THE METAPHOR IS THE KEY: CRYPTOGRAPHY,
THE CLIPPER CHIP, AND THE CONSTITUTION

A. Michael Froomkin

Document information and copyright notice

[Page n] references relate to the pagination of the printed version.

Click here to jump to a specific page:

To table of contents


I. Modern Cryptography: Private Security, Government Insecurity

Cryptography contributes to commercial, political, and personal life in a surprising number of ways. Now that modern cryptographic techniques have put strong, perhaps uncrackable, cryptography within the reach of anyone with a computer or even a telephone, the use of strong cryptography is likely to increase further. As a result, worried law enforcement and intelligence agencies have developed the Clipper Chip in order to retain their capability to eavesdrop on private electronic communications.

A. Who Needs Cryptography?

Many individuals and businesses want or need communications and data security.{22} Although these desires clearly have an objec[Page 719]tive basis in many cases, some of these desires are undoubtedly symbolic and psychological. Who other than the recipient, after all, is likely to want to read most private faxes and e-mail?{23} The subjective nature of a desire for privacy makes it no less real or worthy of respect.{24} Encryption can play a critical role in contributing to this communications and data security.{25}

The government's assurance that a cryptosystem is secure also contributes to this security. Evaluating the strength of a cipher is a black art that requires skills few businesses or individuals possess. The government's endorsement will at least reassure those, such as banks and lawyers, who have a duty to secure their communications and data but lack the technical knowledge to determine what ciphers are reliable.

1. Banks, ATM-Users, Electronic Transactors

Encryption is heavily used in banking, both in the United States and abroad. Fedwire and the Clearing House Interbank Payment System process a daily total of more than 350,000 messages with an estimated value of between $1 and $2 trillion. These transactions rely on U.S. government-approved encryption to protect against unauthorized modification and forgery.{26} The U.S. Department of the Treasury requires encryption of all U.S. electronic funds transfer [Page 720]messages.{27}

Banks use encryption to protect ID numbers that customers use at bank automated teller machines (ATMs).{28} In addition, many banks encrypt the customer data on ATM cards in order to protect against forgeries.{29} The banking sector's awareness of its vulnerability to electronic theft of funds has spurred the creation of cryptographic standards for both retail and inter-bank transactions.{30}

As the economy continues to move away from cash transactions towards "digital cash," both customers and merchants will need the authentication provided by unforgeable digital signatures in order to prevent forgery and transact with confidence.{31} Forgery is a perennial problem with electronic mail: copying is easy, there are no tangible permanent media involved in the communication, and programmers or system managers can alter e-mail headers to fake the source of a message. Cryptography can provide an authenticating function for these electronic transactions. Cryptographic [Page 721]techniques can be used to produce a digital signature which, when properly used, can prove that a cleartext message (such as a buy or sell order) was really sent by the party from whom the message appears to originate.{32} In addition, a digital signature attests to the integrity of the contents of a message. If the digital signature system is properly implemented, the signature of every document is uniquely calculated from the full text of the document, and is uniquely associated with the sender. There is no way to fake a signature by copying a signature from one document and attaching it to another, nor is it possible to alter the signed message in any way without the recipient immediately detecting the deception.{33} The slightest change in a signed document will cause the digital signature verification process to fail. Indeed, a signature verification failure will be caused by a transmission error affecting a single bit of the message.{34}

The proposed National Information Infrastructure, better known as Vice President Al Gore's information superhighway, envisions "telebanking" and other electronic transactions.{35} It recognizes, however, that as these services expand, so too will "public concern about communications and personal privacy."{36} One important issue will be the extent to which consumer-oriented digital payment systems allow for anonymity and privacy; another will be the extent to which law enforcement and banks will require audit trails that lead to the consumer.{37} [Page 722]

2. Businesses with Commercial and Trade Secrets

Stealing a secret is often much cheaper than discovering, or even rediscovering, it oneself. The United States annually invests more than $130 billion in nongovernmental research and development.{38} The fruits of this investment present a tempting target for industrial espionage, from both foreign and domestic competitors.{39}

