 |
 |
|||||||
Read
more than 3,000 books online FREE! More than 900 PDFs now available
for sale |
||||||||
|
||||||||
|
Questions? Call 888-624-8373
| ||||||||
|
||||||||||||||
| Cryptography's Role in Securing the Information Society
(1996) Computer Science and Telecommunications Board (CSTB) |
|
| |||||||||||
|
|
|
|||||||||
|
The following HTML text is provided to enhance online readability. Many aspects of typography translate only awkwardly to HTML. Please use the page image as the authoritative form to ensure accuracy. CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETYCommittee to Study National Cryptography Policy Computer Science and Telecommunications Board Commission on Physical Sciences, Mathematics, and Applications National Research Council NATIONAL ACADEMY PRESS Washington, D.C. 1996 |
| ||||||||||
| |||||||||||||||||||
The Open Book page image presentation framework is not designed to replace printed books. Rather, it is a free, browsable, nonproprietary, fully and deeply searchable version of the publication which we can inexpensively and quickly produce to make the material available worldwide.
For most effective printing, use the "printable PDF page" link available on each OpenBook page's tool block. The 300 x 150 dpi PDF linked to it is printable on your local printer.
More information on the Open Book is available.
| [ Top of Page ] [ Home ] [ Contact Us ] [ Help ] [ The National Academies Home ] | ||
Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page R1
CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY Kenneth W. Dam and Herbert S. Lin, Editors Committee to Study National Cryptography Policy Computer Science and Telecommunications Board Commission on Physical Sciences, Mathematics, and Applications National Research Council NATIONAL ACADEMY PRESS Washington, D.C. 1996
OCR for page R2
Page ii
NATIONAL ACADEMY PRESS 2101 Constitution Avenue, NW Washington, DC 20418
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.
Support for this project was provided by the Department of Defense (under contract number DASW01-94-C-0178) and the Department of Commerce (under contract number 50SBNB4C8089). Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Library of Congress Catalog Card Number 96-68943 International Standard Book Number 0-309-05475-3
The Computer Science and Telecommunications Board (CSTB) will be glad to receive comments on this report. Please send them via Internet e-mail to CRYPTO@NAS.EDU, or via regular mail to CSTB, National Research Council, 2101 Constitution Avenue NW, Washington, DC 20418.
Copyright 1996 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
OCR for page R3
Page iii
COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY
KENNETH W. DAM, University of Chicago Law School, Chair
W.Y. SMITH, Institute for Defense Analyses (retired), Vice Chair
LEE BOLLINGER, Dartmouth College
ANN CARACRISTI, National Security Agency (retired)
BENJAMIN R. CIVILETTI, Venable, Baetjer, Howard and Civiletti
COLIN CROOK, Citicorp
SAMUEL H. FULLER, Digital Equipment Corporation
LESLIE H. GELB, Council on Foreign Relations
RONALD GRAHAM, AT&T Bell Laboratories
MARTIN HELLMAN, Stanford University
JULIUS L. KATZ, Hills & Company
PETER G. NEUMANN, SRI International
RAYMOND OZZIE, Iris Associates
EDWARD C. SCHMULTS, General Telephone and Electronics (retired)
ELLIOT M. STONE, Massachusetts Health Data Consortium
WILLIS H. WARE, RAND Corporation
Staff
MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Study Director and Senior Staff Officer
JOHN M. GODFREY, Research Associate
FRANK PITTELLI, Consultant to CSTB
GAIL E. PRITCHARD, Project Assistant
OCR for page R4
Page iv
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
WILLIAM A. WULF, University of Virginia, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
