Response to Questions on crypto hearing 9 July 1997

This is my response to the questions from Senator Hatch, as a followup to my 9 July 1997 testimony and its attached report ( or .ps, or, respectively).

Senator Orrin G. Hatch                                     2 September 1997
United States Senate
Committee on the Judiciary
Washington DC 20510-6275

Dear Senator Hatch,

Thank you for your request for follow-up discussion relating to your Senate
Judiciary Committee hearing on cryptography on 9 July 1997.  On 15 August, I
received the set of questions contained in your letter dated 29 July 1997,
and am happy to respond accordingly to amplify what I have already stated in
my prepared testimony and what was submitted in its attached report (Hal
Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze,
Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey
I. Schiller, Bruce Schneier, ``The Risks of Key Recovery, Key Escrow, and
Trusted Third-Party Encryption,'' 27 May 1997) -- which I understand will be
included in the permanent record of the hearing.  I hope that my responses
adequately address the specific questions.  Comments from several of the
coauthors of the May report are incorporated into my responses.

Let me reiterate my appreciation to you, Senator Leahy, and the rest of the
Committee for sponsoring the hearing and for giving me the opportunity to
respond to your subsequent questions.  I am truly grateful for having been
invited to participate.

  Peter G. Neumann
  Computer Science Laboratory
  SRI International EL-243
  333 Ravenswood Ave
  Menlo Park CA 94025-3493
    Tel 650/859-2375   [or 415-859-2375, until 1 Feb 1998]
    Fax 650/859-2844   [or 415-859-2844, until 1 Feb 1998]

Note 1: As of 2 August 1997, the San Francisco south Bay Area area code 415
was supposed to become 650, although 415 will remain valid until the end of
January 1998.  However, there are widespread reports of 650 not being
accepted by various telephone company systems, which apparently are not yet
programmed to accept the middle digit 5.

Note 2: My identification was incorrectly listed at the time of the hearing.
I presume that has been corrected in your records.  Incidentally, SRI
International is a not-for-profit research institute.

============================= % CUT HERE % =============================

Question 4 from Senator Thurmond to Peter Neumann: "Mr. Neumann, you state
  in your prepared testimony that there is little evidence that encryption
  is becoming a significant problem for law enforcement.  Is it your view
  that the concerns of the Director of the FBI are misplaced, and
  that encryption should not be a priority for him?"

Peter Neumann's Response to Senator Thurmond's Question 4:

Senator Thurmond, your question cannot be answered with a single yes or no.
In the following response, my answer to the first part --- are his concerns
misplaced? -- indicates that his concerns need rebalancing.  My answer to
the second part -- should encryption not be a priority for him? -- is that
encryption should not be his top priority; I think that putting all of his
eggs in the key-recovery basket could prove to be self-defeating for the
FBI.  But this greatly simplified summary requires some careful explanation.

I believe that the expressed concerns of the Director of the FBI relating to
cryptography are indeed seriously misplaced -- they overemphasize one
element of the big picture (key recovery as a would-be magic bullet), and
essentially ignore everything else.  If the security of our
computer-communication infrastructure is not radically improved in the very
near future, through the use of vastly improved system security and
cryptography that is much more impervious to misuse than the proposed
key-recovery schemes are likely to be, then our entire nation will be
seriously at risk regarding computer-related crimes.  The FBI Director
apparently has little interest in improving the infrastructure, only in
achieving the establishment of an unproven key-recovery infrastructure that
could be very badly misused.  In the absence of a dramatically improved
general security infrastructure, the desired key-recovery infrastructure is
likely to be riddled with security vulnerabilities and subject to undetected
compromises.  Yes, I believe his emphasis is badly misplaced, and that he is
almost completely ignoring some very important issues -- and their potential

First of all, a recent report by Professor Dorothy E. Denning of the
Computer Science Department at Georgetown University and William E. Baugh
Jr., vice president of Science Applications International Corporation
suggests that the concerns of Judge Freeh may be overstated at this time.
Their report says, ``Most of the investigators we talked to did not find
that encryption was obstructing a large number of investigations.  When
encryption has been encountered, investigators have usually been able to get
the keys from the subject, crack the codes or use other evidence.''
Professor Denning for many years has been an outspoken supporter of the
FBI's needs, and William Baugh is a recently retired FBI employee.

Second, the following direct quote from my written testimony is relevant:
``It must be recognized that the common goal is to reduce total crime, for
which multiple approaches are undoubtedly necessary.  However, whereas
key-recovery schemes do not help the intelligence community (and probably
hinder it), they might also backfire badly on the law-enforcement community
-- because of the risks outlined here.  Law enforcement desperately needs to
pursue other avenues.  Among many other alternatives, database tracking
facilities are already widespread, through telephone records, credit-card
billing, airline reservations, etc.  Intelligent programs for data fusion
could be very effective -- although perhaps risky from a privacy point of
view.  Additionally, use of biometric and other forms of less spoofable
identification and authentication would add significantly to determining who
is doing what to whom.''

I reiterated that point in my oral testimony on 9 July 1997, and added that
the National Security Agency has already realized that it can no longer
succeed in attempting to stop the worldwide spread of good unrestricted
cryptography (that is, without key recovery), let alone the use of such
cryptography within the United States.  I also mentioned that NSA is already
actively pursuing most of these alternatives, and that the FBI would be wise
to follow NSA's lead.  I might add here that DARPA has an extensive ongoing
program in anomaly and misuse detection that can be used to detect unusual
potential misuse of computer-communication facilities and penetrations, and
that this technology could also be used to identify situations suggestive of
criminal activities.  Also, as a further example, police in various
countries have had considerable success in extracting history logs from
confiscated smart cards and cellular telephones, even when those logs are
encrypted -- although such access may not always need to be surreptitious.

Furthermore, our National Research Council study recognizes that the FBI is
seriously lagging behind NSA in expertise related to computer security, and
recommends that the FBI undertake a major effort to improve its technical
expertise relating to computer and communication technologies.  Please read
that report for background if you have not already done so (Kenneth W. Dam,
W.Y. Smith, Lee Bollinger, Ann Caracristi, Benjamin R. Civiletti, Colin
Crook, Samuel H. Fuller, Leslie H. Gelb, Ronald Graham, Martin Hellman,
Julius L. Katz, Peter G. Neumann, Raymond Ozzie, Edward C. Schmults, Elliot
M. Stone, and Willis H. Ware, Cryptography's Role In Securing the
Information Society, a.k.a. the CRISIS report, Final Report of the National
Research Council Cryptographic Policy Study Committee, National Academy
Press, 2101 Constitution Ave., Washington, D.C. 20418, 1996).

I have absolutely no doubt that the presence of cryptography will in the
future make the FBI's task more difficult.  This is inevitable, because
excellent cryptography without key recovery will be available throughout the
world irrespective of U.S. actions; criminals can always use nonrecoverable
keys even in the presence of key-recovery systems (for example, by
superencrypting, or by disabling the key recovery, or by using a system
without key recovery), and because security has become an international
problem, not just a national one.  Consequently, it is clear that the FBI
should be pursuing alternatives.

