[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

comments by Ron Rivest on Government crypto policy




These are some thoughts by Ron Rivest on government crypto policy and
the recent statement on Clipper.  I'm forwarding them to this list
with Ron's permission.

-- Hal Abelson

		    ******************************

The original intent of Clipper was to make available government (i.e.,
NSA) crypto technology (i.e., SKIPJACK) in a way that could not be
exploited by criminals or foreign nationals.  NIST and NSA wanted to
help out by making some of their technology available to US industry,
but wanted to do so in a way that didn't hurt other US government
operations (intelligence, law enforcement).  Key-escrowed clipper is
the result.  This is what Brent Morris and Mark Unkerholtz of NSA said
in a public lecture at MIT in spring '94.  They stressed the point
that their main goal was not to catch crooks or do foreign
intelligence better, but only to help out in a way that was not
hurtful to these other operations.  They didn't really expect that
Clipper would catch a lot of crooks.  (As is widely believed, any
sensible crook will avoid using Clipper equipment.)  The goal is to 
get their technology out, and a secondary requirement is that it be done
in a way that doesn't hurt their other operations.

Note that the above position is entirely consistent with an entirely
voluntary use of other cryptographic techniques by industry.  Trying
to force industry to use Clipper, or to use key-escrowed techniques,
would be equivalent to an assertion that the primary goal IS to assist
law enforcement and foreign intelligence in their operations, and is
thus contrary to the above position.

I now concerned that the administration's recent announcement represents a
serious revision of the above position.  Probably the reasoning for NIST and
NSA is going something like this:
	-- Congress (and parts of industry) wants the government to propose
	   crypto standards.
	-- NIST, the FBI, and the NSA can't push forward with a standard 
	   that is non-escrowed, because their jobs are on the line if any
	   significant use of government standards is made by "bad guys".
	-- They propose Skipjack/Clipper, which attempts to be "helpful"
	   (it has a new algorithm) in a way that doesn't hurt (key escrow).
But then, we have
	-- Significant opposition to escrowed standards by almost everyone
	   except Dorothy Denning.  Also, opposition to secret algorithms
	   in standards.

So, what do they do?

	-- Announce that they are reconsidering their policy on Clipper, while
	   keeping their commitment to escrowed crypto standards.  Invite
	   proposals from industry for escrowed crypto standards suitable for
	   software.  The crypto algorithms could be public, etc.

At this point, we have lost the only real contribution of the original proposal
(the secret Skipjack algorithm is shelved), and the role of the government is
now back just to trying to set some sort of standard.  That is, they are no
longer contributing technology, but only acting as a standard-setting body.
However, the fixation on escrow techniques persists; no bureaucrat wants to
have his job on the line for helping some "bad guy" that someday chooses to
use the US crypto standard.

But at this point, we have a government position that doesn't hang
together.  (The original position made more sense, although it didn't
result in a reasonable policy.)  Without government technical contributions
to protect (e.g. Skipjack), the only motivations for preserving key-escrow are

	(1) protecting the jobs of the policy-makers should some fairly visible
	    bad guy use government standard crypto someday, or

	(2) a reversal of the original policy: catching crooks and assisting 
	    foreign intelligence are now elevated from secondary constraints 
	    (due to reason (1)) to a primary goal.  

But it is well-recognized that catching crooks and assisting foreign
intelligence in such a manner requires the *mandatory* use of an
escrowed standard.  Without legal requirements to do so, most
manufacturers won't bother with the escrow capability.  Moreover, with
an adoption of public crypto standards, anyone (e.g. foreign
businesses) would be free to produce their own non-escrowed
implementations of the adopted crypto algorithms, and sell them in the
US.  It has been well argued that key escrow technology is not an
effective or cost-effective means of law enforcement, etc.  I think
that mandating the use of key escrow technology would be unacceptable
to most of the country (viz the current debate, which is running 1000
to 1 against even voluntary key escrow standards), too expensive, and
too much sticky tar spread on our nascent information highway.  I think
everyone realizes that mandating key escrow is not desirable or realistic.

Thus, we have a situation where there are four apparent choices left:
	(1) No government-approved crypto standards.
	(2) Government-approved public crypto standards with key-escrow
		mandatory for government use and voluntary elsewhere.
	(3) Government-approved public crypto standards with key-escrow
		voluntary for all users.
	(4) Government-approved public crypto standards with no key escrow.

The other choices, involving secret algorithms, are not viable.  I
also think that (1) is not viable, although one might suspect that
many government actions (and non-actions) were really directed at that
goal.  This leaves (2)--(4).  

Policy (2) makes no sense.  Given the freedom to easily use the
standard algorithms in non-escrowed manners (since they are public);
policy (2) is not effective for law-enforcement, etc.  It has
considerable cost, and no justification other than the attempt of the
policy-makers to try to do something that pretends not to hurt other
government activities.

Policy (3) might be workable.  There is no mandated use of escrowed
technology (even for government purchases) but manufacturers and users
may voluntarily implement escrowing capabilities if they wish.
Government agencies (NIST, the FBI, and the NSA) may develop and
publish escrowing techniques, and support and encourage escrowing
activities, as long as escrowing is not required by standards,
government purchases, or routine export control policy.   

(I haven't mentioned export control policy before, but think that it
falls in the same general category as requiring escrow for government
purchases---it is an attempt to affect the (foreign) market by
limiting what (US) manufacturers can do, rather than by affecting what
products are offered through government purchasing power.  In both
cases, the government's power to affect the market is limited by the
activities of other manufacturers and purchasers.  Export control in support
of specific policies against hostile countries (e.g., Libya?) is, in my
opinion, not unreasonable, but telling our information highway manufacturers
they can't export crypto is like telling our automobile manufacturers that
they can export cars, but only if they contain no bolts, fasteners, or 
opaque trunk lids: for crypto is the "nuts and bolts" of an information 
system -- it links together separate components in a secure manner, and is
also the means of protecting your information goods from prying eyes.)

Finally, there is policy (4) -- no escrowing at all.  This is, in the end,
the most workable.  It makes explicit that trying to achieve law-enforcement
and foreign intelligence objectives by affecting government crypto standards is
misguided and ultimately, harmful.

Comments appreciated....

	Cheers,

	Ron























--TAB24284.775191964/cygnus.com--