Introduction to Cryptography and the Clipper Chip Controversy

Notes for 2/1/95 Wednesday Workshop lecture by Lorrie Cranor

Next week John Perry Barlow and Stewart Baker will be debating the future of cyberspace. It's hard to guess exactly what they will be talking about, but from past lectures and essays, I'm guessing that there will be some discussion of privacy and cryptography. And even if they don't discuss it, it's an interesting topic that you should all be aware of.

I am going to try to present to you facts about cryptography and a summary of the controversial issues surrounding its use in as non-biased a manner as possible. This may be difficult because I have strong opinions about some of these issues. But I would like you to think about these issues yourself and draw your own conclusions.

Much of the information in this presentation is taken from:

Codes, Keys and Conflicts: Issues in U.S. Crypto Policy. Report of a Special Panel of the ACM U.S. Public Policy Committee (USACM) June 1994.
The report can be obtained in various electronic formats from ACM's Internet host. Internet users can access the report through any of the following URLs:

Parts of this presentation were inspired by a tutorial at the March 1994 Computers, Freedom and Privacy Conference: "Everything you need to know about cryptography in just 60 easy minutes" by Matt Blaze. Blaze is the AT&T Bell Labs researcher who discovered a famous flow in the escrowed encryption standard in May 1994.

For additional information on encryption, check out the EP/CS142 encryption archive.

Who needs privacy?

Before we start discussing cryptography, let's talk about the reason it was invented in the first place: privacy.

Who needs privacy and why?

Can't the U.S. government be trusted to respect my privacy?

Although the U.S. government is generally known for respecting the privacy rights of American citizens, there are a number of documented instances where government officials have violated these rights:

Why is privacy more of a problem now than ever before

Online computer databases make it much easier than ever before for someone to piece together a composite profile of any American citizen. Twenty years ago you could collect information about someone by digging through public records scattered about the counties where they have lived or by hiring a private investigator; now you can obtain much of the same information in a matter of hours (or minutes if you know what you are doing) without leaving your home. Direct marketers are taking advantage of this to better identify potential customers.

Face-to-face communications can generally be made private, but telephone, cellular phone, postal mail, email, and radio are easily interceptable. This becomes more of a problem as virtual meetings, electronically transmitted and signed contracts, and electronic payments become the norm.

What can people do to protect their privacy? Only communicate in person, always use cash, or use cryptography.

What is cryptography?

Cryptography provides security for messages that must pass over communications channels that are not secure.

"Cryptography is the science of secret writing." -- Matt Blaze

Cryptography can provide:

Secret (or Private) Key Cryptography

The oldest form of cryptography -- dates back to at least Ancient Egypt.

The simplest form of private key cryptography can be found in cereal box "secret decoder rings."

All the parties who want to correspond secretly must have a copy of the secret key. This means that they must arrange to exchange the secret key in advance over a secure channel.

"In a well designed system:

-- Matt Blaze

The most popular implementation of private key cryptography is the Data Encryption Standard (DES).

A relatively new secret key system, IDEA, was developed three years ago by a Swiss graduate student and has a 128 bit key.

Public Key Cryptography

Solves private key cryptography's key distribution problem.

Proposed in the 1970s by Stanford researchers Diffie and Helman and realized by Rivest, Shamir, and Adelman as RSA.

Any message encrypted with a private key must be decrypted with the corresponding public key, and vice users publish one key and keep the other key secret.

RSA is "based on the idea that factoring really large numbers seems to be a hard problem." -- Matt Blaze

RSA is about 1000 times slower than DES, and is therefore usually combined with DES, IDEA, or another private key cryptosystem.


A Hypothetical Example: BlackNet

Excerpts from " Introduction to BlackNet" (A message distributed on the Internet in the fall of 1993. As far as I know nothing like BlackNet currently exists; however, everything in this message is possible)
Your name has come to our attention. We have reason to believe
you may be interested in the products and services our new
organization, BlackNet, has to offer.

BlackNet is in the business of buying, selling, trading, and otherwise
dealing with *information* in all its many forms.

We buy and sell information using public key cryptosystems with
essentially perfect security for our customers. Unless you tell us who
you are (please don't!) or inadvertently reveal information which
provides clues, we have no way of identifying you, nor you us.

Our location in physical space is unimportant. Our location in
cyberspace is all that matters. Our primary address is the PGP key
location: "BlackNet" and we can be contacted
(preferably through a chain of anonymous remailers) by encrypting a
message to our public key (contained below) and depositing this
message in one of the several locations in cyberspace we monitor....

BlackNet is nominally nondideological, but considers nation-states,
export laws, patent laws, national security considerations and the
like to be relics of the pre-cyberspace era. Export and patent laws
are often used to explicity project national power and imperialist,
colonialist state fascism. BlackNet believes it is solely the
responsibility of a secret holder to keep that secret--not the
responsibilty of the State, or of us, or of anyone else who may come
into possession of that secret. If a secret's worth having, it's worth


BlackNet can make anonymous deposits to the bank account of your
choice, where local banking laws permit, can mail cash directly (you
assume the risk of theft or seizure), or can credit you in
"CryptoCredits," the internal currency of BlackNet (which you then
might use to buy _other_ information and have it encrypted to your
special public key and posted in public place).


