Carl Malamud: Internet Talk Radio, flame of the Internet.
This is Geek of the Week. We’re talking to Steve Crocker. He’s Vice President at Trusted Information Systems and the new member of the Internet Architecture Board with the security portfolio. Welcome to Geek of the Week, Steve.
Steve Crocker: Thank you very much. I should say that the IAB does not have those specific slots, and John Romkey, who’s been interviewed here before, and Mike Saint Johns in particular, have very strong security interests as well. So I’ll certainly try to do my part on the IAB with respect to security but I expect to have—
Malamud: But before you were kicked upstairs you were the IESG Area Director for security.
Crocker: Yes, that’s right. I was the IESG’s Area Director for security.
Malamud: I’d like to know the difference between the Clipper Chip, DSS, and RSA. So why don’t we start with the Clipper chip, and you can tell us what that is and what the other components of Clipper are.
Crocker: Ah. An interesting collection of topics. I need to back up just a little bit in order to put all of this into perspective. What you’ve named—Clipper, DSS, and RSA—are cryptography technologies. And cryptography is used for several interrelated but somewhat distinct purposes. The most obvious use of cryptography is to scramble information so that it can’t be seen by anybody except the sender and the intended receiver. Cryptography is also used for a signature process so that the person who receives a digitally signed message can be assured that it came from the person who sent it instead of from somebody else who’s forging a message.
Malamud: So you scramble a magic cookie and if you can describe it it must’ve been from you because you’re the only one who can scramble it.
Crocker: Precisely. And there’s yet another closely related but again somewhat distinct aspect, which is to make sure that the message that was received is an untampered-with or unmodified copy of what was sent. And again this involves some use of cryptography, principally involving a cryptographic checksum so that it’s impossible to modify a message and create the same cryptographic checksum, and that if the message is modified the receiver can detect it.
Now, those are three different security services, and then I need to add one more piece of complexity, what’s called symmetric versus asymmetric cryptography.
The Clipper chip is a form of symmetric cryptography. That means that the same key is shared by the sender and the receiver. And the sender uses the key to initiate the scrambling process, and the receiver uses the key—the same key—to descramble the message. And in this respect, Clipper is an alternative to the long-used Data Encryption Standard, DES, that has been around for close to twenty years and has been a federal information processing standard.
Malamud: So Clipper is, if I might oversimplify, a hardware replacement for the software DES, although DES could’ve been put in hardware.
Crocker: Yeah. Actually, the original FIPS specifications tended to avoid software implementations and insist that DES be in hardware or at least in dedicated microprocessors. But DES is widely implemented in software, as you say. Clipper is intended as a replacement for DES, and of course the thing that makes Clipper of great interest and concern is that in addition to providing the scrambling process it also has this sort of escrowed key idea. Which means that in the process of using it, the key that you use is encoded in a way that the US federal government can intercept if they want and decode that message because the keys are carried with the message, or have to be forwarded in advance, actually. And in forwarding them, they’re encoded in a way that… They’re encrypted with yet another key. And the key that they’re encrypted with is this escrowed key that is created at the time the chip is created and is stored away in a vault somewhere. And the intended operation is that under federal court order or appropriate legal safeguards surrounding that, the key that unlocks the key that the user has chosen is obtainable and usable by federal authorities, or perhaps the local law enforcement authorities—it’s not entirely clear what the procedures will be.
Malamud: So this is a symmetric key system. Basically we share a secret—you know it, I know it—and because we both have it we’re able to decode the traffic. How do we share that secret? How does Clipper let you know the secret that we want to use for this particular conversation?
Crocker: Clipper doesn’t involve… Clipper by itself doesn’t have that particular mechanism. You have to do something else. But in the process of synchronizing the two, you sort of have to make clear what key you’re using. And you do it in a way that as I say, it’s encrypted but only people who have access to the key that the Clipper chip was manufactured with. And each Clipper chip has its own distinct key but in the process of communicating that key across, the identity of the Clipper chip—of that particular chip, its serial number if you will—is disclosed. And then by looking in this vault you can compare the serial number and find the key that goes with that.
Let me move quickly to the other questions that you asked because I think it’s important to understand the other pieces. You asked about the Digital Signature Standard and you asked about RSA. These are what are called asymmetric, or more commonly public key, technologies. And public key technology has this peculiar and really exciting idea that there are a matched pair of keys. Instead of a single key being shared by both parties, there are two different and distinct keys. One is used by the sender and one is used by the receiver. And the mathematical process that’s used to create the pair of keys makes them a mated pair. And when used for encryption, the sender uses the first key and the receiver uses the second key. The sender encrypts and the receiver decrypts, but the sender cannot, and nobody else can decrypt the message because they’ve only used the encrypting key.
