2 January 2010. Cryptome: By comparing redactions of the Tom Johnson document at the National Security Archive with redactions in the one released by NSA to Cryptome, a number of differences were seen which revealed additional information. Red text below shows the differences. See Whitfield Diffie's comments, linked below.
2 January 2010. Whitfield Diffie writes 1 January 2010:
Here are my comments on the NSA document you received. It turns out to be from Book III: Retrenchment and Reform of Tom Johnson's multi-volume history of NSA released under a different FOIA request in 2008. On balance this document is less heavily redacted than Johnson's full history but that version does answer some questions about this one. http://cryptome.org/0001/diffie-nsa.htm
[And, later] Note that the most important thing about finding out that this is from Johnson is that it deprives it of a good bit of authenticity. This volume of Johnson's history is dated 1998. It is not a contemporary memo on the subject nor even a contemporary account. 1 January 2010.
Craig Bauer (cbauer[at]ycp.edu) brought the Joseph Meyer letter to Cryptome's attention.
Professor Martin Hellman has provided comments on the following documents, a chapter of a planned book on the topic, and a copy of the Joseph Meyer letter and related correspondence:
This is a Cryptome transcription of these NSA FOIA documents:
NSA provided the documents in request to a Cryptome FOIA request:
Date: Wed, 25 Nov 2009 19:18:18 -0500 (EST)
NATIONAL SECURITY AGENCY
FOIA Case: 60251
Mr. John L. Young
Dear Mr. Young:
This is an initial response to your Freedom of Information Act (FOIA) request submitted via the Internet on 25 November 2009, which was received by this office on 27 November 2009, for all documents pertaining to a letter written by Joseph A. Meyer to the IEEE in August 1977 concerning possible ITAR violations of cryptography research exported to countries outside the United States unless by export license, including the actual letter. Your request has been assigned Case Number 60251. This letter indicates that we have begun to process your request. There is certain information relating to this processing about which the FOIA and applicable Department of Defense (DoD) and NSA/ CSS regulations require we inform you.
For purposes of this request and based on the information you provided in your letter, you are considered an "all other" requester. As such, you are allowed 2 hours of search and the duplication of 100 pages at no cost. There are no assessable fees for this request.
Your request is being processed under the FOIA and some of the documents you requested are enclosed. Certain information, however, has been deleted from the enclosures and one document (29 pages) has been withheld in its entirety. Also, after a reasonable search the actual letter written by Joseph A. Meyer was not located.
Some of the information deleted from the enclosures, as well as that in the fully denied document, was found to be currently and properly classified in accordance with Executive Order 12958, as amended. This information meets the criteria for classification as set forth in Subparagraph (c) of Section 1.4 and remains classified TOP SECRET or SECRET as provided in Section 1.2 of the Executive Order. The information is classified because its disclosure could reasonably be expected to cause exceptionally grave damage to the national
FOIA Case: 60251
security. The information is exempt from automatic declassification in accordance with Section 3.3(b)(3) and (8) of E.O. 12958, as amended. Because the information is currently and properly classified, it is exempt from disclosure pursuant to the first exemption of the FOIA (5 U .S.C. Section 552(b)(1)). Regarding the fully denied document, we are not authorized to release Senate documents without the approval of the U.S. Senate. We coordinated the release of this document responsive to your request with the Senate Select Committee on Intelligence, and they asked that we withhold the document.
In addition, this Agency is authorized by various statutes to protect certain information concerning its activities, as well as the names of NSA/ CSS employees. We have determined that such information exists in these documents. Accordingly, those portions are exempt from disclosure pursuant to the third exemption of the FOIA, which provides for the withholding of information specifically protected from disclosure by statute. The specific statutes applicable in this case are Title 18 U.S. Code 798 and Section 6, Public Law 86-36 (50 U.S. Code 402 note).
