[Report Cover]

[Header all report pages: May 30, 1996, Prepublication Copy Subject to Further Editorial Correction]

Cryptography's Role in Securing the Information Society

Kenneth Dam and Herbert Lin, Editors

Committee to Study National Cryptography Policy
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council

National Academy Press
Washington, D.C. 1996

____________________________________________________________

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Harold Liebowitz is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. Harold Liebowitz are chairman and vice chairman, respectively, of the National Research Council.

Support for this project was provided by the Department of Defense (under contract number DASW01-94-C-0178) and the National Institute of Standards and Technology (under contract number 50SBNB4C8089).
Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Library of Congress Catalog Number 96-68943
International Standard Book Number 0-309-05475-3

Additional copies of this report are available from:

National Academy Press
2101 Constitution Avenue, NW
Box 285
Washington, DC 20055
800/624-6242
202/334-3313 (in the Washington Metropolitan Area)

Copyright 1996 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

____________________________________________________________

COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY

KENNETH W. DAM, University of Chicago Law School, Chair
W.Y. SMITH, Institute for Defense Analyses (retired), Vice Chair
LEE BOLLINGER, Dartmouth College
ANN CARACRISTI, National Security Agency (retired)
BENJAMIN CIVILETTI, Venable, Baetjer, Howard and Civiletti
COLIN CROOK, Citicorp
SAMUEL H. FULLER, Digital Equipment Corporation
LESLIE H. GELB, Council on Foreign Relations
RONALD GRAHAM, AT&T Bell Laboratories
MARTIN HELLMAN, Stanford University
JULIUS KATZ, Hills & Company
PETER G. NEUMANN, SRI International
RAYMOND OZZIE, Iris Associates
EDWARD SCHMULTS, General Telephone and Electronics (retired)
ELLIOT M. STONE, Massachusetts Health Data Consortium
WILLIS WARE, RAND Corporation

Staff

MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Study Director and Senior Staff Officer
JOHN M. GODFREY, Research Associate
FRANK PITTELLI, Consultant to CSTB
GAIL E. PRITCHARD, Project Assistant

____________________________________________________________

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

WILLIAM A. WULF, University of Virginia, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
DAVID CLARK, Massachusetts Institute of Technology
JEFF DOZIER, University of California at Santa Barbara
HENRY FUCHS, University of North Carolina
CHARLES GESCHKE, Adobe Systems Incorporated
JAMES GRAY, Microsoft Corporation
BARBARA GROSZ, Harvard University
JURIS HARTMANIS, Cornell University
DEBORAH A. JOSEPH, University of Wisconsin
BUTLER W. LAMPSON, Microsoft Corporation
BARBARA LISKOV, Massachusetts Institute of Technology
JOHN MAJOR, Motorola
ROBERT L. MARTIN, AT&T Network Systems
DAVID G. MESSERSCHMITT, University of California at Berkeley
WILLIAM PRESS, Harvard University
CHARLES L. SEITZ, Myricom Incorporated
EDWARD SHORTLIFFE, Stanford University School of Medicine
CASIMIR S. SKRZYPCZAK, NYNEX Corporation
LESLIE L. VADASZ, Intel Corporation

MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Staff Officer
PAUL D. SEMENZA, Staff Officer
JERRY R. SHEEHAN, Staff Officer
JEAN E. SMITH, Program Associate
JOHN M. GODFREY, Research Associate
LESLIE M. WADE, Research Assistant
GLORIA P. BEMAH, Administrative Assistant
GAIL E. PRITCHARD, Project Assistant

____________________________________________________________

COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS

ROBERT J. HERMANN, United Technologies Corporation, Chair
PETER M. BANKS, Environmental Research Institute of Michigan
SYLVIA T. CEYER, Massachusetts Institute of Technology
L. LOUIS HEGEDUS, W.R. Grace and Company (retired)
JOHN E. HOPCROFT, Cornell University
RHONDA J. HUGHES, Bryn Mawr College
SHIRLEY A. JACKSON, U.S. Nuclear Regulatory Commission
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
KEN KENNEDY, Rice University
THOMAS A. PRINCE, California Institute of Technology
JEROME SACKS, National Institute of Statistical Sciences
L.E. SCRIVEN, University of Colorado
LEON T. SILVER, California Institute of Technology
CHARLES P. SLICHTER, University of Illinois at Urbana-Champaign
ALVIN W. TRIVELPIECE, Oak Ridge National Laboratory
SHMUEL WINOGRAD, IBM T.J. Watson Research Center
CHARLES A. ZRAKET, MITRE Corporation (retired)

NORMAN METZGER, Executive Director

____________________________________________________________

Preface

INTRODUCTION

For most of history, cryptography -- the art and science of secret writing -- has belonged to governments concerned about protecting their own secrets and about asserting their prerogatives for access to information relevant to national security and public safety. In the United States, cryptography policy has reflected the U.S. government's needs for effective cryptographic protection of classified and other sensitive communications as well as its needs to gather intelligence for national security purposes, needs that would be damaged by the widespread use of cryptography. National security concerns have motivated such actions as development of cryptographic technologies, development of countermeasures to reverse the effects of encryption, and control of cryptographic technologies for export.

In the last 20 years, a number of developments have brought about what could be called the popularization of cryptography. First, some industries -- notably financial services -- have come to rely on encryption as an enabler of secure electronic funds transfers. Second, other industries have developed an interest in encryption for protection of proprietary and other sensitive information. Third, the broadening use of computers and computer networks has generalized the demand for technologies to secure communications down to the level of individual citizens and assure the privacy and security of their electronic records and transmissions. Fourth, the sharply increased use of wireless communications (e.g., cellular telephones) has highlighted the greater vulnerability of such communications to unauthorized intercept as well as the difficulty of detecting these intercepts.
As a result, efforts have increased to develop encryption systems for private sector use and to integrate encryption with other information technology products. Interest has grown in the commercial market for cryptographic technologies and systems incorporating such technologies, and the nation has witnessed a heightened debate over individual need for and access to technologies to protect individual privacy.

Still another consequence of the expectation of widespread use of encryption is the emergence of law enforcement concerns that parallel, on a civilian basis, some of the national security concerns. Law enforcement officials fear that wide dissemination of effective cryptographic technologies will impede their efforts to collect information necessary for pursuing criminal investigations. On the other side, civil libertarians fear that controls on cryptographic technologies will give government authorities both in the United States and abroad unprecedented and unwarranted capabilities for intrusion into the private lives of citizens.

CHARGE OF THE COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY

At the request of the U.S. Congress in November 1993, the National Research Council's Computer Science and Telecommunications Board (CSTB) formed the Committee to Study National Cryptography Policy. In accordance with its legislative charge (Box P.1), the committee undertook the following tasks:

+ Framing the problem. What are the technology trends with which national cryptography policy must keep pace? What is the political environment? What are the significant changes in the post-Cold War environment that call attention to the need for, and should have an impact on, cryptography policy?

+ Understanding the underlying technology issues and their expected development and impact on policy over time. What is and is not possible with current cryptographic (and related) technologies? How could these capabilities have an impact on various U.S. interests?

+ Describing current cryptography policy. To the committee's knowledge, there is no single document, classified or unclassified, within the U.S. government that fully describes national cryptography policy.

+ Articulating a framework for thinking about cryptography policy. The interests affected by national cryptography policy are multiple, varied, and related: they include personal liberties and constitutional rights, the maintenance of public order and national security, technology development, and U.S. economic competitiveness and markets. At a minimum, policy makers (and their critics) must understand how these interests interrelate, although they may decide that one particular policy configuration better serves the overall national interest than does another.

