textfiles/programming/CRYPTOGRAPHY/nsapaper.txt

The NSA Papers
------------------------------------------------------------------------------


  The following is the written response to my request for an interview with
the NSA. To the best of my knowledge, and according to their claims, it
is the government's first complete answer to the many questions and allegations
that have been made in regards to the matter of cryptography.
   I would like to invite reaction from any qualified readers who care to
address any of the issues raised herein. Please mail to edtjda@chron.com
(713) 220-6845.



   NATIONAL SECURITY AGENCY
   CENTRAL SECURITY SERVICE
   Serial: Q43-11-92 9


10 June 1992
Mr. Joe Abernathy
Houston Chronicle 
P.O. Box 4260
Houston, TX 77210


 Dear Mr. Abernathy:

	
   Thank you for your inquiry of 3 June 1992 on the 

subject of cryptography. Attached please find answers 

to the questions that you provided our Agency. If 

any further assistance is needed, please feel free 

to contact me or Mr. Jerry Volker of my staff on (xxx)

xxx-xxxx.
	
   
   Sincerely,

	
   MICHAEL S.CONN
	
   Chief
   Information Policy

ENCL:
	

   1. Has the NSA ever imposed or attempted to impose 
a weakness on any cryptographic code to see if it 
can thus be broken?
	
   One of NSA's missions is to provide the means for 
protecting U.S. government and military communications 
and information systems related to national security. 
In fulfilling this mission we design cryptologic codes 
based on an exhaustive evaluation process to ensure 
to the maximum extent possible that information systems 
security products that we endorse are free from any 
weaknesses. Were we to intentionally impose weaknesses 
on cryptologic codes for use by the U.S. government, 
we would not be fulfilling our mission to provide 
the means to protect sensitive U.S. government and 
military communications and our professional integrity 
would be at risk.

   2. Has the NSA ever imposed or attempted 
to impose a weakness on the DES or DSS?
	
   Regarding the Data Encryption Standard (DES), we 
believe that the public record from the Senate Committee 
for Intelligence's investigation in 1978 into NSA's 
role in the development of the DES is responsive to 
your question. That committee report indicated that 
NSA did not tamper with the design of the algorithm 
in any way and that the security afforded by the 
DES was more than adequate for at least a 5-10 year 
time span for the unclassified data for which it was 
intended. In short, NSA did not impose or attempt 
to impose any weakness on the DES.
	
   Regarding the draft Digital Signature Standard 
(DSS), NSA never imposed any weakness or attempted 
to impose any weakness on the DSS.

    3. Is the NSA aware of any weaknesses in the
DES or the DSS? The RSA?
	
   We are unaware of any weaknesses in the DES or 
the DSS when properly iplemented and used for the 
purposes for which they both are designed. We do not 
comment on nongovernment systems.
	
   Regarding the alleged trapdoor in the DSS. We 
find the term trapdoor somewhat misleading since 
it implies that the messages sent by the DSS are encrypted
and with access via a trapdoor one could somehow decrypt 
(read) the message without the sender's knowledge. 
The DSS does not encrypt any data. The real issue 
is whether the DSS is susceptible to someone forging 
a signature and therefore discrediting the entire 
system. We state categorically that the chances of 
anyone - including NSA - forging a signature with 
the DSS when it is properly used and implemented is 
infinitesimally small.
	
   Furthermore, the alleged trapdoor vulnerability 
is true for ANY public key-based authentication system, 
including RSA. To imply somehow that this only affects 
the DSS (a popular argument in the press) is totally 
misleading. The issue is one of implementation and 
how one goes about selecting prime numbers. We call 
your attention to a recent EUROCRYPT conference which 
had a panel discussion on the issue of trapdoors in 
the DSS. Included on the panel was one of the Bellcore 
researchers who initially raised the trapdoor allegation, 
and our understanding is that the panel - including 
the person from Bellcore - concluded that the alleged 
trapdoor was not an issue for the DSS. Furthermore, 
the general consensus appeared to be that the trapdoor 
isue was trivial and had been overblown in the press. 
However, to try to respond to the trapdoor allegation, 
at NIST's request, we have designed a prime generation 
process which will ensure that one can avoid selection 
of the relatively few weak primes which could lead 
to weakness in using the DSS. Aditionally, NIST intends 
to allow for larger modulus sizes up to 1024 which 
effectively negates the need to even use the prime 
generation process to avoid weak primes. An additional 
very important point that is often overlooked is that 
with the DSS the primes are PUBLIC and therefore can 
be subject to public examination. Not all public key 
systems provide for this same type of examination.
	
