Mr. Chairman and Members of the Committee:
Good afternoon. I am Raymond G. Kammer, Deputy Director of the National Institute of Standards and Technology of the U.S. Department of Commerce. Thank you for inviting me to testify. The Computer Security Act of 1987 assigns NIST responsibility for the development of standards for protecting unclassified government computer systems, except those commonly known as "Warner Amendment systems" (as defined in Title 10 USC 2315).
Today, in response to the Committee's expressed desire, I would like to focus my remarks upon the following topics:
First, I would like to broadly outline an important policy and societal dilemma confronting us today. In discussions of cryptographic standards, one can not avoid two often competing interests. On the one hand are the interests of firms and individuals in protecting their telecommunications. Cryptography can be used for excellent information protection. For example, it is utilized by businesses seeking to keep their trade secrets secure. On the other hand are the interests of the national security and law enforcement communities. In particular, I am focusing upon the ability of law enforcement to conduct legally authorized wiretapping and the national security community to conduct its intelligence collection activities outside the U.S. - to keep our society safe from crime and keep our nation secure.
The dilemma we confront arises from the competing interests of those seeking to protect individual privacy and commercial and government information versus the need for lawful access to communications when necessary to help enforce our laws and provide for the national security.
Government cryptographic-related policies have always tried to balance these two sides. Rapid advances in digital telecommunications have brought this dilemma to the forefront. Some experts have stated that, within ten years, most digital telecommunications will be encrypted. Without addressing this issue, law enforcement will be denied a historically useful tool in fighting crime, and the mission of our Intelligence Community will be made far more difficult. The Committee is undoubtedly aware of the benefits such intelligence brings to the nation. This matter raises broad societal issues of significant importance. I have personally been involved in many meetings of a philosophical and wide-ranging nature to discuss and distill the options to address this dilemma. Four broad alternatives emerged:
None of these options satisfies all interested parties fully. I doubt such a solution even exists. But, the Administration has chosen the voluntary key escrow technology approach as the most desirable alternative of these options. Indeed, the NSC-led review of this issue has proceeded far enough for us to rule out recommending a legislative mandate criminalizing unauthorized use of cryptography.
It is interesting to note that other countries have faced this same issue and chosen a different solution. France, for example, outlaws use of unregistered cryptographic devices within its borders.
Let me now turn to our proposed solution.
Let me begin my remarks about the government-developed key escrow encryption chips (referred to as "chips" herein) by discussing the goals that we were trying to achieve in developing this technology.
First and foremost, we sought to develop a federal standard which provides very strong protection for government information requiring confidentiality protection. Much of the sensitive information which the government holds and transmits over telephone lines is personal and requires strong protection. Tax records and census data are two such examples. We sought nothing less than excellent protection for the government's records.
Next, as the Committee is most aware, we now find ourselves in a post-Cold War era in which economic competitiveness has become an increasingly vital component of national security. This can be seen in the efforts that foreign intelligence services are taking to assist foreign firms to compete in the global marketplace. France is typically cited in the open literature as one country with a particularly aggressive "industrial espionage" program. American firms require strong protection against such threats - both at home and abroad. Since many NIST standards are voluntarily adopted by the private sector, we were keenly aware that as a new encryption standard was developed we had to meet the needs of American industry for protecting their sensitive information.
In addition, the increasingly digitalized nature of the global communications network is expected to significantly hamper the ability of law enforcement to carry out lawfully authorized wiretapping. Their problem has two dimensions. First, the design and complexity of the nation's telecommunications networks makes locating the single conversation which can be lawfully tapped very difficult. Second, the proliferation of encryption is expected to make law enforcement's tasks more difficult. If a telephone conversation is encrypted, resources must be expended for decryption, where feasible. Such expenditures and technical capabilities are normally far outside the ability of local law enforcement organizations and could be quite significant at the federal level. In seeking to develop a strong encryption technology, we have sought to take in to account the needs of the law enforcement community. The unfettered release of a significantly more powerful algorithm than DES would make their job much more difficult.
Critical national security intelligence issues were also addressed in the development of this technology. I will defer to members of the Intelligence Community to articulate their concerns.
To address these issues, the National Security Agency, in consultation with NIST and the federal law enforcement community, developed this key escrow encryption technology. This effort culminated in the April 16 White House announcement of the key escrow encryption chip. I note that we have chosen to discontinue to use of the term "Clipper Chip" to avoid any possibilities of potential confusion with products and services with similar names.
The state-of-the-art microcircuit, the key escrow encryption chip, can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. The SKIPJACK algorithm with an 80 bit long cryptographic key is approximately 16 million times stronger than DES. It would take a CRAY YMP over a billion years to find one cryptographic key.
Each key escrow encryption chip has two basic functions. The first is an encryption function, which is accomplished by the SKIPJACK algorithm, developed and rigorously tested by NSA. The second function is a law enforcement access method. I will discuss each briefly.
The SKIPJACK algorithm is a SECRET algorithm which, technically, is a symmetric algorithm (as opposed to "public-key" algorithms). Basically, this means that the same cryptographic key is used for both encryption and decryption. The algorithm is so strong that the Department of Defense will evaluate it for use in protecting selected classified applications. Technical details of the algorithm will remain classified so that interoperable products without the law enforcement access field are not built. For the record, I will restate my earlier public statements that there is no trapdoor in the algorithm.
