[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

No Subject




Hey guys, I think someone has been listening:
 
---------------------------------------------------
                              Communications Daily
 
                             April  30, 1993, Friday
 
Immunity Needed;
MARKEY PANEL SEES DARK SIDE OF ELECTRONIC FRONTIER
 
   Legislative intent met reality of technology Thurs. one-on-one before House
Telecom Subcommittee. It was no contest: Technology won in seconds, on a
knockout.
 
   Last year, Congress, concerned about cellular phone users' privacy, passed
legislation outlawing scanners that pick up cellular channels, and last week FCC
issued rules banning those scanners (CD April 23 p2). At hearing on privacy,
computer cracking and related topics, it took San Diego Supercenter Center
scientist Tsutomu Shimomura about 2 min. to take new cellular phone out of its
box, turn it on and set device to test mode -- thus turning it into scanner that
enabled those in House hearing room to hear snatches of live cellular
conversations. Shimomura needed congressional immunity to conduct demonstration,
which otherwise would have been illegal. FBI special agent was standing by to
make sure no other laws were broken, as could have happened in technology
demonstration. Event was practical demonstration of what Subcommittee Chmn.
Markey (D-Mass.) called "the 'sinister side' to cyberspace."
 
   John Gage, dir. of science office of Sun Microsystems, who orchestrated that
and other demonstrations that turned Rayburn Bldg. hearing room into media lab
with HDTV setup, computers and other devices, held up phone and said that, in
effect, legislation passed by Congress "has banned all cellular telephones in
the United States." Gage said: "It's not safe to talk on a cellular phone." With
right screwdriver and little adaptation, scanning capabilities of cellular
phones can be made more impressive, he said. He said that cellular phones are
little more than "good radios and terrible computers" that are designed to be
scanners, because that's how cellular radios keep users in touch with switches.
In moving products quickly to market, cellular manufacturers didn't want to
spend money or take time to worry about privacy concerns or consider encryption
technology, Gage said.
 
   Gage's general theme was that move to digital world posed challenges for
policy-makers and for industry. He said KPIX San Francisco planned to store
newscasts in computer in digital form for sound and pictures, to be made
available over high-speed network in Bay area and over Internet, to be played
back via computers whenever anyone called it up. What will that development do
to concept of TV stations or networks? "There's no way to stop digital
technology." Even as he spoke, Gage's equipment was transmitting images and
sound from hearing room to Internet.
   Gage said export laws prohibit selling abroad of particular encryption
computer programs. Yet he showed panel text of computer program pulled off
Internet, from Finland, of prohibited source code for Data Encryption Standard
(DES) used by U.S. govt. In that case, law wasn't broken because program was
imported, not exported. Adding comma to code would route program to Moscow, Gage
said, so he didn't add it because there was no immunity. Also set up in room was
satellite hookup to Moscow using small earth station made by KGB, which was in
contact with Russian satellite.
 
   Subcommittee members were impressed and dismayed. Rep. Tauzin (D-La.) asked
what Congress could do to keep up with technology. Gage said it should stick to
general principles and forget about legislating against specific technologies.
He said that one solution for Digital Age was encryption, and that federal govt.
should take lead, not by endorsing specific technology such as  Clipper Chip
(CD April 19 p2) that fits into telephones, fax machines, other devices. In
reply to question from Rep. Boucher (D-Va.), Gage said federal govt. should
support research on encryption.
 
   Following Gage's demonstration, Raymond Kammer, acting dir. of National
Institute for Standards & Technology (NIST), defended govt. support for
 Clipper Chip  and for DES standard. He said it would take powerful Cray
supercomputer more than 200 years to solve DES key, and more than billion years
to crack one  Clipper Chip  encryption key. Under Administration plan, users
would have one key to chip and federal govt. would have other. Kammer endorsed
plan as balance between law enforcement needs and privacy concerns. In April 28
letter to Markey in response to April 19 letter from chmn., Kammer said
 Clipper Chip  technology has no "trap door" that could allow govt. to crack
encyption code and said code would be offered to experts for evaluation. He
wasn't asked for comment on Gage's demonstration.
 
   Fordham U. law Prof. Joel Reidenberg called for federal board that would set
series of "fair information practices," as well as Data Protection Board for
specific information standards. N.J. state investigator John Lucich warned of
harm that comes from cracking of private business telephone and voice mail
services and said sophistication of law enforcement is increasing. Science
fiction author Bruce Sterling, who also wrote nonfiction book on govt. crackdown
on computer hackers, testified about future issues. Hearing was first in series
on privacy, computer and telecommunications issues. Others will examine
automatic number identification, selling of marketing information, related
topics.
--------------------------------------------------------
 
                               CommunicationsWeek
 
                                 April  26, 1993
 
Encryption Policy Spurs Concern
 
SHARON FISHER
 
    WASHINGTON Members of the networking and security community have expressed
concern that a new government policy on data encryption may restrict the use of
the technology.
 
