Approval of Federal Information Processing Standards Publication
185, Escrowed Encryption Standard (EES): 59 FR 5997
VOL. 59, No. 27
DEPARTMENT OF COMMERCE (DOC)
National Institute of Standards and Technology (NIST)
Approval of Federal Information Processing Standards Publication 185,
Escrowed Encryption Standard (EES)
59 FR 5997
February 9, 1994
ACTION: The purpose of this notice is to announce that the Secretary of
Commerce has approved a new standard, which will be published as FIPS
Publication 185, Escrowed Encryption Standard.
SUMMARY: On July 30, 1993, notice was published in the Federal Register
(58 FR 40791) that a Federal Information Processing Standard for EES
was being proposed for Federal use. The written comments submitted by
interested parties and other material available to the Department
relevant to this standard were reviewed by NIST. On the basis of this
review, NIST recommended that the Secretary approve the standard as a
Federal Information Processing Standards Publication and prepared a
detailed justification document for the Secretary's review in support
of that recommendation. The detailed justification document which was
presented to the Secretary is part of the public record and is
available for inspection and copying in the Department's Central
Reference and Records Inspection Facility, room 6020, Herbert C. Hoover
Building, 14th Street between Pennsylvania and Constitution Avenues,
NW., Washington DC 20230.
This FIPS contains two sections: (1) An announcement section, which
provides information concerning the applicability, implementation, and
maintenance of the standard; and (2) a specifications section which
deals with the technical requirements of the standard. Both sections of
the standard are provided in this notice.
EFFECTIVE DATE: This standard is effective March 11, 1994.
ADDRESSES: Interested parties may purchase copies of this standard,
including the technical specifications section, from the National
Technical Information Service (NTIS). Specific ordering information
from NTIS for this standard is set out in the "Where to Obtain Copies"
section of the announcement section of the standards.
FOR FURTHER INFORMATION CONTACT: Michael R. Rubin, Deputy Chief Counsel
for the National Institute of Standards and Technology, (301) 975-2803,
room A1111, Administration Building, National Institute of Standards
and Technology, Gaithersburg, MD 20899.
SUPPLEMENTARY INFORMATION: This standard specifies a technology
developed by the Federal government to provide strong encryption
protection for unclassified information and to provide that the keys
used in the encryption and decryption processes are escrowed. This
latter feature will assist law enforcement and other government
agencies, under the proper legal authority, in the collection and
decryption of electronically transmitted information. The encryption
technology will be implemented in electronic devices.
The purpose of this standard is to facilitate the acquisition of
devices that implement escrowed encryption techniques by Federal
government agencies. This standard does not mandate the use of escrowed
encryption devices by Federal government agencies, the private sector
or other levels of government. The use of such devices is totally
voluntary. The standard provides a mechanism for Federal government
agencies to use when they wish to specify key escrowed encryption as a
requirement in their acquisition documents. Otherwise agencies would
have to formally waive the requirements of the recently reaffirmed
encryption standard, FIPS 46-2, Data Encryption Standard, if they
wanted to use escrowed encryption techniques.
Key escrow technology was developed to address the concern that
widespread use of encryption makes lawfully authorized electronic
surveillance difficult. In the past, law enforcement authorities have
encountered very little encryption because of the expense and
difficulty in using this technology. More recently, however, lower
cost, commercial encryption technology has become available for use by
U.S. industry and private citizens. The key escrow technology provided
by this standard addresses the needs of the private sector for top
notch communications security, and of U.S. law enforcement to conduct
lawfully authorized electronic surveillance.
Analysis of Comments
This FIPS was announced in the Federal Register (58 FR 40791 dated
July 30, 1993) and was also sent to Federal agencies for review.
Comments were received from 22 government organizations in the United
States, 22 industry organizations and 276 individuals. Of the 298
comments received from industry organizations and from individuals, 225
were forwarded to NIST by the Electronic Frontier Foundation which had
collected them as electronic mail messages.
The Federal government organizations submitting comments included 11
Cabinet departments and 11 other Federal organizations. The 22 industry
organizations included several large computer industry organizations, 4
trade associations, 2 professional societies, and several smaller
computer industry organizations. The individuals submitting comments
included computer systems, networks and software professionals;
consultants; professionals affiliated with universities and colleges;
students; and many individuals who did not identify their professions.
Comments were grouped for the purpose of this analysis in the
following major categories:
A. General comments concerning key escrow encryption;
B. Other general comments;
C. Patent infringement allegations;
D. Economic comments on the standard, including its potential cost
to Federal agencies and private organizations that adopt it, and the
effect that the standard may have upon the competitiveness of U.S.
firms in domestic and world markets; and,
E. Comments on the technical operation of the standard.
Each of these matters is discussed in turn below.
A. General Comments Concerning Key Escrow
Nearly all of the comments received from industry and individuals
opposed the adoption of the standard, raising concerns about a variety
of issues including privacy; the use of a secret algorithm; the
security of the technology; restrictions on software implementation;
impact on competitiveness; and lack of procedures for escrowing keys.
