Notes from SAFE meeting

[minow@apple.com (Martin Minow)]

Here are my raw, unedited, incomplete, and not to be trusted,
notes from the SAFE meeting, July 1, 1996, at Stanford.
(ps. thanks to the folk who did an amazing amount of work
to put this on.)

burns: fbi, cia, nsa presented to senate/congress: said nothing that wasn't
already in public record (newspapers)

telia (Swedish Telecom) representative (Mattias Soederholm) -- can't import
strong encryption as NSA claims it would harass company. doesn't like having
to tell customers that USA will read their mail.

Whit Diffie - nuclear non-proliferation: proliferation of crypto does
more good than harm: make sure that weapons are under your control: extensive
development since Kennedy administration. Positive control over nuclear
weapon: crypto.

----
Technical panel
----
whit diffie, eric thompson (forced decryption, fbi is a client), bruce
schneier, tom parenty (sybase), matt blaze. We came to discuss policics,
but were charged with discussing technology.

key lengths -- too much jargon. question is work factor: how much work
to break system. public keys used only for signatures; actual encryption
uses "normal" crypto. 40 bits == 2^40 operations to get a key. First:
two different points of view: security officer: every message must be
secure, even against strong opponent. intelligence agency wants to read
every message. 30, 60, 90, 120. 2^30 == one billion. any pc can recover
any key. billion billion == des. very clear that can do it, not easy,
however. 90 bits billion billion billion. won't be do-able in lifetime
of business personal data. 120 bits can't be do-able in forseeable future.

but, point of view of an intercept organization; meet in the middle? won't
satisfy either party's interest. 40 bit can be exported. last year, demonstrated
that can break 40 bit keys. Takes on order of few weeks to a month of Sun
workstations. intercept device spends most of its time deciding whether to
record data. has a fraction of a second to look at a message, 40 bits too
large for intercept on that basis.

eric thompson. access data. cryptanalysis -- break codes, build hardware
to aid in this. specialize in defining parts and pieces to break e.g., rc40
amd2905 chips on a board breaks in $8,400 engineering cost. Sell under $20,000.
little company, not well-funded government agency.

des fpga about $1M/7 days per key. off the shelf design using 5 year old chips.
what's realistic to expect the nsa, fbi can do?

bruce schneier: foreign crypto. is it any good? yes. more done outside usa
than inside. many countries asia, europe, pacific have strong groups. algorithm
conferences: 90% of papers from outside usa. hard to get funding in usa.
more academic research overseas. products with more options. here, products
are hamstrung by baggage: key length, escrow. other countries can write without
restrictions. best products from former yugoslavian folk working in swedish
university.  usa corp's cant compete: no talent, government restrictions. losing
our share of research, developement, products. as internet becomes ubiquitious,
we lose market share. restrictions won't stop, will only hurt us.

tom parenty; worked for NSA: "in God we trust, the rest we monitor."
key escrow ineffective. can today buy over 500 products from 60 countries.
no usa monopoly. www.cypto.com home page; list of pointers for our favorite
foreign crypto products (for some value of "our" and some value of "favorite.")
crypto controls don't keep crypto out of child pronographer hands. keeps out
of hands of legitimate individuals and corporations. criminal, terrorist, can
layer foreign crypto on anything usa gov't does. will give protection.

moral equiv of wiretaps? no! criminals: criminals talk to criminals, criminals
talk to rest of world. crim to crim: use strong crypto. crim to airline,
car rental, hotel: can go to airline etc. and subpeona their records:
crypto buys nothing for wiretap.

solve crimes, prevent crimes? would key escrow prevent oklahoma bombing?
but without strong crypto, foreigner working outside usa can take plane down,
grab medical records. etc., by hacking insecure networks.

matt blaze: key escrow. ignore politics; doesn't make technical sense.
fundamental flaws software engineering can't technically solve in a
sensible way. first: enormous increase of engineering complexity.
difficult to design even simply secure (alice, bob, eve + detective
dorothy) system engineering. key escrow makes this even more difficult.
engineering problem is too complex. classified world not far ahead of
unclassified: blaze discovered protocol failure in clipper chip design --
can circumvent escrow field, can forge messages. reason failures occur
not because nsa incompetent, but because problem is extremely difficult.

second fundamental problem: operating key escrow center economically and
technically difficult. 24/7/365, 2 hour response to law enforcement request.

key escrow doesn't distinguish between comm key, data storage keys, and
signature keys. releasing latter may be devistating.

