22 July 1998: Link to Netscape
presentation cited in text
21 July 1998
Thanks to MO
The long, strong arm of the
By Ellen Messmer
Network World, 7/20/98
Fort Meade, Md. - Back in the days of the cold war, Washington insiders used
to joke that NSA stood for "No Such Agency." The government denied the very
existence of this group, which is dedicated to intercepting and decoding
That was then. Today the National Security Agency is well known, and spends
a lot of time leaning on software, switch and router vendors, pushing them
to re-tool their products. The agency's goal: to ensure that the government
has access to encrypted data.
The industry is facing a year-end deadline to add a government-approved back
door into network gear. Vendors that don't provide this access risk losing
Cruising up and down Silicon Valley, NSA spooks from the agency's Fort Meade
headquarters have been making pit stops at companies ranging from industry
leaders Netscape Communications Corp. and Sun Microsystems, Inc. to start-ups
such as VPNet Technologies, Inc. in order to get a peek at products still
on the drawing board.
The NSA wants software vendors to make sure that any product with strong
encryption have some way for the government to tap into the data. And because
practically every commercial network application, router or switch these
days includes encryption or an option for it, almost every vendor now has
to answer to the NSA if it wants to export.
Hot line to the NSA
It's gotten to the point where no vendor hip to the NSA's power will even
start building products without checking in with Fort Meade first. This includes
even that supposed ruler of the software universe, Microsoft Corp. "It's
inevitable that you design products with specific [encryption] algorithms
and key lengths in mind," said Ira Rubenstein, Microsoft attorney and a top
lieutenant to Bill Gates. By his own account, Rubenstein acts as a "filter"
between the NSA and Microsoft's design teams in Redmond, Wash. "Any time
that you're developing a new product, you will be working closely with the
NSA," he noted.
When it comes to encryption, it's widely known that a 40-bit encryption key
is easily breakable and hence rather useless. Until not long ago, this is
what the U.S. government allowed for the export of software.
But the Clinton administration a year and a half ago said it would allow
the export of products with stronger encryption keys by any vendor that agreed
to add a "key-recovery" feature to its products by year-end - giving the
government access to encrypted data without the end user's knowledge.
According to Bill Reinsche, Department of Commerce undersecretary for the
Bureau of Export Controls [sic], about 50 vendors have submitted plans
for government-approved key-recovery, also called data-recovery. These companies,
which include IBM, were rewarded with Key Management Infrastructure (KMI)
export licenses to export products with 56-bit or stronger encryption until
But some companies are discovering that dealing with the Commerce Department
for a KMI license means more involvement with the NSA.
The Bureau of Export Control [sic] is actually just a front for the
NSA, said Alison Giacomelli, director of export compliance at VPNet Technologies,
Inc., a San Jose, Calif.-based vendor of IP-based encryption gateways. "The
NSA has sign-off authority on these KMI licenses," Giacomelli said. In return
for the KMI license, VPNet opened itself up for an NSA audit.
"They've already come out once, and they'll be coming out again," Giacomelli
said. VPNet remains committed to meeting the deadline for adding key-recovery
to its product but has one major problem: uncertainty about what the NSA
really wants. The confusion means "there's a lot of risk . . . in terms of
engineering and resources," Giacomelli said.
Clearly wary of granting the government supervision over its products, Microsoft
has stubbornly refused to submit a data-recovery plan, even though the Redmond
giant already includes a data-recovery feature in its Exchange Server.
"The Exchange Server can only be used when this feature is present," Rubenstein
said. "Because we haven't filed a product plan, it's harder for us to export
this than for companies that have filed plans."
But in an odd-couple sort of joint-partner arrangement, Microsoft and the
NSA did work together to build what's called Server Gated Cryptography. Primarily
intended to help banks use Web servers to do business internationally, the
technology lets a server with a special digital certificate provide 128-bit
encryption support to a Web browser outside the U.S.
Sybase, Inc., which also submitted a plan to add key-recovery to its products,
found it hard to satisfy the government's demands. "They approved our
technological approach but disapproved each of our applications with it,"
said Sybase President and CEO Mitchell Kertzman. "It's been frustrating."
Documents recently obtained under the Freedom of Information Act (FOIA) by
the Washington, D.C.-based Electronic Privacy Information Center contain
plan Netscape filed at the Commerce Department last year.
