History of the First Crypto War

As we're all gearing up to fight the Second Crypto War over governments' demands to be able to back-door any cryptographic system, it pays for us to remember the history of the First Crypto War. The Open Technology Institute has written the story of those years in the mid-1990s.

The act that truly launched the Crypto Wars was the White House's introduction of the "Clipper Chip" in 1993. The Clipper Chip was a state-of-the-art microchip developed by government engineers which could be inserted into consumer hardware telephones, providing the public with strong cryptographic tools without sacrificing the ability of law enforcement and intelligence agencies to access unencrypted versions of those communications. The technology relied on a system of "key escrow," in which a copy of each chip's unique encryption key would be stored by the government. Although White House officials mobilized both political and technical allies in support of the proposal, it faced immediate backlash from technical experts, privacy advocates, and industry leaders, who were concerned about the security and economic impact of the technology in addition to obvious civil liberties concerns. As the battle wore on throughout 1993 and into 1994, leaders from across the political spectrum joined the fray, supported by a broad coalition that opposed the Clipper Chip. When computer scientist Matt Blaze discovered a flaw in the system in May 1994, it proved to be the final death blow: the Clipper Chip was dead.

Nonetheless, the idea that the government could find a palatable way to access the keys to encrypted communications lived on throughout the 1990s. Many policymakers held onto hopes that it was possible to securely implement what they called "software key escrow" to preserve access to phone calls, emails, and other communications and storage applications. Under key escrow schemes, a government-certified third party would keep a "key" to every device. But the government's shift in tactics ultimately proved unsuccessful; the privacy, security, and economic concerns continued to outweigh any potential benefits. By 1997, there was an overwhelming amount of evidence against moving ahead with any key escrow schemes.

The Second Crypto War is going to be harder and nastier, and I am less optimistic that strong cryptography will win in the short term.

Posted on June 22, 2015 at 1:35 PM • 30 Comments


Bob RobertsonJune 22, 2015 2:00 PM

While certainly not on the front lines through the first CryptoWar, I might be considered a foot soldier. PGP, RSA email signature, pestering my congresscrawlers (who were and are mindless slugs on the issue), and so on.

I would have thought by now that the Snowden documents and NSA activities had demonstrated that the actual _content_ of the messages, phone calls, etc., is so much less valuable than the "metadata". Metadata that still exists even with strong encryption.

The control freaks want control. They don't have everything, so they demand those few things that remain as if everything depended upon them. Their budgets are effectively unlimited, while those of us who actually care about privacy and security are spread thin and trying to earn a living the hard way.

How can anyone continue to advocate back-door keys with a straight face, when their own systems are vulnerable? I cannot imagine that there aren't some moles working at the NSA just waiting for a reason to bolt with the keys to the kingdom for a high enough price.

Snowden did what he did out of a sense of justice. He could have just as easily, or even easier, done it for profit. Those back-door keys, if mandated, are going to be a target of opportunity the likes of which the world has never seen before.

82de478ea93bdd87June 22, 2015 2:06 PM

To me the first crypto war was more about encryption export controls and deliberately weakening cryptography than the Clipper chip itself, being this small chip just an example of weakened encryption device. We are paying yet the consequences of this crypto war (e.g. by the recent removal of server-gated cryptography from LibreSSL on june 18th, 2015).

Ross SniderJune 22, 2015 2:18 PM

The Clipper Chip became the TPM ("Trusted Platform Module"). Apple's "Secure Enclave" only allows ~15 bits of security to be provided by the user - the rest are bits that the manufacturer keeps for themselves and by law would be required to disclose.

We have the equivalent of the Clipper Chip in all of our devices today. It looked like we won the first crypto war, but the Snowden disclosures are a sobering reminder that we truly lost.

The second crypto war will be no different. If the public supports it with enough force we will win some rhetoric. But intelligence agencies are NOT going to stand for communications they are not able to intercept.

