Raymond G. KammerDeputy Director,
National Institute of Standards and Technology
Subcommittee on Technology
Committee on Science, Space, and Technology
House of RepresentativesMay 3, 1994
Good morning. My name is Raymond G. Kammer, Deputy Director of the Commerce Department's National Institute of Standards and Technology (NIST). Thank you for inviting me here today to testify on the Administration's key escrow encryption initiative. The Computer Security Act of 1987 assigns NIST responsibility for the development of standards for protecting unclassified government computer systems, except those commonly known as "Warner Amendment systems" (as defined in Title 10 U.S.C. 2315).
In response to the topics in which the Committee expressed an interest, I would like to focus my remarks on the following:
- the principal encryption policy issue confronting us,
- the importance of encryption technology,
- how voluntary key escrow encryption technically works and how it ensures privacy and confidentiality,
- alternatives to the voluntary key escrow initiative,
- critical components of the Administration's policy on encryption technology,
- recent initiative to modify Secure Hash Standard, and
- the effectiveness of the Computer Security Act of 1987.
The Principal Encryption Policy Issue
First, I would like to broadly outline an important public policy and societal issue confronting us today regarding unclassified government and commercial cryptography. In developing cryptographic standards, one can not avoid two often competing interests. On the one hand are the needs of users -- corporate, government, and individual -- in protecting telecommunications transmissions of sensitive information. Cryptography can be used for excellent information protection. On the other hand are the interests of the national security and law enforcement communities in being able to monitor electronic communications. In particular, I am focusing upon their need for continued ability to keep our society safe from crime and our nation secure.
Rapid advances in digital telecommunications have brought this issue to a head. Some experts have stated that, within ten years, most digital telecommunications will be encrypted. Unless we address this issue expeditiously, law enforcement will lose an important tool in fighting crime--the ability to wiretap--and the mission of our Intelligence Community will be made more difficult. The Committee is undoubtedly aware of the benefits such intelligence brings to the nation. This matter raises broad societal issues of significant importance. I have personally been involved in many meetings of a philosophical and wide-ranging nature to discuss this dilemma.
Four broad conceptual alternatives emerged:
- Seek a legislative mandate criminalizing the use of unauthorized cryptography.
- Seek wide adoption of an encryption method with an unannounced "trap door." This was never seriously considered.
- Seek wide voluntary adoption of a technology incorporating a secure "key escrow" scheme.
- Allow technology to evolve without government intervention; in effect, do nothing.
None of these options satisfies all interested parties fully. I doubt such a solution even exists, but the Administration has chosen the voluntary key escrow technology approach as the most desirable alternative for protecting voice communications without impairing the ability of law enforcement agencies to continue to conduct wiretaps. For data communication the long-standing Data Encryption Standard has recently been recertified for use.
It is interesting to note that other countries have faced this same issue and chosen different solutions. France, for example, outlaws the use of unregistered cryptographic devices within its borders.
The Importance of Encryption Technology
Encryption provides one of the best ways to guarantee information integrity and obtain cost-effective information confidentiality. Encryption transforms intelligible information into an unintelligible form. This is accomplished by using a mathematical algorithm and a "key" (or keys) to manipulate the data in a complex manner. The resulting enciphered data can then be transmitted without fear of disclosure, provided, of course, that the implementation is secure and the mathematical-based algorithm is sound. The original information can then be understood through a decryption process. As I shall discuss, knowledge of the particular key utilized for a particular encryption of information (or, in the case of asymmetric cryptography, knowledge of the associated key of the key pair) allows decryption of the information. For this reason, such keys are highly protected.
Uses of Cryptography
Encryption can be used in many applications for assuring integrity and confidentiality, or both. It can be used to protect the integrity and/or confidentiality of phone calls, computer files, electronic mail, electronic medical records, tax records, corporate proprietary data, credit records, fax transmissions and many other types of electronic information. It is expected that cryptographic technologies will be used on a voluntary basis in the protection of information and services provided via the National Information Infrastructure.
Encryption used with these and other types of information protects the individual privacy of our citizens including, for example, their records and transactions with government agencies and financial institutions. Private sector organizations can also benefit from encryption by securing their product development and marketing plans, for example. It also can protect against industrial espionage by making computers more secure against unauthorized break-ins and, if data is encrypted, making it useless for those without the necessary key.
The government has long used cryptography for the protection of its information -- from that involving highly classified defense and foreign relations activities to unclassified records, such as those protected under the Privacy Act. My point here is not to list all potential applications and benefits but to give you a feel for the innumerable applications and benefits which encryption, when securely implemented, can provide.
