home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
texts
/
txtfiles_misc
/
cryptbil.txt
< prev
next >
Wrap
Text File
|
1993-06-29
|
15KB
|
581 lines
This thread is copied from "sci.crypt" on Usenet. -Bruce
>From: schuman@sgi.com (Aaron Schuman)
Newsgroups: sci.crypt
Subject: Congress to order crypto trapdoors?
Date: 11 Apr 91 23:30:28 GMT
Organization: Silicon Graphics 415-335-1901
Lines: 83
The United States Senate is considering a bill that would require
manufacturers of cryptographic equipment to introduce a trap door, and
to make that trap door accessible to law enforcement officials.
If you feel, as I do, that t|he risk of abuse far outweighs the potential
benefits, please write to Senators Joseph Biden and Dennis DeConcini,
and to the Senators that represent your state, asking that they propose
a friendly amendment to their bill removing this requirement.
I don't have exact addresses for Senators Biden and DeConcini, and I
hope someone will post them here, but the Washington DC post office can
deliver letters addressed to
Senator Joseph Biden Senator Dennis DeConcini
United States Senate and United States Senate
Washington, DC Washington, DC
RISKS-LIST: RISKS-FORUM Digest Wednesday 10 April 1991 Volume 11 : Issue 43
Date: Wed, 10 Apr 91 17:23 EDT
>From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: U.S. Senate 266, Section 2201 (cryptographics)
Senate 266 introduced by Mr. Biden (for himself and Mr. DeConcini)
contains the following section:
SEC. 2201. COOPERATION OF TELECOMMUNICATIONS PROVIDERS WITH LAW ENFORCEMENT
It is the sense of Congress that providers of electronic communications
services and manufacturers of electronic communications service
equipment shall ensure that communications systems permit the government
to obtain the plain text contents of voice, data, and other
communications when appropriately authorized by law.
------------------------------
The referenced language requires that manufacturers build trap-doors
into all cryptographic equipment and that providers of cconfidential
channels reserve to themselves, their agents, and assigns the ability to
read all traffic.
Are there readers of this list that believe that it is possible for
manufacturers of crypto gear to include such a mechanism and also to
reserve its use to those "appropriately authorized by law" to employ it?
Are there readers of this list who believe that providers of electronic
communications services can reserve to themselves the ability to read
all the traffic and still keep the traffic "confidential" in any
meaningful sense?
Is there anybody out there who would buy crypto gear or confidential
services from vendors who were subject to such a law?
David Kahn asserts that the sovereign always attempts to reserve the use
of cryptography to himself. Nonetheless, if this language were to be
enacted into law, it would represent a major departure. An earlier
Senate went to great pains to assure itself that there were no trapdoors
in the DES. Mr. Biden and Mr. DeConcini want to mandate them. The
historical justification of such reservation has been "national
security;" just when that justification begins to wane, Mr. Biden wants
to use "law enforcement." Both justifications rest upon appeals to fear.
In the United States the people, not the Congress, are sovereign; it
should not be illegal for the people to have access tto communications
that the government cannot read. We should be free from unreasonable
search and seizure; we should be free from self-incrimination. The
government already has powerful tools of investigation at its disposal;
it has demonstrated precious little restraint in their use.
Any assertion that all use of any such trap-doors would be only "when
appropriately authorized by law" is absurd on its face. It is not
humanly possible to construct a mechanism that could meet that
requirement; any such mechanism would be subject to abuse.
I suggest that you begin to stock up on crypto gear while you can still
get it. Watch the progress of this law carefully. Begin to identify
vendors across the pond.
William Hugh Murray, Executive Consultant, Information System Security 21
Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 203 966 4769
Article 3419 of sci.crypt:
>From: karn@epic.bellcore.com (Phil R. Karn)
Newsgroups: sci.crypt,alt.privacy
Subject: Re: Congress Mandates Backdoors
Date: 15 Apr 91 23:51:07 GMT
Organizatinon: Packet Communications Research Group (Bellcore)
Since I was looking for any excuse to procrastinate on my taxes this
past weekend, I composed this letter to Senators Biden and DeConcini.
