Decrypting the Puzzle Palace
For the June, 1992  Electronic Frontier column
in Communications of the ACM
by
John Perry Barlow


"A little sunlight is the best disinfectant.
	--Justice Louis Brandeis
	
Over a year ago, in a condition of giddier innocence than I enjoy  
today, I wrote the following about the discovery of Cyberspace:

"Imagine discovering a continent so vast that it may have no other  
side.  Imagine a new world with more resources than all our future  
greed might exhaust, more opportunities than there will ever be  
entrepreneurs enough to exploit, and a peculiar kind of real estate  
which expands with development."  

One less felicitous feature of this terrain which I hadn't noticed  
then is what seems to be a long-encamped and immense army of  
occupation.  

This army represents interests which are difficult to define, guards  
the area against unidentified enemies, meticulously observes almost  
every activity undertaken there, and continuously prevents most who  
inhabit its domain from drawing any blinds against such observation.  

It marshals at least 40,000 troops, owns the most advanced computing  
resources in the world, and uses funds the dispersal of which does  
not fall under any democratic review.

Imagining this force won't require from you the inventive powers of a  
William Gibson.  The American Occupation Army of Cyberspace exists.   
Its name is the National Security Agency.   

It may be argued that this peculiar institution inhibits free trade,  
has directly damaged American competitiveness, and poses a threat to  
liberty anywhere people communicate with electrons.  It's principal  
function, as my EFF colleague John Gilmore puts it, is "wire-tapping  
the world," which it is free to do without a warrant from any judge.  

It is legally constrained from domestic surveillance, but precious  
few people are in a good position to watch what, how, or whom the NSA  
watches.  And those who are tend to be temperamentally sympathetic to  
its objectives and methods.  They like power, and power understands  
the importance of keeping it own secrets and learning everyone  
else's.

Whether it is meticulously ignoring every American byte or not, the  
NSA is certainly pursuing policies which will render our domestic  
affairs transparent to anyone who can afford big digital hardware.   
Such policies could have profound consequences on our liberty and  
privacy.

More to point, the role of the NSA in the area of domestic privacy  
needs to be assessed in the light of other recent federal initiatives  
which seem directly aimed at permanently denying privacy to the  
inhabitants of Cyberspace, whether foreign or American.    

Finally it seems a highly opportune time, directly following our  
disorienting victory in the Cold War, to ask if the threats from  
which the NSA purportedly protects us from are as significant as the  
hazards its activities present.  

Like most Americans I'd never given much thought to the NSA until  
recently.  (Indeed its very existence was a secret for much of my  
life.  Beltway types used to joke that NSA stood for "No Such  
Agency.")

I vaguely knew that it was another of the 12 or so shadowy federal  
spook houses which were erected shortly after the Iron Curtain with  
the purpose of stopping its further advance.  It derives entirely from  
a memorandum sent by Harry Truman on October 24, 1952 to Secretary of  
State Dean Acheson and Defense Secretary Robert Lovatt.  This memo,  
the official secrecy of which remained unpenetrated for almost 40  
years, created the NSA, placed it under the authority of the  
Secretary of Defense, and charged it with monitoring and decoding any  
signal transmission relevant to the security of the United States.  

Even after I started noticing the NSA, my natural immunity to  
paranoia combined with a general belief in the incompetence of all  
bureaucracies...especially those whose inefficiencies are unmolested  
by public scrutiny...to mute any sense of alarm.  But this was before  
I began to understand the subterranean battles raging over data  
encryption and the NSA's role in them.  Lately, I'm less sanguine.  

As I mentioned in a previous column (Private Life in Cyberspace,  
August 1991), encryption may be the only reliable method for  
conveying privacy to the inherently public domain of Cyberspace.  I  
certainly trust it more than privacy protection laws.  Relying on  
government to protect your privacy is like asking a peeping tom to  
install your window blinds.

In fact, we already have a strong-sounding federal law protecting our  
electronic privacy, the Electronic Communications Privacy Act or  
ECPA.  But this law has not particular effective in those areas were  
electronic eavesdropping is technically easy.  This is especially true  
in the area of cellular phone conversations, which, under the current  
analog transmission standard, are easily accessible to anyone from  
the FBI to you.  

The degree of law enforcement apprehension over secure cellular  
encryption provides mute evidence of how seriously they've been  
taking ECPA.  They are moving on a variety of fronts to see that  
robust electronic privacy protection systems don't become generally  
available to the public.  Indeed, the current administration may be so  
determined to achieve this end that they may be willing to paralyze  
progress in America's most promising technologies rather than yield  
on it.

Push is coming to shove in two areas of communications technology:  
digital transmission of heretofore analog signals and the encryption  
of transmitted data.  