Over 80 percent of the industry and individual responses repeated the
following points which were also made by the Electronic Frontier
(1) Five industry organizations and 200 individuals said that
guarantees are needed to assure that this standard is not a first step
toward prohibition against other forms of encryption. In response, NIST
notes that the standard is a specification for voluntary use by the
Federal government in the acquisition of devices for escrowed
encryption. There is no requirement that the public use this standard.
Further, the Administration has announced that it will not propose new
legislation to limit the use of encryption technology.
(2) Three industry organizations and 164 individuals said that there
had been insufficient technical and operational information available
to allow full public comment. Also, seven Federal government
organizations, 19 industry organizations, and 213 individuals expressed
concern that the details of the escrowed encryption system had not been
announced when the FIPS was proposed. Other related concerns included:
the escrow agents have not been identified; the operating procedures
are unclear; the system will not be secure if the keys are not
protected; the system must allow for enforcement of expiration of
wiretap authority. One member of the NIST Computer Privacy and Security
Advisory Board stated that the notice was "content-free".
In response, NIST notes that the standard is a technical one, for
implementation in electronic devices and use in protection of certain
unclassified government communications when such protection is
required. It adopts encryption technology developed by the Federal
government to provide strong protection for unclassified information
and to enable the keys used in the encryption and decryption processes
to be escrowed. The technical aspects of the Escrowed Encryption
Standard have been set forth in detail, and the classified algorithm
has been examined by independent experts.
The responsibility for designation of the key component escrow
agents lies with the Attorney General, rather than the Secretary of
Commerce. In addition, the Attorney General is charged with reviewing
for legal sufficiency the procedures by which an agency establishes its
authority to acquire the content of communications encrypted with
electronic devices using the Escrowed Encryption Standard. Designation
of the key component escrow agents, and approval of procedures for
acquisition of key components to facilitate decryption of
communications, are separate from the establishment of the technical
parameters of this standard. Necessarily, protection of the information
encrypted by use of the Escrowed Encryption Standard requires that the
key components and other aspects of the system be accorded strict
security. Procedures to provide strict security in the programming,
storage, and transmission of key components have been developed;
however, the security procedures for the key components are beyond the
scope of this rule.
Even were the identity of the key component escrow agents, or the
procedures under which escrowed key components will be maintained and
released for use in conjunction with lawfully authorized interceptions
relevant to the technical standards established in the instant rule,
the Department of Commerce has found, consistent with 5 U.S.C.
553(b)(B), that notice and public procedure thereon is unnecessary. The
technical aspects of the Escrowed Encryption Standard themselves,
coupled with the strength of the algorithm and the privacy protections
afforded by the Constitution and relevant statutes, afford adequate
assurance of the efficacy of the standard for the protection of
sensitive unclassified Federal government information, without the need
for specifying the identities of key component escrow agents or
detailing the procedures respecting maintenance or release of key
(3) One Federal government organization, 10 industry organizations,
and 199 individuals were concerned that the escrowed encryption system
may infringe on individual rights. Some said that the government cannot
act as an independent escrow agent. One industry organization and 6
individuals said that the government cannot be trusted to run the
The technical capabilities afforded by the Escrowed Encryption
Standard permit protection of certain sensitive, but unclassified
Federal government information at a level far stronger than that of the
Data Encryption Standard, while at the same time permitting decryption
of communications in conjunction with electronic surveillance when
authorized by law. These comments address policy issues separate from
the technical aspects of the Escrowed Encryption Standard established
herein. The technical benefits accruing to a Federal government system
using the Escrowed Encryption Standard are independent of the identity
of the entities serving as key component escrow agents.
With respect to the suggestions that the system may infringe
individual rights, the purpose of the escrowing of key components is to
permit decryption only in those circumstances in which interception of
communications is lawfully authorized, consistent with the Constitution
and relevant statutes. To this end, the Attorney General is to review
for legal sufficiency the procedures by which an agency establishes its
authority to acquire the contents of such communications. The
Department of Justice has assured NIST, therefore, that the Escrowed
Encryption Standard is fully consistent with protection of individual
(4) Fifteen industry organizations and 193 individuals were
concerned that the standard uses a secret algorithm. Some said that
since the algorithm is secret, it is not possible to evaluate it. Some
said that the algorithm is flawed and is subject to compromise. Two
individuals said that the algorithm has severe technical problems, and
that the algorithm for generating the unit keys is too predictable. One
individual said that in addition to possible decryption via escrowed
keys, the algorithm has a back door. Others said that people will not
use encryption that they cannot trust, and that the risks of using the
EES have not been assessed. One government organization, two industry
organizations and 7 individuals said that the technology will not be
accepted internationally if the algorithm is not known.
