NIST Responses to Questions from the Senate Subcommittee on Technology and the Law

1. Q: How long has the key escrow encryption standard been in development? Which agency originated these concepts?

A: The concept of key escrow has been in development, as a solution to meeting the needs for information protection while not harming the government's ability to conduct lawful electronic surveillance, for about five years. The final development and approval process of the Escrowed Encryption Standard (Federal Information Processing Standard 185) began following the President's decision announced on April 16, 1993. The concepts were developed at the National Security Agency, in response to requirements of law enforcement agencies and following discussions with NIST.

2. Q: Before NIST recommended the key escrow encryption method for nonclassified information, did it consider commercially-available encryption methods? If so, why were they rejected?

A: The voluntary key escrow encryption chip was developed specifically because no other products, commercial or otherwise, met the needs of the government for protecting its sensitive information in voice grade telephone communications while at the same time protecting its lawful electronic surveillance capabilities.

3. Q: The Administration recently established an interagency Working Group on Encryption and Telecommunications "to develop new encryption technologies" and "to review and refine Administration policies regarding encryption." Is this Group reviewing the Clipper Chip program?

A: This group is monitoring on-going development of the voluntary key escrow encryption initiative (e.g., alternative methods, better implementations, etc.). It is not reviewing the President's decision to commit the government to promote voluntary key escrow encryption for voice grade telephone communications.

3.1 Q: Has this Working Group yet recommended any changes to the Clipper Chip program? If so, what are those recommendations?
A: The Working Group continues to pursue voluntary key escrow encryption technologies -- and stands ready to work with interested industry firms to do so. It has not recommended any specific changes to the current program.

3.2 Q: What refinements to the Clipper Chip program is this Group considering?

A: It is examining organizations outside the Cabinet Departments to serve as alternative escrow agents. It is also examining issues involving international law enforcement cooperation on voluntary key escrow encryption matters.

3.3 Q: When will this Working Group complete its review of the Clipper Chip program?

A: While there is no re-examination of the Administration's commitment to the key escrow encryption initiative, the review of its implementation will likely continue for some time. This reflects the need to monitor both the voluntary key escrow encryption program and other encryption developments.

4. Q: NIST is supposed to be leading efforts to work with industry to improve on the key escrow chips, to develop key-escrow software and to examine alternatives to Clipper Chip. Could you describe NIST's progress on each of these three tasks? Specifically, what are the improvements and alternatives to Clipper Chip that NIST is considering?

A: The key escrow encryption software working group, which includes several industry representatives, has met several times to: 1) specify and structure the problems to be solved; 2) study the overall system integrity requirements for an acceptable solution; 3) develop and list criteria for evaluating alternative proposed solutions; and 4) begin defining software-based alternatives to the voluntary Clipper Chip key escrow system. This research work can reasonably be expected to last at least two to three years. Regarding hardware improvements, no working group has yet been formed, but the Administration has repeatedly expressed its willingness to work with interested industry participants to develop improvements and alternatives.

5.
Q: The Defense Authorization Bill for Fiscal Year 1994 has authorized $800,000 to be spent by the National Research Council of the National Academy of Sciences to conduct a two-year study of federal encryption policy. Do you think this study is necessary?

A: While we believe that the Administration's review of these issues was thorough, this study may identify new approaches for privacy while preserving lawful electronic surveillance capabilities which would be useful. The NRC's report will receive careful study.

5.1 Q: Why is the Administration not waiting to implement its key escrow encryption program until the National Research Council's study is completed?

A: The Administration's key escrow encryption initiative was announced on April 16, 1993, over seven months before the enactment of the National Defense Authorization Act for FY-94, which authorized the NRC study. The NRC study, which will consider issues substantially broader than those involved in key escrow encryption, will not be completed for at least two more years. The Administration's voluntary key escrow encryption initiative seeks to ensure that in setting new federal standards, lawful electronic surveillance capabilities are not undermined. Delaying our standards would harm federal agencies' capabilities to protect their information. Setting good encryption standards without key escrowing would harm lawful surveillance capabilities.

5.2 Q: Should this study be expedited?

A: NIST is not participating directly in the study, which is not yet underway. We do not know whether the study could be expedited without diminishing its thoroughness and accuracy.

6. Q: The Government wants the key escrow encryption standard to become the de facto industry standard in the United States, but has assured industry that use of the key escrow chips is voluntary. Would the Government abandon the Clipper Chip program if it is shown to be unsuccessful beyond Government use?
A: The key escrow encryption initiative successfully provides for excellent protection of federal information (and that of other users), without undermining the ability of law enforcement to conduct lawful electronic surveillance. Since it meets these goals successfully, the Escrowed Encryption Standard will continue to be a highly satisfactory method of protecting sensitive federal information and, therefore, should remain in effect regardless of its level of adoption within the private sector.

7. Q: If a user first encrypts a message with software using DES, and then transmits the message "double encrypted" with a key escrow chip, can you tell from looking at the cipher, or encrypted text, that the underlying message was encrypted?

A: No. The only way to tell that a message has been "double encrypted" in this way would be to decrypt the "outer layer" of encryption (i.e., that done with Clipper). Only then would one be able to tell that the message had first been encrypted with something else.

8. Q: Capstone is the Skipjack implementation for use with data transmitted electronically. Has the Capstone chip been incorporated in any product currently being marketed? When will the Capstone chip be released?

A: Capstone chips are just now becoming available. The Capstone chip is being incorporated into a personal computer memory card ("PCMCIA card") for use in providing security for sensitive government information in the Defense Message System. This is the only product actually in production using Capstone. The Capstone chip technically can be used for many security applications, not just computer data.

9. Q: As computer and telecommunications technology advances, we are able to send more information at higher speeds. The speed and reliability of our telecommunications infrastructure gives American businesses the necessary edge in our global marketplace.
The specifications for Clipper Chip indicate that it is designed to work on phone systems that transmit information no faster than 14,400 bits per second or on basic-rate ISDN lines, which transmit information at about 64,000 bits per second. Do the Clipper and Capstone Chips work fast enough for advanced telecommunications systems? Will Clipper Chip be able to keep up with the increasing speeds of telecommunications networks? Can the Skipjack algorithm be "scaled" to work at higher speeds?

A: (See combined answer to questions 9 and 10 below.)

10. Q: Other commercially available encryption methods, like the Data Encryption Standard, have encryption rates much higher than Clipper Chip. Current high speed DES processors have encryption rates of approximately 200 million bits per second, which dwarfs the Clipper Chip's maximum throughput of 15 million bits per second. How will the Clipper Chip technology be able to compete with other encryption methods that can keep up with the higher speeds of emerging technologies?

Combined answer to Questions 9 and 10:

A: The Clipper Chip as a hardware device was specially designed for end-to-end encryption of low-speed applications such as digitized voice. It is more than fast enough for this purpose, even if encrypted traffic is carried on the most advanced, high-speed telecommunications backbones. Capstone also was designed for end-to-end encryption of user data. Neither Clipper nor Capstone was designed to perform bulk encryption of high-speed telecommunications backbones. The Skipjack algorithm, like the DES algorithm, is suitable for use at much higher speeds than implemented in Clipper and Capstone, and Skipjack-based hardware can be designed for higher-speed link-encryption applications as the need arises. As the speeds of the newest telecommunications technologies continue to grow, new key escrow devices will be developed as needed.
Key escrow encryption technology will be able to compete with most other encryption methods for very high-speed applications.

11. Q: The Administration has assured industry that the key escrow technology will be enhanced to keep pace with future data requirements. What is the Administration doing to develop key escrow technology that can work with emerging high-speed communications technologies?

A: The Administration is working to identify needs for higher-speed applications of key escrow technology and will work to develop key escrow encryption devices to meet those needs. The technology for escrowing keys is readily adaptable to emerging high-speed applications.

12. Q: Openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. Given the restrictions on who can build key escrow encryption chips, how will these chips keep up with advances in semiconductor speed, power, capacity and integration?

A: Despite the requirements that a firm must meet to produce key escrow encryption chips, we expect that there will be a number of manufacturers competing against each other to produce the best product, and that such competition will drive them to keep up with the latest technological advances. It is worth noting that only a few companies can produce the sophisticated microprocessors you reference, yet the competition in that market has driven them to achieve remarkable advances in that technology.

13. Q: NIST estimates the cost of establishing the key escrow facilities to be $14 million and the cost of operating the key escrow facilities will be about $16 million annually. What is your statutory authority for these expenditures?
A: Under the Computer Security Act of 1987, NIST is responsible not only for developing Federal Information Processing Standards for the protection of sensitive federal government information, but also for providing assistance in using the Standards and applying the results of program activities under the Act. Most directly applicable are sections 278g-3(b)(1) and (3) of title 15 of the U.S. Code. Subsection (3) authorizes NIST to provide technical assistance in implementing the Act to operators of federal systems. Subsection (1) authorizes NIST to assist the private sector in "using and applying" the results of NIST's programs under the Act, thus showing that the scope of the assistance authorized by the Act includes help in applying the standards NIST develops. This section indicates that NIST may provide technical assistance to the private sector rather than just to the federal agencies that must comply with the standards.

14. Q: What has been spent to date on Skipjack, Capstone and Clipper Chip?

A: NIST's FY-94 expenditures through the end of April are approximately $268,000. FY-93 expenditures regarding the Clipper Chip and key escrow encryption technologies involved a significant portion of NIST's computer security budget; specifically, the level of resources devoted to this technology was approximately four years of professional staff time and travel expenses of about $10,000. NSA will provide their funding information separately to the Committee. No cost figure can be assigned to the NSA's development of the SKIPJACK algorithm, in part because it was developed as a family of classified algorithms over a period of years.

15. Q: NIST has explained that the single company manufacturing the Clipper Chips was selected because of its expertise in designing custom encryption chips, as well as its secure facilities and employees with high security clearances. How long will it take for the Government to certify another vendor of Clipper Chip?
What progress, if any, has the Administration made on finding another vendor?

A: Several firms have expressed interest in becoming vendors of key escrow encryption chips. So far, one of these (other than the current company) has demonstrated that it has the technical expertise, secure facilities, and cleared personnel necessary to do the job. We expect that this firm would be able to commence production by early 1996.

16. Q: Once a given chip has been compromised due to use of the escrowed keys, is there any mechanism or program to re-key or replace compromised hardware? Is there any method for a potential acquiring party to verify whether the keys on a given chip have been compromised?

A: It should be emphasized that release of escrowed key components to law enforcement agencies for use in conjunction with lawfully authorized electronic surveillance does not constitute compromise of the particular chip associated with those key components. Upon completion of electronic surveillance, the law enforcement agency's ability to decrypt communications with the particular chip ends, and therefore, those communications again become undecryptable unless and until the key components are released once more. There is no way to re-key chips for which escrowed keys have been used. If a chip could be re-keyed, it might be possible for users to replace the chip unique key, thus defeating the law enforcement access field. The hardware can be replaced with new hardware for which keys have not been released from escrow.

17. Q: The Skipjack algorithm itself is classified, but the halves of the keys held by the escrow agents cannot be since they will be released upon presentation of a court order. Will the databases maintained by the escrow agents to hold the keys be subject to the Freedom of Information Act? What exception will you rely upon to justify withholding requests for information under FOIA?
A: As a matter of clarification, it should be noted that the key components are not themselves part of the SKIPJACK algorithm, nor do they, in combination with each other or with any other group of binary numbers, generate the algorithm, or provide any information regarding its characteristics. We understand your question regarding the Freedom of Information Act as relating to the electronically stored key components held by NIST as an escrow agent, which information associates each particular chip-unique ID number with one of the components of its unique key. Release of these key components would permit a FOIA requestor to circumvent the protections that NIST is required to develop and promulgate as Federal Information Processing Standards under the Computer Security Act of 1987 (P.L. 100-235). Under 5 U.S.C. 552(b)(2), agencies are authorized to withhold information the disclosure of which would risk the circumvention of a statute or agency regulation. Therefore, the key escrow materials are protectible under 5 U.S.C. 552(b)(2).

18. Q: Normal security procedures involve changing cryptography keys periodically, in case one has been compromised. For example, those of us who use E-mail systems are accustomed to periodically changing our password for access to the system. But Clipper Chip's family and unique key cannot be changed by the user. If these keys are compromised, it will not matter how frequently the user changed their session keys. Does the long use of the same family and unique keys increase the likelihood that these keys will be compromised while they are still in use? Does this eliminate a significant degree of the user's control of the level of security that the system provides?

A: No. As discussed in the answers to other questions, access to the key escrow components will be highly controlled. In addition, these components themselves will be encrypted.
Extensive audit procedures have been designed into the system to guard against any unauthorized access. Given these and other extensive protections, it is very unlikely that long use of the same chip unique or family key will have any negative impact upon users' security.

19. Q: How secure is the Clipper Chip if someone gets unauthorized access to half the key?

A: Knowledge of only one key component provides no information about the chip unique key and, therefore, does not in any way harm the security of the user.

20. Q: Every Clipper Chip has the same Family Key programmed into it. When conversations encrypted with Clipper Chip are intercepted, this Family Key is used to decode the intercepted serial number, or unique identifier, which the targeted chip transmits at the beginning of every conversation. With the serial number, the law enforcement agency can get the government set of key components from the escrow agents. Who has access to the Chip Family Key? Is it going to be distributed to all law enforcement agencies so they can quickly decipher serial numbers of chips that may become the target of a wiretap order? Will the Chip Family Key be protected in any way and, if so, how?

A: With respect to the first question, access to the family key is very closely held. The family key is the combination of two binary numbers independently and randomly generated and held, respectively, by the Department of Justice and the FBI. The combined family key is held under tightly controlled conditions in a dual-control safe at the programming facility for use in the programming process. When needed for a programming run, the family key is extracted from storage by specially designated employees of the programming facility, in the presence of representatives of the escrow agents, and entered into the programmer. At the end of a programming run, the programmer is again cleared of the family key.
In addition, the family key is programmed into all law enforcement decrypt processors to discern the particular chip ID number when necessary.

With respect to the question regarding availability of the family key, the foregoing explanation indicates the extraordinary limitations on access to the family key. Agencies desirous of learning whether a particular communication is encrypted with key escrow encryption and, if so, learning the particular chip ID number will have access to the family key only as programmed into the decrypt processor. This may require a particular agency not possessing such a processor to provide to an agency that does hold one the communications suspected of being encrypted, so that the initial determination can be made. It should be emphasized, however, that an agency's determination of whether communications are being encrypted, and of the ID number of the chip performing the encryption, would occur in conjunction with the conduct of a lawfully authorized surveillance -- not, as the question may imply, as part of activities preceding such authorization. Further questions on the protection of the family key are best directed to the U.S. Department of Justice.

21. Q: The Chip Family Key is built into the chip when it is programmed and cannot be changed. In the event that someone got unauthorized access to the Chip Family Key, what could that person do with it?

A: In the very unlikely event that someone were able to gain access to the family key and were able to figure out a means to use it, the only information that could be obtained would be the serial numbers of the EES devices used for a telecommunication. Of course, intercepting such a telecommunication without lawful authorization would be a felony offense.

22. Q: Clipper Chip design data will need to be released to manufacturers in order for them to incorporate the chip into security devices.
How will we be assured that this design information, in itself, will not allow the key escrow chips to be compromised?

A: The only design data which will need to be released to manufacturers of devices using the chip are its interface specifications, such as size, power requirements, data input, and the like. None of these data can in any way be used to determine the encryption algorithm or any other information affecting the security of the encryption.

23. Q: A decrypt device will be used to receive an electronic transmittal of the two key halves from the escrow agents. The decrypt device will then be able to decrypt the intercepted message, until the wiretap authorization ends, when it will automatically turn itself off. How many of these decrypt devices will be built? Will the decrypt devices be maintained in a central secure facility? If so, who will maintain custody of the devices and how will they be distributed to the law enforcement agencies that need them?

A: Termination of a decrypt processor's ability to decrypt communications using a particular key escrow chip is a fundamental protection built into the system, and law enforcement agencies that have received key components will be required to certify such termination. In the prototype model of the decrypt processor, that termination is effected manually; automatic termination will be available in later versions. The number of decrypt processors that will ultimately be produced will probably be in large measure a function of the number of key escrow equipped devices in use throughout the country and the number of times key escrow encryption is encountered in the course of wiretaps. For the foreseeable future, when it is likely that the number of decryption processors will be small, it is likely that they would be centrally held by the FBI, to be made available for use in the field on an as-needed basis.

24.
Q: The key escrow approach is designed to ensure the ability of the American government to access confidential data. What would make key escrow chips manufactured in America an attractive encryption method for foreign customers?

A: The key escrow initiative was undertaken to provide users with robust security without undermining lawfully authorized wiretaps. This point is important to emphasize as the market for this product very much depends on who users perceive as a threat to intercept their communications.

The potential export market for encryption products can be divided into two categories: exports for foreign government use and exports for non-government use. The most likely government users of commercial encryption products would be countries that have a relatively low degree of technical sophistication, lack other resources necessary to develop their own encryption products, and do not perceive the United States as a primary threat. Such countries might be primarily concerned about access to their communications by neighboring countries, terrorists, criminal elements, or domestic political opponents. Such government users might view a vulnerability to possible eavesdropping by the United States as a price worth paying in return for security against those more immediate threats. However, we do not expect such users to constitute a major export market for key escrow encryption products.

The non-government sector represents a much greater potential export market for key escrow encryption products. While some prospective users abroad may steer clear of key escrow products because the United States will retain access, there may be many who believe they are unlikely to be targeted by U.S. intelligence in any case or for whom the superior security offered by key escrow encryption products against threats of greater concern may make key escrow products an attractive option.
(For example, a distributor of pay-TV programming may depend on encryption to ensure that only those viewers who pay for the service can decrypt the TV signal. Such a distributor probably would not be concerned about the threat of access by the United States Government, and might favor key escrow encryption over competing products that use weaker encryption algorithms.) In addition, others may be attracted to key escrow encryption products in part by the need to interoperate with other users of such products, especially businesses in the United States.

25. Q: If key escrow chips are not commercially accepted abroad, and export controls continue to restrict the export of other strong encryption schemes, is the U.S. Government limiting American companies to a U.S. market?

A: U.S. firms have long been major players in the international commercial encryption market despite export controls on encryption products. We do not impose a blanket embargo on products which encrypt data or voice. Encryption products undergo a one-time technical review, the results of which are used in decisions as to whether a given product can be exported to particular end users consistent with U.S. interests. After the one-time review, products are given expedited licensing treatment. Some are licensed for export to virtually all end users. Some products are licensed less widely. Overall, over 95% of export license applications for encryption products are approved. Any encryption product can be exported by U.S. businesses for use in their facilities abroad. In addition, the President recently directed that a number of changes be made in the licensing process to expedite licensing and to ease the regulatory burden on exporters. In short, we have every reason to expect that the U.S. will continue to be a major exporter of commercial encryption products, regardless of the commercial success of key escrow encryption products.

26.
Q: Is the key escrow encryption system compatible with existing encryption methods in use?

A: As is true among devices using different algorithms (e.g., DES, RSA, RC4, etc.), key escrow encryption products will not interoperate with other products using a different algorithm. Note also that many commercial products that use the same algorithm do not interoperate due to other constraints (e.g., transmission rates, voice-digitization process, other protocols, etc.).

27. Q: As part of NIST's continuing review of the key escrow encryption scheme, is NIST considering any new encryption approach that would be compatible with the embedded base of equipment?

A: No new approaches are being considered with the specific goal of compatibility with some installed devices. Note that no encryption approach would be consistent with the entire installed base of equipment. It is too widely varied.

28. Q: Critics of U.S. export restrictions on strong encryption technology argue that these restrictions have the effect of reducing the domestic availability of user-friendly encryption, which could otherwise be routinely incorporated in software and telecommunications equipment. What is the Administration's response to this criticism?

A: We do not believe that export controls have reduced the domestic availability of encryption. Encryption products have been commercially available in this country for a long time, especially since the adoption of the Data Encryption Standard (DES) as a Federal Information Processing Standard in 1977. However, demand for such products has been limited, with government purchases comprising the bulk of the encryption market. As public interest in and understanding of the need for security increases, we are moving aggressively to make available to the public, on a voluntary basis, the voluntary key escrow encryption technology needed to provide strong encryption without sacrificing the public's interest in effective law enforcement.
Far from reducing the domestic availability of encryption, government actions, from adopting the DES standard to development of key escrow encryption technology, and even in driving the market during the years when there was little commercial interest, have greatly increased the domestic availability of encryption products, rather than reducing it.

-----------------------------------------

SENATOR LARRY PRESSLER
SENATE JUDICIARY COMMITTEE
SUBCOMMITTEE ON TECHNOLOGY & THE LAW
HEARING ON THE "CLIPPER CHIP" KEY ESCROW ENCRYPTION PROGRAM
MAY 3, 1994

QUESTIONS FOR PANEL I

Raymond Kammer - Deputy Director, National Institute of Standards and Technology (NIST)

NIST has approved the use of the Clipper Chip as the federal standard for encoding federal communications involving sensitive but unclassified information. Is there a reason why the Clipper Chip is not approved for classified information as well? If so, please explain.

A: The National Security Agency approves encryption systems for the protection of classified information, and is considering approval of Clipper for selected classified applications. The encryption algorithm used in the Clipper Chip, called SKIPJACK, is one of a family of encryption algorithms developed by NSA for use in protecting classified information.

--------------------------------------------

SENATOR PATTY MURRAY
SENATE JUDICIARY COMMITTEE
SUBCOMMITTEE ON TECHNOLOGY AND THE LAW
HEARING ON THE "CLIPPER CHIP" KEY ESCROW ENCRYPTION PROGRAM
MAY 3, 1994

1. In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers' Association says there are at least 120 DES or comparable programs worldwide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad. With at least 20 million people hooked up to the Internet, how do U.S.
export controls actually prevent criminals, terrorists or whoever from obtaining DES encryption software?

A: On the matter of export controls on encryption software (including DES), NIST defers to the National Security Agency, which, we understand, has been asked the same question.
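The key-handling mechanism that questions 19 through 21 above turn on (a chip unique key split between two escrow agents, a family key that identifies the chip but does not decrypt the traffic, and a decrypt processor that needs both escrowed components) can be modelled in a few lines. The Python below is an added example written for this page; it is not code from NIST, NSA or the chip manufacturer. It assumes the FIPS 185 layout that the responses only allude to (an 80-bit key, a 32-bit chip ID, and a unique key equal to the XOR of the two escrowed components), and because SKIPJACK is classified and unavailable it stands in an HMAC-SHA256 keystream for the block cipher; the LEAF checksum and the encryption of the stored components mentioned in question 18 are omitted.

```python
import hashlib
import hmac
import os

KEY_LEN = 10     # SKIPJACK uses an 80-bit key (FIPS 185)
ID_LEN = 4       # 32-bit chip ID field in the law enforcement access field
NONCE_LEN = 12


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def _stream_xor(key, nonce, data):
    # ASSUMPTION: a PRF-based stream cipher, keystream = HMAC-SHA256(key, nonce || counter),
    # stands in for the classified SKIPJACK block cipher.  XOR encrypts and decrypts.
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return xor(data, keystream)


def seal(key, data):
    """Encrypt under a fresh random nonce; the nonce is prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _stream_xor(key, nonce, data)


def unseal(key, blob):
    """Inverse of seal()."""
    return _stream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def make_family_key():
    """Two independently generated random numbers (held by DOJ and FBI per question 20),
    combined into the single family key burned into every chip."""
    part_doj, part_fbi = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    return part_doj, part_fbi, xor(part_doj, part_fbi)


def program_chip():
    """Programming facility: chip ID, chip unique key, and the two escrow components.
    component_1 is a random mask; component_2 = unique_key XOR component_1, so each
    escrow agent holds a value that is uniformly random on its own."""
    chip_id = os.urandom(ID_LEN)
    unique_key = os.urandom(KEY_LEN)
    component_1 = os.urandom(KEY_LEN)
    component_2 = xor(unique_key, component_1)
    return chip_id, unique_key, component_1, component_2


def recombine(component_1, component_2):
    """Decrypt processor: rebuild the chip unique key from both escrowed components."""
    return xor(component_1, component_2)


def partner_component(component, candidate_key):
    """For any guessed unique key there is a second component consistent with the one in hand,
    which is why a single component carries no information about the key (question 19)."""
    return xor(candidate_key, component)


def make_leaf(family_key, chip_id, unique_key, session_key):
    """What the chip transmits at the start of a call: the family-key layer wraps the chip ID
    and the unique-key-encrypted session key."""
    return seal(family_key, chip_id + seal(unique_key, session_key))


def read_chip_id(family_key, leaf):
    """Step one of a wiretap: the family key yields the chip ID and nothing else (question 21)."""
    return unseal(family_key, leaf)[:ID_LEN]


def recover_session_key(family_key, leaf, component_1, component_2):
    """Step two: with the components released by both escrow agents, open the inner layer."""
    inner = unseal(family_key, leaf)[ID_LEN:]
    return unseal(recombine(component_1, component_2), inner)


def run_wiretap_scenario():
    """End-to-end check of the flow described in questions 19 to 21; returns True on success."""
    _, _, family_key = make_family_key()
    chip_id, unique_key, c1, c2 = program_chip()
    session_key = os.urandom(KEY_LEN)
    leaf = make_leaf(family_key, chip_id, unique_key, session_key)
    identified = read_chip_id(family_key, leaf) == chip_id
    with_both = recover_session_key(family_key, leaf, c1, c2) == session_key
    with_one = recover_session_key(family_key, leaf, c1, os.urandom(KEY_LEN)) == session_key
    return identified and with_both and not with_one


if __name__ == "__main__":
    print("wiretap scenario consistent:", run_wiretap_scenario())
```

The point the example makes concrete is the asymmetry in the responses: holding the family key lets a decrypt processor name the chip, but the session key stays sealed under a unique key that exists nowhere except as the XOR of two values held by different agencies, and a single component, or a component paired with a wrong one, decrypts to noise. The nonce-based keystream is only there so the stand-in cipher is safe to reuse across calls; it is not a property of the real LEAF.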