The Honorable Orrin G. Hatch Senate Judiciary Committee U.S. Senate 224 Dirksen Senate Office Building Washington, DC 20510-6275 Attention: Phil Shippman, Pat Murphy Dear Mr. Chairman: This letter responds to your offer to me to submit additional comments for the record of the hearing of the Senate Judiciary Committee on July 9, 1997, on key recovery and encryption. In addition to addressing specific issues that might be of concern to you, I want to respond to the challenge you left us at the end of the hearingto find a reasonable compromise among the various interests. The NRC study on national cryptography policy that I chaired was formed in response to a Congressional request to study this topic. It came to a unanimous set of conclusions and recommendations that we collectively believed constitute a reasonable approach to national cryptography policy. The study involved a blue-ribbon committee, including a former Attorney General of the United States, a former deputy director of the National Security Agency, a former deputy commander-in-chief of the U.S. European Command in Germany, and several members with experience in the computer, software, and telecommunications industries. (The names of all committee members are appended to this letter.) Among our primary recommendations were the following: - No law should bar the manufacture, sale, or use of any form of encryption within the United States. - National cryptography policy should be more closely aligned with market forces. Domestic users should be free to determine which kind of cryptography system best meets their needs. - Export controls on cryptography should be relaxed progressively but not eliminated. Export controls on cryptography should be relaxed to help U.S. firms operating internationally protect vital information and to solidify the nation's leadership in the information technology field, which is critical to national security and economic competitiveness. Retention of some export controls would mitigate the loss to national security interests in the short term, allow the United States to evaluate the impact of further changes, and give authorities time to cope with a new technical reality. Relaxation would accommodate easier exports of 56-bit DES-based encryption products, without a time limit and without regard to key recovery; foreign consumers with needs for stronger encryption would be able to obtain stronger encryption if they agree to provide U.S. authorities with plaintext upon legally authorized requests. - Because key recovery is a promising but unproven technology (a point acknowledged by the Administration), the U.S. government should experiment with key recovery for its own purposes to gain operational experience with it, rather than to aggressively promote it to the private sector as a proven technology. - The U.S. government should take affirmative policy actions to help law enforcement and national security. For example, we recommended that government take an affirmative role in encouraging collateral uses of cryptography such as authentication. In addition, the government should promote better security for the public switched network through measures such as link encryption. (Link encryption is the application of encryption only to potentially vulnerable links (e.g., the wireless link of a cellular telephone call).) Such measures would not reduce the ability of law enforcement to obtain an authorized wiretap, but would reduce the demand for devices that encrypt communications from sender to receiver, making it more difficult for criminal users to obtain devices that could block lawfully authorized wiretaps. Most importantly, we strongly supported R&D to develop new technical capabilities that would ultimately be more useful than pushing key recovery onto a resistant market. For example, even without encryption, obtaining the relevant electronic data or signal from a complex communications channel will become much harder in the future, and law enforcement needs to be able to deal with that problem. - The U.S. government needed to find a mechanism to promote information security in the private sector. No such mechanism existed in the United States at the time of the study, and though some steps have been taken since then (e.g., the formation of the Presidents Commission on Critical Infrastructure Protection), a comprehensive legislative and regulatory framework to support this need is still not in place. Our assessment at the time was that the package of recommendations described above struck a good balance between the various interests, and I see no reason to change that assessment today. Difficulties with encryption encountered by law enforcement At the hearing, Judge Freeh acknowledged that the use of encryption by criminals has been relatively minimal to date. In the course of the NRC study, we were not apprised of any Title III warrant for wiretapping that had been frustrated by encryption, and I have not learned of any example since then. Moreover, law enforcement officials have often (though not always) been able to cope with encryption when they have encountered it, whether by penetrating the security offered by encryption or by obtaining the necessary information through some other means. Dorothy E. Denning and William E. Baugh, Jr., Encryption and Evolving Technolgies as Tools of Organized Crime and Terrorism, National Strategy Information Centers US Working Group on Organized Crime, July 1997. Denning is professor of computer science at Georgetown University and an advisor to the FBI on encryption; William Baugh is former Assistant Director of the FBIs Information Resources Division. However, the major point is that no one knows the true extent of the problem with criminals using encryption, whether for communications or for