From: iw@all.net
Subject: IW Mailing List history/951202
---------------------------------------------
Date: Sat, 2 Dec 1995 07:07:59 -0500 (EST)
From: Sick Puppy 
Subject: Re: Key Escrow

The limitation on encryption algorithm and on key length suggests that
one of the criteria used in drafting the proposed procedure was that it
should be possible to decrypt any intercepted message on a laptop
machine. 

There are crypto systems available from European manufacturers which
meet NATO specifications and the keys are NOT escrowed with any
government.  In my view these provide much stronger encryption than the
proposed US procedure would allow.  These systems can be shipped
overseas from Europe without limitation and can also be imported into
the US without limitation. 

Some companies already use European crypto systems within the USA.  The
proposed procedure does not contain any provision "grandfathering" such
systems. 

From this dawg's point of view, the proposed procedure is not a very 
effective way for the US to meet foreign competition.

                                    Sick Puppy, the Cat_Eating_Dawg
---------------------------------------------
From: fc (Dr. Frederick B. Cohen)
Subject: crypto impacts on IW
Date: Sat, 2 Dec 1995 09:15:46 -0500 (EST)

I think the interaction between IW and strong civilian cryptography is
one of the most complex ones around.  Here are some of the issues that
come to mind immediately:

	In offensive soft-kill IW, there is great advantage to being
	able to read and corrupt messages.  It leads to strong
	deception, strong gathering, and other similar capabilities. 
	These capabilities can also be leveraged to produce denial. 

	In defensive IW, weak crypto leads to the inability to protect
	information assets against corruption and gathering efforts by
	enemies.  This also leads to difficulty in information assurance. 

The US concentration on offensive IW and lack of attention to defensive
IW is well documented, and it is therefore to be expected that weaker
crypto for the world would be considered beneficial.  As one who plays
the role of a defender more often than not, I naturally have a biassed
view toward stronger crypto for my side.

Since these regulations only have an impact on the civilian side, I have
heard it argued that the impact on IW is minimal.  The problem with this
perspective is that more than 85% of the DII in the US is the NII, and
the vast majority of information travels through COTS systems and public
networks.  If 85% of the DII were corrupted, I think that would have a
substantial impact.

Paul Strausmann was recently quoted in the Cypherpunks mailing list as
having been in support of key escrow, stating that it is beneficial to
the US.  There was some grief in that forum over his position, but it
was my interpretation that his favoring of this proposal was because it
provides a method by which the 85%+ COTS NII systems could have some
protection (as opposed to having none) and not because he had thought
the issue through and decided that key escrow and weak encryption is
better than strong encryption. 
	
Since regulations only have an impact on exported cryptography, I have
heard it argued that the impact on US systems is minimal.  The facts
don't seem to bear that up.  For example, of the products that have both
an exportable (i.e., weak) version and a US-only (i.e., stronger)
version, almost all sales go to the weaker version.  I think the
Netscape figures are that well over 99% of all servers in use in the US
use exportable crypto.  As a side note, this is the same system broken
by a college student in France a few months ago (by brute force), and
subsequently by exploiting a more elegant key generation algorithm flaw
a few weeks later.  There are two likely reasons for the widespread use of
weak crypto within the US:

	1 - Business is international.  Having an incompatible system or
	operating two parallel systems is inefficient and therefore will
	fail in a competitive environment EXCEPT during extraordinary
	circumstances (e.g., high intensity IW conditions).  Therefore,
	business will opt for weak crypto and only one system (if they
	opt for crypto at all).

	2 - You can import strong crypto.  If you want strong globally
	compatible cryptography, you can get it by buying it from
	overseas.  The net impact on the US is a movement of strong
	crypto dollars, expertise, and industry out of the country.
	All of these have a negative impact on both offensive and
	defensive IW.

As an offensive warrior, I like weak crypto but as a defender I want to
have strong crypto.  From a strategic perspective, in order to properly
assess the impact of cryptographic strength, I need to understand who is
hurt the most and helped the most by better offense and defense and to
understand the impact of regulations on the strength of crypto around
the world. 