Business information need not be scientific or technical to be of enormous value. Sensitive market information such as the amount that a corporation plans to bid at an auction for valuable oil leases or the amount that a construction company plans to offer at tender is of enormous benefit to a competitor.{40} Knowledge of a company's cost and price structure, market research, strategic plans, order and customer lists are of obvious benefit to competitors. For an investor, inside information such as planned merger or acquisition activity, can also reap huge profits. Encryption helps prevent high-tech eavesdropping, while at the same time discourages some low-tech theft: a stolen laptop with an encrypted disk represents a loss of hardware, but not of sensitive information.{41}

The increasing importance of intellectual property makes information security especially valuable to industry; the portability of ideas makes it ever-harder to achieve. The increase in mobile communications also plays a role. As workers rely on networks to tele-commute to the office, or use cellular telephones to communicate with colleagues, or download e-mail onto their laptops while away from the office, they expose their information to eavesdroppers.{42}

[Page 723]The risk to U.S. corporations of both high- and low-tech industrial espionage is particularly great because they are not just the target of domestic and foreign competitors, but also of foreign intelligence agencies. Indeed, according to the FBI, foreign governments routinely use their intelligence services to acquire valuable information about U.S. corporations.{43} As a result, without some form of communications and data security, sensitive technical and market information can be intercepted from faxes, cellular and microwave telephone calls, satellite communications, and inadequately protected computer systems.{44} Foreign firms may soon face a similar threat of industrial espionage by U.S. intelligence agencies searching for new roles, and continued appropriations, in the post-cold-war era.{45} [Page 724]

3. Professionals

Lawyers have long relied on ordinary telephones to communicate with clients and are increasingly using cellular telephones and electronic mail.{46} Every lawyer knows that she should never discuss client confidences in a crowded restaurant. If such a confidence is overheard by a third party, even unintentionally, waiver of the attorney-client privilege may be imputed.{47} Anyone with the right sort of receiver can overhear cellular telephone conversations. Unfortunately, the ease with which electronic mail messages can be intercepted by third parties means that communicating by public electronic mail systems, like the Internet, is becoming almost as insecure as talking in a crowded restaurant.{48} Similarly, the ease with which intruders can gain access to unprotected computers that can be accessed via the Internet means that unencrypted data on such machines is at risk.{49} Even ordinary telephone con[Page 725]versations may be at risk if the signal travels by microwave or satellite.{50} Although there are no cases to date holding that failure to encrypt a cellular telephone conversation or an electronic mail message, much less a regular phone call, constitutes professional negligence, the ease with which these can be overheard or intercepted, combined with the growing simplicity of encryption software, make it conceivable that failure to use encryption may be considered a waiver of privilege at some point in the future (at least for insecure media such as electronic mail and cellular telephones).{51}

Lawyers are not the only professionals who receive client confidences. Doctors, therapists, and accountants all receive sensitive information which they then have a duty to keep confidential. These duties can arise in tort or contract, or pursuant to state and federal statutes.{52} Some of these duties are reflected in evidentiary privileges,{53} but a privilege is not required to create the duty.{54}

4. National ID Cards and Data Authentication

Because strong cryptography can be used to authenticate data,{55} it makes nearly unforgeable national ID cards possible. The cards could have the owner's date of birth, social security number, [Page 726]a digitized photograph, and any other information (for example, health, immigration status, or prior convictions).{56} Users (who might include liquor stores, police, banks, employers, or a national health insurance trust) would have a reader with the government's public key on it, which they would use to decrypt the card. So long as the government was able to keep its private key secret, the ID card would be unforgeable.

