Mr. Chairman and Members of the Committee:
Good afternoon. I am Raymond G. Kammer, Deputy Director of the National Institute of Standards and Technology of the U.S. Department of Commerce. Thank you for inviting me here today to testify on the Administration's key escrow encryption initiative. The Computer Security Act of 1987 assigns NIST responsibility for the development of standards for protecting unclassified government computer systems, except those commonly known as "Warner Amendment systems" (as defined in Title 10 USC 2315).
In response to the topics in which the Committee expressed an interest, I would like to focus my remarks on the following:
First, I would like to broadly outline an important policy and societal challenge confronting us today. In developing cryptographic standards, one cannot avoid two often competing interests. On the one hand are the interests of users -- both corporate and individual -- in protecting their telecommunications transmissions of sensitive information. Cryptography can be used for excellent information protection. For example, it is utilized by businesses seeking to keep their trade secrets secure. On the other hand are the interests of the national security and law enforcement communities. In particular, I am focusing upon the ability of law enforcement to conduct legally authorized wiretapping and the national security community to conduct its intelligence collection activities outside the U.S. -- to keep our society safe from crime and keep our nation secure.
The challenge we confront arises from the need to protect individual privacy and commercial and government information (including through the use of encryption) while at the same time ensuring lawful access to electronic communications when necessary to help enforce our laws and provide for the national security.
Government cryptographic-related policies have always tried to balance these interests. Rapid advances in digital telecommunications have brought this need to a head. Some experts have stated that, within ten years, most digital telecommunications will be encrypted. Without addressing this issue, law enforcement will be denied a historically useful tool in fighting crime, and the mission of our Intelligence Community will be made far more difficult. The Committee is undoubtedly aware of the benefits such intelligence brings to the nation. This matter raises broad societal issues of significant importance. I have personally been involved in many meetings of a philosophical and wide-ranging nature to discuss and distill the options to address this dilemma. Several alternatives have been suggested:
None of these options satisfies all interested parties fully. I doubt such a solution even exists. The Administration has chosen the voluntary key escrow technology approach as a desirable way to protect government information and offered to make this technology available. Also, the NSC-led review of this issue has proceeded far enough for us to rule out recommending a legislative mandate criminalizing unauthorized use of cryptography.
It is interesting to note that other countries have faced this same issue and chosen a different solution. France, for example, outlaws use of unregistered cryptographic devices within its borders.
Let me now turn to the key escrow encryption technology.
I will begin my remarks about the government-developed key escrow encryption chips (referred to as "chips" herein) by discussing the goals that we were trying to achieve in developing this technology.
First and foremost, we sought to develop a federal standard which provides very strong protection for government information requiring confidentiality protection. Much of the sensitive information which the government holds and transmits over telephone lines is personal and requires strong protection. Tax records and census data are two examples. We sought nothing less than excellent protection for the government's records.
Next, since many NIST standards are voluntarily adopted by the private sector, we were keenly aware that as a new encryption standard was developed we had to meet the needs of American industry for protecting their sensitive information. As the Committee is most aware, we now find ourselves in a post-Cold War era in which economic competitiveness has become an increasingly vital component of national security.
In addition, the proliferation of encryption is expected to significantly hamper the ability of domestic law enforcement to carry out lawfully authorized wiretapping. If a telephone conversation is encrypted, resources must be expended for decryption, where feasible. Such expenditures and technical capabilities are normally far outside the ability of local law enforcement organizations and could be quite significant at the federal level. In seeking to develop a strong encryption technology, we have sought to take into account the needs of the law enforcement community. The unfettered release of powerful cryptographic algorithms makes their job much more difficult.
Critical national security intelligence issues were also addressed in the development of this technology. I will defer to members of the Intelligence Community to articulate their concerns.
To address these issues, the National Security Agency, in consultation with NIST and the federal law enforcement community, developed this key escrow encryption technology. This effort culminated in the April 16 White House announcement of the key escrow encryption chip. I note that we have chosen to discontinue use of the term "Clipper Chip" to avoid any possibilities of potential confusion with products and services with similar names.
The state-of-the-art microcircuit, the key escrow encryption chip, can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. The SKIPJACK algorithm with an 80 bit long cryptographic key is approximately 16 million times stronger than DES. It would take a CRAY YMP over a billion years to find one cryptographic key.
Each key escrow encryption chip has two basic functions. The first is an encryption function, which is accomplished by the SKIPJACK algorithm, developed and rigorously tested by NSA. The second function is a law enforcement access method. I will discuss each briefly.
The SKIPJACK algorithm is a SECRET algorithm which, technically, is a symmetric algorithm (as opposed to "public-key" algorithms). Basically, this means that the same cryptographic key is used for both encryption and decryption. The algorithm is so strong that the Department of Defense will evaluate it for use in protecting selected classified applications. Technical details of the algorithm will remain classified so that interoperable products without the law enforcement access field are not built. For the record, I will restate my earlier public statements that there is no trapdoor in the algorithm.
Although the algorithm will remain SECRET and, therefore, not subject to general review by the academic community, the government has provided an opportunity for five independent experts, not involved in development of the algorithm or chip, to evaluate the algorithm -- and publicly report their findings. This group consisted of Ernest Brickell (Sandia National Laboratories), Dorothy Denning (Georgetown University), Stephen Kent (BBN Communications Corp.), David Maher (AT&T) and Walter Tuchman (Amperif Corp.). These experts reported that:
The second basic function of the chip is the provision for law enforcement access under lawful authorization. To do so, each chip is programmed with three values: a cryptographic family key, a chip unique key, and a serial number. These are used in conjunction with the actual cryptographic key used to encrypt the message, known as the session key. Before an encrypted message is sent, the serial number is encrypted using the cryptographic family key and transmitted to the receiver along with the session key encrypted with the chip unique key. When law enforcement, having obtained lawful authorization to intercept communications, encounters encryption using a particular electronic device, the serial number of the chip in that device can be obtained electronically. Law enforcement can then communicate the serial number and a certification of their legal authorization to conduct electronic surveillance to two escrow holders (to be designated by the Attorney General) and obtain the separate components of the chip unique key held by each escrow holder. Using this key, the session key can be obtained and the message can be decrypted and understood. This key may be used by law enforcement only for the applicable period of time of the lawful authorization.
The President has directed the Attorney General to designate the two escrow agents and strict security procedures for protecting the keys. The escrow agents will also be informed of the specific circumstances and procedures for release of the keys -- which I believe Mr. Richard is prepared to brief you on in some detail.
It is important to understand that the escrow agents will not track the devices by individual owners; they will simply maintain a database of device serial numbers and associated chip unique keys. When the agents are chosen and the procedures finalized, I anticipate that they will be the subject of rigorous scrutiny.
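The access mechanism described above, traced end to end in an added example that is not part of the original testimony and is not the government's design code. Assumptions: a toy keystream cipher stands in for the classified SKIPJACK algorithm, the two escrow components are assumed to combine by XOR, the chip unique key is assumed to be 80 bits, and all function and class names are hypothetical.

```python
import hashlib
import secrets

def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (XOR with a SHA-256 keystream). Stand-in for
    SKIPJACK only; the same call encrypts and decrypts. Not secure."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class EscrowAgent:
    """Holds one key component per serial number; knows nothing about owners."""
    def __init__(self):
        self._components = {}
    def deposit(self, serial: bytes, component: bytes) -> None:
        self._components[serial] = component
    def release(self, serial: bytes, authorized: bool) -> bytes:
        if not authorized:  # stands in for the certification of legal authorization
            raise PermissionError("no lawful authorization presented")
        return self._components[serial]

def program_chip(serial, family_key, agent_a, agent_b):
    """Program the three chip values and split the chip unique key in two."""
    unit_key = secrets.token_bytes(10)   # assumed 80-bit chip unique key
    part_a = secrets.token_bytes(10)     # random component for the first agent
    agent_a.deposit(serial, part_a)
    agent_b.deposit(serial, xor(unit_key, part_a))  # assumed XOR split
    return {"serial": serial, "family_key": family_key, "unit_key": unit_key}

def send(chip, session_key, plaintext):
    """What is transmitted: the access data plus the encrypted message."""
    return {
        "enc_serial": stand_in_cipher(chip["family_key"], chip["serial"]),
        "enc_session_key": stand_in_cipher(chip["unit_key"], session_key),
        "ciphertext": stand_in_cipher(session_key, plaintext),
    }

def lawful_decrypt(msg, family_key, agent_a, agent_b, authorized):
    """Serial -> both escrow components -> unit key -> session key -> message."""
    serial = stand_in_cipher(family_key, msg["enc_serial"])
    unit_key = xor(agent_a.release(serial, authorized),
                   agent_b.release(serial, authorized))
    session_key = stand_in_cipher(unit_key, msg["enc_session_key"])
    return stand_in_cipher(session_key, msg["ciphertext"])
```

The component held by a single agent is a uniformly random value on its own, so under the assumed XOR split neither agent alone can recover the session key.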
At the President's direction, we have prepared a Federal Information Processing Standard, the Escrowed Encryption Standard, incorporating this technology. We published this proposed standard for public comment on July 30, 1993. We have received approximately three hundred comments, which we are currently analyzing.
I want to emphasize that the key escrow chip is to be a voluntary standard focused on telephone communications. Approaches to other telecommunication technologies remain to be addressed.
In order to assess technology trends and explore new cryptographic approaches and technologies (like the key-escrow system), the President's National Security Advisor has tasked government agencies to develop clear policy options on encryption that carefully consider:
An interagency working group was established by the National Security Council to conduct this review. Sub-groups were formed to deal with four issues: 1) technology trends, 2) encryption, 3) export, and 4) key escrow. I chaired the first two sub-groups. We are currently preparing a report for consideration by the NSC Deputies Committee.
Key escrow encryption can help protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted telephonically. At the same time, this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of suspected criminals.
Encryption technology will play an increasingly important role in future network infrastructures and the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to developing these policies in a balanced and constructive way and in consultation with both the private sector and the Congress.
Thank you, Mr. Chairman. I would be pleased to answer your