This is my response to the questions from Senator Hatch, as a followup to my 9 July 1997 testimony and its attached report (ftp://research.att.com/dist/mab/key_study.txt or .ps, or http://www.crypto.com/key_study, respectively).
2 September 1997

Senator Orrin G. Hatch
United States Senate
Committee on the Judiciary
Washington DC 20510-6275

Dear Senator Hatch,

Thank you for your request for follow-up discussion relating to your Senate Judiciary Committee hearing on cryptography on 9 July 1997. On 15 August, I received the set of questions contained in your letter dated 29 July 1997, and am happy to respond accordingly to amplify what I have already stated in my prepared testimony and what was submitted in its attached report (Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, ``The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption,'' 27 May 1997) -- which I understand will be included in the permanent record of the hearing. I hope that my responses adequately address the specific questions. Comments from several of the coauthors of the May report are incorporated into my responses.

Let me reiterate my appreciation to you, Senator Leahy, and the rest of the Committee for sponsoring the hearing and for giving me the opportunity to respond to your subsequent questions. I am truly grateful for having been invited to participate.

Peter G. Neumann
Computer Science Laboratory
SRI International EL-243
333 Ravenswood Ave
Menlo Park CA 94025-3493
Tel 650/859-2375 [or 415-859-2375, until 1 Feb 1998]
Fax 650/859-2844 [or 415-859-2844, until 1 Feb 1998]
Neumann@CSL.sri.com

Note 1: As of 2 August 1997, the San Francisco south Bay Area area code 415 was supposed to become 650, although 415 will remain valid until the end of January 1998. However, there are widespread reports of 650 not being accepted by various telephone company systems, which apparently are not yet programmed to accept the middle digit 5.

Note 2: My identification was incorrectly listed at the time of the hearing. I presume that has been corrected in your records.
Incidentally, SRI International is a not-for-profit research institute.

============================= % CUT HERE % =============================

Question 4 from Senator Thurmond to Peter Neumann:

"Mr. Neumann, you state in your prepared testimony that there is little evidence that encryption is becoming a significant problem for law enforcement. Is it your view that the concerns of the Director of the FBI are misplaced, and that encryption should not be a priority for him?"

Peter Neumann's Response to Senator Thurmond's Question 4:

Senator Thurmond, your question cannot be answered with a single yes or no. In the following response, my answer to the first part -- are his concerns misplaced? -- indicates that his concerns need rebalancing. My answer to the second part -- should encryption not be a priority for him? -- is that encryption should not be his top priority; I think that putting all of his eggs in the key-recovery basket could prove to be self-defeating for the FBI. But this greatly simplified summary requires some careful explanation.

I believe that the expressed concerns of the Director of the FBI relating to cryptography are indeed seriously misplaced -- they overemphasize one element of the big picture (key recovery as a would-be magic bullet), and essentially ignore everything else. If the security of our computer-communication infrastructure is not radically improved in the very near future, through the use of vastly improved system security and cryptography that is much more impervious to misuse than the proposed key-recovery schemes are likely to be, then our entire nation will be seriously at risk regarding computer-related crimes. The FBI Director apparently has little interest in improving the infrastructure, only in achieving the establishment of an unproven key-recovery infrastructure that could be very badly misused.
In the absence of a dramatically improved general security infrastructure, the desired key-recovery infrastructure is likely to be riddled with security vulnerabilities and subject to undetected compromises. Yes, I believe his emphasis is badly misplaced, and that he is almost completely ignoring some very important issues -- and their potential consequences.

First of all, a recent report by Professor Dorothy E. Denning of the Computer Science Department at Georgetown University and William E. Baugh Jr., vice president of Science Applications International Corporation suggests that the concerns of Judge Freeh may be overstated at this time. Their report says, ``Most of the investigators we talked to did not find that encryption was obstructing a large number of investigations. When encryption has been encountered, investigators have usually been able to get the keys from the subject, crack the codes or use other evidence.'' Professor Denning for many years has been an outspoken supporter of the FBI's needs, and William Baugh is a recently retired FBI employee.

Second, the following direct quote from my written testimony is relevant:

``It must be recognized that the common goal is to reduce total crime, for which multiple approaches are undoubtedly necessary. However, whereas key-recovery schemes do not help the intelligence community (and probably hinder it), they might also backfire badly on the law-enforcement community -- because of the risks outlined here. Law enforcement desperately needs to pursue other avenues. Among many other alternatives, database tracking facilities are already widespread, through telephone records, credit-card billing, airline reservations, etc. Intelligent programs for data fusion could be very effective -- although perhaps risky from a privacy point of view.
Additionally, use of biometric and other forms of less spoofable identification and authentication would add significantly to determining who is doing what to whom.''

I reiterated that point in my oral testimony on 9 July 1997, and added that the National Security Agency has already realized that it can no longer succeed in attempting to stop the worldwide spread of good unrestricted cryptography (that is, without key recovery), let alone the use of such cryptography within the United States. I also mentioned that NSA is already actively pursuing most of these alternatives, and that the FBI would be wise to follow NSA's lead.

I might add here that DARPA has an extensive ongoing program in anomaly and misuse detection that can be used to detect unusual potential misuse of computer-communication facilities and penetrations, and that this technology could also be used to identify situations suggestive of criminal activities. Also, as a further example, police in various countries have had considerable success in extracting history logs from confiscated smart cards and cellular telephones, even when those logs are encrypted -- although such access may not always need to be surreptitious.

Furthermore, our National Research Council study recognizes that the FBI is seriously lagging behind NSA in expertise related to computer security, and recommends that the FBI undertake a major effort to improve its technical expertise relating to computer and communication technologies. Please read that report for background if you have not already done so (Kenneth W. Dam, W.Y. Smith, Lee Bollinger, Ann Caracristi, Benjamin R. Civiletti, Colin Crook, Samuel H. Fuller, Leslie H. Gelb, Ronald Graham, Martin Hellman, Julius L. Katz, Peter G. Neumann, Raymond Ozzie, Edward C. Schmults, Elliot M. Stone, and Willis H. Ware, Cryptography's Role In Securing the Information Society, a.k.a.
the CRISIS report, Final Report of the National Research Council Cryptographic Policy Study Committee, National Academy Press, 2101 Constitution Ave., Washington, D.C. 20418, 1996).

I have absolutely no doubt that the presence of cryptography will in the future make the FBI's task more difficult. This is inevitable, because excellent cryptography without key recovery will be available throughout the world irrespective of U.S. actions; criminals can always use nonrecoverable keys even in the presence of key-recovery systems (for example, by superencrypting, or by disabling the key recovery, or by using a system without key recovery), and because security has become an international problem, not just a national one. Consequently, it is clear that the FBI should be pursuing alternatives.

Incidentally, I have worked directly with various U.S. Government (including NSA and FBI) people over the past 24 years, and have a considerable appreciation of their needs and their technological strengths and weaknesses. I believe that the FBI will have difficulties with increased uses of cryptography, but I also believe that the nation is not ready for any key-recovery scheme that can be foreseen today. Too many unidentified risks have yet to be evaluated, only a few of which are outlined in my prepared testimony and in its attached jointly authored report (Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, ``The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption,'' 27 May 1997).

============================================================================

Question from Senator Grassley to both panels:

[Let us assume that the Grassley Amendment is adopted, relating to reporting whether wiretaps were impeded by encryption.]
"If the results of these information-gathering procedures show that criminals are using encryption to commit crimes and frustrate legitimate law-enforcement investigations, how would you suggest Congress address the problem of criminals misusing encryption?"

Peter Neumann's Response to Senator Grassley's question to both panels:

Senator Grassley, efforts to increase the amount and quality of information available regarding the use of encryption by criminals are very worthy of Senate action. Congress urgently needs accurate information. Unfortunately, the case made by the FBI thus far has been largely based on very emotional arguments rather than on factual analyses.

The U.S. Government has been running escrow centers at Treasury and NIST for some time. Congress would do well to have the relevant Government escrow agents testify on how frequently their services have been used, by whom, and in what connection. Also, Congress would do well to request similar information from the FBI.

Cryptographic hardware and software without key recovery are already becoming widely available worldwide, and are going to be increasingly available in the future. Congress cannot stop that. Nor should it. High-quality cryptography has many beneficial effects on society, including increased privacy, freedom of association, and integrity of the physical infrastructure. Cryptography researchers have First Amendment rights to pursue and spread knowledge of cryptography, and it is not a long stretch to say that the right of an individual citizen to protect his or her own privacy with cryptography may be protected by the freedom of expression and the ``right to be let alone'' inherent in our Constitution. Congress must recognize these realities, rather than assuming that key recovery will solve the problem. Criminals will soon have at their disposal cryptographic techniques from numerous countries throughout the world.
Consequently, crime should be treated as crime, whether or not the use of cryptography is involved. The use of cryptography, in the absence of crime, should not be made into a crime; and the use of cryptography in furthering a criminal scheme should not be any more illegal than the use of a pen or a computer in furthering an illegal scheme. The evil is in the crime itself, not in the tools used to pursue it.

Whether or not there is a dramatic increase in the use of encryption in the process of committing crimes, Congress should encourage the FBI to urgently explore other avenues that could facilitate its efforts to detect and prosecute crimes.

In addition, Congress should urgently act to encourage much greater security in the entire computer-communication infrastructure. Today's systems and networks are simply riddled with security vulnerabilities, and apparently the FBI has very little interest in seeing that situation improved. However, a greatly improved computer-communication infrastructure is absolutely essential for the well-being of our nation, the soundness of our commerce, and the international competitiveness of our computer industry. A sound infrastructure with adequate attention to authentication and accountability would also greatly help to reduce computer-related crime and would at the same time facilitate the FBI's role in preventing, detecting, and prosecuting crime.

My response to the [preceding] direct question from Senator Thurmond notes that law enforcement urgently needs to pursue other avenues besides key recovery. My prepared testimony outlines a few such alternatives, and is reinforced by my oral testimony on 9 July 1997 -- where I noted that the National Security Agency is already actively pursuing many of these alternatives.
============================================================================

Question from Senator Grassley to Panel Two:

"Many of your written statements assert that key-escrow systems should not be pursued because such systems have too many technical flaws or weaknesses. Assuming that these flaws or weaknesses could be resolved, would you still oppose key escrow? In other words, if we could get a technologically acceptable key-escrow system, would you support an escrow system?"

Peter Neumann's Response to Senator Grassley's Question to Panel Two:

Senator Grassley, your question implies a possible misperception of what my prepared testimony says, and of what our National Research Council report says. Therefore, I have taken the liberty of modifying your first sentence slightly to represent properly what I do believe I can address more reasonably: "Many of your written statements assert that key-escrow systems should not be pursued because such systems *would very likely* have too many technical flaws or weaknesses."

First of all, no such systems exist in the full measure of technological implementation and administrative procedures necessary to evaluate whether there is any hope that the potential risks of misuse can be controlled. Thus, it is impossible to assess the technical flaws and weaknesses based on what is known today. But I do believe there is a strong likelihood that serious vulnerabilities will exist in every key-recovery system. Essentially every system I have ever studied has been compromisable, and years of experience in the field suggest that will remain true in the future.

However, I do not agree that key-recovery systems should not be pursued.
In particular, our National Research Council report explicitly recommends that, in the absence of detailed understanding of the risks that might result, the Government should actively pursue such techniques for its own internal use and should seriously evaluate the efficacies and risks of key-recovery systems. The problems experienced with the Clipper effort to establish a key-escrow infrastructure for telecommunications suggest that key recovery may be even more difficult, because NSA had complete control over Clipper, which would certainly not be the case in the anticipated distributed collection of key-recovery infrastructures. This suggests that Congress should ask the Government to elaborate on its experiences to date with key escrow and key recovery, including an evaluation of the potential risks.

[The cited NRC report is: Kenneth W. Dam, W.Y. Smith, Lee Bollinger, Ann Caracristi, Benjamin R. Civiletti, Colin Crook, Samuel H. Fuller, Leslie H. Gelb, Ronald Graham, Martin Hellman, Julius L. Katz, Peter G. Neumann, Raymond Ozzie, Edward C. Schmults, Elliot M. Stone, and Willis H. Ware, Cryptography's Role In Securing the Information Society (a.k.a. the CRISIS report), Final Report of the National Research Council Cryptographic Policy Study Committee, National Academy Press, 2101 Constitution Ave., Washington, D.C. 20418, 1996.]

It is very important to realize that key-recovery mechanisms imply a dramatic centralization of trust and power, even if the key-recovery facilities are distributed among different entities, and even if the keys are fragmented as is the case in Clipper. Compromise of a single key-recovery authority could have enormous consequences. I wonder whether Senators and Representatives would be willing to trust every President, Attorney General, FBI Director, down to local law-enforcement officers who might easily gain access to their keys, with all the concomitant risks.
I strongly believe that as a nation we are not ready for key-recovery infrastructures with surreptitious access in the absence of detailed procedures for the administration of the process of controlled government access, together with detailed evaluations of the risks involved and the overall implications on our constitutional well-being.

It is intriguing to me that you have chosen to use the term "key escrow" -- a concept that has apparently been totally abandoned by NSA and the FBI as unworkable, and replaced by the alternative term "key recovery" that is claimed to be totally workable -- presumably because of the public trashing that key escrow underwent. The Government is attempting to make a distinction between the two concepts; however, they are both inherently surreptitious access in one form or another, irrespective of how the keys are handled, whether there are single individuals or groups that must be responsible, etc. There are no significant conceptual differences between key escrow and key recovery, despite what you may be told; there are of course operational differences. Key recovery has most of the same potential risks as key escrow, although no one in the Administration seems to be admitting that.

There are two ways for me to properly answer your question.

The first way is to say that all of my professional experience tells me that you are presupposing the impossible. It is highly likely that we will never be able to resolve some of the most serious flaws or weaknesses in a key-recovery system, because many of them are based on human nature and many others are based on the impossibility of guaranteed security. Your hypothesis is unrealizable to the satisfaction of people who truly understand the flaky nature of our existing computer-communication infrastructure and its necessary dependence on people who may not be sufficiently trustworthy.
Even with advanced algorithms for secret sharing, vulnerabilities are likely to exist in the underlying infrastructure. As I note in my written testimony, ``Surprising attacks have been discovered in many security schemes thought to be virtually impenetrable.'' Worse yet, it is truly impossible to create a system with no vulnerabilities, and also impossible to demonstrate the absence of security flaws and vulnerabilities -- even if there were none (which is itself impossible). Although some flaws can certainly be tolerated or controlled, or at least monitored for misuse, the robustness of proposed key-recovery infrastructures is unknown today, but historical evidence suggests that we approach this conservatively. The situation reminds me of the statement that ``if we had ham, we could have ham and eggs -- if we had eggs'' -- but in a world in which there are no hens.

In theory, truly secure systems are impossible. In practice, experience has shown that essentially every system has vulnerabilities that can be exploited. As a consequence, I am unable to give you the positive answer that you are seeking. Whereas the best minds in the country could design significantly better systems than we have today, those systems might very likely be implemented by developers whose bottom-line concerns would stumble on unsecure simplifications, those systems would be operated by people with inadequate awareness of the risks, the opportunities for internal fraud and abuse would exist where significant financial benefits might result, and there might even be opportunities for outsiders to penetrate the security. If you could demonstrate that all of those risks can be overcome, then you would have solved a problem that no one else has come close to solving in our entire history and that most sensible people believe cannot be solved without encountering serious risks.

Certainly, there is no perfect security and neither the Government nor the nation is expecting perfect security.
However, until the risks have been properly addressed -- objectively, openly, and honestly -- you are dealing with a powder keg. Risk-management professionals may claim that they can limit the risks to what is acceptable, but in an electronic era in which one discovered vulnerability can suddenly become amplified and massively misused, much of the would-be assurance provided by risk managers can become rapidly invalidated.

The second way to answer your question is for me to assume that my judgment is wrong, that brilliant people could succeed in designing and building a system that would provide keys only to authorized Government parties. Would I support or oppose such a system? Personally, I would still oppose it, because there is as much danger to society from the Government officially ``authorizing'' itself access to everyone's keys as there is from some teenager or private investigator stealing them. Attorney General John Mitchell regularly signed entire blank pads of wiretap-authorization forms, whose details were later filled in as desired by the FBI. I would not be surprised if some current Senators and Representatives have had personal experiences of being wiretapped, blackmailed, or otherwise harassed by J. Edgar Hoover. If such power is created and centralized, it will attract those who desire to abuse it. Just as Kim Philby, the Soviet spy, naturally steered his career toward high secret positions in the British government, someone who seeks to accumulate power in the U.S. would be drawn to a position where that power over others can be obtained, and where potential opponents (defenders of democratic rule) could be watched and neutralized.
============================================================================

Questions from Senator Leahy to Panel Two:

Peter Neumann's Responses to Senator Leahy's Questions to Panel Two:

Senator Leahy, your very perspicacious questions suggest that it would be helpful for me to preface my answers with a little background. It is very important to make a careful distinction between key recovery in data storage and key recovery in communications such as telephony. It is also necessary to make a careful distinction between key recovery for decrypted information and key recovery for authentication (identity verification, integrity, digital signatures, certificates, etc.) and other purposes. I believe your questions show that you clearly understand these distinctions, but I mention this for other readers of my responses to your questions.

1. "Are businesses now using key-recovery encryption and, if so, for what purposes?"

There are certainly applications in which a corporation wants to retain access to keys used by its employees for encrypting stored information -- for example, to protect against death, absence, or the disgruntled-employee syndrome. Some businesses do this at present, or are considering it.

(a) "Are you aware of any businesses using key-recovery encryption for communications, including e-mail?"

For pure communications, as in computer network transmissions, faxes, and telecommunications, there has been little or no reason to retain communications keys after transmitted information has been decrypted, and no reason to provide key recovery for the transmission itself because, if the transmission is botched, it can simply be sent again -- perhaps with a new set of keys. Whereas there are some businesses who have their own internal key-recovery procedures for stored data, there are few such reasons for key-recovery in communications -- apart from the needs of law enforcement.
The potential breaches of security resulting from having duplicate sets of one-time keys floating around create significant risks, and thus this practice entails some inherent risks.

It is important to note that, whereas some companies will wish to have access to their employees' communication content, if those companies use trusted network servers that provide the encryption automatically, then the unencrypted information would be available without the need for key recovery -- because that information would be available at the server in unencrypted form.

Incidentally, very few individuals and only some businesses record their own communications (phone calls, faxes, etc.). Those who do (e.g., to maintain a log of all customer transactions) would almost always be able to do so at an endpoint, where unencrypted text is available.

Encrypted e-mail blurs that distinction somewhat, in that encrypted e-mail in transit through the Internet acts as communications data, but becomes stored information when it is received. However, in various schemes such as PGP, the keys for authentication are embedded in the message itself and in the user's private keys. Having user private keys escrowed or otherwise recoverable by second or third parties is inherently dangerous, because it can completely undermine all security everywhere. Furthermore, the demand for surreptitious key access implies that perfectly innocent users might never know that their keys had been compromised -- at least not until they were arrested for a masquerader's illegal actions through identity theft, or until their life savings had been stolen.

There is a corporate message recovery version of the commercial version of PGP that automatically adds a corporate key that can be used to decrypt the message. It is not intended primarily for surreptitious key access, because the installer has local control over who may be granted access -- without revealing private keys.
However, I have no idea who if anyone is using it, and how.

First-party key recovery: There is no need for first-party key-recovery schemes in communications (where a user holds his or her own keys), because a user could quickly rekey in the event of a lost key or a garbled transmission. However, note that first-party key recovery or key escrow tends to defeat law-enforcement desires for surreptitious access. Nevertheless, holders of their own keys could be asked to reveal their keys under court order.

Second-party key recovery: There is a possible desire for a second-party (in-house) key recovery in communications on the part of an employer who wants to be able to find out what is being transmitted. But that desire may be typically irrelevant, because the employer typically already has a right and an ability to see unencrypted messages and e-mail and can do so by gaining direct access to the computer systems involved; then, law enforcement could simply gain access to that information in its unencrypted form, with the help of the second party. So, there may not be much of a need for second-party key recovery in communications. Some companies have indicated that they might want to have this capability, although apparently most organizations have said they do not want it.

Third-party key recovery: Only a very weak case can be made for third-party key recovery for transmitted information. No sensible highly competitive business should trust a third party to hold sensitive keys that can control the survival of the company, irrespective of whether surreptitious law-enforcement access is possible. Whether or not the third party is of identifiable trustworthiness, it could be subject to bribes, coercion, and other deviations from expected behavior.

(b) "Have customers ... expressed interest in such a key-recovery encryption product for communications?"
Although some interest has been expressed by system purveyors seeking to justify key recovery for communications (perhaps with the goal of improving the exportability of their products), there seems to be considerable conflict even within those purveyors as to the ultimate desirability and marketability -- particularly in the absence of knowledge about the possible risks.

On the other hand, the real customers -- system users and businesses -- seem not to have been particularly interested in such applications, although a few examples have been mentioned, such as uses of key recovery to enable recording of telephone conversations to detect fraud or defend against lawsuits. However, in almost all of those cases, the employer already has more convenient access to unencrypted content. In any case, the needs of such an extremely small set of hypothetical applications should not impose the large expected costs and potentially massive security risks on everyone else. Royal Dutch Shell is the only company I can think of that has expressed such a need.

In a different ``customer'' context, you might say that the FBI has expressed an interest in key recovery for internal communications, in its desire to use Clipper phones for its own employees. But that effort has apparently been put into deep freeze -- at least for the time being.

(c) "Do you believe there will be a market for, and consumer interest in using, key-recovery encryption for communications, including for telephone communications or fax machine transmissions?"

Only if no other encryption options would be available -- for example, if the Government were to mandate the use of key recovery in all products with encryption. There may eventually be a viable market for encrypted telephones and fax transmissions. If products without key recovery are available, they will clearly be preferable.
However, above and beyond the desires of law enforcement to restrict the marketplace to only products with key recovery, the risks of misuse such as inadvertent or malicious interception may be too great for corporations as well -- which could result in the use of off-shore encryption facilities without key recovery. I do not believe that mandating inherently vulnerable cryptography is a wise approach.

Incidentally, another distinction is important, particularly with respect to communications -- between communication privacy and communication integrity. The various types of mobile telephones -- cellular, portable, etc. -- suffer from some serious integrity problems, such as the lack of customer authentication and device authentication. Criminals can take considerable advantages of those integrity vulnerabilities as well as the privacy vulnerabilities. Both require nonsubvertible cryptography, but in different ways. Neither can afford to be subverted by key recovery.

2. "Do you ... have any estimate on how much it will cost to deploy key-recovery systems of the type that will meet law enforcement's stated specifications for access to encrypted data and communications?"

(a) "How much will it cost consumers?" and

(b) "How much will it cost the government to oversee?"

One of the biggest problems is that no one has any realistic estimates on either the costs to deploy or the costs to operate and administer such key-recovery systems in such a way that undesirable misuse can be controlled. Indeed, no one has succeeded in the past in developing systems that could not be misused, and there is strong evidence to suggest that will remain true in the future. However, the situation is even worse with respect to the projected future of key recovery because there are no detailed fully fledged designs for how such a key-recovery system could be soundly implemented and operated.
Perhaps even more critical, however, is that no one has conducted any evaluations of the risks that might occur as a result of the misuse of such key-recovery infrastructures. That would also be very difficult today, because the risks have yet to be enumerated and analyzed. (You might wish to skim through my book, Computer-Related Risks, which gives some of the flavor of the incredible breadth of risks that must be considered and the lengths to which we must go in trying to avoid those risks.)

(c) "Have you heard about any plans by the Administration to subsidize the key-recovery system?"

I have heard some statements to that effect. It is an interesting question, particularly because William Crowell, NSA Deputy Director, and others have repeatedly stated that there won't be a single big system, that the playing field will be level, and that the Government will find a way to help the key-recovery technology along, presumably through subsidies. Because of the expected distributed nature of any key-recovery infrastructures across many corporations and governments, the coordination required, and the defensive measures that would have to be taken in attempts to defend against the risks I have outlined in my prepared statement and in our attached report (Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, ``The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption,'' 27 May 1997), the Administration would have to do a lot of subsidizing.

3. "The Commerce Department has announced new rules to allow banks and other financial institutions to use encryption of any key length including for direct home banking software for their customers worldwide. Do customers ... have the same need as banks and financial institutions to protect their global communications with strong encryption?"

Certainly.
Any high-stakes commerce using the Internet will have to rely on the strongest encryption available that is not subject to compromise, subversion, and other misuse. Privacy of very sensitive databases will be very difficult to ensure in any case, but even more difficult if users cannot trust the encryption used in accessing those databases. On the other hand, the banking community has always had special treatment, for example in its international use of the Digital Encryption Standard, DES. The big difference is that citizens and unregulated businesses have constitutional rights, whereas banking institutions do not; they are ready to disclose sensitive information at Government request -- without your knowledge.

4. "The Administration's draft bill and now the McCain-Kerrey bill, S.909, both tie the use of certificate authorities for digital signatures to use of key recovery for confidentiality. Under the bill, a person who gets a public-key certificate from a licensed certification authority for a digital signature and who decides to use the same public-private key pair for confidentiality, would have to store his private key with a government-licensed key-recovery agent."

(a) "Is there any technical reason to tie these two uses together?"

No. The only reason is a misguided belief that it would help law enforcement, whereas in fact it could greatly impede law enforcement and considerably increase the amount of computer-related crime using the Internet and related technologies that depend on robust authentication. On the contrary, my prepared testimony states that any linkage of a key-recovery infrastructure with a certificate infrastructure would be a true disaster, undermining the credibility of all authentication and destroying the legal validity and operational importance of nonrepudiation. The idea of escrowing or otherwise providing surreptitious trapdoor access to authentication keys is utterly ridiculous, because it throws out the baby with the bathwater.
The idea of compromising the key-management process itself by including any key-recovery mechanisms could completely undermine the integrity of every authentication and every cryptographic use -- exposing them not only to authorized Government access, but to worldwide misuse by anyone from any country anywhere in the world. This is an unbelievably dangerous risk, and has not even been mentioned by any of the proponents of key recovery.

In particular, my prepared testimony from 9 July 1997 has this paragraph:

``Acquisition of the master key used by an authentication service or a digital-certificate service could be devastating; worse yet, access to anyone else's public key would then be sufficient to undermine the authentication infrastructure. As a result, the significance of the authentication would *always* be suspect, and the concept of nonrepudiation would effectively go out the window. That is, anyone could justifiably throw doubts on the legitimacy of a perfectly legitimate certificate. Furthermore, recovery access to certification keys would not be likely to provide any directly discernible benefits to law enforcement with respect to either storage keys or transmission keys, unless accompanied by further restrictions on all relevant end-user products worldwide.''

(b) "Could the federal government create a certification authority system that did not require the use of key recovery?"

Of course. Key recovery is not essential to certificate authorities, and indeed is completely contrary to the notion of a high-integrity certificate authority. In fact, there are already very serious intrinsic risks to the integrity of any certificate authority, and those risks would be drastically amplified by the presence of key recovery.

(c) "In your view, why is the Administration tying the two uses together?"
I can believe only that the Administration has not adequately studied the associated problems, and has followed the lead of the FBI -- which has clearly not adequately studied the associated problems because it has rather simplistically decided that key recovery is its last hope in the war against cryptography, regardless of its costs and risks on the nation in every other respect. I believe that the FBI has very legitimate concerns about its future role in the presence of more widespread cryptography, but I also believe that there are many other approaches that should be considered before key recovery is perceived as the last hope. I believe it is a false hope with very serious side effects on the nation, and that it will not even achieve the FBI's desired goals. There are too many ways to avoid key recovery in the commission of a crime, or in civil disobedience by totally honest people. This approach simply will not work as hoped unless it is made mandatory -- which I strongly oppose, for many reasons. (However, the Director of the FBI has said on various occasions that he would attempt to make it mandatory if that is what it takes to fulfill his mission, and the Administration and McCain-Kerrey both seem to want to jawbone the country in that direction.)

5. "Deputy Director Crowell states in his testimony that ``the Administration has engaged various industry and international groups to further define the infrastructure concept. All agree that the emergence of KMIs [Key-Management Infrastructures] is necessary.'' This implies that industry groups support the Administration's vision of a linked certificate authority and key-recovery infrastructure. Is that correct?"

You must note the distinction between (i) a key-management infrastructure, which is realistically necessary for sound electronic commerce, authentication, and any sensible use of crypto, and (ii) key recovery or key escrow, which requires some sort of exceptional key-access facility.
A sensible KMI does *not* require any exceptional key access, and in fact would be potentially undermined by such a mechanism. You should also note a distinction between NSA/DoD-style key management (with absolutely no key escrow or key recovery) and a KMI that is likely to be used in electronic commerce. It is certainly true that industry groups and foreign governments all want a sensible KMI. (For example, the Organization for Economic Cooperation and Development Cryptography Guidelines define a key management system as ``a system for generation, storage, distribution, revocation, deletion, archiving, certification or application of cryptographic keys.'') Encryption systems rely on reliable ways to generate keys, to publish the ``public'' keys so they can be used to communicate with the owner, and to store the ``private'' keys securely. But ordinary KMIs never require users to disclose their private keys; whenever this ``feature'' is mentioned, it is because of law-enforcement demands. Ordinary KMIs would easily out-compete escrowed KMIs that provide less security, and promise to act against the interests of their clients. Only a government-enforced requirement that users *must not* use an ordinary KMI would make these escrowed KMIs viable. Some draft British legislation on key recovery, which was widely seen as a ``feeler'' preceding a similar attempt in America, was one such attempt (but was opposed by the citizenry, and repudiated by the Labour party, which won the election by a considerable margin). In the United States, if the government attempts to restrict the publication of unescrowed public keys, it will likely run afoul of the First Amendment. Public keys should be published; private keys should remain private, under the full control of their owner. However, returning directly to your question, it is *not* true that such agreement exists relating to key recovery or to any form of key management that facilitates law-enforcement access to private keys. 
In particular, many foreign governments (see below) have expressed strong opposition to the Administration policy for key recovery, and in particular to the requirement for linking certificate authorities and key-recovery infrastructures. This is another example of an intentionally oversimplified lumping together of concepts that are in fact quite distinct -- a tendency that also occurs in the Government claim that there is a business need for key recovery (ignoring the reality that there is no real need in communications, even if there is one for storage). As I noted in my oral testimony on 9 July 1997, the European Union released a statement on 7 July 1997 in which it disagreed strongly with the U.S. policy relating to key recovery. The EU statement followed earlier recommendations of the OECD in Paris, which earlier this year issued its own guidelines on cryptography policy. The OECD rejected endorsement of the key-escrow proposal even after extensive lobbying by Administration officials and recommended instead a policy based on voluntary, market-driven development of crypto products. Indeed, several nations that appeared to be supportive earlier have backed off. This is the case, for example, in the U.K. -- where in addition to the new government having taken an explicit anti-escrow stand in its election platform, strong opposition was more recently expressed in a Department of Trade and Industry consultation exercise; the new government has put the issue on hold. Denmark is about to announce that it will not tolerate key escrow whatever. Belgium passed an escrow law apparently to mollify the U.S., but has explicitly failed to issue the regulations necessary to put it into effect. Switzerland, Singapore, and Japan appear to be moving in a direction counter to key recovery. I suggest that your staff double-check on the truth of such statements by Deputy Director Crowell, who has said that key recovery is being received warmly abroad. 
Incidentally, the systems that are favored by those supporting escrow facilities worldwide are assuming the use of identity certificates (that is, electronic identity cards) rather than the authorization certificates that electronic commerce really needs. This links in another issue that is usually considered to be very unwise, namely imposing identity cards on the citizenry -- which in turn could create a massive new underground industry for forged cards and identity theft. Much greater care is necessary in understanding the deeper issues before any legislation is enacted, whether it is to support law enforcement or to protect lawful citizens.

Irrespective of who might currently support it (and I believe the U.S. Government may be fighting a losing battle on that one), the vision of linking key recovery with certificate authorities could be a true disaster for electronic commerce and more generally the integrity of everything done electronically, whether on the Internet or not.

6. "S.909 would permit law enforcement to use a subpoena to obtain key-recovery information. Issuing a subpoena is a fairly simple process: no appearance before a judge is required and only a low standard of ``mere relevance'' need be shown to sustain the subpoena."

(a) "When law-enforcement agencies obtain a decryption key, are they potentially gaining access to far more than the plain text of the targeted item? Could the key provide access to a large portion of a company's or individual's files, and the ability to decrypt past and future information?"

It is very important to realize that key-recovery mechanisms imply a dramatic centralization of trust, even if the key-recovery facilities are distributed among different entities, and even if the keys are fragmented as is the case in Clipper. Compromise of one key-recovery authority could have enormous consequences.
Compromise of a single decryption key in a single key-recovery authority might have less serious consequences -- unless that key were used to unlock other systems, as is the case with worldwide master keys that are used in certain systems for electronic commerce -- in which case such compromises could have truly devastating consequences worldwide.

In the context of wiretaps, something on the order of half of the taps are done at state and local levels. The signoff authority can be as low as a local prosecuting attorney or the state Attorney General's office. If this were the case in key recovery or key escrow, the requirement of merely a subpoena would further weaken the accountability of the process. There is also the pocket subpoena that has been so much trouble in the past. The subpoena process is clearly not stringent enough for key recovery and key escrow.

(b) "Do you have privacy concerns about authorizing law-enforcement access to keys on a mere subpoena?"

Absolutely. The idea that information that, under the Fifth Amendment, could not even be compelled from a defendant on the witness stand can be easily obtained by law enforcement without even seeing a judge is anathema to our system of civil rights. The subpoena process is so much weaker that there could be fewer qualms about key-recovery agents ignoring the authorization process altogether. But the subpoena process is vastly too weak in any event.

One of many civil-rights objections to key recovery is that it attempts to subvert the Fifth Amendment by forcing users to create second- or third-party records of their keys. The defendant (or the suspect, in a wiretapping case) would have the right under current Constitutional law to keep his or her private key private -- but only if it is kept in their heads instead of on paper or in another party's control, such as a safe-deposit box. Copies on papers or computers can be obtained under a search warrant issued by a judge.
Because second and third parties have no Fifth Amendment right to keep these keys private, these parties can easily be coerced into handing them over. For example, copies of your telephone bills are available to any policeman upon request, without a judge's approval. Hundreds of thousands of phone bills are obtained every year in police ``fishing expeditions''. Only about a thousand wiretap orders are legally conducted each year, because this requires probable cause and a judge's approval. If private keys were as easily available as phone bills, hundreds of thousands of people would have their privacy violated annually.

7. "Do you know whether all Department of Justice information and communication systems that use encryption meet the key-recovery requirements currently spelled out in the Commerce Department regulations for export of 56-bit DES?"

I believe that very few if any of those systems meet those requirements. The exceptions are likely to be restricted to those developed in recent months. However, in many of the less secure systems, keys or unencrypted content can often be obtained because of software flaws in the operating systems and networking.

(a) "If so, do you know how the government is protecting the keys to the Department's encrypted communications and files?"

The Fortezza approach keeps keys on a separate chip, so that they never appear in the operating systems. Unfortunately, even in that expensive design, the PINs go into the chip in the clear, which represents a security vulnerability. Furthermore, the keys were to be escrowed in order to enable authorized law-enforcement access. Apparently the entire Fortezza program with escrowed keys has been decommissioned.

(b) "Can you ... estimate the cost of bringing the Justice Department alone into compliance with these regulations?"

No, I could not begin to do that.
But because of what I believe are inherent potential vulnerabilities in the key-recovery process, I also believe that it would be an enormous mistake for the Justice Department to rush into key-recovery schemes prematurely. On the other hand, the Justice Department is certainly a natural guinea pig for experimental use.

8. "About 24 states have already passed legislation on digital signatures, including the pioneering legislation reflected in Utah's Digital Signature Act. Vermont has similar digital signature legislation pending. Would passage of S.909, or similar legislation establishing Federal certificate authorities preempt much of this work done on the state level, where we have traditionally left matters of commercial and contract law?"

Yes. Even among supporters of digital signatures, there are differing opinions on how the laws should be changed to reflect this technology and supporting administrative procedures. Some people believe that legally limiting or eliminating the liability for compromised signatures will also limit or eliminate the market for such signatures. Others feel that the potential liability for compromises is so great that nobody would enter the business; consider the signature on a ten-million-dollar check, purchase order, or contract. If such a signature could be forged by subverting a low-paid employee in a certificate authority, who should bear the cost? Federalizing the response to issues such as this will prevent the natural experimentation that would occur in the fifty states, showing us the best answer as opposed to the first one to come to mind.

9. "The encryption bill voted on by the Commerce Committee, S.909, creates a number of new crimes. Some of the new crimes go to the heart of the controversial linkage between the use of certificate authorities and key-recovery agents.
For example, a user who gets a public-key certificate from a licensed certificate authority may use that key only as a digital signature to verify his identity even though the same key might be used to protect the privacy of encrypted personal messages. If the user uses this public-private key pair to protect privacy -- for example, to encrypt his e-mail messages -- under this bill, the user would be committing a crime and subject to 5 years in jail, or subject to a civil penalty of $100,000."

(a) "Do you find these penalties excessive, particularly since for users the simplest way to encrypt their electronic communications is using the same encryption key they use for their digital signatures?"

These proposed penalties are absurd, for several reasons. First of all, and perhaps most important, any linkage between certificate infrastructures and key-recovery infrastructures is itself most unwise. See my response to your Question 4. It is also unwise for anyone to use the same key for authentication and for encryption. In recommended usage, a private-public key pair (e.g., RSA) is used for authentication of identity, whereas different keys should be used for encrypting communications. Ideally, a different private-public key pair should be used to reach key agreement on a one-time conventional key (e.g., a symmetric encryption system such as DES) or keys (e.g., triple-DES). For example, the Diffie-Hellman algorithm can be used for the establishment of a one-time key for end-to-end conventional encryption without the actual session key ever being transmitted. Because there are already significant risks of using the same keys for multiple purposes, stupidity and ignorance should not be punished with long jail terms and civil penalties.

(b) "What, in your view, is the purpose of stopping users -- with the threat of a jail term -- from using the same public-private key for which they have a public key certificate for both digital signatures and for encryption?"
Given my response to (a), there is no purpose whatsoever in stopping the rather unwise practice of multiple (``polymorphic'') use of keys. It would provide law enforcement with further cryptographic attacks! However, if the intent of the would-be legislation is to stop the use of all cryptographic algorithms that do not use key recovery, then Diffie-Hellman, PGP, and many other algorithms would have to be outlawed worldwide, which is in itself absurd.

10. "Sections 405 and 702 of S.909 would punish with 5 years in jail, and civil penalties of up to $100,000, violations of regulations to be issued some time in the future by the Secretary of Commerce. That is an enormous grant of power to give an appointed Executive Branch official to define what is illegal conduct in this country."

(a) "Do you agree?"

Yes.

(b) "Is there any provision in S.909 that would bar the Secretary of Commerce from issuing regulations requiring all licensed certificate authorities to employ NSA's Digital Signature Standard (DSS) or all licensed key-recovery agents to employ the Clipper chip?"

I know of no such provision in S.909. Generally, S.909 is in need of considerable modifications in this and other respects noted here.

(c) "Is there any provision in S.909 that would bar the Secretary of Commerce from requiring certificate authorities or key-recovery agents from using only those encryption algorithms or systems that have been adopted as ``Federal Information Processing Standards'' (FIPS)?"

I know of no such provision in S.909. My response to 10(b) applies here as well.

11. "The Administration contemplates negotiating multilateral agreements to provide foreign governments with keys to the encrypted files and communications of Americans."

(a) "Do you think there should be clearly defined legal standards governing the terms of these multilateral agreements so that buyers and users of key-recovery products are confident their rights will be protected?"
This is equivalent to the classic question, ``Am I still beating my wife?'' First, I do not believe that such multilateral agreements can meaningfully be agreed upon worldwide that will prohibit the use of products that do not support key recovery. To do that worldwide would require enforced *mandatory* worldwide key recovery and total outlawing of all other products. Even if such agreements were reached among the democratic countries of the world, massive off-shore cryptographic centers would appear. In addition, software and hardware development might tend to migrate to other countries.

(b) "What protections, in terms of procedures and release of keys to foreign governments, should be in place in these multilateral agreements so that U.S. buyers and users of key-recovery products are [could be] confident their rights will be protected?"

There are in all likelihood *no* such protections that could ensure that the rights of U.S. citizens could be protected. There can be no such protections even within the United States, even without any involvement of foreign governments. However, the intrinsic corruption commonplace in many foreign governments would greatly exacerbate the problem. I will not even begin to suggest that I can come up with an adequate set of protections, because I believe that task is essentially impossible in the presence of untrustworthy individuals and untrustable governments.

It is senseless for rapists and burglars to be put in jail for short terms, while innocent citizens, who harm no-one and who are merely protecting their own privacy, would for political reasons spend five years behind bars, or lose their life's savings. In no sense does the punishment fit the crime.

However, in addition to the philosophical objections to this provision, there is a practical objection. Modern key-agreement protocols never use the citizen's long-term keys for encryption, only for signature.
Yet these protocols still produce an encrypted connection that cannot be compromised. The user would be using signature keys for their intended purpose -- to verify his or her identity, but the result would be the full protection of privacy. An example of such a key-agreement protocol is the Station-to-Station protocol invented at Northern Telecom by Whitfield Diffie and others. In order to prevent such uses of signature keys, the Government would have to outlaw the use of entire branches of cryptography. This would have a serious impact on First Amendment protected cryptographic research, as well as being realistically unenforceable.

I believe that the worldwide research and civil-rights communities would furthermore work hard to undermine such a ban -- for example, by writing and releasing free software that gets around it, and by researching alternative ways to provide privacy even under the imposed restrictions. PGP itself was written and given away free for exactly this purpose, while the Senate was considering a bill that would have required that the plaintext of encrypted communications be made available to law enforcement. Several papers at the Crypto '97 conference in August 1997 were presented by researchers inspired by Government attempts to subvert the cryptographic infrastructure, such as the Clipper and Fortezza initiatives. A Congress alarmed by the decline in respect for law would do well to avoid passing laws that would get no respect.

12. "Do you believe that certificate authorities, merely because they are registered with the [U.S.] government, should receive total immunity from all non-contractual liability, as provided in S.909?"

The immunity clause is presumably included in S.909 primarily as a jawboning mechanism in an attempt to coerce all would-be certificate authorities to go along with key recovery.
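The responses to Questions 9 and 11 above describe key agreement in which long-term keys are used only to sign and a one-time Diffie-Hellman exchange produces the session key. The following Python code is an added example, not part of the letter or of any product it mentions: a simplified signed Diffie-Hellman exchange in the style of Station-to-Station (it omits STS's encryption of the signatures under the session key), with a toy group and toy Schnorr signatures chosen here as assumptions so that it runs on the standard library alone. It also shows the point made under Question 4: a copy of a signing key held by anyone else produces signatures that verify exactly like the owner's.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: P = 2**521 - 1 is a Mersenne
# prime. Real deployments use standardized groups or elliptic curves.
P = 2**521 - 1
G = 3
Q = P - 1  # G**Q == 1 (mod P), so exponents may be reduced modulo Q


def _hash_to_int(*values):
    """Hash a sequence of values to an integer challenge."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Return a fresh (private, public) pair in the toy group."""
    priv = secrets.randbelow(Q - 2) + 1
    return priv, pow(G, priv, P)


def sign(sig_priv, *message):
    """Toy Schnorr signature; stands in for the RSA signature the letter mentions."""
    k = secrets.randbelow(Q - 2) + 1
    r = pow(G, k, P)
    e = _hash_to_int(r, *message)
    return r, (k + sig_priv * e) % Q


def verify(sig_pub, signature, *message):
    """Check G**s == r * pub**e (mod P) for the challenge e = H(r, message)."""
    r, s = signature
    e = _hash_to_int(r, *message)
    return pow(G, s, P) == (r * pow(sig_pub, e, P)) % P


def derive_session_key(own_ephemeral_priv, peer_ephemeral_pub):
    """Inputs are one-time values only; no long-term key is involved."""
    shared = pow(peer_ephemeral_pub, own_ephemeral_priv, P)
    return hashlib.sha256(str(shared).encode()).digest()


def key_agreement(alice_sig, bob_sig):
    """Run one exchange; alice_sig and bob_sig are long-term (priv, pub) signing pairs.

    Returns (alice_key, bob_key, transcript), where transcript holds
    everything that crossed the wire.
    """
    a_priv, a_pub = keygen()  # Alice's one-time exponent
    b_priv, b_pub = keygen()  # Bob's one-time exponent
    # Message 1, Alice -> Bob: a_pub
    # Message 2, Bob -> Alice: b_pub and Bob's signature over both exponentials
    sig_b = sign(bob_sig[0], b_pub, a_pub)
    if not verify(bob_sig[1], sig_b, b_pub, a_pub):
        raise ValueError("Bob's signature rejected")
    # Message 3, Alice -> Bob: Alice's signature over both exponentials
    sig_a = sign(alice_sig[0], a_pub, b_pub)
    if not verify(alice_sig[1], sig_a, a_pub, b_pub):
        raise ValueError("Alice's signature rejected")
    transcript = {"a_pub": a_pub, "b_pub": b_pub, "sig_a": sig_a, "sig_b": sig_b}
    return (derive_session_key(a_priv, b_pub),
            derive_session_key(b_priv, a_pub),
            transcript)


def escrow_effect(alice_sig):
    """Effect on verification of a copy of Alice's signing key held elsewhere.

    A signature made with the copy verifies exactly like Alice's own, so a
    relying party cannot tell the two apart (the nonrepudiation concern).
    """
    escrowed_copy = alice_sig[0]
    statement = _hash_to_int("constructed sample contract")
    return verify(alice_sig[1], sign(escrowed_copy, statement), statement)


if __name__ == "__main__":
    alice, bob = keygen(), keygen()
    k1a, k1b, _ = key_agreement(alice, bob)
    k2a, _, _ = key_agreement(alice, bob)
    print("both sides agree:", k1a == k1b)
    print("fresh key per session:", k1a != k2a)
    print("escrowed copy signs as Alice:", escrow_effect(alice))
```

The session key depends only on the one-time exponents, which are never sent and can be discarded after use, so holding the long-term signing keys adds nothing toward reading a recorded session while it does allow signing in the owner's name.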
I think the granting of total immunity would lead to enormous opportunities for fraud and misuse on the part of people associated with the certificate authorities, which must be even further beyond reproach than most existing financial institutions.

Granting any party immunity from liability is an immense gift. Would Congress grant me immunity from all noncontractual civil suits? Could I violate patents and copyrights with impunity? Could I slander and libel at will? Do I just have to give the Government copies of all my customers' private keys in order to get these privileges? In many ways it sounds like commissioning a privateer, a Government-sanctioned pirate on the high seas.

Although not directly relevant to the question of immunity, the mere creation of domestic certificate authorities whose key holding may not be completely trustworthy could encourage the existence of untrustworthy off-shore certificate services, whose identities might appear to be totally equivalent to any approved authority, because of the inherent flakiness of the existing computer-communication infrastructure and its likely successors -- even in the presence of apparently legitimate certificate authorities.

13. "Should certificate authorities [that] are not registered with the government, and their customers, be denied the same protections from federal law-enforcement abuse offered in S.909 only to those who use registered certificate authorities?"

This is another ``Are you still beating your wife?'' question. I believe that S.909 is totally misconceived in trying to jawbone certificate authorities into enabling key recovery. I have already stated that the linkage is in and of itself enormously risky; see my response to your Question 4. Therefore, I do not believe that anyone should be granted blanket immunity.

14. "Is the STU-III classified telephone system based on a key-recovery system?
If S.909 becomes law, and all government communication systems, and equipment purchased with government funds, are required to use key-recovery systems, will the STU-III classified telephone system have to be replaced? Could you explain?"

It is my understanding that the STU-III and other NSA-developed high-security encryption devices intentionally do *not* use any key-recovery schemes, precisely because the risks of compromise by untrustworthy persons and untrustworthy computer systems would be vastly increased. Indeed, technical measures are taken to ensure that no copy of any key is *ever* accessible outside of the phones, precisely to avoid the danger of compromise by such persons. The risks of key compromise are already great enough -- as seen by various past breaches of classified security -- without introducing the enormously greater potential risks of key recovery.

The Department of Defense already uses a variety of highly classified encryption devices (e.g., KG boxes) whose key-generation algorithms are vastly more secure than anything that is possible in the presence of key-recovery mechanisms. If the key is lost, the systems are rekeyed. The presence of a key-recovery facility in those systems that are intended to be as secure as possible would totally undermine their security. Thus, NSA and the Department of Defense must laugh in the face of S.909 and ignore key-recovery mechanisms altogether for such devices. Key access to KG boxes and STU-III systems could totally undermine their intended security. However, note that new-key generation (rekeying) is always possible.

Please realize that the mere existence of a trapdoor necessary for key recovery suggests that such a trapdoor may be exploitable by people other than those who are supposedly authorized to use it. This suggests how absurd things are becoming. The U.S. Government can certainly use any key-recovery, key-escrow, or key-management scheme it wants, for its own purposes.
However, in my opinion it would be very foolish to have a trapdoored key-recovery system whenever secrecy is really critical.

============================================================================

Question from Senator Feinstein to Peter Neumann:

"There have been some very legitimate privacy concerns expressed by speakers today. What additional privacy could be lost by providing law-enforcement access to encrypted phone calls and electronic mail?"

Peter Neumann's Response to Senator Feinstein's Question to him:

Senator Feinstein,

Thank you for your recognition of the privacy concerns expressed by the second panel. They are indeed very profound and quite insidious. It was unfortunate that you were not able to attend the second panel in person, but from the nature of your question, I trust that your staffers did an excellent job of briefing you afterwards.

One of the most serious potential risks with covert and surreptitious law-enforcement access to arbitrary communications and stored information involves the risks of misuse of that access. The existing process of judicial warrants does impose some restraints, but the relatively unencumbered use of subpoenas as proposed by McCain-Kerrey is an open invitation to misuse. However, even if legal law-enforcement access could be rigidly controlled (for example, with warrants equivalent to those required in wiretaps), essentially all computer-communication systems can be subverted by means that lie outside of normally expected access -- for example, exploiting trapdoors and planting Trojan horses that guarantee unmonitored access, or simply misuse by authorized insiders. In all my years of analyzing system security, I have never found a system whose security could not be broken -- and often broken in ways that would not be detected or traced to the culprit. Key recovery is in essence a monster potential trapdoor.
Passing laws that make misuse illegal does not stop the exploitation of fundamentally weak systems, especially across foreign boundaries.

The notion of privacy in the context of your question is usually considered in a way that is significantly too narrow. We must also consider the very serious implications of the consequences of (i) reuse of information beyond its intended use, (ii) the propagating effects of incorrect or intentionally false information, and (iii) the risks of identity theft. My book, Computer-Related Risks (Senators Hatch and Leahy both have copies), is full of examples of these serious threats to human well-being. For example, (i) a master key might be used far beyond the intended purpose of one-time surveillance; (ii) there are numerous cases of false arrest resulting from incorrect data or misidentifications; (iii) in quite a few cases, actions of masqueraders have actually caused their victims to be arrested, in some cases after their life savings and pensions had been stolen.

To illustrate the point that government databases have been abused and government employees have been guilty of serious misuses of computer systems, here are just a few examples involving motor vehicle bureaus, the IRS, and the Social Security Administration. Employees of the Virginia DMV created and sold thousands of fraudulent drivers' licenses. Actress Rebecca Schaeffer was murdered by someone who had acquired her address from DMV records. A former Arizona law-enforcement officer tracked down and killed his ex-girlfriend based on information that some of his friends extracted from government databases. Employees of the Social Security Administration sold internal database information (including Social Security Numbers and mothers' maiden names) of more than 11,000 people to a credit-card fraud ring, which then used the information to activate newly issued Citibank credit cards that had been stolen.
An IRS employee was accused of giving tax data on judges and jurors to a defendant. Various IRS employees have been indicted for fraud. These are just a few of the cases documented in the archives of the Risks Forum and in my RISKS book.

Perhaps most threatening of all is that the FBI's demand for easily misused surreptitious key access implies that perfectly innocent users might never know that their keys had been compromised, with many possible adverse consequences.

One other issue deserves your consideration. Privacy is an international problem; each nation has its own notions of what must be protected and what penalties might be incurred for violators. Similarly, computer-communication security is an international problem, and cannot be solved nationally. Significant international cooperation must be involved. Creating a national key-recovery infrastructure in the absence of consideration of the international issues is itself a risky business -- for a wide variety of reasons. Attempting to create an international key-recovery infrastructure is a truly imposing task, and raises the issue of having to trust potentially untrustworthy agents and governments with keys.

The following two paragraphs are taken directly from my prepared testimony (with the inclusion of the reference to the GAO report).

``Key-recovery infrastructures could greatly increase the opportunities for insider fraud, malice, and other misuse within governmental organizations. There are various reports of insider misuse of FBI and other law-enforcement databases. For example, House testimony from Laurie E. Ekstrand of the GAO documents 62 cases of misuses of law-enforcement computer data. Similar misuse has been discovered in other Government offices, such as Social Security Administration employees selling information to enable the activation of 11,000 credit cards stolen from the mail, and IRS employees leaking tax information and altering records.
It is clearly unwise to assume that our Government is totally benevolent and incapable of illegal actions.''

[The cited GAO report is: National Crime Information Center -- Legislation Needed to Deter Misuse of Criminal Justice Information, U.S. General Accounting Office testimony before the U.S. House of Representatives Subcommittee on Information, Justice, Agriculture, and Transportation, of the Committee on Government Operations, and the Subcommittee on Civil and Constitutional Rights, of the Committee on the Judiciary, 28 July 1993.]

``The potential risks of misuse of key-recovery infrastructures extend far into our social structure. Loss of privacy can often result in serious consequences to individuals. (In addition, retrieval of incorrect data can have damaging results on the individuals involved, although that is true whether or not the information is encrypted.) Constitutional issues are also at risk, such as protection against unreasonable search and seizure. If on-line infrastructures for key recovery are to use existing commercial systems, they may be seriously lacking in confidentiality, integrity, accountability, and assurance.''

It is very important to realize that key-recovery mechanisms imply a dramatic centralization of trust, even if the key-recovery facilities are distributed among different entities, and even if the keys are fragmented as is the case in Clipper. Compromise of one key-recovery authority could have enormous consequences. Compromise of a single decryption key in a single key-recovery authority might have less serious consequences -- unless that key were used to unlock other systems, as is the case with worldwide master keys that are used in certain systems for electronic commerce -- in which case such compromises could have truly devastating consequences worldwide.

By the way, you must be aware of the importance of electronic commerce to the computer industry.
The bottom-line reason for good security and nonsubvertible crypto is economics. The vast sums of money that will be protected by such systems are sufficient to entice and induce corruption. A key purchased illegally from a recovery site could be very inexpensive relative to the profits that could be gained. Forged warrants, bogus subpoenas, dishonest insiders, criminals impersonating law-enforcement officials, and many other modes of misuse have occurred and will continue to occur. However, the existence of single points of vulnerability greatly compounds the problems -- and greatly increases the likelihood of misuse.

A German lawyer involved in the opposition to key recovery in Germany has stated that ``trust structures in the electronic world should as far as possible mirror relationships in existing practice.''

The opportunity to gain electronic access to massive numbers of keys and massive amounts of sensitive information without proper authorization is truly a disaster waiting to happen. The existence of a trapdoor that can be used surreptitiously in widespread computer-communication systems is an open invitation to an enormous range of potential misuses. Hopes of avoiding those misuses would have to rely in part on the security of the key-recovery infrastructure, which is very likely to be flawed -- despite anything you may hear to the contrary. (Surprising attacks have been discovered in many security schemes thought to be virtually impenetrable. Indeed, serious system security flaws are common in all computer systems, and have plagued essentially every computer system I have ever had the pleasure to analyze.) But more importantly, those hopes of avoiding misuses would have to rely on the impeccable trustworthiness of an unfortunately large number of people who might either misuse their legitimate access or find a way to acquire clandestine unauthorized access to the keys (for example, because of inherent flaws in the system security).
In essence, what is advertised as law-enforcement access could easily become subject to extensive misuse, even in the presence of supposedly restrictive administrative procedures.

============================================================================