The Impact of a Secret Cryptographic Standard
on Encryption, Privacy, Law Enforcement
11 May 1993
I'd like to begin by expressing my thanks to Congressman
Boucher, the other members of the committee, and the committee staff
for giving us the opportunity to appear before the committee and
express our views.
On Friday, the 16th of April, a sweeping new proposal for
both the promotion and control of cryptography was made public on the
front page of the New York Times and in press releases from the White
House and other organizations.
This proposal was to adopt a new cryptographic system as a
federal standard, but at the same time to keep the system's
functioning secret. The standard would call for the use of a tamper
resistant chip, called Clipper, and embody a `back door' that
will allow the government to decrypt the traffic for law enforcement
and national security purposes.
So far, available information about the chip is minimal and to
some extent contradictory, but the essence appears to be this: When a
Clipper chip prepares to encrypt a message, it generates a short
preliminary signal rather candidly entitled the Law Enforcement
Exploitation Field. Before another Clipper chip will decrypt the
message, this signal must be fed into it. The Law Enforcement
Exploitation Field or LEEF is tied to the key in use and the two must
match for decryption to be successful. The LEEF in turn, when
decrypted by a government held key that is unique to the chip,
will reveal the key used to encrypt the message.
The effect is very much like that of the little keyhole in the
back of the combination locks used on the lockers of school children.
The children open the locks with the combinations, which is supposed
to keep the other children out, but the teachers can always look in
the lockers by using the key.
In the month that has elapsed since the announcement, we have
studied the Clipper chip proposal as carefully as the available
information permits. We conclude that such a proposal is at best
premature and at worst will have a damaging effect on both business
security and civil rights without making any improvement in law
To give you some idea of the importance of the issues this
raises, I'd like to suggest that you think about what are the most
essential security mechanisms in your daily life and work. I believe
you will realize that the most important things any of you ever do by
way of security have nothing to do with guards, fences, badges, or
safes. Far and away the most important element of your security is
that you recognize your family, your friends, and your colleagues.
Probably second to that is that you sign your signature, which
provides the people to whom you give letters, checks, or documents,
with a way of proving to third parties that you have said or promised
something. Finally you engage in private conversations, saying things
to your loved ones, your friends, or your staff that you do not wish
to be overheard by anyone else.
These three mechanisms lean heavily on the physical: face to
face contact between people or the exchange of written messages.
At this moment in history, however, we are transferring our medium
of social interaction from the physical to the electronic at a pace
limited only by the development of our technology. Many of us spend
half the day on the telephone talking to people we may visit in person
at most a few times a year and the other half exchanging electronic
mail with people we never meet in person.
Communication security has traditionally been seen as an
arcane security technology of real concern only to the military and
perhaps the banks and oil companies. Viewed in light of the
observations above, however, it is revealed as nothing less than the
transplantation of fundamental social mechanisms from the world of
face to face meetings and pen and ink communication into a world of
electronic mail, video conferences, electronic funds transfers,
electronic data interchange, and, in the not too distant future,
digital money and electronic voting.
No right of private conversation was enumerated in the
constitution. I don't suppose it occurred to anyone at the time that
it could be prevented. Now, however, we are on the verge of a world
in which electronic communication is both so good and so inexpensive
that intimate business and personal relationships will flourish
between parties who can at most occasionally afford the luxury of
traveling to visit each other. If we do not accept the right of these
people to protect the privacy of their communication, we take a long
step in the direction of a world in which privacy will belong only
to the rich.
The import of this is clear: The decisions we make about
communication security today will determine the kind of society
we live in tomorrow.
The objective of the administration's proposal can be simply
They want to provide a high level of security to their
friends, while being sure that the equipment cannot be
used to prevent them from spying on their enemies.
Within a command society like the military, a mechanism of
this sort that allows soldiers' communications to be protected from
the enemy, but not necessarily from the Inspector General, is an
entirely natural objective. Its imposition on a free society,
however, is quite another matter.
Let us begin by examining the monitoring requirement and ask
both whether it is essential to future law enforcement and what
measures would be required to make it work as planned.
Eavesdropping, as its name reminds us, is not a new phenomenon.