I have two beliefs at this time that may or may not be right:

	The impact seems to be that the US (NII) has weaker crypto
	and the rest of the world (GII) has weaker crypto.

	Weaker crypto hurts the US more than the rest of the world
	because the US is:
		more dependent on COTS in the NII for IW
	- AND - more dependent on IW for warfare in general
	than the rest of the world.

If these beliefs are right, it would seem that stronger COTS crypto
would be better for the overall US IW effort.  On the other hand:

	Stronger crypto (GII) weakens technical intel capabilities.  The
	US is increasingly dependent on technical intel.  If we don't
	keep the rest of the world's crypto weak, we will be unable to
	exploit this technical capability as effectively.

If you believe that the NSA is far better than the rest of the world at
exploiting crypto to generate intel then weaker crypto would seem to
favor the US. 

	Being far better at exploiting crypto alone isn't enough to
	justify the stated levels of keylength and strength.  At this
	keysize, people from all over the world can attack systems
	with fairly minimal resources.  For example, 64 bit RSA keys
	are easily broken without supercomputers.  Even a brute force
	attack against a DES-like scheme of 64 bits is not beyond the
	technical capabilities of most adversaries today. 

The limitation of 64 bit keys on the escrowed key systems currently
proposed appears to be outlandish.  There can be no doubt that this
length is chosen to allow these systems to be broken regardless of the
use of key escrow.  Hence the escrow system must be just a convenience
for governments to be able to break codes without expending advanced
cryptographic skills or large budgets. 

	From the law enforcement side, this is very helpful.  It makes
	tapping conversations straightforward while making tapping by
	those without the escrow key far more difficult.  When combined
	with the FBI's initiative to be able to tap into millions of
	telephone conversations at the same time (even though there
	are less than 1,500 legal taps in the US per year), this leads
	to a potential for abuse that is staggering. It would tend to
	support the contention that either massive illegal taps are
	underway or planned, or that there is an anticipated change in
	the law to allow widespread tapping in the US.

	In the age of government sponsored economic warfare by
	exploiting weaknesses of IT, weak and escrowed keys essentially
	allow governments to grant a franchise for breaking crypto to
	their chosen companies, agencies, etc. 

In terms of IW, key escrow and weak cryptography have clear implications
relating to catching spies, limiting the leakage of information if and
when high intensity war occurs, and technical intel.  Key escrow is, it
seems, also a possible instrument of economic warfare in the information
age.  To the extent that economic warfare has impacts on the ability to
fight, etc., this has indirect IW implications as well. 

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
---------------------------------------------
Date: Sat, 2 Dec 95 08:39:10 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: RE: IW Mailing List history/951201

I am planning to be there. IMNSHO (and somewhat biased, am the "other"
person besides Dorothy who would like to see Clipper publicly
available, but then I also believe in first amendment protections).
Do believe that this is near-workable with some tweaks and caveats.

What is the IW impact ? Well in the original version, the single
repository (or two pieces) would be an obvious target just as the single
certificate authority (Verisign) in the current Netscape is. 

Given (3), keys could be held potentially by many agencies. This would
increase the risk that a single key could be lost but reduce the risk
that *all* the keys could be lost.

An analysis of my hopes and problems with the current proposal follows:

The big one to me is number three:

>3.  The product's key escrow cryptographic functions' key(s) shall be
>escrowed with escrow agent(s) certified by the U.S.  Government, or
>certified by foreign governments with which the U.S.  Government has
>formal agreements consistent with U.S.  law enforcement and national
>security requirements. 

In order for this to work at all, the three layer mechanism mentioned by
a US representative at the EC meeting must be established:

1) DoD & Gov agencies will hold their own keys with the option of delegating
   the responsibility to a central organization. They may primarily use
   Clipper.

2) Major corporations and financial institutions will also be licensed to 
   hold keys. It is to be expected that they will be required to set up
   a quasi-independent organization within their structure so that the
   confidentiality of any law enforcement investigation can be maintained.
   (Law Enforcement is not going to like this but is going to have to live 
   with it since when you get down to brass tacks, the US is built on
   property rights and keys are property. To ameliorate this I would expect
   that all personnel involved will be required to be cleared by the FBI
   (they have their own form of clearances).)

