Subject: RISKS DIGEST 14.80 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 11 August 1993 Volume 14 : Issue 80 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Article by Dorothy Denning on Clipper Chip (Al Stangenberger) SKIPJACK Review (Dorothy Denning) The Rule of Law and the Clipper Escrow Project (Peter Wayner) The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 4 Aug 93 10:35:05 PDT From: forags@nature.berkeley.edu (Al Stangenberger) Subject: Article by Dorothy Denning on Clipper Chip The July-August issue of American Scientist (Amer. Scientist 81:319-323) has a column by Dorothy Denning describing the Clipper Encryption System. It is written from the Administration and law enforcement viewpoint and does not discuss the serious privacy issues which have been raised in RISKS. However, it does present a clear discussion of the system and might be useful in explaining the system to colleagues. Al Stangenberger Dept. of Env. Sci., Policy, & Mgt. forags@nature.berkeley.edu 145 Mulford Hall, Univ. of Calif. Berkeley CA 94720 ------------------------------ Date: Sun, 01 Aug 1993 21:16:56 -0400 (EDT) From: Dorothy Denning Subject: SKIPJACK Review SKIPJACK Review Interim Report The SKIPJACK Algorithm Ernest F. Brickell, Sandia National Laboratories Dorothy E. Denning, Georgetown University Stephen T. Kent, BBN Communications Corporation David P. Maher, AT&T Walter Tuchman, Amperif Corporation July 28, 1993 (copyright 1993) Executive Summary The objective of the SKIPJACK review was to provide a mechanism whereby persons outside the government could evaluate the strength of the classified encryption algorithm used in the escrowed encryption devices and publicly report their findings. Because SKIPJACK is but one component of a large, complex system, and because the security of communications encrypted with SKIPJACK depends on the security of the system as a whole, the review was extended to encompass other components of the system. The purpose of this Interim Report is to report on our evaluation of the SKIPJACK algorithm. A later Final Report will address the broader system issues. The results of our evaluation of the SKIPJACK algorithm are as follows: 1. Under an assumption that the cost of processing power is halved every eighteen months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive search will be equal to the cost of breaking DES today. Thus, there is no significant risk that SKIPJACK will be broken by exhaustive search in the next 30-40 years. 2. There is no significant risk that SKIPJACK can be broken through a shortcut method of attack. 3. While the internal structure of SKIPJACK must be classified in order to protect law enforcement and national security objectives, the strength of SKIPJACK against a cryptanalytic attack does not depend on the secrecy of the algorithm. 1. Background On April 16, the President announced a new technology initiative aimed at providing a high level of security for sensitive, unclassified communications, while enabling lawfully authorized intercepts of telecommunications by law enforcement officials for criminal investigations. The initiative includes several components: A classified encryption/decryption algorithm called "SKIPJACK." Tamper-resistant cryptographic devices (e.g., electronic chips), each of which contains SKIPJACK, classified control software, a device identification number, a family key used by law enforcement, and a device unique key that unlocks the session key used to encrypt a particular communication. A secure facility for generating device unique keys and programming the devices with the classified algorithms, identifiers, and keys. Two escrow agents that each hold a component of every device unique key. When combined, those two components form the device unique key. A law enforcement access field (LEAF), which enables an authorized law enforcement official to recover the session key. The LEAF is created by a device at the start of an encrypted communication and contains the session key encrypted under the device unique key together with the device identifier, all encrypted under the family key. LEAF decoders that allow an authorized law enforcement official to extract the device identifier and encrypted session key from an intercepted LEAF. The identifier is then sent to the escrow agents, who return the components of the corresponding device unique key. Once obtained, the components are used to reconstruct the device unique key, which is then used to decrypt the session key. This report reviews the security provided by the first component, namely the SKIPJACK algorithm. The review was performed pursuant to the President's direction that "respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their finding." The Acting Director of the National Institute of Standards and Technology (NIST) sent letters of invitation to potential reviewers. The authors of this report accepted that invitation. We attended an initial meeting at the Institute for Defense Analyses Supercomputing Research Center (SRC) from June 21-23. At that meeting, the designer of SKIPJACK provided a complete, detailed description of the algorithm, the rationale for each feature, and