A Comparison of Clipper I and II

Greg Hudson

Beginning in early 1994, the executive branch of the United States Government attempted to use its buying power to standardize a hardware device known as the Clipper Chip. The Clipper Chip is a data encryption chip with a back door allowing the government to decrypt the output using an escrowed copy of a key embedded in the chip during its manufacture. The proposal to standardize the Clipper Chip met with a firestorm of criticism from industry and civil liberties groups, and the proposal was all but abandoned by the summer.

In the summer of 1995, the executive branch began a second effort to standardize key escrow, this time by offering to weaken controls on the export of cryptographic software products if the keys used are escrowed with a suitable escrow agent in the private sector. At the time of this writing, the National Institute of Standards and Technology (NIST) is attempting to flesh out the details of this new proposal with representatives from industry and civil liberties groups. The new proposal has been dubbed "Clipper II" even though it does not involve an analog to the "Clipper Chip."

This paper will attempt to enumerate the major criticisms made against the original Clipper proposal, and to judge how well the new proposal addresses these criticisms. I will begin with a factual overview of the Clipper proposal, move on to a discussion of the criticisms of it, and will then describe the Clipper II proposal and how well those criticisms apply.

The Clipper Proposal
--------------------

The Clipper Chip is a tamper-resistant hardware chip implementing a proprietary encryption algorithm called Skipjack. The Clipper Chip accepts as input a block of data and a session key, and then outputs the encrypted data and a "Law Enforcement Block." With the aid of an escrowed key associated with each chip, a listener can use the "Law Enforcement Block" to obtain the session key and thus decrypt the chip's output.
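The following Python model is an added illustration of the escrow arrangement this paper describes (data encrypted under a session key, the session key wrapped under a per-chip escrowed key inside a "Law Enforcement Block", and that per-chip key held as shares by two escrow agents). It is not code from the paper and not the real Clipper or Skipjack design: the cipher is an HMAC-SHA256 keystream standing in for Skipjack, and the block layout, the family key shared by all chips for verifying the block, the 2-of-2 XOR split and the 80-bit key sizes are assumptions made for this example. It shows the three views a practitioner cares about: a peer chip can decrypt only when the block is intact, both escrow agents together can recover the session key from the block alone, and one agent's share by itself recovers nothing.

```python
"""Toy model of chip-side key escrow with a split unit key (illustrative only).

Assumptions of this example, not facts from the paper: HMAC-SHA256 counter-mode
keystream in place of Skipjack, a 4-byte chip id, a 16-byte integrity tag, a
family key shared by all chips, and a 2-of-2 XOR split of the unit key.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TAG_LEN = 16      # assumed size of the integrity tag on the block
CHIP_ID_LEN = 4   # assumed size of the chip serial number


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nbytes: int, label: bytes) -> bytes:
    """Toy cipher: HMAC-SHA256 in counter mode, domain-separated by label."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: each share alone is uniformly random; XOR of both is the key."""
    share_a = secrets.token_bytes(len(key))
    return share_a, xor_bytes(key, share_a)


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


@dataclass
class Chip:
    chip_id: bytes      # serial number embedded at manufacture
    unit_key: bytes     # per-chip key whose shares are escrowed
    family_key: bytes   # assumed: shared by all chips so a peer can verify the block


def manufacture(chip_id: bytes, family_key: bytes, agency_a: dict, agency_b: dict) -> Chip:
    """Embed a fresh unit key and deposit one share with each escrow agent."""
    unit_key = secrets.token_bytes(10)
    agency_a[chip_id], agency_b[chip_id] = split_key(unit_key)
    return Chip(chip_id, unit_key, family_key)


def chip_encrypt(chip: Chip, session_key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Return (ciphertext, law_enforcement_block)."""
    ciphertext = xor_bytes(plaintext, keystream(session_key, len(plaintext), b"data"))
    wrapped = xor_bytes(session_key, keystream(chip.unit_key, len(session_key), b"wrap"))
    body = chip.chip_id + wrapped
    tag = hmac.new(chip.family_key, body + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return ciphertext, body + tag


def chip_decrypt(chip: Chip, session_key: bytes, ciphertext: bytes, leaf: bytes) -> bytes:
    """A receiving chip refuses to decrypt unless the block is present and intact."""
    body, tag = leaf[:-TAG_LEN], leaf[-TAG_LEN:]
    expected = hmac.new(chip.family_key, body + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("law enforcement block missing or altered")
    return xor_bytes(ciphertext, keystream(session_key, len(ciphertext), b"data"))


def escrow_recover(leaf: bytes, ciphertext: bytes, agency_a: dict, agency_b: dict) -> bytes:
    """Both agencies look up the chip id in the block and jointly rebuild the unit key."""
    body = leaf[:-TAG_LEN]
    chip_id, wrapped = body[:CHIP_ID_LEN], body[CHIP_ID_LEN:]
    unit_key = combine_shares(agency_a[chip_id], agency_b[chip_id])
    session_key = xor_bytes(wrapped, keystream(unit_key, len(wrapped), b"wrap"))
    return xor_bytes(ciphertext, keystream(session_key, len(ciphertext), b"data"))


def demo() -> dict:
    """Run one exchange on constructed inputs and report what each party recovers."""
    family_key = secrets.token_bytes(16)
    agency_a, agency_b = {}, {}            # the two escrow agents' databases
    alice = manufacture(b"\x00\x00\x00\x07", family_key, agency_a, agency_b)
    bob = manufacture(b"\x00\x00\x00\x08", family_key, agency_a, agency_b)
    session_key = secrets.token_bytes(10)  # agreed out of band; both ends know it
    plaintext = b"constructed sample conversation"
    ciphertext, leaf = chip_encrypt(alice, session_key, plaintext)

    result = {"peer_ok": chip_decrypt(bob, session_key, ciphertext, leaf) == plaintext,
              "escrow_ok": escrow_recover(leaf, ciphertext, agency_a, agency_b) == plaintext}
    # A zeroed-out block fails the integrity check at the receiving chip.
    try:
        chip_decrypt(bob, session_key, ciphertext, bytes(len(leaf)))
        result["stripped_rejected"] = False
    except ValueError:
        result["stripped_rejected"] = True
    # One agent's share combined with a guess does not yield the unit key.
    one_share = {alice.chip_id: bytes(10)}
    result["single_share_fails"] = escrow_recover(leaf, ciphertext, agency_a, one_share) != plaintext
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `split_key`: `share_a` is random and `share_b` is the key XORed with it, so each agent's database entry is uniformly distributed on its own and reveals the unit key only when both are combined. The integrity tag in `chip_decrypt` is what ties the block to the ciphertext, which is the property a receiving chip must check if the escrow mechanism is to survive a peer that simply omits or alters the block.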
To prevent abuse of the escrowed keys by any single individual, the escrowed keys would be split between two or more government agencies.

The most important goal of the Clipper Chip was use inside telephones. The US Government wanted phone companies to use the Clipper Chip to encrypt telephone conversations; this way, people would have privacy against eavesdropping, but the government would still be able to conduct wiretaps. More importantly, telephone manufacturers would not be motivated to provide alternative forms of encryption which don't allow the government to conduct wiretaps.

The Clipper proposal encountered harsh opposition from a range of parties, including professional groups such as the Computer Professionals for Social Responsibility (CPSR), civil liberties groups such as the Electronic Privacy Information Center (EPIC), companies such as RSA Data Security, and newspaper columnists. I will focus on five important criticisms:

* Even with the stated precautions, the government could abuse the escrowed keys and violate both the security and privacy of computer communications. Even if the current government is trustworthy, future governments might not be.

* There are risks associated with any form of key escrow. The Clipper Chip, if it became a de facto standard, would deny people the ability to choose whether or not to take those risks--and there are many people who do not. In February of 1994, William Safire wrote, "Assure us not that our personal life stories will be ``safeguarded'' by multiple escrows in the brave new world of snooperware; we saw only last month how political appointees can rifle the old-fashioned files of candidates and get off scot-free."

* The government's motives in introducing the Clipper proposal are suspect.
  CPSR claimed that "there is no evidence to support law enforcement's claims that new technologies are hampering criminal investigations," and MIT professor Ron Rivest noted that there are currently fewer than 1000 wiretaps per year. There was widespread speculation that a covert purpose of the Clipper proposal was to maintain the NSA's ability to do widespread surveillance of international or possibly even domestic communications. Further questions were raised in August 1995 (after the original Clipper proposal was moot) when EPIC obtained documents showing that some government agencies advocated making the Clipper Chip a non-voluntary standard. In addition to suspicions about communications surveillance and the eventual outlawing of non-escrowed cryptography, many privacy advocates also suspected that the government is merely trying to delay the widespread use of strong cryptography by proposing unworkable government-approved standards.

* Because Clipper uses a secret algorithm (Skipjack), it is impossible for the public sector to verify that the algorithm is secure. This concern was made especially important on June 2 when a front-page New York Times article publicized a flaw in the Clipper Chip specification (discovered by Matt Blaze) which could allow someone to circumvent the need to include the Law Enforcement Block in their communications. Although the flaw was minor, it opened up the possibility that the government made other mistakes in the Clipper Chip which the public sector can't discover.

* There would be no foreign market for cryptographic devices with back doors for the US government. The New York Times observed in February of 1994 that "no other foreign government or foreign company has indicated that it is willing to use a coding system that is breakable by United States spying agencies."

It should be noted that my presentation of these criticisms is deliberately one-sided.
The interaction between these criticisms, dissenting opinions, and other criticisms is very complicated, and it is not my goal to resolve the debate on the original Clipper proposal.

Having set down the major criticisms against Clipper, I will now go on to describe the "Clipper II" proposal and how well it addresses those criticisms.

Clipper II
----------

The Clipper II proposal could be said to have begun in June of 1994, at the same time the Clinton administration began to back down from the original Clipper proposal. On that day, Vice President Gore wrote a letter to Rep. Maria Cantwell, an opponent of administration policy on cryptography. Gore acknowledged that US companies were being hurt by export controls, and proposed to solve this by "entering into a new phase of cooperation among government, industry representatives and privacy advocates with a goal of trying to develop a key escrow encryption system that will provide strong encryption, be acceptable to computer users worldwide, and address our national security needs as well."

A year later, in August of 1995, the government proposed to arrange for "expedited approval" of the export of software products using encryption with 64-bit keys, as long as the products escrow a key which can decrypt the message with an "approved escrow agent." "Expedited approval" means that products would be reviewed by the Department of State and then transferred to the jurisdiction of the Department of Commerce, which allows general export licenses. (An existing government policy already allows expedited approval of software products using two particular algorithms, RC2 and RC4, with 40-bit keys. There is no key-escrow requirement on such products.)

So far, NIST meetings have been held in September and December of 1995 to flesh out the details of this proposal. At the September NIST meeting, the government presented a list of ten criteria for expedited export approval, which I will paraphrase for brevity:

 1. An unclassified algorithm with no more than 64-bit keys
 2. Prevents multiple encryption
 3. An escrowed key is accessible to decrypt data
 4. Data identifies escrow agent and key to be used
 5. Prevents disabling key escrow mechanism
 6. Won't interoperate with a product not using key escrow
 7. Can decrypt a communication using the escrowed key for either the sender or the recipient
 8. Escrow agent only needs to be involved once for a given period of "authorized access"
 9. Escrow keys must be unique for each production copy, or there must be a provision for replacing the escrowed key
10. Will only accept escrow with certified escrow agents.

At the December meeting, the government presented twenty requirements for certified escrow agents. Most of the requirements were "good business practice" requirements; however, I will quote four important requirements here which will elucidate how the process of obtaining escrowed keys would work:

 3. Escrow agent entities shall protect against disclosure of information regarding the identity of the person/organization whose key and/or key components is requested, and the fact that the key and/or key components was requested or provided.

 7. An escrow agent entity shall employ one or more persons who possess a SECRET clearance for purposes of processing classified (e.g. FISA) requests to obtain keys and/or key components.

 8. Escrow agent entities shall protect against unauthorized disclosure [of] information regarding the identity of the organization requesting the key and key components.

11. Escrow agent entities shall provide key/key components to authenticated requests in a timely fashion and shall maintain a capability to respond more rapidly to emergency requirements for access.

Having described the above requirements, I will go on to discuss how well they address the initial criticisms of the original Clipper proposal. With one exception, the new proposal only partially addresses the criticisms made.
* Abuse by the government appears to be less of a possibility because third-party escrow agents would be holding the keys. However, the escrow agent requirements appear to provide adequate room for governmental abuse: certified escrow agents are compelled to respond to "authenticated requests" for key information (there is no reason to suspect that a warrant would be required), would apparently have no way of challenging requests, and would be prevented from publicizing either the origin or the existence of the requests made. Moreover, by making the requests classified, the government could restrict access to information about the request to a single employee of the escrow agent who is well known to the government.

* A third-party escrow agent system would allow users more choice in determining what risks to accept in encrypting their communications, but in many respects this second proposal increases, not decreases, the risks faced by the average user: not only are the escrowed keys accessible by the government, but they are held in trust by a private organization which may not be as trustworthy as the government and which may not be as capable of maintaining secrecy.

* It seems unlikely that the escrow system in the Clipper II proposal is motivated by a government desire to allow widespread communications surveillance; even with the back doors described above, the government would probably be unable to obtain enough keys to do widespread surveillance. However, the motives of the government are still suspect. The new proposal doesn't completely make sense to all parties. For instance, the government cannot adequately explain the 64-bit key length limit; if 64-bit cryptography is strong, as the government claims, then there seems to be no reason not to allow longer keys, while if 64-bit cryptography is weak, then compliant products may not be competitive with foreign products which use strong cryptography.
  To privacy advocates, the new proposal also seems just as likely to be a precursor to outlawing domestic use of strong encryption. Brock Meeks discusses this theory in the November 1995 issue of _Wired_, claiming that if the Clipper II proposal succeeds, "all the pieces will be in place" for a push to outlaw non-escrowed cryptography. Not only privacy advocates believe this theory; the Business Software Alliance, representing mass-market software companies such as Microsoft, wrote that the government may be pursuing a "strategy that could lead to the *mandatory* use of key escrow encryption" and described a possible scenario. Finally, the government is still suspected of proposing unworkable solutions as a delaying strategy. Carl Ellison writes, "the claim that a correction [to US export laws] is just around the corner appears to be just stringing US business along."

* The good news is that the Clipper II proposal does not involve classified algorithms, so there is no risk of undiscovered flaws due to the standard.

* The Clinton administration claims that the Clipper II proposal will open up new markets to industry, and third-party escrow agents may indeed provide some business opportunities which the original Clipper proposal did not. But most business groups at the NIST meeting claimed that there is very little foreign market for products with limited key lengths and escrowed keys, especially if keys are escrowed in the United States. The Business Software Alliance in particular condemned the Clipper II proposal as providing no new market opportunities to mass market software vendors: "Nothing in the Administration's proposal will change this imbalance [in favor of foreign software vendors] because the proposal does not adequately recognize that a key recovery system must be market driven, not government imposed, for it to gain popular acceptance and widespread utilization."
In conclusion, based on the five criticisms I chose to focus on, the government's "Clipper II" proposal does not appear to be a significant improvement over the original Clipper proposal. The main improvements in the new proposal are that the specification allows greater freedom of choice and does not require use of a classified algorithm, but the new proposal still has the same major defects as the old one.

Bibliography
------------

Keeping track of the zillions of short opinion pieces on the Clipper and Clipper II controversies is a dizzying task. Following is my best attempt at a list of the source material I used. For technical information on the original Clipper proposal, I am relying on information obtained at a presentation given by two employees of the National Security Association at MIT in June of 1994, and also on a presentation given by Matt Blaze at the June 1994 USENIX Technical Conference.

Bidzos, Jim. "Some Thoughts on Clipper, NSA, and One Key Escrow Alternative." March 8, 1994.
    http://www.eff.org/pub/Privacy/Clipper/bidzos_clipper.article

Computer Professionals for Social Responsibility. "CPSR Announces Campaign to Oppose Clipper Proposal." February 7, 1994.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/cpsr-annce.txt

Corcoran, Elizabeth. "Feuding Again Erupts Over Encryption Exports." _The Washington Post_. September 16, 1995.
    http://swissnet.ai.mit.edu/6805/articles/clipper/short-pieces/wash-post-sept-16-95.html

The Electronic Frontier Foundation. "EFF Analysis of Vice-President Gore's Letter on Cryptography Policy." July 22, 1994.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/eff-gore-analysis-july22.txt

Ellison, Carl. "NIST/NSA/DoJ view of SKE." September 11, 1995.
    http://www.clark.net/pub/cme/html/nist-ske.html

Farrell, Pat. "September NIS&T Key Escrow Export."
    http://www.isse.gmu.edu/~pfarrell/nist/nist950906.html and associated pages

Farrell, Pat. "Clipper II, Meeting December 5 1995."
    http://www.isse.gmu.edu/~pfarrell/nist/nist951205.html and associated pages

Godwin, Mike. "A Chip Over My Shoulder: The Problems With Clipper." _Internet World_.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/godwin-clipper.txt

Lewis, Peter H. "Privacy For Computers?" _The New York Times_. September 11, 1995.
    http://swissnet.ai.mit.edu/6805/articles/clipper/short-pieces/nyt-sept-11-95.html

Markoff, John. "Who Keeps the Keys to Cyberspace?" _The New York Times_. February 12, 1994.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/markoff-clipper.txt

The National Institute of Standards and Technology. "Draft Software Key Escrow Encryption Export Criteria." November 1995.
    http://csrc.ncsl.nist.gov/keyescrow/criteria.txt

Netscape Communications Corporation. "Netscape Policy on Encryption Export."
    http://home.netscape.com/newsref/ref/encryption_export.html

Rivest, Ron. "Government Crypto Policy." July 23, 1994.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/rivest-july23.txt

Rivest, Ron. "Newday Editorial." _Privacy Digest_. February 25, 1994.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/privacy-forum-digest.txt

Safire, William. "Essay: Sink the Clipper Chip." _The New York Times_. February 13, 1994.
    http://swissnet.ai.mit.edu/6095/articles/clipper/short-pieces/safire-clipper.txt

Sterling, Bruce. "Remarks at Computers, Freedom and Privacy Conference IV." March 26, 1994.
    http://www.eff.org/pub/Privacy/Clipper/cfp_94_sterling.speech