[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NRC Report Contents



 
                       [Report Cover] 
 
                     [Header all pages] 
              May 30, 1996, Prepublication Copy 
           Subject to Further Editorial Correction 
 
 
 
               Cryptography's Role in Securing 
                   the Information Society 
 
 
 
            Kenneth Dam and Herbert Lin, Editors 
 
       Committee to Study National Cryptography Policy 
        Computer Science and Telecommunications Board 
Commission on Physical Sciences, Mathematics, and Applications 
 
                  National Research Council 
 
 
                   National Academy Press 
                    Washington, D.C. 1996 
 
____________________________________________________________ 
 
                          Contents 
 
 
PREFACE 
 
   Introduction 
   Charge of the Committee to Study National Cryptography 
   Policy 
   What This Report Is Not 
   On Secrecy and Report Time Line 
   A Note from the Chair 
   Acknowledgments 
 
EXECUTIVE SUMMARY 
 
A ROAD MAP THROUGH THIS REPORT 
 
 
 
             PART I -- FRAMING THE POLICY ISSUES 
 
 
1  GROWING VULNERABILITY IN THE INFORMATION AGE 
 
   1.1  The Technology Context of the Information Age 
 
   1.2  Transitions to an Information Society -- Increasing 
        Interconnections and Interdependence 
 
   1.3  Coping with Information Vulnerability 
 
   1.4  The Business and Economic Perspective 
 
        1.4.1  Protecting Important Business Information 
        1.4.2  Ensuring the Nation's Ability to Exploit 
               Global Markets 
 
   1.5  Individual and Personal Interests in Privacy 
 
        1.5.1  Privacy in an Information Economy 
        1.5.2  Privacy for Citizens 
 
   1.6  Special Needs of Government 
 
   1.7  Recap 
 
 
2  CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE 
 
   2.1  Cryptography in Context 
 
   2.2  What Is Cryptography and What Can It Do? 
 
   2.3  How Cryptography Fits into the Big Security Picture 
 
        2.3.1  Technical Factors Inhibiting Access to 
               Information 
        2.3.2  Factors Facilitating Access to Information 
 
   2.4  The Market for Cryptography 
 
        2.4.1  The Demand Side of the Cryptography Market 
        2.4.2  The Supply Side of the Cryptography Market 
 
   2.5  Infrastructure for Widespread Use of Cryptography 
 
        2.5.1  Key Management Infrastructure 
        2.5.2  Certificate Infrastructures 
 
   2.6 Recap 
 
 
3  NEEDS FOR ACCESS TO ENCRYPTED INFORMATION 
 
   3.1  Terminology 
 
   3.2  Law Enforcement: Investigation and Prosecution 
 
        3.2.1  The Value of Access to Information for Law 
               Enforcement 
        3.2.2  The Legal Framework Governing Surveillance 
        3.2.3  The Nature of Surveillance Needs of Law 
               Enforcement 
        3.2.4  The Impact of Cryptography and New Media on 
               Law Enforcement (Stored and Communicated Data) 
 
   3.3  National Security and Signals Intelligence 
 
        3.3.1  The Value of Signals Intelligence 
        3.3.2  The Impact of Cryptography on SIGINT 
 
   3.4  Similarities and Differences Between Foreign 
        Policy/National Security and Law Enforcement Needs for 
        Communications Monitoring 
 
        3.4.1  Similarities 
        3.4.2  Differenees 
 
   3.5  Business and Individual Needs for Exceptional Access 
        to Protected Information 
 
   3.6  Other Types of Exceptional Access to Protected 
        Information 
 
   3.7  Recap 
 
 
 
                PART II -- POLICY INSTRUMENTS 
 
 
4  EXPORT CONTROLS 
 
   4.1  Brief Description of Current Export Controls 
 
        4.1.1  The Rationale for Export Controls 
        4.1.2  General Description 
        4.1.3  Discussion of Current Licensing Practices 
 