the history of the design. The head of the NSA evaluation team described the evaluation process and its results. Other NSA staff briefed us on the LEAF structure and protocols for use, generation of device keys, protection of the devices against reverse engineering, and NSA's history in the design and evaluation of encryption methods contained in SKIPJACK. Additional NSA and NIST staff were present at the meeting to answer our questions and provide assistance. All staff members were forthcoming in providing us with requested information. At the June meeting, we agreed to integrate our individual evaluations into this joint report. We also agreed to reconvene at SRC from July 19-21 for further discussions and to complete a draft of the report. In the interim, we undertook independent tasks according to our individual interests and availability. Ernest Brickell specified a suite of tests for evaluating SKIPJACK. Dorothy Denning worked at NSA on the refinement and execution of these and other tests that took into account suggestions solicited from Professor Martin Hellman at Stanford University. NSA staff assisted with the programming and execution of these tests. Denning also analyzed the structure of SKIPJACK and its susceptibility to differential cryptanalysis. Stephen Kent visited NSA to explore in more detail how SKIPJACK compared with NSA encryption algorithms that he already knew and that were used to protect classified data. David Maher developed a risk assessment approach while continuing his ongoing work on the use of the encryption chip in the AT&T Telephone Security Device. Walter Tuchman investigated the anti-reverse engineering properties of the chips. We investigated more than just SKIPJACK because the security of communications encrypted with the escrowed encryption technology depends on the security provided by all the components of the initiative, including protection of the keys stored on the devices, protection of the key components stored with the escrow agents, the security provided by the LEAF and LEAF decoder, protection of keys after they have been transmitted to law enforcement under court order, and the resistance of the devices to reverse engineering. In addition, the success of the technology initiative depends on factors besides security, for example, performance of the chips. Because some components of the escrowed encryption system, particularly the key escrow system, are still under design, we decided to issue this Interim Report on the security of the SKIPJACK algorithm and to defer our Final Report until we could complete our evaluation of the system as a whole. 2. Overview of the SKIPJACK Algorithm SKIPJACK is a 64-bit "electronic codebook" algorithm that transforms a 64-bit input block into a 64-bit output block. The transformation is parameterized by an 80-bit key, and involves performing 32 steps or iterations of a complex, nonlinear function. The algorithm can be used in any one of the four operating modes defined in FIPS 81 for use with the Data Encryption Standard (DES). The SKIPJACK algorithm was developed by NSA and is classified SECRET. It is representative of a family of encryption algorithms developed in 1980 as part of the NSA suite of "Type I" algorithms, suitable for protecting all levels of classified data. The specific algorithm, SKIPJACK, is intended to be used with sensitive but unclassified information. The strength of any encryption algorithm depends on its ability to withstand an attack aimed at determining either the key or the unencrypted ("plaintext") communications. There are basically two types of attack, brute-force and shortcut. 3. Susceptibility to Brute Force Attack by Exhaustive Search In a brute-force attack (also called "exhaustive search"), the adversary essentially tries all possible keys until one is found that decrypts the intercepted communications into a known or meaningful plaintext message. The resources required to perform an exhaustive search depend on the length of the keys, since the number of possible keys is directly related to key length. In particular, a key of length N bits has 2^N possibilities. SKIPJACK uses 80-bit keys, which means there are 2^80 (approximately 10^24) or more than 1 trillion trillion possible keys. An implementation of SKIPJACK optimized for a single processor on the 8-processor Cray YMP performs about 89,000 encryptions per second. At that rate, it would take more than 400 billion years to try all keys. Assuming the use of all 8 processors and aggressive vectorization, the time would be reduced to about a billion years. A more speculative attack using a future, hypothetical, massively parallel machine with 100,000 RISC processors, each of which was capable of 100,000 encryptions per second, would still take about 4 million years. The cost of such a machine might be on the order of $50 million. In an even more speculative attack, a special purpose machine might be built using 1.2 billion $1 chips with a 1 GHz clock. If the algorithm could be pipelined so that one encryption step were performed per clock cycle, then the $1.2 billion machine could exhaust the key space in 1 year. Another way of looking at the problem is by comparing