3) The really important part (and the reason commercial interests will be
   willing to invest in this) will be for the promise of the US Government
   to provide those foreign agreements so that companies will not have to
   gain individual licences for every foreign office in a different country
   (as is rapidly happening).

Problem areas:

>5.  The product's key escrow feature shall allow access to the key(s)
>needed to decrypt the product's ciphertext regardless of whether the
>product generated or received the ciphertext. 
>9.  The product's key escrow cryptographic functions shall interoperate
>only with key escrow cryptographic functions in products that meet these
>criteria, and shall not interoperate with the cryptographic functions of
>a product whose key escrow encryption function has been altered,
>bypassed, disabled, or otherwise rendered inoperative. 

The difficulty here is that this assumes that all messages will be passed
directly between operating devices and that the line itself would be
protected. This eliminated buffered or POP E-Mail or any form of
queueing.

More important, if we could control all receivers of a message, then
we *would not need crypto in the first place*. It is because we cannot
control who may be listening or what they may do with it that encryption
is required.

Thus while it may be reasonable to ensure that the receiver only decrypt 
compliant messages, it is unreasonable for a sender to be able to 
determine that no-one else will ever gain access to a copy of the message.

>7.  The product's key escrow cryptographic functions shall use an
>unclassified encryption algorithm with a key length not to exceed
>sixty-four (64) bits. 
>8.  The product's key escrow cryptographic functions shall not provide
>the feature of multiple encryption (e.g., triple- DES). 

These have two problems. First, they have meaning only in terms of symmetric 
keys. Asymmetric keys such as Diffie-Hellman, RSA, and those others
collectively called public key/private key require much longer key lengths
(on the close order of 20X) in order to have equal strength to symmetric
keys.

There is an easy answer: since asymmetric keys, due to inherent slowness,
are typically used only for key exchange, while a symmetric key is used
for the actual message, then simply making the key exchange/ key
management mechanism open while enforcing escrow (and item 4)

Beyond that, the question remains, "given the key escrow mechanism, why
should the key length & mechanism make any difference ?" Personally, I
expect that for the moment, 64 bits is enough, but the gov is placing
itself at risk that technical advances will make the initiative obsolete.

True, 64 bits can be better than DES and 64 bit mechanisms are easy to 
manipulate in current personal computers however that should not be a 
reason to regulate unless the government does not trust their own initiative
to work. A more rational move would be to remove these two limitations 
entirely lest technical advances destroy the entire foundation of the system.

>4.  The product's key escrow cryptographic functions' ciphertext shall
>contain, in an accessible format and with a reasonable frequency, the
>identity of the key escrow agent(s) and information sufficient for the
>escrow agent(s) to identify the key(s) required to decrypt the
>ciphertext. 

on the message itself would make sense.  Even more so since the key
exchange/key management mechanism could be handled out-of-channel (e.g. 
via CD-ROM) just as easily and is the common mechanism used today. 
In-channel secure exchange such as used by Netscape is an essential
component to Internet Commerce. 

The balance of the items mentioned (below) I have no particular problem
with.  (2) is difficult but possible, (10) can be satisfied with a
checksum/hash.  (1) and (6) are procedural. 

However as I said, the "Quid pro quo" is found in item (3) and the
government had best be willing to provide the foreign agreements before
industry can be expected to invest in it. 
						Warmly,
							Padgett
---------------------------------------------------------------------
Points that I do not see as problems:

1.  The key(s) required to decrypt the product's key escrow
cryptographic functions' ciphertext shall be accessible through a key
escrow feature. 

2.  The product's key escrow cryptographic functions shall be inoperable
until the key(s) is escrowed in accordance with #3. 

6.  The product's key escrow feature shall allow for the recovery of
multiple decryption keys during the period of authorized access without
requiring repeated presentations of the access authorization to the key
escrow agent(s). 

