  1. *** Prepared Remarks of Ray Ozzie,
  2. *** President of Iris Associates
  3. *** an affiliate of Lotus Development Corporation
  4. *** Delivered at opening of the RSA Data Security Conference '96
  5. ***
  6. <keynote>
  7.  
  8. SAN FRANCISCO, Jan. 17, 1996 -- As we're all painfully aware, the U.S.
  9. government continues to maintain that cryptography should be
  10. classified and controlled as a munition of war -- and for good
  11. historical reason: Some of cryptography's finest hours have been
  12. during past wars.
  13. From the government's standpoint, the export controls implied by
  14. munitions classification must be working very well, since there has
  15. been no mass-deployed worldwide cryptography, most general
  16. communications is still in cleartext, and no world of unbreakable
  17. crypto has emerged.
  18. In the meantime, while we're preoccupied by protecting the flow of
  19. bits across borders, trouble is brewing. Criminals don't recognize
  20. borders but operate in one wild-and-woolly network. Crackers are able
  21. to attack targets halfway around the world with no fear of
  22. prosecution. Exceptionally smart people in Eastern Europe crack
  23. financial systems in New York.
  24. Everywhere you look, bright, clever people are breaking into
  25. communication systems, industrial control systems, transportation
  26. systems, health care systems -- anything and everything that's
  27. controlled by networked computers. And as you know, this isn't a
  28. theoretical problem, or just a problem with clever people stealing
  29. money from banks; it's a "clear and present danger" that's a direct
  30. result of our having moved into the information age without adequately
  31. securing our information and our global information systems.
  32. This is not just an issue of signals Intelligence or of Title III
  33. wiretaps or of lost software industry profits; this is a public safety
  34. issue.
  35. One of these days, someone is going to bring down an airliner
  36. somewhere in the world, or cause a train wreck, or destabilize an
  37. economy, by breaking into an information system through the worldwide
  38. net. And it may be something that we could have prevented, if we had
  39. been making more casual and widespread use of cryptography.
  40. And that's why I, and a number of you, spend so much time trying to
  41. change the system -- trying to educate, to help convince the U.S.
  42. Government to liberalize export controls, to allow our customers
  43. worldwide to have access to good security, to protect themselves
  44. against the threats present on the worldwide networks.
  45. To be sure, the customers are getting more and more astute. Due in
  46. large part to the press surrounding the cracking of a few 40-bit RC4
  47. keys last year, our customers have lost confidence in 40-bit crypto.
  48. They told us that, if we were going to continue to market 40-bit Lotus
  49. Notes overseas, we should stop marketing it as a secure system -- that
  50. we should start to call it "data scrambling" or "data masking" instead
  51. of encryption. And so we have continued to lobby, arguing that the
  52. benefits of substantially better exportable crypto outweigh the risks.
  53. The government's response? Well, their latest proposal might -- in
  54. theory -- allow us to ship a 64-bit product overseas so long as it had
  55. third-party key escrow features built in. We talked to our customers
  56. about the administration's proposal, and the answer was very clear:
  57. our customers have said a resounding "no" to key escrow in Lotus
  58. Notes.
  59. They simply don't like the notion that they can't compute the
  60. additional risk and liability introduced by a third party holding the
  61. keys to unlock their data. Well, that left us in a bind.
  62. We need to provide better security for our international customers,
  63. but the government's proposal was clearly unacceptable to them.
  64. And because I didn't see a "silver bullet" solution -- or general
  65. export relief -- in the cards, I began looking for an interim solution
  66. that might allow us to ship a more secure product in the short term,
  67. while we continued to argue for substantial revision of national
  68. cryptography policy.
  69. And after months of negotiation, I'm here to announce that we have
  70. found a short-term workaround to the problem, which I hope you will
  71. find to be an interesting, new development in the area of cryptography
  72. as it pertains to export controls.
  73. While this is a very tough issue, and while I personally believe that
  74. a world of widespread cryptography is truly inevitable, the name of
  75. the game right now is to find a compromise solution that satisfies the
  76. stated needs of the U.S. Government, while still providing good
  77. information security.
  78. This is just such a compromise.
  79. Lotus Notes Release 4, which is now shipping, utilizes a new method of
  80. security that we're referring to as "Differential Workfactor
  81. Cryptography." It is a conceptually simple solution that addresses two
  82. problems at the same time: First, it protects sensitive corporate
  83. information from most malicious crackers far more effectively than
  84. previously exported products; second, it permits the government to
  85. retain its current level of access to encrypted information carried by
  86. U.S. products overseas.
  87. No more access, no less access.
  88. As you know, the U.S. government has defined its "maximum tolerance
  89. level" for exportable unescrowed cryptography at 40 bits. That is,
  90. because they generally permit the export of 40-bit products, the U.S.
  91. government is clearly already willing to deal with a 40-bit work
  92. factor in order to examine encrypted communications outside of this
  93. country.
  94. So, the system that we're shipping in Lotus Notes Release 4 overseas
  95. is one that presents different work factors to different parties,
  96. hence the name.
  97. Against crackers -- against the run-of-the-mill adversary trying to
  98. break a message -- the work factor is 64 bits, just like it is in the
  99. U.S. That is, in the new International Edition of Lotus Notes, bulk
  100. data keys are now 64 bits just as they are in our North American
  101. Edition that's sold in the U.S. and Canada.
  102. But when the U.S. Government needs access to a communications stream
  103. overseas encoded by the international edition of Lotus Notes, they are
  104. no worse off - and no better off - than they are today - they have to
  105. crack 40 bits.
  106. So how can this be true, when the work factor is 64 bits for
  107. non-governmental adversaries? It's pretty simple. We asked the
  108. government to generate a special RSA key pair, and to make known their
  109. RSA Public Key. We asked them to keep their private key classified,
  110. compartmentalized -- as secret as they'd keep the keys to their own
  111. military and diplomatic communication systems -- and to never disclose
  112. it to anyone.
  113. Then, we changed Notes so that whenever the product generates an
  114. encrypted 64-bit bulk data key, bound to that key is a small package
  115. -- a "workfactor reduction field" -- containing 24 bits of the bulk
  116. data key encrypted with the U.S. government's public key. So the U.S.
  117. government has exclusive access to 24 of the 64 bits.
  118. That's 64 bits against the cracker, 40 bits for the government.
  119. And, of course, this version of Notes is fully interoperable with the
  120. North American Edition of Notes, the only version that we sell in the
  121. United States.
  122. In the North American Edition, as always, keys generated for
  123. communications within the U.S. and Canada aren't subject to any kind
  124. of work factor reduction. And both the North American Edition and the
  125. International Edition are shipping today.
  126. We are very pleased that we are now able to offer this increased level
  127. of security to our overseas customers. And I encourage you out there
  128. -- product designers and developers who are in a similar bind -- to
  129. offer stronger confidentiality features to your customers in your
  130. exported products by taking advantage of our already having negotiated
  131. export approval for this Differential Workfactor implementation.
  132. But please make no mistake about it: We fully recognize that this is a
  133. compromise solution. This is not a panacea. This is not the "silver
  134. bullet" that addresses all needs.
  135. We continue to argue vigorously that global and national economic
  136. security, domestic law enforcement related to Information security
  137. crimes, and personal privacy concerns would all be served well by the
  138. rapid and broad, worldwide proliferation of good, strong, high-grade
  139. cryptography. And we continue to push for a complete and public review
  140. of national cryptography policy.
  141. But we relish the fact that, in today's highly-charged political
  142. climate surrounding the issue of cryptography, we were able to
  143. negotiate a solution that increases information security for our
  144. worldwide customers. By throwing another potential solution into the
  145. mix -- by leading the way for others by clearing its export approval
  146. -- we hope that this stirs debate related to national cryptography
  147. policy.
  148. A debate that is both global and local in nature; a debate that, with
  149. your help, we can hopefully bring to the attention of the U.S. Public.
  150. Updated: 01/17/96 01:14:15 PM
  151. </keynote>
  152.  
  153. ***
  154. *** White Paper by Charlie Kaufman, distributed at the RSA '96 conference
  156. ***
  157.  
  158. <whitepaper>
  159.  
  160.  
  161. Differential Workfactor Cryptography
  162.  
  163. Charlie Kaufman
  164. Security Architect
  165. Iris Associates
  166.  
  167. January 17, 1996
  168.  
  169. Abstract: This document describes the technical approach behind the
  170. exportable strong cryptography included in Lotus Notes Release 4
  171. (International Edition). Current U.S. export regulations generally prohibit
  172. the export of cryptographic software that uses keys larger than 40 bits,
  173. but advances in processor technology make breaking 40 bit keys by
  174. exhaustive search practical for a growing collection of potential
  175. attackers. In a novel scheme we sometimes refer to as 64/40, we provide
  176. the cryptographic strength of 64 bit keys against most attackers while,
  177. to comply with export regulations, making the workfactor for breaking the
  178. system equivalent to only 40 bits for the U.S. government. We do that
  179. by encrypting 24 of the 64 bits under a public RSA key provided by the
  180. U.S. government and binding the encrypted partial key to the encrypted data.
  181.  
  182. Background: As we're all painfully aware, the U.S. government continues
  183. to maintain that cryptography should be classified and controlled as a
  184. munition of war. There is a long historical basis for this - some of
  185. cryptography's finest hours have been during the wars of the past. And
  186. while some would argue that export controls are a sham because many
  187. foreign governments impose no such restrictions and we participate in an
  188. international marketplace, by one very important measure export controls
  189. have been a success: no mass-deployed worldwide cryptography has emerged
  190. and most general communications is still in cleartext.
  191.  
  192. But while the government has been successfully defending its ability to
  193. spy, trouble has been brewing. Criminals don't recognise borders -
  194. there's only one wild and wooly network. Crackers are able to attack targets
  196. halfway around the world with no fear of prosecution. Smart people in
  197. Eastern Europe crack financial systems in New York. Everywhere you
  198. look, bright clever people are breaking into communication systems,
  199. industrial control systems, transportation systems, health care systems,
  200. anything and everything that's controlled by networked computers. This is
  201. not a theoretical problem, or just a problem with clever people stealing
  202. money from banks; it's a clear and present danger that's a direct result of
  203. the fact that we've moved into the information age without adequately
  204. securing our global information systems.
  205.  
  206. Lotus Notes has been a pioneer in providing transparent strong RSA based
  207. cryptography in its product offering. It went to great lengths to provide
  208. the strongest protection legally permissible. There is an International
  209. Edition that complies with export regulations and a domestic edition that
  210. does not (called the North American Edition because it is legally available
  211. in the U.S. and Canada). In the International Edition, users use two RSA
  212. key pairs - one used to protect data integrity and authentication and
  213. another (shorter) one to protect data confidentiality because only data
  214. confidentiality key sizes are regulated by export controls. Full
  215. interoperability between the North American and International Editions is
  216. achieved by having the two ends negotiate down to the largest key size that
  217. both ends support. This design came at no small cost, but it was the only
  218. way we could deliver the best security possible to each of our customers
  219. given the existing regulatory climate.
  220.  
  221. Differential Workfactor Cryptography is another innovation in the direction
  222. of giving our customers the best security we can while continuing to oppose
  223. the regulations that make the complexity necessary.
  224.  
  225. How it works: The idea behind Differential Workfactor Cryptography is
  226. simple; whenever a bulk data key is created, a 64 bit random number is
  227. chosen. If the use of that key is one involving data confidentiality and
  228. the International Edition of Notes, 24 of the bits are encrypted under a
  229. public RSA key that was provided to us by the U.S. government and the
  230. result - called a Workfactor Reduction Field - is bound into the encrypted
  231. data. There is no Workfactor Reduction Field in data used only by the
  232. domestic edition of Notes, and there is none for keys that are not used
  233. for data confidentiality (e.g. those used for authentication).
  234.  
  235. If an attacker wanted to break into a Notes system based on information
  236. obtained by eavesdropping, he would have to exhaustively search a 64 bit
  237. key space. Even the U.S. government would face this workfactor because
  238. there is no Workfactor Reduction Field in keys used for authentication.
  239. An attacker who wanted to read an encrypted document that was either read
  240. from a server or eavesdropped from the wire would face a 64 bit workfactor.
  241. But if the U.S. government needed to decrypt such a document it could
  242. obtain 24 of the bits using its private key and the Workfactor Reduction Field
  243. and then exhaustively search a 40 bit key space.
  244.  
  245. Tamper resistance: You might wonder what's to prevent someone from deleting
  246. the Workfactor Reduction Field from a document or the setup protocol of a
  247. network connection. This is similar to the problem faced in the Clipper
  248. design to assure that the LEAF field was not removed from a conversation.
  249. In a software only implementation, it is not possible to prevent tampering
  250. entirely. The easiest form of tampering would be to smuggle the North
  251. American Edition CD out of the U.S. or pass it to someone over the
  252. Internet. The best a software implementation can do in terms of tamper
  253. resistance is to make it impossible to remove the Workfactor Reduction
  254. Field without modifying both the source of the data and the destination.
  255. This can be done by having the destination check for the presence of the
  256. Workfactor Reduction Field and refuse to decrypt the data if it is not
  257. there or not correct. The destination can't decrypt the Workfactor
  258. Reduction Field to check it, but knowing the bulk data key and the
  259. government public key, it can regenerate the WRF and compare the result
  260. with the supplied value. RSA has the convenient property that the same
  261. value encrypted twice produces the same result; it would be somewhat more
  262. complex (but still possible) to duplicate this functionality with other
  263. public key algorithms. [Note: for this to work, the random pad that was
  264. used in creating the WRF must be delivered to the recipient of the message.
  265. For it to be secure, it must be delivered encrypted since a clever attacker
  266. who knew the pad could do 2^24 trial encryptions to get 24 bits of the key
  267. and then do 2^40 trial decryptions to recover the rest.]
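
The recipient-side check described above, as an added example (not code from Lotus Notes or from the white paper). Textbook RSA with a constructed toy key stands in for the government key pair; the choice of the top 24 bits, the 96-bit pad and the block layout are assumptions, since the paper does not specify them.

```python
import secrets

# Constructed toy RSA key standing in for the government key pair: two
# Mersenne primes give a ~150-bit modulus. Illustration only, not a real key.
P, Q = 2**61 - 1, 2**89 - 1
GOV_N, GOV_E = P * Q, 65537
GOV_D = pow(GOV_E, -1, (P - 1) * (Q - 1))  # private part, government only

KEY_BITS, ESCROWED_BITS, PAD_BITS = 64, 24, 96  # pad size is an assumption


def escrowed_part(bulk_key: int) -> int:
    """Assumed layout: the top 24 bits of the 64-bit bulk key are disclosed."""
    return bulk_key >> (KEY_BITS - ESCROWED_BITS)


def make_wrf(bulk_key: int, pad: int) -> int:
    """Sender: RSA-encrypt (pad || 24 key bits) under the government public key.

    Textbook RSA is deterministic, so the same key and pad always give the
    same Workfactor Reduction Field. That is what lets the recipient check it.
    """
    block = (pad << ESCROWED_BITS) | escrowed_part(bulk_key)
    return pow(block, GOV_E, GOV_N)


def recipient_accepts(bulk_key: int, pad: int, wrf) -> bool:
    """Recipient: cannot decrypt the WRF, so regenerate it and compare.

    The pad reaches the recipient encrypted alongside the bulk key; a missing
    or mismatching WRF means the data must not be decrypted.
    """
    if wrf is None:
        return False
    return wrf == make_wrf(bulk_key, pad)


def government_known_bits(wrf: int) -> int:
    """Holder of the private key: recover the 24 disclosed key bits."""
    block = pow(wrf, GOV_D, GOV_N)
    return block & ((1 << ESCROWED_BITS) - 1)


def demo() -> dict:
    bulk_key = secrets.randbits(KEY_BITS)
    pad = secrets.randbits(PAD_BITS)
    wrf = make_wrf(bulk_key, pad)
    return {
        "genuine": recipient_accepts(bulk_key, pad, wrf),
        "stripped": recipient_accepts(bulk_key, pad, None),
        "altered": recipient_accepts(bulk_key, pad, wrf ^ 1),
        "gov_bits_match": government_known_bits(wrf) == escrowed_part(bulk_key),
        "gov_remaining_bits": KEY_BITS - ESCROWED_BITS,  # 40-bit search left
    }


if __name__ == "__main__":
    print(demo())
```

Because the pad is part of the encrypted block, a WRF built with a different pad does not match, which is why the pad has to travel to the recipient and has to travel encrypted.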
  268.  
  269.  
  270.  
  271. Frequently Asked Questions:
  272.  
  273. Q: Does this mean that the International Edition of Lotus Notes Release 4
  274. is just as secure as the North American Edition against someone who does
  275. not know the U.S. Government's key?
  276.  
  277. A: Almost. There are factors other than the 64 and 40 bit secret keys.
  278. The International Edition is still limited to 512 bit RSA keys when they
  279. are used for data confidentiality. The North American Edition uses 630 bit
  280. RSA keys in this context. While 512 bit RSA keys are considerably more
  281. secure than 40 bit secret keys, they are not as secure as 64 bit keys, so in
  282. both cases it would be more cost effective to attack the RSA keys than to
  283. attack the secret keys. In considering the security of the International
  284. Edition, users must also assess the likelihood that an attacker might learn the
  285. government's private key either by breaking through the government's
  286. protective mechanisms or by breaking the single RSA key. If either were
  287. to happen, the International Edition would become only as secure as other
  288. 40 bit products.
  289.  
  290. Q: Does Lotus also have a copy of the private key used to reduce the
  291. workfactor from 64 to 40 bits?
  292.  
  293. A: No. The U.S. government generated the RSA key and supplied us with
  294. the public component. We never had access to the private component (which
  295. made debugging this thing a real joy!).
  296.  
  297. Q: How is this scheme different from Key Escrow?
  298.  
  299. A: While one goal may be the same - to provide exportable strong
  300. cryptography - there are differences with respect to security,
  301. functionality, and administrative convenience. It is more secure than
  302. Key Escrow in that even if third parties misbehave, there remains a
  303. substantial workfactor in breaking each individual message. It may be
  304. more or less secure than Key Escrow depending on the policies of the
  305. holder of the U.S. government key compared to the policies of possible
  306. Key Escrow agents. It is less functional than some Key Escrow proposals
  307. because it is impractical to use this facility to recover lost keys. And
  308. it is more administratively convenient than key escrow because there is no
  309. communication with third parties necessary as part of setup. Notes is
  310. secure 'out of the box'.
  311.  
  312. Q: Does this scheme address law enforcement concerns within the U.S.
  313. (i.e. should it be considered an alternative to Clipper)?
  314.  
  315. A: No. In only one way does this scheme address the Law Enforcement
  316. interests of either U.S. or foreign governments: better information
  317. security helps Law Enforcement to guard against information-related crimes.
  318. As indicated by our continuing to go to considerable expense to maintain
  319. both domestic and international editions, we continue to oppose any
  320. limits on domestic use of strong cryptography.
  321.  
  322. </whitepaper>