Hazards of Cryptography
Counterbalanced against its benefits, encryption also can present many substantial drawbacks -- to both the government and other users. First and foremost, encryption can frustrate legally authorized criminal investigations by the federal, state, and local law enforcement agencies. As their representatives can better explain, lawful electronic surveillance has proven to be of the utmost benefit in both investigating and prosecuting serious criminal activity, including violent crime. Cryptographic technologies can also seriously harm our national security and intelligence capabilities. As I shall discuss, the Administration recognizes that the consequences of wide-spread, high quality encryption upon law enforcement and national security are considerable.
Encryption may also prove a potential hazard to other users, such as private sector firms, particularly as we move into the Information Age. Private firms, too, are concerned about the misuses of cryptography by their employees. For example, a rogue employee may encrypt files and offer the "key" for ransom. This is often referred to as the "data hostage" issue. Keys can also be lost or forgotten, resulting in the unavailability of data. Additionally, users of encryption may gain a false sense of security by using poorly designed or implemented encryption. To protect against such hazards, some corporations have expressed interest in a "corporate" key escrowing capability to minimize harm to their organizations from internal misuse of cryptography. As security experts point out, such a false sense of security can be worse than if no security measures were taken at all. Encryption is not a "cure-all" to all security problems.
Let me now turn to the details of the Administration's key escrow encryption initiative.
Voluntary Key Escrow Encryption Initiative
Goals of the Voluntary Key Escrow Encryption Initiative
I will begin my remarks about the government-developed key escrow encryption chips (referred to as "chips" herein) by discussing the goals that we were trying to achieve in developing this technology for application to voice-grade communication.
At the outset, we sought to develop a technology which provides very strong protection for government information requiring confidentiality protection. Much of the sensitive information which the government holds, processes, and transmits is personal and requires strong protection. Tax records and census data are two such examples. We sought nothing less than excellent protection for government communications. In order to allow agencies to easily take advantage of this technology, its voluntary use (in Federal Information Processing Standards (FIPS) 185) to protect telephone communications has been approved by the Secretary of Commerce.
The chips implementing FIPS 185 efficiently support applications within the its scope. They far exceed the speed requirements of commercial modems existing today or envisioned for the near future.
In addition to the need for strong information protection, the increasingly digitized nature of advanced telecommunications is expected to significantly hamper the ability of domestic law enforcement to carry out lawfully authorized wiretapping. Their problem has two dimensions.
First, the design and complexity of the nation's telecommunications networks makes locating those communications which can be lawfully tapped very difficult. This is the digital telephony issue, which my law enforcement colleague will discuss today.
Second, the proliferation of encryption is expected to make law enforcement's tasks more difficult. If a telephone conversation is encrypted, resources must be expended for decryption, where feasible. Such expenditures and technical capabilities are normally far outside the ability of local law enforcement organizations and could be quite significant at the federal level. In seeking to make available a strong encryption technology, we have sought to take in to account the needs of the law enforcement community. For example, one of the reasons that the SKIPJACK algorithm, the formula on which the key escrow chip is based, is being kept classified is that its release would make their job much harder were it to be used to hide criminal activity.
Misconceptions Concerning the Purpose of the Voluntary Key Escrow Encryption Initiative
A number of those opposed to this Administration initiative have expressed doubt about whether the key escrow encryption initiative can do anything to solve this nation's crime problem. Of course, this initiative cannot by itself do so. The basic intent of the program is the provision of sound security, without adversely affecting other government interests, including, when necessary, the protection of society through lawfully authorized electronic surveillance.
The voluntary key escrow encryption initiative, first and foremost, was devised to provide solid, first-rate cryptographic security for the protection of information held by the government when government agencies decide such protection is needed for unclassified government communications -- for example, tax, social security and proprietary information. (The Escrowed Encryption Standard (FIPS 185) allows federal agencies to use this technology for protection of telephone communications.) This was done, in part, with the realization that the current government cryptographic technique, the Data Encryption Standard (which was recently re-approved) is over fifteen years old; while DES is still sound, its usefulness will not continue indefinitely. We also recognized that were we to disclose an even stronger algorithm (with the government's "seal of approval"), it could be misused to hamper lawful investigations, particularly electronic surveillance.