DAVID D. CLARK, Massachusetts Institute of Technology
JEFF DOZIER, University of California at Santa Barbara
HENRY FUCHS, University of North Carolina
CHARLES GESCHKE, Adobe Systems Incorporated
JAMES GRAY, Microsoft Corporation
BARBARA GROSZ, Harvard University
JURIS HARTMANIS, Cornell University
DEBORAH A. JOSEPH, University of Wisconsin
BUTLER W. LAMPSON, Microsoft Corporation
BARBARA LISKOV, Massachusetts Institute of Technology
JOHN MAJOR, Motorola
ROBERT L. MARTIN, AT&T Network Systems
DAVID G. MESSERSCHMITT, University of California at Berkeley
WILLIAM PRESS, Harvard University
CHARLES L. SEITZ, Myricom Incorporated
EDWARD SHORTLIFFE, Stanford University School of Medicine
CASIMIR S. SKRZYPCZAK, NYNEX Corporation
LESLIE L. VADASZ, Intel Corporation
MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Staff Officer
PAUL D. SEMENZA, Staff Officer
JERRY R. SHEEHAN, Staff Officer
JEAN E. SMITH, Program Associate
JOHN M. GODFREY, Research Associate
LESLIE M. WADE, Research Assistant
GLORIA P. BEMAH, Administrative Assistant
GAIL E. PRITCHARD, Project Assistant
OCR for page R5
Page v
COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS
ROBERT J. HERMANN, United Technologies Corporation, Chair
PETER M. BANKS, Environmental Research Institute of Michigan
SYLVIA T. CEYER, Massachusetts Institute of Technology
L. LOUIS HEGEDUS, Elf Atochem North America Inc.
JOHN E. HOPCROFT, Cornell University
RHONDA J. HUGHES, Bryn Mawr College
SHIRLEY A. JACKSON, U.S. Nuclear Regulatory Commission
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
KEN KENNEDY, Rice University
THOMAS A. PRINCE, California Institute of Technology
JEROME SACKS, National Institute of Statistical Sciences
L.E. SCRIVEN, University of Minnesota
LEON T. SILVER, California Institute of Technology
CHARLES P. SLICHTER, University of Illinois at Urbana-Champaign
ALVIN W. TRIVELPIECE, Oak Ridge National Laboratory
SHMUEL WINOGRAD, IBM T.J. Watson Research Center
CHARLES A. ZRAKET, MITRE Corporation (retired)
NORMAN METZGER, Executive Director
OCR for page R6
Page vi
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is interim president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. William A. Wulf are chairman and interim vice chairman, respectively, of the National Research Council.
OCR for page R7
Page vii
Preface INTRODUCTION For most of history, cryptography—the art and science of secret writing—has belonged to governments concerned about protecting their own secrets and about asserting their prerogatives for access to information relevant to national security and public safety. In the United States, cryptography policy has reflected the U.S. government's needs for effective cryptographic protection of classified and other sensitive communications as well as its needs to gather intelligence for national security purposes, needs that would be damaged by the widespread use of cryptography. National security concerns have motivated such actions as development of cryptographic technologies, development of countermeasures to reverse the effects of encryption, and control of cryptographic technologies for export.
In the last 20 years, a number of developments have brought about what could be called the popularization of cryptography. First, some industries—notably financial services—have come to rely on encryption as an enabler of secure electronic funds transfers. Second, other industries have developed an interest in encryption for protection of proprietary and other sensitive information. Third, the broadening use of computers and computer networks has generalized the demand for technologies to secure communications down to the level of individual citizens and assure the privacy and security of their electronic records and transmissions. Fourth, the sharply increased use of wireless communications (e.g., cellular telephones) has highlighted the greater vulnerability
OCR for page R8
Page viii
of such communications to unauthorized intercept as well as the difficulty of detecting these intercepts.
As a result, efforts have increased to develop encryption systems for private sector use and to integrate encryption with other information technology products. Interest has grown in the commercial market for cryptographic technologies and systems incorporating such technologies, and the nation has witnessed a heightened debate over individual need for and access to technologies to protect individual privacy.
Still another consequence of the expectation of widespread use of encryption is the emergence of law enforcement concerns that parallel, on a civilian basis, some of the national security concerns. Law enforcement officials fear that wide dissemination of effective cryptographic technologies will impede their efforts to collect information necessary for pursuing criminal investigations. On the other side, civil libertarians fear that controls on cryptographic technologies will give government authorities both in the United States and abroad unprecedented and unwarranted capabilities for intrusion into the private lives of citizens.
CHARGE OF THE COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY At the request of the U.S. Congress in November 1993, the National Research Council's Computer Science and Telecommunications Board (CSTB) formed the Committee to Study National Cryptography Policy. In accordance with its legislative charge (Box P.1), the committee undertook the following tasks:
• Framing the problem. What are the technology trends with which national cryptography policy must keep pace? What is the political environment? What are the significant changes in the post-Cold War environment that call attention to the need for, and should have an impact on, cryptography policy?
• Understanding the underlying technology issues and their expected development and impact on policy over time. What is and is not possible with current cryptographic (and related) technologies? How could these capabilities have an impact on various U.S. interests?