Incidentally, I have worked directly with various U.S. Government (including
NSA and FBI) people over the past 24 years, and have a considerable
appreciation of their needs and their technological strengths and
weaknesses.  I believe that the FBI will have difficulties with increased
uses of cryptography, but I also believe that the nation is not ready for
any key-recovery scheme that can be foreseen today.  Too many unidentified
risks have yet to be evaluated, only a few of which are outlined in my
prepared testimony and in its attached jointly authored report (Hal Abelson,
Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield
Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey
I. Schiller, Bruce Schneier, ``The Risks of Key Recovery, Key Escrow, and
Trusted Third-Party Encryption,'' 27 May 1997).


Question from Senator Grassley to both panels: [Let us assume that the
  Grassley Amendment is adopted, relating to reporting whether wiretaps
  were impeded by encryption.]  "If the results of these information-
  gathering procedures show that criminals are using encryption to commit
  crimes and frustrate legitimate law-enforcement investigations, how would
  you suggest Congress address the problem of criminals misusing encryption?"

Peter Neumann's Response to Senator Grassley's question to both panels:

Senator Grassley, efforts to increase the amount and quality of information
available regarding the use of encryption by criminals are very worthy of
Senate action.  Congress urgently needs accurate information.
Unfortunately, the case made by the FBI thus far has been largely based on
very emotional arguments rather than on factual analyses.

The U.S. Government has been running escrow centers at Treasury and NIST for
some time.  Congress would do well to have the relevant Government escrow
agents testify on how frequently their services have been used, by whom, and
in what connection.  Also, Congress would do well to request similar
information from the FBI.

Cryptographic hardware and software without key recovery are already
becoming widely available worldwide, and are going to be increasingly
available in the future.  Congress cannot stop that.  Nor should it.
High-quality cryptography has many beneficial effects on society, including
increased privacy, freedom of association, and integrity of the physical
infrastructure.  Cryptography researchers have First Amendment rights to
pursue and spread knowledge of cryptography, and it is not a long stretch to
say that the right of an individual citizen to protect his or her own
privacy with cryptography may be protected by the freedom of expression and
the ``right to be let alone'' inherent in our Constitution.

Congress must recognize these realities, rather than assuming that key
recovery will solve the problem.  Criminals will soon have at their disposal
cryptographic techniques from numerous countries throughout the world.
Consequently, crime should be treated as crime, whether or not the use of
cryptography is involved.  The use of cryptography, in the absence of crime,
should not be made into a crime; and the use of cryptography in furthering a
criminal scheme should not be any more illegal than the use of a pen or a
computer in furthering an illegal scheme.  The evil is in the crime itself,
not in the tools used to pursue it.

Whether or not there is a dramatic increase in the use of encryption in the
process of committing crimes, Congress should encourage the FBI to urgently
explore other avenues that could facilitate its efforts to detect and
prosecute crimes.  In addition, Congress should urgently act to encourage
much greater security in the entire computer-communication infrastructure.
Today's systems and networks are simply riddled with security
vulnerabilities, and apparently the FBI has very little interest in seeing
that situation improved.  However, a greatly improved computer-communication
infrastructure is absolutely essential for the well-being of our nation, the
soundness of our commerce, and the international competitiveness of our
computer industry.  A sound infrastructure with adequate attention to
authentication and accountability would also greatly help to reduce
computer-related crime and would at the same time facilitate the FBI's role
in preventing, detecting, and prosecuting crime.

My response to the [preceding] direct question from Senator Thurmond notes
that law enforcement urgently needs to pursue other avenues besides key
recovery.  My prepared testimony outlines a few such alternatives, and is
reinforced by my oral testimony on 9 July 1997 -- where I noted that the
National Security Agency is already actively pursuing many of these


Question from Senator Grassley to Panel Two:

  "Many of your written statements assert that key-escrow systems should
  not be pursued because such systems have too many technical flaws or
  weaknesses.  Assuming that these flaws or weaknesses could be resolved,
  would you still oppose key escrow?  In other words, if we could get a
  technologically acceptable key-escrow system, would you support an escrow

Peter Neumann's Response to Senator Grassley's Question to Panel Two:

Senator Grassley, your question implies a possible misperception of what my
prepared testimony says, and of what our National Research Council report
says.  Therefore, I have taken the liberty of modifying your first sentence
slightly to represent properly what I do believe I can address more

  "Many of your written statements assert that key-escrow systems should not
  be pursued because such systems *would very likely* have too many
  technical flaws or weaknesses."

First of all, no such systems exist in the full measure of technological
implementation and administrative procedures necessary to evaluate whether
there is any hope that the potential risks of misuse can be controlled.
Thus, it is impossible to assess the technical flaws and weaknesses based on
what is known today.  But I do believe there is a strong likelihood that
serious vulnerabilities will exist in every key-recovery system.
Essentially every system I have ever studied has been compromisible, and
years of experience in the field suggests that will remain true in the

However, I do not agree that key-recovery systems should not be pursued.  In
particular, our National Research Council report explicitly recommends that,
in the absence of detailed understanding of the risks that might result, the
Government should actively pursue such techniques for its own internal use
and should seriously evaluate the efficacies and risks of key-recovery
systems.  The problems experienced with the Clipper effort to establish a
key-escrow infrastructure for telecommunications suggest that key recovery
may be even more difficult, because NSA had complete control over Clipper,
which would certainly not be the case in the anticipated distributed
collection of key-recovery infrastructures.  This suggests that Congress
should ask the Government to elaborate on its experiences to date with key
escrow and key recovery, including an evaluation of the potential risks.
[The cited NRC report is: Kenneth W. Dam, W.Y. Smith, Lee
Bollinger, Ann Caracristi, Benjamin R. Civiletti, Colin Crook, Samuel
H. Fuller, Leslie H. Gelb, Ronald Graham, Martin Hellman, Julius L. Katz,
Peter G. Neumann, Raymond Ozzie, Edward C. Schmults, Elliot M. Stone, and
Willis H. Ware, Cryptography's Role In Securing the Information Society
(a.k.a. the CRISIS report), Final Report of the National Research Council
Cryptographic Policy Study Committee, National Academy Press, 2101
Constitution Ave., Washington, D.C. 20418, 1996.]

It is very important to realize that key-recovery mechanisms imply a
dramatic centralization of trust and power, even if the key-recovery
facilities are distributed among different entities, and even if the keys
are fragmented as is the case in Clipper.  Compromise of a single
key-recovery authority could have enormous consequences.  I wonder whether
Senators and Representatives would be willing to trust every President,
Attorney General, FBI Director, down to local law-enforcement officers who
might easily gain access to their keys, with all the concomitant risks.

I strongly believe that as a nation we are not ready for key-recovery
infrastructures with surreptitious access in the absence of detailed
procedures for the administration of the process of controlled government
access, together with detailed evaluations of the risks involved and the
overall implications on our constitutional well-being.

