|The Case for Clipper (Clipper Chip offers escrowed encryption)|
|by Dorothy E. Denning, MIT's Technology Review (07/1995)|
|THE U.S. GOVERNMENT
HAS LAUNCHED A PROGRAM TO EXPAND SECURITY AND PRIVACY PROTECTION FOR ELECTRONIC
COMMUNICATIONS WHILE PRESERVING THE GOVERNMENT'S ABILITY TO CONDUCT AUTHORIZED
WIRETAPS. DESPITE ATTACKS FROM CIVIL LIBERTARIANS, THE APPROACH IS THE BEST
WAY TO BALANCE INDIVIDUAL PRIVACY WITH THE SOCIAL GOOD.
Imagine you are the program manager for a new, energy-efficient airplane. You fax the design plans to the manager of an overseas plant that will manufacture parts of the plane. You also discuss the design by phone with engineers in the plant. A few months later, your company loses a bid for a fleet of planes to an overseas competitor who proposed a nearly identical design. The rival stole your plans by intercepting your voice and fax communications.
Fortunately, electronic communication can be protected against such industrial espionage with encryption - scrambling of data in such a manner that they are unintelligible to anyone other than the intended receiver. In today's digital world, communications are first converted into ones and zeroes. An encryption algorithm mathematically transforms these bits into a stream of digits that seems random. Performing the transformation requires a secret key - which is also a random-seeming string of ones and zeroes; the receiver uses this key to decrypt and recover the original message. The more digits there are in this key, the more secure the protection; each additional bit doubles the number of possible combinations that a would be snooper must try.
Encryption has been used in the United States primarily to protect classified state and military secrets from foreign governments. However, its use outside the government has been steadily increasing ever since the Data Encryption Standard (DES) was adopted as a federal standard in 1977. DES, which is based on a 56-bit key, is now used extensively by the banking industry to protect money transfers and by some corporations to protect sensitive communications transmitted through company networks or the telephone system. As individuals and companies swarm onto the Internet, they are also beginning to encrypt electronic mail and computer files.
But encryption is a dual-edged sword. The spread of high-quality encryption could undermine the value of wiretaps - a technology that has helped ensnare organized crime figures and other menaces to society. With the government essentially locked out, computers and telecommunications systems would become safe havens for outlaws and terrorists. In one recent child pornography case in California, evidence was concealed in encrypted computer files that could not be broken.
Encryption also could interfere with U.S. intelligence abroad, because it could allow a country like Iraq to operate behind a wall of electronic secrecy. Encryption technology is therefore subject to export controls: products that incorporate DES or other strong encryption methods cannot generally be exported. This has been a sore point with U.S. industry, which has argued that since DES-based products are manufactured overseas also, the controls have succeeded only in putting U.S. industry at a disadvantage. However, even though export controls have not prevented DES and other methods of encryption from being implemented elsewhere, the controls have protected valuable and fragile intelligence capabilities.
Encryption poses a threat to organizations and individuals, too. For effective secrecy, a minimal number of people should be allowed to know the encryption key. This practice invites disaster, though, as valuable information stored in encrypted files could become inaccessible if the key were accidentally lost or corrupted, intentionally destroyed, or maybe even held for ransom by a disgruntled employee or former employee. Encryption also could enable an employee to transmit corporate secrets to a competitor or to cover up fraud, embezzlement, and other illegal activity.
Despite such problems, almost everyone agrees that individuals and organizations need access to encryption technology. With the spread of computer networks, people are conducting more and more of their personal and business affairs through computer and telephone networks. Encryption is essential for erecting a wall of privacy around those communications.
To resolve the encryption dilemma, the Clinton administration in 1993 proposed a new approach, called "key-escrow" encryption. The idea is to make broadly available an essentially unbreakable encryption scheme. The catch: to allow for emergency access to information, the keys to unlock the keys to unlock the encrypted data would be held by the U.S. government.
The idea is to allow the most secure encryption, but with a built-in emergency decryption capability that allows authorized officials, with the cooperation of one or more trusted parties who hold keys, to decrypt data. The initial embodiment of this system is a microelectronic device called the Clipper chip, and its escrow agents are the National Institute of Standards and Technology (NIST) and the Department of Treasury's Automated Systems Division. In principle, commercial organizations also could serve as escrow agents.
