The Future of Cryptography
 
by Dorothy E. Denning, Internet Security Review (10/1995)

 
(Revised January 6, 1996)

A few years ago, the phrase crypto anarchy was coined to suggest the impending arrival of a Brave New World in which governments, as we know them, have crumbled, disappeared, and been replaced by virtual communities of individuals doing as they wish without interference. Proponents argue that crypto anarchy is the inevitable -- and highly desirable -- outcome of the release of public key cryptography into the world. With this technology, they say, it will be impossible for governments to control information, compile dossiers, conduct wiretaps, regulate economic arrangements, and even collect taxes. Individuals will be liberated from coercion by their physical neighbors and by governments. This view has been argued recently by Tim May [1].

Behind the anarchists' vision is a belief that a guarantee of absolute privacy and anonymous transactions would make for a civil society based on a libertarian free market. They ally themselves with Jefferson and Hayek who would be horrified at the suggestion that a society with no government control would be either civil or free. Adam Ferguson once said "Liberty or Freedom is not, as the origin of the name may seem to imply, an exemption from all restraints, but rather the most effectual applications of every just restraint to all members of a free society whether they be magistrates or subjects." Hayek opens The Fatal Conceit, The Errors of Socialism (The University of Chicago Press, 1988, ed. W.W. Bartley III) with Ferguson's quote.

Although May limply asserts that anarchy does not mean lawlessness and social disorder, the absence of government would lead to exactly these states of chaos.

I do not want to live in an anarchistic society -- if such could be called a society at all -- and I doubt many would. A growing number of people are attracted to the market liberalism envisioned by Jefferson, Hayek, and many others, but not to anarchy. Thus, the crypto anarchists' claims come close to asserting that the technology will take us to an outcome that most of us would not choose.


This is the claim that I want to address here. I do not accept crypto anarchy as the inevitable outcome. A new paradigm of cryptography, key escrow, is emerging and gaining acceptance in industry. Key escrow is a technology that offers tools that would assure no individual absolute privacy or untraceable anonymity in all transactions. I argue that this feature of the technology is what will allow individuals to choose a civil society over an anarchistic one. I will review this technology as well as what it will take to avoid crypto anarchy. First, however, I will review the benefits, limitations, and drawbacks of cryptography and current trends leading toward crypto anarchy.


Cryptography's Benefits, Limitations, and Drawbacks


The benefits of cryptography are well recognized. Encryption can protect communications and stored information from unauthorized access and disclosure. Other cryptographic techniques, including methods of authentication and digital signatures, can protect against spoofing and message forgeries. Practically everyone agrees that cryptography is an essential information security tool, and that it should be readily available to users. I take this as a starting assumption and, in this respect, have no disagreement with the crypto anarchists.


Less recognized are cryptography's limitations. Encryption is often oversold as the solution to all security problems or to threats that it does not address. For example, the headline of Jim Warren's op-ed piece in the San Jose Mercury News reads "Encryption could stop computer crackers" [2]. Unfortunately, encryption offers no such aegis. Encryption does nothing to protect against many common methods of attack including those that exploit bad default settings or vulnerabilities in network protocols or software -- even encryption software. In general, methods other than encryption are needed to keep out intruders. Secure Computing Corporation's Sidewinder[TM] system defuses the forty-two "bombs" (security vulnerabilities) in Cheswick and Bellovin's book, Firewalls and Network Security (Addison Wesley, 1994), without making use of any encryption [3].


Moreover, the protection provided by encryption can be illusory. If the system where the encryption is performed can be penetrated, then the intruder may be able to access plaintext directly from stored files or the contents of memory or modify network protocols, application software, or encryption programs in order to get access to keys or plaintext data or to subvert the encryption process. For example, PGP (Pretty Good Privacy) could be replaced with a Trojan horse that appears to behave like PGP but creates a secret file of the user's keys for later transmission to the program's owner much like a Trojan horse login program collects passwords. A recent penetration study of 8932 computers by the Defense Information Systems Agency showed 88% of the computers could be successfully attacked. Using PGP to encrypt data transmitted from or stored on the average system could be like putting the strongest possible lock on the back door of a building while leaving the front door wide open. Information security requires much more than just encryption -- authentication, configuration management, good design, access controls, firewalls, auditing, security practices, and security awareness training are a few of the other techniques needed.


