[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Clipper Global (Teil 1)

From: Heiko Recktenwald <UZS106@IBM.RHRZ.Uni-Bonn.DE>
Subject:      Clipper Global
To: debate@fitug.de

                                                         Draft Key Escrow Paper
[Thanks to Mr. Ed Roback, CSL/Computer Security Division,
NIST, for promptly faxing this document to John Young on May
21, 1996. Transcribed by JY and DN.]


              Executive Office of the President
               Office of Management and Budget
                   Washington, D.C. 20503

                        May 20, 1996


SUBJECT:  Draft Paper, "Enabling Privacy, Commerce, Security
          and Public Safety in the Global Information

FROM:     Bruce W. McConnell [Initials]
          Edward J. Appel [Initials]
          Co-Chairs, Interagency Working Group on
          Cryptography Policy

     Attached for your review and comment is a draft paper
entitled "Enabling Privacy, Commerce, Security and Public
Safety in the Global Information Infrastructure." It presents
a vision and course of action for developing a cryptographic
infrastructure that will protect valuable information on
national and international networks.

     The draft paper is the result of the many discussions we
have had with interested parties concerning the use of
encryption. While those discussions have explored the use of
both key recoverable encryption and non-recoverable
encryption, the draft paper addresses an infrastructure which
uses key recoverable encryption. We believe such a key
management infrastructure, voluntary and supported by *private
sector* key management organizations, is the prospect of the
near future. It would permit users and manufacturers free
choice of encryption algorithm, facilitate international
interoperability, preserve law enforcement access, and, most
importantly, provide strong system security and integrity.

     Recognizing that a robust infrastructure is not yet a
reality, we are also considering measures to liberalize export
policy for some non-escrowed products. Appendix II of the
draft paper begins to summarize current policy, and we intend
to expand and improve that section.

     We believe that clearly articulating such a vision will
accelerate the ability of the United States to realize the
full advantages of the global network for commerce, security
and public safety. However, such a vision cannot become a
reality unless it is widely shared. Therefore, rather than
being a finished product, the attached paper is a draft which
we ask you to help us improve. We hope it will contribute to
constructive discussion and promote a clearer understanding of
each others' needs and concerns regarding the use of

     We welcome your comments and look forward to further
discussion. Written comments may be sent to our attention,
Room 10236, NEOB, Washington, D.C. 20503.

[End cover letter]

[Note:    All 25 pages of the typeset report have the word
          "Draft" printed in large letters across the text.]

[Head note of report] Last Modified: May 17, 1996

Enabling Privacy, Commerce, Security and Public Safety in the
Global Information Infrastructure


Statement of the Issue

     This paper outlines a course of action for developing an
infrastructure that will protect valuable national information
resources on national and international networks. Government
and industry must work together to create a security
management infrastructure and attendant products that
incorporate robust cryptography without undermining national
security and public safety. A policy for escrow of
cryptographic keys which provides a basis for bilateral and
multilateral government agreements must be determined so that
industry can produce products for worldwide interoperability.
Industry will participate in defining algorithms and protocol
standards, and will develop key escrow encryption products
suitable for the protection of both government and private
sector information and which will assure timely, lawful,
government decryption access. Government will help set
standards for the Key Management Infrastructure (KMI) and
deliver a market for robust security products. A KMI
infrastructure and attendant key escrow products will provide
many benefits, both domestic and internationally, as the US
begins to realize the advantages of the global network for
improve commerce, security and public safety.

I.   Introduction

     Government can no longer monopolize state of the art
cryptography. It is no longer acceptable to argue that the
only information of a compelling national security interest is
government information. It is unrealistic to believe that
government can produce solutions which keep ahead of today's
rapidly changing information technology. Increasingly, all
institutions, military, civil, or corporate, will communicate
across common links. The nation's commerce is moving to
networking. With these enormous changes, means must be found
to responsibly raise the quality of cryptographic services
without jeopardizing effective law enforcement, imperilling
public safety.