The Initial Denial Authority for NSA information is the Deputy Associate Director for Policy and Records, Diane M. Janosek. The fact that we were unable to locate one record responsive to your request, the denial of information in the enclosures, and the denial of one document in full, may be considered by you to be adverse determinations. You are hereby advised of this Agency's appeal procedures. Any person notified of an adverse determination may file an appeal to the NSA/ CSS Freedom of Information Act Appeal Authority. The appeal must be postmarked no later than 60 calendar days after the date of the adverse determination. The appeal shall be in writing addressed to the NSA/CSS FOIA Appeal Authority (DJP4), National Security Agency, 9800 Savage Road STE 6248, Fort George G. Meade, MD 20755-6248. The appeal shall reference the initial denial of access and shall contain, in sufficient detail and particularity, the grounds upon which you believe release of the information is required and/or the grounds upon which you believe this Agency maintains the unlocated record. The NSA/CSS FOIA Appeal Authority will endeavor to respond to the appeal within 20 working days after receipt, absent any unusual circumstances.
The remaining material responsive to your request is not voluminous or complex, and your request has been placed in the first-in, first-out processing queue for Non-Personal Easy cases. Because there are several cases ahead of yours in that queue, however, we are unable to finalize your request within 20 days. We appreciate your patience with our efforts to treat all requesters fairly by responding to each on a "first-in, first-out" basis.
FOIA Case: 60251
Correspondence related to your request should include the case number assigned to your request, which is included in the first paragraph of this letter.
Your letter should be addressed to National Security Agency, FOIA Office (DJP4), 9800 Savage Road STE 6248, Ft. George G. Meade, MD 20755-6248 or may be sent by facsimile to 443-479-3612. If sent by fax, it should be marked for the attention of the FOIA office. The telephone number of the FOIA office is 301-688-6527.
PAMELA N. PHILLIPS
[--------------] Indicates redactions in original text.
[One-half page redacted. Available at NSArchive.]
(U) PUBLIC CRYPTOGRAPHY
(U) Modern cryptography has, since its earliest days, been associated with governments. Amateurs there were, like Edgar Allan Poe, who dabbled in the art, and it has held a certain public fascination from the earliest days. But the discipline requires resources, and only governments could marshal the resources necessary to do the job seriously. By the end of World War II, American cryptology had become inextricably intertwined with the Army and Navy's codebreaking efforts at Arlington Hall and Nebraska Avenue. But this picture would begin changing soon after the war.
(U) Modem public cryptography originated with a Bell Laboratories scientist, Claude Shannon, whose mathematics research led him to develop a new branch of mathematics called information theory. A 1948 paper by Shannon brought the new discipline into the
Approved for Release by NSA on
public domain, and from that time on, cryptography became a recognized academic pursuit.119
(U) Public cryptography had no market in those days. So when IBM researcher Horst Feistel developed a line of key generators to be embedded in IBM computers, called Lucifer, there was no immediate use for it. But in 1971 Lloyd's Bank of London contacted IBM to ask about the possibility of securing transactions from a cash dispensing terminal. Feistal sent Lucifer to Lloyd's. IBM then formed a group. headed by Walter Tuchman, to develop the idea of encrypting banking transactions.
(U) To calm the waters, NBS called a conference in August 1976. It solved nothing. Leading academic figures contended that the DES algorithm was so weak that it could be solved with fairly modest resources (on the order of $9 million), while defenders pronounced it secure against virtually any attack feasible at the time. National Bureau of Standards ultimately promised that the DES algorithm would be reevaluated every five years.124
(U) The problem was, in large part, one of timing. During the Church and Pike Committee hearings, NSA had been tarred with the same brush that smeared CIA and FBI, and the exculpatory conclusions of the Church Committee were lost in a sea of fine print. What the public remembered were the sensational allegations of journalist Tad Szulc [Redacted in the NSArchive *] and the finger-pointing of former cryptologist Winslow Peck. [*] Whether NSA was an apolitical collector of foreign intelligence information or truly a governmental "Big Brother" had not yet been adjudicated in the public mind. The concern for individual privacy, largely an outgrowth of the Watergate period, exercised an important sway on the American public, and even Walter Mondale, with years of experience watching over intelligence agencies from his Senate perch, was consumed by this issue when he was Carter's vice president. Any endeavor that would make NSA out as an inspector of private American communications would play negatively. The DES controversy was one of those issues.