The algorithm was developed originally as a classified algorithm for
the U.S. Government to provide highly effective communications
security. It is still used for that purpose. There are no trap doors or
any known weaknesses in it. A classified algorithm is essential to the
effectiveness of the key escrow solution. The use of a classified
algorithm assures that no one can produce devices that use the
algorithm without the key escrow feature and thereby frustrate the
ability of government agencies to acquire the content of communications
encrypted with the algorithm, in conjunction with lawfully authorized
interception. NIST finds that, because the algorithm needs to remain
secret in order to preserve the utility of the key escrow feature, it
would be neither practicable nor in the public interest to publish the
(5) Eight industry organizations and 181 individuals said that it
was premature to adopt the EES as a standard until policy decisions on
encryption are made.
The Federal government is committed to protection of sensitive
information of all kinds, particularly sensitive, but unclassified
information outside the scope of the Warner Amendment. The Escrowed
Encryption Standard gives Federal managers the ability to afford their
agencies' sensitive but unclassified information protection
substantially stronger than possible with the Data Encryption Standard.
This standard permits, but does not mandate, the use of the Escrowed
Encryption Standard by Federal managers; it in no way mandates use of
the standard outside the Federal government. Issuance of the standard
at this time is fully consistent with the President's Directive on
B. Other General Comments
Twelve individuals questioned the role of the National Security
Agency in the development of the standard. In response, NIST notes that
NSA, because of its expertise in the field of cryptography and its
statutory role as a technical advisor to U.S. government agencies
concerning the use of secure communications, developed the technical
basis for the standard which allows for the widespread use of
encryption technology while affording law enforcement the capability to
access encrypted communications under lawfully authorized conditions.
NSA worked in cooperation with the Department of Justice, the FBI and
NIST to develop the escrowed encryption standard.
Seven individuals said that there is other technology available for
protecting information that is more cost effective and that the EES is
not the best solution for the problems identified. NIST notes that use
of the standard is voluntary. The standard states that a risk analysis
should be performed to determine potential threats and risk and that
the costs of providing encryption using this standard as well as
alternative methods and their respective costs should be projected. A
decision to use this standard should be based on the risk and cost
One individual said that the government should not broaden its
access to private communications. NIST notes that the standard does not
broaden access to private communications, Access must be legally
One government organization, 4 industry organizations and 28
individuals said that the standard hinders security of information and
will not help law enforcement activities. NIST responds that, as noted
in the President's directive on "Public Encryption Management," new
communications technology can frustrate lawful government electronic
surveillance and, when exported abroad, thwart foreign intelligence
activities critical to our national interests. The Escrowed Encryption
Standard provides substantially stronger encryption protection than is
currently available under the Data Encryption Standard, and its
implementation in hardware is expected to permit ease and transparency
of use. It is anticipated that security will be enhanced by the
combination of robust encryption with technology easily usable even in
circumstances that have not, in the past, readily lent themselves to
encryption. The Escrowed Encryption Standard permits the protection of
sensitive information with strong encryption, while at the same time
permitting protection of the public safety by decryption in conjunction
with lawfully authorized electronic surveillance. The key escrowing
technique in this standard will allow the government to gain access to
encrypted information only with appropriate legal authorization.
Four industry organizations and 17 individuals said that the
standard does not respond to any user requirement. NIST responds that
the standard provides substantially stronger protection for sensitive,
but unclassified Federal government information than is currently
available under the DATA Encryption Standard. Moreover, the standard
permit law enforcement entities to protect the public safety by gaining
access to encrypted information in conjunction with lawfully authorized
One industry organization and 20 individuals said that it is
unlikely that people engaged in illegal activities will use the
standard. NIST notes that the Administration has chosen to encourage
the widespread use of key escrow devices to make strong encryption
broadly available and affordable.
One individual said that the key escrow program will be funded by
asset forfeiture and therefore will not be subject to Congressional
review. The Federal government will acquire a number of key
escrow-equipped devices, for some of which funds from the Department of
Justice Asset Forfeiture Super Surplus Fund will be utilized. NIST
notes that the asset forfeiture program is subject to Congressional
review and oversight, and to General Accounting Office reviews and
audits, if requested by the Congress. There are, however, no plans to
use asset forfeiture funds for other aspects of the key-escrow
One industry organization stated that the applicability of the
standard should be limited to telephony. NIST notes that the standard
is applicable to voice, facsimile, and computer information
communicated in a telephone system.
One industry organization said that the recommended FIPS deviates
from the FIPS process. In response, NIST notes that it uses a variety
of methods to develop needed standards, including working closely with
other Federal agencies as mandated by the Computer Security Act of
1987. NIST followed its usual procedures in announcing the proposed
standard and soliciting comments from government and private sector
organizations, as well as from interested members of the public. All
comments received to the Federal Register notice announcing the
proposed standard have been made part of the public record and are
available for inspection and copying at the Central Reference and
Records Inspection Facility in the Department of Commerce. The
justification document which was presented to the Secretary of Commerce
is part of the public record as well.