    The White House earlier this month called for the implementation of a
special encryption chip that offers a "back door" for decryption by federal law
enforcement agencies. The chip uses a secret algorithm called "Skipjack" that
prevents users from encoding data in such a way that it cannot be read by law
enforcement officials.
 
    Under the new policy, electronic keys will be stored in two "escrow"
locations for release to law enforcement organizations that have been warranted
to wiretap and decrypt voice transmissions. The escrow locations have not been
named.
 
    The encryption chip was initially called the  Clipper chip,  but the
government has received complaints from Intergraph Corp., which holds a
registered trademark on a product called  Clipper chip,  according to John
Droge, vice president of program development for Mykotronx Inc., Torrance,
Calif., which developed the chip. "We call it the MYK-78," he said.
 
    AT&T has already announced a device based on the chip that attaches to a
telephone to let users encrypt telephone calls. The AT&T Telephone Security
Device will cost around $1,195 and will be available at the end of the second
quarter.
 
    In addition, Mykotronx is working on a more complex chip, called the
Capstone or MYK-80, that adds a key exchange algorithm, digital signature
standard and other technologies to the MYK-78, Droge said. Key exchange lets two
devices agree on a common encryption key; digital signature is a way to
guarantee the identity of the originator of the message.
 
    Industry members expressed concern that the federal government's policy
review on encryption, privacy protection and law enforcement could result in
further changes or restrictions to communications technology. The review is
taking place under a classified Presidential directive that does not publicly
state its exact scope or procedure.
 
    The review, which will be managed and directed by the National Security
Council, calls for an interim report by the end of June and a final report in
late August or early September, said Lynn McNulty, associate director for
computer security for the National Institute of Standards and Technology,
Gaithersburg, Md.
 
    Many members of the encryption community are concerned that a policy review
might result in restrictions on encryption technology already in use.  There are
currently no restrictions in the United States on the use of encryption
technology.
 
    "Why (else) would the government go through all this time and trouble and
expense to do this?" said Jim Bidzos, president of RSA Data Security Inc., a
Redwood City, Calif., company that licenses encryption and key technology to
vendors such as Apple Computer Inc., Lotus Development Corp. and Novell Inc.
 
    "I'm not sure anybody has a complaint with the FBI wanting to wiretap with a
legitimate court order, but when the FBI says it's so important that we need to
force a new communications system on the country, I have a problem with that,"
Bidzos said. "I am afraid, from the FBI's viewpoint, if this is the solution,
how can it work unless you eliminate the other kinds of use?"
 
    But McNulty said such an expanded policy was not likely.  "Those concerns
are not well-founded," he said, though he said the issue probably will be
addressed in the policy review. "I don't think in our society that people would
accept that restriction on their technology and freedoms. It's absolutely the
last recommendation that would be made."
-----------------------------------------------------
 
                               CommunicationsWeek
 
                                 April  26, 1993
 
Editor's View;
WHAT GOOD IS SECURITY IF IT MAKES US INSECURE?
 
    The federal government, under the guise of President Clinton's new Public
Encryption Management directive, promises to improve the security and privacy of
communications systems. The directive is likely, however, to result in the
eventual disappearance of private encryption and the erosion of personal
freedom.
 
    The directive was announced two weeks ago by the White House and the
National Institute of Standards and Technology. It requests suppliers of
communications equipment to base encryption on the " Clipper Chip, " a
microcircuit developed by the National Security Agency.
 
    The  Clipper Chip  will be manufactured by Mykotronx Inc., a military
contractor in Torrance, Calif. An 80-bit, split-key escrowed encryption scheme
used to lock and unlock data transmissions will be built into each chip. The
encryption scheme will also be kept in a "key-escrow" database monitored by two
independent government agencies.
 
    Unlike effective public encryption techniques, such as RSA Data Security's
triple-Data Encryption Standard (DES), which are available for analysis and
testing, the  Clipper Chip's  key algorithm will not be released to the public.
 
    Based on explanations provided in official documents, it seems that the
government doesn't care about improving secure communications.  Reliable
encryption already exists. Indeed, in the view of agencies like the NSA,
standards such as DES are too good because they are hard to crack.
 
    Clinton's directive has only one real agenda-to make it easier for
government agencies to snoop on private communications. Keys will be made
available to government agencies who request access in the same manner that
Federal judges grant telephone taps.
 
    The initiative hides behind the excuse of creating means to monitor
"terrorists, drug dealers, and other criminals." This isn't the first time that
the government has proposed an authoritarian scheme that goes after a few
peoples' crimes while stomping on the majority's civil liberties.
 
    Public scrutiny helps to pinpoint weaknesses and allow technical refinement.
In this case, we're being asked to trust the government, a notion that rubs most
rational people the wrong way.
 