National ID cards raise a host of problems outside the scope of this Article, many of which could be exacerbated by the use of cryptography. Chief among these difficulties is the danger that the government might encrypt additional information on cards that would be invisible to the holder but might be accessible to law enforcement, or even some employers. Examples of such secret information include criminal record, military discharge status, or health information.{57} Less ominously, digital signatures provide a means of authenticating all electronic data. In a world in which bank, tax, and medical records, and the contents of the digital library are all at risk of accidental or malicious alteration, authentication of data becomes critical. By providing a reliable guarantee that data with a proper signature is authentic, digital signatures provide a certain means of detecting changes when someone tries to rewrite history. [Page 727]

5. Criminals

Cryptography not only allows individuals to keep their communications and records secret, it also allows them to keep their identities secret. We are accustomed to more anonymity in our commercial life than we realize, although this form of privacy is shrinking. Purchasing a newspaper for a few coins from a vending machine or a store leaves no audit trail: ordinary cash is anonymous.{58} Although the use of credit cards continues to increase, there are some transactions that people prefer to keep untraceable.{59} It seems safe to suppose that some cash transactions, while legal, might not occur if the only payment option were something that leaves a record.

Cryptologists have worked out protocols for untraceable, anonymous, electronic cash ("E$") that also resist illicit duplication. These permit customers to acquire E$ from a digital bank without disclosing their identity to the bank. Using high-level cryptographic techniques, the E$ is unforgeably certified as valid, but can be spent only once.{60}

Unfortunately, although cryptography allows the creation of privacy-enhancing E$ and helps ensure that an Orwellian surveillance state remains in the realm of fiction, its advantages come at a price. The same features that might make uncrackable encryption attractive to groups seeking to change the social order by lawful but unpopular means, and that protect those working towards unpopular causes from retribution, also provide security to lawbreakers. Untraceable E$ may help make untraceable "perfect crimes" possible.{61}

[Page 728]Undoubtedly, criminals and conspirators will find a use for encryption,{62} but so too will many others. Not every diarist records crimes in his daybook, but for many people there will be a certain satisfaction in knowing that their most private thoughts are safe from anyone's prying eyes, be they major governments or younger siblings.{63}

6. Users of Telephones, Electronic Mail, Faxes, or Computers

a. Cellular Telephones

There are at least twelve million cellular telephone subscribers in the United States.{64} Few of these telephones use encryption. Most of the cellular telephones that use some form of encryption use a very simple masking algorithm which is easy to defeat with parts available in any Radio Shack. Although cellular telephone eavesdropping is illegal,{65} it is easy.{66} [Page 729]

b. Standard Telephones

Currently, only the U.S. government has a large network of secure telephones, and they are expensive.{67} Although AT&T has developed secure telephones based on the Clipper Chip that will provide encrypted communications so long as both parties have a Clipper-equipped telephone, most telephone conversations remain vulnerable to legal and illegal wiretapping and, if the signal travels by microwave or satellite, to other forms of interception as well.{68}

c. Faxes

Faxes are as vulnerable to interception as any other telephone call, yet few fax transmissions are encrypted.{69} Fax interception equipment is "relatively inexpensive" and in some countries is routinely used by telephone companies or the government to monitor fax traffic.{70} Consequently, software vendors are now adding encryption options to common operating systems such as Microsoft's Windows.{71}

Encryption also protects against the consequences of misdialing a telephone number and reaching the wrong fax machine--an increasingly common problem as the number of dedicated fax lines grows.

d. E-mail

The exponential growth in the Internet's popularity has fueled the private demand for encryption.{72} Military-grade cryptography, or something close to it, is easily available free to any user of the Internet who knows how to download a file.{73} [Page 730]

e. Personal Records

Many people have things they want to hide from their colleagues or family members. The secret can be as trivial as a planned surprise party, as personal as a love letter or sexual orientation, or as unsavory as a planned theft or past misdeed. It can be a private diary or the plans for a bomb. These records may be on paper or stored on a computer disk. Some people derive a sense of security from the knowledge that their communications and data are safe from unauthorized snooping by their friends, family, or anonymous computer hackers. Others seek an even greater sense of security by attempting to encrypt their communications and records in a manner that cannot be decrypted even by authorized law enforcement.{74}

