
Network Security, March 1998

Uncle Sam’s Crypto Road Show

Wayne Madsen

State Department documents released to the Electronic Privacy Information Center (EPIC) illustrate the extensive travels of Ambassador David Aaron, President Clinton’s former Special Envoy for Cryptography, during 1996 and 1997. On 6 November 1996, Aaron became the Under Secretary of Commerce for international trade. Aaron was charged by the Clinton administration with selling the concept of the unpopular key escrow/key recovery initiatives to governments around the world. This was in addition to his other duties as Permanent Representative to the Organization for Economic Cooperation and Development (OECD) in Paris.

Contrary to statements by Aaron and other administration officials, the newly-released documents indicate that many foreign governments were either opposed to the US encryption initiatives, reluctant to make any quick decisions to adopt key escrow, or were not sufficiently informed on the matter to make a decision at all. Even before Aaron was appointed Clinton’s ‘Special Envoy for Cryptography’, US State Department messages indicate that the US was making overtures to various countries via American embassies around the world. These include the diplomatic posts in Canberra, London, Tokyo, Ottawa, Tel Aviv, Paris, Bonn, The Hague and Moscow. One message to these posts announced the revised US cryptography export policy - the key recovery within two years or ‘no export’ rule (the public announcement was made on 1 October 1996).

Following the receipt of the message, the US Embassy Economic Officer in Ottawa briefed Lynda Watson, the Canadian Director of the Export Controls Division of the Department of Foreign Affairs and International Trade (DFAIT), on 2 October 1996. In a message to the State Department classified ‘Sensitive But Unclassified’ (SBU), it is stated that Watson’s reaction to the proposed cryptography policy was “one of mild surprise”. Watson said that Canada “had not expected this outcome at this time”. When the Economic Officer asked Watson to provide a list of senior officials for an, at the time, unnamed senior American official to meet, Watson declined, saying that would depend on the rank of the US official.

Diplomatic protocol, it seems, actually became a stumbling block to a quick commitment by Canada to readily accept US key recovery proposals. Watson also had a list of questions for the Americans to pose to their Government concerning key recovery, including the reasonable question of when the new American policy was to come into effect. Although the Economic Officer seemed to indicate to Watson that US-Canadian meetings would be coordinated through her, he provided copies of the message outlining the new US key recovery plan to embassy representatives of the National Security Agency (NSA), the FBI and US Customs Service. They were directed to contact their Canadian counterparts directly to seek out Canadian officials who might meet with the unnamed senior US official.(1)

In a further embassy message to Washington, Ms Watson is reported to not have received a timely response to her questions about US intentions. In the message (subject: US Cryptography Policy: Canadians reiterate their questions), an embassy official reports that Watson, on 29 October 1996, asked him whether the embassy had received answers to her previous questions on US cryptography policy and the identity of the ‘senior official’ who would be coming to Canada. The message states:

“The GOC (Government of Canada) would like to be in a position to have a meaningful discussion at a senior level, Watson said. But the lack of any information from the USG (US Government) in the three weeks since the embassy originally approached DFAIT about the potential visit of a senior USG official has made it difficult for DFAIT to prepare for such a meeting. It was essential, she said, that the GOC be given ‘more than just seven to 10 days advance notice’ to prepare for the visit of the senior official. If DFAIT did not have this information well in advance, Watson said, the senior official’s visit to Ottawa risked being less productive than both sides would like.” (2)

© 1998 Elsevier Science Ltd

US Government officials had often cited Canada as one of the US allies that was supportive of US cryptography initiatives. Revelations from these released diplomatic cables do not seem to support that contention. The announcement by the White House that the ‘senior US official’ would be David Aaron was not made until 15 November 1996. State Department message traffic reveals that further US diplomatic posts were brought into the cryptography picture. These include the posts in Budapest, Buenos Aires, Mexico City, Prague, Pretoria, and Seoul as well as American consulates in Strasbourg (the headquarters of the Council of Europe) and Marseilles. They also included the OECD collective address of ‘All OECD Capitals’. (3) This prompted the US Embassy in Bern to inquire as to whether they were supposed to arrange meetings between Aaron and officials of the Federal Office of Communications (BAKOM), the lead agency for cryptography issues in domestic legislation. (4)

Although there was a name now associated with the US ‘senior official’, problems with America’s ‘closest ally’ would continue. In a 22 November 1996 message to the State Department, the American Embassy in Ottawa reported that it shared the news of Ambassador Aaron’s appointment with Lynda Watson. However, Watson did not approve of the dates proposed for Aaron’s visit to Ottawa (10-11 December 1996). Watson said that some of the higher-level officials would be out of town that week and most of the DFAIT working-level officials were going to be in Vienna for a meeting of Wassenaar Arrangement nations.(5) It is surprising that Aaron would have proposed a trip to Ottawa during a meeting in which cryptography export controls were surely to be discussed!

