DOCSLIB.ORG

Protocol Failure in the Escrowed Encryption Standard

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Protocol Failure in the Escrowed Encryption Standard Protocol Failure in the Escrowed Encryption Standard Matt Blaze AT&T Bell Laboratories [email protected] August 20, 1994 Abstract The proposal, called the Escrowed Encryption Stan- dard (EES) [NIST94], includes several unusual fea- The Escrowed Encryption Standard (EES) de¯nes tures that have been the subject of considerable de- a US Government family of cryptographic processors, bate and controversy. The EES cipher algorithm, popularly known as \Clipper" chips, intended to pro- called \Skipjack", is itself classi¯ed, and implemen- tect unclassi¯ed government and private-sector com- tations of the cipher are available to the private sec- munications and data. A basic feature of key setup be- tor only within tamper-resistant modules supplied by tween pairs of EES processors involves the exchange of government-approved vendors. Software implementa- a \Law Enforcement Access Field" (LEAF) that con- tions of the cipher will not be possible. Although Skip- tains an encrypted copy of the current session key. The jack, which was designed by the US National Security LEAF is intended to facilitate government access to Agency (NSA), was reviewed by a small panel of civil- the cleartext of data encrypted under the system. Sev- ian experts who were granted access to the algorithm, eral aspects of the design of the EES, which employs a the cipher cannot be subjected to the degree of civilian classi¯ed cipher algorithm and tamper-resistant hard- scrutiny ordinarily given to new encryption systems. ware, attempt to make it infeasible to deploy the sys- By far the most controversial aspect of the EES tem without transmitting the LEAF. We evaluated system, however, is key escrow. As part of the crypto- the publicly released aspects of the EES protocols as synchronization process, EES devices generate and ex- well as a prototype version of a PCMCIA-based EES change a \Law Enforcement Access Field" (LEAF). device. This paper outlines various techniques that This ¯eld contains a copy of the current session key enable cryptographic communication among EES pro- and is intended to enable a government eavesdropper cessors without transmission of the valid LEAF. We to recover the cleartext. The LEAF copy of the ses- identify two classes of techniques. The simplest al- sion key is encrypted with a device-unique key called low communication only between pairs of \rogue" par- the \unit key", assigned at the time the EES device is ties. The second, more complex methods permit rogue manufactured. Copies of the unit keys for all EES de- applications to take unilateral action to interoperate vices are to be held in \escrow" jointly by two federal with legal EES users. We conclude with techniques agencies that will be charged with releasing the keys that could make the ¯elded EES architecture more to law enforcement under certain conditions. robust against these failures. At present, two EES devices are being produced. The simplest, the Clipper chip (also known as the MYK-78), is essentially a drop-in replacement for a 1 Introduction and Background conventional DES [NBS77] chip and relies on key nego- tiation being handled o® the chip. The other EES de- In April 1993, the Clinton Administration an- vice, the Capstone chip (MYK-80), adds built-in sup- nounced a proposed new federal standard symmetric- port for public-key negotiation and digital signatures, key encryption system for the protection of sensitive- with modular arithmetic functions, random number but-unclassi¯ed government and civilian data [Mar93]. generation, and other such features. The interface to the Skipjack cipher is similar to °c 1994. This is a pre-print of a paper to appear at the 2nd that of DES, based on a 64 bit codebook block cipher ACM Conference on Computer and Communications Security, Fairfax, VA, November 1994. and supporting FIPS-81 [NBS80] standard modes of operation. Keys are 80 bits in length, as opposed to DES's 56 bits. The initial application of EES is in stand-alone voice encryption telephone units, such as the AT&T Model 3600 Telephone Security Device. To facilitate 80 bits computer applications such as electronic mail and ¯le encryption, a version of the Capstone chip will also Session key IV & other variables be available packaged in a standard PCMCIA card. EES PCMCIA cards can be installed easily in many commercially available laptop computers, and SCSI- Skipjack encrypt 16 bit checksum based PCMCIA card readers can connect EES cards (unit key) function to most other computers. The government has spec- i¯ed a standard application interface library for com- municating with the cards. 