10.  The product shall be resistant to anything that could disable or
circumvent the attributes described in #1 through #9. 
---------------------------------------------
Moderator's note:
	The following information appeared on the Cypherpunks mailing
list today (I have edited most of it out for space reasons) and is
available globally via the Web.  These are examples of publicly
available IW information that is generated by the US and given away to
the world.  Are there similar archives available from other countries?
Should the US be giving this sort of stuff away? If so, to what extent?
Is anyone actively considering this issue? (I am not asking for comments
on the quality of the work, but rather on how much strategic information
and IW thought the US should be making available to the world.)

---------------------------------------------
From owner-cypherpunks@toad.com Sat Dec  2 10:31:03 1995
Date: Sat, 2 Dec 1995 16:16:36 +0100
Subject: Info Foes 
URL: http://www.ndu.edu/ndu/inss/strforum/z1106.html
   Strategic Forum
                      THE REVOLUTION IN MILITARY AFFAIRS
   Martin Libicki, CDR James Hazlett, et al. [Excerpts]
  DISCUSSION I: STRATEGIC CHALLENGES

Those who assess future strategic challenges tend to look to Asian
countries, and to categorize competitors as peer, regional, or niche. 

...
  DISCUSSION II: OPERATIONAL CHALLENGES
  
Considerable evidence suggests that commercial access to information --
GPS readings, space-based imagery, and Internet data -- could be
transformed into military advantage thereby levelling the playing field
between ourselves and our potential opponents.  Other dual-use
technologies, for instance, those that would permit remote piloting of
aerial vehicles, permit commercial technologies such as electronic video
photography to act as powerful military tools accessible to all (RPVs
are made in more than thirty countries). 
   
    Technologies That Level the Field
    
Does the proliferation in information technologies necessarily negate
our current military lead? Information-based warfare creates new
vulnerabilities for industrial-age institutions slow to adapt.  Because
most U.S.  logistics facilities and command nodes are not well hidden,
they are vulnerable to precision strike.  The widespread availability of
overhead imagery coupled with GPS integration into weapon systems-- no
more than a few years away for countries such as India--poses a serious
threat to which our improving defensive measures (e.g., anti-tactical
ballistic missiles) will provide only a partial solution.  Our own
counter-C2 operations are complicated by the rapidly falling cost of
bandwidth and redundancy.  Even if 90 percent of a bit flow can be
interdicted, the remaining 10 percent may suffice for operational uses. 
Rapid expansion of cellular nodes, particularly through exploitation of
commercial space assets, may make targeting and communications denial
difficult or impossible.  Multiple channels of electronic access will
also complicate psychological operations and countermeasures. 
...
    
The United States, nevertheless, retains an edge in two important areas:
space and systems integration.  Space systems are relatively difficult
to build and although many potential middle-income adversaries can
borrow space services from third parties, fewer can own satellites, and
far fewer can launch them.  Thus the United States will retain a clear
edge in the size and sophistication (timeliness and interpretation) of
space capabilities, in their adoption and adaptation for military uses,
in their augmentation or adaptation for the particulars of future
contingencies, and in the assurance of their continuity. 
   
The distinctions between data and information, and between information
and knowing could also favor U.S.  forces.  There are vast differences
between, for instance, access to meteorological imagery and determining,
for instance, that a locus of operations is likely to be fogged in 24
hours hence (a distinction relevant to the Falklands campaign).  The art
of operational planning is not acquired automatically with the
acquisition of computers.  Similarly, as sensors proliferate in type as
well as numbers, data fusion is likely to become more decisive in future
conflicts.  ... 

  1. command-and-control warfare [C2W];
  2. intelligence-based warfare [IBW];
  3. electronic warfare [EW];
  4. psychological operations [PSYOPS];
  5. hackerwar software-based attacks on information systems;
  6. information economic warfare [IEW] war via the control 
    information trade; and
  7. cyberwar [combat in the virtual realm]. ...
------------------
URL: http://www.ndu.edu/ndu/inss/actpubs/act003/a003ch07.html
---------------------------------------------