And so the way that’s used is if I want to send a message to you, you have a matched pair of keys and you make one half of that, you make one of those available for everybody to know. And that’s what you call your public key. And you have a matching one that you keep private and you don’t let anybody else know. Anybody who wants to send information to you so that only you can read it will use your public key. And they will encrypt the message using your public key and then send it to you. You will have the private key and you will be able to decrypt that message using your private key.
The same idea applies in reverse with a digital signature. Again, using public key technology there’s a matched pair of keys. In this case the sender has a pair of keys. He uses one that he uses privately, and he uses that to sign the message. And he makes available his public component. Everybody who wants to know whether or not that message was signed by that person gets a hold of the public component and uses it to check the signature. So there’s two uses of public key technology. And in both cases you have one party keeping one half of the information private and making the other half publicly available.
Malamud: Steve Crocker, we’ve been talking about public key, and there are several variants of public key signature standards. There’s RSA and there’s DSS. Maybe you can explain what the differences between the Digital Signature Standard and RSA.
Crocker: Right. As I’ve described, there’s two uses of public key technology. One is an encryption-oriented, and the other is signature. Now we come to a most peculiar and most interesting phenomenon.
There are multiple algorithms available for public key technology. The one that is most widely used and most popular, and far and away prevalent in the marketplace and has very nice technical properties is the RSA algorithm. RSA stands for the three inventors, Rivest, Shamir, and Adleman. And because it’s also the name of the algorithm and then there’s a company, RSA Data Security, the term RSA seems to be used for both the algorithm and the company, and sometimes even to refer to the inventors.
Malamud: And this is a set of patents as well.
Crocker: That’s right. This public key technology is patented. There are multiple patents governing different parts of public key technology and in particular there’s one for the RSA algorithm.
The interesting phenomenon related to the RSA algorithm and is not shared with some of the other algorithms is it is useful for both encryption and for digital signature. That is they are two distinct uses and this single algorithm is useful for both of those. And there’s an amazing and somewhat interesting story that then develops from that. But I’m getting ahead of myself a little bit.
The Digital Signature Standard, or the Digital Signature Algorithm, which the US government is seeking to turn into a federal standard, is another public key algorithm. And it is useful only for signatures and is not useful for encryption.
Malamud: Why is that?
Crocker: Well, I don’t want to dig down too far into the technical details of this, but the broad overview is that the process of checking the signature yields a result that says, “Yes, I know that that was signed by somebody,” but it doesn’t transfer any information. The computation results in a yes or no process and it doesn’t transfer any information.
The RSA algorithm, in contrast, transfers a certain amount of information and that information can be used either to initiate an encryption process. And it can also be used in a signature mode because you check whether or not the information that got transferred that way is equivalent to another piece of information which is inherent in the message. But the Digital Signature Algorithm has this other property where no new information other than a single yes or no computation is transferred.
Now, it turns out that encryption technology is viewed as a very sensitive subject by governments in general, by the US government in particular. It’s viewed as a critical military technology. And it is treated for export purposes the same as machine guns, and nuclear weapons, and submarine turbines and other high technology, militarily-relevant issues. It’s listed on the International Traffic in Arms Regulations list of controlled munitions. And the—
Malamud: All cryptography or certain algorithms? Are they specifically listed or can you just…is there a blanket…?
Crocker: Cryptography as a subject is listed. The specific algorithms are then subject to regulation by state departments, by the defense department, and by the commerce department in sort of an interlocking set of regulations. But the critical factor is that cryptography as a subject is first and foremost treated as a military technology, and then if the algorithms are sufficiently benign, then they are passed over to commerce for regulation as general trade issues the same as everything else is regulated—apparel and fruits and every kind of other thing. But the first test before you can export something is “are we giving away technology which would help foreign governments or foreign nationals of any sort—terrorists or others,” and cryptography is treated as a very sensitive subject.
And within the general realm of cryptography, encryption is considered to be far more sensitive and far more important to control than other uses of cryptography such as authentication and protection of integrity. So if you want to export some software or hardware that contains cryptography, and if it only contains authentication and integrity controls, then it’s far easier and the regulations make it much easier to export that, to sell that, almost without limitation.
On the other hand if it contains encryption technology, so that it scrambles data and prevents somebody from seeing the information, that’s very tightly controlled. And the short description of the rules, and with the usual caveats that I’m not a lawyer working in this area—I’m not a lawyer at all and I’m not working in this area that way. But the basic common sense of this is that if the cryptography is strong enough, and DES for example is strong enough, then you cannot get a general purpose license to ship it anywhere outside the United States and Canada. And you can get a special purpose license to ship it to subsidiaries of US multinationals and to financial institutions. But general commercial use of high-grade cryptography is prohibited outside the US and Canada. Inside the US and Canada, things are wide and open and anybody can make anything they want and sell it anywhere they want.