Although the algorithm will remain SECRET and, therefore, not subject to general review by the academic community, the government is providing an opportunity for a limited number of independent experts to study the algorithm. We have invited ten cryptographers (who did not participate in the development of the algorithm or chip) to evaluate the algorithm and publicly report their findings, consistent with security requirements. We will be making the algorithm available to this group shortly, and hope to have their findings available later this summer. We will be publicly announcing the names of those cryptographers we have invited once we have obtained legal releases from these individuals. For the Committee, however, we have received acceptances from: Ernest Brickell, Dorothy Denning, Stephen Kent, and Walter Tuchman. We are currently discussing the conditions of acceptance with several others.
The second basic function of the chip is the provision for law enforcement access under lawful authorization. To do so, each chip is programmed with three values: a cryptographic family key, a chip unique key, and a serial number. These are used in conjunction with the actual cryptographic key used to encrypt the message, known as the session key. Before an encrypted message is sent, the serial number is encrypted using the cryptographic family key and transmitted to the receiver along with the session key encrypted with the chip unique key. When law enforcement has obtained lawful authorization to eavesdrop on a particular electronic device, the serial number can be obtained electronically. Law enforcement can then take the serial number and a certification of their legal authorization to two escrow holders (to be designated by the Attorney General) and obtain the separate components of the chip unique key held by each escrow holder. Using this key, the session key can be obtained and the message can be decrypted and understood. This key may be used by law enforcement only for the applicable period of time of the lawful authorization. It can also only be used to decrypt communications transmitted or received by the device in question.
The President has directed the Attorney General to designate the two escrow agents and develop the security and administrative procedures they are to follow in protecting the keys. The escrow agents will also be informed of those specific circumstances and procedures for release of the keys. Please note that the escrow agents will not track the devices by individual owners; they will simply maintain a database of device serial numbers and associated chip unique keys. When the agents are chosen and the procedures finalized, I anticipate that they will be the subject of rigorous scrutiny.
At the President's direction, we are working to incorporate this technology into a draft Federal Information Processing Standard, which we will publish for public comment. I want to emphasize that the key escrow chip standard is focused on telephone communications. Approaches to other telecommunication technologies remain to be addressed.
In your letter of invitation, you asked that I discuss "any safeguards incorporated in the concept for the privacy of Americans from unwarranted government intrusion." I would like to discuss four issues.
First, this encryption technique provides very good security. The vast majority of telecommunications today is not encrypted, and the use of this strong technology adds immeasurably to the level of privacy afforded confidential conversations.
Second, since we will not be keeping track of the chip unique keys by owner, we have avoided any need for citizens to register their cryptographic devices. This has obviated the need for a Privacy Act "system of records" on our citizens.
Third, this technology provides the law enforcement community no more authority to access telecommunications than already exists under existing law.
Finally, as I have stated, we have decided to split the chip unique key into two components, to be held by the escrow agents to assuage fears that a single rogue individual could compromise anybody's privacy. The security and administrative procedures to be determined by the Attorney General will also clearly demonstrate our commitment to protecting this information and only allowing release under lawfully authorized circumstances.
In order to assess technology trends and explore new cryptographic approaches and technologies (like the key- escrow system), the President's National Security Advisor, in a classified directive, has tasked government agencies to develop a comprehensive policy on encryption that accommodates:
In the White House announcement, the Press Secretary noted that the President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed. In mid-May, I requested that the Computer System Security and Privacy Advisory Board assist the Administration by obtaining wide and varied comments from these outside communities for input to the Administration's deliberations. We published an extensive list of questions in the Federal Register on these issues. Approximately forty-five comments were sent to the Board. At its June meeting, the Board heard from approximately 20 speakers on these issues. I believe that the Committee staff has already been provided a copy of these publicly available comments. The Board has recommended that the Administration move more slowly on addressing these issues and has identified a list of concerns and problems, which we will be examining.
Lastly, I would like to provide a brief overview of our current federal encryption standard for the protection of unclassified information requiring confidentiality protection. The Data Encryption Standard, published as Federal Information Processing Standard 46-1, was first approved for use by the government in 1977. It is based upon technology developed in the early 1970s. The standard has been reaffirmed by the Secretary of Commerce twice since its initial promulgation, and indeed, I plan to recommend to Secretary Brown that he reaffirm it again, making it valid for government use through 1998.
Last year, NIST published its proposal to reaffirm DES for another five-year period in the Federal Register and solicited public comments. NIST received 38 responses. All favored reaffirmation. In addition, many comments included suggestions for improving the standard. Several organizations suggested that during the next five-year reaffirmation period, NIST should start to develop another algorithm that would eventually replace DES as the federal encryption standard. It turns out that the government was already at work to develop such a replacement, but the White House had not yet announced the development of the key escrow encryption chip.
DES has served the federal government and the private sector well. However, it is based upon twenty year old technology and, with the anticipated advances in computing power over the next few years, we believe it prudent to begin migration within the federal government toward a new technology. By announcing our intent to recommend reaffirmation of the standard, we hope to give people an opportunity to think through their options and plan for orderly technology transitions. In the meantime, we need to worry about the large installed base of systems that rely upon this proven standard. We anticipate that DES will remain an effective security tool during the next five years.
This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted telephonically. At the same time, this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.
Encryption technology will play an increasingly important role in future network infrastructures and the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law.
Thank you, Mr. Chairman. I would be pleased to answer your