing marriage of computers and communication and the need therefore for unclassified knowledge of cryptography.” Inman realized that the California academics saw strong public cryptographic systems as a crucial piece of a functioning technological environment. Still, Inman was not excited about the prospect of high-grade encryption systems being available for purchase, especially abroad. “We were worried that foreign countries would pick up and use cryptography that would make it exceedingly hard to decrypt and read their traffic.” The level of public excitement surrounding the recent cryptography work made growth in the field of unclassified cryptography almost inevitable. In August 1977, Scientific American had published a description of the new RSA cryptosystem devised by Ron Rivest, Adi Shamir and Leonard Adleman of MIT. According to Steven Levy’s 2001 book Crypto, the researchers offered a copy of a technical report describing the scheme to anyone who would send a self-addressed stamped envelope to MIT. The authors received 7,000 requests. To reckon with the growing threat of unclassified cryptography, Inman convened an internal NSA panel for advice. As recounted in the declassified NSA history, the panel gave Inman three stark choices for how to control the publication of cryptography research: (a) Do nothing (b) Seek new legislation to impose additional government controls (c) Try non-legislative means such as voluntary commercial and academic compliance. The panel concluded that the damage was already so serious that something needed to be done. NSA documents and Hellman’s recollection both suggest that Inman first tried to get a law drafted to restrict cryptographic research, along the lines of the Atomic Energy Act. For political reasons, the NSA history says, Inman’s proposed bill was “dead on arrival.” “Congress [wanted to] unshackle U.S. commerce from any sort of Pentagon-imposed restriction on trade,” the history ruefully recounts, and the Carter administration “wanted to loosen Pentagon control of anything, especially anything that might affect individual rights and academic freedom.” Even if Inman could get a bill through Congress, Hellman said, the First Amendment would make it difficult to prevent researchers from speaking publicly about their work. If they didn’t publish their papers, “they’ll give 100 talks before they submit it for publication.” As a sort of last-ditch effort at compromise, Inman organized a voluntary system of prepublication review for cryptography research papers. A number of other scientific journals have attempted a similar system in recent years. “That’s really the best anyone has been able to come up with,” said Steven Aftergood of the Federation of American Scientists, an expert on government secrecy. The review process was used for a decade, but Inman recalled that it eventually “fell apart” because of “the explosion of . . . uses” for cryptography. As the world underwent a digital revolution, there was an accompanying “revolution in cryptography,” just as Diffie and Hellman had predicted in 1976. Aftermath It is tempting to view the outcome of the conflict between the Stanford researchers and the NSA as an unequivocal victory for freedom of speech and the beginning of the democratization of the tools of cryptography. There is a grain of truth in this characterization, but it misses the larger effect the run-in had on the academic cryptography community and on the NSA. Hellman and other academic researchers realized they could win the debate, as long as it took place in public. Newspapers and scientific journals found it much easier to sympathize with a group of quirky and passionate academics than with a shadowy and stern-faced intelligence agency. The issue of First Amendment rights, Hellman recalled in 2004, also gave the press and the researchers a common cause. “With the freedom of publication issue, the press was all on our side. There were editorials in the New York Times and a number of other publications. Science, I remember, had covered our work and was very helpful.” they considered dangerous research results. They turned instead to two aspects of nongovernmental cryptography over which they had near-total control: research funding and national standards. As of 2012, the federal government provided 60 percent of U.S. academic research and development funding. By choosing which projects to fund, grant-giving government agencies influence what research takes place. Even before the 1977 Symposium on Information Theory, the NSA reviewed National Science Foundation grant applications that might be relevant to signals intelligence or communications security. The purported reason for these reviews was for the NSA to advise the NSF on the proposals’ “technical merits,” but the agency appeared to use this process to exercise control over nongovernmental cryptography research. For instance, the NSA reviewed and approved an NSF grant application from Ron Rivest. Later, Rivest used the funds to develop the enormously influential RSA cryptosystem, which secures most encrypted Internet traffic today. An internal NSA history suggests that the agency would have tried to derail Rivest’s grant application if the reviewers had understood what Rivest would do with the money. The NSA missed this opportunity, the history complains, because the wording of Rivest’s proposal “was so general that the Agency did not spot the threat” posed by the project. In 1979, Leonard Adleman (another member of the RSA triumvirate) applied to the NSF for funding and had his application forwarded to the NSA. According to Whitfield Diffie and Susan Landau’s 2007 book, Privacy on the Line, the NSA offered to fund the research in lieu of the NSF. Fearing that his work would end up classified, Adleman protested and eventually received an NSF grant. Even though the NSF appears to have maintained some level of independence from NSA influence, the agency likely has had greater control over other federal funding sources. In particular, the Department of Defense funds research through the Defense Advanced Research Projects Agency (DARPA), the Office of Naval Research, the Army Research Office and other offices. After the run-in with the academic community in the late 1970s, the NSA history asserts that Vice Adm. Inman “secure[d] a commitment” that the Office of Naval Research would coordinate its grants with the NSA. Since funding agencies often need not explain why they have rejected a particular grant proposal, it is hard to judge the NSA’s effect on the grant-making process. The agency has a second tactic to prevent the spread of cryptographic techniques: keeping high-grade cryptography out of the national standards. To make it easier for different commercial computer systems to interoperate, the National Bureau of Standards (now called NIST) coordinates a semipublic process to design