(U) In 1976 a related chain of events began which was to flow together with the DES controversy. In that year Martin Hellman of Stanford, one of the world's leading practitioners of the cryptographic arts, and his graduate student, Whitfield Diffie, published "New Directions in Cryptography" in the November issue of IEEE Transactions on Information Theory. It contained the first public exposition of what was to become known as public key cryptography. In the Hellman-Diffie scheme, it would be possible for individual communicants to have their own private key and to communicate securely with others without a preset key. All that was necessary was to possess a publicly available key and a private key which could be unlocked only with permission. This revolutionary concept freed cryptography from the burdensome periodic exchange of key with a set list of
correspondents and permitted anyone with the same equipment to communicate with complete privacy.125
(U) In April 1977 David Boak and Cecil Corry of NSA visited Dr. John Pasta, director of NSF's division of mathematical and computer research, to discuss the issue. Since the early 1970s there had been sporadic contact between NSA and NSF, and NSF had agreed to permit a certain amount of NSA "assistance" on these types of projects, but only to examine grant proposals on their technical merits rather than to institute a formal coordination process. Pasta, believing that academic freedom was at stake, held fast to the NSF position and refused to permit NSA to exercise any sort of control over future grants.127
[Redacted in NSArchive *]
appeared that he was in it for the money and thus lacked First Amendment protection. This was incontrovertible logic but bad politics, and once again NSA was forced to back down. The Davida patent was reinstated.129
(U) This idea was pushed internally by one [Five instances of Meyer's name redacted in Cryptome *] Joseph A. Meyer [*] but was just one of several techniques being considered. In July 1977 took Meyer matters into his own hands. The Institute of Electrical and Electronics Engineers would be holding a symposium on cryptography in Ithaca, New York. Concerned about the potential hemorrhage of cryptographic information Meyer sent a letter to E. K. Gannet, staff secretary of the IEEE publications board, pointing out that cryptographic systems were covered by ITAR and contending that prior government approval would be necessary for the publication of many of the papers. The letter raised considerable commotion within IEEE, with scholars racing to secure legal opinions and wondering if the federal government might arrest them and impound the information.132
(U) The issue did not stop with IEEE. Someone notified the press, and journalist Deborah Shapley published the entire controversy in an issue of Science magazine. Although Meyer wrote the letter on plain bond paper, Shapley quickly discovered his association, and she claimed that NSA was harassing scientists and impeding research into public cryptography. In her view, the lack of direct traceability constituted smuggling NSA's official view covertly to academia, with plausible deniability. Congressional reaction was swift, and the Senate decided to hold hearings on the issues.133
(U) The Meyer letter was dispatched, recalled Inman ruefully, on virtually the same date that he became director. It presented him with his first public controversy, only days into his new administration.
a. Do nothing. This school of thought, championed by G Group, held that any public discussion would heighten awareness of cryptographic problems and could lead to nations buying more secure crypto devices. This threat was especially acute in the Third World.