• Describing current cryptography policy. To the committee's knowledge, there is no single document, classified or unclassified, within the U.S. government that fully describes national cryptography policy.
• Articulating a framework for thinking about cryptography policy. The interests affected by national cryptography policy are multiple, varied, and related: they include personal liberties and constitutional rights, the maintenance of public order and national security, technology develop-
OCR for page R9
Page ix
BOX P.1 Legislative Charge to the National Research Council
Public Law 103-160 Defense Authorization Bill for Fiscal Year 1994 Signed November 30,1993
SEC. 267. COMPREHENSIVE INDEPENDENT STUDY OF NATIONAL CRYPTOGRAPHY POLICY.
(a) Study by National Research Council.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall request the National Research Council of the National Academy of Sciences to conduct a comprehensive study of cryptographic technologies and national cryptography policy.
(b) Matters To Be Assessed in Study.—The study shall assess—
(1) the effect of cryptographic technologies on—
(A) national security interests of the United States Government;
(B) law enforcement interests of the United States Government;
(C) commercial interests of United States industry; and
(D) privacy interests of United States citizens; and
(2) the effect on commercial interests of United States industry of export controls on cryptographic technologies.
(c) Interagency Cooperation With Study.—The Secretary of Defense shall direct the National Security Agency, the Advanced Research Projects Agency, and other appropriate agencies of the Department of Defense to cooperate fully with the National Research Council in its activities in carrying out the study under this section. The Secretary shall request all other appropriate Federal departments and agencies to provide similar cooperation to the National Research Council.
ment, and U.S. economic competitiveness and markets. At a minimum, policy makers (and their critics) must understand how these interests interrelate, although they may decide that one particular policy configuration better serves the overall national interest than does another.
• Identifying a range offeasible policy options. The debate over cryptography policy has been hampered by an incomplete analysis and discussion of various policy options—both proponents of current policy and of alternative policies are forced into debating positions in which it is difficult or impossible to acknowledge that a competing view might have some merit. This report attempts to discuss fairly the pros and cons of a number of options.
• Making recommendations regarding cryptography policy. No cryptography policy will be stable for all time. That is, it is unrealistic to imagine
OCR for page R10
Page x
that this committee or any set of policy makers could craft a policy that would not have to evolve over time as the technological and political milieu itself changes. Thus, the committee's recommendations are framed in the context of a transition, from a world characterized by slowly evolving technology, well-defined enemies, and unquestioned U.S. technological, economic, and geopolitical dominance to one characterized by rapidly evolving technology, fuzzy lines between friend and foe, and increasing technological, economic, and political interdependencies between the United States and other nations of the world.
Given the diverse applications of cryptography, national cryptography policy involves a very large number of important issues. Important to national cryptography policy as well are issues related to the deployment of a large-scale infrastructure for cryptography and legislation and regulations to support the widespread use of cryptography for authentication and data integrity purposes (i.e., collateral applications of cryptography), even though these issues have not taken center stage in the policy debate.
The committee focused its efforts primarily on issues related to cryptography for confidentiality, because the contentious problem that this committee was assembled to address at the center of the public policy debate relates to the use of cryptography in confidentiality applications. It also addressed issues of cryptography policy related to authentication and data integrity at a relatively high level, casting its findings and recommendations in these areas in fairly general terms. However, it notes that detailed consideration of issues and policy options in these collateral areas requires additional study at a level of detail and thoroughness comparable to that of this report.
In preparing this report, the committee reviewed and synthesized relevant material from recent reports, took written and oral testimony from government, industry, and private individuals, reached out extensively to the affected stakeholders to solicit input, and met seven times to discuss the input from these sources as well as the independent observations and findings of the committee members themselves. In addition, this study built upon three prior efforts to examine national cryptography policy: the Association for Computing Machinery report Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy,1the Office of Technology Assessment report Information Security and Privacy in Network Environments,2and
1 Susan Landau et al., Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy, Association for Computing Machinery Inc., New York, 1994.
2 Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., September 1994.
OCR for page R11
Page xi
the JASON encryption study.3A number of other examinations of cryptography and/or information security policy were also important to the committee's work.4(Appendix N contains source documents (e.g., statutes, regulations, memorandums of understanding), relevant to the national debate over cryptography policy.)
WHAT THIS REPORT IS NOT The subject of national cryptography policy is quite complex, as it figures importantly in many areas of national interest. To keep the project manageable within the time, resources, and expertise available, the committee chose not to address in detail a number of issues that arose with some nontrivial frequency during the course of its study.
