By By Dorothy E. Denning and William E. Baugh, Jr.
In the summer of 1995, a French student cracked a forty-bit key in eight days using 120 workstations and a few supercomputers.
WHEN SECURITY MANAGERS ASK experts how best to protect a company's computerized information, especially when it is sent across open networks, they are likely to be told to encrypt it. But the need for security in the information age has run up against concerns for public safety and national security. Just as encryption can protect privacy and prevent the theft of proprietary data, it can be a powerful weapon in the hands of terrorists, drug dealers, and others who may use it to conceal their activities and thwart investigations.
For more than two years, the government has been working with industry to hammer out an approach that would promote the use of strong encryption without denying legitimate government access. While there are still unresolved issues, it now appears that progress is being made toward a policy that addresses the needs of both business and the government.
Current law defines encryption programs as munitions, which cannot be exported without a license. Businesses object that the rules make it more difficult for them to obtain strong encryption to protect international communications, and U.S. manufacturers of computer products say it puts them at a competitive disadvantage in the global marketplace. The government's Clipper Chip offered strong, exportable encryption, but it met with considerable opposition on three accounts: its encryption algorithm was classified, it required special hardware, and the government held a backdoor key to every chip.
The most recent discussions center around a new proposal from the Clinton administration. First issued on August 17, then refined and released for comment on November 6, the proposal is expected to be implemented in early 1996. It would allow the general export of software encryption products with unclassified algorithms provided the products meet two criteria: (1) the key size is no more than sixty-four-bit keys and (2) there is an acceptable key escrow mechanism, including the use of approved key escrow agents.
According to the proposal, encryption keys would be held by trusted parties within the private sector rather than by government agencies. While some private sector objections remain (based on opposition to the very idea of government access to an escrowed key as well as continued concerns over the restrictions on key length), the new proposal represents a major step forward in national encryption policy with potential benefits to businesses, individuals, and the government.
Under current export policy, software encryption products with keys longer than forty bits are not generally exportable and are considered on a case-by-case basis following review by the Department of State. The vendor must apply for a separate license for each customer. By comparison, products with key lengths not exceeding forty bits can be readily exported under general licenses administered by the Department of Commerce. Consequently, many products developed by U.S. companies for the international market use forty-bit keys.
The longer the key, the harder it is for a hacker to break the code. For many applications, forty-bit keys provide adequate protection. However, they are not foolproof. In the summer of 1995, a French student cracked a forty-bit key in eight days using 120 workstations and a few supercomputers. The key gave him access to a dummy purchase order that had been encrypted with the overseas version of a popular program for browsing the World Wide Web. Even though a substantial investment of resources was required just to crack a single message, many potential users regard the incident as indication that forty-bit keys are unacceptable.
As a result, some U.S. companies complain that they have lost sales to foreign competitors who are able to provide stronger encryption, including the Data Encryption Standard (DES), which uses fifty-six-bit keys. They cite the widespread availability of products using DES and other encryption algorithms worldwide as evidence that export controls limit U.S. companies' competitiveness in the global market. As of June 1995, Trusted Information Systems of Glenwood, Maryland, had identified 455 encryption products from 27 countries, 179 of which used DES. In some cases, software vendors have built separate product lines for domestic and foreign sales to meet the demands of U.S. customers for DES or better encryption.
The proposed liberalization of export controls would allow a vendor to develop a single product line for both domestic and international sales, using software or hardware implementations of DES or stronger sixty-four-bit algorithms. This step should help integrate strong encryption into network and applications software, thereby making it cheaper and easier for businesses to encrypt their electronic transactions and proprietary data. If strong algorithms can be implemented in both domestic and international products, businesses will be able to communicate securely with customers, suppliers, partners, investors, and subsidiaries throughout the world.
Exportable products will be allowed to use keys up to sixty-four-bits long, but they must not provide multiple encryption modes that increase the key length. For example, the criteria will allow the use of DES, but not double or triple-DES, which uses two keys that equal 112 bits or three keys that equal 168 bits.
Sixty-four bits might not sound like much more than forty, but each bit doubles the number of possible keys and thus the effort required to crack a key. The additional twenty-four bits provides security that is about 17 million times stronger than a forty-bit key. It would have taken the French student 136 million days--or about 2 billion computers in eight days--to crack a single sixty-four-bit key. At the current rate of technological advancement, it will be several decades before the French student could break a sixty-four-bit key in eight days with updated computers. Sixty-four bits is likely to provide a high level of security for at least the next twenty years.
If a company sends out numerous messages per day, each encrypted with a different key, the task of an adversary who must attempt to break all keys with the hope of finding some message worth reading becomes all the more impractical. For the near term, DES combined with key escrow can provide strong security while being available in exportable software products. For the longer term, DES, which is now about twenty years old, can be replaced with a sixty-four-bit algorithm.
At the heart of any encryption scheme is the algorithm--a sequence of mathematical steps that are used to scramble the bits of information into gibberish. The government's Clipper Chip was criticized, in part, for using a classified algorithm (Skipjack). The objections were twofold: the algorithm was not open to public scrutiny, and special hardware was required in order to protect the classified code.
The November proposal addresses these concerns by allowing for unclassified algorithms and software implementations. The proposal does not, however, prohibit the use of either hardware or classified algorithms in exportable products.
The advantage of hardware is that it generally offers greater security than software. In addition, it can better protect against tampering that would disable or circumvent the key escrow mechanism. For this reason, hardware devices that implement key escrow might be approved for export with even longer keys. The Fortezza Card (see below), for example, uses the Skipjack algorithm, which has eighty-bit keys.
The keys to the government's Clipper Chip are held by two government entities. Industry asked for private sector escrow agents, and the November proposal satisfies that request. The government is currently considering conditions under which some organizations could hold their own keys.
Under the November proposal, products must be designed to resist alterations that would circumvent or disable the key escrow mechanism. The escrowed encryption functions must operate only with escrowed functions in other products. They must not operate with products whose key escrow features have been altered or disabled.
To qualify for general export under the November proposal, an encryption product must also provide an acceptable key escrow mechanism. A vendor with a candidate product would submit the product to the Department of State for review. If it is determined that the product meets the criteria for export, it would be transferred to the Commodity Control List (CCL), administered by the Department of Commerce, where it would be exportable under a general license.
The export criteria are intended to ensure that the government can, when lawfully authorized, readily access keys and decrypt intercepted communications and stored information in a timely manner. Products must include information in the encrypted text that identifies the escrow agents and the particular keys needed for decryption. Keys must be held by escrow agents certified by the U.S. government or by foreign governments with which the U.S. government has formal agreements.
At a meeting held at the National Institute of Standards and Technology on December 5, the government distributed draft criteria for key escrow agents. These criteria address requirements for escrow system integrity and security and for key access.
Escrow agents will be required to ensure the confidentiality, integrity, and availability of key-escrow-related information and to ensure only authorized use of that information. They will need to respond to requests in a timely fashion and maintain audit records of all events related to the management and release of keys.
Key escrow is already a feature or option of Clipper, Fortezza, and several other commercial products. These include Fisher Watchdog, Nortel's Entrust, PC Security's Stoplock KE (used by Shell International), RSA Secure, and TECSEC Veil. With all of these products, escrowing can be done within the user's organization.
Bankers Trust is developing a commercial key escrow system in which the keys, which are stored on hardware cryptographic tokens, can be split among multiple third party escrow agents. Other proposals have come from researchers at AT&T, Bell Atlantic, Cylink, Fortress U&T, Karlsruhe University, Massachusetts Institute of Technology, Royal Holloway, and the University of Wisconsin.
Several of the above products and proposals have come from outside the U.S. In addition, other governments have been considering encryption policies based on key escrow.
While not speaking on behalf of their governments, at the International Cryptography Institute, Peter Ford from the Australian Attorney General's Department and David Gould, formerly with the U.K. Cabinet Office, both expressed interest in the use of key escrow to resolve the dilemma posed by encryption. Gould commended the idea of a Europeanwide network of trust services, under the control of member states, accredited to offer digital signatures, confidentiality, data integrity, and other services. Such a network should operate with other international arrangements. The trusted parties, which could be commercial or private entities, would also serve as key escrow agents. The European Community is said to be considering an encryption policy based on key escrow and the use of trusted third parties.
How it works. Escrowed encryption provides a backup decryption capability for emergency use. This capability makes use of special data recovery keys that are held by a trusted fiduciary. The data recovery keys need not be--and typically are not--the ones used for normal encryption and decryption, but they must provide access to those keys. They can be unique to individual users or products or shared by many users. Use of the backup capability is restricted to persons who have been authorized to access the information that has been encrypted. These individuals can include users, their organizations, and law enforcement officials.
Although there is no single approach to escrowed encryption, all methods follow a few general principles. The data recovery key for a particular encryption product is generated by or given to a trusted party sometime before the product is used. For example, it might be generated and escrowed during product manufacture or when the product is initialized and registered with an escrow agent. The key could be given to a single escrow agent or it could be split into several components, with each component held by a separate entity.
Whenever a document is encrypted by the product, the product attaches sufficient information to the encrypted data to allow backup decryption. If the user's everyday encryption key is later lost, then the user or an officer in the user's organization could give that information to the escrow agent and request assistance.
After determining that the request is authentic, the escrow agent either would release the data recovery key--if it is unique to the user--or use the key to determine and release the data encryption key. If an investigative or intelligence agency needs access to the key during an authorized search or communications intercept, the agency would present certification of the legal authority--normally a court order--to the escrow agents to access that information. Legitimate privacy interests can be protected through access procedures, auditing, and other technical, legal, and operational safeguards.
