
Testimony Before the
Subcommittee on Technology, Environment, and Aviation
of the
Committee on Science, Space, and Technology
U. S. House of Representatives


May 3, 1994


Dorothy E. Denning

Computer Science Department
Georgetown University
Washington, DC 20057




Summary

The Clipper Chip and associated key escrow system is a technically sound 
approach for ensuring the security and privacy of 
electronic communications. Clipper's SKIPJACK encryption algorithm 
provides strong cryptographic security, and the key 
escrow system includes extensive safeguards to protect against 
unauthorized use of keys. The more advanced chip, Capstone, 
further provides all the cryptographic functionality needed for 
information security on the National Information Infrastructure.

Recent research suggests that the technology provides a starting point 
for developing an international cryptography framework 
that would support secure international communications while 
accommodating individual national cryptography policies. Such a 
framework would be based on standard cryptographic application 
interfaces and national cryptographic modules, and might 
support corporate key escrow. An international cryptography framework 
would allow U.S. industry, under existing export 
control policies, to develop and export software applications that meet 
the information security needs of government, industry, 
and individuals.

As we move into an era of even greater electronic communications, we can 
and must design our telecommunications 
infrastructure and encryption systems to support our needs as a nation 
not only for secure communications, individual privacy, 
and economic strength, but also for law enforcement and national 
security. If we dismiss the intercept needs for law enforcement 
and national security, society could suffer severe economic and human 
losses resulting from a diminished capability to investigate 
and prosecute organized crime and terrorism, and from a diminished 
capability for foreign intelligence. The Clipper Chip and 
Digital Telephony proposal are important steps toward meeting all of our 
national needs.


My name is Dorothy Denning and I am Professor and Chair of Computer 
Science at Georgetown University. I have been in the 
field of cryptography and information security for over twenty years. 
Before coming to Georgetown, I worked for Digital 
Equipment Corporation, SRI International, and Purdue University. I am 
author of the textbook Cryptography and Data Security 
and was the first President of the International Association for 
Cryptologic Research. During the past two years, my research has 
focused on the impact of encryption and digital telephony on law 
enforcement's ability to conduct lawful wiretaps and on 
different approaches to encryption that accommodate the needs of law 
enforcement. I am one of the outside reviewers invited by 
the government to evaluate the Clipper Chip and its key escrow system, 
and a member of the Software Escrowed Encryption 
Working Group sponsored by NIST. I am pleased to have this opportunity 
to testify before the Subcommittee on Technology, 
Environment, and Aviation.

I will begin by giving my assessment of the Clipper Chip technology and 
associated key escrow system. I will then describe 
future options. My main conclusions are that the Clipper Chip is a 
technically sound approach for ensuring the security and 
privacy of electronic communications, that the more advanced Capstone 
Chip provides all the cryptographic functionality needed 
for information security on the National Information Infrastructure, and 
that the technology provides a starting point towards 
developing an international cryptography framework.


Assessment of Clipper and Key Escrow System

The Clipper Chip is an implementation of the Escrowed Encryption 
Standard (EES), a voluntary government standard for 
encrypting sensitive but unclassified telephone communications, 
including voice, fax, and data.

The chip was designed with two main goals. The first is strong 
cryptographic protection for electronic communications. To meet 
this goal, Clipper uses the SKIPJACK encryption algorithm designed by 
the National Security Agency. The second goal is a 
mechanism that allows authorized law enforcement officials to decrypt 
Clipper encoded communications, while ensuring a high 
level of protection against unauthorized decryption. For this, Clipper 
transmits a Law Enforcement Access Field (LEAF) with all 
communications. The LEAF includes the encryption key for the 
communications, commonly called the "session key," encrypted 
under a special chip unique key. The chip unique key thereby provides 
access to the session key, which in turn provides access to 
the content of the communications. When conducting an authorized 
intercept, government officials obtain the chip unique key by 
getting two key components, which are encrypted and stored in escrow 
when the chip is manufactured, from two key escrow 
agents. These components are decrypted and combined inside a special key 
escrow decryption processor, which then decrypts the 
intercepted communications. Both SKIPJACK and the LEAF creation method 
are classified.
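The following is an added example, not code from the testimony or from the Clipper program, that models in Python the key escrow data flow described above. SKIPJACK and the LEAF creation method are classified, so the cipher is replaced here by an HMAC-SHA256 counter keystream, the two escrow components are assumed to combine by XOR, and a short integrity tag on the LEAF is assumed so that a wrong chip unique key is detectable; the chip identifier width, the function names and the message contents are constructed for the example. The run shows that both escrow components are needed to unwrap the session key from the LEAF, and also that once the chip unique key is reconstructed every call from that chip can be read, which is the property discussed later in this testimony.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 10   # 80-bit keys, the SKIPJACK key length given in the testimony
ID_BYTES = 4     # assumed width of the chip identifier carried in the LEAF
TAG_BYTES = 4    # assumed integrity tag on the LEAF (not described in the testimony)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the classified SKIPJACK: an HMAC-SHA256 counter keystream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; applying the same call again decrypts.
    return _xor(data, _keystream(key, nonce, len(data)))


def manufacture_chip():
    """Generate a chip unique key and split it into two escrow components,
    one per escrow agent. The combination rule is assumed to be XOR (the
    testimony only says 'combined'), so either component alone is uniformly
    random and reveals nothing about the chip unique key."""
    unit_key = secrets.token_bytes(KEY_BYTES)
    component_a = secrets.token_bytes(KEY_BYTES)
    component_b = _xor(unit_key, component_a)
    return unit_key, component_a, component_b


def make_leaf(chip_id: bytes, unit_key: bytes, session_key: bytes, iv: bytes) -> bytes:
    """Law Enforcement Access Field: chip identifier, session key wrapped
    under the chip unique key, and an assumed tag keyed under that key."""
    wrapped = encrypt(unit_key, iv, session_key)
    tag = hmac.new(unit_key, chip_id + wrapped, hashlib.sha256).digest()[:TAG_BYTES]
    return chip_id + wrapped + tag


def chip_encrypt_call(chip_id, unit_key, session_key, iv, plaintext):
    """What the chip transmits: the LEAF alongside traffic encrypted under
    the per-call session key."""
    return make_leaf(chip_id, unit_key, session_key, iv), encrypt(session_key, iv, plaintext)


def decryption_processor(leaf, iv, ciphertext, component_a, component_b):
    """Model of the key escrow decryption processor: combine the two agents'
    components, check the LEAF tag, unwrap the session key, decrypt the call.
    Returns None when the components do not reconstruct the chip unique key."""
    chip_id = leaf[:ID_BYTES]
    wrapped = leaf[ID_BYTES:ID_BYTES + KEY_BYTES]
    tag = leaf[ID_BYTES + KEY_BYTES:]
    unit_key = _xor(component_a, component_b)
    expected = hmac.new(unit_key, chip_id + wrapped, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(tag, expected):
        return None
    session_key = encrypt(unit_key, iv, wrapped)
    return encrypt(session_key, iv, ciphertext)


def demo():
    chip_id = b"\x00\x00\x12\x34"  # constructed chip identifier
    unit_key, comp_a, comp_b = manufacture_chip()

    # Two separate calls on the same chip, each with a fresh session key.
    calls = []
    for msg in (b"first call: meet at noon", b"second call: plan changed"):
        session_key, iv = secrets.token_bytes(KEY_BYTES), secrets.token_bytes(8)
        leaf, ct = chip_encrypt_call(chip_id, unit_key, session_key, iv, msg)
        calls.append((leaf, iv, ct))

    # With both components the chip unique key is rebuilt once and opens every call.
    with_both = [decryption_processor(leaf, iv, ct, comp_a, comp_b) for leaf, iv, ct in calls]
    # With one agent's component and a guess for the other, nothing is recovered.
    with_one = decryption_processor(*calls[0], comp_a, bytes(KEY_BYTES))
    return with_both, with_one
```

Calling demo() returns the two recovered plaintexts in the first element and None in the second. The single chip unique key reconstructed from the two components unwraps the session key of both calls, which is what makes per-device escrow operationally simple and is also the basis of the per-conversation objection discussed below.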

As one of the cryptographers invited by the government to evaluate 
Clipper, I had the opportunity to learn about NSA's design and evaluation 
of SKIPJACK, and 
to perform experiments on the algorithm to 
determine its ability to withstand particular attacks. As the result of 
this study, I concluded that SKIPJACK does not contain any 
"trapdoor" and is not vulnerable to any short-cut method of attack. The 
other four reviewers and I issued a joint report 
stating that there was no significant risk that SKIPJACK could be broken 
by any short cut method of attack. In addition, we 
observed that because SKIPJACK's 80-bit keys are 24 bits longer than 
those used by the Data Encryption Standard (DES), under 
an assumption that the cost of processing power continues to be halved 
every year and a half, it will be 36 years before the cost of 
breaking SKIPJACK by trying all possible keys is comparable to the cost 
of breaking DES today. Thus, Clipper can be expected 
to provide strong cryptographic protection for several decades.

Although publication of SKIPJACK would have the advantage of giving more 
people the opportunity to review it and, therefore, 
foster greater public trust, publication would undermine the second goal 
of Clipper. In particular, it would enable someone to 
build a hardware or software product that used SKIPJACK without 
escrowing keys, thereby taking advantage of the 
government's strong algorithm in order to make communications immune 
from lawful interception and foreign intelligence 
operations. It is for this reason also that the EES specifies a tamper-
resistant hardware implementation; there is no known way of 
reliably hiding the structure of an algorithm in software.

We also examined Clipper's classified LEAF creation method to make sure 
that chip unique keys and session keys are not 
vulnerable to exposure. We found no vulnerabilities.

Clipper's second goal of allowing authorized government access is 
implemented through a key escrow system, wherein keys are 
released upon receipt of certification of legal authority to wiretap. Of 
particular concern to users of Clipper is whether that system 
will adequately protect against unauthorized access by the government or 
anyone else.

We are currently in the process of reviewing the entire key escrow 
system, both as it is currently configured and as it will be 
configured in the final system. From what I have seen so far, I believe 
that the risk of unauthorized access will be acceptably low, 
and that any such occurrence will be detectable through auditing.

The key escrow system has been designed with extensive safeguards to 
ensure that no single individual or two individuals from 
the same organization can compromise the escrowed key components, and to 
ensure that any potential compromises are 
detectable. I would like to mention two of these safeguards here: "two 
person integrity" and auditing. Two person integrity has 
been used successfully for many years to protect top secret 
cryptographic material and other highly sensitive government 
information. It is used in the key escrow system for all operations that 
involve key escrow data. For example, it takes two people 
from each escrow agent to access that agent's escrowed key components, 
and representatives of both agents to supply law 
enforcement with the encrypted key components and information needed to 
decrypt those components.


Auditing is used extensively throughout the key escrow system. For 
example, detailed audit records are produced from the time 
the key components are generated, encrypted, and stored with the escrow 
agents through their release to law enforcement and 
ultimate deletion in the law enforcement decryption processor. Using 
these logs, it should be possible for an auditor to determine 
that a particular key released to the government was used only as 
authorized. If a key is used to decrypt communications not 
authorized to have been intercepted or used to decrypt communications 
not intercepted during the period when the authorization 
was in effect, this would be detected in the audit.

Some people have criticized Clipper's approach to key escrow for giving 
law enforcement access to the chip unique keys rather 
than the individual session keys on a per conversation basis. They are 
concerned that law enforcement will misuse the chip keys 
to decrypt traffic illegally intercepted prior to or following a court 
order. My assessment is that a key escrow system that would 
require law enforcement to go through the escrow agents for each 
individual conversation, which can be in the hundreds per day, 
not only would be excessively burdensome to the point of seriously 
jeopardizing many investigations, but also is unjustified and 
unnecessary given other legal, operational, and technical safeguards.

It is important to not make the key escrow more complicated or 
burdensome than required to make the risk of unauthorized use of 
Clipper keys acceptably low. I believe that with the current approach it 
will be extremely difficult if not impossible for anyone, 
including the government, to improperly access Clipper-encrypted 
communications, and that unauthorized use of Clipper keys 
will be detectable through auditing. Clipper will provide far greater 
protection against illegal wiretaps by the government than is 
presently available.

In addition to providing excellent protection, Clipper offers high speed 
encryption. Present chips encrypt at a rate of about 20 
Mbits per second. As technology improves, we can expect corresponding 
improvements in the speed of Clipper.

Clipper is technically sound and inexpensive. In lots of 100,000 or 
more, a fully programmed chip is expected to cost $10.00 by 
fall. Clipper's implementation in commercial products such as the AT&T 
3600 Telephone Security Device will give the 
government and public access to high quality, easy-to-use, and 
cryptographically strong encryption for telephone 
communications.

The Capstone Chip, which is an advanced version of Clipper, goes further 
and provides all the cryptographic functionality 
needed for information security within the National Information 
Infrastructure to support secure electronic commerce and other 
applications. In addition to implementing the specifications for the 
EES, Capstone implements the Digital Signature Algorithm, 
which provides a digital signature capability comparable in strength to 
the RSA digital signature system; the Secure Hash 
Algorithm, which provides integrity protection; a key exchange method; 
and various other functions. Capstone is embedded in 
the Tessera PCMCIA card, where it will be used in the government's 
Mosaic system to provide secure electronic mail for the 
Defense Messaging System.


Future Options

Recent research suggests that the government's escrowed encryption 
approach can provide a starting point for developing an 
international cryptography framework that would support secure 
international communications while accommodating individual 
national cryptography policies. Such a framework would allow the U.S. 
computer and software industry to strengthen its 
leadership in the global market under existing export control policies.

Keith Klemba and Jim Schindler of Hewlett-Packard presented such a 
framework to NIST's Computer Systems Security and 
Privacy Advisory Board (CSSPAB) in March. Their approach is to 
standardize the service elements of national cryptography 
policies, which would be encoded in smart cards called "national flag 
cards." The U.S. flag card, for example, could include a 
Clipper or Capstone Chip. With a common standard, developers of software 
products could build applications that provide 
information security by interfacing with a national cryptographic module 
that satisfies the policy requirements of the country 
where the product is used. Since the applications themselves would not 
implement cryptographic functions, they would be 
exportable, addressing the main concern of the software industry 
regarding export controls.

Steve Walker, President of Trusted Information Systems, has proposed 
that a consortium of interested parties define preliminary 
standards for Cryptographic Application Programming Interfaces (CAPIs), 
and then experimentally test them out with 
cryptographic modules implemented in PCMCIA cards. Such CAPIs could 
build on NIST's draft set of Application Layer 
Cryptographic Service Calls, the interface specifications for the 
Tessera PCMCIA card, which uses the Capstone Chip and thus 
implements key escrow, and other publicly available specifications. A 
challenge will be to do this in a way that does not promote 
the proliferation of unescrowed encryption, thereby thwarting lawful 
access by the government.

Within an international cryptography framework, it might be possible to 
add a corporate key escrow system, wherein 
organizations and individuals could escrow keys with private sector 
agents, and then obtain access to those keys without a 
warrant. One of the concerns of many potential users of encryption, 
particularly organizations, is that encrypted information 
could become inaccessible if keys are accidentally lost, intentionally 
destroyed, or held for ransom. A corporate escrow system 
could help protect an organization's information assets and protect 
against liability problems by ensuring that keys are under the 
control of those accountable for the assets. Donn Parker at SRI 
International has been advocating such an approach, and Frank 
Sudia at Bankers Trust presented to the CSSPAB a proposal for an 
international corporate key escrow system, which could use 
escrow agents in different countries. The Bankers Trust system builds on 
an alternative approach to key escrow, which was 
developed by Professor Silvio Micali at MIT and ties in with public-key 
cryptography.

A corporate escrow system might be coupled with that used by the 
government for law enforcement and national security 
purposes, as in the Bankers Trust approach, but it also could be 
separate. Although many of the mechanisms would be similar, 
the goals are different. With a separate system, the keys escrowed under 
the corporate 
escrow system might be different from those escrowed 
for law enforcement.

Another possible option is a software-based approach to encryption and 
key escrow. The NIST-sponsored Software Escrowed 
Encryption Working Group, of which I am a member, is working towards 
requirements and specifications for an international 
software-based key escrow encryption system that would meet the needs of 
businesses, governments, and individuals for secure 
domestic and international communications and the needs of national 
governments for accessing communications under their legal 
authority. A challenge here is finding a way that does not allow the 
user to readily circumvent the key escrow process. At this 
point, it is too early to tell whether we will achieve our goal.

Both a corporate key escrow system and a software-based escrow system 
are likely to be substantially more complex than the 
current Clipper/Capstone key escrow system, and may depend on the 
implementation of a public key infrastructure. Thus, they 
do not represent near-term alternatives to the Clipper approach. In 
addition to its simplicity, the Clipper system also has the 
advantage of guaranteeing key escrow without requiring any action on the 
part of users and of offering potentially greater privacy 
by escrowing keys by device rather than by user.


Conclusions

The Clipper Chip and associated key escrow system provides both strong 
communications security and lawful government 
access, while providing a very high level of protection against 
unauthorized access. Clipper offers strong encryption for 
electronic communications, while the more advanced Capstone Chip offers 
a full range of cryptographic functions to satisfy the 
requirements for secure electronic commerce and other applications on 
the NII.

As we move into an era of even greater electronic communications, we can 
and must design our telecommunications 
infrastructure and encryption systems to support our needs as a nation 
for secure communications, individual privacy, economic 
strength, effective law enforcement, and national security. The Clipper 
Chip is an important step towards meeting all our national 
needs, and the government should continue to move forward with the 
program.

The government needs an encryption standard to succeed DES. If in lieu 
of Clipper, the government were to adopt and promote a 
standard that provides strong encryption without government access, 
society could suffer severe economic and human losses 
resulting from a diminished capability of law enforcement to investigate 
and prosecute organized crime and terrorism, and from a 
diminished capability for foreign intelligence. Critics argue that 
unescrowed encryption will proliferate through the private sector 
anyway, undermining the government's efforts. Indeed, this is possible 
since some proponents of cryptography either actively 
oppose government wiretaps or dismiss law enforcement and national 
security needs as unessential. Nevertheless, the 
government rightly concluded that it would be irresponsible to promote a 
standard that foils law enforcement when technology is at 
hand to accommodate law enforcement needs without 
jeopardizing security and privacy. Moreover, through the 
Administration's commitment to Clipper or some other form of key 
escrow, escrowed encryption may dominate in the market, mitigating the 
impact of unescrowed encryption on law enforcement. 
Several researchers and industry leaders recognize the value of 
providing both secure communications and authorized government 
access, so escrowed encryption may gain in popularity, particularly as a 
framework for international cryptography evolves.

Clipper is also a good testbed for trying out key escrow. If key escrow 
encryption is successful, it might form the basis for a 
broader-based, more complex key escrow system, possibly managed by the 
private sector, which would allow individual and 
organizational access as well as access by the government. Such a system 
might support international key escrow and a variety of 
encryption standards and national policies. If the key escrow system for 
some reason fails to provide acceptable protection against 
unauthorized use of keys, then the escrowed keys can always be 
destroyed, leaving behind strong cryptographic protection. By 
contrast, it would be extremely difficult to go the other way and 
implement key escrow after some other form of strong 
encryption has come into widespread use.

Assuming efforts to develop an international key escrow framework prove 
successful, such a framework could support secure 
international communications while accommodating individual national 
policies governing cryptography. An international 
framework likely would be based on standard cryptographic application 
interfaces and national cryptographic modules, and could 
support Clipper and Capstone technology along with other forms of 
escrowed encryption. This approach would allow U.S. 
industry, under existing export control policies, to strengthen its 
leadership in the global market by developing and exporting 
software applications that meet the information security needs of 
government, industry, and individuals.

Just as encryption has threatened the government's ability to access 
communications intercepted under its legal authority, 
advances in telecommunications technology are already undermining the 
government's ability to intercept those communications 
in the first place and to obtain call setup information. While Clipper 
addresses the former problem, the proposed Digital 
Telephony legislation addresses the latter. Both are needed in order to 
ensure that as technology provides greater communications 
security, law enforcement agencies continue to have the tools they need 
to investigate major crimes and acts of terrorism.