C. Patent Infringement Allegations
In addition to the above comments, NIST has received two allegations
of patent infringement for the key escrow technology adopted by the
EES. The first allegation was from the older of an issued patent, the
second was from an inventor who had recently filed a patent application
with the Patent and Trademark Office. Also, one government organization
observed that the patent status of the EES is not clear and may result
in cost impacts due to payment of royalties, should EES be found to
infringe upon any privately held patent. Based upon information
received to date, NIST has not been persuaded that any patent of which
it is aware will lead to a successful claim against any use of the EES,
including U.S. Government users, for payment of royalties. An
infringement study was conducted upon the first infringement
allegation, with the result that no infringement was found. When the
patent relevant to the second allegation was issued in January of this
year, an infringement study was begun on that patent.
D. Economic Effects of the Standard
Public comments were received on three economic aspects of the
proposed standard, including concerns about the cost to the government
and the private sector of implementing the standard; the effect of the
standard upon the competitiveness of U.S. software firms in world
markets; and suggestions that the government has bestowed an unfair
economic benefit upon the contractor that has been selected to
manufacture the escrow encryption semiconductor chips that are called
for in the standard. Each of these matters is addressed in turn below.
A number of comments were received concerning the possible cost of
implementing the Escrowed Encryption Standard. Thus, one government
agency, two industry organizations and nine individuals expressed
concern about the cost of administration of the escrow database, or
about the cost, availability, implementation and maintenance of the
equipment needed to support the standard. Indeed, one Federal
organization said that it did not support the standard because there
would be an adverse impact if the organization had to replace or modify
its current equipment. An industry organization suggested that the
standard would impose costs on the private sector if private parties
need to use the standard to communicate with the government.
NIST estimates the cost of establishing the escrow system to be
approximately $ 14 million. The cost of operating the key escrow
facility is estimated to be $ 16 million annually.
These costs figures are based upon a number of factors. NIST notes
that use of the standard is voluntary for Federal agencies, and that
agencies are not required to implement it. Agencies will determine
whether to use this standard based on their analyses of the risk of
unauthorized disclosure of their sensitive data and the cost of using
this standard to protect the data. NIST does not expect the wholesale
replacement of the current base of equipment that conforms to FIPS
46-2, Data Encryption Standard. Rather, the implementation of this
standard appears most likely to occur as the Federal government
replaces old and obsolete equipment. NIST believes that as the Federal
government replaces old and obsolete equipment, the additional costs of
implementing this standard in electronic devices will prove to be
negligible compared to the costs of equivalent encryption protection
which would be implemented in encryption devices which do not comply
with this standard.
NIST also notes that the standard has no direct applicability to
entities that do not operate Federal computer systems. Thus,
businesses, universities and other nonprofit organizations and
individual citizens are free to use products that conform to the
standard, or to ignore the standard if they see fit.
Eight industry organizations and 28 individuals said that the
standard will reduce the competitiveness of U.S. computer hardware and
software companies in foreign markets. NIST notes that approval of the
Escrowed Encryption Standard will not prevent U.S. manufacturers from
making other encryption products for the private sector. While export
controls may affect the sales of U.S. encryption products abroad, key
escrow products are already exportable to U.S. industry and individuals
operating abroad in accordance with proper export licensing through the
Department of State. Further, a comprehensive policy review on
commercial encryption is now underway by the Administration. This
review will consider, among other topics, broader export options for
key escrow products. Again, approval of the Escrowed Encryption
Standard for broader export will not restrict exports of other
encryption products. The overseas market for these products will depend
on a variety of factors including any restrictions other countries
place on imports of encryption technology.
3. Unfair Competitive Advantage
One industry organization and two individuals said that the standard
gives an economic advantage to the one company that has been selected
by the Government to date to manufacture semiconductor chips which
conform to this standard. NIST notes that the company that designed the
microcircuit was selected because of its expertise in design of custom
cryptographic chips, its secure facilities, and employment of cleared
personnel. The company that developed the microcircuit was selected for
its technological capabilities to fabricate microcircuits resistant to
reverse engineering. Other manufacturers that wish to enter the market
and can satisfy the technology and security requirements will be
approved to manufacture the microcircuits.
E. Technical Recommendations and Editorial Changes
A wide range of technical issues were raised in the public comment
process. Each issue, and a NIST response follows below.
Four industry organizations and 7 individuals said that the required
hardware implementation of the escrowed encryption standard was not
optimum. Software implementation would be more useful and cost
effective. NIST notes that because software is easy to change, secure
software implementations of the key escrow technique have been
difficult to devise. On August 24, 1993 (58 FR 44662) NIST invited the
participation of the software industry in cooperative efforts to meet
this challenge. Several organizations have indicated that they wish to
collaborate with NIST in this area. NIST will try to establish
cooperative partnerships to investigate the implementation of the EES
Three Federal government organizations and one individual said that
applicability of the standard should not be restrictive, and that it
should allow for other applications and data rates. NIST notes that the
scope of applicability was established to address the immediate need
for improved telephone security while preserving the law enforcement
capability of decrypting intercepted telecommunications that have been
lawfully authorized. Use of the standard is voluntary. Use of the
standard for other purposes is not prohibited in the standard.