In approving this initiative, we felt it important that protective measures be taken to prevent its misuse -- a safety catch, if you will. This will help assure that this powerful technology is not misused if adopted and used voluntarily by others. Our method of providing this safety mechanism relies upon escrowing cryptographic key components so that, if the technology is misused, lawful investigations will not be thwarted. Additionally, the algorithm (SKIPJACK) will remain classified so that its only uses will be consistent with our safety mechanism, key escrowing. I think it is fair to say that use of this powerful algorithm without key escrowing could pose a serious threat to our public safety and our national security.
Key Escrow Encryption Technology
The National Security Agency, in consultation with NIST and the federal law enforcement community, undertook to apply voluntary key escrow encryption technology to voice-grade communications. The product of this effort was announced in the April 16, 1993 White House release concerning the key escrow encryption chip. I note that we have chosen to discontinue use of the term "Clipper Chip" to avoid potential confusion with products and services with similar names.
The state-of-the-art microcircuit, the key escrow encryption chip, can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm more powerful than many in commercial use today. The SKIPJACK algorithm, with an 80-bit long cryptographic key,is approximately 16 million times stronger than DES. For the record, I will restate my earlier public statements that there is no trapdoor in the algorithm.
Each key escrow encryption chip has two basic functions. The first is an encryption function, which is accomplished by the SKIPJACK algorithm, developed and rigorously tested by NSA. The second function is a law enforcement access method. I will discuss each briefly.
The SKIPJACK algorithm is a symmetric algorithm (as opposed to "public-key" algorithms). Basically, this means that the same cryptographic key (the session key) is used for both encryption and decryption. The algorithm is so strong that the Department of Defense will evaluate it for use in protecting selected classified applications.
The second basic function of the chip is the provision for law enforcement access under lawful authorization. To do so, each chip is programmed with three values: a cryptographic family key, a device unique key, and a serial number. (The device unique key is split into two key components which are then encrypted and are provided to the two current escrow agents, NIST and the Automated Systems Division of the Department of the Treasury, for secure storage.) These three values are used in conjunction with the session key (which itself encrypts the message) in the creation of the law enforcement access field. When law enforcement has obtained lawful authorization for electronic surveillance, the serial number can be obtained electronically. Law enforcement can then take the serial number and a certification of their legal authorization to the two escrow agents. (Detailed procedures for the release of these key components were issued by the Department of Justice in early February.) After these certifications are received, the encrypted components will be transmitted by escrow agent officials for combination in the decrypt-processor.
After decryption of the key components within the decrypt processor, the two key components are then mathematically combined, yielding the device unique key. This key is used to obtain another key, the session key, which is used to decrypt and understand the message. This device unique key may be used by law enforcement only for the decryption of communications obtained during the applicable period of time of the lawful electronic surveillance authorization. It can also only be used to decrypt communications transmitted or received by the device in question.
Security and Privacy Using Key Escrow Encryption
When the Administration announced the voluntary key escrow encryption initiative, we anticipated that questions would be raised about the strength and integrity of the SKIPJACK algorithm, which is at the heart of the system. We assured the public that we knew of no weakness in the algorithm and that there was not an undisclosed point of entry, commonly referred to as a trapdoor. The algorithm was designed by cryptographic experts at the National Security Agency and withstood a rigorous testing and analysis process.
As a further way to indicate the fundamental strength of SKIPJACK, we invited a group of independent experts in cryptography to review the algorithm, under appropriate security conditions, and make their results publicly known, again, consistent with the classified nature of the algorithm. This group consisted of Ernest Brickell (Sandia National Laboratories), Dorothy Denning (Georgetown University), Stephen Kent (BBN Communications Corp.), David Maher (AT&T) and Walter Tuchman (Amperif Corp.). These experts reported that:
- Under an assumption that the cost of processing power is halved every eighteen months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive search will be equal to the cost of breaking DES today;
- There is no significant risk that SKIPJACK can be broken through a shortcut method of attack.
Let me also repeat the reasons why the algorithm must remain classified. First, we believe it would be irresponsible to publish the technical details. This would be tantamount to handing over this strong algorithm to those who may use it to hide criminal activity. Publishing the algorithm may also reveal some of the classified design techniques that NSA uses to design military-strength technology. It would also allow devices to be built without the key escrowing feature, again allowing criminals to take advantage of the strength of this very powerful technology without any safeguard for society.
With regard to privacy, key escrow encryption can, of course, be used to protect personal information contained in telephone communications. Moreover, the voluntary key escrow encryption initiative does not expand the government's authority for the conduct of electronic surveillance, as my colleague from the Federal Bureau of Investigation will discuss. It is important to understand that the escrow agents will not track the devices by individual owners; they will simply maintain a database of chip ID numbers and associated chip unique key components (which themselves are encrypted).