The drawbacks of cryptography are frequently overlooked as well. The widespread availability of unbreakable encryption coupled with anonymous services could lead to a situation where practically all communications are immune from lawful interception (wiretaps) and documents from lawful search and seizure, and where all electronic transactions are beyond the reach of any government regulation or oversight. The consequences of this to public safety and social and economic stability could be devastating. With the government essentially locked out, computers and telecommunications systems would become safe havens for criminal activity. Even May himself acknowledges that crypto anarchy provides a means for tax evasion, money laundering, espionage (with digital dead drops), contract killings, and implementation of data havens for storing and marketing illegal or controversial material. Encryption also threatens national security by interfering with foreign intelligence operations. The United States, along with many other countries, imposes export controls on encryption technology to lessen this threat.


Cryptography poses a threat to organizations and individuals too. With encryption, an employee of a company can sell proprietary electronic information to a competitor without the need to photocopy and handle physical documents. Electronic information can be bought and sold on "black networks" such as Black-Net [1] with complete secrecy and anonymity -- a safe harbor for engaging in both corporate and government espionage. The keys that unlock a corporation's files may be lost, corrupted, or held hostage for ransom, thus rendering valuable information inaccessible.


When considering the threats posed by cryptography, it is important to recognize that only the use of encryption for confidentiality, including anonymity, presents a problem. The use of cryptography for data integrity and authentication, including digital signatures, is not a threat. Indeed, by strengthening the integrity of evidence and binding it to its source, cryptographic tools for authentication are a forensic aid to criminal investigations. They also help enforce accountability. Because different cryptographic methods can be employed for confidentiality and authentication, any safeguards that might be placed on encryption to counter the threats need not affect authentication mechanisms or system protocols that rely on authentication to protect against system intrusions, forgeries, and substitution of malicious code.


The Drift Toward Crypto Anarchy


Crypto anarchy can be viewed as the proliferation of cryptography that provides the benefits of confidentiality protection but does nothing about its harms. It is government-proof encryption which denies access to the government even under a court order or other legal order. It has no safeguards to protect users and their organizations from accidents and abuse. It is like an automobile with no brakes, no seat belts, no pollution controls, no license plate, and no way of getting in after you've locked your keys in the car.


The crypto anarchist position is that cyberspace is on a non-stop drift toward crypto anarchy. Powerful encryption algorithms, including the Data Encryption Standard (DES), triple-DES, RSA, and IDEA are readily available at no charge through Internet servers as stand-alone programs or as part of packages providing file or electronic mail encryption and digital signatures. Among these, PGP, which uses RSA and IDEA for encrypting files and electronic mail messages, has become particularly popular. Software that will turn an ordinary PC into a secure phone is posted on the Internet for free downloading. These systems have no mechanisms for accommodating authorized government decryption. Export controls have little effect as the programs can be posted in countries that have no such controls.


In addition to the free encryption programs being distributed on the net, encryption is becoming a basic service integrated into commercial applications packages and network products. The IP Security Working Group of the Internet Engineering Task Force has written a document that calls for all compliant IPv6 (Internet Protocol, version 6) implementations to incorporate DES cryptography.


Anonymous remailers, which allow users to send or post messages without disclosing their identity or host system, have also become popular on the Internet. May reports that there are about 20 cypherpunk-style remailers on the Internet, with more being added monthly. These remailers allow unlimited nesting of remailing, with PGP encryption at each nesting level. Anonymous digital cash, which would provide untraceability of electronic payments, is on the horizon.


The potential harms of cryptography have already begun to appear. As the result of interviews I conducted in May, 1995, I found numerous cases where investigative agencies had encountered encrypted communications and computer files. These cases involved child pornography, customs violations, drugs, espionage, embezzlement, murder, obstruction of justice, tax protestors, and terrorism. At the International Cryptography Institute held in Washington in September, 1995, FBI Director Louis Freeh reported that encryption had been encountered in a terrorism investigation in the Philippines involving an alleged plot to assassinate Pope John Paul II and bomb a U.S. airliner [4].