Now, that brings us back to the RSA story. RSA is a very elegant, and simple, and clean, and effective, and broadly-used algorithm. But because it’s useful for both encryption as well as for signatures, this has triggered a considerable amount of interest inside the US government and they are continuing to go to considerable effort to slow down the spread of encryption technology. And their strategy has been to invent and bring out a new signature algorithm with the intent of dividing the market and attempting to limit the use of RSA technology.
Malamud: So that’s DSS.
Crocker: That’s right.
Malamud: And DSS is a…does that somehow tread on the patents from RSA? Is there an interlocking patents issue here?
Crocker: Well, that’s another excellent question. DSS, because it’s a public key technology, does indeed require access to the existing patents. And in addition, not only does it require access to the basic public key technology patents, but the particular algorithm that they invented turns out to make use of the same ideas that a German inventor, Schnorr, also patented himself. And the Schnorr patent has now been acquired by Public Key Partners, which controls the other public key technology patents.
And so the US government is in this extremely awkward position of having invented an algorithm, and I think they’ve obtained a patent on it themselves. But they’ve only obtained a patent on the portion that’s new. Meanwhile it rests on patented technology by Schnorr and by the other public key technologies. And so they now have to find a way to license it. And there’s been quite an outcry.
So the US government’s caught in multiple ways on this. First of all they’re trying to invent an algorithm that serves no technical purpose except to undermine and divide the marketplace that has already got a solution to this in the form of the RSA algorithm. And second of all, they’re trying to make available as a public standard a technology that they don’t have clean and unhampered rights to.
Malamud: Let’s talk about security in the Internet, and how do you secure a general-purpose infrastructure? You’ve been involved in this area of study for a long time. Do we have an idea on how to secure the Internet now?
Crocker: Yes, not only do we have an idea, we have lots of ideas. And I should say first of all that the idea of securing the Internet is not a single, uniform, one-shot process. There’s not a single thing that you could do that [crosstalk] would bring you a high degree of—
Malamud: No just turn the key and say we’re done.
Crocker: No, there’s no turning the key. There are many aspects of securing the Internet. You know, so we’ve described there’s different aspects of security related to protecting the privacy or confidentiality of information while it’s being transmitted. And an entirely different issue of protecting the integrity to assure that something hasn’t been tampered with or if it has that you can detect it.
Malamud: So security is many layers and many different protocols.
Crocker: Multi-faceted, multiple aspects of what’s meant by security. And of course one of our biggest concerns is making sure that computers don’t get broken into on the network.
At the same time, the Internet consists of a lot of different parts. One might try to protect the transmission of information going across the network. And at the same time, one would like to make sure that the infrastructure—the routers and the transmission lines and so forth—can’t be tampered with, thereby bringing down the network. I mean, one of the most terrible things we could imagine is that somebody might penetrate enough of the network to interrupt the flow of information and bring the whole network down, irrespective of whether or not they got into any of the end systems on the network.
Malamud: Does that mean authenticating router exchanges so that one router knows that it’s really the other router it’s talking to?
Crocker: Certainly one of the most sensitive aspects is the routing information that the routers use to know how to direct one packet to move across the network to get to where it’s going. And protecting routing information is absolutely essential to that. We’ve been fortunate so far in that there have not been any intentional disruptions of routing mechanisms. There have been a number of accidental events over the past twenty years that have brought down particular networks for short periods of time.
Most of the security issues where we’ve seen any kind of intentional activity has been directed at the end systems—people breaking into specific computers around the network. And the most recent visible flurry of events has been harvesting of passwords using Ethernet-sniffing programs. And that’s caused a great deal of concern.
Malamud: Well, let’s look at that issue right there. The problem there was a network device that you would use on occasion to put your Ethernet controller into promiscuous mode so you can look at your Ethernet and see what’s going on. It’s a classic debugging tool. And what happened is people would come in from the outside, steal an account, sit there and use this tool as a way of harvesting passwords. Do we have solutions available to stop that kind of an attack?
Crocker: Yes. I think your description is right. And the other question is well, what can we do to stop this. And I think there are two things that have to be done to stop this. First of all, we’d like computers to be protected enough so that people are not breaking in and taking them over and running the sniffer program and capturing all the information that’s going by.
One of the things that’s made this particular flurry of incidents more important than in the past— And it’s probably important to emphasize that this kind of attack is not brand new, but this is sort of a worse case than we’ve seen in the past. The reason it’s been somewhat worse is that the attacks have taken place not only on local area networks within a single organization, but certain critical computers that were sitting on Ethernets in the middle of cross-country or international traffic points were broken into. And so the traffic that was accessible was originated at quite some distance away and was headed at some further remote point, and so passwords were harvested not only for locally-available machines but for machines all over the world.
Certainly strengthening the operation of that class of machines, the ones that are operated by regional networks and that are sitting in critical points in the operations, those can be strengthened very easily. That’s mainly a matter of attention and discipline and heightened awareness.
