Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.

CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY

Kenneth W. Dam and Herbert S. Lin, Editors

Committee to Study National Cryptography Policy

Computer Science and Telecommunications Board

Commission on Physical Sciences, Mathematics, and Applications

National Research Council

NATIONAL ACADEMY PRESS

Washington, D.C. 1996

NATIONAL ACADEMY PRESS 2101 Constitution Avenue, NW Washington, DC 20418

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

Support for this project was provided by the Department of Defense (under contract number DASW01-94-C-0178) and the Department of Commerce (under contract number 50SBNB4C8089). Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Library of Congress Catalog Card Number 96-68943
International Standard Book Number 0-309-05475-3

The Computer Science and Telecommunications Board (CSTB) will be glad to receive comments on this report. Please send them via Internet e-mail to CRYPTO@NAS.EDU, or via regular mail to CSTB, National Research Council, 2101 Constitution Avenue NW, Washington, DC 20418.

Copyright 1996 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY

KENNETH W. DAM, University of Chicago Law School, Chair

W.Y. SMITH, Institute for Defense Analyses (retired), Vice Chair

LEE BOLLINGER, Dartmouth College

ANN CARACRISTI, National Security Agency (retired)

BENJAMIN R. CIVILETTI, Venable, Baetjer, Howard and Civiletti

COLIN CROOK, Citicorp

SAMUEL H. FULLER, Digital Equipment Corporation

LESLIE H. GELB, Council on Foreign Relations

RONALD GRAHAM, AT&T Bell Laboratories

MARTIN HELLMAN, Stanford University

JULIUS L. KATZ, Hills & Company

PETER G. NEUMANN, SRI International

RAYMOND OZZIE, Iris Associates

EDWARD C. SCHMULTS, General Telephone and Electronics (retired)

ELLIOT M. STONE, Massachusetts Health Data Consortium

WILLIS H. WARE, RAND Corporation

Staff

MARJORY S. BLUMENTHAL, Director

HERBERT S. LIN, Study Director and Senior Staff Officer

JOHN M. GODFREY, Research Associate

FRANK PITTELLI, Consultant to CSTB

GAIL E. PRITCHARD, Project Assistant

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

WILLIAM A. WULF, University of Virginia, Chair

FRANCES E. ALLEN, IBM T.J. Watson Research Center

DAVID D. CLARK, Massachusetts Institute of Technology

JEFF DOZIER, University of California at Santa Barbara

HENRY FUCHS, University of North Carolina

CHARLES GESCHKE, Adobe Systems Incorporated

JAMES GRAY, Microsoft Corporation

BARBARA GROSZ, Harvard University

JURIS HARTMANIS, Cornell University

DEBORAH A. JOSEPH, University of Wisconsin

BUTLER W. LAMPSON, Microsoft Corporation

BARBARA LISKOV, Massachusetts Institute of Technology

JOHN MAJOR, Motorola

ROBERT L. MARTIN, AT&T Network Systems

DAVID G. MESSERSCHMITT, University of California at Berkeley

WILLIAM PRESS, Harvard University

CHARLES L. SEITZ, Myricom Incorporated

EDWARD SHORTLIFFE, Stanford University School of Medicine

CASIMIR S. SKRZYPCZAK, NYNEX Corporation

LESLIE L. VADASZ, Intel Corporation

MARJORY S. BLUMENTHAL, Director

HERBERT S. LIN, Senior Staff Officer

PAUL D. SEMENZA, Staff Officer

JERRY R. SHEEHAN, Staff Officer

JEAN E. SMITH, Program Associate

JOHN M. GODFREY, Research Associate

LESLIE M. WADE, Research Assistant

GLORIA P. BEMAH, Administrative Assistant

GAIL E. PRITCHARD, Project Assistant

COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS

ROBERT J. HERMANN, United Technologies Corporation, Chair

PETER M. BANKS, Environmental Research Institute of Michigan

SYLVIA T. CEYER, Massachusetts Institute of Technology

L. LOUIS HEGEDUS, Elf Atochem North America Inc.

JOHN E. HOPCROFT, Cornell University

RHONDA J. HUGHES, Bryn Mawr College

SHIRLEY A. JACKSON, U.S. Nuclear Regulatory Commission

KENNETH I. KELLERMANN, National Radio Astronomy Observatory

KEN KENNEDY, Rice University

THOMAS A. PRINCE, California Institute of Technology

JEROME SACKS, National Institute of Statistical Sciences

L.E. SCRIVEN, University of Minnesota

LEON T. SILVER, California Institute of Technology

CHARLES P. SLICHTER, University of Illinois at Urbana-Champaign

ALVIN W. TRIVELPIECE, Oak Ridge National Laboratory

SHMUEL WINOGRAD, IBM T.J. Watson Research Center

CHARLES A. ZRAKET, MITRE Corporation (retired)

NORMAN METZGER, Executive Director

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is interim president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. William A. Wulf are chairman and interim vice chairman, respectively, of the National Research Council.

Preface

INTRODUCTION

For most of history, cryptography—the art and science of secret writing—has belonged to governments concerned about protecting their own secrets and about asserting their prerogatives for access to information relevant to national security and public safety. In the United States, cryptography policy has reflected the U.S. government's needs for effective cryptographic protection of classified and other sensitive communications as well as its needs to gather intelligence for national security purposes, needs that would be damaged by the widespread use of cryptography. National security concerns have motivated such actions as development of cryptographic technologies, development of countermeasures to reverse the effects of encryption, and control of cryptographic technologies for export.

In the last 20 years, a number of developments have brought about what could be called the popularization of cryptography. First, some industries—notably financial services—have come to rely on encryption as an enabler of secure electronic funds transfers. Second, other industries have developed an interest in encryption for protection of proprietary and other sensitive information. Third, the broadening use of computers and computer networks has generalized the demand for technologies to secure communications down to the level of individual citizens and assure the privacy and security of their electronic records and transmissions. Fourth, the sharply increased use of wireless communications (e.g., cellular telephones) has highlighted the greater vulnerability of such communications to unauthorized intercept as well as the difficulty of detecting these intercepts.

As a result, efforts have increased to develop encryption systems for private sector use and to integrate encryption with other information technology products. Interest has grown in the commercial market for cryptographic technologies and systems incorporating such technologies, and the nation has witnessed a heightened debate over individual need for and access to technologies to protect individual privacy.

Still another consequence of the expectation of widespread use of encryption is the emergence of law enforcement concerns that parallel, on a civilian basis, some of the national security concerns. Law enforcement officials fear that wide dissemination of effective cryptographic technologies will impede their efforts to collect information necessary for pursuing criminal investigations. On the other side, civil libertarians fear that controls on cryptographic technologies will give government authorities both in the United States and abroad unprecedented and unwarranted capabilities for intrusion into the private lives of citizens.

CHARGE OF THE COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY

At the request of the U.S. Congress in November 1993, the National Research Council's Computer Science and Telecommunications Board (CSTB) formed the Committee to Study National Cryptography Policy. In accordance with its legislative charge (Box P.1), the committee undertook the following tasks:

• Framing the problem. What are the technology trends with which national cryptography policy must keep pace? What is the political environment? What are the significant changes in the post-Cold War environment that call attention to the need for, and should have an impact on, cryptography policy?

• Understanding the underlying technology issues and their expected development and impact on policy over time. What is and is not possible with current cryptographic (and related) technologies? How could these capabilities have an impact on various U.S. interests?

• Describing current cryptography policy. To the committee's knowledge, there is no single document, classified or unclassified, within the U.S. government that fully describes national cryptography policy.

• Articulating a framework for thinking about cryptography policy. The interests affected by national cryptography policy are multiple, varied, and related: they include personal liberties and constitutional rights, the maintenance of public order and national security, technology development, and U.S. economic competitiveness and markets. At a minimum, policy makers (and their critics) must understand how these interests interrelate, although they may decide that one particular policy configuration better serves the overall national interest than does another.

BOX P.1
Legislative Charge to the National Research Council

Public Law 103-160
Defense Authorization Bill for Fiscal Year 1994
Signed November 30, 1993

SEC. 267. COMPREHENSIVE INDEPENDENT STUDY OF NATIONAL CRYPTOGRAPHY POLICY.

(a) Study by National Research Council.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall request the National Research Council of the National Academy of Sciences to conduct a comprehensive study of cryptographic technologies and national cryptography policy.

(b) Matters To Be Assessed in Study.—The study shall assess—

(1) the effect of cryptographic technologies on—

   (A) national security interests of the United States Government;

   (B) law enforcement interests of the United States Government;

   (C) commercial interests of United States industry; and

   (D) privacy interests of United States citizens; and

(2) the effect on commercial interests of United States industry of export controls on cryptographic technologies.

(c) Interagency Cooperation With Study.—The Secretary of Defense shall direct the National Security Agency, the Advanced Research Projects Agency, and other appropriate agencies of the Department of Defense to cooperate fully with the National Research Council in its activities in carrying out the study under this section. The Secretary shall request all other appropriate Federal departments and agencies to provide similar cooperation to the National Research Council.

•  Identifying a range of feasible policy options. The debate over cryptography policy has been hampered by an incomplete analysis and discussion of various policy options—both proponents of current policy and of alternative policies are forced into debating positions in which it is difficult or impossible to acknowledge that a competing view might have some merit. This report attempts to discuss fairly the pros and cons of a number of options.

•  Making recommendations regarding cryptography policy. No cryptography policy will be stable for all time. That is, it is unrealistic to imagine that this committee or any set of policy makers could craft a policy that would not have to evolve over time as the technological and political milieu itself changes. Thus, the committee's recommendations are framed in the context of a transition, from a world characterized by slowly evolving technology, well-defined enemies, and unquestioned U.S. technological, economic, and geopolitical dominance to one characterized by rapidly evolving technology, fuzzy lines between friend and foe, and increasing technological, economic, and political interdependencies between the United States and other nations of the world.

Given the diverse applications of cryptography, national cryptography policy involves a very large number of important issues. Important to national cryptography policy as well are issues related to the deployment of a large-scale infrastructure for cryptography and legislation and regulations to support the widespread use of cryptography for authentication and data integrity purposes (i.e., collateral applications of cryptography), even though these issues have not taken center stage in the policy debate.

The committee focused its efforts primarily on issues related to cryptography for confidentiality, because the contentious problem that this committee was assembled to address at the center of the public policy debate relates to the use of cryptography in confidentiality applications. It also addressed issues of cryptography policy related to authentication and data integrity at a relatively high level, casting its findings and recommendations in these areas in fairly general terms. However, it notes that detailed consideration of issues and policy options in these collateral areas requires additional study at a level of detail and thoroughness comparable to that of this report.

In preparing this report, the committee reviewed and synthesized relevant material from recent reports, took written and oral testimony from government, industry, and private individuals, reached out extensively to the affected stakeholders to solicit input, and met seven times to discuss the input from these sources as well as the independent observations and findings of the committee members themselves. In addition, this study built upon three prior efforts to examine national cryptography policy: the Association for Computing Machinery report Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy,1 the Office of Technology Assessment report Information Security and Privacy in Network Environments,2 and the JASON encryption study.3 A number of other examinations of cryptography and/or information security policy were also important to the committee's work.4 (Appendix N contains source documents (e.g., statutes, regulations, memorandums of understanding), relevant to the national debate over cryptography policy.)

