Sobel: The Controversy Over the Digital Signature Standard

       Governmental Restrictions on the Development and 
         Dissemination of Cryptographic Technologies: 
     The Controversy Over the Digital Signature Standard
 
                          David L. Sobel* 
 
 
	On August 30, 1991, the National Institute of Standards and 
Technology ("NIST") published a notice in the Federal Register 
proposing a federal digital signature standard ("DSS").  The NIST 
proposal, and details of the standard setting process that 
recently have come to light, raise substantial questions 
concerning the future of U.S. information policy in general and 
cryptographic technology in particular.
 
The Impact of Government Encryption Standards
 
	The DSS provides a means of authenticating the integrity of 
electronically transmitted data and the identity of the sender.  
According to NIST, the standard is "applicable to all federal 
departments and agencies for the protection of unclassified 
information," and is "intended for use in electronic mail, 
electronic funds transfer, electronic data interchange, software 
distribution, data storage, and other applications which require 
data integrity assurance and data origin authentication."1  
 
	With governmental and commercial transactions increasingly 
dependent upon the reliability and integrity of such 
telecommunications applications, authentication techniques are 
indispensable.  As NIST's Associate Director for Computer 
Security, Lynn McNulty, has said, digital signature technology 
"will be an important part of re-engineering the business 
practices that we've used for so many years in government and 
other parts of society.  ...  The signature will be absolutely 
critical in certain areas where, because of statute or practice, 
we currently require a written signature on paper."2   
 
	While use of the proposed DSS would be mandatory only for 
federal agencies, its adoption by the government would have a 
substantial impact on the private sector.  Vendors will need to 
offer products for the government that meet the federal standard 
and are thus likely to design all of their products to conform to 
its requirements.3  Thus, the Data Encryption Standard ("DES"), 
which was adopted by NIST's predecessor, the National Bureau of 
Standards, as a government standard in 1977, was quickly adopted 
by the American National Standards Institute and became the 
worldwide industry standard.
 
"National Security" Interests
 
	In its Federal Register notice, NIST stated that it had 
selected the DSS after evaluating several alternatives and that 
the agency had "followed the mandate contained in section 2 of the 
Computer Security Act of 1987 that NIST develop standards and 
guidelines to ' ... assure the cost-effective security and privacy 
of sensitive information in Federal systems.'"4   
 
	The reference to the Computer Security Act was significant 
because, in enacting the statute, Congress sought to vest civilian 
computer security authority in NIST and to limit the role of the 
National Security Agency ("NSA").5  When Congress enacted the 
legislation, it expressed particular concern that NSA, a military 
intelligence agency, would improperly limit public access to 
information in a manner incompatible with civilian standard 
setting.6  The House Report notes that NSA's 
 
     natural tendency to restrict and even deny access to
     information that it deems important would disqualify that
     agency from being put in charge of the protection of non-
     national security information in the view of many officials
     in the civilian agencies and the private sector.  
 
	NSA's reputation for secrecy is well-known and well-deserved.  
In the years following the Second World War, the making and 
breaking of secret codes became increasingly important to the U.S. 
national security establishment.7  The National Security Agency, 
based at Fort George C. Meade, Maryland, was created by order of 
President Truman in 1952 and tasked with primary responsibility 
for communications intelligence (COMINT) -- intercepting and 
deciphering the secret communications of foreign governments.  By 
some accounts, NSA is capable of acquiring and automatically 
scanning most, if not all, of the electronic messages that enter, 
leave or transit the United States.8  The agency itself refuses to 
confirm or deny published information concerning its capabilities. 
 
	In the 40 years since its creation, NSA has enjoyed a virtual 
monopoly in the area of cryptographic technology within the United 
States.  Believing its mission requires that such technology be 
closely held, the agency has actively sought to maintain its 
monopoly and to suppress the private, non-governmental development 
and dissemination of cryptography.  The motivation behind NSA's 
efforts to suppress cryptographic know-how is obvious -- as the 
ability to securely encrypt information becomes more widespread, 
the agency's collection work becomes more difficult and time-
consuming.  
 
	NSA's efforts to maintain its monopoly have extended into the 
area of export and trade policy.  The export of software products 
containing cryptographic features is governed by the International 
Traffic in Arms Regulations ("ITAR"), administered by the Office 
of Defense Trade Controls at the Department of State.9  In 
addition to software products specifically designed for military 
purposes, the ITAR "Munitions List" includes a wide range of 
commercial software containing encryption capabilities.10  Under 
the export licensing scheme, the NSA reviews license applications 
for "information security technologies" covered by ITAR.11  
 
	While the agency denies the charges, industry representatives 
claim that NSA-imposed restrictions are stifling innovation in an 
area that is increasingly important to the computer industry.  
They further contend that the controls on the export of encryption 
technology are forcing U.S. companies to lose markets to foreign 
competitors.  As economics writer Robert Kuttner has noted,
 
     [r]estricting the ability of domestic manufacturers    to
     commercialize and export new technologies no longer assures
     that advanced technologies will stay out of unfriendly hands:
     it only diverts the business to Japanese or European
     manufacturers who don't share America's view of technological
     security.
 