Bryan ManskeJune 22, 2015 2:24 PM

Please remember to include Phil Zimmermann's story from that era. It was an important saga and we should commemorate it, lest we forget.

Assuming that we can tackle the technical crypto problems surrounding non-deterministic routing, rapid mathematical digression and forced rapid evolution of the keying material - the question really becomes: "Can we muster the international political will to choose to live in a world of light rather than darkness?"

Most politicians aren't very bright when it comes to technical matters. Education needs to be the front line of the Info Wars right now. And education, in all its forms, is impermanent. This will be a life-long fight for many of us.

Thank you for bringing it to the forefront for the moment.

Not really anonymousJune 22, 2015 2:53 PM

This goes back further than the 90s. George Davida tried to fight to be able to publish an encryption system in the late 70s.

mptrJune 22, 2015 3:01 PM

We losy that one by now.
-hardware is compromised
-software is compromised
-MY phone protect content not my private
- and so and so...

rgaffJune 22, 2015 3:07 PM

@Ross Snider

You can spin all kinds of things as wins and losses... but it will be 1000 times worse if we just give up and let them have their global dictatorship without a fight.... So... fight on soldier, don't give up.

Snarki, child of LokiJune 22, 2015 3:30 PM

Okay, all you snooping a*holes, here's all my keys; they don't fit in a blog
post, so I wrote you a little Perl script to generate them:

for ($j=0; $j < (1<<8192); $j++) {
print "key $j\n";

There, satisfied now?

Nick PJune 22, 2015 5:33 PM

@ Bruce

On the *Third* Crypto Wars

This is a lot of good data. I'll have to edit my old essay on the subject: might have jumped the gun a bit. Yet, our intense discussion about export here did reveal that the best security technologies (esp EAL6/7 systems) were still export-controlled to an unknown extent. TEMPEST is also still classified and restricted. Most of these products they approved for export were unshielded with implementations certified for non-hostile environments... connected to the Internet. That people widely deployed such products trusting their security is both an epic win for us (i.e. benefits of crypto) and opponents (i.e. low assurance = high SIGINT). They later used all the weaknesses against us in an all-out assault on IT and INFOSEC across the board.

The dissenters are right: the Second Crypto War already happened, it happened in secret, we lost it, and our whistleblowers (esp Snowden) let us know. I think we should own that in our discussions by straight up saying it. The NSA, post-9/11, launched a covert war on all domestic communications providers, domestic software/hardware producers, and foreign software/hardware producers. They used some type of legal (Patriot Act, CALEA) and physical (FBI SWAT) threats on domestic providers along with bribes to get submission. They bribes and ISA/CIA-supported espionage on foreign firms. They also used political and economic pressure on other nations (esp NATO) going way back to establish SIGINT partnerships. The whole of this gave NSA and its partners essentially dominance of the Internet. And they did this more stealthily with less insider leaks than the Cold War. The battle was initiated, fought, and won largely in secret.

Our stance on the Third Crypto War reflects this. We're largely talking as a reaction to stuff that's already happened. They already SIGINT-enabled all kinds of stuff. They already weakened a bunch of crypto. They already inserted, kept, or bought 0-days in critical systems. We're arguing to roll back all of these advances they made to bypass most security. On top of that, we're countering with legal and technical protections. So, this is either Round 2 of a clandestine war they've been winning or the first round of an entirely new war.

I think it's a new war. Everyone was speculating before. They were focusing on the wrong things too much because they were uninformed. Now, people know reality and they're seeing what we've discussed on your blog for years: the whole stack, from hardware up and side to side (middleware/protocols), must be protected, replaced, or eliminated entirely in private activities. Further, that we know the enemies' legal and digital successes informs our approach to doing battle with them. That we've seen the consequences of their poor OPSEC and damage to our exports makes the problems even more real in future debates.

Yet, we're not going to win the Third Crypto Wars unless we admit the Second Crypto Wars already happened, we lost without knowing it, and that we're striking back at its winner from a severely disadvantaged position. The vigilance and dedication the Third War will take can only come from keeping a realistic view of our dire situation.

