Page 249

7 Policy Options for the Future

Current national cryptography policy defines only one point in the space of possible policy options. A major difficulty in the public debate over cryptography policy has been incomplete explanation of why the government has rejected certain policy options. Chapter 7 explores a number of possible alternatives to current national cryptography policy, selected by the committee either because they address an important dimension of national cryptography policy or because they have been raised by a particular set of stakeholders. Although in the committee's judgment these alternatives deserve analysis, it does not follow that they necessarily deserve consideration for adoption. The committee's judgments about appropriate policy options are discussed in Chapter 8.

7.1 EXPORT CONTROL OPTIONS FOR CRYPTOGRAPHY

7.1.1 Dimensions of Choice for Controlling the Export of Cryptography

An export control regime—a set of laws and regulations governing what may or may not be exported under any specified set of circumstances—has many dimensions that can be considered independently. These dimensions include:

• The type of export license granted. Three types of export licenses are available:

—A general license, under which export of an item does not in gen-



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 249
Page 249 7 Policy Options for the Future Current national cryptography policy defines only one point in the space of possible policy options. A major difficulty in the public debate over cryptography policy has been incomplete explanation of why the government has rejected certain policy options. Chapter 7 explores a number of possible alternatives to current national cryptography policy, selected by the committee either because they address an important dimension of national cryptography policy or because they have been raised by a particular set of stakeholders. Although in the committee's judgment these alternatives deserve analysis, it does not follow that they necessarily deserve consideration for adoption. The committee's judgments about appropriate policy options are discussed in Chapter 8. 7.1 EXPORT CONTROL OPTIONS FOR CRYPTOGRAPHY 7.1.1 Dimensions of Choice for Controlling the Export of Cryptography An export control regime—a set of laws and regulations governing what may or may not be exported under any specified set of circumstances—has many dimensions that can be considered independently. These dimensions include: • The type of export license granted. Three types of export licenses are available: —A general license, under which export of an item does not in gen-

OCR for page 249
Page 250 eral require prior government approval but nonetheless is tracked under an export declaration; —A special license, under which prior government approval is required but which allows multiple and continuing transactions under one license validation; and —An individual license, under which prior government approval is required for each and every transaction. As a general rule, only individual licenses are granted for the export of items on the U.S. Munitions List, which includes ''strong" cryptography.1 • The strength of a product's cryptographic capabilities. Current policy recognizes the difference between RC2/RC4 algorithms using 40-bit keys and other types of cryptography, and places fewer and less severe restrictions on the former. • The default encryption settings on the delivered product. Encryption can be tacitly discouraged, but not forbidden, by the use of appropriate settings.2 • The type of product. Many different types of products can incorporate encryption capabilities. Products can be distinguished by medium (e.g., hardware vs. software) and/or intended function (e.g., computer vs. communications). • The extent and nature of features that allow exceptional access. The Administration has suggested that it would permit the export of encryption software with key lengths of 64 bits or less if the keys were "properly escrowed."3 Thus, inclusion in a product of a feature for exceptional access could be made one condition for allowing the export of that product. In addition, the existence of specific institutional arrangements (e.g., which specific parties would hold the information needed to implement exceptional access) might be made a condition for the export of these products. • The ultimate destination or intended use of the delivered product. U.S. 1 However, as noted in Chapter 4, the current export control regime for cryptography involves a number of categorical exemptions as well as some uncodified "in-practice" exemptions. 2 Software, and even software-driven devices, commonly have operational parameters that can be selected or set by a user. An example is the fax machine that allows many user choices to be selected by keyboard actions. The parameters chosen by a manufacturer before it ships a product are referred to as the "defaults" or "default condition." Users are generally able to alter such parameters at will. 3 At the time of this writing, the precise definition of "properly escrowed" is under debate and review in the Administration. The most recent language on this definition as of December 1995 is provided in Chapter 5.

OCR for page 249
Page 251 export controls have long distinguished between exports to "friendly" and "hostile" nations. In addition, licenses have been granted for the sale of certain controlled products only when a particular benign use (e.g., financial transactions) could be certified. A related consideration is the extent to which nations cooperate with respect to re-export of a controlled product and/or export of their own products. For example, CoCom member nations4 in principle agreed to joint controls on the export of certain products to the Eastern bloc; as a result, certain products could be exported to CoCom member nations much more easily than to other nations. At present, there are few clear guidelines that enable vendors to design a product that will have a high degree of assurance of being exportable (Chapters 4 and 6). Table 7.1 describes various mechanisms that might be used to manage the export of products with encryption capabilities. This remainder of Section 7.1 describes a number of options for controlling the export of cryptography, ranging from the sweeping to the detailed. 7.1.2 Complete Elimination of Export Controls on Cryptography The complete elimination of export controls (both the USML and the Commerce Control List controls) on cryptography is a proposal that goes beyond most made to date, although certainly such a position has advocates. If export controls on cryptography were completely eliminated, it is possible that within a short time most information technology products exported from the United States would have encryption capabilities. It would be difficult for the U.S. government to influence the capabilities of these products, or even to monitor their deployment and use worldwide, because numerous vendors would most probably be involved. Note, however, that the simple elimination of U.S. export controls on cryptography does not address the fact that other nations may have import controls and/or restrictions on the use of cryptography internally. Furthermore, it takes time to incorporate products into existing infrastructures, and slow market growth may encourage some vendors to take their time in developing new products. Thus, simply eliminating U.S. export controls on cryptography would not ensure markets abroad for U.S. products with encryption capabilities; indeed, the elimination of U.S. 4 CoCom refers to the Coordinating Committee, a group of Western nations (and Japan) that agreed to a common set of export control practices during the Cold War to control the export of militarily useful technologies to Eastern bloc nations. CoCom was disbanded in March 1994, and a successor regime known as the New Forum is being negotiated as this report is being written.

