
Technical Bulletin featuring emerging technologies in criminal justice information management

1994 Issue Number 4

Data and Electronic

By Dorothy E. Denning, Chair, Computer Science Department, Georgetown University

Bureau of Justice Assistance, SEARCH
Explore New Technologies

The SEARCH Technical Bulletin is a quarterly publication designed to examine emerging technologies in criminal justice information management. Research and publication of the Bulletin is funded by the Bureau of Justice Assistance, Office of Justice Programs, U.S. Department of Justice. The Bulletins identify, describe and assess new and emerging technologies that have existing or potential application in criminal justice information management. They alert practitioners to the existence of technologies which can benefit their management of information. If you would like to submit an article for publication in the Technical Bulletin, please contact SEARCH, The National Consortium for Justice Information and Statistics, at (916) 392-2550.

Phone calls and computer communications are often vulnerable to unauthorized interception. This is especially true for wireless communications, which can be picked up through cheap scanners. Similarly, information stored on computers can be susceptible to unauthorized retrieval.

Encryption protects sensitive information by concealing it from those who are not authorized to access it. It works by scrambling (encrypting) the information in such a way that it cannot be descrambled (decrypted) without knowing a secret key. For communications, this key must be shared by the sender and receiver for the duration of the session (for example, a phone call) and is usually referred to as the "session key." If the method of encryption is sufficiently strong, an eavesdropper intercepting the encrypted communications will be unable to determine the secret session key and decrypt the information.

Encryption products have been on the market for years, but their primary use has been to protect classified information, and the main customers have been the government and government contractors. Until recently, the products have been expensive, bulky and difficult to use, and voice quality has been poor. All this is changing as more and more encryption products are becoming available. AT&T is selling a telephone security device that is small, portable, easy-to-use, affordable and has high-quality audio. Strong encryption is being packaged into inexpensive software products and is being integrated into computer systems, networks and software applications.

Free encryption software, such as Phil Zimmermann's Pretty Good Privacy (PGP), is available on the Internet and local bulletin board systems, and its availability and use for file and e-mail encryption has been spreading throughout the world. In a continuing study originally commissioned by the Software Publishers Association, as of May 1994, Trusted Information Systems had identified

763 cryptographic products developed or distributed by a total of 366 companies (211 foreign, 155 domestic) in at least 33 countries.[1]

The Technical Bulletin is published by SEARCH, The National Consortium for Justice Information and Statistics, with funding from the Bureau of Justice Assistance, U.S. Department of Justice. This document was prepared under grant number 92-DD-CX-0005, provided by the Bureau of Justice Assistance, U.S. Department of Justice. The points of view or opinions stated in the document are those of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. SEARCH is located at 7311 Greenhaven Drive, Suite 145, Sacramento, California 95831, (916) 392-2550.

Dr. Francis J. Carney Jr., Chairman
Gary R. Cooper, Executive Director
Sheila J. Barton, Deputy Director
George A. Buck, Deputy Director
David J. Roberts, Deputy Director
Kelly J. Harris, Editor

Encryption and law enforcement

Encryption is an essential tool for organizations and individuals with sensitive information to protect. But it also presents an enormous challenge to the law enforcement and criminal justice community. The technology can be used not only by honest persons to protect against espionage and other forms of illegal activity, but also by criminals who use the technology to conceal their illegal activities from law enforcement. Already, investigations of child pornography cases have been hindered because seized computer files were encrypted with PGP, which could not be broken.

By rendering communications immune from lawful interception, encryption poses a particular threat to investigations that depend on wiretaps. Court-authorized interception of communications has been essential for preventing and solving many serious and often violent crimes, including organized crime, drug trafficking, government fraud, public corruption and terrorism. If the ability to conduct wiretaps is seriously diminished or precluded altogether, this could have major consequences for public safety and law enforcement.

Although encryption has not presented a serious problem to law enforcement so far, unless steps are taken now to avert it, it will become a major problem as the technology proliferates. The government's Key Escrow Encryption Initiative is a first step toward providing such intervention, and is aimed at the area of greatest immediate concern: voice, facsimile, and other data transmitted over the telephone system.

The Key Escrow Encryption Initiative

On April 16, 1993, the U.S. government announced a new encryption initiative aimed at providing a high level of communications security and privacy without jeopardizing effective law enforcement, public safety and national security. The initiative is based on a special tamper-resistant hardware encryption device (Clipper Chip) and a key escrow system which allows an authorized government official to decrypt communications encrypted by a particular chip.

The Clipper Chip and its application

The Clipper Chip implements a strong encryption algorithm, called SKIPJACK, which uses 80-bit secret keys to control the encryption and decryption functions. The algorithm was designed by the National Security Administration and is classified secret.

Each chip has a unique identifier and key that is generated and programmed onto the chip after the chip is manufactured, but before it is placed in a security product. The device unique key is also split into two key components, which are encrypted and given to separate key escrow agents for safekeeping. The initial escrow agents are the National Institute of Standards and Technology and the U.S. Department of Treasury Automated Systems Division. Although the device unique key is not used for data encryption, a government official, pursuant to a lawful authorization, must acquire both of its escrow key components in order to decrypt communications encrypted by the chip.

On February 4, 1994, the government announced adoption of the technology as the Escrowed Encryption Standard (EES).[2] The EES is a voluntary government standard for sensitive but

unclassified phone communications, including voice, facsimile, and data transmitted on circuit-switched systems at rates of standard commercial modems or which use basic rate Integrated Systems Digital Network or a similar grade wireless service.

The first product to use the Clipper Chip is the AT&T 3600 Telephone Security Device. The government purchased 9,000 of these devices for use by law enforcement and other Federal agencies.

The AT&T device plugs into an ordinary telephone between the handset and base-set. Although both parties to a conversation must have a device, the party at either end can initiate a secure conversation by pushing a button. Once this is done, the security devices enter into a protocol to establish a one-time secret session key for the conversation. This key is established using public key cryptography techniques that allow both devices to agree on a common secret key without exchanging any secret information, including the key. The same session key is used to encrypt and decrypt the communications transmitted in both directions.

Since the SKIPJACK algorithm operates on digital data, the device must convert the outgoing voice signals to digital before they can be encrypted. After encryption, a built-in modem converts them back to analog for transmission through the phone system. For incoming communications, the device converts the signals to digital, decrypts them, and converts them back to voice.

To allow for authorized government access, each Clipper Chip computes a Law Enforcement Access Field (LEAF) which is transmitted over the line before the encrypted communications. The LEAF contains the device ID and the session key for the conversation. The session key is encrypted under the device unique key so that an eavesdropper cannot learn the key. In addition, the entire LEAF is encrypted under a family key that is common to all chips. To obtain the session key from an intercepted LEAF, one needs access to the escrowed device unique key plus a special key escrow decrypt processor that contains the SKIPJACK algorithm, a LEAF decryptor and the family key.

Law enforcement decryption

If a law enforcement official encounters what appears as noise on an installed intercept, then the communications must be passed through the key escrow decrypt processor — a PC with a specially designed board — to determine if they are Clipper communications. If they are, then the decrypt processor locates the LEAF transmitted in each direction and extracts the device ID of each (see illustration).

[Illustration: two Clipper chips exchanging "Hello" under a shared session key; the LEAF (device ID and encrypted session key) passes through the switch and service provider to the Government Monitoring Facility, whose Decrypt Processor receives the escrow key components from the escrow agents together with the court order and termination date.]

THE CLIPPER CHIP — HOW IT WORKS
A  Law enforcement agency receives permission to conduct a wiretap.
B  The conversation. A protocol establishes a one-time secret "session key" for the conversation. The same session key is used to encrypt and decrypt the communications transmitted in both directions.
C  To allow for authorized government access, each Clipper Chip computes a Law Enforcement Access Field (LEAF) which is transmitted over the line before the encrypted communications. The LEAF contains the device ID and the session key for the conversation.
D  The escrow agents. The device ID of the chip belonging to the subject of the intercept is presented to the key escrow agents with a request for the device's key components. The request must provide certification of the legal authority to conduct the wiretap.
E  Upon receipt of the certification, the escrow agents bring their respective key components to the law enforcement monitoring facility and enter them into the decrypt processor along with the termination date of the wiretap.
F  Inside the decrypt processor, the key components are decrypted and combined to form the device unique key. Once the decrypt processor has the device unique key, it can decrypt the session key in the LEAF, and then use the session key to decrypt the communications in both directions.

The device ID of the chip belonging to the subject of the intercept is then presented to the key escrow agents with a request for the device's key components (since the same session key is used to encrypt both ends of the conversation, it is not necessary to obtain the device unique key for both parties). The request must provide certification of the legal authority to conduct the wiretap. Upon receipt of the certification, the escrow agents bring their respective key components to the law enforcement monitoring facility and enter them into the decrypt processor along with the termination date of the wiretap. Inside the decrypt processor, the key components are decrypted and combined to form the device unique key. The request for and release of escrowed key components must be done in accordance with procedures established by the U.S. Attorney General.[3]

Once the decrypt processor has the device unique key, it can decrypt the session key in the LEAF, and then use the session key to decrypt the communications in both directions. For voice communications, additional equipment is needed to convert the decrypted digital streams to voice.

If subsequent conversations involving the target are encrypted, the decrypt processor can decrypt the session key directly, without the need to go through the escrow agents. This allows for real-time decryption. However, at the end of the authorized period of surveillance, the device unique key must be destroyed inside the decrypt processor so that it cannot be used beyond the period of authorization.

Currently, there is a single prototype decrypt processor. The target devices will support electronic transmission of data to and from the escrow agent workstations and automatic deletion of
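The escrow arrangement described under The Key Escrow Encryption Initiative and the decryption procedure in steps A-F above can be followed end to end in code. The Python model below is an added example written for this edition; it is not code from the bulletin, from AT&T, or from the EES. It assumes a keystream cipher built from HMAC-SHA256 in place of the classified SKIPJACK algorithm, constructed keys and a constructed device ID, integer-valued dates, a session key that is simply generated rather than negotiated (the devices' key-exchange protocol is not modelled), and the class and function names shown (ClipperChip, EscrowAgent, DecryptProcessor, run_intercept), none of which appear in the bulletin. What it shows is the two properties the text relies on: neither escrow agent's component alone yields the device unique key, and the decrypt processor destroys a loaded unit key once the termination date passes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_BYTES = 10  # 80-bit keys, the size the bulletin gives for SKIPJACK


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    # Self-inverse keystream cipher (HMAC-SHA256 in counter mode): a stand-in for the
    # classified SKIPJACK. The label keeps the LEAF and per-direction keystreams distinct.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class ClipperChip:
    device_id: int   # programmed in after manufacture, before sale (constructed value)
    unit_key: bytes  # device unique key; never used for the traffic itself

    def leaf(self, session_key: bytes, family_key: bytes) -> bytes:
        # LEAF = E_family(device_id || E_unit(session_key)), sent ahead of the traffic
        wrapped = stream_xor(self.unit_key, b"leaf-session-key", session_key)
        return stream_xor(family_key, b"leaf", self.device_id.to_bytes(4, "big") + wrapped)


class EscrowAgent:
    # Holds one key component per device and releases it only against a certification.
    def __init__(self) -> None:
        self.components = {}

    def deposit(self, device_id: int, component: bytes) -> None:
        self.components[device_id] = component

    def release(self, device_id: int, certified: bool) -> bytes:
        if not certified:
            raise PermissionError("no certification of legal authority for this wiretap")
        return self.components[device_id]


def escrow_unit_key(chip: ClipperChip, agent_a: EscrowAgent, agent_b: EscrowAgent) -> None:
    # Component A is random and component B = unit_key XOR A, so either one alone is
    # independent of the unit key: the key exists again only when both are combined.
    component_a = secrets.token_bytes(KEY_BYTES)
    agent_a.deposit(chip.device_id, component_a)
    agent_b.deposit(chip.device_id, bytes(x ^ y for x, y in zip(chip.unit_key, component_a)))


class DecryptProcessor:
    # Monitoring-facility processor: holds the family key, a LEAF decryptor and loaded unit keys.
    def __init__(self, family_key: bytes) -> None:
        self.family_key = family_key
        self.loaded = {}  # device_id -> (unit_key, termination_date)

    def open_leaf(self, leaf: bytes) -> tuple:
        inner = stream_xor(self.family_key, b"leaf", leaf)
        return int.from_bytes(inner[:4], "big"), inner[4:]  # (device ID, wrapped session key)

    def load(self, device_id: int, component_a: bytes, component_b: bytes, termination_date: int) -> None:
        unit_key = bytes(x ^ y for x, y in zip(component_a, component_b))
        self.loaded[device_id] = (unit_key, termination_date)

    def session_key(self, leaf: bytes, today: int) -> bytes:
        device_id, wrapped = self.open_leaf(leaf)
        unit_key, termination_date = self.loaded[device_id]  # KeyError: no components loaded
        if today > termination_date:
            del self.loaded[device_id]  # destroy the unit key once the authorized period ends
            raise PermissionError("authorization expired; unit key destroyed")
        return stream_xor(unit_key, b"leaf-session-key", wrapped)


def run_intercept(today: int, termination_date: int) -> dict:
    # Steps A-F of the bulletin's illustration with constructed keys; reports who could read what.
    family_key = secrets.token_bytes(KEY_BYTES)
    chip = ClipperChip(device_id=0x1234, unit_key=secrets.token_bytes(KEY_BYTES))
    agent_a, agent_b = EscrowAgent(), EscrowAgent()
    escrow_unit_key(chip, agent_a, agent_b)
    session_key = secrets.token_bytes(KEY_BYTES)  # assumed agreed by the devices' key-exchange protocol
    leaf = chip.leaf(session_key, family_key)
    ciphertext = stream_xor(session_key, b"direction-a-to-b", b"Hello")
    processor = DecryptProcessor(family_key)
    device_id, wrapped = processor.open_leaf(leaf)              # step C: device ID read from the LEAF
    component_a = agent_a.release(device_id, certified=True)    # steps D-E: certified request, delivery
    component_b = agent_b.release(device_id, certified=True)
    processor.load(device_id, component_a, component_b, termination_date)
    try:
        plaintext = stream_xor(processor.session_key(leaf, today), b"direction-a-to-b", ciphertext)  # step F
    except PermissionError:
        plaintext = None
    return {
        "device_id": device_id,
        "plaintext": plaintext,
        "one_agent_recovers_session_key": stream_xor(component_a, b"leaf-session-key", wrapped) == session_key,
        "unit_key_still_loaded": device_id in processor.loaded,
    }
```

Calling run_intercept(today=100, termination_date=150) returns the plaintext b"Hello" and leaves the unit key loaded for later conversations; with today=160 the processor refuses, deletes the loaded unit key, and the plaintext comes back as None. The per-direction labels passed to stream_xor are a detail the bulletin does not discuss: when one session key serves both directions, as the text says it does, a keystream cipher must still derive a different keystream for each direction, otherwise the two encrypted streams XOR to the XOR of the two plaintexts.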

device unique keys.

The key escrow system has extensive technical and procedural safeguards to ensure that keys do not get in the wrong hands or are used for anything other than a lawfully authorized surveillance.[4] The entire system will be subject to verification and audit, and the U.S. Department of Justice will conduct inquiries to ascertain that keys are used only as authorized.

The Clipper controversy

The announcement of Clipper Chip has sparked a lively and often heated debate. Clipper's strongest opponents have portrayed it as an Orwellian tool of oppression that will cripple privacy in advance of due process. They believe that citizens have the right to use strong encryption that evades government surveillance, and that exercising this capability is one way to protect against a government that cannot be trusted. While acknowledging the value of wiretaps in certain cases, they argue that society needs to be protected from the government more than the government needs to wiretap its citizens.

Clipper also has been criticized for being developed in secrecy without prior public review. Critics argue that encryption standards should be developed by an open process, with input from industry, academia, privacy groups and other interested parties.

Some of the criticism has been aimed not at the principle of key escrow encryption, but its use through Clipper. Clipper uses a classified encryption algorithm, which precludes public scrutiny and limits its acceptability. Moreover, because it uses a classified algorithm, it must be implemented in special tamper-resistant hardware. For many applications, software is preferred. The selection of escrow agents has been criticized, with critics arguing that at least one should be outside the Executive branch, either from the judiciary or private sector. Critics also argue that Clipper products will have a limited foreign market as long as the algorithms are classified and the U.S. holds the keys, and that Clipper will not serve the needs for secure international communications. There is some interest in developing an international key escrow system.[5]

Since Clipper is voluntary, many people argue criminals will not use it and it will be a waste of taxpayer money. In fact, cryptography without key escrow is spreading. Since key escrow is voluntary, the government could very well find itself locked out of many communications and stored files. The government, however, has a dilemma. If it promulgates encryption standards that preclude government access, such standards will be used by criminals to the detriment of society. The policy, therefore, is to adopt standards that permit only authorized government access.

While maintaining its commitment to key escrow, the Administration has responded to the criticisms by meeting with representatives from Congress, industry, academia, and privacy and public interest groups in order to better understand their concerns and explore alternative approaches to key escrow. Several alternatives have been proposed, including software-based approaches to key escrow that use unclassified algorithms, and private sector approaches that would give corporations and individuals a backup capability for protecting their own information assets, stored encrypted in files, from becoming inaccessible in case the keys are ever lost, destroyed or held for ransom.

While these proposals are promising, they do not appear to be replacements for Clipper, but rather alternative options that may be better suited for some applications. Clipper is a sound approach for phone communications. It offers excellent security, while serving the real-time needs of law enforcement. Most of the alternatives under discussion apply more to computer networks or file systems. However, even for computer networks, the Capstone Chip, which is a more advanced version of Clipper that includes algorithms for implementing the Digital Signature Standard and key exchange, is an attractive option for secure electronic mail and electronic commerce. Capstone has been embedded in a Personal Computer Memory Card International Association crypto card for use in the Defense Messaging System.

Key escrow encryption offers the possibility of providing strong cryptographic protection while meeting the needs of society for law enforcement and national security, and the needs of organizations for a backup decryption capability. Eventually, international standards for escrowed encryption may emerge, and key escrow may become the dominant form of encryption.

This report was written by Dorothy E. Denning of Georgetown University. Points of view or opinions are those of the author and do not necessarily represent those of SEARCH or the SEARCH Membership Group.

Endnotes

[1] Walker, S. T., testimony to the Committee on the Judiciary, Subcommittee on Technology and the Law, United States Senate, May 3, 1994.
[2] National Institute for Standards and Technology, "Escrowed Encryption Standard (EES)," Federal Information Processing Standards Publication (FIPS PUB) 185, Feb. 9, 1994.
[3] U.S. Department of Justice, "Authorization Procedures for Release of Encryption Key Components in Conjunction with Intercepts Pursuant to Title III," "Authorization Procedures for Release of Encryption Key Components in Conjunction with Intercepts Pursuant to FISA," and "Authorization Procedures for Release of Encryption Key Components in Conjunction with Intercepts Pursuant to State Statutes," Feb. 4, 1994.
[4] Denning, D. E. and Smid, M., "Key Escrowing Today," IEEE Communications, Sept. 1994.
[5] Denning, D. E., "International Key Escrow Encryption: Proposed Objectives and Options," Proceedings of the International Cryptography Institute 1994: Global Challenges, National Intellectual Property Law Institute, Sept. 1994.