standard cryptographic algorithms. Vendors are hesitant to implement algorithms that are not in the NIST standards: Non-standard algorithms are harder to deploy in practice and are less likely to see adoption in the open marketplace. The first controversy over the NSA’s hand in these standards erupted in the 1970s when it persuaded the bureau to weaken the Data Encryption Standard (DES) algorithm, an NBS-designed cryptosystem widely used by banks, privacy-sensitive businesses and the public. Hellman and his then-student Diffie mounted a vigorous — and ultimately unsuccessful — public relations campaign to try to improve the strength of the DES algorithm. At the time, NSA leadership emphatically denied that it had influenced the DES design. In a public speech in 1979 aimed to quell some of the controversy, Inman asserted: “NSA has been accused of intervening in the development of the DES and of tampering with the standard so as to weaken it cryptographically. This allegation is totally false.” Recently declassified documents reveal that Inman’s statements were misleading, if not incorrect. The NSA tried to convince IBM (which had originally designed the DES algorithm) to reduce the DES key size from 64 to 48 bits. Reducing the key size would decrease the cost of certain attacks against the cryptosystem. The NSA and IBM eventually compromised, the history says, on using a weakened 56-bit key. Today, Inman acknowledges that the NSA was trying to strike a balance be-tween protecting domestic commercial communication and safeguarding its own ability to eavesdrop on foreign governments: “[T]he issue was to try to find a level of cryptography that ensured the privacy of individuals and companies against competitors. Against anyone other than a country with a dedicated effort and capability to break the codes.” The NSA’s influence over the standards process has been particularly effective at mitigating what it perceived as the risks of nongovernmental cryptography. By keeping certain cryptosystems out of the NBS/NIST standards, the NSA facilitated its mission of eavesdropping on communications traffic. Reflections on Secrecy There are a few salient questions to consider when looking back at these first conflicts between the intelligence community and academic researchers in cryptography. A starting point for this analysis, said Aftergood, is to consider “whether in retrospect, [the government’s] worst fears were realized.” According to Inman, the uptake of the research community’s cryptographic ideas came at a much slower pace than he had expected. As a result, less foreign traffic ended up being encrypted than the agency had projected, and the consequences for national security were not as dramatic as he had feared. Essentially, Inman recalled, “there was no demand” for encryption systems outside of governments, even though many high-grade systems eventually became available. “You had a supply but no demand for it.” Even those people who try to use high-grade cryptographic tools, Hellman said, often make mistakes that render their traffic easy for an intelligence agency to decrypt: “People still make a lot of mistakes: use wrong, bad keys, or whatever else.” A second question is whether Hellman was right to worry that a lack of strong cryptography could become an “economic and privacy threat” in a computerized economy. In an unexpected turn, today Inman is as worried about protecting nongovernmental computer systems as Hellman was in the 1970s. When asked if he would make the same decisions about nongovernmental cryptography now as he did then, Inman replied, “Rather than being careful to make sure they were[n’t] going to damage [our collection capabilities] . . . I would have been interested in how quickly they were going to be able to make [cryptosystems] available in a form that would protect proprietary information as well as government information.” The theft of portions of the designs for the F-35 jet, Inman said, demonstrates that weak nongovernmental encryption and computer security practices can grievously harm national security. Even though history has vindicated Martin Hellman, he adamantly refuses to gloat over the accuracy of his predictions and the far-reaching impact of his technical work. On the contrary, Hellman is still deeply troubled by the way he engaged in the debate with the NSA over the publication of his papers and the DES encryption standard. Rather than trying to understand both sides of the issue and make the “right” decision, Hellman said that in the heat of the controversy, he listened to his ego instead. “The thought just popped into my head: Forget about what’s right. Go with this, you’ve got a tiger by the tail. You’ll never have more of an impact on society.” Aftergood said that this sort of ego-driven reasoning is a hallmark of debates over secrecy in research: “If you’re a researcher and you’ve achieved some kind of breakthrough, you’re going to want to let people know. So you’re not a neutral, impartial, disinterested party. You’re an interested party.” It was not until Hellman watched Day After Trinity, a documentary about the development of the atomic bomb, that he realized how dangerous his decision-making process had been. The moment in the film that troubled him most, he recalled, was when the Manhattan Project scientists tried to explain why they continued to work on the bomb after Hitler had been defeated and the threat of a German atom bomb had disappeared. The scientists “had figured out what they wanted to do and had then come up with a rationalization for doing it, rather than figuring out the right thing to do and doing it whether or not it was what they wanted to do. . . . I vowed I would never do that again,” Hellman said. “Thinking it through even now, I still would have done most of what I did. But it could have been something as bad as inventing nuclear weapons, and so I vowed I would never do that again.” Making good decisions in these situations, Aftergood said, requires a large dose of “internal restraint” and a certain “degree of trust” between researchers and government officials, “which is often lacking in practice.” Although Hellman and Inman forged an unlikely friendship in the wake of the conflict in the late 1970s, trust between the academic cryptography community and the NSA is at its nadir. Inman said of the new NSA director, “He has a huge challenge on his plate. How does he . . . can he, in fact, reestablish a sense of trust?” Diffie and Hellman’s now-legendary key-exchange algorithm has an elegant one-line representation. Debates over academic freedom and government secrecy do not lend themselves to such a concise formulation. “It’s not a neat, simple calculation,” Aftergood said. “There are competing interests on all sides, and somehow one just has to muddle through.” HENRY CORRIGAN-GIBBS is a second-year PhD student in computer science.