Some lessons relevant for today.
In a short notice published last month, the National Institute for Standards and Technology (NIST) announced it was retiring a number of Federal Information Processing Standards (FIPS) because they were obsolete. Notably, that list of retirements includes FIPS-185.
Never heard of FIPS-185? Perhaps you know it as the Escrowed Encryption Standard (EES). Its best-known implementation was a chipset known as the Clipper Chip. The Clipper Chip—and the lesser known implementation, Capstone—were developed by the U.S. National Security Agency (NSA) to be installed in communications devices, for the purpose of protecting private communications, but which also provided "back door" access to law enforcement agencies to conduct electronic surveillance, subject to court order. Naturally, this raised a lot of questions and concerns (some of which are worthy of a whole other blog post).
Ostensibly, the EES is now being withdrawn because it references a cryptographic algorithm, Skipjack, that is no longer approved for U.S. government use. But one facet especially strikes home: Whatever the reason for the proposal to withdraw the FIPS, it is a timely reminder that efforts by governments to require use of specific technologies that have not been developed in a transparent manner with broad input are not merely misguided—they are very likely to fail. Especially in areas as sensitive as that involved here.
To recall, EES was approved by the Secretary of Commerce, who has oversight of NIST, in 1994. It is a hardware-focused standard for encrypted communications that was intended to protect unclassified government and private sector communications. The significant feature of EES is its encryption key escrow method of enabling access by authorized government agencies under certain circumstances.
This was an era when the U.S. government assumed that it could shape commercial markets, an assumption that proved itself flawed almost from the day EES was announced. It was the beginning of the commercialization of the Internet; the transition of the Domain Name System had just begun. And if you wanted to surf the World Wide Web, you were probably using Mosaic. Jim Clark and Marc Andresson would found what would later become Netscape the same year.
In a paper published shortly after the Secretary’s announcing the standard, well known cryptographer and computer security expert, Matt Blaze (then with AT&T Labs) documented how from the beginning the lack of transparency and openness permeated the process and contributed to its failure.
EES includes "several unusual features that have been the subject of considerable debate and controversy," Blaze wrote. For example, the cipher algorithm, Skipjack, "is itself classified, and implementations of the cipher are available to the private sector only within tamper-resistant modules supplied by government-approved vendors." And while "Skipjack ... was reviewed by a small panel of civilian experts who were granted access to the algorithm, the cipher cannot be subjected to the degree of civilian scrutiny ordinarily given to new encryption systems."
As Blaze went on to point out in detail, it became apparently fairly quickly that "rogue applications defeat EES by making use of the cipher without the government 'back door'." Many others pointed out the distinct possibility that escrowed encryption keys could be likely obtained by unauthorized persons, and misused by overzealous government agencies. The Clipper Chip quickly gathered dust after its introduction. Skipjack was eventually declassified and published in 1998. But, by then, the lack of transparency and collaboration in its development had already had a deleterious effect, and fostered lingering suspicion.
This chapter influenced the cryptography debate for years. And when NIST announced its challenge to replace the outdated Data Encryption Standard (DES) with a new Advanced Encryption Standard (AES), it designed a process that was open, transparent, and global. The process—and result—received notable praise from the cryptographic community, including from one of the losers and one of NIST’s harshest critics in previous years, thereby increasing confidence.
Recent discussion—and misunderstandings—about encryption have been renewed, on both sides of the Atlantic. In recent weeks, a key leader in EU anti-terrorism efforts has, per media reports, called for for consideration of "rules obliging Internet and telecommunications companies operating in the EU to provide ... access of the relevant national authorities to communications (ie share encryption keys)." So now, even 20 years later, there is still a need to remind and recall the lessons of FIPS-185.
NIST is receiving comments on its list of withdrawals. You can submit a comment through March 2, 2015 (before 5pm US Eastern Time), at email@example.com.