-----BEGIN PGP SIGNED MESSAGE----- Here are my noted and remembered impressions from Wedensday's NIS&T conference on key escrow (aka GAK) export. Please note that there is a separate conference next week on creating a FIPS PUB standard for key escrow. That standard will be promulgated, just as GOSIP, POSIX and Clipper/Skipjack were promulgated. This export conference was separate from that FIPS standardization process. I got stuck in a construction traffic jam, and missed the introductory speaches. Perhaps one of the other c'punks can fill us all in on what I missed. The first item is that the export criteria will be changed. A small number of bits will be added to unescrowed crypto, and 64-bit escrow'd (GAK'd) systems will be allowed. They don't care which algorithm is used, DES, RC4, blowfish, etc. They care about key length. If it is short enough, it is exportable. The conference seemed to be an attempt to co-opt industry into agreeing that 64-bit GAK is much better than the current situation. After all, it would be too strong for a "hacker in France" to break it. When they opened the floor, there were a few comments/questions that indicated that not everyone was convinced that this was a good thing. I pointed out some graduate students don't consider "hacker" a compliment, and that I thought Damian did a great job breaking RC4-40. I also pointed out that it was broken again in 31 hours with a "bunch of commercial systems, Sun and Pentiums" with no need for supercomputers. I then asked if the criteria were fixed, as setting criteria controls the result. The NIS&T approved board said that changes to the criteria was part of why the conference was being held. The next hour and a half was presentation from "industry." Essentially comments on the proposal. Nearly all of the spokesmen said that the criteria were flawed. Some said that they already had commercial products that met most of the real needs of the industry (key recovery) but they didn't meet the NIS&T/NSA "criteria." Probably the strongest was the condamnation by Robert Holleyman of the Business Software Alliance. Hollyman said that BSA represents firms such as Microsoft, Novell, Lotus, Sybase, SCO, Autodesk, and Intergraph. He said that current policy "directly threatens" the industry because of "The US Government's continuing refusal to adopt realistic export control policies." He went on and on. It was clear that his position is that the proposed policy is a mistake. After the presentations, there were more questions. I proposed one additional criteria (based on email that I received from the c'punks): How do we expire court approved access to encrypted data, so that once the court orders are over, the LEAs no longer have the ability to decrypt. The answer was that with clipper, special hardware is needed, and it goes away when the court order does. I asked how that model worked in a software only world. There were mumbled statements about adding it as a criteria. The conference then broke for lunch and breakout groups. The one I was in discussed criterias 5 and 6 of Topic 3, published in my URL http://www.isse.gmu.edu/~pfarrell/nistmeeting.html They are short enought to reproduce here. 5. The product shall be resistant to any alteration that would disable or circumvent the key escrow mechanism, to include being designed so that the key escrow mechanism cannot be disabled by a static patch, (i.e., the replacement of a block of code by a modified block). 6. The product shall not decrypt messages or files encrypted by non-escrowed products, including products whose key escrow mechanisms have been altered or disabled. After I commented that the person writing the notes has the ability to detirmine what was said, the folks from NSA and NIS&T asked me to take the notes. I love it; but I did try to be objective. In the middle of this discussion, a government-generated, but anonymnous paper was distributed. It had "Example Suggested Solutions." It suggested that source code not be available for products suitable for export. It also suggested other ideas, such as storing a checksum/hash and having the system "check the cryptographic code several times during its use." There was a strong reaction against these suggestions, not because they were bad ideas, but because the paper was delivered with no prior publication. This precluded any planned response to its ideas. We reworded #5 to say "want to Trust the Product." This means that it is untampered, works as expected, etc. We then hashed out ways to know this. The list ended up looking like: 1. is available only as object code 2. contains some "hash" function to check for modifications 3. contains some unique hash, with uniqueness based upon something like "site," "per copy" or "per release" 4. Contains policies against modification, such as liscense language against decompilation. 5. OS-related security, such as runs "protected mode" instead of as a wild DOS program. Of course, the software vendors went wild against "per copy" identifiers, saying it would add two orders of magnitude worth of problems to manufacturing. The items on the list were not "must have all of these" rather it was a pick-and-chose menu. We also required that the standard allow for technical innovation to keep up with the evolving state of the art. The discussion of #6 was more lively. We took a long time figuring out what it said. For instance, could ViaCrypt sell a product that was compatible with PGP 2.6.2 (non-escrowed) that also worked with the new escrowed ciphers? It seems to me, and a lot of other folks there, that such a product would be non-exportable. We simplified the criteria to: "right products won't talk to wrong products." with "right products" meaning those that are exportable, and wrong products being those that aren't, or are hacked, or ... We then developed "goals" including: 1. One version for sale worldwide 2. Allow development in the US 3. Domestic Law Enforcement Agencies want Escrowed (I almost wrote GAK :-) 4. Must interoperate with everything 5. Receiver can only decrypt if escrow agencies can decrypt. This