AccessData Corp., a company in Orem, Utah which specializes in providing software and services to help law enforcement agencies and companies recover data that has been locked out through encryption, reports receiving about a dozen and a half calls a day from companies with inaccessible data. About one-half dozen of these calls result from disgruntled employees who left under extreme situations and refused to cooperate in any transitional stage by leaving necessary keys (typically in the form of passwords). Another half dozen result from employees who died or left on good terms, but simply forgot to leave their keys. The third half dozen result from loss of keys by current employees.


The Emergence of Key Escrow as an Alternative


The benefits of strong cryptography can be realized without following the crypto anarchy path to social disorder. One promising alternative is key escrow encryption, also called escrowed encryption [5]. The idea is to combine strong encryption with an emergency decryption capability. This is accomplished by linking encrypted data to a data recovery key which facilitates decryption. This key need not be (and typically is not) the one used for normal decryption, but it must provide access to that key. The data recovery key is held by a trusted fiduciary, which could conceivably be a governmental agency, court, or trusted and bonded private organization. A key might be split among several such agencies. Organizations registered with an escrow agent can acquire their own keys for emergency decryption. An investigative or intelligence agency seeking access to communications or stored files makes application through appropriate procedures (which normally includes getting a court order) and, upon compliance, is issued the key. Legitimate privacy interests are protected through access procedures, auditing, and other safeguards.


In April, 1993, as response to a rising need for and use of encryption products, the Clinton Administration announced a new initiative to promote encryption in a way that would not prohibit lawful decryption when investigative agencies are authorized to intercept communications or search computer files [6]. Government agencies were directed to develop a comprehensive encryption policy that would accommodate the privacy and security needs of citizens and businesses, the ability of authorized government officials to access communications and data under proper court or other legal order, the effective and timely use of modern technology to build the National Information Infrastructure, and the need of U.S. companies to manufacture and export high technology products. The goal was not to prevent citizens from having access to encryption or "to stigmatize cryptography as something only criminals would use" [7]. As part of this encryption initiative, the government developed an escrowed encryption chip called the Clipper Chip.


Each Clipper Chip has a unique key that is programmed onto the chip and used to recover data encrypted by that chip. This key is split into two components, and the two components are held by two separate government agencies: the National Institute of Standards and Technology and the Department of Treasury Automated Systems Division. Clipper's data encryption algorithm, Skipjack, is a classified algorithm designed by the National Security Agency [8]. It has a key size of 80 bits. The general specifications for the Clipper Chip were adopted in February, 1994, as the Escrowed Encryption Standard (EES) [9], which is a voluntary government standard for telephone communications, including voice, fax, and data. Implementations of the EES are required to use tamper-resistant hardware in order to protect the classified algorithms. The chip and associated key escrow system have been designed with extensive safeguards, including two person control and auditing, to protect against any unauthorized use of keys [10]. Clipper's key escrow system does not provide user data recovery services.


The National Security Agency also designed a more advanced chip called Capstone as part of the Multilevel Information System Security Initiative (MISSI). Capstone implements the EES plus algorithms for the Digital Signature Standard (DSS) and for establishing session keys. It has been embedded in the Fortezza card (a PCMCIA card) where it is used to provide the cryptographic services needed for communications and file security. The private keys used for key establishment and digital signatures, which are stored on the Fortezza card, are not stored in Clipper's key escrow system. They are, however, escrowed with the user's public-key certificate authority so that they can be recovered in case the card becomes corrupted. This allows encrypted files and previously received electronic mail messages to be read. Fortezza cards are available with or without a modem capability. The modem cards allow encryption and decryption to be performed as part of the communications protocols or as independent service calls (e.g., for encrypting the content of an e-mail message or file).


The government has not been alone in its pursuit of key escrow technology. Some type of key escrow is a feature or option of several commercial products including Fisher Watchdog®, Nortel's Entrust, PC Security Stoplock KE, RSA Secure[TM], and TECSEC Veil[TM]. Escrowing is done within the user's organization and serves primarily to protect against data loss.


