17 October 1998
Thanks to Vin McLelland
IAB, BXA, Cisco, Reinsch, Aaron - Private Doorbells On the Cryptography list, Perry Metzger <perry@piermont.com> offered the Internet Architecture Board's 15 October statement on "'Private Doorbell' encryption." (Text appended below.) The IAB statement is probably best understood if you first read the recent interview with US Under Secretary of Commerce William Reinsch in the September issue of Information Security magazine. See: http://www.infosecuritymag.com/sept/q%26a.htm Mr.Reinsch, the guy who runs the DoC's Bureau of Export Administration (BXA), seems to be the Clinton Administration's domestic point man on crypto export policy. It is one of Reinsch's more endearing qualities that he also seems self-conscious about the subtle interaction between his BXA export controls on crypto, the overseas market for crypto-enhanced products, and the type of crypto that gets sold and bought in the domestic US market. Many in the industry now see the US government's export controls less as a program to control non-Americans' access to strong crypto, and more of a bludgeon to force hopeful exporters into secret deals with the NSA and FBI. Getting a crypto export license in the US is not a public or transparent process. In recent years, the government approval process has typically involved such arbitrary judgements on the part of the Commerce Department and NSA staff that there has been no rational way of predicting if a product will be approved or not. Such a process leaves a lot of room for quiet deals and maximizes the government's ability to apply pressure on corporations. In the magazine interview, Reinsch offers an awkward summary of US policy on export controls and domestic crypto controls. The article makes a fascinating counterpoint to the Oct. 13th speech on US Crypto Policy by US Under Secretary of Commerce (for International Trade) David Aaron before the Federation of German Chambers of Industry and Commerce. See: http://jya.com/aaron101398.htm Aaron actually gives a better and more informed summary of US export regs, but Reinsch is able to at least acknowledge that the US intelligence community and US eavesdroppers overseas are players in US crypto policy. (Aaron, in Germany, had to make believe that US controls on crypto exports -- and the overseas push to get other nations to restrict the quality of the crypto their citizens are permitted to use -- is simply an initiative on the part of the FBI and other US law enforcement agencies. The War against child porn, drugs, terrorism, etc., etc.) Reinsch's suggestion that the US software firms which were forced to design key recovery versions of their cryptographic or crypto-enhanced products (because that was the _only_ way they could service their overseas customers with 56-bit crypto) are doing this development because they smell a Market Demand (not because they had been blackmailed) is notably ludicrous, but par for the course. The most striking thing about this interview was the way Reinsch positioned Cisco's "Private Doorbell" proposal as a potential solution to both the FBI's fears about widespread use of strong crypto inside the US, and the NSA's worries about the use of strong crypto in e-mail and other communications by non-Americans anywhere. Reinsch suggested that the Cisco-crafted proposal -- basically, a loud suggestion that the government should wake up to the potential for obtaining cleartext from the managers of link-encryption switches and servers, and quit bothering honest merchants trying to sell link-crypto enabled network equipment overseas -- might be a "compromise" solution to the thorny issue of eavesdropping options for encrypted e-mail and other communications. The way Reinsch used it to redefine e-mail security may have surprised a lot of people (including, I'm sure, the Cisco policy maven who originally developed the concept.) Reinsch seems to believe that Cisco's "Private Doorbell" initiative -- or perhaps some other mega-trend his advisors have perceived -- indicates that corporations in the US and overseas, as a matter of policy, will begin to deny employees (or customers) access to PC-based end-to-end crypto. Instead, corporate policy will force them to "secure" e-mail and other communications soley with link-encryption or crypto systems with overt corporate-message-recovery (CMR) options. As an alternative to end-to-end crypto for e-mail, this sounds fairly far-fetched... until you recall the mechanics of PGP for Business (one of the NSA's quiet domestic triumphs) and the US Government-approved cryptographic security offered in Microsoft's new WebTV product. WebTV has just been licensed by Reinsch's BXA to be sold almost anywhere overseas with e-mail and other messaging options protected by a 128-bit RC4 cryptosystem. E-mail, http, and WebTV command channel messages are passed up to the WebTV server protected by 128-bit RC4 in a proprietary VPN protocol. (The WebTV designers were not allowed to use SSL.) Given the BXA export permit, I presume that WebTV messages are potentially accessible at the WebTV server, before they are passed over to the Internet. The implications of this new US Govt fixation on the network servers and switches as the access point for surreptitous eavesdropping on e-mail and other communications protocols apparently surprised the Internet Society too. Yesterday (within a day or two of the Reinsch interview being published on-line, I believe) the Internet Architecture Board and the IESG -- the political and technical High Command for the Net -- punched out a brief but forceful policy document which directly challenged Reinsch's expectations. The IAB pointed out that the idea of network switches as effective Points of Interception only works if you presume that there are other restrictions on people's use of strong end-to-end crypto at the desktop. Such restrictions are overtly counterproductive, they said, and threaten to "warp the protocol structure" -- whatever that might mean. "This is in conflict with the 'end-to-end' principle, a fundamental tenet of the Internet architecture," warned the Board. To require link encryption "in all places (and to exclude end-to-end encryption) would warp the protocol structure. Furthermore, it offers a significantly lower level of security, in that there is no longer protection against inside attacks, which by all accounts are a serious threat." Reinsch, in his interview, said that he expected employers to deny employees access to desktop end-to-end crypto, and force them to rely upon network crypto,"for employee control purposes." He seemed certain that corporate distrust of employees -- in America? in Social Democratic Europe? -- is strong enough to outweigh the security advantages of end-to-end crypto and to justify a vast impowerment of corporate rent-a-cops (who, in this scenario, are usually expected to read, vet, and report upon all e-mail and file transfers through the corporate firewall.) This is actually a more plausible argument today than it has been anytime in the past 20 years. Most companies have only connected to the Net in the past five years. Workplace conventions about Net use have not yet evolved. Many US companies are still confused about how to deal with the "legal" opportunity to listen or filter their employees' at-work use of the Internet. While many Europeans find this sort of routine surveillance of employees amazing -- and many European nations outlaw it -- in the libertarian US, there are few constraints on employers and few privacy rights for employees on the job. As a result, the rent-a-cop surveillance model is being tried in many US companies, and the various online discussion groups for Firewall experts are full of vendors and consultants promoting various keyword and delay-loop technologies for corporate eavesdropping on employee communications. As might be expected, the US government is also promoting it in the Defense industries, the government market, and in the regulated US finance and brokerage industries. Given all the marketing noise today about content filters and the talk of censors (human and virtual) for information flowing through the corporate firewall, I can see where the FBI (and maybe even the NSA) finds hope in this analysis. The FBI gets what it wants overseas -- and that may make it more likely they will get it in the US too -- and the NSA gets an inherently weaker communications security system (which is about the best they can expect in the light of day anyway.) As the IAB quickly concluded, however, none of these "Private Doorbell" pipe dreams mean much of anything unless strong end-to-end crypto is forbidden, by national law or corporate convention. Even in the US corporate culture, that assumption seems a long shot. We have ahead of us both Clinton's Presidential Impeachment Hearings and one or several Microsoft antitrust cases. These are two seminal legal and political events which can be expected to trenchantly highlight the dangers of collecting old memos (all memos?) in some musty archive -- and/or rashly presuming that data "erased" on a hard disk is truly gone. Many impressionable minds (lawyers and CIOs among them) will be led to the conclusion that keeping records of everything you write, or everything your employees write -- or letting the System keep such records -- is idiotic, irresponsible, and self-destructive. There is also a deeply-rooted US corporate tradition of restricting access to sensitive info on a Need-to-Know basis. Surveillance isn't really the same thing as personnel managment, but US government and DoD folks often confuse the two.In the military, an elite class of employees (with security clearances) watches everyone else, and handles information that others are not allowed to know or touch. The corporate world doesn't think that way, or work on that model. That is something one might expect the NSA and others to have learned in the 20 years they tried to restructure the US computer market to fit the MLS Orange Book. Suerte, _Vin ----- "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." _ A Thinking Man's Creed for Crypto _vbm. * Vin McLellan + The Privacy Guild + <vin@shore.net> * 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 --------------------------------------------------------------- - - - IAB Statement -------------- To: IETF-Announce Subject: IAB statement on "private doorbell" encryption From: The IAB <iab@ietf.org> Date: Thu, 15 Oct 1998 10:35:10 -0400 The IAB and IESG are concerned by published descriptions of the "private doorbell" approach to resolving the encryption controversy. Essentially, the private doorbell requires that encryption and decryption be done at a gateway, rather than at an end system; see http://www.cisco.com/warp/public/779/govtaff/policy/paper/paper_index.html for one description. This is in conflict with the "end-to-end" principle, a fundamental tenet of the Internet architecture. While there is certainly a place for gateway-based encryption in some circumstances, to require it in all places (and to exclude end-to-end encryption) would warp the protocol structure. Furthermore, it offers a significantly lower level of security, in that there is no longer protection against inside attacks, which by all accounts are a serious threat. In addition, putting all security at the gateway ignores the need for different levels of protection in different situations. For some applications, encryption to the gateway may suffice. Others may require encryption and cryptographic authentication of the individual machine or even user. Should a strong encryption algorithm be used, or a very efficient one? It is very difficult to make these decisions anywhere but the end-system. But the "private doorbell" scheme would block deployment of such fine-grained protection.