a brute force attack on SKIPJACK with one on DES, which uses 56-bit keys. Given that no one has demonstrated a capability for breaking DES, DES offers a reasonable benchmark. Since SKIPJACK keys are 24 bits longer than DES keys, there are 2^24 times more possibilities. Assuming that the cost of processing power is halved every eighteen months, then it will not be for another 24 * 1.5 = 36 years before the cost of breaking SKIPJACK is equal to the cost of breaking DES today. Given the lack of demonstrated capability for breaking DES, and the expectation that the situation will continue for at least several more years, one can reasonably expect that SKIPJACK will not be broken within the next 30-40 years. Conclusion 1: Under an assumption that the cost of processing power is halved every eighteen months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive search will be equal to the cost of breaking DES today. Thus, there is no significant risk that SKIPJACK will be broken by exhaustive search in the next 30-40 years. 4. Susceptibility to Shortcut Attacks In a shortcut attack, the adversary exploits some property of the encryption algorithm that enables the key or plaintext to be determined in much less time than by exhaustive search. For example, the RSA public-key encryption method is attacked by factoring a public value that is the product of two secret primes into its primes. Most shortcut attacks use probabilistic or statistical methods that exploit a structural weakness, unintentional or intentional (i.e., a "trapdoor"), in the encryption algorithm. In order to determine whether such attacks are possible, it is necessary to thoroughly examine the structure of the algorithm and its statistical properties. In the time available for this review, it was not feasible to conduct an evaluation on the scale that NSA has conducted or that has been conducted on the DES. Such review would require many man-years of effort over a considerable time interval. Instead, we concentrated on reviewing NSA's design and evaluation process. In addition, we conducted several of our own tests. 4.1 NSA's Design and Evaluation Process SKIPJACK was designed using building blocks and techniques that date back more than forty years. Many of the techniques are related to work that was evaluated by some of the world's most accomplished and famous experts in combinatorics and abstract algebra. SKIPJACK's more immediate heritage dates to around 1980, and its initial design to 1987. SKIPJACK was designed to be evaluatable, and the design and evaluation approach was the same used with algorithms that protect the country's most sensitive classified information. The specific structures included in SKIPJACK have a long evaluation history, and the cryptographic properties of those structures had many prior years of intense study before the formal process began in 1987. Thus, an arsenal of tools and data was available. This arsenal was used by dozens of adversarial evaluators whose job was to break SKIPJACK. Many spent at least a full year working on the algorithm. Besides highly experienced evaluators, SKIPJACK was subjected to cryptanalysis by less experienced evaluators who were untainted by past approaches. All known methods of attacks were explored, including differential cryptanalysis. The goal was a design that did not allow a shortcut attack. The design underwent a sequence of iterations based on feedback from the evaluation process. These iterations eliminated properties which, even though they might not allow successful attack, were related to properties that could be indicative of vulnerabilities. The head of the NSA evaluation team confidently concluded "I believe that SKIPJACK can only be broken by brute force; there is no better way." In summary, SKIPJACK is based on some of NSA's best technology. Considerable care went into its design and evaluation in accordance with the care given to algorithms that protect classified data. 4.2 Independent Analysis and Testing Our own analysis and testing increased our confidence in the strength of SKIPJACK and its resistance to attack. 4.2.1 Randomness and Correlation Tests A strong encryption algorithm will behave like a random function of the key and plaintext so that it is impossible to determine any of the key bits or plaintext bits from the ciphertext bits (except by exhaustive search). We ran two sets of tests aimed at determining whether SKIPJACK is a good pseudo random number generator. These tests were run on a Cray YMP at NSA. The results showed that SKIPJACK behaves like a random function and that ciphertext bits are not correlated with either key bits or plaintext bits. Appendix A gives more details. 