💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › SURFPUNK › surf0103.txt captured on 2022-06-12 at 14:30:47.
-=-=-=-=-=-=-
Date: Sat, 5 Feb 94 19:16:10 PST
Reply-To: <surfpunk@versant.com>
Return-Path: <cocot@versant.com>
Message-ID: <surfpunk-0103@SURFPUNK.Technical.Journal>
Mime-Version: 1.0
Content-Type: text/plain
From: surfpunk@versant.com (gur Obfavn bs Gryrpbzzhavpngvbaf)
To: surfpunk@versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0103] ESCROW: The Bosnia of Telecommunications
# [wrt Mitch Kabor and the Electronic Frontier Foundation]
#
# "The foundation promotes the hope of cheap, easy
# and equal access to a data highway constructed
# along the lines of the Internet, the impromptu net-
# work of 1.3 million computers in 40 countries that
# allows roughly 30 million people to talk to one
# another, read E-mail, post messages, download texts
# (from the Library of Congress as well as from most
# university libraries), play chess, conduct symposia,
# organize political rallies, tell jokes -- all with-
# out having to pay tolls, receive authorization, sub-
# mit a financial statement, or prove that they don't
# smoke."
#
# Lewis Latham writing in the January 1994
# issue of Harper's Magazine
#
######################################
We heard too little for too long. It seemed that Clipper was
losing steam. Industry has not been thrilled with the idea,
more and more major software companies are deploying non-Escrowed
RSA encryption in consumer products, comments received by NIST
ran like two-hundred-something to one against, Clipper was
widely criticized and parodied, people behind it were demoted, etc.
This batch of press releases makes it look to me like the Clinton
Administration is really determined to push it through. Bad News.
Some personal news: I've got my sun3 at home up and running live on
the Internet via The Little Garden (you remember the blurb we
surfpunked back in december) and I've almost got DNS working and its
domain name registered. I've been putting time into this and also into
writing cryptographic tools. I got my licensed copy of PGP from
ViaCrypt but still need a DOS box or emulator of my own to run it on.
(Call ViaCrypt in Phoenix AZ to order yours.) I'll continue
publishing Surfpunk as interesting material appears, but I'm not
scouring the net myself these days as much as I used to, and I just
haven't found that much I thought interesting enough to qualify for
Surfpunk. We'll probably continue to be low-volume for a while -- but
you probably get enough junk in the mail already, right? strick
________________________________________________________________________
________________________________________________________________________
From: Stanton McCandlish <mech>
Subject: Alert--Admin. names escrow agents, no compromise on Clipper - 7 files
EFF Press Release 04/04/94 * DISTRIBUTE WIDELY *
At two briefings, Feb. 4, 1994, the Clinton Administration and various
agencies gave statements before a Congressional committee, and later
representatives of civil liberties organizations, industry spokespersons
and privacy advocates. The Electronic Frontier Foundation's position,
based on what we have seen and heard from the Administration today, is
that the White House is set on a course that pursues Cold War national
security and law enforcement interests to the detriment of individual
privacy and civil liberties.
The news is grim. The Administration is:
* not backing down on Clipper
* not backing down on key escrow
* not backing down on selection of escrow agents
* already adamant on escrowed key access procedures
* not willing to elminate ITAR restrictions
* hiding behind exaggerated threats of "drug dealers" and "terrorists"
The material released to the industry and advocacy version of the briefing
have been placed online at ftp.eff.org (long before their online
availability from goverment access sites, one might add). See below for
specific details.
No information regarding the Congressional committee version of the briefing
has been announced. EFF Director Jerry Berman, who attended the private
sector meeting, reported the following:
"The White House and other officials briefed industry on its Clipper chip
and encryption review. While the review is not yet complete, they have
reached several policy conclusions. First, Clipper will be proposed as
a new Federal Information Processing Standard (FIPS) next Wednesday. [Feb.
