[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Clipper article (and an OCR check)




Cypherpunks,

  This may be old news to  most of you, but I just got my
HP ScanJet IIc working with Caere's OmniPage Pro 2.1, and
thought I'd scan this in to give it a try.

  Note to D.C. Cypherpunks (or anyone else, for that matter):
I'll be happy to scan any documents or newsclippings you
send my way.  I'm located in Columbia, Maryland.  I'm reachable
by UUCP e-mail at uunet!anagld!ftgcorp!dan.


From Network World, issue date May 31, 1993.


OPINIONS
SECURITY PERSPECTIVES
BY MICHEL KABAY

Vigilance is needed to keep Clipper Chip in check

  Last month, the federal government endorsed a new encryption
technology based on the Clipper Chip. The Clipper Chip will give
federal agencies a key to unlock users' encrypted voice and data
communications.  Network users can live with this situation, but
only if they're vigilant about preventing any attempt to make the
Clipper Chip the only legal encryption mechanism available in
the U.S.

  The Clipper Chip will serve some legitimate needs. As the
U.S. builds its National Information Infrastructure, increasing
amounts of data will flow electronically throughout the nation.
Users will need encryption to protect their sensitive data. In
a multivendor world, having a common encryption standard,
such as the Clipper Chip, will simplify protection so users
won't even notice their communications being encrypted.

  However, users have many questions and concerns about the Clipper
Chip, as well.

  Internet users are curious about how the chip was
developed: specifically, what companies and individuals were
consulted and how the initial manufacturer, Mykotronx, Inc.
of Torrance, Calif., was selected.  This information might cast
light on the quality of the chip and the price to be charged.

  Internet users also wonder why the algorithm is being kept
secret. Without free access to the algorithm, many argue, the
scientific community will not be sure that the algorithm actually
functions as claimed.

  Defenders of the plan point to a proposed examination by selected
experts, but any closed process leaves open the question of whether
there is a back door to decryption.

A major user concern involves key escrow, which is at the heart of the
administration's proposal. Government agencies would hold pairs of
incomplete decryption keys for every Clipper Chip installed in the U.S.
To decrypt private communications, a government agency would need to get
a warrant to obtain the two parts of the decryption key.
         
INSET:   Clipper Chip will give
         federal agencies a key
         to users' encrypted
         communications

  Anyone who discovers the key pairs for a specific Clipper
Chip could decode all encrypted communications initiated by
that device, even after the warrant expires. Therefore, the
trustworthiness of the key escrow agencies is crucial to avoid
abuses of the decryption keys.

   The partial keys might be stored in databases or generated
by black-box decryption devices.  Any party involved in creating
these databases or devices would be a vulnerable point in
the control over decryption.

  It would be valuable to know whether the federal government
has studied the risks and estimated the costs of providing
adequate protection. If so, many users would want to evaluate
such studies independently.

  Key escrow for foreign purchasers of the Clipper Chip and
for foreign manufacturers will also cause problems. If other
countries use the technology and have all the keys in escrow,
U.S. users may find their own security compromised by legal
systems beyond their control.

  But the biggest concern regarding this technology is that it
could lead to a ban on all unauthorized encryption technology
in the U.S. A few years from now, anyone using a non-Clipper
Chip encryption method could be assumed to be engaging in
crime. Political pressure to ban all non-Clipper Chip encryption
could become intense.

  Making non-Clipper Chip encryption illegal would lead to
enforcement problems. Applying the technology only to voice
transmissions would raise the popularity of data transmission
-- that is, digitally encoded voice file transfers. So it would
have to be applied to data, too.

  But failure to produce clear text using the Clipper Chip decryption
could be construed as evidence of illegal encryption,
even if the original data stream was not, in fact, interpretable.

  The prospect of astronomers being arrested because law enforcement
officials couldn't make sense of their data on elemental composition
of supernovas is pretty funny--if you like that kind of joke.

  I urge all users to fight any attempt to make the Clipper Chip
the only legal encryption mechanism in the U.S. For further
developments in the ongoing debate, users should follow the
dialogues on the Internet in the Risks forum, the Privacy forum
and the new alt.privacy.clipper news group.

END 

Kabay is director of education with the National Computer Security
Association in Carlisle, Pa. He can be reached at (717) 258-1816 or
on the Internet at [email protected].


--
[email protected] (Dan Veeneman)
Fountainhead Title Group