	This has the most far-reaching implications for American 
competitiveness, because it is precisely the most militarily 
sensitive technologies -- super-computers, semiconductor 
architecture and fabrication, fiber-optics, advanced machine 
tools, cryptography -- that are also key to the competitiveness of 
America's commercial industry.12
 
	Considerations of "national security" can also play a role in 
the patent system and inhibit the technological innovation that 
system is intended to foster.  The Invention Secrecy Act, a 
little-known provision enacted in 1952 (the year of NSA's birth), 
authorizes the Commissioner of Patents and Trademarks to withhold 
a patent and order that an invention be kept secret "for such 
period as the national interest requires."  Violation of a patent 
secrecy order is punishable by two years' imprisonment and a 
$10,000 fine.13  As a Justice Department representative told a 
congressional subcommittee in 1980, "[w]hat the Invention Secrecy 
Act says in effect is that there are some inventions that are too 
dangerous to be disclosed in the way that a patent normally 
discloses the invention ...."14
 
	The number of secrecy orders issued under the Invention 
Secrecy Act remained relatively constant from 1952 until 1979.  
Since then, the number of active secrecy orders has increased: a 
total of 4,685 orders were in effect in 1986 compared with 3,513 
in 1979.15  While information concerning the substance of patent 
secrecy orders is obviously difficult to obtain, cryptographic 
technology clearly has been the subject of many such orders issued 
at the insistence of NSA.16  These restrictions in effect exempt 
cryptography from the underlying purpose of the patent system: to 
"stimulate ideas and the eventual development of further 
significant advances in the art."17  NSA's objective has been to 
suppress, rather than stimulate, advances in civilian 
cryptography.
 
NSA Involvement in the Development of Security Standards
 
	As noted, Congress was cognizant of NSA's propensity toward 
extreme secrecy when it passed the Computer Security Act and 
sought to remove the impediments to technological innovation in 
the civilian sector.  Congress specifically intended to "greatly 
restrict" the influence of the military intelligence agencies 
"while at the same time providing a statutory mandate for a strong 
security program headed up by [NIST], a civilian agency."18  The 
House Report on the legislation noted that NSA's involvement in 
the development of civilian computer standards
 
     could have a chilling effect on the vigorous research and
     development that is on-going in the academic community and
     our domestic computer industry.  This industry has been one
     of the most viable segments of our economy.  Its rapid
     technological advances have been due in large part to being
     free to openly exchange ideas without government
     interference.  NSA's inherent tendency to classify everything
     at its highest level is bound to conflict with this broader
     goal.
 
	The development of the digital signature standard is, to a 
large extent, the first real test of the Computer Security Act.  
Unfortunately, information that has recently come to light 
suggests that the barrier Congress sought to erect between the 
civilian and military agencies can easily be breached.  
 
	The Federal Register notice announcing the proposed DSS last 
August made no explicit reference to NSA and clearly implied that 
NIST had developed the standard.  In an effort to analyze the 
federal standard setting process, Computer Professionals for 
Social Responsibility ("CPSR") submitted a Freedom of Information 
Act request to NIST for records related to DSS.  In response to 
the request, the agency initially asserted that
 
     all of the materials related to the evaluation of technology
     in choosing a digital signature standard for computer
     security are documents that are advisory and predecisional in
     nature, and are therefore exempt from disclosure under
     [FOIA].  In addition, some of the materials pertain to
     pending patent applications and are withheld under [FOIA]
     ... [and] are also protected under the provisions of [patent
     law].19
 
	After CPSR filed suit in federal court to compel disclosure 
of the DSS materials, NIST acknowledged for the first time that 
the bulk of relevant documents in its possession in fact 
originated with NSA -- 142 pages of material were created by NIST 
while 1,138 pages were created by NSA.20  For reasons not 
explained by the agency, NIST dropped its FOIA exemption claims 
and released 140 pages of its own material and referred the 
remaining documents to NSA for processing.
 
