Letter to CACM, Nov. 1992

Here's a little letter I wrote to the Communications of the ACM that got published in CACMv35n11.

Note that they didn't publish it quite as I'd sent it to them (they omitted a few things like the list of references, as well as making some other editorial changes), but I want to present it here exactly as it was published, word-for-word.

IMO, the first few paragraphs are as applicable today as they were then. The more you get into the letter, the less relevant it is to today's problems, however.

After reading all the National Security Agency bashing in the July issue of Communications, I was both amazed and appalled that one very important topic was omitted. Namely, that the NSA, through its actions to squelch the publication of good encryption algorithms and attempts to force standardization on poor ones, has defeated its very purpose, in addition to causing very grave harm to national security interests.

Firstly, the former Soviet Union (now the Commonwealth of Independent States) has had good cheap working copies of both DES and RSA for years now, according to [1]. Secondly, anyone who wants either the algorithms themselves or the executable code, can easily get what they want. In fact, I have found the source code to DES available via anonymous ftp on the Internet. The RSA algorithm is somewhat more difficult to acquire, but not much. Clearly, the NSA has failed miserably in keeping these algorithms from circulating outside certain circles within the U.S.

Many people already know that government agencies are required, by law, to adhere to various different standards enacted by NIST, through their Federal Information Processing Standards (FIPS). What they may not realize is that, by congressional order, the federal agencies are required to use Commercial Off-The-Shelf (COTS) software, wherever feasible. If American companies refrain from producing a quality encryption product due to the FIPS or influences by the NSA, and the federal agencies desire to use a quality product, then they must go to contractors to have one specially written at a good deal of cost. We end up spending significantly more simply because the products we need are not commercially available.

Additionally, since American companies are not given a good standardization method of efficiently and appropriately protecting their confidential data, they are very prone to industrial espionage. Most of the countries which have been our national security espionage adversaries in the past have since turned a significant portion of their efforts over to industrial espionage, making them very vulnerable. Since national security depends, in large part, upon the welfare of defense industry and other high-technology companies, the NSA has succeeded in doing very grave harm to national security interests by leaving these companies to the wolves. Of course, these companies can also contract to have good encryption algorithms implemented for them, but then that puts them in the same boat as the federal government, in that they would be spending much more money than necessary.

Then we have the issue of interoperability -- if we were using known commercial implementations of some standard encryption algorithm, then we could be reasonably sure that we could communicate with each other with a minimum of additional difficulty. However, if we have our own private versions of even good encryption algorithms, no matter how well-written the standard, then there are very serious questions about compatibility, which means, more likely than not, encrypting something would most likely not be done, which would mean that it is effectively totally unprotected. If only the FIPS standard encryption algorithm, were a good one to begin with, and a good implementation of it (through the proper choice of long keys, etc..., as suggested in Rivest, et al. [4]) were included as a part of that standard, then those additional and totally unnecessary costs could be avoided.

In order to balance the needs of the users and the government's needs, I suggest the following:

Have a central Key Distribution Facility (KDF) that is run under the auspices of the IEEE, ANSI, FBI, NIST, another government agency, or some neutral third party -- one that gives a reasonable guarantee (one I will not attempt to define here) that the keys will be kept safely from prying eyes, even those that belong to the government. Specify that the RSA encryption algorithm (or some other public-key encryption algorithm) will be used to safely encrypt messages, and that all keys for this implementation will be issued by this KDF. Furthermore, if law enforcement agencies can present a legal wiretap order to this KDF, then issue them the private key(s) for the person(s) or organization that is/are going to be wiretapped.

There are many implementation details that have been omitted from this discussion, but I feel that this proposal will allow the public the same reasonable guarantee that we have today, namely that no one is illegally listening to conversations. If an international implementation of the encryption scheme is desired, then the organization could be sponsored under the CCITT, ISO, UN, or some other appropriate international organization.

Brad Knowles
Defense Information Systems Agency

Some interesting points:

• A fundamental problem is that many companies in the U.S. are international in nature today, and it is not uncommon to have an U.S. (non-exportable) version, a version for export only, and if you're lucky, a version that suffers from the "Lowest Common Denominator Disease" and can be used anywhere. Unfortunately if it's exportable, the NSA has pretty much guaranteed that it's not cryptographically strong by today's best practices, and therefore could be considered to be worse than having no encryption at all, since it would tend to lull you into a false sense of security.

  The part of the companies here in the U.S. need to be able to protect their overseas affiliates/subsidiaries every bit as much (or more) than they protect themselves in the U.S., but it also needs to be able to guarantee interoperability. But if the exportable encryption isn't strong, then it's not going to be desirable to use in the U.S. Today, strong cryptography and exportability are mutually exclusive, which means that interoperability is virtually non-existant. Gee, thanks.

• The term "...very grave harm to national security interests" comes from the DOD TCSEC "Orange Book", and is the term used to describe the results of committing Treason and handing over Classified Top Secret data to the Enemy. This term was very carefully chosen, and used in precisely the context in which it was intended.
• I talk about what amounts to Key Escrow, but I really should have thought of splitting a key up into M parts, of which only N are required to reassemble the original key (N < M in most cases). Nevertheless, this is the first discussion I know of what later became known as Key Escrow. I'd love to see literature or references to literature that has an earlier discussion of this concept.
• As I'm sure you can imagine, the above letter did not make the Director of the NSA very happy. I was informed by my Directorate Chief at the time that the DIRNSA was hopping mad, called the Director of DISA and basically screamed "WHAT THE F**K IS YOUR BOY DOING OVER THERE?!?" To which the Director of DISA turned around and called my Directorate Chief and repeated the demand/question. Although I was ignorant of the government regulations regarding publication of any documents by employees and contractors (and was stupid enough to use government facilities to send the original email), I still stand behind what I said -- I said what I meant, and I meant what I said. I'll defend it to anyone in the world. There are just some issues that are so important that they are worth virtually any punitive action that can be taken in response.
• So far as I could tell, things got awful quiet in the encryption/privacy community after this letter was published. No one has yet been able to give me a satisfactory answer to this question, and I have a hard time believing that I alone could have had that chilling of an effect.

Some related thoughts:

So, tell me why the State Department had to smuggle STU-III (Secure Telephone Unit III) devices out of the U.S. in diplomatic pouches for delivery to our guys in Saudi Arabia for support of Desert Shield/Desert Storm, when it is the State Department that is supposed to enforce this damn ITAR regulation in the first place?!? This fact was widely reported in the press at the time, by the way....

So, tell me why the STU-III units can be manufactured overseas (in Norway?), but once they're brought to the U.S. and activated with a Key, they are now considered "munitions" and aren't even exportable back to the original country of manufacture? What the HELL is it that we're protecting here, anyway?!?

So, tell me why the contract for the encryption engine for the STU-IV was explicitly given to a Canadian company because they aren't subject to U.S. ITAR restrictions?