OCR for page 249
Page 252 TABLE 7.1 Mechanisms of Export Management Type Description When Appropriate Total embargo All or most exports of cryptography to target country prohibited (this would be more restrictive than today's regime). Hypothetical example: no products with encryption capabilities can be exported to Vietnam, Libya, Iraq, Iran. Appropriate during wartime or other acute national emergency or when imposed pursuant to United Nations or other broad international effort. Selective export prohibitions Certain products with encryption capabilities barred for export to target country. Hypothetical example: nothing cryptographically stronger than40-bit RC4 can be exported to South Africa. Appropriate when supplier countries agree on items for denial and cooperate on restrictions. Selective activity prohibitions Exports of cryptography for use in particular activities in target country prohibited. Hypothetical example: PGP allowed for export to pro- democracy groups in People's Republic of China but not for government use. Appropriate when supplier countries identify proscribed operations and agree to cooperate on restrictions. Transactional licensing Products with encryption capabilities require government agency licensing for export to a particular country or country group. Hypothetical example: State Department individual validated license for a DES encryption product. Licensing actions may be conditioned on end-use verification or postexport verification. Appropriate when product is inherently sensitive for export to any destination, or when items have both acceptable and undesired potential applications. Also requires an effective multilateral control regime

OCR for page 249
Page 253 Bulk licensing Exporter obtains government authority to export categories of products with encryption capabilities to particular consignees for a specified time period. Hypothetical examples: Commerce Department distribution license, ITAR foreign manufacturing license. Note that categories can be determined with considerable freedom. Enforcement may rely on after-the-fact audits. Same as preceding circumstances, but when specific transaction facts are not critical to effective export control. Preexport notification Exporter must prenotify shipment; government agency may prohibit, impose conditions, or exercise persuasion. Hypothetical example: requirement imposed on vendors of products with encryption capabilities to notify the U.S. government prior to shipping product overseas. Generally regarded as an inappropriate export control measure because exporter cannot accept last-minute uncertainty. Conditions on general authority or right to export Exporter not required to obtain government agency license but must meet regulatory conditions that preclude high-risk exports. (In general, 40-bit RC2/RC4 encryption falls into this category once the Commodity Jurisdiction procedure has determined that a particular product with encryption capabilities may be governed by the CCL. Hypothetical example: Commerce Department general licenses. Appropriate when risk of diversion or undesired use is low. Postexport recordkeeping While no license may be necessary, exporter must keep records of particulars of exports for specified period and submit or make available to government agency. Hypothetical example: vendor is required to keep records of foreign sales of 40-bit RC2/RC4 encryption products under a Shippers Export Declaration. Appropriate when it is possible to monitor exports of weak cryptography for possible diversion. SOURCE: Adapted from National Research Council, Finding Common Ground: U.S. Export Controls in a Changed Global Environment, National Academy Press, Washington, D.C., 1990, p. 109.

OCR for page 249
Page 254 export controls could in itself stimulate foreign nations to impose import controls more stringently. Appendix G contains more discussion of these issues. The worldwide removal of all controls on the export, import, and use of products with encryption capabilities would likely result in greater standardization of encryption techniques. Standardization brought about in this manner would result in: • Higher degrees of international interoperability of these products; • Broader use, or at least more rapid spread, of encryption capabilities as the result of the strong distribution capabilities of U.S. firms; • Higher levels of confidentiality, as a result of greater ease in adopting more powerful algorithms and longer keys as standards; and • Greater use of cryptography by hostile, criminal, and unfriendly parties as they, too, begin to use commercial products with strong encryption capabilities. On the other hand, rapid, large-scale standardization would be unlikely unless a few integrated software products with encryption capabilities were able to achieve worldwide usage very quickly. Consider, for example, that although there are no restrictions on domestic use of cryptography in the United States, interoperability is still difficult, in many cases owing to variability in the systems in which the cryptography is embedded.  Likewise, many algorithms stronger than DES are well known, and there are no restrictions in place on the domestic use of such algorithms, and yet only DES even remotely approaches common usage (and not all DES-based applications are interoperable). For reasons well articulated by the national security and law enforcement communities (see Chapter 3) and accepted by the committee, the complete elimination of export controls on products with encryption capabilities does not seem reasonable in the short term. Whether export controls will remain feasible and efficacious in the long term has yet to be seen, although clearly, maintaining even their current level of effectiveness will become increasingly difficult. 7.1.3 Transfer of All Cryptography Products to the Commerce Control List As discussed in Chapter 4, the Commerce Control List (CCL) complements the U.S. Munitions List (USML) in controlling the export of cryptography. (Box 4.2 in Chapter 4 describes the primary difference between the USML and the CCL.) In 1994, Representative Maria Cantwell (D-Washington) introduced legislation to transfer all mass-market software products involving cryptographic functions to the CCL. Although this

