NRC Report Contents
[Report Cover]
[Header all pages]
May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction
Cryptography's Role in Securing
the Information Society
Kenneth Dam and Herbert Lin, Editors
Committee to Study National Cryptography Policy
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council
National Academy Press
Washington, D.C. 1996
____________________________________________________________
Contents
PREFACE
Introduction
Charge of the Committee to Study National Cryptography
Policy
What This Report Is Not
On Secrecy and Report Time Line
A Note from the Chair
Acknowledgments
EXECUTIVE SUMMARY
A ROAD MAP THROUGH THIS REPORT
PART I -- FRAMING THE POLICY ISSUES
1 GROWING VULNERABILITY IN THE INFORMATION AGE
1.1 The Technology Context of the Information Age
1.2 Transitions to an Information Society -- Increasing
Interconnections and Interdependence
1.3 Coping with Information Vulnerability
1.4 The Business and Economic Perspective
1.4.1 Protecting Important Business Information
1.4.2 Ensuring the Nation's Ability to Exploit
Global Markets
1.5 Individual and Personal Interests in Privacy
1.5.1 Privacy in an Information Economy
1.5.2 Privacy for Citizens
1.6 Special Needs of Government
1.7 Recap
2 CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE
2.1 Cryptography in Context
2.2 What Is Cryptography and What Can It Do?
2.3 How Cryptography Fits into the Big Security Picture
2.3.1 Technical Factors Inhibiting Access to
Information
2.3.2 Factors Facilitating Access to Information
2.4 The Market for Cryptography
2.4.1 The Demand Side of the Cryptography Market
2.4.2 The Supply Side of the Cryptography Market
2.5 Infrastructure for Widespread Use of Cryptography
2.5.1 Key Management Infrastructure
2.5.2 Certificate Infrastructures
2.6 Recap
3 NEEDS FOR ACCESS TO ENCRYPTED INFORMATION
3.1 Terminology
3.2 Law Enforcement: Investigation and Prosecution
3.2.1 The Value of Access to Information for Law
Enforcement
3.2.2 The Legal Framework Governing Surveillance
3.2.3 The Nature of Surveillance Needs of Law
Enforcement
3.2.4 The Impact of Cryptography and New Media on
Law Enforcement (Stored and Communicated Data)
