Date: Thu, 29 Apr 93 20:15:55 PDT
Mime-Version: 1.0
Content-Type: text/plain
From: surfpunk@osc.versant.com (n dhvfyvat, be rira n fgreayvtug!)
To: surfpunk@osc.versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0082] CRYPT: Tough Choices: PGP vs. RSA Data Security

!
! I recently heard an even better hypothetical that
! illustrates the issues raised by encryption:
!
! Suppose the only two Navajo speakers left in the
! world were talking on the phone to plot the
! overthrow of the United States. If the FBI could
! not obtain a translator, would that mean the
! plotters could be compelled to hold their phone
! conversations in English?
!
! Mike Godwin

Tim May is one the leftmost figure on the cover of WIRED #2. Several of these are by him. Most material found on cypherpunks. Mail a polite note to Cypherpunks-request@toad.com to join that list, but be prepared for 20 to 50 messages a day ...

strick
________________________________________________________________________
________________________________________________________________________

Date: Thu, 29 Apr 93 01:36:34 -0700
To: Cypherpunks@toad.com
From: tcmay@netcom.com (Timothy C. May)
Subject: Tough Choices: PGP vs. RSA Data Security

Cypherpatriots,

This is a tough posting to write. I may even be called a quisling, or even a sternlight!

This may be the most important posting I make during this current Clipper-Big Brother Chip controversy.

I suggest that we as a community seriously reconsider our basic support for PGP. Not because of any flaws in the program, but because of issues related to Clipper and the potential limits on crypto.

Continuing use of PGP causes several problems:

1. If RSA fails to take actions against sites and users, it weakens their legal position with respect to their patents. The government does not need licenses in any case, but users of Clipperphones *do* (not the final end-users, but the suppliers of Clipperphones to non-government customers).

(A case can be made that repudiation of the patents might be a good thing. I know I have argued this at times. It's hard to know.)

2. The "guerrilla crypto" aspect of the PGP community (and our group) is charming, but may be counterproductive. If we are viewed as outlaws, the target even of RSA, then we have almost no influence, save for underground subversion.

(To put this another way, if we are seen as RSA Data's enemy, we lose a potential ally. I am suggesting that a coming war between strong crypto on one side and government snooping on the other will force all participants to choose up sides.)

3. Supporting a legal version of strong crypto, which RSA Data-approved programs are and PGP is *not*, is a much more solid foundation from which to fight possible restrictions on strong crypto.

4. Our time could better be spent by solidifying existing RSA programs, including RIPEM, RSAREF-derived programs, MailSafe, and so forth. This is the approach several major companies have taken (Apple, Lotus, Sun, etc.).

I've urged Jim Bidzos to work toward some compromise with the PGP community (and I think everyone recognizes the positive aspects of this growing community). This might include creating translation programs so MailSafe or RIPEM can read PGP files, a reworking of PGP to conform to licensing requirements, etc.

I'm hoping that Phil Zimmermann can see what the real battle is. The PGP community is not likely to win their battle in court, and the effect of such a court battle will be divisive and ultimately may help the government in its plans. Phil Z. is most unlikely to ever see any real revenues from PGP.

I think the benefits of a strong, legal, supported crypto product are greater than the dubious benefits of having a "free" piece of software. At any reasonable hourly wage, the cost of MailSafe ($125, last time I checked) is dwarfed by the amount of time crypto activists like ourselves spend debating it, downloading it, awaiting patched versions, etc.

(All is not rosy on the RSA Data side, either. RSA Data chose to concentrate on getting RSA built in to e-mail products from the major companies and chose not to devote much effort to PGP-like personal encryption products (such as MailSafe, which runs on DOS and UNIX only and which hasn't changed much since 1988). Support for RSA Data should mean more support for these kinds of products. We could essentially ask RSA for a commitment in this area.)

I'm arguing that we should look carefully and see what the real issues are, who the real enemy is, and then make plans accordingly.

Awaiting your feedback,

-Tim May

--
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, smashing of governments.
Higher Power: 2^756839 | Public Key: MailSafe and PGP available.
Waco Massacre + Big Brother Wiretap Chip = A Nazi Regime

________________________________________________________________________

From: Mike Godwin
Subject: Some thoughts on Clipper and the Constitution
To: e*c
Date: Mon, 26 Apr 93 11:15:17 EDT

Note: These notes were a response to a question during Saturday's Cypherpunks meeting about the possible implications of the Clipper Chip initiative on Fourth Amendment rights. Forward to anyone else who might think these interesting.

--Mike

Notes on Cryptography, Digital Telephony, and the Bill of Rights
By Mike Godwin

I. Introduction

A. The recent announcement of the federal government's "Clipper Chip" has started me thinking again about what the principled "pure Constitutional" arguments a) opposed to Digital Telephony and b) in favor of the continuing legality of widespread powerful public-key encryption.

B. These notes do *not* include many of the complaints that have already been raised about the Clipper Chip initiative, such as:

   1. Failure of the Administration to conduct an inquiry before embracing a standard,

   2. Refusal to allow public scrutiny of the chosen encryption algorithm(s), which is the normal procedure for testing a cryptographic scheme, and

   3. Failure of the administration to address the policy questions raised by the Clipper Chip, such as whether the right balance between privacy and law-enforcement needs has been struck.

C. In other words, they do not address complaints about the federal government's *process* in embracing the Clipper Chip system. They do, however, attempt to address some of the substantive legal and Constitutional questions raised by the Clipper Chip and Digital Telephony initiatives.

II. Hard Questions from Law Enforcement

A. In trying to clarify my own thinking about the possible Constitutional issues raised by the government's efforts to guarantee access to public communications between individuals, I have spoken and argued with a number of individuals who are on the other side of the issues from me, including Dorothy Denning and various representatives of the FBI, including Alan McDonald.

B. McDonald, like Denning and other proponents both of Digital Telephony and of a standard key-escrow system for cryptography, is fond of asking hard questions: What if FBI had a wiretap authorization order and couldn't implement it, either because it was impossible to extract the right bits from a digital-telephony data stream, or because the communication was encrypted? Doesn't it make sense to have a law that requires the phone companies to be able to comply with a wiretap order?

C. Rather than respond to these questions, for now at least let's ask a different question. Suppose the FBI had an authorization order for a secret microphone at a public restaurant. Now suppose it planted the bug, but couldn't make out the conversation it was authorized to "seize" because of background noise at the restaurant.
Wouldn't it make sense to have a law requiring everyone to speak more softly in restaurants and not to clatter the dishes so much?

D. This response is not entirely facetious. The Department of Justice and the FBI have consistently insisted that they are not seeking new authority under the federal wiretap statutes ("Title III"). The same statute that was drafted to outline the authority for law enforcement to tap telephonic conversations was also drafted to outline law enforcement's authority to capture normal spoken conversations with secret or remote microphones. (The statute was amended in the middle '80s by the Electronic Communications Privacy Act to protect "electronic communications," which includes e-mail, and a new chapter protecting _stored_ electronic communications was also added.)

E. Should we understand the law the way Digital Telephony proponents insist we do--as a law designed to mandate that the FBI (for example) be guaranteed access to telephonic communications? Digital Telephony supporters insist that it merely "clarifies" phone company obligations and governmental rights under Title III. If they're right, then I think we have to understand the provisions regarding "oral communications" the same way. Which is to say, it would make perfect sense to have a law requiring that people speak quietly in public places, so as to guarantee that the government can bug an oral conversation if it needs to.

F. But of course I don't really take Digital Telephony as an initiative to "clarify" governmental prerogatives. It seems clear to me that Digital Telephony, together with the "Clipper" initiative, prefigure a government strategy to set up an information regime that precludes truly private communications between individuals who are speaking in any way other than face-to-face. This I think is an expansion of government authority by almost any analysis.

III. Digital Telephony, Cryptography, and the Fourth Amendment

A. In talking with law enforcement representatives such as Gail Thackeray, one occasionally encounters the view that the Fourth Amendment is actually a _grant_ of a Constitutional entitlement to searches and seizures. This interpretation is jolting to those who have studied the history of the Fourth Amendment and who recognize that it was drafted as a limitation on government power, not as a grant of government power. But even if one doesn't know the history of this amendment, one can look at its language and draw certain conclusions.

B. The Fourth Amendment reads: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

C. Conspicuously missing from the language of this amendment is any guarantee that the government, with properly obtained warrant in hand, will be _successful_ in finding the right place to be searched or persons or things to be seized. What the Fourth Amendment is about is _obtaining warrants_--similarly, what the wiretap statutes are about is _obtaining authorization_ for wiretaps and other interceptions. Neither the Fourth Amendment nor Title III nor the other protections of the ECPA constitute a law-enforcement _entitlement_ for law enforcement.

D. It follows, then, that if digital telephony or widespread encryption were to create new burdens for law enforcement, this would not, as some law-enforcement representatives have argued, constitute an "effective repeal" of Title III. What it would constitute is a change in the environment in which law enforcement, along with the rest of us, has to work.
Technology often creates changes in our social environment--some, such as the original innovation of the wiretap, may aid law enforcement, while others, such as powerful public-key cryptography, pose the risk of inhibiting law enforcement. Historically, law enforcement has responded to technological change by adapting. (Indeed, the original wiretaps were an adaptation to the widespread use of the telephone.) Does it make sense for law enforcement suddenly to be able to require that the rest of society adapt to its perceived needs?

IV. Cryptography and the First Amendment

A. Increasingly, I have come to see two strong links between the use of cryptography and the First Amendment. The two links are freedom of expression and freedom of association.

B. By "freedom of expression" I mean the traditionally understood freedoms of speech and the press, as well as freedom of inquiry, which has also long been understood to be protected by the First Amendment. It is hard to see how saying or publishing something that happens to be encrypted could not be protected under the First Amendment. It would be a very poor freedom of speech indeed that dictated that we could *never* choose the form in which we speak. Even the traditional limitations on freedom of speech have never reached so far. My decision to encrypt a communication should be no more illegal than my decision to speak in code. To take one example, suppose my mother and I agree that the code "777", when sent to me through my pager, means "I want you to call me and tell me how my grandchild is doing." Does the FBI have a right to complain because they don't know what "777" means? Should the FBI require pager services never to allow such codes to be used? The First Amendment, it seems to me, requires that both questions be answered "No."

C. "Freedom of association" is a First Amendment right that was first clearly articulated in a Supreme Court case in 1958: NAACP v. Alabama ex rel. Patterson.
In that case, the Court held that Alabama could not require the NAACP to disclose a list of its members residing in Alabama. The Court accepted the NAACP's argument that disclosure of its list would lead to reprisals on its members; it held such forced disclosures, by placing an undue burden on NAACP members' exercise of their freedoms of association and expression, effectively negate those freedoms. (It is also important to note here that the Supreme Court in effect recognized that anonymity might be closely associated with First Amendment rights.)

D. If a law guaranteeing disclosure of one's name is sufficiently "chilling" of First Amendment rights to be unconstitutional, surely a law requiring that the government be able to read any communications is also "chilling," not only of my right to speak, but also of my decisions on whom to speak to. Knowing that I cannot guarantee the privacy of my communications may mean that I don't conspire to arrange any drug deals or kidnapping-murders (or that I'll be detected if I do), but it also may mean that I choose not to use this medium to speak to a loved one, or my lawyer, or to my psychiatrist, or to an outspoken political activist. Given that computer-based communications are likely to become the dominant communications medium in the next century, isn't this chilling effect an awfully high price to pay in order to keep law enforcement from having to devise new solutions to new problems?

V. Rereading the Clipper Chip announcements

A. It is important to recognize that the Clipper Chip represents, among other things, an effort by the government to pre-empt certain criticisms. The language of announcements makes clear that the government wants us to believe it has recognized all needs and come up with a credible solution to the dilemma many believe is posed by the ubiquity of powerful cryptography.

B. Because the government is attempting to appear to take a "moderate" or "balanced" position to the issue, its initiative will tend to pre-empt criticisms of the government's proposal on the grounds of *process* alone.

C. But there is more to complain about here than bad process. My rereading of the Clipper Chip announcements will reveal that the government hopes to develop a national policy that includes limitations on some kinds of cryptography. Take the following two statements, for example:

D. 'We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities.'

E. 'The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S. saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." '

F. It is clear that neither Digital Telephony nor the Clipper Chip make any sense without restrictions on other kinds of encryption. Widespread powerful public-key encryption, for example, would render useless any improved wiretappability in the communications infrastructure, and would render superfluous any key-escrow scheme.

G. It follows, then, that we should anticipate, consistent with these two initiatives, an eventual effort to prevent or inhibit the use of powerful private encryption schemes in private hands.

H. Together with the Digital Telephony and Clipper Chip initiatives, this effort would, in my opinion, constitute an attempt to shift the Constitutional balance of rights and responsibilities against private entities and individuals and in favor of law enforcement. They would, in effect, create _entitlements_ for law enforcement where none existed before.

I. As my notes here suggest, these initiatives may be, in their essence, inconsistent with Constitutional guarantees of expression, association, and privacy.

________________________________________________________________________

Date: Mon, 26 Apr 93 12:09:01 -0700
To: Cypherpunks@toad.com
From: tcmay@netcom.com (Timothy C. May)
Subject: MEETING SUMMARY: 4-24-93 Cypherpunks Meeting
Cc: tcmay@netcom.com, jim@rsa.com, tenney@netcom.com

Several people have asked for summaries (or minutes) for our physical Cypherpunks meetings, especially for our "Emergency Ad Hoc Meeting" a few days ago.

Some Reasons NOT to do Minutes:

* it formalizes a fundamentally informal meeting (recall that Cypherpunks have no legal status, no structure, no voting procedures, no officers, etc.).

* some folks may be leery of having their names appear.

* the credit assignment problem: as soon as summaries are written, people begin to complain that someone else got the credit for their idea, that their views weren't mentioned in the summary, and so forth.

* somebody has to take the notes needed to generate the summary.

Some Reasons IN FAVOR of Minutes:

* with 40 people at our last meeting (counting the audio conference call, via Internet, to Boston and Washington, D.C.), with more than 400 on our mailing list, and with the Wiretap Chip events, these are historic times. (Fortunately, the list itself is a valuable archive of our history. Let's hope good archives are being kept by someone!)

* folks who cannot attend physical meetings may still want to know what's basically going on. (And perhaps other groups will nucleate and grow.)

* even folks who were at the meeting may want a summary, to keep their memories refreshed.

So, some pros and cons to writing up a summary. What I plan to do here is to just write up a very brief snapshot summary, oriented more toward informing the non-attendees than to reminding the attendees of action items or things they agreed to do.
Anyone with additions to make is of course encouraged to do so. Using the "MEETING SUMMARY:" prefix might be useful.

1. The Meeting Itself.

Saturday, 24 April 1993, 12 noon to past 6 p.m. (when I had to leave). Offices of Cygnus Support, in Mountain View. Approximately 25-30 in attendance, including several new faces. John Gilmore was selling issues of "Wired" at cost.

An amazing conference call was made to sites in Northern Virginia (Bob Stafford, Paul Ferguson, others) and to Boston (Marc Horowitz, Derek Atkins, others). What was amazing was that the audio went through the Internet and was DES-encrypted (for a while at least, until complaints by one of the sites about the audio quality caused us to turn off the encryption). Still, seeing an encrypted Internet conference call was something...a small step toward the world of Vinge's "True Names."

Jim Bidzos, President of RSA Data Security, intended to just speak briefly about the Clipper Chip, Capstone, and the view of RSA, but ended up staying and participating for several hours.

Mike Godwin, of EFF, was present at the Boston (I think) site.

Glenn Tenney, organizer of the Hackers Conference and general activist, was also present for the first time.

The other usual folks were there, including many active in cryptography and data security. (My apologies for not mentioning any other luminaries here.)

All in all, a stimulating meeting.

2. The Theme: The Clipper Chip.

This of course dominated the discussion all day, and was the explicit reason for the emergency meeting. There's too much to cover here in detail.

Jim Bidzos and Arthur Abraham both presented information on the Clipper Chip, including a long data sheet from Mykotronx (sent to Arthur) on their Myk-78 chip. (Copies distributed, and also faxed to the remote sites.) There was some debate about who Mykotronx was and whether it was really independent from the NSA.

Capstone, the follow-on program, is a superset of Clipper and contains the DSS signature standard (which RSA Data led the fight against...and most of us thought it was a dead issue--then it appeared here!). No public key methods are known to be incorporated, though they may be. (Lots of analysis and question-asking still to be done.)

Reverse-engineering was also discussed. VLSI Technology, the chip company, is a partner with Mykotronx and apparently has a tamper-resistant chip technology.

3. What Motivated the Clipper Chip?

It appears the Clipper/Capstone program is initially intended to "buy market share" as quickly as possible, with government offices requiring Clipperphones (and probably for those they do business with). Perhaps the intent is to undercut competing models and make Clipper the de facto standard, which can then be made the de jure standard.

Some think the key escrow features were added _late_ in the proposal and may even be _expected_ to fail (fail in the sense of key escrow agencies never getting rolling, issues never getting resolved, etc.). This fits with the idea of a built-in backdoor to the enciphered traffic. The Agency may be more interested in quickly proliferating a breakable "standard" for voice encryption than in implementing the key escrow idea. (Left unanswered in this speculation is how court-ordered wiretaps would then be executed...would the FBI and NSA simply acknowledge the weakness? I don't think so.)

The secrecy of the Clipper/Capstone project was quite impressive. Bidzos confirmed again, and convincingly, that he knew *nothing* of this whole effort until the announcement (or possibly the night before, when a reporter called him?). Apparently John Markoff, who sometimes reads this list and can comment if he wishes, had figured out some aspects or had been told them by a source, and was preparing an article for the "NY Times." This may've prompted the announcement timing.
Several people commented that several previously-puzzling events become clearer in retrospect, such as the then-unknown Mykotronx sniffing around to get an RSA license (which they don't yet have).

I can't recap all the discussion, much of which was similar to what's been going on in sci.crypt and elsewhere. Everyone agreed that this was a seminal event, that the Clipper/Capstone announcement is a crucial event.

3. Lobbying Against the Clipper Chip

The profound consequences call for major efforts. We discussed boycotting products, spreading negative reports, and reverse engineering the algorithm and publishing it so software solutions can spoof/imitate _part_ of the system (i.e., so someone with a SoundBlaster board or other system can talk to someone with one of these Clipperphones without escrowing keys or being wiretappable).

John Gilmore has already posted to the list the results of our brainstorming session to come up with questions to ask the FBI, NIST, NSA, Congress, and the Administration.

Mike Godwin argued that a lot of embarrassing questions could quickly derail the plan. Others confirmed that the NSA mathematicians seemed to be put on the spot by the many questions. That is, it's conceivable this plan could begin to unravel fairly soon.

4. Educating the Public.

The Boston group took this as their focus of the rest of the meeting (we went offline after about an hour or so on the conference call). I haven't heard the results.

5. Lobbying the Legislature and Officials.

Similarly, the D.C. group took this as their area of involvement. No feedback yet.

6. What Happens if Clipper Flops?

An interesting discussion out in the lobby (and I probably missed many such interesting discussions!) had to do with scenarios for how Clipper may fail.
Whit Diffie described how the failure could either so greatly embarrass the Administration that they'd be loath to try it again (the Viet Nam Syndrome, applied to crypto) or that it could provoke them to tighten restrictions even further, perhaps even to the point of an outright ban on the use of unapproved encryption at *any* level. (Issues of enforceability, detectability, Constitutional issues, etc., of course exist and will be points of attack on any such comprehensive ban.)

(The question of whether Clipper and Capstone apply, either now or later, to *data* came up several times. The Capstone chip is rated at "10-16 Mbps," which implies it is targeted for Ethernet-type speeds, and hence data. There was general agreement by all I heard that the Clipper/Capstone program is indeed intended to target more than just voice encryption and that our fears about restrictions on strong crypto are justified.)

7. Other Miscellaneous Topics

* Since Jim Bidzos was there, the topic of PGP naturally came up several times. Eric Hughes let this run for a while, then moved the discussion back to Clipper. Jim Bidzos clearly had some strong opinions, but also did not want this to be the forum for debating patents and the legality and ethics of PGP. He did acknowledge, in my opinion, the point that RSA Data Security had somewhat neglected the individual end-user (in products such as MailSafe, which hasn't changed since 1988), in favor of the many large deals with Lotus, Microsoft, Apple, etc., to get RSA installed in their e-mail software. He acknowledged that in some sense this left an ecological niche for a product like PGP to fill, though he insisted that such a product could be legally developed and distributed if it used the "RSAREF" package and wasn't sold commercially. (There are lots of threads and keywords here: RSAREF, RIPEM, TIPEM, B-SAFE, Apple's OCE, etc.)

(Some of us continue to hope some accommodation can be reached between RSA Data and the PGP community.
The upcoming battle over strong crypto is a bigger issue than this squabble. I remain convinced that RSA Data Security is "on our side" in this fight for continued access to strong crypto. In fact, in my opinion, the Clipper/Capstone program looks to be a complete end-run around RSA and public key techniques, a thinly disguised attempt to seize control of the crypto market from RSA. In this battle, RSA may be fighting for their economic survival!)

* The issue of the name of our group, the Cypherpunks name, was not discussed. The U.K. group has apparently picked "U.K. Cryptoprivacy Group" as their name.

* The normal schedule for meetings will continue, with the next regular Cypherpunks (Bay Area) meeting on Saturday, 8 May.

Well, this is my summary. Feedback is welcome. While I don't want to take meticulous notes the way a "Recording Secretary" is supposed to, I don't mind writing up these kinds of snapshot summaries.

May you live in interesting times, indeed!

-Tim May

--
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, smashing of governments.
Higher Power: 2^756839 | Public Key: MailSafe and PGP available.
Waco Massacre + Big Brother Wiretap Chip = A Nazi Regime

________________________________________________________________________

Date: Mon, 26 Apr 1993 12:17:26 -0500
To: cypherpunks@toad.com
From: matt@oc.com (Matthew Lyle)
Subject: MacWeek article on Clipper/Capstone

MacWEEK 04.26.93
Page 1

SECURITY CHIPS TRIGGER ALARM
Clipper and Capstone open digital back door.

By Mitch Ratcliffe

Washington -- The White House and National Security Agency, as part of a wide-ranging retooling of U.S. privacy policies, are preparing two encryption chips for use in the computer and telecommunications industries.
Privacy advocates cried foul last week because the chips include a back door that allows police to monitor communications.

The Clipper chip announced this month can encrypt voice and data communications at up to 16Mbps. Clipper is due to debut in secure telephones from AT&T Co. this summer.

The second chip, called Capstone and currently under development at the NSA, is a superset of Clipper that will implement the much-criticized Digital Signature Standard to add authentication capabilities. Its existence was revealed during a briefing at the Massachusetts Institute of Technology in Cambridge last week.

President Clinton ordered the National Institute of Standards and Technology to establish Clipper as a federal standard. Since the government is the largest computer customer in the world, its Federal Information Processing Standards (FIPS) often are imposed on the industry as de facto standards.

If Capstone follows Clipper into the FIPS requirements, DSS could usurp RSA Data Security Inc.'s public-key encryption scheme, which Apple licensed for AOCE (Apple Open Collaboration Environment).

But Apple's representative at the NSA briefing, Gursharan Sidhu, technical director of collaborative computer and leader of the AOCE project, said he is not worried that the government will force an encryption scheme on the industry.

"We were given the impression that they are very open to suggestions," Sidhu said, adding that the government is faced with a growing conundrum as it tries to simultaneously protect privacy and maintain its ability to tap lawbreakers' communications.

"People have the idea that in cellular the security of communications had gone away, so there is pressure to encrypt. [Without a back door], even the casual criminal would be able to communicate with invincible security," Sidhu said. "Law-enforcement agencies wouldn't be able to collect intelligence."

A spokesman for NIST said Capstone will not be introduced unless the president's review of national encryption policy concludes it is needed. But he also said the Department of Defense and NSA are already working to develop a PCMCIA card-based implementation of Capstone for a classified defense messaging system. The NSA confirmed it is working on Capstone but could not confirm the Capstone PCMCIA card project.

Clipper and Capstone use a "key escrow" technology that lets law-enforcement agencies with a court order unscramble conversations and documents. To reduce the potential for wiretap abuse, two agencies to be named by Attorney General Janet Reno will hold half of each key. The NSA said the key escrow agents will not be law-enforcement agencies.

Privacy advocates complained that the algorithms that perform Clipper scrambling functions will remain classified. Encryption technologies typically gain acceptance only after cryptographers pore over the component algorithms and key management systems.

"We can't protect the key escrow features if we reveal the algorithm to the public ... that's caused some heartburn," said John Podesta, staff secretary to President Clinton. "I'm not suggesting that the public should trust us any more than any other government agency, but we are doing a more comprehensive review [than any previous administration]."

Podesta said the Clinton team is taking a free-market approach to encryption, in contrast to the previous administrations, which tried to legislate simplified approaches. "In the wireless communications environment, we have to move the ball forward on security and privacy," Podesta said. "The jury's still out on whether [Clipper] is the answer."

Jim Bidzos, president of RSA Data Security of Redwood City, Calif., said the NSA is using Clipper and Capstone in an attempt to confuse the market for privacy-enhancing technologies. "It takes three or four years for this kind of proposal to die," Bidzos said.
Computer and communications companies might withhold support for any standard, giving the NSA more time to prepare for the encrypted world, he said.

Computer Professionals for Social Responsibility, a Washington, D.C.-based public-interest group, has filed 11 Freedom of Information Act requests for access to Clipper development records. The group suspects the NSA and NIST violated the Computer Security Act of 1987, which limits the NSA's role in development of public encryption technologies to providing advice and assistance. NSA said it developed both chips.

________________________________________________________________________

Date: Tue, 27 Apr 1993 22:36:01 -0700
From: Arthur Abraham
To: cypherpunks@toad.com
Subject: MYK-78

I've been stalking Mykotronx with phone and smail since right after the announcement, and finally got through the guy who kept telling me that I'd understand if I just knew a little more crypto, to the guy who really knew what was going on and wanted to tell me.

This is what I found out:

Mykotronx MYK-78 has been identified as the Privacy "Clipper" chip. The "Clipper" name comes from Washington, and the guys at Mykotronx know about the Intergraph chip.

The data sheets, as those of you who have read them know, are confusing, incomplete and internally inconsistent. This is evident even if you do not consider that they are to implement the social protocol described by Dorothy Denning (her 19-Apr-93 paper, as published in Cypherpunks).

After some discussions with Mykotronx, I was able to convince them of the truth of the last paragraph and to have them explain just what the chip was designed to do. I would also like to emphasize that these discussions revealed that the poor quality of the documentation does not result from any attempt to obscure the operation of the chip, they were very forthcoming and eager to discuss its operation.
The deficiencies result more from the nature of a military contractor's relationship to its one customer: the customer understands how to use the chip so there's no pressure to get it described carefully. Going public was a bit of a surprise to them, in fact the announcement was made during their application engineer's vacation. I am sure there is an interesting story in this timing, but the people I was talking to didn't seem to know it.

On to the chip:

You don't just hook up a clear-text bit stream to one end and get a Denning-stream out the other. It needs a bit of care and feeding.

At startup it requires a Random Seed (8 bytes/64-bits) and a crypto-variable CV (10 bytes/80-bits) for its DES-type algorithm. This is Denning's "skipjack" algorithm and, like DES, is a symmetric key block cypher, which performs in all the DES modes:

    64-Bit Electronic Code Book (ECB)
    64-Bit Cypher Block Chaining (CBC)
    8/16/32/64 Bit Cypher Feedback
    64-Bit Output Feedback (OFB)

In the last three modes the encryption of each block is dependent on the previous blocks. (If you care to know more about DES modes, see FIPS-PUB 81 which is cited in the data sheets.)

One other thing about Skipjack: Denning describes it as having "32 rounds of scrambling" and this is supported by the data sheet's timing charts, which note 64 clock cycles to complete an encryption. Since this would operate on an 8-byte/64-bit block, with the 15MHz internal clock we appear to have roughly a 10M-bit/1.3MB transfer rate in encryption/decryption. This is fast enough for the average telephone, or several telephones, or maybe a stereo CD. It's probably just average performance for 1 micron technology and some units clock up to 30MHz (they expect 0.8 micron eventually, with improved performance).

Back to the Crypto-Variable, CV. The CV is the session key, is selected off-chip, and must always be accompanied by a 3 byte/24-bit checkword. Where do you get the check word?... you ask the chip!
If you load a CV with a bad checkword, the chip sets its ERROR line -- oh, sadness. But then you can read out a good checkword, and subsequently reload the same CV with the good checkword (happy now?). The checkword is actually just the first three bytes from an application of Skipjack to the CV.

Do all this and the chip is loaded and ready for plaintext. You could just give it an Encryption command, and start pulling cyphertext out the other side, but who would understand it? First you have to get the key information out of the chip and send it to the chip on the other side of the link.

Skipjack is DES-like so to run a decryption mode on the other chip we're going to have to send it the session key, CV, and the Initial Vector, IV, which is the starting state of the stream for the non-ECB modes of operation. We selected CV ourselves, and learned its checkword during the startup experience, but where's IV?

Well, we generate it using "a feature not found in current DES chips" (data sheet, 1-3). And quite a feature it is, too. We use this command, Generate IV, and it makes all 8 bytes/64-bits of the IV, based on the Random Seed...

But That's Not ALL!

You issue the Generate IV command three (3) times to get the full 24 byte/192-bit LEEF block. LEEF = Law Enforcement Exploitation Field. (I wrote this down very carefully to be sure I had it right.) ...Actually, you issue a Read Data command after each Generate IV command, but I won't bore you with details.

The first 8 bytes/64-bits are called L1 or LEEF-1, the second 8 bytes/64-bits are L2 or LEEF-2, and then here is the IV we've all been waiting for, in its full 8 byte/64-bit glory. You probably noticed that LEEF is 24 bytes/192-bits long, and has the structure [L1,L2,IV]. Mykotronx is not supposed to tell us the structure of L1,L2.

The interesting thing is that [CV,checkword,L1,L2,IV] is a self-checking unit. The receiving chip checks it as it is loaded. If something is wrong, the chip sets its ERROR line.
If CV is fermished, you have to get all the way to IV before you're raspberried. In transmitting this we are advised to encrypt CV because it is, after all, the session key.

OK, so we are encrypting and the other chip is decrypting. Suppose something happens and the other chip wants to talk to us, so that it encrypts and we decrypt. It has all it needs to encrypt and we have all we need to decrypt, but one more thing has to be done. We need to save the state of the chaining cypher so we can resume it at the same place in the chain when we return to encrypting. Use the Save State command, which pops out 8 bytes/64-bits of Saved State, SS, or the current contents of the Skipjack encryption register. To make this a bit clearer, if we pulled the Saved State right after Generate IV, we'd find SS = IV.

The chip's serial number is 4-bytes/32-bits long, not the 3.75 bytes/30-bits Denning reported, but don't worry, _you'll_ never see it. It and the family key are written in over pins Vpp1 and Vpp2, which are then burned out. All chips are currently planned to have the same family key, but if you happen to meet a chip with a different family key and it sends you [CV,checkword,L1,L2,IV], you could understand it.

That's the main part of what's missing from the data sheets. The rest works pretty much as described, and is at a level of detail too fine to interest anyone except a compulsive hardware wonk.

Oh, one more thing, on page 1-4 where the Configuration Register is shown with two "Arm CV" bits, the one at position D5 should be "Arm IV".

-a2.

ps: I will be at a meeting the rest of the week, so please don't expect me to respond to requests for clarification until I return. Sorry.

-a2.
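
The CV load with its checkword, the ERROR-and-reload step, and Save State across a link turnaround, as described in the message above, modelled in Python. This is an added example, not part of the original post and not Mykotronx code. The Clipper algorithm is classified, so a SHA-256-based Feistel function stands in for Skipjack; the checkword rule (encrypt an all-zero block under CV), the seed-to-IV derivation and every name below are assumptions.

```python
import hashlib

BLOCK = 8  # 64-bit block; CV is 10 bytes, checkword 3 bytes (sizes from the post)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Stand-in 32-round Feistel cipher (assumption). This is NOT Skipjack."""
    left, right = block[:4], block[4:]
    for i in range(32):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left

def checkword(cv):
    # Assumption: "an application of Skipjack to the CV" is modelled as
    # encrypting an all-zero block under CV and keeping the first 3 bytes.
    return encrypt_block(cv, bytes(BLOCK))[:3]

class ChipModel:
    """Hypothetical model of the command flow; names are not from the data sheet."""
    def __init__(self, seed):
        self.seed, self.cv, self.pending, self.state, self.error = seed, None, None, None, False
    def load_cv(self, cv, cw):
        self.pending = cv
        self.error = cw != checkword(cv)          # ERROR line on a bad checkword
        self.cv = None if self.error else cv
        return not self.error
    def read_checkword(self):
        return checkword(self.pending)            # chip hands back the good value
    def generate_iv(self):
        # Assumption: IV derived from the Random Seed; L1 and L2 are not modelled.
        self.state = hashlib.sha256(b"iv" + self.seed).digest()[:BLOCK]
        return self.state
    def save_state(self):
        return self.state                         # current chaining register (SS)
    def encrypt_cbc(self, data):
        out = b""
        for i in range(0, len(data), BLOCK):
            self.state = encrypt_block(self.cv, xor(data[i:i + BLOCK], self.state))
            out += self.state
        return out

def demo():
    cv, seed = bytes(range(10)), b"\x01" * 8      # constructed sample values
    chip, ref = ChipModel(seed), ChipModel(seed)
    bad = xor(checkword(cv), b"\x01\x00\x00")     # guaranteed-wrong checkword
    first = chip.load_cv(cv, bad)                 # False: ERROR is set
    second = chip.load_cv(cv, chip.read_checkword())
    ss_is_iv = chip.generate_iv() == chip.save_state()
    ref.load_cv(cv, checkword(cv))
    ref.generate_iv()
    msg = b"A" * 16 + b"B" * 16
    part1 = chip.encrypt_cbc(msg[:16])
    ss = chip.save_state()                        # link turns around here
    chip.state = b"\xee" * BLOCK                  # register reused for the peer's traffic
    chip.state = ss                               # restore before resuming
    return first, second, ss_is_iv, part1 + chip.encrypt_cbc(msg[16:]) == ref.encrypt_cbc(msg)
```

demo() returns four flags: the first load fails, the reload with the chip-supplied checkword succeeds, SS equals IV right after Generate IV, and the resumed stream matches an uninterrupted one.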
________________________________________________________________________

From: szabo@techbook.com (Nick Szabo)
Subject: How to protect your electronic privacy -- consumer pamphlet
To: cypherpunks@toad.com
Date: Tue, 27 Apr 1993 03:20:30 -0700 (PDT)

Here is a handout I've written for our next Portland-area libertarian meeting. Comments welcome. Feel free to distribute freely (you can edit out Portland-specific stuff) with attributions.

----------------------------------------------------------------

How to Protect Your Electronic Privacy
Nick Szabo, April 30 1993
Distribute Freely

We conduct more and more of our legal, political, and private business over the wires. Every decade, the number of phone calls that the government can record for later playback increases by a factor of ten. Commercial organizations gather and sell our transactions; marketers and governments cross-reference them, forming our vast electronic reputation. The number of e-mail messages doubles every year, and many political organizations are coming to rely on networks like Internet and LiberNet. Most e-mail users are unaware that it is the most public medium ever invented, and use it to write love letters, letters to their lawyer, discussion of illegal activities, etc. Vast volumes of e-mail can be stored on small magnetic tapes and searched in bulk for keywords, eg "mari[jh]uana". The good news is, the computer brings an even greater weapon to fight these threats to our privacy and political freedoms: widely available, automatic cryptography.

Instead of developing phones allowing truly private conversations, which are now feasible, AT&T recently put a phone on the market that contains the NSA-designed "Clipper" wiretap chip. All users' encryption keys are registered with the U.S. government, giving it exclusive access to wiretapping this system's phones. The use of an unpublished algorithm and other features also make the system insecure.
"Clipper" would also make traffic analysis (finding out who is calling whom, when, etc.) much easier. The goal of this government/Ma Bell collusion is to subsidize the creation of a standard that forces truly private phone systems off the market.

By purposefully allowing a government backdoor in its "secure" phones, AT&T has demonstrated its contempt for its customers' privacy. Here are some other long-distance providers that may have more respect. All U.S. line providers are required to surrender to telephone taps under government "authorization", but some require more "authorization" than others, or otherwise make a greater fuss about it. Local wiretaps are beyond the control of long-distance companies, but long-distance eavesdropping is much more difficult if the company uses fiber optic instead of microwave links. Ask company representatives for details.

    Allnet Long Distance Services      1-800-783-2020
    MCI, commercial                    1-800-888-0800
    MCI, residential                   1-800-950-5555
    Metromedia Communications Corp.    1-800-275-2273
    One-2-One Communications           1-800-293-4121
    Sprint, residential                1-800-877-7746
    Sprint, business                   1-800-733-5566

Real phone privacy can be obtained with a veil of encryption, by using pairs of phones containing privacy chips, which scramble the signals *and* keep the keys private. Contact your local business telephone dealers for privacy phones from Ericsson, Cylink and other companies. Keep your eye out for portable-computer-based software with voice input that can be used to encrypt voice mail and send it over the networks like e-mail; these may be appearing on the market or as freeware within six months.

Data privacy can be obtained with public-key encryption features which have been added to some of the newer e-mail packages from Microsoft, Apple, Novell, etc. Beware: most software encryption has been restricted by the U.S. government to very weak algorithms. "Cypherpunks" enjoy writing programs to crack the weakened file encryption in Word Perfect, Lotus, etc.
Be sure the software contains the new "RSA" public-key algorithm, which probably cannot be cracked by anybody, even the NSA with their buildings full of supercomputers. A strong freeware RSA package is also available called Pretty Good Privacy (PGP); this is the international standard on the Internet. PGP can also be used for protecting the files on your PC. On an Internet machine type "archie pgp" to find out where PGP is available for download. Several BBS systems also have PGP available.

In public key encryption, there are two keys, one used to lock (really scramble) the data, the other to unlock (unscramble) the data. To join the fun, publish or send your friends your public key, and they can then send you messages only you can unlock with your private key. You collect others' public keys and do the same. PGP key distribution is based on an informal, voluntary web of trust instead of the government's rigid hierarchy which is vulnerable to failure at the top. Just as today's businessmen trade business cards, tomorrow's businessmen will trade public keys -- if the government doesn't ban them first.

For more detailed information on electronic privacy, see:

* Your local phone dealer. If he does not know about privacy issues and phone privacy products, ask him to find out!

* The May/June issue of "Wired" magazine featuring "crypto-rebels" on the cover. A history of computer cryptography and the "cypherpunk" movement, whose goal is to break the government monopoly on cryptography and to restore our right to privacy in the electronic age.

* "Mondo 2000" #9 (most recent) features two good articles on PGP, and a third article on protecting our financial privacy from governments.

* The Winter/Spring issue of "Extropy" features an article on digital cash. Unlike current electronic funds transfer, digital cash increases financial privacy.

* On the Internet, the cypherpunks mailing list (cypherpunks-request@toad.com) and the newsgroups sci.crypt.
In the Portland area two Internet providers are agora (293-1772 data) and techbook (220-0636 data).

* Organizations helping lobby for electronic privacy: Electronic Frontier Foundation (eff.org), Computer Professionals for Social Responsibility (cpsr.org), Privacy International. These are not entirely libertarian (eg EFF tends to support Gore's socialist "Data Highway".)

* James Bamford, _The Puzzle Palace_, 1983: A classic expose of the National Security Agency.

Nick Szabo
szabo@techbook.com

________________________________________________________________________

From: tcmay@netcom.com (Timothy C. May)
Subject: COMP.RISKS is where the action seems to be
To: cypherpunks@toad.com
Date: Mon, 26 Apr 93 22:25:14 PDT

Comp.risks is carrying extensive coverage of the Clipper Chip issue, including Dorothy Denning attempting to defend the Clipper.

Sci.crypt and alt.security.clipper still have more messages, but comp.risks seems to be the place I check first. Being a digest, though, a new one only appears a few times a week.

-Tim

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.

________________________________________________________________________
________________________________________________________________________

The SURFPUNK Technical Journal is a dangerous multinational hacker zine originating near BARRNET in the fashionable western arm of the northern California matrix. Quantum Californians appear in one of two states, spin surf or spin punk. Undetected, we are both, or might be neither.

________________________________________________________________________

Send postings to , subscription requests to . MIME encouraged.
Xanalogical archive access soon. Charming, but may be counterproductive.

________________________________________________________________________
________________________________________________________________________

# The language we will be using for displaying
# messages to the user.
#
# Available languages:
# en = English (default), es = Spanish, fr = French,
# de = German, nl = Dutch, it = Italian, esp = Esperanto,
# lv = Latvian, lt3 = Lithuanian, sv = Swedish, ru = Russian
#
# Languages not yet available:
# fi = Finnish, hu = Hungarian, no = Norwegian, pt = Portugese,
# pt - Portugese, da = Danish, is = Icelandic,
# zh = Chinese, ko = Korean, ar = Arabic, iw = Hebrew,
# el = Greek, tr = Turkish, ja = Japanese
#
# Most of these codes are the ISO 639-1988 2-letter "Codes for
# Representation of Names of Languages"
#
Language = en