It is intriguing to me that you have chosen to use the term "key escrow" --
a concept that has apparently been totally abandoned by NSA and the FBI as
unworkable, and replaced by the alternative term "key recovery" that is
claimed to be totally workable -- presumably because of the public trashing
that key escrow underwent.  The Government is attempting to make a
distinction between the two concepts; however, they are both inherently
surreptitious access in one form or another, irrespective of how the keys
are handled, whether there are single individuals or groups that must be
responsible, etc.  There are no significant conceptual differences between
key escrow and key recovery, despite what you may be told; there are of
course operational differences.  Key recovery has most of the same potential
risks as key escrow, although no one in the Administration seems to be
admitting that.

There are two ways for me to properly answer your question.  The first way
is to say that all of my professional experience tells me that you are
presupposing the impossible.  It is highly likely that we will never be able
to resolve some of the most serious the flaws or weaknesses in a
key-recovery system, because many of them are based on human nature and many
others are based on the impossibility of guaranteed security.  Your
hypothesis is unrealizable to the satisfaction of people who truly
understand the flaky nature of our existing computer-communication
infrastructure and its necessary dependence on people who may not be
sufficiently trustworthy.  Even with advanced algorithms for secret sharing,
vulnerabilities are likely to exist in the underlying infrastructure.  As I
note in my written testimony, ``Surprising attacks have been discovered in
many security schemes thought to be virtually impenetrable.''  Worse yet, it
is truly impossible to create a system with no vulnerabilities, and also
impossible to demonstrate the absence of security flaws and vulnerabilities
-- even if there were none (which is itself impossible).  Although some
flaws can certainly be tolerated or controlled, or at least monitored for
misuse, the robustness of proposed key-recovery infrastructures is unknown
today, but historical evidence suggests that we approach this

The situation reminds me of the statement that ``if we had ham, we could
have ham and eggs -- if we had eggs'' -- but in a world in which there are
no hens.  In theory, truly secure systems are impossible.  In practice,
experience has shown that essentially every system has vulnerabilities that
can be exploited.  As a consequence, I am unable to give you the positive
answer that you are seeking.  Whereas the best minds in the country could
design significantly better systems than we have today, those systems might
very likely be implemented by developers whose bottom-line concerns would
stumble on unsecure simplifications, those systems would be operated by
people with inadequate awareness of the risks, the opportunities for
internal fraud and abuse would exist where significant financial benefits
might result, and there might even be opportunities for outsiders to
penetrate the security.  If you could demonstrate that all of those risks
can be overcome, then you would have solved a problem that no one else has
come close to solving in our entire history and that most sensible people
believe cannot be solved without encountering serious risks.  Certainly,
there is no perfect security and neither the Government nor the nation is
expecting perfect security.  However, until the risks have been properly
addressed -- objectively, openly, and honestly -- you are dealing with a
powder keg.  Risk-management professionals may claim that they can limit the
risks to what is acceptable, but in an electronic era in which one
discovered vulnerability can suddenly become amplified and massively
misused, much of the would-be assurance provided by risk managers can become
rapidly invalidated.

The second way to answer your question is for me to assume that my judgment
is wrong, that brilliant people could succeed in designing and building a
system that would provide keys only to authorized Government parties.  Would
I support or oppose such a system?  Personally, I would still oppose it,
because there is as much danger to society from the Government officially
``authorizing'' itself access to everyone's keys as there is from some
teenager or private investigator stealing them.  Attorney General John
Mitchell regularly signed entire blank pads of wiretap-authorization forms,
whose details were later filled in as desired by the FBI.  I would not be
surprised if some current Senators and Representatives have had personal
experiences of being wiretapped, blackmailed, or otherwise harassed by
J. Edgar Hoover.  If such power is created and centralized, it will attract
those who desire to abuse it.  Just as Kim Philby, the Soviet spy, naturally
steered his career toward high secret positions in the British government,
someone who seeks to accumulate power in the U.S. would be drawn to a
position where that power over others can be obtained, and where potential
opponents (defenders of democratic rule) could be watched and neutralized.


Questions from Senator Leahy to Panel Two: 

Peter Neumann's Responses to Senator Leahy's Questions to Panel Two:

Senator Leahy, your very perspicacious questions suggest that it would be
helpful for me to preface my answers with a little background.

It is very important to make a careful distinction between key recovery in
data storage and key recovery in communications such as telephony.  It is
also necessary to make a careful distinction between key recovery for
decrypted information and key recovery for authentication (identity
verification, integrity, digital signatures, certificates, etc.) and other
purposes.  I believe your questions show that you clearly understand these
distinctions, but I mention this for other readers of my responses to your

1. "Are businesses now using key-recovery encryption and, if so, for
   what purposes?"

There are certainly applications in which a corporation wants to retain
access to keys used by its employees for encrypting stored information --
for example, to protect against death, absence, or the disgruntled-employee
syndrome.  Some businesses do this at present, or are considering it.

   (a) "Are you aware of any businesses using key-recovery encryption
   for communications, including e-mail?"

For pure communications, as in computer network transmissions, faxes, and
telecommunications, there has been little or no reason to retain
communications keys after transmitted information has been decrypted, and no
reason to provide key recovery for the transmission itself because, if the
transmission is botched, it can simply be sent again -- perhaps with a new
set of keys.  Whereas there are some businesses who have their own internal
key-recovery procedures for stored data, there are few such reasons for
key-recovery in communications -- apart from the needs of law enforcement.
The potential breaches of security resulting from having duplicate sets of
one-time keys floating around create significant risks, and thus this
practice entails some inherent risks.  It is important to note that, whereas
some companies will wish to have access to their employees' communication
content, if those companies use trusted network servers that provide the
encryption automatically, then the unencrypted information would be
available without the need for key recovery -- because that information
would be available at the server in unencrypted form.

Incidentally, very few individuals and only some businesses record their own
communications (phone calls, faxes, etc.).  Those who do (e.g., to maintain
a log of all customer transactions) would almost always be able to do so at
an endpoint, where unencrypted text is available.

Encrypted e-mail blurs that distinction somewhat, in that encrypted e-mail
in transit through the Internet acts as communications data, but becomes
stored information when it is received.  However, in various schemes such as
PGP, the keys for authentication are embedded in the message itself and in
the user's private keys.  Having user private keys escrowed or otherwise
recoverable by second or third parties is inherently dangerous, because it
can completely undermine all security everywhere.  Furthermore, the demand
for surreptitious key access implies that perfectly innocent users might
never know that their keys had been compromised -- at least not until they
were arrested for a masquerader's illegal actions through identity theft, or
until their life savings had been stolen.

There is a corporate message recovery version of the commercial version of
PGP that automatically adds a corporate key that can be used to decrypt the
message.  It is not intended primarily for surreptitious key access, because
the installer has local control over who may be granted access -- without
revealing private keys.  However, I have no idea who if anyone is using it,
and how.

First-party key recovery: 
There is no need for first-party key-recovery schemes in communications
(where a user holds his or her own keys), because a user could quickly rekey
in the event of a lost key or a garbled transmission.  However, note that
first-party key recovery or key escrow tends to defeat law-enforcement
desires for surreptitious access.  Nevertheless, holders of their own keys
could be asked to reveal their keys under court order.

