The RISKS Digest
Volume 14 Issue 80

Wednesday, 11th August 1993

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Article by Dorothy Denning on Clipper Chip
Al Stangenberger
SKIPJACK Review
Dorothy Denning
The Rule of Law and the Clipper Escrow Project
Peter Wayner
Info on RISKS (comp.risks)

Article by Dorothy Denning on Clipper Chip

Al Stangenberger <forags@nature.berkeley.edu>
Wed, 4 Aug 93 10:35:05 PDT
The July-August issue of American Scientist (Amer. Scientist 81:319-323) has a
column by Dorothy Denning describing the Clipper Encryption System.  It is
written from the Administration and law enforcement viewpoint and does not
discuss the serious privacy issues which have been raised in RISKS.  However,
it does present a clear discussion of the system and might be useful in
explaining the system to colleagues.

Al Stangenberger            Dept. of Env. Sci., Policy, & Mgt.
forags@nature.berkeley.edu  145 Mulford Hall, Univ. of Calif. Berkeley CA 94720


SKIPJACK Review

Dorothy Denning <DENNING@guvax.acc.georgetown.edu>
Sun, 01 Aug 1993 21:16:56 -0400 (EDT)
                            SKIPJACK Review
                             Interim Report
                        The SKIPJACK Algorithm

           Ernest F. Brickell, Sandia National Laboratories
               Dorothy E. Denning, Georgetown University
            Stephen T. Kent, BBN Communications Corporation
                          David P. Maher, AT&T
                  Walter Tuchman, Amperif Corporation

                              July 28, 1993
                            (copyright 1993)

Executive Summary

The objective of the SKIPJACK review was to provide a mechanism whereby
persons outside the government could evaluate the strength of the
classified encryption algorithm used in the escrowed encryption devices
and publicly report their findings.  Because SKIPJACK is but one
component of a large, complex system, and because the security of
communications encrypted with SKIPJACK depends on the security of the
system as a whole, the review was extended to encompass other
components of the system.  The purpose of this Interim Report is to
report on our evaluation of the SKIPJACK algorithm.  A later Final
Report will address the broader system issues.

The results of our evaluation of the SKIPJACK algorithm are as
follows:

  1. Under an assumption that the cost of processing power is halved
     every eighteen months, it will be 36 years before the cost of
     breaking SKIPJACK by exhaustive search will be equal to the cost
     of breaking DES today.  Thus, there is no significant risk that
     SKIPJACK will be broken by exhaustive search in the next 30-40
     years.

  2. There is no significant risk that SKIPJACK can be broken through a
     shortcut method of attack.

  3. While the internal structure of SKIPJACK must be classified in
     order to protect law enforcement and national security objectives,
     the strength of SKIPJACK against a cryptanalytic attack does not
     depend on the secrecy of the algorithm.



1.  Background

On April 16, the President announced a new technology initiative aimed
at providing a high level of security for sensitive, unclassified
communications, while enabling lawfully authorized intercepts of
telecommunications by law enforcement officials for criminal
investigations.  The initiative includes several components:

    A classified encryption/decryption algorithm called "SKIPJACK."

    Tamper-resistant cryptographic devices (e.g., electronic chips),
    each of which contains SKIPJACK, classified control software, a
    device identification number, a family key used by law enforcement,
    and a device unique key that unlocks the session key used to
    encrypt a particular communication.

    A secure facility for generating device unique keys and programming
    the devices with the classified algorithms, identifiers, and keys.

    Two escrow agents that each hold a component of every device unique
    key.  When combined, those two components form the device unique
    key.

    A law enforcement access field (LEAF), which enables an authorized
    law enforcement official to recover the session key.  The LEAF is
    created by a device at the start of an encrypted communication and
    contains the session key encrypted under the device unique key
    together with the device identifier, all encrypted under the family
    key.

    LEAF decoders that allow an authorized law enforcement official to
    extract the device identifier and encrypted session key from an
    intercepted LEAF.  The identifier is then sent to the escrow
    agents, who return the components of the corresponding device
    unique key.  Once obtained, the components are used to reconstruct
    the device unique key, which is then used to decrypt the session key.