1 Susan Landau et al., Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy, Association for Computing Machinery Inc., New York, 1994.

2 Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., September 1994.

WHAT THIS REPORT IS NOT

The subject of national cryptography policy is quite complex, as it figures importantly in many areas of national interest. To keep the project manageable within the time, resources, and expertise available, the committee chose not to address in detail a number of issues that arose with some nontrivial frequency during the course of its study.

•  This report is not a comprehensive study of the grand trade-offs that might be made in other dimensions of national policy to compensate for changes in cryptography policy. For example, this report does not address matters such as relaxing exclusionary rules that govern the court admissibility of evidence or installing video cameras in every police helmet as part of a package that also eliminates restrictions on cryptography, though such packages are in principle possible. Similarly, it does not address options such as increasing the budget for counterterrorist operations as a quid pro quo for relaxations on export controls of cryptography. The report does provide information that would help to assess the impact of various approaches to cryptography policy, although how that impact should be weighed against the impact of policies related to other areas is outside the scope of this study and the expertise of the committee assembled for it.

•  This report is not a study on the future of the National Security Agency (NSA) in the post-Cold War era. A determination of what missions the NSA should be pursuing and/or how it should pursue those missions was not in the committee's charge. The report does touch lightly on technological trends that affect the ability to undertake the missions to which cryptography is relevant, but only to the extent necessary to frame the cryptography issue.

3 JASON Program Office, JASON Encryption/Privacy Study, Report JSR-93-520 (unpublished), MITRE Corporation, McLean, Va., August 18, 1993.

4 These works include Global Information Infrastructure, a joint report by the European Association of Manufacturers of Business Machines and Information Technology Industry, the U.S. Information Technology Industry Council, and the Japan Electronic Industry Development Association (EUROBIT-ITI-JEIDA), developed for the G-7 Summit on the Global Information Society, GII Tripartite Preparatory Meeting, January 26-27, 1995, Brussels; the U.S. Council for International Business statement titled "Business Requirements for Encryption," October 10, 1994, New York; and the International Chamber of Commerce position paper "International Encryption Policy," Document No. 373/202 Rev. and No. 373-30/ 9 Rev., Paris, undated. Important source documents can be found in Lance J. Hoffman (ed.), Building in Big Brother: The Cryptographic Policy Debate, Springer-Verlag, New York, 1995, and in the cryptography policy source books published annually by the Electronic Privacy Information Center in Washington, D.C.

At the same time, this report does address certain conditions of the political, social, and technological environment that will affect the answers that anyone would formulate to these questions, such as the potential impact on policy of a world that offers many users the possibilities of secure communications.

•  This report is not a study of computer and communications security, although of course cryptography is a key element of such security. Even the strongest cryptography is not very useful unless it is part of a secure system, and those responsible for security must be concerned about everything from the trustworthiness of individuals writing the computer programs to be used to the physical security of terminals used to access the system. A report that addressed system dimensions of computer security was the National Research Council report Computers at Risk;5 this current study draws on that report and others to the extent relevant for its analysis, findings, and conclusions about cryptography policy.

•  This report is not a study of the many patent disputes that have arisen with respect to national cryptography policy in the past several years. While such disputes may well be a sign that the various holders expect cryptography to assume substantial commercial importance in the next several years, such disputes are in principle resolvable by the U.S. Congress, which could simply legislate ownership by eminent domain or by requiring compulsory licensing. Moreover, since many of the key patents will expire in any case in the relatively near future (i.e., before any infrastructure that uses them becomes widely deployed), the issue will become moot in any case.

•  This report is not exclusively a study of national policy associated with the Clipper chip. While the Clipper chip has received the lion's share of press and notoriety in the past few years, the issues that this study was chartered to address go far beyond those associated simply with the Clipper chip. This study addresses the larger context and picture of which the Clipper chip is only one part.

5 Computer Science and Telecommunications Board, National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, Washington, D.C., 1991.

ON SECRECY AND REPORT TIME LINE

For most of history, the science and technologies associated with cryptography have been the purview of national governments and/or heads of state. It is only in the last 25 years that cryptographic expertise has begun to diffuse into the nongovernment world. Thus, it is not surprising that much of the basis and rationale underlying national cryptography policy has been and continues to be highly classified. Indeed, in a 1982 article, then-Deputy Director of the Central Intelligence Agency Bobby R. Inman wrote that

[o]ne sometimes hears the view that publication should not be restrained because "the government has not made its case," almost always referring to the absence of specific detail for public consumption. This reasoning is circular and unreasonable. It stems from a basic attitude that the government and its public servants cannot be trusted. Specific details about why information must be protected are more often than not even more sensitive than the basic technical information itself. Publishing examples, reasons and associated details would certainly damage the nation's interests. Public review and discussion of classified information which supports decisions is not feasible or workable.6

Secrecy is a two-edged sword for a democratic nation. On the one hand, secrecy has a legitimate basis in those situations in which fundamental national interests are at stake (e.g., the preservation of American lives during wartime). Moreover, the history of intelligence reveals many instances in which the revelation of a secret, whether intentional or inadvertent, has led to the compromise of an information source or the loss of a key battle.7

On the other hand, secrecy has sometimes been used to stifle public debate and conceal poorly conceived and ill-informed national policies, and mistrust is therefore quite common among many responsible critics of government policy. A common refrain by defenders of policies whose origins and rationales are secret is that "if you knew what we knew, you would agree with us." Such a position may be true or false, but it clearly does not provide much reassurance for those not privy to those secrets for one very simple reason: those who fear that government is hiding poorly conceived policies behind a wall of secrecy are not likely to trust the government, yet in the absence of the substantive argument being called for, the government's claim is essentially a plea for trust.