+ Identifying a range of feasible policy options. The debate over cryptography policy has been hampered by an incomplete analysis and discussion of various policy options -- both proponents of current policy and of alternative policies are forced into debating positions in which it is difficult or impossible to acknowledge that a competing view might have some merit. This report attempts to discuss fairly the pros and cons of a number of options.

+ Making recommendations regarding cryptography policy. No cryptography policy will be stable for all time. That is, it is unrealistic to imagine that this committee or any set of policy makers could craft a policy that would not have to evolve over time as the technological and political milieu itself changes. Thus, the committee's recommendations are framed in the context of a transition, from a world characterized by slowly evolving technology, well-defined enemies, and unquestioned U.S. technological, economic, and geopolitical dominance to one characterized by rapidly evolving technology, fuzzy lines between friend and foe, and increasing technological, economic, and political interdependencies between the United States and other nations of the world.

____________________________________________________________

BOX P.1 Legislative Charge to the National Research Council

Public Law 103-160
Defense Authorization Bill for Fiscal Year 1994
Signed November 30, 1993

SEC. 267. COMPREHENSIVE INDEPENDENT STUDY OF NATIONAL CRYPTOGRAPHY POLICY

(a) Study by National Research Council. -- Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall request the National Research Council of the National Academy of Sciences to conduct a comprehensive study of cryptographic technologies and national cryptography policy.

(b) Matters To Be Assessed in Study. -- The study shall assess

(1) the effect of cryptographic technologies on --

(A) national security interests of the United States Government
(B) law enforcement interests of the United States Government
(C) commercial interests of United States industry; and
(D) privacy interests of United States citizens; and

(2) the effect on commercial interests of United States industry of export controls on cryptographic technologies.

(c) Interagency Cooperation With Study. -- The Secretary of Defense shall direct the National Security Agency, the Advanced Research Projects Agency, and other appropriate agencies of the Department of Defense to cooperate fully with the National Research Council in its activities in carrying out the study under this section. The Secretary shall request all other appropriate Federal departments and agencies to provide similar cooperation to the National Research Council.

____________________________________________________________

Given the diverse applications of cryptography, national cryptography policy involves a very large number of important issues.
Important to national cryptography policy as well are issues related to the deployment of a large-scale infrastructure for cryptography and legislation and regulations to support the widespread use of cryptography for authentication and data integrity purposes (i.e., collateral applications of cryptography), even though these issues have not taken center stage in the policy debate. The committee focused its efforts primarily on issues related to cryptography for confidentiality, because the contentious problem that this committee was assembled to address at the center of the public policy debate relates to the use of cryptography in confidentiality applications. It also addressed issues of cryptography policy related to authentication and data integrity at a relatively high level, casting its findings and recommendations in these areas in fairly general terms. However, it notes that detailed consideration of issues and policy options in these collateral areas requires additional study at a level of detail and thoroughness comparable to that of this report.

In preparing this report, the committee reviewed and synthesized relevant material from recent reports, took written and oral testimony from government, industry, and private individuals, reached out extensively to the affected stakeholders to solicit input, and met seven times to discuss the input from these sources as well as the independent observations and findings of the committee members themselves. In addition, this study built upon three prior efforts to examine national cryptography policy: the Association for Computing Machinery report *Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy*,(1) the Office of Technology Assessment report *Information Security and Privacy in Network Environments*,(2) and the JASON encryption study.(3) A number of other examinations of cryptography and/or information security policy were also important to the committee's work.(4)

---------

(1) Susan Landau et al., *Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy*, Association for Computing Machinery Inc., New York, 1994.

(2) U.S. Congress, Office of Technology Assessment, *Information Security and Privacy in Network Environments*, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., September 1994.

(3) JASON Program Office, *JASON Encryption/Privacy Study*, Report JSR-93-520 (unpublished), MITRE Corporation, Reston, Va., August 18, 1993.

(4) These works include *Global Information Infrastructure*, a joint report by the European Association of Manufacturers of Business Machines and Information Technology Industry, the U.S. Information Technology Industry Council, and the Japan Electronic Industry Development Association (EUROBIT-ITI-JEIDA), developed for the G-7 Summit on the Global Information Society, GII Tripartite Preparatory Meeting, January 26-27, 1995, Brussels; the U.S. Council for International Business statement titled "Business Requirements for Encryption," October 10, 1994, New York; and the International Chamber of Commerce position paper "International Encryption Policy," Document No. 373/202 Rev. and No. 373-30/9 Rev., Paris, undated. Important source documents can be found in Lance J. Hoffman (ed.), *Building in Big Brother*, Springer-Verlag, New York, 1995; and in the cryptography policy source books published annually by the Electronic Privacy Information Center in Washington, D.C.

____________________________________________________________

WHAT THIS REPORT IS NOT

The subject of national cryptography policy is quite complex, as it figures importantly in many areas of national interest.
To keep the project manageable within the time, resources, and expertise available, the committee chose not to address in detail a number of issues that arose with some nontrivial frequency during the course of its study.

+ This report is not a comprehensive study of the grand trade-offs that might be made in other dimensions of national policy to compensate for changes in cryptography policy. For example, this report does not address matters such as relaxing exclusionary rules that govern the court admissibility of evidence or installing video cameras in every police helmet as part of a package that also eliminates restrictions on cryptography, though such packages are in principle possible. Similarly, it does not address options such as increasing the budget for counterterrorist operations as a quid pro quo for relaxations on export controls of cryptography. The report does provide information that would help to assess the impact of various approaches to cryptography policy, although how that impact should be weighed against the impact of policies related to other areas is outside the scope of this study and the expertise of the committee assembled for it.

+ This report is not a study on the future of the National Security Agency (NSA) in the post-Cold War era. A determination of what missions the NSA should be pursuing and/or how it should pursue those missions was not in the committee's charge. The report does touch lightly on technological trends that affect the ability to undertake the missions to which cryptography is relevant, but only to the extent necessary to frame the cryptography issue. At the same time, this report does address certain conditions of the political, social, and technological environment that will affect the answers that anyone would formulate to these questions, such as the potential impact on policy of a world that offers many users the possibilities of secure communications.

+ This report is not a study of computer and communications security, although of course cryptography is a key element of such security. Even the strongest cryptography is not very useful unless it is part of a secure *system*, and those responsible for security must be concerned about everything from the trustworthiness of individuals writing the computer programs to be used to the physical security of terminals used to access the system. A report that addressed system dimensions of computer security was the National Research Council report *Computers at Risk*;(5) this current study draws on that report and others to the extent relevant for its analysis, findings, and conclusions about cryptography policy.

+ This report is not a study of the many patent disputes that have arisen with respect to national cryptography policy in the past several years. While such disputes may well be a sign that the various holders expect cryptography to assume substantial commercial importance in the next several years, such disputes are in principle resolvable by the U.S. Congress, which could simply legislate ownership by eminent domain or by requiring compulsory licensing. Moreover, since many of the key patents will expire in any case in the relatively near future (i.e., before any infrastructure that uses them becomes widely deployed), the issue will become moot in any case.

+ This report is not exclusively a study of national policy associated with the Clipper chip. While the Clipper chip has received the lion's share of press and notoriety in the past few years, the issues that this study was chartered to address go far beyond those associated simply with the Clipper chip. This study addresses the larger context and picture of which the Clipper chip is only one part.