     Industry and government must partner in the development
of a public key-based key management infrastructure and
attendant products that will assure participants can transmit
and receive information electronically with confidence in the
information's integrity, authenticity, and origin and which
will assure timely lawful government access. When we conduct
transactions, we rely on face-to-face interactions, or
obtaining a signature on a paper, to have confidence that
commitments will be fulfilled. Policies and infrastructure are
needed to assure we can have at least the same degree of
confidence when we interact electronically. Government bears
a significant responsibility to ensure the information
infrastructure has the features that are essential to such

     There is a more compelling rationale for the government
to be a partner in the development of the KMI. Not only has
the Information Age sparked fundamental changes in the way we
interact, but reliance on information systems makes our
institutions vulnerable to an unprecedented degree. Almost all
institutions upon which public safety and national security
depend, ranging from the power grid to military command and
control, are at severe risk because of their presence in and
dependence upon a global information infrastructure.

     But the proliferation of quality cryptographic services
is not without risk. Keys can be lost, stolen, or forgotten --
rendering encrypted data useless. Additionally, the widespread
use of encryption without safety features such as key recovery
can pose serious risks to society. It will put at risk
important law enforcement and national security investigations
where electronic surveillance and search and seizure are
essential in preserving and prosecuting crimes, and more
importantly, in saving human life.

     Public key cryptography allows for secure authenticated
transactions with any party, known or unknown, with assurance
of data integrity and non-repudiation of the transaction.
These features, together with increased network reliability,
are needed to support electronic commerce, public services,
redefined business processes and national security.  But to
achieve its promise, public key cryptography must be based on
a key management infrastructure and attendant products that
tie individual and coprorate identities to their public key
through a series of Certificate Authorities (CA). The key
management infrastructure to do this on a global scale will be
very large and complex, but it is an essential foundation.
Without a KMI of trusted certificate authorities, users cannot
know with whom they are dealing on the network, or sending
money to, or who signed a document, or if the document was
intercepted and changed by a third part. Therefore, users will
demand a strong key management infrastructure, which may, in
turn, be based on a voluntary system of commercial certificate
authorities (CAs) operating within prescribed policy and
performance guidelines. To achieve the environment for such an
approach, a number of principles need to be accepted by
government, industry, and other users:

+    Participation in the KMI will be voluntary. Key escrow in
     the KMI will occur naturally through mutually trusted

+    There will be a transition period during which legacy
     equipments which do not support key recovery can be used
     to communicate with users in emerging full featured KMIs.
     Government, industry, and users will need to address the
     legitimate needs of those currently using non-key
     recovery products to communicate with users of the full-
     featured KMI in a manner that protects legitimate
     government and public safety concerns. This will provide
     a stable transition path.

+    Products that operate with an escrowed KMI need to be
     developed with industry taking the lead.

+    Industry can continue to lead in establishing standards
     for public key certificates, encryption algorithms,
     protocols, data recovery, and security servcies.

+    Certificate authorities will operate within performance
     standards set by law.

+    Agreements between governments will serve as the basis
     for international cross certification.

+    Self-escrow will be permitted under specific

+    Export controls on Key Escrow products will be relaxed
     progressively as the infrastructure matures.

(1)  The escrow agency must meet performance requirements for
     law enforcement access.


II.  Key Management Infrastructure

     In a key management infrastructure (KMI) based on public
key cryptography, each user has one or more pairs of public
and private keys. The public and private keys differ in a such
a way that it is computationally infeasible to determine the
private key from the public key. This allows the public key to
be revealed without endangering the security of the private
key. Users can communicate securely without having to share a
"secret"; they only need to know each other's public key and
that each public key is certified by a trusted authority.
Without assurance on the "binding" of a user to a specific
public key, these keys have little or no value.

     Public key cryptography supports security services such
as authentication, confidentiality, data integrity and
nonrepudiation. Access to a user's encrypted data for which
the key is lost is a security related service referred to as
data recovery. Providing a secure and trusted means of storing
private keys within the Key Management Infrastructure is one
means of providing data recovery. This capability naturally
supports law enforcement access, under legal warrants. Thus,
the user desire for data recovery and law enforcement's
potential need for access can be accommodated in a single
locale, so long as the user trusts the key storage and law
enforcement has confidentiality of access.(2)