• This report is not a comprehensive study of the grand trade-offs that might be made in other dimensions of national policy to compensate for changes in cryptography policy. For example, this report does not address matters such as relaxing exclusionary rules that govern the court admissibility of evidence or installing video cameras in every police helmet as part of a package that also eliminates restrictions on cryptography, though such packages are in principle possible. Similarly, it does not address options such as increasing the budget for counterterrorist operations as a quid pro quo for relaxations on export controls of cryptography. The report does provide information that would help to assess the impact of various approaches to cryptography policy, although how that impact should be weighed against the impact of policies related to other areas is outside the scope of this study and the expertise of the committee assembled for it.
• This report is not a study on the future of the National Security Agency (NSA) in the post-Cold War era. A determination of what mis-
3 JASON Program Office, JASON Encryption/Privacy Study, Report JSR-93-520 (unpublished), MITRE Corporation, McLean, Va., August 18,1993.
4 These works include Global Information Infrastructure, a joint report by the European Association of Manufacturers of Business Machines and Information Technology Industry, the U.S. Information Technology Industry Council, and the Japan Electronic Industry Development Association (EUROBIT-ITI-JEIDA), developed for the G-7 Summit on the Global Information Society, GII Tripartite Preparatory Meeting, January 26-27, 1995, Brussels; the U.S. Council for International Business statement titled ''Business Requirements for Encryption," October 10, 1994, New York; and the International Chamber of Commerce position paper "International Encryption Policy," Document No. 373/202 Rev. and No. 373-30/ 9 Rev., Paris, undated. Important source documents can be found in Lance J. Hoffman (ed.), Building in Big Brother: The Cryptographic Policy Debate, Springer-Verlag, New York, 1995, and in the cryptography policy source books published annually by the Electronic Privacy Information Center in Washington, D.C.
OCR for page R22
Page xxii
2 CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE
51
2.1 Cryptography in Context
51
2.2 What Is Cryptography and What Can It Do?
52
2.3 How Cryptography Fits into the Big Security Picture
57
2.3.1 Factors Inhibiting Access to Information
58
2.3.2 Factors Facilitating Access to Information
60
2.4 The Market for Cryptography
65
2.4.1 The Demand Side of the Cryptography Market
66
2.4.2 The Supply Side of the Cryptography Market
72
2.5 Infrastructure for Widespread Use of Cryptography
74
2.5.1 Key Management Infrastructure
74
2.5.2 Certificate Infrastructures
75
2.6 Recap
77
3 NEEDS FOR ACCESS TO ENCRYPTED INFORMATION
79
3.1 Terminology
79
3.2 Law Enforcement: Investigation and Prosecution
81
3.2.1 The Value of Access to Information for Law Enforcement
81
3.2.2 The Legal Framework Governing Surveillance
84
3.2.3 The Nature of the Surveillance Needs of Law Enforcement
88
3.2.4 The Impact of Cryptography and New Media on Law Enforcement (Stored and Communicated Data)
90
3.3 National Security and Signals Intelligence
94
3.3.1 The Value of Signals Intelligence
95
3.3.2 The Impact of Cryptography on Signals Intelligence
101
3.4 Similarities in and Differences Between Foreign Policy/National Security and Law Enforcement Needs for Communications Monitoring