The Clipper chip uses an encryption algorithm called Skipjack and keys of 80 bits - 24 bits longer than DES keys. The extra 24 bits provides 2(24) or about 16 million times the security against trial-and-error guesses at keys. The Skipjack algorithm was designed by the National Security Agency (NSA) and is classified.
Some civil libertarians have adamantly opposed this plan, worrying that the key escrow system will put the communications of honest persons needlessly at risk. After all, they argue, criminals are not going to be dumb enough to use an encryption scheme to which the government holds the keys. The logical next step, they say, would be to outlaw other methods of encryption, striking a blow at citizens' right to communicate away from the government's eyes and ears. Thus, critics argue, Clipper heralds future erosions in privacy rights - Big Brother on a chip.
Actually, Clipper represents a more secure approach to encryption than the two other avenues that the government has considered. One approach would use an encryption method with short enough keys that it becomes practical for any eavesdropper to guess a key by trying all possibilities. The other would use long keys, but have a built-in "trapdoor" allowing someone familiar with the system to find the key. The problem with this approach is that someone else might discover the trapdoor. Clipper avoids these weaker methods, offering a high-security solution to the encryption dilemma.
HOLDING KEYS IN ESCROW
The specifications for Clipper were adopted last year as the Escrowed Encryption Standard for use with sensitive but unclassified telephone communications, including voice, fax, and data. The EES standard is voluntary; nongovernment agencies have no obligation to use it, and government agencies can choose between it and any other encryption standard, such as DES. With the U.S. government holding the keys, EES poses no threat to foreign intelligence operations and thus EES-based encryption products can be exported.
The first product to use the Clipper chip is a device that plugs into a standard phone between the handset and the base unit. Manufactured by AT&T, the device can encrypt any conversation as long as the party at the other end has a compatible device. After a call is established in the usual way, one party presses a button on the device to activate its "secure mode." The two devices then enter into a digital, behind-the-scenes conversation to establish a "session key" that is unique to the conversation. Each device passes this 80-bit session key to its Clipper chip; the Clipper uses this key to encrypt outgoing communications and decrypt incoming communications. Before encrypting any data, however, the chip computes and transmits a string of bits called the law enforcement access field (LEAF). The LEAF contains the session key for the conversation and is what enables authorized government officials to decrypt the data.
To protect the session key in the LEAF, it is itself encrypted. Each Clipper chip has a unique identifier (ID) and associated "device-unique key." The device-unique key is split into two components, each of which is given to a separate escrow agent. Using this device-unique key, the Clipper chip encrypts the session key. The encrypted session key is then put into the LEAF along with the chip ID. The entire LEAF is further encrypted under a common "family key" so that even the chip ID is not transmitted in the clear. These two layers of encryption provide a strong shield against an eavesdropper learning the session key and then decrypting the data.
Users of Clipper don't need to be aware of any of these details; they simply use their phones as always. The complexity surfaces when a law enforcement official encounters encrypted communications on a tapped phone line. First, the communications must be passed through a special device, known as a decrypt processor, to ascertain if they are Clipper communications. If they are, the processor locates and decrypts the LEAF, and then extracts the chip ID. (Because the same session key is used to encrypt both ends of the conversation, it is not necessary to obtain the chip ID for both parties.)
But knowledge of this chip ID alone will not allow the wiretap to be deciphered. What is needed are the two components of the device-unique key associated with this ID - and this information is what is held by the two key escrow agents. So the law enforcement officials, having obtained this ID, must request these components from the escrow agents. These key components are then entered into the decrypt processor, which combines them to form the device-unique key. This device-unique key, in turn, is used to decrypt the session key in the LEAF. Knowledge of this session key enables the conversation to be decrypted. If subsequent conversations on the intercepted line are encrypted, the decrypt processor can decrypt the session key directly, without going through the two escrow agents. This allows for real-time decryption.
Critics maintain that the very idea of a key escrow system raises the risk that encrypted messages will be decoded by the wrong people. Without proper safeguards, an intruder might break into a computer containing escrowed keys, download the keys, and use the keys to decrypt communications intercepted illegally. Alternatively, a corrupt employee of an escrow agent might use the keys to engage in illegal wiretapping or sell the keys to a foreign government or to the mafia.