End with some humor: "I don't know with what tools the Third Crypto Wars will be fought, but the Fourth Crypto Wars may be fought with pencils, short-wave radios, and homebrew CPU's." ;)

KeithJune 22, 2015 5:34 PM

Now they have moved their objective towards backdooring CPUs and firmware.

All recent INTEL processors include one or more backdoors hidden under various names, including "identity protection", "smart connect", "antitheft technology", "AMT/ME" and so on.

Not to mention "modern" firmware connecting to the internet to download "updates".

David HendersonJune 22, 2015 6:07 PM

Dont forget Phil Karn, the instigator of a lawsuit resulting in a ruling that it was legal to export Schneier's "Applied Cryptography" even though the floppy containing source code within the book was classified as a munition.

Marvelous twisting of the rules!!

AndrewJune 22, 2015 6:32 PM

I very much agree with you, we are only in transition to a more aggressive and harder to detect surveillance as the focus moves to hardware.
We are still discussing about encryption software while they are a step ahead and focus on compromising hardware and getting the raw data.

65535June 22, 2015 6:50 PM

So, now we have a new “crypto war” under Obama. What? I thought Obama was going to stop the spying not increase it! I am sorry I ever helped that guy get into office!

As for the first crypto war against Phil Zimmermann it was started by Clinton [as was CALEA]. I don’t like this trend. These guys were supposed to be on our side – not the opposite!

rgaffJune 22, 2015 8:26 PM


"I am sorry I ever helped that guy get into office!"

Except for internet trolls, I've never seen anyone who voted for him who feels differently than you.... And this is not just technical people, but people in all walks of life.

KenJune 22, 2015 8:44 PM

@Nick P, true, NSA's sneak attack puts them one-up on the world. For now. But from now on global forces in industrial and consumer markets are ending the days of USG central planning that let NSA poke vital common infrastructure full of holes.


Corrupting or silencing everyone on earth is hard. Going forward NSA sabotage is going to be exposed and quickly countered, and eventually criminalized like any other form of sabotage.

Nick PJune 22, 2015 9:07 PM

@ Ken

The irony is that your two links are both designs of one to few companies with plenty of NSA subversion potential.

SasparillaJune 22, 2015 9:20 PM

Great link Bruce.

Seems to me like we may have already lost the 2nd war...seems likely the U.S. Intelligence Apparatus has backdoored (either via partnership or by active sabotage) nearly every product they can that's connected to the web.

New article on new Snowden docs below:


Another example of the sabotage route:


And these were years ago. If I was the NSA, I'd plan on having a couple of years or so to backdoor every compiler and firmware image out there before things start to really go dark online.

SasparillaJune 22, 2015 9:28 PM

@ Nick P

Thanks for your first post - so well said.

(sorry for the double folks - just had to call out Nick for such a great post)

ThothJune 22, 2015 10:43 PM

@Bruce Schneier, all
I think we had brought up on this topic of Crypto Wars many times on your blog. We have gone from being positive about the Crypto Wars winning to being rather pessimistic at times (more frequently these days after Snowden).

Some have pointed that Crypto War 1 did not end and was running quietly under cover in forms of key escrow and blackbox security chips although it seemed on the surface the UKUSA Warhawk Administrations seem to relax export controls and openly hold some AES competition and SHA3 competition with all the distractive and positive noises (not that I am being ungrateful to the progress in the AES and SHA3 competition and the crypto advancements it brought).

I think the Warhawk World Governments have realized that keeping cryptographic algorithms under tight lips and active export controls are useless due to the widespread use of the Internet as a communication medium and also people printing clothings and books with algorithms and squeezing cryptographic protocols and implementation codes onto Twitter tweets (TweetSalt library).

They seem to have figured out that by manipulating critical components for secure usage of algorithms, they would stand a better chance at ensuring the NOBUS attitude and they being the King of their perceived Mountains and Realms.