32 bits 80 bits 16 bits Clipper and Capstone chips are, at present, avail- Unit ID Encrypted Session Key chksum able only for use in approved products that comply with LEAF handling requirements. EES PCMCIA cards, on the other hand, are themselves a stand-alone product, and are to be made generally available \o® Skipjack encrypt the shelf" in the United States. (global family key) The government has stated that the goal of the EES is to make a strong cipher available for legitimate use without supplying criminals and other adversaries 128 bits with a tool that can be used against American in- LEAF terests or to hide illegal activities from law enforce- ment. Thus the system is intended to be di±cult to deploy without also sending a valid LEAF and thereby Figure 1: LEAF Structure exposing the tra±c to the possibility of government monitoring. In this paper, however, we show that it is possible to construct applications that can enjoy use of the Skipjack cipher but that do not admit law ¯rst must intercept the LEAF and the tra±c itself enforcement access through the LEAF. For the pur- using conventional data wiretapping technology. The poses of this paper, we consider two classes of \rogue" LEAF is decrypted with the family key, revealing the EES applications: those that can communicate only chip serial number, the unit key-encrypted session key with other rogue systems and those that can success- and the LEAF checksum. The chip serial number is fully interoperate with EES \legal" systems as well. provided, with appropriate authorization, to the two The latter category especially threatens the goals of escrow agencies, which each return half of the unit key the EES program, since such rogue applications would for the given serial number. The two half-unit keys can be operationally equivalent to their legal counterparts be combined (by bitwise exclusive-or) to produce the without being subject to government access. unit key, which the law enforcement agency can then use to decrypt the session key. This session key can 1.1 LEAF Structure and Protocols then be used to decrypt the actual tra±c. The LEAF is a 128 bit structure containing enough The wiretapping system thus relies on the availabil- information for law enforcement recovery of the ses- ity of the LEAF along with the encrypted tra±c. To sion key with the cooperation of the two agencies hold- force applications to send the LEAF on the same chan- ing the unit key database. The structure contains a nel as the tra±c, EES devices will not decrypt data 32 bit unique unit identi¯er (the serial number of the until they have received a valid LEAF for the current chip that generated the LEAF), the current 80 bit ses- session key. Presumably, EES devices perform various sion key (encrypted with the device's unit key) and a integrity checks on received LEAFs prior to accepting 16 bit LEAF checksum. The entire structure is en- them. crypted with a ¯xed \family key" to produce the ¯nal LEAF message. All cryptographic operations employ To provide a convenient application interface for symmetric (secret) key techniques. The family key is LEAF management, EES devices generate and load shared by all interoperable EES devices. The family LEAFs along with the FIPS-81 initialization vectors key, the encryption modes used to encrypt the unit (IVs). The devices provide \generate IV" and \load key and the LEAF message, and the details of the IV" functions that operate on 192 bit ¯elds containing checksum are all secret. Externally, the LEAF is an an unencrypted 64 bit IV concatenated with the 128 opaque 128 bit package. See Figure 1. bit encrypted LEAF. The load IV operation fails if the To decrypt EES tra±c, a law enforcement agency associated LEAF does not pass an integrity check. 1.2 Experimental Observations only the checksum, and the checksum appears at the end of the LEAF in public documents, we can Most details of the LEAF creation method, encryp- conclude that at least one of the following is true: tion modes, and data structures, beyond those men- tioned above, are classi¯ed and are therefore unknown { The LEAF is encrypted with a non-standard to us. In particular, the EES standard does not specify mode in which cleartext in \late" blocks af- the exact mechanism that enforces the transmission of fects the early ciphertext. the correct LEAF. However, we were able to perform { The LEAF is encrypted with a standard a number of simple experiments on our prototype de- forward-chaining or stream mode but the vices to con¯rm and expand our knowledge of LEAF checksum appears in the ¯rst cipherblock of internals. All experiments were performed at the pro- the LEAF. tocol level through the standard interface and did not { The LEAF is encrypted with a standard involve cryptanalysis or direct hardware \reverse en- forward-chaining or stream mode but the gineering." We summarize our observations below. current session IV is itself used to initialize it. LEAF integrity is veri¯ed entirely via redundancy ² in the checksum ¯eld.
