CDT POLICY POST No.2 -- X9 TO DEVELOP TRIPLE-DES STANDARDS

gnu gnu
Mon Feb 13 12:43:06 PST 1995


------------------------------------------------------------------------
   ******    ********    *************
  ********   *********   *************   
  **         **      **       ***               POLICY POST  
  **         **      **       ***               
  **         **      **       ***               February 13, 1995
  **         **      **       ***               Number 2
  ********    *********       ***              
   ******    ********         ***
                
  CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
  A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST 2/13/95                                     Number 2

CONTENTS: (1) X9 Committee Agrees to Develop 3x DES Encryption Standard
          (2) About the Center for Democracy and Technology

This document may be re-distributed freely providing it remains in its 
entirety.
------------------------------------------------------------------------

X9 COMMITTEE AGREES TO DEVELOP 3x DES ENCRYPTION STANDARD 

Major Setback for NSA

The NSA's efforts to push the adoption of the Clipper/Skipjack 
government-escrowed encryption scheme encountered a major 
setback earlier this month with the decision by the 
Accredited Standards Committee X9 to proceed with the 
development of a data security standard based on triple-DES.

The ASC X9 committee is responsible for setting data security 
standards for the US banking and financial services 
industries.   These industries are heavy users of commercial 
cryptography, and standards developed for this community tend 
to drive the development of applications for the entire 
market.  As a result, the committee's decision to proceed 
with a triple-DES standard has important implications for 
future cryptographic standards and US cryptography policy 
generally.

The NSA, a voting member of the X9 committee, had lobbied 
hard against the proposal.  In a November letter to committee 
members, the NSA threatened to prevent the export of triple-
DES, citing existing US law and potential threats to national 
security (see attached NSA letter).

The decision sets the stage for the development of a next 
generation of security standards based on publicly available, 
non-escrowed encryption schemes.   A battle over the 
exportability of triple-DES applications is also on the 
horizon.

Through export controls on cryptography, the proposed Clipper 
initiative, and interference in the standards setting 
processes, US government policies have consistently sought to 
make strong encryption and other privacy protecting 
technologies unavailable to the general public.  The X9 
decision, and the development of triple-DES and other alternatives 
to government-escrowed cryptography, is an important victory 
in that it will increase the public's access to strong, 
privacy enhancing technologies.

BACKGROUND

Banks and other financial institutions use encryption to 
protect the billions of dollars in transactions and fund 
transfers which flow every day across the world's 
communications networks.  

The current encryption standard used by the banking industry 
is based on DES, which has been available since the early 
1970s.  DES is widely trusted because it has been repeatedly 
tested and is considered by experts to be unbreakable except 
by brute force (trying every possible key combination).  The 
US government has also allowed the limited export of DES.

Despite its popularity, DES is considered to be reaching the 
end of its useful life.   The increasing speed and 
sophistication of computer processing power has begun to 
render DES vulnerable to brute force attacks.  Cryptographers 
have recently demonstrated that DES codes can be cracked in 
as little as three hours with $1 million worth of currently 
available equipment.  As a result, the banking and financial 
services industries have begun to explore alternatives to 
DES.  

Although there are many potential alternatives to DES, 
triple-DES is widely seen as the most practical solution.  
Triple-DES is based on DES, but has been enhanced by 
increasing the key length and by encrypting through multiple 
iterations.   These enhancements make triple-DES less 
vulnerable to brute force attacks.  Triple-DES is also 
popular because it can be easily incorporated into existing 
DES systems and is based on standards and procedures familiar 
to most users.   
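The following is an added illustration of the construction just described; it is not code from the CDT post, from X9, or from any vendor named here. Because a full DES implementation would not fit in a short example, DES is stood in for by a small 16-bit Feistel toy cipher constructed for this purpose (so the key sizes shown are the toy's, not DES's). What carries over unchanged is the encrypt-decrypt-encrypt composition, the reason setting all three keys equal reduces it to the single cipher (the "easily incorporated into existing DES systems" property mentioned above), and the brute-force work factor measured as a count of trial encryptions over the key space.

```python
# Added illustration (not part of the CDT post): the triple-DES "EDE"
# construction and its single-key compatibility property.  DES itself is
# replaced by a constructed 16-bit Feistel toy cipher so the example runs
# offline; the composition logic is the same as for real DES.

MASK8 = 0xFF
MASK16 = 0xFFFF
ROUNDS = 4

def _round_function(half: int, subkey: int) -> int:
    """Toy nonlinear round function on an 8-bit half (stand-in for DES's f)."""
    x = (half ^ subkey) & MASK8
    x = (x * 0x9D + 0x3B) & MASK8
    x = ((x << 3) | (x >> 5)) & MASK8        # 8-bit rotate left by 3
    return x ^ (x >> 4)

def _subkeys(key: int) -> list:
    """Toy key schedule: ROUNDS 8-bit subkeys derived from a 16-bit key."""
    key &= MASK16
    return [((key ^ (0x3C5A >> i)) >> (8 * (i % 2))) & MASK8 for i in range(ROUNDS)]

def _feistel(block: int, subkeys) -> int:
    """Generic Feistel network over a 16-bit block; reversing the subkey
    order inverts it exactly, which is what makes EDE collapse correctly."""
    left, right = (block >> 8) & MASK8, block & MASK8
    for sk in subkeys:
        left, right = right, left ^ _round_function(right, sk)
    return (right << 8) | left               # undo the final swap

def toy_encrypt(block: int, key: int) -> int:
    return _feistel(block, _subkeys(key))

def toy_decrypt(block: int, key: int) -> int:
    return _feistel(block, list(reversed(_subkeys(key))))

# Triple encryption in EDE form: E(k3, D(k2, E(k1, block))).  Decrypting in
# the middle step, rather than encrypting three times, is what makes
# k1 == k2 == k3 reduce to one single-key encryption, so equipment built for
# triple mode can still interoperate with single-key peers during migration.
def tdes_encrypt(block: int, k1: int, k2: int, k3: int) -> int:
    return toy_encrypt(toy_decrypt(toy_encrypt(block, k1), k2), k3)

def tdes_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    return toy_decrypt(toy_encrypt(toy_decrypt(block, k3), k2), k1)

def single_key_compatible(block: int, key: int) -> bool:
    """True when EDE with all three keys equal reproduces the single-key cipher."""
    return tdes_encrypt(block, key, key, key) == toy_encrypt(block, key)

def brute_force_trials(plaintext: int, ciphertext: int) -> int:
    """Work factor of exhaustive search on the toy: the number of trial
    encryptions needed to reach the first key consistent with one known
    plaintext/ciphertext pair.  Over the toy's 2**16 keys this is instant;
    the same loop over DES's 2**56 keys is the "three hours for $1 million"
    figure quoted above, and lengthening the key is what pushes it out of reach."""
    for trials, key in enumerate(range(1 << 16), start=1):
        if toy_encrypt(plaintext, key) == ciphertext:
            return trials
    return -1

def key_bits(single_key_bits: int, independent_keys: int) -> int:
    """Nominal key length of n independent keys (DES: 56 -> 168 for three keys)."""
    return single_key_bits * independent_keys

if __name__ == "__main__":
    k1, k2, k3, block = 0x1234, 0xBEEF, 0x0C0D, 0xA5C3   # constructed sample values
    ct = tdes_encrypt(block, k1, k2, k3)
    print(f"EDE ciphertext {ct:04x}; round trip ok: {tdes_decrypt(ct, k1, k2, k3) == block}")
    print("single-key EDE matches plain cipher:", single_key_compatible(block, k1))
    print("toy brute-force trials:", brute_force_trials(block, toy_encrypt(block, k1)))
    print("nominal key bits, three DES keys:", key_bits(56, 3))
```

The nominal figure from key_bits is the one the post refers to as "increasing the key length"; the NSA letter appended below argues that the effective strength against the best known generic attack is lower than the nominal length, which is why the construction uses three passes rather than two.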

NSA SETBACK IS A VICTORY FOR CLIPPER OPPONENTS

In their November letter to X9 committee members, the NSA 
attempted to undermine the attractiveness of triple-DES by 
arguing that it is cryptographically unsound, a potential 
threat to national security, and would not be exportable 
under US law.   The NSA, while offering no specific 
alternative to triple-DES, seemed to be attempting to push 
the committee to adopt the only currently available option -- 
Clipper.

Privacy advocates also lobbied the X9 committee.  In a letter 
sent in advance of the December 1994 ballot, CDT Deputy 
Director Daniel Weitzner (then EFF Deputy Policy Director) 
and EFF board member John Gilmore, an expert in this field, 
sent a letter to X9 committee members urging them to adopt 
the triple-DES standard. A copy of the letter is appended at 
the end of this post.

By agreeing to develop a triple-DES standard, the X9 
committee has clearly and decisively rejected Clipper as a 
solution. This vote thus represents a further repudiation of 
Clipper and yet another victory for opponents of government 
efforts to establish Clipper or other government-escrowed 
solutions as a national standard.

NEXT STEPS

X9F, a subcommittee of the X9 committee, will now develop 
technical standards for implementing triple-DES based 
applications.  This process is expected to take one or two 
years to complete.  Once technical standards are developed, 
the full X9 committee will vote as to whether to implement 
the subcommittee's technical recommendations.

The availability of triple-DES applications received a 
further boost recently with the announcement by AT&T and VLSI 
Technologies that they were developing new data security 
products based on triple-DES. This will presumably provide 
additional options for X9 committee members, but the 
exportability of these products is still in doubt.

The stage is thus set for a further battle between the NSA 
and the X9 committee over the exportability of triple-DES and 
final approval of the X9 standard.  As a sitting member of 
the committee, NSA will presumably continue to lobby against 
efforts by the committee to develop triple-DES applications.  
Furthermore, the banking and financial services industries 
must still persuade the government to allow for the export of 
triple-DES.  

As an opponent of government-escrowed cryptography, CDT 
applauds the recent actions of the X9 committee.  While CDT 
supports the development of a variety of security standards 
and alternatives to DES, we recognize the need of the banking 
and financial services industries to develop a temporary stop-
gap solution. CDT will continue to work towards the 
relaxation of export controls on cryptography and will 
support X9 committee members in their efforts to gain the 
ability to export triple-DES applications.

For more information contact:

Daniel J. Weitzner, Deputy Director       <djw at cdt.org>
Jonah Seiger, Policy Analyst              <jseiger at cdt.org>

+1.202.637.9800

----------------------------------------------------------

GILMORE/WEITZNER LETTER TO X9 COMMITTEE MEMBERS

November 18, 1994

Dear Accredited Standards Committee-X9 Member:

The X9 Committee is currently voting as to whether to 
recommend the development of a standard for triple-DES (ballot number 
X9/94-LB#28).  The Electronic Frontier Foundation (EFF) strongly urges you to 
vote in favor of the triple-DES standard.

EFF supports the development of a variety of new data 
security standards and alternatives to DES.  We believe the triple-DES standard 
provides the best immediate short term alternative because:

        * The basic algorithm, DES, is strong and has been 
          tested repeatedly.

        * There are no known attacks that succeed against 
          triple-DES.

        * It is clearly no less secure than DES.

        * It eliminates the brute-force problem completely by 
          tripling the key length.

        * It runs at high speeds in easy-to-build chips.

        * It can be easily incorporated into existing systems.

NSA's opposition to triple-DES appears to be an indirect attempt to push
Clipper by eliminating credible alternatives. Clipper is not a viable
alternative to triple-DES, and carries substantial liabilities. There has
been no evidence of foreign acceptance of the standard and the Skipjack
algorithm is classified. The likelihood of any government accepting secret
standards developed by a foreign security agency is slim. Clinton
Administration efforts, through the NSA, to push Clipper as a domestic
standard over the past two years have failed.

We urge you to carefully consider the alternatives before you 
cast your ballot.  We believe that the triple-DES issue should be 
decided on its own merits.

Sincerely, 

John Gilmore                            
Board of Directors                      
Electronic Frontier Foundation  

Daniel J. Weitzner
Deputy Policy Director
Electronic Frontier Foundation

-------------------------------------------------------------

NSA LETTER TO X9 COMMITTEE MEMBERS

X9 Member:

I will be casting a NO vote on the NWI for triple-DES, Letter 
Ballot X9/94-LB#28.  The reasons are set forth below.  You 
may find these useful as you determine your position.

Jerry Rainville

                NSA REASONS FOR A NEGATIVE VOTE

While NSA supports the use of DES in the global financial 
sector, we believe that standardization of triple-DES is ill-
advised for a number of reasons.

The financial community should be planning to transition to a 
new generation of cryptographic algorithms.  When DES was 
first introduced, it represented the "only game in town".  It 
supported encryption, authentication, key management, and 
secure hashing applications.  With a broader interest in 
security, the market can now support optimized algorithms by 
application.  Going through the expense of installing a stop-
gap can only serve to delay progress in achieving 
interoperable universal appropriate solutions.

While we understand the appeal of a snap-in upgrade, our 
experience has been that any change is expensive, especially 
one where the requirements on the key management system 
change.  We do not agree that replacing DES with triple-DES 
is significantly less expensive than upgrading to more 
appropriate technology.

Tripling of any algorithm is cryptographically unsound.  
Notice that tripling DES, at best, only doubles the length of 
the cryptovariable (key).  Phrased another way, the DES was 
optimized for security at 56 bits.  We cannot vouch that any 
of the schemes for doubling the cryptovariable length of DES 
truly squares security.

We understand the financial community has concerns with 
current key escrow based encryption, however, we are 
committed to searching for answers to those concerns.  But 
the government is also committed to key escrow encryption, 
and we do not believe that the proposal for triple DES is 
consistent with this objective.

US export control policy does not allow for general export of 
DES for encryption, let alone triple-DES.  Proceeding with 
this NWI would place X9 at odds with this long standing 
policy.  It also violates the newly accepted X9 cryptographic 
policy.

The US government has not endorsed triple-DES; manufacturers 
and users may be reluctant to use triple-DES products for 
fear of possible liability.

Finally, further proliferation of triple-DES is counter to 
national security and economic objectives.  We would welcome 
the opportunity to discuss these concerns with an appropriate 
executive of your institution.

---------------------------------------------------------------------

ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY

The Center for Democracy and Technology is a non-profit public interest
organization. The Center's mission is to develop and advocate public
policies that advance constitutional civil liberties and democratic 
values in new computer and communications technologies. 

Contacting us:

General information on CDT can be obtained by sending mail to <info at cdt.org>

www/ftp/gopher archives are currently under construction, and should be up
and running by the middle of March. 

                                 ###