9] It will be "vountary" for government agencies and the private sector
to use. They are actively asking other vendors to jump in to make the
market a Clipper market. Export licensing processes will be speeded up but
export restrictions will not be lifted in the interests of national
security. The reason was stated bluntly at the briefing : to frustrate
competition with clipper by other powerful encryption schemes by making
them difficult to market, and to "prevent" strong encryption from leaving
the country thus supposedly making the job of law enforcement and
intelligence more difficult. Again in the interest of national security. Of
course, Clipper will be exportable but they would not comment on how other
governments will view this. Treasury and NIST will be the escrow agents
and Justice asserted that there was no necessity for legislation to
implement the escrow procedures.
"I asked if there would be a report to explain the rationale for choosing
these results - we have no explanation of the Administration's thinking, or
any brief in support of the results. They replied that there would be no
report because they have been unable to write one, due to the complexity of
the issue.
"One Administation spokesperson said this was the Bosnia of
Telecommunications. I asked, if this was so, how, in the absense of some
policy explanation, could we know if our policy here will be as successful
as our policy in Bosnia?"
The announcements, authorization procedures for release of escrowed keys,
and q-and-a documents from the private sector briefing are online at EFF.
They are:
"Statement of the [White House] Press Secretary" [White House]
file://ftp.eff.org/pub/EFF/Policy/Crypto/wh_press_secy.statement
"Statement of the Vice President" [very short - WH]
file://ftp.eff.org/pub/EFF/Policy/Crypto/gore_crypto.statement
"Attorney General Makes Key Escrow Encryption Announcements" [Dept. of Just.]
file://ftp.eff.org/pub/EFF/Policy/Crypto/reno_key_escrow.statement
"Authorization Procedures for Release pf Emcryption Key Components in
Conjunction with Intercepts Pursuant to Title III/State Statutes/FISA"
[3 docs. in one file - DoJ]
file://ftp.eff.org/pub/EFF/Policy/Crypto/doj_escrow_intercept.rules
"Working Group on Data Security" [WH]
file://ftp.eff.org/pub/EFF/Policy/Crypto/interagency_workgroup.announce
"Statement of Dr. Martha Harris Dep. Asst. Secy. of State for Polit.-Mil.
Affairs: Encryption - Export Control Reform" [Dept. of State]
file://ftp.eff.org/pub/EFF/Policy/Crypto/harris_export.statement
"Questions and Answers about the Clinton Administration's Encryption
Policy" [WH]
file://ftp.eff.org/pub/EFF/Policy/Crypto/wh_crypto.q-a
These files are available via anonymous ftp, or via WWW at:
http://www.eff.org/ in the "EFF ftp site" menu off the front page.
Gopher access:
gopher://gopher.eff.org/
Look in "EFF Files"/"Papers and Testimony"/"Crypto"
All 7 of these documents will be posted widely on the net immediately
following this notice.
--
Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist
F O R M O R E I N F O, E - M A I L T O: I N F O @ E F F . O R G
O P E N P L A T F O R M O N L I N E R I G H T S
V I R T U A L C U L T U R E C R Y P T O
________________________________________________________________________
THE WHITE HOUSE
OFFICE OF THE VICE PRESIDENT
EMBARGOED UNTIL, 3: 00 PM EST CONTACT: 202/456-7035
February 4, 1994
STATEMENT OF THE VICE PRESIDENT
Today's announcements on encryption represent important steps in
the implementation of the Administration's policy on this critical
issue. Our policy is designed to provide better encryption to
individuals and businesses while ensuring that the needs of law
enforcement and national security are met.
Encryption is a law and order issue since it can be used by criminals
to thwart wiretaps and avoid detection and prosecution. It also has
huge strategic value. Encryption technology and cryptoanalysis
turned the tide in the Pacific and elsewhere during World War II.