[Redacted in NSArchive *]
(U) Inman first chose the legislative solution. Daniel Silver, the head of NSA's legal team, circulated a draft of a new Cryptologic Information Protection Act. This proposed creating a new entity, the U.S. Cryptologic Board, which could restrict dissemination of sensitive cryptologic material for up to five years and would impose severe penalties (five years in prison, a $10,000 fine) for violation.135
(U) But Inman himself recognized the unlikelihood of getting Congress to act. NSA's proposed legislation would run against a strong movement in the opposite direction in both Congress and the White House, where the desire was to unshackle U.S. commerce from any sort of Pentagon-imposed restriction on trade. Even as the NSA seniors were recommending strengthening NSA's control over cryptography, President Carter was signing PD-24. This presidential directive divided cryptography in half. "National security cryptography," that which pertained to the protection of classified and unclassified information relating to national defense, would remain with NSA. But the directive also defined another sort of issue, "national interest" cryptography, which pertained to unclassified information which it was desirable to protect for other reasons (international currency exchange information, for instance), Protecting this type of
information and dealing with the private sector on such protection (for instance, on DES), would become part of the domain of the Commerce Department. The National Telecommunications and Information Administration (NTIA), within Commerce, would be responsible for dealing with the public. NTIA moved promptly to assert its authority in the area of cryptographic export policy and to deal with academia over cryptography. NSA mounted strong opposition to both moves.
(U) Inman was convinced from the start that the legislative approach, even if successful, would have to be supplemented by some sort of jawboning with academia. Early in his administration, he decided to visit Berkeley, a center of opposition to any sort of government intervention, and a hotbed of raw suspicion since the early days of the Vietnam War. He found himself in a room with antiestablishment faculty members, and "for an hour it was a dialogue of the deaf." Then the vice chancellor of the University of California, Michael Heyman, spoke up. Just suppose, he said, the admiral is telling the truth and that national security is being jeopardized. How would you address the issue? Instantly the atmosphere changed, and the two sides (Inman on one side, the entire faculty on the other) began a rational discussion of compromises. This convinced him that he was on the right track, and he pursued this opening to the public.138
(U) Inman followed this with a visit to Richard Atkinson, head of the National Science Foundation, to discuss the ideas that had emerged at Berkeley. The faculty had expressed a desire to get an "honest broker," one that both sides trusted, to sort through the issues and get to a compromise. Atkinson suggested that they approach the American Council on Education (ACE), and agreed that if ACE would agree to sponsor the effort, the National Science Foundation would fund it.139
(U) This presented NSA with a historic opportunity to engage in a rational debate with the private sector, and it drove Inman to bring the issue to the attention of the American public. His forum was the annual meeting of the Armed Forces Communications Electronics Association in January 1979. It was the first public speech by an NSA director, and as Inman said at the outset, it was "a significant break with NSA tradition and policy." He then laid out the conflicting interests - academic freedom versus national security. He advocated a problem-solving dialogue, but also acknowledged that the government might on occasion have to impose restrictions on extremely sensitive technology to protect national security. "I believe that there are serious dangers to our broad national interests associated with uncontrolled dissemination of cryptologic information within the United States. It should be obvious that the National Security Agency would not continue to be in the signals intelligence business if it did not at least occasionally enjoy some cryptanalytic successes." On the other hand, the government might have to permit the free exchange of technology, taking action in only the most difficult cases. The important thing, he stressed, was to talk through these issues so that both sides understood what was at stake and could appreciate the position of the other side. And he articulated the long-range importance of the problem: "Ultimately these concerns are not those merely of a single government agency, NSA. They are of vital interest to every citizen of the United States, since they bear vitally on our national defense and the successful conduct of our foreign policy."140
(U) The public opening was followed by a series of meetings, sponsored by ACE, to devise a forum to begin the dialogue. Some members (most notedly George Davida) held out for a complete absence of any controls on academia, but the majority concluded that controls would be necessary when national security was involved. What emerged was a procedure for prior restraint, involving a board of five members, a minority of whom would be from NSA, to review publication proposals. Submissions would be voluntary, and the area of examination would be very limited. The proposal passed with the unlikely Yes vote of Martin Hellman, who had earlier been subjected to some private jawboning by Inman. He, along with others in academia, had come to believe that there was, indeed, a legitimate national security interest in what they were doing.141
(U) Prepublication review turned out to be less of a real than an imagined threat to First Amendment freedoms. The committee requested very few changes to proposals, and most of those were easily accomplished. In one case, NSA actually aided in lifting a secrecy order placed on a patent application. The submitter, Shamir of RSA fame, thanked NSA for its intervention. At the same time, NSA established its own program to fund research proposals into cryptography. Martin Hellman was one of the first applicants.142
(U) As for DES, the controversy quieted for a period of years. DES chips were being manufactured by several firms and had become a profitable business. In 1987, NSA proposed a more sophisticated algorithm, but the banking community, the prime user of DES, had a good deal of money invested in it and asked that no modifications be made for the time. By the early 1990s it had become the most widely used encryption algorithm in the world. Though its export was restricted, it was known to be widely used outside the United States. According to a March 1994 study, there were some 1,952 products developed and distributed in thirty-three countries.143
[Three-fourths of a page redacted with "Non - Responsive" inserted. Available at NSArchive.]