(2)  For a survey of escrow mechanisms see Dorothy Denning's
     article in the March 1996 Journal of Communications of
     the ACM. More in depth articles on solutions to escrow
     can be found in *Building in Big Brother*, a collection
     of papers edited by Professor Lance Hoffman that
     contains both technical and political responses to


          -->  Authority  (private key database)
          |         |
          |         |
          |         | public keys
          |         |                        Escrow and
private   |         V                        Certificate
key       |    Certificate                   Authorities
(either   |    Authority                     can be combined
way)      |         |                        into one entity
          |         |
          |         | public key certificate
          |         | (binds IDs and keys)
          |         |
          |         V
          -->  User A (private keys and certificates)

     The simplest model for a KMI meets government access
requirements by relying on the certificate authorities (CAs).
However, the hierarchy could be structured to include a
separate Escrow Authority (EA) to provide law enforcement
access. Provision for split keys to enhance personal privacy
and security can be incorporated into the KMI. Either of these
mechanisms lessens the burden of key escrow on users and on
the producers of security products.

     To participate in the network a user needs a public key
certificate signed by a CA which "binds" the user's identity
to their public key. One condition of obtaining a certificate
is that sufficient information (e.g., private keys or other
information as appropriate) has been escrowed with a certified
escrow authority to allow access to a user's data or
communications.(3) (As noted before, this might be the CA or
an independent escrow authority). The certificate creation
process is pictured above.

     For users to have confidence in the KMI, CAs must meet
minimum standards for security, performance, and liability. A
Policy Approving Authority (PAA) certifies CAs for operation.
The PAA sets rules and responsibilities for ensuring the
integrity of the CAs. The PAA is also responsible for setting
CA performance criteria to meet law enforcement needs.

     If law enforcement has obtained legal authority to access
a user's encrypted data or communications, it would certify
that authorization to the escrow authority. The escrow
authority will then relinquish information sufficient to
access the user's communication.

(3)  This applies only to keys used for confidentiality
     purposes and not keys used for signing purposes.


III. Some Issues

     Difficult issues include i) how to refine the application
of export controls, ii) whether and to what extent to permit
self-escrow, iii) whether legislation is required and, if so,
what it should accomplish, and iv) the certainty and extent
that tovernment-togovernment agreements can be established to
ensure timely law enforcement access to keys/information held
by a foreign country. This section of the White paper briefly
explores each.

Export Controls

     The most contentious issue surrounding encryption is
export control policy. Encryption exports are controlled to
all destinations in the interest of U.S. national security/
foreign policy under the Arms Export Control Act. These export
controls are often criticized as an impediment to the fielding
of interoperable security across the GII and the
competitiveness of U.S. industry. The government is mindful of
these criticisms and has initiated a number of reforms to ease
the impact export controls have on manufacturers and users of
encryption. The task, then, is to find a method of applying
export controls that meets the interest of national security,
public safety, privacy, and competitiveness.

     Freedom to choose any mutually trusted certificate
authority may accommodate the above interests.(4) In addition,
allowing ready export of products of any bit length to markets
where the key management infrastructure, which complies with
statuatory constraints, is in place to permit government
access to keys, would provide both a level market for U.S.
manufacturers and higher quality security products for users.
Products that meet defined performance requirements and which
will not operate until the key is escrowed with an appropriate
certificate authority will address commercial, public safety
and national security needs. Some law enforcement and national
security concerns would be protected since government agencies
would be able to obtain escrowed keys pursuant to government-
to-government agreements.

(4)  A mutually trusted authority is an escrow agent trusted
     by users to store keys and trusted by law enforcement to
     provide access upon certification of lawful authority.


     We are working toward a policy that permits licensing of
key recovery encryption systems regardless of algorithm, bit
length, or whether implemented in hardware or software, once
needed infrastructure and government-to-government agreements
are in place. In the interim we recognize that the policy must
make it worthwhile for manufacturers and users to invest in
escrowed KMI. With these objectives in mind, and consistent
with applicable statutes, the interim policy will consider:

Prior to formal government-to-government agreements:

+    Permitting export of products that use an escrowed KMI to
     approved markets, e.g., Europe or Australia, consistent
     with the policies of the destination country.