   The integrity of any information security system 
requires attention to proper implementation. With 
the myriad of vulnerabilities possible given the differences 
among users, NSA has traditionally insisted on centralized 
trusted centers as a way to minimize risk to the system. 
While we have designed technical modifications to 
the DSS to meet NIST's requests for a more decentralized 
approach, we still would emphasize that portion of 
the Federal Register notice for the DSS which states: 
While it is the intent of this standard to specify 
general security requirements for generating digital 
signatures, conformance to this standard does not assure 
that a particular implementation is secure. The responsibe 
authority in each agency or department shall assure 
that an overall implementation provides an accetable 
level of security. NIST will be working with government 
users to ensure appropriate implementations.
	
   Finally, we have read all the arguments purporting 
insecurities with the DSS, and we remain unconvinced 
of their validity. The DSS has been subjected to intense 
evaluation within NSA which led to its being endorsed 
by our Director of Information Systems Security for 
use in signing unclassified data processed in certain 
intelligence systems and even for signing classified 
data in selected systems. We believe that this approval 
speaks to the lack of any credible attack on the 
integrity provided by the DSS given proper use and 
implementation. Based on the technical and security 
requirements of the U.S. government for digital signatures, 
we believe the DSS is the best choice. In fact, the 
DSS is being used in a pilot project for the Defense 
Message System to assure the authenticity of electronic 
messages of vital command and control information. 
This initial demonstration includes participation from 
the Joint Chiefs of Staff, the military services, 
and Defense Agencies and is being done in cooperation 
with NIST.

      4. Has the NSA ever taken advantage of 
any weaknesses in the DES or the DSS?
	
   We are unaware of any weaknesses in the DSS or 
in the DES when properly implemented and used for the 
purposes for which they both are designed.

 5. Did the NSA play a role in designing the DSS? Why, in the 
NSA's analysis, was it seen as desirable to create 
the DSS when the apparently more robust RSA already 
stood as a de facto standard?
	
   Under the Computer Security Act of 1987, NIST is 
to draw upon computer systems technical security guidelines 
of NSA where appropriate and to coordinate closely 
with other agencies, including NSA, to assure:
	
   a. maximum use of all existing and planned programs, 
materials, and reports relating to computer systems 
security and privacy, in order to avoid unnecessary 
and costly duplication of effort; and
	
   b. that standards developed by NIST are consistent 
and compatible with standards and procedures developed 
for the protection of classified systems.
	
   Consistent with that law and based on a subsequent 
Memorandum of Understanding (MOU) between NSA and NIST, 
NSA's role is to be responsive to NIST's requests 
for assistance in developing, evaluating, or researching 
cryptographic algorithms and techniques. (See note 
at end). In 19??, NIST requested that NSA evaluate 
candidate algorithms proposed by NIST for a digital 
signature standard and that NSA provide new algorithms 
when existing algorithms did not meet U.S. government 
requirements. In the two-year process of developing 
a digital signature for U.S. government use, NIST 
and NSA examined various publicly-known algorithms 
and their variants, including RSA. A number of techniques 
were deemed to provide appropriate protection for 
Federal systems. The one selected by NIST as the draft 
Digital Signature Standard was determined to be the 
most suitable for reasons that were set forth in the 
Federal Register announcement. One such reason was 
to avoid issuance of a DSS that would result in users 
outside the government having to pay royalties. Even 
though the DSS is targeted for government use, eliminating 
potential barriers for commercial applications is 
useful to achieve economies of scale. Additionally, 
there are features of the DSS which make it more attractive 
for federal systems that need to have a digital signature 
capability for large numbers of users. Chief mong 
them are the number of trusted operation points and 
system management overhead that are minimized with 
the NIST proposed technique.