4.2.2 Differential Cryptanalysis Differential cryptanalysis is a powerful method of attack that exploits structural properties in an encryption algorithm. The method involves analyzing the structure of the algorithm in order to determine the effect of particular differences in plaintext pairs on the differences of their corresponding ciphertext pairs, where the differences are represented by the exclusive-or of the pair. If it is possible to exploit these differential effects in order to determine a key in less time than with exhaustive search, an encryption algorithm is said to be susceptible to differential cryptanalysis. However, an actual attack using differential cryptanalysis may require substantially more chosen plaintext than can be practically acquired. We examined the internal structure of SKIPJACK to determine its susceptibility to differential cryptanalysis. We concluded it was not possible to perform an attack based on differential cryptanalysis in less time than with exhaustive search. 4.2.3 Weak Key Test Some algorithms have "weak keys" that might permit a shortcut solution. DES has a few weak keys, which follow from a pattern of symmetry in the algorithm. We saw no pattern of symmetry in the SKIPJACK algorithm which could lead to weak keys. We also experimentally tested the all "0" key (all 80 bits are "0") and the all "1" key to see if they were weak and found they were not. 4.2.4 Symmetry Under Complementation Test The DES satisfies the property that for a given plaintext-ciphertext pair and associated key, encryption of the one's complement of the plaintext with the one's complement of the key yields the one's complement of the ciphertext. This "complementation property" shortens an attack by exhaustive search by a factor of two since half the keys can be tested by computing complements in lieu of performing a more costly encryption. We tested SKIPJACK for this property and found that it did not hold. 4.2.5 Comparison with Classified Algorithms We compared the structure of SKIPJACK to that of NSA Type I algorithms used in current and near-future devices designed to protect classified data. This analysis was conducted with the close assistance of the cryptographer who developed SKIPJACK and included an in-depth discussion of design rationale for all of the algorithms involved. Based on this comparative, structural analysis of SKIPJACK against these other algorithms, and a detailed discussion of the similarities and differences between these algorithms, our confidence in the basic soundness of SKIPJACK was further increased. Conclusion 2: There is no significant risk that SKIPJACK can be broken through a shortcut method of attack. 5. Secrecy of the Algorithm The SKIPJACK algorithm is sensitive for several reasons. Disclosure of the algorithm would permit the construction of devices that fail to properly implement the LEAF, while still interoperating with legitimate SKIPJACK devices. Such devices would provide high quality cryptographic security without preserving the law enforcement access capability that distinguishes this cryptographic initiative. Additionally, the SKIPJACK algorithm is classified SECRET NOT RELEASABLE TO FOREIGN NATIONALS. This classification reflects the high quality of the algorithm, i.e., it incorporates design techniques that are representative of algorithms used to protect classified information. Disclosure of the algorithm would permit analysis that could result in discovery of these classified design techniques, and this would be detrimental to national security. However, while full exposure of the internal details of SKIPJACK would jeopardize law enforcement and national security objectives, it would not jeopardize the security of encrypted communications. This is because a shortcut attack is not feasible even with full knowledge of the algorithm. Indeed, our analysis of the susceptibility of SKIPJACK to a brute force or shortcut attack was based on the assumption that the algorithm was known. Conclusion 3: While the internal structure of SKIPJACK must be classified in order to protect law enforcement and national security objectives, the strength of SKIPJACK against a cryptanalytic attack does not depend on the secrecy of the algorithm. [The appendix in LaTeX form is available from Dorothy. PGN] ------------------------------ Date: Tue, 3 Aug 1993 09:40:00 -0400 From: Peter Wayner Subject: The Rule of Law and the Clipper Escrow Project Last Thursday, I attended the first day of the Computer System Ssecurity and Privacy Advisory Board in Washington. This is a group of industry experts who discuss topics in computer security that should affect the public and industry. Some of the members are from users like banks and others are from service providing companies like Trusted Information Services. Lately, their discussion has centered on the NSA/NIST's Clipper/Capstone/Skipjack project and the effects it will have on society. At the last meeting, the public was invited to make comments and they were almost unanimously skeptical and critical. They ranged from political objections to the purely practical impediments. Some argued that this process of requiring the government to have the key to all conversations was a violation of the fourth amendment of the constitution prohibiting warrantless searches. Others noted that a software solution was much simpler and cheaper even if the chips were going to cost a moderate $25. There were many different objections, but practically everyone felt that a standard security system was preferable. This meeting was largely devoted to the rebuttals from the government. The National Security Association, the Department of Justice, the FBI, the national association of District Attorneys and Sheriffs and several others were all testifying today. The board itself runs with a quasi-legal style they make a point of making both video and audio tapes of the presentations. The entire discussion is conducted with almost as much gravity as Congressional hearings. The entire meeting was suffused with an air of ernest lawfullness that came these speakers. All of them came from the upper ranks of the military or legal system and a person doesn't rise to such a position without adopting the careful air of the very diligent bureaucrat. People were fond of saying things like, "Oh, it's in the Federal Register. You can look it up." This is standard operating procedure in Washington agencies and second nature to many of the day's speakers. Dorothy Denning was one of the first speakers and she reported on the findings of the committee of five noted public cryptologists who agreed to give the Clipper standard a once-over. Eleven people were asked, but six declined for a variety of reasons. The review was to be classified "Secret" and some balked at this condition because they felt it would compromise their position in public. The talk made clear that the government intended to keep the standard secret for the sole purpose of preventing people from making unauthorized implementations without the law enforcement back door. Dr. Denning said that everyone at the NSA believes that the algorithm could withstand public knowledge with no trouble. The review by the panel revealed no reason why they shouldn't trust this assessment. Although lack of time lead the panel to largely rubberstamp the more extensive review by the NSA, they did conduct a few tests of their own. They programmed the algorithm on a Cray YMP, which incidentally could process 89,000 encryptions per second in single processor mode. This implementation was used for a cycling test which they found seemed to imply that there was good randomness. The test is done by repeatedly encrypting one value of data until a cycle occurs. The results agreed with what a random process should generate. They also tested the system for strength against a differential cryptanalysis attack and found it worthy. There was really very little other technical details in the talk. Saying more would have divulged something about the algorithm. My general impression is that the system is secure. Many people have played paranoid and expressed concerns that the classified algorithm might be hiding a trapdoor. It became clear to me that these concerns were really silly. There is a built-in trapdoor to be used by the government when it is "legal authorized" to intercept messages. The NSA has rarely had trouble in the past exercising either its explicitly granted legal authority or its implied authority. The phrase "national security" is a powerful pass phrase around Washington and there is no reason for me to believe that the NSA wouldn't get all of the access to the escrow database that it needs to do its job. Building in a backdoor would only leave a weakness for an opponent to exploit and that is something that is almost as sacriligeous at the NSA as just putting the classified secrets in a Fed Ex package to Saddam Hussein. Next there was a report from Geoff Greiveldinger , the man from the Department of Justice with the responsibility of implementing the the Key Escrow plan. After the Clipper/Capstone/SkipJack chips are manufactured, they will be programmed with an individual id number and a secret, unique key. A list is made of the id, key pairs and this list is split into two halves by taking each unique key, k, and finding two numbers a and b such that a+b=k. (+ represents XOR). One new list will go to one of the escrow agencies and one will go to the other. It will be impossible to recover the secret key without getting the list entry from both agencies. At this point, they include an additional precaution. Each list will be encrypted so even the escrow agency won't be able to know what is in its list. The key for decoding this list will be locked away in the evesdropping box. When a wiretap is authorized, each escrow agency will lookup the halves of the key that correspond to the phone being tapped and send these to evesdropping box where they will be decrypted and combined. That means that two clerks from the escrow agencies could not combine their knowledge. They would need access to a third key or an evesdropping box. It became clear that the system was not fully designed. It wasn't obvious how spontaneous and fully automated the system would be. Mr. Greiveldinger says that he is trying to balance the tradeoffs between security and efficiency. Officers are bound to be annoyed and hampered if they can't start a tap instanteneously. The kidnapping of a child is the prototypical example of when this would be necessary. The courts also grant authority for "roving" wiretaps that allow the police to intercept calls from any number of phones. A tap like this begs out for a highly automated system for delivering the keys. I imagine that the system as it's designed will consist of escrow computers with a few clerks who have nothing to do all day. When a tap is