home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
cud
/
cud534d.txt
< prev
next >
Wrap
Text File
|
1995-01-03
|
8KB
|
148 lines
Date: Thu, 6 May 1993 13:09:12 EST
From: David Sobel <dsobel@WASHOFC.CPSR.ORG>
Subject: File 4--New NIST/NSA Revelations
New NIST/NSA Revelations
Less than three weeks after the White House announced a
controversial initiative to secure the nation's electronic
communications with government-approved cryptography, newly released
documents raise serious questions about the process that gave rise to
the administration's proposal. The documents, released by the
National Institute of Standards and Technology (NIST) in response to a
Freedom of Information Act lawsuit, suggest that the super-secret
National Security Agency (NSA) dominates the process of establishing
security standards for civilian computer systems in contravention of
the intent of legislation Congress enacted in 1987.
The released material concerns the development of the Digital
Signature Standard (DSS), a cryptographic method for authenticating
the identity of the sender of an electronic communication and for
authenticating the integrity of the data in that communication. NIST
publicly proposed the DSS in August 1991 and initially made no mention
of any NSA role in developing the standard, which was intended for use
in unclassified, civilian communications systems. NIST finally
conceded that NSA had, in fact, developed the technology after
Computer Professionals for Social Responsibility (CPSR) filed suit
against the agency for withholding relevant documents. The proposed
DSS was widely criticized within the computer industry for its
perceived weak security and inferiority to an existing authentication
technology known as the RSA algorithm. Many observers have speculated
that the RSA technique was disfavored by NSA because it was, in fact,
more secure than the NSA-proposed algorithm and because the RSA
technique could also be used to encrypt data very securely.
The newly-disclosed documents -- released in heavily censored
form at the insistence of NSA -- suggest that NSA was not merely
involved in the development process, but dominated it. NIST and NSA
worked together on the DSS through an intra-agency Technical Working
Group (TWG). The documents suggest that the NIST-NSA relationship was
contentious, with NSA insisting upon secrecy throughout the
deliberations. A NIST report dated January 31, 1990, states that
The members of the TWG acknowledged that the efforts
expended to date in the determination of a public key
algorithm which would be publicly known have not been
successful. It's increasingly evident that it is
difficult, if not impossible, to reconcile the concerns
and requirements of NSA, NIST and the general public
through using this approach.
The civilian agency's frustration is also apparent in a July
21, 1990, memo from the NIST members of the TWG to NIST director
John W. Lyons. The memo suggests that "national security"
concerns hampered efforts to develop a standard:
THE NIST/NSA Technical Working Group (TWG) has held 18
meetings over the past 13 months. A part of every
meeting has focused on the NIST intent to develop a
Public Key Standard Algorithm Standard. We are
convinced that the TWG process has reached a point where
continuing discussions of the public key issue will
yield only marginal results. Simply stated, we believe
that over the past 13 months we have explored the
technical and national security equity issues to the
point where a decision is required on the future
direction of digital signature standards.
An October 19, 1990, NIST memo discussing possible patent issues
surrounding DSS noted that those questions would need to be
addressed "if we ever get our NSA problem settled."
Although much of the material remains classified and withheld
from disclosure, the "NSA problem" was apparently the intelligence
agency's demand that perceived "national security" considerations
take precedence in the development of the DSS. From the outset,
NSA cloaked the deliberations in secrecy. For instance, at the
March 22, 1990, meeting of the TWG, NSA representatives presented
NIST with NSA's classified proposal for a DSS algorithm. NIST's
report of the meeting notes that
The second document, classified TOP SECRET CODEWORD, was
a position paper which discussed reasons for the
selection of the algorithms identified in the first
document. This document is available at NSA for review
by properly cleared senior NIST officials.
In other words, NSA presented highly classified material to NIST
justifying NSA's selection of the proposed algorithm -- an
algorithm intended to protect and authenticate unclassified
information in civilian computer systems. The material was so
highly classified that "properly cleared senior NIST officials"
were required to view the material at NSA's facilities.
These disclosures are disturbing for two reasons. First, the
process as revealed in the documents contravenes the intent of
Congress embodied in the Computer Security Act of 1987. Through
that legislation, Congress intended to remove NSA from the process
of developing civilian computer security standards and to place
that responsibility with NIST, a civilian agency. Congress
expressed a particular concern that NSA, a military intelligence
agency, would improperly limit public access to information in a
manner incompatible with civilian standard setting. The House
Report on the legislation noted that NSA's
natural tendency to restrict and even deny access to
information that it deems important would disqualify
that agency from being put in charge of the protection
of non-national security information in the view of many
officials in the civilian agencies and the private
sector.
While the Computer Security Act contemplated that NSA would
provide NIST with "technical assistance" in the development of
civilian standards, the newly released documents demonstrate that
NSA has crossed that line and dominates the development process.
The second reason why this material is significant is because
of what it reveals about the process that gave rise to the so-
called "Clipper" chip proposed by the administration earlier this
month. Once again, NIST was identified as the agency actually
proposing the new encryption technology, with "technical
assistance" from NSA. Once again, the underlying information
concerning the development process is classified. DSS was the
first test of the Computer Security Act's division of labor
between NIST and NSA. Clipper comes out of the same
"collaborative" process. The newly released documents suggest
that NSA continues to dominate the government's work on computer
security and to cloak the process in secrecy, contrary to the
clear intent of Congress.
On the day the Clipper initiative was announced, CPSR
submitted FOIA requests to key agencies -- including NIST and NSA
-- for information concerning the proposal. CPSR will pursue
those requests, as well as the pending litigation concerning NSA
involvement in the development of the Digital Signature Standard.
Before any meaningful debate can occur on the direction of
cryptography policy, essential government information must be made
public -- as Congress intended when it passed the Computer
Security Act. CPSR is committed to that goal.
***************************************************
David L. Sobel
CPSR Legal Counsel
(202) 544-9240
dsobel@washofc.cpsr.org
Downloaded From P-80 International Information Systems 304-744-2253