Alternative Cryptography Policy Options
Dr. Phillip Hallam-Baker
Executive Summary
Declare Victory
The demand for enterprise key recovery systems is now recognized independently of government pressure. Commercial key recovery systems are now available and to this extent the administration can fairly claim that its stated goals have been realized. Further pressure is unnecessary and counter-productive.
Recommended: Administration should declare that the goal of ensuring widespread availability of key recovery systems has been met.
Exploit Traffic Analysis
The ability to conduct traffic analysis represents a more important police resource than the ability to conduct content analysis. Traffic analysis allows networks of conspirators to be identified even when encryption is employed.
Recommended: Administration should establish a program to examine the use of traffic analysis for law enforcement purposes.
Ensure Establishment of Secure Internet Infrastructure
The Internet will play a vital role in the new economy, and it is a vital national security interest that this infrastructure be secure against information warfare attack. The administration's use of export controls to limit the use of cryptography is not achieving its intended aim but is compromising the integrity of the emerging Internet infrastructure.
Recommended: Administration should cease applying export controls to commercial applications incorporating cryptography.
Introduction
Independent of the political ends sought there are two approaches to politics. The idealist insists on means that are consistent with the ends even if they are counter-productive while the pragmatist insists that the only basis on which to evaluate the desirability of policy is on the effect achieved.
The idealist case for an end to cryptography controls is easy to argue: that privacy is an essential human right; that the purpose of government is to protect individual liberty; and that therefore the government has no 'right' to control the use of cryptography. Such arguments do not speak to those who do not already believe in the correctness of the conclusion, however, and are thus unpersuasive.
The pragmatic case for control over the use of cryptography is made in an equally straightforward fashion. Criminal organizations exist which pose a threat to liberty. It is a pragmatic fact that citizens are less free in societies run by terrorists and dealers in illegal drugs, as the (admittedly extreme) examples of Lebanon and Colombia demonstrate.
It is not sufficient for a pragmatic policy to merely conclude that the government 'must attempt' action in the face of such a threat. A pragmatic policy can only be justified by the likelihood of a better outcome.
People behave differently when they know they are being watched. For this reason any government action which reduces individual privacy represents a shift in the balance of power between people and government.
For systematic invasion of individual privacy to be justified it is necessary for the government to demonstrate that this results in a better outcome. It is not sufficient for the government simply to state that it is undesirable for criminals to have access to cryptographic apparatus and on those grounds alone to make use of such apparatus illegal. What the government must demonstrate is that the controls will be effective: that criminals will be denied access to cryptographic apparatus and that this will in turn improve the effectiveness of law enforcement, or that foreign surveillance targets will not obtain effective encryption systems from other sources.
Introduction
The Terms of Debate
Public debate on the issue of government control over the use of cryptography has been characterized by accusation and mutual hostility. Those believing themselves to be the guardians of National Security are not inclined to compromise, nor are those believing themselves the guardians of Civil Liberties.
Both sides accept that technology has dramatically altered the balance of power between government and people. Law enforcement sees the loss of a major investigative tool. Civil libertarians see technology dramatically extending government powers to an unprecedented and dangerous degree.
As we later see, all parties are agreed that the current situation is undesirable, yet no compromise is possible within the current terms of debate. A resolution depends therefore on the defeat of one side or the other or in a change to the terms of debate.
Ensuring the Effectiveness of Law Enforcement
In this paper we seek to address a different formulation of the problem. Instead of looking to prevent access to technology that might compromise the effectiveness of law enforcement we look to ways of preserving the effectiveness of law enforcement despite the inevitable proliferation of technology.
Encryption provides a means of hiding the content of communications, but computing also makes possible the automatic analysis of intercept material, allowing far broader use of intercepts. Improving voice recognition technology and the trend towards machine readable forms of communication such as e-mail dramatically reduce the cost of intercepts. At present the use of intercepts is severely limited by cost, restricting its use almost exclusively to narcotics, gambling and racketeering (95% of intercepts in 1997). As the cost of intercepts decreases the routine use of intercepts becomes both possible and probable.
The International Dimension
It is a curious fact that although administration policy depends crucially on an export policy, it is justified almost exclusively in terms of domestic policy goals. To the extent that the administration policy has an international dimension it consists of strenuous efforts to obtain public support from other governments, support which, with a handful of exceptions (China, Singapore, France), has been withheld if not denied.
No government can expect to control information provided via the Internet without at a minimum active support from other governments. Even then it is doubtful that control would be very effective. Foreign governments are unlikely to agree to controls unless they believe that they will have equal rights to conduct intercepts and that the US will not use an intercept capability to conduct commercial or other forms of espionage.
If the administration cannot win the domestic argument and assure its own citizens of its integrity there is little chance its argument will be convincing abroad.
The Effect of Administration Policy
"The reality is that encryption products are rapidly multiplying in the global market; our policy, ironically, encourages the growth of foreign products at the same time it retards growth here." - Commerce Secretary Daley.
The administration has certainly delayed the availability of strong cryptography and ensured that until recently it has only been available to the most determined users. Despite these efforts, products using strong cryptography to ensure confidentiality are available in shrink-wrap form from standard retailers. What has not reached the market, however, are products ensuring the integrity of the Internet infrastructure generally, an infrastructure on which the US economy is increasingly dependent. The threat of information warfare attacks is now both serious and real, as the President himself acknowledged in a recent address to the Naval Academy.
The cost of this policy has been to deny the administration an effective role in the development of commercial cryptography. To the extent that it is continuing to affect the development of Internet standards it is encouraging the development of systems which are as resistant as possible to its objectives. A significant fraction of the developer community considers government mandated escrow as simply another form of attack which the system must be secured against.
In addition to rendering mandatory escrow controls increasingly impractical, these efforts are creating a technology infrastructure whose principal purpose is to ensure privacy at all costs rather than an optimal architecture for electronic commerce.
Secure E-mail
The principal example of this trend is the market success of PGP, an email security program whose principal goal is to provide confidentiality. Unlike the comprehensive X.509, PGP does not address the legal implications of public key infrastructure such as the non-repudiation of digitally signed messages in a legal context, nor are the legal liabilities of trust providers considered. The design is, however, highly resistant to government mandates and is successful for that reason.
The design goal of PGP is to maximize privacy within a particular community of users; it is not designed to provide a social and legal infrastructure based on public key cryptography which constitutes a global system of trust. The administration's role in creating and popularizing PGP cannot be overstated. The enforcement of export controls made it inevitable that those who designed products to defeat them were indifferent to legal constraints of all sorts. The climate of intimidation created by the prosecution of Phil Zimmermann made the success of PGP inevitable. As a direct result of administration policy an email security product which is far better suited for use by a small band of conspirators than as a basis for global electronic commerce has established a substantial user base.
Key Escrow
The administration has attempted to promote key escrow as a compromise between the interests of law enforcement and civil liberties. As is later demonstrated, however, this does not represent a compromise as such between the interests of the two parties, but rather the extension of unacceptable and unrealistic constraints to domestic use of cryptography.
Far from promoting the adoption of commercial key escrow systems the continuing threat of government mandates discourages it. Nor are such mandates made any more acceptable by being described as ‘voluntary’ if they are to be enforced by withholding of government licensing as proposed by Senate bill S.909.
A commercial provider of key escrow systems must establish a viable business model. As with the provision of any service where the consequences of error are serious, the ability to control risk is central to the economic viability of such a service. Law enforcement mandates which make immediate access to escrowed keys possible without the knowledge of the party purchasing the service require a key escrow agent to accept very significantly greater risks and seriously compromise the ability to control them effectively.
A commercial key escrow agent requires the flexibility to establish whatever controls safeguarding the release of escrowed keys are appropriate to the specific application. Furthermore a key escrow agent requires the ability to limit the scope of use of escrowed keys in order to ensure that they are not employed for purposes which carry unacceptable risk or for which key escrow is not appropriate.
For example, for reasons discussed later there is no commercial requirement to escrow keys used to authenticate legally binding contracts. The risk of escrowing such a key is high, since a party attempting to repudiate a contract might seek to claim that the key escrow agent had fraudulently created the signature. The key escrow agent is therefore potentially a party to any litigation arising from the use of the escrowed keys, however vexatious. In addition there is the real risk that a corrupt escrow agent might indeed abuse her trust in this manner.
While S.909 could be amended so that it only mandated the escrow of keys used for encryption, to do so would defeat its purpose. Protocols providing secure confidential communications which rely on the existence of pre-established signature keys alone are already in use. Parties which have established signature keys may readily use them to exchange encryption keys using the perfect forward secrecy protocol described in a later section.
Is Control of Cryptography Practical?
Control proponents argue that the widespread dissemination of knowledge about cryptography is not the same as the widespread availability of cryptographic products. For a cryptographic product to be secure it is essential for the implementation to be flawless, a goal that the computer industry has yet to meet with respect to any moderately complex commercial product.
This argument is strong insofar as the US is the world's leading supplier of software products. The US is not, however, the only supplier of computer software, and even in the US not all software engineers are US nationals. The concern of many software producers is that continued export control regulations will give foreign competitors an advantage. Nobody seriously disputes the ability of foreign nationals to produce effective cryptographic products except insofar as the administration is forced to do so to avoid ending ITAR controls.
Table 1 Availability of applications incorporating strong cryptography outside the US

| Application | Standard(s) | Foreign products |
|---|---|---|
| Secure email | PGP | PGP international, compiled from code exported in OCR format |
| Secure Web server | HTTP, SSL | Stronghold (C2net, development in Anguilla) |
| Secure payments | SET | CyberCash (development in India) |
| Internet Firewall/Secure Gateway | IPSEC | CheckPoint (Israel) |
| Secure Web Client | SSL (128 bit) | Opera (Norway) |
| Cryptographic Toolkit | X.509v3, PKIX, PKCS, SSL, S/MIME | SecuDE (Germany) |
| Enterprise security | X.509v3, PKIX, S/MIME | Entrust (Canada) |
It is not the mere proliferation of cryptographic products which is the threat, however, but rather the ability of illegal organizations to communicate confidentially. This is a relatively weak requirement which does not require anything like the sophistication of a commercial product designed to ensure secure communication between parties who do not have an established trust relationship.
Despite the cold war origin of the export control regime, the NATO powers themselves intentionally shared the knowledge of public key based cryptography techniques with the U.S.S.R. The proliferation of nuclear weaponry meant that it was in the interests of all the nuclear powers to ensure that each had access to technology that allowed accidental or unauthorized attacks to be prevented. This technology is based on essentially the same public key cryptography techniques as are now employed in commercial systems. The recent emergence of two additional declared nuclear powers and the continued ambitions of others means that pragmatic politics may require similar technology transfers in the future.
Stakeholder Analysis
Control Proponents
Historically the main proponent of cryptography controls has been the National Security Agency (NSA). The current export control regime has developed out of the NSA's objective of compromising the encryption systems used by its foreign adversaries, a role which naturally leads to an NSA interest in preventing foreign nationals obtaining encryption systems stronger than they can break.
From 1991 the NSA has played a diminishing role in the public debate concerning the use of cryptography and the FBI has emerged as the main public proponent of control. While the reasons behind this change are not fully known to the public at the present time, Clinton Brooks, advisor to the director of the NSA, reports initiating concern at the FBI. As a result there is a continuing public perception that FBI policy is more representative of (possibly obsolete) NSA interests than of its own.
It is not known whether the change in presentation represents a diminishing interest on the part of the NSA, a preference for its case to be put by another party or a preference to avoid debate of any kind on the subject. Certainly it does not serve the interests of the NSA for cryptography to become the subject of an active political controversy. Whether the battle for domestic controls is won or not, controversy alerts foreign users to the risks of weak cryptography.
Liberalization Advocates
The political outlook of many liberalization advocates is a more or less absolutist interpretation of Benjamin Franklin's motto: "They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." The typical liberalization advocate has one or more degrees, is employed as a computer security expert and is most unlikely to be persuaded by pragmatic political concerns.
Cryptography Vendors
Cryptography vendors are the party most directly affected by export control restrictions and it is this party with which the administration has spent most effort attempting to negotiate a compromise. In practice, however, no cryptography vendor is willing to forego the US market to boost export sales, and in any case their dependence on liberalization advocates to produce a product is significant.
The Constraints of Technology
Administration cryptography policy is frequently criticized for ignoring the limitations of technology. Such criticism has equally frequently been met by accusations of deliberate obstruction on the part of technologists. While it is certainly the case that there is little sympathy for the administration's objectives in this quarter, their argument is only strengthened by demands to build the computer security equivalent of antigravity or perpetual motion machines.
The recent demands made with respect to key recovery systems by the director of the FBI are generally regarded as being irreconcilable in principle with the basic principles of good security design. To understand why this is the case it is necessary to explain the technology in some detail.
In particular we show that the needs of a security system to support ubiquitous Internet commerce are very different from the needs of illegal organizations. The cornerstone of enabling secure Internet commerce is creating trust between parties whose only interaction is through the Internet. This objective is considerably harder to realize than merely enabling confidential communications between conspirators which have already established a trust relationship.
Simplicity, Least Risk, Systematic Suspicion
Perhaps the most important principle of good network security design is simplicity. Whatever the theoretical merits of a system its security in practice depends on the security of actual implementations. The more complex a design, the greater the possibility of an overlooked weakness or faulty implementation.
In practice most network security systems are considerably more complex than the designers would ideally like. In most cases the principle of layered abstraction is employed to render the system comprehensible. The term abstraction is used in its original sense of ignoring unnecessary detail. Complex protocols are rendered comprehensible through use of a protocol stack in which each layer performs a specific function which may be relied upon by higher layers.
The principle of least risk is essentially a generalization of the traditional security concepts of need to know and least privilege. Both these traditional doctrines may be summarized as not taking a risk unless there is a good reason for doing so. Applying the principle of least risk, the designer of a network security protocol attempts to construct systems that may be proven to eliminate certain risks.
Finally a network security designer must take account of the possibility that any party placed in a position of trust will abuse it. The most significant threat to a security system in most cases comes from within, as the recent cases of Nick Leeson and Aldrich Ames demonstrate.
Techniques
Digital Signatures
Digital signatures are a method of authenticating a document. Essentially a digital signature is a form of 'checksum', that is, a value that attests to the integrity of the document. A digital signature has three special properties: first, creation of the signature requires secret knowledge but verification of the signature does not; second, any change to the document that has been signed causes verification of the signature to fail; third, the secret knowledge required to create a signature cannot be obtained from any public information such as signatures created with those keys.
Public key signature techniques employ pairs of keys, a private key used for creation of signatures and a public key used for verification. As their names imply, an individual's private key must be kept secret while the corresponding public key may be made public.
For digital signatures to provide an effective basis for Internet commerce a secure means of determining an individual's public key is necessary. Such a means is known as a Public Key Infrastructure (PKI) or a system of trust. The basic principle of a PKI is that one or more parties act as trust providers, providing signed statements concerning the holdership of particular public keys.
Encryption
Public key encryption techniques also employ pairs of private and public keys. A message encrypted under the public key may only be decrypted using the private key. Public key encryption allows a confidential message to be sent to a party without prior arrangement. All that is required is knowledge of the public key.
Public key cryptography is relatively slow compared to traditional symmetric key cryptography (in which the same key is used to encrypt and decrypt). For this reason most cryptographic systems combine the two techniques. The message itself is encrypted using traditional symmetric key cryptography under a randomly chosen session key. The session key is then encrypted under the public key of the recipient. Another advantage of this technique is that the same session key may be encrypted for additional recipients without having to re-encrypt the message itself.
Key Splitting
Key splitting is a mechanism which allows the private component of a public key pair to be shared amongst a group of people. In a simple threshold scheme n out of m key shares are required to re-assemble the private key (e.g. 3 out of 5). Other more complex schemes allow different key holders to be given different voting weights (e.g. president and one chief of staff, or three chiefs of staff alone). Amongst other things this technique is used to enforce launch controls on nuclear weapons.
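As an added example (not from the paper), the threshold and weighted schemes just described, implemented as Shamir secret sharing over a prime field with the standard library only; the secret stands in for a private key encoded as an integer, and the weighted case reuses the paper's president and chiefs-of-staff scenario by issuing the president two shares.

```python
# Added example: threshold key splitting (Shamir secret sharing), stdlib only.
# The secret is the constant term of a random polynomial over a prime field;
# each share is one point on it.  Any `threshold` points recover the constant
# term by Lagrange interpolation; fewer points reveal nothing about it.
import secrets

PRIME = 2**127 - 1   # Mersenne prime; all arithmetic is modulo PRIME


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):      # x = 0 is never issued: that point IS the secret
        y = 0
        for c in reversed(coeffs):      # Horner's rule
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the supplied (x, y) points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def weighted_split(secret, weights, threshold):
    """Give each named holder several shares so that 'votes' can be weighted.

    With weights {"president": 2, "chief_a": 1, "chief_b": 1, "chief_c": 1}
    and threshold 3, the president plus one chief of staff suffices, and so do
    three chiefs of staff alone, but neither the president alone nor two chiefs.
    """
    points = split_secret(secret, threshold, sum(weights.values()))
    issued, pos = {}, 0
    for holder, weight in weights.items():
        issued[holder] = points[pos:pos + weight]
        pos += weight
    return issued


def launch_control_demo(secret=0xC0FFEE):
    """Return (president+chief ok, three chiefs ok, president alone ok, two chiefs ok)."""
    s = weighted_split(secret, {"president": 2, "chief_a": 1, "chief_b": 1, "chief_c": 1}, 3)
    return (
        recover_secret(s["president"] + s["chief_a"]) == secret,
        recover_secret(s["chief_a"] + s["chief_b"] + s["chief_c"]) == secret,
        recover_secret(s["president"]) == secret,
        recover_secret(s["chief_a"] + s["chief_b"]) == secret,
    )
```

With fewer than `threshold` shares the interpolated value is a uniformly random field element, so the "president alone" and "two chiefs" cases fail except with probability about 2^-127.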
Related Technology
Smartcards
Smartcards consist of a microprocessor chip embedded in a plastic card the size and shape of a traditional credit card. Two types of smartcards are in current use, contact and contactless. A contact card communicates with card reader devices through a contact grid approximately 1 cm² in size. Contactless cards communicate with card reader devices through a small inductive loop antenna which also supplies the chip with power.
A principal use for smartcards is the storage of private keys. Ideally such a card is capable of performing private key cryptographic operations on the card so that there is no need to provide a means of extracting the private key from the card. At present, however, cards of this type are considerably more expensive ($30 as opposed to $1) and in short supply. The introduction of Windows NT 5.0 later this year is expected to lead to a significant increase in demand for smartcards and cause prices to fall. The security scheme employed in Windows NT 5.0 relies heavily on public key cryptography to provide security, and users are encouraged to consider smartcards as the technology of choice for securing individuals' private keys.
If a smartcard fails, all information encrypted under the private key stored on it is lost unless another copy of the key exists somewhere. Commercial demand for key recovery systems is largely motivated by the use of smartcards.
Biometrics
It is important to note that cryptography is not the only technology of relevance to information security. Biometrics identify an individual on the basis of some physical characteristic unique to that person such as appearance, voice or odor.
The principal biometric techniques considered practical at the present time include fingerprint, iris and handwriting recognition. Proposals to exploit DNA matching, retina scanning and body odor are unlikely to gain user acceptance outside military and forensic applications. The success of voice recognition for identification purposes is likely to be dependent on the success of voice recognition generally.
The principal advantage of using biometric techniques in addition to public key cryptography is that they provide a higher level of individual accountability than public key cryptography alone. An individual might seek to deny authoring a digital signature by claiming to have lent their smartcard token and password to another employee. Biometrics are of relevance to law enforcement for the same reason, providing stronger evidence of an individual's participation.
Biometrics offer little security without the use of public key cryptography to bind the identification of an individual to a particular document, however, and hence it is likely that biometrics will be most widely used as an enhancement to public key techniques rather than as a replacement. Ginnie Mae is currently conducting a trial which combines public key signatures with dynamic recognition of handwritten signatures.
A Web of Trust
As previously noted, the effectiveness of public key cryptography depends on the trustworthiness of public keys. Even the strongest public key algorithm provides no security if messages are encrypted to private keys held by an attacker.
The problem of developing a system of trust is much harder for legitimate users than for illegal organizations. An illegal organization is not so much concerned with establishing the identity of a member as their reliability, and membership numbers are typically small. The needs of a system of trust to support the patterns of promiscuous trust typical of Internet commerce are considerably more complex in comparison. Such a system relies in part upon identity, since disputes cannot otherwise be referred to a court of law. Such a system must be able to support hundreds of thousands of users if it is to meet the internal needs of modern corporations. A system to meet the needs of the Internet as a whole must support hundreds of millions of users.
Furthermore the commercial needs for secure communications are largely driven by concerns about integrity, not confidentiality alone. A commercial enterprise receiving a digitally signed contract is concerned that the contract be enforceable in a court of law.
The complexity and sophistication of commercial cryptography products does not lie in the strength of the cryptographic apparatus employed but in the ability to establish trust between parties which have no other connection.
Certificate Authorities
The linchpin of any system of trust is its trust providers. In the PGP model all users are also trust providers; in the X.509 model this role is performed by specialists called Certificate Authorities.
The original X.509 model assumed that Certificate Authorities would be government or quasi-government entities. A deeper understanding of the problem has led to the conception of Certificate Authorities as commercial trust providers, which like any commercial entity must have a viable business model.
A Certificate Authority issues digital certificates, that is, signed assertions which in most cases concern the holder of a particular private key. A VeriSign Class 3 SSL certificate, for example, asserts that documentary proof has been presented which demonstrates that the holder is a bona fide commercial entity. The effect of this assertion is that a consumer may provide a credit card number to an online merchant with a degree of security which is roughly equivalent to that of a transaction in a store. An Authenticode certificate asserts that the holder is a bona fide software vendor which has undertaken to ensure that its product is virus free. A Trust-e certificate asserts that the holder has undertaken to respect the privacy of personal data provided to it.
It has taken over a decade for the legal liabilities of Certificate Authorities to be understood well enough for operation of a commercial CA to be viable. A Certificate Authority uses three principal strategies to control liability: warranting the process of establishing identity as opposed to the outcome, establishing contractual limits on liability and providing insurance against loss.
Key Escrow and Recovery
Cryptography provides the 'locks' of cyberspace. As with conventional locks it is occasionally necessary to open a lock when the key is lost. This is especially important when the locks in question are to all intents and purposes unbreakable. Key Escrow is a means of storing a copy of a cryptographic key in a manner that allows later Key Recovery if and only if certain criteria are met.
As discussed earlier a commercial key escrow agent requires the ability to determine operating procedures on the basis of sound business practices. The development of commercial suppliers of key escrow services is not served by allowing the demands of law enforcement to trump all other considerations.
By taking as its reference point a telephone intercept law enforcement has demanded exceptional access which is immediate and transparent. The demand for access within one hour effectively means an escrow agent must employ an online key recovery center with minimal controls safeguarding access to keys.
A better metaphor is to compare key escrow to a bank vault, access to which may be guarded by a timer and by the use of multiple locks whose keys are kept by more than one individual. Law enforcement may obtain a court order to obtain access to the contents of such a vault, but it is entirely unreasonable to require a backdoor to be created for their own unobserved use. Not only would such a backdoor add to the cost of the vault, it would compromise the integrity of the vault itself.
The designer of a commercial key escrow system applies essentially the same design principles as the designer of a bank vault. Wherever possible unnecessary risks are avoided. Where a risk is unavoidable, controls are employed to mitigate it. Table 2 summarizes the principal risks associated with the type of architecture required to meet demands made by law enforcement.
Table 2 Risks of key recovery functionality

| Facility | Commercial Risks | Comment |
|---|---|---|
| Online key recovery | Network attack | Defense against network attack is very expensive |
| Transparent recovery | Defeats accountability controls | Compromises integrity of system |
| Signature key recovery | Fraud on part of escrow agent | Escrow of signature keys rarely required |
| Law enforcement access | Corrupt government employees | |
The cost of establishing a high security computing facility is very substantial, typically between $4 and $5 million. In addition to requiring a high level of physical security, operation of such a system requires a considerable number of highly trained and trusted personnel. While such facilities are of course essential for a commercial key escrow agent offering a service to third parties, a self escrow system would meet the minimal security needs of many enterprises at minimal cost.
Commercial Trusted Third Parties such as Key Escrow Agents and Certificate Authorities typically perform rigorous background checks on all employees prior to employment and at regular intervals throughout their employment. In addition they design their systems to ensure each individual is accountable for their actions. Even if it is never used, the very existence of a backdoor weakens the effectiveness of the accountability controls employed and thus the value the commercial key escrow agent provides.
It is not unreasonable therefore for such Trusted Third Parties to consider government employees at least as untrustworthy as their own staff. A typical trusted employee is paid a premium salary on the Confucian principle that those who are well paid are less likely to accept bribes.
Perfect Forward Secrecy
A common misunderstanding amongst non-cryptographers is to confuse encryption and signature techniques with the objectives of achieving confidentiality and integrity. While such a correspondence exists in the simplest protocols such as secure email, more sophisticated protocols regard both techniques simply as tools to be used to achieve the broader objective of establishing a system of trust.
Perfect Forward Secrecy represents an example of a property desirable in such a system of trust. As previously discussed, most sophisticated public key protocols involve two sets of keying material: long term keys that represent the system of trust and short term session keys used to establish security for particular communications. All secure communication protocols have the property that a compromise of a session key does not compromise any long term keys. A protocol has the additional property of perfect forward secrecy if a compromise of a long term key does not compromise the short term key.
Note that despite the fact that Alice and Bob establish a confidential connection, they do so using their signature keys. The advantage of using a protocol of this type is that it is highly resistant to attack. Even if an attacker were to compromise either party's long term signature key, this would only allow them to induce the other party to enter into a new conversation; it would not allow any previous conversation to be decrypted. Each time the parties exchange keys the cryptographic equivalent of a fire gap is created. Even if an attacker were able to decrypt one communication session this would provide no advantage in decrypting earlier or later sessions.
While it is not difficult to design a version of the protocol which supports exceptional access, it is not feasible to do so in a way which preserves the perfect forward secrecy property. Consider the case in which Bob encrypts each session key x under an exceptional access key G. Doing so creates the common point of failure the entire protocol is designed to avoid. The only means of preserving the perfect forward secrecy property while supporting exceptional access is to enter into a parallel perfect forward secrecy exchange with the escrowed access agent. This is highly undesirable for reasons of both cost and reliability.
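The two variants described above, as an added illustration that is not part of the original paper: a signed ephemeral Diffie-Hellman exchange, with and without the session key x wrapped under an exceptional access key G. The DH group, the HMAC stand-in for the long term signature, and the XOR wrapping are toy choices made here so the example runs offline; they are not the paper's protocol.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman group (assumption): a 61-bit Mersenne prime so the
# arithmetic stays readable. A real deployment uses a standard large group.
P = 2**61 - 1
G_BASE = 3

def derive_session_key(shared_secret: int) -> bytes:
    # The short term key: a hash of the DH shared secret.
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()

def sign(long_term_key: bytes, message: bytes) -> bytes:
    # HMAC stands in for a signature with the long term key (assumption made
    # for brevity; a real protocol uses an asymmetric signature scheme).
    return hmac.new(long_term_key, message, hashlib.sha256).digest()

def escrow_xor(escrow_key: bytes, ga: int, data: bytes) -> bytes:
    # Toy encryption of a session key under the exceptional access key G:
    # a per-session pad derived from G and Alice's public value. Applying it
    # twice returns the original, so the same call wraps and unwraps.
    pad = hashlib.sha256(escrow_key + ga.to_bytes(8, "big")).digest()
    return bytes(x ^ y for x, y in zip(data, pad))

def run_session(alice_lt: bytes, bob_lt: bytes, escrow_key: Optional[bytes] = None):
    """Signed ephemeral DH. Returns (session_key, transcript seen on the wire).

    escrow_key=None gives the perfect forward secrecy exchange. With an
    escrow_key, Bob also ships the session key wrapped under G.
    """
    a = secrets.randbelow(P - 2) + 1          # Alice's ephemeral exponent
    b = secrets.randbelow(P - 2) + 1          # Bob's ephemeral exponent
    ga, gb = pow(G_BASE, a, P), pow(G_BASE, b, P)
    transcript = {
        "ga": ga, "sig_a": sign(alice_lt, ga.to_bytes(8, "big")),
        "gb": gb, "sig_b": sign(bob_lt, gb.to_bytes(8, "big")),
    }
    session_key = derive_session_key(pow(gb, a, P))   # equals pow(ga, b, P)
    if escrow_key is not None:
        transcript["escrowed"] = escrow_xor(escrow_key, ga, session_key)
    # a and b are discarded on return: nothing kept can recompute the secret.
    return session_key, transcript

def recover_from_transcript(transcript: dict, stolen: dict) -> Optional[bytes]:
    """What a recorded transcript yields to someone holding stolen keys.

    stolen may hold 'alice_lt' / 'bob_lt' (long term signature keys) and/or
    'escrow' (the exceptional access key G).
    """
    if "escrowed" in transcript and "escrow" in stolen:
        # One key, G, unlocks this session and every other escrowed session:
        # the common point of failure the forward secret design avoids.
        return escrow_xor(stolen["escrow"], transcript["ga"], transcript["escrowed"])
    # Long term signature keys only sign the public values; the transcript
    # holds g^a and g^b but neither exponent, so the session key is unreachable.
    return None
```

A compromised long term key would let the holder sign a fresh g^a and start a new conversation, exactly as the text says, but the recorded sessions stay sealed unless G exists.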
Law Enforcement Use of Wiretaps
The task of the police is to deter crime by catching criminals and bringing them to justice. 'Catching criminals' consists of detecting a crime, identifying suspects and apprehending them. 'Bringing them to justice' consists of obtaining convincing evidence of guilt admissible in a court of law.
The ability to comprehend communications between organized criminals is clearly an advantage in each of these tasks. The question is one of degree however. Democratic societies recognize that the needs of law enforcement must be balanced against the needs of civil liberties. A considerable number of malefactors could be imprisoned if the Fifth Amendment were abolished.
The use of wiretap evidence to detect crime is not at present legal in the US. Substantial evidence that a crime has occurred must be presented to the court in order to obtain authorization for an intercept.
The 1997 Report on Court-Authorized Intercepts (known as the ‘Wiretap Report’) lists only 569 federal and Y state wiretap authorizations. This represents even fewer investigations since 97 of the federal applications were listed as ‘related’.
As in previous years the majority of cases involved narcotics (%), which together with gambling and racketeering represented the overwhelming majority of applications. Despite frequent assertions that the ability to obtain wiretap evidence in kidnapping cases is critical, only four federal orders cite kidnapping as the offense specified, three of which were related to a single investigation and one of which was never installed. Terrorism is cited in only 2 cases, as is murder; the numbers of authorizations citing a principal offense of firearms (2) and bombing (1) are similarly negligible.
It is difficult to accept on the basis of these figures that the ability to conduct wiretaps represents a significant law enforcement capability with respect to the identification and apprehension of suspects.
The report states that XXX% of intercepts were ‘incriminating’, a term that is not defined. It is interesting to note however that a majority of ‘incriminating’ intercepts did not result in a conviction. The term ‘incriminating intercept’ appears to refer to an intercept which obtained information which was possibly incriminating, allowing the information to be recorded. Federal law requires investigators to cease listening to conversations which are not incriminating.
Only 33 of the orders authorized in 1997 resulted in one or more convictions. While the time taken to prosecute cases reduces this number, the report cites only 172 cases from previous years in which a conviction was obtained, a number which is artificially high because in many cases convictions occurred in more than one year.
The evidentiary value of wire intercepts is least impressive. The wiretap report does not report on the number of cases in which wiretap evidence led to a conviction, an inevitably subjective question. The report does report the number of cases in which the defense counsel introduced a motion to suppress evidence from an intercept however. Federal court rules require such a motion to be made at the initial trial stage if an appeal against the introduction of such evidence is to be allowed at a later stage. The exceptionally restrictive regime in which intercepts are admitted into evidence results in a substantial proportion of these motions being granted. As a result it is possible to infer the number of cases in which such evidence was introduced from the number of motions to suppress.
Of the 33 cases in which a conviction was obtained in 1997, a motion to suppress intercept information was made in only a single case, resulting in the conviction of 4 persons. The report also reports an additional 21 cases in which a conviction was obtained and a motion to suppress intercept evidence was filed. These cases resulted in the conviction of a total of 314 persons, but 171 of these persons had been convicted in previous years.
The total number of persons convicted in 1997 in a trial in which wiretap evidence was introduced by the prosecution is therefore only 147. This number is almost certainly greater than the number of persons actually convicted as a result of the intercept evidence.
It is not possible to substantiate the claim that the ability of law enforcement to intercept communication content is a unique capability whose loss would result in an explosion of crime. Infrequently used and less frequently effective, the interception of telephone conversations is simply one way in which an existing infrastructure has been employed for law enforcement purposes. The telephone system was never designed to support this capability. The evidence of the 1997 Wiretap Report does not suggest that the risk of allowing the Internet infrastructure to develop without interference is very high.
There are good reasons for believing that the emerging Internet infrastructure will be at least as adaptable to serve law enforcement purposes as the telephone network did. To do so will require the invention of new techniques to adapt to a very different environment however. Attempting to redesign the Internet to protect the continued effectiveness of traditional methods is futile.
Exploiting Traffic Analysis
As demonstrated in this report, the widespread availability of cryptographic apparatus means that any party with the desire to send a message to another in confidence can do so with little or no difficulty. What is not easily achieved however is disguising the fact that a communication took place. Furthermore even the most comprehensive proposals for Internet security such as IPSEC secure only the content of messages, not the message headers which provide routing information.
Traffic analysis is a well established intelligence tool. The history of World War II provides numerous examples of the use of traffic analysis by both sides and of the use of decoy techniques to misdirect the enemy. The effectiveness of decoy techniques is limited however, since this means no more than laying false trails. The genuine communications must form a subset of the whole.
Even today there are few cases in which the actual content of a communication is directly incriminating, the recent difficulties of the Speaker of the House of Representatives with respect to a cellular telephone call being perhaps the exception that proves the rule. Professional criminals acting with a guilty mind are rarely incapable of copying the style of circumlocution employed in second rate gangster movies. The use of evidence gathered from logs of telephone calls however is critical.
The importance of traffic analysis is clearly seen in the World Trade Center bombing case. Although this case is frequently cited by the FBI as demonstrating the effectiveness of wiretaps, the transcripts did no more than establish that calls had been made between Ramzi Yousef and Sheik Omar Abdel Rahman. The content of those conversations was described by New York Times reports as being "not incriminating" and containing "no references to violence". The intercepted communications were important because they established that Rahman and Yousef were known to each other.
The current administration policy carries the substantial and serious risk that the attempt to control cryptography will lead to defenses against traffic analysis, in particular the retrospective analysis made possible by examination of telephone logs.
Are There Technical Defenses Against Traffic Analysis?
It is at present theoretically possible to defend against a traffic analysis attack by use of an anonymous re-mailer such as the mixmaster re-mailers operated by members of the cypherpunks group. Such a re-mailer provides a cryptographically perfect means of getting lost in a crowd. In practice the number of persons using such re-mailers is too small for the 'crowd' to offer any camouflage.
There are however much larger crowds to become lost in, such as Usenet, the Internet news system. This is essentially a bulletin board system with a large number of access points and millions of users. Messages are communicated between Usenet access points using a flood fill algorithm, a mechanism which makes traffic analysis particularly difficult in addition to being hugely wasteful of resources.
It is the profligate manner in which Usenet employs network resources which leads to the difficulty of traffic analysis. Every message is sent to every access point regardless of whether anyone wishes to read it there or not. An infrastructure which only sent messages on to places where they were to be read would be considerably more efficient in addition to allowing traffic analysis. The increasing costs associated with Usenet mean that administration sponsorship of such a project is likely to be favorably received.
Compatibility of Commercial Key Escrow and Law Enforcement Demands
Although superficially similar, the requirements for exceptional access for law enforcement and enterprise purposes are very different. Law enforcement demands exceptional access to be prompt and transparent, that is, the party under surveillance should not be aware of the fact. An enterprise requires exceptional access to be secure and accountable.
These objectives are not compatible since the requirements of law enforcement can only be fully met by an online key recovery center providing 24 hour access to keys. Enterprise requirements for security and accountability are more effectively met by a system which employs key sharing to enforce authorization criteria for exceptional access. An enterprise is likely to prefer key share holders to be senior officers of the company.
If, as S.909 and the FBI director propose, key holders are to be obliged under penalty of imprisonment to provide access at an hour's notice 24 hours a day, however, the key holders are likely to be considerably more junior, if indeed any party is likely to be willing to accept the liability at all. While it is not necessarily the case that junior members of an organization are less trustworthy than their seniors, the existing powers of company officers are such that control of the enterprise key recovery system does not represent a significant increase in risk.
Despite describing its approach as 'voluntary', S.909 contains language requiring all licensed Certificate Authorities to require private keys to be escrowed. No distinction is made between signature and encryption keys. Nor does this clause take account of the fact that a large scale Certificate Authority infrastructure makes provision for different parts of the certificate issuing process to be performed separately. In most large scale infrastructures the administrative process of deciding whether a person has met the defined identification criteria is performed by a Registration Authority while the technical process of generating the certificates themselves is performed by a separate Issuing Authority.
Separation of functions in this manner has both security and economic advantages. For malfeasance to be undetected, both the issuing and registration authorities must collaborate. Such an arrangement is considerably cheaper to implement since the expensive resources of a single Issuing Authority may be shared amongst a large number of Registration Authorities.
The requirements imposed on the 'Certificate Authority' in S.909 are therefore highly undesirable. As stated it is not clear on which party they would fall, and provision of Certificate Authority services is deliberately tied to key escrow services, a situation many consider a dangerous concentration of power.
At a recent seminar at MIT an FBI spokesperson stated that he refused to believe that a technological compromise was beyond 'American ingenuity'. Such statements are as unhelpful as similar statements made by non-scientists with respect to the Strategic Defense Initiative. The problem does not lie in the technology but in the nature of the demands made.
The Value of Commercial Key Escrow to Law Enforcement
What value does a commercial key escrow facility offer law enforcement? Essentially a commercial key escrow facility means that there is an effective means of obtaining an escrowed key, albeit not necessarily as promptly or covertly as would be ideal for the purposes of law enforcement. Balancing these restrictions however is the fact that considerably more enterprises will establish such systems if they are voluntary and the enterprises are free to choose systems which meet their needs.
While it is not possible to state precisely what regime an enterprise would choose to adopt on a voluntary basis, nor to anticipate what procedures enterprises may adopt in response to their own, highly specific needs, a typical enterprise key recovery system would include:
The exceptional access afforded law enforcement under such a commercial escrow regime essentially meets law enforcement demands. Under normal circumstances law enforcement could reasonably expect a court order for exceptional access to a specific private key to be executed within the same day during normal business hours. Recovery of keys escrowed using key splitting techniques would require additional time to assemble the required quorum, but this too could normally be achieved within a few days.
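The key sharing arrangement referred to above and in the discussion of enterprise accountability, as an added example that is not part of the original paper: a threshold split of an enterprise recovery key among senior officers (Shamir secret sharing over a prime field), so that exceptional access requires an assembled quorum rather than a single online key. The field prime, the threshold and the approval hook are assumptions made for this illustration.

```python
import secrets

# Field prime (assumption): 2**127 - 1 is a Mersenne prime, large enough to
# hold a 16-byte recovery key. A toy choice for illustration, not a standard.
FIELD_PRIME = 2**127 - 1

def split_key(secret: int, threshold: int, holders: int):
    """Split `secret` into `holders` shares; any `threshold` of them rebuild it.

    Each share is (x, f(x)) for a random polynomial f of degree threshold-1
    with f(0) = secret, evaluated in GF(FIELD_PRIME). Fewer than `threshold`
    shares reveal nothing about the secret.
    """
    if not 1 <= threshold <= holders or not 0 <= secret < FIELD_PRIME:
        raise ValueError("bad threshold/holder count or secret out of range")
    coeffs = [secret] + [secrets.randbelow(FIELD_PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, holders + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x)
            y = (y * x + c) % FIELD_PRIME
        shares.append((x, y))
    return shares

def recover_key(shares) -> int:
    """Lagrange interpolation at x = 0 over the supplied quorum of shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % FIELD_PRIME
                den = (den * (xi - xj)) % FIELD_PRIME
        total = (total + yi * num * pow(den, -1, FIELD_PRIME)) % FIELD_PRIME
    return total

def authorize_recovery(shares, threshold: int, approvals):
    """Enterprise policy hook (hypothetical): release the key only on quorum.

    `approvals` lists the share indices whose holders (the senior officers)
    have approved this exceptional access request. Returns the recovered key,
    or None when the quorum is not met, so the caller can log the refusal.
    """
    presented = [s for s in shares if s[0] in approvals]
    if len(presented) < threshold:
        return None
    return recover_key(presented[:threshold])
```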
Where a commercial key escrow system departs from law enforcement demands is in its ability to guarantee exceptional access within a given time frame. Providing guaranteed service is an exceptionally costly process requiring considerably more equipment, additional staff and operational experience.
Policy Options and Likely Outcomes
Defending the Status Quo
All parties now recognize the status quo as undesirable, but for different reasons. Cryptography vendors are unable to compete effectively in foreign markets. Control proponents realize that to achieve domestic goals there must be domestic controls but seek to maintain export controls as their bargaining chip. Liberalization Advocates are even more opposed to domestic controls than to the current export regime; both are contrary to their objectives.
The proliferation of cryptographic systems both domestically and abroad makes continued inaction increasingly untenable. Arguably the point has already been reached where proliferation of strong cryptographic products which do not support exceptional access has rendered export controls ineffective. It is in the interest of Liberalization Advocates and Export Control Opponents to encourage such proliferation in order to render government policy moot.
The only positive element of the current situation is that the ability of the NSA to conduct commercial espionage is protected. Only a very small part of the US economy can benefit from such activities however and any advantages are far outweighed by the economic damage caused to cryptography vendors.
Attempt to Impose Domestic Controls
The principal difficulty of imposing domestic controls on the use of cryptography is that applications providing strong cryptography are already widely available. The likelihood of controls being observed by criminals is small. There is no likelihood of international controls being agreed.
If imposition of domestic controls were politically feasible it would have been attempted already. The political cost of attempting to impose domestic controls will be high, the chance of success small. It is unlikely that any legislation mandating use of key escrow, such as S.909 presently before the Senate, will pass this session. The longer domestic controls are delayed, the greater the proliferation of non-controlled products will be.
Despite advocating 'commercial key recovery' as the basis of its mandatory escrow proposal, the FBI has yet to find a credible commercial enterprise willing to offer a service which meets its needs. Those companies investing in key escrow systems are doing so for their own advantage, in spite of rather than as a result of government pressure. A significant number of Fortune 500 companies are already making significant investments in public key infrastructure. Each company making such an investment becomes a natural opponent of government mandated changes to that infrastructure.
Strategic Withdrawal
The final and preferred strategy option is to withdraw from attempts to control cryptography and instead concentrate on measures which do not require the active cooperation of opponents. Traffic analysis is considerably cheaper than communication intercepts, is considerably more difficult to evade and is less intrusive.
Acknowledgements
The author would like to thank Whitfield Diffie for agreeing to proof read this paper. My thanks also to Jock Gill for many helpful comments.
Phillip Hallam-Baker
Dr Phillip Hallam-Baker is Principal Consultant for VeriSign Inc., a leading supplier of products based on public key cryptography. In addition to playing a key role in the development of VeriSign's key recovery product, his consulting clients include Fortune 100 companies, major financial institutions and a government.
Before joining VeriSign, Dr Hallam-Baker played a leading role in the development of the World Wide Web. He holds a doctorate from the Nuclear physics department at the University of Oxford and a BSc. in Electronic Engineering from the University of Southampton.
This briefing paper represents the opinions of the author alone and does not necessarily represent policy of VeriSign Inc.
File Date: 5 June 98