6.805/STS085: 1995-97: From Clipper to Key Recovery

By mid-1994, Clipper was dead as a serious proposal, although the debate continued to seethe -- and the pressure from industry to address the awkward export regulations mounted. The need to do something was brought home in August 1995 when David Byers in Sweden and Eric Young in the UK, and (independently) Damien Doligez in France demonstrated that they could break the 40-bit RC4 encryption algorithm used in Netscape's SSL (the only encryption algorithm generally approved for export from the US, and claimed by the Administration to be adequate for commercial applications) using clusters of workstations running for 8 days. (This feat was duplicated in January 1996 at MIT by Andrew Twyman, using a single graphics workstation.)

Fall 1995: Clipper II

In September and December 1995, the Administration sponsored public meetings under the auspices of the National Institute of Standards and Technology (NIST), aimed at raising support for a new approach to the cryptography dilemma. The basic principle was that the U.S. would permit export of products using stronger algorithms -- up to 56-bit DES -- provided these included spare keys that would be deposited with authorized "escrow agents" who would respond to government requests. Additional criteria included that products must be designed so that the escrow mechanism cannot be circumvented, and that escrowed encryption products cannot interoperate with non-escrowed encryption products.

This approach was seen as an improvement over Clipper, but industry support was generally cold. The proposed 56-bit DES limit was still considered inadequate, and the various criteria were criticized as unclear and difficult to implement, and with inadequate safeguards against abuse. The initiative was opposed as a "Clipper II" and (because of the non-interoperability criterion) an attempt to impose key escrow on domestic use of encryption. Here are links to further details:

August 18, 1995, New York Times (John Markoff), U.S. to Urge A New Policy On Software
August 19, 1995, Washington's Computer Insecurity, by Whitfield Diffie, New York Times op-ed piece.
September 11, 1995, New York Times, (Peter Lewis), Privacy for computers? Clinton sets the stage for a debate on data encryption
September 16, 1995, Washington Post (Elizabeth Corcoran), Feuding again erupts over encryption exports

May 1996: The NRC Report

In 1994, at the height of the original Clipper controversy, the National Research Council began a study of U.S. cryptography policy. This was finally published in May, 1996, as Cryptography's Role in Securing the Information Society. Even though a year has since gone by in this rapidly changing area, the 700-page NRC report is the still the single best and most comprehensive source for information about cryptography policy and its implications.

The report contained several major recommendations, including:

No law should bar the manufacture, sale, or use of any form of encryption within the United States.
Export controls on cryptography should be progressively relaxed but not eliminated.
National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.

The third recommendation seems the most general, but it is perhaps the most important one. Most members of the NRC panel had been given security clearances and had received classified briefings from the law-enforcement and intelligence communities. The panel concluded that although the classified information contained important details, these did not make a difference in the overall policy debate, which should therefore be conducted in public fora rather than in closed hearings.

The panel also recommended that the U.S. government begin to experiment with escrowed encryption in order to gain experience with it. But it criticized efforts to promote rapid, widescale deployment of key escrow systems, saying that the technical issues and potential risks were not sufficiently understood. Largely as a result of this criticism, the Administration quickly distanced itself form the report.

Overview of the report and summary recommendations.
The entire report (prepublication version) is available on-line. The published report is also on reserve for the course.

May 1996: Key-management infrastructures ("Clipper III")

In May 1996, the Administration introduced a new idea for dealing with control of cryptography, with the publication of the draft memorandum Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure by Bruce McConnell, and Edward Appel, who co-chaired the White House's Interagency Working Group on Cryptography Policy.

This approach went further than ever before in recognizing that industry must play a major role in any solution to the cryptography problem. Rather than focusing on cryptographic algorithms themselves, the report highlighted the importance of a key-management infrastructure(KMI) through which users of cryptography are able to identify the the people they are communicating with. This identification can be accomplished by having keys registered and digitally signed by certification authorities (CAs), which serve as "digital notarys public" to attest to the identity of the person nominally associated with a given key. (There are other possible techniques, such as the "web of trust" used in PGP.)

The Administration paper emphasized the importance of key-management infrastructures and suggested a collaborative effort by government and industry to develop a KMI in which, when keys are registered with a certification authority, they are also escrowed with an associated key escrow agent that would respond to government requests for access to keys. The report suggested that encryption products whose keys are escrowed in this way would be eligible for export. It also called for developing a framework of international agreements about sharing keys and providing access to escrowed information.

The proposal was viewed as significant progress by the Administration in recognizing the importance of expanding the use of encryption. But it was criticized -- and immediately dubbed "Clipper III" by opponents -- on the grounds that it would effectively make key escrow (even for domestic encryption) a precondition for participation in the Global Information Infrastructure by incorporating escrow into the basic framework of identification on the network.

The Electronic Frontier Foundation's Clipper III Archive contains several statements critical of the proposal.

Summer 1996: Key recovery and inducements for industry cooperation

Note: By the summer of 1996, "key escrow" had amassed so much criticism that proponents of the idea started using the term "key recovery" to mean essentially the same thing. There have been several attempts to explain the difference, usually by companies that have developed key escrow schemes. The explanation usually boils down to "Key escrow was that old unacceptable idea, but this particular feature of our product includes makes it recovery rather than escrow."

