Note: for index of full report see: http://jya.com/nrcindex.htm

---------


                       [Report Cover]

                  [Header all report pages:
              May 30, 1996, Prepublication Copy
           Subject to Further Editorial Correction]



               Cryptography's Role in Securing
                   the Information Society



            Kenneth Dam and Herbert Lin, Editors

       Committee to Study National Cryptography Policy
        Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications

                  National Research Council


                   National Academy Press
                    Washington, D.C. 1996


____________________________________________________________


NOTICE: The project that is the subject of this report was
approved by the Governing Board of the National Research
Council, whose members are drawn from the councils of the
National Academy of Sciences, the National Academy of
Engineering, and the Institute of Medicine. The members of the
committee responsible for the report were chosen for their
special competences and with regard for appropriate balance.

   This report has been reviewed by a group other than the
authors according to procedures approved by a Report Review
Committee consisting of members of the National Academy of
Sciences, the National Academy of Engineering, and the
Institute of Medicine.


   The National Academy of Sciences is a private, nonprofit,
self-perpetuating society of distinguished scholars engaged in
scientific and engineering research, dedicated to the
furtherance of science and technology and to their use for the
general welfare. Upon the authority of the charter granted to
it by the Congress in 1863, the Academy has a mandate that
requires it to advise the federal government on scientific and
technical matters. Dr. Bruce Alberts is president of the
National Academy of Sciences.

   The National Academy of Engineering was established in
1964, under the charter of the National Academy of Sciences,
as a parallel organization of outstanding engineers. It is
autonomous in its administration and in the selection of its
members, sharing with the National Academy of Sciences the
responsibility for advising the federal government. The
National Academy of Engineering also sponsors engineering
programs aimed at meeting national needs, encourages education
and research, and recognizes the superior achievements of
engineers. Dr. Harold Liebowitz is president of the National
Academy of Engineering.

   The Institute of Medicine was established in 1970 by the
National Academy of Sciences to secure the services of eminent
members of appropriate professions in the examination of
policy matters pertaining to the health of the public. The
Institute acts under the responsibility given to the National
Academy of Sciences by its congressional charter to be an
adviser to the federal government and, upon its own
initiative, to identify issues of medical care, research, and
education. Dr. Kenneth I. Shine is president of the Institute
of Medicine.

   The National Research Council was organized by the National
Academy of Sciences in 1916 to associate the broad community
of science and technology with the Academy's purposes of
furthering knowledge and advising the federal government.
Functioning in accordance with general policies determined by
the Academy, the Council has become the principal operating
agency of both the National Academy of Sciences and the
National Academy of Engineering in providing services to the
government, the public, and the scientific and engineering
communities. The Council is administered jointly by both
Academies and the Institute of Medicine. Dr. Bruce Alberts and
Dr. Harold Liebowitz are chairman and vice chairman,
respectively, of the National Research Council.

   Support for this project was provided by the Department of
Defense (under contract number DASW01-94-C-0178) and the
National Institute of Standards and Technology (under contract
number 50SBNB4C8089). Any opinions, findings, conclusions, or
recommendations expressed in this material are those of the
authors and do not necessarily reflect the views of the
sponsors.

Library of Congress Catalog Number 96-68943
International Standard Book Number 0-309-05475-3

Additional copies of this report are available from:

National Academy Press
2101 Constitution Avenue, NW
Box 285
Washington, DC 20055
800/624-6242
202/334-3313 (in the Washington Metropolitan Area)

Copyright 1996 by the National Academy of Sciences. All rights
reserved.

Printed in the United States of America

____________________________________________________________


                     COMMITTEE TO STUDY
                NATIONAL CRYPTOGRAPHY POLICY


KENNETH W. DAM, University of Chicago Law School, Chair
W.Y. SMITH, Institute for Defense Analyses (retired), Vice
   Chair
LEE BOLLINGER, Dartmouth College
ANN CARACRISTI, National Security Agency (retired)
BENJAMIN CIVILETTI, Venable, Baetjer, Howard and Civiletti
COLIN CROOK, Citicorp
SAMUEL H. FULLER, Digital Equipment Corporation
LESLIE H. GELB, Council on Foreign Relations
RONALD GRAHAM, AT&T Bell Laboratories
MARTIN HELLMAN, Stanford University
JULIUS KATZ, Hills & Company
PETER G. NEUMANN, SRI International
RAYMOND OZZIE, Iris Associates
EDWARD SCHMULTS, General Telephone and Electronics (retired)
ELLIOT M. STONE, Massachusetts Health Data Consortium
WILLIS WARE, RAND Corporation


Staff

MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Study Director and Senior Staff Officer
JOHN M. GODFREY, Research Associate
FRANK PITTELLI, Consultant to CSTB
GAIL E. PRITCHARD, Project Assistant

____________________________________________________________


COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

WILLIAM A. WULF, University of Virginia, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
DAVID CLARK, Massachusetts Institute of Technology
JEFF DOZIER, University of California at Santa Barbara
HENRY FUCHS, University of North Carolina
CHARLES GESCHKE, Adobe Systems Incorporated
JAMES GRAY, Microsoft Corporation
BARBARA GROSZ, Harvard University
JURIS HARTMANIS, Cornell University
DEBORAH A. JOSEPH, University of Wisconsin
BUTLER W. LAMPSON, Microsoft Corporation
BARBARA LISKOV, Massachusetts Institute of Technology
JOHN MAJOR, Motorola
ROBERT L. MARTIN, AT&T Network Systems
DAVID G. MESSERSCHMITT, University of California at Berkeley
WILLIAM PRESS, Harvard University
CHARLES L. SEITZ, Myricom Incorporated
EDWARD SHORTLIFFE, Stanford University School of Medicine
CASIMIR S. SKRZYPCZAK, NYNEX Corporation
LESLIE L. VADASZ, Intel Corporation


MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Staff Officer
PAUL D. SEMENZA, Staff Officer
JERRY R. SHEEHAN, Staff Officer
JEAN E. SMITH, Program Associate
JOHN M. GODFREY, Research Associate
LESLIE M. WADE, Research Assistant
GLORIA P. BEMAH, Administrative Assistant
GAIL E. PRITCHARD, Project Assistant

____________________________________________________________


              COMMISSION ON PHYSICAL SCIENCES,
                MATHEMATICS, AND APPLICATIONS

ROBERT J. HERMANN, United Technologies Corporation, Chair
PETER M. BANKS, Environmental Research Institute of Michigan
SYLVIA T. CEYER, Massachusetts Institute of Technology
L. LOUIS HEGEDUS, W.R. Grace and Company (retired)
JOHN E. HOPCROFT, Cornell University
RHONDA J. HUGHES, Bryn Mawr College
SHIRLEY A. JACKSON, U.S. Nuclear Regulatory Commission
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
KEN KENNEDY, Rice University
THOMAS A. PRINCE, California Institute of Technology
JEROME SACKS, National Institute of Statistical Sciences
L.E. SCRIVEN, University of Colorado
LEON T. SILVER, California Institute of Technology
CHARLES P. SLICHTER, University of Illinois at
   Urbana-Champaign
ALVIN W. TRIVELPIECE, Oak Ridge National Laboratory
SHMUEL WINOGRAD, IBM T.J. Watson Research Center
CHARLES A. ZRAKET, MITRE Corporation (retired)


NORMAN METZGER, Executive Director

____________________________________________________________


                           Preface

                        INTRODUCTION


   For most of history, cryptography -- the art and science of
secret writing -- has belonged to governments concerned about
protecting their own secrets and about asserting their
prerogatives for access to information relevant to national
security and public safety. In the United States, cryptography
policy has reflected the U.S. government's needs for effective
cryptographic protection of classified and other sensitive
communications as well as its needs to gather intelligence for
national security purposes, needs that would be damaged by the
widespread use of cryptography. National security concerns
have motivated such actions as development of cryptographic
technologies, development of countermeasures to reverse the
effects of encryption, and control of cryptographic
technologies for export.

   In the last 20 years, a number of developments have brought
about what could be called the popularization of cryptography.
First, some industries -- notably financial services -- have
come to rely on encryption as an enabler of secure electronic
funds transfers. Second, other industries have developed an
interest in encryption for protection of proprietary and other
sensitive information. Third, the broadening use of computers
and computer networks has generalized the demand for
technologies to secure communications down to the level of
individual citizens and assure the privacy and security of
their electronic records and transmissions. Fourth, the
sharply increased use of wireless communications (e.g.,
cellular telephones) has highlighted the greater vulnerability
of such communications to unauthorized intercept as well as
the difficulty of detecting these intercepts.