OCR for page 249
Page 255 legislation never passed, it resulted in the promise and subsequent delivery of an executive branch report on the international market for computer software with encryption.5 The Cantwell bill was strongly supported by the software industry because of the liberal consideration afforded products controlled for export by the CCL. Many of the bill's advocates believed that a transfer of jurisdiction to the Commerce Department would reflect an explicit recognition of cryptography as a commercial technology that should be administered under a dual-use export control regime. Compared to the USML, they argued that the CCL is a more balanced regime that still has considerable effectiveness in limiting exports to target destinations and end users. On the other hand, national security officials regard the broad authorities of the Arms Export Control Act (AECA) as essential to the effective control of encryption exports. The AECA provides authority for case-by-case regulation of exports of cryptography to all destinations, based on national security considerations. In particular, licensing decisions are not governed by factors such as the country of destination, end users, end uses, or the existence of bilateral or multilateral agreements that often limit the range of discretionary action possible in controlling exports pursuant to the Export Administration Act. Further, the national security provisions of the AECA provide a basis for classifying the specific rationale for any particular export licensing decision made under its authority, thus protecting what may be very sensitive information about the particular circumstances surrounding that decision. Although sympathetic to the Cantwell bill's underlying rationale, the committee believes that the bill does not address the basic dilemma of cryptography policy. As acknowledged by some of the bill's supporters, transfer of a product's jurisdiction to the CCL does not mean automatic decontrol of the product, and national security authorities could still have considerable input into how exports are actually licensed. In general, the committee believes that the idea of split jurisdiction, in which some types of cryptography are controlled under the CCL and others under the USML, makes considerable sense given the various national security implications of widespread use of encryption. However, where the split should be made is a matter of discussion; the committee expresses its own judgments on this point in Chapter 8. 5 Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, prepared for the Interagency Working Group on Encryption and Telecommunications Policy, Office of the Secretary of Commerce, released January 11, 1996.

OCR for page 249
Page 256 7.1.4 End-use Certification Explicitly exempted under the current International Traffic in Arms Regulations (ITAR) is the export of cryptography for ensuring the confidentiality of financial transactions, specifically for cryptographic equipment and software that are "specially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions."6 In addition, according to senior National Security Agency (NSA) officials, cryptographic systems, equipment, and software are in general freely exportable for use by U.S.-controlled foreign companies and to banking and financial institutions for purposes other than financial transactions, although NSA regards these approvals as part of the case-by-case review associated with equipment and products that do not enjoy an explicit exemption in the ITAR. In principle, the ITAR could explicitly exempt products with encryption capabilities for use by foreign subsidiaries of U.S. companies, foreign companies that are U.S.-controlled, and banking and financial institutions. Explicit "vertical" exemptions for these categories could do much to alleviate confusion among users, many of whom are currently uncertain about what cryptographic protection they may be able to use in their international communications, and could enable vendors to make better informed judgments about the size of a given market. Specific vertical exemptions could also be made for different industries (e.g., health care or manufacturing) and perhaps for large foreignowned companies that would be both the largest potential customers and the parties most likely to be responsible corporate citizens. Inhibiting the diversion to other uses of products with encryption capabilities sold to these companies could be the focus of explicit contractual language binding the recipient to abide by certain terms that would be required of any vendor as a condition of sale to a foreign company, as it is today under USML procedures under the ITAR. Enforcement of end-use restrictions is discussed in Chapter 4. 7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations The United States could give liberal export consideration to products with encryption capabilities intended for sale to recipients in a select set of nations;7 exports to nations outside this set would be restricted. Na- 6 International Traffic in Arms Regulations, Section 121.1, Category XIII (b)(1)(ii). 7 For example, products with encryption capabilities can be exported freely to Canada without the need of a USML export license if intended for domestic Canadian use.

OCR for page 249
Page 257 tions in the select set would be expected to have a more or less uniform set of regulations to control the export of cryptography, resulting in a more level playing field for U.S. vendors. In addition, agreements would be needed to control the re-export of products with encryption capabilities outside this set of nations. Nation-by-nation relaxation of controls is consistent with the fact that different countries generally receive different treatment under the U.S. export control regime for military hardware. For example, exports of U.S. military hardware have been forbidden to some countries because they were terrorist nations, and to others because they failed to sign the nuclear nonproliferation treaty. A harmonization of export control regimes for cryptography would more closely resemble the former CoCom approach to control dual-use items than the approach reflected in the unilateral controls on exports imposed by the USML. From the standpoint of U.S. national security and foreign policy, a serious problem with harmonization is the fact that the relationship between the United States and almost all other nations has elements of both competition and cooperation that may change over time. The widespread use of U.S. products with strong encryption capabilities under some circumstances could compromise U.S. positions with respect to these competitive elements, although many of these nations are unlikely to use U.S. products with encryption capabilities for their most sensitive communications. Finally, as is true for other proposals to liberalize U.S. export controls on cryptography, greater liberalization may well cause some other nations to impose import controls where they do not otherwise exist. Such an outcome would shift the onus for impeding vendor interests away from the U.S. government; however, depending on the nature of the resulting import controls, U.S. vendors of information technology products with encryption capabilities might be faced with the need to conform to a multiplicity of import control regimes established by different nations. 7.1.6 Liberal Export for Strong Cryptography with Weak Defaults An export control regime could grant liberal export consideration to products with encryption capabilities designed in such a way that the defaults for usage result in weak or nonexistent encryption (Box 7.1), but also so that users could invoke options for stronger encryption through an affirmative action. For example, such a product might be a telephone designed for endto-end security. The default mode of operation could be set in two different ways. One way would be for the telephone to establish a secure connection if the called party has a comparable unit. The second way