Several companies have proposed designs for commercial key escrow systems where the escrow agents could be trusted third parties that provide emergency decryption services for both registered users and authorized government officials. Such escrow agents might be licensed, with licenses granted to organizations demonstrating the capability to administer key escrow encryption and safeguard keys and other sensitive information. Some of the proposed systems have been designed with the objective of being suitable for international use.


One such example is a proposal from Bankers Trust for an international commercial key escrow system for secure communications [11]. Their proposal uses a combination of hardware and software, unclassified algorithms, and public-key cryptography for key establishment and key escrow functions. Each user has a trusted encryption device, a public-private signature key pair, and a public-private encryption key pair that is used for establishing session keys and for data recovery. The private encryption keys are escrowed through a device registration process, and may be split among several escrow agents.


Trusted Information Systems (TIS) has proposed a commercial software key escrow system intended primarily for file encryption [12]. A commercial entity serves as a key escrow agent and operates a data recovery center. To use the services of a particular center, a user must register with the center. Emergency decryption is possible through a key that is private to the center. The key is not released to users or the government; instead, the center participates in the decryption of each file that is encrypted under a distinct file encryption key. TIS would franchise their data recovery centers to interested organizations. National Semiconductor and TIS have jointly proposed Commercial Automated Key Escrow (CAKE), which combines a CAKE-enabled PersonaCard[TM] token (National's PCMCIA cryptographic card) with a TIS data recovery center [13]. The goal is an exportable, strong encryption alternative using accepted public encryption algorithms such as DES, triple DES, and RSA.


Under current U.S. export regulations, encryption products with key lengths greater than 40 bits are not generally exportable when used for confidentiality protection. One of the attractions of key escrow encryption is that by providing a mechanism for authorized government decryption, it can enable the export of products with strong encryption. For example, Clipper/Capstone devices are generally exportable, even though the encryption algorithm is strong and uses 80-bit keys. Commercial key escrow approaches that use some form of hardware token are good candidates for export as they can provide reasonable protection against modifications to bypass the key escrow functions. The Bankers Trust and National/TIS proposals take that approach. Fortress U & T, Ltd. also has proposed a token-based approach to key escrow [14].


Hardware encryption generally offers greater security than software. Nevertheless, there is a large market for software encryption. On August 17, 1995, the Clinton Administration announced a proposal to allow ready export of software encryption products with key lengths up to 64 bits when combined with an acceptable key escrow capability. This policy would allow export of DES, for example, which uses 56-bit keys, but not triple DES. Keys would be held by government-approved trusted parties within the private sector, where they would support both user data recovery and legitimate government decryption. The proposal, which is still undergoing refinement as of December, is expected to be implemented in early 1996.


Key escrow encryption has been a topic of growing interest in the research community. Most of this work is reviewed in [5]. Silvio Micali's proposal for "fair cryptosystems" [15] has influenced several designs including the Bankers Trust proposal. Karlsruhe University's TESS system uses smart cards for user keys which are escrowed [16]. A proposal from Royal Holloway integrates escrow with the trusted third parties that serve as certificate authorities [17].


Some type of escrow facility might be used to control anonymity services as well as encryption. For example, escrow could be used with digital cash and anonymous remailers to ensure traceability when there is a court order or other legal authorization for information about the originator of a transaction. Ernie Brickell, Peter Gemmell, and David Kravitz propose a system for electronic cash that would incorporate trustee-based tracing in an otherwise anonymous cash system [18].


Alternatives to Key Escrow


Key escrow is not the only way of accommodating authorized government access. Another approach is weak encryption. The data encryption keys are short enough that a key can be determined by trying all possibilities. From the user's perspective, key escrow encryption has an advantage over weak encryption of allowing the use of strong encryption algorithms that are not vulnerable to attack. However, for applications where such a high level of security is not needed, weak encryption offers a less costly alternative. A disadvantage of weak encryption (unless it is extremely weak) from a law enforcement perspective is that it can preclude real-time decryption in an emergency situation (e.g., kidnaping).