Prior to multi-national Public Key Infrastructure with Key

+    Reviewing, on a case-by-case basis, proposals to export
     products which require the use of an escrowed KMI to any
     destination with which the U.S. has a government-to-
     government key escrow agreement.

+    Continuing and expanding the administration's previously
     announced key escrow initiative by permitting the export
     of 64 bit S/W or 80 bit H/W key escrow products that meet
     defined performance requirements, after one-time review,
     to any destination if keys will be escrowed in the U.S.,
     or in foreign countries with which the U.S. has a
     govvernment-to-government key escrow agreement.

In any condition:

+    Permitting the export of other products on a case-by-case
     determination that such exports are consistent with US

     The proposals for an interim export control policy are
founded on the assumption that the products will require the
use of an escrowed KMI in a country with which the U.S. has a
government-to-government agreement. Note that the contemplated
exports are to civil end-users; exports to military end-users
will require more extensive product review. The existing
policies applicable to unescrowed products provide substantial
flexibility and will continue as currently defined throughout
the transition period (see Appendix II). Additional requests
for near-term relief will be considered on a case-by-case
basis consistent with existing practice.

     The interim policy also reflects a judgment that overseas
escrow of key will generally be permissible with suitable
government-to-government arrangements. There is a concern that
U.S. products with keys escrowed in the U.S. will not be
saleable overseas. Hence, it may be possible to permit
overseas escrow in Europe, even before government-to-
government arrangments are completed. This exception is
possible since the European countries are already moving to
implement key escrow systems and we can reasonably expect to
enter into law enforcement agreements in the near term. The
OECD's goal of negotiating multilateral cryptography
guidelines by 31 December 1996 is further evidence of European
intent and momentum in infrastructure development.

     The interim policy reflects a differentiation between
hardware and software products, i.e., hardware products with
greater bit lengths are treated more favorably under this
policy. Hardware implementations of products permit more
confident binding between encryption and the key management,
limiting the risk that the encryption can be easily stripped
from the key management and used independently of key
recovery. Software does not provide similar protection. This
said, the interim policy to permit export of 64 bit software
key recovery products would reflect a significant increase
over the bit length restrictions applicable to non-key
recovery products.


     Self-escrow will be a principal concern of many large
corporations that want to provide corporate data recovery,
protect against loss of proprietary data from use of an
outside escrow agent, and simply for reasons of efficiency and
cost. Hence, self-escrow must be considered as an acceptable

     Escrow requires less architecture if the CA can be the
escrow authority. However, in those cases in which an
indidividual or corporation serves as its own certificate
authority, government organizations could be compelled to
request escrowed key from the subject of an investigation. The
investigation could be compromised under such circumstances.
While this risk could be avoided by adding independent escrow
authorities as another layer in the PKI, such a solution would
be costly and inefficient.

     A solution is a national policy which allows CAs for an
organization to serve as escrow authorities if they can meet
necessary performance requirements. These requirements should
be determined by government in consultation with industry and
should address timeliness, security, confidentiality of
requests for, or release of, keys, and independence of the
escrow authority from the rest of the organization. To this
end, the government should seek legislation that would shield
organization certificate authorities from internal pressures
in the course of law enforcement investigations.


     There is some consensus that the ultimate legislative
package should include provisions to criminalize the
unauthorized disclosure/use of escrowed key, provisions to
authorize civil actions by victims against those responsible
for the unauthorized disclosure/use of escrowed key,
provisions specifying the circumstances in which escrowed key
may be requested and released (e.g., death of a family member
or employee), and establishing liability protection for
certificate authorities who exercizes due prudence in the
fulfillment of their performance obligations.

     Those who endorse a larger government role would seek
legislation that would, for example, establish the government
as a major participant in the PAA, which would be responsible
to establish policies and guidelines governing certificate
issuance. In this case, the government would be authorized to
assure establishment of standards for the PKI that adequately
provide for systems security and law enforcement access.
Inasmuch as the integrity and reliability of the whole range
of network centered activities, including electronic commerce,
will depend on the integrity and reliability of the key
management certificate process, there is good reason for
government to play a substantial role.

     The enabling legislation envisioned here should reflect
the stated needs of industry and users. To that end,
government must work closely with industry and other affected
parties to develop such legislation.