102
3.4.1 Similarities
102
3.4.2 Differences
104
3.5 Business and Individual Needs for Exceptional Access to Protected Information
104
3.6 Other Types of Exceptional Access to Protected Information
108
3.7 Recap
109
OCR for page R23
Page xxiii
PART II—POLICY INSTRUMENTS
4 EXPORT CONTROLS
113
4.1 Brief Description of Current Export Controls
113
4.1.1 The Rationale for Export Controls
113
4.1.2 General Description
114
4.1.3 Discussion of Current Licensing Practices
122
4.2 Effectiveness of Export Controls on Cryptography
127
4.3 The Impact of Export Controls on U.S. Information Technology Vendors
134
4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography
134
4.3.2 Regulatory Uncertainty Related to Export Controls
138
4.3.3 The Size of the Affected Market for Cryptography
145
4.3.4 Inhibiting Vendor Responses to User Needs
152
4.4 The Impact of Export Controls on U.S. Economic and National Security Interests
153
4.4.1 Direct Economic Harm to U.S. Businesses
153
4.4.2 Damage to U.S. Leadership in Information Technology
155
4.5 The Mismatch Between the Perceptions of Government/ National Security and Those of Vendors
157
4.6 Export of Technical Data
159
4.7 Foreign Policy Considerations
162
4.8 Technology-Policy Mismatches
163
4.9 Recap
165
5 ESCROWED ENCRYPTION AND RELATED ISSUES
167
5.1 What Is Escrowed Encryption?
167
5.2 Administration Initiatives Supporting Escrowed Encryption
169
5.2.1 The Clipper Initiative and the Escrowed Encryption Standard
170
5.2.2 The Capstone/Fortezza Initiative
176
5.2.3 The Relaxation of Export Controls on Software Products Using ''Properly Escrowed" 64-bit Encryption
177
5.2.4 Other Federal Initiatives in Escrowed Encryption
179
5.3 Other Approaches to Escrowed Encryption
179
OCR for page R24
Page xxiv
5.4 The Impact of Escrowed Encryption on Information Security
181
5.5 The Impact of Escrowed Encryption on Law Enforcement
184
5.5.1 Balance of Crime Enabled vs. Crime Prosecuted
184
5.5.2 Impact on Law Enforcement Access to Information
185
5.6 Mandatory vs. Voluntary Use of Escrowed Encryption
187
5.7 Process Through Which Policy on Escrowed Encryption Was Developed
188
5.8 Affiliation and Number of Escrow Agents
189
5.9 Responsibilities and Obligations of Escrow Agents and Users of Escrowed Encryption
193
5.9.1 Partitioning Escrowed Information
193
5.9.2 Operational Responsibilities of Escrow Agents
194
5.9.3 Liabilities of Escrow Agents
197
5.10 The Role of Secrecy in Ensuring Product Security
201
5.10.1 Algorithm Secrecy
201
5.10.2 Product Design and Implementation Secrecy
204
5.11 The Hardware/Software Choice in Product Implementation
208
5.12 Responsibility for Generation of Unit Keys
211
5.13 Issues Related to the Administration Proposal to Relax Export Controls on 64-bit Escrowed Encryption in Software
213
5.13.1 The Definition of "Proper Escrowing"
213
5.13.2 The Proposed Limitation of Key Lengths to 64 Bits or Less
214
5.14 Recap
215
6 OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY
216
6.1 The Communications Assistance for Law Enforcement Act
216
6.1.1 Brief Description of and Stated Rationale for the CALEA
217
6.1.2 Reducing Resource Requirements for Wiretaps
218
6.1.3 Obtaining Access to Digital Streams in the Future
220
OCR for page R25
Page xxv
6.1.4 The CALEA Exemption of Information Service Providers and Distinctions Between Voice and Data Services
221
6.2 Other Levers Used in National Cryptography Policy
221
6.2.1 Federal Information Processing Standards
222
6.2.2 The Government Procurement Process
224
6.2.3 Implementation of Policy: Fear, Uncertainty, Doubt, Delay, Complexity
225
6.2.4 R&D Funding
227
6.2.5 Patents and Intellectual Property
228
6.2.6 Formal and Informal Arrangements with Various Other Governments and Organizations
231
6.2.7 Certification and Evaluation
232
6.2.8 Nonstatutory Influence
234
6.2.9 Interagency Agreements Within the Executive Branch
235
6.3 Organization of the Federal Government with Respect to Information Security
237
6.3.1 Role of National Security vis-à-vis Civilian Information Infrastructures
237
6.3.2 Other Government Entities with Influence on Information Security
241
6.4 International Dimensions of Cryptography Policy
243
6.5 Recap
244
PART III—POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS
7 POLICY OPTIONS FOR THE FUTURE
249