 6. What national interests are served by limiting the
power of cyptographic schemes used by the public?
	
   We call your attention to the House Judiciary committee 
hearing of 29 April 1992. The Director of the FBI 
expressed his concerns that law enforcement interests 
in meeting responsibilities given to them by Congress 
could be affected unless they had access to communications, 
as was given to them by statute in 1968 (court monitored, 
court sponsored, court reviewed and subject to Congressional 
oversight).
	
   The National Security Agency has no role in limiting 
the power of cryptographic schemes used by the public 
within the U.S. We have always been in favor of the 
use of information security technologies by U.S. businesses 
to protect their proprietry information, and when 
we had an information security role with private industry 
(prior to the Computer Security Act of 1987), we actively 
advocated use of such technologies.

    7. What national interests are served by limiting the
export of cryptographic technology?
	
   Cryptographic technology is deemed vital to national 
security interests. This includes economic, military, 
and foreign policy interests.
	
   We do not agree with the implications from the 
House Judiciary Committee hearing of 7 May 1992 and 
recent news articles that allege that U.S. export 
laws prevent U.S. firms' manufacture and use of top 
encryption equipment. We are unaware of any case where 
a U.S. firm has been prevented from manufacturing 
and using encryption equipment within this country 
or for use by the U.S. firm or ts subsidiaries in 
locations ouside the U.S. because of U.S. export restrictions. 
In fact, NSA has always supported the use of encryption 
by U.S. businesses operating domestically and overseas 
to protect sensitive information.
	
   For export to foreign countries, NSA as a component 
of the Department of Defense (along with the Department 
of State and the Department of Commerce) reviews export 
licenses for information security technologies controlled 
by the Export Administration Regulations or the international 
Traffic in Arms Regulations. Similar export control 
systems are in effect in all the Coordinating Committee 
for Multilateral Export Controls (CoCom) countries 
as well as many non-CoCom countries as these technologies 
are universally considered as sensitive. Such technologies 
are not banned from export and are reviewed on a case-by-case 
basis. As part of the export review process, licenses 
may be required for these systems and are reviewed 
to determine the effect such export could have on 
national security interests - including economic, 
military, and political security interests. Export 
licenses are approved or denied based upon the type 
of equipment involved, the proposed end-se and the 
end-user.
	
   Our analysis indicates that the U.S. leads the 
world in the manufacture and export of information 
security technologies. Of those cryptologic products 
referred to NSA by the Department of State for export 
licenses, we consistently approve over 90%. Export 
licenses for information security products under the 
jurisdiction of the Department of Commerce are processed 
and approved without referral to NSA or DoD. This includes 
products using such techniques as the DSS and RSA 
which provide authentication and access control to 
computers or networks. In fact, in the past NSA has 
played a major role in successfully advocating the 
relaxation of export controls on RSA and related technologies 
for authentication purposes. Such techniques are extremely 
valuable against the hacker problem and unauthorized 
use of resources.

      8. What national interests are at 
risk, if any, if secure cryptography is widely available?
	
   Secure cryptography widely available outside the 
United States clearly has an impact on national security 
interests including economic, military, and political.
	
   Secure cryptography within the United States may 
impact law enforcement interests.

    9. What does the NSA see as its legitimate interests in
the area of cryptography?  Public cryptography?
	
   Cearly one of our interests is to protect U.S. 
government and military communications and information systems 
related to national security. As part of that mission, 
we stay abreast of activities in public cryptography. 

   10. How did NSA enter into negotiations with the Software 
Publishers Association regarding the export of products 
utilizing cryptographic techniques? How was this group 
chosen, and to what purpose? What statute or elected 
representative authorized the NSA to engage in the 
discussions?
	