One individual stated that the standard should require two or more
escrow agents and that the standard should state that all the
components of the device unique key are independent and all are needed
to form the key. A change was made to state that the Device Unique Key
shall be composed of two components (each 80 bits long) and each
component shall be independently generated and stored by an escrow
agent. This change provides for the two escrow agents envisioned by the
Department of Justice, and two key components, each 80 bits long.
One individual said that the name of Device Identifier (DID) should
be device Unique Identifier (UID). Since DID is used elsewhere for
another purpose, NIST changed the name of Device Identifier (DID) to
device Unique Identifier (UID).
One individual said that the standard should provide for access to
both sides of a real-time conversation. NIST notes that if the two keys
are different, either a law enforcement official must obtain a court
order for both parties of a two-day communication or it can only
decrypt one part of a conversation. Therefore, the standard was changed
to state that the session key used to encrypt transmitted information
shall be the same as the session key used to decrypt received
information in a two-way simultaneous communication.
One industry organization said that the standard should specify a
register for Leaf Creation Methods. NIST changed the standard to state
that the Leaf Creation Method (LCM) shall be registered in the NIST
Computer Security Object Register (e.g., LCM-1). Additional LCM's may
be created in the future.
One industry organization said that the Cryptographic Protocol Field
(CPF) has not been defined and should be removed from the standard
since it is an incomplete specification. NIST changed the standard to
state that the Cryptographic Protocol Field (CPF) shall be registered
in the NIST Computer Security Object Register. This will enable the
details on the CPF to be formalized later.
Four Federal government organizations and two individuals said that
the standard is not an interoperability standard, that it does not
specify parameter lengths and formats and placement in communications,
and that the standard provides insufficient technical information for
implementation. NIST added information to the standard to explain that
it is not an interoperability standard. It does not provide sufficient
information to design and implement a security device or equipment.
Other specifications and standards will be required to assure
interoperability of EES devices in various applications. Specifications
of a particular EES device must be obtained from the manufacturer in
order to use it in an application.
One industry commenter said that the standard should specify a
register of family keys, such as "FBI Family Key 1," to provide some
assurance of interoperability. NIST changed the standard to state that
the family key shall have an identifier (KF-ID). The identifier of a
family key shall be registered in the NIST Computer Security Object
Register. As a result, if more than one family key exists (reasonable
assumption), it should be identified so that law enforcement agencies
can decrypt the LEAF.
One industry organization and one individual stated that the
standard should reference technical specifications explicity (even if
they are classified). NIST changed the standard to provide specific
information on how to obtain the technical specifications for the
SKIPJACK algorithm and the LEAF Creation Method 1.
One industry organization said that parameters (input, output,
status, errors) are not specified in the standard, and that diversity
of sources of implementations cannot be established. NIST notes that
various devices meeting this standard are anticipated. Therefore, the
implementations will depend on a number of factors, including physical,
electrical and application requirements.
One industry organization said that the standard should state that
DID is transmitted in the LEAF. NIST notes that the standard does state
One individual said that the reverse engineering protection for the
algorithm is not prefect. NIST notes that the standard specifies that
the encryption algorithm and the LEAF creation method shall be
implemented in electronic devices highly resistant to reverse
engineering. It does not specify how the reverse engineering is to be
prevented (or deterred). It also does not specify a metric for
measuring the prevention (or deterrence). These are difficult to
quantify and to specify and depend greatly on the implementation. A
study is being performed to evaluate the protection provided by one of
the current implementations of the standard (MYK-78). Estimates of the
protection provided are 1-4 years of protection against attacks by
specialized laboratories investing $ 1M to $ 4M.
One industry organization stated that 2**80 keys is sufficient for
session key, but it is not sufficient for lifetime keys (family and
unique keys). NIST notes that the length of the family key and the
device unique key are presently 80 bits for the SKIPJACK algorithm. The
session key is also 80 bits. While the security lifetime of a session
key is normally much shorter than the security lifetime of a master key
(also called Key Encrypting Key), it is convenient to use keys of the
same length for all purposes. Present implementations of the EES use
one length key for all three types of keys (i.e., 80 bits). This is
expected to be sufficiently long for unclassified data encryption for
many years. However, the length of the family key and device unique key
can be increased in future implementations and future LEAF creation
methods. Some provisions for these have been made in the standard.
One industry organization was concerned that disclosure of the
Device Unique Key could allow decryption of ALL information ever
encrypted with that device (all past and all future), and that this
condition could technically be prevented. NIST believes that key escrow
procedures intended to administratively control the use of the device
Unique Key are outside the scope of standard. Technical controls were
not included in the initial design of the MYK-78 but could be added in
One individual was concerned that two party control is not truly
implemented in the "chip." NIST acknowledges that two party control was
not in the original design criteria of the chip. Administrative
controls are to be used to assure two party control for present design.
This two party control feature could be added to future designs.