3.3 National Security and Signals Intelligence
3.3.1 The Value of Signals Intelligence
3.3.2 The Impact of Cryptography on SIGINT
3.4 Similarities and Differences Between Foreign
Policy/National Security and Law Enforcement Needs for
Communications Monitoring
3.4.1 Similarities
3.4.2 Differences
3.5 Business and Individual Needs for Exceptional Access
to Protected Information
3.6 Other Types of Exceptional Access to Protected
Information
3.7 Recap
PART II -- POLICY INSTRUMENTS
4 EXPORT CONTROLS
4.1 Brief Description of Current Export Controls
4.1.1 The Rationale for Export Controls
4.1.2 General Description
4.1.3 Discussion of Current Licensing Practices
4.2 Effectiveness of Export Controls on Cryptography
4.3 The Impact of Export Controls on U.S. Information
Technology Vendors
4.3.1 De Facto Restrictions on the Domestic
Availability of Cryptography
4.3.2 Regulatory Uncertainty Related to Export
Controls
4.3.3 The Size of the Affected Market for
Cryptography
4.3.4 Inhibiting Vendor Responses to User Needs
4.4 The Impact of Export Controls on U.S. Economic and
National Security Interests
4.4.1 Direct Economic Harm to U.S. Businesses
4.4.2 Damage to U.S. Leadership in Information
Technology
4.5 The Mismatch Between the Perceptions of Government/
National Security and Those of Vendors
4.6 Export of Technical Data
4.7 Foreign Policy Considerations
4.8 Technology-Policy Mismatches
4.9 Recap
5 ESCROWED ENCRYPTION AND RELATED ISSUES
5.1 What Is Escrowed Encryption?
5.2 Administration Initiatives Supporting Escrowed
Encryption
5.2.1 The Clipper Initiative and the Escrowed
Encryption Standard
5.2.2 The Capstone/Forteza (sic) Initiative
5.2.3 The Relaxation of Export Controls on Software
Products Using "Properly Escrowed" 64-bit
Encryption
5.2.4 Other Federal Initiatives in Escrowed
Encryption
5.3 Other Approaches to Escrowed Encryption
5.4 The Impact of Escrowed Encryption on Information
Security
5.5 The Impact of Escrowed Encryption on Law Enforcement
5.5.1 Balance of Crime Enabled vs. Crime Prosecuted
5.5.2 Impact on Law Enforcement Access to
Information
5.6 Mandatory vs. Voluntary Use of Escrowed Encryption
5.7 Process Through Which Policy on Escrowed Encryption
Was Developed
5.8 Affiliation and Number of Escrow Agents
5.9 Responsibilities and Obligations of Escrow Agents and
Users of Escrowed Encryption
5.9.1 Partitioning Escrowed Information
5.9.2 Operational Responsibilities of Escrow Agents
5.9.3 Liabilities of Escrow Agents
5.10 The Role of Secrecy in Ensuring Product Security
5.10.1 Algorithm Secrecy
5.10.2 Product Design and Implementation Secrecy
5.11 The Hardware/Software Choice in Product Implementation
5.12 Responsibility for Generation of Unit Keys
5.13 Issues Related to the Administration Proposal to
Exempt 64-bit Escrowed Encryption in Software
5.13.1 The Definition of "Proper Escrowing"
5.13.2 The Proposed Limitation of Key Lengths to 64
Bits or Less
5.14 Recap
6 OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY
6.1 The Communications Assistance for Law Enforcement Act
6.1.1 Brief Description of and Stated Rationale for
the CALEA
6.1.2 Reducing Resource Requirements for Wiretaps
6.1.3 Obtaining Access to Digital Streams in the
Future
6.1.4 The CALEA Exemption of Information Service
Providers and Distinctions Between Voice and
Data Services
6.2 Other Levers Used in National Cryptography Policy
6.2.1 Federal Information Processing Standards
6.2.2 The Government Procurement Process
6.2.3 Implementation of Policy: Fear, Uncertainty,
Doubt, Delay, Complexity
6.2.4 R&D Funding
6.2.5 Patents and Intellectual Property
6.2.6 Formal and Informal Arrangements with Various
Other Governments and Organizations
6.2.7 Certification and Evaluation
6.2.8 Nonstatutory Influence
6.2.9 Interagency Agreements Within the Executive
Branch
6.3 Organization of the Federal Government with Respect to
Information Security
6.3.1 Role of National Security vis-a-vis Civilian
Information Infrastructures
6.3.2 Other Government Entities with Influence on
Information Security
6.4 International Dimensions of Cryptography Policy
6.5 Recap
PART III -- POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS
7 POLICY OPTIONS FOR THE FUTURE
7.1 Export Control Options for Cryptography
7.1.1 Dimensions of Choice for Controlling the
Export of Cryptography
7.1.2 Complete Elimination of Export Controls on
Cryptography
7.1.3 Transferral of All Cryptography Products to
the Commerce Control List
7.1.4 End-use Certification
7.1.5 Nation-by-Nation Relaxation of Controls and
Harmonization of U.S. Export Control Policy on
Cryptography with Export/Import Policies of
Other Nations
7.1.6 Liberal Export for Strong Cryptography with
Weak Defaults
7.1.7 Liberal Export for Cryptographic Applications
Programming Interfaces
7.1.8 Liberal Export for Escrowable Products with
Encryption Capabilities
7.1.9 Alternatives to Government Certification of
Escrow Agents Abroad
7.1.10 Use of Differential Work Factors in
Cryptography
7.1.11 Separation of Cryptography from Other Items on
the U.S. Munitions List
7.2 Alternatives for Providing Government Exceptional
Access to Encrypted Data
7.2.1 A Prohibition of the Use and Sale of
Cryptography Lacking Features for Exceptional
Access
7.2.2 Criminalization of the Use of Cryptography in
the Commission of a Crime
7.2.3 Technical Non-Escrow Approaches for Obtaining
Access to Information
7.2.4 Network-based Encryption
7.2.5 Distinguishing Between Encrypted Voice and
Data Communications Services for Exceptional
Access
7.2.6 A Centralized Decryption Facility for
Government Exceptional Access
7.3 Looming Issues
7.3.1 The Adequacy of Various Levels of Encryption
Against High-Quality Attack
7.3.2 Organizing the U.S. Government for Better
Information Security on a National Basis
7.4 Recap
8 SYNTHESIS, FINDINGS, AND RECOMMENDATIONS
8.1 Synthesis and Findings
8.1.1 The Problem of Information Vulnerability
8.1.2 Cryptographic Solutions to Information
Vulnerabilities
8.1.3 The Policy Dilemma Posed by Cryptography
8.1.4 National Cryptography Policy for the
Information Age
8.2 Recommendations
8.3 Additional Work Needed
8.4 Conclusion
APPENDIXES
A Contributors to the NRC Project on National Cryptography
Policy
B Glossary
C A Brief Primer on Cryptography
D An Overview of Electronic Surveillance: History and Current
Status
E A Brief History of Cryptography Policy
F A Brief Primer on Intelligence
G The International Scope of Cryptography Policy
H Summary of Important Requirements for a Public-Key
Infrastructure
I Industry-Specific Dimensions of Security
J Examples of Risks Posed by Unprotected Information
K Cryptographic Applications Programming Interfaces
L Laws, Regulations, and Documents Relevant to Cryptography
M Other Looming Issues Related to Cryptography Policy
N Federal Information Processing Standards
[End Contents]