----------

(5) Computer Science and Telecommunications Board, National Research Council, *Computers at Risk: Safe Computing in the Information Age*, National Academy Press, Washington, D.C., 1991.

____________________________________________________________

ON SECRECY AND REPORT TIME LINE

For most of history, the science and technologies associated with cryptography have been the purview of national governments and/or heads of state. It is only in the last 25 years that cryptographic expertise has begun to diffuse into the nongovernment world. Thus, it is not surprising that much of the basis and rationale underlying national cryptography policy has been and continues to be highly classified. Indeed, in a 1982 article, then-Deputy Director of the Central Intelligence Agency Bobby R. Inman wrote that

[o]ne sometimes hears the view that publication should not be restrained because "the government has not made its case," almost always referring to the absence of specific detail for public consumption. This reasoning is circular and unreasonable. It stems from a basic attitude that the government and its public servants cannot be trusted. Specific details about why information must be protected are more often than not even more sensitive than the basic technical information itself. Publishing examples, reasons and associated details would certainly damage the nation's interests. Public review and discussion of classified information which supports decisions is not feasible or workable.(6)

Secrecy is a two-edged sword for a democratic nation -- on the one hand, secrecy has a legitimate basis in those situations in which fundamental national interests are at stake (e.g., the preservation of American lives during wartime). Moreover, the history of intelligence reveals many instances in which the revelation of a secret, whether intentional or inadvertent, has led to the compromise of an information source or the loss of a key battle.(7) On the other hand, secrecy has sometimes been used to stifle public debate and conceal poorly conceived and ill-informed national policies, and mistrust is therefore quite common among many responsible critics of government policy.

A common refrain by defenders of policies whose origins and rationales are secret is that "if you knew what we knew, you would agree with us." Such a position may be true or false, but it clearly does not provide much reassurance for those not privy to those secrets for one very simple reason: those who fear that government is hiding poorly-conceived policies behind a wall of secrecy are not likely to trust the government, yet in the absence of a substantive argument being called for, the government's claim is essentially a plea for trust.

In pursuing this study, the committee has adopted the position that some secrets are still legitimate in today's global environment, but that its role is to illuminate as much as possible without compromising those legitimate interests. Thus, the committee has tried to act as a surrogate for well-intentioned and well-meaning people who fear that the worst is hiding behind the wall of secrecy -- it has tried to ask the questions that these people would have asked if they could have done so.

Public Law 103-160 called for all defense agencies, including the National Security Agency, to cooperate fully with the National Research Council in this study. For obvious reasons, the committee cannot determine if it did not hear a particular piece of information because an agency withheld that information or because that piece of information simply did not exist. But for a number of reasons, the committee believes that to the best of its knowledge, the relevant agencies have complied with Public Law 103-160 and other agencies have cooperated with the committee. One important reason is that several members of the committee have had extensive experience (on a classified basis) with the relevant agencies, and these members heard nothing in the briefings held for the committee that was inconsistent with that experience.
A second reason is that these agencies had every motivation and self-interest to make the best possible case for their respective positions on the issues before the committee. Thus, on the basis of agency assurances that the committee has indeed received all information relevant to the issue at hand, they cannot plausibly argue that "if the committee knew what Agency X knew, it would agree with Agency X's position."

This unclassified report does not have a classified annex, nor is there a classified version of it. After receiving a number of classified briefings on material relevant to the subject of this study, the fully cleared members of the committee (13 out of the total of 16) agree that these details, while necessarily important to policy makers who need to decide tomorrow what to do in a specific case, are not particularly relevant to the larger issues of why policy has the shape and texture that it does today nor to the general outline of how technology will and policy should evolve in the future. For example, the committee was briefed on certain intelligence activities of various nations. Policy makers care that the activities of nation X (a friendly nation) fall into certain categories and that those of nation Y (an unfriendly nation) fall into other categories, because they must craft a policy toward nation X in one way and one toward nation Y in another way. But for analytical purposes, the exact names of the nations involved are much less relevant than the fact that there will always be nations friendly and unfriendly to the United States. Committee members are prepared to respond on a classified basis if necessary to critiques and questions that involve classified material.(8)

As for the time line of this study, the committee was acutely aware of the speed with which the market and product technologies evolve.
The legislation called for a study to be delivered within 2 years after the full processing of all necessary security clearances, and the study committee accelerated its work schedule to deliver a report in 18 months from its first meeting (and only 13 months from the final granting of the last clearance). The delivery date of this study was affected by the fact that the contract to fund this study was signed by the Department of Defense on September 30, 1994.

----------

(6) Bobby Inman, "Classifying Science: A Government Proposal ... ," *Aviation Week and Space Technology*, February 8, 1982, p. 10.

(7) For example, following press reports of deciphered Libyan messages before and after a bombing in West Berlin in which an American soldier died, Libya changed its communications codes. A senior American official was quoted as saying that the subsequent Libyan purchase of advanced cryptographic equipment from a Swiss firm was "one of the prices [the United States is] paying for having revealed, in order to marshal support of our allies and public opinion, that intercepted communications traffic provided evidence that Libya was behind the bombing of the Berlin disco." See "Libyans Buy Message-Coding Equipment," *Washington Post*, April 22, 1986, p. A-8.

(8) The point of contact within the National Research Council for such inquiries is the Computer Science and Telecommunications Board, National Research Council, 2101 Constitution Avenue, N.W., Washington, D.C. Telephone 202-334-2605 or e-mail CSTB@NAS.EDU.

____________________________________________________________

A NOTE FROM THE CHAIR

The title of this report is *Cryptography's Role in Securing the Information Society*.
The committee chose this title as one best describing our inquiry and report -- that is, the committee has tried to focus on the role that cryptography, as one of a number of tools and technologies, can play in providing security for an information age society through, among other means, preventing computer-enabled crimes and enhancing national security. At the same time, the committee is not unaware of the acronym for this report -- CRISIS -- and it believes that the acronym is apt.

From my own standpoint as chair of the NRC Committee to Study National Cryptography Policy, I believe that the crisis is a policy crisis, rather than a technology crisis, an industry crisis, a law enforcement crisis, or an intelligence-gathering crisis.

It is not a technology crisis because technologies have always been two-edged swords. All technologies -- cryptography included -- can be used for good or for ill. They can be used to serve society or to harm it, and cryptography will no doubt be used for both purposes by different groups. Public policy will determine in large measure not just the net balance of benefit and loss but also how much benefit will be derived from constructive uses of this remarkable technology.

It is not an industry crisis, nor a law enforcement crisis, nor an intelligence-gathering crisis, because industry, law enforcement, and the intelligence establishment have all had to cope with rapid technological change, and for the most part the vitality of these enterprises within the nation is a testament to their successes in so coping.

But a policy crisis is upon the nation.
In the face of an inevitably growing use of cryptography, our society, acting as it must through our government as informed by the manifold forums of our free private processes, has been unable to develop a consensus behind a coherent national cryptography policy, neither within its own ranks nor with the private stakeholders throughout society -- the software industry, those concerned with computer security, the civil liberties community, and so on. Indeed, the committee could not even find a clear written statement of national cryptography policy that went beyond some very general statements.

