
Resolving the Encryption Dilemma:
The Case for Clipper 
By Dorothy E. Denning

The U.S. government has launched a program to expand security and privacy protection for electronic communications, while 
preserving the government's capability to conduct authorized wiretaps. Despite attacks from civil libertarians, the approach is 
the best way to balance individual privacy with the social good.
---------------------------------------------------------------------------
DOROTHY E. DENNING is professor of computer science at Georgetown University and a specialist in computer 
and communication security. She is author of Cryptography and Data Security (Addison-Wesley, 1982). 
---------------------------------------------------------------------------
Links related to this article 
---------------------------------------------------------------------------


Imagine you are the program manager for a new, energy-efficient airplane. You fax the design plans to the manager of an 
overseas plant that will manufacture parts of the plane. You also discuss the design by phone with engineers in the plant. A 
few months later, your company loses a bid for a fleet of planes to an overseas competitor who proposed a nearly identical 
design. The rival stole your plans by intercepting your voice and fax communications. 

Fortunately, electronic communication can be protected against such industrial espionage with encryption - scrambling of data 
in such a manner that they are unintelligible to anyone other than the intended receiver. In today's digital world, 
communications are first converted into ones and zeroes. An encryption algorithm mathematically transforms these bits into a 
stream of digits that seems random. Performing the transformation requires a secret key - which is also a random-seeming 
string of ones and zeroes; the receiver uses this key to decrypt and recover the original message. The more digits there are in 
this key, the more secure the protection; each additional bit doubles the number of possible combinations that a would be 
snooper must try.

Encryption has been used in the United States primarily to protect classified state and military secrets from foreign 
governments. However, its use outside the government has been steadily increasing ever since the Data Encryption Standard 
(DES) was adopted as a federal standard in 1977. DES, which is based on a 56-bit key, is now used extensively by the 
banking industry to protect money transfers and by some corporations to protect sensitive communications transmitted 
through company networks or the telephone system. As individuals and companies swarm onto the Internet, they are also 
beginning to encrypt electronic mail and computer files.

But encryption is a dual-edged sword. The spread of high-quality encryption could undermine the value of wiretaps Ñ a 
technology that has helped ensnare organized crime figures and other menaces to society. With the government essentially 
locked out, computers and telecommunications systems would become safe havens for outlaws and terrorists. In one recent 
child pornography case in California, evidence was concealed in encrypted computer files that could not be broken.

Encryption also could interfere with U.S. intelligence abroad, because it could allow a country like Iraq to operate behind a 
wall of electronic secrecy. Encryption technology is therefore subject to export controls: products that incorporate DES or 
other strong encryption methods cannot generally be exported. This has been a sore point with U.S. industry, which has 
argued that since DES-based products are manufactured overseas also, the controls have succeeded only in putting U.S. 
industry at a disadvantage. However, even though export controls have not prevented DES and other methods of encryption 
from being implemented elsewhere, the controls have protected valuable and fragile intelligence capabilities.

Encryption poses a threat to organizations and individuals, too. For effective secrecy, a minimal number of people should be 
allowed to know the encryption key. This practice invites disaster, though, as valuable information stored in encrypted files 
could become inaccessible if the key were accidentally lost or corrupted, intentionally destroyed, or maybe even held for 
ransom by a disgruntled employee or former employee. Encryption also could enable an employee to transmit corporate 
secrets to a competitor or to cover up fraud, embezzlement, and other illegal activity.

Despite such problems, almost everyone agrees that individuals and organizations need access to encryption technology. With 
the spread of computer networks, people are conducting more and more of their personal and business affairs through 
computer and telephone networks. Encryption is essential for erecting a wall of privacy around those communications.

To resolve the encryption dilemma, the Clinton administration in 1993 proposed a new approach, called "key-escrow" 
encryption. The idea is to make broadly available an essentially unbreakable encryption scheme. The catch: to allow for 
emergency access to information, the keys to unlock the keys to unlock the encrypted data would be held by the U.S. 
government.

