Subject: RISKS DIGEST 13.61 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 1 July 1992 Volume 13 : Issue 61 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Houston Chronicle Crypto Article (Joe Abernathy) [in RISKS-13.60] The NSA Papers (Joe Abernathy) [in RISKS-13.61] The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. If you cannot read RISKS on-line, try FAX! For info, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 24 Jun 92 18:10:02 CDT From: Joe.Abernathy@houston.chron.com (Joe Abernathy) Subject: The NSA Papers The following is the written response to my request for an interview with the NSA. To the best of my knowledge, and according to their claims, it is the government's first complete answer to the many questions and allegations that have been made in regards to the matter of cryptography. I would like to invite reaction from any qualified readers who care to address any of the issues raised herein. Please mail to edtjda@chron.com (713) 220-6845. NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE Serial: Q43-11-92 9 10 June 1992 Mr. Joe Abernathy Houston Chronicle P.O. Box 4260 Houston, TX 77210 Dear Mr. Abernathy: Thank you for your inquiry of 3 June 1992 on the subject of cryptography. Attached please find answers to the questions that you provided our Agency. If any further assistance is needed, please feel free to contact me or Mr. Jerry Volker of my staff on (xxx) xxx-xxxx. Sincerely, MICHAEL S.CONN Chief, Information Policy ENCL: 1. Has the NSA ever imposed or attempted to impose a weakness on any cryptographic code to see if it can thus be broken? One of NSA's missions is to provide the means for protecting U.S. government and military communications and information systems related to national security. In fulfilling this mission we design cryptologic codes based on an exhaustive evaluation process to ensure to the maximum extent possible that information systems security products that we endorse are free from any weaknesses. Were we to intentionally impose weaknesses on cryptologic codes for use by the U.S. government, we would not be fulfilling our mission to provide the means to protect sensitive U.S. government and military communications and our professional integrity would be at risk. 2. Has the NSA ever imposed or attempted to impose a weakness on the DES or DSS? Regarding the Data Encryption Standard (DES), we believe that the public record from the Senate Committee for Intelligence's investigation in 1978 into NSA's role in the development of the DES is responsive to your question. That committee report indicated that NSA did not tamper with the design of the algorithm in any way and that the security afforded by the DES was more than adequate for at least a 5-10 year time span for the unclassified data for which it was intended. In short, NSA did not impose or attempt to impose any weakness on the DES. Regarding the draft Digital Signature Standard (DSS), NSA never imposed any weakness or attempted to impose any weakness on the DSS. 3. Is the NSA aware of any weaknesses in the DES or the DSS? The RSA? We are unaware of any weaknesses in the DES or the DSS when properly implemented and used for the purposes for which they both are designed. We do not comment on nongovernment systems. Regarding the alleged trapdoor in the DSS. We find the term trapdoor somewhat misleading since it implies that the messages sent by the DSS are encrypted and with access via a trapdoor one could somehow decrypt (read) the message without the sender's knowledge. The DSS does not encrypt any data. The real issue is whether the DSS is susceptible to someone forging a signature and therefore discrediting the entire system. We state categorically that the chances of anyone - including NSA - forging a signature with the DSS when it is properly used and implemented is infinitesimally small. Furthermore, the alleged trapdoor vulnerability is true for ANY public key-based authentication system, including RSA. To imply somehow that this only affects the DSS (a popular argument in the press) is totally misleading. The issue is one of implementation and how one goes about selecting prime numbers. We call your attention to a recent EUROCRYPT conference which had a panel discussion on the issue of trapdoors in the DSS. Included on the panel was one of the Bellcore researchers who initially raised the trapdoor allegation, and our understanding is that the panel -- including the person from Bellcore -- concluded that the alleged trapdoor was not an issue for the DSS. Furthermore, the general consensus appeared to be that the trapdoor issue was trivial and had been overblown in the press. However, to try to respond to the trapdoor allegation, at NIST's request, we have designed a prime generation process which will ensure that one can avoid selection of the relatively few weak primes which could lead to weakness in using the DSS. Additionally, NIST intends to allow for larger modulus sizes up to 1024 which effectively negates the need to even use the prime generation process to avoid weak primes. An additional very important point that is often overlooked is that with the DSS the primes are PUBLIC and therefore can be subject to public examination. Not all public key systems provide for this same type of examination. The integrity of any information security system requires attention to proper implementation. With the myriad of vulnerabilities possible given the differences among users, NSA has traditionally insisted on centralized trusted centers as a way to minimize risk to the system. While we have designed technical modifications to the DSS to meet NIST's requests for a more