To be sure, a number of Administration proposals have seen the light of day. The best known of these proposals, the Clipper initiative, was an honest attempt to address some of the issues underlying national cryptography policy, but one of its primary effects was to polarize rather than bring together the various stakeholders, both public and private. On the other hand, it did raise public awareness of the issue. In retrospect, many Administration officials have wished that the discourse on national cryptography policy could have unfolded differently, but in fairness we recognize that the government's task is not easy in view of the deep cleavages of interest reviewed in this report. In this context, we therefore saw it as our task, commanded by our statutory charge, to analyze the underlying reasons for this policy crisis and the interests at stake, and then to propose an intelligent, workable and acceptable policy.

The Committee to Study National Cryptography Policy is a group of 16 individuals with very diverse backgrounds, a broad range of expertise, and differing perspectives on the subject.
The committee included individuals with extensive government service and also individuals with considerable skepticism about and suspicion of government; persons with great technical expertise in computers, communications, and cryptography; and persons with considerable experience in law enforcement, intelligence, civil liberties, national security, diplomacy, international trade, and other fields relevant to the formation of policy in this area. Committee members were drawn from industry, including telecommunications and computer hardware and software, and from users of cryptography in the for-profit and not-for-profit sectors; serving as well were academics and think-tank experts.(9) The committee was by design highly heterogeneous, a characteristic intended to promote discussion and synergy among its members. At first, we wondered whether these different perspectives would allow us to talk among ourselves at all, let alone come to agreement. But the committee worked hard. The full committee met for a total of 23 days in which we received briefings and argued various points; ad hoc subcommittees attended a dozen or so additional meetings to receive even more briefings; members of the committee and staff held a number of open sessions in which testimony from the interested public was sought and received (including a very well attended session at the Fifth Annual Conference on Computers, Freedom, and Privacy in San Francisco in early 1995 and an open session in Washington, D.C., in April 1995); and the committee reviewed nearly a hundred e-mail messages sent in response to its Internet call for input. 
The opportunity to receive not only written materials but also oral briefings from a number of government agencies, vendors, trade associations, and assorted experts, as well as to participate in the first-ever cryptography policy meeting of the Organization for Economic Cooperation and Development and of its Business Industry Advisory Council, provided the occasion for extended give-and-take discussions with government officials and private stakeholders. Out of this extended dialogue, we found that coming to a consensus among ourselves -- while difficult -- was not impossible. The nature of a consensus position is that it is invariably somewhat different from a position developed, framed, and written by any one committee member, particularly before our dialogue and without comments from other committee members. Our consensus is a result of the extended learning and interaction process through which we lived rather than any conscious effort to compromise or to paper over differences. The committee stands fully behind its analysis, findings, and recommendations. We believe that our report makes some reasonable proposals for national cryptography policy. But a proposal is just that -- a proposal for action. What is needed now is a public debate, using and not sidestepping the full processes of government, leading to a judicious resolution of pressing cryptography policy issues and including, on some important points, legislative action. Only in this manner will the policy crisis come to a satisfactory and stable resolution. ---------- (9) Note that the committee was quite aware of potential financial conflicts of interest among several of its members. In accordance with established National Research Council procedures, these potential financial conflicts of interest were thoroughly discussed by the committee; no one with a direct and substantial financial stake in the outcome of the report served on the committee. 
____________________________________________________________

ACKNOWLEDGMENTS

The full list of individuals (except for those who explicitly requested anonymity) who provided input to the committee and the study project is contained in Appendix A. However, a number of individuals deserve special mention. Michael Nelson, Office of Science and Technology Policy, kept us informed about the evolution of Administration policy. Dorothy Denning of Georgetown University provided many useful papers concerning the law enforcement perspective on cryptography policy. Clinton Brooks and Ron Lee from the National Security Agency and Ed Roback and Raymond Kammer from the National Institute of Standards and Technology acted as agency liaisons for the committee, arranging briefings and providing other information. Marc Rotenberg from the Electronic Privacy Information Center and John Gilmore from Cygnus Support provided continuing input on a number of subjects as well as documents released under Freedom of Information Act requests. Rebecca Gould from the Business Software Alliance, Steve Walker from Trusted Information Systems, and Ollie Smoot from the Information Technology Industry Council kept the committee informed from the business perspective. Finally, the committee particularly acknowledges the literally hundreds of suggestions and criticisms provided by the reviewers of an early draft of this report. Those inputs helped the committee to sharpen its message and strengthen its presentation, but of course the content of the report is the responsibility of the committee. The committee also received a high level of support from the National Research Council.
Working with the Special Security Office of the Office of Naval Research, Kevin Hale and Kimberly Striker of the NRC's National Security Office had the complex task of facilitating the prompt processing of security clearances necessary to complete this study in a timely manner and otherwise managing these security clearances. Susan Maurizi worked under tight time constraints to provide editorial assistance. Acting as primary staff for the committee were Marjory Blumenthal, John Godfrey, Frank Pittelli, Gail Pritchard, and Herb Lin. Marjory Blumenthal directs the Computer Science and Telecommunications Board, the program unit within the National Research Council to which this congressional tasking was assigned. She sat with the committee during the great majority of its meetings, providing not only essential insight into the NRC process but also an indispensable long-term perspective on how this report could build on other CSTB work, most notably the 1991 NRC report *Computers at Risk*. John Godfrey, research associate for CSTB, was responsible for developing most of the factual material in most of the appendixes as well as for tracking down hundreds of loose ends; his prior work on a previous NRC report on standards also provided an important point of departure for the committee's discussion on standards as they apply to cryptography policy. Frank Pittelli is a consultant to CSTB, whose prior experience in computer and information security was invaluable in framing a discussion of technical issues in cryptography policy. Gail Pritchard, project assistant for CSTB, handled logistical matters for the committee with the utmost skill and patience as well as providing some research support to the committee. Finally, Herb Lin, senior staff officer for CSTB and study director on this project, arranged briefings, crafted meeting agendas, and turned the thoughts of committee members into drafts and then report text.
It is fair to say that this study could not have been carried out nor this report written, especially on our accelerated schedule, without his prodigious energy and his extraordinary talents as study director, committee coordinator, writer, and editor.

Kenneth Dam, Chair
Committee to Study National Cryptography Policy
Chicago, Illinois
March 29, 1996

A Channel for Feedback

CSTB will be glad to receive comments on this report. Please send them via Internet e-mail to CRYPTO@NAS.EDU, or via regular mail to CSTB, National Research Council, 2101 Constitution Avenue NW, Washington, DC 20418.

[End Preface]
____________________________________________________________

Contents

PREFACE
  Introduction
  Charge of the Committee to Study National Cryptography Policy
  What This Report Is Not
  On Secrecy and Report Time Line
  A Note from the Chair
  Acknowledgments

EXECUTIVE SUMMARY

A ROAD MAP THROUGH THIS REPORT

PART I -- FRAMING THE POLICY ISSUES

1 GROWING VULNERABILITY IN THE INFORMATION AGE
  1.1 The Technology Context of the Information Age
  1.2 Transitions to an Information Society--Increasing Interconnections and Interdependence
  1.3 Coping with Information Vulnerability
  1.4 The Business and Economic Perspective
    1.4.1 Protecting Important Business Information
    1.4.2 Ensuring the Nation's Ability to Exploit Global Markets
  1.5 Individual and Personal Interests in Privacy
    1.5.1 Privacy in an Information Economy
    1.5.2 Privacy for Citizens
  1.6 Special Needs of Government
  1.7 Recap