   As a result, efforts have increased to develop encryption
systems for private sector use and to integrate encryption
with other information technology products. Interest has grown
in the commercial market for cryptographic technologies and
systems incorporating such technologies, and the nation has
witnessed a heightened debate over individual need for and
access to technologies to protect individual privacy.

   Still another consequence of the expectation of widespread
use of encryption is the emergence of law enforcement concerns
that parallel, on a civilian basis, some of the national
security concerns. Law enforcement officials fear that wide
dissemination of effective cryptographic technologies will
impede their efforts to collect information necessary for
pursuing criminal investigations. On the other side, civil
libertarians fear that controls on cryptographic technologies
will give government authorities both in the United States and
abroad unprecedented and unwarranted capabilities for
intrusion into the private lives of citizens.


              CHARGE OF THE COMMITTEE TO STUDY
                NATIONAL CRYPTOGRAPHY POLICY

   At the request of the U.S. Congress in November 1993, the
National Research Council's Computer Science and
Telecommunications Board (CSTB) formed the Committee to Study
National Cryptography Policy. In accordance with its
legislative charge (Box P.1), the committee undertook the
following tasks:

   + Framing the problem. What are the technology trends with
which national cryptography policy must keep pace? What is the
political environment? What are the significant changes in the
post-Cold War environment that call attention to the need for,
and should have an impact on, cryptography policy?

   + Understanding the underlying technology issues and their
expected development and impact on policy over time. What is
and is not possible with current cryptographic (and related)
technologies? How could these capabilities have an impact on
various U.S. interests?

   + Describing current cryptography policy. To the
committee's knowledge, there is no single document, classified
or unclassified, within the U.S. government that fully
describes national cryptography policy.

   + Articulating a framework for thinking about cryptography
policy. The interests affected by national cryptography policy
are multiple, varied, and related: they include personal
liberties and constitutional rights, the maintenance of public
order and national security, technology development, and U.S.
economic competitiveness and markets. At a minimum, policy
makers (and their critics) must understand how these interests
interrelate, although they may decide that one particular
policy configuration better serves the overall national
interest than does another.

   + Identifying a range of feasible policy options. The debate
over cryptography policy has been hampered by an incomplete
analysis and discussion of various policy options -- both
proponents of current policy and of alternative policies are
forced into debating positions in which it is difficult or
impossible to acknowledge that a competing view might have
some merit. This report attempts to discuss fairly the pros
and cons of a number of options.

   + Making recommendations regarding cryptography policy. No
cryptography policy will be stable for all time. That is, it
is unrealistic to imagine that this committee or any set of
policy makers could craft a policy that would not have to
evolve over time as the technological and political milieu
itself changes. Thus, the committee's recommendations are
framed in the context of a transition, from a world
characterized by slowly evolving technology, well-defined
enemies, and unquestioned U.S. technological, economic, and
geopolitical dominance to one characterized by rapidly
evolving technology, fuzzy lines between friend and foe, and
increasing technological, economic, and political
interdependencies between the United States and other nations
of the world.

____________________________________________________________

 BOX P.1 Legislative Charge to the National Research Council

                     Public Law 103-160
       Defense Authorization Bill for Fiscal Year 1994
                  Signed November 30, 1993

SEC. 267. COMPREHENSIVE INDEPENDENT STUDY OF NATIONAL
CRYPTOGRAPHY POLICY

   (a)  Study by National Research Council. -- Not later than
90 days after the date of the enactment of this Act, the
Secretary of Defense shall request the National Research
Council of the National Academy of Sciences to conduct a
comprehensive study of cryptographic technologies and national
cryptography policy.

   (b)  Matters To Be Assessed in Study. -- The study shall
        assess

        (1)  the effect of cryptographic technologies on  --

             (A)  national security interests of the United
                  States Government
             (B)  law enforcement interests of the United
                  States Government
             (C)  commercial interests of United States
                  industry; and
             (D)  privacy interests of United States
                  citizens; and

        (2)  the effect on commercial interests of United
             States industry of export controls on
             cryptographic technologies.

   (c)  Interagency Cooperation With Study. -- The Secretary
   of Defense shall direct the National Security Agency, the
   Advanced Research Projects Agency, and other appropriate
   agencies of the Department of Defense to cooperate fully
   with the National Research Council in its activities in
   carrying out the study under this section. The Secretary
   shall request all other appropriate Federal departments and
   agencies to provide similar cooperation to the National
   Research Council.
____________________________________________________________


   Given the diverse applications of cryptography, national
cryptography policy involves a very large number of important
issues. Important to national cryptography policy as well are
issues related to the deployment of a large-scale
infrastructure for cryptography and legislation and
regulations to support the widespread use of cryptography for
authentication and data integrity purposes (i.e., collateral
applications of cryptography), even though these issues have
not taken center stage in the policy debate.

   The committee focused its efforts primarily on issues
related to cryptography for confidentiality, because the
contentious problem that this committee was assembled to
address at the center of the public policy debate relates to
the use of cryptography in confidentiality applications. It
also addressed issues of cryptography policy related to
authentication and data integrity at a relatively high level,
casting its findings and recommendations in these areas in
fairly general terms. However, it notes that detailed
consideration of issues and policy options in these collateral
areas requires additional study at a level of detail and
thoroughness comparable to that of this report.

   In preparing this report, the committee reviewed and
synthesized relevant material from recent reports, took
written and oral testimony from government, industry, and
private individuals, reached out extensively to the affected
stakeholders to solicit input, and met seven times to discuss
the input from these sources as well as the independent
observations and findings of the committee members themselves.
In addition, this study built upon three prior efforts to
examine national cryptography policy: the Association for
Computing Machinery report *Codes, Keys, and Conflicts: Issues
in U.S. Crypto Policy*,(1) the Office of Technology Assessment
report *Information Security and Privacy in Network
Environments*,(2) and the JASON encryption study.(3) A number
of other examinations of cryptography and/or information
security policy were also important to the committee's
work.(4)

---------

   (1)  Susan Landau et al., *Codes, Keys, and Conflicts:
Issues in U.S. Crypto Policy*, Association for Computing
Machinery Inc., New York, 1994.

   (2)  U.S. Congress, Office of Technology Assessment,
*Information Security and Privacy in Network Environments*,
OTA-TCT-606, U.S. Government Printing Office, Washington, D.C.,
September 1994.

   (3)  JASON Program Office, *JASON Encryption/Privacy
Study*, Report JSR-93-520 (unpublished), MITRE Corporation,
Reston, Va., August 18, 1993.

   (4)  These works include *Global Information
Infrastructure*, a joint report by the European Association of
Manufacturers of Business Machines and Information Technology
Industry, the U.S. Information Technology Industry Council,
and the Japan Electronic Industry Development Association
(EUROBIT-ITI-JEIDA), developed for the G-7 Summit on the
Global Information Society, GII Tripartite Preparatory
Meeting, January 26-27, 1995, Brussels; the U.S. Council for
International Business statement titled "Business Requirements
for Encryption," October 10, 1994, New York; and the
International Chamber of Commerce position paper
"International Encryption Policy," Document No. 373/202 Rev.
and No. 373-30/9 Rev., Paris, undated. Important source
documents can be found in Lance J. Hoffman (ed.), *Building in
Big Brother*, Springer-Verlag, New York, 1995; and in the
cryptography policy source books published annually by the
Electronic Privacy Information Center in Washington, D.C.
____________________________________________________________


                   WHAT THIS REPORT IS NOT

   The subject of national cryptography policy is quite
complex, as it figures importantly in many areas of national
interest. To keep the project manageable within the time,
resources, and expertise available, the committee chose not to
address in detail a number of issues that arose with some
nontrivial frequency during the course of its study.

   + This report is not a comprehensive study of the grand
trade-offs that might be made in other dimensions of national
policy to compensate for changes in cryptography policy. For
example, this report does not address matters such as relaxing
exclusionary rules that govern the court admissibility of
evidence or installing video cameras in every police helmet as
part of a package that also eliminates restrictions on
cryptography, though such packages are in principle possible.
Similarly, it does not address options such as increasing the
budget for counterterrorist operations as a quid pro quo for
relaxations on export controls of cryptography. The report
does provide information that would help to assess the impact
of various approaches to cryptography policy, although how
that impact should be weighed against the impact of policies
related to other areas is outside the scope of this study and
the expertise of the committee assembled for it.

   + This report is not a study on the future of the National
Security Agency (NSA) in the post-Cold War era. A
determination of what missions the NSA should be pursuing
and/or how it should pursue those missions was not in the
committee's charge. The report does touch lightly on
technological trends that affect the ability to undertake the
missions to which cryptography is relevant, but only to the
extent necessary to frame the cryptography issue.

   At the same time, this report does address certain
conditions of the political, social, and technological
environment that will affect the answers that anyone would
formulate to these questions, such as the potential impact on
policy of a world that offers many users the possibilities of
secure communications.

