Monday, Mar. 14, 1994
Who Should Keep the Keys?
By Philip Elmer-DeWitt
Until quite recently, cryptography -- the science of making and breaking secret codes -- was, well, secret. In the U.S. the field was dominated by the National Security Agency, a government outfit so clandestine that the U.S. for many years denied its existence. The NSA, which gathers intelligence for national security purposes by eavesdropping on overseas phone calls and cables, did everything in its power to make sure nobody had a code that it couldn't break. It kept tight reins on the "keys" used to translate coded text into plain text, prohibiting the export of secret codes under U.S. munitions laws and ensuring that the encryption scheme used by business -- the so-called Digital Encryption Standard -- was weak enough that NSA supercomputers could cut through it like butter.
But the past few years have not been kind to the NSA. Not only has its cover been blown, but so has its monopoly on encryption technology. As computers -- the engines of modern cryptography -- have proliferated, so have ever more powerful encryption algorithms. Telephones that offered nearly airtight privacy protection began to appear on the market, and in January U.S. computermakers said they were ready to adopt a new encryption standard so robust that even the NSA couldn't crack it.
Thus the stage was set for one of the most bizarre technology-policy battles ever waged: the Clipper Chip war. Lined up on one side are the three-letter cloak-and-dagger agencies -- the NSA, the CIA and the FBI -- and key policymakers in the Clinton Administration (who are taking a surprisingly hard line on the encryption issue). Opposing them is an equally unlikely coalition of computer firms, civil libertarians, conservative columnists and a strange breed of cryptoanarchists who call themselves the cypherpunks.
At the center is the Clipper Chip, a semiconductor device that the NSA developed and wants installed in every telephone, computer modem and fax machine. The chip combines a powerful encryption algorithm with a "back door" -- the cryptographic equivalent of the master key that opens schoolchildren's padlocks when they forget their combinations. A "secure" phone equipped with the chip could, with proper authorization, be cracked by the government. Law-enforcement agencies say they need this capability to keep tabs on drug runners, terrorists and spies. Critics denounce the Clipper -- and a bill before Congress that would require phone companies to make it easy to tap the new digital phones -- as Big Brotherly tools that will strip citizens of whatever privacy they still have in the computer age.
In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich Partners, two-thirds said it was more important to protect the privacy of phone calls than to preserve the ability of police to conduct wiretaps. When informed about the Clipper Chip, 80% said they opposed it.
The battle lines were first drawn last April, when the Administration unveiled the Clipper plan and invited public comment. For nine months opponents railed against the scheme's many flaws: criminals wouldn't use phones equipped with the government's chip; foreign customers wouldn't buy communications gear for which the U.S. held the keys; the system for giving investigators access to the back-door master codes was open to abuse; there was no guarantee that some clever hacker wouldn't steal the keys. But in the end the Administration ignored the advice. In early February, after computer- industry leaders had made it clear that they wanted to adopt their own encryption standard, the Administration announced that it was putting the NSA plan into effect. Government agencies will phase in use of Clipper technology for all unclassified communications. Commercial use of the chip will be voluntary -- for now.
It was tantamount to a declaration of war, not just to a small group of crypto-activists but to all citizens who value their privacy, as well as to telecommunications firms that sell their products abroad. Foreign customers won't want equipment that U.S. spies can tap into, particularly since powerful, uncompromised encryption is available overseas. "Industry is unanimous on this," says Jim Burger, a lobbyist for Apple Computer, one of two dozen companies and trade groups opposing the Clipper. A petition circulated on the Internet electronic network by Computer Professionals for Social Responsibility gathered 45,000 signatures, and some activists are planning to boycott companies that use the chips and thus, in effect, hand over their encryption keys to the government. "You can have my encryption algorithm," said John Perry Barlow, co-founder of the Electronic Frontier Foundation, "when you pry my cold dead fingers from my private key."
The seeds of the present conflict were planted nearly 20 years ago, when a young M.I.T. student named Whitfield Diffie set out to plug the glaring loophole in all traditional encryption schemes: their reliance on a single password or key to encode and decode messages. Ultimately the privacy of coded messages is a function of how carefully the secret decoder keys are kept. But people exchanging messages using conventional coding schemes must also find a way to exchange the key, which immediately makes it vulnerable to interception. The problem is compounded when encryption is employed on a vast scale and lists of keys are kept in a central registry.
Diffie's solution was to give everybody two keys -- one that could be widely distributed or even published in a book, and a private key known only to the user. For obscure mathematical reasons, a message encoded with either key could be decoded with the other. If you send a message scrambled with someone's public key, it can be turned back into plain text only with that person's private key.
The Diffie public-key encryption system could solve one of the big problems facing companies that want to do business on the emerging information highway: how to collect the cash. On a computer or telephone network, it's not easy to verify that the person whose name is on a credit card is the one who is using it to buy a new stereo system -- which is one of the reasons catalog sales are * rife with fraud. But if an order confirmation encoded with someone's public key can be decoded by his or her private key -- and only his or her private key -- that confirmation becomes like an unforgeable digital signature.
However, public-key encryption created a headache for the NSA by giving ordinary citizens -- and savvy criminals -- a way to exchange coded messages that could not be easily cracked. That headache became a nightmare in 1991, when a cypherpunk programmer named Phil Zimmermann combined public-key encryption with some conventional algorithms in a piece of software he called PGP -- pretty good privacy -- and proceeded to give it away, free of charge, on the Internet.
Rather than outlaw PGP and other such programs, a policy that would probably be unconstitutional, the Administration is taking a marketing approach. By using its purchasing power to lower the cost of Clipper technology, and by vigilantly enforcing restrictions against overseas sales of competing encryption systems, the government is trying to make it difficult for any alternative schemes to become widespread. If Clipper manages to establish itself as a market standard -- if, for example, it is built into almost every telephone, modem and fax machine sold -- people who buy a nonstandard system might find themselves with an untappable phone but no one to call.
That's still a big if. Zimmermann is already working on a version of PGP for voice communications that could compete directly with Clipper, and if it finds a market, similar products are sure to follow. "The crypto genie is out of the bottle," says Steven Levy, who is writing a book about encryption. If that's true, even the NSA may not have the power to put it back.
With reporting by David S. Jackson/San Francisco and Suneel Ratan/Washington