The United States would continue to have trouble with Canada. In a 19 December 1996 message from Aaron to the Department of State, the FBI, NSA, Justice Department and Commerce Department, the ambassador relays the content of a phone conversation he had the day before with John Tate, Coordinator of Security and Intelligence within Canada’s Privy Council Office. Tate was responding to the imminent release of the Commerce Department’s new encryption export regulations (which were released on 1 October 1996). Tate said that while Canada supported the thrust of the new US encryption policy, “If the new regulations take effect on 1 January 1997, Canada will be obligated to lift its own export controls with no follow-up proposal to back it up”. Aaron reported that Tate wanted the US to delay its new policy implementation “for six months to a year”. In the message, Aaron states “... while I was sympathetic to Canada’s position, our own domestic situation did not allow for an extended implementation period”. (6)

In a follow-up phone call with Tate, Aaron reports that the Privy Councilor reconfirmed, “Canada would not be in a position to apply the same type of conditions to its own industry”.(7) This indicates that Canada was not prepared to go along with the US proposal to have companies agree to take part in a key recovery programme in order to receive export licenses for cryptographic products.

The US Embassy in Tokyo seemed rather strapped for cash in setting up meetings between Japanese Government officials and Aaron. For example, one message from the Tokyo embassy to the State Department cited the scarcity and expense of interpreters for the meetings. Another said that in order to have an embassy car sent to Narita Airport for a 6:10 am pick-up of Aaron’s party, the embassy would have to pay the driver $150 overtime pay - and it wanted money from Washington in advance. The embassy did suggest that Aaron and his crypto party could take the bus to their hotel from the arrival area outside of customs. This was at the bargain rate of $28. Optionally, the embassy said, Aaron’s four-member delegation could hop on a train from the airport to Tokyo station and then take a cab to the embassy. A truly amazing diplomatic reception for President Clinton’s personal envoy!(8)

The Tokyo mission also reported reservations in Japan concerning US encryption proposals. In a 14 January 1997 message to Washington, the Tokyo embassy reports that Aaron should meet with Japanese industry representatives:

“A meeting with Japanese industry reps would be a useful opportunity to address some of the misperceptions and fears we have detected concerning US policy, and an opportunity to encourage Japanese industry to join our companies in developing a key-recovery infrastructure.” (9)

Given the close connection between Japanese industry and Government, it is certain that if Japanese industry had reservations about key recovery, the Japanese Government shared these sentiments. Perhaps this was what was behind the request by the Japanese Government for Aaron’s trip to Tokyo to “be kept low-key”. The Japanese also requested that there be no press activities regarding encryption policies.(10)

In an October 1996 Tokyo embassy message to Washington, it is reported that Ministry of Foreign Affairs Non-proliferation Officer, a Mr Sekiguchi, told US embassy officials, “regarding domestic key recovery ... the issue will have to be reconciled with the sensitive issue of privacy, which is strictly protected by the Japanese Constitution”. The Ministry of International Trade and Industry also indicated it had reservations with the US approach. It asked a US embassy official to ask Washington, “Once use is made of a third-party key, won’t all future communications of that user be compromised?” The Ministry of Posts and Telecommunications and Ministry of Justice weighed in by rhetorically asking, “What is to prevent people from creating their own encryption products based on publicly available algorithms?” Ironically, the best question was posed by the National Police Agency, rumoured to be Washington’s only ally on encryption in Japan: “How does the new US (encryption policy) affect the status of publicly posted encryption programs such as PGP?”(11)

In additional communications, the US Embassy in Tokyo continued to report problems for US encryption proposals. In a 31 January 1997 message, the embassy reports:

“Over the past several months, there have been several articles in major newspapers (Nikkei and Nikkei Sangyo) describing encryption and key recovery issues. According to these reports, Japanese firms are wary of participating in key recovery technology development for fear of appearing to support wiretapping.” (12)

The Embassy also reported problems that American firms were having meeting Japanese client demands for encryption (an issue which directly affects the US trade balance):

“A major US software company said it will have to use an NTT-developed product in a MITI-sponsored electronic commerce project it is involved in. Similarly, a recent report notes that WebTV, which has entered a joint venture with Fujitsu, has been forced to ask a Japanese company to develop encryption for its television set-top box, since it cannot export the 128-bit encryption it incorporates into its US product.”(13)

A message from the US Embassy in Rome proposes that the US attempt to actually influence the Italian legislative process in developing an encryption policy for that country. In a 6 December 1996 message to the State Department, the embassy informed Washington, “As Italy is currently formulating its encryption policy, we have a good opportunity to inform and influence the process”. However, the message contains a warning:

“We were told that the encryption issue is being treated delicately since Italian authorities are concerned about a potential blowback on a matter which affects the privacy of personal data. The Justice Ministry is trying to establish principles which maintain the constitutional right to privacy but also allow effective action against criminal organizations by legal authorities. We were told that the Ministry is looking at a ‘double key’ approach, similar to the US concept.” (14)

The message from Rome also identifies Italian Government officials who would be likely targets for an American lobbying effort on encryption policy. They are: Antonio Mirone (Justice Ministry Undersecretary); Luigi Scotti (Justice Ministry Chief Legislative Officer); Gianfranco Anedda (Deputy, National Alliance Party(15) and Lower House Reader of the Law); and Senator Salvatore Senese (Democratic Party of the Left and the Senate’s Reader of the Law). A Rome embassy message to Washington dated 20 December 1996 suggests that Aaron meet with neo-Fascist deputy Anedda.(16)

The Netherlands seemed to hedge on any quick acceptance of US key escrow/recovery proposals. In an American Embassy The Hague message dated 11 December 1996, it is revealed that Dutch Ministry of Economic Affairs official Mark Hoevers had “reservations about the efficiency of proposed consultations in the absence of an official US (and Dutch) encryption policy.” (17)

By early January 1997, it seemed that Aaron was not having too much luck convincing the ‘big players’ to support US encryption policy goals. In an 8 January 1997 message to US embassies in Copenhagen, Dublin, Helsinki, Moscow, Oslo, Seoul, Vienna and Wellington, Aaron requests those posts to identify representatives from the respective governments with whom he might hold “informal bilateral discussions on the margins of the RSA Conference (San Francisco) scheduled for 28-29 January”.(18)

There was also a suspicious meeting on 12 November 1996 between Aaron and OECD official Jean Pierre Tuveri. Aaron discussed Tuveri’s recent trip to Estonia, Latvia, and Lithuania. The crypto envoy must have brought up the Baltics’ policies on the use of cryptography during that session, although Aaron’s released day book entries do not indicate cryptography was discussed. However, immediately following the meeting with Tuveri, Aaron, his assistant, and key embassy officers held a meeting on cryptography. Additionally, while in the midst of high-level cryptographic discussions in Paris, Aaron found time for a 27 November 1996 meeting with the counsellor of the Latvian embassy in Paris.

The released traffic indicates that one of the strongest proponents for the US key escrow policy in Australia was Peter Ford of the Attorney General’s Office. Ford tried to get the Federal Minister of Communications, Senator Richard Alston, and Ford’s boss, Attorney General Daryl Williams, to meet with Aaron. However, the US embassy reported that the Attorney General was travelling to Perth during Aaron’s visit and was not available to meet with the US crypto ambassador. Alston apparently had other more pressing commitments. Even Norman Reaburn, the Deputy Secretary of the Attorney General’s Department and the OECD Cryptography Committee of Experts Chairman, was unavailable to meet with Aaron.

In diplomatic terms, such snubs represent a virtual statement of no-confidence. To add insult to injury, the chief law enforcement official of Australia apparently decided to place the entire Australian continent between him and the US cryptography proposals.

Aaron’s itinerary also kept him in his country of diplomatic residence, France. While French policy on encryption was more draconian than America’s in many respects, Aaron found total confusion among French industry and government sectors on how to address the issue.

