13 July 1998; add JG message and WSJ article; add KE message; add PK message

To: cypherpunks@cyberpass.net
Subject: "breakthrough possible" on crypto law
Date: Mon, 13 Jul 98 00:42:35 -0700
From: "Vladimir Z. Nuri" <vznuri@netcom.com>

------- Forwarded Message

Date: Sun, 12 Jul 1998 07:19:12 -0500
To: believer@telepath.com
From: believer@telepath.com
Subject: IP: Encryption Battle Breakthrough Possible

Source:  Washington Post

Breakthrough Possible in Battle Over Encryption Technology

By Elizabeth Corcoran
Washington Post Staff Writer
Sunday, July 12, 1998; Page A08 

A coalition of high-tech companies plans to unveil a plan tomorrow it
hopes will persuade the U.S. government to dramatically loosen export
restrictions on sophisticated data-scrambling technology. Government
officials say they are cautiously optimistic that the coalition's approach,
dubbed the "private doorbell," will win their approval.

The industry group hopes to win a license to export the technology as part
of "routers," computer hardware and software that transmit data over
electronic networks. If approved, the proposal will mark an important shift
in the more than five-year struggle over encryption technology that has
pitted the government against high-tech companies and privacy advocates. 

The coalition of about 10 companies is led by networking giant Cisco
Systems Inc.

There are no restrictions on use of encryption technology in the United
States. But both law enforcement and national security agents have long
worried that if sophisticated encryption technology becomes widely used, it
will hinder their efforts to track down terrorists and criminals. As a result,
the government has tightly controlled the export of such technology,
reasoning that U.S. companies are unlikely to build different types of
encryption products for use at home and abroad. 

Computer companies and privacy advocates, however, argue that
unfettered access to the strongest forms of encryption is essential to
ensuring privacy and promoting commerce in the information age. The
conflicting concerns for privacy and security have made for a bitter
ideological battle.

Recently, officials on both sides have been struggling with whether they
should devise a global solution or put together a mosaic of regulations that
lets some companies sell sophisticated products to certain users under
certain conditions. If the government and the private companies agree on
the doorbell proposal, that would solidify the more piecemeal approach.
The doorbell proposal also would be an important piece in the mosaic
because it would make sophisticated encryption technology much more
available than it is today. 

"The administration and the industry have all hit on the notion that they
should take this a bite at a time," said Stewart Baker, former general
counsel for the National Security Agency and now an attorney in private
practice in Washington.

"We're pushing the issue, bringing it to a head," said John Chambers,
Cisco's chief executive. If industry is broadly restricted from selling its best
encryption products abroad, "I think you slow down the growth in
business's ability to use the Internet [and to] have influence over how it
evolves," he said.

Other companies in the coalition include Sun Microsystems Inc., Novell
Inc., Hewlett-Packard Co. and Network Associates, which makes
security software. Although other major names in the industry, including
Intel Corp., Microsoft Corp. and Netscape Communications Corp., are
not currently filing for a "private doorbell" license, those companies said
they support the approach. 

Here's how it would work: Many organizations, whether they are private
companies or Internet service providers, serve as gateways for managing
the electronic messages sent by their employees or subscribers. Just before
messages are released to the Internet, such organizations could encrypt or
scramble them to protect the content from unwanted eavesdroppers.

Every snippet of electronic mail carries with it the Internet address of the
sender and receiver. And "routers," the equipment that oversees the traffic,
can be programmed to fish out specific addresses from the stream of data
flowing through them. So either just before outgoing mail is scrambled or
after incoming mail is deciphered, a router could pull out messages that law
enforcement officers would specify in a warrant.

"We think this is a simple market solution to a complicated problem," said
Kelly Huebner Blough, director of government relations at Network
Associates in Santa Clara, Calif. 

Americans for Computer Privacy, a lobbying organization focused on
encryption, is strongly backing the "private doorbell" plan, said its counsel,
Jeffrey Smith. "It's true that this does not give the government everything it
wants," he said. But it shows how industry and government can work
together to solve the encryption problem, piece by piece, he added.