Load more

Recommended publications
  • Atlantic Highly Migratory Species Stock Assessment and Fisheries Evaluation Report 2019
    Atlantic Highly Migratory Species Stock Assessment and Fisheries Evaluation Report 2019 U.S. Department of Commerce | National Oceanic and Atmospheric Administration | National Marine Fisheries Service 2019 Stock Assessment and Fishery Evaluation Report for Atlantic Highly Migratory Species Atlantic Highly Migratory Species Management Division May 2020 Highly Migratory Species Management Division NOAA Fisheries 1315 East-West Highway Silver Spring, MD 20910 Phone (301) 427-8503 Fax (301) 713-1917 For HMS Permitting Information and Regulations • HMS recreational fishermen, commercial fishermen, and dealer compliance guides: www.fisheries.noaa.gov/atlantic-highly-migratory-species/atlantic-hms-fishery- compliance-guides • Regulatory updates for tunas: hmspermits.noaa.gov For HMS Permit Purchase or Renewals Open Access Vessel Permits Issuer Permits Contact Information HMS Permit HMS Charter/Headboat, (888) 872-8862 Shop Atlantic Tunas (General, hmspermits.noaa.gov Harpoon, Trap), Swordfish General Commercial, HMS Angling (recreational) Southeast Commercial Caribbean Small (727) 824-5326 Regional Boat, Smoothhound Shark www.fisheries.noaa.gov/southeast/resources- Office fishing/southeast-fisheries-permits Greater Incidental HMS Squid Trawl (978) 281-9370 Atlantic www.fisheries.noaa.gov/new-england-mid- Regional atlantic/resources-fishing/vessel-and-dealer- Fisheries permitting-greater-atlantic-region Office Limited Access Vessel Permits Issuer Permits Contact Information HMS Permit Atlantic Tunas Purse Seine (888) 872-8862 Shop category hmspermits.noaa.gov
    [Show full text]
  • Optimizing the Block Cipher Resource Overhead at the Link Layer Security Framework in the Wireless Sensor Networks
    Proceedings of the World Congress on Engineering 2008 Vol I WCE 2008, July 2 - 4, 2008, London, U.K. Optimizing the Block Cipher Resource Overhead at the Link Layer Security Framework in the Wireless Sensor Networks Devesh C. Jinwala, Dhiren R. Patel and Kankar S. Dasgupta, data collected from different sensor nodes. Since the Abstract—The security requirements in Wireless Sensor processing of the data is done on-the-fly, while being Networks (WSNs) and the mechanisms to support the transmitted to the base station; the overall communication requirements, demand a critical examination. Therefore, the costs are reduced [2]. Due to the multi-hop communication security protocols employed in WSNs should be so designed, as and the in-network processing demanding applications, the to yield the optimum performance. The efficiency of the block cipher is, one of the important factors in leveraging the conventional end-to-end security mechanisms are not performance of any security protocol. feasible for the WSN [3]. Hence, the use of the standard In this paper, therefore, we focus on the issue of optimizing end-to-end security protocols like SSH, SSL [4] or IPSec [5] the security vs. performance tradeoff in the security protocols in WSN environment is rejected. Instead, appropriate link in WSNs. As part of the exercise, we evaluate the storage layer security architecture, with low associated overhead is requirements of the block ciphers viz. the Advanced Encryption required. Standard (AES) cipher Rijndael, the Corrected Block Tiny Encryption Algorithm (XXTEA) using the Output Codebook There are a number of research attempts that aim to do so.
    [Show full text]
  • Crypto Wars of the 1990S
    Danielle Kehl, Andi Wilson, and Kevin Bankston DOOMED TO REPEAT HISTORY? LESSONS FROM THE CRYPTO WARS OF THE 1990S CYBERSECURITY June 2015 | INITIATIVE © 2015 NEW AMERICA This report carries a Creative Commons license, which permits non-commercial re-use of New America content when proper attribution is provided. This means you are free to copy, display and distribute New America’s work, or in- clude our content in derivative works, under the following conditions: ATTRIBUTION. NONCOMMERCIAL. SHARE ALIKE. You must clearly attribute the work You may not use this work for If you alter, transform, or build to New America, and provide a link commercial purposes without upon this work, you may distribute back to www.newamerica.org. explicit prior permission from the resulting work only under a New America. license identical to this one. For the full legal code of this Creative Commons license, please visit creativecommons.org. If you have any questions about citing or reusing New America content, please contact us. AUTHORS Danielle Kehl, Senior Policy Analyst, Open Technology Institute Andi Wilson, Program Associate, Open Technology Institute Kevin Bankston, Director, Open Technology Institute ABOUT THE OPEN TECHNOLOGY INSTITUTE ACKNOWLEDGEMENTS The Open Technology Institute at New America is committed to freedom The authors would like to thank and social justice in the digital age. To achieve these goals, it intervenes Hal Abelson, Steven Bellovin, Jerry in traditional policy debates, builds technology, and deploys tools with Berman, Matt Blaze, Alan David- communities. OTI brings together a unique mix of technologists, policy son, Joseph Hall, Lance Hoffman, experts, lawyers, community organizers, and urban planners to examine the Seth Schoen, and Danny Weitzner impacts of technology and policy on people, commerce, and communities.