Second-party key recovery: 
There is a possible desire for a second-party (in-house) key recovery in
communications on the part of an employer who wants to be able to find out
what is being transmitted.  But that desire may be typically irrelevant,
because the employer typically already has a right and an ability to see 
unencrypted messages and e-mail and can do so by gaining direct access
to the computer systems involved; then, law enforcement could simply gain
access to that information in its unencrypted form, with the help of the
second party.  So, there may not be much of a need for second-party key
recovery in communications.  Some companies have indicated that they might
want to have this capability, although apparently most organizations have
said they do not want it.

Third-party key recovery: 
Only a very weak case can be made for third-party key recovery for
transmitted information.  No sensible highly competitive business should
trust a third party to hold sensitive keys that can control the survival of
the company, irrespective of whether surreptitious law-enforcement access is
possible.  Whether or not the third party is of identifiable
trustworthiness, it could be subject to bribes, coercion, and other
deviations from expected behavior.

   (b) "Have customers ... expressed interest in such a key-recovery 
   encryption product for communications?"

Although some interest has been expressed by system purveyors seeking to
justify key recovery for communications (perhaps with the goal of improving
the exportability of their products), there seems to be considerable
conflict even within those purveyors as to the ultimate desirability and
marketability -- particularly in the absence of knowledge about the possible
risks.  On the other hand, the real customers -- system users and businesses
-- seem not to have been particularly interested in such applications,
although a few examples have been mentioned, such as uses of key recovery to
enable recording of telephone conversations to detect fraud or defend
against lawsuits.  However, in almost all of those cases, the employer
already has more convenient access to unencrypted content.  In any case, the
needs of such an extremely small set of hypothetical applications should not
impose the large expected costs and potentially massive security risks on
everyone else.

Royal Dutch Shell is the only company I can think of that has expressed such
a need.  In a different ``customer'' context, you might say that the FBI has
expressed an interest in key recovery for internal communications, in its
desire to use Clipper phones for its own employees.  But that effort has
apparently been put into deep freeze -- at least for the time being.

   (c) "Do you believe there will be a market for, and consumer interest 
   in using, key-recovery encryption for communications, including for
   telephone communications or fax machine transmissions?"

Only if no other encryption options would be available -- for example, if
the Government were to mandate the use of key recovery in all products with
encryption.  There may eventually be a viable market for encrypted
telephones and fax transmissions.  If products without key recovery are
available, they will clearly be preferable.  However, above and beyond the
desires of law enforcement to restrict the marketplace to only products with
key recovery, the risks of misuse such as inadvertent or malicious
interception may be too great for corporations as well -- which could result
in the use of off-shore encryption facilities without key recovery.  I do
not believe that mandating inherently vulnerable cryptography is a wise

Incidentally, another distinction is important, particularly with respect to
communications -- between communication privacy and communication integrity.
The various types of mobile telephones -- cellular, portable, etc. -- suffer
from some serious integrity problems, such as the lack of customer
authentication and device authentication.  Criminals can take considerable
advantages of those integrity vulnerabilities as well as the privacy
vulnerabilities.  Both require nonsubvertible cryptography, but in different
ways.  Neither can afford to be subverted by key recovery.

2. "Do you ... have any estimate on how much it will cost to deploy 
   key-recovery systems of the type that will meet law enforcement's stated
   specifications for access to encrypted data and communications?"

   (a) "How much will it cost consumers?" and
   (b) "How much will it cost the government to oversee?"

One of the biggest problems is that no one has any realistic estimates on
either the costs to deploy or the costs to operate and administer such
key-recovery systems in such a way that undesirable misuse can be
controlled.  Indeed, no one has succeeded in the past in developing systems
that could not be misused, and there is strong evidence to suggest that will
remain true in the future.  However, the situation is even worse with
respect to the projected future of key recovery because there are no
detailed fully fledged designs for how such a key-recovery system could be
soundly implemented and operated.  Perhaps even more critical, however, is
that no one has conducted any evaluations of the risks that might occur as a
result of the misuse of such key-recovery infrastructures.  That would also
be very difficult today, because the risks have yet to be enumerated and
analyzed.  (You might wish to skim through my book, Computer-Related Risks,
which gives some of the flavor of the incredible breadth of risks that must
be considered and the lengths to which we must go in trying to avoid those

   (c) "Have you heard about any plans by the Administration to 
   subsidize the key-recovery system?"

I have heard some statements to that effect.  It is an interesting question,
particularly because William Crowell, NSA Deputy Director, and others have
repeatedly stated that there won't be a single big system, that the playing
field will be level, and that the Government will find a way to help the
key-recovery technology along, presumably through subsidies.  Because of the
expected distributed nature of any key-recovery infrastructures across many
corporations and governments, the coordination required, and the defensive
measures that would have to be taken in attempts to defend against the risks
I have outlined in my prepared statement and in our attached report (Hal
Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze,
Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey
I. Schiller, Bruce Schneier, ``The Risks of Key Recovery, Key Escrow, and
Trusted Third-Party Encryption,'' 27 May 1997), the Administration would
have to do a lot of subsidizing.

3. "The Commerce Department has announced new rules to allow banks and other
   financial institutions to use encryption of any key length including for
   direct home banking software for their customers worldwide.  Do 
   customers ... have the same need as banks and financial institutions to
   protect their global communications with strong encryption?"

Certainly.  Any high-stakes commerce using the Internet will have to rely on
the strongest encryption available that is not subject to compromise,
subversion, and other misuse.  Privacy of very sensitive databases will be
very difficult to ensure in any case, but even more difficult if users
cannot trust the encryption used in accessing those databases.

On the other hand, the banking community has always had special treatment,
for example in its international use of the Digital Encryption Standard,
DES.  The big difference is that citizens and unregulated businesses have
constitutional rights, whereas banking institutions do not; they are ready
to disclose sensitive information at Government request -- without your

4. "The Administration's draft bill and now the McCain-Kerrey bill, S.909,
   both tie the use of certificate authorities for digital signatures to
   use of key recovery for confidentiality.  Under the bill, a person who
   gets a public-key certificate from a licensed certification authority
   for a digital signature and who decides to use the same public-private
   key pair for confidentiality, would have to store his private key with
   a government-licensed key-recovery agent."

   (a) "Is there any technical reason to tie these two uses together?"

No.  The only reason is a misguided belief that it would help law
enforcement, whereas in fact it could greatly impede law enforcement and
considerably increase the amount of computer-related crime using the
Internet and related technologies that depend on robust authentication.

On the contrary, my prepared testimony states that any linkage of a
key-recovery infrastructure with a certificate infrastructure would be a
true disaster, undermining the credibility of all authentication and
destroying the legal validity and operational importance of nonrepudiation.
The idea of escrowing or otherwise providing surreptitious trapdoor access
to authentication keys is utterly ridiculous, because it throws out the baby
with the bathwater.  The idea of compromising the key-management process
itself by including any key-recovery mechanisms could completely undermine
the integrity of every authentication and every cryptographic use --
exposing them not only to authorized Government access, but to worldwide
misuse by anyone from any country anywhere in the world.  This is an
unbelievably dangerous risk, and has not even been mentioned by any of the
proponents of key recovery.