2 CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE
  2.1 Cryptography in Context
  2.2 What Is Cryptography and What Can It Do?
  2.3 How Cryptography Fits into the Big Security Picture
    2.3.1 Technical Factors Inhibiting Access to Information
    2.3.2 Factors Facilitating Access to Information
  2.4 The Market for Cryptography
    2.4.1 The Demand Side of the Cryptography Market
    2.4.2 The Supply Side of the Cryptography Market
  2.5 Infrastructure for Widespread Use of Cryptography
    2.5.1 Key Management Infrastructure
    2.5.2 Certificate Infrastructures
  2.6 Recap

3 NEEDS FOR ACCESS TO ENCRYPTED INFORMATION
  3.1 Terminology
  3.2 Law Enforcement: Investigation and Prosecution
    3.2.1 The Value of Access to Information for Law Enforcement
    3.2.2 The Legal Framework Governing Surveillance
    3.2.3 The Nature of Surveillance Needs of Law Enforcement
    3.2.4 The Impact of Cryptography and New Media on Law Enforcement (Stored and Communicated Data)
  3.3 National Security and Signals Intelligence
    3.3.1 The Value of Signals Intelligence
    3.3.2 The Impact of Cryptography on SIGINT
  3.4 Similarities and Differences Between Foreign Policy/National Security and Law Enforcement Needs for Communications Monitoring
    3.4.1 Similarities
    3.4.2 Differences
  3.5 Business and Individual Needs for Exceptional Access to Protected Information
  3.6 Other Types of Exceptional Access to Protected Information
  3.7 Recap

PART II -- POLICY INSTRUMENTS

4 EXPORT CONTROLS
  4.1 Brief Description of Current Export Controls
    4.1.1 The Rationale for Export Controls
    4.1.2 General Description
    4.1.3 Discussion of Current Licensing Practices
  4.2 Effectiveness of Export Controls on Cryptography
  4.3 The Impact of Export Controls on U.S. Information Technology Vendors
    4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography
    4.3.2 Regulatory Uncertainty Related to Export Controls
    4.3.3 The Size of the Affected Market for Cryptography
    4.3.4 Inhibiting Vendor Responses to User Needs
  4.4 The Impact of Export Controls on U.S. Economic and National Security Interests
    4.4.1 Direct Economic Harm to U.S. Businesses
    4.4.2 Damage to U.S. Leadership in Information Technology
  4.5 The Mismatch Between the Perceptions of Government/National Security and Those of Vendors
  4.6 Export of Technical Data
  4.7 Foreign Policy Considerations
  4.8 Technology-Policy Mismatches
  4.9 Recap

5 ESCROWED ENCRYPTION AND RELATED ISSUES
  5.1 What Is Escrowed Encryption?
  5.2 Administration Initiatives Supporting Escrowed Encryption
    5.2.1 The Clipper Initiative and the Escrowed Encryption Standard
    5.2.2 The Capstone/Forteza (sic) Initiative
    5.2.3 The Relaxation of Export Controls on Software Products Using "Properly Escrowed" 64-bit Encryption
    5.2.4 Other Federal Initiatives in Escrowed Encryption
  5.3 Other Approaches to Escrowed Encryption
  5.4 The Impact of Escrowed Encryption on Information Security
  5.5 The Impact of Escrowed Encryption on Law Enforcement
    5.5.1 Balance of Crime Enabled vs. Crime Prosecuted
    5.5.2 Impact on Law Enforcement Access to Information
  5.6 Mandatory vs. Voluntary Use of Escrowed Encryption
  5.7 Process Through Which Policy on Escrowed Encryption Was Developed
  5.8 Affiliation and Number of Escrow Agents
  5.9 Responsibilities and Obligations of Escrow Agents and Users of Escrowed Encryption
    5.9.1 Partitioning Escrowed Information
    5.9.2 Operational Responsibilities of Escrow Agents
    5.9.3 Liabilities of Escrow Agents
  5.10 The Role of Secrecy in Ensuring Product Security
    5.10.1 Algorithm Secrecy
    5.10.2 Product Design and Implementation Secrecy
  5.11 The Hardware/Software Choice in Product Implementation
  5.12 Responsibility for Generation of Unit Keys
  5.13 Issues Related to the Administration Proposal to Exempt 64-bit Escrowed Encryption in Software
    5.13.1 The Definition of "Proper Escrowing"
    5.13.2 The Proposed Limitation of Key Lengths to 64 Bits or Less
  5.14 Recap

6 OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY
  6.1 The Communications Assistance for Law Enforcement Act
    6.1.1 Brief Description of and Stated Rationale for the CALEA
    6.1.2 Reducing Resource Requirements for Wiretaps
    6.1.3 Obtaining Access to Digital Streams in the Future
    6.1.4 The CALEA Exemption of Information Service Providers and Distinctions Between Voice and Data Services
  6.2 Other Levers Used in National Cryptography Policy
    6.2.1 Federal Information Processing Standards
    6.2.2 The Government Procurement Process
    6.2.3 Implementation of Policy: Fear, Uncertainty, Doubt, Delay, Complexity
    6.2.4 R&D Funding
    6.2.5 Patents and Intellectual Property
    6.2.6 Formal and Informal Arrangements with Various Other Governments and Organizations
    6.2.7 Certification and Evaluation
    6.2.8 Nonstatutory Influence
    6.2.9 Interagency Agreements Within the Executive Branch
  6.3 Organization of the Federal Government with Respect to Information Security
    6.3.1 Role of National Security vis-a-vis Civilian Information Infrastructures
    6.3.2 Other Government Entities with Influence on Information Security
  6.4 International Dimensions of Cryptography Policy
  6.5 Recap

PART III -- POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS

7 POLICY OPTIONS FOR THE FUTURE
  7.1 Export Control Options for Cryptography
    7.1.1 Dimensions of Choice for Controlling the Export of Cryptography
    7.1.2 Complete Elimination of Export Controls on Cryptography
    7.1.3 Transferral of All Cryptography Products to the Commerce Control List
    7.1.4 End-use Certification
    7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations
    7.1.6 Liberal Export for Strong Cryptography with Weak Defaults
    7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces
    7.1.8 Liberal Export for Escrowable Products with Encryption Capabilities
    7.1.9 Alternatives to Government Certification of Escrow Agents Abroad
    7.1.10 Use of Differential Work Factors in Cryptography
    7.1.11 Separation of Cryptography from Other Items on the U.S. Munitions List
  7.2 Alternatives for Providing Government Exceptional Access to Encrypted Data
    7.2.1 A Prohibition of the Use and Sale of Cryptography Lacking Features for Exceptional Access
    7.2.2 Criminalization of the Use of Cryptography in the Commission of a Crime
    7.2.3 Technical Non-Escrow Approaches for Obtaining Access to Information
    7.2.4 Network-based Encryption
    7.2.5 Distinguishing Between Encrypted Voice and Data Communications Services for Exceptional Access
    7.2.6 A Centralized Decryption Facility for Government Exceptional Access
  7.3 Looming Issues
    7.3.1 The Adequacy of Various Levels of Encryption Against High-Quality Attack
    7.3.2 Organizing the U.S. Government for Better Information Security on a National Basis
  7.4 Recap

8 SYNTHESIS, FINDINGS, AND RECOMMENDATIONS
  8.1 Synthesis and Findings
    8.1.1 The Problem of Information Vulnerability
    8.1.2 Cryptographic Solutions to Information Vulnerabilities
    8.1.3 The Policy Dilemma Posed by Cryptography
    8.1.4 National Cryptography Policy for the Information Age
  8.2 Recommendations
  8.3 Additional Work Needed
  8.4 Conclusion

APPENDIXES
  A Contributors to the NRC Project on National Cryptography Policy
  B Glossary
  C A Brief Primer on Cryptography
  D An Overview of Electronic Surveillance: History and Current Status
  E A Brief History of Cryptography Policy
  F A Brief Primer on Intelligence
  G The International Scope of Cryptography Policy
  H Summary of Important Requirements for a Public-Key Infrastructure
  I Industry-Specific Dimensions of Security
  J Examples of Risks Posed by Unprotected Information
  K Cryptographic Applications Programming Interfaces
  L Laws, Regulations, and Documents Relevant to Cryptography
  M Other Looming Issues Related to Cryptography Policy
  N Federal Information Processing Standards

[End Contents]
____________________________________________________________

Executive Summary

In an age of explosive worldwide growth of electronic data storage and communications, many vital national interests require the
effective protection of information. When used in conjunction with other approaches to information security, cryptography is a very powerful tool for protecting information. Consequently, current U.S. policy should be changed to promote and encourage the widespread use of cryptography for the protection of the information interests of individuals, businesses, government agencies, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes to the extent consistent with good information protection.

