Subject: RISKS DIGEST 14.61 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Saturday 15 May 1993 Volume 14 : Issue 61 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Opel Corsa Stops for Mobile Phones (O\ystein Gulbrandsen) Re: Analog vs Digital Speedometers (Roger Crew) Re: New NIST/NSA Revelations (Dorothy Denning) Clipper - A Trojan Horse (Bill Nicholls) Testimony to Boucher's House Science Subcommittee (Whitfield Diffie) The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Fri, 14 May 93 09:09:52 +0200 From: oysteing@taskon.no (Gulbrandsen) Subject: Opel Corsa Stops for Mobile Phones >From Motor, the Norwegian AAA monthly: While testing the new Opel Corsa, we brought along a mobile phone. One conversation was enough to kill the motor completely. The phone was of the new nordic 450-system, and the antenna was in the front seat. At first we took it for a coincidence, but it proved to be repeatable: when calling out or receiving a call, the car abruptly halted. The signals from the phone apparently confused the electronics in the car. When we later moved the antennae to the back seat, we only felt a slight "tug" from the engine, and with the antennae on the roof, there was no ill effect. The importer has passed the message to Opel, Germany, and we expect it to be fixed ASAP, he says. The translation is by me, but I hope the meaning gets through. [TNX. PGN] \ystein Gulbrandsen Taskon A/S ------------------------------ Date: Wed, 12 May 93 00:14:22 PDT From: Roger Crew Subject: Re: Analog vs Digital Speedometers Digital speedometers have other interesting properties. I am reminded of one night when I was out driving on one of the more desolate portions of [...pick your favorite interstate...], noticed another car going absurdly fast and decided to follow it for a bit to see just how fast (...well okay, I had just recently bought my car and was about to yield to the temptation to "push the envelope" a bit...). The speed turned out to be 85 mph. Oddly enough, the speed remained quite constant. For the first few minutes, I attributed this to the other car having a very good cruise control. I thought it was rather stupid to be setting a cruise control that high, but then, who was I to talk? A bit more thought and observation revealed that my speed was quite independent of what I was doing with my accelerator pedal or the general terrain I was driving on. I let up on the gas quite abruptly and this time could actually feel the car slowing down --- and still I was going 85 mph. At this point I noticed the tachometer descending through 4000 rpm and decided I had definitely had enough fun for one night. And then I remembered... My car is 1982 model. In 1982 there was a federal (US) law in force forbidding speedometers from showing speeds higher than 85 mph. This is all well and good if you have an analog speedometer and can SEE the needle PEGGED against the upper end. It had never occurred to me until that moment that someone would actually build a digital speedometer that pegs. (very) shortly thereafter I had gotten down to a relatively sedate 50mph with 2000 rpm on the tachometer. The rest is left as an exercise for the reader... Roger Crew crew@CS.Stanford.EDU ------------------------------ Date: Wed, 12 May 93 10:20:42 EDT From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: New NIST/NSA Revelations David Sobel, CPSR Legal Council, wrote in RISKS DIGEST 14.59: The proposed DSS was widely criticized within the computer industry for its perceived weak security and inferiority to an existing authentication technology known as the RSA algorithm. Many observers have speculated that the RSA technique was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm and because the RSA technique could also be used to encrypt data very securely. This is terribly misleading. NIST issued the DSS proposal along with a public call for comments as part of their normal practice with proposed standards. The community responded, and NIST promptly addressed the security concerns. Among other things, the DSS now accommodates longer keys (up to 1024 bits). As a result of the revisions, the DSS is now considered to be just as strong as RSA. Dorothy Denning ------------------------------ Date: 12 May 1993 13:11:05 -0400 (EDT) From: Bill Nicholls Subject: Clipper - A Trojan Horse I've been following the discussion in RISKS about the Clipper chip with great interest, and have learned a lot about what is planned as well as what weaknesses may exist, and why. But I have gradually become aware of an uneasy feeling, as though I was missing something important about this chip. After some thought about the situation, I have come to the conclusion that Clipper is in fact a Trojan Horse, in the classic sense. This morning I was thinking about why anyone would use the Clipper chip when existing software security could be much better than what Clipper offers. I can see why NSA and FBI are unhappy about the reality of not being able to crack a really secure system such as the RSA or DES with a 128 bit key, or a one time pad on a floppy disk or CD-ROM. In fact it is quite clear that current techniques are more than adequate to secure messages beyond even NSA's ability to break economically. The simple fact is that fast microprocessors can generate complexity faster than even huge parallel processors can break it. In my opinion, the balance of privacy has gone over to the individual who uses one of these techniques, and this is a sea change - one that cannot be reversed. I think NSA, being expert in this domain, recognized this before anyone else. Clipper is clearly an attempt to turn back the clock to an era when they could crack