[LONG] Churchill Club: 20th Anniversary PK Crypto

[frantz@netcom.com (Bill Frantz)]

The moderator, David Morris of Cylink, introduced the field by discussing
the problems of corporate espionage, and privacy concerns vs. public and
private databases.  He said that the old security paradigms present with
face to face business don't work with electronic commerce.

He introduced Jim Omura, who gave an overview of PK encryption and
introduced Martin Hellman, Ralph Merkle, and Whitfield Diffie.  Louis
Morris, Cylink CEO, presented them with inscribed glass trophies.

Hellman described the key to the early years as being willing to be a fool,
because you need to step out of the standard thought patterns.  Diffie
described the genesis from 1974 to 1978 as going from Merkle's paper,
"Secure Communication Over Insecure Channels", thru DH key exchange, to
RSA.  Since 1976 is the center of gravity of these steps, this year makes a
good 20th anniversary.  Merkle said it is most striking how long it has
taken to be adopted.  Networks lead to a need for security, lead to a
questioning of regulations on Crypto, which leads to changes in those
regulations.  Diffie said it is absolutely amazing that it is happening so
quickly.  "How wonderfully lucky it is we started working 20 years ago."

Senator Larry Pressler (R, SD) was introduced via video projector from
Washington D.C.  He talked about bad government rules and that government
should help or at least get out of the way.  He talked about the need for
exports and to assist US multi-national businesses.  The controls hurt US
companies.  Encryption is the future of industry.  If we don't fix the
export problem, there are two outcomes.  (1) Foreign competition will
provide the function, or (2) US companies will move the R&D offshore. 
Either will cost US jobs.  After listing his [off topic] pet bills, he
mentioned that he was talking about encryption in software.  He said
Senator Burns' bill will be introduced tomorrow.

Senator Conrad Burns (R, MT) spoke from the podium in a joke filled speech.
 He talked about the Telecom Bill as a way to do something about giving
more people access to the glass highway.  He talked about the problem of
how do we make sure that people have agreed to a deal on the highway and
supporting sales.  He said we need the crypto bill to support them.  His
bill provides for, (1) Export of publicly available software (e.g. PGP and
browsers), (2) no GAK, (3) limiting the authority of the Department of
Commerce to set standards, and (4) export to countries which equivalent
technology.  He wants to have public hearings in Silicon Valley.

Then questions came from the floor:

Q: Why are we streamlining the Department of Commerce when the Department
of State and NSA are the problem?
Burns: Legislation will deal with this problem and prevent them from
blocking export.  You may still need a license, but there should be no
fences.
Pressler: We need to streamline relations between State and Commerce in
this area.  We need to streamline trade in hi tech.  I don't think that
state and NSA should have the say.  Export is a trade problem.  It is a
"disaster for American exports."
Burns: We are going to need grass-roots support to pass this bill.

Q: Where do California's senators (Feinstein and Boxer) stand?
Burns: We don't know.
Pressler: We didn't have their support on tort reform.  Stick with your
friends and work for them.

Q: Who is against the bill?
Burns: People who listen to NSA.  People who feel the US needs to be able
to watch you.

Q: How do you expect administration opposition to show up?
A: We don't know yet.

Q: Currently encryption is classified as a munition.  Will your legislation
reclassify it.
Pressler: We don't see encryption as a threat to national security.  People
in Washington D.C. who make a living suppressing information oppose the
bill.
Burns: We need your knowledge to pass this bill.

The senators bid us goodbye and the Congressman Robert Goodlatte (R, VA)
was introduced.  He said that President Clinton testified for 4.5 hours
over an encrypted communication link on the McDougall trial.  His bill is
called Security And Freedom thru Encryption (SAFE).  Local congressmen
Campbell and Eshoo are co-sponsors.  We need to broaden the base of support
for this bill.  Everyone should talk to their customers/vendors/and
companies with web sites about this issue.  If we don't change the rules,
it could cost $60B in 2000.  There are 500 foreign encryption software
products.  He talked about how fast 40 and 56 bit encryption could be
cracked and said that, in his opinion, the administration's desire to read
everything, foreign and domestic is the greatest threat.  He argues it is
the wrong approach and we should be encouraging everyone to use encryption
routinely.  We need it for counter terrorism against attacks on computer
systems used in design, manufacturing and e.g. controlling nuclear power
plants.  We need your help getting the word out.  Write your member of
congress.  We will have hearings on the bill in the next month or two.

Q: What do you say to techies/CEOs who want to run for public office?
A: Well are you a Democrat or Republican? (laughter).  Seriously, congress
needs a variety of backgrounds to help with technical issues.  Get good
expert advice on running your campaign.