The administration's new software key escrow proposal responds to industry's request for a flexible approach to key escrow and liberalized export controls. The proposal accommodates industry's request to use unclassified algorithms, software, and private sector escrow agents that would support emergency decryption for both registered users and authorized government officials. While many issues remain to be resolved, this move toward a compromise with the private sector is a good first step toward a policy that meets the needs of both law enforcement and business.
William E. Baugh, Jr., J.D., is vice president for corporate development, Science Applications International Corporation of McLean, Virginia. He recently retired from the FBI, where he was assistant director of the information resources division. Dorothy E. Denning, Ph.D., is professor of computer science at Georgetown University in Washington, D.C. She was chair of the International Cryptography Institute in 1995.
© 1995 Dorothy Denning and William Baugh, Jr.
The Fortezza Card
THE CLIPPER CHIP IS A scaled back version of a more advanced chip, called Capstone, which the National Security Agency (NSA) developed for use in the Fortezza PC card (also called a PCMCIA card). The government's goal was a small, affordable, and secure hardware token that would provide cryptographic services for confidentiality protection, authentication, and digital signatures.
Capstone implements the Escrowed Encryption Standard (EES)--also the Clipper standard--plus public-key cryptographic algorithms for the Digital Signature Standard and for generating and establishing session keys. A Fortezza PCMCIA modem card is also available so that encryption and decryption can be performed either as part of the transmission protocols or as independent service calls, for example, to encrypt or decrypt files and electronic mail messages. The government plans to extend the scope of the EES to cover high speed communications over computer networks so that Fortezza and other Capstone-based devices will meet approved standards for use by federal agencies.
Although Fortezza was developed as part of NSA's Multilevel Information Systems Security Initiative (MISSI), the technology is available commercially. What makes it attractive from a corporate standpoint is that it provides a full suite of cryptographic functions with strong security and a data recovery capability in a single package that can be integrated into commercial products. Support for Fortezza has already been added to AT&T SecureAgent, Netscape Navigator, Oracle's Secure Network Services, and other products.
Data recovery is handled through the certificate authorities, which grant certificates for the public keys used for key establishment and digital signatures. Those same authorities escrow the user's corresponding private keys, which are stored on the Fortezza card; the keys can be recovered from the certificate authority in case the card is lost or the keys become corrupted. Without the key escrow system, encrypted messages and files would otherwise be inaccessible because the government key escrow system used with Clipper or Capstone does not provide services for user data recovery.
Why Key Escrow
ALTHOUGH ENCRYPTION IS an essential tool for protecting communications and electronic commerce, it can also threaten public safety and national security. Powerful encryption methods can be used by organized crime, drug traffickers, and terrorist groups to facilitate their crimes and conceal their activities from lawful surveillance by governments. At the International Cryptography Institute held in Washington in September, FBI Director Louis Freeh reported that encryption had been encountered in a terrorism investigation in the Philippines involving an alleged plot to assassinate Pope John Paul II and bomb a U.S. airliner. He also noted that the FBI had encountered encryption in a child pornography case.
As encryption becomes more available and easier to use, it will become routine to encounter it during an investigation. If law enforcement and intelligence agencies are effectively locked out of all communications and stored files, their ability to carry out their missions could be seriously impaired.
Key escrow encryption offers an alternative scenario that delivers the benefits of encryption without its harms. By adopting the key escrow standard for government computer systems and requiring that products with strong encryption be coupled with key escrow to qualify for general export, the administration's encryption policy will promote products that are safe for society.
Key escrow also benefits private organizations. It protects against the hazards of lost or damaged keys, whether caused by accident or by disgruntled employees or former employees.
One company that provides software and services to help companies recover data hidden behind passwords and encryption schemes reports receiving approximately eighteen calls a day from companies that have encountered problems accessing their own encrypted information. Protection from these disasters will become even more critical as corporate strategies, secrets, and financial information are increasingly transmitted and stored electronically.
In addition, key escrow offers protection against employees using encryption to cover up fraud, espionage, and other crimes. If encryption prevents a law enforcement agency from successfully investigating a case involving persons inside the organization, the organization could suffer huge financial losses and damage to its public image. Because such investigations can require access to communications as well as to stored files, key escrow is useful for both.
In recognition of these threats, some companies have adopted internal security policies requiring key escrow. At the International Cryptography Institute, Nick Mansfield of Shell International reported that key escrow is used in Shell Group enterprises. Keys are escrowed by a trusted Shell service company on behalf of the shareholders and businesses. This provides the shareholders with an independent ability to decrypt information should the need arise. Business continuity is supported by a fallback mechanism to recover encrypted data in the event of a disaster.
Key escrow thus offers a valuable service to individuals, organizations, and society. While benefiting law enforcement, it protects businesses from a host of problems--from misplaced keys to espionage.