6 Bobby Inman, "Classifying Science: A Government Proposal. . .," Aviation Week and Space Technology, February 8, 1982, p. 10.

7 For example, following press reports of deciphered Libyan messages before and after a bombing in West Berlin in which an American soldier died, Libya changed its communications codes. A senior American official was quoted as saying that the subsequent Libyan purchase of advanced cryptographic equipment from a Swiss firm was "one of the prices [the United States is] paying for having revealed, in order to marshal support of our allies and public opinion, that intercepted communications traffic provided evidence that Libya was behind the bombing of the Berlin disco." See "Libyans Buy Message-Coding Equipment," Washington Post, April 22, 1986, p. A8.

In pursuing this study, the committee has adopted the position that some secrets are still legitimate in today's global environment, but that its role is to illuminate as much as possible without compromising those legitimate interests. Thus, the committee has tried to act as a surrogate for well-intentioned and well-meaning people who fear that the worst is hiding behind the wall of secrecy—it has tried to ask the questions that these people would have asked if they could have done so. Public Law 103-160 called for all defense agencies, including the National Security Agency, to cooperate fully with the National Research Council in this study.

For obvious reasons, the committee cannot determine if it did not hear a particular piece of information because an agency withheld that information or because that piece of information simply did not exist. But for a number of reasons, the committee believes that to the best of its knowledge, the relevant agencies have complied with Public Law 103-160 and other agencies have cooperated with the committee. One important reason is that several members of the committee have had extensive experience (on a classified basis) with the relevant agencies, and these members heard nothing in the briefings held for the committee that was inconsistent with that experience. A second reason is that these agencies had every motivation and self-interest to make the best possible case for their respective positions on the issues before the committee. Thus, on the basis of agency assurances that the committee has indeed received all information relevant to the issue at hand, they cannot plausibly argue that "if the committee knew what Agency X knew, it would agree with Agency X's position."

This unclassified report does not have a classified annex, nor is there a classified version of it. After receiving a number of classified briefings on material relevant to the subject of this study, the fully cleared members of the committee (13 out of the total of 16) agree that these details, while necessarily important to policy makers who need to decide tomorrow what to do in a specific case, are not particularly relevant to the larger issues of why policy has the shape and texture that it does today nor to the general outline of how technology will and policy should evolve in the future. For example, the committee was briefed on certain intelligence activities of various nations. Policy makers care that the activities of nation X (a friendly nation) fall into certain categories and that those of nation Y (an unfriendly nation) fall into other categories, because they must craft a policy toward nation X in one way and one toward nation Y in another way. But for analytical purposes, the exact names of the nations involved are much less relevant than the fact that there will always be nations friendly and unfriendly to the United States. Committee members are prepared to respond on a classified basis if necessary to critiques and questions that involve classified material.8

As for the time line of this study, the committee was acutely aware of the speed with which the market and product technologies evolve. The legislation called for a study to be delivered within 2 years after the full processing of all necessary security clearances, and the study committee accelerated its work schedule to deliver a report in 18 months from its first meeting (and only 13 months from the final granting of the last clearance). The delivery date of this study was affected by the fact that the contract to fund this study was signed by the Department of Defense on September 30, 1994.

A NOTE FROM THE CHAIR

The title of this report is Cryptography's Role in Securing the Information Society. The committee chose this title as one best describing our inquiry and report—that is, the committee has tried to focus on the role that cryptography, as one of a number of tools and technologies, can play in providing security for an information age society through, among other means, preventing computer-enabled crimes and enhancing national security. At the same time, the committee is not unaware of the acronym for this report—CRISIS—and it believes that the acronym is apt.

From my own standpoint as chair of the NRC Committee to Study National Cryptography Policy, I believe that the crisis is a policy crisis, rather than a technology crisis, an industry crisis, a law enforcement crisis, or an intelligence-gathering crisis.

It is not a technology crisis because technologies have always been two-edged swords. All technologies—cryptography included—can be used for good or for ill. They can be used to serve society or to harm it, and cryptography will no doubt be used for both purposes by different groups. Public policy will determine in large measure not just the net balance of benefit and loss but also how much benefit will be derived from constructive uses of this remarkable technology.

8 The point of contact within the National Research Council for such inquiries is the Computer Science and Telecommunications Board, National Research Council, 2101 Constitution Avenue, N.W., Washington, DC 20418 (telephone 202-334-2605 or e-mail CSTB@NAS.EDU).

It is not an industry crisis, nor a law enforcement crisis, nor an intelligence-gathering crisis, because industry, law enforcement, and the intelligence establishment have all had to cope with rapid technological change, and for the most part the vitality of these enterprises within the nation is a testament to their successes in so coping.

But a policy crisis is upon the nation. In the face of an inevitably growing use of cryptography, our society, acting as it must through our government as informed by the manifold forums of our democratic processes, has been unable to develop a consensus behind a coherent national cryptography policy, either within government or with the private stakeholders throughout society—the software industry, those concerned with computer security, the civil liberties community, and so on. Indeed, the committee could not even find a clear written statement of national cryptography policy that went beyond some very general statements.

To be sure, a number of government proposals have seen the light of day. The best known of these proposals, the Clipper initiative, was an honest attempt to address some of the issues underlying national cryptography policy, but one of its primary effects was to polarize rather than bring together the various stakeholders, both public and private. On the other hand, it did raise public awareness of the issue. In retrospect, many Administration officials have wished that the discourse on national cryptography policy could have unfolded differently, but in fairness we recognize that the government's task is not easy in view of the deep cleavages of interest reviewed in this report. In this context, we therefore saw it as our task, commanded by our statutory charge, to analyze the underlying reasons for this policy crisis and the interests at stake, and then to propose an intelligent, workable, and acceptable policy.