Clipper's key escrow system is being developed with extensive controls to protect against such threats. One fundamental safeguard is key secrecy. Keys and key components are generated in computers and are never displayed or printed out in forms readable by humans. In addition, they are always stored and transmitted in encrypted form.
Physical security is used extensively to protect sensitive material. The computer workstations at NIST and the Department of Treasury that are used for key escrow functions are used for nothing else and are kept in secured facilities. The chips are programmed with their IDs and device-unique keys in a vault designed for handling classified information.
As the Clipper system develops, keys are stored on floppy disks in double-locked safes and carried manually, wrapped in tamper-detecting packages, from the facility where the chips are programmed to the escrow agents and from the escrow agents to the law enforcement facility that is tapping the call. Ultimately, the keys will be transmitted electronically - in encrypted form - between the chip-programming facility and escrow-agent workstations, and between those workstations and the law-enforcement decrypt processors. Separation of duties limits the power of a single person or agency. Different organizations operate the chip-programming facility (so far, Mykotronx Inc. of Torrance, Calif., runs the only one), the key escrow services (NIST and the Department of the Treasury), and the decrypt processors (law enforcement agencies). Escrow officers are not allowed to program the chips, operate a decrypt processor, or even have a decrypt processor in their possession. Law-enforcement officers have access to a decrypt processor but not to keys (keys cannot be extracted from a decrypt processor). Escrow officers will attach a "self-destruct" date, corresponding to the end of the period of authorized surveillance, to keys transmitted to a decrypt processor. This measure precludes the use of keys after a wiretap order expires.
To limit the power of a single individual to abuse the system, the key escrow system requires that at least two people be present whenever a critical function is performed or when sensitive data might be exposed. In fact, because each chip's device-unique key is split into two components, and each component is held by a separate key escrow agent, it is not possible for one person to act independently. Neither component by itself reveals any information about the key; to reconstruct and use the key, both escrow agents must supply their parts. Further, within each escrow agency, it takes two escrow officers to unlock the safes that contain the key components. Similar two-person control systems have worked successfully in the military to control nuclear-launch codes and in the banking world.
Detailed procedures govern all operations that involve escrowed keys, including generation of the keys, programming of the chips, storage and release of escrowed keys, and government decryption. For example, a request for escrowed key components must include certification that the official is authorized to conduct the wiretap (normally established by a court order). All operations that involve the generation, release, or use of escrowed keys are logged. From the logs, it should be possible to determine that keys are used only as authorized, and only to decrypt communications intercepted during a period of authorized surveillance.
The key escrow system is undergoing independent validation and verification. In addition to paid contractors, four individuals, including myself, have been voluntarily reviewing the system as an extension of our earlier review of the Skipjack algorithm, on which Clipper is based. Based on what I have seen so far of the design, I conclude that there is no significant risk of an insider or outsider acquiring unauthorized access to keys.
As the Clipper system proves to be strong and resistant to abuse, the technology will, I believe, become more widely accepted. The Department of Defense already uses Capstone - a more advanced chip that is built into a PC card named Fortezza - to provide security for electronic mail. Fortezza offers an attractive option for secure electronic commerce: it contains a mechanism for electronically "signing" a digital document so that the recipient can verify the sender's identity. The American National Standards Institute (ANSI) is developing banking standards that could use Fortezza technology.
WHO DO YOU TRUST?
These safeguards have not eased everyone's mind. One big concern is that the Skipjack encryption algorithm on which Clipper is based is classified. Because Skipjack is not open to public review, some people have questioned whether NSA might have intentionally sabotaged the algorithm with a trapdoor that would allow the government to decode encrypted communications while bypassing the escrow agents.
Critics also worry that this secret algorithm might harbor a design flaw that would leave it vulnerable to cracking. Such concerns have a legitimate base. Designing strong encryption algorithms is a difficult task. The only way to make sure that an algorithm is any good is to let many people analyze it and try to crack it over an extended period of time; many encryption schemes that appeared strong when first proposed later succumbed to attack.