A third approach is link encryption. Communications are encrypted between network nodes but not across nodes. Thus, plaintext communications can be accessed in the network switching nodes. One major advantage of link encryption is that it allows someone with a cellular phone to protect the over-the-air connection into the phone system without requiring that the other party have a compatible encryption device or, indeed, use any encryption at all. Global System for Mobile (GSM), a world-wide standard for mobile radio telecommunications, encrypts communications transmitted over the radio link, but they are decrypted before being transmitted through the rest of the network. The disadvantage of link encryption is that plaintext data are exposed in, potentially, many intermediate nodes. By contrast, key escrow encryption can support secure end-to-end encryption.

Crypto Anarchy is Not Inevitable


In the United States, there are no restrictions on the import, manufacture, or use of cryptographic products (except that government agencies are required to use government standards). The question is: Are such controls needed or will voluntary key escrow, combined with weak encryption and link encryption where appropriate, be sufficient to avoid crypto anarchy?


Several factors will facilitate the adoption of key escrow. Because key escrow products will be exportable, under appropriate conditions, vendors will have a strong incentive to adopt key escrow, as it will enable them to integrate strong cryptography into a single product line for both domestic and international sales. Currently, vendors must either install weak cryptography, which does not meet the needs of many customers, or develop two sets of products, which greatly increases costs and prohibits interoperability between domestic and foreign customers. Users will have an incentive to purchase key escrow products, because such products will protect them against lost or damaged keys. The government's own commitment to key escrow will ensure a large market for escrowed encryption products. As the market develops, many users will choose key escrow products in order to communicate with those using such products. Concern over the social consequences of crypto anarchy will also motivate some people to develop or use key escrow products. Finally, the adoption of key escrow might be facilitated by legislation that would specify the qualifications, responsibilities, and liabilities of government-approved escrow agents. This legislation could define unlawful acts relating to the compromise or abuse of escrowed keys (e.g., deliberately releasing a key to someone who is not authorized to receive it). Such legislation could ensure that at least approved escrow agents satisfy the requirements of users and the government. It also could allay the privacy concerns of those using approved escrow agents.


International interest is key escrow will also contribute to its success. There is growing recognition on the part of governments and businesses worldwide of the potential of key escrow to meet the needs of both users and law enforcement. In addition to providing confidentiality and emergency backup decryption, escrowed encryption is seen as a way of overcoming export restrictions, common to many countries, which have limited the international availability of strong encryption in order to protect national security interests. With key escrow, strong exportable cryptography can be standardized and made available internationally to support the information security needs of international business. Key escrow could be a service provided by trusted parties that manage the public-key infrastructure and issue X.509 certificates. Some products and proposals for key escrow use this approach


At a meeting sponsored by the Organization for Economic Development (OECD) and the International Chamber of Commerce (ICC) in December, 1995 in Paris, representatives from the international business community and member governments agreed to work together to develop encryption policy guidelines based on agreed upon principles that accommodate their mutual interests. The INFOSEC Business Advisory Group (IBAG) issued a statement of seventeen principles that they believe can form the basis of a detailed agreement [19]. IBAG is an association of associations (mostly European) representing the information security interests of users.


The IBAG principles acknowledge the right of businesses and individuals to protect their information and the right of law-abiding governments to intercept and lawfully seize information when there is no practical alternative. Businesses and individuals would lodge keys with trusted parties who would be liable for any loss or damage resulting from compromise or misuse of those keys. The trusted parties could be independently accredited entities or accredited entities within a company. The keys would be available to businesses and individuals on proof of ownership and to governments and law enforcement agencies under due process of law and for a limited time frame. The process of obtaining and using keys would be auditable. Governments would be responsible for ensuring that international agreements would allow access to keys held outside national jurisdiction. The principles call for industry to develop open voluntary, consensus, international standards and for governments, businesses, and individuals to work together to define the requirements for those standards. The standards would allow choices about algorithm, mode of operation, key length, and implementation in hardware or software. Products conforming to the standards would not be subject to restrictions on import or use and would be generally exportable.