[end of statement]
________________________________________________________________________
Department of Justice
EMBARGOED FOR 3 P.M. RELEASE AG
FRIDAY, FEBRUARY 4, 1994 (202) 616-2771
ATTORNEY GENERAL MAKES KEY ESCROW ENCRYPTION ANNOUNCEMENTS
Attorney General Janet Reno today announced selection of the two
U.S. Government entities that will hold the escrowed key
components for encryption using the key escrow encryption method.
At the same time, the Attorney General made public procedures
under which encryption key components will be released to
government agencies for decrypting communications subject to
lawful wiretaps.
Key Escrow Encryption (formerly referred to as Clipper Chip )
strikes an excellent balance between protection of communications
privacy and protection of society. It permits the use in
commercial telecommunications products of chips that provide
extremely strong encryption, but can be decrypted, when necessary,
by government agencies conducting legally authorized wiretaps.
Decryption is accomplished by use of keys--80-bit binary numbers--
that are unique to each individual encryption chip. Each unique
key is in turn split into two components, which must be recombined
in order to decrypt communications. Knowing one component does not
make decryption any more feasible than not knowing either one.
The two escrow agents are the National Institute of Standards and
Technology (NIST), a part of the Department of Commerce, and the
Automated Systems Division of the Department of the Treasury. The
two escrow agents were chosen because of their abilities to
safeguard sensitive information, while at the same time being able
to respond in a timely fashion when wiretaps encounter encrypted
communications. In addition, NIST is responsible for establishing
standards for protection of sensitive, unclassified information in
Federal computer systems.
The escrow agents will act under strict procedures, which are
being made public today, that will ensure the security of the key
components and govern their release for use in conjunction with
lawful wiretaps. They will be responsible for holding the key
components: for each chip, one agent will hold one of the key
components, and the second agent will hold the other. Neither will
release a key component, except to a government agency with a
requirement to obtain it in connection with a lawfully authorized
wiretap. The system does not change the rules under which
government agencies are authorized to conduct wiretaps.
When an authorized government agency encounters suspected key-
escrow encryption, a written request will have to be submitted to
the two escrow agents. The request will, among other things, have
to identify the responsible agency and the individuals involved;
certify that the agency is involved in a lawfully authorized
wiretap; specify the wiretap's source of authorization and its
duration; and specify the serial number of the key-escrow
encryption chip being used. In every case, an attorney involved in
the investigation will have to provide the escrow agents assurance
that a validly authorized wiretap is being conducted.
Upon receipt of a proper request, the escrow agents will transmit
their respective key components to the appropriate agency. The
components will be combined within a decrypt device, which only
then will be able to decrypt communications protected by key-
escrow encryption. When the wiretap authorization ends, the device
s ability to decrypt communications using that particular chip
will also be ended.
The Department of Justice will, at the various stages of the
process, take steps to monitor compliance with the procedures.
________________________________________________________________________
>From the White House
Embargoed until 3:00 p.m. EST Feb. 4, 1994
QUESTIONS AND ANSWERS ABOUT THE
CLINTON ADMINISTRATION'S ENCRYPTION POLICY
Q. What were the findings of the encryption technology review?
A. The review confirmed that sound encryption technology is
needed to help ensure that digital information in both computer
and telecommunications systems is protected against unauthorized
disclosure or tampering. It also verified the importance of
preserving the ability of law enforcement to understand encrypted
communications when conducting authorized wiretaps. Key escrow
technology meets these objectives.
Specific decisions were made to enable federal agencies and the
private sector to use the key escrow technology on a voluntary
basis and to allow the export of key escrow encryption products.
In addition, the Department of State will streamline export
licensing procedures for products that can be exported under
current regulations in order to help U.S. companies to sell their
products abroad.
To meet the critical need for ways to verify the author and sender
of an electronic message -- something that is crucial to business
applications for the National Information Infrastructure -- the
federal government is committed to ensuring the availability of a
royalty-free, public-domain Digital Signature Standard.