Netscape's plan explains that the "escrow of private encryption keys" could
be achieved by developing client and server products that can only issue
an X.509 digital certificate after the private key has been escrowed. The
key can only be held by an entity chosen by the intranet administrator who
handles security policy.
The Netscape plan called for introducing a certificate server with recovery
capabilities in the first quarter of this year, with the introduction of
S/MIME clients with basic recovery features in the second quarter.
Netscape hasn't actually carried out this plan, and the company declined
to discuss it. Netscape attorney Peter Harter would only say officially,
"We had no choice but to submit the plan, no matter how much we opposed
key-escrow, in order to be part of the ongoing dialog."
Other FOIA documents show that Netscape was regularly briefing the NSA on
its product plans since 1996 and that then NSA Deputy Director William Crowell
took a special interest in trying to dissuade Netscape from using strong
Crowell, now vice president for product marketing and strategy at
Cylink Corp., said he had frequent
discussions with Netscape, especially concerning changes to Netscape Navigator.
"Their product didn't have a separate signature key, so if the government
used the product for key-escrow later, you'd have to store the signature
key with a third party, which we thought was a bad idea," Crowell said. He
added that Netscape Navigator 3.0 adopted the changes the NSA wanted.
According to Crowell, the NSA has a great deal of expertise in securing
communications, and it wants to ensure that products bought by the Defense
Department meet NSA standards. "In addition, as part of the NSA's intelligence
mission, [the agency needs] to have a thorough understanding of where commercial
products are headed."
Taher Elgamal, author of the Netscape data-recovery plan, who recently left
Netscape to start his own venture, said Netscape had no choice but to maintain
constant contact with the NSA. "They're costing the industry a lot of money,"
Others agree. "Everyone in Silicon Valley, including us, has to have specific
staff - highly paid experts - to deal with them," said Chris Tolles, security
group product manager at Sun. "Their job is to wrangle this from a policy
Sun has had run-ins with the NSA in the past. Two years ago, the NSA objected
to Sun including encryption in the exportable version of Java 1.1. The end
result was that Sun stripped encryption out of Java 1.1 and the software
was delayed by about six months.
Charge it to the
By Ellen Messmer
Network World, 7/20/98
The National Security Agency (NSA), with an estimated 40,000 employees, works
hard to make U.S. military encryption devices rock solid, the agency is inclined
to weaken commercial encryption when it can because strong encryption impedes
the agency's mission of data collection.
In one instance, the spy agency forced MasterCard International, Inc. to
dumb down the Secure Electronic Transaction (SET) credit-card encryption
When MasterCard first thought of creating SET for credit-card encryption,
"we ran over to the government to tell them what we wanted to do," said John
Wankmuller, MasterCard's principal in charge of electronic commerce. However,
the NSA quickly threw a damper on the company's enthusiasm. "They told us
what we wouldn't do," Wankmuller said.
The NSA nixed the idea that SET should be able to encrypt the customer's
entire purchase information, limiting the encrypted fields to the account
number, amount and the expiring date, Wankmuller said. "In the end, it's
a very small amount of data that gets encrypted."
But in other areas, the NSA has also had less confrontational contact with
The agency played the lead role at the IETF in developing two protocols,
one called IP Security and the other called Internet Key Exchange, which
is gaining wide acceptance in products and among users in the automotive
manual: Dodging the rules
By Ellen Messmer
The National Security Agency (NSA) wrote the export
rules on encryption. But from the point of view of corporations that want
to ship U.S. software to their foreign offices, getting around the U.S. export
rules is a top priority.
And even for those who used to work at the NSA, it's still a challenge.
"Well, I wrote those export rules when I was at the NSA," confessed Russell
Davis, now chief of information technology security at SBC Warburg Dillon
Read, a division of Swiss Bank Corp., which operates in 77 countries. Since
joining the corporate life, Davis has used his knowledge of the NSA to find
ways to work around the export system on behalf of his customer, the bank,
which uses a lot of encryption-based security gear.
"It took 17 months to figure out how to get crypto-based smart cards to Swiss
facilities and elsewhere," Davis said. "But I wrote the rules on all this,
and I know how to get around them." Would he ever consider using
"Never," Davis declared. "My customers come first!"
"Our customers just aren't going to buy these types of products," said Tom
Carty, vice president of business development for GTE CyberTrust. He agreed
the government is leading industry down a path to build products few users
will willingly buy.
Another sidebar reports on Cisco's "Private Doorbell" proposal: