---
created_at: '2018-01-04T14:51:28.000Z'
title: Battle of the Clipper Chip (1994)
url: http://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html?pagewanted=all
author: Cieplak
points: 65
story_text:
comment_text:
num_comments: 19
story_id:
story_title:
story_url:
parent_id:
created_at_i: 1515077488
_tags:
- story
- author_Cieplak
- story_16070656
objectID: '16070656'
---
On a sunny spring day in Mountain View, Calif., 50 angry activists are
plotting against the United States Government. They may not look
subversive sitting around a conference table dressed in T-shirts and
jeans and eating burritos, but they are self-proclaimed saboteurs. They
are the Cypherpunks, a loose confederation of computer hackers, hardware
engineers and high-tech rabble-rousers.

The precise object of their rage is the Clipper chip, officially known as
the MYK-78 and not much bigger than a tooth. Just another tiny square of
plastic covering a silicon thicket. A computer chip, from the outside
indistinguishable from thousands of others. It seems improbable that
this black Chiclet is the focal point of a battle that may determine the
degree to which our civil liberties survive in the next century. But
that is the shared belief in this room.

The Clipper chip has prompted what might be considered the first holy
war of the information highway. Two weeks ago, the war got bloodier, as
a researcher circulated a report that the chip might have a serious
technical flaw. But at its heart, the issue is political, not technical.
The Cypherpunks consider the Clipper the lever that Big Brother is using
to pry into the conversations, messages and transactions of the computer
age. These high-tech Paul Reveres are trying to mobilize America against
the evil portent of a "cyberspace police state," as one of their
Internet jeremiads put it. Joining them in the battle is a formidable
force, including almost all of the communications and computer
industries, many members of Congress and political columnists of all
stripes. The anti-Clipper aggregation is an equal-opportunity club,
uniting the American Civil Liberties Union and Rush Limbaugh.

The Clipper's defenders, who are largely in the Government, believe it
represents the last chance to protect personal safety and national
security against a developing information anarchy that fosters
criminals, terrorists and foreign foes. Its adherents pose it as the
answer, or at least part of the answer, to a problem created by an
increasingly sophisticated application of an age-old technology:
cryptography, the use of secret codes.

For centuries, cryptography was the domain of armies and diplomatic
corps. Now it has a second purpose: protecting personal and corporate
privacy. Computer technology and advanced telecommunications equipment
have drawn precious business information and intimate personal
communications out into the open. This phenomenon is well known to the
current Prince of Wales, whose intimate cellular phone conversations
were intercepted, recorded and broadcast worldwide. And corporations
realize that competitors can easily intercept their telephone
conversations, electronic messages and faxes. High tech has created a
huge privacy gap. But miraculously, a fix has emerged: cheap,
easy-to-use, virtually unbreakable encryption. Cryptography is the
silver bullet by which we can hope to reclaim our privacy.

The solution, however, has one drawback: cryptography shields the law
abiding and the lawless equally. Law-enforcement and intelligence
agencies contend that if strong codes are widely available, their
efforts to protect the public would be paralyzed. So they have come up
with a compromise, a way to neutralize such encryption. That's the
Clipper chip and that compromise is what the war is about.

The idea is to give the Government means to override other people's
codes, according to a concept called "key escrow." Employing normal
cryptography, two parties can communicate in total privacy, with both of
them using a digital "key" to encrypt and decipher the conversation or
message. A potential eavesdropper has no key and therefore cannot
understand the conversation or read the data transmission. But with
Clipper, an additional key -- created at the time the equipment is
manufactured -- is held by the Government in escrow. With a
court-approved wiretap, an agency like the F.B.I. could listen in. By
adding Clipper chips to telephones, we could have a system that assures
communications will be private -- from everybody but the Government.

And that's what rankles Clipper's many critics. Why, they ask, should
people accused of no crime have to give Government the keys to their
private communications? Why shouldn't the market rather than Government
determine what sort of cryptosystem wins favor? And isn't it true that
the use of key escrow will make our technology so unattractive to the
international marketplace that the United States will lose its edge in
the lucrative telecommunications and computer fields? Clipper might clip
the entire economy.

Nonetheless, on Feb. 4 the White House announced its approval of the
Clipper chip, which had been under study as a Government standard since
last April, and the Crypto War broke out in full force. Within a month,
one civil liberties group, Computer Professionals for Social
Responsibility, received 47,000 electronic missives urging a stop to
Clipper. "The war is upon us," wrote Tim May, co-founder of the
Cypherpunks, in an urgent electronic dispatch soon after the
announcement. "Clinton and Gore folks have shown themselves to be
enthusiastic supporters of Big Brother."

And though the Clinton Administration's endorsement of Clipper as a
Government standard required no Congressional approval, rumblings of
discontent came from both sides of the Capitol. Senator Patrick J.
Leahy, the Vermont Democrat whose subcommittee has held contentious
hearings on the matter, has called the plan a "misstep," charging that
"the Government should not be in the business of mandating particular
technologies."

Two weeks ago, an AT\&T Bell Laboratories researcher revealed that he
had found a serious flaw in the Clipper technology itself, enabling
techno-savvy lawbreakers to bypass the security function of the chip in
some applications. Besides being a bad idea, Clipper's foes now say, it
doesn't even work properly.

Yet the defenders of Clipper have refused to back down, claiming that
the scheme -- which is, they often note, voluntary -- is an essential
means of stemming an increasing threat to public safety and security by
strong encryption in everyday use. Even if Clipper itself has to go back
to the drawing board, its Government designers will come up with
something quite similar. The underlying issue remains unchanged: If
something like Clipper is not implemented, writes Dorothy E. Denning, a
Georgetown University computer scientist, "All communications on the
information highway would be immune from lawful interception. In a world
threatened by international organized crime, terrorism and rogue
governments, this would be folly."

The claims from both sides sound wild, almost apocalyptic. The passion
blurs the problem: Can we protect our privacy in an age of computers --
without also protecting the dark forces in society?

The crypto war is the inevitable consequence of a remarkable discovery
made almost 20 years ago, a breakthrough that combined with the
microelectronics revolution to thrust the once-obscure field of
cryptography into the mainstream of communications policy.

It began with Whitfield Diffie, a young computer scientist and
cryptographer. He did not work for the Government, which was strange
because in the 1960's almost all serious crypto in this country was done
under Federal auspices, specifically at the Fort Meade, Md.,
headquarters of the supersecret National Security Agency. Though it
became bigger than the C.I.A., the N.S.A. was for years unknown to
Americans; the Washington Beltway joke was that the initials stood for
"No Such Agency." Its working premise has always been that no
information about its activities should ever be revealed. Its main
mission involved cryptography, and the security agency so dominated the
field that it had the power to rein in even those few experts in the
field who were not on its payroll.

But Whitfield Diffie never got that message. He had been bitten by the
cryptography bug at age 10 when his father, a professor, brought home
the entire crypto shelf of the City College library in New York. Then he
lost interest, until he arrived at M.I.T.'s Artificial Intelligence
Laboratory in 1966. Two things rekindled his passion. Now trained as a
mathematician, he had an affinity for the particular challenges of
sophisticated crypto. Just as important, he says, "I was always
concerned about individuals, an individual's privacy as opposed to
Government secrecy."

Diffie, now 50, is still committed to those beliefs. When asked about
his politics, he says, "I like to describe myself as an iconoclast." He
is a computer security specialist for Sun Microsystems, a celebrated
cryptographer and an experienced hand at Congressional testimony. But he
looks like he stumbled out of a Tom Robbins novel -- with blond hair
that falls to his shoulders and a longish beard that seems a virtual
trademark among code makers. At a Palo Alto, Calif., coffeehouse one
morning, he describes, in clipped, precise cadence, how he and Martin E.
Hellman, an electrical engineering professor at Stanford University,
created a crypto revolution.

Diffie was dissatisfied with the security on a new time-sharing computer
system being developed by M.I.T. in the 1960's. Files would be protected
by passwords, but he felt that was insufficient. The system had a
generic flaw. A system manager had access to all passwords. "If a
subpoena was served against the system managers, they would sell you
out, because they had no interest in going to jail," Diffie says. A
perfect system would eliminate the need for a trusted third party.

This led Diffie to think about a more general problem in cryptography:
key management. Even before Julius Caesar devised a simple cipher to
encode his military messages, cryptography worked by means of keys. That
is, an original message (what is now called "plaintext") was encrypted
by the sender into seeming gibberish (known as "ciphertext"). The
receiver, using the same key, decrypted the message back into the
original plaintext. For instance, the Caesar key was the simple
replacement of each letter by the letter three places down in the
alphabet. If you knew the key, you could encrypt the word help into the
nonsense word khos; the recipient of the message would decrypt the
message back to help.

The problem came with protecting the key. Since anyone who knew the
Caesar key would be able to understand the encoded message, it behooved
the Romans to change that key as often as possible. But if you change
the key, how do you inform your spies behind enemy lines? (If you tell
them using the old code, which may have already been cracked, your
enemies will then learn the new code.) For centuries, generals and
diplomats have faced that predicament. But a few years ago, it took on
added urgency.

With computers and advanced telecommunications, customers outside
Government were discovering a need for information security.
Cryptography was the answer, but how could it be applied widely,
considering the problem of keys? The best answer to date was something
called a key-management repository, where two parties who wanted secrecy
would go to a trusted third party who would generate a new key for the
private session. But that required just what Diffie deplored -- an
unwanted third wheel.

"The virtue of cryptography should be that you don't have to trust
anybody not directly involved with your communication," Diffie says.
"Without conventional key distribution centers, which involved trusting
third parties, I couldn't figure how you could build a system to secure,
for instance, all the phones in the country."

When Diffie moved to Stanford University in 1969, he foresaw the rise of
home computer terminals and began pondering the problem of how to use
them to make transactions. "I got to thinking how you could possibly
have electronic business, because signed letters of intent, contracts
and all seemed so critical," he says. He devoured what literature he
could find outside the National Security Agency. And in the mid-1970's,
Diffie and Hellman achieved a stunning breakthrough that changed
cryptography forever. They split the cryptographic key.

In their system, every user has two keys, a public one and a private
one, that are unique to their owner. Whatever is scrambled by one key
can be unscrambled by the other. It works like this: If I want to send a
message to Whit Diffie, I first obtain his public key. (For complicated
mathematical reasons, it is possible to distribute one's public key
freely without compromising security; a potential enemy will have no
advantage in code-cracking if he holds your public key alone.) Then I
use that key to encode the message. Now it's gobbledygook and only one
person in the world can decode it -- Whit Diffie, who holds the other,
private, key. If he wants to respond to me with a secret message, he
uses my public key to encode his answer. And I decode it, using my
private key.

It was an amazing solution, but even more remarkable was that this
split-key system solved both of Diffie's problems, the desire to shield
communications from eavesdroppers and also to provide a secure
electronic identification for contracts and financial transactions done
by computer. It provided the identification by the use of "digital
signatures" that verify the sender much the same way that a real
signature validates a check or contract.
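
The two-key property described above, worked through with textbook RSA (the scheme the article names a few paragraphs on). This is an added example, not part of the original article; the small fixed primes, the absence of padding and every function name are assumptions made for illustration, and the parameters offer no real security.

```python
"""Textbook RSA with tiny fixed primes: illustration only, not secure."""
import hashlib
from math import gcd

# Constructed parameters: two well-known Mersenne primes, chosen so the
# numbers stay readable. Real keys use large random primes plus padding.
P = 2**61 - 1
Q = 2**89 - 1


def make_keypair(p, q, e=65537):
    """Return (public, private), each an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d = 1 mod phi (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, value):
    """The one operation both keys perform: modular exponentiation."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


def encrypt(public, message):
    """Scramble a short byte string with the recipient's public key."""
    return apply_key(public, int.from_bytes(message, "big"))


def decrypt(private, ciphertext):
    """Unscramble with the matching private key."""
    m = apply_key(private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message, modulus):
    # Hash first so that messages of any length can be signed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(private, message):
    """Digital signature: scramble the message digest with the private key."""
    return apply_key(private, _digest(message, private[1]))


def verify(public, message, signature):
    """Anyone holding the public key can check the signature."""
    return apply_key(public, signature) == _digest(message, public[1])


def demo():
    public, private = make_keypair(P, Q)
    ciphertext = encrypt(public, b"help")         # sender needs only the public key
    recovered = decrypt(private, ciphertext)      # only the key owner can read it
    contract = b"letter of intent, 12 June 1994"  # constructed sample text
    signature = sign(private, contract)
    return {
        "recovered": recovered,
        "genuine": verify(public, contract, signature),
        "tampered": verify(public, contract + b"!", signature),
    }


if __name__ == "__main__":
    print(demo())
```

The same `apply_key` operation serves both uses: the public key scrambles what only the private key can read, and the private key produces a signature that anyone with the public key can check.
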
Suddenly, the ancient limitations on cryptography had vanished. Now,
perhaps before the millennium, strong cryptography could find its way to
every telephone, computer and fax machine -- if users wanted it.
Subsequent variations on the Diffie-Hellman scheme focused on using
crypto algorithms to insure the anonymity of transactions. Using these
advances, it is now possible to think of replacing money with digital
cash -- while maintaining the comforting untraceability of bills and
coins. The dark art of cryptography has become a tool of liberation.

From the moment Diffie and Hellman published their findings in 1976, the
National Security Agency's crypto monopoly was effectively terminated.
In short order, three M.I.T. mathematicians -- Ronald L. Rivest, Adi
Shamir and Leonard M. Adleman -- developed a system with which to put
the Diffie and Hellman findings into practice. It was known by their
initials, RSA. It seemed capable of creating codes that even the N.S.A.
could not break. They formed a company to sell their new system; it was
only a matter of time before thousands and then millions of people began
using strong encryption.

That was the National Security Agency's greatest nightmare. Every
company, every citizen now had routine access to the sorts of
cryptographic technology that not many years ago ranked alongside the
atom bomb as a source of power. Every call, every computer message,
every fax in the world could be harder to decipher than the famous
German "Enigma" machine of World War II. Maybe even impossible to
decipher\!

The genie was out of the bottle. Next question: Could the genie be made
to wear a leash and collar? Enter the Clipper chip.

When illustrating the Government's need to control crypto, Jim
Kallstrom, the agent in charge of the special operations division of the
New York office of the F.B.I., quickly shifts the discussion to the
personal: "Are you married? Do you have a child? O.K., someone kidnaps
one of your kids and they are holding your kid in this fortress up in
the Bronx. Now, we have probable cause that your child is inside this
fortress. We have a search warrant. But for some reason, we cannot get
in there. They made it out of some new metal, or something, right?
Nothing'll cut it, right? And there are guys in there, laughing at us.
That's what the basis of this issue really is -- we've got a situation
now where a technology has become so sophisticated that the whole notion
of a legal process is at stake here\!"

Kallstrom is a former head of the Bureau Tech Squad, involved in the
bugging operation that brought John Gotti to justice. Some have
described him as the F.B.I.'s answer to "Q," the gadget wizard of the
James Bond tales.

"From the standpoint of law enforcement, there's a superbig threat out
there -- this guy is gonna build this domain in the Bronx now, because
he's got a new steel door and none of the welding torches, none of the
boomerangs, nothing we have is gonna blast our way in there. Sure, we
want those new steel doors ourselves, to protect our banks, to protect
the American corporation trade secrets, patent rights, technology. But
people operating in legitimate business are not violating the laws -- it
becomes a different ball of wax when we have probable cause and we have
to get into that domain. Do we want a digital superhighway where not
only the commerce of the nation can take place but where major criminals
can operate impervious to the legal process? If we don't want that, then
we have to look at Clipper."

Wiretapping is among law enforcement's most cherished weapons. Only 919
Federal, state and local taps were authorized last year, but police
agencies consider them essential to fighting crime. Obviously if
criminals communicate using military-grade cryptosystems, wiretapping
them becomes impossible.

For two years, the F.B.I. has been urging Congress to pass the proposed
Digital Telephony and Communications Privacy Act, which would in essence
require that new communications technologies be designed to facilitate
wiretapping. Even if the bill should somehow pass, overcoming the
opposition of the communications industry and civil libertarians, the
extra effort and expense will be wasted if the only thing the
wiretappers can hear is the hissy white noise of encrypted phone
conversations and faxes. If cryptography is not controlled, wiretapping
could be rendered obsolete. Louis J. Freeh, the Director of the F.B.I.,
surely fears that prospect. He has told Congress that preserving the
ability to intercept communications legally, in the face of these
technological advances, is "the No. 1 law enforcement, public safety and
national security issue facing us today."

Some people criticize Clipper on the basis that truly sophisticated
criminals would never use it, preferring other easily obtained systems
that use high-grade cryptography. Despite Clipper, kidnappers and drug
kingpins may construct Kallstrom's virtual fort in the Bronx with
impunity, laughing at potential wiretappers.

The Government understands the impossibility of eradicating strong
crypto. Its objective is instead to prevent unbreakable encryption from
becoming routine. If that happens, even the stupidest criminal would be
liberated from the threat of surveillance. But by making Clipper the
standard, the Government is betting that only a tiny percentage of users
would use other encryption or try to defeat the Clipper.

At a rare public appearance in March at a conference on computers and
privacy, Stewart A. Baker, then general counsel of the National Security
Agency, tried to explain. "The concern is not so much what happens today
when people go in and buy voice scramblers," said Baker, a dapper,
mustached lawyer who worked as an Education Department lawyer in the
Carter Administration. "It is the prospect that in 5 years or 10 years
every phone you buy that costs $75 or more will have an encrypt button
on it that will interoperate with every other phone in the country and
suddenly we will discover that our entire communications network is
being used in ways that are profoundly antisocial. That's the real
concern, I think, that Clipper addresses. If we are going to have a
standardized form of encryption that is going to change the world, we
should think seriously about what we are going to do when it is
misused."

Not all law-enforcement experts believe that cryptography will unleash a
riot of lawlessness. William R. Spernow, a Sacramento, Calif., computer
crime specialist who works on a grant from the Federal Bureau of Justice
Assistance, has encountered a few cases in which criminals have
encrypted information unbreakably, including one involving a pedophile
who encrypted the identities of his young victims. Yet Spernow sees no
reason to panic. "In cases where there's encryption, the officers have
been able to make the case through other investigative means," he says.
"If we hustle, we can still make our cases through other kinds of police
work."

But crime is only part of the problem. What happens to national security
if cryptography runs free? Those who know best, officials of the
National Security Agency, won't say. When the agency's director, Vice
Adm. John M. McConnell, testified before a Senate subcommittee on May 3,
he withheld comment on this question until the public hearing was
terminated and a second, classified session convened in a secure room.
Still, the effect of strong crypto on N.S.A. operations is not difficult
to imagine. The agency is charged with signals intelligence, and it is
widely assumed that it monitors all the communications between borders
and probably much of the traffic within foreign countries. (It is barred
from intercepting domestic communications.) If the crypto revolution
crippled N.S.A.'s ability to listen in on the world, the agency might
miss out on something vital -- for instance, portents of a major
terrorist attack.

No compelling case has been made, however, that the key-escrow system
would make it easier for authorities to learn of such an attack. The
National Security Agency would take the legal steps to seek the telltale
keys after it had first identified those potential terrorists and
wiretapped their calls, then discovered the impenetrable hiss of
encryption. Even then, the keys would be useful only if the terrorists
were encoding conversations with Clipper technology, the one kind the
Government had the capability to decode instantly. What sort of nuclear
terrorist would choose Clipper?

The Government response has been to say that potential terrorists might
indeed use alternative crypto methods to converse among themselves. But
if Clipper were the accepted standard, the terrorists would have to use
it to communicate with outsiders -- banks, suppliers and other contacts.
The Government could listen in on those calls. However, the work of the
Bell Labs researcher, Matthew Blaze, casts serious doubt on that
contention. Blaze has uncovered a flaw in Clipper that would allow a
user to bypass the security function of the chip. Anyone who tinkered
with Clipper in this way could communicate in privacy with anyone else
with a Clipper phone and Government wiretappers would be unable to
locate the key to unscramble the conversations.

Nonetheless, it was the terrorist threat, along with national security
concerns, that moved the Clinton Administration to support the
key-escrow initiative. White House high-tech policy makers share a
recurrent fear: one day they might be sitting before an emergency
Congressional investigation after the destruction of half of Manhattan
by a stolen nuclear weapon planted in the World Trade towers and trying
to explain that the Government had intercepted the communications of the
terrorists but could not understand them because they used strong
encryption. If Clipper were enacted, they could at least say, "We
tried."

Obviously the Government views the Crypto revolution with alarm and
wants to contain it. For years, much of its efforts have focused on the
use of stringent export controls. While cryptography within the United
States is unrestricted, the country's export laws treat any sort of
encryption as munitions, like howitzers or nuclear triggers. The
National Security Agency is the final arbiter and it will approve
exports of cryptosystems in computer software and electronic hardware
only if the protective codes are significantly weakened.

The N.S.A. stance is under attack from American businesses losing sales
to foreign competitors. Listen to D. James Bidzos, the 39-year-old
president of RSA Data Security, the Redwood City, Calif., company that
controls the patents for public-key cryptography: "For almost 10 years,
I've been going toe to toe with these people at Fort Meade. The success
of this company is the worst thing that can happen to them. To them,
we're the real enemy, we're the real target."

RSA is making a pitch to become the standard in encryption; its
technology has been adopted by Apple, AT\&T, Lotus, Microsoft, Novell
and other major manufacturers. So imagine its unhappiness that its main
rival is not another private company, but the National Security Agency,
designer of the key-escrow cryptosystems. The agency is a powerful and
dedicated competitor.

"We have the system that they're most afraid of," Bidzos says. "If the
U.S. adopted RSA as a standard, you would have a truly international,
interoperable, unbreakable, easy-to-use encryption technology. And all
those things together are so synergistically threatening to the N.S.A.'s
interests that it's driving them into a frenzy."

The export laws put shackles on Bidzos's company while his overseas
competitors have no such restraints. Cryptographic algorithms that the
N.S.A. bans for export are widely published and are literally being sold
on the streets of Moscow. "We did a study on the problem and located 340
foreign cryptographic products sold by foreign countries," says Douglas
R. Miller, government affairs manager of the Software Publishers
Association. "The only effect of export controls is to cripple our
ability to compete."

The real potential losses, though, come not in the stand-alone
encryption category, but in broader applications. Companies like
Microsoft, Apple and Lotus want to put strong encryption into their
products but cannot get licenses to export them. Often, software
companies wind up installing a weaker brand of crypto in all their
products so that they can sell a single version worldwide. This seems to
be the Government's intent -- to encourage "crypto lite," strong enough
to protect communications from casual intruders but not from Government
itself.

In the long run, however, export regulation will not solve the National
Security Agency's problem. The crypto business is exploding. People are
becoming more aware of the vulnerability of phone conversations,
particularly wireless ones. Even the National Football League is
adopting crypto technology; it will try out encrypted radio
communication between coaches and quarterbacks, so rivals can't
intercept last-minute audibles.

Anticipating such a boom, the N.S.A. devised a strategy for the 90's. It
would concede the need for strong encryption but encourage a system with
a key-escrow "back door" that provides access to communications for
itself and law enforcement. The security agency had already developed a
strong cryptosystem based on an algorithm called Skipjack, supposedly 16
million times stronger than the previous standard, D.E.S. (Data
Encryption Standard). Now the agency's designers integrated Skipjack
into a new system that uses a Law Enforcement Access Field (LEAF) that
adds a signal to the message that directs a potential wiretapper to the
appropriate key to decipher the message. These features were included in
a chip called Capstone, which could handle not only telephone
communications but computer data transfers and digital signatures.
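
A simplified model of the key-escrow arrangement described above: a unit key escrowed at manufacture, and an access field that leads an authorized interceptor to the session key. This is an added example, not part of the original article and not the Clipper design itself; the field layout, the class and function names and the stand-in cipher (a SHA-256 keystream, not Skipjack) are assumptions made so the model runs with the standard library.

```python
"""Simplified model of key escrow with an access field; illustration only."""
import hashlib
import secrets


def xor_stream(key, nonce, data):
    """Stand-in cipher (SHA-256 keystream XOR). It is NOT Skipjack and is not
    meant for real use; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


class EscrowAgent:
    """Hypothetical key holder: unit ID -> unit key, released on authorization."""

    def __init__(self):
        self._unit_keys = {}

    def deposit(self, unit_id, unit_key):
        self._unit_keys[unit_id] = unit_key

    def release(self, unit_id, authorized):
        if not authorized:
            raise PermissionError("no legal authorization presented")
        return self._unit_keys[unit_id]


class EscrowedPhone:
    """Device whose unit key is created and escrowed at manufacture."""

    def __init__(self, unit_id, escrow):
        self.unit_id = unit_id
        self._unit_key = secrets.token_bytes(16)
        escrow.deposit(unit_id, self._unit_key)

    def send(self, session_key, plaintext):
        nonce = secrets.token_bytes(12)
        # Access field: which unit spoke, plus the session key wrapped under
        # that unit's escrowed key. The layout is an assumption of this model.
        wrapped = xor_stream(self._unit_key, b"leaf" + nonce, session_key)
        return {
            "access_field": {"unit_id": self.unit_id, "wrapped_session_key": wrapped},
            "nonce": nonce,
            "ciphertext": xor_stream(session_key, nonce, plaintext),
        }


def receive(session_key, message):
    """The intended peer already shares the session key."""
    return xor_stream(session_key, message["nonce"], message["ciphertext"])


def wiretap(message, escrow, authorized):
    """An interceptor never saw the session key; the access field plus the
    escrowed unit key are enough to recover it."""
    field = message["access_field"]
    unit_key = escrow.release(field["unit_id"], authorized)
    session_key = xor_stream(
        unit_key, b"leaf" + message["nonce"], field["wrapped_session_key"]
    )
    return receive(session_key, message)


def demo():
    escrow = EscrowAgent()
    phone = EscrowedPhone(unit_id=1001, escrow=escrow)  # constructed unit ID
    session_key = secrets.token_bytes(16)               # agreed by the two callers
    message = phone.send(session_key, b"meet at noon")  # constructed plaintext
    try:
        wiretap(message, escrow, authorized=False)
        refused = False
    except PermissionError:
        refused = True
    return {
        "peer": receive(session_key, message),
        "tap_with_order": wiretap(message, escrow, authorized=True),
        "tap_refused_without_order": refused,
    }


if __name__ == "__main__":
    print(demo())
```

In this model the only thing separating an interceptor from the plaintext is the `authorized` check inside the escrow store, so the confidentiality of every call rests on whoever holds and guards that store.
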
Supposedly, this technology was designed for Government use, but in 1993
the National Security Agency had a sudden opportunity to thrust it into
the marketplace. AT\&T had come to the agency with a new, relatively
low-cost secure-phone device called the Surity 3600 that was designed to
use the nonexportable DES encryption algorithm. The N.S.A. suggested
that perhaps AT\&T could try something else: a stripped-down version of
Capstone for telephone communications. This was the Clipper chip. As a
result, AT\&T got two things: an agreement that Uncle Sam would buy
thousands of phones for its own use (the initial commitment was 9,000,
from the F.B.I.) and the prospect that the phone would not suffer the
unhappy fate of some other secure devices when considered for export.
There was also the expectation that AT\&T would sell a lot more phones,
since private companies would need to buy Clipper-equipped devices to
communicate with the Government's Clipper phones.

It was an ingenious plan for several reasons. By agreeing to buy
thousands of phones, and holding out the promise that thousands, or even
millions more might be sold, AT\&T phones gained a price advantage that
comes with volume. (The original price of the Surity 3600 was $1,195,
considerably less than the previous generation of secure phones;
Mykotronx, the company making the Clipper chip, says that each chip now
costs $30, but in large orders could quickly go as low as $10.) That
would give the phones a big push in the marketplace. But by saturating
the market, Clipper had a chance to become the standard for encryption,
depending on whether businesses and individuals would be willing to
accept a device that had the compromise of a government-controlled back
door.

This compromise, of course, is the essence of Clipper. The Government
recognizes the importance of keeping business secrets, intimate
information and personal data hidden from most eyes and ears. But it
also preserves a means of getting hold of that information after
obtaining "legal authorization, normally a court order," according to a
White House description.

The N.S.A. presented the idea to the Bush Administration, which took no
action before the election. Then it had to convince a Democratic
Administration to adopt the scheme, and started briefing the Clinton
people during the transition. Many in the computer industry figured that
with Vice President Al Gore's enthusiastic endorsement of the
high-frontier virtues of the information highway, the Administration
would never adopt any proposal so tilted in favor of law enforcement and
away from his allies in the information industries. They figured wrong.
A little more than two months after taking office, the Clinton
Administration announced the existence of the Clipper chip and directed
the National Institute of Standards and Technology to consider it as a
Government standard.

Clipper was something the Administration -- starting with the Vice
President -- felt compelled to adopt, and key escrow was considered an
honorable attempt to balance two painfully contradictory interests,
privacy and safety.

The reaction was instant, bitter and ceaseless. The most pervasive
criticisms challenged the idea that a Clipper would be, as the standard
said, "voluntary." The Government's stated intent is to manipulate the
marketplace so that it will adopt an otherwise unpalatable scheme and
make it the standard. Existing systems have to cope with export
regulations and, now, incompatibility with the new Government Clipper
standard. Is it fair to call a system voluntary if the Government puts
all sorts of obstacles in the way of its competitors?

Others felt that it was only a matter of time before the National
Security Agency pressured the Government to require key escrow of all
cryptographic devices -- that Clipper was only the first step in a
master plan to give Uncle Sam a key to everyone's cyberspace back door.
"That's a real fear," says Stephen T. Walker, a former N.S.A. employee
who is now president of Trusted Information Systems, a company
specializing in computer security products. "I don't think the
Government could pull it off -- it would be like prohibition, only
worse. But I think they might try it."
But mostly, people were unhappy with the essence of Clipper, that the
Government would escrow their keys. As Diffie notes, key escrow
reintroduces the vulnerability that led him to invent public key
cryptography -- any system that relies on trusted third parties is, by
definition, weaker than one that does not. Almost no one outside the
Government likes the key-escrow idea. "We published the standard for 60
days of public comments," says F. Lynn McNulty, associate director for
computer security at the National Institute of Standards and Technology.
"We received 320 comments, only 2 of which were supportive."
Many people thought that in the face of such opposition, the
Administration would quietly drop the Clipper proposal. They were
dismayed by the Feb. 4 announcement of the adoption of Clipper as a
Government standard. Administration officials knew they were alienating
their natural allies in the construction of the information superhighway
but felt they had no alternative. "This," said Michael R. Nelson, a
White House technology official, "is the Bosnia of telecommunications."
If Clipper is the Administration's Techno-Bosnia, the crypto equivalent
of snipers are everywhere -- in industry, among privacy lobbyists and
even among Christian Fundamentalists. But the most passionate foes are
the Cypherpunks. They have been meeting on the second Saturday of every
month at the offices of Cygnus, a Silicon Valley company, assessing new
ways they might sabotage Clipper. The group was co-founded in September
1992 by Eric Hughes, a 29-year-old freelance cryptographer, and Tim May,
a 42-year-old physicist who retired early and rich from the Intel
company. Other Cypherpunk cells often meet simultaneously in six or
seven locations around the world, but the main gathering place for
Cypherpunks is the Internet, by means of an active mailing list in which
members post as many as 100 electronic messages a day.
Cypherpunks share a few common premises. They assume that cryptography
is a liberating tool, one that empowers individuals. They think that one
of the most important uses of cryptography is to protect communications
from the Government. Many of them believe that the Clipper is part of an
overall initiative against cryptography that will culminate in Draconian
control of the technology. And they consider it worth their time to
fight, educating the general public and distributing cryptographic tools
to obstruct such control.
Both Hughes and May have composed manifestos. Hughes's call to arms
proclaims: "Cypherpunks write code. We know that someone has to write
software to defend privacy, and since we can't get privacy unless we all
do, we're going to write it."
May's document envisions a golden age in which strong cryptography
belongs to all -- an era of "crypto anarchism" that governments cannot
contain. To May, cryptography is a tool that will not only bestow
privacy on people but help rearrange the economic underpinnings of
society.
"Combined with emerging information markets, cryptography will create a
liquid market for any and all material that can be put into words and
pictures," May's document says. "And just as a seemingly minor invention
like barbed wire made possible the fencing-off of vast ranches and
farms, thus altering forever the concepts of land and property rights in
the frontier West, so too will the seemingly minor discovery out of an
arcane branch of mathematics come to be the wire clippers which
dismantle the barbed wire around intellectual property."
At a recent meeting, about 50 Cypherpunks packed into the Cygnus
conference room, with dozens of others participating electronically from
sites as distant as Cambridge, Mass., and San Diego. The meeting
stretched for six hours, with discussions of hardware encryption
schemes, methods to fight an electronic technique of identity forgery
called "spoofing," the operation of "remailing" services, which allow
people to post electronic messages anonymously -- and various ways to
fight Clipper.
While the Cypherpunks came up with possible anti-Clipper slogans for
posters and buttons, a bearded crypto activist in wire-rim glasses named
John Gilmore was outside the conference room, showing the latest sheaf
of cryptography-related Freedom of Information documents he'd dragged
out of Government files. Unearthing and circulating the hidden crypto
treasures of the National Security Agency is a passion of Gilmore, an
early employee of Sun Microsystems who left the company a
multimillionaire. The Government once threatened to charge him with a
felony for copying some unclassified-and-later-reclassified N.S.A.
documents from a university library. After the story hit the newspapers,
the Government once again declassified the documents.
"This country was founded as an open society, and we still have the
remnants of that society," Gilmore says. "Will crypto tend to open it or
close it? Our Government is building some of these tools for its own
use, but they are unavailable -- we have paid for cryptographic
breakthroughs but they're classified. I wish I could hire 10 guys --
cryptographers, librarians -- to try to pry cryptography out of the dark
ages."
Perhaps the most admired Cypherpunk is someone who says he is ineligible
because he often wears a suit. He is Philip R. Zimmermann, a 40-year-old
software engineer and cryptographic consultant from Boulder, Colo., who
in 1991 cobbled together a cryptography program for computer data and
electronic mail. "PGP," he called it, meaning Pretty Good Privacy, and
he decided to give it away. Anticipating the Cypherpunk credo,
Zimmermann hoped that the appearance of free cryptography would
guarantee its continued use after a possible Government ban. One of the
first people receiving the program placed it on a computer attached to
the Internet and within days thousands of people had PGP. Now the
program has been through several updates and is becoming sort of a
people's standard for public key cryptography. So far, it appears that
no one has been able to crack information encoded with PGP.
Like Diffie, Zimmermann developed a boyhood interest in crypto. "When I
was a kid growing up in Miami, it was just kind of cool -- secret
messages and all," he says. Later, "computers made it possible to do
ciphers in a practical manner." He was fascinated to hear of public key
cryptography and during the mid-1980's he began experimenting with a
system that would work on personal computers. With the help of some
colleagues, he finally devised a strong system, albeit one that used
some patented material from RSA Data Security. And then he heard about
the Senate bill that proposed to limit a citizen's right to use strong
encryption by requiring manufacturers to include back doors in their
products. Zimmermann, formerly a nuclear freeze activist, felt that one
of the most valuable potential uses of cryptography was to keep messages
secret from the Government.
Zimmermann has put some political content into the documentation for his
program: "If privacy is outlawed, only outlaws will have privacy.
Intelligence agencies have access to good cryptographic technology. So
do the big arms and drug traffickers. So do defense contractors, oil
companies, and other corporate giants. But ordinary people and
grassroots political organizations mostly have not had access to
affordable 'military grade' public-key cryptographic technology. Until
now."
He has been told that Burmese freedom fighters learn PGP in jungle
training camps on portable computers, using it to keep documents hidden
from their oppressive Government. But his favorite letter comes from a
person in Latvia, who informed him that his program was a favorite among
one-time refuseniks in that former Soviet republic. "Let it never be,"
wrote his correspondent, "but if dictatorship takes over Russia, your
PGP is widespread from Baltic to Far East now and will help democratic
people if necessary."
Early last year, Zimmermann received a visit from two United States
Customs Service agents. They wanted to know how it was that the strong
encryption program PGP had found its way overseas with no export
license. In the fall, he learned from his lawyer that he was a target of
a grand jury investigation in San Jose, Calif. But even if the Feds
should try to prosecute, they are likely to face a tough legal issue:
Can it be a crime, in the process of legally distributing information in
this country, to place it on an Internet computer site that is
incidentally accessible to network users in other countries? There may
well be a First Amendment issue here: Americans prize the right to
circulate ideas, including those on software disks.
John Gilmore has discovered that Government lawyers have their own
doubts about these issues. In some documents he sued to get, there are
mid-1980's warnings by the Justice Department that the export controls
on cryptography presented "sensitive constitutional issues." In one
letter, an assistant attorney general warns that "the regulatory scheme
extends too broadly into an area of protected First Amendment speech."
Perhaps taking Phil Zimmermann to court would not be the Government's
best method for keeping the genie in the bottle.
The Clipper program has already begun. About once a month, four couriers
with security clearances travel from Washington to the Torrance, Calif.,
headquarters of Mykotronx, which holds the contract to make Clipper
chips. They travel in pairs, two from each escrow agency: the NIST and
the Treasury Department. The redundancy is a requirement of a protocol
known as Two-Person Integrity, used in situations like nuclear missile
launches, where the stakes are too high to rely on one person.
The couriers wait while a Sun work station performs the calculations to
generate the digital cryptographic keys that will be imprinted in the
Clipper chips. Then it splits the keys into two pieces, separate number
chains, and writes them on two floppy disks, each holding lists of "key
splits." To reconstruct the keys imprinted on the chip, and thereby
decode private conversations, you would need both sets of disks.
After being backed up, the sets of disks are separated, each one going
with a pair of couriers. When the couriers return to their respective
agencies, each set of disks is placed in a double-walled safe. The
backup copies are placed in similar safes. There they wait, two stacks
of floppy disks that grow each month, now holding about 20,000 key
splits, the so-called back doors.
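
The key-splitting step described above can be modelled as a two-of-two XOR secret split, in which either disk alone is consistent with every possible key. This is an added example, not part of the original article or the Government's own software; the XOR method, the 80-bit key length, the class and function names and the chip ID are assumptions, since the article does not say how the splits are computed.

```python
import secrets
from typing import Dict, Tuple

KEY_BYTES = 10  # assumption: 80-bit unit key; the article gives no key size


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("splits must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(unit_key: bytes) -> Tuple[bytes, bytes]:
    """Two-of-two split: one split is pure randomness, the other is key XOR it."""
    split_a = secrets.token_bytes(len(unit_key))
    return split_a, xor_bytes(unit_key, split_a)


class EscrowAgent:
    """Hypothetical stand-in for one escrow agency's stack of disks."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._splits: Dict[str, bytes] = {}

    def deposit(self, chip_id: str, split: bytes) -> None:
        self._splits[chip_id] = split

    def release(self, chip_id: str) -> bytes:
        if chip_id not in self._splits:
            raise LookupError(f"{self.name} holds no split for {chip_id}")
        return self._splits[chip_id]


def program_chip(chip_id: str, a: EscrowAgent, b: EscrowAgent) -> bytes:
    """Generate a unit key, hand one split to each agent, return the chip's key."""
    unit_key = secrets.token_bytes(KEY_BYTES)
    split_a, split_b = split_key(unit_key)
    a.deposit(chip_id, split_a)
    b.deposit(chip_id, split_b)
    return unit_key


def recover_unit_key(chip_id: str, a: EscrowAgent, b: EscrowAgent) -> bytes:
    """Reconstruction needs a release from both agents; one alone is not enough."""
    return xor_bytes(a.release(chip_id), b.release(chip_id))


def missing_split_for(candidate_key: bytes, known_split: bytes) -> bytes:
    """The other split that would make candidate_key the real key.
    One exists for every candidate, so a single split rules no key out."""
    return xor_bytes(candidate_key, known_split)


if __name__ == "__main__":
    nist, treasury = EscrowAgent("NIST"), EscrowAgent("Treasury")
    key = program_chip("CHIP-0001", nist, treasury)  # constructed chip ID
    print("recovered with both splits:",
          recover_unit_key("CHIP-0001", nist, treasury) == key)
    guess = bytes(KEY_BYTES)  # an arbitrary wrong guess (all zero bytes)
    fake = missing_split_for(guess, nist.release("CHIP-0001"))
    print("one split also fits a wrong guess:",
          xor_bytes(nist.release("CHIP-0001"), fake) == guess)
```
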
Will this number grow into the millions as the Government hopes?
Ultimately the answer lies with the American public. Administration
officials are confident that when the public contemplates scenarios like
the Fortress in the Bronx or the Mushroom Cloud in Lower Manhattan, it
will realize that allowing the Government to hold the keys is a
relatively painless price to pay for safety and national security. They
believe the public will eventually accept it in the same way it now
views limited legal wiretapping. But so far the Administration hasn't
recruited many prominent supporters. The main one is Dorothy Denning, a
crypto expert who heads the computer science department at Georgetown
University.
Since endorsing Clipper (and advocating passage of the Digital Telephony
initiative) Denning has been savagely attacked on the computer nets.
Some of the language would wither a professional wrestler. "I've seen
horrible things written about me," Denning says with a nervous smile. "I
try to actually now avoid looking at them, because that's not what's
important to me. What's important is that we end up doing the right
thing with this. It was an accumulation of factors that led me to agree
with Clipper, and the two most important areas, to me, are organized
crime and terrorism. I was exposed to cases where wiretaps had actually
stopped crimes in the making, and I started thinking, 'If they didn't
have this tool, some of these things might have happened.' You know, I
hate to use the word responsibility, but I actually feel some sense of
responsibility to at least state my position to the extent so that
people will understand it."
The opponents of Clipper are confident that the marketplace will vote
against it. "The idea that the Government holds the keys to all our
locks, before anyone has even been accused of committing a crime,
doesn't parse with the public," says Jerry Berman, executive director of
the Electronic Frontier Foundation. "It's not America."
Senator Leahy hints that Congress might not stand for the Clinton
Administration's attempt to construct the key-escrow system, at an
estimated cost of $14 million initially and $16 million
annually. "If the Administration wants the money to set up and run the
key-escrow facilities," he says, "it will need Congressional approval."
Despite claims by the National Institute of Standards and Technology
deputy director, Raymond G. Kammer, that some foreign governments have
shown interest in the scheme, Leahy seems to agree with most American
telecommunications and computer manufacturers that Clipper and
subsequent escrow schemes will find no favor in the vast international
marketplace, turning the United States into a cryptographic island and
crippling important industries.
Leahy is also concerned about the Administration's haste. "The
Administration is rushing to implement the Clipper chip program without
thinking through crucial details," he says. Indeed, although the
Government has been buying and using Clipper encryption devices, the
process of actually getting the keys out of escrow and using them to
decipher scrambled conversations has never been field tested. And there
exists only a single uncompleted prototype of the device intended to do
the deciphering.
Leahy is also among those who worry that, all policy issues aside, the
Government's key escrow scheme might fail solely on technical issues.
The Clipper and Capstone chips, while powerful enough to use on today's
equipment, have not been engineered for the high speeds of the coming
information highway; updates will be required. Even more serious are the
potential design flaws in the unproved key-escrow scheme. Matthew
Blaze's discovery that wrongdoers could foil wiretappers may be only the
first indication that Clipper is unable to do the job for which it was
designed. In his paper revealing the glitch, he writes, "It is not clear
that it is possible to construct EES (Escrow Encryption Standard) that
is both completely invulnerable to all kinds of exploitation as well as
generally useful."
At bottom, many opponents of Clipper do not trust the Government. They
are unimpressed by the elaborate key-escrow security arrangements
outlined for Clipper. Instead, they ask questions about the process by
which the Clipper was devised -- how is it that the N.S.A., an
intelligence agency whose mission does not ordinarily include consumer
electronics design, has suddenly seized a central role in creating a
national information matrix? They also complain that the Skipjack
cryptographic algorithm is a classified secret, one that cryptographic
professionals cannot subject to the rigorous, extended testing that has
previously been used to gain universal trust for such a standard.
"You don't want to buy a set of car keys from a guy who specializes in
stealing cars," says Marc Rotenberg, director of the Electronic Privacy
Information Center. "The N.S.A.'s specialty is the ability to break
codes, and they are saying, 'Here, take our keys, we promise you they'll
work.' "
At the March conference on computers and privacy, Stewart Baker
responded to this sort of criticism. "This is the revenge of people who
couldn't go to Woodstock because they had too much trig homework," he
said, evoking some catcalls. "It's a kind of romanticism about privacy.
The problem with it is that the beneficiaries of that sort of
romanticism are going to be predators. PGP, they say, is out there to
protect freedom fighters in Latvia. But the fact is, the only use that
has come to the attention of law enforcement agencies is a guy who was
using PGP so the police could not tell what little boys he had seduced
over the net. Now that's what people will use this for -- it's not the
only thing people will use it for, but they will use it for that -- and
by insisting on having a claim to privacy that is beyond social
regulation, we are creating a world in which people like that will
flourish and be able to do more than they can do today."
Even if Clipper flops, the Crypto War will continue. The Administration
remains committed to limiting the spread of strong cryptography unless
there's a back door. Recently, it has taken to asking opponents for
alternatives to Clipper. One suggestion it will not embrace is inaction.
"Deciding that the genie is out of the bottle and throwing our arms up
is not where we're at," says a White House official.
The National Security Agency will certainly not go away. "The agency is
really worried about its screens going blank" due to unbreakable
encryption, says Lance J. Hoffman, a professor of computer science at
George Washington University. "When that happens, the N.S.A. -- said to
be the largest employer in Maryland -- goes belly-up. A way to prevent
this is to expand its mission and to become, effectively, the one-stop
shop for encryption for Government and those that do business with the
Government."
Sure enough, the security agency is cooking up an entire product line of
new key-escrow chips. At Fort Meade, it has already created a high-speed
version of the Skipjack algorithm that outperforms both Clipper and
Capstone. There is also another, more powerful, encryption device in the
works named Baton. As far as the agency is concerned, these developments
are no more than common sense. "To say that N.S.A. shouldn't be involved
in this issue is to say that Government should try to solve this
difficult technical and social problem with both hands tied behind its
back," Stewart Baker says.
But Phil Zimmermann and the Cypherpunks aren't going away, either.
Zimmermann is, among other things, soliciting funds for a PGP phone that
will allow users the same sort of voice encryption provided by the
Clipper chip. The difference, of course, is that in his phone there is
no key escrow, no back door. If the F.B.I. initiated a wiretap on
someone using Zimmermann's proposed phone, all the investigators would
hear is static that they could never restore to orderly language.
What if that static shielded the murderous plans of a terrorist or
kidnapper? Phil Zimmermann would feel terrible. Ultimately he has no
answer. "I am worried about what might happen if unlimited security
communications come about," he admits. "But I also think there are
tremendous benefits. Some bad things would happen, but the trade-off
would be worth it. You have to look at the big picture."