   + This report is not a study of computer and communications
security, although of course cryptography is a key element of
such security. Even the strongest cryptography is not very
useful unless it is part of a secure *system*, and those
responsible for security must be concerned about everything
from the trustworthiness of individuals writing the computer
programs to be used to the physical security of terminals used
to access the system. A report that addressed system
dimensions of computer security was the National Research
Council report *Computers at Risk*;(5) this current study
draws on that report and others to the extent relevant for its
analysis, findings, and conclusions about cryptography policy.

   + This report is not a study of the many patent disputes
that have arisen with respect to national cryptography policy
in the past several years. While such disputes may well be a
sign that the various holders expect cryptography to assume
substantial commercial importance in the next several years,
such disputes are in principle resolvable by the U.S.
Congress, which could simply legislate ownership by eminent
domain or by requiring compulsory licensing. Moreover, since
many of the key patents will expire in any case in the
relatively near future (i.e., before any infrastructure that
uses them becomes widely deployed), the issue will become moot
in any case.

   + This report is not exclusively a study of national policy
associated with the Clipper chip. While the Clipper chip has
received the lion's share of press and notoriety in the past
few years, the issues that this study was chartered to address
go far beyond those associated simply with the Clipper chip.
This study addresses the larger context and picture of which
the Clipper chip is only one part.

----------
   
   (5)  Computer Science and Telecommunications Board,
National Research Council, *Computers at Risk: Safe Computing
in the Information Age*, National Academy Press, Washington,
D.C., 1991.

____________________________________________________________


               ON SECRECY AND REPORT TIME LINE

   For most of history, the science and technologies
associated with cryptography have been the purview of national
governments and/or heads of state. It is only in the last 25
years that cryptographic expertise has begun to diffuse into
the nongovernment world. Thus, it is not surprising that much
of the basis and rationale underlying national cryptography
policy has been and continues to be highly classified. Indeed,
in a 1982 article, then-Deputy Director of the Central
Intelligence Agency Bobby R. Inman wrote that

   [o]ne sometimes hears the view that publication should not
   be restrained because "the government has not made its
   case," almost always referring to the absence of specific
   detail for public consumption. This reasoning is circular
   and unreasonable. It stems from a basic attitude that the
   government and its public servants cannot be trusted.
   Specific details about why information must be protected
   are more often than not even more sensitive than the basic
   technical information itself. Publishing examples, reasons
   and associated details would certainly damage the nation's
   interests. Public review and discussion of classified
   information which supports decisions is not feasible or
   workable.(6)

   Secrecy is a two-edged sword for a democratic nation -- on
the one hand, secrecy has a legitimate basis in those
situations in which fundamental national interests are at
stake (e.g., the preservation of American lives during
wartime). Moreover, the history of intelligence reveals many
instances in which the revelation of a secret, whether
intentional or inadvertent, has led to the compromise of an
information source or the loss of a key battle.(7)

   On the other hand, secrecy has sometimes been used to
stifle public debate and conceal poorly conceived and
ill-informed national policies, and mistrust is therefore
quite common among many responsible critics of government
policy. A common refrain by defenders of policies whose
origins and rationales are secret is that "if you knew what we
knew, you would agree with us." Such a position may be true or
false, but it clearly does not provide much reassurance for
those not privy to those secrets for one very simple reason:
those who fear that government is hiding poorly-conceived
policies behind a wall of secrecy are not likely to trust the
government, yet in the absence of a substantive argument being
called for, the government's claim is essentially a plea for
trust.

   In pursuing this study, the committee has adopted the
position that some secrets are still legitimate in today's
global environment, but that its role is to illuminate as much
as possible without compromising those legitimate interests.
Thus, the committee has tried to act as a surrogate for
well-intentioned and well-meaning people who fear that the
worst is hiding behind the wall of secrecy -- it has tried to
ask the questions that these people would have asked if they
could have done so. Public Law 103-160 called for all defense
agencies, including the National Security Agency, to cooperate
fully with the National Research Council in this study.

   For obvious reasons, the committee cannot determine if it
did not hear a particular piece of information because an
agency withheld that information or because that piece of
information simply did not exist. But for a number of reasons,
the committee believes that to the best of its knowledge, the
relevant agencies have complied with Public Law 103-160 and
other agencies have cooperated with the committee. One
important reason is that several members of the committee have
had extensive experience (on a classified basis) with the
relevant agencies, and these members heard nothing in the
briefings held for the committee that was inconsistent with
that experience. A second reason is that these agencies had
every motivation and self-interest to make the best possible
case for their respective positions on the issues before the
committee. Thus, on the basis of agency assurances that the
committee has indeed received all information relevant to
the issue at hand, they cannot plausibly argue that "if the
committee knew what Agency X knew, it would agree with Agency
X's position."

   This unclassified report does not have a classified annex,
nor is there a classified version of it. After receiving a
number of classified briefings on material relevant to the
subject of this study, the fully cleared members of the
committee (13 out of the total of 16) agree that these
details, while necessarily important to policy makers who need
to decide tomorrow what to do in a specific case, are not
particularly relevant to the larger issues of why policy has
the shape and texture that it does today nor to the general
outline of how technology will and policy should evolve in the
future. For example, the committee was briefed on certain
intelligence activities of various nations. Policy makers care
that the activities of nation X (a friendly nation) fall into
certain categories and that those of nation Y (an unfriendly
nation) fall into other categories, because they must craft a
policy toward nation X in one way and one toward nation Y in
another way. But for analytical purposes, the exact names of
the nations involved are much less relevant than the fact that
there will always be nations friendly and unfriendly to the
United States. Committee members are prepared to respond on a
classified basis if necessary to critiques and questions that
involve classified material.(8)

   As for the time line of this study, the committee was
acutely aware of the speed with which the market and product
technologies evolve. The legislation called for a study to be
delivered within 2 years after the full processing of all
necessary security clearances, and the study committee
accelerated its work schedule to deliver a report in 18 months
from its first meeting (and only 13 months from the final
granting of the last clearance). The delivery date of this
study was affected by the fact that the contract to fund this
study was signed by the Department of Defense on September 30,
1994.

----------

   (6)  Bobby Inman, "Classifying Science: A Government
Proposal ... ," *Aviation Week and Space Technology*, February
8, 1982, p. 10.

   (7)  For example, following press reports of deciphered
Libyan messages before and after a bombing in West Berlin in
which an American soldier died, Libya changed its
communications codes. A senior American official was quoted as
saying that the subsequent Libyan purchase of advanced
cryptographic equipment from a Swiss firm was "one of the
prices [the United States is] paying for having revealed, in
order to marshal support of our allies and public opinion,
that intercepted communications traffic provided evidence that
Libya was behind the bombing of the Berlin disco." See
"Libyans Buy Message-Coding Equipment," *Washington Post*,
April 22, 1986, p. A-8.

   (8)   The point of contact within the National Research
Council for such inquiries is the Computer Science and
Telecommunications Board, National Research Council, 2101
Constitution Avenue, N.W., Washington, D.C. Telephone
202-334-2605 or e-mail CSTB@NAS.EDU.

____________________________________________________________


                    A NOTE FROM THE CHAIR

   The title of this report is *Cryptography's Role in
Securing the Information Society*. The committee chose this
title as one best describing our inquiry and report -- that
is, the committee has tried to focus on the role that
cryptography, as one of a number of tools and technologies,
can play in providing security for an information age society
through, among other means, preventing computer-enabled crimes
and enhancing national security. At the same time, the
committee is not unaware of the acronym for this report --
CRISIS -- and it believes that the acronym is apt.

   From my own standpoint as chair of the NRC Committee to
Study National Cryptography Policy, I believe that the crisis
is a policy crisis, rather than a technology crisis, an
industry crisis, a law enforcement crisis, or an
intelligence-gathering crisis.

   It is not a technology crisis because technologies have
always been two-edged swords. All technologies -- cryptography
included -- can be used for good or for ill. They can be used to
serve society or to harm it, and cryptography will no doubt be
used for both purposes by different groups. Public policy will
determine in large measure not just the net balance of benefit
and loss but also how much benefit will be derived from
constructive uses of this remarkable technology.

   It is not an industry crisis, nor a law enforcement crisis,
nor an intelligence-gathering crisis, because industry, law
enforcement, and the intelligence establishment have all had
to cope with rapid technological change, and for the most part
the vitality of these enterprises within the nation is a
testament to their successes in so coping.

   But a policy crisis is upon the nation. In the face of an
inevitably growing use of cryptography, our society, acting as
it must through our government as informed by the manifold
forums of our free private processes, has been unable to
develop a consensus behind a coherent national cryptography
policy, neither within its own ranks nor with the private
stakeholders throughout society -- the software industry,
those concerned with computer security, the civil liberties
community, and so on. Indeed, the committee could not even
find a clear written statement of national cryptography policy
that went beyond some very general statements.

   To be sure, a number of Administration proposals have seen
the light of day. The best known of these proposals, the
Clipper initiative, was an honest attempt to address some of
the issues underlying national cryptography policy, but one of
its primary effects was to polarize rather than bring together
the various stakeholders, both public and private. On the
other hand, it did raise public awareness of the issue. In
retrospect, many Administration officials have wished that the
discourse on national cryptography policy could have unfolded
differently, but in fairness we recognize that the
government's task is not easy in view of the deep cleavages of
interest reviewed in this report. In this context, we
therefore saw it as our task, commanded by our statutory
charge, to analyze the underlying reasons for this policy
crisis and the interests at stake, and then to propose an
intelligent, workable and acceptable policy.

   The Committee to Study National Cryptography Policy is a
group of 16 individuals with very diverse backgrounds, a broad
range of expertise, and differing perspectives on the subject.
The committee included individuals with extensive government
service and also individuals with considerable skepticism
about and suspicion of government; persons with great
technical expertise in computers, communications, and
cryptography; and persons with considerable experience in law
enforcement, intelligence, civil liberties, national security,
diplomacy, international trade, and other fields relevant to
the formation of policy in this area. Committee members were
drawn from industry, including telecommunications and computer
hardware and software, and from users of cryptography in the
for-profit and not-for-profit sectors; serving as well were
academics and think-tank experts.(9) The committee was by
design highly heterogeneous, a characteristic intended to
promote discussion and synergy among its members.

   At first, we wondered whether these different perspectives
would allow us to talk among ourselves at all, let alone come
to agreement. But the committee worked hard. The full
committee met for a total of 23 days in which we received
briefings and argued various points; ad hoc subcommittees
attended a dozen or so additional meetings to receive even
more briefings; members of the committee and staff held a
number of open sessions in which testimony from the interested
public was sought and received (including a very well attended
session at the Fifth Annual Conference on Computers, Freedom,
and Privacy in San Francisco in early 1995 and an open session
in Washington, D.C., in April 1995); and the committee
reviewed nearly a hundred e-mail messages sent in response to
its Internet call for input. The opportunity to receive not
only written materials but also oral briefings from a number
of government agencies, vendors, trade associations, and
assorted experts, as well as to participate in the first-ever
cryptography policy meeting of the Organization for Economic
Cooperation and Development and of its Business Industry
Advisory Council, provided the occasion for extended
give-and-take discussions with government officials and
private stakeholders.

   Out of this extended dialogue, we found that coming to a
consensus among ourselves -- while difficult -- was not
impossible. The nature of a consensus position is that it is
invariably somewhat different from a position developed,
framed, and written by any one committee member, particularly
before our dialogue and without comments from other committee
members. Our consensus is a result of the extended learning
and interaction process through which we lived rather than any
conscious effort to compromise or to paper over differences.
The committee stands fully behind its analysis, findings, and
recommendations.

   We believe that our report makes some reasonable proposals
for national cryptography policy. But a proposal is just that
-- a proposal for action. What is needed now is a public
debate, using and not sidestepping the full processes of
government, leading to a judicious resolution of pressing
cryptography policy issues and including, on some important
points, legislative action. Only in this manner will the
policy crisis come to a satisfactory and stable resolution.

----------

   (9)   Note that the committee was quite aware of potential
financial conflicts of interest among several of its members.
In accordance with established National Research Council
procedures, these potential financial conflicts of interest
were thoroughly discussed by the committee; no one with a
direct and substantial financial stake in the outcome of the
report served on the committee.

____________________________________________________________


                       ACKNOWLEDGMENTS

   The full list of individuals (except for those who
explicitly requested anonymity) who provided input to the
committee and the study project is contained in Appendix A.
However, a number of individuals deserve special mention.
Michael Nelson, Office of Science and Technology Policy, kept
us informed about the evolution of Administration policy.
Dorothy Denning of Georgetown University provided many useful
papers concerning the law enforcement perspective on
cryptography policy. Clinton Brooks and Ron Lee from the
National Security Agency and Ed Roback and Raymond Kammer from
the National Institute of Standards and Technology acted as
agency liaisons for the committee, arranging briefings and
providing other information. Marc Rotenberg from the
Electronic Privacy Information Center and John Gilmore from
Cygnus Support provided continuing input on a number of
subjects as well as documents released under Freedom of
Information Act requests. Rebecca Gould from the Business
Software Alliance, Steve Walker from Trusted Information
Systems, and Ollie Smoot from the Information Technology
Industry Council kept the committee informed from the business
perspective. Finally, the committee particularly acknowledges
the literally hundreds of suggestions and criticisms provided
by the reviewers of an early draft of this report. Those
inputs helped the committee to sharpen its message and
strengthen its presentation, but of course the content of the
report is the responsibility of the committee.

   The committee also received a high level of support from
the National Research Council. Working with the Special
Security Office of the Office of Naval Research, Kevin Hale
and Kimberly Striker of the NRC's National Security Office had
the complex task of facilitating the prompt processing of
security clearances necessary to complete this study in a
timely manner and otherwise managing these security
clearances. Susan Maurizi worked under tight time constraints
to provide editorial assistance. Acting as primary staff for
the committee were Marjory Blumenthal, John Godfrey, Frank
Pittelli, Gail Pritchard, and Herb Lin. Marjory Blumenthal
directs the Computer Science and Telecommunications Board, the
program unit within the National Research Council to which
this congressional tasking was assigned. She sat with the
committee during the great majority of its meetings, providing
not only essential insight into the NRC process but also an
indispensable long-term perspective on how this report could
build on other CSTB work, most notably the 1991 NRC report
*Computers at Risk*. John Godfrey, research associate for
CSTB, was responsible for developing most of the factual
material in most of the appendixes as well as for tracking
down hundreds of loose ends; his prior work on a previous NRC
report on standards also provided an important point of
departure for the committee's discussion on standards as they
apply to cryptography policy. Frank Pittelli is a consultant
to CSTB, whose prior experience in computer and information
security was invaluable in framing a discussion of technical
issues in cryptography policy. Gail Pritchard, project
assistant for CSTB, handled logistical matters for the
committee with the utmost skill and patience as well as
providing some research support to the committee. Finally,
Herb Lin, senior staff officer for CSTB and study director on
this project, arranged briefings, crafted meeting agendas, and
turned the thoughts of committee members into drafts and then
report text. It is fair to say that this study could not have
been carried out nor this report written, especially on our
accelerated schedule, without his prodigious energy and his
extraordinary talents as study director, committee
coordinator, writer, and editor.

Kenneth Dam, Chair
Committee to Study National Cryptography Policy

Chicago, Illinois
March 29, 1996



A Channel for Feedback

   CSTB will be glad to receive comments on this report.
Please send them via Internet e-mail to CRYPTO@NAS.EDU, or via
regular mail to CSTB, National Research Council, 2101
Constitution Avenue NW, Washington, DC 20418.

[End Preface]

____________________________________________________________


                          Contents


PREFACE

   Introduction
   Charge of the Committee to Study National Cryptography
   Policy
   What This Report Is Not
   On Secrecy and Report Time Line
   A Note from the Chair
   Acknowledgments

EXECUTIVE SUMMARY

A ROAD MAP THROUGH THIS REPORT



             PART I -- FRAMING THE POLICY ISSUES


1  GROWING VULNERABILITY IN THE INFORMATION AGE

   1.1  The Technology Context of the Information Age

   1.2  Transitions to an Information Society--Increasing
        Interconnections and Interdependence

   1.3  Coping with Information Vulnerability

   1.4  The Business and Economic Perspective

        1.4.1  Protecting Important Business Information
        1.4.2  Ensuring the Nation's Ability to Exploit
               Global Markets

   1.5  Individual and Personal Interests in Privacy

        1.5.1  Privacy in an Information Economy
        1.5.2  Privacy for Citizens

   1.6  Special Needs of Government

   1.7  Recap


2  CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE

   2.1  Cryptography in Context

   2.2  What Is Cryptography and What Can It Do?

   2.3  How Cryptography Fits into the Big Security Picture

        2.3.1  Technical Factors Inhibiting Access to
               Information
        2.3.2  Factors Facilitating Access to Information

   2.4  The Market for Cryptography

        2.4.1  The Demand Side of the Cryptography Market
        2.4.2  The Supply Side of the Cryptography Market

   2.5  Infrastructure for Widespread Use of Cryptography

        2.5.1  Key Management Infrastructure
        2.5.2  Certificate Infrastructures

   2.6  Recap


3  NEEDS FOR ACCESS TO ENCRYPTED INFORMATION

   3.1  Terminology

   3.2  Law Enforcement: Investigation and Prosecution

        3.2.1  The Value of Access to Information for Law
               Enforcement
        3.2.2  The Legal Framework Governing Surveillance
        3.2.3  The Nature of Surveillance Needs of Law
               Enforcement
        3.2.4  The Impact of Cryptography and New Media on
               Law Enforcement (Stored and Communicated Data)

   3.3  National Security and Signals Intelligence

        3.3.1  The Value of Signals Intelligence
        3.3.2  The Impact of Cryptography on SIGINT

   3.4  Similarities and Differences Between Foreign
        Policy/National Security and Law Enforcement Needs for
        Communications Monitoring

        3.4.1  Similarities
        3.4.2  Differences

   3.5  Business and Individual Needs for Exceptional Access
        to Protected Information

   3.6  Other Types of Exceptional Access to Protected
        Information

   3.7  Recap



                PART II -- POLICY INSTRUMENTS


4  EXPORT CONTROLS

   4.1  Brief Description of Current Export Controls

        4.1.1  The Rationale for Export Controls
        4.1.2  General Description
        4.1.3  Discussion of Current Licensing Practices

   4.2  Effectiveness of Export Controls on Cryptography

   4.3  The Impact of Export Controls on U.S. Information
        Technology Vendors

        4.3.1  De Facto Restrictions on the Domestic
               Availability of Cryptography
        4.3.2  Regulatory Uncertainty Related to Export
               Controls
        4.3.3  The Size of the Affected Market for
               Cryptography
        4.3.4  Inhibiting Vendor Responses to User Needs

   4.4  The Impact of Export Controls on U.S. Economic and
        National Security Interests

        4.4.1  Direct Economic Harm to U.S. Businesses
        4.4.2  Damage to U.S. Leadership in Information
               Technology

   4.5  The Mismatch Between the Perceptions of Government/
        National Security and Those of Vendors

   4.6  Export of Technical Data

   4.7  Foreign Policy Considerations

   4.8  Technology-Policy Mismatches

   4.9  Recap


5  ESCROWED ENCRYPTION AND RELATED ISSUES

   5.1  What Is Escrowed Encryption?

   5.2  Administration Initiatives Supporting Escrowed
        Encryption

        5.2.1  The Clipper Initiative and the Escrowed
               Encryption Standard
        5.2.2  The Capstone/Forteza (sic) Initiative
        5.2.3  The Relaxation of Export Controls on Software
               Products Using "Properly Escrowed" 64-bit
               Encryption
        5.2.4  Other Federal Initiatives in Escrowed
               Encryption

   5.3  Other Approaches to Escrowed Encryption

   5.4  The Impact of Escrowed Encryption on Information
        Security

   5.5  The Impact of Escrowed Encryption on Law Enforcement

        5.5.1  Balance of Crime Enabled vs. Crime Prosecuted
        5.5.2  Impact on Law Enforcement Access to
               Information

   5.6  Mandatory vs. Voluntary Use of Escrowed Encryption

   5.7  Process Through Which Policy on Escrowed Encryption
        Was Developed

   5.8  Affiliation and Number of Escrow Agents

   5.9  Responsibilities and Obligations of Escrow Agents and
        Users of Escrowed Encryption

        5.9.1  Partitioning Escrowed Information
        5.9.2  Operational Responsibilities of Escrow Agents
        5.9.3  Liabilities of Escrow Agents

   5.10 The Role of Secrecy in Ensuring Product Security

        5.10.1 Algorithm Secrecy
        5.10.2 Product Design and Implementation Secrecy

   5.11 The Hardware/Software Choice in Product Implementation

   5.12 Responsibility for Generation of Unit Keys

   5.13 Issues Related to the Administration Proposal to
        Exempt 64-bit Escrowed Encryption in Software

        5.13.1 The Definition of "Proper Escrowing"
        5.13.2 The Proposed Limitation of Key Lengths to 64
               Bits or Less

   5.14 Recap


6  OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY

   6.1  The Communications Assistance for Law Enforcement Act

        6.1.1  Brief Description of and Stated Rationale for
               the CALEA
        6.1.2  Reducing Resource Requirements for Wiretaps
        6.1.3  Obtaining Access to Digital Streams in the
               Future
        6.1.4  The CALEA Exemption of Information Service
               Providers and Distinctions Between Voice and
               Data Services

   6.2  Other Levers Used in National Cryptography Policy

        6.2.1  Federal Information Processing Standards
        6.2.2  The Government Procurement Process
        6.2.3  Implementation of Policy: Fear, Uncertainty,
               Doubt, Delay, Complexity
        6.2.4  R&D Funding
        6.2.5  Patents and Intellectual Property
        6.2.6  Formal and Informal Arrangements with Various
               Other Governments and Organizations
        6.2.7  Certification and Evaluation
        6.2.8  Nonstatutory Influence
        6.2.9  Interagency Agreements Within the Executive
               Branch

   6.3  Organization of the Federal Government with Respect to
        Information Security

        6.3.1  Role of National Security vis-a-vis Civilian
               Information Infrastructures
        6.3.2  Other Government Entities with Influence on
               Information Security

   6.4  International Dimensions of Cryptography Policy

   6.5  Recap



   PART III--POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS


7  POLICY OPTIONS FOR THE FUTURE

   7.1  Export Control Options for Cryptography

        7.1.1  Dimensions of Choice for Controlling the
               Export of Cryptography
        7.1.2  Complete Elimination of Export Controls on
               Cryptography
        7.1.3  Transferral of All Cryptography Products to
               the Commerce Control List
        7.1.4  End-use Certification
        7.1.5  Nation-by-Nation Relaxation of Controls and
               Harmonization of U.S. Export Control Policy on
               Cryptography with Export/Import Policies of
               Other Nations
        7.1.6  Liberal Export for Strong Cryptography with
               Weak Defaults
        7.1.7  Liberal Export for Cryptographic Applications
               Programming Interfaces
        7.1.8  Liberal Export for Escrowable Products with
               Encryption Capabilities
        7.1.9  Alternatives to Government Certification of
               Escrow Agents Abroad
        7.1.10 Use of Differential Work Factors in
               Cryptography
        7.1.11 Separation of Cryptography from Other Items on
               the U.S. Munitions List

   7.2  Alternatives for Providing Government Exceptional
        Access to Encrypted Data

        7.2.1  A Prohibition of the Use and Sale of
               Cryptography Lacking Features for Exceptional
               Access
        7.2.2  Criminalization of the Use of Cryptography in
               the Commission of a Crime
        7.2.3  Technical Non-Escrow Approaches for Obtaining
               Access to Information
        7.2.4  Network-based Encryption
        7.2.5  Distinguishing Between Encrypted Voice and
               Data Communications Services for Exceptional
               Access
        7.2.6  A Centralized Decryption Facility for
               Government Exceptional Access

   7.3  Looming Issues

        7.3.1  The Adequacy of Various Levels of Encryption
               Against High-Quality Attack
        7.3.2  Organizing the U.S. Government for Better
               Information Security on a National Basis

   7.4  Recap


8  SYNTHESIS, FINDINGS, AND RECOMMENDATIONS

   8.1  Synthesis and Findings

        8.1.1  The Problem of Information Vulnerability
        8.1.2  Cryptographic Solutions to Information
               Vulnerabilities
        8.1.3  The Policy Dilemma Posed by Cryptography
        8.1.4  National Cryptography Policy for the
               Information Age

   8.2  Recommendations

   8.3  Additional Work Needed

   8.4  Conclusion


                         APPENDIXES

A  Contributors to the NRC Project on National Cryptography
   Policy

B  Glossary

C  A Brief Primer on Cryptography

D  An Overview of Electronic Surveillance: History and Current
   Status

E  A Brief History of Cryptography Policy

F  A Brief Primer on Intelligence

G  The International Scope of Cryptography Policy

H  Summary of Important Requirements for a Public-Key
   Infrastructure

I  Industry-Specific Dimensions of Security

J  Examples of Risks Posed by Unprotected Information

K  Cryptographic Applications Programming Interfaces

L  Laws, Regulations, and Documents Relevant to Cryptography

M  Other Looming Issues Related to Cryptography Policy

N  Federal Information Processing Standards

[End Contents]

____________________________________________________________


                      Executive Summary

   In an age of explosive worldwide growth of electronic data
storage and communications, many vital national interests
require the effective protection of information. When used in
conjunction with other approaches to information security,
cryptography is a very powerful tool for protecting
information. Consequently, current U.S. policy should be
changed to promote and encourage the widespread use of
cryptography for the protection of the information interests
of individuals, businesses, government agencies, and the
nation as a whole, while respecting legitimate national needs
of law enforcement and intelligence for national security and
foreign policy purposes to the extent consistent with good
information protection.


                     BASIC POLICY ISSUES

              The Information Security Problem

   Today's information age requires U.S. businesses to compete
on a worldwide basis, sharing sensitive information with
appropriate parties while protecting that information against
competitors, vandals, suppliers, customers, and foreign
governments (Box ES.1). Private law-abiding citizens dislike
the ease with which personal telephone calls can be tapped,
especially those carried on cellular or cordless telephones.
Elements of the U.S. civilian infrastructure such as the
banking system, the electric power grid, the public switched
telecommunications network, and the air traffic control system
are central to so many dimensions of modern life that
protecting these elements must have a high priority. The
federal government has an important stake in assuring that its
important and sensitive political, economic, law enforcement,
and military information, both classified and unclassified, is
protected from foreign governments or other parties whose
interests are hostile to those of the United States.

____________________________________________________________

   BOX ES.1 The Foreign Threat to U.S. Business Interests

   Of the wide variety of information risks facing U.S.
companies operating internationally, those resulting from
electronic vulnerabilities appear to be the most significant.
The National Counterintelligence Center (NACIC), an arm of the
U.S. intelligence community established in 1994 by
presidential directive, concluded that "specialized technical
operations (including computer intrusions, telecommunications
targeting and intercept, and private-sector encryption
weaknesses) account for the largest portion of economic and
industrial information lost by U.S. corporations."
Specifically, the NACIC noted that

   [b]ecause they are so easily accessed and intercepted,
   corporate telecommunications -- particularly international
   telecommunications -- provide a highly vulnerable and
   lucrative source for anyone interested in obtaining trade
   secrets or competitive information. Because of the
   increased usage of these links for bulk computer data
   transmission and electronic mail, intelligence collectors
   find telecommunications intercepts cost-effective. For
   example, foreign intelligence collectors intercept
   facsimile transmissions through government-owned telephone
   companies, and the stakes are large -- approximately half
   of all overseas telecommunications are facsimile
   transmissions. Innovative "hackers" connected to computers
   containing competitive information evade the controls and
   access companies' information. In addition, many American
   companies have begun using electronic data interchange, a
   system of transferring corporate bidding, invoice, and
   pricing data electronically overseas. Many foreign
   government and corporate intelligence collectors find this
   information invaluable.

----------

SOURCE: National Counterintelligence Center, Annual Report
to Congress on Foreign Economic Collection and Industrial
Espionage, July 1995, pages 16-17.

____________________________________________________________


 Cryptographic Dimensions of Information Security Solutions

   Information vulnerabilities cannot be eliminated through
the use of any single tool. For example, it is impossible to
prevent with technical means a party authorized to view
information from improperly disclosing that information to
someone else. However, as part of a comprehensive approach to
addressing information vulnerabilities, cryptography is a
powerful tool that can help to assure the confidentiality and
integrity of information in transit and in storage and to
authenticate the asserted identity of individuals and computer
systems. Information that has been properly encrypted cannot
be understood or interpreted by those lacking the appropriate
cryptographic "key"; information that has been integrity-
checked cannot be altered without detection. Properly
authenticated identities can help to restrict access to
information resources to those properly authorized individuals
and to take fuller advantage of audit trails to track down
parties who have abused their authorized access.



       Law Enforcement and National Security Dilemmas
                    Posed by Cryptography

   For both law enforcement and national security,
cryptography is a two-edged sword. The public debate has
tended to draw lines that frame the policy issues as the
privacy of individuals and businesses against the needs of
national security and law enforcement. While such a dichotomy
does have a kernel of truth, when viewed in the large, this
dichotomy is misleading. If cryptography can protect the trade
secrets and proprietary information of businesses and thereby
reduce economic espionage (which it can), it also supports in
a most important manner the job of law enforcement. If
cryptography can help protect nationally critical information
systems and networks against unauthorized penetration (which
it can), it also supports the national security of the United
States. Framing discussion about national cryptography policy
in this larger law enforcement and national security context
would help to reduce some of the polarization among the
relevant stakeholders.

   On the other hand, cryptography intended primarily to
maintain the confidentiality of information that is available
to the general public for legitimate purposes such as
defending against information theft is also available for
illegitimate purposes such as terrorism. Encryption thus does
pose a threat to the capability that law enforcement
authorities may seek under appropriate legal authorization to
gain access to information for the purpose of investigating
and prosecuting criminal activity. Encryption also poses a
threat to intelligence gathering for national security and
foreign policy purposes, an activity that depends on access to
information of foreign governments and other foreign entities.

   Note that other applications of cryptography -- for
purposes of assuring data integrity and authenticating
identities of users and computer systems -- do not pose
dilemmas for law enforcement and national security in the same
way that confidentiality does.


    National Cryptography Policy for the Information Age

   For many years, concern over foreign threats to national
security has been the primary driver of a national
cryptography policy that has sought to maximize the protection
of U.S. military and diplomatic communications while denying
the confidentiality benefits of cryptography to foreign
adversaries through the use of export controls on cryptography
and related technical data. More recently, the U.S. government
has aggressively promoted the domestic use of a certain kind
of cryptography -- escrowed encryption -- that would provide
strong protection for legitimate uses but would permit legally
authorized access by law enforcement officials when authorized
by law. Today, these and other dimensions of current national
cryptography policy generate considerable controversy.

   All of the various stakes are legitimate: privacy for
individuals, protection of sensitive or proprietary
information for businesses, ensuring the continuing
reliability and integrity of nationally critical information
systems and networks, law enforcement access to stored and
communicated information for purposes of investigating and
prosecuting crime, and national security access to information
stored or communicated by foreign powers or other entities and
organizations whose interests and intentions are relevant to
the national security and the foreign policy interests of the
United States. Informed public discussion of the issues must
begin by acknowledging the legitimacy both of information
gathering for law enforcement and national security purposes
and of information security for law-abiding individuals and
businesses.

   The conduct of the debate regarding national cryptography
policy has been complicated because a number of participants
have often invoked classified information that cannot be made
public. However, the cleared members of the National Research
Council's Committee to Study National Cryptography Policy (13
of the 16 committee members) concluded that *the debate over
national cryptography policy can be carried out in a
reasonable manner on an unclassified basis*. Classified
material is often important to operational matters in specific
cases, but it is neither essential to the big picture of why
cryptography policy is the way it is nor required for the
general outline of how technology will and policy should
evolve in the future.

   The problems of information vulnerability, the legitimacy
of the various national interests described above, and trends
such as those outlined in Box ES.2 point to the need for a
concerted effort to protect vital information assets of the
United States. Cryptography is one important element of a
comprehensive U.S. policy for better information security.

   The committee believes that *U.S. national policy should be
changed to support the broad use of cryptography in ways that
take into account competing U.S. needs and desires for
individual privacy, international economic competitiveness,
law enforcement, national security, and world leadership*.
Because cryptography is an important tool for protecting
information and because it is very difficult for governments
to control, the committee believes that the widespread
nongovernment use of cryptography in the United States and
abroad is inevitable in the long run. Accordingly, the proper
role of national cryptography policy is to facilitate a
judicious transition between today's world of high information
vulnerability and a future world of greater information
security, while to the extent possible meeting the legitimate
needs of law enforcement and information gathering for
national security and foreign policy purposes.

   The committee found that *current national cryptography
policy is not adequate to support the information security
requirements of an information society*. Indeed, current
policy discourages the use of cryptography, whether
intentionally or not, and in so doing impedes the ability of
the nation to use cryptographic tools that would help to
remediate certain important vulnerabilities. National
cryptography policy should support three objectives:

   1.   Broad availability of cryptography to all legitimate
        elements of U.S. society;

   2.   Continued economic growth and leadership of key U.S.
        industries and businesses in an increasingly global
        economy, including but not limited to U.S. computer,
        software, and communications companies; and

   3.   Public safety and protection against foreign and
        domestic threats.

   Objectives 1 and 2 argue for a policy that places few
government restrictions on the use of cryptography and
actively promotes the use of cryptography on a broad front.
Objective 3 argues that some kind of government policy role in
the deployment and use of cryptography for confidentiality may
continue to be necessary for public safety and national
security reasons. These three objectives can be met within a
framework recognizing that *on balance, the advantages of more
widespread use of cryptography outweigh the disadvantages*.

____________________________________________________________

       BOX ES.2 The Past and Future World Environment

Past                          Future Trends
_______________________       _________________________________
Computing and                 Computer and information
communications networks       acquisition, retrieval and
were expensive and            processing are inexpensive and
rare.                         ubiquitous. Rapid growth is
                              evident in the development and
                              deployment of diverse technology-
                              based services.

Communications networks       Communications networks are
were analog and voice         digital and oriented toward video
oriented;                     and data transmissions.
communications made           Communications make heavy use of
heavy use of dedicated        shared infrastructure and
lines.                        media (e.g., satellites,
                              wireless). Passive eavesdropping
                              is thus harder to detect.

Telecommunications was        Telecommunications involves a
controlled by a small         large number of players.
number of players.

The U.S. economy was          The U.S. economy is important but
unquestionably dominant       not dominant in the world, and it
in the world.                 is increasingly interlinked with
                              allies, customers, suppliers,
                              vendors, and competitors all over
                              the world.

The economy was               The economy is oriented toward
oriented toward               information and services.
material production.

The security threat was       Security threats are much more
relatively homogeneous        heterogeneous than in the Cold
(Soviet Union and Cold        War, both in origin and in
War).                         nature.

Cryptography was used         Cryptography has important
primarily for military        applications throughout all
and diplomatic                aspects of society.
purposes. Government          Nongovernmental entities have
had a relative monopoly       significant expertise and
on cryptographic              capability built on an open,
expertise and                 public, and expanding base of
capability.                   scientific and technical
                              knowledge about cryptography.

____________________________________________________________


   The recommendations below address several critical policy
areas. In the interests of brevity, only short rationales for
the recommendations are given here. The reader is urged to
read Chapter 8 of the report for essential qualifications,
conditions, and explanations.


        A FRAMEWORK FOR NATIONAL CRYPTOGRAPHY POLICY

   The framework for national cryptography policy should
provide coherent structure and reduce uncertainty for
potential vendors and for nongovernment and government users
of cryptography in ways that policy does not do today.

*Recommendation 1: No law should bar the manufacture, sale, or
use of any form of encryption within the United States*.
Specifically, a legislative ban on the use of unescrowed
encryption would raise both technical and legal or
constitutional issues. Technically, many methods are available
to circumvent such a ban; legally, constitutional issues,
especially those related to free speech, would be almost
certain to arise, issues that are not trivial to resolve.
Recommendation 1 is made to reinforce this particular aspect
of the Administration's cryptography policy.

*Recommendation 2: National cryptography policy should be
developed by the executive and legislative branches on the
basis of open public discussion and governed by the rule of
law*. Only a national discussion of the issues involved in
national cryptography policy can result in the broadly
acceptable social consensus that is necessary for any policy
in this area to succeed. A consensus derived from such
deliberations, backed by explicit legislation when necessary,
will lead to greater degrees of public acceptance and trust,
a more certain planning environment, and better connections
between policy makers and the private sector on which the
nation's economy and social fabric rest.

*Recommendation 3: National cryptography policy affecting the
development and use of commercial cryptography should be more
closely aligned with market forces*. As cryptography has
assumed greater importance to nongovernment interests,
national cryptography policy has become increasingly
disconnected from market reality and the needs of parties in
the private sector. Experience with technology deployment
suggests that reliance on market forces is generally the most
effective way to promote the widespread use of a new
technology. Since the committee believes that widespread
deployment and use of cryptography are in the national
interest, it believes that national cryptography policy should
align itself with user needs and market forces to the maximum
feasible extent. Accordingly, national cryptography policy
should emphasize the freedom of domestic users to determine
cryptographic functionality, protection, and implementations
according to their security needs as they see fit; encourage
the adoption of cryptographic standards by the federal
government and private parties that are consistent with
prevailing industry practice; and support the use of
algorithms, product designs, and product implementations that
are open to public scrutiny.


                       EXPORT CONTROLS

   For many years, the United States has controlled the export
of cryptographic technologies, products, and related technical
information as munitions (on the U.S. Munitions List
administered by the State Department). However, the current
export control regime for cryptography is an increasing
impediment to the information security efforts of U.S. firms
competing and operating in world markets, developing strategic
alliances internationally, and forming closer ties with
foreign customers and suppliers. Export controls also have had
the effect of reducing the domestic availability of products
with strong encryption capabilities. Looking to the future,
both U.S. and foreign companies have the technical capability
to integrate high-quality cryptographic features into their
products and services. U.S. export controls may stimulate the
growth of significant foreign competition for U.S. vendors to
the detriment of both U.S. national security interests and
U.S. business and industry.

   Some relaxation of today's export controls on cryptography
is warranted. Relaxation would create an environment in which
U.S. and multinational firms and individuals could use the
same security products in the United States and abroad,
thereby supporting better information security for U.S. firms
operating internationally. It would also increase the
availability of good cryptography products in the United
States. Finally, it would help to solidify U.S. leadership in
a field critical to national security and economic
competitiveness.

   At the same time, cryptography is inherently dual-use in
character, with important applications to both civilian and
military purposes. Because cryptography is a particularly
critical military application for which few technical
alternatives are available, retention of some export controls
on cryptography will mitigate the loss to U.S. national
security interests in the short term, allow the United States
to evaluate the impact of relaxation on national security
interests before making further changes, and "buy time" for
U.S. national security authorities to adjust to a new
technical reality.

*Recommendation 4: Export controls on cryptography should be
progressively relaxed but not eliminated*.

   *Recommendation 4.1 -- Products providing confidentiality
at a level that meets most general commercial requirements
should be easily exportable.(1) Today, products with
encryption capabilities that incorporate the 56-bit DES
algorithm provide this level of confidentiality and should be
easily exportable*. As a condition of export, vendors of
products covered under this recommendation 4.1 (and 4.2 below)
would be required to provide to the U.S. government full
technical specifications of their product and reasonable
technical assistance upon request in order to assist the U.S.
government in understanding the product's internal operations.

   *Recommendation 4.2 -- Products providing stronger
confidentiality should be exportable on an expedited basis to
a list of approved companies if the proposed product user is
willing to provide access to decrypted information upon
legally authorized request*. Firms on the list would agree to
abide by a set of requirements described in Chapter 8 that
would help to ensure the ability of the U.S. government to
obtain the plaintext of encrypted information upon
presentation of a proper law enforcement request. (Plaintext
is the information that was initially encrypted.)

   *Recommendation 4.3 -- The U.S. government should
streamline and increase the transparency of the export
licensing process for cryptography*. Greater efforts in this
area would reduce uncertainty regarding rules, time lines, and
the criteria used in making decisions about the exportability
of particular products. Chapter 8 describes specific possible
steps that might be taken.

----------

   (1)  For purposes of Recommendation 4.1, a product that is
"easily exportable" will automatically qualify for treatment
and consideration (i.e., commodity jurisdiction, or CJ) under
the CCL. Automatic qualification refers to the same procedure
under which software products using RC2 or RC4 algorithms for
confidentiality with 40-bit key sizes currently qualify for
the CCL.

____________________________________________________________


            ADJUSTING TO NEW TECHNICAL REALITIES

   As noted above, cryptography is helpful to some dimensions
of law enforcement and national security and harmful to
others. The committee accepts that the onset of an information
age is likely to create many new challenges for public safety,
among them the greater use of cryptography by criminal
elements of society. If law enforcement authorities are unable
to gain access to the encrypted communications and stored
information of criminals, some criminal investigations and
prosecutions will be significantly impaired. For these
reasons, specific steps should be taken to mitigate these
difficulties. In the realm of national security, new
capabilities are needed to better cope with the challenges
that cryptography presents.

   Since 1993, the approach of the U.S. government to these
problems has been an aggressive promotion of escrowed
encryption (see Chapter 5) as a pillar of the technical
foundation for national cryptography policy, primarily in
response to the law enforcement concerns described above.
Initiatives promoted by the U.S. government include the
Escrowed Encryption Standard (a voluntary Federal Information
Processing Standard for secure voice telephony), the
Capstone/Fortezza initiative that provides escrowed encryption
capabilities for secure data storage and communications, and
a recent proposal to liberalize export controls on certain
encryption products if the keys are "properly escrowed."

   The committee understands the Administration's rationale
for promoting escrowed encryption but believes that escrowed
encryption should be only one part of an overall strategy for
dealing with the problems that encryption poses for law
enforcement and national security. The committee's view of an
appropriate overall strategy is described below, and escrowed
encryption is the focus of Recommendation 5.3.

*Recommendation 5: The U.S. government should take steps to
assist law enforcement and national security to adjust to new
technical realities of the information age*. Over the past 50
years, both law enforcement and national security authorities
have had to cope with a variety of changing technological
circumstances. For the most part, they have coped with these
changes quite well. Today, however, "business as usual" will
not suffice to bring agencies responsible for law enforcement
and national security into the information age. At the same
time, both law enforcement and national security have
demonstrated considerable adaptability to new environments;
this record of adaptability provides considerable confidence
that they can adapt to a future of digital communications and
stored data as well.