Alternatives to the Voluntary Key Escrow Initiative
In reaction to industry's concerns about our hardware-only implementation of key escrow encryption, we announced an opportunity for industry to work with us on developing secure software-based key escrow encryption. Unfortunately, initial industry interest was minimal; our offer, however, remains open. We are also willing to work on hardware alternatives to key escrowing as we emphasized in our recent announcements.
The Administration has been seeking to meet with members of the computer, software, and telecommunications industries to discuss the importance of this matter. We are open to other approaches.
Key Government Policies on Unclassified/Commercial Encryption
Encryption is an important tool to protect privacy and confidentiality.
As I discussed earlier, encryption is powerful technology that can protect the confidentiality of data and the privacy of individuals. The government will continue to rely on this technology to protect its secrets as well as the personal and proprietary data it maintains. Use of encryption by federal agencies is encouraged when it cost-effectively meets their security requirements.
No legislation restricting domestic use of cryptography.
Early in the policy review process, we stated that the Administration would not be seeking legislation to restrict the use, manufacture, or sale of encryption products in the U.S. This was a fear that was expressed in the public comments we received, and one that continues, despite our repeated assertions to the contrary. Let me be clear - this Administration does not seek legislation to prohibit or in any way restrict the domestic use of cryptography.
Export Controls on encryption are necessary but administrative procedures can be streamlined.
Encryption use worldwide affects our national security. While this matter cannot be discussed in detail publicly without harm to this nation's intelligence sources and methods, I can point to the Vice President's public statement that encryption has "huge strategic value." The Vice President's description of the critical importance of encryption is important to bear in mind as we discuss these issues today.
In recent months, the Administration has dramatically relaxed export controls on computer and telecommunications equipment. However, we have retained export controls on encryption technology, in both hardware and software. These controls strongly promote our national security. These export controls include mass market software implementing the Data Encryption Standard. The Administration determined, however, that there are a number of reforms the government can implement to reduce the burden of these controls on U.S. industry.
These reforms are part of the Administration's goal to eliminate unnecessary controls and ensure efficient implementation of those controls that must remain. For example, fewer licenses will be required by exporters since manufacturers will be able to ship their approved products from the U.S. directly to customers within approved regions without obtaining individual licenses for each end user. Additionally, the State Department has set a license review turnaround goal of two working days for most applications. Moreover, the State Department will no longer require that U.S. citizens obtain an export license prior to taking encryption products out of the U.S. temporarily for their own personal use. Lastly, after a one-time initial technical review, key escrow encryption products may now be exported to most end users. These reforms should help to minimize the effect of export controls on U.S. industry.
The Government requires a mechanism to deal with continuing encryption policy issues.
In recognition of this, the Interagency Working Group on Encryption and Telecommunications was formed in recognition of the possibility that the economic significance of our current encryption policy could change. The Working Group has been assigned to monitor changes in the balance that the President has struck with these policy decisions and to recommend changes in policy as circumstances warrant. The Working Group will work with industry on technologies like the key escrow encryption chip and in the development and evaluation of possible alternatives to the chip.
The group is co-chaired by the White House Office of Science and Technology Policy and the National Security Council. It includes representatives from all departments and agencies which participated in the policy review and others as appropriate, and keeps the Information Policy Committee of the Information Infrastructure Task Force apprised of its activities.
Flexibility on Encryption Approaches.
From the time of the initial White House announcement of this technology, we have stated that this key escrow encryption technology provides 1) exceptionally strong protection and 2) a feature to protect society against those that would seek to misuse it. I have personally expressed our flexibility in seeking solutions to these difficult issues. We have offered to work with industry in developing alternative software and hardware approaches to key escrowing. We actively seek additional solutions to these difficult problems.
We also stand willing to assist the Congressionally-directed study of these issues by the National Research Council.
Use of EES is voluntary and limited to telephone systems.
The Escrowed Encryption Standard, which was approved on February 3, 1994, is a voluntary standard for use both within and outside of the federal government. It is applicable for protecting telephone communications, including voice, fax and modem. No decisions have been made about applying key escrow encryption technology to computer-to-computer communications (e.g., e-mail) for the federal government.
Government standards should not harm law enforcement/national security
This is fairly straightforward, but can be difficult to achieve. In setting standards, the interests of all the components of the government should be taken into account. In the case of encryption, this means not only the user community, but also the law enforcement and national security communities, particularly since standards setting activities can have long-term impacts (which, unfortunately, can sometimes be hard to forecast).
