Return-Path: From: rivest@theory.lcs.mit.edu (Ron Rivest) Date: Sat, 23 Jul 94 16:06:24 EDT To: jim@rsa.com Cc: Whitfield.Diffie@eng.sun.com, markoff@nyt.com, hellman@isl.stanford.edu, hal@MIT.EDU Subject: Government crypto policy Hi Jim -- Here's some thoughts on the evolution (?) of government crypto policy; feel free to pass them around... The original intent of Clipper was to make available government (i.e., NSA) crypto technology (i.e., SKIPJACK) in a way that could not be exploited by criminals or foreign nationals. NIST and NSA wanted to help out by making some of their technology available to US industry, but wanted to do so in a way that didn't hurt other US government operations (intelligence, law enforcement). Key-escrowed clipper is the result. This is what Brent Morris and Mark Unkerholtz of NSA said in a public lecture at MIT in spring '94. They stressed the point that their main goal was not to catch crooks or do foreign intelligence better, but only to help out in a way that was not hurtful to these other operations. They didn't really expect that Clipper would catch a lot of crooks. (As is widely believed, any sensible crook will avoid using Clipper equipment.) The goal is to get their technology out, and a secondary requirement is that it be done in a way that doesn't hurt their other operations. Note that the above position is entirely consistent with an entirely voluntary use of other cryptographic techniques by industry. Trying to force industry to use Clipper, or to use key-escrowed techniques, would be equivalent to an assertion that the primary goal IS to assist law enforcement and foreign intelligence in their operations, and is thus contrary to the above position. I now concerned that the administration's recent announcement represents a serious revision of the above position. Probably the reasoning for NIST and NSA is going something like this: -- Congress (and parts of industry) wants the government to propose crypto standards. -- NIST, the FBI, and the NSA can't push forward with a standard that is non-escrowed, because their jobs are on the line if any significant use of government standards is made by "bad guys". -- They propose Skipjack/Clipper, which attempts to be "helpful" (it has a new algorithm) in a way that doesn't hurt (key escrow). But then, we have -- Significant opposition to escrowed standards by almost everyone except Dorothy Denning. Also, opposition to secret algorithms in standards. So, what do they do? -- Announce that they are reconsidering their policy on Clipper, while keeping their commitment to escrowed crypto standards. Invite proposals from industry for escrowed crypto standards suitable for software. The crypto algorithms could be public, etc. At this point, we have lost the only real contribution of the original proposal (the secret Skipjack algorithm is shelved), and the role of the government is now back just to trying to set some sort of standard. That is, they are no longer contributing technology, but only acting as a standard-setting body. However, the fixation on escrow techniques persists; no bureaucrat wants to have his job on the line for helping some "bad guy" that someday chooses to use the US crypto standard. But at this point, we have a government position that doesn't hang together. (The original position made more sense, although it didn't result in a reasonable policy.) Without government technical contributions to protect (e.g. Skipjack), the only motivations for preserving key-escrow are (1) protecting the jobs of the policy-makers should some fairly visible bad guy use government standard crypto someday, or (2) a reversal of the original policy: catching crooks and assisting foreign intelligence are now elevated from secondary constraints (due to reason (1)) to a primary goal. But it is well-recognized that catching crooks and assisting foreign intelligence in such a manner requires the *mandatory* use of an escrowed standard. Without legal requirements to do so, most manufacturers won't bother with the escrow capability. Moreover, with an adoption of public crypto standards, anyone (e.g. foreign businesses) would be free to produce their own non-escrowed implementations of the adopted crypto algorithms, and sell them in the US. It has been well argued that key escrow technology is not an effective or cost-effective means of law enforcement, etc. I think that mandating the use of key escrow technology would be unacceptable to most of the country (viz the current debate, which is running 1000 to 1 against even voluntary key escrow standards), too expensive, and too much sticky tar spread on our nascent information highway. I think everyone realizes that mandating key escrow is not desirable or realistic. Thus, we have a situation where there are four apparent choices left: (1) No government-approved crypto standards. (2) Government-approved public crypto standards with key-escrow mandatory for government use and voluntary elsewhere. (3) Government-approved public crypto standards with key-escrow voluntary for all users. (4) Government-approved public crypto standards with no key escrow. The other choices, involving secret algorithms, are not viable. I also think that (1) is not viable, although one might suspect that many government actions (and non-actions) were really directed at that goal. This leaves (2)--(4). Policy (2) makes no sense. Given the freedom to easily use the standard algorithms in non-escrowed manners (since they are public); policy (2) is not effective for law-enforcement, etc. It has considerable cost, and no justification other than the attempt of the policy-makers to try to do something that pretends not to hurt other government activities. Policy (3) might be workable. There is no mandated use of escrowed technology (even for government purchases) but manufacturers and users may voluntarily implement escrowing capabilities if they wish. Government agencies (NIST, the FBI, and the NSA) may develop and publish escrowing techniques, and support and encourage escrowing activities, as long as escrowing is not required by standards, government purchases, or routine export control policy. (I haven't mentioned export control policy before, but think that it falls in the same general category as requiring escrow for government purchases---it is an attempt to affect the (foreign) market by limiting what (US) manufacturers can do, rather than by affecting what products are offered through government purchasing power. In both cases, the government's power to affect the market is limited by the activities of other manufacturers and purchasers. Export control in support of specific policies against hostile countries (e.g., Libya?) is, in my opinion, not unreasonable, but telling our information highway manufacturers they can't export crypto is like telling our automobile manufacturers that they can export cars, but only if they contain no bolts, fasteners, or opaque trunk lids: for crypto is the "nuts and bolts" of an information system -- it links together separate components in a secure manner, and is also the means of protecting your information goods from prying eyes.) Finally, there is policy (4) -- no escrowing at all. This is, in the end, the most workable. It makes explicit that trying to achieve law-enforcement and foreign intelligence objectives by affecting government crypto standards is misguided and ultimately, harmful. Comments appreciated.... Cheers, Ron