OCR for page 249
Page 258 BOX 7.1 Possible Examples of Weak Encryption Defaults • The product does not specify a minimum password length. Many users will generate short, and thus poor or weak, passwords. • The product does not perform link encryption automatically. The user on either side of the communication link must select an option explicitly to encrypt the communications before encryption happens. • The product requires user key generation rather than simple passwords and retains a user key or generates a record of one. Users might well accidentally compromise it and make it available, even if they had the option to delete it. • The product generates a key and instructs the user to register it. • E-mail encryption is not automatic. The sender must explicitly select an encryption option to encrypt messages. would be for the telephone always to establish an insecure connection; establishing a secure connection would require an explicit action by the user. All experience suggests that the second way would result in far fewer secure calls than the first way.8 An export policy favoring the export of encryption products with weak defaults benefits the information-gathering needs of law enforcement and signals intelligence efforts because of user psychology. Many people, criminals and foreign government workers included, often make mistakes by using products "out of the box" without any particular attempt to configure them properly. Such a policy could also take advantage of the distribution mechanisms of the U.S. software industry to spread weaker defaults. Experience to date suggests that good implementations of cryptography for confidentiality are transparent and automatic and thus do not require positive user action. Such implementations are likely to be chosen by organizations that are most concerned about confidentiality and that have a staff dedicated to ensuring confidentiality (e.g., by resetting weak vendor-supplied defaults). End users that obtain their products with encryption capabilities on the retail store market are the most likely to be affected by this proposal, but such users constitute a relatively small part of the overall market. 8 Of course, other techniques can be used to further discourage the use of secure modes. For example, the telephone could be designed to force the user to wait several seconds for establishment of the secure mode.

OCR for page 249
Page 259 7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces A cryptographic applications programming interface (CAPI; see Appendix K) is a well-defined boundary between a baseline product (such as an operating system, a database management program, or a word processing program) and a cryptography module that provides a secure set of cryptographic services such as authentication, digital signature generation, random number generation, and stream or block mode encryption. The use of a CAPI allows vendors to support cryptographic functions in their products without actually providing them at distribution. Even though such products have no cryptographic functionality per se and are therefore not specifically included in Category XIII of the ITAR (see Appendix N), license applications for the export of products incorporating CAPIs have in general been denied. The reason is that strong cryptographic capabilities could be deployed on a vast scale if U.S. vendors exported applications supporting a common CAPI and a foreign vendor then marketed an add-in module with strong encryption capabilities.9 To meet the goals of less restrictive export controls, liberal export consideration could be given to products that incorporate a CAPI designed so that only "certified" cryptographic modules could be incorporated into and used by the application. That is, the application with the CAPI would have to ensure that the CAPI would work only with certified cryptographic modules. This could be accomplished by incorporating into the application a check for a digital signature whose presence would indicate that the add-on cryptographic module was indeed certified; if and only if such a signature were detected by the CAPI would the product allow use of the module. One instantiation of a CAPI is the CAPI built into applications that use the Fortezza card (discussed in Chapter 5). CAPI software for Fortezza is available for a variety of operating systems and PC-card reader types; such software incorporates a check to ensure that the device being used is itself a Fortezza card. The Fortezza card contains a private Digital Signature Standard (DSS) key that can be used to sign a challenge from the workstation. The corresponding DSS public key is made available in the 9 This discussion refers only to "documented" or "open" CAPIs, i.e., CAPIs that are accessible to the end user. Another kind of CAPI is "undocumented" and "closed"; that is, it is inaccessible to the end user, though it is used by system developers for their own convenience. While a history of export licensing decisions and practices supports the conclusion that most products implementing "open'' CAPIs will not receive export licenses, history provides no consistent guidance with respect to products implementing CAPIs that are inaccessible to the end user.

