17 October 1998
Thanks to Vin McLelland

IAB, BXA, Cisco, Reinsch, Aaron - Private Doorbells

	On the Cryptography list, Perry Metzger
<perry@piermont.com> offered the Internet Architecture
Board's 15 October statement on "'Private Doorbell'
encryption." (Text appended below.)

	The IAB statement is probably best understood if you
first read the recent interview with US Under Secretary of
Commerce William Reinsch in the September issue of
Information Security magazine. See:

	Mr.Reinsch, the guy who runs the DoC's Bureau of Export
Administration (BXA), seems to be the Clinton Administration's 
domestic point man on crypto export policy. It is one of 
Reinsch's more endearing qualities that he also seems 
self-conscious about the subtle interaction between his BXA 
export controls on crypto, the overseas market for
crypto-enhanced products, and the type of crypto that gets
sold and bought in the domestic US market.

	Many in the industry now see the US government's export
controls less as a program to control non-Americans' access
to strong crypto, and more of a bludgeon to force hopeful
exporters into secret deals with the NSA and FBI. Getting a
crypto export license in the US is not a public or
transparent process. In recent years, the government
approval process has typically involved such arbitrary
judgements on the part of the Commerce Department and NSA
staff that there has been no rational way of predicting if a
product will be approved or not. Such a process leaves a lot
of room for quiet deals and maximizes the government's
ability to apply pressure on corporations.

	In the magazine interview, Reinsch offers an awkward
summary of US policy on export controls and domestic crypto
controls.  The article makes a fascinating counterpoint to
the Oct. 13th speech on US Crypto Policy by US Under
Secretary of Commerce (for International Trade) David Aaron
before the Federation of German Chambers of Industry and
Commerce. See: http://jya.com/aaron101398.htm

	Aaron actually gives a better and more informed summary
of US export regs, but Reinsch is able to at least
acknowledge that the US intelligence community and US
eavesdroppers overseas are players in US crypto policy.

	(Aaron, in Germany, had to make believe that US controls
on crypto exports -- and the overseas push to get other
nations to restrict the quality of the crypto their citizens
are permitted to use -- is simply an initiative on the part
of the FBI and other US law enforcement agencies. The War
against child porn, drugs, terrorism, etc., etc.)

	Reinsch's suggestion that the US software firms which
were forced to design key recovery versions of their
cryptographic or crypto-enhanced products (because that was
the _only_ way they could service their overseas customers
with 56-bit crypto) are doing this development because they
smell a Market Demand (not because they had been
blackmailed) is notably ludicrous, but par for the course.

	The most striking thing about this interview was the way
Reinsch positioned Cisco's "Private Doorbell" proposal as a
potential solution to both the FBI's fears about widespread
use of strong crypto inside the US, and the NSA's worries
about the use of strong crypto in e-mail and other
communications by non-Americans anywhere.

	Reinsch suggested that the Cisco-crafted proposal --
basically, a loud suggestion that the government should wake
up to the potential for obtaining  cleartext from the
managers of link-encryption switches and servers, and quit
bothering honest merchants trying to sell link-crypto
enabled network equipment overseas -- might be a
"compromise" solution to the thorny issue of eavesdropping
options for encrypted e-mail and other communications.

	The way Reinsch used it to redefine e-mail security may
have surprised a lot of people (including, I'm sure, the
Cisco policy maven who originally developed the concept.)

	Reinsch seems to believe that Cisco's "Private Doorbell"
initiative -- or perhaps some other mega-trend his advisors
have perceived -- indicates that corporations in the US and
overseas, as a matter of policy, will begin to deny
employees (or customers) access to PC-based end-to-end
crypto. Instead, corporate policy will force them to
"secure" e-mail and other communications soley with
link-encryption or crypto systems with overt
corporate-message-recovery (CMR) options.

	As an alternative to end-to-end crypto for e-mail, this
sounds fairly far-fetched... until you recall the mechanics
of PGP for Business (one of the NSA's quiet domestic
triumphs) and the US Government-approved cryptographic
security offered in Microsoft's new WebTV product.

	WebTV has just been licensed by Reinsch's BXA to be sold
almost anywhere overseas with e-mail and other messaging
options protected by a 128-bit RC4 cryptosystem.  E-mail,
http, and WebTV command channel messages are passed up to
the WebTV server protected by 128-bit RC4 in a proprietary
VPN protocol. (The WebTV designers were not allowed to use
SSL.) Given the BXA export permit, I presume that WebTV
messages are potentially accessible at the WebTV server,
before they are passed over to the Internet.

	The implications of this new US Govt fixation on the
network servers and switches as the access point for
surreptitous eavesdropping on e-mail and other
communications protocols apparently surprised the Internet
Society too.

	Yesterday (within a day or two of the Reinsch interview
being published on-line, I believe) the Internet
Architecture Board and the IESG -- the political and
technical High Command for the Net -- punched out a brief
but forceful policy document which directly challenged
Reinsch's expectations.