decentralized approach, we still would emphasize that portion of the Federal Register notice for the DSS which states: While it is the intent of this standard to specify general security requirements for generating digital signatures, conformance to this standard does not assure that a particular implementation is secure. The responsible authority in each agency or department shall assure that an overall implementation provides an acceptable level of security. NIST will be working with government users to ensure appropriate implementations. Finally, we have read all the arguments purporting insecurities with the DSS, and we remain unconvinced of their validity. The DSS has been subjected to intense evaluation within NSA which led to its being endorsed by our Director of Information Systems Security for use in signing unclassified data processed in certain intelligence systems and even for signing classified data in selected systems. We believe that this approval speaks to the lack of any credible attack on the integrity provided by the DSS given proper use and implementation. Based on the technical and security requirements of the U.S. government for digital signatures, we believe the DSS is the best choice. In fact, the DSS is being used in a pilot project for the Defense Message System to assure the authenticity of electronic messages of vital command and control information. This initial demonstration includes participation from the Joint Chiefs of Staff, the military services, and Defense Agencies and is being done in cooperation with NIST. 4. Has the NSA ever taken advantage of any weaknesses in the DES or the DSS? We are unaware of any weaknesses in the DSS or in the DES when properly implemented and used for the purposes for which they both are designed. 5. Did the NSA play a role in designing the DSS? Why, in the NSA's analysis, was it seen as desirable to create the DSS when the apparently more robust RSA already stood as a de facto standard? Under the Computer Security Act of 1987, NIST is to draw upon computer systems technical security guidelines of NSA where appropriate and to coordinate closely with other agencies, including NSA, to assure: a. maximum use of all existing and planned programs, materials, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and b. that standards developed by NIST are consistent and compatible with standards and procedures developed for the protection of classified systems. Consistent with that law and based on a subsequent Memorandum of Understanding (MOU) between NSA and NIST, NSA's role is to be responsive to NIST's requests for assistance in developing, evaluating, or researching cryptographic algorithms and techniques. (See note at end). In 19??, NIST requested that NSA evaluate candidate algorithms proposed by NIST for a digital signature standard and that NSA provide new algorithms when existing algorithms did not meet U.S. government requirements. In the two-year process of developing a digital signature for U.S. government use, NIST and NSA examined various publicly-known algorithms and their variants, including RSA. A number of techniques were deemed to provide appropriate protection for Federal systems. The one selected by NIST as the draft Digital Signature Standard was determined to be the most suitable for reasons that were set forth in the Federal Register announcement. One such reason was to avoid issuance of a DSS that would result in users outside the government having to pay royalties. Even though the DSS is targeted for government use, eliminating potential barriers for commercial applications is useful to achieve economies of scale. Additionally, there are features of the DSS which make it more attractive for Federal systems that need to have a digital signature capability for large numbers of users. Chief among them are the number of trusted operation points and system management overhead that are minimized with the NIST proposed technique. 6. What national interests are served by limiting the power of cryptographic schemes used by the public? We call your attention to the House Judiciary committee hearing of 29 April 1992. The Director of the FBI expressed his concerns that law enforcement interests in meeting responsibilities given to them by Congress could be affected unless they had access to communications, as was given to them by statute in 1968 (court monitored, court sponsored, court reviewed and subject to Congressional oversight). The National Security Agency has no role in limiting the power of cryptographic schemes used by the public within the U.S. We have always been in favor of the use of information security technologies by U.S. businesses to protect their proprietary information, and when we had an information security role with private industry (prior to the Computer Security Act of 1987), we actively advocated use of such technologies. 