7. Dissidents and Others

Most, if not all, of the readers of this Article probably experience life in the United States as one of political freedom. For some of these readers, a desire for communications and electronic records security, particularly security from possible or suspected government surveillance or intrusion, may appear to be an excess of libertarian paranoia. The existence of low-water marks in civil liberties (such as the 1798 Alien and Sedition Act,{75} the 1920s'[Page 731]"Palmer raids,"{76} the Japanese internment during World War II,{77} and COINTELPRO{78}) may be seen by some readers as well-documented and anomalous departures from American ideals; other readers may see them as symptoms of a more general tendency of those in authority, approaching the "iron law of oligarchy."{79}

Organized government intrusion into personal communications and data privacy is less visible than an order to round up thousands of civilians. It is also far more frequent. When given the duty and authority to identify threats to national security,{80} public servants have shown a tendency to adopt a "vacuum cleaner[]" approach to private information.{81} Indeed, the Senate committee charged with investigating domestic surveillance noted "the tendency of intelligence activities to expand beyond their initial scope" and stated that government officials "have violated or ignored the law over long periods of time and have advocated and defended their right to break the law."{82}

[Page 732]It is harder to view fears of government surveillance as aberrational when one learns that in the 1950s the FBI identified 26,000 "potentially dangerous" persons who should be rounded up in the event of a "national emergency," and that it maintained this list for many years.{83} During the 1970s, even sympathizers dismissed as fantastical the claims by Black Panthers and other dissident groups that they were being wiretapped and bugged by the FBI. These allegations proved to be correct.{84} Indeed, the U.S. government has an unfortunate recent history of intrusion into private matters. During the 1970s, the FBI kept information in its files covering the beliefs and activities of more than one in four hundred Americans;{85} during the 1960s, the U.S. Army created files on about 100,000 civilians.{86} Between 1953 and 1973, the CIA opened and photographed almost 250,000 first class letters within the U.S. from which it compiled a database of almost 1.5 million names.{87} Similarly, the FBI opened tens of thousands of domestic letters, while the NSA obtained millions of private telegrams sent from, to, or through the United States.{88}

Although the Constitution guarantees a high degree of political freedom and autonomy, "[t]he Government has often undertaken the secret surveillance of citizens on the basis of their political beliefs, even when those beliefs posed no threat of violence or illegal acts on behalf of a hostile foreign power."{89} Certainly, neither statutory nor constitutional prohibitions have proved consistently effective in preventing civil liberties abuses. For example, U.S. Census data is supposed to be private, and that privacy is guaranteed by law. Nevertheless, during World War II the government used census data to identify and locate 112,000 [Page 733]Americans of Japanese ancestry who were then transported to internment camps.{90} Similarly, the CIA repeatedly violated the prohibition on domestic intelligence contained in its charter.{91}

One need not believe that such excesses are routine to sympathize with those who fear that another such excess is foreseeable. Indeed, whether one considers these operations to have been justified, to have resulted from a type of a bureaucratic rationality that rewards results regardless of legal niceties,{92} or to have been a form of security paranoia, this history could cause a reasonable person to fear she might someday be swept up in an investigation.{93} The passage of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III),{94} designed to define standards for the use of wiretaps, appears to have reduced greatly the amount of illegal wiretapping by police. Nonetheless, illegal wiretapping by police has not been completely eliminated.{95}

[Page 734]Not all government intrusion into privacy is centrally organized, but that hardly makes it less intrusive. During the past five years the IRS has caught hundreds of its employees snooping into the tax records "of friends, neighbors, enemies, potential in-laws, stockbrokers, celebrities and former spouses."{96} Authorized users of the FBI's National Crime Information Center have used its databases to check up on friends and neighbors and to check backgrounds for political purposes.{97} It is an article of faith for many Americans that postal workers read the postcards they process--and not without reason when postal workers are heard to say that they "pass the really good ones around the office."{98}

A reasonable person may also be concerned about surveillance by nongovernmental actors. For instance, political campaigns are notorious for dirty tricks, including the bugging of opponents;{99} the yellow pages in any major city contain numerous advertisements for detective agencies and investigators;{100} and eavesdropping and bugging devices are readily available in stores.{101}

In light of this history of public and private intrusion into personal privacy and the growing interconnection of computers and communications envisioned by the National Information Infrastructure, it is impossible to dismiss the desire for personal communica[Page 735]tions and records security as pure paranoia. It may, in fact, be very sensible.