"We think it's a fair compromise," said Dan Scheinman, vice president of
legal affairs for Cisco. "Law enforcement gets legitimate access to data and
people have a reasonable expectation of privacy when they use [data]
networks, just like they have with the phone system." 

Cisco executives contend their solution mirrors how law enforcement
works in telephone tapping. But to get what they're after this time,
authorities need the cooperation of whoever manages the router.

"This doesn't solve the problem of what happens if the manager of the
network is corrupt," Scheinman said. But he noted that if a phone system
manager is corrupt, authorities would have the same problem. Similarly, the
proposal does not stop an individual from encrypting a message on a home
personal computer.

Overseas, U.S. law enforcement would have to have the cooperation of
local authorities as well as the relevant network managers to get access to
information. Again, this is what they currently have to do when they want
to monitor telephone calls.

Sources said U.S. domestic law enforcement agencies, which are
accustomed to working with court warrants for wiretaps, are willing to
accept this proposal. However, strong opposition continues to come from
the National Security Agency, which today can eavesdrop on
communications overseas without asking permission from anyone.

Under current regulations, companies wanting to export powerful
encryption products must create a plan to build a "spare key" into their
systems. Such keys are stored by a "trusted" party -- either an independent
organization or perhaps the company itself -- that would surrender the
keys to law enforcement officials equipped with the proper warrant.

Privacy advocates also have argued the current system is vulnerable
because any collection of spare keys makes data potentially more
accessible to eavesdroppers. But David Sobel, counsel with the Electronic
Privacy Information Center, stopped short of endorsing the new doorbell
proposal. Any effort that lets people better protect their information
improves privacy, he said. But, he cautioned, relying on a third party such
as a company or Internet service provider to ensure security raises privacy

© Copyright 1998 The Washington Post Company
- -----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is
distributed without profit or payment to those who have expressed a prior
interest in receiving this information for non-profit research and
educational purposes only. 
- -----------------------

To subscribe or unsubscribe, email:
with the message:
     (un)subscribe ignition-point email@address