BASIC POLICY ISSUES

The Information Security Problem

Today's information age requires U.S. businesses to compete on a worldwide basis, sharing sensitive information with appropriate parties while protecting that information against competitors, vandals, suppliers, customers, and foreign governments (Box ES.1). Private law-abiding citizens dislike the ease with which personal telephone calls can be tapped, especially those carried on cellular or cordless telephones. Elements of the U.S. civilian infrastructure such as the banking system, the electric power grid, the public switched telecommunications network, and the air traffic control system are central to so many dimensions of modern life that protecting these elements must have a high priority. The federal government has an important stake in assuring that its important and sensitive political, economic, law enforcement, and military information, both classified and unclassified, is protected from foreign governments or other parties whose interests are hostile to those of the United States.

____________________________________________________________

BOX ES.1 The Foreign Threat to U.S. Business Interests

Of the wide variety of information risks facing U.S. companies operating internationally, those resulting from electronic vulnerabilities appear to be the most significant. The National Counterintelligence Center (NACIC), an arm of the U.S. intelligence community established in 1994 by presidential directive, concluded that "specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private-sector encryption weaknesses) account for the largest portion of economic and industrial information lost by U.S. corporations." Specifically, the NACIC noted that

[b]ecause they are so easily accessed and intercepted, corporate telecommunications -- particularly international telecommunications -- provide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information. Because of the increased usage of these links for bulk computer data transmission and electronic mail, intelligence collectors find telecommunications intercepts cost-effective. For example, foreign intelligence collectors intercept facsimile transmissions through government-owned telephone companies, and the stakes are large -- approximately half of all overseas telecommunications are facsimile transmissions. Innovative "hackers" connected to computers containing competitive information evade the controls and access companies' information. In addition, many American companies have begun using electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. Many foreign government and corporate intelligence collectors find this information invaluable.

----------
SOURCE: National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, July 1995, pages 16-17.

____________________________________________________________

Cryptographic Dimensions of Information Security Solutions

Information vulnerabilities cannot be eliminated through the use of any single tool.
For example, it is impossible to prevent with technical means a party authorized to view information from improperly disclosing that information to someone else. However, as part of a comprehensive approach to addressing information vulnerabilities, cryptography is a powerful tool that can help to assure the confidentiality and integrity of information in transit and in storage and to authenticate the asserted identity of individuals and computer systems. Information that has been properly encrypted cannot be understood or interpreted by those lacking the appropriate cryptographic "key"; information that has been integrity-checked cannot be altered without detection. Properly authenticated identities can help to restrict access to information resources to those properly authorized individuals and to take fuller advantage of audit trails to track down parties who have abused their authorized access.

Law Enforcement and National Security Dilemmas Posed by Cryptography

For both law enforcement and national security, cryptography is a two-edged sword. The public debate has tended to draw lines that frame the policy issues as the privacy of individuals and businesses against the needs of national security and law enforcement. While such a dichotomy does have a kernel of truth, when viewed in the large, this dichotomy is misleading. If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. Framing discussion about national cryptography policy in this larger law enforcement and national security context would help to reduce some of the polarization among the relevant stakeholders.
On the other hand, cryptography intended primarily to maintain the confidentiality of information that is available to the general public for legitimate purposes such as defending against information theft is also available for illegitimate purposes such as terrorism. Encryption thus does pose a threat to the capability that law enforcement authorities may seek under appropriate legal authorization to gain access to information for the purpose of investigating and prosecuting criminal activity. Encryption also poses a threat to intelligence gathering for national security and foreign policy purposes, an activity that depends on access to information of foreign governments and other foreign entities. Note that other applications of cryptography -- for purposes of assuring data integrity and authenticating identities of users and computer systems -- do not pose dilemmas for law enforcement and national security in the same way that confidentiality does.

National Cryptography Policy for the Information Age

For many years, concern over foreign threats to national security has been the primary driver of a national cryptography policy that has sought to maximize the protection of U.S. military and diplomatic communications while denying the confidentiality benefits of cryptography to foreign adversaries through the use of export controls on cryptography and related technical data. More recently, the U.S. government has aggressively promoted the domestic use of a certain kind of cryptography -- escrowed encryption -- that would provide strong protection for legitimate uses but would permit legally authorized access by law enforcement officials when authorized by law. Today, these and other dimensions of current national cryptography policy generate considerable controversy.
All of the various stakes are legitimate: privacy for individuals, protection of sensitive or proprietary information for businesses, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United States. Informed public discussion of the issues must begin by acknowledging the legitimacy both of information gathering for law enforcement and national security purposes and of information security for law-abiding individuals and businesses. The conduct of the debate regarding national cryptography policy has been complicated because a number of participants have often invoked classified information that cannot be made public. However, the cleared members of the National Research Council's Committee to Study National Cryptography Policy (13 of the 16 committee members) concluded that *the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis*. Classified material is often important to operational matters in specific cases, but it is neither essential to the big picture of why cryptography policy is the way it is nor required for the general outline of how technology will and policy should evolve in the future. The problems of information vulnerability, the legitimacy of the various national interests described above, and trends such as those outlined in Box ES.2 point to the need for a concerted effort to protect vital information assets of the United States. Cryptography is one important element of a comprehensive U.S. policy for better information security. The committee believes that *U.S. 
national policy should be changed to support the broad use of cryptography in ways that take into account competing U.S. needs and desires for individual privacy, international economic competitiveness, law enforcement, national security, and world leadership*. Because cryptography is an important tool for protecting information and because it is very difficult for governments to control, the committee believes that the widespread nongovernment use of cryptography in the United States and abroad is inevitable in the long run. Accordingly, the proper role of national cryptography policy is to facilitate a judicious transition between today's world of high information vulnerability and a future world of greater information security, while to the extent possible meeting the legitimate needs of law enforcement and information gathering for national security and foreign policy purposes. The committee found that *current national cryptography policy is not adequate to support the information security requirements of an information society*. Indeed, current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities. National cryptography policy should support three objectives: 1. Broad availability of cryptography to all legitimate elements of U.S. society; 2. Continued economic growth and leadership of key U.S. industries and businesses in an increasingly global economy, including but not limited to U.S. computer, software, and communications companies; and 3. Public safety and protection against foreign and domestic threats. Objectives 1 and 2 argue for a policy that places few government restrictions on the use of cryptography and actively promotes the use of cryptography on a broad front. 
Objective 3 argues that some kind of government policy role in the deployment and use of cryptography for confidentiality may continue to be necessary for public safety and national security reasons. These three objectives can be met within a framework recognizing that *on balance, the advantages of more widespread use of cryptography outweigh the disadvantages*.