B. The U.S. Data Encryption Standard (DES) Is Increasingly Vulnerable

While the need for communications security grows, the officially sanctioned tools for providing that security are beginning to look dated and vulnerable.

1. How DES Became a Standard

In the early 1970s, the National Bureau of Standards (NBS), since renamed the National Institute of Standards and Technology (NIST), decided to define a national standard cryptographic algorithm.{102} The absence of a government standard, the NBS determined, caused people to use competing cryptographic products that were unable to communicate with each other.{103} The lack of interoperability among commercial cryptographic products deterred firms from using encryption when it would have been of value. Similarly, the absence of a standard kept the costs of products high and reduced the incentive to improve them. In selecting a standard cryptographic system, the NBS proposed to certify the strength of its algorithm, and thus reassure potential users that the system was strong enough to resist attack, something that most users would be unable to determine for themselves. The NBS determined that the algorithm it selected should be easy to use, strong, suitable for use in electronic devices, and yet sufficiently weak to be exportable without running afoul of export control regulations which control cryptography.{104}

[Page 736]In 1977, after several years of acrimonious public debate among professional cryptologists, the NBS selected an algorithm developed by IBM that the NSA had certified as "free of any statistical or mathematical weaknesses."{105} It is now known as the Data Encryption Standard (DES).{106} DES is a single-key cipher: the senderand the receiver use the same key to encrypt and decrypt the message. DES keys are fifty-six bits (about eight ASCII characters) long.{107} This means that there are seventy-two quadrillion (actually 72,057,594,037,927,936) different possible keys.{108} DES is approved for use by the government for its sensitive information, but not for classified information.{109}

The designation of DES as the U.S. standard was controversial, foreshadowing the current controversy over Clipper. An earlier version of the IBM project used a key with well over one hundred bits.{110} The key shrank to fifty-six bits by the time it became the U.S. standard. Critics charged that the shortened key was designed to be long enough to frustrate corporate eavesdroppers, but short enough to be broken by the NSA.{111} Some critics also feared there might be a "back door,"{112} an implanted weakness in a key[Page 737]part of the encryption algorithm known as S-boxes, that would allow the agency to use computational shortcuts to break the code.{113}

The problem was exacerbated by the unwillingness of DES's creators to explain why they had chosen the particular, seemingly arbitrary, method of mixing up bits that they had selected. Cryptology is a field for the truly devious, and many cryptologists were concerned that there might be a mathematical vulnerability intentionally inserted by the cryptographers who designed the DES cipher. The search for such back doors in government-sponsored ciphers such as DES has been a popular pastime among suspicious cryptologists since the NBS proposed DES, yet no back door has been reported. Recently, however, academic cryptologists determined that DES's unusual algorithm is peculiarly resistant to a newly discovered mathematical attack called "differential cryptanalysis"--a technique which had not been discovered, at least in unclassified form, at the time DES became the U.S. standard. DES's inventors have since stated that they were aware in 1974 of DES's resistance to differential cryptanalysis, but kept quiet to protect national security.{114}

Export of DES is controlled by the State Department as if it were a weapon like a tank or fighter plane.{115} Financial institutions and the foreign offices of U.S.-controlled corporations routinely receive clearance to export DES if they show a need, but the State Department--presumably acting under the advice of the NSA--usually refuses to allow others to export it.

Although U.S. law ordinarily prevents Americans from selling DES-equipped encryption products to foreigners, DES is found around the world and freely sold by foreign corporations in many countries. It may be "the most widely used cryptosystem in the [Page 738]world."{116} A full specification of DES is available in books sold in the United States,{117} the export of which is not controlled,{118} presumably on First Amendment grounds.{119}

2. DES Is Vulnerable to Attack

In a world where computing speed almost doubles every year, DES looks as if it has been a standard for a very long time. Its 56-bit keys look more vulnerable to attack than ever before. DES is thus approaching the end of its useful life, at least for high security information. NIST recertified DES in 1993 but suggested that its days as an official standard are numbered.{120}

Given that computer processors become cheaper every day, brute-force searches for DES keys are now well within the reach of relatively affordable, massively parallel machines.{121} A recent paper describes a brute-force attack on DES as "alarmingly economical," estimating that for $1 million one could build an optimized machine that would try fifty million keys per second and would crack a DES key in an average of 3.5 hours.{122} An investment of $10 million would produce a machine that would be expected to crack a DES key every twenty-one minutes.{123} DES-cracking remains beyond the means of the casual snooper, but is now within the means of many corporations and every government.