OCR for page 249
Page 282 BOX 7.5 Two Primary Rate and Service Models for Telecommunications Today Regulated Common Carrier Telephony Services Regulated common carrier telephony services are usually associated with voice telephony, including fax and low-speed modem data communications. If a "common carrier" provision applies to a given service provider, the provider must provide service to anyone who asks at a rate that is determined by a public utilities commission. Common carriers often own their own transport facilities (e.g., fiber-optic cables, telephone wires, and so on), and thus the service provider exerts considerable control over the routing of a particular communication. Pricing of service for the end user is often determined on the basis of actual usage. The carrier also provides value-added services (e.g., call waiting) to enhance the value of the basic service to the customer. Administratively, the carrier is usually highly centralized. Bulk Data Transport Bulk services are usually associated with data transport (e.g., data sent from one computer to another) or with "private" telephony (e.g., a privately owned or operated branch exchange for telephone service within a company). Pricing for bulk services is usually a matter of negotiation between provider and customer and may be based on statistical usage, actual usage, reliability of transport, regional coverage, or other considerations. Policy for use is set by the party that pays for the bulk service, and thus, taken over the multitude of organizations that use bulk services, is administratively decentralized. In general, the customer provides value-added services. Routing paths are often not known in advance, but instead may be determined dynamically. • Demand for secure telephone communications, at least domestically, is relatively small, if only because most users consider today's telephone system to be relatively secure. A similar perception of Internet security does not obtain today, and thus the demand for highly secure data communications is likely to be relatively greater and should not be the subject of government interference. Under the JASON proposal, attempts to influence the inclusion of escrow features could affect only the hardware devices that characterize telephony today (e.g., a dedicated fax device, an ordinary telephone). In general, these devices do now allow user programming or additions and, in particular, lack the capability enabling the user to provide encryption easily. The JASON study also recognized that technical trends in telecommunications are such that telephony will be increasingly indistinguish-

OCR for page 249
Page 283 able from data communications. One reason is that communications are becoming increasingly digital. A bit is a bit, whether it was originally part of a voice communication or part of a data communication, and the purpose of a communications infrastructure is to transport bits from Point A to Point B, regardless of the underlying information content; reconstituting the transported bits into their original form will be a task left to the parties at Point A and Point B. Increasingly, digitized signals for voice, data, images, and video will be transported in similar ways over the same network facilities, and often they will be combined into single multiplexed streams of bits as they are carried along.35 For example, a voice-generated analog sound wave that enters a telephone may be transmitted to a central switching office, at which point it generally is converted into a digital bit stream and merged with other digital traffic that may originally have been voices, television signals, and high-speed streams of data from a computer. The network transports all of this traffic across the country by a fiber-optic cable and converts the bits representing voice back into an analog signal only when it reaches the switching office that serves the telephone of the called party. To a contemporary user of the telephone, the conversation proceeds just as it might have done 30 years ago (although probably with greater fidelity), but the technology used to handle the call is entirely different. Alternatively, a computer connected to a data network can be converted into the functional equivalent of a telephone.36 Some on-line service providers will be offering voice communications capability in the near future, and the Internet itself can be used today to transport realtime voice and even video communications, albeit with relatively low fidelity and reliability but also at very low cost.37 Before these modalities 35 Note, however, that the difficulty of searching for a given piece of information does depend on whether it is voice or text. It is quite straightforward to search a given digital stream for a sequence of bits that represents a particular word as text, but quite difficult to search a digital stream for a sequence of bits that represents that particular word as voice. 36 For example, an IBM catalogue offers for general purchase a "DSP Modem and Audio Card" with "Telephony Enhancement" that provides a full-duplex speaker telephone for $254. The card is advertised as being able to make the purchaser's PC into "a telephone communications center with telephone voice mail, caller ID, and full duplex speakerphone capability (for true simultaneous, two-way communications)." See The IBMPC Direct Source Book, Fall 1994, p. 43. An article in the Hewlett-Packard Journal describes the ease with which a telephone option card was developed for a workstation; see S. Paul Tucker, "HP TeleShare: Integrating Telephone Capabilities on a Computer Workstation," Hewlett-Packard Journal, April 1995, pp. 69-74. 37 In January 1996, it was estimated that approximately 20,000 people worldwide are users of Internet telephone service. See Mike Mills, "It's the Net's Best Thing to Being There," Washington Post, January 23, 1996, p. C1.

OCR for page 249
Page 284 become acceptable for mainstream purposes, the Internet (or its successor) will have to implement on a wide scale new protocols and switching services to eliminate current constraints that involve time delays and bandwidth limitations. A second influence that will blur the distinction between voice and data is that the owners of the devices and lines that transport bits today are typically the common carriers—firms originally formed to carry long-distance telephone calls and today subject to all of the legal requirements imposed on common carriers (see Box 7.5). But these firms sell transport capacity to parties connecting data networks, and much of today's bulk data traffic is carried over communications links that are owned by the common carriers. The Telecommunications Reform Act of 1996 will further blur the lines among service providers. The lack of a technical boundary between telephony and data communications results from the way today's networks are constructed. Networks are built on a protocol "stack" that embodies protocols at different layers of abstraction. At the very bottom are the protocols for the physical layer that define the voltages and other physical parameters that represent ones and zeros. On top of the physical layer are other protocols that provide higher-level services by making use of the physical layer. Because the bulk of network traffic is carried over a physical infrastructure designed for voice communications (i.e., the public switched telecommunications network), interactions at the physical layer can be quite naturally regarded as being in the domain of "voice." But interactions at higher layers in the stack are more commonly associated with "data." Acknowledging these difficulties, the JASON study concluded that limiting efforts to promote escrowed encryption products to those associated with voice communications had two important virtues. First, it would help to preserve law enforcement needs for access to a communications mode—namely telephony—that is widely regarded as important to law enforcement. Second, it would avoid premature government regulation in the data services area (an area that is less important historically to criminal investigation and prosecution than is telephony), thus avoiding the damage that could be done to a strong and rapidly evolving U.S. information technology industry. It would take—several years to a decade—for the technical "loopholes" described above to become significant, thus giving law enforcement time to adapt to a new technical reality. 7.2.6 A Centralized Decryption Facility for Government Exceptional Access Proposed procedures to implement the retrieval of keys escrowed under the Clipper initiative call for the escrowed key to be released by the