    [Show full text]
  • KLEIN: a New Family of Lightweight Block Ciphers
    KLEIN: A New Family of Lightweight Block Ciphers Zheng Gong1, Svetla Nikova1;2 and Yee Wei Law3 1Faculty of EWI, University of Twente, The Netherlands fz.gong, [email protected] 2 Dept. ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium 3 Department of EEE, The University of Melbourne, Australia [email protected] Abstract Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has ad- vantage in the software performance on legacy sensor platforms, while its hardware implementation can be compact as well. Key words. Block cipher, Wireless sensor network, Low-resource implementation. 1 Introduction With the development of wireless communication and embedded systems, we become increasingly de- pendent on the so called pervasive computing; examples are smart cards, RFID tags, and sensor nodes that are used for public transport, pay TV systems, smart electricity meters, anti-counterfeiting, etc. Among those applications, wireless sensor networks (WSNs) have attracted more and more attention since their promising applications, such as environment monitoring, military scouting and healthcare. On resource-limited devices the choice of security algorithms should be very careful by consideration of the implementation costs. Symmetric-key algorithms, especially block ciphers, still play an important role for the security of the embedded systems.
    [Show full text]
  • Battle of the Clipper Chip - the New York Times
    Battle of the Clipper Chip - The New York Times https://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipp... https://nyti.ms/298zenN Battle of the Clipper Chip By Steven Levy June 12, 1994 See the article in its original context from June 12, 1994, Section 6, Page 46 Buy Reprints VIEW ON TIMESMACHINE TimesMachine is an exclusive benefit for home delivery and digital subscribers. About the Archive This is a digitized version of an article from The Times’s print archive, before the start of online publication in 1996. To preserve these articles as they originally appeared, The Times does not alter, edit or update them. Occasionally the digitization process introduces transcription errors or other problems; we are continuing to work to improve these archived versions. On a sunny spring day in Mountain View, Calif., 50 angry activists are plotting against the United States Government. They may not look subversive sitting around a conference table dressed in T-shirts and jeans and eating burritos, but they are self-proclaimed saboteurs. They are the Cypherpunks, a loose confederation of computer hackers, hardware engineers and high-tech rabble-rousers. The precise object of their rage is the Clipper chip, offically known as the MYK-78 and not much bigger than a tooth. Just another tiny square of plastic covering a silicon thicket. A computer chip, from the outside indistinguishable from thousands of others. It seems 1 of 19 11/29/20, 6:16 PM Battle of the Clipper Chip - The New York Times https://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipp..
    [Show full text]
  • Data Encryption Routines for the PIC18
    AN953 Data Encryption Routines for the PIC18 Author: David Flowers ENCRYPTION MODULE OVERVIEW Microchip Technology Inc. • Four algorithms to choose from, each with their own benefits INTRODUCTION • Advanced Encryption Standard (AES) This Application Note covers four encryption - Modules available in C, Assembly and algorithms: AES, XTEA, SKIPJACK® and a simple Assembly written for C encryption algorithm using a pseudo-random binary - Allows user to decide to include encoder, sequence generator. The science of cryptography decoder or both dates back to ancient Egypt. In today’s era of informa- - Allows user to pre-program a decryption key tion technology where data is widely accessible, into the code or use a function to calculate sensitive material, especially electronic data, needs to the decryption key be encrypted for the user’s protection. For example, a • Tiny Encryption Algorithm version 2 (XTEA) network-based card entry door system that logs the persons who have entered the building may be suscep- - Modules available in C and Assembly tible to an attack where the user information can be - Programmable number of iteration cycles stolen or manipulated by sniffing or spoofing the link • SKIPJACK between the processor and the memory storage - Module available in C device. If the information is encrypted first, it has a • Pseudo-random binary sequence generator XOR better chance of remaining secure. Many encryption encryption algorithms provide protection against someone reading - Modules available in C and Assembly the hidden data, as well as providing protection against tampering. In most algorithms, the decryption process - Allows user to change the feedback taps at will cause the entire block of information to be run-time destroyed if there is a single bit error in the block prior - KeyJump breaks the regular cycle of the to to decryption.