most any system if there was sufficient incentive. Like all such attempts, this too will fail. Why then would it be proposed? It was proposed because hidden inside the Clipper chip proposal are a number of Trojan Horses, some we are meant to find, and some we are not. Many people jumped on the key security issue, and I believe that was intended to attract our attention and tie up our resources. Several good points have been made about that item, which I will not repeat here. Another Trojan that we were meant to find is the 'weak' crypto issue, the Clipper algorithm being unknown and not available for public review. It may well have a hidden trapdoor that would not be found easily, yet if it were public, it would be found eventually. If it were found, the public outcry could well cause a big shift in political power. Beyond those Trojans there are others which I believe we were not meant to find. Consider how the proposal surfaced. After lengthy *secret* meetings between NIST and NSA, a Presidential order appears putting Clipper into play. What is notable about this? Clipper is the first proposal for encryption that *requires* registration of the keys. Why? Because, as I said earlier, our ability to encrypt has vastly outstripped the government's ability to decrypt. Registration puts this even, from the government's point of view. So where's the Trojan? The Trojan is the required registration of keys, mandated by presidential order. Once this precedent is established, the government could say "Sure, use any method you like, but register the algorithm and escrow the keys". This new requirement to register methods and keys now has the force of law without ever having been through the proper process - that is the passing of such a law by our elected representatives in the House and Senate, plus a public signing by the President. I think it is clear that no such law would pass, since it is a infringement on our liberty (IMHO), for which a vague hand waving and repeat of the 'National Security' mantra does NOT suffice to justify. The first hidden Trojan is the attempted end run around the legislative process. There is a second Trojan in the Clipper proposal that I have not seen discussed. It is the establishment of a fixed (but unknown) method, with a fixed (but knowable) key as the basis for a 'secure' communication. On the surface, this looks acceptable if the key security issues can be resolved. But it really isn't acceptable if you think about how the real world operates. Entirely aside from the security of the keys is the nature of how people handle security. Given even the suspicion of a compromised security, most people will change their passwords instantly, just to be safe. But what do you do when the change requires justification to management that funds for a new instrument, or more than one, be expended for replacement on the basis of a suspicion? Even if you *know* that an instrument has been decoded, in many cases management will simply accept the government's word that the keys were destroyed rather than replace the instrument(s). What I suspect would really happen is that compromised instruments would generally remain in place because of human nature to underestimate the potential threat. It may well be that compromising one instrument can make other instruments compromised through some trapdoor we don't know about. So a single compromised instrument could compromise *unknowingly and beyond the key safeguards* any other instrument that had a conversation with it. It seems possible that one legal wiretap could cascade into a lot of illegal wiretaps. Given the ease with which secure communications can be done today, both voice and data, for no more than the cost of a mid-range PC and some software, I can understand why the FBI and NSA are concerned. I can easily sympathize with their problem because they are carrying heavy responsibilities for the nation. But I believe the attempt to turn back the clock is the wrong answer. When the Enigma machine was compromised and better methods invented, no one suggested that everyone be forced to use Enigma machines so the government could still break them if needed. But this is exactly what the Clipper chip proposal is attempting to do, and it has no more chance of succeeding than forcing Enigma on everyone would. Worse, it obscures the fact that a sea change has occurred and ignores the need to deal with the new reality. The new reality, for some years now, is that methods exist that are secure from everyone from a *technical breaking* point of view. The clear conclusion I draw from this is that the FBI and NSA must give new attention to other methods of access to the data they require for security and law enforcement. This may well mean a return to the days of (heavens) spies, listening devices, photographic/video recon and other methods. While the cold war was still on, this would probably be unacceptable, but now I think we can accept the possible handicap to law enforcement and national security rather than yield our own privacy. In addition, whatever we do as a nation does not prevent other nations from using unbreakable methods, so in any event, both NSA and the FBI need to address the 'other methods' issue to remain effective. Clipper Chip: It isn't needed, we already have better secure methods. It isn't wanted, except by the government. It isn't effective, since anyone can use better methods. It isn't useful because it doesn't address the real problem. Let's toss this Trojan horse, this bad idea, on the scrap heap of obscurity. ------------------------------ Date: Thu, 13 May 1993 at 14h15 From: whitfield.diffie@eng.sun.com Subject: Testimony