In particular, my prepared testimony from 9 July 1997 has this paragraph:
``Acquisition of the master key used by an authentication service or a
digital-certificate service could be devastating; worse yet, access to
anyone else's public key would then be sufficient to undermine the
authentication infrastructure.  As a result, the significance of the
authentication would *always* be suspect, and the concept of nonrepudiation
would effectively go out the window.  That is, anyone could justifiably
throw doubts on the legitimacy of a perfectly legitimate certificate.
Furthermore, recovery access to certification keys would not be likely to
provide any directly discernible benefits to law enforcement with respect to
either storage keys or transmission keys, unless accompanied by further
restrictions on all relevant end-user products worldwide.''

   (b) "Could the federal government create a certification authority
   system that did not require the use of key recovery?"

Of course.  Key recovery is not essential to certificate authorities, and
indeed is completely contrary to the notion of a high-integrity certificate
authority.  In fact, there are already very serious intrinsic risks to the
integrity of any certificate authority, and those risks would be drastically
amplified by the presence of key recovery.

  (c) "In your view, why is the Administration tying the two uses

I can believe only that the Administration has not adequately studied the
associated problems, and has followed the lead of the FBI -- which has
clearly not adequately studied the associated problems because it has rather
simplistically decided that key recovery is its last hope in the war against
cryptography, regardless of its costs and risks on the nation in every other
respect.  I believe that the FBI has very legitimate concerns about its
future role in the presence of more widespread cryptography, but I also
believe that there are many other approaches that should be considered
before key recovery is perceived as the last hope.  I believe it is a false
hope with very serious side effects on the nation, and that it will not even
achieve the FBI's desired goals.  There are too many ways to avoid key
recovery in the commission of a crime, or in civil disobedience by totally
honest people.  This approach simply will not work as hoped unless it is
made mandatory -- which I strongly oppose, for many reasons.  (However, the
Director of the FBI has said on various occasions that he would attempt to
make it mandatory if that is what it takes to fulfill his mission, and the
Administration and McCain-Kerrey both seem to want to jawbone the country in
that direction.)

5. "Deputy Director Crowell states in his testimony that ``the Administration
   has engaged various industry and international groups to further define
   the infrastructure concept.  All agree that the emergence of KMIs [Key-
   Management Infrastructures] is necessary.''  This implies that industry
   groups support the Administration's vision of a linked certificate
   authority and key-recovery infrastructure.  Is that correct?"

You must note the distinction between (i) a key-management infrastructure,
which is realistically necessary for sound electronic commerce,
authentication, and any sensible use of crypto, and (ii) key recovery or key
escrow, which requires some sort of exceptional key-access facility.  A
sensible KMI does *not* require any exceptional key access, and in fact
would be potentially undermined by such a mechanism.  You should also note a
distinction between NSA/DoD-style key management (with absolutely no key
escrow or key recovery) and a KMI that is likely to be used in electronic

It is certainly true that industry groups and foreign governments all want a
sensible KMI.  (For example, the Organization for Economic Cooperation and
Development Cryptography Guidelines define a key management system as ``a
system for generation, storage, distribution, revocation, deletion,
archiving, certification or application of cryptographic keys.'')
Encryption systems rely on reliable ways to generate keys, to publish the
``public'' keys so they can be used to communicate with the owner, and to
store the ``private'' keys securely.  But ordinary KMIs never require users
to disclose their private keys; whenever this ``feature'' is mentioned, it
is because of law-enforcement demands.

Ordinary KMIs would easily out-compete escrowed KMIs that provide less
security, and promise to act against the interests of their clients.  Only a
government-enforced requirement that users *must not* use an ordinary KMI
would make these escrowed KMIs viable.  Some draft British legislation on
key recovery, which was widely seen as a ``feeler'' preceding a similar
attempt in America, was one such attempt (but was opposed by the citizenry,
and repudiated by the Labour party, which won the election by a considerable
margin).  In the United States, if the government attempts to restrict the
publication of unescrowed public keys, it will likely run afoul of the First
Amendment.  Public keys should be published; private keys should remain
private, under the full control of their owner.

However, returning directly to your question, it is *not* true that such
agreement exists relating to key recovery or to any form of key management
that facilitates law-enforcement access to private keys.  In particular,
many foreign governments (see below) have expressed strong opposition to the
Administration policy for key recovery, and in particular to the requirement
for linking certificate authorities and key-recovery infrastructures.  This
is another example of an intentionally oversimplified lumping together of
concepts that are in fact quite distinct -- a tendency that also occurs in
the Government claim that there is a business need for key recovery
(ignoring the reality that there is no real need in communications, even if
there is one for storage).

As I noted in my oral testimony on 9 July 1997, the European Union released
a statement on 7 July 1997 in which it disagreed strongly with the U.S.
policy relating to key recovery.  The EU statement followed earlier
recommendations of the OECD in Paris, which earlier this year issued its own
guidelines on cryptography policy.  The OECD rejected endorsement of the
key-escrow proposal even after extensive lobbying by Administration
officials and recommended instead a policy based on voluntary, market-driven
development of crypto products.

Indeed, several nations that appeared to be supportive earlier have backed
off.  This is the case, for example, in the U.K. -- where in addition to the
new government having taken an explicit anti-escrow stand in its election
platform, strong opposition was more recently expressed in a Department of
Trade and Industry consultation exercise; the new government has put the
issue on hold.  Denmark is about to announce that it will not tolerate key
escrow whatever.  Belgium passed an escrow law apparently to mollify the
U.S., but has explicitly failed to issue the regulations necessary to put it
into effect.  Switzerland, Singapore, and Japan appear to be moving in a
direction counter to key recovery.  I suggest that your staff double-check
on the truth of such statements by Deputy Director Crowell, who has said
that key recovery is being received warmly abroad.

Incidentally, the systems that are favored by those supporting escrow
facilities worldwide are assuming the use of identity certificates (that is,
electronic identity cards) rather than the authorization certificates that
electronic commerce really needs.  This links in another issue that is
usually considered to be very unwise, namely imposing identity cards on the
citizenry -- which in turn could create a massive new underground industry
for forged cards and identity theft.  Much greater care is necessary in
understanding the deeper issues before any legislation is enacted, whether
it is to support law enforcement or to protect lawful citizens.

Irrespective of who might currently support it (and I believe the U.S.
Government may be fighting a losing battle on that one), the vision of
linking key recovery with certificate authorities could be a true disaster
for electronic commerce and more generally the integrity of everything done
electronically, whether on the Internet or not.

6. "S.909 would permit law enforcement to use a subpoena to obtain
   key-recovery information.  Issuing a subpoena is a fairly simple process:
   no appearance before a judge is required and only a low standard of
   ``mere relevance'' need be shown to sustain the subpoena."

   (a) "When law-enforcement agencies obtain a decryption key, are they
   potentially gaining access to far more than the plain text of the
   targeted item?  Could the key provide access to a large portion of a
   company's or individual's files, and the ability to decrypt past and
   future information?"

It is very important to realize that key-recovery mechanisms imply a
dramatic centralization of trust, even if the key-recovery facilities are
distributed among different entities, and even if the keys are fragmented as
is the case in Clipper.  Compromise of one key-recovery authority could have
enormous consequences.  Compromise of a single decryption key in a single
key-recovery authority might have less serious consequences -- unless that
key were used to unlock other systems, as is the case with worldwide master
keys that are used in certain systems for electronic commerce -- in which
case such compromises could have truly devastating consequences worldwide.

In the context of wiretaps, something on the order of half of the taps are
done at state and local levels.  The signoff authority can be as low as a
local prosecuting attorney or the state Attorney General's office.  If this
were the case in key recovery or key escrow, the requirement of merely a
subpoena would further weaken the accountability of the process.  There is
also the pocket subpoena that has been so much trouble in the past.  The
subpoena process is clearly not stringent enough for key recovery and key

   (b) "Do you have privacy concerns about authorizing law-enforcement
   access to keys on a mere subpoena?"

Absolutely.  The idea that information that, under the Fifth Amendment,
could not even be compelled from a defendant on the witness stand but can be
easily obtained by law enforcement without even seeing a judge, is anathema
to our system of civil rights.  The subpoena process is so much weaker that
there could be fewer qualms about key-recovery agents ignoring the
authorization process altogether.  But the subpoena process is vastly too
weak in any event.

One of many civil-rights objections to key recovery is that it attempts to
subvert the Fifth Amendment by forcing users to create second- or
third-party records of their keys.  The defendant (or the suspect, in a
wiretapping case) would have the right under current Constitutional law to
keep his or her private key private -- but only if it is kept in their heads
instead of on paper or in another party's control, such as a safe-deposit
box.  Copies on papers or computers can be obtained under a search warrant
issued by a judge.  Because second and third parties have no Fifth Amendment
right to keep these keys private, these parties can easily be coerced into
handing them over.  For example, copies of your telephone bills are
available to any policeman upon request, without a judge's approval.
Hundreds of thousands of phone bills are obtained every year in police
``fishing expeditions''.  Only about a thousand wiretap orders are legally
conducted each year, because this requires probable cause and a judge's
approval.  If private keys were as easily available as phone bills, hundreds
of thousands of people would have their privacy violated annually.

7. "Do you know whether all Department of Justice information and 
   communication systems that use encryption meet the key-recovery
   requirements currently spelled out in the Commerce Department regulations
   for export of 56-bit DES?"

I believe that very few if any of those systems meet those requirements.
The exceptions are likely to be restricted to those developed in recent
months.  However, in many of the less secure systems, keys or unencrypted
content can often be obtained because of software flaws in the operating
systems and networking.

   (a) "If so, do you know how the government is protecting the keys to the
   Department's encrypted communications and files?"

The Fortezza approach keeps keys on a separate chip, so that they never
appear in the operating systems.  Unfortunately, even in that expensive
design, the PINs go into the chip in the clear, which represents a security
vulnerability.  Furthermore, the keys were to be escrowed in order to enable
authorized law-enforcement access.  Apparently the entire Fortezza program
with escrowed keys has been decommissioned.

   (b) "Can you ... estimate the cost of bringing the Justice 
   Department alone into compliance with these regulations?"

No, I could not begin to do that.  But because of what I believe are
inherent potential vulnerabilities in the key-recovery process, I also
believe that it would be an enormous mistake for the Justice Department to
rush into key-recovery schemes prematurely.  On the other hand, the Justice
Department is certainly a natural guinea pig for experimental use.
8. "About 24 states have already passed legislation on digital signatures,
   including the pioneering legislation reflected in Utah's Digital 
   Signature Act.  Vermont has similar digital signature legislation 
   pending.  Would passage of S.909, or similar legislation establishing 
   Federal certificate authorities preempt much of this work done on the
   state level, where we have traditionally left matters of commercial
   and contract law?"

Yes.  Even among supporters of digital signatures, there are differing
opinions on how the laws should be changed to reflect this technology and
supporting administrative procedures.  Some people believe that legally
limiting or eliminating the liability for compromised signatures will also
limit or eliminate the market for such signatures.  Others feel that the
potential liability for compromises is so great that nobody would enter the
business; consider the signature on a ten-million-dollar check, purchase
order, or contract.  If such a signature could be forged by subverting a
low-paid employee in a certificate authority, who should bear the cost?
Federalizing the response to issues such as this will prevent the natural
experimentation that would occur in the fifty states, showing us the best
answer as opposed to the first one to come to mind.

9. "The encryption bill voted on by the Commerce Committee, S.909, creates
   a number of new crimes.  Some of the new crimes go to the heart of the
   controversial linkage between the use of certificate authorities and 
   key-recovery agents.  For example, a user who gets a public-key
   certificate from a licensed certificate authority may use that key only
   as a digital signature to verify his identity even though the same key
   might be used to protect the privacy of encrypted personal messages.  If
   the user uses this public-private key pair to protect privacy -- for
   example, to encrypt his e-mail messages -- under this bill, the user
   would be committing a crime and subject to 5 years in jail, or subject to
   a civil penalty of $100,000."

   (a) "Do you find these penalties excessive, particularly since for users
   the simplest way to encrypt their electronic communications is using the
   same encryption key they use for their digital signatures?"

These proposed penalties are absurd, for several reasons.

First of all, and perhaps most important, any linkage between certificate
infrastructures and key-recovery infrastructures is itself most unwise.  See
my response to your Question 4.

It is also unwise for anyone to use the same key for authentication and for
encryption.  In recommended usage, a private-public key pair (e.g., RSA) is
used for authentication of identity, whereas different keys should be used
for encrypting communications.  Ideally, a different private-public key pair
should be used to reach key agreement on a one-time conventional key (e.g.,
a symmetric encryption system such as DES) or keys (e.g., triple-DES).  For
example, the Diffie-Hellman algorithm can be used for the establishment of a
one-time key for end-to-end conventional encryption without the actual
session key ever being transmitted.

Because there are already significant risks of using the same keys for
multiple purposes, stupidity and ignorance should not be punished with long
jail terms and civil penalties.

   (b) "What, in your view, is the purpose of stopping users -- with the
   threat of a jail term -- from using the same public-private key for which
   they have a public key certificate for both digital signatures and for

Given my response to (a), there is no purpose whatsoever in stopping the
rather unwise practice of multiple (``polymorphic'') use of keys.  It would
provide law enforcement with further cryptographic attacks!  However, if the
intent of the would-be legislation is to stop the use of all cryptographic
algorithms that do not use key recovery, then Diffie-Hellman, PGP, and many
other algorithms would have to be outlawed worldwide, which is in itself

10. "Sections 405 and 702 of S.909 would punish with 5 years in jail, and
    civil penalties of up to $100,000, violations of regulations to be
    issued some time in the future by the Secretary of Commerce.  That is an
    enormous grant of power to give an appointed Executive Branch official
    to define what is illegal conduct in this country."

    (a) "Do you agree?"


    (b) "Is there any provision in S.909 that would bar the Secretary of
    Commerce from issuing regulations requiring all licensed certificate
    authorities to employ NSA's Digital Signature Standard (DSS) or all
    licensed key-recovery agents to employ the Clipper chip?"

I know of no such provision in S.909.  Generally, S.909 is in need of
considerable modifications in this and other respects noted here.