------- End of Forwarded Message

Date: Mon, 13 Jul 1998 07:17:15 -0700 To: cryptography@c2.net From: James Glave <james@wired.com> Subject: Cisco, NAI propose new key recovery (I'm a journalist doing a story for Wired News (http://www.wired.com) on this new proposal put forth by Cisco and NAI for building key recovery into routers. If anyone wants to chat about it, please drop me a note to james@wired.com or give me a call at (415) 276-8430. I expect to publish by 9am PST monday - thanks all.) July 13, 1998 Cisco to Offer New Approach To Encryption Technology By RALPH T. KING, JR. and JOHN SIMONS Staff Reporters of THE WALL STREET JOURNAL A computer-industry group will offer Monday a new approach to encryption technology that would keep electronic messages secure but still enable government officials to "eavesdrop" for law enforcement. The group, led by Cisco Systems Inc., San Jose, Calif., hopes the solution will persuade the government to ease export restrictions that have made overseas competition difficult for U.S. hardware and software manufacturers. Government officials and computer- industry representatives have been locked in a frustrating impasse for years, unable to resolve Federal Bureau of Investigation concerns that encryption products would help criminals mask their misdeeds in e-mail and other types of communication. Various past plans that initially seemed promising have proved unworkable. Advocates of the Cisco proposal say their approach is not foolproof, but hope it could finally begin to break the logjam. "It's not the complete answer, but it's a very positive step," said Gene Hodges, vice president of marketing for Network Associates Inc. in Santa Clara, Calif. Members of the group seeking export licenses for the technology besides Cisco and Network Associates include Sun Microsystems Inc., Palo Alto, Calif.; Novell Inc., Provo, Utah; and Hewlett- Packard Co., Palo Alto. Other companies supporting the initiative are Microsoft Corp., Redmond, Wash.; Intel Corp., Santa Clara; and Netscape Communications Corp., Mountain View, Calif. White House officials said the plan helps lead industry and government in a "refreshing new direction" in its pursuit of an agreeable solution to encryption export controls. "We welcome this creative and innovative plan," said an administration official familiar with the proposal. The technology would allow data to be scrambled for privacy but provide restricted access to it at the beginning and end of each transmission, the access points, so-called "private doorbells," are inside routers, the computers that direct data traffic, or inside software that control such networks. In simple terms, the system works as if it were operating at both ends of a string connecting two tin cans. Data travels down the string in scrambled form. But before it leaves one can, and once it reaches the other, it is unscrambled and can be retrieved if the address of the sender or receiver are known. The routers, or the controlling software, can be programmed to pull out the messages to or from a specific address. But under certain scenarios, the approach might not work. For example, if two parties encrypted their messages before sending them, the intercepted traffic would be impossible to decipher. So-called end-to-end encryption is widely available. "There are limits to what this technology can do," said an executive with one of the member companies. "This is a lock on a door, but there will need to be other locks on doors, as well, to achieve the kind of security we want." Officials at both the Commerce and Justice departments will review the plan in the coming weeks. According to one administration official, "We expect that there will be a number of issues that will need to be resolved. We want to be sure that the approach strikes a good balance between protecting business information and national security and law-enforcement interests." James Glave, News Editor, Wired News, http://www.wired.com  (415) 276-8430
Date: Mon, 13 Jul 1998 12:03:58 -0400 To: cryptography@c2.net From: Kathleen Ellis <ellis@epic.org> Subject: Cisco et. al. to build GAK into routers Note the conference call information at the bottom. (!) I just bought & installed a new NetGear (Bay Networks) ethernet hub for EPIC..now I'll probably be sending it back. from http://www.cisco.com/warp/public/146/july98/3.html Thirteen High-Tech Leaders Support Alternative Solution to Network Encryption Stalemate Ascend, Bay Networks, Cisco Systems, 3Com, Hewlett-Packard Company, Intel, Microsoft, Netscape Communications, Network Associates, Novell, RedCreek Communications, Secure Computing, Sun Microsystems support alternative solution to win U.S. export relief Encryption White Paper SAN JOSE, Calif. -- July 13, 1998 -- Thirteen leading high-tech companies today announced support for a 'private doorbell' solution to the network encryption stalemate called 'operator action.' Ten of the 13 companies filed proposals with the U.S. Department of Commerce last week, asking for permission to sell strong encryption products abroad that use operator action technologies. An alternative to key recovery, the operator action model delivers a 'private door-bell,' not a 'house-key' to parties lawfully seeking access to data. Under the operator action model, information traveling over a data network remains secure and private unless a network operator is served with a legal warrant or court order. Once served, the network operator can access a network control switch that actively filters messages delivered over a private network or the public Internet. The solution allows customers to keep their private information 'private,' unless directed to disclose information by legal warrant or court order. While this effort represents a partial solution to the encryption debate, industry is committed to work together toward a complete solution. An Industry Solution Ascend, Bay Networks, Cisco Systems, 3Com, Hewlett-Packard Company, Intel, Microsoft, Netscape Communications, Network Associates, Novell, RedCreek Communications, Secure Computing, Sun Microsystems jointly support the industry alternative, which balances the privacy needs of individuals and businesses with the security needs of U.S. law enforcement. Today's announcement reflects the convergence of thirteen companies around a technology concept that addresses the complex issue of accessing encrypted information over data networks. The filings request broad export relief for a range of networking products including most firewalls, VPNs (Virtual Private Networks), and E-commerce products. Industry leaders have been working to define an operational standard since October 1997. "As the global public network becomes increasingly important to both business and consumers, resolving issues such as exportation of security technology become more and more critical," said Mory Ejabat, CEO of Ascend Communications. "We fully support this effort as we believe it meets the needs of both the public and private sector." "Bay Networks and other American companies have developed the world's leading encryption technology," said Dave House, chairman, president, and CEO of Bay Networks. "Our overseas customers want that technology and the privacy that goes with it, and this solution will allow us to export our technology, instead of handing the business over to foreign companies." "As the Internet continues to drive economic and job opportunities worldwide, it's important customers feel safe doing business on the web," said John T. Chambers, president and CEO of Cisco Systems. "This industry proposal extends the same privacy rights we enjoy today to tomorrow's digital world, delivers a market-driven solution our customers want, and secures a competitive advantage for the U.S. high-tech industry." "U.S. technological leadership depends on a reasoned resolution to this debate," said Eric Benhamou chairman and CEO of 3Com. "Continued evolution of converged networks will require balancing the needs of businesses and government agencies concerning data security." "We are committed to providing our worldwide customers the network security that they demand," said William Larson, CEO of Network Associates. "The industry is presenting an innovative solution that meets both market and government requirements for network layer encryption." "Relief from export controls is an industry wide matter," said Jim Barksdale, president and CEO of Netscape. "We believe the "private doorbell" feature, if successful, will demonstrate that industry and government can work together. Further relief, however, will be necessary in the near term, if US vendors are to remain ahead of their overseas competitors." "This solution represents a real step forward for U.S. encryption policy," said Eric Schmidt, CEO of Novell. "At last, we have a market solution that meets the needs of consumers, corporations, law enforcement and national security." "RedCreek believes that the adoption of this proposal is essential to the healthy development of the market for products that address business use of the Internet," said Tom Steding, CEO of RedCreek Communications Inc. "This international market has in the main been denied to U. S. companies. Particularly for VPN companies, our ability to compete internationally will be significantly restored by its adoption." "It is vital for our customers to be able to implement technology on a global level, without country-specific restrictions limiting their use or effectiveness," said Jeff Waxman, CEO and Chairman of Secure Computing Corporation. "Security is a top priority for multi-national corporations and this action, which attempts to find a solution, will help move the promise of ubiquitous security to a reality." Critical Differences from Key Recovery The proposal is a compelling alternative in the network space to key recovery. Protecting privacy and due process rights, the industry proposal delivers an important solution for securing data over a public or private network. In seeking government export approval, the companies made no modifications to their products or encryption technology. The companies however offered to restrict sales to some foreign governments and militaries, and to continue to comply with existing U.S. Department of Commerce regulations. Cisco Systems Cisco Systems, Inc. (NASDAQ: CSCO) is the worldwide leader in networking for the Internet. News and information are available at http://www.cisco.com. For more information visit Cisco PR Contacts # # # A copy of the white paper on encryption export is available at the following URL: http://www.cisco.com/warp/public/146/july98/2.html Editor Note: Conference call with industry executives July 13, 1998 11 am - 1 pm PDT (888) 527-4180, ID : 8903
Date: Mon, 13 Jul 1998 11:24:06 -0700 (PDT) From: Phil Karn <karn@qualcomm.com> To: cryptography@c2.net Subject: Re: Cisco et. al. to build GAK into routers I just read the Cisco white paper. They're proposing simply that there be plaintext back doors into encryption boxes that operate at less than an end-to-end level and are operated by entities other than the one under investigation. A good example would be a tunnel-mode IPSEC gateway operated as part of a company's virtual private network when the target of the investigation is, say, an employee. This hardly creates a new vulnerability, at least not in principle. It merely illustrates a basic security principle we've known for a very long time: security mechanisms should always be placed as close as possible to the entities that they protect. And to prevent conflicts of interest, they should be controlled by the same entities whose data they are protecting. In other words, user-controlled end-to-end encryption is the only way to go, and only a fool trusts someone else to encrypt his data for him. We've *always* known that. Tunnel-mode IPSEC is still useful as a way of allowing an employee to penetrate a corporate firewall from the outside when he travels.  But the user must remember that the encryption here is for the company's benefit, not his own. Tunnel-mode IPSEC is still no substitute for end-to-end encryption controlled by the user himself. Phil