to Boucher's House Science Subcommittee, 11 May 1993 The Impact of a Secret Cryptographic Standard on Encryption, Privacy, Law Enforcement and Technology Whitfield Diffie Sun Microsystems 11 May 1993 I'd like to begin by expressing my thanks to Congressman Boucher, the other members of the committee, and the committee staff for giving us the opportunity to appear before the committee and express our views. On Friday, the 16th of April, a sweeping new proposal for both the promotion and control of cryptography was made public on the front page of the New York Times and in press releases from the White House and other organizations. This proposal was to adopt a new cryptographic system as a federal standard, but at the same time to keep the system's functioning secret. The standard would call for the use of a tamper resistant chip, called Clipper, and embody a `back door' that will allow the government to decrypt the traffic for law enforcement and national security purposes. So far, available information about the chip is minimal and to some extent contradictory, but the essence appears to be this: When a Clipper chip prepares to encrypt a message, it generates a short preliminary signal rather candidly entitled the Law Enforcement Exploitation Field. Before another Clipper chip will decrypt the message, this signal must be fed into it. The Law Enforcement Exploitation Field or LEEF is tied to the key in use and the two must match for decryption to be successful. The LEEF in turn, when decrypted by a government held key that is unique to the chip, will reveal the key used to encrypt the message. The effect is very much like that of the little keyhole in the back of the combination locks used on the lockers of school children. The children open the locks with the combinations, which is supposed to keep the other children out, but the teachers can always look in the lockers by using the key. In the month that has elapsed since the announcement, we have studied the Clipper chip proposal as carefully as the available information permits. We conclude that such a proposal is at best premature and at worst will have a damaging effect on both business security and civil rights without making any improvement in law enforcement. To give you some idea of the importance of the issues this raises, I'd like to suggest that you think about what are the most essential security mechanisms in your daily life and work. I believe you will realize that the most important things any of you ever do by way of security have nothing to do with guards, fences, badges, or safes. Far and away the most important element of your security is that you recognize your family, your friends, and your colleagues. Probably second to that is that you sign your signature, which provides the people to whom you give letters, checks, or documents, with a way of proving to third parties that you have said or promised something. Finally you engage in private conversations, saying things to your loved ones, your friends, or your staff that you do not wish to be overheard by anyone else. These three mechanisms lean heavily on the physical: face to face contact between people or the exchange of written messages. At this moment in history, however, we are transferring our medium of social interaction from the physical to the electronic at a pace limited only by the development of our technology. Many of us spend half the day on the telephone talking to people we may visit in person at most a few times a year and the other half exchanging electronic mail with people we never meet in person. Communication security has traditionally been seen as an arcane security technology of real concern only to the military and perhaps the banks and oil companies. Viewed in light of the observations above, however, it is revealed as nothing less than the transplantation of fundamental social mechanisms from the world of face to face meetings and pen and ink communication into a world of electronic mail, video conferences, electronic funds transfers, electronic data interchange, and, in the not too distant future, digital money and electronic voting. No right of private conversation was enumerated in the constitution. I don't suppose it occurred to anyone at the time that it could be prevented. Now, however, we are on the verge of a world in which electronic communication is both so good and so inexpensive that intimate business and personal relationships will flourish between parties who can at most occasionally afford the luxury of traveling to visit each other. If we do not accept the right of these people to protect the privacy of their communication, we take a long step in the direction of a world in which privacy will belong only to the rich. The import of this is clear: The decisions we make about communication security today will determine the kind of society we live in tomorrow. The objective of the administration's proposal can be simply stated: They want to provide a high level of security to their friends, while being sure that the equipment cannot be used to prevent them from spying on their enemies. Within a command society like the military, a mechanism of this sort that allows soldiers' communications to be protected from the enemy, but not necessarily from the Inspector General, is an entirely natural objective. Its imposition on a free society, however, is quite another matter. Let us begin by examining the monitoring requirement and ask both whether it is essential to future law enforcement and what measures would be required to make it work as planned. Eavesdropping, as its name reminds us, is not a new phenomenon. But in spite of the fact that