But in spite of the fact that police and spies have been doing it for
a long time, it has acquired a whole new dimension since the invention
of the telegraph. Prior to electronic communication, it was a hit or
miss affair. Postal services as we know them today are a fairly new
phenomenon and messages were carried by a variety of couriers,
travelers, and merchants. Sensitive messages in particular, did
not necessarily go by standardized channels. Paul Revere, who is
generally remembered for only one short ride, was the American
Revolution's courier, traveling routinely from Boston to
Philadelphia with his saddle bags full of political broadsides.
Even when a letter was intercepted, opened, and read, there was
no guarantee, despite some people's great skill with flaps and seals,
that the victim would not notice the intrusion.
The development of the telephone, telegraph, and radio have
given the spies a systematic way of intercepting messages. The
telephone provides a means of communication so effective and
convenient that even people who are aware of the danger routinely put
aside their caution and use it to convey sensitive information.
Digital switching has helped eavesdroppers immensely in automating
their activities and made it possible for them to do their listening a
long way from the target with negligible chance of detection.
Police work was not born with the invention of wiretapping and at
present the significance of wiretaps as an investigative tool is quite
limited. Even if their phone calls were perfectly secure, criminals
would still be vulnerable to bugs in their offices, body wires on
agents, betrayal by co-conspirators who saw a brighter future in
cooperating with the police, and ordinary forensic inquiry.
Moreover, cryptography, even without intentional back doors,
will no more guarantee that a criminal's communications are secure
than the Enigma guaranteed that German communications were secure
in World War II. Traditionally, the richest source of success in
communications intelligence is the ubiquity of busts: failures to
use the equipment correctly.
Even if the best cryptographic equipment we know how to build
is available to them, criminal communications will only be secure to
the degree that the criminals energetically pursue that goal. The
question thus becomes, ``If criminals energetically pursue secure
communications, will a government standard with a built in inspection
port, stop them.
It goes without saying that unless unapproved cryptography is
outlawed, and probably even if it is, users bent on not having their
communications read by the state will implement their own encryption.
If this requires them to forgo a broad variety of approved products,
it will be an expensive route taken only by the dedicated, but this
sacrifice does not appear to be necessary.
The law enforcement function of the Clipper system, as it has
been described, is not difficult to bypass. Users who have faith in
the secret Skipjack algorithm and merely want to protect themselves
from compromise via the Law Enforcement Exploitation Field, need only
encrypt that one item at the start of transmission. In many systems,
this would require very small changes to supporting programs already
present. This makes it likely that if Clipper chips become as freely
available as has been suggested, many products will employ them in
ways that defeat a major objective of the plan.
What then is the alternative? In order to guarantee that
the government can always read Clipper traffic when it feels the need,
the construction of equipment will have to be carefully controlled
to prevent non-conforming implementations. A major incentive that
has been cited for industry to implement products using the new
standard is that these will be required for communication with the
government. If this strategy is successful, it is a club that few
manufacturers will be able to resist. The program therefore threatens
to bring communications manufacturers under an all encompassing
It is noteworthy that such a regime already exists to govern
the manufacture of equipment designed to protect `unclassified but
sensitive' government information, the application for which Clipper
is to be mandated. The program, called the Type II Commercial COMSEC
Endorsement Program, requires facility clearances, memoranda of
agreement with NSA, and access to secret `Functional Security
Requirements Specifications.' Under this program member companies
submit designs to NSA and refine them in an iterative process before
they are approved for manufacture.
The rationale for this onerous procedure has always been, and
with much justification, that even though these manufacturers build
equipment around approved tamper resistant modules analogous to the
Clipper chip, the equipment must be carefully vetted to assure that
it provides adequate security. One requirement that would likely be
imposed on conforming Clipper applications is that they offer no
alternative or additional encryption mechanisms.
Beyond the damaging effects that such regulation would have
on innovation in the communications and computer industries, we must
also consider the fact that the public cryptographic community has
been the principal source of innovation in cryptography. Despite
NSA's undocumented claim to have discovered public key cryptography,
evidence suggests that, although they may have been aware of the
mathematics, they entirely failed to understand the significance. The
fact that public key is now widely used in government as well as
commercial cryptographic equipment is a consequence of the public
community being there to show the way.