One individual said that one "tamperproofing session" is supported
by the Mykotronics implementation of the EES. However, the second
escrow agent entering a key could read first escrow agent's key and
hence have both keys. NIST notes that the present method of reverse
engineering protection provides for one "programming session" in which
device unique parameters are put into the device. The parameters are
"locked" after being entered and verified. The present technology
allows this to be done only once. Other technologies may be developed
which allow two or more independed "program sessions" which prevent
reading of previously entered parameters while other parameters are
being entered. Future implementations may be have this feature but such
requirements at the present time are outside the scope of this
One industry organization recommended that the following should be
put into the standard: "The Session Key (80 bits) shall be encrypted
with the device Unique Key. The encrypted Session Key is concatenated
with the Device Identifier (DID) (xx bits) and the Escrow Authenticator
(EA) (yy bits). This result is then encrypted with the Family Key to
generate a 128 bit LEAF. The 128 bit LEAF along with a 64 bit
Initialization Vector shall be transmitted with the cipher text." NIST
acknowledges that this is a general description of the LEAF creation
method specified in this standard. The complete specifications are
classified. Classified specifications must be obtained in order to
implement the standards. Users of devices meeting this standard do not
need to know the specifics of the LEAF creation method in order to use
security devices meeting this standard. There is, therefore, no purpose
in providing this general specification in the standard.
One industry organization recommended that Modes of Operation be
developed for the EES, including Counter Addressing or Long Cycle Mode,
and that the LFSR should be included. NIST notes that four modes of
operation are specified in FIPS-81. Subsets of these four modes are
specified in the EES. Other subsets are implemented in various devices
implementing this standard. For example, the Output Feedback (OFB) mode
is implemented in the MYK-78T while all subsets specified in the
standard are implemented in the MYK-80. The Linear Feedback Shift
Register (LFSR) mode has been used in some devices but was not included
in the Modes of Operation for DES. OFB can be used in the same
applications. National security interests were considered when
selecting the modes of operation.
One industry organization said that the standard should state length
of Family Key. NIST notes that the length of the family key (80 bits)
may increase in future implementations, and therefore flexibility is
needed in the standard.
Dated: February 4, 1994.
Federal Information Processing Standards Publication 185
Announcing the Escrowed Encryption Standard (EES)
Federal Information Processing Standards Publications (FIPS PUBS)
are issued by the National Institute of Standards and Technology (NIST)
after approval by the Secretary of Commerce pursuant to section 111(d)
of the Federal Property and Administrative Services Act of 1949 as
amended by the Computer Security Act of 1987, Public Law 100-235.
Name of Standard: Escrowed Encryption Standard (EES).
Category of Standard: Telecommunications Security.
Explanation: This Standard specifies use of a symmetric-key
encryption (and decryption) algorithm (SKIPJACK) and a Law Enforcement
Access Field (LEAF) creation method (one part of a key escrow system)
which provides for decryption of encrypted telecommunications when
interception of the telecommunications is lawfully authorized. Both the
SKIPJACK algorithm and the LEAF creation method are to be implemented
in electronic devices (e.g., very large scale integration chips). The
devices may be incorporated in security equipment used to encrypt (and
decrypt) sensitive unclassified telecommunications data. Decryption of
lawfully intercepted telecommunications may be achieved through the
acquisition and use of the LEAF, the decryption algorithm and the two
escrowed key components.
One definition of "escrow" means that something (e.g., a document,
an encryption key) is "delivered to a third person to be given to the
grantee only upon the fulfillment of a condition" (Webster's Seventh
New Collegiate Dictionary). The term, "escrow", for purposes of this
standard, is restricted to this dictionary definition.
A key escrow system, for purposes of this standard, is one that
entrusts the two components comprising a cryptographic key (e.g., a
device unique key) to two key component holders (also called "escrow
agents"). In accordance with the above definition of "escrow", the key
component holders provide the components of a key to a "grantee" (e.g.,
a law enforcement official) only upon fulfillment of the condition that
the grantee has properly demonstrated legal authorization to conduct
electronic surveillance of telecommunications which are encrypted using
the specific device whose device unique key is being requested. The key
components obtained through this process are then used by the grantee
to reconstruct the device unique key and obtain the session key which
is then used to decrypt the telecommunications that are encrypted with
that session key.
The SKIPJACK encryption/decryption algorithm has been approved for
government applications requiring encryption of sensitive but
unclassified data telecommunications as defined herein. The specific
operations of the SKIPJACK algorithm and the LEAF creation method are
classified and hence are referenced, but not specified, in this
Data for purposes of this standard includes voice, facsimile and
computer information communicated in a telephone system. A telephone
system for purposes of this standard is limited to a system which is
circuit switched and operating at data rates of standard commercial
modems over analog voice circuits or which uses basic-rate ISDN or a
similar grade wireless service.
Data that is considered sensitive by a responsible authority should
be encrypted if it is vulnerable to unauthorized disclosure during
telecommunications. A risk analysis should be performed under the
direction of a responsible authority to determine potential threats and
risks. The costs of providing encryption using this standard as well as
alternative methods and their respective costs should be projected. A
responsible authority should then make a decision, based on the risk
and cost analyses, whether or not to use encryption and then whether or
not to use this standard.
Approving Authority: Secretary of Commerce.
Maintenance Agency: Department of Commerce, National Institute of
Standards and Technology.
