The following questions from Congress were recently answered by NIST. ---------------------------------------------- Questions and Answers on the Administration's "Clipper Chip" Technology 1. Has the encryption algorithm or standard endorsed by the Administration been tested by any entity other than NSA, NIST or the vendor? If so, please identify such entities and the nature of testing performed. If not, please describe any plans to have the algorithm tested by outside experts and how such experts will be chosen. A: No entities other than those listed have tested or studied the algorithm. The White House has stated that respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report its findings. It is anticipated that this will occur over the next two months, provided that appropriate security clearance and logistical details can be worked out, but no detailed plans. 2. Under the Administration's plan, what entities will be the holders of the "keys" to decrypt scrambled data? What procedures or criteria will the Administration utilize to designate such key holders? A: The President has directed the Attorney General to make all arrangements with appropriate entities to hold the keys for the key-escrow microcircuits installed in communications equipment. In each case, the key holder must agree to strict security procedures to prevent unauthorized release of the keys. The selection process, which is currently underway, is being accomplished by the Attorney General, in accordance with the President's instructions. 3. Does the encryption algorithm endorsed by the Administration contain a "trap door" or "back door," which could allow an agency or entity of the Federal government to crack the code? A: No. 4. It is clear that, over time, changes in technologies used for communications will require new techniques and additional equipment. How will encryption devices adapt to the rapid advancement of telecommunications technology? A: The microcircuit technology in which the "Clipper Chip" algorithm is incorporated is expected to advance as technology advances. In addition, private sector firms will have market incentives to design and build more advanced products designed to meet the ever-advancing demands of the marketplace. 5. What additional costs would the proposed encryption place on the Federal government? What is the estimated cost to consumers and businesses which opt for the federal standard in their equipment? A: It is anticipated that costs for "Clipper Chip"-based hardware products will be competitive with other hardware- based solutions. The chip itself is expected to be no more than $26/each (in quantity) to product manufacturers. As the technology gains acceptance and production costs are minimized, it is anticipated that the cost of the chip will fall correspondingly. The purchasing of encryption technology, whether in the government or private sector, is a decision which must be made by weighing the costs of the products, maintenance, and administration against the expected losses of information disclosure or other loss. The "Clipper Chip" offers protection exceeding the strength of many of the products on the market today. 6. What is the Commerce Department's assessment of the competitive impact of the Administration's endorsement of the "Clipper Chip" technology on U.S. exports of computer and telecommunications hardware and software products? A: The Administration's endorsement of the "Clipper Chip" is unlikely to have any immediate impact on the competitiveness of these industries in the export market. Ultimately, the impact upon exports will depend on the growth of encryption technology as a percentage of these markets, customer demand for these products and the importability of these devices into foreign countries. Currently, encryption technology encompasses a very small percentage of the entire computer and telecommunications hardware and software industry. Please be aware that the subject of cryptographic export controls will be examined by comprehensive policy on encryption. Meanwhile, products containing the "Clipper Chip" will initially be handled in accordance with the State Department regulations for the export of data encryption products. An export license will be required but likely approved for exports to American firms and their subsidiaries overseas. This same procedure is now in place for exports of products containing the Data Encryption Standard.