police and spies have been doing it for a long time, it has acquired a whole new dimension since the invention of the telegraph. Prior to electronic communication, it was a hit or miss affair. Postal services as we know them today are a fairly new phenomenon and messages were carried by a variety of couriers, travelers, and merchants. Sensitive messages in particular, did not necessarily go by standardized channels. Paul Revere, who is generally remembered for only one short ride, was the American Revolution's courier, traveling routinely from Boston to Philadelphia with his saddle bags full of political broadsides. Even when a letter was intercepted, opened, and read, there was no guarantee, despite some people's great skill with flaps and seals, that the victim would not notice the intrusion. The development of the telephone, telegraph, and radio have given the spies a systematic way of intercepting messages. The telephone provides a means of communication so effective and convenient that even people who are aware of the danger routinely put aside their caution and use it to convey sensitive information. Digital switching has helped eavesdroppers immensely in automating their activities and made it possible for them to do their listening a long way from the target with negligible chance of detection. Police work was not born with the invention of wiretapping and at present the significance of wiretaps as an investigative tool is quite limited. Even if their phone calls were perfectly secure, criminals would still be vulnerable to bugs in their offices, body wires on agents, betrayal by co-conspirators who saw a brighter future in cooperating with the police, and ordinary forensic inquiry. Moreover, cryptography, even without intentional back doors, will no more guarantee that a criminal's communications are secure than the Enigma guaranteed that German communications were secure in World War II. Traditionally, the richest source of success in communications intelligence is the ubiquity of busts: failures to use the equipment correctly. Even if the best cryptographic equipment we know how to build is available to them, criminal communications will only be secure to the degree that the criminals energetically pursue that goal. The question thus becomes, ``If criminals energetically pursue secure communications, will a government standard with a built in inspection port, stop them. It goes without saying that unless unapproved cryptography is outlawed, and probably even if it is, users bent on not having their communications read by the state will implement their own encryption. If this requires them to forgo a broad variety of approved products, it will be an expensive route taken only by the dedicated, but this sacrifice does not appear to be necessary. The law enforcement function of the Clipper system, as it has been described, is not difficult to bypass. Users who have faith in the secret Skipjack algorithm and merely want to protect themselves from compromise via the Law Enforcement Exploitation Field, need only encrypt that one item at the start of transmission. In many systems, this would require very small changes to supporting programs already present. This makes it likely that if Clipper chips become as freely available as has been suggested, many products will employ them in ways that defeat a major objective of the plan. What then is the alternative? In order to guarantee that the government can always read Clipper traffic when it feels the need, the construction of equipment will have to be carefully controlled to prevent non-conforming implementations. A major incentive that has been cited for industry to implement products using the new standard is that these will be required for communication with the government. If this strategy is successful, it is a club that few manufacturers will be able to resist. The program therefore threatens to bring communications manufacturers under an all encompassing regulatory regime. It is noteworthy that such a regime already exists to govern the manufacture of equipment designed to protect `unclassified but sensitive' government information, the application for which Clipper is to be mandated. The program, called the Type II Commercial COMSEC Endorsement Program, requires facility clearances, memoranda of agreement with NSA, and access to secret `Functional Security Requirements Specifications.' Under this program member companies submit designs to NSA and refine them in an iterative process before they are approved for manufacture. The rationale for this onerous procedure has always been, and with much justification, that even though these manufacturers build equipment around approved tamper resistant modules analogous to the Clipper chip, the equipment must be carefully vetted to assure that it provides adequate security. One requirement that would likely be imposed on conforming Clipper applications is that they offer no alternative or additional encryption mechanisms. Beyond the damaging effects that such regulation would have on innovation in the communications and computer industries, we must also consider the fact that the public cryptographic community has been the principal source of innovation in cryptography. Despite NSA's undocumented claim to have discovered public key cryptography, evidence suggests that, although they may have been aware of the mathematics, they entirely failed to understand the significance. The fact that public key is now widely used in government as well as commercial cryptographic equipment is a consequence of the public community being there to show the way. Farsightedness continues to characterize public research