OCR for page 249
Page 285 escrow agencies to the requesting law enforcement authorities upon presentation of proper legal authorization, such as a court order. Critics have objected to this arrangement because it potentially compromises keys for all time—that is, once the key to a specific telephone has been divulged, it is in principle possible to eavesdrop forever on conversations using that telephone, despite the fact that court-ordered wiretaps must have a finite duration. To counter this criticism, Administration officials have designed a plan that calls for keys to be transmitted electronically to EES decryption devices in such a way that the decryption device will erase the key at the time specified in the court order. However, acceptance of this plan relies on assurances that the decryption device would indeed work in this manner. In addition, this proposal is relevant only to the final plan—the interim procedures specify manual key handling. Another way to counter the objection to potential long-lasting compromise of keys involves the use of a centralized government-operated decryption facility. Such a facility would receive EES-encrypted traffic forwarded by law enforcement authorities and accompanied by appropriate legal authorization. Keys would be made available by the escrow agents to the facility rather than to the law enforcement authorities themselves, and the plaintext would be returned to the requesting authorities. Thus, keys could never be kept in the hands of the requesting authorities, and concern about illicit retention of keys by law enforcement authorities could be reduced. Of course, concerns about retention by the decryption facility would remain, but since the number of decryption facilities would be small compared to the number of possible requesting law enforcement authorities, the problem would be more manageable. Since the decryption facilities would likely be under centralized control as well, it would be easier to promulgate and enforce policies intended to prevent abuse.38 38 The committee suspects that the likelihood of abusive exercise of wiretap authority is greater for parties that are farther removed from higher levels of government, although the consequences may well be more severe when parties closer to the top levels of government are involved. A single "bad apple" near the top of government can set a corrupt and abusive tone for an entire government, but at least "bad apples" tend to be politically accountable. By contrast, the number of parties tends to increase as those parties are farther and farther removed from the top, and the likelihood that at least some of these parties will be abusive seems higher. (Put differently, the committee believes that state/local authorities are more likely to be abusive in their exercise of wiretapping authority simply because they do the majority of the wiretaps. Note that while Title III calls for a report to be filed on every federal and state wiretap order, the majority of missing reports are mostly from state wiretap orders rather than federal orders. (See Administrative Office of the United States Courts, Wiretap Report, AOUSC, Washington, D.C., April 1995, Table 2.)

OCR for page 249
Page 286 One important aspect of this proposal is that the particular number of facilities constructed and the capacity of each could limit the number of simultaneous wiretaps possible at any given time. Such a constraint would force law enforcement authorities to exercise great care in choosing targets for interception, just as they must when they are faced with constraints on resources in prosecuting cases. A result could be greater public confidence that only wiretaps were being used only in important cases. On the other hand, a limit on the number of simultaneous wiretaps possible is also a potential disadvantage from the standpoint of the law enforcement official, who may not wish to make resource-driven choices about how and whom to prosecute or investigate. Making encryption keys directly available to law enforcement authorities allows them to conduct wiretaps unconstrained by financial and personnel limitations. A centralized decryption facility would also present problems of its own. For example, many people would regard it as more threatening to give a centralized entity the capability to acquire and decrypt all traffic than to have such capabilities distributed among local law enforcement agencies. In addition, centralizing all wiretaps and getting the communications out into the field in real time could require a complex infrastructure. The failure of a centralized facility would have more far-reaching effects than a local failure, crippling a much larger number of wiretaps at once. 7.3 LOOMING ISSUES Two looming issues have direct significance for national cryptography policy: determining the level of encryption needed to protect against high-quality attacks, and organizing the U.S. government for a society that will need better information security. Appendix M describes two other issues that relate but are not central to the current debate over cryptography policy: digital cash and the use of cryptography to protect intellectual property. 7.3.1 The Adequacy of Various Levels of Encryption Against High-Quality Attack What level of encryption strength is needed to protect information against high-quality attack? For purposes of analysis, this discussion considers only perfect implementations of cryptography for confidentiality (i.e., implementations without hidden "trap doors," installed on secure operating systems, and so on). Thus, the only issue of significance for this discussion is the size of the key and the algorithm used to encrypt the original plaintext.