authorized, the evesdropping box will be programmed with a private key and shipped to the agents via overnight express. When they figure out the id number of the phone being tapped, the evesdropping box will probably phone the two escrow computers, perform a bit of zero-knowledge authorization and then receive the two halves of the key. This would allow them to switch lines and conduct roving taps effectively. The NSA would presumably have a box that would allow them to decrypt messages from foreign suspects. At this point, I had just listened to an entirely logical presentation from a perfect gentleman. We had just run though a system that had many nice technological checks and balances in it. Subverting it seemed very difficult. You would need access to the two escrow agencies and an evesdropping box. Mr. Greiveldinger said that there would be many different "auditting" records that would be kept of the taps. It was very easy to feel rather secure about the whole system in a nice, air-conditioned auditorium where clean, nice legally precise people were speaking in measured tones. It was very easy to believe in the Rule of Law. To counteract this, I tried to figure out the easiest way for me to subvert the system. The simplest way is to be a police officer engaged in a stakeout of someone for whom you've already received a warrant. You request the Clipper eavesdropping box on the off chance that the suspect will buy a Clipper phone and then you "lend" it to a friend who needs it. I think that the automation will allow the person who possesses the box to listen in to whatever lines that they want. The escrow agency doesn't maintain a list of people and id numbers-- they only know the list matching the id number to the secret key. There is no way that they would know that a request from the field was unreasonable. Yes, the audit trails could be used later to reconstruct what the box was used for, but that would only be necessary if someone got caught. The bribe value of this box would probably be hard to determine, but it could be very valuable. We know that the government of France is widely suspected of using its key escrow system to eavesdrop on US manufacturers in France. Would they be willing to buy eavesdropping time here in America? It is not uncommon to see reports of industrial espionage where the spies get millions of dollars. On the other hand, cops on the beat in NYC have been influenced for much less. The supply and demand theory of economics virtually guarantees that some deals are going to be done. It is not really clear what real effect the key escrow system is going to have on security. Yes, thieves would need to raid two different buildings and steal two different copies of the tapes. This is good. But it is still impossible to figure out if the requests from the field are legitimate-- at least within the time constraints posed by urgent cases involving terrorism and kidnapping. The net effect of implementing the system is that the phone system would be substantially strengthened against naive intruders, but the police (and those that bribe them) would still be able to eavesdrop with impunity. Everyone needs to begin to do a bit of calculus between the costs and benefits of this approach. On one hand, not letting the police intercept signals will let the crooks run free but on the other hand, the crooks are not about to use Clipper phones for their secrets if they know that they can be tapped. The most interesting speaker was the assistant director of the National Security Agency, Dr. Clint Brooks. He immediately admitted that the entire Clipper project was quite unusual because the Agency was not used to dealing with the open world. Speaking before a wide audience was strange for him and he admitted that producing a very low cost commercial competitive chip was also a new challenge for them. Nevertheless, I found him to be the deepest thinker at the conference. He readily admitted that the Clipper system isn't intended to catch any crooks. They'll just avoid the phones. It is just going to deny them access to the telecommunications system. They just won't be able to go into Radio Shack and buy a secure phone that comes off the line. It was apparent that he was somewhat skeptical of the Clipper's potential for success. He said at one point the possibilities in the system made it worth taking the chance that it would succeed. If it could capture a large fraction of the market then it could help many efforts of the law enforcement and intelligence community. When I listened, though, I began to worry about what is going to happen as we begin to see the eventual blurring of data and voice communications systems. Right now, people go to Radio Shack to buy a phone. It's the only way you can use the phone system. In the future, computers, networks and telephones are going to be linked in much more sophisticated ways. I think that Intel and Microsoft are already working on such a technology. When this happens, programmable phones are going to emerge. People will be able to pop a new ROM in their cellular digital phone or install new software in their computer/video game/telephone. This could easily be a proprietary encryption system that scrambles everything. The traditional way of controlling technology by controlling the capital intensive manufacturing sites will be gone. Sure, the NSA and the police will go to Radio Shack and say "We want your cooperation" and they'll get it. But it's the little, slippery ones that will be trouble in the new, software world. The end of the day was dominated by a panel of Law Enforcement specialists from around the country. These were sheriffs, district attorneys, FBI agents and other officers from different parts of the system. Their message was direct and they didn't hesitate to compare encryption with assault rifles. One even said, "I don't want to see the officers outgunned in a technical arena." They repeatedly stressed the incredible safeguards placed upon the wiretapping process and described the hurdles that the officers must go through to use the system. One DA from New Jersey said that in his office, they process about 10,000 cases a year, but they only do one to two wiretaps on average. It just seems like a big hassle and expense for them. It is common for the judges to require that the officers have very good circumstantial evidence from informers before giving them the warrant. This constraint coupled with the crooks natural hesitation to use the phone meant that wiretaps weren't the world's greatest evidence producers. One moment of levity came when a board member asked what the criminals favorite type of encryption was. The police refused to answer this one and I'm not that sure if they've encountered enough cases to build a profile. At the end of all of the earnestness and "support-the-cop-on-the-beat", I still began to wonder if there was much value to wiretaps at all. The police tried to use the low numbers of wiretaps as evidence that they're not out there abusing the system, but I kept thinking that this was mainly caused by the high cost and relatively low utility of the technique. It turns out that there is an easy way to check the utility of these devices. Only 37 states allow their state and local police to use wiretaps in investigations. One member of the panel repeated the rumor that this is supposedly because major politicians were caught with wiretaps. The state legislatures in these states supposedly realized that recipients of graft and influence peddlers were the main target of wiretaps. Eavesdropping just wasn't a tool against muggers. So they decided to protect themselves. It would be possible to check the crime statistics from each of these states and compare them against the eavesdropping states to discover which has a better record against crime. I would like to do this if I can dig up the list of states that allow the technique. I'm sure that this would prove little, but it could possibly clarify something about this technique. It is interesting to note that the House of Representative committee on the Judiciary was holding hearings on abuses of the National Crime Information Center. They came in the same week as the latest round of Clipper hearings before the CSAB. The NCIC is a large computer system run by the FBI to provide all the police departments with a way to track down the past records of people. The widespread access to the system makes it quite vulnerable to abuse. In the hearings, the Congress heard many examples of unauthorized access. Some were as benign as people checking out employees. The worst was an ex-police officer who used the system to track down his ex-girlfriend and kill her. They also heard of a woman who looked up clients for her drug-dealing boyfriend so he could avoid the undercover cops. These hearings made it obvious that there were going to be problems determining the balance of grief. For every prototypical example of a child kidnapped to make child pornography, there is a renegade police officer out to knock off his ex-girlfriend. On the whole, the police may be much more trustworthy than the criminals, but we need to ask how often a system like Clipper will aid the bad guys. In the end, I reduced the calculus of the decision about Clipper to be a simple tradeoff. If we allow widespread, secure encryption, will the criminals take great advantage of this system? The secure phones won't be useful in rapes and random street crime, but they'll be a big aid to organized endeavors. It would empower people to protect their own information unconditionally, but at the cost of letting the criminals do the same. Built-in back doors for the law enforcement community, on the other hand, will deny the power of off-the-shelf technology to crooks, but it would also leave everyone vulnerable to organized attacks on people. I began to wonder if the choice between Clipper and totally secure encryption was moot. In either case, there would be new opportunities for both the law-abiding and the law-ignoring. The amount of crime in the country would be limited only by the number of people who devote their life to the game-- not by any new fangled technology that would shift the balance. I did not attend the Friday meeting so someone else will need to summarize the details. ------------------------------ End of RISKS-FORUM Digest 14.80 ************************