1981 US Document on Encryption Policy

This was newly released under FOIA at my request: Victor C. Williams, Jr., Donn B. Parker, and Charles C. Wood, "Impacts of Federal Policy Options for Nonmilitary Cryptography," NTIA-CR-81-10, National Telecommunications and Information Administration, U.S. Department of Commerce, June 1981. It argues that cryptography is an important enabling technology. At this point, it's only of historical value.

Posted on March 23, 2016 at 6:20 AM • 14 Comments

Comments

Vesselin Bontchev • March 23, 2016 7:18 AM

@JG4 Oh, yes, that same John McAfee who admitted lying on TV in order to get more attention? What a trustworthy source they've got there!

Sunshine • March 23, 2016 7:25 AM

John McAfee the most recognized cyber security personality on the planet, lying fits the bill with our presidential candidates though...

Z • March 23, 2016 7:57 AM

Considering how bad the 90s were for civilian crypto, it was only of historical value even back then

iBelieve • March 23, 2016 8:19 AM

Is this the same John McAfee who, in an interview with RT, said it was a 30 minute job to tear the iPhone apart (hardware engineer), copy the phone data, and using a disassembler (software engineer), figure out the passcode and "POOF!" you've got the unencrypted data? You mean THAT John McAfee???

Clive Robinson • March 23, 2016 8:23 AM

@ Bruce,

    At this point, it's only of historical value.

That rather depends on how you view history.

Some regard history as the "immaterial past" and thus ignore it.

Others who tend to be a little more successful in life, regard history as providing valuable lessons for present use to try to limit future misfortunes.

The result is several truisms, not least of which is,

    Those who do not learn from history are oft condemned to relive it.

Thus it might be wise to view the document in its historical setting and see why things went the way they did and see if we can avoid the mistakes, or form them into lessons for others to learn from.

Simon • March 23, 2016 9:14 AM

All points as valid as they ever were.

New Threats Introduced By Use of Encryption

Selection of a computer security control may involve the introduction of new threats. When encryption is used, these threats may be introduced:

o Loss of cryptographic keys - this may result in loss of data and backup and recovery problems (if current keys or even cryptographic facilities are not provided by backup systems).

o Theft of cryptographic keys - the thief might be able to ransom the key because data in storage are inaccessible without a certain cryptographic key.

o Malfunction of cryptographic devices, such that encryption or decryption is done using an algorithm or key other than the proper algorithm or key - this may result in lost data, especially if a communication goes in one direction only.

o Failure of cryptographic devices - this does not necessarily result in lost data, but may hamper operations and expose data to other threats, such as wiretapping.

o Erroneous generation of keys - this situation does not affect the computer system security or operations unless the key generated is one of the very unusual "weak keys."

o Failure to load new keys at proper times - this lessens system security, and may disrupt operations if other parts of the system have loaded keys on schedule, but otherwise has no noticeable effect.

o Cryptographic devices may have undocumented characteristics - e.g., the cryptographic key could be obtained as output if a stream of zeros was provided as input.

Slow News Day • March 23, 2016 9:29 AM

Understand why you're really under surveillance - enforcing conformity ('you will be assimilated'):

http://jmq.sagepub.com/content/early/2016/02/25/1077699016630255.full

This study provided an important first look at how perceptions of surveillance may contribute to an online spiral of silence. The absence of a significant direct relationship between perceived surveillance and speaking out in general implies the effect is more nuanced than a blanket silencing that some (e.g., Brown, 2014; Hampton et al., 2014) have suggested. Instead, it attenuates the relationship between the opinion climate and voicing opinions except among a small number of participants who believe surveillance is not justified. Those who firmly believe that the government’s monitoring programs are unacceptable decide whether to share their views entirely independently of both perceived surveillance and the opinion climate. In other words, this group of individuals was not affected by the surveillance prime. Although not directly measured, the individuals who comprise this group may very well be members of the avant-garde who are highly educated and vocal about their views regardless of circumstances, and individuals who are so turned off by surveillance that they are unwilling to ever share political beliefs online.

