White House Wants a Clipper Alternative
The Clinton administration is wavering on its commitment to the controversial chip, dispatching NIST on a quick search for more politically correct crypto
The National Institute of Science and Technology has launched a quiet nine-month search for alternatives to the controversial Clipper cryptography chip designed by the National Security Agency.
The search was commissioned by officials in the White House, who have been bombarded with criticism of Clipper by the computer, software and crypto industries, as well as lobbying groups seeking to minimize the government's role in computer communications.
NIST's search for alternatives is focused on software-based crypto and is "a best faith effort on the part of the government to show some of the Clipper critics that the government is willing to go halfway," said Lynn McNulty, NIST's associate director of computer security. With help from the NSA, NIST is responsible for promoting the security of the government's unclassified information.
"There may be better alternatives out there," said Mike Nelson, special assistant for information technology at the White House. But the NIST-led investigation is no repudiation of Clipper, which remains the best available answer to the competing demands for personal privacy and government investigation of criminal activities, he said.
The Clipper chip will be widely used in government to scramble unclassified data, voice conversations and E-mail messages exchanged between government officials, but there's no plan to mandate that companies or individuals use Clipper.
The NIST investigation deals with one of two primary criticisms of the Clipper chip: that it is a classified creation of the government's chief agency for electronic eavesdropping, and therefore can't be trusted by U.S. or foreign citizens.
However, the NIST investigation doesn't question the other knock on the chip, which is also the most controversial: whether the U.S. government should promote the use of encryption methods that it can bypass.
The heart of Clipper is a secret data-scrambling algorithm known as Skipjack, which is inside tamper-proof devices, such as the Tessera card built by Secure Computing Corp. of Roseville, Minn., or the Clipper voice-scrambling chip.
This approach allows the government to keep secret its advanced encryption software and hinder covert alteration of the encryption algorithm, said Clinton Brooks, chief of external affairs at the National Security Agency in Fort Meade, Md.
The Clipper's inner technology is secret "because it is so damn good that we don't want others to have it... it would be flat-out irresponsible," Brooks said.
This approach stands in contrast to the widely used (and government-endorsed) Data Encryption Standard, a 1970s-era unclassified, easily examined software program that can be installed in most types of computers.
Critics of Clipper say it is a much more expensive scheme than software-only encryption methods such as DES, and that any revelation of the secret encryption scheme could allow eavesdroppers to unscramble private data.
Also, reliance on a secret method raises concerns among potential U.S. and foreign customers that the U.S. government may have secretly installed an extra channel for covertly reading private data. By relying on unclassified software, such as DES, the government can show there is no secret trapdoor, easing sales of electronics and software, they say.
These secrecy-related Clipper issues have spawned numerous informal academic and private industrial efforts to find software-based rivals, according to Dorothy Denning, one of the few Clipper advocates.
For example, government officials, academics and industry representatives recently met in Karlsruhe, Germany, where they discussed various ideas for unclassified, software-based encryption methods, said Denning, who is a professor at Georgetown University, Washington.
One U.S.-developed alternative is being offered by Stephen Walker, president of Trusted Information Systems Inc., an encryption firm based in Glenwood, Md. The system may get a showing before the NSA by the end of this month, Walker said.
Brooks said the NSA has no objection in principle to government-sponsored software-based encryption.
It would be cheaper to produce, easier to install in electronic networks and would not "suffer from criticism that was created by the NSA," he said.
But although software-based systems can be as tough for an enemy to crack as secret encryption methods, they are more vulnerable to covert alteration, he said.
Such alterations could include the modification of the software to secretly divert private data to another organization, or to prevent the government's legal monitoring of criminal activities, said Brooks.
Officials working for Hewlett Packard Co. have offered a plan to overcome legal obstacles that hinder the international use of Clipper and other encryption methods.
Jim Schindler, director of information security for Hewlett Packard Co., based in Palo Alto, Calif., said laws governing the use of encryption in countries such as France and the United Kingdom could be accommodated by creating an international network of trusted encryption centers.
For example, U.S. companies that rely on Clipper to protect their data inside the United States could use an encryption center to send private data to a satellite office in a foreign country. The center would encrypt the data with a method acceptable to the foreign government, he said.
The idea was sparked by complaints from many of the firm's multinational customers whose private communications between their worldwide offices are hindered by various countries' encryption laws, he said.
Both Denning and Brooks said foreign interest in the Clipper chip has grown, partly because officials want to coordinate the international transfer of encrypted data.
Key Escrow Not Part of the Study
One issue the NIST investigation will not review is the government's controversial position that law-enforcement authorities be able to crack the Clipper or any alternatives.
Because government officials expect their electronic surveillance of criminals to be frustrated by widespread availability of commercial encryption devices, Clipper includes a feature -- dubbed "key escrow" -- that allows the government to unscramble Clipper-encrypted data.
"The driving motivation [behind Clipper] is that it would be irresponsible for the government to promote a secure encryption technique that had the potential for providing a safe haven for the criminal element," said NSA's Brooks.
To minimize concerns that this unscrambling feature would be abused, two halves of a numerical key will be held in escrow by two different government organizations, such as the Department of Justice and NIST. Only when the two halves of the key are released with the approval of a judge could the government unscramble a person's data.
But civil liberties organizations, such as the Washington-based Electronic Privacy Information Center, object to any use of escrow systems, arguing that the government cannot be trusted not to illegally combine the numbers and spy on the private activities of its citizens. No encryption system using key escrow should be promoted by the government, said David Sobel, the center's legal counsel.
Developers of software-based encryption methods are leery of key escrow. Whitfield Diffie, a leading encryption expert now working for Sun Microsystems, Mountain View, Calif., argued that the development of key escrow encryption technology will bolster the power of governments to monitor and control their citizens. Government-controlled encryption could be combined with massive databases of personal factoids to "establish a vulnerability, perhaps greater than exists now" to the public's privacy, he said.
Stephen Walker of Trusted Information Systems said his firm has not decided whether to sell its software-based system, which includes a key-escrow feature. "Those folks [who oppose key-escrow systems] are not going to be happy with this," he said.
Defending the Pariah Chip
Critics have charged the Clipper chip with two technical flaws, but government officials deny their significance.
The newest potential snafu was identified by Whitfield Diffie, an encryption expert at Sun Microsystems, Mountain View, Calif. Put simply, it's this: If an eavesdropper can crack three messages from a particular Clipper chip installed in a computer or telephone, he can then crack every encrypted message processed by that chip, Diffie claims.
The National Security Agency says otherwise.
"It's true, but just try it," responded Clinton Brooks, the NSA's chief of external relations.
The sophistication of the Clipper chip, which the agency designed, makes the task of breaking the first few messages practically impossible -- even with the most powerful of current computers, he said.
Diffie confirmed the difficulty, estimating the cost of breaking a single message once per year from a single chip to be more than $1 billion.
However, another problem is the much-discussed flaw unearthed by Matthew Blaze, a scientist at AT&T Bell Laboratories.
Blaze discovered a way to generate a false positive signal inside the Clipper chip, effectively allowing people to use it while defeating government wiretaps.
However, the Blaze flaw is not significant, said Brooks. It does not apply to telephone links, and government experts are already developing simple countermeasures for implementation in the first Clipper-related Tessera chips to be released by the end of the year, he said.