---
diffie: if you collect data; it will be used (census data used to round
up Japanese in California, Jews in Germany, Holland, Denmark).

schneier: data harvesting: insurance company wants to know who filled
perscription for AZT. crpyto prevents against non-invasive attack; not
against fbi entering house to install bugs.

diffie: crypto requirements of bad people: terrorists need tight-knit,
unified in purpose. tools to secure communication are readily available
"closed crypto." ordinary folk need open crypto; delayed by government
restrictions.

---
legal issues:

ken bass: counsel for telecom policy:
national security? non-escrowed strong encryption? balance? costs? what are
they, what do we lose? escrow born by nsa mission. didn't hear law enforcement
concerns initially; now nsa stands behind shield of fbi. nsa/fbi has created
arms race among cryptographers. most people would have been happy with des,
which nsa can probably break, but not others. nsa discovered it was doing
itself great damage by pursuing export controls: but biggest danger to
nsa is explosion of protocols, routings, etc. nsa wants to read everything
to see what it wants to look at. fbi, however, knows what it wants to see.
nsa knows that crypto puts it out of business. nsa needs to preserve
fiction of crypto (i.e, that they can read, but you think they can't).
fbi wants to preserve status quo. law enforcement can't undertake survelience
until it knows who the target is. don't need crypto to find crooks. needed
only after you know who the crooks are. fbi foolish to try to convince us
that crypto (escrow) is golden bullet of law enforcement. why does fbi
need to have crypto to monitor people for whom they already have probable
cause (that they need in order to get warrant to wiretap).

jim lucire: americans for tax reform. IRS doesn't follow constitutional
protections.

barry steinhardt (ACLU). law enforcement concerned to preserve its
wiretap capability. wiretap happy administration. set records for number
of wiretaps (both in criminal and national security). law requiring wiretap
capability in telecom infrastructure. additional crimes where wiretap
allowed. Janet Reno: four challenges  -- threat that encryption poses to
law enforcement; ability to search for stored information. wiretapping.
why does aclu find it so odious. fourth amendement "particularized
suspicion" -- government must have a reason to search you. wiretapping
is a "generalized search." in 1970's, 50% of wiretaps produced useful
information. now 17% reveal useful info. warrant to search 100 homes to
find criminal info in 17 homes? ability to continue wiretapping is in
question. what is cost to individuals who are wiretapped?

cindy cohn, lawyer: export problems with ITAR: scientists lose. bernstein
case (can export crypto research): export rules squelch discussion and
reseach: first amendment; right of people to talk about science, art,
literature; not just politics. broadness: IATR is overlly broad. defines
export to prevent publication. prevents export to "ordinary" people, but
only intended to prevent export to terrorist. procedural problems: no
hard boundaries.

barbara simons (acm) -- copyright? net community suprised when CDA
was passed. major voices heard are those of lobbiests; not technology
focus; focussed only on their lobby-needs. monitor net? only to
preserve copyright. goals will work only if you shut down the net.
copyright legislation makes illegal to manufacture device to violate
copyright (camera? vcr?)

john gilmore (eff): can we trust the courts? won't be won on a single
front: need to keep pressure up. "for purposes of first amendment
analysis, court finds that source code is speech." will go to supreme
court. need help from legislature. want to bring light into export
control process. want to have clear rules so you can read rules, build
product and export it.

michael froomkin (law school, univ of miami): legal status of privacy?
can't count on courts. don't take wait and see attitude. wiretap still
has some value. Legal status of no export has been successful: no strong
crypto in w/95.

ken bass question: froomkin: crypto is a constitutional right (200 pages).
very few nsa cases; mostly 4th amendment ('drug exception to constituion).
korn case, bernstein case. briefs in cases required reading for congress
(first amendment). crypto useful to protect free speech (Phil Zimmerman
talked about human rights people in Burma who use PGP to protect their
messages from government.)

[representative zoe lofgren (Dem CA) -- someone proposed 4th amendment
in congressional debate amending criminal law. Defeated on party lines.]

implication for information sharing between cia/fbi/nsa with foreign
intelligence agency? guatamala tragedy example of problem.

the dumb criminal theory? blow up buildings with trucks they rent in
their own names.

--- With apologies for incoherence, errors, and incompleteness ---

Martin Minow
minow@apple.com