   4.2  Effectiveness of Export Controls on Cryptography 
 
   4.3  The Impact of Export Controls on U.S. Information 
        Technology Vendors 
 
        4.3.1  De Facto Restrictions on the Domestic 
               Availability of Cryptography 
        4.3.2  Regulatory Uncertainty Related to Export 
               Controls 
        4.3.3  The Size of the Affected Market for 
               Cryptography 
        4.3.4  Inhibiting Vendor Responses to User Needs 
 
   4.4  The Impact of Export Controls on U.S. Economic and 
        National Security Interests 
 
        4.4.1  Direct Economic Harm to U.S. Businesses 
        4.4.2  Damage to U.S. Leadership in Information 
               Technology 
 
   4.5  The Mismatch Between the Perceptions of Government/ 
        National Security and Those of Vendors 
 
   4.6  Export of Technical Data 
 
   4.7  Foreign Policy Considerations 
 
   4.8  Technology-Policy Mismatches 
 
   4.9  Recap 
 
 
5  ESCROWED ENCRYPTION AND RELATED ISSUES 
 
   5.1  What Is Escrowed Encryption? 
 
   5.2  Administration Initiatives Supporting Escrowed 
        Encryption 
 
        5.2.1  The Clipper Initiative and the Escrowed 
               Encryption Standard 
        5.2.2  The Capstone/Forteza (sic) Initiative 
        5.2.3  The Relaxation of Export Controls on Software 
               Products Using "Properly Escrowed" 64-bit 
               Encryption 
        5.2.4  Other Federal Initiatives in Escrowed 
               Encryption 
 
   5.3  Other Approaches to Escrowed Encryption 
 
   5.4  The Impact of Escrowed Encryption on Information 
        Security 
 
   5.5  The Impact of Escrowed Encryption on Law Enforcement 
 
        5.5.1  Balance of Crime Enabled vs. Crime Prosecuted 
        5.5.2  Impact on Law Enforcement Access to 
               Information 
 
   5.6  Mandatory vs. Voluntary Use of Escrowed Encryption 
 
   5.7  Process Through Which Policy on Escrowed Encryption 
        Was Developed 
 
   5.8  Affiliation and Number of Escrow Agents 
 
   5.9  Responsibilities and Obligations of Escrow Agents and 
        Users of Escrowed Encryption 
 
        5.9.1  Partitioning Escrowed Information 
        5.9.2  Operational Responsibilities of Escrow Agents 
        5.9.3  Liabilities of Escrow Agents 
 
   5.10 The Role of Secrecy in Ensuring Product Security 
 
        5.10.1 Algorithm Secrecy 
        5.10.2 Product Design and Implementation Secrecy 
 
   5.11 The Hardware/Software Choice in Product Implementation 
 
   5.12 Responsibility for Generation of Unit Keys 
 
   5.13 Issues Related to the Administration Proposal to 
        Exempt 64-bit Escrowed Encryption in Software 
 
        5.13.1 The Definition of "Proper Escrowing" 
        5.13.2 The Proposed Limitation of Key Lengths to 64 
               Bits or Less 
 
   5.14 Recap 
 
 
6  OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY 
 
   6.1  The Communications Assistance for Law Enforcement Act 
 
        6.1.1  Brief Description of and Stated Rationale for 
               the CALEA 
        6.1.2  Reducing Resource Requirements for Wiretaps 
        6.1.3  Obtaining Access to Digital Streams in the 
               Future 
        6.1.4  The CALEA Exemption of Information Service 
               Providers and Distinctions Between Voice and 
               Data Services 
 
   6.2  Other Levers Used in National Cryptography Policy 
 
        6.2.1  Federal Information Processing Standards 
        6.2.2  The Government Procurement Process 
        6.2.3  Implementation of Policy: Fear, Uncertainty, 
               Doubt, Delay, Complexity 
        6.2.4  R&D Funding 
        6.2.5  Patents and Intellectual Property 
        6.2.6  Formal and Informal Arrangements with Various 
               Other Governments and Organizations 
        6.2.7  Certification and Evaluation 
        6.2.8  Nonstatutory Influence 
        6.2.9  Interagency Agreements Within the Executive 
               Branch 
 
