[Federal Register Volume 59, Number 27 (Wednesday, February 9, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-2919]




-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 930659-4017]
RIN 0693-AB19

 

Approval of Federal Information Processing Standards Publication 
185, Escrowed Encryption Standard (EES)

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: The purpose of this notice is to announce that the Secretary of 
Commerce has approved a new standard, which will be published as FIPS 
Publication 185, Escrowed Encryption Standard.

-----------------------------------------------------------------------

SUMMARY: On July 30, 1993, notice was published in the Federal Register 
(58 FR 40791) that a Federal Information Processing Standard for EES 
was being proposed for Federal use. The written comments submitted by 
interested parties and other material available to the Department 
relevant to this standard were reviewed by NIST. On the basis of this 
review, NIST recommended that the Secretary approve the standard as a 
Federal Information Processing Standards Publication and prepared a 
detailed justification document for the Secretary's review in support 
of that recommendation. The detailed justification document which was 
presented to the Secretary is part of the public record and is 
available for inspection and copying in the Department's Central 
Reference and Records Inspection Facility, room 6020, Herbert C. Hoover 
Building, 14th Street between Pennsylvania and Constitution Avenues, 
NW., Washington DC 20230.
    This FIPS contains two sections: (1) An announcement section, which 
provides information concerning the applicability, implementation, and 
maintenance of the standard; and (2) a specifications section which 
deals with the technical requirements of the standard. Both sections of 
the standard are provided in this notice.

EFFECTIVE DATE: This standard is effective March 11, 1994.

ADDRESSES: Interested parties may purchase copies of this standard, 
including the technical specifications section, from the National 
Technical Information Service (NTIS). Specific ordering information 
from NTIS for this standard is set out in the ``Where to Obtain 
Copies'' section of the announcement section of the standards.

FOR FURTHER INFORMATION CONTACT: Michael R. Rubin, Deputy Chief Counsel 
for the National Institute of Standards and Technology, (301) 975-2803, 
room A1111, Administration Building, National Institute of Standards 
and Technology, Gaithersburg, MD 20899.

SUPPLEMENTARY INFORMATION: This standard specifies a technology 
developed by the Federal government to provide strong encryption 
protection for unclassified information and to provide that the keys 
used in the encryption and decryption processes are escrowed. This 
latter feature will assist law enforcement and other government 
agencies, under the proper legal authority, in the collection and 
decryption of electronically transmitted information. The encryption 
technology will be implemented in electronic devices.
    The purpose of this standard is to facilitate the acquisition of 
devices that implement escrowed encryption techniques by Federal 
government agencies. This standard does not mandate the use of escrowed 
encryption devices by Federal government agencies, the private sector 
or other levels of government. The use of such devices is totally 
voluntary. The standard provides a mechanism for Federal government 
agencies to use when they wish to specify key escrowed encryption as a 
requirement in their acquisition documents. Otherwise agencies would 
have to formally waive the requirements of the recently reaffirmed 
encryption standard, FIPS 46-2, Data Encryption Standard, if they 
wanted to use escrowed encryption techniques.
    Key escrow technology was developed to address the concern that 
widespread use of encryption makes lawfully authorized electronic 
surveillance difficult. In the past, law enforcement authorities have 
encountered very little encryption because of the expense and 
difficulty in using this technology. More recently, however, lower 
cost, commercial encryption technology has become available for use by 
U.S. industry and private citizens. The key escrow technology provided 
by this standard addresses the needs of the private sector for top 
notch communications security, and of U.S. law enforcement to conduct 
lawfully authorized electronic surveillance.

Analysis of Comments

    This FIPS was announced in the Federal Register (58 FR 40791 dated 
July 30, 1993) and was also sent to Federal agencies for review. 
Comments were received from 22 government organizations in the United 
States, 22 industry organizations and 276 individuals. Of the 298 
comments received from industry organizations and from individuals, 225 
were forwarded to NIST by the Electronic Frontier Foundation which had 
collected them as electronic mail messages.
    The Federal government organizations submitting comments included 
11 Cabinet departments and 11 other Federal organizations. The 22 
industry organizations included several large computer industry 
organizations, 4 trade associations, 2 professional societies, and 
several smaller computer industry organizations. The individuals 
submitting comments included computer systems, networks and software 
professionals; consultants; professionals affiliated with universities 
and colleges; students; and many individuals who did not identify their 
professions.
    Comments were grouped for the purpose of this analysis in the 
following major categories:
    A. General comments concerning key escrow encryption;
    B. Other general comments;
    C. Patent infringement allegations;
    D. Economic comments on the standard, including its potential cost 
to Federal agencies and private organizations that adopt it, and the 
effect that the standard may have upon the competitiveness of U.S. 
firms in domestic and world markets; and,
    E. Comments on the technical operation of the standard.
    Each of these matters is discussed in turn below.

A. General Comments Concerning Key Escrow

    Nearly all of the comments received from industry and individuals 
opposed the adoption of the standard, raising concerns about a variety 
of issues including privacy; the use of a secret algorithm; the 
security of the technology; restrictions on software implementation; 
impact on competitiveness; and lack of procedures for escrowing keys. 
Over 80 percent of the industry and individual responses repeated the 
following points which were also made by the Electronic Frontier 
Foundation:
    (1) Five industry organizations and 200 individuals said that 
guarantees are needed to assure that this standard is not a first step 
toward prohibition against other forms of encryption. In response, NIST 
notes that the standard is a specification for voluntary use by the 
Federal government in the acquisition of devices for escrowed 
encryption. There is no requirement that the public use this standard. 
Further, the Administration has announced that it will not propose new 
legislation to limit the use of encryption technology.
    (2) Three industry organizations and 164 individuals said that 
there had been insufficient technical and operational information 
available to allow full public comment. Also, seven Federal government 
organizations, 19 industry organizations, and 213 individuals expressed 
concern that the details of the escrowed encryption system had not been 
announced when the FIPS was proposed. Other related concerns included: 
the escrow agents have not been identified; the operating procedures 
are unclear; the system will not be secure if the keys are not 
protected; the system must allow for enforcement of expiration of 
wiretap authority. One member of the NIST Computer Privacy and Security 
Advisory Board stated that the notice was ``content-free''.
    In response, NIST notes that the standard is a technical one, for 
implementation in electronic devices and use in protection of certain 
unclassified government communications when such protection is 
required. It adopts encryption technology developed by the Federal 
government to provide strong protection for unclassified information 
and to enable the keys used in the encryption and decryption processes 
to be escrowed. The technical aspects of the Escrowed Encryption 
Standard have been set forth in detail, and the classified algorithm 
has been examined by independent experts.
    The responsibility for designation of the key component escrow 
agents lies with the Attorney General, rather than the Secretary of 
Commerce. In addition, the Attorney General is charged with reviewing 
for legal sufficiency the procedures by which an agency establishes its 
authority to acquire the content of communications encrypted with 
electronic devices using the Escrowed Encryption Standard. Designation 
of the key component escrow agents, and approval of procedures for 
acquisition of key components to facilitate decryption of 
communications, are separate from the establishment of the technical 
parameters of this standard. Necessarily, protection of the information 
encrypted by use of the Escrowed Encryption Standard requires that the 
key components and other aspects of the system be accorded strict 
security. Procedures to provide strict security in the programming, 
storage, and transmission of key components have been developed; 
however, the security procedures for the key components are beyond the 
scope of this rule.
    Even were the identity of the key component escrow agents, or the 
procedures under which escrowed key components will be maintained and 
released for use in conjunction with lawfully authorized interceptions 
relevant to the technical standards established in the instant rule, 
the Department of Commerce has found, consistent with 5 U.S.C. 
553(b)(B), that notice and public procedure thereon is unnecessary. The 
technical aspects of the Escrowed Encryption Standard themselves, 
coupled with the strength of the algorithm and the privacy protections 
afforded by the Constitution and relevant statutes, afford adequate 
assurance of the efficacy of the standard for the protection of 
sensitive unclassified Federal government information, without the need 
for specifying the identities of key component escrow agents or 
detailing the procedures respecting maintenance or release of key 
components.
    (3) One Federal government organization, 10 industry organizations, 
and 199 individuals were concerned that the escrowed encryption system 
may infringe on individual rights. Some said that the government cannot 
act as an independent escrow agent. One industry organization and 6 
individuals said that the government cannot be trusted to run the 
escrow system.
    The technical capabilities afforded by the Escrowed Encryption 
Standard permit protection of certain sensitive, but unclassified 
Federal government information at a level far stronger than that of the 
Data Encryption Standard, while at the same time permitting decryption 
of communications in conjunction with electronic surveillance when 
authorized by law. These comments address policy issues separate from 
the technical aspects of the Escrowed Encryption Standard established 
herein. The technical benefits accruing to a Federal government system 
using the Escrowed Encryption Standard are independent of the identity 
of the entities serving as key component escrow agents.
    With respect to the suggestions that the system may infringe 
individual rights, the purpose of the escrowing of key components is to 
permit decryption only in those circumstances in which interception of 
communications is lawfully authorized, consistent with the Constitution 
and relevant statutes. To this end, the Attorney General is to review 
for legal sufficiency the procedures by which an agency establishes its 
authority to acquire the contents of such communications. The 
Department of Justice has assured NIST, therefore, that the Escrowed 
Encryption Standard is fully consistent with protection of individual 
privacy rights.
    (4) Fifteen industry organizations and 193 individuals were 
concerned that the standard uses a secret algorithm. Some said that 
since the algorithm is secret, it is not possible to evaluate it. Some 
said that the algorithm is flawed and is subject to compromise. Two 
individuals said that the algorithm has severe technical problems, and 
that the algorithm for generating the unit keys is too predictable. One 
individual said that in addition to possible decryption via escrowed 
keys, the algorithm has a back door. Others said that people will not 
use encryption that they cannot trust, and that the risks of using the 
EES have not been assessed. One government organization, two industry 
organizations and 7 individuals said that the technology will not be 
accepted internationally if the algorithm is not known.
    The algorithm was developed originally as a classified algorithm 
for the U.S. Government to provide highly effective communications 
security. It is still used for that purpose. There are no trap doors or 
any known weaknesses in it. A classified algorithm is essential to the 
effectiveness of the key escrow solution. The use of a classified 
algorithm assures that no one can produce devices that use the 
algorithm without the key escrow feature and thereby frustrate the 
ability of government agencies to acquire the content of communications 
encrypted with the algorithm, in conjunction with lawfully authorized 
interception. NIST finds that, because the algorithm needs to remain 
secret in order to preserve the utility of the key escrow feature, it 
would be neither practicable nor in the public interest to publish the 
algorithm.
    (5) Eight industry organizations and 181 individuals said that it 
was premature to adopt the EES as a standard until policy decisions on 
encryption are made.
    The Federal government is committed to protection of sensitive 
information of all kinds, particularly sensitive, but unclassified 
information outside the scope of the Warner Amendment. The Escrowed 
Encryption Standard gives Federal managers the ability to afford their 
agencies' sensitive but unclassified information protection 
substantially stronger than possible with the Data Encryption Standard. 
This standard permits, but does not mandate, the use of the Escrowed 
Encryption Standard by Federal managers; it in no way mandates use of 
the standard outside the Federal government. Issuance of the standard 
at this time is fully consistent with the President's Directive on 
encryption management.

B. Other General Comments

    Twelve individuals questioned the role of the National Security 
Agency in the development of the standard. In response, NIST notes that 
NSA, because of its expertise in the field of cryptography and its 
statutory role as a technical advisor to U.S. government agencies 
concerning the use of secure communications, developed the technical 
basis for the standard which allows for the widespread use of 
encryption technology while affording law enforcement the capability to 
access encrypted communications under lawfully authorized conditions. 
NSA worked in cooperation with the Department of Justice, the FBI and 
NIST to develop the escrowed encryption standard.
    Seven individuals said that there is other technology available for 
protecting information that is more cost effective and that the EES is 
not the best solution for the problems identified. NIST notes that use 
of the standard is voluntary. The standard states that a risk analysis 
should be performed to determine potential threats and risk and that 
the costs of providing encryption using this standard as well as 
alternative methods and their respective costs should be projected. A 
decision to use this standard should be based on the risk and cost 
analyses.
    One individual said that the government should not broaden its 
access to private communications. NIST notes that the standard does not 
broaden access to private communications. Access must be legally 
authorized.
    One government organization, 4 industry organizations and 28 
individuals said that the standard hinders security of information and 
will not help law enforcement activities. NIST responds that, as noted 
in the President's directive on ``Public Encryption Management,'' new 
communications technology can frustrate lawful government electronic 
surveillance and, when exported abroad, thwart foreign intelligence 
activities critical to our national interests. The Escrowed Encryption 
Standard provides substantially stronger encryption protection than is 
currently available under the Data Encryption Standard, and its 
implementation in hardware is expected to permit ease and transparency 
of use. It is anticipated that security will be enhanced by the 
combination of robust encryption with technology easily usable even in 
circumstances that have not, in the past, readily lent themselves to 
encryption. The Escrowed Encryption Standard permits the protection of 
sensitive information with strong encryption, while at the same time 
permitting protection of the public safety by decryption in conjunction 
with lawfully authorized electronic surveillance. The key escrowing 
technique in this standard will allow the government to gain access to 
encrypted information only with appropriate legal authorization.
    Four industry organizations and 17 individuals said that the 
standard does not respond to any user requirement. NIST responds that 
the standard provides substantially stronger protection for sensitive, 
but unclassified Federal government information than is currently 
available under the Data Encryption Standard. Moreover, the standard 
permits law enforcement entities to protect the public safety by gaining 
access to encrypted information in conjunction with lawfully authorized 
electronic surveillance.
    One industry organization and 20 individuals said that it is 
unlikely that people engaged in illegal activities will use the 
standard. NIST notes that the Administration has chosen to encourage 
the widespread use of key escrow devices to make strong encryption 
broadly available and affordable.
    One individual said that the key escrow program will be funded by 
asset forfeiture and therefore will not be subject to Congressional 
review. The Federal government will acquire a number of key escrow-
equipped devices, for some of which funds from the Department of 
Justice Asset Forfeiture Super Surplus Fund will be utilized. NIST 
notes that the asset forfeiture program is subject to Congressional 
review and oversight, and to General Accounting Office reviews and 
audits, if requested by the Congress. There are, however, no plans to 
use asset forfeiture funds for other aspects of the key-escrow 
encryption system.
    One industry organization stated that the applicability of the 
standard should be limited to telephony. NIST notes that the standard 
is applicable to voice, facsimile, and computer information 
communicated in a telephone system.
    One industry organization said that the recommended FIPS deviates 
from the FIPS process. In response, NIST notes that it uses a variety 
of methods to develop needed standards, including working closely with 
other Federal agencies as mandated by the Computer Security Act of 
1987. NIST followed its usual procedures in announcing the proposed 
standard and soliciting comments from government and private sector 
organizations, as well as from interested members of the public. All 
comments received to the Federal Register notice announcing the 
proposed standard have been made part of the public record and are 
available for inspection and copying at the Central Reference and 
Records Inspection Facility in the Department of Commerce. The 
justification document which was presented to the Secretary of Commerce 
is part of the public record as well.

C. Patent Infringement Allegations

    In addition to the above comments, NIST has received two 
allegations of patent infringement for the key escrow technology 
adopted by the EES. The first allegation was from the holder of an 
issued patent, the second was from an inventor who had recently filed a 
patent application with the Patent and Trademark Office. Also, one 
government organization observed that the patent status of the EES is 
not clear and may result in cost impacts due to payment of royalties, 
should EES be found to infringe upon any privately held patent. Based 
upon information received to date, NIST has not been persuaded that any 
patent of which it is aware will lead to a successful claim against any 
use of the EES, including U.S. Government users, for payment of 
royalties. An infringement study was conducted upon the first 
infringement allegation, with the result that no infringement was 
found. When the patent relevant to the second allegation was issued in 
January of this year, an infringement study was begun on that patent.

D. Economic Effects of the Standard

    Public comments were received on three economic aspects of the 
proposed standard, including concerns about the cost to the government 
and the private sector of implementing the standard; the effect of the 
standard upon the competitiveness of U.S. software firms in world 
markets; and suggestions that the government has bestowed an unfair 
economic benefit upon the contractor that has been selected to 
manufacture the escrow encryption semiconductor chips that are called 
for in the standard. Each of these matters is addressed in turn below.
1. Costs
    A number of comments were received concerning the possible cost of 
implementing the Escrowed Encryption Standard. Thus, one government 
agency, two industry organizations and nine individuals expressed 
concern about the cost of administration of the escrow database, or 
about the cost, availability, implementation and maintenance of the 
equipment needed to support the standard. Indeed, one Federal 
organization said that it did not support the standard because there 
would be an adverse impact if the organization had to replace or modify 
its current equipment. An industry organization suggested that the 
standard would impose costs on the private sector if private parties 
need to use the standard to communicate with the government.
    NIST estimates the cost of establishing the escrow system to be 
approximately $14 million. The cost of operating the key escrow 
facility is estimated to be $16 million annually.
    These cost figures are based upon a number of factors. NIST notes 
that use of the standard is voluntary for Federal agencies, and that 
agencies are not required to implement it. Agencies will determine 
whether to use this standard based on their analyses of the risk of 
unauthorized disclosure of their sensitive data and the cost of using 
this standard to protect the data. NIST does not expect the wholesale 
replacement of the current base of equipment that conforms to FIPS 46-2, 
Data Encryption Standard. Rather, the implementation of this 
standard appears most likely to occur as the Federal government 
replaces old and obsolete equipment. NIST believes that as the Federal 
government replaces old and obsolete equipment, the additional costs of 
implementing this standard in electronic devices will prove to be 
negligible compared to the costs of equivalent encryption protection 
which would be implemented in encryption devices which do not comply 
with this standard.
    NIST also notes that the standard has no direct applicability to 
entities that do not operate Federal computer systems. Thus, 
businesses, universities and other nonprofit organizations and 
individual citizens are free to use products that conform to the 
standard, or to ignore the standard if they see fit.
2. Competitiveness
    Eight industry organizations and 28 individuals said that the 
standard will reduce the competitiveness of U.S. computer hardware and 
software companies in foreign markets. NIST notes that approval of the 
Escrowed Encryption Standard will not prevent U.S. manufacturers from 
making other encryption products for the private sector. While export 
controls may affect the sales of U.S. encryption products abroad, key 
escrow products are already exportable to U.S. industry and individuals 
operating abroad in accordance with proper export licensing through the 
Department of State. Further, a comprehensive policy review on 
commercial encryption is now underway by the Administration. This 
review will consider, among other topics, broader export options for 
key escrow products. Again, approval of the Escrowed Encryption 
Standard for broader export will not restrict exports of other 
encryption products. The overseas market for these products will depend 
on a variety of factors including any restrictions other countries 
place on imports of encryption technology.
3. Unfair Competitive Advantage
    One industry organization and two individuals said that the 
standard gives an economic advantage to the one company that has been 
selected by the Government to date to manufacture semiconductor chips 
which conform to this standard. NIST notes that the company that 
designed the microcircuit was selected because of its expertise in 
design of custom cryptographic chips, its secure facilities, and 
employment of cleared personnel. The company that developed the 
microcircuit was selected for its technological capabilities to 
fabricate microcircuits resistant to reverse engineering. Other 
manufacturers that wish to enter the market and can satisfy the 
technology and security requirements will be approved to manufacture 
the microcircuits.

E. Technical Recommendations and Editorial Changes

    A wide range of technical issues were raised in the public comment 
process. Each issue, and a NIST response, follows below.
    Four industry organizations and 7 individuals said that the 
required hardware implementation of the escrowed encryption standard 
was not optimum. Software implementation would be more useful and cost 
effective. NIST notes that because software is easy to change, secure 
software implementations of the key escrow technique have been 
difficult to devise. On August 24, 1993 (58 FR 44662) NIST invited the 
participation of the software industry in cooperative efforts to meet 
this challenge. Several organizations have indicated that they wish to 
collaborate with NIST in this area. NIST will try to establish 
cooperative partnerships to investigate the implementation of the EES 
in software.
    Three Federal government organizations and one individual said that 
applicability of the standard should not be restrictive, and that it 
should allow for other applications and data rates. NIST notes that the 
scope of applicability was established to address the immediate need 
for improved telephone security while preserving the law enforcement 
capability of decrypting intercepted telecommunications that have been 
lawfully authorized. Use of the standard is voluntary. Use of the 
standard for other purposes is not prohibited in the standard.
    One individual stated that the standard should require two or more 
escrow agents and that the standard should state that all the 
components of the device unique key are independent and all are needed 
to form the key. A change was made to state that the Device Unique Key 
shall be composed of two components (each 80 bits long) and each 
component shall be independently generated and stored by an escrow 
agent. This change provides for the two escrow agents envisioned by the 
Department of Justice, and two key components, each 80 bits long.
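
The two-component requirement described above, as an added example (not part of the notice or of FIPS 185). It assumes the two 80-bit components are combined by bitwise XOR, which the notice does not state, and contrasts that with a hypothetical split into two halves to show why each component is the full key length; all function names are illustrative.

```python
import secrets

KEY_BITS = 80               # component length stated in the notice
KEY_BYTES = KEY_BITS // 8


def generate_component() -> bytes:
    """Component generated independently by one escrow agent (80 random bits)."""
    return secrets.token_bytes(KEY_BYTES)


def combine(c1: bytes, c2: bytes) -> bytes:
    """Form the Device Unique Key from both components.

    ASSUMPTION: bitwise XOR. The notice only says the key is composed of two
    independently generated 80-bit components.
    """
    if len(c1) != KEY_BYTES or len(c2) != KEY_BYTES:
        raise ValueError("each component must be exactly 80 bits")
    return bytes(a ^ b for a, b in zip(c1, c2))


def candidates_xor(known: int, bits: int) -> set:
    """Keys still possible for a party holding one XOR component (toy width)."""
    return {known ^ other for other in range(1 << bits)}


def candidates_concat(known_half: int, bits: int) -> set:
    """Keys still possible when the key is merely cut into two halves
    (hypothetical weak split, for contrast) and one half is known."""
    half = bits // 2
    return {(known_half << half) | other for other in range(1 << half)}


if __name__ == "__main__":
    c1, c2 = generate_component(), generate_component()
    ku = combine(c1, c2)
    print("device unique key bits:", len(ku) * 8)

    toy = 16  # toy width so the candidate sets can be enumerated
    print("XOR split, one component known:",
          len(candidates_xor(0xBEEF, toy)), "candidates")
    print("halved split, one half known  :",
          len(candidates_concat(0xBE, toy)), "candidates")
```

With full-length XOR components, an escrow agent holding one component has learned nothing about the key; with a halved key, the same agent would be left with only the square root of the original search space.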
    One individual said that the name of Device Identifier (DID) should 
be device Unique Identifier (UID). Since DID is used elsewhere for 
another purpose, NIST changed the name of Device Identifier (DID) to 
device Unique Identifier (UID).
    One individual said that the standard should provide for access to 
both sides of a real-time conversation. NIST notes that if the two keys 
are different, either a law enforcement official must obtain a court 
order for both parties of a two-way communication or it can only 
decrypt one part of a conversation. Therefore, the standard was changed 
to state that the session key used to encrypt transmitted information 
shall be the same as the session key used to decrypt received 
information in a two-way simultaneous communication.
    One industry organization said that the standard should specify a 
register for Leaf Creation Methods. NIST changed the standard to state 
that the Leaf Creation Method (LCM) shall be registered in the NIST 
Computer Security Object Register (e.g., LCM-1). Additional LCM's may 
be created in the future.
    One industry organization said that the Cryptographic Protocol 
Field (CPF) has not been defined and should be removed from the 
standard since it is an incomplete specification. NIST changed the 
standard to state that the Cryptographic Protocol Field (CPF) shall be 
registered in the NIST Computer Security Object Register. This will 
enable the details on the CPF to be formalized later.
    Four Federal government organizations and two individuals said that 
the standard is not an interoperability standard, that it does not 
specify parameter lengths and formats and placement in communications, 
and that the standard provides insufficient technical information for 
implementation. NIST added information to the standard to explain that 
it is not an interoperability standard. It does not provide sufficient 
information to design and implement a security device or equipment. 
Other specifications and standards will be required to assure 
interoperability of EES devices in various applications. Specifications 
of a particular EES device must be obtained from the manufacturer in 
order to use it in an application.
    One industry commenter said that the standard should specify a 
register of family keys, such as ``FBI Family Key 1,'' to provide some 
assurance of interoperability. NIST changed the standard to state that 
the family key shall have an identifier (KF-ID). The identifier of a 
family key shall be registered in the NIST Computer Security Object 
Register. As a result, if more than one family key exists (reasonable 
assumption), it should be identified so that law enforcement agencies 
can decrypt the LEAF.
    One industry organization and one individual stated that the 
standard should reference technical specifications explicitly (even if 
they are classified). NIST changed the standard to provide specific 
information on how to obtain the technical specifications for the 
SKIPJACK algorithm and the LEAF Creation Method 1.
    One industry organization said that parameters (input, output, 
status, errors) are not specified in the standard, and that diversity 
of sources of implementations cannot be established. NIST notes that 
various devices meeting this standard are anticipated. Therefore, the 
implementations will depend on a number of factors, including physical, 
electrical and application requirements.
    One industry organization said that the standard should state that 
DID is transmitted in the LEAF. NIST notes that the standard does state 
this.
    One individual said that the reverse engineering protection for the 
algorithm is not perfect. NIST notes that the standard specifies that 
the encryption algorithm and the LEAF creation method shall be 
implemented in electronic devices highly resistant to reverse 
engineering. It does not specify how the reverse engineering is to be 
prevented (or deterred). It also does not specify a metric for 
measuring the prevention (or deterrence). These are difficult to 
quantify and to specify and depend greatly on the implementation. A 
study is being performed to evaluate the protection provided by one of 
the current implementations of the standard (MYK-78). Estimates of the 
protection provided are 1-4 years of protection against attacks by 
specialized laboratories investing $1M to $4M.
    One industry organization stated that 2**80 keys is sufficient for 
a session key, but it is not sufficient for lifetime keys (family and 
unique keys). NIST notes that the length of the family key and the 
device unique key are presently 80 bits for the SKIPJACK algorithm. The 
session key is also 80 bits. While the security lifetime of a session 
key is normally much shorter than the security lifetime of a master key 
(also called Key Encrypting Key), it is convenient to use keys of the 
same length for all purposes. Present implementations of the EES use 
one length key for all three types of keys (i.e., 80 bits). This is 
expected to be sufficiently long for unclassified data encryption for 
many years. However, the length of the family key and device unique key 
can be increased in future implementations and future LEAF creation 
methods. Some provisions for these have been made in the standard.
    One industry organization was concerned that disclosure of the 
Device Unique Key could allow decryption of ALL information ever 
encrypted with that device (all past and all future), and that this 
condition could technically be prevented. NIST believes that key escrow 
procedures intended to administratively control the use of the device 
Unique Key are outside the scope of the standard. Technical controls were 
not included in the initial design of the MYK-78 but could be added in 
future designs.
    One individual was concerned that two party control is not truly 
implemented in the ``chip.'' NIST acknowledges that two party control 
was not in the original design criteria of the chip. Administrative 
controls are to be used to assure two party control for the present 
design. This two party control feature could be added to future designs.
    One individual said that one ``tamperproofing session'' is 
supported by the Mykotronics implementation of the EES. However, the 
second escrow agent entering a key could read the first escrow agent's 
key and hence have both keys. NIST notes that the present method of 
reverse engineering protection provides for one ``programming session'' 
in which device unique parameters are put into the device. The 
parameters are ``locked'' after being entered and verified. The present 
technology allows this to be done only once. Other technologies may be 
developed which allow two or more independent ``program sessions'' which 
prevent reading of previously entered parameters while other parameters 
are being entered. Future implementations may have this feature but such 
requirements at the present time are outside the scope of this 
standard.
    One industry organization recommended that the following should be 
put into the standard: ``The Session Key (80 bits) shall be encrypted 
with the device Unique Key. The encrypted Session Key is concatenated 
with the Device Identifier (DID) (xx bits) and the Escrow Authenticator 
(EA) (yy bits). This result is then encrypted with the Family Key to 
generate a 128 bit LEAF. The 128 bit LEAF along with a 64 bit 
Initialization Vector shall be transmitted with the cipher text.'' NIST 
acknowledges that this is a general description of the LEAF creation 
method specified in this standard. The complete specifications are 
classified. Classified specifications must be obtained in order to 
implement the standards. Users of devices meeting this standard do not 
need to know the specifics of the LEAF creation method in order to use 
security devices meeting this standard. There is, therefore, no purpose 
in providing this general specification in the standard.
    One industry organization recommended that Modes of Operation be 
developed for the EES, including Counter Addressing or Long Cycle Mode, 
and that the LFSR should be included. NIST notes that four modes of 
operation are specified in FIPS-81. Subsets of these four modes are 
specified in the EES. Other subsets are implemented in various devices 
implementing this standard. For example, the Output Feedback (OFB) mode 
is implemented in the MYK-78T while all subsets specified in the 
standard are implemented in the MYK-80. The Linear Feedback Shift 
Register (LFSR) mode has been used in some devices but was not included 
in the Modes of Operation for DES. OFB can be used in the same 
applications. National security interests were considered when 
selecting the modes of operation.
    One industry organization said that the standard should state the 
length of the Family Key. NIST notes that the length of the family key (80 
bits) may increase in future implementations, and therefore flexibility 
is needed in the standard.

    Dated: February 4, 1994.
Samuel Kramer,
Associate Director.

Federal Information Processing Standards Publication 185

Announcing the Escrowed Encryption Standard (EES)
    Federal Information Processing Standards Publications (FIPS PUBS) 
are issued by the National Institute of Standards and Technology (NIST) 
after approval by the Secretary of Commerce pursuant to section 111(d) 
of the Federal Property and Administrative Services Act of 1949 as 
amended by the Computer Security Act of 1987, Public Law 100-235.
    Name of Standard: Escrowed Encryption Standard (EES).
    Category of Standard: Telecommunications Security.
    Explanation: This Standard specifies use of a symmetric-key 
encryption (and decryption) algorithm (SKIPJACK) and a Law Enforcement 
Access Field (LEAF) creation method (one part of a key escrow system) 
which provides for decryption of encrypted telecommunications when 
interception of the telecommunications is lawfully authorized. Both the 
SKIPJACK algorithm and the LEAF creation method are to be implemented 
in electronic devices (e.g., very large scale integration chips). The 
devices may be incorporated in security equipment used to encrypt (and 
decrypt) sensitive unclassified telecommunications data. Decryption of 
lawfully intercepted telecommunications may be achieved through the 
acquisition and use of the LEAF, the decryption algorithm and the two 
escrowed key components.
    One definition of ``escrow'' means that something (e.g., a 
document, an encryption key) is ``delivered to a third person to be 
given to the grantee only upon the fulfillment of a condition'' 
(Webster's Seventh New Collegiate Dictionary). The term, ``escrow'', 
for purposes of this standard, is restricted to this dictionary 
definition.
    A key escrow system, for purposes of this standard, is one that 
entrusts the two components comprising a cryptographic key (e.g., a 
device unique key) to two key component holders (also called ``escrow 
agents''). In accordance with the above definition of ``escrow'', the 
key component holders provide the components of a key to a ``grantee'' 
(e.g., a law enforcement official) only upon fulfillment of the 
condition that the grantee has properly demonstrated legal 
authorization to conduct electronic surveillance of telecommunications 
which are encrypted using the specific device whose device unique key 
is being requested. The key components obtained through this process 
are then used by the grantee to reconstruct the device unique key and 
obtain the session key which is then used to decrypt the 
telecommunications that are encrypted with that session key.
    The SKIPJACK encryption/decryption algorithm has been approved for 
government applications requiring encryption of sensitive but 
unclassified data telecommunications as defined herein. The specific 
operations of the SKIPJACK algorithm and the LEAF creation method are 
classified and hence are referenced, but not specified, in this 
standard.
    Data for purposes of this standard includes voice, facsimile and 
computer information communicated in a telephone system. A telephone 
system for purposes of this standard is limited to a system which is 
circuit switched and operating at data rates of standard commercial 
modems over analog voice circuits or which uses basic-rate ISDN or a 
similar grade wireless service.
    Data that is considered sensitive by a responsible authority should 
be encrypted if it is vulnerable to unauthorized disclosure during 
telecommunications. A risk analysis should be performed under the 
direction of a responsible authority to determine potential threats and 
risks. The costs of providing encryption using this standard as well as 
alternative methods and their respective costs should be projected. A 
responsible authority should then make a decision, based on the risk 
and cost analyses, whether or not to use encryption and then whether or 
not to use this standard.
    Approving Authority: Secretary of Commerce.
    Maintenance Agency: Department of Commerce, National Institute of 
Standards and Technology.
    Applicability: This standard is applicable to all Federal 
departments and agencies and their contractors under the conditions 
specified below. This standard may be used in designing and 
implementing security products and systems, which Federal departments 
and agencies use or operate or which are operated for them under 
contract. These products may be used when replacing Type II and Type 
III (DES) encryption devices and products owned by the government and 
government contractors.
    This standard may be used when the following conditions apply:
    1. An authorized official or manager responsible for data security 
or the security of a computer system decides that encryption is 
required and cost justified as per OMB Circular A-130; and
    2. The data is not classified according to Executive Order 12356, 
entitled ``National Security Information,'' or to its successor orders, 
or to the Atomic Energy Act of 1954, as amended.
    However, Federal departments or agencies which use encryption 
devices for protecting data that is classified according to either of 
these acts may use those devices also for protecting unclassified data 
in lieu of this standard.
    In addition, this standard may be adopted and used by non-Federal 
Government organizations. Such use is encouraged when it provides the 
desired security.
    Applications: This standard may be used in any unclassified 
government and commercial communications. Use of devices conforming to 
this standard is voluntary for unclassified government applications and 
for commercial security applications.
    Implementations: The encryption/decryption algorithm and the LEAF 
creation method shall be implemented in electronic devices (e.g., 
electronic chip packages) which are protected against unauthorized 
entry, modification and reverse engineering. Implementations which are 
tested and validated by NIST will be considered as complying with this 
standard. An electronic device shall be incorporated into a 
cryptographic module in accordance with FIPS 140-1. NIST will test for 
conformance with FIPS 140-1. Conforming cryptographic modules can then 
be integrated into security equipment for sale and use in a security 
application. Information about devices that have been validated, 
procedures for testing equipment for conformance with NIST standards, 
and information about approved security equipment are available from 
the Computer Systems Laboratory, NIST, Gaithersburg, MD 20899.

    Export Control: Implementations of this standard are subject to 
Federal Government export controls as specified in Title 22, Code of 
Federal Regulations, Parts 120 through 131 (International Traffic of 
Arms Regulations--ITAR). Exporters of encryption devices, equipment and 
technical data are advised to contact the U.S. Department of State, 
Office of Defense Trade Controls for more information.
    Patents: Implementations of this standard may be covered by U.S. 
and foreign patents.
    Implementation Schedule: This standard becomes effective thirty 
days following publication of this FIPS PUB.
    Specifications: Federal Information Processing Standard (FIPS 185), 
Escrowed Encryption Standard (EES) (affixed).

Cross Index

    a. FIPS PUB 46-2, Data Encryption Standard.
    b. FIPS PUB 81, Modes of Operation of the DES.
    c. FIPS PUB 140-1, Security Requirements for Cryptographic Modules.

Glossary

    The following terms are used as defined below for purposes of this 
standard:
    Data--Unclassified voice, facsimile and computer information 
communicated over a telephone system.
    Decryption--Conversion of ciphertext to plaintext through the use 
of a cryptographic algorithm.
    Device (cryptographic)--An electronic implementation of the 
encryption/decryption algorithm and the LEAF creation method as 
specified in this standard.
    Digital data--Data that have been converted to a binary 
representation.
    Encryption--Conversion of plaintext to ciphertext through the use 
of a cryptographic algorithm.
    Key components--The two values from which a key can be derived 
(e.g., KU1, KU2).
    Key escrow--The processes of managing (e.g., generating, storing, 
transferring, auditing) the two components of a cryptographic key by 
two key component holders.
    LEAF Creation Method--A part of a key escrow system that is 
implemented in a cryptographic device and creates a Law Enforcement 
Access Field.
    Type I cryptography--A cryptographic algorithm or device approved 
by the National Security Agency for protecting classified information.
    Type II cryptography--A cryptographic algorithm or device approved 
by the National Security Agency for protecting sensitive unclassified 
information in systems as specified in section 2315 of Title 10 United 
States Code, or section 3502(2) of title 44, United States Code.
    Type III cryptography--A cryptographic algorithm or device approved 
as a Federal Information Processing Standard.
    Type III(E) cryptography--A Type III algorithm or device that is 
approved for export from the United States.
    Qualifications: The protection provided by a security product or 
system is dependent on several factors. The protection provided by the 
SKIPJACK algorithm against key search attacks is greater than that 
provided by the DES algorithm (e.g., the cryptographic key is longer). 
However, provisions of this standard are intended to ensure that 
information encrypted through use of devices implementing this standard 
can be decrypted by a legally authorized entity.
    Where to Obtain Copies of the Standard: Copies of this publication 
are for sale by the National Technical Information Service, U.S. 
Department of Commerce, Springfield, VA 22161. When ordering, refer to 
Federal Information Processing Standards Publication 185 (FIPS PUB 
185), and identify the title. When microfiche is desired, this should 
be specified. Prices are published by NTIS in current catalogs and 
other issuances. Payment may be made by check, money order, deposit 
account or charged to a credit card accepted by NTIS.

Federal Information Processing Standards Publication 185

Specifications for the Escrowed Encryption Standard

1. Introduction

    This publication specifies Escrowed Encryption Standard (EES) 
functions and parameters.

2. General

    This standard specifies use of the SKIPJACK cryptographic 
algorithm and a LEAF Creation Method to be implemented in an approved 
electronic device (e.g., a very large scale integration electronic 
chip). The device is contained in a logical cryptographic module which 
is then integrated in a security product for encrypting and decrypting 
telecommunications.
    Approved implementations may be procured by authorized 
organizations for integration into security equipment. Devices must be 
tested and validated by NIST for conformance to this standard. 
Cryptographic modules must be tested and validated by NIST for 
conformance to FIPS 140-1.

3. Algorithm Specifications

    The specifications of the encryption/decryption algorithm 
(SKIPJACK) and LEAF Creation Method 1 (LCM-1) are classified. The 
National Security Agency maintains these classified specifications and 
approves the manufacture of devices which implement the specifications. 
NIST tests for conformance of the devices implementing this standard in 
cryptographic modules to FIPS 140-1 and FIPS 81.

4. Functions and Parameters

4.1  Functions
    The following functions, at a minimum, shall be implemented:
    1. Data Encryption: A session key (80 bits) shall be used to 
encrypt plaintext information in one or more of the following modes of 
operation as specified in FIPS 81: ECB, CBC, OFB (64), CFB (1, 8, 16, 
32, 64).
    2. Data Decryption: The session key (80 bits) used to encrypt the 
data shall be used to decrypt resulting ciphertext to obtain the data.
    3. LEAF Creation: A Family Key (e.g., KF-1) shall be used to create 
a Law Enforcement Access Field (LEAF) in accordance with a LEAF 
Creation Method (e.g., LCM-1). The security equipment shall ensure that 
the LEAF is transmitted in such a manner that the LEAF and ciphertext 
may be decrypted with legal authorization. No additional encryption or 
modification of the LEAF is permitted.
4.2  Parameters
    The following parameters shall be used in performing the prescribed 
functions:
    1. Device Unique Identifier (UID): The identifier unique to a 
particular device and used by the Key Escrow System.
    2. Device Unique Key (KU): The cryptographic key unique to a 
particular device and used by the Key Escrow System.
    3. Cryptographic Protocol Field (CPF): The field identifying the 
registered cryptographic protocol used by a particular application and 
used by the Key Escrow System (reserved for future specification and 
use).
    4. Escrow Authenticator (EA): A binary pattern that is inserted in 
the LEAF to ensure that the LEAF is transmitted and received properly 
and has not been modified, deleted or replaced in an unauthorized 
manner.
    5. Initialization Vector (IV): A mode and application dependent 
vector of bytes used to initialize, synchronize and verify the 
encryption, decryption and key escrow functions.
    6. Family Key (KF): The cryptographic key stored in all devices 
designated as a family that is used to create a LEAF.
    7. Session Key (KS): The cryptographic key used by a device to 
encrypt and decrypt data during a session.
    8. Law Enforcement Access Field (LEAF): The field containing the 
encrypted session key and the device identifier and the escrow 
authenticator.

5. Implementation

    The Cryptographic Algorithm (i.e. SKIPJACK) and a LEAF Creation 
Method (e.g., LCM-1) shall be implemented in an electronic device 
(e.g., VLSI chip) which is highly resistant to reverse engineering 
(destructive or non-destructive) to obtain or modify the cryptographic 
algorithm, the UID, the KF, the KU, the EA, the CPF, the operational 
KS, and any other security or Key Escrow System relevant information. 
The device shall be able to be programmed/personalized (i.e., made 
unique) after mass production in such a manner that the UID, KU (or its 
components), KF (or its components) and EA fixed pattern can be entered 
once (and only once) and maintained without external electrical power.
    The LEAF and the IV shall be transmitted with the ciphertext. The 
specifics of the protocols used to create and transmit the LEAF, IV, 
and encrypted data shall be registered and a CPF assigned. The CPF (and 
the KF-ID, LCM-ID) shall then be transmitted in accordance with the 
registered specifications.
    Various devices implementing this standard are anticipated. The 
implementation may vary with the application. The specific electric, 
physical and logical interface will vary with the implementation. Each 
approved, registered implementation shall have an unclassified 
electrical, physical and logical interface specification sufficient for 
an equipment manufacturer to understand the general requirements for 
using the device. Some of the requirements may be classified and 
therefore would not be specified in the unclassified interface 
specification.
    The device Unique Key shall be composed of two components (each a 
minimum of 80 bits long) and each component shall be independently 
generated and stored by an escrow agent. The session key used to 
encrypt transmitted information shall be the same as the session key 
used to decrypt received information in a two-way simultaneous 
communication. The LEAF Creation Method (LCM), the Cryptographic 
Protocol Field (CPF), and the Family Key Identifier (KF-ID) shall be 
registered in the NIST Computer Security Object Register.
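
    The general LEAF description quoted in the comment responses (session key encrypted under the device Unique Key, concatenated with the DID and EA, then encrypted under the Family Key into 128 bits) and the two-component device Unique Key required above are traced in the following Python code. It is an added example, not part of the notice or of the classified specifications: the block cipher is a stand-in Feistel construction rather than SKIPJACK, and the 32-bit DID, the 16-bit EA and its pattern value, the XOR combination of the two components and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 10              # 80-bit KS, KU and KF, as the notice states
DID_LEN = 4               # assumed: the notice leaves this as "xx bits"
EA_LEN = 2                # assumed: the notice leaves this as "yy bits"
EA_PATTERN = b"\xa5\x5a"  # constructed fixed pattern, not a real EA value


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    # Round function of the stand-in cipher: HMAC-SHA256 cut to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]


def encrypt_block(key, block, rounds=8):
    """Stand-in block cipher (balanced Feistel). This is NOT SKIPJACK."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for i in range(rounds):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def decrypt_block(key, block, rounds=8):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def new_components():
    """Each escrow agent generates and stores one component independently."""
    return secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)


def combine(ku1, ku2):
    # Assumed combiner: KU = KU1 XOR KU2, so one component alone reveals nothing.
    return _xor(ku1, ku2)


def make_leaf(kf, ku, did, ks):
    """Device side: wrap KS under KU, append DID and EA, encrypt under KF."""
    inner = encrypt_block(ku, ks) + did + EA_PATTERN   # 10 + 4 + 2 = 16 bytes
    return encrypt_block(kf, inner)                    # 128-bit LEAF


def open_leaf(kf, leaf):
    """Family-key holder: learns the DID, checks the EA, still lacks KS."""
    inner = decrypt_block(kf, leaf)
    wrapped, did = inner[:KEY_LEN], inner[KEY_LEN:KEY_LEN + DID_LEN]
    if not hmac.compare_digest(inner[-EA_LEN:], EA_PATTERN):
        raise ValueError("escrow authenticator mismatch: LEAF altered or wrong KF")
    return did, wrapped


def recover_session_key(kf, leaf, ku1, ku2):
    """Grantee with KF and both escrowed components recovers DID and KS."""
    did, wrapped = open_leaf(kf, leaf)
    return did, decrypt_block(combine(ku1, ku2), wrapped)


if __name__ == "__main__":
    kf = secrets.token_bytes(KEY_LEN)
    ku1, ku2 = new_components()
    did = bytes.fromhex("00c0ffee")                    # constructed device ID
    for _ in range(2):                                 # two separate sessions
        ks = secrets.token_bytes(KEY_LEN)
        leaf = make_leaf(kf, combine(ku1, ku2), did, ks)
        assert recover_session_key(kf, leaf, ku1, ku2) == (did, ks)
        print(leaf.hex(), "-> KS recovered with the same two components")
```

Because every LEAF from a device wraps its session key under the same KU, the same two components open both sessions, which is the concern the commenter raised about disclosure of the Device Unique Key.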
    This standard is not an interoperability standard. It does not 
provide sufficient information to design and implement a security 
device or equipment. Other specifications and standards will be required to 
assure interoperability of EES devices in various applications. 
Specifications of a particular EES device must be obtained from the 
manufacturer.
    The specifications for the SKIPJACK algorithm are contained in the 
R21 Informal Technical Report entitled ``SKIPJACK'' (S), R21-TECH-044-
91, May 21, 1991. The specifications for LEAF Creation Method 1 are 
contained in the R21 Informal Technical Report entitled ``Law 
Enforcement Access Field for the Key Escrow Microcircuit'' (S). 
Organizations holding an appropriate security clearance and entering 
into a Memorandum of Agreement with the National Security Agency 
regarding implementation of the standard will be provided access to the 
classified specifications. Inquiries may be made regarding the 
Technical Reports and this program to Director, National Security 
Agency, Fort George G. Meade, MD 20755-6000, Attn: R21.

[FR Doc. 94-2919 Filed 2-8-94; 8:45 am]
BILLING CODE 3510-CN-M