stored files. Indeed, it was only last year that a law was passed mandating the collection and compilation of such data. (The Economic Espionage Act of 1996, Title V, Section 501.) The magnitude of the future problem is unknown, and one of the reasons we adopted a wait-and-see attitude on the need for key recovery was that the nation needed real data on the extent of the problem and trends before it adopted policies based on the presumed existence of that problem. What needs to be done before the nation adopts a policy of supporting key recovery The NRC report argued that too little was known about how key recovery might work before the government charges ahead with imposing key recovery on the marketplace. We believed that experience is needed in two major areas. The first area is the actual business need for key recovery. Because we believe that a market-driven solution is the only stable long-term solution, experience is needed to know: - how often business organizations need to recover keys to encrypted files and, especially, to encrypted communications; - the extent to which users are willing to buy key recovery products domestically and overseas; and - how these parties use key recovery products. The second area is vulnerability of key recovery products, where experience is needed for knowing: - the frequency with which unauthorized parties are able to obtain keys improperly from key recovery agents; - the extent of the financial losses suffered from such improper access to keys; and - whether or not the inclusion of key recovery features introduces technical weaknesses into products. Again, as noted above, the actual extent and nature of the encryption problem for law enforcement is unknown. We dont know how often encryption is encountered, the forms in which encryption is encountered (files or communications), and how often investigations or prosecutions are thwarted by encryption. The McCain/Kerrey legislation: the Secure Public Networks Act of 1997 For the most part, the McCain/Kerrey bill (S. 909, The Secure Public Networks Act (SPNA)) is inconsistent with the general thrust of the NRC report. The SPNA is a highly aggressive promotion of key recovery for the private sector, establishing that technology as a pillar of national cryptography policy. Nothing has happened since May 1996 to alter our basic position that the nation lacks the experience to make legislation that would govern the behavior or deployment of key recovery agents. In addition, the bill attempts to use something that all parties agree is needed for electronic commerce, namely a public key infrastructure (PKI), as leverage for obtaining approval for something fundamentally unrelated, namely key recovery for domestic use. Our committee opposed the use of export controls as a lever to force industry to produce and sell key recovery products, and it is also dubious public policy to use the leverage of electronic commerce (e.g., a public key infrastructure) to promote key recovery. Furthermore, the Administration has said on one hand that it believes there is a strong market for key recovery products. On the other hand, it feels the need to use the leverage of export controls and the need for a PKI to promote key recovery. Because government intervention is necessary only when the market fails, the Administrations actions raise the question of why intervention is necessary if market forces are in fact working. Finally, while I have not undertaken a detailed analysis of the bill, some elements of the SPNA are inconsistent with the NRC report, while a few are consistent with it. Inconsistencies between McCain/Kerry and the NRC report - The bill attempts to draw a distinction between public keys that may be used for authentication and digital signatures (Section 402, (b)(1)) and public keys that may be used for encryption (Section 402, (b)(2)). However, such a distinction is artificial in the context of the bill: once a certificate is issued, the use of the associated public key cannot be limited to any single purpose. Thus, the bill would allow one of two things. - A recipient of a public key certificate intended for use in authentication and digital signatures could in practice use it for encryption purposes, thus circumventing the intent of the bill. - To close this loophole, the government might interpret the law so as to obtain access to the private key associated with a given public key certificate. However, anyone in possession of such a private key would be able to impersonate the true owner of the public key certificate. In particular, possession of the private key would give government authorities the technical capability to forge documents that were ostensibly created by the true owner, and to do so in an undetectable manner. While government employees are generally trustworthy, any such access creates risks, and the bill would grant many state and local authorities and even foreign governments access to keys under certain circumstances. Because of such potentially broad disclosure, the validity of any electronic contract based on the security of this key could thus be called into question. In turn, doubt and uncertainty in this area could have a major negative impact on the development of electronic commerce. - Section 306 prohibits the export of encryption upon the showing of evidence that the product would be used in acts harmful to certain U.S. national interests. Since foreign terrorists and criminals have access to commercially available products and are likely to use these products to further their goals, this section as drafted could be construed so as to prohibit the export of essentially all encryption products even to legitimate overseas customers (which would be contrary to the bills stated objective of improving information