   The Software Publishers Association (SPA) went 
to the National Security Advisor to the President 
to seek help from the Administration to bring predictability, 
clarity, and speed to the process for exporting mass 
market software with encryption. The National Security 
Advisor directed NSA to work wth the mass market software 
representatives on their request.

 ii. What is the status of these negotiations?
	
   These negotiations are ongoing.

 12. What is the 
status of export controls on products uing cryptographic 
techniques? How would you respond to those who point 
to the fact that the expot of RSA from the U.S. is 
controlled, but that its import into the U.S. is not?
	
   To the best of our knowledge, most countries who 
manufacture cryptographic products regulate the export 
of such products from their countries by procedures 
similar to those existing within the U.S. Some even 
control the import into their countries. The U.S. 
complies with the guidelines established by CoCom 
for these products.
	
   Regarding the export of RSA from the U.S., we are 
unaware of any restrictions that have been placed 
on the export of RSA for authentication purposes. 

13. What issues would you like to discuss that I have 
not addressed?
	
   None.

 14. What question or questions would you 
like to pose of your critics?
	
   None.

 NOTE: To clarify misunderstandings regarding 
this Memorandum of Understanding (MOU); this MOU does 
not provide NSA any veto power over NIST proposals. 
As was discussed publicly in 1989, the MOU provides 
that if there is an issue that can not be resolved 
between the two agencies, then such an issue may be 
referred to the President for resolution. Enclosed 
please find a copy of subject MOU which has been made 
freely available in the past by both NSA and NIST 
to all requestors. At the House Judiciary Committee 
hearings on 7 May 1992, the Director of NIST responded 
that he had never referred an issue to the White House 
since his assumption of Directorship in 1990.
	
   MEMORANDUM OF UNDERSTANDING
	
   BETWEEN
	
   THE DIRECTOR OF THE NATIONAL INSTITUTE OF STANDARDS 
AND TECHNOLOGY
	
   AND
	
   THE DIRECTOR OF THE NATIONAL SECURITY AGENCY
	
   CONCERNING
	
   THE IMPLEMENTATION OF PUBLIC LAW 100-235 Recognizing 
that:
	
   A. Under Section 2 of the Computer Security Act 
of 1987 (Public Law 100-235), (the Act), the National 
Institute of Standards and Technology (NIST) has the 
responsibility within the Federal Government for:.
	
   1. Developing technical, management, physical, 
and administrative standards and guidelines for the 
cost-effective security ad privacy of sensitive information 
in Federal computer systems as def ined in the Act; 
and,
	
   2. Drawing on the computer system technical security 
guidelines of the National Security Agency (NSA) in 
tis regard where appropriate.
	
   B. Under Section 3 of the Act, the NIST is to coordinate 
closely with other agencies and offices, including 
the NSA, to assure:
	
   1. Maximum use of all existn and planned programs, 
materials, studies, and reports relating to computer 
systems security and pivacy, in order to avoid unnecessary 
and costly duplication of effort; and, - 2. To the 
maximum extent feasible, that standards developed 
by the NIST under the Act are consistent and compatible 
with standards and procedures developed for the protection 
of classified information in Federal computr systems.
	
   C. Under the Act, the Secretary of Commerce has 
the responsibility, which he has delegated to the 
Director of NIST, for appointing the members of the 
Computer System Security and Privacy Advisory Board, 
at least one of whom shall be from the NSA. Therefore, 
in furtherance of the puroses of this MOU, the Director 
of the NIST and the Director oE the NSA hereby agree 
as follows:
	
   The NIST will:
	
   1. Appoint to the Computer Security and Privacy 
Advisory Board at least one representative nominated by 
the Director of the NSA.
	
   2. Draw upon computer system technical security 
guidelines developed -by the NSA to the extent that the NIST 
determines that such guidelines are consistent with the requirements 
tor protecting sensitive information in -Fedeal computer 
systems.
	
   3. Recognize the NSA-certified rating of evaluated 
trusted systems uder te Trusted Computer Security Evaluation 
Criteria Program without requiring additional evaluto.
	