Now, that’s one aspect and I think that’s relatively straightforward. But that’s only a first step. A much more important step is a realization that sending passwords in the clear over the Internet is a dead idea. That’s just an idea whose time has passed.
Crocker: A one-time password is something that you use once and then you don’t use it again. And then the natural question is well, what do I do the next time that I have to log into a remote machine? And the answer is you have another one-time passwords. So you have a list of them, and each time you use one you cross it off.
Malamud: So you take this list and you print it out onto a piece of paper and you tack it up on the wall next to your computer?
Crocker: Well, in fact that is one of the ways to do it, and that’s a little clumsy and seems a little odd but it’s a workable system. I’ll come back to that in a second. Let me shift over to another class of things that are called challenge-response systems. It’s now moderately common to be able to use a little calculator device, and things work this way: I want to log into a remote computer. I have an account on that computer. I identify myself—I say “crocker,” and back comes not a request for my password, but a number is typed out at me. And that number is a random number that is different every single time that I try to connect. So that’s where part of the security comes from, is the fact that this number changes every single time. If somebody were watching this they would not learn anything from watching one exchange.
Malamud: Okay, so that’s the challenge. The challenge is some unique random number.
Crocker: Right. I take that random number, and I key it into this little calculator device. And in the window of this calculator device is the answer. Now, what’s happened is inside this calculator device is a secret number, [crosstalk] like a password.
Malamud: Like my RSA private key, maybe.
Crocker: No, it’s not— It doesn’t have to be as complicated as that. It’s more typically a DES key, and it just transforms the challenge into the response. And of course at the other end, the computer that I’m trying to log into—the host—it has the same secret number. And it’s done the same transformation. So then I respond with this transformed number, this response, and it checks to see if it’s what it’s expecting.
Because the challenges are different every single time, simply recording the challenge and response, if some eavesdropper were doing that, wouldn’t teach him anything. And furthermore, there isn’t any way to discover what the secret was by looking at the challenge and response pair. This is very important. One could record the challenge, one could record the response; if the transformation process were sufficiently simple, one could look at that pair and derive what the secret is, but it’s a part of the cryptography that you can’t figure out what the secret is just from looking at an input and output pair.
Malamud: It sounds like we have tools. We have public key, we have challenge-response systems. How long before the Internet becomes a safe place to live and work? Or is it a safe place to live and work now?
Crocker: Well it’s not as dangerous as one might gather from press reports, but it’s definitely not as safe as it could be. “How long” is the kind of question that is very, very tough to answer. It depends—
Malamud: Are we going to see short-term dramatic improvements in Internet security, or is this something we’re going to be waiting for years and years?
Crocker: I think your point is right, that the basic technology is in hand. It has not been as usable as it could be. It has not been folded into the products, and I must admit it has not been folded into the protocols as quickly as it should have been. In the protocol process we’ve concentrated perhaps too much on high-end protocols and much more complex things. I would like to see automatic one-time password mechanisms or challenge-response mechanisms built into telnet protocols and FTP protocols. Many of us travel with laptops; there’s no reason why those computations couldn’t be done in the laptop, transparent to the user.
User-friendliness, usability, are key issues with respect to security and it’s a very typical kind of trade-off: where security gets in the way of usability, security is usually jettisoned. That helps sales in the short run but it doesn’t improve security for the total network environment.
Malamud: But you think we have the tools that we can begin doing this.
Crocker: Yeah. I would hope that over the next twelve to eighteen months, and here it is, the tail end of March of ’94 that I’m talking so let me go on the record. Let’s see, first of April is the beginning of a new quarter. So if we roll forward eighteen months then we’re talking about first of October, 1995. It might be interesting to ask what is the state of security with respect to the kind of password attacks and related things that we’ve seen? And maybe we’ll all be sleeping better or maybe the situation won’t be any better and I will be properly chagrined about how hard this problem has been to tackle.
Malamud: Well there you have it. We’ve been talking to Steve Crocker. This has been Geek of the Week.
Malamud: This is Internet Talk Radio, flame of the Internet. You’ve been listening to Geek of the Week. You may copy this program to any medium and change the encoding, but may not alter the data or sell the contents. To purchase an audio cassette of this program, send mail to firstname.lastname@example.org. Support for Geek of the Week comes from Sun Microsystems. Sun, the network is the computer.
Support for Geek of the Week also comes from O’Reilly & Associates, publishers of The Global Network Navigator, your online hypertext magazine. For more information, send mail to email@example.com. Network connectivity for the Internet Multicasting Service is provided by MFS Datanet and by UUNET Technologies.
Executive Producer for Geek of the Week is Martin Lucas. Production Manager is James Roland. Rick Dunbar and Curtis Generous are the sysadmins. This is Carl Malamud for the Internet Multicasting Service, town crier to the global village.