Other Dimensions of National Cryptography Policy
Pages 216-246



From page 216...
... was widely known as the "digital telephony" bill before its formal passage. The CALEA is not explicitly connected to national cryptography policy, but it is an important aspect of the political context in which national cryptography policy has been discussed and debated.
From page 217...
... They do not apply to information services, such as the services of electronic mail providers; on-line services such as CompuServe or America Online; or
From page 218...
... The CALEA also provides that a warrant is needed to tap a cordless telephone; wiretaps on cellular telephones are already governed by Title III or the Foreign Intelligence Surveillance Act.
The Stated Rationale for the CALEA
Historically, telecommunications service providers have cooperated with law enforcement officials in allowing access to communications upon legal authorization.
From page 219...
... For example, the technology of speech recognition for the most part cannot cope with speech that is speaker-independent and continuous, and artificial intelligence programs today and for the foreseeable future will be unable to distinguish between the criminally relevant and nonrelevant parts of a conversation. Human agents are an essential component of a wiretap, and law enforcement officials have made three key points in response to the concern raised above: • Most importantly, today's wiretaps are performed generally with law enforcement agencies paying telecommunications service providers for delivering the intercepted communications to a point of law enforcement's choosing.
From page 220...
... For law enforcement, products with encryption capabilities and features that allow exceptional access are useless without access to the traffic in question. The CALEA was an initiative spearheaded by law enforcement to deal with the access problem created by new telecommunications services.
From page 221...
... The CALEA provides that a party providing communications services that in the judgment of the FCC are "a replacement for a substantial portion of the local telephone exchange service" may be deemed a carrier subject to the requirements of the CALEA. Thus, one possible path along which telecommunications services may evolve could lead to the imposition of CALEA requirements on information service providers, even though they were exempted as an essential element of a legislative compromise that enabled the CALEA to pass in the first place.
From page 222...
... , and FIPS 186, the Digital Signature Standard (DSS)
From page 223...
... This standard provides specifications for cryptographic modules which can be used within computer and telecommunications systems to protect unclassified information in a variety of different applications. • FIPS 185: Escrowed Encryption Standard (see main text)
From page 224...
... The other domain is procurement of products that are useful in both the private and public sectors. Where equipment and products serve both government and private sector needs, in some instances the ability of the government to buy in bulk guarantees vendors a large enough market to take advantage of mass production, thereby driving down for all consumers the unit costs of a product that the government is buying in bulk.
From page 225...
... This point was acknowledged by Administration officials to the committee on a number of occasions. Specifically, the government hoped that the adoption of the EES to ensure secure communications within the government and for communications of other parties with the federal government would lead to a significant demand for EES-compliant devices, thus making possible production in larger quantities and thereby driving unit costs down and making EES-compliant devices more attractive to other users.
From page 226...
... Impeding the spread of high-quality products with encryption capabilities internationally is the stated and explicit goal of export controls; on the domestic front, impeding the spread of high-quality products with encryption capabilities has been a desirable outcome from the standpoint of senior officials in the law enforcement community. A very good example of the impact of fear, uncertainty, and doubt on the marketplace for cryptography can be found in the impact of government action (or more precisely, inaction)
From page 227...
... and the desire to reduce overall system costs for digital signatures. For a discussion of the intellectual issues involved in the rejection of the RSA algorithm and the concern over confidentiality, see Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S.
From page 228...
... performing signals intelligence against potential foreign adversaries. In the information security side of the operation, NSA-developed technology has extraordinary strengths that have proven well suited to the protection of classified information relevant to defense or foreign policy needs.
From page 229...
... The DSS uses the NIST-developed Digital Signature Algorithm, which according to NIST is available for use without a license. However, during the DSS's development, concern arose about whether the DSS might infringe on the public-key patents cited above, as well as a patent related to signature verification held by Claus Schnorr of Goethe University in Frankfurt, Germany.16 NIST asserts that the DSS does not infringe on any of these
14 See RSA Data Security Inc.
From page 230...
... 17 National Institute of Standards and Technology, "Digital Signature Standard," Computer Systems Laboratory (CSL) Bulletin, NIST, Gaithersburg, Md., November 1994.
From page 231...
... For example, although the United States maintains formal mutual legal assistance treaties with a number of nations, U.S. law enforcement agencies cooperate (sometimes extensively)
From page 232...
... A second attempt to provide product evaluation was represented by the National Computer Security Center (NCSC)
From page 233...
... In late 1995, articles in the trade press reported that the DOD was attempting to revive the evaluation program in a way that would involve private contractors.20 A recent attempt to provide certification services is the Cryptographic Module Validation Program (CMVP) to test products for conformance to FIPS 140-1, Security Requirements for Cryptographic Modules.21 FIPS 140-1 provides a broad framework for all NIST cryptographic standards, specifying design, function, and documentation requirements for cryptographic modules -- including hardware, software, "firmware," and combinations thereof -- used to protect sensitive, unclassified information in computer and telecommunication systems.22 The CMVP was established in July 1995 by NIST and the Communications Security Establishment of the government of Canada.