    Congress passed the Computer Security Act in 1987 to open the development of
non-military computer security standards to public scrutiny to limit-not
expand-the NSA's role in their development.
 
    The directive makes no mention of a particular communication session's
key-escrow. Once your keys have been released, all past and future traffic is
open to examination.
 
    The administration said it would not prohibit private encryption, "nor is
the U.S. saying that every American, as a matter of right, is entitled to an
unbreakable commercial encryption product."
 
    If the program succeeds, it probably will drive private encryption vendors
out of the marketplace.
 
    Commercial encryption products already provide excellent network security.
Contact the White House and let policy-makers know that we appreciate their
concern about crime control, but prefer that the government stay out of the
security-control business.
 
    Send your reactions to DBUERGER on MCI Mail, DBUERGERCUP.PORTAL.COM on the
Internet or by fax, 516-562-5055.
 
----------------------------------------------------
                                 Network World
 
                                 April  26, 1993
 
NSA has public-key chip to complement  Clipper Chip;
Uses same controversial key escrow system.
 
By Ellen Messmer, Senior Correspondent
 
WASHINGTON, D.C.
 
   The algorithm developed by the National Security Agency (NSA) for use with
the government's newly proposed  Clipper Chip  private-key encryption system
will also show up in Capstone, a chip for public-key encryption, Network World
has learned.
 
   Like  Clipper Chip,  Capstone will use a key escrow system that will enable
the government to eavesdrop on encrypted information.  Vendors of Capstone-based
encryption products will have to register decryption keys with a federal agency
that other agencies can retrieve through legal means.
 
   Although Capstone has not been publicly announced, it is at the heart of the
encryption system that is to be used in the upcoming Defense Message System
(DMS) (see story, p.1).
 
   With the public-key Capstone system, one key is made public, while another is
kept secret; the message recipient and sender do not have to exchange keys as
they do in private-key systems such as the Data Encryption Standard and
 Clipper Chip.   With Capstone, key management is much simpler.
 
    Clipper Chip,  for example, enables users to encrypt electronic documents
before sending them to the intended recipient, but the recipient must have
received the sender's secret key beforehand in order to decrypt the document.
 
   In addition, Capstone will provide the electronic digital signature for
"signing" documents electronically, something private-key systems cannot do.
 
   Mykotronx, Inc., the Torrance, Calif., firm that designed  Clipper Chip,  is
also supplying the Capstone chipset.  John Droge, vice president of marketing at
Mykotronx, an authorized NSA Communications Security vendor, said the firm has
already shipped 10,000 Capstone and 20,000  Clipper Chip  chipsets.
 
   The NSA intends to equip military users of the DMS with cryptocards -- dubbed
Tessera cards -- containing the Capstone chips so users can enter and activate
the public-key encryption and signing features. The Tessera cards are based on
the new industry standard PCMCIA, named after the Personal Computer Memory Card
International Association, which created the standard. Mykotronx is currently
the sole Tessera card supplier.
 
   Last week, the NSA acknowledged that the private-key algorithm to be used
with Capstone in the DMS is the same as that used in  Clipper Chip.  "The [DMS]
Type 2 algorithm is the same as the  Clipper Chip  announced by the Clinton
administration," said John Nagengast, chief of strategic systems at the NSA,
speaking last week at the Information Systems Security Association's trade show
CardTech/SecureTech in Arlington, Va. "It will enable us to go across the
government with a common algorithm."
 
User reaction
 
   The key escrow concept behind both  Clipper Chip  and Capstone have left many
users and vendors worried.
 
   Sandra Lambert, vice president of information security at Citibank, N.A., and
Samuel Epstein, president of Racal-Guardata, Inc., said the key escrow system
raises the issue of security vulnerability, which could result from a break-in
at the site where the escrow keys will be stored.
 
   The Electronic Frontier Foundation (EFF), a public advocacy group based here,
has taken the position that the public should not have to rely on the government
as the sole source for encryption chips.  Last week, the EFF began pulling
together a coalition of vendors and users under the banner of its Digital
Privacy and Security Working Group to address the issues raised by  Clipper
 Chip.   AT&T, which announced that it would include  Clipper Chip  in its
Secure Telephone Device, will participate in the EFF forum.
 
   Government sources last week said AT&T rushed out with its  Clipper Chip
announcement because the Department of Justice wants to purchase AT&T telephone
security devices with  Clipper Chip.  Last week, AT&T said it based its decision
to include the  Clipper Chip  chipset on faith rather than knowledge. "We've
told the government there's a need to establish the credibility of the
standard," said Mike Agee, marketing manager for secure products at AT&T.
 
   Although publication of the  Clipper Chip  specification would not compromise
the effectiveness of the algorithm, the NSA said it intends to keep the
algorithm secret. "The plan is we would share it with academia on a limited
basis," Nagengast said. "I don't believe it's ever intended to be published."