Blackbox chips are the largest offenders and @Nick P did mention on the use of EAL 6/7 implementations (again we need a firm Root of Trust that is simply an illusion in most cases).

Knowledge on high assurance security instead of just outright implementation of innocent cryptographic algorithms are in the exclusive domains of the Governments although the recent blooming of higher (although not high enough) assurance of security have taken roots in the academic and commercial researches but the outright lack of usable implementations choices are really daunting.

Recent news of US Navy and other Warhawk Govts hording cyberweapons and USA's influence of the Wassenaar Agreement to regulate "offensive" programs and codes under weapons export controls isn't looking all too good.

Backdoors, frontdoors and some sort of escrow techniques to prevent proper secure usage of security hardwares or normal hardwares are looking grim.

As usual, endpoints are wholly insecure despite the propagation and easier availability of security processors and modules because a secure module does not equate to complete system security as the usage and validation needs to be correct and secure too.

Taking the whole picture of the current environment, we minute hand to the 12 o'clock of cyber nastiness moves yet a couple of steps closer as Govts around the World are actively preventing privacy and security in favour of subservient population controls.

tyrJune 22, 2015 11:50 PM

@ Nick P

I've also noticed the first mention of copyright law
to apply to the widespread subversion done by the
IC. Supposedly the contents of your email are to
be protected by copyright law. This also applies
to the whole Intellectual Property realm. I hate
to use that word because it only exists in your
head (if at all) but they seem to have shot off
their foot in the rush to make everything into a
form of goods. I'd like to see a class action lawsuit
against Bluffdale storage facility for violating
copyright laws. In theory no one is above the law
and that applies to governments and their people.

They might have to move their storage site into
China to avoid their own draconian actions.

I also noticed that the only result of NATOs
rush to the east has been Russia making more
nukes. Escalation and brinkmanship are a fools
methods of warfare. NSA has too much money too
many dubious partners (GCHQ,BND) and way too high
of a profile coupled with zero evidence that
they are doing their job. The whole dirty business
has been continual failures since the National
Security Act was passed in 1947. Its like the
VietNam war headline, we had to destroy the
village in order to save it. Now its we must
destroy the world to make it safe for the IC

65535June 23, 2015 12:54 AM

@ rgaff

I am still not happy with the guy. He stabbed us in the back. He has the power to reverse this mess with a stroke of his Presidential pen [or his powerful political position]. But, I am not holding my breath.

Nick PJune 23, 2015 8:30 AM

@ tyr

It's an interesting idea. It might even get somewhere in court. However, there's a ton of law (or secret interpretations) saying they can do collection. Then there's this one set of laws saying they can't. Whenever there's contradictions, they usually win in court or at least there's no penalty.

Regarding IC community, good points. They do seem to be accomplishing nothing except pissing off everyone. Many companies are moving data already to dodge them. Maybe we need to see Wall St move a ton of their money to a new country that doesn't track financial metadata or something. Then we might see some policy changes.

CuriousJune 23, 2015 10:40 AM

I am a mere gamer, but I think I would much rather have a kind of modular OS with sovereign control over the hardware and the software (and how it works), than living with some feudal system where one would have to rely on corporations to not be evil and ultimately being bossed around by them.

Ross SniderJune 23, 2015 12:58 PM


Agreed that the loss in one war doesn't mean not to learn important lessons and try in another. :)

albertJune 23, 2015 4:20 PM

@Nick P,
@ tyr,
Compared to revising the 4th Amendment, it's easy to get US copyright law amended. It's been changed several times (and gotten more draconian). Certainly less harmful than allowing patents on math and software:)
It would be an interesting case, though.

name.withheld.for.obvious.reasonsJune 24, 2015 3:54 AM

As I see it, the first crypto-war CW-1, began with a model proposed by government to manage systems designed to provide for secure data management. A hardware-based clipper chip was championed as a sound method to provide cryptographic processing AND management (i.e. key escrow and management). It does make sense to "encapsulate" the management of secrets (key-based) and the processing of data convolved using these secrets. What will always be problematic is the SHARING of these secrets (keys). If the OPM hack is instructive, it is that secrets are not secrets if they are shared (or accessible remotely).