--Phil
25-B Hillcrest Rd
Warren, NJ 07059-5304
April 13, 1991
Senator Dennis DeConcini
United States Senate
Washington, DC 20510
Dear Senator DeConcini:
Yesterday I read a most disturbing computer network article
about a piece of legislation you are proposing that
apparently attempts to regulate the use of cryptography to
protect the secrecy of private communications. I refer to
this excerpt:
Senate 266 introduced by Mr. Biden (for himself and Mr.
DeConcini) contains the following section:
SEC. 2201. COOPERATION OF TELECOMMUNICATIONS PROVIDERS
WITH LAW ENFORCEMENT
It is the sense of Congress that providers of elec-
tronic communications services and manufacturers of
electronic communications service equipment shall
ensure that communications systems permit the govern-
ment to obtain the plain text contents of voice, data,
and other communications when appropriately authorized
by law.
The author of the article continues:
The referenced language requires that manufacturers
build trap-doors into all cryptographic equipment and
that providers of confidential channels reserve to
themselves, their agents, and assigns the ability to
read all traffic.
I would like to know if this is indeed the intent of your
legislation. If so, it will be the most futile exercise of
authority since King Canute set up his throne on the beach,
ordered the sea to withdraw and probably got his feet wet
for his trouble.
I would like the opportunity to explain.
First of all, this legislation will not serve its ostensible
purpose (facilitating a legitimate police investigation
involving encrypted communications or stored data). Quite
April 15, 1991
- 2 -
simply, cryptography exists; it cannot be uninvented. And
with today's powerful, inexpensive and readily available
computer technology, anyone - law-abiding citizen or crimi-
nal - can apply a little technical knowledge and build and
operate his own cryptographic communications system.
You see, with the right software, even the simplest personal
computer becomes an excellent cipher machine - and the
software is readily and widely available. I know of perhaps
six public-domain programs that do the National Bureau of
Standards' Data Encryption Standard (DES); I wrote one of
them. DES software is also available in several publicly
available books and magazines and from several commercial
suppliers. Even without all this software, an interested
programmer can find the complete specifications for DES in
any of several dozen textbooks on cryptography - not to men-
tion the official Federal standards themselves.
And DES is not the only cryptographic algorithm available to
the public. Because of concerns about possible weaknesses in
the DES (including unproven allegations that the National
Security Agency introduced a "trap door" into the design),
research into stronger alternatives has been brisk. New
algorithms appear all the time, and they come from cryptolo-
gists all over the world. The NSA has abandoned its attempts
to control the publication of private cryptographic research
because it is clearly protected by the First Amendment.
It is precisely because computers are so easily turned into
cipher machines that your reference to "providers of elec-
tronic communications services" is so pointless. A smart
criminal won't trust anyone with his plain text that he
doesn't have to - especially not a communications provider
subject to subpoena. He'll encrypt on an end-to-end basis
with his own computers, his own cryptographic software and
with cryptographic keys known only to him (and protected by
his Fifth Amendment right against self-incrimination). Com-
munications service providers won't have the opportunity to
turn plain text over to law enforcement because they'll
never see it.
You also refer to "manufacturers of electronic communica-
tions service equipment," which I assume means "manufactur-
ers of cryptographic hardware." But this would be equally
ineffective: no criminal would use a ready-made cipher
machine with a "trap door" built into it when he can so
easily turn his own personal computer into a cipher machine
without a trap door, and at much lower cost. Indeed, spe-
cialized cryptographic hardware has only one real advantage
over cryptographic software running on general purpose com-
puters: the hardware is generally more tamper-resistant.
This is usually important only in highly sensitive applica-
tions such as banking, where one does not want to trust
one's employees too much. It is irrelevant where the owner
April 15, 1991
- 3 -
and user of the computer, the person being protected by
cryptography and the person who knows the key are all the
same.