leads to a bunch of issues and observations, including: a. Can goals 1, 2, and 4 be met simultaneously? There was a suggestion of a "friendly man-in-the-middle" who would receive a GAK'd conversation, and strip off the GAK parts, and reencrypt it, and retransmit it to a non-GAK user. Which leads to: b. Can we prohibit a friendly MITM? The big issue was: c. Startup compatibility. No one will buy products unless they have sales attractiveness. This means compatibility with existing systems. Yet the criteria #6 seems to say that approved products must refuse backwards compatibility. This was labeled a "non starter" by the group. The consensus was that companies can develop a substantial competitive advantage by developing off-shore and offering both escrowed encryption and compatibility with existing systems. There was a discussion of grandfathering in some technologies. This was to help interoperability. The conversation became fuzzy, Grandfather technologies included DES, 3-DES, IDEA, and long key RC4. One key idea was that it may make sense to allow software that encrypts with escrowed keys, but can also decrypt with any algorithm. This allows the LEA's to access outgoing messages, while allowing interoperability. The discussions frequently wandered to discuss the language of the criteria. The wording was considered simultaneously too subjective and impractical. For example, we considered the phrase "tamper resistant" to be preferable to the original "prevent tampering," because it is impossible to absolutly prevent modification to software. The issue of interoperability was raised repeatedly. It is critical that exportable products interoperate with other, existing export products. The last issue in the session was that the length of the key, 64-bits, was defined in criteria #1. There was no discussion at the conference on this criteria. It seems that the NIS&T and NSA folks believe that this is a closed topic. The folks in the session did not agree. They felt that 64-bits was not enough. Once the breakout session was over, the entire conference met together, and the "reporter" from each session reported their comments and findings. All breakout sessions had suggested changes. The group that discussed criteria #9 recommended removing it. The group that discussed criteria #2 (no multiple encryption) reported that industry was working on a general solution to the problem of key recovery, and that their solution would probably appear as quickly without the government's "help." Several groups identified that there are at least two separate problem domains: communications and data storage. Communications typically is short term, and has unique keys for each session. Data storage has far fewer keys that are used for long periods. Several speakers suggested that while communications keys were not suited to be escrowed, there was a large need for key recovery for data storage. There was no response from the government representatives to any of these points. One government speaker did say that there would be a Federal key escrow standard, period. After the combined session, there were more break-out sessions. In the one that I attended, the folks from National Semiconductor described their CAKE system. This is a smartcard/PCMCIA device that uses 2000+ bit public/private key encryption and signatures. They are hoping for export approval; it is necessary for the project to be viable. The system looks pretty interesting, but it too complicated to describe here. In short, random session keys are generated and signed with a Data Recovery Center's public key. The LEAs could then send encrypted session keys to the DRC, which would decrypt them, and return the unencrypted session keys which the LEA could then used to decrypt the messages. While this is a hardware system, its concepts could be transfered to a software implementation. One obvious problem is that NS' system doesn't meet criteria #8 (retuiring repeated involvement of the escrow agent), since it may require hundreds or thousands of session key decipherments. It also has a number of attractive features, such as never sending the private key anywhere, only the session key is escrowed. The general discussion showed concerns that in the international community, requiring government escrow may cause lose of valuable data, as some foriegn governments are not as trustworthy as the US. It was the consensus that requiring users to have 50 or more escrow centers was unworkable. Yet this could be required for large multinational companies working in 50 or more countries, if each required a local key escrow service. The NS model would allow both date stamping of session keys, and periodic rekeying. Either would satisfy my "unaccepted" Citeria #11, technical limits to the time that a court ordered decryption could be executed. There was a discussion of changing the criteria so that only the transmission of data was concerned with escrow. This would simplify the issue of multinational escrow. We did not resolve whether this would be sufficient or acceptable. Today, we will talk about suitable escrow agencies. Pat -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBME7WOLCsmOInW9opAQHbawP+PSC+9p7ll7yKTiwnkzrIf+aT/ZfuoCqj Fp6ZhykIoJQVF5YAEhz9O1t9FKOauo3baMDhaIvU4pUSm2b/hKlUFB8cwYr7KTjd MFGxTOG/D7blGuX6ZXbHlS5EkKeT1pDtfrd9GlnTKWHxfga/51ROWCG/33BWZxHR lyNLI07UPbo= =kFkC -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Date: Fri, 8 Sep 1995 09:32:43 -0400 (EDT) From: "Pat Farrell" To: cypherpunks@toad.com Cc: BCc: Subject: Day 2 NIST meeting notes X-NUPop-Charset: IBM 8-Bit Thursday's GAK Export meeting started with reports from the prior afternoon's breakout meetings. I reported on the session I was in, saying what I posted to the list yesterday (about National Semi's product, etc.) The other breakout groups reported their problems with the criteria, again asking that #9 be dropped, longer, keys, etc. The presentation for Group "A" was different. It was a speach. It asked that the process be stopped to let industry develop market-driven solutions. It was greeted by applause from the vendors and privacy advocates, with no reaction from the government representatives. Randy Williams of Commerce, and Dan Cook of State, described the current export approval process. Lots of talk of jurisdictions and types of liscenses. I quickly got lost in the jargon. The moderator wisecracked that the official language of the session was English. You couldn't tell from some of the exchanges. They were questioned on import restrictions. Both Williams and Cook said that there are no import restrictions into the US. They also pointed out that Treasury, not State or Commerce, has jurisdiction over imports. An engineer from Compaq asked a question: He said that his company buys liscenses to software, and bundles it as "value added" to their systems. They are interested in bundling in security features. He asked if his computers would then be subject to export restrictions. The answer was yes. He asked if he could purchase security software overseas and import it. The answer was again yes. He asked if he could install that software on his computers, again yes. And export the computers, NO. They didn't even seem to think that this was illogical. So Commerce, State, and the rest of the government are activly encouraging the development of competing software industries in Israel, Germany and other counrties. I hate to think what they'd do if they tried to hurt US industry. And interesting tidbit came up after the session. In an offline conversation, the topic of "personal use export" came up. A reliable source said that revised regulations are being developed, and will, be avaialble soon. I explicitly asked if this meant "PGP on a notebook computer" and was told, Yes, that will be allowed; with the usual rules that it can't be for export, you can't be attempting to sell it, etc. Personal use, carry out and carry back. The "source" was asked if they had read Matt Blaze's personal use disaster story. The name didn't ring a bell, but the story was well know and considered a nightmare. Penny Brummitt of NSA was to talk about Clipper's key escrow agents, but called in sick. I didn't catch the name of the replacement. He talked about Clipper's process, not as an example of what will be required for GAK agents, but as an "existance proof" that some agents can be found. The essence was that Clipper escrow facilities are strong, and staffed with people cleared to the "Secret" level. They also tosed out the phrase "US Person" in regard to the corporate entity that is responsible for the contract. Geoff Greiveldinger, of the US Department of Justice, gave a frequently inaudible recounting of the evils of strong encryption in the war on D, P, & T, and also corrupt mayors. He was very personable. He also sounded like a fascist. Throughout the meeting, all sides tried to have a civil discussion, even though we disagreed. It was impossible to stay civil through his drivel. Ruby Ridge and Furman had been unmentionable up until his speach. Mr. Greiveldinger said that acceptable escrow agents will be in the US. This caused considerable concern among vendors trying to sell in the International market. Dan Weitzer of CDT (the EFF spinoff) gave a short, rousing speach. It was a call to arms. He said that since NIS&T was ignoring the consistant input from industry to stop this silly and stupid GAK, that we need to immediately contact our congresscritters. Ken Mendelsen [sic?] of TIS gave a great speach. He suggested that the critera for escrow agents be the same as the form to export tanks and other munitions. Then he showed the one page form used by State. He argued that legislative solutions to the escrow agent approval process will take too long and kill the effort. I'll try to get copies of his presentation. F.W. Gerbracht, Jr a VP Merril Lynch, represented the Securities Industry Association. He said that they are willing to work with the government, but they need long keys, strong ciphers, and international escrow agents. He used the phrase "unlimited algorithms and keyspace" as a requirement. They also need buy in from their regulators, and presented a long list of SEC, CFT, NYSE, NASDealers, and 50 state regulators, all who have to sign off. Nanette DiTosto of Bankers Trust gave a short, to the point presentation. She said that BT has a commercial key escrow service, but that was not what she wanted to get accross. She said that multinational banks demand strong encryption and non-US escrow agents. And that they would settle for nothing less. A speaker from VTW gave a nice presentation. VTW is something like voter's telecommunications watch. They have a mailing list, at listproc@vtw.org. He said that escrow was doomed to failure. That there is no middle ground. I'll try to get his slides too. Jack Wack of TECSEC gave a pitch for his shrinkwrapped product. He said it is exportable now, they've jumped through all the hoops. He also gave a great crack from his son. It want roughly like: "Dad, if you own the data before you encrypt it, how come the government says you don't own it after you encrypt it?" It brought down the house. (if someone has a more accurate quote, please let me have a copy). Professor Hoffman of George Washington gave a great speach. He listed the Al Gore to Maria Cantwell letter's criteria, as a matrix. He then filled in the matrix with the Export GAK's criteria. It was painfully obvious that the NIST/NSA propsal didn't come close. He recommended that they focus closly on the Gore criteria, and come up with an approach that meets all the the criteria. While I planned on staying for the remainder of the meeting, a crisis came up at my day job. I can't say I was looking forward to more, a day and a half was enough for me, and I wasn't the only person leaving early. Attendance was down visibly Thursday relative to the first day Pat -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMFBGEbCsmOInW9opAQEfQgP+P/P0MRGe3EOElzM0UPQy+xce0XGe3wex gfQdTrGWhL+FbYt/7taj6jgtcRg9zih1yQ3W+kN/VUXY9J4I1b6dw+j0sb6MkCjT pShnflDI5OPQmmUq9KZlmy50u2yXuBqfWSdXd9NypjDsh7XDrWIqvqIcuT1cc/di quNZ3u7aymw= =oJC7 -----END PGP SIGNATURE-----