____________________________________________________________

BOX ES.2 The Past and Future World Environment

Past                       Future Trends
_______________________    _________________________________

Computing and              Computer and information
communications networks    acquisition, retrieval and
were expensive and         processing are inexpensive and
rare.                      ubiquitous. Rapid growth is
                           evident in the development and
                           deployment of diverse
                           technology-based services.

Communications networks    Communications networks are
were analog and voice      digital and oriented toward video
oriented;                  and data transmissions.
communications made        Communications made heavy use of
heavy use of dedicated     shared infrastructure and
lines.                     media (e.g., satellites,
                           wireless). Passive eavesdropping
                           is thus harder to detect.

Telecommunications was     Telecommunications involves a
controlled by a small      large number of players.
number of players.

The U.S. economy was       The U.S. economy is important but
unquestionably dominant    not dominant in the world, and it
in the world.              is increasingly interlinked with
                           allies, customers, suppliers,
                           vendors, and competitors all over
                           the world.

The economy was            The economy is oriented toward
oriented toward            information and services.
material production.

The security threat was    Security threats are much more
relatively homogeneous     heterogeneous than in the Cold
(Soviet Union and Cold     War, both in origin and in
War).                      nature.

Cryptography was used      Cryptography has important
primarily for military     applications throughout all
and diplomatic             aspects of society.
purposes.

Government                 Nongovernmental entities have
had a relative monopoly    significant expertise and
on cryptographic           capability built on an open,
expertise and              public, and expanding base of
capability.                scientific and technical
                           knowledge about cryptography.

____________________________________________________________

The recommendations below address several critical policy areas. In the interests of brevity, only short rationales for the recommendations are given here. The reader is urged to read Chapter 8 of the report for essential qualifications, conditions, and explanations.

A FRAMEWORK FOR NATIONAL CRYPTOGRAPHY POLICY

The framework for national cryptography policy should provide coherent structure and reduce uncertainty for potential vendors and for nongovernment and government users of cryptography in ways that policy does not do today.

*Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States*. Specifically, a legislative ban on the use of unescrowed encryption would raise both technical and legal or constitutional issues. Technically, many methods are available to circumvent such a ban; legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve. Recommendation 1 is made to reinforce this particular aspect of the Administration's cryptography policy.

*Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law*. Only a national discussion of the issues involved in national cryptography policy can result in the broadly acceptable social consensus that is necessary for any policy in this area to succeed.
A consensus derived from such deliberations, backed by explicit legislation when necessary, will lead to greater degrees of public acceptance and trust, a more certain planning environment, and better connections between policy makers and the private sector on which the nation's economy and social fabric rest. *Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces*. As cryptography has assumed greater importance to nongovernment interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector. Experience with technology deployment suggests that reliance on market forces is generally the most effective way to promote the widespread use of a new technology. Since the committee believes that widespread deployment and use of cryptography are in the national interest, it believes that national cryptography policy should align itself with user needs and market forces to the maximum feasible extent. Accordingly, national cryptography policy should emphasize the freedom of domestic users to determine cryptographic functionality, protection, and implementations according to their security needs as they see fit; encourage the adoption of cryptographic standards by the federal government and private parties that are consistent with prevailing industry practice; and support the use of algorithms, product designs, and product implementations that are open to public scrutiny. EXPORT CONTROLS For many years, the United States has controlled the export of cryptographic technologies, products, and related technical information as munitions (on the U.S. Munitions List administered by the State Department). However, the current export control regime for cryptography is an increasing impediment to the information security efforts of U.S. 
firms competing and operating in world markets, developing strategic alliances internationally, and forming closer ties with foreign customers and suppliers. Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities. Looking to the future, both U.S. and foreign companies have the technical capability to integrate high-quality cryptographic features into their products and services. U.S. export controls may stimulate the growth of significant foreign competition for U.S. vendors to the detriment of both U.S. national security interests and U.S. business and industry.

Some relaxation of today's export controls on cryptography is warranted. Relaxation would create an environment in which U.S. and multinational firms and individuals could use the same security products in the United States and abroad, thereby supporting better information security for U.S. firms operating internationally. It would also increase the availability of good cryptography products in the United States. Finally, it would help to solidify U.S. leadership in a field critical to national security and economic competitiveness.

At the same time, cryptography is inherently dual-use in character, with important applications to both civilian and military purposes. Because cryptography is a particularly critical military application for which few technical alternatives are available, retention of some export controls on cryptography will mitigate the loss to U.S. national security interests in the short term, allow the United States to evaluate the impact of relaxation on national security interests before making further changes, and "buy time" for U.S. national security authorities to adjust to a new technical reality.

*Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated*.
*Recommendation 4.1 -- Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable.(1) Today, products with encryption capabilities that incorporate the 56-bit DES algorithm provide this level of confidentiality and should be easily exportable*. As a condition of export, vendors of products covered under this recommendation 4.1 (and 4.2 below) would be required to provide to the U.S. government full technical specifications of their product and reasonable technical assistance upon request in order to assist the U.S. government in understanding the product's internal operations.

*Recommendation 4.2 -- Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request*. Firms on the list would agree to abide by a set of requirements described in Chapter 8 that would help to ensure the ability of the U.S. government to obtain the plaintext of encrypted information upon presentation of a proper law enforcement request. (Plaintext is the information that was initially encrypted.)

*Recommendation 4.3 -- The U.S. government should streamline and increase the transparency of the export licensing process for cryptography*. Greater efforts in this area would reduce uncertainty regarding rules, time lines, and the criteria used in making decisions about the exportability of particular products. Chapter 8 describes specific possible steps that might be taken.

----------
(1) For purposes of Recommendation 4.1, a product that is "easily exportable" will automatically qualify for treatment and consideration (i.e., commodity jurisdiction, or CJ) under the CCL. Automatic qualification refers to the same procedure under which software products using RC2 or RC4 algorithms for confidentiality with 40-bit key sizes currently qualify for the CCL.
____________________________________________________________

ADJUSTING TO NEW TECHNICAL REALITIES

As noted above, cryptography is helpful to some dimensions of law enforcement and national security and harmful to others. The committee accepts that the onset of an information age is likely to create many new challenges for public safety, among them the greater use of cryptography by criminal elements of society. If law enforcement authorities are unable to gain access to the encrypted communications and stored information of criminals, some criminal investigations and prosecutions will be significantly impaired. For these reasons, specific steps should be taken to mitigate these difficulties. In the realm of national security, new capabilities are needed to better cope with the challenges that cryptography presents.

Since 1993, the approach of the U.S. government to these problems has been an aggressive promotion of escrowed encryption (see Chapter 5) as a pillar of the technical foundation for national cryptography policy, primarily in response to the law enforcement concerns described above. Initiatives promoted by the U.S. government include the Escrowed Encryption Standard (a voluntary Federal Information Processing Standard for secure voice telephony), the Capstone/Fortezza initiative that provides escrowed encryption capabilities for secure data storage and communications, and a recent proposal to liberalize export controls on certain encryption products if the keys are "properly escrowed."

The committee understands the Administration's rationale for promoting escrowed encryption but believes that escrowed encryption should be only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security. The committee's view of an appropriate overall strategy is described below, and escrowed encryption is the focus of Recommendation 5.3.