EUROBIT (European Association of Manufacturers of Business Machines and Information Technology Industry), ITAC (Information Technology Industry Association of Canada), ITI (Information Technology Industry Council, U.S.), and JEIDA (Japan Electronic Industry Development Association) also issued a statement of principles for global cryptography policy at the OECD meeting [20]. The quadripartite group accounts for more than 90% of the worldwide revenue in information technology. Acknowledging the needs of both users and governments, their principles call for harmonization of national cryptography policies and industry-led international standards.


It is conceivable that domestic and international efforts will be sufficient to avoid crypto anarchy, particularly with support from the international business community. However, it is possible that they will not be enough. Many companies are developing products with strong encryption that do not accommodate government access, standards groups are adopting non-key escrow standards, and software encryption packages such as PGP are rapidly proliferating on the Internet, which is due, in part, to the crypto anarchists whose goal is to lock out the government. Since key escrow adds to the development and operation costs of encryption products, the price advantage of unescrowed encryption products could also be a factor which might undermine the success of a completely voluntary approach. If escrow is integrated into the public-key infrastructure, however, cost might not be a significant factor.


Considering the explosive growth of telecommunications and the encryption market, it will be necessary to closely watch the impact of encryption on law enforcement. If government-proof encryption begins to seriously undermine the ability of law enforcement agencies to carry out their missions and fight organized crime and terrorism, then legislative controls over encryption technology may be desirable. One possibility would be to license encryption products but not their use. Licenses could be granted only for products that reasonably satisfy law enforcement and national security requirements for emergency decryption and provide privacy protections for users. The exact requirements might be those that evolve from the current efforts of the OECD and international business community to develop common principles and standards. The manufacture, distribution, import, and export of unlicensed encryption products would be illegal, but no particular method of encryption would be mandated. Individuals would be allowed to develop their own encryption systems for personal or educational use without obtaining licenses, though they could not distribute them to others. France and Russia have adopted licensing programs, though of a somewhat different nature. Both countries require licenses to use encryption.


Under this licensing program, commercial encryption products, including programs distributed through public network servers, would comply with government regulations. These products would not support absolute privacy or completely anonymous transactions. Mainstream applications would assure accountability and protect societal and organizational interests. Although non-compliant products might be distributed through underground servers and bulletin boards, such products would not interoperate with licensed ones, so their use would be limited.


Such an approach would not prevent the use of government-proof encryption products by criminals and terrorists. They could develop their own or acquire the products illegally. But an approach of this type would make it considerably more difficult than it is at present. Had such controls been adopted several years ago -- before programs such as DES and PGP were posted on the Internet -- the encryption products on the market today would support key escrow or some other method for government access. It would not be possible to acquire strong, government-proof encryption from reputable vendors or network file servers. The encryption products available through underground servers and the black market would most likely not possess as high a quality as products developed through the legitimate market. Underground products could have security vulnerabilities or be less user friendly. They would not be integrated into standard applications or network software.


Summary


Crypto anarchy is an international threat which has been stimulated by international communications systems including telephones and the Internet. Addressing this threat requires an international approach that provides for both secure international communications crossing national boundaries and electronic surveillance by governments of criminal and terrorist activity taking place within their jurisdictions. The adoption of an international approach is critical in order to avoid a situation where the use of encryption seriously endangers the ability of law enforcement agencies, worldwide, to fight terrorism and crime. The result will not be worldwide suppression of communications and encryption tools, as May asserts, but rather the responsible use of such tools lest they lead to social disorder. Our information superways require responsible conduct just as our interstate highways require.


Key escrow encryption has emerged as one approach that can meet the confidentiality and data recovery needs of organizations while allowing authorized government access to fight terrorism and crime. It can facilitate the promulgation of standards and products that support the information security requirements of the global information infrastructure. The governments of the OECD nations are working with the international business community to find specific approaches that are mutually agreeable.



References and Notes


1. Tim May, "Crypto Anarchy and Virtual Communities," Internet Security, April 1995, pp. 4-12.


2. Jim Warren, "Is Phil Zimmermann being persecuted? Why? By whom? Who's next?," Internet Security, April 1995, pp. 15-21.


3. Secure Computing Corporation, "Answers to Frequently Asked Questions About Network Security," Roseville, MN, Oct. 1994.