Farsightedness continues to characterize public research in
cryptography, with steady progress toward acceptable schemes for
digital money, electronic voting, distributed contract negotiation,
and other elements of the computer mediated infrastructure of the
Even in the absence of a draconian regulatory framework, the
effect of a secret standard, available only in a tamper resistant
chip, will be a profound increase in the prices of many computing
devices. Cryptography is often embodied in microcode, mingled on
chips with other functions, or implemented in dedicated, but standard,
microprocessors at a tiny fraction of the tens of dollars per chip
that Clipper is predicted to cost.
What will be the effect of giving one or a small number of
companies a monopoly on tamper resistant parts? Will there come a
time, as occurred with DES, when NSA wants the standard changed even
though industry still finds it adequate for many applications? If
that occurs will industry have any recourse but to do what it is told?
And who will pay for the conversion?
One of the little noticed aspects of this proposal is the
arrival of tamper resistant chips in the commercial arena. Is this
tamper resistant part merely the precursor to many? Will the open
competition to improve semiconductor computing that has characterized
the past twenty-years give way to an era of trade secrecy? Is it
perhaps tamper resistance technology rather than cryptography that
should be regulated?
Recent years have seen a succession of technological
developments that diminish the privacy available to the individual.
Cameras watch us in the stores, x-ray machines search us at the
airport, magnetometers look to see that we are not stealing from the
merchants, and databases record our actions and transactions. Among
the gems of this invasion is the British Rafter technology that
enables observers to determine what station a radio or TV is
receiving. Except for the continuing but ineffectual controversy
surrounding databases, these technologies flourish without so much as
talk of regulation.
Cryptography is perhaps alone in its promise to give us more
privacy rather than less, but here we are told that we should forgo
this technical benefit and accept a solution in which the government
will retain the power to intercept our ever more valuable and intimate
communications and will allow that power to be limited only by policy.
In discussion of the FBI's Digital Telephony Proposal --- which
would have required communication providers, at great expense to
themselves, to build eavesdropping into their switches --- it was
continually emphasized that wiretaps were an exceptional investigative
measure only authorized when other measures had failed. Absent was
any sense that were the country to make the proposed quarter billion
dollar inventment in intercept equipment, courts could hardly fail to
accept the police argument that a wiretap would save the people
thousands of dollars over other options. As Don Cotter, at one time
director of Sandia National Laboratories, said in respect to military
strategy: ``Hardware makes policy.''
Law, technology, and economics are three central elements of
society that must all be kept in harmony if freedom is to be secure.
An essential element of that freedom is the right to privacy, a right
that cannot be expected to stand against unremitting technological
attack. Where technology has the capacity to support individual
rights, we must enlist that support rather than rejecting it on the
grounds that rights can be abused by criminals. If we put the desires
of the police ahead of the rights of the citizens often enough, we
will shortly find that we are living in police state. We must instead
assure that the rights recognized by law are supported rather than
undermined by technology.
At NSA they believe in something they call `security in depth.'
Their most valuable secret may lie encrypted on a tamper resistant
chip, inside a safe, within a locked office, in a guarded building,
surrounded by barbed wire, on a military base. I submit to you that
the most valuable secret in the world is the secret of democracy; that
technology and policy should go hand in hand in guarding that secret;
that it must be protected by security in depth.
There is a crying need for improved security in American
communication and computing equipment and the Administration is
largely correct when it blames the problem on a lack of standards.
One essential standard that is missing is a more secure conventional
algorithm to replace DES, an area of cryptography in which NSA's
expertise is probably second to none.
I urge the committee to take what is good in the
Administration's proposal and reject what is bad.
The Skipjack algorithm and every other aspect of this proposal
should be made public, not only to expose them to public
scrutiny but to guarantee that once made available as
standards they will not be prematurely withdrawn.
Configuration control techniques pioneered by the public
community can be used to verify that some pieces of equipment
conform to government standards stricter than the commercial
where that is appropriate.
I likewise urge the committee to recognize that the right
to private conversation must not be sacrificed as we move
into a telecommunicated world and reject the Law Enforcement
Exploitation Function and the draconian regulation that would
necessarily come with it.
I further urge the committee to press the Administration
to accept the need for a sound international security
technology appropriate to the increasingly international
character of the world's economy.