*Recommendation 5: The U.S.
government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age*. Over the past 50 years, both law enforcement and national security authorities have had to cope with a variety of changing technological circumstances. For the most part, they have coped with these changes quite well. Today, however, "business as usual" will not suffice to bring agencies responsible for law enforcement and national security into the information age. At the same time, both law enforcement and national security have demonstrated considerable adaptability to new environments; this record of adaptability provides considerable confidence that they can adapt to a future of digital communications and stored data as well.

The specific subrecommendations that follow attempt to build on this record. They are intended to support law enforcement and national security missions in their totality -- for law enforcement, in both crime prevention and crime prosecution and investigation; for national security, in both defense of nationally critical information systems and the collection of intelligence information.

*Recommendation 5.1 -- The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks*. These applications are particularly important in addressing vulnerabilities of nationally critical information systems and networks. Furthermore, these applications of cryptography are important crime-fighting measures. To date, national cryptography policy has not fully supported such nonconfidentiality uses. Some actions have been taken in this area, but these actions have sometimes conflicted with government concerns about confidentiality.
As importantly, government has expressed considerably more concern in the public debate regarding the deleterious impact of widespread cryptography used for confidentiality than over the deleterious impact of not deploying cryptographic capabilities for user authentication and data integrity. Chapter 8 provides a number of illustrative examples to demonstrate what specific actions government can take to promote nonconfidentiality applications of cryptography.

*Recommendation 5.2 -- The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications (2) and the improvement of security at telephone switches*. Such steps would not diminish government access for lawfully authorized wiretaps through the requirements imposed on carriers today to cooperate with law enforcement in such matters. Furthermore, by addressing public demands for greater security in voice communications that are widely known to be nonsecure through the telecommunications service providers, these measures would also reduce the demand for (and thus the availability of) devices used to provide end-to-end encryption of voice communications. Without a ready supply of such devices, a criminal user would have to go to considerable trouble to obtain a device that could thwart a lawfully authorized wiretap.

*Recommendation 5.3 -- To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic*. Escrowed encryption has both benefits and risks.
The benefits for law enforcement and national security are that when escrowed encryption is properly implemented and widely deployed, law enforcement and national security authorities will be able to obtain access to escrow-encrypted data in specific instances when authorized by law. Escrowed encryption also enables end users to recover encrypted stored data to which access has been inadvertently lost. The risk to end users is that escrowed encryption provides a potentially lower degree of confidentiality because it is specifically designed to permit exceptional access by parties not originally intended to have access to the encrypted data.

Aggressive government promotion of escrowed encryption is not appropriate at this time for several reasons: the lack of operational experience with how a large-scale infrastructure for escrowed encryption would work; the lack of demonstrated evidence that escrowed encryption will solve the most serious problems that law enforcement authorities face; the likely harmful impact on the natural market development of applications made possible by new information services and technologies; and the uncertainty of the market response to such aggressive promotion. At the same time, many policy benefits can be gained by an operational exploration of escrowed encryption by the U.S. government for government applications; such exploration would enable the U.S. government to develop the base of experience on which to build a more aggressive promotion of escrowed encryption should circumstances develop in such a way that encrypted communications come to pose a significant problem for law enforcement.

*Recommendation 5.4 -- Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime*.
The purpose of such a statute would be to discourage the use of cryptography for illegitimate purposes, thus focusing the weight of the criminal justice system on individuals who were in fact guilty of criminal activity rather than on law-abiding citizens and criminals alike. Any statute in this area should be drawn narrowly.

*Recommendation 5.5 -- High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security to cope with new technological challenges*. Such R&D should be undertaken during the time that it will take for cryptography to become truly ubiquitous. These new capabilities are almost certain to have a greater impact on future information collection efforts than will aggressive attempts to promote escrowed encryption to a resistant market.

----------
(2) "Link encryption" refers to the practice of encrypting information being communicated in such a way that it is encrypted only in between the node from which it is sent and the node where it is received; while the information is at the nodes themselves, it is unencrypted. In the context of link encryption for cellular communications, a cellular call would be encrypted between the mobile handset and the ground station. When carried on the landlines of the telephone network, the call would be unencrypted.
____________________________________________________________

THE POLICY RELATIONSHIP BETWEEN INFORMATION SECURITY AND CRYPTOGRAPHY

Although this report is concerned primarily with national cryptography policy, any such policy is only one component of a national information security policy. Without a forward-looking and comprehensive national information security policy, changes in national cryptography policy may have little operational impact on U.S. information security.

*Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector*.
As is widely acknowledged, the U.S. government is not well organized to meet the challenges presented by an information society, and no government agency has the responsibility to promote information security in the private sector. Absent a coordinated approach to promoting information security, the needs of many stakeholders may well be given inadequate attention and notice; those who are pursuing enhanced information security and those who have a need for legal access to stored or communicated information must both be included in a robust process for managing the often-competing issues and interests that will inevitably arise over time. Government has an important role in actively promoting the security of information systems and networks critical to the nation's welfare (e.g., the banking and financial system, the public switched telecommunications network, the air traffic control system, the electric power grid). In other sectors of the economy, the role of the U.S. government should be limited to providing information and expertise. Chapter 8 provides some illustrative examples of what the government might do to promote information security in the private sector.

CONCLUSION

The committee believes that its recommendations will lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources. In addition, they will result in improved security and assurance for the information systems and networks used by the nation -- a more secure national information infrastructure. While the recommendations will in these ways contribute to the prevention of crime and enhance national security, the committee recognizes that the spread of cryptography will increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities.
It believes that widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. Thus, the committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography.

[End Executive Summary]
____________________________________________________________

A Road Map Through This Report

This report responds to a request made in the Defense Authorization Act of FY 1994 by the U.S. Congress for the National Research Council to conduct a comprehensive study of national cryptography policy, a subject that has generated considerable controversy in the past few years. This report is organized into three parts.

Part I frames the policy issues. Chapter 1 outlines the problem of growing information vulnerability and the need for technology and policy to mitigate this problem. Chapter 2 describes possible roles for cryptography in reducing information vulnerability and places cryptography into context as one element of an overall approach to ensuring information security. Chapter 3 discusses nongovernment needs for access to encrypted information and related public policy issues, specifically those related to information gathering for law enforcement and national security purposes.

Part II of this report describes the instruments and goals of current U.S. cryptography policy and some of the issues raised by current policy. Chapter 4 is concerned primarily with export controls on cryptography, a powerful tool that has long been used in support of national security objectives but whose legitimacy has come under increasing fire in the last several years.
Chapter 5 addresses escrowed encryption, an approach aggressively promoted by the federal government as a technique for balancing national needs for information security with those of law enforcement and national security. Chapter 6 discusses other dimensions of national cryptography policy, including the Digital Telephony Act of 1995 (aka the Communications Assistance for Law Enforcement Act) and a variety of other levers used in national cryptography policy that do not often receive much attention in the debate.

Part III has two goals: enlarging the space of possible policy options, and offering findings and recommendations. Chapter 7 discusses a variety of options for cryptography policy, some of which have been suggested or mentioned in different forums (e.g., in public and/or private input received by the committee, or by various members of the committee). These policy options include alternative export control regimes for cryptography and alternatives for providing third-party access capabilities when necessary. In addition, Chapter 7 addresses several issues related to or affected by cryptography that will appear on the horizon in the foreseeable future. Chapter 8 describes the committee's findings and recommendations.

A set of appendixes provides more detail where needed.

[End Road Map]
____________________________________________________________