...

For the remainder—and majority—of participants, being primed of government surveillance significantly reduced the likelihood of speaking out in hostile opinion climates. These findings introduce important theoretical and normative consequences. Theoretically, it adds a new layer of chilling effects to the spiral of silence. This is the first study to provide empirical evidence that the government’s online surveillance programs may threaten the disclosure of minority views and contribute to the reinforcement of majority opinion. Noelle-Neumann (1974) and the scholars who have followed her have relied on an individual’s fear of social isolation as the underlying mechanism to explain silencing effects. But the results from this study suggest there may be an additional mechanism that contributes to this process: one’s fear of isolation from authority or government. Fear of isolation, as traditionally measured, taps an individual’s concern of being alienated from other members of society, but does not address fear of alienation or prosecution from the government. Csikszentmihalyi (1991) argues that social isolation is a minimal concern compared to material sanctions that government is capable of enacting, like losing one’s job or instigating legal consequences.

Vesselin Bontchev • March 23, 2016 1:37 PM

@Who - yeah, that same clown.

@Sunshine - LOL, LOL, LOL. McAfee is no "security expert". The only thing he is an expert of is self-advertising by making bombastic unverifiable claims. I've known him personally since the late 80s. People keep saying that "McAfee's anti-virus is crap" - but they usually have no idea. The CURRENT "McAfee anti-virus" has absolutely nothing to do with John McAfee, besides the name. It is based on Dr. Solomon's Anti-Virus Toolkit, which McAfee's company bought a long time ago (but after John McAfee was kicked out of the company already, I believe). Before that, McAfee had an original anti-virus, made by John McAfee. Boy, *THAT* thing was absolute, utter crap, made by someone who didn't have the slightest clue about viruses and computer security in general. Dr. Solomon's product was top-notch. McAfee's was crap. If you don't like the current quality of McAfee Anti-virus, boy would you have hated the original product!

As an example of how "bright" John McAfee is/was when it comes to computer security, the integrity of his original product was "ensured" by two 16-bit CRCs listed in the documentation. I kid you not.

Anyway. Now I know who the entity that will be trying to unlock that iPhone is, too. It is Cellebrite. But, unlike John McAfee, I would cite reasonably believable sources:

http://mobile.reuters.com/article/idUSKCN0WP17J

Tatütata • March 24, 2016 4:26 PM

I had no idea who John McAfee was until this thread.

Now it seems entirely logical to me that his name is used to designate some collateral "security" crapware that Adobe tries to foist upon me each and every time there is a new panic with Flash. (I can't bring myself to uninstall Flash even though it has been disabled for years.)

Tatütata • March 24, 2016 4:38 PM

Regarding the report, isn't Congress exempt from FOIA?

The Federal Information Manual, Gidiere, ABA, 2006, p. 145:

5.4 ACCESS TO CONGRESSIONAL AND COURT RECORDS VIA THE COMMON LAW RIGHT OF ACCESS

The judicial and legislative branches are not subject to the disclosure requirements of the FOIA.

Generally, the federal courts and Congress make available to the general public only the information that they choose to. There are some limits to this discretion, however. Courts have recognized that the common law right of access may provide a member of the public with a mechanism for gaining access to judicial or legislative records in some situations. [...]

About 10-15 years ago I got a copy of a similar report on transportation policy from Congress from the same era.

It went very swiftly and unbureaucratically.

I simply made a polite general inquiry without mentioning any statute whatsoever, asking where I could find a copy of a certain document, fully expecting to be redirected elsewhere. Just a couple of weeks later I got about 100+ pages in the post.

I find the contrast between the quality of congressional research and the everyday mudslinging of the lawmakers who are supposed to be its recipients both amazing and disheartening.