As the communications service providers move to packet switching,  
fiber optic transmission lines, digital wireless, ISDN and other  
advanced techniques, what have been discrete channels of continuous  
electrical impulses, voices audible to anyone with alligator clips on  
the right wires, are now becoming chaotic blasts of data packets,  
readily intelligible only to the sender and receiver.  This  
development effectively forecloses traditional wire-tapping  
techniques, even as it provides new and different opportunities for  
electronic surveillance.  

It is in the latter area where the NSA knows its stuff.  A fair  
percentage of the digital signals dispatched on planet Earth must  
pass at some point through the NSA's big sieve in Fort Meade,  
Maryland, 12 underground acres of the heaviest hardware in the  
computing world.  There, unless these packets are also encrypted with  
a particularly knotty algorithm, sorting them back back into their  
original continuity is not so difficult.

Last spring, alarmed at a future in which it would have to sort  
through an endless fruit salad of encrypted bits, the FBI persuaded  
Senator Joseph Biden to include language in Senate Bill 266 which  
would have directed providers of electronic communications services  
and devices (such as digital cellular phone systems or other  
multiplexed communications channels) to implement only such  
encryption methods as would assure governmental ability to extract  
from the data stream the plaintext of any voice or data  
communications in which it took a legal interest.  It was if the  
government had responded to a technological leap in lock design by  
requiring building contractors to supply it with skeleton keys to  
every door in America.

The provision raised wide-spread concern in the computer community,  
which was better equipped to understand its implications than the  
general public, and in August of last year, the Electronic Frontier  
Foundation, in cooperation with Computer Professionals for Social  
Responsibility and other industry groups, successfully lobbied to  
have it removed from the bill.

Our celebration was restrained.  I knew we knew we hadn't seen the  
last of it.  For one thing, the movement to digital communications  
does create some serious obstacles to traditional wire-tapping  
procedures.  I fully expected that law enforcement would be back with  
new proposals, which I hoped might be ones we could support.  But what  
I didn't understand then, and am only now beginning to appreciate,  
was the extent to which this issue had already been engaged by the  
NSA in the obscure area of export controls over data encryption  
algorithms.

Encryption algorithms, despite their purely defensive  
characteristics, have been regarded by the government of this country  
as weapons of war for many years.  If they are to be employed for  
privacy (as opposed to authentication) and they are any good at all,  
their export is licensed under State Department's International  
Traffic in Arms Regulations or ITAR.   

The encryption watchdog is the NSA.  It has been enforcing a policy,  
neither debated nor even admitted to, which holds that if a device or  
program contains an encryption scheme which the NSA can't break  
fairly easily, it will not be licensed for international sale.  

Aside for marvelling at the silliness of trying to embargo  
algorithms, a practice about as practicable as restricting the export  
of wind, I didn't pay much attention to the implications of NSA  
encryption policies until February of this year.   It was then that I  
learned about the deliberations of an an obscure group of cellular  
industry representatives called the Ad Hoc Authentication Task Force,  
TR45.3 and of the influence which the NSA has apparently exercised  
over their findings.

In the stately fashion characteristic of standard-setting bodies,  
this group has been working for several years on a standard for  
digital cellular transmission, authentication, and privacy protection  
to be known by the characteristically whimsical telco moniker IS-54B.  

In February they met near Giants Stadium in East Rutherford, NJ.  At  
that meeting, they recommended, and agreed not to publish, an  
encryption scheme for American-made digital cellular systems which  
many sophisticated observers believe to be intentionally vulnerable.   
It was further thought by many observers that this "dumbing down" had  
been done in direct cooperation with the NSA.  

Given the secret nature of the new algorithm, its actual merits were  
difficult to assess.  But many cryptologists believe there is enough  
in the published portions of the standard to confirm that it isn't  
any good.

One cryptographic expert, one of two I spoke with who asked not to be  
identified lest the NSA take reprisals against his company,  said:

"The voice privacy scheme , as opposed to the authentication scheme,  
is pitifully easy to break.  It involves the generation of two "voice  
privacy masks" each 260 bits long.  They are generated as a byproduct  
of the authentication algorithm and remain fixed for the duration of  
a call.  The voice privacy masks are exclusive_ORed with each frame of  
data from the vocoder at the transmitter.  The receiver XORs the same  
mask with the incoming data frame to recover the original plaintext.   
Anyone familiar with the fundamentals of cryptanalysis can easily see  
how weak this scheme is."

And indeed, Whitfield Diffie, co-inventor of Public Key cryptography  
and arguably the dean of this obscure field, told me this about the  
fixed masks:

"Given that description of the encryption process, there is no need  
for the opponents to know how the masks were generated.  Routine  
cryptanalytic operations will quickly determine the masks and remove  
them."