security). - Section 901(Waiver Authority) allows the President to waive any provision of the act for reasons of national security or domestic safety. Even if this provision is not exercised, its mere presence will create considerable market uncertainty and thus act as an inhibitor to broad commercial development and use of cryptographic products. - Section 106 allows the government to obtain the plaintext of encrypted messages using a subpoena rather than a search warrant. Further, Section 110 prohibits informing the owner of an encrypted text that his information has been made accessible to government authorities. Subpoenas generally require a lesser showing than that required for search warrants. We felt that the plaintext of encrypted information require strong protection, and we regarded the protection afforded by Title III for the privacy of telephone conversations as a good balance between the needs of law enforcement and the privacy rights of citizens, especially as it imposed further showings by law enforcement for the granting of a court order because of the surreptitious nature of electronic surveillance. We are aware that the FBI does not accept this interpretation of the SPNA. During the hearing, I understood Director Freeh to say that a court order analogous to a Title III warrant for wiretapping would be required for access to encryption keys and that the surreptitious subpoena power would be used only to implement the earlier court order . Of course, the issuance of a Title III warrant is subject to a number of mandated protections for the subject of the wiretap, such as the wiretap being the investigative technique of last resort. Perhaps it is the FBI's intent to require safeguards that parallel those required by Title III for wiretaps, but the bill as written certainly does not so state. This is a sufficiently important matter, not only substantively but also in terms of public acceptance, that it should not be left for legislative history but should be carefully spelled out in the legislative text. Further, the issuance of a Title III warrant is subject to a requirement for minimization (only conversations relevant to the subject of the investigation may be recorded and used). By contrast, the legislation as written (Section 105, Privacy Protection) is not drafted in such a way as to clearly preclude the possibility that once the decryption key to one relevant message is obtained, it will not be used to decrypt other non-relevant messages associated with that decryption key. - The SNPA is primarily a law enforcement bill that is intended to facilitate law enforcement access to encrypted data and communications; as such it does not deal with the largerand in our view more significantdimensions of the information security problems facing the nation. Moreover, by focusing so strongly on the law enforcement desire for encryption keys, it distorts the nature of the overall problem. A comprehensive approach to information security will still be needed, and that comprehensive approach may well be inconsistent with key portions of the SNPA. As one example, the NRC report noted that key recovery entailed a number of risks to users. For example, key recovery necessarily involves the possibility that technical vulnerabilities or human weaknesses in the key recovery system may result in the compromise of keys. The current key recovery experiments being undertaken by the Federal government are intended to demonstrate the feasibility of key recovery, but not its strength against unauthorized penetration or compromise. The SNPA presents an opportunity to require such testing (often called red-teaming), but fails to do so. Consistencies between McCain/Kerry and the NRC report - Section 302 requires that encryption products using 56-bit DES be exportable under a license exception after a one-time review. Depending on the nature of this review, this provision could well be consistent with our recommendation that restrictions on the export of DES-based encryption products be relaxed. - Title VI directs the President to negotiate with other nations on mutual recognition of key recovery agents and certificate authorities. This title is in general consistent with our recommendation that the U.S. should work with other nations on harmonization of cryptography policy. The Burns, Leahy, and Goodlatte bills Essentially, these bills all relax export controls on encryption to the standard of foreign availabilitythey would allow the export of U.S. encryption products whose strength was comparable to that of products available from foreign vendors. Our report made a recommendation to relax export controls on encryption to the level of 56-bit DES, rather than the current 40-bit limit, and we made no reference to foreign availability. We chose not to rely on a foreign availability criterion because of our desire to avoid arguments about what was or was not really available from foreign vendors. Anyone knows that simply labeling a box is not a guarantee of the performance of a product inside that box. Thus, the use of foreign availability as a criterion entails a complex inquiry requiring hearings and bureaucratic fact-finding. History demonstrates that a foreign availability requirement almost always entails delay (or worse, the excuse for delay) in an industry in which the time scale of decision-making makes delay one of the most objectionable aspects of the export control process. By contrast, the U.S. has a well-established procedure for determining the exportability of products using 40-bit RC-2 and RC-4 algorithms, and it would be a simple matter to adapt that existing procedure to 56-bit DES. In addition, the Leahy and Goodatte bills provide sanctions for the use of encryption for criminal purposes. We believed that the such a