The Committee to Study National Cryptography Policy is a group of 16 individuals with very diverse backgrounds, a broad range of expertise, and differing perspectives on the subject. The committee included individuals with extensive government service and also individuals with considerable skepticism about and suspicion of government; persons with great technical expertise in computers, communications, and cryptography; and persons with considerable experience in law enforcement, intelligence, civil liberties, national security, diplomacy, international trade, and other fields relevant to the formation of policy in this area. Committee members were drawn from industry, including telecommunications and computer hardware and software, and from users of cryptography in the for-profit and not-for-profit sectors; serving as well were academics and think-tank experts.9 The committee was by design highly heterogeneous, a characteristic intended to promote discussion and synergy among its members.

At first, we wondered whether these different perspectives would allow us to talk among ourselves at all, let alone come to agreement. But the committee worked hard. The full committee met for a total of 23 days in which we received briefings and argued various points; ad hoc subcommittees attended a dozen or so additional meetings to receive even more briefings; members of the committee and staff held a number of open sessions in which testimony from the interested public was sought and received (including a very well attended session at the Fifth Annual Conference on Computers, Freedom, and Privacy in San Francisco in early 1995 and an open session in Washington, D.C., in April 1995); and the committee reviewed nearly a hundred e-mail messages sent in response to its Internet call for input. The opportunity to receive not only written materials but also oral briefings from a number of government agencies, vendors, trade associations, and assorted experts, as well as to participate in the first-ever cryptography policy meeting of the Organization for Economic Cooperation and Development and of its Business Industry Advisory Council, provided the occasion for extended give-and-take discussions with government officials and private stakeholders.

Out of this extended dialogue, we found that coming to a consensus among ourselves—while difficult—was not impossible. The nature of a consensus position is that it is invariably somewhat different from a position developed, framed, and written by any one committee member, particularly before our dialogue and without comments from other committee members. Our consensus is a result of the extended learning and interaction process through which we lived rather than any conscious effort to compromise or to paper over differences. The committee stands fully behind its analysis, findings, and recommendations.

We believe that our report makes some reasonable proposals for national cryptography policy. But a proposal is just that—a proposal for action. What is needed now is a public debate, using and not sidestepping the full processes of government, leading to a judicious resolution of pressing cryptography policy issues and including, on some important points, legislative action. Only in this manner will the policy crisis come to a satisfactory and stable resolution.

9 Note that the committee was quite aware of potential financial conflicts of interest among several of its members. In accordance with established National Research Council procedures, these potential financial conflicts of interest were thoroughly discussed by the committee; no one with a direct and substantial financial stake in the outcome of the report served on the committee.

ACKNOWLEDGMENTS

The full list of individuals (except for those who explicitly requested anonymity) who provided input to the committee and the study project is contained in Appendix A. However, a number of individuals deserve special mention. Michael Nelson, Office of Science and Technology Policy, kept us informed about the evolution of Administration policy. Dorothy Denning of Georgetown University provided many useful papers concerning the law enforcement perspective on cryptography policy. Clinton Brooks and Ron Lee from the National Security Agency and Ed Roback and Raymond Kammer from the National Institute of Standards and Technology acted as agency liaisons for the committee, arranging briefings and providing other information. Marc Rotenberg from the Electronic Privacy Information Center and John Gilmore from Cygnus Support provided continuing input on a number of subjects as well as documents released under Freedom of Information Act requests. Rebecca Gould from the Business Software Alliance, Steve Walker from Trusted Information Systems, and Ollie Smoot from the Information Technology Industry Council kept the committee informed from the business perspective. Finally, the committee particularly acknowledges the literally hundreds of suggestions and criticisms provided by the reviewers of an early draft of this report. Those inputs helped the committee to sharpen its message and strengthen its presentation, but of course the content of the report is the responsibility of the committee.

The committee also received a high level of support from the National Research Council. Working with the Special Security Office of the Office of Naval Research, Kevin Hale and Kimberly Striker of the NRC's National Security Office had the complex task of facilitating the prompt processing of security clearances necessary to complete this study in a timely manner and otherwise managing these security clearances. Susan Maurizi worked under tight time constraints to provide editorial assistance. Acting as primary staff for the committee were Marjory Blumenthal, John Godfrey, Frank Pittelli, Gail Pritchard, and Herb Lin. Marjory Blumenthal directs the Computer Science and Telecommunications Board, the program unit within the National Research Council to which this congressional tasking was assigned. She sat with the committee during the great majority of its meetings, providing not only essential insight into the NRC process but also an indispensable long-term perspective on how this report could build on other CSTB work, most notably the 1991 NRC report Computers at Risk. John Godfrey, research associate for CSTB, was responsible for developing most of the factual material in most of the appendixes as well as for tracking down hundreds of loose ends; his prior work on a previous NRC report on standards also provided an important point of departure for the committee's discussion on standards as they apply to cryptography policy. Frank Pittelli is a consultant to CSTB, whose prior experience in computer and information security was invaluable in framing a discussion of technical issues in cryptography policy. Gail Pritchard, project assistant for CSTB, handled logistical matters for the committee with the utmost skill and patience as well as providing some research support to the committee. Finally, Herb Lin, senior staff officer for CSTB and study director on this project, arranged briefings, crafted meeting agendas, and turned the thoughts of committee members into drafts and then report text. It is fair to say that this study could not have been carried out nor this report written, especially on our accelerated schedule, without his prodigious energy and his extraordinary talents as study director, committee coordinator, writer, and editor.