This report reviews the security provided by the first component, namely the
SKIPJACK algorithm.  The review was performed pursuant to the President's
direction that "respected experts from outside the government will be offered
access to the confidential details of the algorithm to assess its capabilities
and publicly report their finding."  The Acting Director of the National
Institute of Standards and Technology (NIST) sent letters of invitation to
potential reviewers.  The authors of this report accepted that invitation.

We attended an initial meeting at the Institute for Defense Analyses
Supercomputing Research Center (SRC) from June 21-23.  At that meeting, the
designer of SKIPJACK provided a complete, detailed description of the
algorithm, the rationale for each feature, and the history of the design.  The
head of the NSA evaluation team described the evaluation process and its
results.  Other NSA staff briefed us on the LEAF structure and protocols for
use, generation of device keys, protection of the devices against reverse
engineering, and NSA's history in the design and evaluation of encryption
methods contained in SKIPJACK.  Additional NSA and NIST staff were present at
the meeting to answer our questions and provide assistance.  All staff members
were forthcoming in providing us with requested information.

At the June meeting, we agreed to integrate our individual evaluations into
this joint report.  We also agreed to reconvene at SRC from July 19-21 for
further discussions and to complete a draft of the report.  In the interim, we
undertook independent tasks according to our individual interests and
availability.  Ernest Brickell specified a suite of tests for evaluating
SKIPJACK.  Dorothy Denning worked at NSA on the refinement and execution of
these and other tests that took into account suggestions solicited from
Professor Martin Hellman at Stanford University.  NSA staff assisted with the
programming and execution of these tests.  Denning also analyzed the structure
of SKIPJACK and its susceptibility to differential cryptanalysis.  Stephen
Kent visited NSA to explore in more detail how SKIPJACK compared with NSA
encryption algorithms that he already knew and that were used to protect
classified data.  David Maher developed a risk assessment approach while
continuing his ongoing work on the use of the encryption chip in the AT&T
Telephone Security Device.  Walter Tuchman investigated the anti-reverse
engineering properties of the chips.

We investigated more than just SKIPJACK because the security of communications
encrypted with the escrowed encryption technology depends on the security
provided by all the components of the initiative, including protection of the
keys stored on the devices, protection of the key components stored with the
escrow agents, the security provided by the LEAF and LEAF decoder, protection
of keys after they have been transmitted to law enforcement under court order,
and the resistance of the devices to reverse engineering.  In addition, the
success of the technology initiative depends on factors besides security, for
example, performance of the chips.  Because some components of the escrowed
encryption system, particularly the key escrow system, are still under design,
we decided to issue this Interim Report on the security of the SKIPJACK
algorithm and to defer our Final Report until we could complete our evaluation
of the system as a whole.


2.  Overview of the SKIPJACK Algorithm

SKIPJACK is a 64-bit "electronic codebook" algorithm that transforms a 64-bit
input block into a 64-bit output block.  The transformation is parameterized
by an 80-bit key, and involves performing 32 steps or iterations of a complex,
nonlinear function.  The algorithm can be used in any one of the four
operating modes defined in FIPS 81 for use with the Data Encryption Standard
(DES).

The SKIPJACK algorithm was developed by NSA and is classified SECRET.  It is
representative of a family of encryption algorithms developed in 1980 as part
of the NSA suite of "Type I" algorithms, suitable for protecting all levels of
classified data.  The specific algorithm, SKIPJACK, is intended to be used
with sensitive but unclassified information.

The strength of any encryption algorithm depends on its ability to withstand
an attack aimed at determining either the key or the unencrypted ("plaintext")
communications.  There are basically two types of attack, brute-force and
shortcut.


3.  Susceptibility to Brute Force Attack by Exhaustive Search

In a brute-force attack (also called "exhaustive search"), the adversary
essentially tries all possible keys until one is found that decrypts the
intercepted communications into a known or meaningful plaintext message.  The
resources required to perform an exhaustive search depend on the length of the
keys, since the number of possible keys is directly related to key length.  In
particular, a key of length N bits has 2^N possibilities.  SKIPJACK uses
80-bit keys, which means there are 2^80 (approximately 10^24) or more than 1
trillion trillion possible keys.

An implementation of SKIPJACK optimized for a single processor on the
8-processor Cray YMP performs about 89,000 encryptions per second.  At that
rate, it would take more than 400 billion years to try all keys.  Assuming the
use of all 8 processors and aggressive vectorization, the time would be
reduced to about a billion years.