James Freeman, Special Agent in Charge, San Francisco Office, FBI,
discussed the tools the FBI needs to do its job.  He talked about foreign
espionage on US companies.  He mentioned 800 cases involving 23 countries,
20% in the SF Bay area.  Counterfeit drugs cost US drug companies
$1.5B/year.  The FBI does not have adequate laws to pursue theft of
intellectual property.  It could use a computer fraud/abuse law.  

In the last few years, the FBI and local law enforcement have identified 9
gangs dealing in stolen electronic components thru undercover operations
and wiretaps.  Each set of arrests have reduced the rate of reported armed
robbery.  They used RICO to help prosecute these gangs.  He stated the FBI
can do the same for intellectual property given the right tools.

He stated that in some cases, foreign students are sent here to spy on US
corporations.  In some cases they are released from military service for
their spying.  Inside theft is responsible for most spying, but hacking and
computer intrusion are increasing.

He said that terrorists, money launders, drug dealers using crypto is a
serious threat, and he thinks GAK is a good solution.  If congress takes
GAK away from law enforcement, they will use the tools they have.  However
we need a balanced approach.

Q: If any high school student can implement unbreakable crypto, what can you do?
A: Regulation of crypto is the responsibility of congress.


Edward Kozel of Cisco Systems spoke about the problems they have had with
the export regulations.  He said that the Internet was important because it
lowered the barriers to market entry.  He offered the example that the big
3 American auto manufactures are requiring network links for their
suppliers.  He talked about attacks on hosts and networks.  He said that
right now, Atlanta is a boom area for telecommuting because Atlanta
companies fear the Olympics will bring gridlock this summer.  He suggested
micro payments as a solution to copyright problems.  We must see the
problem as a global problem.  PK is a fundamental component of commerce,
authentication, and non-repudiation.

Q (Dave Del Toro (sp?)): RSA patent license imposes significant limitations
on what we can do with RSA.  How can we overcome that barrier?
Morris (Cylink): Cylink owns the DH patents.  We are opening the technology
with no-cost licenses.  Patents should not be used to block the technology.
Kozel: We certainly support open dissemination.  In 1990 we couldn't export
routers to e.g. Russia.  So they used PCs and public domain software to
build their nets.  Now they are converting to routers.  Now is the time to
unleash encryption.

Q: What is the best way to go given the new laws and IPv6?
Kozel: 40 bits is no good.  Even people in rural Australia know that. 
Industry needs to recognize the need for controls, if only by the customer.
 The technology is moving to the mass market.  Encryption will be needed to
keep everyone from reading data on cable networks.


Paul Raines, Project Manager, United States Postal Service described the
post offices digital postmark and certificate services.  Cylink is the
technical developer.  The post office brings four things that private
industry can't: (1) The postal fraud statutes, (2) A long track record and
well established reputation, (3) 40,000 existing post offices (vs. 10,000
McDonald's), and (4) it can act as a trusted third party.

Q: How much will you charge for these services and when will they be available?
A: Postmarking: $.10, 7/96.  Certificates: $10-$15/person/year, 4Q96.

Q: Do you see the post office acting as an ISP?
A: Only to the extent necessary to provide electronic delivery of digital
postmarks and certificates.

Q: Do you see the post office going into transaction verification?  What
limits your future business directions?
A: We will make sure not to compete with private business.  Because we must
go through a rate commission to change prices makes it hard to compete.


The evening closed with a Diffie, Hellman, Merkle panel.

Hellman: After these 20 years, I feel less of a fool.  When we wrote "New
Directions in Cryptography" in 1976, we envisioned our ideas would be
widespread in five years.
Diffie: I was excessively optimistic about the spread of PKC in two of my
papers.
Hellman: We were off for two reasons.  (1) Lack of public concern.  With
cell phone fraud approaching 40% that may change.  And (2) ITAR.  This new
legislation will have a very positive effect.
Merkle: I wish I could pipe the comments this evening back 20 years.  I
would particular like to pipe them to my rejection letter from
Communications of the ACM which said my contribution was not mainstream. 
One is often over optimistic about the early rate of progress and under
optimistic about the later rate.  OK, I was wrong before, but things are
going to happen fast now.
Morris: Where are the new frontiers?
Diffie: Quantum computing (if it works).  Elliptic curve crypto.  The next
decade or so will be used to sort out the social effects.  Passive
listening by major governments is moving to active computer penetration. 
What will our high-level security specifications be?  What are fair rules
for intellectual property, privacy etc?


We closed with David Morris reading email from Phil Mellinger, Chief
Engineer, Government Securities Association.  He said the US and Canada are
discussing inter operability on Certificate authorities.  The government is
using DH with DES and SHA for government communications.  Short of the
automobile, PKC has had the largest effect on the world of any 20th century
technology.


Impressions:  In conversation afterwards, I noted that discussion of
personal privacy seemed to be politically incorrect in this group.  Unless
it directly supported corporate commerce, we didn't discuss it.


------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA