26 June 1998
Date: Fri, 26 Jun 1998 16:03:34 -0500 To: John Young <jya@pipeline.com> From: Alan Davidson <abd@CDT.ORG> Subject: Fips Flop John, Thought you might be interested in this for Cryptome. The final letter from NIST's Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure is attached below. Regards, Alan Alan Davidson, Staff Counsel 202.637.9800 (v) Center for Democracy and Technology 202.637.0968 (f) 1634 Eye St. NW, Suite 1100 <abd@cdt.org> Washington, DC 20006 PGP key via finger ----------------- U.S. effort on encryption "backdoors" ends in failure By Aaron Pressman WASHINGTON, June 25 (Reuters) - A U.S. government panel has failed in a two-year effort to design a federal computer security system that includes "back doors," a feature that would enable snooping by law enforcement agencies, people familiar with the effort said this week. The failure casts further doubt on the Clinton administration policy -- required for government agencies and strongly encouraged for the private sector -- of including such back doors in computer encryption technology used to protect computer data and communications, according to outside experts. But administration officials said the panel, which is set to expire in July, simply needed more time. "I wouldn't pronounce the issue dead by any means," Undersecretary of Commerce William Reinsch told Reuters. "It clearly has turned out to be a difficult task. ... This one was a hard one." The 22-member panel appointed by the secretary of commerce in 1996 concluded at a meeting last week that it could not overcome the technical hurdles involved in creating a large-scale infrastructure that would meet the needs of law enforcers, panel members said. The group was tapped to write a formal government plan known as a "Federal Information Processing Standard," or FIPS, detailing how government agencies should build systems including back doors. In a letter to Commerce Secretary William Daley obtained by Reuters, the panel said it "encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS." "Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology," the group added. "The attached document does not satisfy these criteria." The group is formally known as the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure, but with the unwieldy acronym of TACDFIPSFKMI, members of the panel jokingly referred to themselves as "Bob." The failure after two years to write a FIPS vindicates the view of critics of the administration's encryption policy, said Alan Davidson, staff counsel at the Center for Democracy and Technology, a nonprofit advocacy group. "The administration keeps spending taxpayer money to pursue a ... strategy that's wrong-headed and won't protect security," Davidson said. "Its own advisory committee can't answer basic questions about how to make it work for the government, yet they continue to push for its adoption by everyone, worldwide." The administration and law enforcement agencies have been at odds with high-tech companies, Internet users and civil liberties groups for years over encryption regulation. Encryption products -- which use mathematical formulas to scramble information and render it unreadable without a password or software "key" -- have become critical tools for protecting all kinds of digital data, including cellular phone calls and credit card numbers sent over the Internet. But law enforcement agencies, fearing such products will be used by criminals or others to hide wrongdoing, have pushed for the inclusion of back doors in all encryption. High-tech industry groups, Internet users and privacy advocates have opposed those requirements, joined by leading lawmakers, including the Senate majority leader and the House minority and majority leaders. They worry that back doors will weaken the security of all encrypted data, allow for improper government snooping and add tremendous cost and complexity to security systems. Foreign governments and companies have also expressed concern about the prospect that the policy will enable U.S. government agencies to read their e-mail. Bruce Schneier, a leading cryptography researcher and critic of the government policy, said the FIPS panel failed because of the impossibility of meeting the needs of both law enforcers and industry. "You can't solve this problem," said Schneier, president of the computer consulting firm Counterpane Systems. "If it was obvious, they could have agreed. The interests of government and business aren't the same, and when you try to balance the two, you end up with nothing." But Edward Roback, an official with the U.S. National Institution of Standards and Technology who worked closely with the panel, said the technical problems the group encountered were surmountable with more time. "These technical experts wanted more time," Roback said, pointing out that the panel's charter expires in July. "I wouldn't characterize it that they ran into roadblocks but more that they have a road ahead of them." ((Aaron Pressman, Washington newsroom, 202-898-8312)) Friday, 26 June 1998 14:17:59 RTRS [nN25122338] ------------------------------------------------------------------------ Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. ----------------- Final Letter From the National Instititue of Standards and Technology (NIST) Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure June 19, 1998 -------- Dear Mr. Secretary: We respectfully submit the attached technical input from the "Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure" (TAC) for Requirements for Key Recovery Products. The TAC is cognizant of the steps you are obligated to take under various statutes and policies to seek public comment in making your determination about implementing a Federal Information Processing Standard. However, the TAC believes significant, substantive additional work is necessary before this document will be ready for the next step in the process. Specifically, we believe that this document is not ready to be released for public comment, to be used as a basis for generation of answers to policy questions relevant to a FIPS, or to begin planning for development of implementation guidance. With regard to this latter topic, we suggest initiating work on detailed implementation guidance, once this document is completed. Such guidance will be essential to the successful deployment of any key recovery system (KRS), since many aspects of KRS security are outside the scope of the work we have undertaken. We also urge pursuit of conformance testing based on the NVLAP model, e.g., as employed for FIPS 140-1. Because of the complexity and security sensitivity of KRS technology, we do not support vendor self-declaration of conformance. The TAC has made substantial progress and a completed version of the work begun here could provide a basis for the development of a FIPS. However, the TAC encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS. There are unresolved conflicts among some requirements. In addition, the model that underlies the product evaluation process is not yet complete. In retrospect, the time and effort devoted to this task were not sufficient to develop an adequate set of technical requirements for a FIPS. Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology. The attached document does not satisfy these criteria. The TAC understands that its charter expires in July of 1998. However, the TAC has gained much experience during this process, and is willing to continue to work towards the completion of its initial charge. As you know, TAC members were appointed for their individual expertise. The actions of the TAC do not have the explicit or implicit endorsement of the corporations or organizations with which its members are affiliated. On behalf of the TAC, we hope that you find our efforts have been useful, and we thank you for the opportunity to work on your behalf.
More on the committee's final work and documents:
Source: http://csrc.nist.gov/tacdfipsfkmi/
The Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure was established by the Department of Commerce in July, 1996. The Committee, which was formally chartered on July 24, 1996, held its first meeting on December 5-6, 1996. The Committee's last meeting was held June 17-19, 1998.
[Excerpts]
| 1998-05-21 | June 17-19, 1998 Meeting Agenda | agenda9806.txt [908 bytes] |
| June 19, 1998 | Revised Cover Letter (6/19/98) | revisedcover.txt |
| June 19, 1998 | Revised Assembled Document (6/19/98) (MS Word '97) | revisedFIPS9806.doc |
| June 1998 | Discussion Draft Cover Letter | cover.txt |
| June 1998 | Draft Assembled Document (MS Word '97) Original | FIPS698_Word97.doc |
| June 1998 | Draft Assembled Document (MS Word 6 / '95) | FIPS698_Word95.doc |
| June 1998 | Draft Assembled Document text format | FIPS698.txt |