Applicability: This standard is applicable to all Federal
departments and agencies and their contractors under the conditions
specified below. This standard may be used in designing and
implementing security products and systems, which Federal departments
and agencies use or operate or which are operated for them under
contract. These products may be used when replacing Type II and Type
III (DES) encryption devices and products owned by the government and
This standard may be used when the following conditions apply:
1. An authorized official or manager responsible for data security
or the security of a computer system decides that encryption is
required and cost justified as per OMB Circular A-130; and
2. The data is not classified according to Executive Order 12356,
entitled "National Security Information," or to its successor orders,
or to the Atomic Energy Act of 1954, as amended.
However, Federal departments or agencies which use encryption
devices for protecting data that is classified according to either of
these acts may use those devices also for protecting unclassified data
in lieu of this standard.
In addition, this standard may be adopted and used by non-Federal
Government organizations. Such use is encouraged when it provides the
Applications: This standard may be used in any unclassified
government and commercial communications. Use of devices conforming to
this standard is voluntary for unclassified government applications and
for commercial security applications.
Implementations: The encryption/decryption algorithm and the LEAF
creation method shall be implemented in electronic devices (e.g.,
electronic chip packages) which are protected against unauthorized
entry, modification and reverse engineering. Implementations which are
tested and validated by NIST will be considered as complying with this
standard. An electronic device shall be incorporated into a
cryptographic module in accordance with FIPS 140-1. NIST will test for
conformance with FIPS 140-1. Conforming cryptographic modules can then
be integrated into security equipment for sale and use in a security
application. Information about devices that have been validated,
procedures for testing equipment for conformance with NIST standards,
and information about approved security equipment are available from
the Computer Systems Laboratory, NIST, Gaithersburg, MD 20899.
Export Control: Implementations of this standard are subject to
Federal Government export controls as specified in Title 22, Code of
Federal Regulations, Parts 120 through 131 (International Traffic of
Arms Regulations-ITAR). Exporters of encryption devices, equipment and
technical data are advised to contact the U.S. Department of State,
Office of Defense Trade Controls for more information.
Patents: Implementations of this standard may be covered by U.S. and
Implementation Schedule: This standard becomes effective thirty days
following publication of this FIPS PUB.
Specifications: Federal Information Processing Standard (FIPS 185),
Escrowed Encryption Standard (EES) (affixed).
a. FIPS PUB 46-2, Data Encryption Standard.
b. FIPS PUB 81, Modes of Operation of the DES.
c. FIPS PUB 140-1, Security Requirements for Cryptographic Modules.
The following terms are used as defined below for purposes of this
Data-Unclassified voice, facsimile and computer information
communicated over a telephone system.
Decryption-Conversion of ciphertext to plaintext through the use of
a cryptographic algorithm.
Device (cryptographic)-An electronic implementation of the
encryption/decryption algorithm and the LEAF creation method as
specified in this standard.
Digital data-Data that have been converted to a binary
Encryption-Conversion of plaintext to ciphertext through the use of
a cryptographic algorithm.
Key components-The two values from which a key can be derived (e.g.,
KU, + KU sub 2).
Key escrow-The processes of managing (e.g., generating, storing,
transferring, auditing) the two components of a cryptographic key by
two key component holders.
LEAF Creation Method-A part of a key escrow system that is
implemented in a cryptographic device and creates a Law Enforcement
Type I cryptography-A cryptographic algorithm or device approved by
the National Security Agency for protecting classified information.
Type II cryptography-A cryptographic algorithm or device approved by
the National Security Agency for protecting sensitive unclassified
information in systems as specified in section 2315 of Title 10 United
States Code, or section 3502(2) of title 44, United States Code.
Type III cryptography-A cryptographic algorithm or device approved
as a Federal Information Processing Standard.
Type III(E) cryptography-A Type III algorithm or device that is
approved for export from the United States.
Qualifications: The protection provided by a security product or
system is dependent on several factors. The protection provided by the
SKIPJACK algorithm against key search attacks is greater than that
provided by the DES algorithm (e.g., the cryptographic key is longer).
However, provisions of this standard are intended to ensure that
information encrypted through use of devices implementing this standard
can be decrypted by a legally authorized entity.
Where to Obtain Copies of the Standard: Copies of this publication
are for sale by the National Technical Information Service, U.S.
Department of Commerce, Springfield, VA 22161. When ordering, refer to
Federal Information Processing Standards Publication 185 (FIPS PUB
185), and identify the title. When microfiche is desired, this should
be specified. Prices are published by NTIS in current catalogs and
other issuances. Payment may be made by check, money order, deposit
account or charged to a credit card accepted by NTIS.
Federal Information Processing Standards Publication 185
Specifications for the Escrowed Encryption Standard
This publication specifies Escrowed Encryption Standard (EES)
functions and parameters.