Join us in this revolutionary--and profitable--venture.

Cryptography and law enforcement

The telephone made it easier for criminals to make secret plans. Once law enforcement officers figured out how to wiretap they could intercept these plans. Cryptography could make secret communication easier for criminals again.

The Fourth Amendment provides safeguards for the security of our "persons, houses, papers and effects" against intrusion by the government.

Prior to 1968, the legality of wiretapping was questioned many times in the courts. In 1968 Congress decided to make the legality of wiretapping unambiguous by including wire tap provisions in the Omnibus Crime Control and Safe Streets Act:

The law enforcement community views wiretaps as essential:

There is no way to know whether evidence obtained through a wire tap is really what ultimately led to a conviction.

In 1993, the average cost of installing and monitoring a wire tap was $57,256.

There are an average of about 900 wire taps annually. About two-thirds are for drug cases.

Cryptography prevents law enforcement from listening in on criminals' communications -- even with a court order!

Cryptography and national security

The public availability of strong cryptography strengthens the U.S. economy by protecting the secrets of American businesses and making U.S. encryption products more desirable.

The public availability of strong cryptography allows foreign governments and terrorists to send communications that U.S. intelligence agencies cannot decipher.

Countries are somewhat successful at controlling the flow of people and tangible items across their borders. However, they are not as successful at controlling the flow of information across their borders, especially when that information is encrypted.

In order to protect all American communications, strong encryption must be widely available in the U.S. However, it is nearly impossible to make strong encryption widely available in the U.S. without making it available abroad as well. For example, despite efforts to prevent the export of DES, it is widely available around the world.

Export control

"The goals of U.S. export control policy in the area of cryptography are:
  1. to limit foreign availability of cryptographic systems of strategic capability, namely, those capable of resisting concerted cryptanalytic attack;
  2. to limit foreign availability of cryptographic systems of sufficient strength to present a serious barrier to traffic selection or the development of standards that interfere with traffic selection by making the messages in broad classes of traffic (fax, for example) difficult to distinguish; and
  3. to use the export-control process as a mechanism for keeping track of commercially produced cryptosystems, whether U.S. or foreign that NSA may at some time be called upon to break."

Export controls make it difficult or impossible for American software developers to market their encryption products abroad.

Private use of encryption technology is prohibited or restricted in several countries including France, Korea, Taiwan, and China. Thus, there is little or no market for U.S. encryption products in some foreign countries.

Products containing digital signatures but no cryptographic algorithms that conceal the content of communications are generally exportable.

Key escrow encryption

How can strong cryptography be made available to American citizens without risking its abuse by criminals, terrorists, and foreign governments?

Key Escrow: An encryption system in which one or more "escrow agents" hold copies of all encryption keys.

In April 1993 President Clinton announced the Escrowed Encryption Initiative, "a voluntary program to improve security and privacy of telephone communications while meeting the legitimate needs of law enforcement."

Clipper Chips are manufactured by one company -- Mykotronx. They are used in AT&T secure telephones.

Public response was overwhelmingly negative.

Despite the negative public opinion, on February 4, 1994, the Department of Commerce announced the approval of the Escrowed Encryption Standard as a voluntary Federal Information Processing Standard.

The Clipper Chip breaks messages up into chunks, encrypts each chuck, and adds a Law Enforcement Access Field (LEAF), before transmitting the message. Each encrypted and packaged chunk looks something like this (summarized from Denning's technical report):

diagram of Clipper Chip data packet goes here

F = Family key (common to all Clipper Chips) - 80 bits
N = serial Number of chip - 30 bits
U = secret key for chip - 80 bits
K = Key specific to particular conversation - 80 bits
M = the Message

Law enforcement officers who have a court order permitting them to intercept a phone conversation can decrypt the conversation using the following procedure:

In May 1994 Matt Blaze announced that he had found a flaw in EES. Blaze said he discovered a way to replace the LEAF with a bogus LEAF containing a different serial number. Although his technique is not fast enough to be useful for voice communication, it seems to succeed in defeating law enforcement access for other types of communications.

Although EES is a voluntary government standard, the NSA is hoping that everyone will buy Clipper products voluntarily because they will be less expensive than other encryption products. In addition, if an agency such as the IRS were to adopt EES, then anyone who wanted to file their taxes electronically would have to use it.

On July 20, 1994 Vice President Al Gore announced that the administration was backing down on SKIPJACK and its applications. He said they would still pursue the use of Clipper for voice and low speed data communications but would investigate other solutions for high speed data communications. There is still a lot of uncertainty as to what other solutions will be proposed.

Summary of major issues

Will EES solve a legitimate problem?

Are there other solutions to this problem?

Is EES likely to violate the privacy of American citizens?

Is EES likely to reduce foreign markets for American hardware and software products?

Can we afford to live with EES?

Can we afford to live without EES?