Some on committee claimed that possible NSA refusal of export  
licensing had no bearing on the algorithm they chose.  But their  
decision not to publish the entire method and expose it to  
cryptanalytical abuse (not to mention ANSI certification) was  
accompanied by the following convoluted justification: 

"It is the belief of the majority of the Ad Hoc Group, based on our  
current understanding of the export requirements, that a published  
algorithm would facilitate the cracking of the algorithm to the  
extent that its fundamental purpose is defeated or compromised."   
(Italics added.)

Now this is a weird paragraph any way you parse it, but its most  
singular quality is the sudden, incongruous appearance of export  
requirements in a paragraph otherwise devoted to algorithmic  
integrity.  In fact, this paragraph is itself code, the plaintext of  
which goes something like this: "We're adopting this algorithm  
because, if we don't, the NSA will slam an export embargo on all  
domestically manufactured digital cellular phones."

Obviously, the cellular phone systems manufacturers and providers are  
not going to produce one model for overseas sale and another for  
domestic production.  Thus, a primary effect of NSA-driven efforts to  
deny some unnamed foreign enemy secure cellular communications is on  
domestic security.  The wireless channels available to private  
Americans will be cloaked in a mathematical veil so thin that, as one  
crypto-expert put it, "Any county sheriff with the right PC-based  
black box will be able to monitor your cellular conversations."   

When I heard him say that, it suddenly became clear to me that,  
whether consciously undertaken with that goal or not, the most  
important result of the NSA's encryption embargoes has been the  
future convenience of domestic law enforcement.  Thanks to NSA export  
policies, they will be assured that, as more Americans protect their  
privacy with encryption, it will be of a sort easily penetrated by  
authority.  

I find it increasingly hard to imagine this is not their real  
objective as well.  Surely, they must be aware of how ineffectual  
their efforts have been in keeping good encryption out of inimical  
military possession.  An algorithm is somewhat less easily stopped at  
the border than, say, a nuclear reactor.  As William Neukom, head of  
Microsoft Legal puts it, "The notion that you can control this  
technology is comical."

I became further persuaded that this was the case upon hearing, from  
a couple of sources, that the Russians have been using the possibly  
uncrackable (and American) RSA algorithm in their missile launch  
codes for the last ten years and that, for as little as five bucks,  
one can get a software package called Crypto II on the streets of  
Saint Petersburg which includes both RSA and DES encryption systems.

Nevertheless, the NSA has been willing to cost American business a  
lot of revenue rather than allow domestic products with strong  
encryption into the global market.  

While it's impossible to set a credible figure on what that loss  
might add up to, it's high.  Jim Bidzos, whose RSA Data Security  
licenses RSA, points to one major Swiss bid in which a hundred  
million dollar contract for financial computer terminals went to a  
European vendor after American companies were prohibited by the NSA  
from exporting a truly secure network.

The list of export software containing intentionally broken  
encryption is also long.  Lotus Notes ships in two versions.  Don't  
count on much protection from the encryption in the export version.   
Both Microsoft and Novell have been thwarted in their efforts to  
include RSA in their international networking software, despite  
frequent publication of the entire RSA algorithm in technical  
publications all over the world.

With hardware, the job has been easier.  NSA levied against the  
inclusion of a DES  chip in the AS/390 series IBM mainframes in late  
1990 despite the fact that, by this time, DES was in widespread use  
around the world, including semi-official adoption by our official  
enemy, the USSR.  

I now realize that Soviets have not been the NSA's main concern at  
any time lately.  Naively hoping that, with the collapse of the Evil  
Empire, the NSA might be out of work, I then learned that, given  
their own vigorous crypto systems and their long use of some  
embargoed products, the Russians could not have been the threat from  
whom this forbidden knowledge was to be kept.  Who has the enemy been  
then? I started to ask around.

Cited again and again as the real object of the embargoes were  
Third-World countries.  terrorists and...  criminals.  Criminals, most  
generally drug-flavored, kept coming up, and nobody seemed terribly  
concerned that some of their operations might be located in areas  
supposedly off-limits to NSA scrutiny.  

Presumably the NSA is restricted from conducting American  
surveillance by both the Foreign Intelligence Surveillance Act of  
1978 (FISA) and a series of presidential directives, beginning with  
one issued by President Ford following Richard Nixon's bold  misuse  
of the NSA, in which he explicitly directed the NSA to conduct  
widespread domestic surveillance of political dissidents and drug  
users.  

But whether or not FISA has actually limited the NSA's abilities to  
conduct domestic surveillance seemed less relevant the more I thought  
about it.  A better question to ask was, "Who is best served by the  
NSA's encryption export policies?" The answer is clear: domestic law  
enforcement.  Was this the result of some spook plot between NSA and,  
say, the Department of Justice? Not necessarily.