4. Louis J. Freeh, Keynote talk at International Cryptography Institute, Sept. 1995. Available through http://www.fbi.gov/crypto.htm


5. For a description of the characteristics of key escrow encryption systems and different proposals, see Dorothy E. Denning and Dennis K. Branstad, "A Taxonomy of Key Escrow Encryption," Comm. of the ACM, to appear in March, 1996. More detailed descriptions of 30 systems can be found through http://www.cosc.georgetown.edu/~denning/crypto. See also Dorothy E. Denning, "Key Escrow Encryption: The Third Paradigm," Computer Security Journal, Summer, 1995 and Dorothy E. Denning, "Critical Factors of Key Escrow Encryption Systems," Proc. National Information Systems Security Conf., Oct. 1995.


6. Statement by the Press Secretary, The White House, April 16, 1993.


7. John A. Thomas, "Can the F.B.I. Stop Private Cryptography?," Internet Security, April 1995, pp. 13-14.


8. Because the algorithm is classified and not open to public review, outside experts were invited to examine the algorithm and report their findings to the public. See Ernest F. Brickell, Dorothy E. Denning, Stephen T. Kent, David P. Maher, and Walter Tuchman, "The SKIPJACK Review, Interim Report: The SKIPJACK Algorithm," July 28, 1993; available through http://www.cosc.georgetown.edu/~denning/crypto


9. National Institute for Standards and Technology, "Escrowed Encryption Standard (EES)," Federal Information Processing Standards Publication (FIPS PUB) 185, 1994.


10. For a technical description of the Clipper Chip and its key escrow system, see Dorothy E. Denning and Miles Smid, "Key Escrowing Today," IEEE Communications, Vol. 32, No. 9, Sept. 1994, pp. 58-68. For a less technical description and discussion of some of the issues surrounding Clipper, see Dorothy E. Denning, "The Case for Clipper," MIT Technology Review, July 1995, pp. 48-55. Both articles can be accessed through http://www.cosc.georgetown.edu/~denning/crypto


11. Bankers Trust Electronic Commerce, "Private Key Escrow System," presentation at the SPA/AEA Cryptography Policy Workshop, Aug. 17, and at the International Cryptography Institute 1995: Global Challenges, Sept. 21-22, 1995.


12. Stephen T. Walker, Steven B. Lipner, Carl M. Ellison, and David M. Balenson, "Commercial Key Escrow," to appear in Comm. ACM, Mar. 1996. Also available from Trusted Information Systems, Inc., Glenwood, MD, 1995.


13. William B. Sweet and Stephen T. Walker, "Commercial Automated Key Escrow (CAKE): An Exportable Strong Encryption Alternative," National Semiconductor, iPower Business Unit, Sunnyvale, CA, June 4, 1995.


14. Carmi Gressel, Ran Granot, and Itai Dror, "International Cryptographic Communication without Key Escrow; KISS: Keep the Invaders (of Privacy) Socially Sane, presented at the International Cryptography Institute 1995: Global Challenges, Sept. 21-22, 1995.


15. Silvio Micali, "Fair Cryptosystems," MIT/LCS/TR-579.c, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, August 1994.


16. Thomas Beth, Hans-Joachim Knoblock, Marcus Otten, Gustavus J. Simmons, and Peer Wichmann, "Clipper Repair Kit - Towards Acceptable Key Escrow Systems," Proc. 2nd ACM Conf. on Communications and Computer Security, 1994.


17. Nigel Jefferies, Chris Mitchell, and Michael Walker, "A Proposed Architecture for Trusted Third Party Services," Royal Holloway, University of London, 1995.


18. Ernie Brickell, Peter Gemmell, and David Kravitz, "Trustee-based Tracing Extensions to Anonymous Cash and the Making of Anonymous Change," Proc. Sixth Annual ACM-SIAM Symp. on Discrete Algorithms, 1995, pp. 457-466.


19. INFOSEC Business Advisory Group (IBAG) Statement. Available through http://www.cosc.georgetown.edu/~denning/crypto


20. EUROBIT-ITAC-ITI-JEIDA Statement. Available through http://www.cosc.georgetown.edu/~denning/crypto.