A noteworthy example is the RSA algorithm, named after Ronald Rivest, Adi Shamir, and Len Adleman, all of whom were at MIT when they invented it in 1977. Breaking RSA requires the solution of a difficult mathematical problem: given a large number, what are the prime numbers that must be multiplied together to yield that number? A very simple example, with a low number, would be to find the prime factors of 1,261; a few minutes with a pocket calculator, or a trivial computer program, will reveal the answer: 13 and 97. But as the number to be factored increases in length, this task seems to get exponentially more difficult. When the algorithm was first introduced, Rivest predicted that it would take a quadrillion years to factor a 125-digit number using the fastest factoring methods then known. But factoring methods have advanced rapidly, and in 1994 a 129-digit number was factored in 8 months through the use of some 1,600 computers scattered around the world. RSA still appears to be very strong for numbers that are 200 digits or more.
To address the concerns about weaknesses and trap-doors in Skipjack, the government invited outside experts to independently review the algorithm and report their findings. I participated in that review along with four other cryptographers in 1993. We examined NSA's internal design and evaluation of Skipjack and found them to be the same as used with algorithms that protect the country's most sensitive classified information. Skipjack underwent thorough evaluation over many years following its initial design in 1987, and the specific structures used in the algorithm have an even longer history of intense study. We also conducted some analysis and experiments of our own to determine if the algorithm had any properties that might make it susceptible to attack. Based on our analysis and experiments, we concluded that there was no significant risk that Skipjack contained a trapdoor or could be broken.
Although publication of Skipjack would enable more people to confirm its strength, NSA is unlikely to do so; declassifying Skipjack would benefit foreign adversaries and allow the algorithm to be used without the key escrow features. Even if Skipjack were made public, it would probably be years before skeptics would accept its strength. When DES was introduced in 1975, it was similarly distrusted because of some NSA involvement even though the algorithm was developed by IBM and made public.
Still, Clipper's use of a classified algorithm does limit its acceptability. There are many people who will never trust the NSA; for them, Clipper is tainted goods. In addition, many potential foreign buyers will not accept a classified algorithm or keys held by the U.S. government, although Mykotronx has reported that some potential foreign buyers are not concerned about these factors. Agreements might be reached that would allow some other governments to hold the keys or have access to the classified technology, but such agreements would likely be limited to a few countries.
Moreover, as long as the algorithm is supposed to remain secret, it must be implemented in tamper-resistant hardware. That's because there is no known way of hiding classified information in software. This precludes software implementations, which are generally cheaper. On the other hand, hardware generally provides greater security for keys and greater integrity for the algorithms than software, so some customers will want hardware products.
Although key escrow is voluntary, critics say that the introduction of Clipper points national policy in a disturbing direction. The main premise here is that the criminals that Clipper is meant to uncover would be unlikely to choose an encryption scheme to which the U.S. government holds the keys. Many forms of unescrowed encryption are already on the market, and more are being developed. One file encryption package, called Pretty Good Privacy (PGP), is spreading as free software through the Internet and becoming popular for encrypting e-mail. Unescrowed encryption with time-tested algorithms such as DES and RSA is also being integrated into commercial products. The only way to accomplish the goals of Clipper, skeptics therefore maintain, would be to ban unescrowed encryption systems - a prospect that enrages some defenders of electronic privacy.
But it is not self-evident that criminals will shun Clipper. Whether they use the escrowed encryption system will depend in part on what else is available - and in particular what other forms of encryption are built into the most widely used commercial products. While PGP has a certain grassroots appeal, many organizations will be reluctant to trust their assets to software obtained over the Internet.
Over time, market forces could easily favor escrowed encryption. Some organizations might choose to use Clipper because the high quality of its encryption outweighs the slight risk that information will fall into the wrong hands. Vendors might favor key escrow because they will be able to build it into products that are exported. And the government's adoption of escrowed encryption will set a de facto standard; any company that needs to exchange encrypted information with federal agencies will need to use compatible encryption. If escrowed encryption becomes a business standard, many criminals will tend to use it - the convenience will outweigh the risk.
Even if criminals do not use Clipper, the government's voluntary initiative serves a useful purpose. If the government instead promoted strong encryption without key escrow, this would accelerate the spread of encryption that the government could not decrypt and the use of such encryption by criminals. The government decided that it would not be responsible to use its own expertise and resources to pursue encryption standards that fundamentally subvert law enforcement and threaten public safety and national security.