Certainly in the case of the digital cellular standard, cultural  
congruity between foreign intelligence, domestic law enforcement, and  
what somebody referred to as "spook wannabes on the TR45.3 committee"  
might have a lot more to do with the its eventual flavor than any  
actual whisperings along the Potomac.  

Unable to get anyone presently employed by the NSA to comment on this  
or any other matter and with little opportunity to assess the NSA's  
congeniality toward domestic law enforcement from the inside, I  
approached a couple of old hands for a highly distilled sample of  
intelligence culture.

I called Admirals Stansfield Turner and Bobby Ray Inman.  Not only had  
their Carter administration positions as, respectively, CIA and NSA  
Directors, endowed them with considerable experience in such matters,  
both are generally regarded to be somewhat more sensitive to the  
limits of democratic power than their successors.  None of whom seemed  
likely to return my calls anyway.

My phone conversations with Turner and Inman were amiable enough, but  
they didn't ease my gathering sense that the NSA takes an active  
interest in areas which are supposedly beyond its authorized field of  
scrutiny.  

Turner started out by saying he was in no position to confirm or deny  
any suspicions about direct NSA-FBI cooperation on encryption, but he  
didn't think I was being exactly irrational in raising the question.   
In fact, he genially encouraged me to investigate the matter further.

He also said that while a sub rosa arrangement between the NSA and  
the Department of Justice to compromise domestic encryption would be  
"injudicious," he could think of no law, including FISA (which he  
helped design), which would prevent it.   

Most alarmingly, this gentleman who has written eloquently on the  
hazards of surveillance in a democracy did not seem terribly  
concerned that our digital shelters are being rendered permanently  
translucent by and to the government.  

He said, "A threat could develop...terrorism, narcotics,  
whatever...where the public would be pleased that all electronic  
traffic was open to decryption.  You can't legislate something which  
forecloses the possibility of meeting that kind of emergency."  

Admiral Inman had even more enthusiasm for assertive governmental  
supervision.  Although he admitted no real knowledge of the events  
behind the new cellular encryption standard, he wasn't the least  
disturbed to hear that it might be flawed.

And, despite the fact that his responsibilities as NSA Director had  
been restricted to foreign intelligence, he seemed a lot more  
comfortable talking about threats on the home front.  

"The Department of Justice," he began, "has a very legitimate worry.   
The major weapon against white collar crime has been the  
court-ordered wiretap.  If the criminal elements go to using a high  
quality cipher, the principal defense against narcotics traffic is  
gone."  This didn't sound like a guy who, were he still head of NSA,  
would rebuff FBI attempts to get a little help from his agency.

He brushed off my concerns about the weakness of the cellular  
encryption standard.  "If all you're seeking is personal privacy, you  
can get that with a very minimal amount of encipherment."  

Well, I wondered, Privacy from whom?

And he seemed to regard real, virile encryption to be something  
rather like a Saturday Night Special.   "My answer," he said, "would  
be legislation which would make it a criminal offense to use  
encrypted communication to conceal criminal activity."

Wouldn't that render all encrypted traffic automatically suspect? I  
asked.  

"Well, he said, "you could have a registry of institutions which can  
legally use ciphers.  If you get somebody using one who isn't  
registered, then you go after him."  

You can have my encryption algorithm, I thought to myself, when you  
pry my cold dead fingers from its private key.

It wasn't a big sample, but it was enough to gain a better  
appreciation of the cultural climate of the intelligence community.   
And these guys are the liberals.  What legal efficiencies might their  
Republican successors be willing to employ to protect the American  
Way?

Without the comfortably familiar presence of the Soviets to hate and  
fear, we can expect to see a sharp increase in over-rated bogeymen  
and virtual states of emergency.  This is already well under way.  I  
think we can expect our drifting and confused hardliners to burn the  
Reichstag repeatedly until they have managed to extract from our  
induced alarm the sort of government which makes them feel safe.

This process has been under way for some time.  One sees it in the war  
on terrorism, against which pursuit "no liberty is absolute," as  
Admiral Turner put it.  This, despite the fact that, during last year  
for which I have a solid figure, 1987, only 7 Americans succumbed to  
terrorism.

You can also see it clearly under way in the War on Some Drugs.  The  
Fourth Amendment to the Constitution has largely disappeared in this  
civil war.  And among the people I spoke with, it seemed a common  
canon that drugs (by which one does not mean Jim Beam, Marlboros,  
Folger's, or Halcion) were a sufficient evil to merit the  
government's holding any more keys it felt the need for.

One individual close to the committee said that at least some of the  
afore-mentioned "spook wannabes" on the committee  were "interested  
in weak cellular encryption because they considered warrants not to  
be "practical" when it came to pursuing drug dealers and other  
criminals using cellular phones."

In a miscellaneously fearful America, where the people cry for  
shorter chains and smaller cages, such privileges as secure personal  
communications are increasingly regarded as expendable luxuries.  As