[Head note all pages: May 30, 1996, Prepublication Copy Subject to Further Editorial Correction]

Part III

Policy Options, Findings and Recommendations

Part III consists of two chapters. Chapter 7 considers a wide range of policy options, ranging in scope and scale from large to small. Not every item described in Chapter 7 has been deemed worthy of adoption by the committee, but the committee hopes to broaden the public understanding of cryptography policy by discussing ideas that at least have the support of respectable and responsible elements of the various stakeholding communities. Chapter 8 is a synthesizing chapter that brings together threads of the previous seven chapters and presents the committee's findings and recommendations.

____________________________________________________________

7

Policy Options for the Future

Current national cryptography policy defines only one point in the space of possible policy options. A major difficulty in the public debate over cryptography policy has been incomplete explanation of why the government has rejected certain policy options. Chapter 7 explores a number of possible alternatives to current national cryptography policy, selected by the committee either because they address an important dimension of national cryptography policy or because they have been raised by a particular set of stakeholders. Although in the committee's judgment these alternatives deserve analysis, it does not follow that they necessarily deserve consideration for adoption. The committee's judgments about appropriate policy options are discussed in Chapter 8.

7.1 EXPORT CONTROL OPTIONS FOR CRYPTOGRAPHY

7.1.1 Dimensions of Choice for Controlling the Export of Cryptography

An export control regime -- a set of laws and regulations governing what may or may not be exported under any specified set of circumstances -- has many dimensions that can be considered independently. These dimensions include:

+ *The type of export license granted*.
Three types of export licenses are available:

-- A general license, under which export of an item does not in general require prior government approval but nonetheless is tracked under an export declaration;

-- A special license, under which prior government approval is required but which allows multiple and continuing transactions under one license validation; and

-- An individual license, under which prior government approval is required for each and every transaction.

As a general rule, only individual licenses are granted for the export of items on the U.S. Munitions List, which includes "strong" cryptography.(1)

+ *The strength of a product's cryptographic capabilities*. Current policy recognizes the difference between RC2/RC4 algorithms using 40-bit keys and other types of cryptography, and places fewer and less severe restrictions on the former.

+ *The default encryption settings on the delivered product*. Encryption can be tacitly discouraged, but not forbidden, by the use of appropriate settings.(2)

+ *The type of product*. Many different types of products can incorporate encryption capabilities. Products can be distinguished by medium (e.g., hardware vs. software) and/or intended function (e.g., computer vs. communications).

+ *The extent and nature of features that allow exceptional access*. The Administration has suggested that it would permit the export of encryption software with key lengths of 64 bits or less if the keys were "properly escrowed."(3) Thus, inclusion in a product of a feature for exceptional access could be made one condition for allowing the export of that product. In addition, the existence of specific institutional arrangements (e.g., which specific parties would hold the information needed to implement exceptional access) might be made a condition for the export of these products.

+ *The ultimate destination or intended use of the delivered product*. U.S.
export controls have long distinguished between exports to "friendly" and "hostile" nations. In addition, licenses have been granted for the sale of certain controlled products only when a particular benign use (e.g., financial transactions) could be certified.

A related consideration is the extent to which nations cooperate with respect to re-export of a controlled product and/or export of their own products. For example, CoCom member nations(4) in principle agreed to joint controls on the export of certain products to the Eastern bloc; as a result, certain products could be exported to CoCom member nations much more easily than to other nations.

At present, there are few clear guidelines that enable vendors to design a product that will have a high degree of assurance of being exportable (Chapters 4 and 6). Table 7.1 describes various mechanisms that might be used to manage the export of products with encryption capabilities. The remainder of Section 7.1 describes a number of options for controlling the export of cryptography, ranging from the sweeping to the detailed.

----------

(1) However, as noted in Chapter 4, the current export control regime for cryptography involves a number of categorical exemptions as well as some uncodified "in-practice" exemptions.

(2) Software, and even software-driven devices, commonly have operational parameters that can be selected or set by a user. An example is the fax machine that allows many user choices to be selected by keyboard actions. The parameters chosen by a manufacturer before it ships a product are referred to as the "defaults" or "default condition." Users are generally able to alter such parameters at will.

(3) As of the time of this writing, the precise definition of "properly escrowed" is under debate and review in the Administration. The most recent language on this definition as of December 1995 is provided in Chapter 5.

(4) CoCom refers to the Coordinating Committee, a group of Western nations (and Japan) that agreed to a common set of export control practices during the Cold War to control the export of militarily useful technologies to Eastern bloc nations. CoCom was disbanded in March 1994, and a successor regime known as the New Forum is being negotiated as this report is being written.

____________________________________________________________

7.1.2 Complete Elimination of Export Controls on Cryptography

The complete elimination of export controls (both the USML and the Commerce Control List controls) on cryptography is a proposal that goes beyond most made to date, although certainly such a position has advocates. If export controls on cryptography were completely eliminated, it is possible that within a short time, most information technology products exported from the United States would have encryption capabilities. It would be difficult for the U.S. government to influence the capabilities of these products, or even to monitor their deployment and use worldwide, because numerous vendors would most probably be involved.

Note, however, that the simple elimination of U.S. export controls on cryptography does not address the fact that other nations may have import controls and/or restrictions on the use of cryptography internally. Furthermore, it takes time to incorporate products into existing infrastructures, and slow market growth may encourage some vendors to take their time in developing new products. Thus, simply eliminating U.S. export controls on cryptography would not ensure markets abroad for U.S. products with encryption capabilities; indeed, the elimination of U.S. export controls could in itself stimulate foreign nations to impose import controls more stringently. Appendix G contains more discussion of these issues.

The worldwide removal of all controls on the export, import, and use of products with encryption capabilities would likely result in greater standardization of encryption techniques. Standardization brought about in this manner would result in:

+ Higher degrees of international interoperability of these products;

+ Broader use, or at least more rapid spread, of encryption capabilities as the result of the strong distribution capabilities of U.S. firms;

+ Higher levels of confidentiality, as a result of greater ease in adopting more powerful algorithms and longer keys as standards; and

+ Greater use of cryptography by hostile, criminal, and unfriendly parties as they, too, begin to use commercial products with strong encryption capabilities.

On the other hand, rapid, large-scale standardization would be unlikely unless a few integrated software products with encryption capabilities were able to achieve worldwide usage very quickly. Consider, for example, that although there are no restrictions on domestic use of cryptography in the United States, interoperability is still difficult, in many cases owing to variability in the systems in which the cryptography is embedded. Likewise, many algorithms stronger than DES are well known, and there are no restrictions in place on the domestic use of such algorithms, and yet only DES even remotely approaches common usage (and not all DES-based applications are interoperable).

For reasons well articulated by the national security and law enforcement communities (see Chapter 3) and accepted by the committee, the complete elimination of export controls on products with encryption capabilities does not seem reasonable in the short term. Whether export controls will remain feasible and efficacious in the long term has yet to be seen, although clearly, maintaining even their current level of effectiveness will become increasingly difficult.

7.1.3 Transfer of All Cryptography Products to the Commerce Control List

As discussed in Chapter 4, the Commerce Control List (CCL) complements the U.S. Munitions List (USML) in controlling the export of cryptography. (Box 4.2 in Chapter 4 describes the primary difference between the USML and the CCL.) In 1994, Representative Maria Cantwell (D-Washington) introduced legislation to transfer all mass-market software products involving cryptographic functions to the CCL. Although this legislation never passed, it resulted in the promise and subsequent delivery of an executive branch report on the international market for computer software with encryption.(5)

The Cantwell bill was strongly supported by the software industry because of the liberal consideration afforded products controlled for export by the CCL. Many of the bill's advocates believed that a transfer of jurisdiction to the Commerce Department would reflect an explicit recognition of cryptography as a commercial technology that should be administered under a dual-use export control regime. They argued that, compared to the USML, the CCL is a more balanced regime that still has considerable effectiveness in limiting exports to target destinations and end users.

On the other hand, national security officials regard the broad authorities of the Arms Export Control Act (AECA) as essential to the effective control of encryption exports. The AECA provides authority for case-by-case regulation of exports of cryptography to all destinations, based on national security considerations. In particular, licensing decisions are not governed by factors such as the country of destination, end users, end uses, or the existence of bilateral or multilateral agreements that often limit the range of discretionary action possible in controlling exports pursuant to the Export Administration Act.
Further, the national security provisions of the AECA provide a basis for classifying the specific rationale for any particular export licensing decision made under its authority, thus protecting what may be very sensitive information about the particular circumstances surrounding that decision.

Although sympathetic to the Cantwell bill's underlying rationale, the committee believes that the Cantwell bill does not address the basic dilemma of cryptography policy. As acknowledged by some of the bill's supporters, transfer of a product's jurisdiction to the CCL does not mean automatic decontrol of the product, and national security authorities could still have considerable input into how exports are actually licensed. In general, the committee believes that the idea of split jurisdiction, in which some types of cryptography are controlled under the CCL and others under the USML, makes considerable sense given the various national security implications of widespread use of encryption. However, where the split should be made is a matter of discussion; the committee expresses its own judgments on this point in Chapter 8.

----------

(5) U.S. Department of Commerce and National Security Agency, *A Study of the International Market for Computer Software with Encryption*, prepared for the Interagency Working Group on Encryption and Telecommunications Policy, undated (released on January 11, 1996, by the U.S. Department of Commerce, Office of the Secretary).

____________________________________________________________

7.1.4 End-use Certification

Explicitly exempted under the current International Traffic in Arms Regulations (ITAR) is the export of cryptography for ensuring the confidentiality of financial transactions, specifically for cryptographic equipment and software that are "specially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions."(6) In addition, according to senior National Security Agency (NSA) officials, cryptographic systems, equipment, and software are in general freely exportable for use by U.S.-controlled foreign companies and to banking and financial institutions for purposes other than financial transactions, although NSA regards these approvals as part of the case-by-case review associated with equipment and products that do not enjoy an explicit exemption in the ITAR.

In principle, the ITAR could explicitly exempt products with encryption capabilities for use by foreign subsidiaries of U.S. companies, foreign companies that are U.S.-controlled, and banking and financial institutions. Explicit "vertical" exemptions for these categories could do much to alleviate confusion among users, many of whom are currently uncertain about what cryptographic protection they may be able to use in their international communications, and could enable vendors to make better informed judgments about the size of a given market.

Specific vertical exemptions could also be made for different industries (e.g., health care or manufacturing) and perhaps for large foreign-owned companies that would be both the largest potential customers and the parties most likely to be responsible corporate citizens.
Inhibiting the diversion to other uses of products with encryption capabilities sold to these companies could be the focus of explicit contractual language binding the recipient to abide by certain terms that would be required of any vendor as a condition of sale to a foreign company, as it is today under USML procedures under the ITAR. Enforcement of end-use restrictions is discussed in Chapter 4.

----------

(6) International Traffic in Arms Regulations, Section 121.1, Category XIII (b)(1)(ii).

____________________________________________________________

7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations

The United States could give liberal export consideration to products with encryption capabilities intended for sale to recipients in a select set of nations;(7) exports to nations outside this set would be restricted. Nations in the select set would be expected to have a more or less uniform set of regulations to control the export of cryptography, resulting in a more level playing field for U.S. vendors. In addition, agreements would be needed to control the re-export of products with encryption capabilities outside this set of nations.

Nation-by-nation relaxation of controls is consistent with the fact that different countries generally receive different treatment under the U.S. export control regime for military hardware. For example, exports of U.S. military hardware have been forbidden to some countries because they were terrorist nations, and to others because they failed to sign the nuclear nonproliferation treaty. A harmonization of export control regimes for cryptography would more closely resemble the former CoCom approach to control dual-use items than the approach reflected in the unilateral controls on exports imposed by the USML.

From the standpoint of U.S.
national security and foreign policy, a serious problem with harmonization is the fact that the relationship between the United States and almost all other nations has elements of both competition and cooperation that may change over time. The widespread use of U.S. products with strong encryption capabilities under some circumstances could compromise U.S. positions with respect to these competitive elements, although many of these nations are unlikely to use U.S. products with encryption capabilities for their most sensitive communications.

Finally, as is true for other proposals to liberalize U.S. export controls on cryptography, greater liberalization may well cause some other nations to impose import controls where they do not otherwise exist. Such an outcome would shift the onus for impeding vendor interests away from the U.S. government; however, depending on the nature of the resulting import controls, U.S. vendors of information technology products with encryption capabilities might be faced with the need to conform to a multiplicity of import control regimes established by different nations.

----------

(7) For example, products with encryption capabilities can be exported freely to Canada without the need of a USML export license if intended for domestic Canadian use.

____________________________________________________________

7.1.6 Liberal Export for Strong Cryptography with Weak Defaults

An export control regime could grant liberal export consideration to products with encryption capabilities designed in such a way that the defaults for usage result in weak or non-existent encryption (Box 7.1), but also so that users could invoke options for stronger encryption through an affirmative action.

For example, such a product might be a telephone designed for end-to-end security. The default mode of operation could be set in two different ways. One way would be for the telephone to establish a secure connection if the called party has a comparable unit.
The second way would be for the telephone always to establish an insecure connection; establishing a secure connection would require an explicit action by the user. All experience suggests that the second way would result in far fewer secure calls than the first way.(8)

An export policy favoring the export of encryption products with weak defaults benefits the information-gathering needs of law enforcement and signals intelligence efforts because of user psychology. Many people, criminals and foreign government workers included, often make mistakes by using products "out of the box" without any particular attempt to configure them properly. Such a policy could also take advantage of the distribution mechanisms of the U.S. software industry to spread weaker defaults.

Experience to date suggests that good implementations of cryptography for confidentiality are transparent and automatic and thus do not require positive user action. Such implementations are likely to be chosen by organizations that are most concerned about confidentiality and that have a staff dedicated to ensuring confidentiality (e.g., by resetting weak vendor-supplied defaults). End users that obtain their products with encryption capabilities on the retail store market are the most likely to be affected by this proposal, but such users constitute a relatively small part of the overall market.

----------

(8) Of course, other techniques can be used to further discourage the use of secure modes. For example, the telephone could be designed to force the user to wait several seconds for establishment of the secure mode.

____________________________________________________________

7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces

A cryptographic applications programming interface (CAPI; see Appendix K) is a well-defined boundary between a baseline product (such as an operating system, a database management program, or a word-processing program) and a cryptography module that provides a secure set of cryptographic services such as authentication, digital signature generation, random number generation, and stream or block mode encryption. The use of a CAPI allows vendors to support cryptographic functions in their products without actually providing them at distribution.

Even though such products have no cryptographic functionality per se and are therefore not specifically included in Category XIII of the ITAR (see Appendix L), license applications for the export of products incorporating CAPIs have in general been denied. The reason is that strong cryptographic capabilities could be deployed on a vast scale if U.S. vendors exported applications supporting a common CAPI and a foreign vendor then marketed an add-in module with strong encryption capabilities.(9)

To meet the goals of less restrictive export controls, liberal export consideration could be given to products that incorporate a CAPI designed so that only "certified" cryptographic modules could be incorporated into and used by the application. That is, the application with the CAPI would have to ensure that the CAPI would work only with certified cryptographic modules. This could be accomplished by incorporating into the application a check for a digital signature whose presence would indicate that the add-on cryptographic module was indeed certified; if and only if such a signature were detected by the CAPI would the product allow use of the module.

One instantiation of a CAPI is the CAPI built into applications that use the Fortezza card (discussed in Chapter 5).
CAPI software for Fortezza is available for a variety of operating systems and PC-card reader types; such software incorporates a check to ensure that the device being used is itself a Fortezza card. The Fortezza card contains a private Digital Signature Standard (DSS) key that can be used to sign a challenge from the workstation. The corresponding DSS public key is made available in the CAPI, and thus the CAPI is able to verify the authenticity of the Fortezza card.

A second approach to the use of a CAPI has been proposed by Microsoft and is now eligible for liberal export consideration by the State Department (Box 7.2). The Microsoft approach involves three components: an operating system with a CAPI embedded within it, modules providing cryptographic services through the CAPI, and applications that can call on the modules through the CAPI provided by the operating system. In principle, each of these components is the responsibility of different parties: Microsoft is responsible for the operating system, cryptography vendors are responsible for the modules, and independent applications vendors are responsible for the applications that run on the operating system.

From the standpoint of national security authorities, the effectiveness of an approach based on the use of a certified CAPI/module combination depends on a number of factors. For example, the product incorporating the CAPI should be known to be implemented in a manner that enforces the appropriate constraints on crypto-modules that it calls; furthermore, the code that provides such enforcement should not be trivially bypassed. The party certifying the crypto-module should protect the private signature key used to sign it.
Vendors would still be required to support domestic and exportable versions of an application if the domestic version was allowed to use any module while the export version was restricted in the set of modules that would be accepted, although the amount of effort required to develop these two different versions would be quite small.

The use of CAPIs that check for appropriate digital signatures would shift the burden for export control from the applications or systems vendors to the vendors of the cryptographic modules. This shift could benefit both the government and vendors, because of the potential to reduce the number of players engaged in the process. For example, all of the hundreds of e-mail applications on the market could quickly support encrypted e-mail by supporting a CAPI developed by a handful of software and/or hardware cryptography vendors. The cryptography vendors would be responsible for dealing with the export and import controls of various countries, leaving e-mail application vendors to export freely anywhere in the world. Capabilities such as escrowed encryption could be supported within the cryptography module itself, freeing the applications or system vendor from most technical, operational, and political issues related to export control.

A trustworthy CAPI would also help to support cryptography policies that might differ among nations. In particular, a given nation might specify certain performance requirements for all cryptography modules used or purchased within its borders.(10) International interoperability problems resulting from conflicting national cryptography policies would still remain.

----------

(9) This discussion refers only to "documented" or "open" CAPIs, i.e., CAPIs that are accessible to the end user. Another kind of CAPI is "undocumented" and "closed", that is, it is inaccessible to the end user, though it is used by system developers for their own convenience.
While a history of export licensing decisions and practices supports the conclusion that most products implementing "open" CAPIs will not receive export licenses, history provides no consistent guidance with respect to products implementing CAPIs that are inaccessible to the end user.

(10) An approach to this effect is the thrust of a proposal from Hewlett-Packard. The Hewlett-Packard International Cryptography Framework (ICF) proposal includes a stamp-size "policy card" (smart card) that would be inserted into a cryptographic unit that is a part of a host system. Cryptographic functions provided within the cryptographic unit could be executed only with the presence of a valid policy card. The policy card could be configured to enable only those cryptographic functions that are consistent with government export and local policies. The "policy card" allows for managing the use of the integrated cryptography down to the application-specific level. By obtaining a new policy card, customers could be upgraded to take advantage of varying cryptographic capabilities as government policies or organizational needs change. As part of an ICF solution, a network security server could be implemented to provide a range of different security services including verification of the other three service elements (the card, the host system, the cryptographic unit). Sources: Carl Snyder, Hewlett-Packard, testimony to the NRC committee in February 1995; Hewlett-Packard, *International Cryptography Framework White Paper*, February 1994.

____________________________________________________________

7.1.8 Liberal Export for Escrowable Products with Encryption Capabilities

As discussed in Chapter 5, the Administration's proposal of August 17, 1995, would allow liberal export consideration for software products with encryption capabilities whose keys are "properly escrowed."
In other words, strong cryptography would be enabled for these products only when the keys were escrowed with appropriate escrow agents.

An escrowed encryption product differs from what might be called an "escrowable" product. Specifically, an escrowed encryption product is one whose key must be escrowed with a registered, approved agent before the use of (strong) cryptography can be enabled, whereas an escrowable product is one that provides full cryptographic functionality that includes optional escrow features for the user. The user of an escrowable product can choose whether or not to escrow the relevant keys, but regardless of the choice, the product still provides its full suite of encryption capabilities.(11)

Liberal export consideration for escrowable products could be granted and incentives promulgated to encourage the use of escrow features. While the short-term disadvantage of this approach from the standpoint of U.S. national security is that it allows encryption stronger than the current 40-bit RC2/RC4 encryption allowed under present regulations to diffuse into foreign hands, it has the long-term advantage of providing foreign governments with a tool for influencing or regulating the use of cryptography as they see fit. Currently, most products with encryption capabilities do not have built-in features to support escrow. However, if products were designed and exported with such features, governments would have a hook for exercising some influence. Some governments might choose to require the escrowing of keys, while others might simply provide incentives to encourage escrowing. In any event, the diffusion of escrowable products abroad would raise the awareness of foreign governments, businesses, and individuals about encryption and thus lay a foundation for international cooperation on the formulation of national cryptography policies.

----------

(11) For example, an escrowable product would not enable the user to encrypt files with passwords. Rather, the installation of the product would require the user to create a key or set of named keys, and these keys would be used when encrypting files. The installation would also generate a protected "safe copy" of the keys with instructions to the user that they should register the key "somewhere." It would be up to the user to decide where or whether to register the key.

____________________________________________________________

7.1.9 Alternatives to Government Certification of Escrow Agents Abroad

As discussed in Chapter 5, the Administration's August 1995 proposal focuses on an implementation of escrowed encryption that involves the use of "escrow agents certified by the U.S. government or by foreign governments with which the U.S. government has formal agreements consistent with U.S. law enforcement and national security requirements."(12) This approach requires foreign customers of U.S. escrowed encryption products to use U.S. escrow agents until formal agreements can be negotiated that specify the responsibilities of foreign escrow agents to the United States for law enforcement and national security purposes.

Skeptics ask what incentives the U.S. government would have to conclude the formal agreements described in the August 1995 proposal if U.S. escrow agents would, by default, be the escrow agents for foreign consumers. They believe that the most likely result of adopting the Administration's proposal would be U.S. foot-dragging and inordinate delays in the consummation of formal agreements for certifying foreign escrow agents. Appendix G describes some of the U.S. government efforts to date to promote a dialogue on such agreements.

The approaches described below address problems raised by certifying foreign escrow agents:

+ *Informal arrangements for cooperation*.
One alternative is based on the fact that the United States enjoys strong cooperative law enforcement relationships with many nations with which it does not have formal agreements regarding cooperation. Negotiation of a formal agreement between the United States and another nation could be replaced by presidential certification that strong cooperative law enforcement relationships exist between the United States and that nation. Subsequent cooperation would be undertaken on the same basis that cooperation is offered today.

+ *Contractual key escrow*. A second alternative is based on the idea that formal agreements between nations governing exchange of escrowed key information might be replaced by private contractual arrangements.(13) A user that escrows key information with an escrow agent, wherever that agent is located, would agree contractually that the U.S. government would have access to that information under a certain set of carefully specified circumstances. A suitably designed exportable product would provide strong encryption only upon receipt of affirmative confirmation that the relevant key information had been deposited with escrow agents requiring such contracts with users. Alternatively, as a condition of sale, end users could be required to deposit keys with escrow agents subject to such a contractual requirement.

----------

(12) See Box 5.3, Chapter 5.

(13) Henry Perritt, "Transnational Key Escrow," paper presented at the International Cryptography Institute, Washington, D.C., September 22, 1995.

____________________________________________________________

7.1.10 Use of Differential Work Factors in Cryptography

Differential work factor cryptography is an approach to cryptography that presents different work factors to different parties attempting to cryptanalyze a given piece of encrypted information.(14) Iris Associates, the creator of Notes, proposed such an approach for Lotus Notes Version 4 to facilitate its export, and the U.S.
government has accepted it. Specifically, the international edition of Lotus Notes Version 4 is designed to present a 40-bit work factor to the U.S. government and a 64-bit work factor to all other parties. It implements this differential work factor by encrypting 24 bits of the 64-bit key with the public-key portion of an RSA key pair held by the U.S. government. Because the U.S. government can easily decrypt these 24 bits, it faces only a 40-bit work factor when it needs access to a communications stream overseas encrypted by the international edition. All other parties attempting to cryptanalyze a message face a 64-bit work factor.

Differential work factor cryptography is similar to partial key escrow (described in Chapter 5) in that both provide very strong protection against most attackers but are vulnerable to attack by some specifically chosen authority. However, they are different in that differential work factor cryptography does not require user interaction with an escrow agent, and so it can offer strong cryptography "out of the box." Partial key escrow offers all of the strengths and weaknesses of escrowed encryption, including the requirement that the enabling of strong cryptography does require interaction with an escrow agent.

----------

(14) Recall from Chapter 2 that a work factor is a measure of the amount of work that it takes to undertake a brute-force exhaustive cryptanalytic search.

____________________________________________________________

7.1.11 Separation of Cryptography from other Items on the U.S. Munitions List

As noted in Chapter 4, the inclusion of products with encryption capabilities on the USML puts them on a par with products intended for strictly military purposes (e.g., tanks, missiles). An export control regime that authorized the U.S.
government to separate cryptography -- a true dual-use technology -- from strictly military items would provide much needed flexibility in dealing with nations on which the United States wishes to place sanctions.

7.2 ALTERNATIVES FOR PROVIDING GOVERNMENT EXCEPTIONAL ACCESS TO ENCRYPTED DATA

Providing government exceptional access to encrypted data is an issue with a number of dimensions, only some of which relate directly to encryption.

7.2.1 A Prohibition of the Use and Sale of Cryptography Lacking Features for Exceptional Access

One obvious approach to ensuring government exceptional access to encrypted information is to pass legislation that forbids the use of cryptography lacking features for such access, presumably with criminal penalties attached for violation. (Given that escrowed cryptography appears to be the most plausible approach to providing government exceptional access, the term "unescrowed cryptography" is used here as a synonym for cryptography without features for exceptional access.) Indeed, opponents of the Escrowed Encryption Standard (EES) and the Clipper chip have argued repeatedly that the EES approach would succeed only if alternatives were banned.(15) Many concerns have been raised about the prospect of a mandatory prohibition on the use of unescrowed cryptography.

From a law enforcement standpoint, a legislative prohibition on the use of unescrowed encryption would have clear advantages. Its primary impact would be to eliminate the commercial supply of unescrowed products with encryption capabilities -- vendors without a market would most likely not produce or distribute such products, thus limiting access of criminals to unescrowed encryption and increasing the inconvenience of evading a prohibition on use of unescrowed encryption. At the same time, such a prohibition would leave law-abiding users with strong concerns about the confidentiality of their information being subject to procedures beyond their control.
A legislative prohibition of the use of unescrowed encryption also raises specific technical, economic, and legal issues.

Concerns About Personal Freedom

The Clinton Administration has stated that it has no intention of outlawing unescrowed cryptography, and it has repeatedly and explicitly disavowed any intent to regulate the domestic use of cryptography. However, no administration can bind future administrations (a fact freely acknowledged by administration officials). Thus, some critics of the Administration position believe that the dynamics of the encryption problem may well drive the government -- sooner or later -- to prohibit the use of encryption without government access.(16) The result is that the Administration is simply not believed when it forswears any intent to regulate cryptography used in the United States. Two related concerns are raised:

+ *The "slippery slope."* Many skeptics fear that current cryptography policy is the first step down a slippery slope toward a more restrictive policy regime under which government may not continue to respect limits in place at the outset. An oft-cited example is current use of the Social Security Number, which was not originally intended to serve as a universal identifier when the Social Security Act was passed in 1935 but has, over the last 50 years, come to serve exactly that role by default, simply because it was there to be exploited for purposes not originally intended by the enabling legislation.

+ *Misuse of deployed infrastructure for cryptography*. Many skeptics are concerned that a widely deployed infrastructure for cryptography could be used by a future administration or Congress to promulgate and/or enforce restrictive policies regarding the use of cryptography. With such an infrastructure in place, critics argue that a simple policy change might be able to transform a comparatively benign deployment of technology into an oppressive one.
For example, critics of the Clipper proposal were concerned about the possibility that a secure telephone system with government exceptional access capabilities could, under a strictly voluntary program to encourage its purchase and use, achieve moderate market penetration. Such market penetration could then facilitate legislation outlawing all other cryptographically secure telephones.(17) Adding to these concerns are suggestions such as those made by a responsible and senior government official that even research in cryptography conducted in the civilian sector should be controlled in a legal regime similar to that which governs research with relevance to nuclear weapons design (Box 7.3). Ironically, former NSA Director Bobby Inman's comments on scientific research appeared in an article that called for greater cooperation between academic scientists and national security authorities and used as a model of cooperation an arrangement, recommended by the Public Cryptography Study Group, that has worked generally well in balancing the needs of academic science and those of national security.(18) Nevertheless, Inman's words are often cited as reflecting a national security mind-set that could lead to a serious loss of intellectual freedom and discourse. More recently, FBI Director Louis Freeh stated to the committee that "other approaches may be necessary" if technology vendors do not adopt escrowed encryption on their own. Moreover, the current Administration has explicitly rejected the premise that "every American, as a matter of right, is entitled to an unbreakable encryption product."(19) Given concerns about possible compromises of personal and civil liberties, many skeptics of government in this area believe that the safest approach is for government to stay out of cryptography policy entirely. 
They argue that any steps in this area, no matter how well intentioned or plausible or reasonable, must be resisted strongly, because such steps will inevitably be the first poking of the camel's nose under the tent.

Technical Issues

Even if a legislative prohibition on the use of unescrowed encryption were enacted, it would be technically easy for parties with special needs for security to circumvent such a ban. In some cases, circumvention would be explicitly illegal, while in others it might well be entirely legal. For example:

+ Software for unescrowed encryption can be downloaded from the Internet; such software is available even today. Even if posting such software in the United States were to be illegal under a prohibition, it would nonetheless be impossible to prevent U.S. Internet users from downloading software that had been posted on sites abroad.

+ Superencryption can be used. Superencryption (sometimes also known as double encryption) is encryption of traffic before it is given to an escrowed encryption device or system. For technical reasons, superencryption is impossible to detect without monitoring and attempting to decrypt all escrow-encrypted traffic, and such large-scale monitoring would be seriously at odds with the selected and limited nature of wiretaps today. An additional difficulty with superencryption is that it is not technically possible to obtain escrow information for all layers simultaneously, because the fact of double and triple encryption cannot be known in advance. Even if the second (or third or fourth) layers of encryption were escrowed, law enforcement authorities would have to approach separately and sequentially the escrow agents holding key information for those layers.

+ Talent for hire is easy to obtain. A criminal party could easily hire a knowledgeable person to develop needed software.
For example, an out-of-work or underemployed scientist or mathematician from the former Soviet Union would find a retainer fee of $500 per month to be a king's ransom.(20)

+ Information can be stored remotely. An obvious noncryptographic circumvention is to store data on a remote computer whose Internet address is known only to the user. Such a computer could be physically located anywhere in the world (and might even automatically encrypt files that were stored there). But even if it were not encrypted, data stored on a remote computer would be impossible for law enforcement officials to access without the cooperation of the data's owner. Such remote storage could occur quite legally even with a ban on the use of unescrowed encryption.

+ Demonstrating that a given communication or data file is "encrypted" is fraught with ambiguities arising from the many different possibilities for sending information:

-- An individual might use an obscure data format. For example, while ASCII is the most common representation of alphanumeric characters today, Unicode (a proposed 16-bit representation) and EBCDIC (a more-or-less obsolete 8-bit representation) are equally good for sending plain English text.

-- An individual talking to another individual might speak in a language such as Navajo.

-- An individual talking to another individual might speak in code phrases.

-- An individual might send compressed digital data that could easily be confused with encrypted data despite having no purpose related to encryption. If, for example, an individual develops his own good compression algorithm and does not share it with anyone, that compressed bit stream may prove as difficult to decipher as an encrypted bit stream.(21)

-- An individual might deposit fragments of a text or image that he wished to conceal or protect in a number of different Internet-accessible computers.
The plaintext (i.e., the reassembled version) would be reassembled into a coherent whole only when downloaded into the computer of the user.(22)

-- An individual might use steganography.(23)

None of these alternative coding schemes provides confidentiality as strong as would be provided by good cryptography, but their extensive use could well complicate attempts by government to obtain plaintext information.

Given so many different ways to subvert a ban on the use of unescrowed cryptography, emergence of a dedicated subculture is likely in which the nonconformists would use coding schemes or unescrowed cryptography impenetrable to all outsiders.

Economic Concerns

An important economic issue that would arise with a legislative prohibition on the use of unescrowed cryptography would involve the political difficulty of mandating abandonment of existing user investments in products with encryption capabilities. These investments, considerable even today, are growing rapidly, and the expense to users of immediately having to replace unescrowed encryption products with escrowed ones could be enormous;(24) a further expense would be the labor cost involved in decrypting existing encrypted archives and reencrypting them using escrowed encryption products. One potential mitigating factor for cost is the short product cycle of information technology products. Whether users would abandon nonconforming products in favor of new products with escrowing features -- knowing that they were specifically designed to facilitate exceptional access -- is open to question.

Legal and Constitutional Issues

Even apart from the issues described above, which in the committee's view are quite significant, a legislative ban on the domestic use of unescrowed encryption would raise constitutional issues.
Insofar as a prohibition on unescrowed encryption were treated for constitutional purposes as a limitation on the content of communications, the government would have to come forward with a compelling state interest to justify the ban. To some, a prohibition on the use of unescrowed encryption would be the equivalent of a law proscribing use of a language (e.g., Spanish), which would almost certainly be unconstitutional. On the other hand, if such a ban were regarded as tantamount to eliminating a method of communication (i.e., were regarded as content-neutral), then the courts would employ a simple balancing test to determine its constitutionality. The government would have to show that the public interests were jeopardized by a world of unrestrained availability of encryption, and these interests would have to be weighed against the free speech interests sacrificed by the ban. It would also be significant to know what alternative forms or methods of anonymous communication would remain available with a ban and how freedom of speech would be affected by the specific system of escrow chosen by the government. These various considerations are difficult, and in some cases impossible, to estimate in advance of particular legislation and a particular case, but the First Amendment issues likely to arise with a total prohibition on the use of unescrowed encryption are not trivial.(25)

A step likely to raise fewer constitutional problems, but not eliminate them, is one that would impose restrictions on the commercial sale of unescrowed products with encryption capabilities.(26) Under such a regime, products with encryption capabilities eligible for sale would have to conform to certain restrictions intended to ensure public safety, in much the same way that other products such as drugs, automobiles, and meat must satisfy particular government regulations.
"Freeware" or home-grown products with encryption capabilities would be exempt from such regulations as long as they were used privately. The problem of already-deployed products would remain, but in a different form: new products would either interoperate or not interoperate with existing already-deployed products. If noninteroperability were required, users attempting to maintain and use two noninteroperating systems would be faced with enormous expenses. If interoperability were allowed, the intent of the ban would be thwarted. Finally, any national policy whose stated purpose is to prevent the use of unescrowed encryption preempts decision making that the committee believes properly belongs to users. As noted in Chapter 5, escrowed encryption reduces the level of assured confidentiality in exchange for allowing controlled exceptional access to parties that may need to retrieve encrypted data. Only in a policy regime of voluntary compliance can users decide how to make that trade-off. A legislative prohibition of the use or sale of unescrowed encryption would be a clear statement that law enforcement needs for exceptional access to information clearly outweigh user interests in having maximum possible protection for their information, a position that has yet to be defended or even publicly argued by any player in the debate. ---------- (15) For example, see Electronic Privacy Information Center, press release, August 16, 1995, available at http://www.epic.org. (16) For example, Senator Charles Grassley (R-IA) introduced legislation (The Anti-Electronic Racketeering Act of 1995) on June 27, 1995, to "prohibit certain acts involving the use of computers in the furtherance of crimes." 
The proposed legislation makes it unlawful "to distribute computer software that encodes or encrypts electronic or digital communications to computer networks that the person distributing the software knows or reasonably should know, is accessible to foreign nationals and foreign governments, regardless of whether such software has been designated as nonexportable," except for software that uses "a universal decoding device or program that was provided to the Department of Justice prior to the distribution."

(17) By contrast, a deployed infrastructure could have characteristics that would make it quite difficult to implement policy changes on a short time scale. For example, it would be very difficult to implement a policy change that would change the nature of the way in which people use today's telephone system. Not surprisingly, policy makers would prefer to work with infrastructures that are quickly responsive to their policy preferences.

(18) The arrangement recommended by the Public Cryptography Study Group called for voluntary prepublication review of all cryptography research undertaken in the private sector. For more discussion of this arrangement, see Public Cryptography Study Group, *Report of the Public Cryptography Study Group*, American Council on Education, Washington, D.C., February, 1981. A history leading to the formation of the Public Cryptography Study Group can be found in National Research Council, "Voluntary Restraints on Research With National Security Implications: The Case of Cryptography, 1972-1982," in *Scientific Communication and National Security*, National Academy Press, Washington, D.C., 1982, Appendix E, pp. 120-125. The ACM study on cryptography policy concluded that this prepublication arrangement has not resulted in any chilling effects in the long term (see Susan Landau et al., *Codes, Keys and Conflicts: Issues in U.S. Crypto Policy*, ACM, New York, 1994, p. 39).
(19) "Questions and Answers About the Clinton Administration's Telecommunications Initiative," undated document. Released on April 16, 1993, with the "Statement by the Press Secretary on the Clipper Chip." See *The Third CPSR Cryptography and Privacy Conference Source Book*, June 7, 1993, Part III.

(20) Alan Cooperman and Kyrill Belianinov, "Moonlighting by Modem in Russia," *U.S. News & World Report*, April 17, 1995, pp. 45-48. In addition, many high-technology jobs are moving overseas in general, not just to the former Soviet Union. See for example, Keith Bradsher, "Skilled Workers Watch Their Jobs Migrate Overseas," *New York Times*, August 28, 1995, p. 1.

(21) A discussion of using text compression for confidentiality purposes can be found in Ian Witten and John Cleary, "On the Privacy Afforded by Adaptive Text Compression," *Computers and Security*, July 1988, Volume 7(4), pp. 397-408. One problem in using compression schemes as a technique for ensuring confidentiality is that almost any practical compression scheme has the characteristic that closely similar plaintexts would generate similar ciphertexts, thereby providing a cryptanalyst with a valuable advantage not available if a strong encryption algorithm is used.

(22) Jaron Lanier, "Unmuzzling the Internet: How to Evade the Censors and Make a Statement, Too," OpEd, *New York Times*, January 2, 1996, p. A-15.

(23) Steganography is the name given to techniques for hiding a message within another message. For example, the first letter of each word in a sentence or a paragraph can be used to spell out a message, or a photograph can be constructed so as to conceal information. Specifically, most black-and-white pictures rendered in digital form use at most 2^16 (65,536) shades of gray, because the human eye is incapable of distinguishing any more shades. Each element of a digitized black-and-white photo would then be associated with 16 bits of information about what shade of gray should be used.
If a picture were digitized with 24 bits of gray scale, the last 8 bits could be used to convey a concealed message that would never appear except for someone who knew to look for it. The digital size of the picture would be 50% larger than it would ordinarily be, but no one but the creator of the image would know.

(24) Existing unescrowed encryption products could be kept in place if end users could be made to comply with a prohibition of the use of such products. In some cases, a small technical fix might suffice to disable the cryptography features of a system; such fixes would be most relevant in a computing environment in which the software used by end users is centrally administered (as in the case of many corporations) and provides system administrators with the capability for turning off encryption. In other cases, users -- typically individual users who had purchased their products from retail store outlets -- would have to be trusted to refrain from using encryption.

(25) For a view arguing that relevant Fourth and Fifth Amendment issues would be resolved against the constitutionality of such a prohibition, see Michael Froomkin, "The Metaphor Is the Key: Cryptography, The Clipper Chip and the Constitution," *University of Pennsylvania Law Review*, Volume 143(3), January 1995, pp. 709-897. The committee takes no position on these Fourth and Fifth Amendment issues.

(26) Such a scheme has been suggested by Dorothy Denning in "The Future of Cryptography," *Internet Security Monthly*, October 1995, p. 10. (Also available from http://www.cosc.georgetown.edu/~denning/crypto.) Denning's paper does not suggest that "freeware" be exempt, although her proposal would provide an exemption for personally developed software used to encrypt personal files.
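
The ambiguity described under Technical Issues in Section 7.2.1 (obscure data formats, compressed data mistaken for encrypted data) can be reproduced by running a simple "is this encrypted?" rule over constructed samples. This Python sketch is an added example, not part of the report; the word list, the cutoffs and the verdict labels are assumptions chosen for illustration.

```python
import math
import random
import secrets
import zlib
from collections import Counter

# Constructed vocabulary used to build a plain English-like sample text.
WORDS = ("export control escrow agent key policy license vendor market user "
         "network file message record access law court order data system").split()


def sample_text(n_words: int = 6000, seed: int = 1996) -> str:
    """Build a reproducible, non-repeating sample text (constructed input)."""
    rng = random.Random(seed)
    return " ".join(rng.choices(WORDS, k=n_words))


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (8.0 is the maximum)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def one_time_pad(data: bytes) -> bytes:
    """Encrypt by XOR with a fresh random pad; the pad is discarded here."""
    pad = secrets.token_bytes(len(data))
    return bytes(d ^ p for d, p in zip(data, pad))


def naive_verdict(data: bytes, entropy_cutoff: float = 7.5,
                  printable_cutoff: float = 0.9) -> str:
    """A hypothetical screening rule: high entropy is taken to mean encryption."""
    if shannon_entropy(data) >= entropy_cutoff:
        return "looks encrypted"
    if printable_ratio(data) < printable_cutoff:
        return "unreadable"
    return "plaintext"


def survey() -> dict:
    """Apply the rule to one text in five representations."""
    text = sample_text()
    ascii_bytes = text.encode("ascii")
    samples = {
        "ascii": ascii_bytes,
        "ebcdic": text.encode("cp037"),          # EBCDIC code page 037
        "utf-16": text.encode("utf-16-le"),      # 16-bit representation
        "zlib": zlib.compress(ascii_bytes, 9),   # compressed, not encrypted
        "one-time pad": one_time_pad(ascii_bytes),
    }
    return {
        name: (round(shannon_entropy(blob), 2),
               round(printable_ratio(blob), 2),
               naive_verdict(blob))
        for name, blob in samples.items()
    }


if __name__ == "__main__":
    for name, (entropy, printable, verdict) in survey().items():
        print(f"{name:13s} entropy={entropy:4.2f} printable={printable:4.2f} {verdict}")
```

The compressed sample and the encrypted sample receive the same verdict, while the EBCDIC and 16-bit samples are flagged as unreadable although they are plain text in another encoding.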
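
The differential work factor of Section 7.1.10, scaled down so that both searches finish in about a second, as an added Python example that is not taken from the report or from Lotus Notes. Here 18 and 10 bits stand in for the report's 64 and 24; the toy RSA key, the random padding of the wrapped bits and the SHA-256 keystream cipher are assumptions made for the demonstration.

```python
import hashlib
import secrets

KEY_BITS = 18        # stands in for the 64-bit key described in the report
ESCROWED_BITS = 10   # stands in for the 24 bits wrapped for the authority
PAD_BITS = 64        # random padding added before RSA encryption (assumption)

# Toy RSA key pair for the authority, built from two Mersenne primes.
# Constructed for the demonstration; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR with SHA-256(key || offset). Not a vetted cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(8, "big") + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def wrap_for_authority(key: int) -> int:
    """Encrypt the top ESCROWED_BITS of the key under the authority's public key.

    The random padding matters: without it, anyone could encrypt all
    2**ESCROWED_BITS guesses with the public key and compare the results.
    """
    top = key >> (KEY_BITS - ESCROWED_BITS)
    padded = (secrets.randbits(PAD_BITS) << ESCROWED_BITS) | top
    return pow(padded, E, N)


def unwrap(field: int) -> int:
    """Authority side: recover the wrapped key bits with the private key."""
    return pow(field, D, N) & ((1 << ESCROWED_BITS) - 1)


def brute_force(ciphertext: bytes, known_prefix: bytes,
                unknown_bits: int, fixed_top: int = 0):
    """Exhaustive search over the unknown low bits; returns (key, trials)."""
    head = ciphertext[:len(known_prefix)]
    for trials, low in enumerate(range(1 << unknown_bits), start=1):
        candidate = (fixed_top << unknown_bits) | low
        if keystream_xor(candidate, head) == known_prefix:
            return candidate, trials
    return None, 1 << unknown_bits


def worst_case_trials(key_bits: int, escrowed_bits: int):
    """Worst-case trial counts for (authority, everyone else)."""
    return 2 ** (key_bits - escrowed_bits), 2 ** key_bits


def demo(key=None):
    """Encrypt one constructed message and search for its key both ways."""
    if key is None:
        key = secrets.randbits(KEY_BITS)
    message = b"SUBJECT: quarterly figures attached"   # constructed sample
    ciphertext = keystream_xor(key, message)
    field = wrap_for_authority(key)                     # travels with the message
    auth_key, auth_trials = brute_force(
        ciphertext, b"SUBJECT:", KEY_BITS - ESCROWED_BITS, unwrap(field))
    out_key, out_trials = brute_force(ciphertext, b"SUBJECT:", KEY_BITS)
    return key, auth_key, auth_trials, out_key, out_trials


if __name__ == "__main__":
    key, auth_key, auth_trials, out_key, out_trials = demo()
    print(f"authority: key {auth_key:#x} after {auth_trials} trials")
    print(f"outsider:  key {out_key:#x} after {out_trials} trials")
    print("report's figures (authority, others):", worst_case_trials(64, 24))
```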
____________________________________________________________

7.2.2 Criminalization of the Use of Cryptography in the Commission of a Crime

Proposals to criminalize the use of cryptography in the commission of a crime have the advantage that they focus the weight of the criminal justice system on the "bad guy" without placing restrictions on the use of cryptography by "good guys." Further, deliberate use of cryptography in the commission of a crime could result in considerable damage, either to society as a whole or to particular individuals, in circumstances suggesting premeditated wrongdoing, an act that society tends to view as worthy of greater punishment than a crime committed in the heat of the moment.

Two approaches could be taken to criminalize the use of cryptography in the commission of a crime:

+ Construct a specific list of crimes in which the use of cryptography would subject the criminal to additional penalties. For example, using a deadly weapon in committing a robbery or causing the death of someone during the commission of a crime are themselves crimes that lead to additional penalties.

+ Develop a blanket provision stating that the use of cryptography for illegal purposes (or for purposes contrary to law) is itself a felony.

In either event, additional penalties for the use of cryptography could be triggered by a conviction for a primary crime, or they could be imposed independently of such a conviction. Precedents include the laws criminalizing mail fraud (fraud is a crime, generally a state crime, but mail fraud -- use of the mails to commit fraud -- is an additional federal crime) and the use of a gun during the commission of a felony.

Intentional use of cryptography in the concealment of a crime could also be criminalized.
Since the use of cryptography is a prima facie act of concealment, such an expansion would reduce the burden of proof on law enforcement officials, who would have to prove only that cryptography was used intentionally to conceal a crime. Providers of cryptography would be criminally liable only if they had knowingly provided cryptography for use in criminal activity. On the other hand, a law of more expansive scope might well impose additional burdens on businesses and raise civil liberties concerns.

In considering legal penalties for misuse of cryptography, the question of what it means to "use" cryptography must be addressed. For example, if and when encryption capabilities are integrated seamlessly into applications and are invoked automatically without effort on the part of a user, should the use of these applications for criminal purposes lead to additional penalties or to a charge for an additional offense? Answering yes to this question provides another avenue for prosecuting a criminal (recall that Al Capone was convicted for income tax evasion rather than bank robbery). Answering no leaves open the possibility of prosecutorial abuse. A second question is what counts as "cryptography." As noted above in the discussion of prohibiting unescrowed encryption, a number of mathematical coding schemes can serve to obscure the meaning of plaintext even if they are not encryption schemes in the technical sense of the word. These and related questions must be addressed in any serious consideration of the option for criminalizing the use of cryptography in the commission of a crime.

7.2.3 Technical Non-Escrow Approaches for Obtaining Access to Information

Escrowed encryption is not the only means by which law enforcement can gain access to encrypted data.
For example, as advised by Department of Justice guidelines for searching and seizing computers, law enforcement officials can approach the software vendor or the Justice Department computer crime laboratory for assistance in cryptanalyzing encrypted files. These guidelines also advise that "clues to the password [may be found] in the other evidence seized -- stray notes on hardware or desks; scribble in the margins of manuals or on the jackets of disks. Agents should consider whether the suspect or someone else will provide the password if requested."(27) Moreover, product designs intended to facilitate exceptional access can include alternatives with different strengths and weaknesses such as link encryption, weak encryption, hidden back doors, and translucent cryptography.

Link Encryption

With link encryption, which applies only to communications and stands in contrast to end-to-end encryption (Box 7.4), a plaintext message enters a communications link, is encrypted for transmission through the link, and is decrypted upon exiting the link. In a communication that may involve many links, sensitive information can be found in plaintext form at the ends of each link (but not during transit). Thus, for purposes of protecting sensitive information on an open network accessible to anyone (the Internet is a good example), link encryption is more vulnerable than end-to-end encryption, which protects sensitive information from the moment it leaves party A to the moment it arrives at party B. However, from the standpoint of law enforcement, link encryption facilitates legally authorized intercepts, because the traffic of interest can always be obtained from one of the nodes in which the traffic is unencrypted.

On a relatively closed network or one that is used to transmit data securely and without direct user action, link encryption may be cost-effective and desirable.
A good example is encryption of the wireless radio link between a GSM cellular telephone and its ground station; the cellular handset encrypts the voice signal and transmits it to the ground station, at which point it is decrypted and fed into the land-based network. Thus, the land-based network carries only unencrypted voice traffic, even though it was transmitted by an encrypted cellular telephone. A second example is the "bulk" encryption of multiple channels -- each individually unencrypted -- over a multiplexed fiber-optic link. In both of these instances of link encryption, only those with access to carrier facilities -- presumably law enforcement officials acting under proper legal authorization -- would have the opportunity to tap such traffic.

Weak Encryption

Weak encryption allowing exceptional access would have to be strong enough to resist brute-force attack by unauthorized parties (e.g., business competitors) but weak enough to be cracked by authorized parties (e.g., law enforcement agencies). However, "weak" encryption is a moving target. The difference between cracking strong and weak encryption by brute-force attack is the level of computational resources that can be brought to such an attack, and those resources are ever increasing. In fact, the cost of brute-force attacks on cryptography drops exponentially over time, in accordance with Moore's law.(28) Widely available technologies now enable multiple distributed workstations to work collectively on a computational problem at the behest of only a few people; Box 4.6 in Chapter 4 discusses the brute-force cryptanalysis of messages encrypted with the 40-bit RC4 algorithm, and it is not clear that the computational resources of unauthorized parties can be limited in any meaningful way.
In today's environment, unauthorized parties will almost always be able to assemble the resources needed to mount successful brute-force attacks against weak cryptography, to the detriment of those using such cryptography. Thus, any technical dividing line between authorized and unauthorized decryption would change rather quickly.

Hidden Back Doors

A "back door" is an entry point to an application that permits access or use by other than the normal or usual means. Obviously, a back door known to government can be used to obtain exceptional access. Back doors may be open or hidden. An open back-door is one whose existence is announced publicly; an example is an escrowed encryption system, which everyone knows is designed to allow exceptional access.(29) By its nature, an open back-door is explicit; it must be deliberately and intentionally created by a designer or implementer.

A hidden back-door is one whose existence is not widely known, at least upon initial deployment. It can be created deliberately (e.g., by a designer who insists on retaining access to a system that he may have created) or accidentally (e.g., as the result of a design flaw). Often, a user wishing access through a deliberately created hidden back-door must pass through special system-provided authorization services. Almost by definition, an accidentally created hidden back-door requires no special authorization for its exploitation, although finding it may require special knowledge. In either case, the existence of hidden back-doors may or may not be documented; frequently, it is not.

Particularly harmful hidden back-doors can appear when "secure" applications are implemented using insecure operating systems; more generally, "secure" applications layered on top of insecure systems may not be secure in practice.
Cryptographic algorithms implemented on weak operating systems present another large class of back doors that can be used to undermine the integrity and the confidentiality that cryptographic implementations are intended to provide. For example, a database application that provides strong access control and requires authorization for access to its data files but is implemented on an operating system that allows users to view those files without going through the database application does not provide strong confidentiality. Such an application may well have its data files encrypted for confidentiality.

The existence of back doors can pose high-level risks. The shutdown or malfunction of life-critical systems, loss of financial stability in electronic commerce, and compromise of private information in database systems can all have serious consequences. Even if back doors are undocumented, they can be discovered and misused by insiders or outsiders. Reliance on "security by obscurity" is always dangerous, because trying to suppress knowledge of a design fault is generally very difficult. If a back door exists, it will eventually be discovered, and its discoverer can post that knowledge worldwide. If systems containing a discovered back door were on the Internet or were accessible by modem, massive exploitation could occur almost instantaneously, worldwide. If back doors lack a capability for adequate authentication and accountability, then it can be very difficult to detect exploitation and to identify the culprit.

Translucent Cryptography

Translucent cryptography has been proposed by Ronald Rivest as an alternative to escrowed encryption.(30) The proposed technical scheme, which involves no escrow of unit keys, would ensure that any given message or file could be decrypted by the government with probability p; the value of p (0