This brings me to the second fundamental flaw in your pro-
posed legislation. Even if "trap doors" were installed in
cryptographic equipment of the type used by banks (among
others), how could their use be limited to persons "duly
authorized by law"? Experience has shown electronic vandals
(popularly known as "hackers" or "phone phreaks") to be
highly adept at discovering and exploiting hidden security
weaknesses in computer and communication systems. What is to
prevent such persons from discovering and exploiting
weaknesses deliberately introduced in response to your
legislation?
They certainly wouldn't remain secret for long. Every modern
cipher is designed to rely entirely on the secrecy of the
key for its security. The design of the cipher itself must
be assumed to be completely public, because eventually it
will be. (This philosophy is captured in a popular computer
science saying: "Security through obscurity doesn't work.")
Indeed, what procedures could guarantee that "trap doors"
would not be abused by law enforcement or other government
personnel not properly authorized by court order? The rise
of computer technology has opened up many opportunities for
invasion of privacy and the abuse of government power. It is
only fitting that the same technology in the hands of indi-
viduals can also put some real teeth into the guarantees of
the Fourth and Fifth Amendments.
The government is simply going to have to get used to its
citizens using cryptography that it cannot break. The police
may have to give up on wiretaps and information seizures and
resort to the more traditional (and less invasive and less
easily abused) ways of conducting investigations, such as
informants and grants of immunity for testimony. They may
even have to give up entirely on enforcing certain laws,
e.g., those prohibiting the mere possession of information.
Perhaps the government can then redirect its resources
toward enforcing laws that make more sense.
A popular metaphor states that the computer is an extension
of the human mind. With cryptography, this metaphor becomes
reality in one important way - a user can make the informa-
tion stored in a computer or transmitted over a phone line
just as private as the information in his own mind. And I
wouldn't have it any other way in a free society.
Senator, I urge you to abandon this ill-advised proposal. At
best, it will be ignored. At its worst, it would decrease
security for law-abiding citizens while doing nothing to
help bring clever criminals to justice.
Sincerely yours,
Philip R. Karn, Jr.
Article 3420 of sci.crypt:
>From: gwyn@smoke.brl.mil (Doug Gwyn)
Newsgroups: sci.crypt
Subject: Re: Senate Bill 266 would require trapdoors in encryption gear
Date: 16 Apr 91 03:05:59 GMT
Organization: U.S. Army Ballistic Researech Laboratory, APG, MD.
Lines: 23
In article <17056@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>"If privacy is outlawed, only outlaws will have privacy"...
Absolutely -- this hits the nail right on the head. Just as gun control
activists, who inspired the slogan on which the above was based, can
achieve at best the disarming of law-abiding citizens, leaving them no
defense against potential assault by those who ignore such laws, other
than to die or to break the law trehemselves.
The right to privacy unfortunately was not considered sufficiently
questionable by the framers of the US Constitution to require explicit
mention in the Constitution (as was done for the right to keep and bear
arms); it was among those rights that the 10th Amendment reserved to the
people.
I am all for catching genuine criminals, i.e. those who injure others
deliberately. However, I am not willing to have perfectly reasonable
activities on my part be declared "criminal" by the legal system as part
of misguided attempts to "do something" about crime. Having recently
sat in on several court proceedings, I can attest to the fact that there
are a lot of fundamental problems with the entire US system of justice
that should be addressed if crime is truly to be controlled.
Article 3422 of sci.crypt:
>From: gwyn@smoke.brl.mil (Doug Gwyn)
Newsgroups: sci.crypt
Subject: Re: Congress Mandates Backdoors
Date: 16 Apr 91 02:54:47 GMT
Organization: U.S. nArmy Ballistic Research Laboratory, APG, MD.
Lines: 12
-COOPERATION OF TELECOMMUNICATIONS PROVIDERS WITH LAW ENFORCEMENT
-It is the sense of Congress that providers of electronic
-communications services and manufacturers of electronic communications
-service equipment shall ensure that communications systems permit the
-government to obtain the plain text contents of voice, data, and other
-communications when appropriately authorized by law.
"Damn, I wish I were The Man!" (with apologies to Cindy Lee Berryhill).
With representatives like these, our remaining freedoms are not long
for the world.