Secure Hash Standard
As the Committee may be aware, NIST has recently initiated the process to issue a technical modification to Federal Information Processing Standard 180, the Secure Hash Standard. The Secure Hash Standard uses a cryptographic-type algorithm to produce a short hash value (also known as a "representation" or "message digest") of a longer message or file. This hash value is calculated such that any change to the file or message being hashed, will, to a very high degree of probability, change the hash value. This standard can be used alone to protect the integrity of data files against inadvertent modification. When used in conjunction with a digital signature, it can be used to detect any unauthorized modification to data.
Our intent to modify the standard was announced by NIST after the National Security Agency informed me that their mathematicians had discovered a previously unknown weakness in the algorithm. This meant that the standard, while still very strong, was not as robust as we had originally intended. This correction will return the standard to its intended level of strength.
I think this announcement illustrates two useful issues with regard to cryptographic-based standards. First, developing sound cryptographic technology is very difficult. This is also seen with commercial algorithms, including those used for hashing and encryption. Secondly, this incident demonstrates the commitment of NIST, with NSA's technical assistance, to promulgating sound security standards. In this case, a weakness was found, and is being quickly corrected.
Effectiveness of the Computer Security Act of 1987
Lastly, as requested in your invitation to appear here today, let me briefly address the effectiveness of the Computer Security Act of 1987 (P.L. 100-235). I will first briefly comment on what we learned about the state of computer security in the federal government during our agency visit process and then turn to cryptographic-specific issues.
As part of our efforts to increase awareness of the need for computer security, during 1991-1992, officials from OMB, NIST and NSA visited 28 federal departments and agencies. Each visit was designed to increase senior managers' awareness of security issues and to motivate them to improve security. I believe that what we learned during those visits remains valid -- and indicates that we still need to focus on basic computer security issues in the government.
Specifically, OMB, NIST and NSA proposed the following steps to improve security:
- Focus management attention on computer security.
- Improve planning for security.
- Update security awareness and training programs.
- Improve contingency planning and incident response capabilities.
- Improve communication of useful security techniques.
- Assess security vulnerabilities in emerging information technologies.
Actions are being taken by NIST and other agencies to address each of these areas. The background and discussion of the need for these measures is discussed in the summary report prepared by OMB on "Observations of Agency Computer Security Practices and Implementation of OMB Bulletin No. 90-08" (February 1993). In short, the Computer Security Act provides an appropriate framework for agencies to continue improving the security of their automated systems -- but much work remains to be done, by NIST and individual federal agencies.
One of the questions that the Committee was interested in was whether there is a need to modify this legislation in response to the same advancements in technology that led to the key escrow initiative and digital telephony proposal. First, I would observe that the Act, as a broad framework, is not tied to a specific technology. I think it would be unworkable if the Act were to address specific computer technologies, since this is a rapidly evolving field. Also, I would note that the Act does not address digital telephony concerns -- the Administration is proposing separate legislation in that area. In short, no modifications to the Act are necessary because of technology advances.
Before leaving the subject of the Computer Security Act, however, let me briefly comment on the Escrowed Encryption Standard. I strongly believe that NIST and NSA have complied with the spirit and intent of the Act. At the same time, this issue underscores the complex issues which arise in the course of developing computer security standards, particularly cryptographic-based standards for unclassified systems.
The Act, as you are aware, authorizes NIST to draw upon computer security guidelines developed by NSA to the extent that NIST determines they are consistent with the requirements for protecting sensitive information in federal computer systems. In the area of cryptography, we believe that federal agencies have valid requirements for access to strong encryption (and other cryptographic-related standards) for the protection of their information. We were also aware of other requirements of the law enforcement and national security community. Since NSA is considered to have the world's foremost cryptographic capabilities, it only makes sense (from both a technological and economic point of view) to draw upon their guidelines and skills as useful inputs to the development of standards. The use of NSA-designed and -tested algorithms is fully consistent with the Act. We also work jointly with NSA in many other areas, including the development of criteria for the security evaluation of computer systems. They have had more experience than anyone else in such evaluations. As in the case of cryptography, this is an area in which NIST can benefit from NSA's expertise.
Key escrow encryption can help protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted telephonically. Key escrow encryption is available as a valuable tool for protecting federal agencies' critical information communicated by telephone. At the same time, this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.
Encryption technology will play an increasingly important security role in future computer applications. Its use for security must be balanced with the need to protect all Americans from those who break the law.
Thank you, Mr. Chairman. I would be pleased to answer your questions.