A more speculative attack using a future, hypothetical, massively parallel
machine with 100,000 RISC processors, each of which was capable of 100,000
encryptions per second, would still take about 4 million years.  The cost of
such a machine might be on the order of $50 million.  In an even more
speculative attack, a special purpose machine might be built using 1.2 billion
$1 chips with a 1 GHz clock.  If the algorithm could be pipelined so that one
encryption step were performed per clock cycle, then the $1.2 billion machine
could exhaust the key space in 1 year.

Another way of looking at the problem is by comparing a brute force attack on
SKIPJACK with one on DES, which uses 56-bit keys.  Given that no one has
demonstrated a capability for breaking DES, DES offers a reasonable benchmark.
Since SKIPJACK keys are 24 bits longer than DES keys, there are 2^24 times
more possibilities.  Assuming that the cost of processing power is halved
every eighteen months, then it will not be for another 24 * 1.5 = 36 years
before the cost of breaking SKIPJACK is equal to the cost of breaking DES
today.  Given the lack of demonstrated capability for breaking DES, and the
expectation that the situation will continue for at least several more years,
one can reasonably expect that SKIPJACK will not be broken within the next
30-40 years.

Conclusion 1: Under an assumption that the cost of processing power is halved
every eighteen months, it will be 36 years before the cost of breaking
SKIPJACK by exhaustive search will be equal to the cost of breaking DES today.
Thus, there is no significant risk that SKIPJACK will be broken by exhaustive
search in the next 30-40 years.

4.  Susceptibility to Shortcut Attacks

In a shortcut attack, the adversary exploits some property of the encryption
algorithm that enables the key or plaintext to be determined in much less time
than by exhaustive search.  For example, the RSA public-key encryption method
is attacked by factoring a public value that is the product of two secret
primes into its primes.

Most shortcut attacks use probabilistic or statistical methods that exploit a
structural weakness, unintentional or intentional (i.e., a "trapdoor"), in the
encryption algorithm.  In order to determine whether such attacks are
possible, it is necessary to thoroughly examine the structure of the algorithm
and its statistical properties.  In the time available for this review, it was
not feasible to conduct an evaluation on the scale that NSA has conducted or
that has been conducted on the DES.  Such review would require many man-years
of effort over a considerable time interval.  Instead, we concentrated on
reviewing NSA's design and evaluation process.  In addition, we conducted
several of our own tests.

4.1  NSA's Design and Evaluation Process

SKIPJACK was designed using building blocks and techniques that date back more
than forty years.  Many of the techniques are related to work that was
evaluated by some of the world's most accomplished and famous experts in
combinatorics and abstract algebra.  SKIPJACK's more immediate heritage dates
to around 1980, and its initial design to 1987.

SKIPJACK was designed to be evaluatable, and the design and evaluation
approach was the same used with algorithms that protect the country's most
sensitive classified information.  The specific structures included in
SKIPJACK have a long evaluation history, and the cryptographic properties of
those structures had many prior years of intense study before the formal
process began in 1987.  Thus, an arsenal of tools and data was available.
This arsenal was used by dozens of adversarial evaluators whose job was to
break SKIPJACK.  Many spent at least a full year working on the algorithm.
Besides highly experienced evaluators, SKIPJACK was subjected to cryptanalysis
by less experienced evaluators who were untainted by past approaches.  All
known methods of attacks were explored, including differential cryptanalysis.
The goal was a design that did not allow a shortcut attack.

The design underwent a sequence of iterations based on feedback from the
evaluation process.  These iterations eliminated properties which, even though
they might not allow successful attack, were related to properties that could
be indicative of vulnerabilities.  The head of the NSA evaluation team
confidently concluded "I believe that SKIPJACK can only be broken by brute
force; there is no better way."

In summary, SKIPJACK is based on some of NSA's best technology.  Considerable
care went into its design and evaluation in accordance with the care given to
algorithms that protect classified data.

4.2  Independent Analysis and Testing

Our own analysis and testing increased our confidence in the strength
of SKIPJACK and its resistance to attack.

4.2.1  Randomness and Correlation Tests

A strong encryption algorithm will behave like a random function of the key
and plaintext so that it is impossible to determine any of the key bits or
plaintext bits from the ciphertext bits (except by exhaustive search).  We ran
two sets of tests aimed at determining whether SKIPJACK is a good pseudo
random number generator.  These tests were run on a Cray YMP at NSA.  The
results showed that SKIPJACK behaves like a random function and that
ciphertext bits are not correlated with either key bits or plaintext bits.
Appendix A gives more details.

4.2.2  Differential Cryptanalysis

Differential cryptanalysis is a powerful method of attack that exploits
structural properties in an encryption algorithm.  The method involves
analyzing the structure of the algorithm in order to determine the effect of
particular differences in plaintext pairs on the differences of their
corresponding ciphertext pairs, where the differences are represented by the
exclusive-or of the pair.  If it is possible to exploit these differential
effects in order to determine a key in less time than with exhaustive search,
an encryption algorithm is said to be susceptible to differential
cryptanalysis.  However, an actual attack using differential cryptanalysis may
require substantially more chosen plaintext than can be practically acquired.

We examined the internal structure of SKIPJACK to determine its susceptibility
to differential cryptanalysis.  We concluded it was not possible to perform an
attack based on differential cryptanalysis in less time than with exhaustive
search.

4.2.3  Weak Key Test

Some algorithms have "weak keys" that might permit a shortcut solution.  DES
has a few weak keys, which follow from a pattern of symmetry in the algorithm.
We saw no pattern of symmetry in the SKIPJACK algorithm which could lead to
weak keys.  We also experimentally tested the all "0" key (all 80 bits are
"0") and the all "1" key to see if they were weak and found they were not.

4.2.4  Symmetry Under Complementation Test

The DES satisfies the property that for a given plaintext-ciphertext pair and
associated key, encryption of the one's complement of the plaintext with the
one's complement of the key yields the one's complement of the ciphertext.
This "complementation property" shortens an attack by exhaustive search by a
factor of two since half the keys can be tested by computing complements in
lieu of performing a more costly encryption.  We tested SKIPJACK for this
property and found that it did not hold.

4.2.5  Comparison with Classified Algorithms

We compared the structure of SKIPJACK to that of NSA Type I algorithms used in
current and near-future devices designed to protect classified data.  This
analysis was conducted with the close assistance of the cryptographer who
developed SKIPJACK and included an in-depth discussion of design rationale for
all of the algorithms involved.  Based on this comparative, structural
analysis of SKIPJACK against these other algorithms, and a detailed discussion
of the similarities and differences between these algorithms, our confidence
in the basic soundness of SKIPJACK was further increased.

Conclusion 2:  There is no significant risk that SKIPJACK can be broken
through a shortcut method of attack.


5.   Secrecy of the Algorithm

The SKIPJACK algorithm is sensitive for several reasons.  Disclosure of the
algorithm would permit the construction of devices that fail to properly
implement the LEAF, while still interoperating with legitimate SKIPJACK
devices.  Such devices would provide high quality cryptographic security
without preserving the law enforcement access capability that distinguishes
this cryptographic initiative.  Additionally, the SKIPJACK algorithm is
classified SECRET  NOT RELEASABLE TO FOREIGN NATIONALS.  This classification
reflects the high quality of the algorithm, i.e., it incorporates design
techniques that are representative of algorithms used to protect classified
information.  Disclosure of the algorithm would permit analysis that could
result in discovery of these classified design techniques, and this would be
detrimental to national security.

However, while full exposure of the internal details of SKIPJACK would
jeopardize law enforcement and national security objectives, it would not
jeopardize the security of encrypted communications.  This is because a
shortcut attack is not feasible even with full knowledge of the algorithm.
Indeed, our analysis of the susceptibility of SKIPJACK to a brute force or
shortcut attack was based on the assumption that the algorithm was known.

Conclusion 3: While the internal structure of SKIPJACK must be classified in
order to protect law enforcement and national security objectives, the
strength of SKIPJACK against a cryptanalytic attack does not depend on the
secrecy of the algorithm.

  [The appendix in LaTeX form is available from Dorothy.  PGN]


The Rule of Law and the Clipper Escrow Project

Peter Wayner <pcw@access.digex.net>
Tue, 3 Aug 1993 09:40:00 -0400
Last Thursday, I attended the first day of the Computer System Ssecurity and
Privacy Advisory Board in Washington. This is a group of industry experts who
discuss topics in computer security that should affect the public and
industry. Some of the members are from users like banks and others are from
service providing companies like Trusted Information Services. Lately, their
discussion has centered on the NSA/NIST's Clipper/Capstone/Skipjack project
and the effects it will have on society.