7.1 Export Control Options for Cryptography
249
7.1.1 Dimensions of Choice for Controlling the Export of Cryptography
249
7.1.2 Complete Elimination of Export Controls on Cryptography
251
7.1.3 Transfer of All Cryptography Products to the Commerce Control List
254
7.1.4 End-use Certification
256
7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations
256
7.1.6 Liberal Export for Strong Cryptography with Weak Defaults
257
OCR for page R26
Page xxvi
7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces
259
7.1.8 Liberal Export for Escrowable Products with Encryption Capabilities
262
7.1.9 Alternatives to Government Certification of Escrow Agents Abroad
263
7.1.10 Use of Differential Work Factors in Cryptography
264
7.1.11 Separation of Cryptography from Other Items on the U.S. Munitions List
264
7.2 Alternatives for Providing Government Exceptional Access to Encrypted Data
265
7.2.1 A Prohibition on the Use and Sale of Cryptography Lacking Features for Exceptional Access
265
7.2.2 Criminalization of the Use of Cryptography in the Commission of a Crime
273
7.2.3 Technical Nonescrow Approaches for Obtaining Access to Information,
274
7.2.4 Network-based Encryption
278
7.2.5 Distinguishing Between Encrypted Voice and Data Communications Services for Exceptional Access
281
7.2.6 A Centralized Decryption Facility for Government Exceptional Access
284
7.3 Looming Issues
286
7.3.1 The Adequacy of Various Levels of Encryption Against High-Quality Attack
286
7.3.2 Organizing the U.S. Government for Better Information Security on a National Basis
289
7.4 Recap
292
8 SYNTHESIS, FINDINGS, AND RECOMMENDATIONS
293
8.1 Synthesis and Findings
293
8.1.1 The Problem of Information Vulnerability
293
8.1.2 Cryptographic Solutions to Information Vulnerabilities
296
8.1.3 The Policy Dilemma Posed by Cryptography
297
8.1.4 National Cryptography Policy for the Information Age
298
8.2 Recommendations
303
8.3 Additional Work Needed
338
8.4 Conclusion
339
OCR for page R27
Page xxvii
APPENDIXES
A CONTRIBUTORS TO THE NRC PROJECT ON NATIONAL CRYPTOGRAPHY POLICY
343
A.1 Committee Members
343
A.2 Additional Contributors to the Project
349
B GLOSSARY
353
C A BRIEF PRIMER ON CRYPTOGRAPHY
364
C.1 A Very Short History of Cryptography
364
C.2 Capabilities Enabled by Cryptography
365
C.2.1 Ensuring the Integrity of Data
365
C.2.2 Authentication of Users
367
C.2.3 Nonrepudiation
370
C.2.4 Preservation of Confidentiality
371
C.3 Basic Constructs of Cryptography
374
C.4 Attacks on Cryptographic Systems
378
C.5 Elements of Cryptographic Security
383
C.6 Expected Lifetimes of Cryptographic Systems
384
C.6.1 Background
385
C.6.2 Asymmetric Cryptographic Systems
385
C.6.3 Conventional Cryptographic Systems
388
C.6.4 Timing Attacks
390
C.6.5 Skipjack/Clipper/EES
391
C.6.6 A Warning
391
C.6.7 Quantum and DNA Computing
392
C.6.8 Elliptic Curve Cryptographic Systems
394
C.6.9 Quantum Cryptography
394
D AN OVERVIEW OF ELECTRONIC SURVEILLANCE: HISTORY AND CURRENT STATUS
396
D.1 The Legal Framework for Domestic Law Enforcement Surveillance
396
D.1.1 The General Prohibition on Electronic Surveillance
396
D.1.2 Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and the Electronic Communications Privacy Act of 1986
396
D.1.3 The Foreign Intelligence Surveillance Act
403
D.2 Historical Overview of Electronic Surveillance
410
OCR for page R28
Page xxviii
E A BRIEF HISTORY OF CRYPTOGRAPHY POLICY
414
E.1 Export Controls
414
E.2 Academic Research and the Control of Information About Cryptography
415
E.3 Commercial Cryptography
417
E.4 Recent Developments
419
F A BRIEF PRIMER ON INTELLIGENCE
421
F.1 The Intelligence Mission
423
F.2 The Intelligence Cycle
425
F.2.1 Planning
426
F.2.2 Collection
426
F.2.3 Processing
428
F.2.4 Analysis
428
F.2.5 Dissemination
429
G THE INTERNATIONAL SCOPE OF CRYPTOGRAPHY POLICY
430
G.1 International Dimensions of Cryptography Policy
430
G.2 Similarities in and Differences Between the United States and Other Nations with Respect to Cryptography
431
G.3 Foreign Export Control Regimes
434
G.4 Foreign Import and Use Control Regimes
436
G.5 The State of International Affairs Today
438
G.6 Obtaining International Cooperation on Policy Regarding Secure Communications
439
G.7 The Fundamental Questions of International Cryptography Policy
444
G.7.1 Who Holds the Keys?
