NIST call for Comments on "Key-Escrow" (fwd)
- To: [email protected]
- Subject: NIST call for Comments on "Key-Escrow" (fwd)
- From: [email protected] (Paul Ferguson)
- Date: Tue, 17 Aug 93 21:09:37 EDT
- Organization: Sytex Communications, Inc
From: Dave Banisar <uunet!washofc.cpsr.org!banisar>
Date: Tue, 17 Aug 1993 14:23:16 EST
Subject: Call for Clipper Comments
Call for Clipper Comments
The National Institute of Standards and Technology (NIST) has
issued a request for public comments on its proposal to establish
the "Skipjack" key-escrow system as a Federal Information
Processing Standard (FIPS). The deadline for the submission of
comments is September 28, 1993. The full text of the NIST notice
CPSR is urging all interested individuals and organizations to
express their views on the proposal and to submit comments
directly to NIST. Comments need not be lengthy or very detailed;
all thoughtful statements addressing a particular concern will
likely contribute to NIST's evaluation of the key-escrow proposal.
The following points could be raised about the NIST proposal
(additional materials on Clipper and the key escrow proposal may
be found at the CPSR ftp site, cpsr.org):
* The potential risks of the proposal have not been assessed and
many questions about the implementation remain unanswered. The
NIST notice states that the current proposal "does not include
identification of key escrow agents who will hold the keys for the
key escrow microcircuits or the procedures for access to the
keys." The key escrow configuration may also create a dangerous
vulnerability in a communications network. The risks of misuse of
this feature should be weighed against any perceived benefit.
* The classification of the Skipjack algorithm as a "national
security" matter is inappropriate for technology that will be used
primarily in civilian and commercial applications. Classification
of technical information also limits the computing community's
ability to evaluate fully the proposal and the general public's
right to know about the activities of government.
* The proposal was not developed in response to a public concern
or a business request. It was put forward by the National
Security Agency and the Federal Bureau of Investigation so that
these two agencies could continue surveillance of electronic
communications. It has not been established that it is necessary for
crime prevention. The number of arrests resulting from wiretaps
has remained essentially unchanged since the federal wiretap law
was enacted in 1968.
* The NIST proposal states that the escrow agents will provide the
key components to a government agency that "properly demonstrates
legal authorization to conduct electronic surveillance of
communications which are encrypted." The crucial term "legal
authorization" has not been defined. The vagueness of the term
"legal authorization" leaves open the possibility that court-
issued warrants may not be required in some circumstances. This
issue must be squarely addressed and clarified.
* Adoption of the proposed key escrow standard may have an adverse
impact upon the ability of U.S. manufacturers to market
cryptographic products abroad. It is unlikely that non-U.S. users
would purchase communication security products to which the U.S.
government holds keys.
Comments on the NIST proposal should be sent to:
Director, Computer Systems Laboratory
ATTN: Proposed FIPS for Escrowed Encryption Standard
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD 20899
Submissions must be received by September 28, 1993. CPSR has
asked NIST that provisions be made to allow for electronic
submission of comments.
Please also send copies of your comments on the key escrow
proposal to CPSR for inclusion in the CPSR Internet Library, our
ftp site. Copies should be sent to <[email protected]>.
VOL. 58, No. 145
DEPARTMENT OF COMMERCE (DOC)
National Institute of Standards and Technology (NIST)
Docket No. 930659-3159
A Proposed Federal Information Processing Standard for an Escrowed
Encryption Standard (EES)
58 FR 40791
Friday, July 30, 1993
Notice; request for comments.
SUMMARY: A Federal Information Processing Standard (FIPS) for an
Escrowed Encryption Standard (EES) is being proposed. This
proposed standard specifies use of a symmetric-key
encryption/decryption algorithm and a key escrowing method which
are to be implemented in electronic devices and used for
protecting certain unclassified government communications when
such protection is required. The algorithm and the key escrowing
method are classified and are referenced, but not specified, in
This proposed standard adopts encryption technology developed
by the Federal government to provide strong protection for
unclassified information and to enable the keys used in the
encryption and decryption processes to be escrowed. This latter
feature will assist law enforcement and other government agencies,
under the proper legal authority, in the collection and decryption
of electronically transmitted information. This proposed standard
does not include identification of key escrow agents who will
hold the keys for the key escrow microcircuits or the procedures
for access to the keys. These issues will be addressed by the
Department of Justice.
The purpose of this notice is to solicit views from the public,
manufacturers, and Federal, state, and local government users so
that their needs can be considered prior to submission of this
proposed standard to the Secretary of Commerce for review and
The proposed standard contains two sections: (1) An
announcement section, which provides information concerning the
applicability, implementation, and maintenance of the standard;
and (2) a specifications section which deals with the technical
aspects of the standard. Both sections are provided in this
DATES: Comments on this proposed standard must be received on or
before September 28, 1993.
ADDRESSES: Written comments concerning the proposed standard
should be sent to: Director, Computer Systems Laboratory, ATTN:
Proposed FIPS for Escrowed Encryption Standard, Technology
Building, room B-154, National Institute of Standards and
Technology, Gaithersburg, MD 20899.
Written comments received in response to this notice will be
made part of the public record and will be made available for
inspection and copying in the Central Reference and Records
Inspection Facility, room 6020, Herbert C. Hoover Building, 14th
Street between Pennsylvania and Constitution Avenues, NW.,
Washington, DC 20230.
FOR FURTHER INFORMATION CONTACT: Dr. Dennis Branstad, National
Institute of Standards and Technology, Gaithersburg, MD 20899,
telephone (301) 975-2913.
SUPPLEMENTARY INFORMATION: This proposed FIPS implements the
initiative announced by the White House Office of the Press
Secretary on April 16, 1993. The President of the U.S. approved a
Public Encryption Management directive, which among other actions,
called for standards to facilitate the procurement and use of
encryption devices fitted with key-escrow microcircuits in
Federal communication systems that process sensitive, but
Dated: July 26, 1993.
Federal Information Processing Standards Publication XX
Announcing the Escrowed Encryption Standard (EES)
Federal Information Processing Standards Publications (FIPS
PUBS) are issued by the National Institute of Standards and
Technology (NIST) after approval by the Secretary of Commerce
pursuant to section 111(d) of the Federal Property and
Administrative Services Act of 1949 as amended by the Computer
Security Act of 1987, Public Law 100-235.
Name of Standard: Escrowed Encryption Standard (EES).
Category of Standard: Telecommunications Security.
Explanation: This Standard specifies use of a symmetric-key
encryption (and decryption) algorithm and a Law Enforcement Access
Field (LEAF) creation method (one part of a key escrow system)
which provide for decryption of encrypted telecommunications when
interception of the telecommunications is lawfully authorized.
Both the algorithm and the LEAF creation method are to be
implemented in electronic devices (e.g., very large scale
integration chips). The devices may be incorporated in security
equipment used to encrypt (and decrypt) sensitive unclassified
telecommunications data. Decryption of lawfully intercepted
telecommunications may be achieved through the acquisition and use
of the LEAF, the decryption algorithm and escrowed key components.
To escrow something (e.g., a document, an encryption key) means
that it is "delivered to a third person to be given to the grantee
only upon the fulfillment of a condition" (Webster's Seventh New
Collegiate Dictionary). A key escrow system is one that entrusts
components of a key used to encrypt telecommunications to third
persons, called key component escrow agents. In accordance with
the common definition of "escrow", the key component escrow agents
provide the key components to a "grantee" (i.e., a government
agency) only upon fulfillment of the condition that the grantee
properly demonstrates legal authorization to conduct electronic
surveillance of communications which are encrypted using the
specific device whose key component is requested. The key
components obtained through this process are then used by the
grantee to reconstruct the device unique key and obtain the
session key (contained in the LEAF) which is used to decrypt the
telecommunications that are encrypted with that device. The term,
"escrow", for purposes of this standard, is restricted to the
The encryption/decryption algorithm has been approved for
government applications requiring encryption of sensitive
unclassified telecommunications of data as defined herein. The
specific operations of the algorithm and the LEAF creation method
are classified and hence are referenced, but not specified, in
Data, for purposes of this standard, includes voice, facsimile
and computer information communicated in a telephone system.
Telephone system, for purposes of this standard, is limited to
systems circuit-switched up to no more than 14.4 kbs or which use
basic-rate ISDN, or to a similar grade wireless service.
Data that is considered sensitive by a responsible authority
should be encrypted if it is vulnerable to unauthorized disclosure
during telecommunications. A risk analysis should be performed
under the direction of a responsible authority to determine
potential threats and risks. The costs of providing encryption
using this standard as well as alternative methods and their
respective costs should be projected. A responsible authority
should then make a decision, based on the risk and cost analyses,
whether or not to use encryption and then whether or not to use
Approving Authority: Secretary of Commerce.
Maintenance Agency: Department of Commerce, National Institute of
Standards and Technology.
Applicability: This standard is applicable to all Federal
departments and agencies and their contractors under the
conditions specified below. This standard may be used in designing
and implementing security products and systems which Federal
departments and agencies use or operate or which are operated for
them under contract. These products may be used when replacing
Type II and Type III (DES) encryption devices and products owned
by the government and government contractors.
This standard may be used when the following conditions apply:
1. An authorized official or manager responsible for data
security or the security of a computer system decides that
encryption is required and cost justified as per OMB Circular A-
2. The data is not classified according to the National
Security Act of 1947, as amended, or the Atomic Energy Act of
1954, as amended.
However, Federal departments or agencies which use encryption
devices for protecting data that is classified according to either
of these acts may use those devices also for protecting
unclassified data in lieu of this standard.
In addition, this standard may be adopted and used by non-
Federal Government organizations. Such use is encouraged when it
provides the desired security.
Applications: Devices conforming to this standard may be used for
protecting unclassified communications.
Implementations: The encryption/decryption algorithm and the LEAF
creation method shall be implemented in electronic devices (e.g.,
electronic chip packages) that can be physically protected against
unauthorized entry, modification and reverse engineering.
Implementations which are tested and validated by NIST will be
considered as complying with this standard. An electronic device
shall be incorporated into a cryptographic module in accordance
with FIPS 140-1. NIST will test for conformance with FIPS 140-1.
Cryptographic modules can then be integrated into security
equipment for sale and use in an application. Information about
devices that have been validated, procedures for testing equipment
for conformance with NIST standards, and information about
obtaining approval of security equipment are available from the
Computer Systems Laboratory, NIST, Gaithersburg, MD 20899.
Export Control: Implementations of this standard are subject to
Federal Government export controls as specified in title 22, Code
of Federal Regulations, parts 120 through 131 (International
Traffic of Arms Regulations -ITAR). Exporters of encryption
devices, equipment and technical data are advised to contact the
U.S. Department of State, Office of Defense Trade Controls for
more information.
Patents: Implementations of this standard may
be covered by U.S. and foreign patents.
Implementation Schedule: This standard becomes effective thirty
days following publication of this FIPS PUB.
Specifications: Federal Information Processing Standard (FIPS
a. FIPS PUB 46-2, Data Encryption Standard.
b. FIPS PUB 81, Modes of Operation of the DES
c. FIPS PUB 140-1, Security Requirements for Cryptographic
The following terms are used as defined below for purposes of
Data-Voice, facsimile and computer information communicated in
a telephone system.
Decryption-Conversion of ciphertext to plaintext through the
use of a cryptographic algorithm.
Device (cryptographic)-An electronic implementation of the
encryption/decryption algorithm and the LEAF creation method as
specified in this standard.
Digital data-Data that have been converted to a binary
Encryption-Conversion of plaintext to ciphertext through the
use of a cryptographic algorithm.
Key components-The values from which a key can be derived
(e.g., KU sub 1 + KU sub 2).
Key escrow-A process involving transferring one or more
components of a cryptographic key to one or more trusted key
component escrow agents for storage and later use by government
agencies to decrypt ciphertext if access to the plaintext is
LEAF Creation Method 1-A part of a key escrow system that is
implemented in a cryptographic device and creates a Law
Enforcement Access Field.
Type I cryptography-A cryptographic algorithm or device
approved by the National Security Agency for protecting classified
Type II cryptography-A cryptographic algorithm or device
approved by the National Security Agency for protecting sensitive
unclassified information in systems as specified in section 2315
of Title 10 United States Code, or section 3502(2) of Title 44,
United States Code.
Type III cryptography-A cryptographic algorithm or device
approved as a Federal Information Processing Standard.
Type III(E) cryptography-A Type III algorithm or device that is
approved for export from the United States.
Qualifications. The protection provided by a security product or
system is dependent on several factors. The protection provided by
this standard against key search attacks is greater than that
provided by the DES (e.g., the cryptographic key is longer).
However, provisions of this standard are intended to ensure that
information encrypted through use of devices implementing this
standard can be decrypted by a legally authorized entity.
Where to Obtain Copies of the Standard: Copies of this
publication are for sale by the National Technical Information
Service, U.S. Department of Commerce, Springfield, VA 22161. When
ordering, refer to Federal Information Processing Standards
Publication XX (FIPS PUB XX), and identify the title. When
microfiche is desired, this should be specified. Prices are
published by NTIS in current catalogs and other issuances. Payment
may be made by check, money order, deposit account or charged to a
credit card accepted by NTIS.
Specifications for the Escrowed Encryption Standard
This publication specifies Escrowed Encryption Standard (EES)
functions and parameters.
This standard specifies use of the SKIPJACK cryptographic
algorithm and the LEAF Creation Method 1 (LCM-1) to be implemented
in an approved electronic device (e.g., a very large scale
integration electronic chip). The device is contained in a logical
cryptographic module which is then integrated in a security
product for encrypting and decrypting telecommunications.
Approved implementations may be procured by authorized
organizations for integration into security equipment. Devices
must be tested and validated by NIST for conformance to this
standard. Cryptographic modules must be tested and validated by
NIST for conformance to FIPS 140-1.
3. Algorithm Specifications
The specifications of the encryption/decryption algorithm
(SKIPJACK) and the LEAF Creation Method 1 (LCM-1) are classified.
The National Security Agency maintains these classified
specifications and approves the manufacture of devices which
implement the specifications. NIST tests for conformance of the
devices implementing this standard in cryptographic modules to
FIPS 140-1 and FIPS 81.
4. Functions and Parameters
The following functions, at a minimum, shall be implemented:
1. Data Encryption: A session key (80 bits) shall be used to
encrypt plaintext information in one or more of the following
modes of operation as specified in FIPS 81: ECB, CBC, OFB (64), CFB
(1, 8, 16, 32, 64).
2. Data Decryption: The session key (80 bits) used to encrypt
the data shall be used to decrypt resulting ciphertext to obtain
3. Key Escrow: The Family Key (KF) shall be used to create
the Law Enforcement Access Field (LEAF) in accordance with the
LEAF Creation Method 1 (LCM-1). The Session Key shall be encrypted
with the Device Unique Key and transmitted as part of the LEAF.
The security equipment shall ensure that the LEAF is transmitted
in such a manner that the LEAF and ciphertext may be decrypted
with legal authorization. No additional encryption or modification
of the LEAF is permitted.
The following parameters shall be used in performing the
1. Device Identifier (DID): The identifier unique to a
particular device and used by the Key Escrow System.
2. Device Unique Key (KU): The cryptographic key unique to a
particular device and used by the Key Escrow System.
3. Cryptographic Protocol Field (CPF): The field identifying
the registered cryptographic protocol used by a particular
application and used by the Key Escrow System (reserved for
future specification and use).
4. Escrow Authenticator (EA): A binary pattern that is inserted
in the LEAF to ensure that the LEAF is transmitted and received
properly and has not been modified, deleted or replaced in an
5. Initialization Vector (IV): A mode and application dependent
vector of bytes used to initialize, synchronize and verify the
encryption, decryption and key escrow functions.
6. Family Key (KF): The cryptographic key stored in all devices
designated as a family that is used to create the LEAF.
7. Session Key (KS): The cryptographic key used by a device to
encrypt and decrypt data during a session.
8. Law Enforcement Access Field (LEAF): The field containing
the encrypted session key and the device identifier and the escrow
The Cryptographic Algorithm and the LEAF Creation Method shall
be implemented in an electronic device (e.g., VLSI chip) which is
highly resistant to reverse engineering (destructive or non-
destructive) to obtain or modify the cryptographic algorithms, the
DID, the KF, the KU, the EA, the CPF, the operational KS, or any
other security or Key Escrow System relevant information. The
device shall be able to be programmed/personalized (i.e., made
unique) after mass production in such a manner that the DID, KU
(or its components), KF (or its components) and EA fixed pattern
can be entered once (and only once) and maintained without
external electrical power.
The LEAF and the IV shall be transmitted with the ciphertext.
The specifics of the protocols used to create and transmit the
LEAF, IV, and encrypted data shall be registered and a CPF
assigned. The CPF shall then be transmitted in accordance with the
The specific electric, physical and logical interface will vary
with the implementation. Each approved, registered implementation
shall have an unclassified electrical, physical and logical
interface specification sufficient for an equipment manufacturer
to understand the general requirements for using the device. Some
of the requirements may be classified and therefore would not be
specified in the unclassified interface specification.
Paul Ferguson | "Government, even in its best state,
Network Integrator | is but a necessary evil; in its worst
Centreville, Virginia USA | state, an intolerable one."
[email protected] | - Thomas Paine, Common Sense
Type bits/keyID Date User ID
pub 1024/1CC04D 1993/03/15 Paul Ferguson <[email protected]>
Key fingerprint = EE D2 93 7D 04 6D C6 05 AC 36 AD 9D 8E 4F 41 58
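
Added example, not part of the original message or of the NIST notice: a toy Python model of the escrow flow the notice describes (KU held as two components, KS wrapped under KU, and the LEAF created with KF). SKIPJACK and LCM-1 are classified, so the cipher here is a stand-in HMAC-SHA256 keystream, and the XOR split, field order, DID width and EA pattern are all assumptions.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 10            # 80-bit keys, the session-key size given in section 4
DID_BYTES = 4             # assumed width; the notice gives no field sizes
EA_PATTERN = b"\xa5\x5a"  # assumed fixed Escrow Authenticator pattern


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for classified SKIPJACK: XOR with an HMAC-SHA256 keystream.
    Self-inverse, so the same call encrypts and decrypts. Not for real use."""
    if len(data) > hashlib.sha256().digest_size:
        raise ValueError("toy keystream is only 32 bytes")
    stream = hmac.new(key, iv, hashlib.sha256).digest()[:len(data)]
    return xor(data, stream)


def split_key(ku: bytes) -> tuple[bytes, bytes]:
    """Split KU into two components, one per escrow agent (XOR is assumed)."""
    ku1 = secrets.token_bytes(len(ku))
    return ku1, xor(ku, ku1)


def make_leaf(kf: bytes, ku: bytes, did: bytes, ks: bytes, iv: bytes) -> bytes:
    """Device side: wrap KS under KU, then protect DID | wrapped KS | EA under KF."""
    wrapped_ks = toy_cipher(ku, iv, ks)
    return toy_cipher(kf, iv, did + wrapped_ks + EA_PATTERN)


def recover_session_key(leaf, iv, kf, agent_a, agent_b):
    """Authorized side: open the LEAF with KF, fetch both components by DID,
    rebuild KU and unwrap KS."""
    body = toy_cipher(kf, iv, leaf)
    did = body[:DID_BYTES]
    wrapped_ks = body[DID_BYTES:DID_BYTES + KEY_BYTES]
    if not hmac.compare_digest(body[DID_BYTES + KEY_BYTES:], EA_PATTERN):
        raise ValueError("escrow authenticator mismatch")
    ku = xor(agent_a[did], agent_b[did])   # neither agent alone holds KU
    return did, toy_cipher(ku, iv, wrapped_ks)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    kf, ku, ks = (secrets.token_bytes(KEY_BYTES) for _ in range(3))
    did, iv = b"\x00\x00\x00\x2a", secrets.token_bytes(8)
    ku1, ku2 = split_key(ku)
    leaf = make_leaf(kf, ku, did, ks, iv)
    got_did, got_ks = recover_session_key(leaf, iv, kf, {did: ku1}, {did: ku2})
    print(got_did.hex(), got_ks == ks)
```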