13 July 1998; add JG message and WSJ article; add KE message; add PK message
To: cypherpunks@cyberpass.net
Subject: "breakthrough possible" on crypto law
Date: Mon, 13 Jul 98 00:42:35 -0700
From: "Vladimir Z. Nuri" <vznuri@netcom.com>

------- Forwarded Message

Date: Sun, 12 Jul 1998 07:19:12 -0500
To: believer@telepath.com
From: believer@telepath.com
Subject: IP: Encryption Battle Breakthrough Possible

Source: Washington Post

Breakthrough Possible in Battle Over Encryption Technology
By Elizabeth Corcoran
Washington Post Staff Writer
Sunday, July 12, 1998; Page A08

A coalition of high-tech companies plans to unveil a plan tomorrow it hopes will persuade the U.S. government to dramatically loosen export restrictions on sophisticated data-scrambling technology. Government officials say they are cautiously optimistic that the coalition's approach, dubbed the "private doorbell," will win their approval.

The industry group hopes to win a license to export the technology as part of "routers," computer hardware and software that transmit data over electronic networks. If approved, the proposal will mark an important shift in the more than five-year struggle over encryption technology that has pitted the government against high-tech companies and privacy advocates. The coalition of about 10 companies is led by networking giant Cisco Systems Inc.

There are no restrictions on use of encryption technology in the United States. But both law enforcement and national security agents have long worried that if sophisticated encryption technology becomes widely used, it will hinder their efforts to track down terrorists and criminals. As a result, the government has tightly controlled the export of such technology, reasoning that U.S. companies are unlikely to build different types of encryption products for use at home and abroad.

Computer companies and privacy advocates, however, argue that unfettered access to the strongest forms of encryption is essential to ensuring privacy and promoting commerce in the information age.
The conflicting concerns for privacy and security have made for a bitter ideological battle. Recently, officials on both sides have been struggling with whether they should devise a global solution or put together a mosaic of regulations that lets some companies sell sophisticated products to certain users under certain conditions. If the government and the private companies agree on the doorbell proposal, that would solidify the more piecemeal approach. The doorbell proposal also would be an important piece in the mosaic because it would make sophisticated encryption technology much more available than it is today.

"The administration and the industry have all hit on the notion that they should take this a bite at a time," said Stewart Baker, former general counsel for the National Security Agency and now an attorney in private practice in Washington.

"We're pushing the issue, bringing it to a head," said John Chambers, Cisco's chief executive. If industry is broadly restricted from selling its best encryption products abroad, "I think you slow down the growth in business's ability to use the Internet [and to] have influence over how it evolves," he said.

Other companies in the coalition include Sun Microsystems Inc., Novell Inc., Hewlett-Packard Co. and Network Associates, which makes security software. Although other major names in the industry, including Intel Corp., Microsoft Corp. and Netscape Communications Corp., are not currently filing for a "private doorbell" license, those companies said they support the approach.

Here's how it would work: Many organizations, whether they are private companies or Internet service providers, serve as gateways for managing the electronic messages sent by their employees or subscribers. Just before messages are released to the Internet, such organizations could encrypt or scramble them to protect the content from unwanted eavesdroppers.
Every snippet of electronic mail carries with it the Internet address of the sender and receiver. And "routers," the equipment that oversees the traffic, can be programmed to fish out specific addresses from the stream of data flowing through them. So either just before outgoing mail is scrambled or after incoming mail is deciphered, a router could pull out messages that law enforcement officers would specify in a warrant.

"We think this is a simple market solution to a complicated problem," said Kelly Huebner Blough, director of government relations at Network Associates in Santa Clara, Calif.

Americans for Computer Privacy, a lobbying organization focused on encryption, is strongly backing the "private doorbell" plan, said its counsel, Jeffrey Smith. "It's true that this does not give the government everything it wants," he said. But it shows how industry and government can work together to solve the encryption problem, piece by piece, he added.

"We think it's a fair compromise," said Dan Scheinman, vice president of legal affairs for Cisco. "Law enforcement gets legitimate access to data and people have a reasonable expectation of privacy when they use [data] networks, just like they have with the phone system."

Cisco executives contend their solution mirrors how law enforcement works in telephone tapping. But to get what they're after this time, authorities need the cooperation of whoever manages the router. "This doesn't solve the problem of what happens if the manager of the network is corrupt," Scheinman said. But he noted that if a phone system manager is corrupt, authorities would have the same problem. Similarly, the proposal does not stop an individual from encrypting a message on a home personal computer.

Overseas, U.S. law enforcement would have to have the cooperation of local authorities as well as the relevant network managers to get access to information. Again, this is what they currently have to do when they want to monitor telephone calls.
Sources said U.S. domestic law enforcement agencies, which are accustomed to working with court warrants for wiretaps, are willing to accept this proposal. However, strong opposition continues to come from the National Security Agency, which today can eavesdrop on communications overseas without asking permission from anyone.

Under current regulations, companies wanting to export powerful encryption products must create a plan to build a "spare key" into their systems. Such keys are stored by a "trusted" party -- either an independent organization or perhaps the company itself -- that would surrender the keys to law enforcement officials equipped with the proper warrant. Privacy advocates also have argued the current system is vulnerable because any collection of spare keys makes data potentially more accessible to eavesdroppers.

But David Sobel, counsel with the Electronic Privacy Information Center, stopped short of endorsing the new doorbell proposal. Any effort that lets people better protect their information improves privacy, he said. But, he cautioned, relying on a third party such as a company or Internet service provider to ensure security raises privacy concerns.

© Copyright 1998 The Washington Post Company

------- End of Forwarded Message
Date: Mon, 13 Jul 1998 07:17:15 -0700
To: cryptography@c2.net
From: James Glave <james@wired.com>
Subject: Cisco, NAI propose new key recovery

(I'm a journalist doing a story for Wired News (http://www.wired.com) on this new proposal put forth by Cisco and NAI for building key recovery into routers. If anyone wants to chat about it, please drop me a note to james@wired.com or give me a call at (415) 276-8430. I expect to publish by 9am PST Monday - thanks all.)

July 13, 1998

Cisco to Offer New Approach To Encryption Technology
By RALPH T. KING, JR. and JOHN SIMONS
Staff Reporters of THE WALL STREET JOURNAL

A computer-industry group will offer Monday a new approach to encryption technology that would keep electronic messages secure but still enable government officials to "eavesdrop" for law enforcement.

The group, led by Cisco Systems Inc., San Jose, Calif., hopes the solution will persuade the government to ease export restrictions that have made overseas competition difficult for U.S. hardware and software manufacturers. Government officials and computer-industry representatives have been locked in a frustrating impasse for years, unable to resolve Federal Bureau of Investigation concerns that encryption products would help criminals mask their misdeeds in e-mail and other types of communication. Various past plans that initially seemed promising have proved unworkable.

Advocates of the Cisco proposal say their approach is not foolproof, but hope it could finally begin to break the logjam. "It's not the complete answer, but it's a very positive step," said Gene Hodges, vice president of marketing for Network Associates Inc. in Santa Clara, Calif.

Members of the group seeking export licenses for the technology besides Cisco and Network Associates include Sun Microsystems Inc., Palo Alto, Calif.; Novell Inc., Provo, Utah; and Hewlett-Packard Co., Palo Alto.
Other companies supporting the initiative are Microsoft Corp., Redmond, Wash.; Intel Corp., Santa Clara; and Netscape Communications Corp., Mountain View, Calif.

White House officials said the plan helps lead industry and government in a "refreshing new direction" in its pursuit of an agreeable solution to encryption export controls. "We welcome this creative and innovative plan," said an administration official familiar with the proposal.

The technology would allow data to be scrambled for privacy but provide restricted access to it at the beginning and end of each transmission. The access points, so-called "private doorbells," are inside routers, the computers that direct data traffic, or inside software that controls such networks.

In simple terms, the system works as if it were operating at both ends of a string connecting two tin cans. Data travels down the string in scrambled form. But before it leaves one can, and once it reaches the other, it is unscrambled and can be retrieved if the address of the sender or receiver is known. The routers, or the controlling software, can be programmed to pull out the messages to or from a specific address.

But under certain scenarios, the approach might not work. For example, if two parties encrypted their messages before sending them, the intercepted traffic would be impossible to decipher. So-called end-to-end encryption is widely available.

"There are limits to what this technology can do," said an executive with one of the member companies. "This is a lock on a door, but there will need to be other locks on doors, as well, to achieve the kind of security we want."

Officials at both the Commerce and Justice departments will review the plan in the coming weeks. According to one administration official, "We expect that there will be a number of issues that will need to be resolved. We want to be sure that the approach strikes a good balance between protecting business information and national security and law-enforcement interests."

James Glave, News Editor, Wired News, http://www.wired.com (415) 276-8430
Date: Mon, 13 Jul 1998 12:03:58 -0400
To: cryptography@c2.net
From: Kathleen Ellis <ellis@epic.org>
Subject: Cisco et al. to build GAK into routers

Note the conference call information at the bottom. (!) I just bought & installed a new NetGear (Bay Networks) ethernet hub for EPIC... now I'll probably be sending it back.

From http://www.cisco.com/warp/public/146/july98/3.html

Thirteen High-Tech Leaders Support Alternative Solution to Network Encryption Stalemate

Ascend, Bay Networks, Cisco Systems, 3Com, Hewlett-Packard Company, Intel, Microsoft, Netscape Communications, Network Associates, Novell, RedCreek Communications, Secure Computing, Sun Microsystems support alternative solution to win U.S. export relief

Encryption White Paper

SAN JOSE, Calif. -- July 13, 1998 -- Thirteen leading high-tech companies today announced support for a 'private doorbell' solution to the network encryption stalemate called 'operator action.' Ten of the 13 companies filed proposals with the U.S. Department of Commerce last week, asking for permission to sell strong encryption products abroad that use operator action technologies.

An alternative to key recovery, the operator action model delivers a 'private doorbell,' not a 'house-key' to parties lawfully seeking access to data. Under the operator action model, information traveling over a data network remains secure and private unless a network operator is served with a legal warrant or court order. Once served, the network operator can access a network control switch that actively filters messages delivered over a private network or the public Internet. The solution allows customers to keep their private information 'private,' unless directed to disclose information by legal warrant or court order. While this effort represents a partial solution to the encryption debate, industry is committed to work together toward a complete solution.
An Industry Solution

Ascend, Bay Networks, Cisco Systems, 3Com, Hewlett-Packard Company, Intel, Microsoft, Netscape Communications, Network Associates, Novell, RedCreek Communications, Secure Computing, Sun Microsystems jointly support the industry alternative, which balances the privacy needs of individuals and businesses with the security needs of U.S. law enforcement. Today's announcement reflects the convergence of thirteen companies around a technology concept that addresses the complex issue of accessing encrypted information over data networks. The filings request broad export relief for a range of networking products including most firewalls, VPNs (Virtual Private Networks), and E-commerce products. Industry leaders have been working to define an operational standard since October 1997.

"As the global public network becomes increasingly important to both business and consumers, resolving issues such as exportation of security technology becomes more and more critical," said Mory Ejabat, CEO of Ascend Communications. "We fully support this effort as we believe it meets the needs of both the public and private sector."

"Bay Networks and other American companies have developed the world's leading encryption technology," said Dave House, chairman, president, and CEO of Bay Networks. "Our overseas customers want that technology and the privacy that goes with it, and this solution will allow us to export our technology, instead of handing the business over to foreign companies."

"As the Internet continues to drive economic and job opportunities worldwide, it's important customers feel safe doing business on the web," said John T. Chambers, president and CEO of Cisco Systems. "This industry proposal extends the same privacy rights we enjoy today to tomorrow's digital world, delivers a market-driven solution our customers want, and secures a competitive advantage for the U.S. high-tech industry."
"U.S. technological leadership depends on a reasoned resolution to this debate," said Eric Benhamou, chairman and CEO of 3Com. "Continued evolution of converged networks will require balancing the needs of businesses and government agencies concerning data security."

"We are committed to providing our worldwide customers the network security that they demand," said William Larson, CEO of Network Associates. "The industry is presenting an innovative solution that meets both market and government requirements for network layer encryption."

"Relief from export controls is an industry-wide matter," said Jim Barksdale, president and CEO of Netscape. "We believe the 'private doorbell' feature, if successful, will demonstrate that industry and government can work together. Further relief, however, will be necessary in the near term, if US vendors are to remain ahead of their overseas competitors."

"This solution represents a real step forward for U.S. encryption policy," said Eric Schmidt, CEO of Novell. "At last, we have a market solution that meets the needs of consumers, corporations, law enforcement and national security."

"RedCreek believes that the adoption of this proposal is essential to the healthy development of the market for products that address business use of the Internet," said Tom Steding, CEO of RedCreek Communications Inc. "This international market has in the main been denied to U.S. companies. Particularly for VPN companies, our ability to compete internationally will be significantly restored by its adoption."

"It is vital for our customers to be able to implement technology on a global level, without country-specific restrictions limiting their use or effectiveness," said Jeff Waxman, CEO and Chairman of Secure Computing Corporation. "Security is a top priority for multi-national corporations and this action, which attempts to find a solution, will help move the promise of ubiquitous security to a reality."
Critical Differences from Key Recovery

The proposal is a compelling alternative in the network space to key recovery. Protecting privacy and due process rights, the industry proposal delivers an important solution for securing data over a public or private network. In seeking government export approval, the companies made no modifications to their products or encryption technology. The companies however offered to restrict sales to some foreign governments and militaries, and to continue to comply with existing U.S. Department of Commerce regulations.

Cisco Systems

Cisco Systems, Inc. (NASDAQ: CSCO) is the worldwide leader in networking for the Internet. News and information are available at http://www.cisco.com.

# # #

A copy of the white paper on encryption export is available at the following URL: http://www.cisco.com/warp/public/146/july98/2.html

Editor Note: Conference call with industry executives July 13, 1998 11 am - 1 pm PDT (888) 527-4180, ID : 8903
Date: Mon, 13 Jul 1998 11:24:06 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: cryptography@c2.net
Subject: Re: Cisco et al. to build GAK into routers

I just read the Cisco white paper. They're proposing simply that there be plaintext back doors into encryption boxes that operate at less than an end-to-end level and are operated by entities other than the one under investigation. A good example would be a tunnel-mode IPSEC gateway operated as part of a company's virtual private network when the target of the investigation is, say, an employee.

This hardly creates a new vulnerability, at least not in principle. It merely illustrates a basic security principle we've known for a very long time: security mechanisms should always be placed as close as possible to the entities that they protect. And to prevent conflicts of interest, they should be controlled by the same entities whose data they are protecting. In other words, user-controlled end-to-end encryption is the only way to go, and only a fool trusts someone else to encrypt his data for him. We've *always* known that.

Tunnel-mode IPSEC is still useful as a way of allowing an employee to penetrate a corporate firewall from the outside when he travels. But the user must remember that the encryption here is for the company's benefit, not his own. Tunnel-mode IPSEC is still no substitute for end-to-end encryption controlled by the user himself.

Phil
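The mechanism the Washington Post article sketches (a router filters traffic for a warranted address just before it is encrypted or just after it is decrypted) and Phil Karn's point about where the encryption boundary sits can both be made concrete in a small model. The Python below is an added example written for this page; it is not code from Cisco, the coalition, or any of the posters. The gateway class, its address-filter "doorbell", the HMAC-based toy stream cipher, the addresses and the sample message are all constructed here for illustration. It shows the two cases side by side: when only the operator's tunnel gateway encrypts, the filter copies plaintext; when the user encrypts end to end before handing the packet to the gateway, the same filter in the same place copies only ciphertext, exactly the limitation the Wall Street Journal piece and Karn describe.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample message and addresses (not taken from the page).
PLAINTEXT = b"quarterly numbers attached, do not forward"
ALICE, BOB = "alice@corp.example", "bob@partner.example"
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for a real cipher,
    enough to make 'what the gateway can see' depend only on who holds the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


class TunnelGateway:
    """Operator-run tunnel endpoint (the page's router or VPN gateway).
    It encrypts every packet on egress and decrypts on ingress, so on the
    un-tunnelled side it holds whatever the user handed it. The 'doorbell'
    is an address filter the operator enables only when served a warrant."""

    def __init__(self, tunnel_key: bytes) -> None:
        self.tunnel_key = tunnel_key
        self.warrant_targets: set[str] = set()
        self.intercepted: list[bytes] = []

    def serve_warrant(self, address: str) -> None:
        self.warrant_targets.add(address)

    def _filter(self, pkt: Packet) -> None:
        # Runs on the un-tunnelled side: what it copies is exactly what the gateway can see.
        if pkt.src in self.warrant_targets or pkt.dst in self.warrant_targets:
            self.intercepted.append(pkt.payload)

    def egress(self, pkt: Packet) -> Packet:
        self._filter(pkt)  # before tunnel encryption
        return Packet(pkt.src, pkt.dst, encrypt(self.tunnel_key, pkt.payload))

    def ingress(self, pkt: Packet) -> Packet:
        clear = Packet(pkt.src, pkt.dst, decrypt(self.tunnel_key, pkt.payload))
        self._filter(clear)  # after tunnel decryption
        return clear


def transit(sender_gw: TunnelGateway, receiver_gw: TunnelGateway, pkt: Packet) -> Packet:
    """Packet leaves through the sender's gateway, crosses the tunnel, enters via the receiver's."""
    return receiver_gw.ingress(sender_gw.egress(pkt))


def doorbell_scenario() -> tuple[bytes, list[bytes]]:
    """Gateway-only encryption: returns (what Bob receives, what Alice's operator captured)."""
    tunnel_key = os.urandom(32)
    alice_gw, bob_gw = TunnelGateway(tunnel_key), TunnelGateway(tunnel_key)
    alice_gw.serve_warrant(ALICE)
    delivered = transit(alice_gw, bob_gw, Packet(ALICE, BOB, PLAINTEXT))
    return delivered.payload, alice_gw.intercepted


def end_to_end_scenario() -> tuple[bytes, list[bytes]]:
    """User-controlled encryption applied before the gateway: returns
    (what Bob reads after decrypting, what both operators' filters captured)."""
    tunnel_key = os.urandom(32)
    user_key = os.urandom(32)  # shared only between Alice and Bob, never with an operator
    alice_gw, bob_gw = TunnelGateway(tunnel_key), TunnelGateway(tunnel_key)
    alice_gw.serve_warrant(ALICE)
    bob_gw.serve_warrant(ALICE)
    delivered = transit(alice_gw, bob_gw, Packet(ALICE, BOB, encrypt(user_key, PLAINTEXT)))
    return decrypt(user_key, delivered.payload), alice_gw.intercepted + bob_gw.intercepted


if __name__ == "__main__":
    _, seen = doorbell_scenario()
    print("gateway-only encryption, filter sees:", seen[0])
    _, seen = end_to_end_scenario()
    print("end-to-end encryption, filter sees:", seen[0].hex())
```

Nothing about the filter changes between the two runs; only who holds the key that protects the payload. That is Karn's principle in executable form: the doorbell is a property of where the encryption boundary sits relative to the operator, not of the router.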