    [Show full text]
  • Development of the Advanced Encryption Standard
    Volume 126, Article No. 126024 (2021) https://doi.org/10.6028/jres.126.024 Journal of Research of the National Institute of Standards and Technology Development of the Advanced Encryption Standard Miles E. Smid Formerly: Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899, USA [email protected] Strong cryptographic algorithms are essential for the protection of stored and transmitted data throughout the world. This publication discusses the development of Federal Information Processing Standards Publication (FIPS) 197, which specifies a cryptographic algorithm known as the Advanced Encryption Standard (AES). The AES was the result of a cooperative multiyear effort involving the U.S. government, industry, and the academic community. Several difficult problems that had to be resolved during the standard’s development are discussed, and the eventual solutions are presented. The author writes from his viewpoint as former leader of the Security Technology Group and later as acting director of the Computer Security Division at the National Institute of Standards and Technology, where he was responsible for the AES development. Key words: Advanced Encryption Standard (AES); consensus process; cryptography; Data Encryption Standard (DES); security requirements, SKIPJACK. Accepted: June 18, 2021 Published: August 16, 2021; Current Version: August 23, 2021 This article was sponsored by James Foti, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). The views expressed represent those of the author and not necessarily those of NIST. https://doi.org/10.6028/jres.126.024 1. Introduction In the late 1990s, the National Institute of Standards and Technology (NIST) was about to decide if it was going to specify a new cryptographic algorithm standard for the protection of U.S.
    [Show full text]
  • State of the Art in Lightweight Symmetric Cryptography
    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
    [Show full text]
  • Encryption Friction
    ENCRYPTION FRICTION Christopher Babiarz INTRODUCTION The Supreme Court decision in Riley v. California reflects the fact that the Court is increasingly sensitive to the implications of new technologies in the lives of individuals and their subsequent impacts on reasonable expectations of privacy.1 This increased judicial awareness for the pervasive role that technology plays in our modern privacy suggests that in the future the Court would be more inclined to protect individual privacy rights and less inclined to force technology manufacturers to only provide broken encryption to users so that the government can enjoy unfettered access to protected data.2 Although encryption admittedly presents unique challenges to government interests in law enforcement and terrorism prevention, the proposed government solution undercuts and outweighs fundamental aspects of modern privacy.3 Given the Court’s demonstration of an increased awareness for modern privacy concerns, efforts by the government to undermine encryption should be dismissed by the Court in favor of individual privacy rights. Following an introduction to encryption generally, this paper begins with the rekindling of a privacy issue that Michael Froomkin wrote about in the mid-1990’s.4 The lack of a solidified judicial stance on this issue sets the stage for the modern encryption battle between the FBI and Apple, and the recent Supreme Court decision in Riley v. California illustrates a likelihood that the current Court is ready to finally take a position on this old debate.5 This paper argues that the Court should be 1 Riley v. California, 134 S. Ct. 2473 (2014). 2 Id. at 2484.
    [Show full text]
  • The Clipper Chip Proposal: Deciphering the Unfounded Fears That Are Wrongfully Derailing Its Implementation, 29 J
    UIC Law Review Volume 29 Issue 2 Article 8 Winter 1996 The Clipper Chip Proposal: Deciphering the Unfounded Fears That Are Wrongfully Derailing Its Implementation, 29 J. Marshall L. Rev. 475 (1996) Howard S. Dakoff Follow this and additional works at: https://repository.law.uic.edu/lawreview Part of the Constitutional Law Commons, Criminal Law Commons, Criminal Procedure Commons, Evidence Commons, Fourth Amendment Commons, and the Legislation Commons Recommended Citation Howard S. Dakoff, The Clipper Chip Proposal: Deciphering the Unfounded Fears That Are Wrongfully Derailing Its Implementation, 29 J. Marshall L. Rev. 475 (1996) https://repository.law.uic.edu/lawreview/vol29/iss2/8 This Comments is brought to you for free and open access by UIC Law Open Access Repository. It has been accepted for inclusion in UIC Law Review by an authorized administrator of UIC Law Open Access Repository. For more information, please contact [email protected]. NOTES THE CLIPPER CHIP PROPOSAL: DECIPHERING THE UNFOUNDED FEARS THAT ARE WRONGFULLY DERAILING ITS IMPLEMENTATION INTRODUCTION Improvements in technology have reduced law enforcement's ability to conduct electronic surveillance of criminal activity.' Rather than rely on telephones to communicate with their accom- plices, criminals may increasingly use computers to perpetrate crimes.2 In response to these problems, law enforcement authori- ties have pushed for the implementation of new methods to im- prove the ability of law enforcement agencies to intercept criminal transmissions, while concurrently increasing the privacy of in- dividual citizens.3 The "Clipper Chip" was developed to address this objec- tive.4 This device is intended to alleviate law enforcement's re- duced ability to conduct electronic surveillance by allowing gov- ernment authorities, using proper methods, to intercept criminal transmissions.5 As planned, the Clipper Chip will achieve this by providing a mechanism for government authorities to decode en- crypted communications using so-called "key escrow" technology.6 1.