   The specific subrecommendations that follow attempt to
build on this record. They are intended to support law
enforcement and national security missions in their totality
-- for law enforcement, in both crime prevention and crime
prosecution and investigation; for national security, in both
defense of nationally critical information systems and the
collection of intelligence information.

   *Recommendation 5.1 -- The U.S. government should actively
encourage the use of cryptography in nonconfidentiality
applications such as user authentication and integrity
checks*. These applications are particularly important in
addressing vulnerabilities of nationally critical information
systems and networks. Furthermore, these applications of
cryptography are important crime-fighting measures. To date,
national cryptography policy has not fully supported such
nonconfidentiality uses. Some actions have been taken in this
area, but these actions have sometimes conflicted with
government concerns about confidentiality. As importantly,
government has expressed considerably more concern in the
public debate regarding the deleterious impact of widespread
cryptography used for confidentiality than over the
deleterious impact of not deploying cryptographic capabilities
for user authentication and data integrity. Chapter 8 provides
a number of illustrative examples to demonstrate what specific
actions government can take to promote nonconfidentiality
applications of cryptography.

   *Recommendation 5.2 -- The U.S. government should promote
the security of the telecommunications networks more actively.
At a minimum, the U.S. government should promote the link
encryption of cellular communications (2) and the improvement
of security at telephone switches*. Such steps would not
diminish government access for lawfully authorized wiretaps
through the requirements imposed on carriers today to
cooperate with law enforcement in such matters. Furthermore,
by addressing public demands for greater security in voice
communications that are widely known to be nonsecure through
the telecommunications service providers, these measures would
also reduce the demand for (and thus the availability of)
devices used to provide end-to-end encryption of voice
communications. Without a ready supply of such devices, a
criminal user would have to go to considerable trouble to
obtain a device that could thwart a lawfully authorized
wiretap.

   *Recommendation 5.3 -- To better understand how escrowed
encryption might operate, the U.S. government should explore
escrowed encryption for its own uses. To address the critical
international dimensions of escrowed communications, the U.S.
government should work with other nations on this topic*.
Escrowed encryption has both benefits and risks. The benefits
for law enforcement and national security are that when
escrowed encryption is properly implemented and widely
deployed, law enforcement and national security authorities
will be able to obtain access to escrow-encrypted data in
specific instances when authorized by law. Escrowed encryption
also enables end users to recover encrypted stored data to
which access has been inadvertently lost. The risk to end
users is that escrowed encryption provides a potentially lower
degree of confidentiality because it is specifically designed
to permit exceptional access by parties not originally
intended to have access to the encrypted data.

   Aggressive government promotion of escrowed encryption is
not appropriate at this time for several reasons: the lack of
operational experience with how a large-scale infrastructure
for escrowed encryption would work; the lack of demonstrated
evidence that escrowed encryption will solve the most serious
problems that law enforcement authorities face; the likely
harmful impact on the natural market development of
applications made possible by new information services and
technologies; and the uncertainty of the market response to
such aggressive promotion. At the same time, many policy
benefits can be gained by an operational exploration of
escrowed encryption by the U.S. government for government
applications; such exploration would enable the U.S.
government to develop the base of experience on which to build
a more aggressive promotion of escrowed encryption should
circumstances develop in such a way that encrypted
communications come to pose a significant problem for law
enforcement.

   *Recommendation 5.4 -- Congress should seriously consider
legislation that would impose criminal penalties on the use of
encrypted communications in interstate commerce with the
intent to commit a federal crime*. The purpose of such a
statute would be to discourage the use of cryptography for
illegitimate purposes, thus focusing the weight of the
criminal justice system on individuals who were in fact guilty
of criminal activity rather than on law-abiding citizens and
criminals alike. Any statute in this area should be drawn
narrowly.

   *Recommendation 5.5 -- High priority should be given to
research, development, and deployment of additional technical
capabilities for law enforcement and national security to cope
with new technological challenges*. Such R&D should be
undertaken during the time that it will take for cryptography
to become truly ubiquitous. These new capabilities are almost
certain to have a greater impact on future information
collection efforts than will aggressive attempts to promote
escrowed encryption to a resistant market.

----------

   (2)  "Link encryption" refers to the practice of encrypting
information being communicated in such a way that it is
encrypted only in between the node from which it is sent and
the node where it is received; while the information is at the
nodes themselves, it is unencrypted. In the context of link
encryption for cellular communications, a cellular call would
be encrypted between the mobile handset and the ground
station. When carried on the landlines of the telephone
network, the call would be unencrypted.

____________________________________________________________


               THE POLICY RELATIONSHIP BETWEEN
            INFORMATION SECURITY AND CRYPTOGRAPHY

   Although this report is concerned primarily with national
cryptography policy, any such policy is only one component of
a national information security policy. Without a
forward-looking and comprehensive national information
security policy, changes in national cryptography policy may
have little operational impact on U.S. information security.

*Recommendation 6: The U.S. government should develop a
mechanism to promote information security in the private
sector*. As is widely acknowledged, the U.S. government is not
well organized to meet the challenges presented by an
information society, and no government agency has the
responsibility to promote information security in the private
sector. Absent a coordinated approach to promoting information
security, the needs of many stakeholders may well be given
inadequate attention and notice; those who are pursuing
enhanced information security and those who have a need for
legal access to stored or communicated information must both
be included in a robust process for managing the
often-competing issues and interests that will inevitably
arise over time. Government has an important role in actively
promoting the security of information systems and networks
critical to the nation's welfare (e.g., the banking and
financial system, the public switched telecommunications
network, the air traffic control system, the electric power
grid). In other sectors of the economy, the role of the U.S.
government should be limited to providing information and
expertise. Chapter 8 provides some illustrative examples of
what the government might do to promote information security
in the private sector.


                         CONCLUSION

   The committee believes that its recommendations will lead
to enhanced confidentiality and protection of information for
individuals and companies, thereby reducing economic and
financial crimes and economic espionage from both domestic and
foreign sources. In addition, they will result in improved
security and assurance for the information systems and
networks used by the nation -- a more secure national
information infrastructure. While the recommendations will in
these ways contribute to the prevention of crime and enhance
national security, the committee recognizes that the spread of
cryptography will increase the burden of those in government
charged with carrying out certain specific law enforcement and
intelligence activities. It believes that widespread
commercial and private use of cryptography in the United
States and abroad is inevitable in the long run and that its
advantages, on balance, outweigh its disadvantages. Thus, the
committee concluded that the overall interests of the
government and the nation would best be served by a policy
that fosters a judicious transition toward the broad use of
cryptography.

[End Executive Summary]

____________________________________________________________


               A Road Map Through This Report


   This report responds to a request made in the Defense
Authorization Act of FY 1994 by the U.S. Congress for the
National Research Council to conduct a comprehensive study of
national cryptography policy, a subject that has generated
considerable controversy in the past few years.

   This report is organized into three parts. Part I frames
the policy issues. Chapter 1 outlines the problem of growing
information vulnerability and the need for technology and
policy to mitigate this problem. Chapter 2 describes possible
roles for cryptography in reducing information vulnerability
and places cryptography into context as one element of an
overall approach to ensuring information security. Chapter 3
discusses nongovernment needs for access to encrypted
information and related public policy issues, specifically
those related to information gathering for law enforcement and
national security purposes.

   Part II of this report describes the instruments and goals
of current U.S. cryptography policy and some of the issues
raised by current policy. Chapter 4 is concerned primarily
with export controls on cryptography, a powerful tool that has
long been used in support of national security objectives but
whose legitimacy has come under increasing fire in the last
several years. Chapter 5 addresses escrowed encryption, an
approach aggressively promoted by the federal government as a
technique for balancing national needs for information
security with those of law enforcement and national security.
Chapter 6 discusses other dimensions of national cryptography
policy, including the Digital Telephony Act of 1995 (aka the
Communications Assistance for Law Enforcement Act) and a
variety of other levers used in national cryptography policy
that do not often receive much attention in the debate.

   Part III has two goals: enlarging the space of possible
policy options, and offering findings and recommendations.
Chapter 7 discusses a variety of options for cryptography
policy, some of which have been suggested or mentioned in
different forums (e.g., in public and/or private input
received by the committee, or by various members of the
committee). These policy options include alternative export
control regimes for cryptography and alternatives for
providing third-party access capabilities when necessary. In
addition, Chapter 7 addresses several issues related to or
affected by cryptography that will appear on the horizon in
the foreseeable future. Chapter 8 describes the committee's
findings and recommendations.

   A set of appendixes provides more detail where needed.

[End Road Map]

____________________________________________________________






