[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Info Security News article on Clipper (fwd)
- To: [email protected]
- Subject: Info Security News article on Clipper (fwd)
- From: Anonymous <[email protected]>
- Date: Wed, 1 Sep 93 20:43:48 -0500
- Organization: Yoohoo Chocolate Beverage
Info Security News
Volume 4, Number 5
September/October 1993
page 14
---
D.C. Dateline
---
New Crypto Standards in Contention
by Charlotte Adams
Experts are hotly debating the Clipper initiative, a plan to
standardize on a voice-encryption device with built-in
law-enforcement access. Although de facto or mandatory
acceptance of Clipper or similar hardware now seems remote, the
potential cost of such action makes it worth considering.
The rationale for Clipper was to maintain the government's
information-eavesdropping capability as the use of encryption
spreads. The hope was that the market would follow the
government's lead, making Clipper the de facto standard.
The National Institute of Standards and Technology sees
benefits in making Clipper the accepted standard. "If we deny
[criminals] the use of the national communications net, [that's
a] nontrivial accomplishment," says Ray Kammer, NIST's acting
director. If the network standard is Clipper, he reasons,
criminals would "have to set up their own [communications]
system, an interesting and formidible task."
NIST is pushing ahead with a proposed Escrowed Encryption
Standard. If all goes well, this Federal Information Processing
Standard could be in place by October, an important step toward
widespread use by the federal government. The key-escrow
mechanism should be in place by autumn, government sources say.
A related issue is NIST's Digital Signature Standard, which
was developed in secret by the National Security Agency. NIST
added a new issue to the DSS debate last summer when the agency
announced a proposed settlement with Public Key Partners giving
PKP control over commercial use of the standard.
Clipper pros and cons.
The key-escrow concept, allowing access to law-enforcment
agencies, will have to become mandatory because it makes no sense
on a voluntary basis, critics say. "It clearly has implications
for data transmission, as well," says Phil Karn of Qualcomm, a
San Diego maker of cellular telephones.
Government contractors, in fact, are already fine-tuning
another chip, called Capstone, which will be much more convenient
for data-security applications. Capstone will add the NIST's
secure hash, digital signature and key-exchange algorithms to
Clipper's Skipjack encryption algorithm and escrow support.
"Clipper is good for voice, for telephony, but not as a
coprocessor inside a PC, selectively encrypting fields," says
Richard Ankney, a technical consultant with Fischer International
Systems Corp. "Capstone is better in that regard."
The trouble with Capstone is that it is big and expensive, a
full custom, very-large scale-integration ciruit design, says
John Droge, vice president of program development for chip
designer, Mykotronx Inc., of Torrance, Calif. VLSI Technology
Inc., in San Jose, is actually fabricating the chip.
Mykotronx expects the chips initially to sell at $100 apiece
in quantities of 10,000. PCMCIA (Personal Computer Memory Card
International Association) cards initially will sell in the $300
range, he predicts. That's a far cry from the government's $100
target price for the PCMCIA module.
If the hardware becomes mandatory, space would have to be
found for the chips inside notebooks and palmtops, as well as in
laptop and desktop computers. Estimates on the markup to
customers vary from 25 to 200 percent.
The cost of retrofitting Clipper or Capstone into existing
machines would be tremendous, says Fred Gluck, director of
marketing for control products with Datamedia Corp., a Nashua,
N.H. security software and token vendor. Simply multiply the $25
to $30 per half-hour you pay for technical people times the 100
million or so PCs out there, he says.
But much of the cost may be hidden from the end user, Ankney
counters. "You could take the hit and not raise the price at
all."
The Digital Signature Standard.
Although eclipsed by the Clipper controversy, DSS nevertheless
remains an issue. Even though its algorithm is not secret, NSA
"played a very dominant role" in creating it, says David Sobel,
legal counsel for the Computer Professionals for Social
Responsibilty. The secrecy surrounding NSA's role in DSS goes
beyond the will of Congress in the Computer Security Act of 1987
for the "[standards] development process to be open and
accountable," Sobel says.
The PKP angle is also a problem, CPSR says. The arrangement
by which NIST allows PKP to control commercial use of the
Digital Signature Standard "really comes down to ... almost
paying them off," says Marc Rotenberg, director of CPSR's
Washington office.
People shouldn't read too much into the proposal, NIST says.
"It means ... the government wants to move on and get this out of
the way ... without any acknowledgement of [the validity of the
PKP] infringement action," explains F. Lynn McNulty, NIST's
associate director for computer security.
The "big payoff" of the proposed agreement is that individual
citizens communicating with the government won't have to pay
royalties, he says.
More information needed.
Almost everyone agrees that more information is necessary
before a policy decision can be made. "Are we talking about
completely revamping the communications infrastructure to
facilitate 800 wiretaps?" asks Daniel Weitzner, senior counsel
for the Electronic Frontier Foundation. EFF coordinates the
activities of the Digital Privacy and Security Working Group, a
coalition of information security technology companies and
non-profit groups that has raised many questions about Clipper.
"We want a real, solid understanding of the problems from [the
administration's] perspective and a fact-based risk assessment,"
Weitzner says.
NIST's own security and privacy advisory panel refused to
rubberstamp the Clipper initiative at first sight and various
interest groups have demanded a more thoughtful and open review.
The Digital Privacy and Security Working Group has been asked
to contribute substantively to the ongoing interagency crypto
policy review, EFF's Weitzner says.
CPSR, however, is forming its own policy review group. The
administration's approach of taking outside imput is still
essentially a closed process, CPSR says. "The point we're trying
to make [is that] the public has an interest in its privacy and
consumers have an interest in what they ultimately might end up
paying, " Rotenberg says.
----------------------------------------
Charlotte Adams is a free-lance journalist covering technology
issues in the Washington D.C. area for a variety of magazines.
Copyright (c) 1993 by MIS Training Institute Press, Inc.
Ye olde Spooge Meister spooge /spooj/ 1. Inexplicable or arcane code
<[email protected]> or random and probably incorrect output
from a computer program.