NIST Clipper Chip
by Peter Wayner
Raymond Kammer
NIST
Dear Mr. Kammer:
I'm filing my comments on the NIST Clipper Chip. I would like the opportunity
to testify at your meeting on June 2, 3, or 4.
Thank you for taking the time to solicit public comment on the chip.
-Peter Wayner
Comments on the National Institute of Standards and Technology's
(NIST) Proposed Encryption Chip with Key Escrow.
Peter Wayner
Permission is granted to freely distribute this text.
Abstract: My comments are limited to the practical problems involving
pure hardware solutions. I feel that such systems are unwieldy,
expensive and not easily retrofitted into machines that are already in
service. More importantly, the key escrow system adds an additional
weakness that, if compromised, could render the standard obsolete. If
such a "Digital Pearl Harbor" occurred, the country would be without
secure channels until all of the hardware in the country could be
replaced, and this could easily take over a year.
Introduction
My comments are limited to the practical problems involved in
implementing a hardware-based encryption standard for the country. I
believe that specialized hardware is an unnecessarily expensive and
overly complicated approach for providing solid encryption
capabilities and these costs will deter people from adopting the
standard. More importantly, these high costs and the general
inflexibility would prevent the US from having a quick response in the
event that the key escrow system became compromised.
Although it is hard to estimate the true effect that the NIST chip
could have on the price of telephones and computers, it is possible to
make ballpark guesses. Manufacturers like Sun Microsystems and IBM
multiply the cost of a part by about 4 to determine the impact of
adding that part to the final price of the machine. This would mean
that a chip that cost $25 would add about $100 to the purchaser's cost.
This rule of thumb includes the cost of adding extra inventory,
reworking the assembly lines, re-engineering circuit boards, re-
programming system software, training support staff, re-writing
manuals and other extraneous tasks that are not directly related to
the cost of the part.
Some low-end PC manufacturers are able to use lower multiples because
they provide less support and assistance for the final customer. More
importantly, they use very standard designs with off-the-shelf
chipsets that are optimized to make cheap computers available to all.
At this time, though, the chipsets are not designed to allow for an
encryption "co-processor" and adding the chip could be more
expensive. For this reason, I feel that the chip could also add
$100 to the price of off-the-shelf PCs, an amount that is almost 10%
for many models.
The cost of adding the chip to any of the existing computers, though,
could be much more expensive. The chip would need to be mounted on an
expansion board that fits into computers. The cost for this board
would need to be about $100 to cover the costs of marketing,
packaging and stocking the product. Some computers, however, do not
have expansion slots and others have all of their expansion slots
filled up already. Computer manufacturers routinely survey users to
discover how many cards they use so the computers can be built with
the minimum necessary slots. In time, there would be enough space for
a NIST encryption chip card, but until then many users would have
trouble adding the chip to their current system.
The high cost is bound to slow the adoption of the standard because
the risk of data insecurity is nebulous and ill-formed. Will purchasers be
willing to pay extra for this security? Will American people be
willing to add the chip to their home phones to protect themselves
from eavesdroppers listening for their credit card numbers? The
problems are severe, but people often don't protect themselves until
it is too late. If the cost is significant, then many people will
certainly balk at the added cost and slow, if not stop, the development
of the standard.
A Cheaper Solution
Naturally, every new feature is going to cost something. But the fact
is that encryption does not need to cost this much money if it is
accomplished in software. It could be almost free. A student on
summer vacation can turn out a system that lives in the public domain.
There is ample evidence that people are willing to do this. PGP
(Pretty Good Privacy) is a system that Phil Zimmermann developed on his
own and gave to the world. NIST could easily pay someone to generate a
public-domain software version for general distribution if it wanted
to provide the lowest cost standard for the people.
There is already ample evidence that software solutions succeed and
hardware solutions do not. Several corporations including Cryptech and
AMD have manufactured fast DES chips for years. Yet, the chips are
rarely found in many applications. Public-domain software implementations of
DES perform much of the DES encryption done in this
country.
I think that most people would agree that a secure standard for data
encryption is necessary to the country's economic health. For this
reason, I believe that a free software implementation is the best way
to achieve this goal. Cost will not prevent people from adopting the
software.
The Telephone Problem
Perhaps the best example of the cost of converting a $25 chip into a
marketable product is the AT&T secure phone announced on the same day
as the NIST chip. It was priced at over $1000. Certainly, some of this
cost covers the extra electronics to process the voice, but the need
to mark up products to pay for the work is still evident. The price on
these phones is sure to drop as the market grows more mature, but it
should be obvious that the market won't grow substantially until the
price drops more. The Government may be able to afford these rates,
but even the average corporation cannot.
The cost of adding secure encryption to the handheld market is more
difficult to estimate. Here size, weight and power consumption are
just as important as price and an extra chip adds to each of these
problems. Cellular companies currently aim to manufacture devices at
a price point of $100/unit in wholesale costs. The NIST chip would
mark up the price by at least 25%, drop the battery life, increase the
weight and add to pocket bulge. These are not positive effects on a
product. Yet, digital cellular phones and digital cordless phones are
perhaps the most important market for a secure encryption device
because the signals travel over the airwaves.
As before, all of the work of the Clipper chip could be accomplished
in software. Many of the current digital cellular phones use
highly-integrated Digital Signal Processing computers that both
control the phone and handle the signalling chores. Adding encryption
to a phone can be done by merely instructing the programmer to add an
additional function. The cost per unit is minimal and the extra
feature does not affect the power consumption. There is no doubt that
most people would rather have a software solution.
"Digital Pearl Harbors"
The Key Escrow system allows the law enforcement agencies to access
the content of a signal when they are duly authorized. The NIST plan
requires that the key be split up and held by two separate agencies.
This is both a concession to those who fear abuse and a good safety
procedure. But we must remember Ben Franklin's admonishment that
"three can keep a secret if two are dead."
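The two-holder split described above can be made concrete. The Python below is an added illustration and is not part of Wayner's comment or of the NIST proposal; the comment does not say how the two escrowed pieces are formed or recombined, so the example assumes a simple 2-of-2 XOR split in which one component is uniformly random and the other is the key XORed with it. Under that assumption a single holder's records are statistically independent of every unit key, while a compromise of both holders reconstructs every key they jointly hold, which is the all-or-nothing property the "Digital Pearl Harbor" argument turns on. The unit identifiers, agency names and 80-bit keys are constructed sample data.

```python
import secrets
from itertools import product

# Constructed sample: three devices, each with a fixed 80-bit (10-byte) unit key.
# The sizes and identifiers are illustrative, not taken from the NIST proposal.
UNIT_KEYS = {
    "unit-001": bytes(range(10)),
    "unit-002": bytes(range(10, 20)),
    "unit-003": bytes(range(20, 30)),
}
HOLDERS = ("Agency A", "Agency B")


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split (an assumed mechanism, for illustration only).

    share_a is uniformly random, share_b = key XOR share_a. Because share_a is
    uniform and independent of the key, so is share_b: neither alone says
    anything about the key.
    """
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def recover_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine both escrowed components; XOR cancels the random component."""
    if len(share_a) != len(share_b):
        raise ValueError("escrow components must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def candidate_keys_from_one_share(share: bytes) -> set[bytes]:
    """Every key consistent with a single component.

    For an n-byte component there are 256**n candidates, one per possible
    value of the missing component, so one holder learns nothing. Only call
    this on very short shares: the enumeration is exponential in n.
    """
    n = len(share)
    return {
        bytes(s ^ m for s, m in zip(share, missing))
        for missing in product(range(256), repeat=n)
    }


def exposed_unit_keys(compromised: set[str],
                      escrow: dict[str, dict[str, bytes]]) -> dict[str, bytes]:
    """Unit keys that can be reconstructed from the leaked holders' records.

    escrow maps holder name -> {unit id: component}. With a 2-of-2 split the
    outcome is binary: if any holder is intact, nothing is exposed; if both
    leak, every unit key they jointly hold is exposed at once.
    """
    a, b = HOLDERS
    if not {a, b} <= compromised:
        return {}
    shared_units = set(escrow[a]) & set(escrow[b])
    return {u: recover_key(escrow[a][u], escrow[b][u]) for u in sorted(shared_units)}


def build_escrow(unit_keys: dict[str, bytes]) -> dict[str, dict[str, bytes]]:
    """Split each unit key and file one component with each holder."""
    escrow: dict[str, dict[str, bytes]] = {h: {} for h in HOLDERS}
    for uid, key in unit_keys.items():
        share_a, share_b = split_key(key)
        escrow[HOLDERS[0]][uid] = share_a
        escrow[HOLDERS[1]][uid] = share_b
    return escrow


def demo() -> dict[str, bytes]:
    """One holder compromised exposes nothing; both compromised exposes all."""
    escrow = build_escrow(UNIT_KEYS)
    only_one = exposed_unit_keys({HOLDERS[0]}, escrow)
    both = exposed_unit_keys(set(HOLDERS), escrow)
    print(f"one holder leaked: {len(only_one)} keys exposed")
    print(f"both holders leaked: {len(both)} keys exposed")
    return both


if __name__ == "__main__":
    demo()
```

The point the code makes is the one the comment makes: the split protects against one dishonest or breached holder, but it offers no graceful degradation past that, and recovery from a joint compromise means re-keying every device, not rotating a server-side secret.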
Does NIST have plans for replacing the chips throughout the country if
the key escrow services are compromised? Although I realize that
serious precautions will be taken to protect the keys, I hope that
NIST realizes their value. The Russians were able to obtain the
secrets of the atomic bomb and the hydrogen bomb for very little
money. There have been several high-profile spy cases involving
cryptographic information. The intelligence community recognizes the
need to keep information compartmentalized and to frequently change
codes and ciphers but there are still breaches of security. This system,
however, is barely compartmentalized.
Criminals are becoming increasingly adept with technology. One group
placed a fake Automated Teller Machine in a mall and used it to steal
account information which they later used to make fake withdrawals.
Many crimes like this will be possible in the future and I have little
doubt that the escrowed keys will have much more value than the atomic
secrets.
The cost of replacing all of the NIST chips around the country would
be prohibitive. What would happen if the FBI discovered that two
people in the different escrow agencies succumbed to bribery? Would
NIST announce a recall of all encryption chips? What would they use to
replace the chips? It could take 6 months to design and fabricate a
new chip in sufficient quantities. There are at least 250 million
phones around the country and 50 million computers. Even if each
computer and phone had a zero-insertion-force socket that made
exchanging the chips easy, the cost to the country would be over $7
billion at $25 a chip.
A software solution, on the other hand, could be changed very quickly
in the event of a compromise. Many companies that manufacture virus
software include provisions for delivering updates whenever a new
virus is discovered. The solution often travels substantially faster
than the virus itself because people are able to download the
anti-virus from bulletin boards.
The military and the intelligence community routinely change their
cipher systems because they know that mistakes can be made and leaks
can emerge in even the best system. The economic health of the country
is resting, in some part, on the success of large, broadly implemented
encryption systems. Many foreign companies pay princely sums for
American technology. They routinely pay sums that are 10 times larger
than the largest offered by the old Soviet Union. Can we be certain
that two escrow agencies are going to be any more secure than the
atomic scientists or the intelligence community?
Conclusions
The NIST system is too expensive and too unwieldy for general use.
NIST would be better advised to develop a standard implemented in
software that could be made available to all at no cost. It could be
essentially free and much less prone to dangerous interruptions of
services in case the system was compromised.