Starting in late summer, the Administration began trying to garner industry support for key recovery along the lines laid down in the May KMI paper. In a series of meetings with computer and software companies through the fall, the following policy was hammered out:

The Administration would shift jurisdiction over export of cryptographic hardware and software from the State Department to the Commerce Department. Industry liked this, since it considers the Commerce Department to be more receptive to industry views.
Companies could apply for and receive immediate approval to export encryption products using 56-bit DES, provided they presented a plan to install key recovery in their exported encryption products within two years.
Encryption products of any strength would be eligible for export approval, if they incorporate key recovery.

This policy generally received reluctant cooperation from industry. On the one hand, companies insisted that export regulations place them at a disadvantage with respect to foreign competition, and they were loathe to supporting any plan that would continue to regulate encryption export. On the other hand, the were eager to obtain approval for their 56-bit DES products (even though these are not adequate for high-security applications).

In October, eleven companies -- Apple, Atalla, Digital, Groupe Bull, Hewlett-Packard, IBM, NCR, RSA, Sun, Trusted Information Systems and UPS -- became charter members of the Key Recovery Alliance, whose aim is to develop key-recovery techniques to meet the needs of customers and to allow easing of export restrictions. The Alliance emphasized that there are valid commercial reasons for key recovery (such as people gaining access to their data if they lose their keys), but they took pains to make clear that they oppose any attempts by governments to mandate key recovery. Since then, Alliance membership has grown to 60 companies. The KRA Website contains several press releases on Alliance activities and position papers on key recovery.

1997: Situation still murky

At the very end of December 1996 the Administration, as promised, published new regulations transferring export control of cryptography from the State Department to the Commerce Department's Bureau of Export Administration.

Here are the regulations, as published on December 30, 1996.

Technically, these regulations are an "interim rule", but as of this date (September, 1998), they are still in effect, while the Administration revises them in response to comments. Reception from industry remains grudging: Overall, companies are filing plans to gain export approval for 56-bit DES, while continuing to oppose any export restrictions. Their mantra here is "We oppose government regulation of encryption, but we will provide key-recovery products in response to customer demand".

1997 was also the year in which the crypto dilemma attracted Congress's attention in a big way, with numerous hearings and several bills introduced, with industry and civil liberties groups lobbying for relaxing export controls, while law-enforcement (notably the FBI and the Justice Department) lobbied for tighter controls.

One influential document in the debate was The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption, by a group of cryptographers and computer scientists (Hal Abelson, Ross Anderson, Steven Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter Neumann, Ronald Rivest, Jeffrey Schiller, and Bruce Schneier) published in May 1997 with the assistance of the Center for Democracy and Technology. The group cautions that key recovery for government access (where keys must be made accessible to law-enforcement on short notice without the knowledge of the user) has inherent risks and expenses that are not well understood, and advises against rapid, wide-scale deployment of such systems.

Congressional legislation in 1997 was all over the map, with bills introduced ranging the elimination of export controls outright, to bills outlawing the sale of non-escrowed encryption products, even domestically. By the end of the legisltive session, the encryption debate has become too chaotic to result in any legislation.

Here are some articles that appeared during 1997, which you can skim to get a flavor of the crypto debate. Note the flare-up after September 3, when FBI Director Louis Freeh proposed regulation of domestic encryption, just as he had announced as his intent ever since the debate over Digital Telephony.
Here is a summary (as of October 10, 1997) of the encryption legislation considered by Congress in 1997, with comments by the Electronic Frontier Foundation. This is is far from an unbiased report, since the EFF is adamantly opposed to any regulations on encryption, but is nevertheless helpful to see all the bills discussed in one place.

Another element of the crypto debate that became critical in 1997 was the reaction of other governments. The Administration's vision of a Key Management Infrastructure requires significant international cooperation on to develop a framework for inter-government access to keys and encrypted information, and the U.S. has been lobbying strongly for other governments to adopt the key recovery approach. On October 8, the European Commission issued a report Towards a European Framework for Digital Signatures and Encryption, which appears to throw cold water on the U.S. efforts. (See the New York Times article on the report.) The anti-regulation forces are claiming that this report "all but dooms efforts by the Clinton Administration and the FBI" to create an international framework for key escrow. But international diplomacy is a treacherous area, and there are many shoes yet to drop here.

1998: Going slow (so far)

So far, 1998 has been a year of slow going. The Secure Public Networks Act (S. 909), passed by the Senate Commerce Committee in July, 1997, would mandate the use of key recovery on networks built using federal funding, and also as a precondition to gaining certificates for electronic commerce. This bill has not yet come before the full Senate.

One interesting development was the demonstration by the Electronic Frontier Foundation that 56-bit DES could be cracked in 56 hours using a special-purpose machine that can be built at modest cost, thus underlining the inadequacy of 56 bits as a limit on exportable encryption.

Harking back to CALEA and the beginning of this survey -- the US Telephone Association filed suit against the FBI and the Department of Justice on August 19 to block the implementation of CALEA, on the grounds that the implementation cost-recovery regulations and FBI rules exceed the FBI's statutory authority. On September 11, 1998, the FCC helped defuse the tension between the FBI and the telecommunications industry by delaying the date for CALEA compliance (originally scheduled for October 1998) until June 2000.

Overall, though, most action seems to be behind the scenes positioning. Whether anything will emerge before the end of the legislative session remains to be seen.

For an overview of latest events, see the information pages maintained by the Internet Privacy Coalition and the Center for Democracy and Technology.

Hal Abelson (hal@mit.edu)
Mike Fischer (mfischer@mit.edu)
Joanne Costello (joanne@mit.edu)

Last modified: August 9 1999, 9:28 PM