	In response to news media scrutiny, NSA has now also 
acknowledged the leading role it played in developing the proposed 
DSS.  In a letter to MacWeek magazine, NSA's Chief of Information 
Policy acknowledged that the agency "evaluated and provided 
candidate algorithms including the one ultimately selected by 
NIST."21  While NSA steadfastly insists that its role in 
developing the digital signature standard is consistent with the 
letter of the Computer Security Act, the fact that the agency 
actually "provided" the DSS algorithm to NIST raises questions as 
to whether the spirit of the legislation has been followed.
 
	At least one authoritative observer does not believe it has.  
Rep. Jack Brooks, who was a driving force behind the Computer 
Security Act while serving as Chairman of the House Government 
Operations Committee (and who now serves as Chairman of the 
Judiciary Committee), recently held hearings on DSS.  He noted 
that
 
     [u]nder the Computer Security Act of 1987, the Department of
     Commerce [through NIST] has primary responsibility for
     establishing computer security standards including those
     dealing with cryptography.  However, many in industry are
     concerned that in spite  of the Act, the NSA continues to
     control the Commerce Department's work in this area.  For
     example, Commerce (at the urging of the National Security
     Agency) has proposed  a "digital signature standard" (DSS)
     that has been severely criticized by the computer and
     telecommunications industry.22
 
	The criticism of DSS alluded to by Rep. Brooks goes to the 
heart of the matter -- whether NSA's involvement in the standard 
setting process has resulted in the adoption of a flawed standard.  
Comments submitted to NIST by industry and academic cryptography 
experts were overwhelmingly critical of the proposed DSS.  The 
vast majority of these experts expressed the view that the 
proposed standard is inferior to the established and widely used 
RSA public-key technology, which many have characterized as the de 
facto international standard.23    
 
	Professor Martin Hellman of Stanford University, the co-
inventor of public-key cryptography, wrote that he was "deeply 
concerned by faults in the technical specifications of the 
proposed DSS and by its development process."  He noted that
 
     NIST has lost considerable credibility with the non-military
     cryptographic research community and, unless the revision
     process of DSS is carried out in a much more rapid and open
     fashion, NIST is likely to become totally ineffective in the
     setting of cryptographic standards.24 
 
	NIST documents released to CPSR under the Freedom of 
Information Act suggest that the agency's own experts recognized 
the superiority of the existing RSA technology and its status as 
an emerging de facto authentication standard.  An internal NIST 
evaluation of existing technology conducted in late 1989 noted 
that the RSA technique is "widely known and widely used" and is "a 
most versatile public-key cryptosystem."25  Indeed, IEEE Spectrum 
magazine recently reported that the RSA technique 
 
     had been readied by NIST as the [federal] standard for
     several months and was dropped in December 1989 with no
     alternative in sight.  Not until early spring of 1991 did NSA
     present the algorithm of choice to NIST.  Even on background,
     sources declined to detail reasons behind the decision,
     although one mentioned that legitimate national security
     factors had come into play.26
 
	The questions surrounding DSS -- both technical and 
procedural -- are so significant that even NIST's Computer System 
Security and Privacy Advisory Board has expressed reservations 
about the proposed standard.  The Board has called for a "national 
level public review" of cryptography policy and has deferred 
approval of the proposed DSS "pending progress on the national 
review."27  The Undersecretary of Commerce for Technology, Dr. 
Robert M. White, agreed with the Board's recommendation and called 
upon NIST to organize public workshops on cryptography issues.
 
	This review of national cryptography policy comes at a 
critical time.  In the Cold War atmosphere that prevailed for 45 
years, cryptography was seen as a vital national interest and most 
policymakers were willing to permit the National Security Agency 
and the military establishment to maintain a monopoly in the 
field.  With the end of the Cold War, the military and 
intelligence considerations have changed.  Indeed, Congress 
recognized the need for reform when it enacted the Computer 
Security Act in 1987, even before the demise of the Soviet Union. 
 
	Electronic communications are now widely used in the civilian 
sector and have become an integral component of the global 
economy.  Computers store and exchange an ever increasing amount 
of highly personal information, including medical and financial 
data.  In this electronic environment, the need for privacy-
enhancing technologies is apparent.  Communications applications 
such as electronic mail and electronic funds transfers require 
secure means of encryption and authentication -- goals that can be 
achieved only through the robust development and dissemination of 
cryptographic technology free of military interference.  To that 
end, the role of the National Security Agency in civilian 
cryptography should be eliminated and NIST should be granted the 
authority and resources to assist, rather than hinder, the 
development of civilian cryptography in the United States. 
\
 
*   David L. Sobel is Legal Counsel to Computer Professionals for 
Social Responsibility ("CPSR") in Washington, DC.  This article is 
adapted from a paper presented at the Twentieth Annual Tele-
communications Policy Research Conference.  The author wishes to 
acknowledge the research assistance of CPSR policy analyst David 
Banisar. 
 