   6.3  Organization of the Federal Government with Respect to 
        Information Security 
 
        6.3.1  Role of National Security vis-a-vis Civilian 
               Information Infrastructures 
        6.3.2  Other Government Entities with Influence on 
               Information Security 
 
   6.4  International Dimensions of Cryptography Policy 
 
   6.5  Recap 
 
 
 
   PART III--POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS 
 
 
7  POLICY OPTIONS FOR THE FUTURE 
 
   7.1  Export Control Options for Cryptography 
 
        7.1.1  Dimensions of Choice for Controlling the 
               Exportof Cryptography 
        7.1.2  Complete Elimination of Export Controls on 
               Cryptography 
        7.1.3  Transferral of All Cryptography Products to 
               the Commerce Control List 
        7.1.4  End-use Certification 
        7.1.5  Nation-by-Nation Relaxation of Controls and 
               Harmonization of U.S. Export Control Policy on 
               Cryptography with Export/Import Policies of 
               Other Nations 
        7.1.6  Liberal Export for Strong Cryptography with 
               Weak Defaults 
        7.1.7  Liberal Export for Cryptographic Applications 
               Programming Interfaces 
        7.1.8  Liberal Export for Escrowable Products with 
               Encryption Capabilities 
        7.1.9  Alternatives to Government Certification of 
               Escrow Agents Abroad 
        7.1.10 Use of Differential Work Factors in 
               Cryptography 
        7.1.11 Separation of Cryptography from Other Items on 
               the U.S. Munitions List 
 
   7.2  Alternatives for Providing Government Exceptional 
        Access to Encrypted Data 
 
        7.2.1  A Prohibition of the Use and Sale of 
               Cryptography Lacking Features for Exceptional 
               Access 
        7.2.2  Criminalization of the Use of Cryptography in 
               the Commission of a Crime 
        7.2.3  Technical Non-Escrow Approaches for Obtaining 
               Access to Information 
        7.2.4  Network-based Encryption 
        7.2.5  Distinguishing Between Encrypted Voice and 
               Data Communications Services for Exceptional 
               Access 
        7.2.6  A Centralized Decryption Facility for 
               Government Exceptional Access 
 
   7.3  Looming Issues 
 
        7.3.1  The Adequacy of Various Levels of Encryption 
               Against High-Quality Attack 
        7.3.2  Organizing the U.S. Government for Better 
               Information Security on a National Basis 
 
   7.4  Recap 
 
 
8  SYNTHESIS, FINDINGS, AND RECOMMENDATIONS 
 
   8.1  Synthesis and Findings 
 
        8.1.1  The Problem of Information Vulnerability 
        8.1.2  Cryptographic Solutions to Information 
               Vulnerabilities 
        8.1.3  The Policy Dilemma Posed by Cryptography 
        8.1.4  National Cryptography Policy for the 
               Information Age 
 
   8.2  Recommendations 
 
   8.3  Additional Work Needed 
 
   8.4  Conclusion 
 
 
                         APPENDIXES 
 
A  Contributors to the NRC Project on National Cryptography 
   Policy 
 
B  Glossary 
 
C  A Brief Primer on Cryptography 
 
D  An Overview of Electronic Surveillance: History and Current 
   Status 
 
E  A Brief History of Cryptography Policy 
 
F  A Brief Primer on Intelligence 
 
G  The International Scope of Cryptography Policy 
 
H  Summary of Important Requirements for a Public-Key 
   Infrastructure 
 
I  Industry-Specific Dimensions of Security 
 
J  Examples of Risks Posed by Unprotected Information 
 
K  Cryptographic Applications Programming Interfaces 
 
L  Laws, Regulations, and Documents Relevant to Cryptography 
 
M  Other Looming Issues Related to Cryptography Policy 
 
N  Federal Information Processing Standards 
 
[End Contents]