The basic concept of key escrow does not necessarily depend on handing the keys to government agencies. Private-sector organizations - licensed and bonded - could serve as key escrow agents instead. Although nongovernment escrow agents are unlikely to provide any greater protection than government ones operating under the controls stipulated for the Clipper system, they could be more widely accepted by who are particularly concerned about government abuse. In addition, commercial escrow agents could make their services available to the private sector so that individuals and organizations could acquire their own keys for data recovery purposes. Clipper's key escrow system does not have this capability.
Some encryption products already have private key escrow capabilities whereby an organization can escrow its own keys. In addition, several companies and individuals have proposed commercial key escrow approaches, with third party agents. Some of these proposals, for example, one from Trusted Information Systems of Glenwood, Md., use software with unclassified algorithms. Commercial key escrow might achieve greater acceptability than Clipper and encourage the adoption of key escrow over unescrowed encryption. For that reason, the government has been working with industry to find alternatives to Clipper that might better meet the needs of industry and users.
For commercial key escrow to work, legislation may be required to deal with issues relating to liability and jurisdiction. What happens, for instance, if a state or local law enforcement agency needs keys held by an escrow agent located in another state? Normally, a warrant cannot be taken across state boundaries except during federal investigations.
Another important question surrounding commercial key escrow is whether such systems will be exportable. Companies that make encryption products would like to be able to manufacture a single product line for both domestic and international sales. Moreover, the opening of an export market would help expand the market for key escrow encryption - indirectly, at least, lowering the chances that criminals will use unescrowed encryption. So far, the U.S. government has not said whether it would permit the export of commercial key escrow or software-based systems. At issue is whether the government is assured that it will have a way to decrypt information when it deems it necessary to do so.
An exportable encryption scheme would also facilitate an international encryption standard - an important goal, given that organizations often need to communicate securely with customers, suppliers, and partners outside the United States. So far, no international encryption standard provides end-to-end protection of confidentiality. DES is used worldwide, especially by the financial industry, but mainly for authenticating financial transactions rather than shrouding messages in secrecy. Many countries around the world have adopted a system called Global System for Mobile to keep mobile radio communications secure. But GSM encrypts only the over-the-air link between a mobile phone and a base station. Communications that travel through wires and cables therefore remain vulnerable to interception.
Key escrow encryption offers the best hope for an international standard that would facilitate such international communications. In fact, an encryption method that does not provide a capability for government access is unlikely to be accepted as an international standard; other countries share the U.S. desire not to be left in the electronic lurch. Each country could designate its own escrow agents, which could be either government or commercial organizations. Users might have the option of choosing an escrow agent from this list. Bankers Trust has outlined a proposal for just such an approach. Like Clipper, the Bankers Trust system would use hardware for its greater security; unlike Clipper, however, the algorithm would be unclassified and therefore more suitable for commercial and international use.
WILL CLIPPER CATCH ON?
Much opposition to Clipper stems from the belief that the government has an insatiable and unsavory desire to gather information about its law-abiding citizens. Clipper, say critics, is a bad idea because it permits such activity. Despite the system's safeguards, some people are concerned that a future administration or corrupt police officer could obtain keys to conduct questionable if not outright illegal wiretaps.
At a forum held at MIT last September, professor Rivest argued that the fundamental question Clipper raises is: Should American citizens have the right to have communications and records that the government cannot access even when properly authorized? A case can be made that from a constitutional standpoint, no such absolute right exists. The Fourth Amendment specifically protects against unreasonable searches and seizures while allowing those conducted with a court order.
While abuse of the Clipper system cannot be ruled out, it is unlikely. Neither the public nor Congress has tolerated such activity in the past, and federal wiretap laws, government regulations and procedures, and congressional committees have been established to protect against their occurrence in the future. Wiretaps are conducted under tight controls and subject to considerable oversight. Clipper includes an additional layer of protection since anyone wishing to conduct a wiretap must also acquire a special decrypt processor and keys from the escrow agents.
The opposition to Clipper makes its widespread adoption by no means assured. But escrowed encryption offers the best hope for reaping the benefits of encryption while minimizing its potential harm. Rejection of key escrow would have profound implications for criminal justice. As computer networks continue to expand into every area of society and commerce, court-ordered wiretaps and seizures of records could become tools of the past, and the information superhighway a safe haven for criminal activity.