    [Show full text]
  • A Clash of Interests Over the Electronic Encryption Standard
    American University Washington College of Law Digital Commons @ American University Washington College of Law Articles in Law Reviews & Other Academic Journals Scholarship & Research 1995 A Puzzle Even the Codebreakers Have Trouble Solving: A Clash of Interests over the Electronic Encryption Standard Sean Flynn Follow this and additional works at: https://digitalcommons.wcl.american.edu/facsch_lawrev Part of the Communications Law Commons, Computer Law Commons, International Trade Law Commons, Internet Law Commons, and the Science and Technology Law Commons A PUZZLE EVEN THE CODEBREAKERS HAVE TROUBLE SOLVING: A CLASH OF INTERESTS OVER THE ELECTRONIC ENCRYPTION STANDARD SEAN M. FLYNN* I. INTRODUCTION On February 9, 1994, when the National Institute of Standards and Technology (NIST) announced the federal Escrowed Encryption Stan- dard (EES),' the simmering debate over encryption policy in the United States boiled over. Public interest groups argued that the standard would jeopardize an individual's right to privacy. U.S. multinationals voiced concerns that the government would undercut private encryption technology and limit their choice of encryption products for sensitive transmissions. Computer software groups claimed that EES lacked commercial appeal and would adversely affect their ability to compete. Pitted against these concerns were those of the law enforcement and national security communities, which countered that the interests of national security required the adoption of EES. A quick study2 of EES reveals little that would explain this uproar. The NIST issued EES as an encryption methodology for use in its government information processing 3 pursuant to the Computer Secu- rity Act of 1987. 4 The EES is intended to supersede the existing government standard, Data Encryption Standard (DES), which has been in use since 1977 and is very popular.
    [Show full text]
  • Going Dark: Impact to Intelligence and Law Enforcement and Threat Mitigation
    GOING DARK: IMPACT TO INTELLIGENCE AND LAW ENFORCEMENT AND THREAT MITIGATION Bonnie Mitchell Krystle Kaul G. S. McNamara Michelle Tucker Jacqueline Hicks Colin Bliss Rhonda Ober Danell Castro Amber Wells Catalina Reguerin Cindy Green-Ortiz Ken Stavinoha ACKNOWLEDGEMENTS We would like to first thank the Office of the Director of National Intelligence (ODNI) for its generous funding and support for our study and learning journey to the DEFCON hacking conference. We are also very grateful to the Department of Homeland Security (DHS) for its support during the duration of the program. We could not have completed this study without the unwavering support and dedication of Ms. Bonnie Mitchell, ODNI Deputy National Intelligence Manager for the Western Hemisphere and the Homeland, our devoted Team Champion who steered us throughout this study and helped turn an idea into a product. We would like to acknowledge and thank each member of our public-private sector working group for their tireless efforts from around the U.S., which includes Krystle Kaul, G. S. McNamara, Michelle Tucker, Jacqueline Hicks, Colin Bliss, Rhonda Ober, Danell Castro, Amber Wells, Catalina Reguerin, Cindy Green- Ortiz and Ken Stavinoha. We are very thankful for all the unique insight we received from interviewees who contributed to this report by educating our group on the many aspects of ‘going dark,’ and we take full responsibility for any and all errors of fact or interpretation implied or explicit in this paper. Our interviewees include the Village sponsors at DEF CON, private sector industry experts and government officials. We are thankful for the interesting and diverse perspectives particularly from senior government officials and private sector experts.
    [Show full text]