Now, if Comey suggests that a TLA can manage what is essentially "compromised" security "devices" one only has to respond with "I see that your neighbor reported you have large groups of people gather at your house late at night--at least that's what's on the SF-86 form."

CW-2 is as problematic as ever, there is no single form of cryptographic processing and management that MUST allow for others access and claims that fidelity can be maintained. I think of the bitcoin authenticity model, there are other distributed key management systems, that a collection of independent nodes contain only a piece of the cryptographic keymat puzzle. If this model is inverted, as is the suggested methodology, it quickly breaks down from a risk analysis perspective.

For any secure system, the number of entities in possession of keys is a first order risk multiplier. A Trust No One methodology (TNO) irrespective of the programmatic model (that is complete) is more secure then a system where trust includes more than one entity.

Clive RobinsonJune 24, 2015 7:33 AM

@ name.withheld...,

The "Trust No One" principle has it's own issues as once observed "three can keep a secret if one kills the other two". But keeping secrets to yourself and likewise communicating only to yourself is not an efective or profitable use of information in most cases, which can also be shown as a retrograde effect on society.

There are solutions to this problem with "dishonest" people, by effectivly having more dirt on them than they can get on you, they won't talk. Even the most honest of people in most --but not all-- cases can be controled via believable threats against their loved ones. It is by such methods that tyrants rule. However most of us would not wish to live in such feudalistic serfdom.

Which brings me around to why trying to control cryptography will not work for tyrants or bureaucrats except with authoritarian followers. The crypto genie is out of the bottle, or for those wishing to suppress it, the horse has bolted and Pandora has opened the box, as far as crypto is concerned it has escaped beyond the tyrants and bureaucrats recovery and thus control.

Which unfortunatly leaves the tyrants and bureaucrats with few options, most of wish are detrimental not just to individuals but society as well. As far as we can tell tyranny like the empires it builds always ends up with the same fate, the yoke gets thrown off by the citizens. The only question is how much violence and destruction will be involved. This is a point that is lost on those toothless vipers like Hayden, their demise is so close that they neither see nor care what the inevitable is as they will not see it happen for them.

We can safely assume that society will not give up cryptography, it has progressed to the point that it can not survive in it's current form without it, because the sort of trade we now engage in would cease and bring down the economy like a house of cards. Thus those who pay the piper will call the tune as they do with tax legislation, it's this realisation which is responsible for all this "golden key" or "front door" nonsense from the likes of the FBI. They know without doubt it's a nonsensical idea, but one the politicos will stupidly fall for and vote for. However the legislation will have a sting in the tail, where the authorities can not get at the plain text, irrespective of why or who might or might not be to blaim, the accused will have no rights, just the option of "comply or die" in purgatory by jail and asset stripping. We have seen the start of this with the UK's RIPA which whilst currently barely used, will with the likes of moronic politicos like David Cameron move to the fore, both for the "justice is seen to be done" vote winning propaganda and for the income asset stripping will bring in.

The real winners will of course be those "to important to fail" who currently ensure the corporations they work for pay no tax and are beyond justice of any form as long as they "bless" those we vote for with scraps from the table.

Uenal MutluJuly 10, 2015 2:53 AM

Relax people! They cannot forbid or water down encrypting, because otherwise the system would collapse due to the insecurity then. The society needs a working security based on encryption, best example is https. Otherwise the collapse of this corrupt and rotten western system we are living in is inevitable.

I'm working on crypto, and I know that there are some crypto methods nobody can break, not even with any of the fantasized quantum-computers.

So, the US govt and its criminal organgs (NSA, CIA etc.) are doomed to lose this final war against the people! Believe me! They better should apologize to the people before it's too late for them!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.