   4. Develop telecommunications security standards 
for protecting sensitive unclassife omputer data, drawing 
upon the expertise and products of the National Security 
Agency, to the ratest extent possible, in meeting 
these responsibilities in a timely and cost effective manner
	
   5. Avoid duplication where possible in entering 
into mutually agreeable arrangements with th NSA for 
the NSA support.
	
   6. Request the NSA's assistance on all matters 
related to cryptographic algorithms and cryptographic techniques 
including but not limited to research, development valuation, 
or endorsement. . - I
	
   II. The NSA will:
	
   1. Provide the NIST with technical guidelines in 
trusted technology, telecommunications secrity, and personal 
-identification that may be used in cost-effective 
systems for protecting sensitive computer data.
	
   2. Conduct or initiate research and development 
programs in trusted technology, telecommunications security, 
cryptographic techniques and personal identification methods.
	
   3. Be responsive to the NIST's requests for assistance 
in respect to all matters related to cryptographic 
algorithms and cryptographic techniques including but not limited 
to research, development, evaluation, or endorsement.
	
   4. Establish the standards and endorse products 
for application to secure systems covered in 10 USC 
Section 2315 (the  Warner Amendment).
		
   5 Upon request by Federal agencies5 their contractors 
and other goernment-sponsored entities, conduct assessments 
of the hostile intelligence threat to federal infomation 
systems, and provide technical assistance and recommend endorsed 
products for application to secure systems against that threat.
	
   iii. The NIST and the NSA shall:
	
   1. Jointly rview agency plans for the securityand 
-privacy of computer systems submitted to NIST and NSA pursuant 
to section 6(b) of the Act.'
	
   2. Exchange technical standards and guidelines 
as necessary to achieve the purposes of the Act.
	
   3. Work together to achieve the purposes of this 
mmorandumwith the greatest efficiency possible, avoidigg 
unnecessary duplication of effort.
	
   4. Maintain an ongoing, open dialogue to ensure 
that each organization remains abreast of emerging technologids 
and issues effecting automated information system security 
in computer-based systms.
	
   5. Establish a Technical Working Group to review 
and analyze issues of mutual interes pertinent to protection 
of systems that process sensitive or other unclassified-information. 
The Group shall be composed of six federal employees, three 
each selepted by NIST and NSA and tobe augmented as necessary by 
representatives of other agencies. Issues may be referred to the 
groupby either  the NSA Deputy Director for Information Security 
or the NIST Deputy Director or may be gnerated -and addressed 
by the group upon approval by the NSA DDI or NIST Deputy Director. 
Within days of the referral of an issue to the Group by 
either the NSA Deputy Director for InformationSecurity or the 
NIST Deputy .Director, the Group will respondwith 
a progress report and pan for further analysis, if any.
	
   6. Exchange work plans on an annual basis on all 
research and development projects pertinent to protection 
of systems that process sensitive or other unclassified information, 
including trusted technology, technology for protecting the 
integrity and availability of data, telecommunications security 
and personal identification methods. Project updates will be 
exchanged quarterly, and project reviews will be provided 
by either party upon request of he other party.
	
   7. Ensure the Technical Working Group reviews prior 
to public disclosure all matters regarding technical_systems 
security techniques to be developed for use in protecting 
snsitive information in federal computer systems to ensure 
they are consistdnt with the national security of-the 
United States. If NIST and NSA are unable to resolve 
such an issue within 60 days, either _ agency may elect 
to raise the issue to the Secretary of Defense and 
the Secretary of Commerce. It is recognized that such 
an issue may be referred to the President through 
the NSC for resolution. No action shall be taken on 
such an issue until it isresolved.
	
   8. Specify additional operational agreements in 
annexes to this MOU as they. are agreed to by NSA 
and NIST.
	
   IV. Either party may elect to terminate this MOU 
upon six months written ntice. This MO& is effective 
upon approval of both signatories.
	
   RAYMOND G. KAMMER W. 0. STUDEMAN
	
   Acting Director Vice Admiral, U.S. Navy National 
Institut of Director Standards and Technology National 
Security Agency