in cryptography, with steady progress toward acceptable schemes for digital money, electronic voting, distributed contract negotiation, and other elements of the computer mediated infrastructure of the future. Even in the absence of a draconian regulatory framework, the effect of a secret standard, available only in a tamper resistant chip, will be a profound increase in the prices of many computing devices. Cryptography is often embodied in microcode, mingled on chips with other functions, or implemented in dedicated, but standard, microprocessors at a tiny fraction of the tens of dollars per chip that Clipper is predicted to cost. What will be the effect of giving one or a small number of companies a monopoly on tamper resistant parts? Will there come a time, as occurred with DES, when NSA wants the standard changed even though industry still finds it adequate for many applications? If that occurs will industry have any recourse but to do what it is told? And who will pay for the conversion? One of the little noticed aspects of this proposal is the arrival of tamper resistant chips in the commercial arena. Is this tamper resistant part merely the precursor to many? Will the open competition to improve semiconductor computing that has characterized the past twenty-years give way to an era of trade secrecy? Is it perhaps tamper resistance technology rather than cryptography that should be regulated? Recent years have seen a succession of technological developments that diminish the privacy available to the individual. Cameras watch us in the stores, x-ray machines search us at the airport, magnetometers look to see that we are not stealing from the merchants, and databases record our actions and transactions. Among the gems of this invasion is the British Rafter technology that enables observers to determine what station a radio or TV is receiving. Except for the continuing but ineffectual controversy surrounding databases, these technologies flourish without so much as talk of regulation. Cryptography is perhaps alone in its promise to give us more privacy rather than less, but here we are told that we should forgo this technical benefit and accept a solution in which the government will retain the power to intercept our ever more valuable and intimate communications and will allow that power to be limited only by policy. In discussion of the FBI's Digital Telephony Proposal --- which would have required communication providers, at great expense to themselves, to build eavesdropping into their switches --- it was continually emphasized that wiretaps were an exceptional investigative measure only authorized when other measures had failed. Absent was any sense that were the country to make the proposed quarter billion dollar inventment in intercept equipment, courts could hardly fail to accept the police argument that a wiretap would save the people thousands of dollars over other options. As Don Cotter, at one time director of Sandia National Laboratories, said in respect to military strategy: ``Hardware makes policy.'' Law, technology, and economics are three central elements of society that must all be kept in harmony if freedom is to be secure. An essential element of that freedom is the right to privacy, a right that cannot be expected to stand against unremitting technological attack. Where technology has the capacity to support individual rights, we must enlist that support rather than rejecting it on the grounds that rights can be abused by criminals. If we put the desires of the police ahead of the rights of the citizens often enough, we will shortly find that we are living in police state. We must instead assure that the rights recognized by law are supported rather than undermined by technology. At NSA they believe in something they call `security in depth.' Their most valuable secret may lie encrypted on a tamper resistant chip, inside a safe, within a locked office, in a guarded building, surrounded by barbed wire, on a military base. I submit to you that the most valuable secret in the world is the secret of democracy; that technology and policy should go hand in hand in guarding that secret; that it must be protected by security in depth. Recommendations There is a crying need for improved security in American communication and computing equipment and the Administration is largely correct when it blames the problem on a lack of standards. One essential standard that is missing is a more secure conventional algorithm to replace DES, an area of cryptography in which NSA's expertise is probably second to none. I urge the committee to take what is good in the Administration's proposal and reject what is bad. \begdis o The Skipjack algorithm and every other aspect of this proposal should be made public, not only to expose them to public scrutiny but to guarantee that once made available as standards they will not be prematurely withdrawn. Configuration control techniques pioneered by the public community can be used to verify that some pieces of equipment conform to government standards stricter than the commercial where that is appropriate. o I likewise urge the committee to recognize that the right to private conversation must not be sacrificed as we move into a telecommunicated world and reject the Law Enforcement Exploitation Function and the draconian regulation that would necessarily come with it. o I further urge the committee to press the Administration to accept the need for a sound international security technology appropriate to the increasingly international character of the world's economy. ------------------------------ End of RISKS-FORUM Digest 14.61 ************************