9 February 1999
House Armed Services Committee
Source: http://www.house.gov/hasc/billsandreports/106thcongress/plan106.htm
[Excerpt]
Technology Transfers and Export Controls
The committee will continue to conduct a careful examination of the current U.S. export control regime and its effectiveness in preventing the transfer of sensitive military-related technologies to potential adversaries. In particular, the committee will focus its efforts on the following: evaluating the impact of U.S. policy regarding the export of sophisticated encryption products on U.S. national security; conducting oversight of the implementation of legislative requirements related to the export of high performance computers (so-called "supercomputers") contained in Public Law 105-85, the National Defense Authorization Act for Fiscal Year 1998; examining the results and impact of the licensing jurisdiction changes related to the export of U.S. satellites mandated by Public Law 105-261, the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999; and assessing the findings, conclusions, and recommendations of the Select Committee on U.S. National Security and Military/Commercial Concerns With the People’s Republic of China with a view toward developing appropriate legislative remedies to prevent the unauthorized or dangerous transfer of military-related U.S. technology to China. In these and other export control-related areas, the committee will continue to cooperate as appropriate with the Committee on International Relations and the Permanent Select Committee on Intelligence.
Source: http://www.senate.gov/~burns/digital_dozen.htm
29 January 1999
[Excerpt]
Senator Burns: "While the administration did recently take a small step forward in its new policy on encryption, it provided limited relief only for specialized industry groups."
Encryption
Burns introduced the "Pro-CODE" legislation in both the 104th and 105th congresses and supported similar legislation by other sponsors, including Senators Ashcroft and Leahy. Burns will again be introducing legislation similar to the 1997 version of Pro-CODE in early February and will have a draft bill on his Web site soon. "New federal regulations still leave the majority of consumers without adequate privacy and security online," Burns said. "Senator Burns' attention to issues that impact the growth of electronic commerce provides a forum to discuss and debate the future of the Internet and the unprecedented economic opportunities it offers," stated Robert Holleyman, president and CEO of the Business Software Alliance. Added Craig Mundie, senior VP of consumer strategy for Microsoft, "With the blossoming of the Internet and electronic commerce, it is critical that policymakers around the world regularly reexamine existing laws and regulations so that they do not inadvertently slow down this tremendous phenomenon."
Source: http://www.senate.gov/~appropriations/commerce/2499jr.htm
[Excerpt]
C. Encryption
Court-authorized electronic surveillance (wiretaps) and search and seizure are two of the most critically important investigative techniques used by law enforcement to prosecute crime including terrorism. The growing use of strong, commercially-available, non-recoverable encryption will significantly impair our ability to effectively use wiretaps and conduct searches and seizures.
Encryption is extremely beneficial when used legitimately by individuals and corporations to protect the privacy and confidentiality of voice and data communications and sensitive electronically stored information (computer files). In order to provide individuals and corporations with greater privacy protections as the world moves into the information age, both industry and government are encouraging the use of strong encryption. But the use of strong encryption by criminals and terrorists poses a significant risk to public safety and national security.
Law enforcement has steadfastly expressed its concern about the adoption of an encryption policy based solely on market forces. Law enforcement, including the International Association of Chiefs of Police, the National Sheriff's Association, the National District Attorneys Association, the National Association of Attorney Generals and the Major City Chiefs, continues to call for the adoption of a balanced encryption policy -- one that meets the commercial needs of industry as well as the needs of the public for effective law enforcement.
The Administration is not currently seeking mandatory controls on encryption, but instead is working with industry to find voluntary solutions that meet privacy, electronic commerce and public safety needs. We remain optimistic that such a voluntary approach will be successful in addressing our public safety needs.
Source: http://www.fbi.gov/congress/freehct2.htm
[Excerpt]
Most encryption products manufactured today for use by the general public are non-recoverable. This means they do not include features that provide for timely law enforcement access to the plain text of encrypted communications and computer files that are lawfully seized. Law enforcement remains in unanimous agreement that the continued widespread availability and increasing use of strong, non-recoverable encryption products will soon nullify our effective use of court authorized electronic surveillance and the execution of lawful search and seizure warrants. The loss of these capabilities will devastate our capabilities for fighting crime, preventing acts of terrorism, and protecting the national security. Recently, discussions with industry have indicated a willingness to work with law enforcement in meeting our concerns and assisting in developing a law enforcement counterencryption capability. I strongly urge the Congress to adopt a balanced public policy on encryption, one that carefully balances the legitimate needs of law enforcement to protect our Nation's citizens and preserve the national security with the needs of individuals.
The demand for accessing, examining, and analyzing computers and computer storage media for evidentiary purposes is becoming increasingly critical to our ability to investigate terrorism, child pornography, computer-facilitated crimes, and other cases. In the past, the Subcommittee has supported FBI efforts to establish a data forensics capability through our Computer Analysis Response Teams. There is a need to further expand this capability to address a growing workload. Indeed, our limited capability has created a backlog that impacts on both investigations and prosecutions. For 2000, the FBI is requesting 20 positions and $13,835,000 for our cryptanalysis and network data interception programs and 79 positions and $9,861,000 to expand our Computer Analysis Response Team capabilities.
Our Nation's critical infrastructure -- both cyber and physical -- present terrorists, hackers, criminals, and foreign agents with a target for attacks, the consequences of which could be devastating. Over the past several years, the Congress has been very supportive of FBI efforts to develop and improve its capabilities for investigating computer intrusions and other cyber- crimes. These efforts have included the establishment of the National Infrastructure Protection Center and the creation of specially-trained and equipped squads and teams in FBI field offices. For 2000, we are requesting increases of $1,656,000 for operations of the National Infrastructure Protection Center and 108 positions (60 agents) and $11,390,000 for additional field National Infrastructure Protection and Computer Intrusion squads and teams.
Date: Mon, 8 Feb 1999 09:07:26 -0500 To: cypherpunks@cyberpass.net, cryptography@c2.net, mac-crypto@vmeng.com From: Robert Hettinga <rah@shipwright.com> Subject: linux-ipsec: Re: 1des inclusion NOT! --- begin forwarded text To: Linux IPsec <linux-ipsec@clinet.fi>, gnu@toad.com Subject: linux-ipsec: Re: 1des inclusion NOT! Date: Sun, 07 Feb 1999 21:57:41 -0800 From: John Gilmore <gnu@toad.com> People have been bandying about various claims about the security of various ciphers. My own point of view is that none of the ciphers mentioned (things like RCn, Blowfish, and various AES candidates) has had the substantial investment in *understanding* its real security that DES has had. You can't prove that an algorithm is secure; you can only prove that it's insecure (by cracking it). It took more than fifteen years before any theoretical cracks of DES were published, and longer than that before the first public brute-force attack. Blithe statements like "X is more secure than DES" have no basis in fact. In three years we'll know much more about the security of the leading AES candidate, though we probably will not be able to say for certain that it is "more secure than DES". Today we only know useful facts about the security of *some* of the AES candidates -- the ones that have already cracked. Due to the way unmodified single DES is used as a subcomponent, it is strongly believed that 3DES is no less secure than DES -- but we know little more than that about its true security. One thing we *can* measure relatively accurately is the speed of various algorithms, leading people to want to compare them on that basis. I truly see the speed of all these ciphers as irrelevant in the short, medium, and long term. 3DES IPSEC already maxes out a T1 line using ordinary PC processors from a year or two ago. If you really want to secure a T3, fine, buy a hardware 3DES board; you're .005% of the market. If you want to use ten-year-old hardware to secure your T1 line, get a life and spend $500 for this year's low-end PC. We're laying the keel for the privacy of all Internet traffic. As this protocol moves into the firmware and circuitry of future generations of devices, which algorithms we pick will be irrelevant to the cost or price of the devices. But which algorithms we pick will be VERY relevant to the privacy of the traffic. Turn off and leave off all algorithms except 3DES in your Web browser, and see how many "secure" sites are unable to talk to you. It's more than 0%, years after 3DES servers came out. If we start off by making IPSEC compatible with insecure algorithms, some fraction of the net will end up using them forever. That fraction may be quite large if NSA pressures a few mass-market companies into "neglecting" to implement stronger algorithms (using export controls or private deals). It'll be much harder for anyone to get away with this if the lobotomized IPSECs won't actually interoperate with real IPSECs. Pardon my "French" here, I get emotional on this issue. I put a year into building a fucking brute-force cryptanalysis machine to make it 1000% clear that single DES is useless, and some of you bozos still don't get it. If there is any easy way to make any code that I'm involved with interoperate with single DES, or with any unproven cipher, I consider that a major bug. This is not going to be a smorgasbord feature-checklist product, it's a plug-in-and-turn-on privacy product. (It's hard enough to build in real security with NO options.) If you don't like it, nobody's forcing you to use Linux or the Linux IPSEC implementation; buy one from a vendor who doesn't care about privacy. You can have insecurity or you can use this code, but I will work hard to make sure you don't get both in the same package. John Gilmore --- end forwarded text ----------------- Robert A. Hettinga <mailto: rah@philodox.com> Philodox Financial Technology Evangelism <http://www.philodox.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'