[Full page redacted with "Non - Responsive" inserted. Available at NSArchive.]
[Full page redacted with "Non - Responsive" inserted. Available at NSArchive.]
[Full page redacted with "Non - Responsive" inserted]
[One-fourth page redacted with "Non - Responsive" inserted. Available at NSArchive.]
119. (U) DDIR files, 96026, Box 4, Drake Notebook, Proto Paper.
120. (U) Ibid [--------------] draft history of COMPUSEC, in CCH files; [-------] "NSA Comes Out of the Closet: The Debate over Public Cryptography in the Inman Era," Cryptologic Quarterly, Spring 1996) 15: 6-7.
121. (U) Ibid.
122. (U) Ibid.
123. (U) DDIR files, 96026, Box 4, Drake Notebook, Proto paper; David Kahn, "Cryptology Goes Public," Foreign Affairs (Fall 1979) 147-59 [-------] "NSA Comes Out of the Closet," 13-14.
124. (U) [-------] "NSA Comes Out of the Closet," 8-9.
125. (U) [-------] "NSA Comes Out of the Closet," 10 [--------------] Fifty Years of Mathematical Cryptanalysis (Fort Meade), Md. NSA, 1988), 80.
126. (U) [-------] "NSA Comes Out of the Closet," 10 [--------------] Fifty Years of Mathematical Cryptanalysis (Fort Meade), Md. NSA, 1988), 78.
127. (U) [-------] "NSA Comes Out of the Closet," 10.
128. (U) [-------] "NSA Comes Out of the Closet," 10 [--------------] Fifty Years of Mathematical Cryptanalysis (Fort Meade), Md. NSA, 1988), 80.
129. (U) Kahn, "Cryptology Goes Public," 154-55 [-------] "NSA Comes Out of the Closet," 16.
130. (U) Kahn, "Cryptology Goes Public," 155 [-------] "NSA Comes Out of the Closet," 16.
131. (U) [-------] "NSA Comes Out of the Closet," 11; DDIR files, 96026, Box 4, Drake Notebook.
132. (U) Kahn, "Cryptology Goes Public," 155-56 [-------] "NSA Comes Out of the Closet," 13.
133. (U) [-------] "NSA Comes Out of the Closet," 12.
134. (U) Ibid. 20-21.
135. (U) Ibid. 25.
136. (U) Ibid. 17-18, 32-35.
137. (U) Ibid.
138. (U) Interview, Norman Boardman, by Robert D. Farley, 1986, OH 3-86, NSA.
139. (U) Ibid.
140. (U) CCH Series VI.D.2.30.
141. (U) [-------] "NSA Comes Out of the Closet," 28-31.
142. (U) Boardman Interview; Report of a Special Panel of the ACM U.S. Public Policy Committee (USACM), Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy (New York: ACM, 1994).
143. (U) Kahn, "Cryptology Goes Public [------------------------] Comes Out of the Closet," 13; Codes, Keys, and Conflicts, 4-5; Telephone interview [-----------] January 1998.
[Balance of page blank.]
Approved for release by NSA on
SCIENCE VOL. 211, 13 MARCH 1981
MIT Committee Seeks Cryptography Policy
Questions of who should do research on cryptography and how results should be disseminated are the first order of business
Gina Bari Kolata