Finally, an interagency working group has been established to
continue to address these issues and to maintain a dialogue with
industry and public interest groups.
Q. Who has been consulted during this review? The Congress?
Industry? What mechanism is there for continuing consultation?
A. Following the President's directive announced on April 16,
1993, extensive discussions have been held with Congress,
industry, and privacy rights groups on encryption issues. Formal
public comment was solicited on the Escrowed Encryption Standard
and on a wide variety of issues related to the review through the
Computer System Security and Privacy Advisory Board.
The White House Office of Science and Technology Policy and the
National Security Council will chair the interagency working
group. The group will seek input from the private sector both
informally and through several existing advisory committees. It
also will work closely with the Information Policy Committee of
the Information Infrastructure Task Force, which is responsible
for coordinating Administration telecommunications and information
policy.
Q. If national security and law enforcement interests require
continued export controls of encryption, what specific benefits
can U.S. encryption manufacturers expect?
A. The reforms will simplify encryption product export licensing
and speed the review of encryption product exports. Among other
benefits, manufacturers should see expedited delivery of products,
reduced shipping and reporting costs, and fewer individual license
requests -- especially for small businesses that cannot afford
international distributors. A personal exemption for business
travellers using encryption products will eliminate delays and
inconvenience when they want to take encryption products out of
the U.S. temporarily.
Q. Why is the key escrow standard being adopted?
A. The key escrow mechanism will provide Americans and
government agencies with encryption products that are more secure,
more convenient, and less expensive than others readily available
today -- while at the same time meeting the legitimate needs of
law enforcement.
Q. Will the standard be mandatory?
A. No. The Administration has repeatedly stressed that the key
escrow technology, and this standard, is for voluntary use by
federal and other government agencies and by the private sector.
The standard that is being issued only applies to federal agencies
-- and it is voluntary.
Does this approach expand the authority of government agencies to
listen in on phone conversations?
No Key escrow technology provides government agencies with no
[sic] new authorities to access the content of the private
conversations of Americans.
Q. Will the devices be exportable? Will other devices that use
the government hardware?
A. Yes. After an initial review of the product, the State
Department will permit the export of devices incorporating key
escrow technology to most end users. One of the attractions of
this technology is the protection it can give to U.S. companies
operating at home and abroad.
Q. Suppose a law enforcement agency is conducting a wiretap on a
drug smuggling ring and intercepts a conversation encrypted using
the device. What would they have to do to decipher the message?
A. They would have to obtain legal authorization, normally a
court order, to do the wiretap in the first place. They would then
present documentation, including a certification of this
authorization, to the two entities responsible for safeguarding
the keys. (The key is split into component parts, which are stored
separately in order to ensure the security of the key escrow
system.) They then obtain the components for the keys for the
device being used by the drug smugglers. The components are then
combined and the message can be read.
Q. Who will hold the escrowed keys?
A. The Attorney General has selected two U.S. agencies to hold
the escrowed key components: the Treasury Department's Automated
Systems Division and the Commerce Department's National Institute
of Standards and Technology.
Q. How strong is the security in the device? How can I be sure
how strong the security is?
A. This system is more secure than many other voice encryption
system readily available today. While the algorithm upon which the
Escrowed Encryption Standard is based will remain classified to
protect the security of the system, an independent panel of
cryptography experts found that the algorithm provides significant
protection. In fact, the panel concluded that it will be 36 years
until the cost of breaking the algorithm will be equal to the cost
of breaking the current Data Encryption Standard now being used.
Q. Is there a "trap door" that would allow unauthorized access
to the keys?
A. No. There is no trapdoor.
Q. Whose decision was it to propose this product?
A. The National Security Council, the Justice Department, the
Commerce Department, and other key agencies were involved in this
decision. The approach has been endorsed by the President, the
Vice President, and appropriate Cabinet officials.
________________________________________________________________________
U.S. Department of Justice
Washington, D.C. 20530
February 4, 1994
AUTHORIZATION PROCEDURES FOR RELEASE OF ENCRYPTION KEY COMPONENTS
IN CONJUNCTION WITH INTERCEPTS PURSUANT TO TITLE III
The following are the procedures for the release of escrowed key
components in conjunction with lawfully authorized interception of
communications encrypted with a key-escrow encryption method.
These procedures cover all electronic surveillance conducted
pursuant to Title III of the Omnibus crime Control and Safe
Streets Act of 1968, as amended (Title III), Title 18, United
States Code, Section 2510 et seq.
1) In each case there shall be a legal authorization for the
interception of wire and/or electronic communications.
2) All electronic surveillance court orders under Title III
shall contain provisions authorizing after-the-fact minimization,
pursuant to 18 U.S.C. 2518(5), permitting the interception and
retention of coded communications, including encrypted
communications.
3) In the event that federal law enforcement agents discover
during the course of any lawfully authorized interception that
communications encrypted with a key escrow encryption method are
being utilized, they may obtain a certification from the
investigative agency conducting the investigation, or the Attorney
General of the United States or designee thereof. Such
certification shall
(a) identify the law enforcement agency or other
authority conducting the interception and the person providing the
certification;
(b) certify that necessary legal authorization has been
obtained to conduct electronic surveillance regarding these
communications;
(c) specify the termination date of the period for which
interception has been authorized;
(d) identify by docket number or other suitable method
of specification the source of the authorization;
(e) certify that communications covered by that
authorization are being encrypted with a key-escrow encryption
method;
(f) specify the identifier (ID) number of the key escrow
encryption chip providing such encryption; and
(g) specify the serial (ID) number of the key-escrow
decryption device that will be used by the law enforcement agency
or other authority for decryption of the intercepted
communications.
4) The agency conducting the interception shall submit this
certification to each of the designated key component escrow
agents. If the certification has been provided by an investigative
agency, as soon thereafter as practicable, an attorney associated
with the United States Attorney's Office supervising the
investigation shall provide each of the key component escrow
agents with written confirmation of the certification.
5) Upon receiving the certification from the requesting
investigative agency, each key component escrow agent shall
release the necessary key component to the requesting agency. The
key components shall be provided in a manner that assures they
cannot be used other than in conjunction with the lawfully
authorized electronic surveillance for which they were requested.
6) Each of the key component escrow agents shall retain a
copy of the certification of the requesting agency, as well as the
subsequent confirmation of the United States Attorney's Office. In
addition, the requesting agency shall retain a copy of the
certification and provide copies to the following for retention in
accordance with normal record keeping requirements:
(a) the United States Attorney's Office supervising the
investigation, and
(b) the Department of Justice, Office of Enforcement
Operations.
7) Upon, or prior to, completion of the electronic
surveillance phase of the investigation, the ability of the
requesting agency to decrypt intercepted communications shall
terminate, and the requesting agency may not retain the key
components.
8) The Department of Justice shall, in each such case,
(a) ascertain the existence of authorizations for
electronic surveillance in cases for which escrowed key components
have been released;
(b) ascertain that key components for a particular key
escrow encryption chip are being used only by an investigative
agency authorized to conduct electronic surveillance of
communications encrypted with that chip; and
(c) ascertain that, no later than the completion of the
electronic surveillance phase of the investigation, the ability of
the requesting agency to decrypt intercepted communications is
terminated.
9) In reporting to the Administrative Office of the United
States Courts pursuant to 18 U.S.C. Section 2519(2), the Assistant
Attorney General for the Criminal Division shall, with respect to
any order for authorized electronic surveillance for which
escrowed encryption components were released and used for
decryption, specifically note that fact.
These procedures do not create, and are not intended to create,
any substantive rights for individuals intercepted through
electronic surveillance, and noncompliance with these procedures
shall not provide the basis for any motion to suppress or other
objection to the introduction of electronic surveillance evidence
lawfully acquired.