At a 6 February 1997 roundtable hosted by Aaron at the Paris Trade Show Information Technology Forum/COMDEX, Aaron discussed cryptography with representatives of Alcatel, IBM France, Oracle France, Microsoft France, Hitachi Computer Europe, Netscape, CompuServe and French law firms. In a 5 March 1997 Paris embassy message to Washington, the highlights of these discussions were disclosed. In answer to a question from a Microsoft executive, Aaron pointed out that the US could not mandate encryption policy in the same manner as the French, but would “seek a market solution whereby key recovery encryption technologies became dominant throughout the world”. He added that this “was not inconsistent with French objectives”.

The message cited “balkanization” of French industry on the encryption issue as a significant problem. The message states:

“Executives from the sectors most closely concerned with encryption - telecoms, hardware and software manufacturers, and Internet Service Providers - are simply not talking to each other. Voicing concerns that we hear most frequently from our telecoms contacts, a member of the AMCHAM (American Chamber of Commerce) Telecoms Committee complained of the lack of transparency of the GOF’s (Government of France’s) encryption policy, and the GOF’s unwillingness to consult with the private sector.” (19)

The representative of IBM France said that the proposed French encryption decrees, which require that all encryption devices imported and used in France be approved by the government, were a “first step, a good building block”. But the IBM official added that IBM wanted full liberalization for all 40-bit products and minimal delays in French Government approvals of import licenses and encryption authorizations. Many French industry executives complained that one of the chief opponents of liberalized encryption regulations was the Direction de la Surveillance du Territoire (DST), the French domestic intelligence service. The business leaders stated that the Ministry of Industry was their “best ally” in their arguments with the spook community.

Concerning the French requirement for Trusted Third Parties (TTPs), the Microsoft official decried the fact that foreign companies were not authorized to be TTPs. However, the IBM France official said that, as a French company, his firm could qualify as a TTP under French law. He also said that large French companies like Michelin would be permitted to self-escrow their keys. (20)

The Netscape executive complained about non-OECD countries acting as “free riders” in the event strong crypto controls were adopted by the OECD nations. He cited Israel, Russia and Singapore as examples. Aaron responded by stating that he would be visiting non-OECD countries during his “encryption consultation missions”. He added that Russia had strong laws, but an enforcement problem; Israel had strong domestic controls but an export problem; and Singapore was adopting legislation in line with the OECD guidelines. He also cited India and Argentina as potential concerns.

In a 13 February 1997 meeting with officials of Oracle France, that company noted strong demand for encryption products in France among their financial, industrial, and military clients. They told Aaron they were concerned about French efforts to restrict the import and distribution of US-made encryption (i.e. %-bit and above). They stated they would use Ireland as an export platform for US-made encryption products “if France attempted to place unreasonable restrictions in legitimate imports”. Citing the 1994 European Union Directive on dual-use goods, they said that France was prohibited from imposing national restrictions on dual-use goods that circulated freely in any EU country, i.e. Ireland. Under export control regimes, dual-use items are those which have both civilian and military applications.(21)

The released State Department traffic indicates that France has built into its encryption policy hidden benefits for its intelligence and police agencies. For example, a 12 September 1996 message from the Paris Embassy to Washington explaining the details of a meeting between the US embassy Economic Counsellor and General J.L. Devigne, the Director of the Information Systems Security Service (SCSSI),(22) is almost entirely redacted (whited out). One paragraph eliminated deals with ‘Slow Progress on Encryption in the OECD’.(23)

Another meeting with the SCSSI officials followed on 26 September 1996. The venue was an OECD Paris meeting on cryptography. US and French officials met at a working breakfast meeting. On the US side were Scott Charney (Department of Justice); Ed Appel (National Security Council); and Mike Nelson (White House Office of Science and Technology Policy). Representing the French were General Devigne, Philippe Dejean, and Francois Belorgey of the Ministry of Industry and Telecommunications.(24) There was a follow-up meeting between US and French encryption policy officials on 23 October 1996. Attending from the US side were Susan Eckert of the Commerce Department and William J. Denk of Commerce’s Bureau of Export Administration. On the French side were Philippe Dejean, Michel Ferrier, Director of Technology and Strategic Export Controls at the General Secretariat for National Defense (SGDN), and representatives of the DST and French foreign intelligence service, the DGSE.(25)

In a keynote address to the RSA Data Security Conference in San Francisco on 28 January 1997, Aaron declared US allies “support the concept of lawful access by governments” to encrypted files and communications. He also said, “many governments in the interest of public safety, want stronger controls than we have”. The release by the State Department of Aaron’s detailed papers and diplomatic traffic is at variance with the ambassador’s contention. Most countries visited by Aaron either showed a lack of resolve on the key recovery issue or were just outright indifferent. Moreover, as can be seen from some US embassy traffic, America’s own diplomatic representatives (e.g. in Japan) were apprehensive about pushing key recovery in countries that opposed it. As a result of his travelling road show, most countries just decided they were not going to buy Ambassador Aaron’s ‘magic tonic’ of key recovery.

References

(1) American Embassy Ottawa Cable (Operational Immediate - Sensitive - Number 004391, 2 October 1996).

(2) American Embassy Ottawa Cable (Routine - Sensitive - Number 004819, 29 October 1996).

(3) These include Madrid, Lisbon, Athens, Copenhagen, Oslo, Helsinki, Reykjavik, Wellington, Vienna, Warsaw, Dublin, Ankara, and Luxembourg.

(4) American Embassy Bern Cable (Routine - Number 005191, 25 November 1996 - Subject: Special Envoy for Cryptography - Travel to Switzerland?).

(5) American Embassy Ottawa Cable (Operational Immediate - Sensitive - Number 005175, 22 November 1996).

(6) American Embassy Paris Cable (Priority - Number 029026, 19 December 1996).

(7) American Embassy Paris Cable (Priority - Number 029226, 20 December 1996).

(8) American Embassy Tokyo Cable (Priority - Number 000480, 21 December 1997).

(9) American Embassy Tokyo Cable (Priority - Number 00346, 14 January 1997).

(10) American Embassy Tokyo Cable (Priority - Number 000480, 21 December 1997).

(11) American Embassy Tokyo Cable (Priority - Originally Confidential - Number 009585, 16 October 1996).

(12) American Embassy Tokyo Cable (Priority - Originally Confidential - Number 000880, 31 January 1997).

(13) Ibid.

(14) American Embassy Rome Cable (Priority - Number 011869, 6 December 1996).

(15) This party is generally referred to as the neo-Fascist party. One of its leaders includes Vittorio Mussolini, the son of the former Fascist leader.

(16) American Embassy Rome Cable (Priority - Number 012256, 20 December 1996).

(17) American Embassy The Hague Cable (Routine - Number 005239, 11 December 1996).

(18) American Embassy Paris Cable (Routine - Number 000422, 8 January 1997).

(19) American Embassy Paris Cable (Priority - Number 005109, 5 March 1997).

(20) Ibid.

(21) Ibid.

(22) The counsellor also met with Philippe Dejean, SCSSI’s Cryptographic Division Chief.

(23) American Embassy Paris Cable (Priority - Number 20381, 12 September 1996).

(24) American Embassy Paris Cable (Priority - Number 22577, 7 October 1996).

(25) American Embassy Paris Cable (Priority - Originally Confidential - Number 025048, 31 October 1996).

Managing Network Security - Red Teaming

Fred Cohen

Over the last few years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programmes has increasingly become a function of our ability to make prudent management decisions about organizational activities. This series of articles takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Many people in the information security industry, myself included, offer Red Teaming services to their clients. In simplest terms, these services provide information on and demonstrations of vulnerabilities, but it isn’t really that simple. The real challenge with Red Teaming is getting value for your money.

The cheap and dirty Red Team

Lots of people believe that the most important impacts of Red Teaming are in the effects of the results on management with a graphic demonstration of the vulnerabilities faced by the organization. The information security specialists know that there is a big problem, but they are having difficulty making management understand. So they decide to do a sample penetration to make the impact of vulnerabilities clearer. Naturally, they call in a consultant rather than doing it themselves...

Joe: Joe’s security consulting... Joe speaking.

You: Hi Joe, can you break into my computers?

Joe: Sure, but it’ll cost you a pretty penny.

You: How much?

Joe: That depends on what you want me to do. What did you have in mind?

You: We want to show the boss that we could lose millions if a hacker broke in.