This standards specifies use of the SKIPJACK cryptographic algorithm
and a LEAF Creation Method to be implemented in an approved electronic
device (e.g., a very large scale integration electronic chip). The
device is contained in a logical cryptographic module which is then
integrated in a security product for encrypting and decrypting
Approved implementations may be procured by authorized organizations
for integration into security equipment. Devices must be tested and
validated by NIST for conformance to this standard. Cryptographic
modules must be tested and validated by NIST for conformance to FIPS
3. Algorithm Specifications
The specifications of the encryption/decryption algorithm (SKIPJACK)
and LEAF Creation Method 1 (LCM-1) are classified. The National
Security Agency maintains these classified specifications and approves
the manufacture of devices which implement the specifications. NIST
tests for conformance of the devices implementing this standard in
cryptographic modules to FIPS 140-1 and FIPS 81.
4. Functions and Parameters
The following functions, at a minimum, shall be implemented:
1. Data Encryption: A session key (80 bits) shall be used to encrypt
plaintext information in one or more of the following modes of
operation as specified in FIPS 81: ECB, CBC, OFB (64), CFB (1, 8, 16,
2. Data Decryption: The session key (80 bits) used to encrypt the
data shall be used to decrypt resulting ciphertext to obtain the data.
3. LEAF Creation: A Family Key (e.g., KF-1) shall be used to create
a Law Enforcement Access Field (LEAF) in accordance with a LEAF
Creation Method (e.g., LCM-1). the security equipment shall ensure that
the LEAF is transmitted in such a manner that the LEAF and ciphertext
may be decrypted with legal authorization. No additional encryption or
modification of the LEAF is permitted.
The following parameters shall be used in performing the prescribed
1. Device Unique Identifier (UID): The identifier unique to a
particular device and used by the Key Escrow System.
2. Device Unique Key (KU): The cryptographic key unique to a
particular device and used by the Key Escrow System.
3. Cryptographic Protocol Field (CPF): The field identifying the
registered cryptographic protocol used by a particular application and
used by the Key Escrow System (reserved for future specification and
4. Escrow Authenticator (EA): A binary pattern that is inserted in
the LEAF to ensure that the LEAF is transmitted and received properly
and has not been modified, deleted or replaced in an unauthorized
5. Initialization Vector (IV): A mode and application dependent
vector of bytes used to initialize, synchronize and verify the
encryption, decryption and key escrow functions.
6. Family Key (KF): The cryptographic key stored in all devices
designated as a family that is used to create a LEAF.
7. Session Key (KS): The cryptographic key used by a device to
encrypt and decrypt data during a session.
8. Law Enforcement Access Field (LEAF): The field containing the
encrypted session key and the device identifier and the escrow
The Cryptographic Algorithm (i.e. SKIPJACK) and a LEAF Creation
Method (e.g., LCM-1) shall be implemented in an electronic device
(e.g., VLSI chip) which is highly resistant to reverse engineering
(destructive or non-destructive) to obtain or modify the cryptographic
algorithm, the UID, the KF, the KU, the EA, the CPF, the operational
KS, and any other security or Key Escrow System relevant information.
The device shall be able to be programmed/personalized (i.e., made
unique) after mass production in such a manner that the UID, KU (or its
components), KF (or its components) and EA fixed pattern can be entered
once (and only once) and maintained without external electrical power.
The LEAF and the IV shall be transmitted with the ciphertext. The
specifics of the protocols used to create and transmit the LEAF, IV,
and encrypted data shall be registered and a CPF assigned. The CPF (and
the KF-ID, LCM-ID) shall then be transmitted in accordance with the
Various devices implementing this standard are anticipated. The
implementation may vary with the application. The specific electric,
physical and logical interface will vary with the implementation. Each
approved, registered implementation shall have an unclassified
electrical, physical and logical interface specification sufficient for
an equipment manufacturer to understand the general requirements for
using the device. Some of the requirements may be classified and
therefore would not be specified in the underclassified interface
The device Unique Key shall be composed of two components (each a
minimum of 80 bits long) and each component shall be independently
generated and stored by an escrow agent. The session key used to
encrypt transmitted information shall be the same as the session key
used to decrypt received information in a two-way simultaneous
communication. The Lead Creation Method (LCM), the Cryptographic
Protocol Field (CPF), and the Family Key Identifier (KF-ID) shall be
registered in the NIST Computer Security Object Register.
This standard is not an interoperability standard. It does not
provide sufficient information to design and implement a security
device or equipment. Other specifications standards will be required to
assure interoperability of EES devices in various applications.
Specifications of a particular EES device must be obtained from the
The specification for the SKIPJACK algorithm are contained in the
R21 Informal Technical Report entitled "SKIPJACK" (S), R21-TECH-044-91,
May 21, 1991. The specifications for LEAF Creation Method 1 are
contained in the R21 Informal Technical Report entitled "Law
Enforcement Access Field for the Key Escrow Miscrocircuit" (S).
Organizations holding an appropriate security clearance and entering
into a Memorandum of Agreement with the National Security Agency
regarding implementation of the standard will be provided access to the
classified specifications. Inquiries may be made regarding the
Technical Reports and this program to Director, National Security
Agency, Fort George G. Meade