    (c) "Is there any provision in S.909 that would bar the Secretary of
    Commerce from requiring certificate authorities or key-recovery agents
    from using only those encryption algorithms or systems that have been
    adopted as ``Federal Information Processing Standards'' (FIPS)?"

I know of no such provision in S.909.  My response to 10(b) applies here as

11. "The Administration contemplates negotiating multilateral agreements
    to provide foreign governments with keys to the encrypted files and 
    communications of Americans."

    (a) "Do you think there should be clearly defined legal standards 
    governing the terms of these multilateral agreements so that buyers
    and users of key-recovery products are confident their rights will be

This is equivalent to the classic question, ``Am I still beating my wife?''
First, I do not believe that such multilateral agreements can meaningfully
be agreed upon worldwide that will prohibit the use of products that do not
support key recovery.  To do that worldwide would require enforced
*mandatory* worldwide key recovery and total outlawing of all other
products.  Even if such agreements were reached among the democratic
countries of the world, massive off-shore cryptographic centers would
appear.  In addition, software and hardware development might tend to
migrate to other countries.

   (b) "What protections, in terms of procedures and release of keys to
   foreign governments, should be in place in these multilateral agreements
   so that U.S. buyers and users of key-recovery products are [could be]
   confident their rights will be protected?"

There are in all likelihood *no* such protections that could ensure that the
rights of U.S. citizens could be protected.  There can be no such
protections even within the United States, even without any involvement of
foreign governments.  However, the intrinsic corruption commonplace in many
foreign governments would greatly exacerbate the problem.  I will not even
begin to suggest that I can come up with an adequate set of protections,
because I believe that task is essentially impossible in the presence of
untrustworthy individuals and untrustable governments.

It is senseless for rapists and burglars to be put in jail for short terms,
while innocent citizens, who harm no-one and who are merely protecting their
own privacy, would for political reasons spend five years behind bars, or
lose their life's savings.  In no sense does the punishment fit the crime.

However, in addition to the philosophical objections to this provision,
there is a practical objection.  Modern key-agreement protocols never use
the citizen's long-term keys for encryption, only for signature.  Yet these
protocols still produce an encrypted connection that cannot be compromised.
The user would be using signature keys for their intended purpose -- to
verify his or her identity, but the result would be the full protection of
privacy.  An example of such a key-agreement protocol is the
Station-to-Station protocol invented at Northern Telecom by Whitfield Diffie
and others.

In order to prevent such uses of signature keys, the Government would have
to outlaw the use of entire branches of cryptography.  This would have a
serious impact on First Amendment protected cryptographic research, as well
as being realistically unenforceable.  I believe that the worldwide research
and civil-rights communities would furthermore work hard to undermine such a
ban -- for example, by writing and releasing free software that gets around
it, and by researching alternative ways to provide privacy even under the
imposed restrictions.  PGP itself was written and given away free for
exactly this purpose, while the Senate was considering a bill that would
have required that the plaintext of encrypted communications be made
available to law enforcement.  Several papers at the Crypto '97 conference
in August 1997 were presented by researchers inspired by Government attempts
to subvert the cryptographic infrastructure, such as the Clipper and
Fortezza initiatives.  A Congress alarmed by the decline in respect for law
would do well to avoid passing laws that would get no respect.

12. "Do you believe that certificate authorities, merely because they are
    registered with the [U.S.] government, should receive total immunity
    from all non-contractual liability, as provided in S.909?"

The immunity clause is presumably included in S.909 primarily as a jawboning
mechanism in an attempt to coerce all would-be certificate authorities to go
along with key recovery.  I think the granting of total immunity would lead
to enormous opportunities for fraud and misuse on the part of people
associated with the certificate authorities, which must be even further
beyond reproach than most existing financial institutions.  

Granting any party immunity from liability is an immense gift.  Would
Congress grant me immunity from all noncontractual civil suits?  Could I
violate patents and copyrights with impunity?  Could I slander and libel at
will?  Do I just have to give the Government copies of all my customers'
private keys in order to get these privileges?  In many ways it sounds like
commissioning a privateer, a Government-sanctioned pirate on the high seas.

Although not directly relevant to the question of immunity, the mere
creation of domestic certificate authorities whose key holding may not be
completely trustworthy could encourage the existence of untrustworthy
off-shore certificate services, whose identities might appear to be totally
equivalent to any approved authority, because of the inherent flakiness of
the existing computer-communication infrastructure and its likely successors
-- even in the presence of apparently legitimate certificate authorities.

13. "Should certificate authorities [that] are not registered with the
    government, and their customers, be denied the same protections from
    federal law-enforcement abuse offered in S.909 only to those who use
    registered certificate authorities?" 

This is another ``Are you still beating your wife?'' question.  I believe
that S.909 is totally misconceived in trying to jawbone certificate
authorities into enabling key recovery.  I have already stated that the
linkage is in and of itself enormously risky; see my response to your
Question 4.  Therefore, I do not believe that anyone should be granted
blanket immunity.

14. "Is the STU-III classified telephone system based on a key-recovery
    system?  If S.909 becomes law, and all government communication systems,
    and equipment purchased with government funds, are required to use 
    key-recovery systems, will the STU-III classified telephone system have
    to be replaced?  Could you explain?"

It is my understanding that the STU-III and other NSA-developed
high-security encryption devices intentionally do *not* use any key-recovery
schemes, precisely because the risks of compromise by untrustworthy persons
and untrustworthy computer systems would be vastly increased.  Indeed,
technical measures are taken to ensure that no copy of any key is *ever*
accessible outside of the phones, precisely to avoid the danger of
compromise by such persons.  The risks of key compromise are already great
enough -- as seen by various past breaches of classified security -- without
introducing the enormously greater potential risks of key recovery.

The Department of Defense already uses a variety of highly classified
encryption devices (e.g., KG boxes) whose key-generation algorithms are
vastly more secure than anything that is possible in the presence of
key-recovery mechanisms.  If the key is lost, the systems are rekeyed.  The
presence of a key-recovery facility in those systems that are intended to be
as secure as possible would totally undermine their security.  Thus, NSA and
the Department of Defense must laugh in the face of S.909 and ignore
key-recovery mechanisms altogether for such devices.  Key access to KG boxes
and STU-III systems could totally undermine their intended security.
However, note that new-key generation (rekeying) is always possible.  Please
realize that the mere existence of a trapdoor necessary for key recovery
suggests that such a trapdoor may be exploitable by people other than those
who are supposedly authorized to use it.

This suggests how absurd things are becoming.  The U.S. Government can
certainly use any key-recovery, key-escrow, or key-management scheme it
wants, for its own purposes.  However, in my opinion it would be very
foolish to do have a trapdoored key-recovery system whenever secrecy is
really critical.


Question from Senator Feinstein to Peter Neumann: "There have been some very
  legitimate privacy concerns expressed by speakers today.  What additional
  privacy could be lost by providing law-enforcement access to encrypted
  phone calls and electronic mail?"

Peter Neumann's Response to Senator Feinstein's Question to him:

Senator Feinstein,

Thank you for your recognition of the privacy concerns expressed by the
second panel.  They are indeed very profound and quite insidious.  It was
unfortunate that you were not able to attend the second panel in person, but
from the nature of your question, I trust that your staffers did an
excellent job of briefing you afterwards.

