by J. H. Saltzer, 23 April, 1993
Only a few of the following points are original; most are based on conversations and reading of RISKS, PRIVACY-FORUM, and private e-mail messages.

- The algorithm is secret. Why? (To reduce ability for terrorists to reproduce it in software?)
- The government will invite a team of experts to examine the algorithm. What is the problem with this proposal? Will anyone be willing to join the team if it requires signing a non-disclosure statement or obtaining a security clearance?
- Can the algorithm be properly evaluated without being publicly revealed? What would it take to convince you that the algorithm was secure?
- Once a key is obtained it can be used to unseal all past (recorded) and future conversations with that telephone. No provision for protecting keys revealed to Law Enforcement agencies. (They make a list?)
- One can buy several telephones, and use different ones at different times, for different purposes, thus impeding the warrant process. Does this opportunity reduce the value of the Clipper Chip concept?
- Does national security require a warrant? If not, how do the escrow agencies handle national security requests?
- No method is suggested for initial session key exchange. Why not? Perhaps it would be too hard to get agreement now?
- Clinton administration couldn't have had time to work this out; must have been presented as a fait accompli. Perhaps leaped in prematurely?
- What would public reaction be to a requirement that locksmiths must report your house key tumbler settings to a bank to be held in escrow, in case they are needed by law enforcement agencies? How about a law requiring that TV cameras be installed throughout your home, but that they can be activated only by court order? Are these valid analogies?
- Supposing that the SkipJack algorithm is an 80-bit DES, how secure is it against chip technology that is improving in speed at 50%/year?
- What is to stop people from doing their own encryption? Modern PCs are beginning to provide digital interfaces to the telephone line (nominally to grab caller ID and look things up in a data base, and perhaps to program a digital answering machine), so packages that can do really secure encryption could soon be available at Egghead Software.
- Is there a risk that this is the first step in the direction of outlawing civilian use of unapproved encryption systems? What, if anything, would stop movement in that direction?
- Q&A statement says that this development does not expand authority of law enforcement. Is there a benign inefficiency argument that says that although the authority doesn't change, the effect of that authority does? Imagine an FBI agent in an office in Denver sending an (authenticated) e-mail message to a judge in California asking for a warrant that directs PacBell to send to Denver a copy of all bit streams going to and from a particular San Jose telephone. The warrant returns that day by e-mail, is forwarded to PacBell, and the bit streams start arriving a few minutes later. The agent starts recording all the forwarded bit streams, then decodes the identification packet and forwards, by authenticated e-mail, a request to the two escrow agents for the underlying keys. They return by e-mail a few hours later and the agent begins decoding. All without leaving his office. Is this scenario realistic? Does it represent a qualitatively different result from one where the agent must personally visit a wire center in San Jose, install alligator clips and a tape recorder, and come back to pick up the tapes?
- The system is "more secure than many other voice encryption systems readily available today". Does this provide any reassurance at all?
- Is it plausible that the "Family" key ("F" in Denning's note) can be kept secret? How many people have to know it? What value is there in keeping it secret? Who benefits from its secrecy, and who finds it a hassle?
- Is there a believable threat to privacy from traffic analysis (starting with a log of who is calling whom and initiating secure conversations)?
- Is it appropriate for a proposed national standard to depend on a technology that only one company has access to? That in order to enter the market, other companies must obtain security clearances? For which foreign competition is effectively forbidden?

------------------------------------------------------------------------

Here are several suggestions from Andre DeHon:

Cipra points out that the rapid rate of progress in computer power may undermine the trustworthiness of digital time stamps. Explain how the problem is worse or better for secure communications using encryption? How does Clipper address the issues? ...as far as I can tell, it does not. However, that does seem to be an omission worth noting.

Given what you know about the progress of computer technology, what kind of guarantees can you expect for secure communications? (That idea is to focus in on formulating a specific guarantee like the one Rivest develops: mean-time-to-cryptanalyze = f(T[i.e. year],$) -- make some ballpark assumptions and come up with a rough formula -- should also note that your security has a finite lifetime)

One key component of the community outrage is that the standard was not developed under public scrutiny. Given what has (and particularly has not) been said about Clipper, what technical concerns should you have?

The government is trying to embed encryption technology into the NII. Does the government understand the end-to-end argument? Does the government understand technology progress?
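
One way to make the suggested guarantee concrete, as an added example that is not part of the original notes: a rough mean-time-to-cryptanalyze = f(year, $) for exhaustive key search, using the 50%/year speed improvement quoted in the questions above. The 1993 baseline of 1e6 keys/second per dollar, the function names, and the premise that the only attack is searching the 80-bit keyspace are assumptions made for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
BASE_YEAR = 1993   # year of the note
GROWTH = 0.50      # 50%/year improvement, the figure used in the questions
BASE_RATE = 1e6    # ASSUMED keys/second per dollar in 1993 (ballpark, not from the page)


def rate(year, dollars, growth=GROWTH, base_rate=BASE_RATE):
    """Keys/second that `dollars` of hardware bought in `year` can test."""
    return dollars * base_rate * (1 + growth) ** (year - BASE_YEAR)


def mean_years_fixed(key_bits, year, dollars, growth=GROWTH, base_rate=BASE_RATE):
    """f(T, $): mean years to find a key (half the keyspace) on hardware
    bought in `year` and never upgraded."""
    half_space = 2 ** (key_bits - 1)
    return half_space / rate(year, dollars, growth, base_rate) / SECONDS_PER_YEAR


def mean_years_upgrading(key_bits, year, dollars, growth=GROWTH, base_rate=BASE_RATE):
    """Same search, but the hardware keeps improving continuously at the
    growth rate. Keys tested after t years = R * (e^(k*t) - 1) / k with
    k = ln(1 + growth); solve for t when that equals half the keyspace."""
    k = math.log(1 + growth)
    keys_per_year = rate(year, dollars, growth, base_rate) * SECONDS_PER_YEAR
    return math.log(1 + k * 2 ** (key_bits - 1) / keys_per_year) / k


def year_breakable(key_bits, dollars, within_years=1.0, growth=GROWTH, base_rate=BASE_RATE):
    """First year in which fixed hardware costing `dollars` finds a key within
    `within_years` on average: the end of a recorded conversation's lifetime."""
    needed = 2 ** (key_bits - 1) / (within_years * SECONDS_PER_YEAR)  # keys/second
    available = dollars * base_rate                                   # in BASE_YEAR
    return BASE_YEAR + max(0.0, math.log(needed / available) / math.log(1 + growth))


if __name__ == "__main__":
    for bits in (56, 80):
        for budget in (1e6, 1e9):
            print(f"{bits}-bit key, ${budget:.0e}: "
                  f"fixed 1993 hardware {mean_years_fixed(bits, 1993, budget):.3g} y, "
                  f"upgrading {mean_years_upgrading(bits, 1993, budget):.3g} y, "
                  f"one-year break by {year_breakable(bits, budget):.0f}")
```

Under these assumptions the figure that looks like thousands of years on 1993 hardware shrinks to a couple of decades once the attacker's hardware is allowed to improve, which is the finite lifetime the suggestion asks to be noted.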