[Page 739]The security problem is compounded by the probabilistic nature of a brute-force key search. The strength of an algorithm is expressed in the amount of time it would take to be certain of finding the key by trying every possibility. The expected (average) amount of time per key is only half that amount. If, however, an attacker is engaged in a routine program of successively trying to break keys, and knows how often they are changed, the attacker will inevitably get lucky. This can be a serious threat in situations where one piece of luck will garner the attacker a large return.

Suppose, for example, that a bank which becomes concerned about the vulnerability of its DES keys decides to change the key used for interbank financial transactions every day. Does this give it security? If an attacker has a machine that is certain to break a key in a year, then the attacker has over a 0.01% chance of breaking the new key in an hour, and a 0.27% chance of breaking it in a day.{124} In plain English, the attacker has just better than a one in ten thousand chance of breaking each key in the first hour; she has a chance of about one in 370 of breaking each key before it is changed. The attacker thus can hope for a large electronic funds transfer to her bank account about once a year.{125}

Worse, the attacker does not need special computers so long as she has several of them. An attacker armed with only one 100Mhz Pentium computer would have a minuscule daily chance of success. If she links a group of 500 Pentium computers on a university network, however, her chance of cracking DES in a day rises to just above one in 40,000.{126} These are not bad odds for a lottery in which the payoff can be in the millions, and the cost of a ticket--idle [Page 740]time on computers in a university network--may be zero to the user.

The idea of networks of computers harnessed together to crack a DES password may sound like science fiction, but something similar is already happening. A group of computer scientists and mathematicians recently used the Internet to harness computer time donated by 600 volunteers. Using a total of about 5000 MIPS-years{127} of processing time to make 100 quadrillion calculations over an eight month period, the group solved a problem equal in complexity to breaking a 129-digit RSA key.{128} RSA is a commercial public-key cryptosystem{129} and its keys are not precisely comparable to DES keys, but even so the problem was far harder than breaking DES's 56-bit key.{130}

3. How to Achieve Better Security

One solution to the aging DES problem may be to switch to "triple-DES." As the name suggests, in triple-DES a message is processed with DES three times, although the middle step is a decryption (with a different key) in order to make the final product [Page 741]compatible with regular DES.{131} The advantage of using triple-DES rather than a single 56-bit encryption is that messages remain more compatible with existing equipment; the disadvantages are a loss in speed, a need to revise existing software and hardware, inelegance, and some lingering uncertainty as to its safety.{132} NIST has been silent on the security (or lack thereof) of triple-DES. The NSA has not disclosed whether it considers triple-DES insecure, too secure, or neither.{133} It may be that the NSA has been silent on triple-DES in the hopes that it will be elbowed out of the market by "escrowed" encryption products such as Clipper. Triple-DES is probably very hard to break; breaking through Clipper's protections will involve no (computational) effort for authorized persons because the government will keep a copy of the keys.{134}

[Page 742]A second solution, applicable only to time-sensitive information, is to change DES keys very frequently. If a new DES key is used for every message, by the time the attacker figures out the old key, it is too late. Of course, this solution does not work for things that need to be kept secret for long periods of time. It also requires that parties to communication have some way to agree on a continuing supply of new keys which, by definition, they cannot do on the insecure channel which requires the encryption in the first place.{135}

A third solution is to abandon DES, in whole or in part, and try something new. The U.S. government has selected a replacement for DES that involves escrowed encryption using a new algorithm called SKIPJACK. The government has indicated that it hopes U.S. users of cryptography will adopt this option.


To table of contents