One of the most serious potential risks with covert and surreptitious
law-enforcement access to arbitrary communications and stored information
involves the risks of misuse of that access.  The existing process of
judicial warrants does impose some restraints, but the relatively
unencumbered use of subpoenas as proposed by McCain-Kerrey is an open
invitation to misuse.  However, even if legal law-enforcement access could
be rigidly controlled (for example, with warrants equivalent to those
required in wiretaps), essentially all computer-communication systems can be
subverted by means that lie outside of normally expected access -- for
example, exploiting trapdoors and planting Trojan horses that guarantee
unmonitored access, or simply misuse by authorized insiders.  In all my
years of analyzing system security, I have never found a system whose
security could not be broken -- and often broken in ways that would not be
detected or traced to the culprit.  Key recovery is in essence a monster
potential trapdoor.  Passing laws that make misuse illegal do not stop the
exploitation of fundamentally weak systems, especially across foreign

The notion of privacy in the context of your question is usually considered
in a way that is significantly too narrow.  We must also consider the very
serious implications of the consequences of (i) reuse of information beyond
its intended use, (ii) the propagating effects of incorrect or intentionally
false information, and (iii) the risks of identity theft.  My book,
Computer-Related Risks (Senators Hatch and Leahy both have copies), is full
of examples of these serious threats to human well-being.  For example, (i)
a master key might be used far beyond the intended purpose of one-time
surveillance; (ii) there are numerous cases of false arrest resulting from
incorrect data or misidentifications; (iii) in quite a few cases, actions of
masqueraders have actually caused their victims to be arrested, in some
cases after their life savings and pensions had been stolen.

To illustrate the point that government databases have been abused and
government employees have been guilty of serious misuses of computer
systems, here are just a few examples involving motor vehicle bureaus, the
IRS, and the Social Security Administration.  Employees of the Virginia DMV
created and sold thousands of fraudulent drivers' licenses.  Actress Rebecca
Schaeffer was murdered by someone who had acquired her address from DMV
records.  A former Arizona law-enforcement officer tracked down and killed
his ex-girlfriend based on information friends that some of his friends
extracted from government databases.  Employees of the Social Security
Administration sold internal database information (including Social Security
Numbers and mothers' maiden names) of more than 11,000 people to a
credit-card fraud ring, which then used the information to activate newly
issued Citibank credit cards that had been stolen.  An IRS employee was
accused of giving tax data on judges and jurors to a defendant.  Various IRS
employees have been indicted for fraud.  These are just a few of the cases
documented in the archives of the Risks Forum and in my RISKS book.

Perhaps most threatening of all is that the FBI's demand for easily misused
surreptitious key access implies that perfectly innocent users might never
know that their keys had been compromised, with many possible adverse

One other issue deserves your consideration.  Privacy is an international
problem; each nation has its own notions of what must be protected and what
penalties might be incurred for violators.  Similarly,
computer-communication security is an international problem, and cannot be
solved nationally.  Significant international cooperation must be involved.
Creating a national key-recovery infrastructure in the absence of
consideration of the international issues is itself a risky business -- for
a wide variety of reasons.  Attempting to create an international
key-recovery infrastructure is a truly imposing task, and raises the issue
of having to trust potentially untrustworthy agents and governments with

The following two paragraphs are taken directly from my prepared testimony
(with the inclusion of the reference to the GAO report).

``Key-recovery infrastructures could greatly increase the opportunities for
insider fraud, malice, and other misuse within governmental organizations.
There are various reports of insider misuse of FBI and other law-enforcement
databases.  For example, House testimony from Laurie E. Ekstrand of the GAO
documents 62 cases of misuses of law-enforcement computer data.  Similar
misuse has been discovered in other Government offices, such as Social
Security Administration employees selling information to enable the
activation of 11,000 credit cards stolen from the mail, and IRS employees
leaking tax information and altering records.  It is clearly unwise to
assume that our Government is totally benevolent and incapable of illegal
actions.''  [The cited GAO report is: National Crime Information Center --
Legislation Needed to Deter Misuse of Criminal Justice Information,
U.S. General Accounting Office testimony before the U.S. House of
Representatives Subcommittee on Information, Justice, Agriculture, and
Transportation, of the Committee on Government Operations, and the
Subcommittee on Civil and Constitutional Rights, of the Committee on the
Judiciary, 28 July 1993.]

``The potential risks of misuse of key-recovery infrastructures extend far
into our social structure.  Loss of privacy can often result in serious
consequences to individuals.  (In addition, retrieval of incorrect data can
have damaging results on the individuals involved, although that is true
whether or not the information is encrypted.)  Constitutional issues are
also at risk, such as protection against unreasonable search and seizure.
If on-line infrastructures for key recovery are to use existing commercial
systems, they may be seriously lacking in confidentiality, integrity,
accountability, and assurance.''

It is very important to realize that key-recovery mechanisms imply a
dramatic centralization of trust, even if the key-recovery facilities are
distributed among different entities, and even if the keys are fragmented as
is the case in Clipper.  Compromise of one key-recovery authority could have
enormous consequences.  Compromise of a single decryption key in a single
key-recovery authority might have less serious consequences -- unless that
key were used to unlock other systems, as is the case with worldwide master
keys that are used in certain systems for electronic commerce -- in which
case such compromises could have truly devastating consequences worldwide.

By the way, you must be aware of the importance of electronic commerce to
the computer industry.  The bottom-line reason for good security and
nonsubvertible crypto is economics.  The vast sums of money that will be
protected by such systems are sufficient to entice and induce corruption.  A
key purchased illegally from a recovery site could be very inexpensive
relative to the profits that could be gained.

Forged warrants, bogus subpoenas, dishonest insiders, criminals
impersonating law-enforcement officials, and many other modes of misuse have
occurred and will continue to occur.  However, the existence of single
points of vulnerability greatly compounds the problems -- and greatly
increases the likelihood of misuse.  A German lawyer involved in the
opposition to key recovery in Germany has stated that ``trust structures in
the electronic world should as far as possible mirror relationships in
existing practice.''  The opportunity to gain electronic access to massive
numbers of keys and massive amounts of sensitive information without proper
authorization is truly a disaster waiting to happen.

The existence of a trapdoor that can be used surreptitiously in widespread
computer-communication systems is an open invitation to an enormous range of
potential misuses.  Hopes of avoiding those misuses would have to rely in
part on the security of the key-recovery infrastructure, which is very
likely to be flawed -- despite anything you may hear to the contrary.
(Surprising attacks have been discovered in many security schemes thought to
be virtually impenetrable.  Indeed, serious system security flaws are common
in all computer systems, and have plagued essentially every computer system
I have ever had the pleasure to analyze.)  But more importantly, those hopes
of avoiding misuses would have to rely on the impeccable trustworthiness of
an unfortunately large number of people who might either misuse their
legitimate access or find a way to acquire clandestine unauthorized access
to the keys (for example, because of inherent flaws in the system security).
In essence, what is advertised as law-enforcement access could easily become
subject to extensive misuse, even in the presence of supposedly restrictive
administrative procedures.