1   56 Fed. Reg. 42981 (August 30, 1991).
 
2     "Lynn McNulty on Infosecurity Standards: A Talk with NIST's 
Protection Point Man,"  ISPNews, (September/October 1992) at 6.
 
3     See Wright, The Law of Electronic Commerce (Little, Brown 
1991) at 192-193.
 
4   56 Fed. Reg. 42981 (August 30, 1991).
 
5      See "The Computer Security Act of 1987 (P.L. 100-235) and 
the Memorandum of Understanding Between the National Institute of 
Standards and Technology (NIST) and the National Security Agency 
(NSA)," the Subcommittee on Legislation and National Security, 
Committee on Government Operations, House of Representatives, May 
4, 1989 (testimony of Marc Rotenberg, CPSR Washington Office 
Director) reprinted in Military and Security Control of Computer 
Security Issues, 101st Cong., 1st Sess. (1989) at 80.
 
6     H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987).
 
7     See generally Kahn, The Codebreakers (Macmillan 1967).
 
8     Burnham, The Rise of the Computer State  (Random House 
1980), at 126.  See generally Bamford, The Puzzle Palace (Houghton 
Mifflin 1982); "The National Security Agency and Fourth Amendment 
Rights," Hearings before the Senate Select Committee to Study 
Governmental Operations with Respect to Intelligence Activities, 
94th Cong., 1st Sess. (1975).
 
9       22 CFR Parts 120-130.
 
10     See generally, Greguras and Black, "The Encryption Export 
Maze: Red Tape, Requirements, Restrictions," INFOSecurity Product 
News (June 1992).
 
11     Adam, "Cryptography = Privacy?," IEEE Spectrum, August 1992 
at 34 (reprinted statement of NSA).
 
12        Kuttner, "Spooks and Science: An American Dilemma," The 
Washington Post, August 20, 1989, at B8.  See, also Kuttner, "How 
'National Security' Hurts National Competitiveness," Harvard 
Business Review, January - February 1991, at 140.
 
13     35 U.S.C. Sec. 181 et seq. 
 
14     "The Government's Classification of Private Ideas," 
Hearings before a Subcommittee of the House Committee on 
Government Operations, 96th Cong., 2d Sess. (1980) (hereinafter 
cited as "Private Ideas") at 258 (testimony of H. Miles Foy, 
Office of Legal Counsel, Department of Justice).
 
15     Hausken, "The Value of a Secret: Compensation for 
Imposition of Secrecy Orders under the Invention Secrecy Act," 119 
Military Law Review (Winter 1988) at 202 n.10 (446 new orders were 
issued in 1986 compared with 293 in 1979).
 
16     See "Private Ideas" at 406-431; see also Gilbert, "Patent 
Secrecy Orders: The Unconstitutionality of Interference in 
Civilian Cryptography under Present Procedures," 22 Santa Clara 
Law Review 325 (1982).
 
17     Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 481 (1974).
 
18     H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 7 (1987).
 
19   Letter from NIST to CPSR dated September 11, 1991.
 
20     CPSR v. NIST, Civil Action No. 92-0972 (D.D.C.) (agency 
affidavits filed in support of motion to stay proceedings).
 
21     Letter from Michael S. Conn (NSA) to Mitch Ratcliffe 
(MacWeek), October 31, 1991.
 
22     Opening Statement of Rep. Jack Brooks, Threat of Foreign 
Economic Espionage to U.S. Corporations, House Judiciary 
Subcommittee on Economic and Commercial Law, May 7, 1992 at 2.
 
23     See, e.g., Comments submitted to NIST by Fischer 
International Systems Corp., dated November 26, 1991.  See also 
"Debating Encryption Standards," Communications of the ACM, July 
1992 at 34 ("After years of testing and proven reliability, RSA is 
now used by the majority of software makers around the world, 
including IBM, Apple, Lotus, Sun and Microsoft").
 
24     Comments submitted to NIST by Professor Martin E. Hellman, 
dated November 12, 1991, reprinted in Communications of the ACM, 
July 1992 at 47-49.
 
25     Memorandum from Roy Saltman to Lynn McNulty dated December 
22, 1989.
 
26     Adam, "Cryptography = Privacy?," IEEE Spectrum, August 1992 
at 29.
 
27     Computer System Security and Privacy Advisory Board, 
Resolutions No. 1 and 3, March 18, 1992.
Return to:
Digital Signature Standard Page
Cryptography Policy Page
EPIC Home Page