provisionif drawn narrowlywas worth examining by the U.S. Congress, but that many issues had to be resolved before such a provision was actually legislated. To the best of our knowledge, no hearings have explored issues such as what it means to use encrypted communications when communications are automatically encrypted without user intervention. I therefore believe not only that such hearings are desirable but also that the subject of the definition of such a crime (which is bound to be controversial and which perhaps might raise constitutional problems in view of the potential absence of intent where the user does not consciously choose encryption) is well within the jurisdiction and the long-established competence of the Senate Judiciary Committee. The adequacy of 56-bit DES While the recent cracking of a single DES message is impressive, I do not think it fundamentally changes our view on 56-bit DES. Is DES good enough for everyone? No, and we said so in the report. We understood the limitations of DES given modern computing technology, but we still concluded that DES provided good enough security for most commercial requirements. The cracking of DES was based on the simultaneous use of 14,000 computers connected through the Internet, and even so it took months to undertake. That is a lot of effort to crack one message, and in general, an adversary may not know which encrypted message is worth that effort. On the other hand, this effort does demonstrate two points made in our reportthat a determined adversary, such as a well-funded foreign government, would be required to mount a successful challenge to DES on a large scale, and that a replacement for DES will be needed in the not-too-distant future. Note that today, NIST is coordinating an effort to designate a suitable replacement. Conclusion I continue to believe that the recommendations of the NRC study would lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources. In addition, they would result in improved security and assurance for the information systems and networks used by the nationa more secure national information infrastructure. While the recommendations of the committee would thus contribute to the prevention of crime and enhance national security, the spread of encryption would also increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities. In order to reduce the impact of this burden, the government should take certain steps (outlined in the report) to help law enforcement and national security authorities to cope with the new technical realities of the information age. The NRC report concluded that widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. Thus, the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography. I commend your attention to this vital though often confusing and obscure issue. If I can be of further assistance to you on this matter, please contact me. The relevant staff contact is Dr. Herb Lin, National Research Council, who can be reached by phone at 202-334-3191 or by email at hlin@nas.edu. Sincerely, Kenneth W. Dam MEMBERS OF THE NRC COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY (Affiliations are those of May 1996, the date the study was released) Kenneth W. Dam, Chair, is the Max Pam Professor of American and Foreign Law at the University of Chicago Law School. Mr. Dam served as deputy secretary of state (1982-1985), as provost of the University of Chicago (1980-1982), and as corporate vice president for law and external relations at IBM (1985-1992). W.Y. Smith, Vice Chair, is president emeritus of the Institute for Defense Analyses, and served as its president (1985-1991). His military posts include deputy commander in chief of the European Command in Germany (1981-1983) and chief of staff of SHAPE, Belgium (1979-1981). Lee Bollinger is provost of Dartmouth College. He was also dean of the Michigan law school (1987-1994). Ann Caracristi was deputy director of the National Security Agency (1980-1982). She is also a member of President Clinton's Foreign Intelligence Advisory Board. Benjamin R. Civiletti practices law with Venable, Baetjer, Howard & Civiletti in Baltimore and Washington, D.C. He served as attorney general of the United States (1979-1981). Colin Crook is the senior technology officer of Citicorp. Samuel H. Fuller is vice president and the chief scientist of Digital Equipment Corporation. He is also a member of the National Academy of Engineering. Leslie H. Gelb is president of the Council on Foreign Relations. He also served as director of the Bureau of Politico-Military Affairs in the Department of State (1977-1979). Ronald Graham is director of Information Sciences Research at AT&T Laboratories. He is also a member of the National Academy of Sciences. Martin Hellman is professor of electrical engineering at Stanford University, and a co-inventor of public-key cryptography. Julius Katz is president of Hills & Company, International Consultants. Ambassador Katz held the position of deputy U.S. trade representative (1989-1993) and was the U.S chief negotiator for the North American Free Trade Agreement. Peter G. Neumann is principal scientist in the Computer Science Laboratory at SRI. Raymond Ozzie is the founder and president of Iris Associates, the developer of Lotus Notes. Iris is a wholly owned subsidiary of Lotus Development Corporation and IBM Corporation. Edward C. Schmults was senior vice president for external affairs and general counsel of GTE Corporation (1984-1995). Previously he served as deputy attorney general of the United States (1981-1984). Elliot M. Stone is executive director of the Massachusetts Health Data Consortium. Willis H. Ware is a member (emeritus) of the Corporate Research Staff at the RAND Corporation. He is also a member of the National Academy of Engineering.