OCR for page 249
Page 287 Any cryptanalysis problem can be solved by brute force given enough computers and time; the question is whether it is possible to assemble enough computational resources to allow a brute-force cryptanalysis on a time scale and cost reasonable for practical purposes. As noted in Chapter 4, a message encoded with a 40-bit RC4 algorithm was recently broken in 8 days by a brute-force search through the use of a single workstation optimized for speed in graphics processing. Even so, such a key size is adequate for many purposes (e.g., credit card purchases). It is also sufficient to deny access to parties with few technical skills, or to those with access to limited computing resources. But if the data being protected is valuable (e.g., if it refers to critical proprietary information), 40-bit keys are inadequate from an information security perspective. The reason is that for logistical and administrative reasons, it does not make sense to require a user to decide what information is or is not critical—the simplest approach is to protect both critical and noncritical information alike at the level required for protecting critical information. If this approach is adopted, the user does not run the risk of inadequately protecting sensitive information. Furthermore, the compromise of a single piece of information can be catastrophic, and since it is generally impossible to know if a particular piece of information has been compromised, those with a high degree of concern for the confidentiality of information must be concerned about protecting all information at a level higher than the thresholds offered by the 8-day cryptanalysis time described above. From an interceptor's point of view, the cryptanalysis times provided by such demonstrations are quite daunting, because they refer to the time needed to cryptanalyze a single message. A specific encrypted message cryptanalyzed in this time may be useful when it is known with high probability to be useful; however, such times are highly burdensome when many messages must be collected and processed to yield one useful message. An eavesdropper could well have considerable difficulty in finding the ciphertext corresponding to critical information, but the information security manager cannot take the chance that a critical piece of information might be compromised anyway.39 A larger key size increases the difficulty of a brute-force search. For 39 In general, information security managers must develop a model of the threat and respond to that threat, rather than simply assuming the worst (for which the only possible response would be to do "everything"). However, in the case of encryption and in the absence of governmental controls on technology, strong encryption costs about the same as weak encryption. Under such circumstances, it makes no sense at all for the information security manager to choose weak encryption.

OCR for page 249
Page 288 symmetric algorithms, a 56-bit key entails a work factor that is 216 (65,536) times larger than that of a 40-bit key, and implies a search time of about 1,430 years to accomplish (assuming that the algorithm using that key would take about the same time to execute as the RC4 algorithm). Using more computers could decrease the time proportionally. (A discussion of key lengths for asymmetric algorithms is contained in Chapter 2.) Large speed-up factors for search time would be possible through the use of special-purpose hardware, which can be optimized to perform specific tasks. Estimates have been made regarding the amount of money and time needed to conduct an exhaustive key search against a message encrypted using the DES algorithm. Recent work by Wiener in 1993,40 Dally in 1994,41 and Diffie et al. in 199642 suggest the feasibility of using special-purpose processors costing a few million dollars working in parallel or in a distributed fashion to enable a brute-force solution of a single 56-bit DES cipher on a time scale of hours. When the costs of design, operation, and maintenance are included (and these costs are generally much larger than the cost of the hardware itself), the economic burden of building and using such a machine would be significant for most individuals and organizations. Criminal organizations would have to support an infrastructure for cracking DES through brute-force search clandestinely, to avoid being targeted and infiltrated by law enforcement officials. As a result, developing and sustaining such an infrastructure would be even more difficult for criminals attempting to take that approach. Such estimates suggest that brute-force attack against 56-bit algorithms such as DES would require the significant effort of a well-funded adversary with access to considerable resources. Such attacks would be far more likely from foreign intelligence services or organized criminal cartels with access to considerable resources and expertise, for whom the plaintext information sought would have considerable value, than from the casual snoop or hacker who is merely curious or nosy. Thus, for routine information of relatively low or moderate sensitivity or value, 56-bit protection probably suffices at this time. But for information of high value, especially information that would be valuable to 40 M.J. Wiener, "Efficient DES Key Search," TR-244, May 1994, School of Computer Science, Carleton University, Ottawa, Canada; presented at the Rump Session of Crypto '93. 41 William P. Dally, Professor of Electrical Engineering, Massachusetts Institute of Technology, private communication to the committee, September 1995. 42 Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists," January 1996. Available on-line at http://www.bsa.org.

OCR for page 249
Page 289 foreign intelligence services or major competitors, the adequacy in a decade of 56-bit encryption against a determined and rich attacker is open to question. 7.3.2 Organizing the U.S. Government for Better Information Security on a National Basis As noted in Chapter 6, no organization or entity within the federal government has the responsibility for promoting information security in the private sector or for coordinating information security efforts between government and nongovernment parties. NIST is responsible for setting Federal Information Processing Standards, and from time to time the private sector adopts these standards, but NIST has authority for information security only in unclassified government information systems. Given the growing importance of the private nongovernment sector technologically and the dependence of government on the private information infrastructure, security practices of the private information infrastructure may have a profound effect on government activities, both civilian and military. How can coordination be pursued? Coherent policy regarding information assurance, information security, and the operation of the information infrastructure itself is needed. Business interests and the private sector need to be represented at the policy-making table, and a forum for resolving policy issues is needed. And, since the details of implementation are often critical to the success of any given policy, policy implementation and policy formulation must go hand in hand. Information security functions that may call for coordinated national action vary in scale from large to small: • Assisting individual companies in key commercial sectors at their own request to secure their corporate information infrastructures by providing advice, techniques, and analysis that can be adopted at the judgment and discretion of the company involved. In some key sectors (e.g., banking and telecommunications), conduits and connections for such assistance already exist as the result of government regulation of firms in those sectors. At present, the U.S. government will provide advice regarding information security threats, vulnerabilities, and solutions only to government contractors (and federal agencies).43 • Educating users both inside and outside government about vari- 43 This responsibility belongs to the NSA, as specified in the NSA-NIST Memorandum of Understanding of March 24, 1989 (reprinted in Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., September 1994, and in Appendix N).