At the last meeting, the public was invited to make comments and they were
almost unanimously skeptical and critical. They ranged from political
objections to the purely practical impediments. Some argued that this process
of requiring the government to have the key to all conversations was a
violation of the fourth amendment of the constitution prohibiting warrantless
searches. Others noted that a software solution was much simpler and cheaper
even if the chips were going to cost a moderate $25. There were many different
objections, but practically everyone felt that a standard security system was
preferable.

This meeting was largely devoted to the rebuttals from the government. The
National Security Association, the Department of Justice, the FBI, the
national association of District Attorneys and Sheriffs and several others
were all testifying today.

The board itself runs with a quasi-legal style they make a point of making
both video and audio tapes of the presentations. The entire discussion is
conducted with almost as much gravity as Congressional hearings.  The entire
meeting was suffused with an air of ernest lawfullness that came these
speakers. All of them came from the upper ranks of the military or legal
system and a person doesn't rise to such a position without adopting the
careful air of the very diligent bureaucrat. People were fond of saying things
like, "Oh, it's in the Federal Register.  You can look it up." This is
standard operating procedure in Washington agencies and second nature to many
of the day's speakers.

Dorothy Denning was one of the first speakers and she reported on
the findings of the committee of five noted public cryptologists
who agreed to give the Clipper standard a once-over. Eleven people
were asked, but six declined for a variety of reasons. The review
was to be classified "Secret" and some balked at this condition
because they felt it would compromise their position in public.

The talk made clear that the government intended to keep the standard secret
for the sole purpose of preventing people from making unauthorized
implementations without the law enforcement back door. Dr. Denning said that
everyone at the NSA believes that the algorithm could withstand public
knowledge with no trouble.  The review by the panel revealed no reason why
they shouldn't trust this assessment.

Although lack of time lead the panel to largely rubberstamp the more extensive
review by the NSA, they did conduct a few tests of their own. They programmed
the algorithm on a Cray YMP, which incidentally could process 89,000
encryptions per second in single processor mode. This implementation was used
for a cycling test which they found seemed to imply that there was good
randomness. The test is done by repeatedly encrypting one value of data until
a cycle occurs.  The results agreed with what a random process should
generate.

They also tested the system for strength against a differential cryptanalysis
attack and found it worthy. There was really very little other technical
details in the talk. Saying more would have divulged something about the
algorithm.

My general impression is that the system is secure. Many people have played
paranoid and expressed concerns that the classified algorithm might be hiding
a trapdoor. It became clear to me that these concerns were really silly. There
is a built-in trapdoor to be used by the government when it is "legal
authorized" to intercept messages. The NSA has rarely had trouble in the past
exercising either its explicitly granted legal authority or its implied
authority. The phrase "national security" is a powerful pass phrase around
Washington and there is no reason for me to believe that the NSA wouldn't get
all of the access to the escrow database that it needs to do its job. Building
in a backdoor would only leave a weakness for an opponent to exploit and that
is something that is almost as sacriligeous at the NSA as just putting the
classified secrets in a Fed Ex package to Saddam Hussein.

Next there was a report from Geoff Greiveldinger , the man from the Department
of Justice with the responsibility of implementing the the Key Escrow plan.
After the Clipper/Capstone/SkipJack chips are manufactured, they will be
programmed with an individual id number and a secret, unique key. A list is
made of the id, key pairs and this list is split into two halves by taking
each unique key, k, and finding two numbers a and b such that a+b=k. (+
represents XOR). One new list will go to one of the escrow agencies and one
will go to the other. It will be impossible to recover the secret key without
getting the list entry from both agencies.

At this point, they include an additional precaution. Each list will be
encrypted so even the escrow agency won't be able to know what is in its list.
The key for decoding this list will be locked away in the evesdropping box.
When a wiretap is authorized, each escrow agency will lookup the halves of the
key that correspond to the phone being tapped and send these to evesdropping
box where they will be decrypted and combined. That means that two clerks from
the escrow agencies could not combine their knowledge. They would need access
to a third key or an evesdropping box.