444
G.7.2 Under What Circumstances Does the Key Holder Release the Keys to Other Parties?
444
G.7.3 How Will Nations Reach Consensus on International Cryptography Policy Regarding Exports and Use?
447
H SUMMARY OF IMPORTANT REQUIREMENTS FOR A PUBLIC-KEY INFRASTRUCTURE
450
I INDUSTRY-SPECIFIC DIMENSIONS OF SECURITY
455
I.1 Banking and Financial Services
455
I.2 Medical Consultations and Health Care
457
I.3 Manufacturing
461
OCR for page R29
Page xxix
I.4 The Petroleum Industry
463
I.5 The Pharmaceutical and Chemical Industries
465
I.6 The Entertainment Industry
466
I.7 Government
466
J EXAMPLES OF RISKS POSED BY UNPROTECTED INFORMATION
469
J.1 Risks Addressed by Cryptography for Authentication
469
J.2 Risks Addressed by Cryptography for Confidentiality
470
J.3 Risks Addressed by Cryptography for Both Authentication and Confidentiality
471
J.4 Risks Addressed by Cryptography for Data Integrity
472
K CRYPTOGRAPHIC APPLICATIONS PROGRAMMING INTERFACES
474
L OTHER LOOMING ISSUES RELATED TO CRYPTOGRAPHY POLICY
477
L.1 Digital Cash
477
L.1.1 Anonymity and Criminal Activity
480
L.1.2 Public Trust
480
L.1.3 Taxation
482
L.1.4 Cross-Border Movements of Funds
482
L.2 Cryptography for Protecting Intellectual Property
482
M FEDERAL INFORMATION PROCESSING STANDARDS
485
N LAWS, REGULATIONS, AND DOCUMENTS RELEVANT TO CRYPTOGRAPHY
489
N.1 Statutes
489
N.1.1 Wire and Electronic Communications Interception and Interception of Oral Communications(U.S. Code, Title 18, Chapter 119)
489
N.1.2 Foreign Intelligence Surveillance (U.S. Code, Title 50, Chapter 36)
511
N.1.3 Pen Register and Traffic Analysis (U.S. Code, Title 18, Chapters 121 and 206)
526
N.1.4 Communications Assistance for Law Enforcement Act of 1995
540
N.1.5 Computer Security Act of 1987
551
N.1.6 Arms Export Control Act (U.S. Code, Title 22, Chapter 39)
558
OCR for page R30
Page xxx
N.2 Executive Orders
573
N.2.1 Executive Order 12333 (U.S. Intelligence Activities)
573
N.2.2 Executive Order 12958 (Classified National Security Information)
589
N.2.3 Executive Order 12472 (Assignment of National Security and Emergency Preparedness Telecommunications Functions)
612
N.2.4 National Security Directive 42 (National Policy for the Security of National Security Telecommunications and Information Systems)
620
N.3 Memorandums of Understanding (MOU) and Agreement (MOA)
627
N.3.1 National Security Agency/National Institute of Standards and Technology MOU
627
N.3.2 National Security Agency/Federal Bureau of Investigation MOU,
630
N.3.3 National Security Agency/Advanced Research Projects Agency/Defense Information Systems Agency MOA
632
N.4 Regulations,
636
N.4.1 International Traffic in Arms Regulations (22 CFR, Excerpts from Parts 120-123, 125, and 126)
636
N.4.2 Export Administration Regulations
655
INDEX
677
OCR for page R31
CRYPTOGRAPHY S
2oLE
it.
EN
SECURING THE
it.
l NFORMATION
SOCIETY
OCR for page R32
Page xxxii
CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY
National cryptography policy entails a complex juggling act among a number of different interests. A member of the National Research Council's Committee to Study National Cryptography Policy, Ronald Graham (pictured above) is also a member of the National Academy of Sciences and a past president of the International Juggling Association. Photograph by Ché Graham.
Representative terms from entire chapter:
national cryptography policy, international cryptography policy, cryptography policy issues, cryptography policy regarding, cryptography policy, study national cryptography, underlying national cryptography, national cryptography, national security agency, national security concerns, law enforcement crisis, law enforcement act, law enforcement, united states industry, export controls, escrowed encryption, effective cryptographic technologies, study national, government exceptional access, cryptographic technologies, information technology industry, information security, telecommunications board, global information society, information society kenneth, looming issues related, exceptional access, technology industry council, security agency, export control regimes
Items in cart [0]