	The IAB pointed out that the idea of network switches as
effective Points of Interception only works if you presume
that there are other restrictions on people's use of strong
end-to-end crypto at the desktop. Such restrictions are
overtly counterproductive, they said, and threaten to "warp
the protocol structure" -- whatever that might mean.

	"This is in conflict with the 'end-to-end' principle, a
fundamental tenet of the Internet architecture," warned the
Board. To require link encryption "in all places (and to
exclude end-to-end encryption) would warp the protocol
structure. Furthermore, it offers a significantly lower
level of security, in that there is no longer protection
against inside attacks, which by all accounts are a serious

	Reinsch, in his interview, said that he expected
employers to deny employees access to desktop end-to-end
crypto, and force them to rely upon network crypto,"for
employee control purposes."

	He seemed certain that corporate distrust of employees
-- in America? in Social Democratic Europe? -- is strong
enough to outweigh the security advantages of end-to-end
crypto and to justify a vast impowerment of corporate
rent-a-cops (who, in this scenario, are usually expected to
read, vet, and report upon all e-mail and file transfers
through the corporate firewall.)

	This is actually a more plausible argument today than it
has been anytime in the past 20 years. Most companies have
only connected to the Net in the past five years. Workplace
conventions about Net use have not yet evolved. Many US
companies are still confused about how to deal with the
"legal" opportunity to listen or filter their employees'
at-work use of the Internet.

	While many Europeans find this sort of routine
surveillance of employees amazing -- and many European
nations outlaw it -- in the libertarian US, there are few
constraints on employers and few privacy rights for
employees on the job. As a result, the rent-a-cop
surveillance model is being tried in many US companies, and
the various online discussion groups for Firewall experts
are full of vendors and consultants promoting various
keyword and delay-loop technologies for corporate
eavesdropping on employee communications. As might be
expected, the US government is also promoting it in the
Defense industries, the government market, and in the
regulated US finance and brokerage industries.

	Given all the marketing noise today about content
filters and the talk of censors (human and virtual) for
information flowing through the corporate firewall, I can
see where the FBI (and maybe even the NSA) finds hope in
this analysis. The FBI gets what it wants overseas -- and
that may make it more likely they will get it in the US too
-- and the NSA gets an inherently weaker communications
security system (which is about the best they can expect in
the light of day anyway.)

	As the IAB quickly concluded, however, none of these
"Private Doorbell" pipe dreams mean much of anything unless
strong end-to-end crypto is forbidden, by national law or
corporate convention.

	Even in the US corporate culture, that assumption seems
a long shot.

	We have ahead of us both Clinton's Presidential
Impeachment Hearings and one or several Microsoft antitrust
cases. These are two seminal legal and political events
which can be expected to trenchantly highlight the dangers
of collecting old memos (all memos?) in some musty archive
-- and/or rashly presuming that data "erased" on a hard disk
is truly gone.

	Many impressionable minds (lawyers and CIOs among them)
will be led to the conclusion that keeping records of
everything you write, or everything your employees write  --
or letting the System keep such records -- is idiotic,
irresponsible, and self-destructive.

	There is also a deeply-rooted US corporate tradition of
restricting access to sensitive info on a Need-to-Know
basis. Surveillance isn't really the same thing as personnel
managment, but US government and DoD folks often confuse the
two.In the military, an elite class of employees (with
security clearances) watches everyone else, and handles
information that others are not allowed to know or touch.
The corporate world doesn't think that way, or work on that
model. That is something one might expect the NSA and others
to have learned in the 20 years they tried to restructure
the US computer market to fit the MLS Orange Book.



	"Cryptography is like literacy in the Dark Ages.
Infinitely potent, for good and ill... yet basically an
intellectual construct, an idea, which by its nature will
resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto  _vbm.

*    Vin McLellan + The Privacy Guild + <vin@shore.net>    *
    53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548


- - - IAB Statement --------------

To: IETF-Announce
Subject: IAB statement on "private doorbell" encryption
From: The IAB <iab@ietf.org>
Date: Thu, 15 Oct 1998 10:35:10 -0400

	The IAB and IESG are concerned by published descriptions
of the "private doorbell" approach to resolving the
encryption controversy. Essentially, the private doorbell
requires that encryption and decryption be done at a
gateway, rather than at an end system; see


for one description.  This is in conflict with the
"end-to-end" principle, a fundamental tenet of the Internet
architecture.  While there is certainly a place for
gateway-based encryption in some circumstances, to require
it in all places (and to exclude end-to-end encryption)
would warp the protocol structure.  Furthermore, it offers a
significantly lower level of security, in that there is no
longer protection against inside attacks, which by all
accounts are a serious threat.

	In addition, putting all security at the gateway ignores
the need for different levels of protection in different
situations.  For some applications, encryption to the
gateway may suffice.  Others may require encryption and
cryptographic authentication of the individual machine or
even user.  Should a strong encryption algorithm be used, or
a very efficient one?  It is very difficult to make these
decisions anywhere but the end-system.  But the "private
doorbell" scheme would block deployment of such fine-grained