It became clear that the system was not fully designed. It wasn't obvious how
spontaneous and fully automated the system would be. Mr. Greiveldinger says
that he is trying to balance the tradeoffs between security and efficiency.
Officers are bound to be annoyed and hampered if they can't start a tap
instanteneously. The kidnapping of a child is the prototypical example of when
this would be necessary.

The courts also grant authority for "roving" wiretaps that allow the police to
intercept calls from any number of phones. A tap like this begs out for a
highly automated system for delivering the keys.

I imagine that the system as it's designed will consist of escrow computers
with a few clerks who have nothing to do all day. When a tap is authorized,
the evesdropping box will be programmed with a private key and shipped to the
agents via overnight express. When they figure out the id number of the phone
being tapped, the evesdropping box will probably phone the two escrow
computers, perform a bit of zero-knowledge authorization and then receive the
two halves of the key. This would allow them to switch lines and conduct
roving taps effectively. The NSA would presumably have a box that would allow
them to decrypt messages from foreign suspects.

At this point, I had just listened to an entirely logical presentation from a
perfect gentleman. We had just run though a system that had many nice
technological checks and balances in it. Subverting it seemed very difficult.
You would need access to the two escrow agencies and an evesdropping box. Mr.
Greiveldinger said that there would be many different "auditting" records that
would be kept of the taps. It was very easy to feel rather secure about the
whole system in a nice, air-conditioned auditorium where clean, nice legally
precise people were speaking in measured tones. It was very easy to believe in
the Rule of Law.

To counteract this, I tried to figure out the easiest way for me to subvert
the system. The simplest way is to be a police officer engaged in a stakeout
of someone for whom you've already received a warrant. You request the Clipper
eavesdropping box on the off chance that the suspect will buy a Clipper phone
and then you "lend" it to a friend who needs it. I think that the automation
will allow the person who possesses the box to listen in to whatever lines
that they want. The escrow agency doesn't maintain a list of people and id
numbers-- they only know the list matching the id number to the secret key.
There is no way that they would know that a request from the field was
unreasonable. Yes, the audit trails could be used later to reconstruct what
the box was used for, but that would only be necessary if someone got caught.

The bribe value of this box would probably be hard to determine, but it could
be very valuable. We know that the government of France is widely suspected of
using its key escrow system to eavesdrop on US manufacturers in France. Would
they be willing to buy eavesdropping time here in America? It is not uncommon
to see reports of industrial espionage where the spies get millions of
dollars. On the other hand, cops on the beat in NYC have been influenced for
much less. The supply and demand theory of economics virtually guarantees that
some deals are going to be done.

It is not really clear what real effect the key escrow system is going to have
on security. Yes, thieves would need to raid two different buildings and steal
two different copies of the tapes. This is good. But it is still impossible to
figure out if the requests from the field are legitimate-- at least within the
time constraints posed by urgent cases involving terrorism and kidnapping.

The net effect of implementing the system is that the phone system would be
substantially strengthened against naive intruders, but the police (and those
that bribe them) would still be able to eavesdrop with impunity. Everyone needs
to begin to do a bit of calculus between the costs and benefits of this
approach. On one hand, not letting the police intercept signals will let the
crooks run free but on the other hand, the crooks are not about to use Clipper
phones for their secrets if they know that they can be tapped.

The most interesting speaker was the assistant director of the National
Security Agency, Dr. Clint Brooks. He immediately admitted that the entire
Clipper project was quite unusual because the Agency was not used to dealing
with the open world. Speaking before a wide audience was strange for him and
he admitted that producing a very low cost commercial competitive chip was
also a new challenge for them.

Nevertheless, I found him to be the deepest thinker at the conference.  He
readily admitted that the Clipper system isn't intended to catch any crooks.
They'll just avoid the phones. It is just going to deny them access to the
telecommunications system. They just won't be able to go into Radio Shack and
buy a secure phone that comes off the line.

It was apparent that he was somewhat skeptical of the Clipper's potential for
success. He said at one point the possibilities in the system made it worth
taking the chance that it would succeed. If it could capture a large fraction
of the market then it could help many efforts of the law enforcement and
intelligence community.

When I listened, though, I began to worry about what is going to happen as we
begin to see the eventual blurring of data and voice communications systems.
Right now, people go to Radio Shack to buy a phone. It's the only way you can
use the phone system. In the future, computers, networks and telephones are
going to be linked in much more sophisticated ways.  I think that Intel and
Microsoft are already working on such a technology.