Kenneth W. Dam, Chair
Committee to Study
National Cryptography Policy

Contents

EXECUTIVE SUMMARY

A ROAD MAP THROUGH THIS REPORT

PART I—FRAMING THE POLICY ISSUES

1 GROWING VULNERABILITY IN THE INFORMATION AGE

1.1 The Technology Context of the Information Age

1.2 Transition to an Information Society—Increasing Interconnections and Interdependence

1.3 Coping with Information Vulnerability

1.4 The Business and Economic Perspective

1.4.1 Protecting Important Business Information

1.4.2 Ensuring the Nation's Ability to Exploit Global Markets

1.5 Individual and Personal Interests in Privacy

1.5.1 Privacy in an Information Economy

1.5.2 Privacy for Citizens

1.6 Special Needs of Government

1.7 Recap

2 CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE

2.1 Cryptography in Context

2.2 What Is Cryptography and What Can It Do?

2.3 How Cryptography Fits into the Big Security Picture

2.3.1 Factors Inhibiting Access to Information

2.3.2 Factors Facilitating Access to Information

2.4 The Market for Cryptography

2.4.1 The Demand Side of the Cryptography Market

2.4.2 The Supply Side of the Cryptography Market

2.5 Infrastructure for Widespread Use of Cryptography

2.5.1 Key Management Infrastructure

2.5.2 Certificate Infrastructures

2.6 Recap

3 NEEDS FOR ACCESS TO ENCRYPTED INFORMATION

3.1 Terminology

3.2 Law Enforcement: Investigation and Prosecution

3.2.1 The Value of Access to Information for Law Enforcement

3.2.2 The Legal Framework Governing Surveillance

3.2.3 The Nature of the Surveillance Needs of Law Enforcement

3.2.4 The Impact of Cryptography and New Media on Law Enforcement (Stored and Communicated Data)

3.3 National Security and Signals Intelligence

3.3.1 The Value of Signals Intelligence

3.3.2 The Impact of Cryptography on Signals Intelligence

3.4 Similarities in and Differences Between Foreign Policy/National Security and Law Enforcement Needs for Communications Monitoring

3.4.1 Similarities

3.4.2 Differences

3.5 Business and Individual Needs for Exceptional Access to Protected Information

3.6 Other Types of Exceptional Access to Protected Information

3.7 Recap

PART II—POLICY INSTRUMENTS

4 EXPORT CONTROLS

4.1 Brief Description of Current Export Controls

4.1.1 The Rationale for Export Controls

4.1.2 General Description

4.1.3 Discussion of Current Licensing Practices

4.2 Effectiveness of Export Controls on Cryptography

4.3 The Impact of Export Controls on U.S. Information Technology Vendors

4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography

4.3.2 Regulatory Uncertainty Related to Export Controls

4.3.3 The Size of the Affected Market for Cryptography

4.3.4 Inhibiting Vendor Responses to User Needs

4.4 The Impact of Export Controls on U.S. Economic and National Security Interests

4.4.1 Direct Economic Harm to U.S. Businesses

4.4.2 Damage to U.S. Leadership in Information Technology

4.5 The Mismatch Between the Perceptions of Government/National Security and Those of Vendors

4.6 Export of Technical Data

4.7 Foreign Policy Considerations

4.8 Technology-Policy Mismatches

4.9 Recap

5 ESCROWED ENCRYPTION AND RELATED ISSUES

5.1 What Is Escrowed Encryption?

5.2 Administration Initiatives Supporting Escrowed Encryption

5.2.1 The Clipper Initiative and the Escrowed Encryption Standard

5.2.2 The Capstone/Fortezza Initiative

5.2.3 The Relaxation of Export Controls on Software Products Using "Properly Escrowed" 64-bit Encryption

5.2.4 Other Federal Initiatives in Escrowed Encryption

5.3 Other Approaches to Escrowed Encryption

5.4 The Impact of Escrowed Encryption on Information Security

5.5 The Impact of Escrowed Encryption on Law Enforcement

5.5.1 Balance of Crime Enabled vs. Crime Prosecuted

5.5.2 Impact on Law Enforcement Access to Information

5.6 Mandatory vs. Voluntary Use of Escrowed Encryption

5.7 Process Through Which Policy on Escrowed Encryption Was Developed

5.8 Affiliation and Number of Escrow Agents

5.9 Responsibilities and Obligations of Escrow Agents and Users of Escrowed Encryption

5.9.1 Partitioning Escrowed Information

5.9.2 Operational Responsibilities of Escrow Agents

5.9.3 Liabilities of Escrow Agents

5.10 The Role of Secrecy in Ensuring Product Security

5.10.1 Algorithm Secrecy

5.10.2 Product Design and Implementation Secrecy

5.11 The Hardware/Software Choice in Product Implementation

5.12 Responsibility for Generation of Unit Keys

5.13 Issues Related to the Administration Proposal to Relax Export Controls on 64-bit Escrowed Encryption in Software

5.13.1 The Definition of "Proper Escrowing"

5.13.2 The Proposed Limitation of Key Lengths to 64 Bits or Less

5.14 Recap

6 OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY

6.1 The Communications Assistance for Law Enforcement Act

6.1.1 Brief Description of and Stated Rationale for the CALEA

6.1.2 Reducing Resource Requirements for Wiretaps

6.1.3 Obtaining Access to Digital Streams in the Future

6.1.4 The CALEA Exemption of Information Service Providers and Distinctions Between Voice and Data Services

6.2 Other Levers Used in National Cryptography Policy

6.2.1 Federal Information Processing Standards

6.2.2 The Government Procurement Process

6.2.3 Implementation of Policy: Fear, Uncertainty, Doubt, Delay, Complexity

6.2.4 R&D Funding

6.2.5 Patents and Intellectual Property

6.2.6 Formal and Informal Arrangements with Various Other Governments and Organizations

6.2.7 Certification and Evaluation

6.2.8 Nonstatutory Influence

6.2.9 Interagency Agreements Within the Executive Branch

6.3 Organization of the Federal Government with Respect to Information Security

6.3.1 Role of National Security vis-à-vis Civilian Information Infrastructures

6.3.2 Other Government Entities with Influence on Information Security

6.4 International Dimensions of Cryptography Policy

6.5 Recap

PART III—POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS

7 POLICY OPTIONS FOR THE FUTURE

7.1 Export Control Options for Cryptography

7.1.1 Dimensions of Choice for Controlling the Export of Cryptography

7.1.2 Complete Elimination of Export Controls on Cryptography

7.1.3 Transfer of All Cryptography Products to the Commerce Control List

7.1.4 End-use Certification

7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations

7.1.6 Liberal Export for Strong Cryptography with Weak Defaults

7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces

7.1.8 Liberal Export for Escrowable Products with Encryption Capabilities

7.1.9 Alternatives to Government Certification of Escrow Agents Abroad

7.1.10 Use of Differential Work Factors in Cryptography

7.1.11 Separation of Cryptography from Other Items on the U.S. Munitions List

7.2 Alternatives for Providing Government Exceptional Access to Encrypted Data

7.2.1 A Prohibition on the Use and Sale of Cryptography Lacking Features for Exceptional Access

7.2.2 Criminalization of the Use of Cryptography in the Commission of a Crime

7.2.3 Technical Nonescrow Approaches for Obtaining Access to Information

7.2.4 Network-based Encryption

7.2.5 Distinguishing Between Encrypted Voice and Data Communications Services for Exceptional Access

7.2.6 A Centralized Decryption Facility for Government Exceptional Access

7.3 Looming Issues

7.3.1 The Adequacy of Various Levels of Encryption Against High-Quality Attack

7.3.2 Organizing the U.S. Government for Better Information Security on a National Basis

7.4 Recap

8 SYNTHESIS, FINDINGS, AND RECOMMENDATIONS

8.1 Synthesis and Findings

8.1.1 The Problem of Information Vulnerability

8.1.2 Cryptographic Solutions to Information Vulnerabilities

8.1.3 The Policy Dilemma Posed by Cryptography

8.1.4 National Cryptography Policy for the Information Age

8.2 Recommendations

8.3 Additional Work Needed

8.4 Conclusion

APPENDIXES

A CONTRIBUTORS TO THE NRC PROJECT ON NATIONAL CRYPTOGRAPHY POLICY

A.1 Committee Members

A.2 Additional Contributors to the Project

B GLOSSARY

C A BRIEF PRIMER ON CRYPTOGRAPHY

C.1 A Very Short History of Cryptography

C.2 Capabilities Enabled by Cryptography

C.2.1 Ensuring the Integrity of Data

C.2.2 Authentication of Users

C.2.3 Nonrepudiation

C.2.4 Preservation of Confidentiality

C.3 Basic Constructs of Cryptography

C.4 Attacks on Cryptographic Systems

C.5 Elements of Cryptographic Security

C.6 Expected Lifetimes of Cryptographic Systems

C.6.1 Background

C.6.2 Asymmetric Cryptographic Systems

C.6.3 Conventional Cryptographic Systems

C.6.4 Timing Attacks

C.6.5 Skipjack/Clipper/EES

C.6.6 A Warning

C.6.7 Quantum and DNA Computing

C.6.8 Elliptic Curve Cryptographic Systems

C.6.9 Quantum Cryptography

D AN OVERVIEW OF ELECTRONIC SURVEILLANCE: HISTORY AND CURRENT STATUS

D.1 The Legal Framework for Domestic Law Enforcement Surveillance

D.1.1 The General Prohibition on Electronic Surveillance

D.1.2 Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and the Electronic Communications Privacy Act of 1986

D.1.3 The Foreign Intelligence Surveillance Act

D.2 Historical Overview of Electronic Surveillance

E A BRIEF HISTORY OF CRYPTOGRAPHY POLICY

E.1 Export Controls

E.2 Academic Research and the Control of Information About Cryptography

E.3 Commercial Cryptography

E.4 Recent Developments

F A BRIEF PRIMER ON INTELLIGENCE

F.1 The Intelligence Mission

F.2 The Intelligence Cycle

F.2.1 Planning

F.2.2 Collection

F.2.3 Processing

F.2.4 Analysis

F.2.5 Dissemination

G THE INTERNATIONAL SCOPE OF CRYPTOGRAPHY POLICY

G.1 International Dimensions of Cryptography Policy

G.2 Similarities in and Differences Between the United States and Other Nations with Respect to Cryptography

G.3 Foreign Export Control Regimes

G.4 Foreign Import and Use Control Regimes

G.5 The State of International Affairs Today

G.6 Obtaining International Cooperation on Policy Regarding Secure Communications

G.7 The Fundamental Questions of International Cryptography Policy

G.7.1 Who Holds the Keys?

G.7.2 Under What Circumstances Does the Key Holder Release the Keys to Other Parties?

G.7.3 How Will Nations Reach Consensus on International Cryptography Policy Regarding Exports and Use?