7. What national interests are served by limiting the export of cryptographic technology? Cryptographic technology is deemed vital to national security interests. This includes economic, military, and foreign policy interests. We do not agree with the implications from the House Judiciary Committee hearing of 7 May 1992 and recent news articles that allege that U.S. export laws prevent U.S. firms' manufacture and use of top encryption equipment. We are unaware of any case where a U.S. firm has been prevented from manufacturing and using encryption equipment within this country or for use by the U.S. firm or its subsidiaries in locations outside the U.S. because of U.S. export restrictions. In fact, NSA has always supported the use of encryption by U.S. businesses operating domestically and overseas to protect sensitive information. For export to foreign countries, NSA as a component of the Department of Defense (along with the Department of State and the Department of Commerce) reviews export licenses for information security technologies controlled by the Export Administration Regulations or the international Traffic in Arms Regulations. Similar export control systems are in effect in all the Coordinating Committee for Multilateral Export Controls (CoCom) countries as well as many non-CoCom countries as these technologies are universally considered as sensitive. Such technologies are not banned from export and are reviewed on a case-by-case basis. As part of the export review process, licenses may be required for these systems and are reviewed to determine the effect such export could have on national security interests - including economic, military, and political security interests. Export licenses are approved or denied based upon the type of equipment involved, the proposed end-use and the end-user. Our analysis indicates that the U.S. leads the world in the manufacture and export of information security technologies. Of those cryptologic products referred to NSA by the Department of State for export licenses, we consistently approve over 90%. Export licenses for information security products under the jurisdiction of the Department of Commerce are processed and approved without referral to NSA or DoD. This includes products using such techniques as the DSS and RSA which provide authentication and access control to computers or networks. In fact, in the past NSA has played a major role in successfully advocating the relaxation of export controls on RSA and related technologies for authentication purposes. Such techniques are extremely valuable against the hacker problem and unauthorized use of resources. 8. What national interests are at risk, if any, if secure cryptography is widely available? Secure cryptography widely available outside the United States clearly has an impact on national security interests including economic, military, and political. Secure cryptography within the United States may impact law enforcement interests. 9. What does the NSA see as its legitimate interests in the area of cryptography? Public cryptography? Clearly one of our interests is to protect U.S. government and military communications and information systems related to national security. As part of that mission, we stay abreast of activities in public cryptography. 10. How did NSA enter into negotiations with the Software Publishers Association regarding the export of products utilizing cryptographic techniques? How was this group chosen, and to what purpose? What statute or elected representative authorized the NSA to engage in the discussions? The Software Publishers Association (SPA) went to the National Security Advisor to the President to seek help from the Administration to bring predictability, clarity, and speed to the process for exporting mass market software with encryption. The National Security Advisor directed NSA to work with the mass market software representatives on their request. ii. What is the status of these negotiations? These negotiations are ongoing. 12. What is the status of export controls on products using cryptographic techniques? How would you respond to those who point to the fact that the export of RSA from the U.S. is controlled, but that its import into the U.S. is not? To the best of our knowledge, most countries who manufacture cryptographic products regulate the export of such products from their countries by procedures similar to those existing within the U.S. Some even control the import into their countries. The U.S. complies with the guidelines established by CoCom for these products. Regarding the export of RSA from the U.S., we are unaware of any restrictions that have been placed on the export of RSA for authentication purposes. 13. What issues would you like to discuss that I have not addressed? None. 14. What question or questions would you like to pose of your critics? None. NOTE: To clarify misunderstandings regarding this Memorandum of Understanding (MOU); this MOU does not provide NSA any veto power over NIST proposals. As was discussed publicly in 1989, the MOU provides that if there is an issue that can not be resolved between the two agencies, then such an issue may be referred to the President for resolution. Enclosed please find a copy of subject MOU which has been made freely available in the past by both NSA and NIST to all requestors. At the House Judiciary Committee hearings on 7 May 1992, the Director of NIST responded that he had never referred an issue to the White House since his assumption of Directorship in 1990. MEMORANDUM OF UNDERSTANDING BETWEEN THE DIRECTOR OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY AND THE DIRECTOR OF THE NATIONAL SECURITY AGENCY CONCERNING THE IMPLEMENTATION OF PUBLIC LAW 100-235 Recognizing that: A. Under Section 2 of the Computer Security Act of 1987 (Public Law 100-235), (the Act), the National Institute of Standards and Technology (NIST) has the responsibility within the Federal Government for: 1. Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security ad privacy of sensitive information in Federal computer systems as defined in the Act; and, 2. Drawing on the computer system technical security guidelines of the National Security Agency (NSA) in tis regard where appropriate. B. Under Section 3 of the Act, the NIST is to coordinate closely with other agencies and offices, including the NSA, to assure: 1. Maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and, - 2. To the maximum extent feasible, that standards developed by the NIST under the Act are consistent and compatible with standards and procedures developed for the protection of classified information in Federal computer systems. C. Under the Act, the Secretary of Commerce has the responsibility, which he has delegated to the Director of NIST, for appointing the members of the Computer System Security and Privacy Advisory Board, at least one of whom shall be from the NSA. Therefore, in furtherance of the purposes of this MOU, the Director of the NIST and the Director of the NSA hereby agree as follows: The NIST will: 1. Appoint to the Computer Security and Privacy Advisory Board at least one representative nominated by the Director of the NSA. 2. Draw upon computer system technical security guidelines developed -by the NSA to the extent that the NIST determines that such guidelines are consistent with the requirements tor protecting sensitive information in Federal computer systems. 3. Recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation. 4. Develop telecommunications security standards for protecting sensitive unclassified computer data, drawing upon the expertise and products of the National Security Agency, to the ratest extent possible, in meeting these responsibilities in a timely and cost effective manner 5. Avoid duplication where possible in entering into mutually agreeable arrangements with NSA for NSA support. 6. Request the NSA's assistance on all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development valuation, or endorsement. II. The NSA will: 1. Provide the NIST with technical guidelines in trusted technology, telecommunications security, and personal -identification that may be used in cost-effective systems for protecting sensitive computer data. 2. Conduct or initiate research and development programs in trusted technology, telecommunications security, cryptographic techniques and personal identification methods. 3. Be responsive to the NIST's requests for assistance in respect to all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development, evaluation, or endorsement. 4. Establish the standards and endorse products for application to secure systems covered in 10 USC Section 2315 (the Warner Amendment). 5 Upon request by Federal agencies, their contractors and other government-sponsored entities, conduct assessments of the hostile intelligence threat to Federal information systems, and provide technical assistance and recommend endorsed products for application to secure systems against that threat. III. The NIST and the NSA shall: 1. Jointly review agency plans for the security and privacy of computer systems submitted to NIST and NSA pursuant to section 6(b) of the Act. 2. Exchange technical standards and guidelines as necessary to achieve the purposes of the Act. 3. Work together to achieve the purposes of this memorandum with the greatest efficiency possible, avoiding unnecessary duplication of effort. 4. Maintain an ongoing, open dialogue to ensure that each organization remains abreast of emerging technologies and issues effecting automated information system security in computer-based systems. 5. Establish a Technical Working Group to review and analyze issues of mutual interest pertinent to protection of systems that process sensitive or other unclassified-information. The Group shall be composed of six Federal employees, three each selected by NIST and NSA and to be augmented as necessary by representatives of other agencies. Issues may be referred to the group by either the NSA Deputy Director for Information Security or the NIST Deputy Director or may be generated -and addressed by the group upon approval by the NSA DDI or NIST Deputy Director. Within days of the referral of an issue to the Group by either the NSA Deputy Director for Information Security or the NIST Deputy Director, the Group will respond with a progress report and plan for further analysis, if any. 6. Exchange work plans on an annual basis on all research and development projects pertinent to protection of systems that process sensitive or other unclassified information, including trusted technology, technology for protecting the integrity and availability of data, telecommunications security and personal identification methods. Project updates will be exchanged quarterly, and project reviews will be provided by either party upon request of the other party. 7. Ensure the Technical Working Group reviews prior to public disclosure all matters regarding technical-systems security techniques to be developed for use in protecting sensitive information in Federal computer systems to ensure they are consistent with the national security of the United States. If NIST and NSA are unable to resolve such an issue within 60 days, either agency may elect to raise the issue to the Secretary of Defense and the Secretary of Commerce. It is recognized that such an issue may be referred to the President through the NSC for resolution. No action shall be taken on such an issue until it is resolved. 8. Specify additional operational agreements in annexes to this MOU as they. are agreed to by NSA and NIST. IV. Either party may elect to terminate this MOU upon six months written notice. This MOU is effective upon approval of both signatories. RAYMOND G. KAMMER W. O. STUDEMAN Acting Director, Vice Admiral U.S. Navy, National Institute of Director, National Security Agency Standards and Technology [If any garbles remain, they are due either to the scanning process or to PGN trying to fix the originally very buggy scanned version. PGN] ------------------------------ End of RISKS-FORUM Digest 13.61 ************************