From page 234...
... In many cases, this ability is not based on specific legislative authority, but rather on the use of the "bully pulpit." For example, the government can act in a convening role to bring focus and to stimulate the private sector to work on a problem.25 The bully pulpit can be used to convey a sense of urgency that is tremendously important in how the private sector reacts, especially large companies that try to be good corporate citizens and responsive to informal persuasion by senior government officials. Both vendors and users can be influenced by such authority.26
23 As of September 1995, the National Institute of Standards and Technology's National Voluntary Laboratory Accreditation Program had accredited three U.S.
From page 235...
... between NIST and NSA outlines several areas of cooperation between the two agencies that are intended to implement the Computer Security Act of 1987; joint NIST-NSA activities are described in Box 6.2. This MOU has been the subject of some controversy, with critics believing that the MOU and its implementation cede too much authority to NSA and defenders believing that the
27 Office of Management and Budget press release, "National Information Infrastructure Security Issues Forum Releases 'NII Security: The Federal Role,'" Washington, D.C., June 14, 1995.
From page 236...
... MOU is faithful to both the spirit and letter of the Computer Security Act of 1987.28 The MOU between the FBI and NSA, declassified for the National Research Council, states that the NSA will provide assistance to the FBI upon request, when the assistance is consistent with NSA policy (includ
28 For more discussion of these critical perspectives, see Office of Technology Assessment, Information Security and Privacy in Network Environments, 1994, Box 4-8, pp.
From page 237...
... The role of the ISSR-JTO is "to optimize use of the limited research funds available, and strengthen the responsiveness of the programs to DISA, expediting delivery of technologies that meet DISA's requirements to safeguard the confidentiality, integrity, authenticity, and availability of data in DOD information systems, provide a robust first line of defense for defensive information warfare, and permit electronic commerce between the DOD and its contractors."29
6.3 ORGANIZATION OF THE FEDERAL GOVERNMENT WITH RESPECT TO INFORMATION SECURITY
6.3.1 Role of National Security vis-à-vis Civilian Information Infrastructures
The extent to which the traditional national security model is appropriate for an information infrastructure supporting both civilian and military applications is a major point of contention in the public debate.
From page 238...
... Since enactment of the Computer Security Act, there has been no serious (i.e., adequately funded and properly staffed), sustained effort to establish a center of information-security expertise and leadership outside the defense/intelligence communities." See Office of Technology Assessment, Issue Update on Information Security and Privacy in Network Environments, OTA-BP-ITC-147, U.S.
From page 239...
... (Note that NSA does not have broad authority to assist private industry with information security, although it does conduct for industry, upon request, unclassified briefings related to foreign information security threats; NSD 42 (text provided in Appendix N) also gives NSA was reached by the Board on Assessment of NIST Programs of the National Research Council, which wrote that "the Computer Security Division is severely understaffed and underfunded given its statutory security responsibilities, the growing national recognition of the need to protect unclassified but sensitive information, and the unique role the division can play in fostering security in commercial architectures, hardware, and software." See Board on Assessment of NIST Programs, National Research Council, An Assessment of the National Institute of Standards and Technology, Fiscal Year 1993, National Academy Press, Washington, D.C., 1994, p.
From page 240...
... can enter as well. By contrast, the traditional national security model keeps potential adversaries outside the security perimeter, allowing access only to those with a real need.
From page 241...
... in November 1988 in response to the needs exhibited during the Internet worm incident. CERT's charge is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research targeted at improving the security of existing systems.33 CERT offers around-the-clock technical assistance for responding to computer security incidents, educates users regarding product vulnerability
32 This observation was also made in Computer Science and Telecommunications Board, National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, Washington, D.C., 1991, a report that proposed an Information Security Foundation as the most plausible type of organization to promote information security in the private sector.
From page 242...
... Operationally, the NACIC works
34 Office of Management and Budget press release, "National Information Infrastructure Security Issues Forum Releases 'NII Security: The Federal Role,'" Washington, D.C., June 14, 1995. Available on-line at gopher://ntiant1.ntia.doc.gov:70/00/iitf/security/files/fedworld.txt.
From page 243...
... are active in information security.
6.4 INTERNATIONAL DIMENSIONS OF CRYPTOGRAPHY POLICY
The cryptography policy of the United States must take into account a number of international dimensions.
From page 244...
... Appendix G contains more discussion of international issues relevant to national cryptography policy.
6.5 RECAP
While export controls and escrowed encryption are fundamental pillars of current national cryptography policy, many other aspects of government action also have some bearing on it.
From page 245...
... In some ways, the debate over national cryptography policy reflects a tension in the role of the national security establishment with respect to information infrastructures that are increasingly important to civilian use. In particular, the use of cryptography has been the domain of national security and foreign policy for most of its history, a history that has led to a national cryptography policy that today has the effect of discouraging the use of cryptography in the private sector.