When this happens, programmable phones are going to emerge. People will be
able to pop a new ROM in their cellular digital phone or install new software
in their computer/video game/telephone. This could easily be a proprietary
encryption system that scrambles everything. The traditional way of
controlling technology by controlling the capital intensive manufacturing
sites will be gone. Sure, the NSA and the police will go to Radio Shack and
say "We want your cooperation" and they'll get it. But it's the little,
slippery ones that will be trouble in the new, software world.

The end of the day was dominated by a panel of Law Enforcement specialists
from around the country. These were sheriffs, district attorneys, FBI agents
and other officers from different parts of the system.  Their message was
direct and they didn't hesitate to compare encryption with assault rifles. One
even said, "I don't want to see the officers outgunned in a technical arena."

They repeatedly stressed the incredible safeguards placed upon the wiretapping
process and described the hurdles that the officers must go through to use the
system. One DA from New Jersey said that in his office, they process about
10,000 cases a year, but they only do one to two wiretaps on average. It just
seems like a big hassle and expense for them.

It is common for the judges to require that the officers have very good
circumstantial evidence from informers before giving them the warrant. This
constraint coupled with the crooks natural hesitation to use the phone meant
that wiretaps weren't the world's greatest evidence producers.

One moment of levity came when a board member asked what the criminals
favorite type of encryption was. The police refused to answer this one and I'm
not that sure if they've encountered enough cases to build a profile.

At the end of all of the earnestness and "support-the-cop-on-the-beat", I
still began to wonder if there was much value to wiretaps at all. The police
tried to use the low numbers of wiretaps as evidence that they're not out
there abusing the system, but I kept thinking that this was mainly caused by
the high cost and relatively low utility of the technique.

It turns out that there is an easy way to check the utility of these devices.
Only 37 states allow their state and local police to use wiretaps in
investigations. One member of the panel repeated the rumor that this is
supposedly because major politicians were caught with wiretaps. The state
legislatures in these states supposedly realized that recipients of graft and
influence peddlers were the main target of wiretaps.  Eavesdropping just
wasn't a tool against muggers.  So they decided to protect themselves.

It would be possible to check the crime statistics from each of these states
and compare them against the eavesdropping states to discover which has a
better record against crime. I would like to do this if I can dig up the list
of states that allow the technique.  I'm sure that this would prove little,
but it could possibly clarify something about this technique.

It is interesting to note that the House of Representative committee on the
Judiciary was holding hearings on abuses of the National Crime Information
Center. They came in the same week as the latest round of Clipper hearings
before the CSAB. The NCIC is a large computer system run by the FBI to provide
all the police departments with a way to track down the past records of
people. The widespread access to the system makes it quite vulnerable to
abuse.

In the hearings, the Congress heard many examples of unauthorized access. Some
were as benign as people checking out employees. The worst was an ex-police
officer who used the system to track down his ex-girlfriend and kill her. They
also heard of a woman who looked up clients for her drug-dealing boyfriend so
he could avoid the undercover cops.

These hearings made it obvious that there were going to be problems
determining the balance of grief. For every prototypical example of a child
kidnapped to make child pornography, there is a renegade police officer out to
knock off his ex-girlfriend. On the whole, the police may be much more
trustworthy than the criminals, but we need to ask how often a system like
Clipper will aid the bad guys.


In the end, I reduced the calculus of the decision about Clipper to be a
simple tradeoff. If we allow widespread, secure encryption, will the criminals
take great advantage of this system? The secure phones won't be useful in
rapes and random street crime, but they'll be a big aid to organized
endeavors. It would empower people to protect their own information
unconditionally, but at the cost of letting the criminals do the same.

Built-in back doors for the law enforcement community, on the other hand, will
deny the power of off-the-shelf technology to crooks, but it would also leave
everyone vulnerable to organized attacks on people.

I began to wonder if the choice between Clipper and totally secure encryption
was moot. In either case, there would be new opportunities for both the
law-abiding and the law-ignoring. The amount of crime in the country would be
limited only by the number of people who devote their life to the game-- not
by any new fangled technology that would shift the balance.

I did not attend the Friday meeting so someone else will need to summarize
the details.

Please report problems with the web pages to the maintainer

x
Top