H SUMMARY OF IMPORTANT REQUIREMENTS FOR A PUBLIC-KEY INFRASTRUCTURE

I INDUSTRY-SPECIFIC DIMENSIONS OF SECURITY

I.1 Banking and Financial Services

I.2 Medical Consultations and Health Care

I.3 Manufacturing

I.4 The Petroleum Industry

I.5 The Pharmaceutical and Chemical Industries

I.6 The Entertainment Industry

I.7 Government

J EXAMPLES OF RISKS POSED BY UNPROTECTED INFORMATION

J.1 Risks Addressed by Cryptography for Authentication

J.2 Risks Addressed by Cryptography for Confidentiality

J.3 Risks Addressed by Cryptography for Both Authentication and Confidentiality

J.4 Risks Addressed by Cryptography for Data Integrity

K CRYPTOGRAPHIC APPLICATIONS PROGRAMMING INTERFACES

L OTHER LOOMING ISSUES RELATED TO CRYPTOGRAPHY POLICY

L.1 Digital Cash

L.1.1 Anonymity and Criminal Activity

L.1.2 Public Trust

L.1.3 Taxation

L.1.4 Cross-Border Movements of Funds

L.2 Cryptography for Protecting Intellectual Property

M FEDERAL INFORMATION PROCESSING STANDARDS

N LAWS, REGULATIONS, AND DOCUMENTS RELEVANT TO CRYPTOGRAPHY

N.1 Statutes

N.1.1 Wire and Electronic Communications Interception and Interception of Oral Communications (U.S. Code, Title 18, Chapter 119)

N.1.2 Foreign Intelligence Surveillance (U.S. Code, Title 50, Chapter 36)

N.1.3 Pen Register and Traffic Analysis (U.S. Code, Title 18, Chapters 121 and 206)

N.1.4 Communications Assistance for Law Enforcement Act of 1995

N.1.5 Computer Security Act of 1987

N.1.6 Arms Export Control Act (U.S. Code, Title 22, Chapter 39)

N.2 Executive Orders

N.2.1 Executive Order 12333 (U.S. Intelligence Activities)

N.2.2 Executive Order 12958 (Classified National Security Information)

N.2.3 Executive Order 12472 (Assignment of National Security and Emergency Preparedness Telecommunications Functions)

N.2.4 National Security Directive 42 (National Policy for the Security of National Security Telecommunications and Information Systems)

N.3 Memorandums of Understanding (MOU) and Agreement (MOA)

N.3.1 National Security Agency/National Institute of Standards and Technology MOU

N.3.2 National Security Agency/Federal Bureau of Investigation MOU

N.3.3 National Security Agency/Advanced Research Projects Agency/Defense Information Systems Agency MOA

N.4 Regulations

N.4.1 International Traffic in Arms Regulations (22 CFR, Excerpts from Parts 120-123, 125, and 126)

N.4.2 Export Administration Regulations

INDEX

CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY

National cryptography policy entails a complex juggling act among a number of different interests. A member of the National Research Council's Committee to Study National Cryptography Policy, Ronald Graham (pictured above) is also a member of the National Academy of Sciences and a past president of the International Juggling Association. Photograph by Ché Graham.

×
Page R25
Page xxvi Cite
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R26
Page xxvii Cite
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R27
Page xxviii Cite
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R28
Page xxix Cite
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R29
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R30
Page xxxi Cite
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R31
Page xxxii Cite
Suggested Citation:"Front Matter." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page R32
Next: Executive Summary »
Cryptography's Role in Securing the Information Society Get This Book
×
Buy Hardback | $80.00 Buy Ebook | $64.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

For every opportunity presented by the information age, there is an opening to invade the privacy and threaten the security of the nation, U.S. businesses, and citizens in their private lives. The more information that is transmitted in computer-readable form, the more vulnerable we become to automated spying. It's been estimated that some 10 billion words of computer-readable data can be searched for as little as $1. Rival companies can glean proprietary secrets . . . anti-U.S. terrorists can research targets . . . network hackers can do anything from charging purchases on someone else's credit card to accessing military installations. With patience and persistence, numerous pieces of data can be assembled into a revealing mosaic.

Cryptography's Role in Securing the Information Society addresses the urgent need for a strong national policy on cryptography that promotes and encourages the widespread use of this powerful tool for protecting the information interests of individuals, businesses, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes. This book presents a comprehensive examination of cryptography—the representation of messages in code—and its transformation from a national security tool to a key component of the global information superhighway. The committee enlarges the scope of policy options and offers specific conclusions and recommendations for decision makers.

Cryptography's Role in Securing the Information Society explores how all of us are affected by information security issues: private companies and businesses; law enforcement and other agencies; people in their private lives. This volume takes a realistic look at what cryptography can and cannot do and how its development has been shaped by the forces of supply and demand. How can a business ensure that employees use encryption to protect proprietary data but not to conceal illegal actions? Is encryption of voice traffic a serious threat to legitimate law enforcement wiretaps? What is the systemic threat to the nation's information infrastructure? These and other thought-provoking questions are explored.

Cryptography's Role in Securing the Information Society provides a detailed review of the Escrowed Encryption Standard (known informally as the Clipper chip proposal), a federal cryptography standard for telephony promulgated in 1994 that raised nationwide controversy over its "Big Brother" implications. The committee examines the strategy of export control over cryptography: although this tool has been used for years in support of national security, it is increasingly criticized by the vendors who are subject to federal export regulation.

The book also examines other less well known but nevertheless critical issues in national cryptography policy such as digital telephony and the interplay between international and national issues. The themes of Cryptography's Role in Securing the Information Society are illustrated throughout with many examples—some alarming and all instructive—from the worlds of government and business as well as the international network of hackers. This book will be of critical importance to everyone concerned about electronic security: policymakers, regulators, attorneys, security officials, law enforcement agents, business leaders, information managers, program developers, privacy advocates, and Internet users.