OCR for page 249
Page 290 ous aspects of better information security. For example, many product vendors and potential users are unaware of the fact that there are no legal barriers to the use of cryptography domestically. Outreach efforts could also help in publicizing the information security threat. • Certifying appropriate entities that perform some cryptographic service. For example, a public-key infrastructure for authentication requires trusted certification authorities (Appendix H). Validating the bona fides of these authorities (e.g., through a licensing procedure) will be an essential aspect of such an infrastructure. In the event that private escrow agents become part of an infrastructure for the wide use of cryptography, such agents will need to be approved or certified to give the public confidence in using them. • Setting de jure standards for information security. As noted above, the NIST charter prevents it from giving much weight to commercial or private sector needs in the formulation of Federal Information Processing Standards if those needs conflict with those of the federal government, even when such standards affect practice in the private sector. Standards of technology and of practice that guide the private sector should be based on private sector needs, both to promote ''best practices" for information security and to provide a legitimate defense in liability cases involving breaches of information security. How such functions should be implemented is another major question. The committee does not wish to suggest that the creation of a new organization is the only possible mechanism for performing these functions; some existing organization or entity could well be retooled to service these purposes. But it is clear that whatever entity assumes these functions must be highly insulated from political pressure (arguing for a high degree of independence from the executive branch), broadly representative (arguing for the involvement of individuals who have genuine policy-making authority drawn from a broad range of constituencies, not just government), and fully capable of hearing and evaluating classified arguments if necessary (arguing the need for security clearances).44 One proposal that has been discussed for assuming these responsibilities is based on the Federal Reserve Board. The Federal Reserve Board oversees the Federal Reserve System (FRS), the nation's central bank. The 44 As noted in the preface to this report, the committee concluded that the broad outlines of national cryptography policy can be argued on an unclassified basis. Nevertheless, it is a reality of decision making in the U.S. government on these matters that classified information may nevertheless be invoked in such discussions and uncleared participants asked to leave the room. To preclude this possibility, participating members should have the clearances necessary to engage as full participants in order to promote an effective interchange of views and perspectives.

OCR for page 249
Page 291 FRS is responsible for setting monetary policy (e.g., setting the discount rate), the supervision of banking organizations and open market operations, and providing services to financial institutions. The Board of Governors is the FRS's central coordinating body. Its seven members are appointed by the President of the United States and confirmed by the Senate for 14-year terms. These terms are staggered to insulate the governors from day-to-day political pressure. Its primary function is the formulation of monetary policy, but the Board of Governors also has supervisory and regulatory responsibilities over the activities of banking organizations and the Federal Reserve Banks. A second proposal has been made by the Cross-Industry Working Team (XIWT) of the Corporation for National Research Initiatives for the U.S. government to establish a new Joint Security Technology Policy Board as an independent agency of the government.45 Under this proposal, the board would be an authoritative agency and coordination body officially chartered by statute or executive order "responsible and answerable" for federal performance across all of its agencies, and for promotion of secure information technology environments for the public. In addition, the board would solicit input, analysis, and recommendations about security technology policy concerns from private sector groups and government agencies, represent these groups and agencies within the board, disseminate requests and inquiries and information back to these groups and agencies, review draft legislation in cognizant areas and make recommendations about the legislation, and represent the U.S. government in international forums and other activities in the domain of international security technology policy. The board would be chaired by the Vice President of the United States and would include an equal number of members appointed from the private sector and the federal government. A third proposal, perhaps more in keeping with the objective of minimal government, could be to utilize existing agencies and organizational structures. The key element of the proposal would be to create an explicit function in the government, that of domestic information security. Because information policy intersects with the interests and responsibilities of several agencies and cabinet departments, the policy role should arguably reside in the Executive Office of the President. Placing the policy function there would also give it the importance and visibility it requires. It might also be desirable to give specific responsibility for the initiation and coordination of policy to a Counselor to the President for Domestic Informa- 45 Cross-Industry Working Team, A Process for Information Security Technology: An XIWT Report on Industry-Government Cooperation for Effective Public Policy, March 1995. Available from Corporation for National Research Initiatives, Reston, Va., or on-line at http:// www.cnri.reston.va.us.

OCR for page 249
Page 292 tion Security (DIS). This individual could chair an interagency committee consisting of agencies and departments with a direct interest in and responsibilities for information security matters, including the operating agency, economic policy agencies (Departments of Treasury and Commerce), law enforcement agencies (FBI; Drug Enforcement Administration; Bureau of Alcohol, Tobaccco, and Firearms), and international affairs and intelligence agencies (Departments of State and Defense, CIA). Operationally, a single agency could have responsibility for standards setting, certification of escrow agents, approval of certificate holders for authentication purposes, public education on information security, definition of "best practices," management of cryptography on the Commerce Control List, and so on. The operating agency could be one with an economic policy orientation, such as the Department of Commerce. An alternative point of responsibility might be the Treasury Department, although its law enforcement responsibilities could detract from the objective of raising the economic policy profile of the information security function. The public advisory committee, which is an essential element of this structure, could be made up of representatives of the computing, telecommunications, and banking industries, as well as "public" members from academia, law, and so on. This committee could be organized along the lines of the President's Foreign Intelligence Advisory Board and could report to the Counselor for DIS. 7.4 RECAP This chapter describes a number of possible policy options but does not attempt to pull together how these options might fit together in a coherent policy framework. That is the function of Chapter 8.