The idea is to allow the most secure encryption, but with a built-in emergency decryption capability that allows authorized 
officials, with the cooperation of one or more trusted parties who hold keys, to decrypt data. The initial embodiment of this 
system is a microelectronic device called the Clipper chip, and its escrow agents are the National Institute of Standards and 
Technology (NIST) and the Department of Treasury's Automated Systems Division. In principle, commercial organizations 
also could serve as escrow agents.

The Clipper chip uses an encryption algorithm called Skipjack and keys of 80 bitsÑ24 bits longer than DES keys. The extra 
24 bits provides 224 or about 16 million times the security against trial-and-error guesses at keys. The Skipjack algorithm was 
designed by the National Security Agency (NSA) and is classified.

Some civil libertarians have adamantly opposed this plan, worrying that the key escrow system will put the communications of 
honest persons needlessly at risk. After all, they argue, criminals are not going to be dumb enough to use an encryption 
scheme to which the government holds the keys. The logical next step, they say, would be to outlaw other methods of 
encryption, striking a blow at citizens' right to communicate away from the government's eyes and ears. Thus, critics argue, 
Clipper heralds future erosions in privacy rightsÑBig Brother on a chip.

Actually, Clipper represents a more secure approach to encryption than the two other avenues that the government has 
considered. One approach would use an encryption method with short enough keys that it becomes practical for any 
eavesdropper to guess a key by trying all possibilities. The other would use long keys, but have a built-in "trapdoor" allowing 
someone familiar with the system to find the key. The problem with this approach is that someone else might discover the 
trapdoor. Clipper avoids these weaker methods, offering a high-security solution to the encryption dilemma.

Holding Keys in Escrow 

The specifications for Clipper were adopted last year as the Escrowed Encryption Standard for use with sensitive but 
unclassified telephone communications, including voice, fax, and data. The EES standard is voluntary; nongovernment 
agencies have no obligation to use it, and government agencies can choose between it and any other encryption standard, 
such as DES. With the U.S. government holding the keys, EES poses no threat to foreign intelligence operations and thus 
EES-based encryption products can be exported.

The first product to use the Clipper chip is a device that plugs into a standard phone between the handset and the base unit. 
Manufactured by AT&T, the device can encrypt any conversation as long as the party at the other end has a compatible 
device. After a call is established in the usual way, one party presses a button on the device to activate its "secure mode." 
The two devices then enter into a digital, behind-the-scenes conversation to establish a "session key" that is unique to the 
conversation. Each device passes this 80-bit session key to its Clipper chip; the Clipper uses this key to encrypt outgoing 
communications and decrypt incoming communications. Before encrypting any data, however, the chip computes and 
transmits a string of bits called the law enforcement access field (LEAF). The LEAF contains the session key for the 
conversation and is what enables authorized government officials to decrypt the data.

To protect the session key in the LEAF, it is itself encrypted. Each Clipper chip has a unique identifier (ID) and associated 
"device-unique key." The device-unique key is split into two components, each of which is given to a separate escrow agent. 
Using this device-unique key, the Clipper chip encrypts the session key. The encrypted session key is then put into the LEAF 
along with the chip ID. The entire LEAF is further encrypted under a common "family key" so that even the chip ID is not 
transmitted in the clear. These two layers of encryption provide a strong shield against an eavesdropper learning the session 
key and then decrypting the data.

Users of Clipper don't need to be aware of any of these details; they simply use their phones as always. The complexity 
surfaces when a law enforcement official encounters encrypted communications on a tapped phone line. First, the 
communications must be passed through a special device, known as a decrypt processor, to ascertain if they are Clipper 
communications. If they are, the processor locates and decrypts the LEAF, and then extracts the chip ID. (Because the 
same session key is used to encrypt both ends of the conversation, it is not necessary to obtain the chip ID for both parties.)

But knowledge of this chip ID alone will not allow the wiretap to be deciphered. What is needed are the two components of 
the device-unique key associated with this IDÑand this information is what is held by the two key escrow agents. So the law 
enforcement officials, having obtained this ID, must request these components from the escrow agents. These key 
components are then entered into the decrypt processor, which combines them to form the device-unique key. This 
device-unique key, in turn, is used to decrypt the session key in the LEAF. Knowledge of this session key enables the 
conversation to be decrypted. If subsequent conversations on the intercepted line are encrypted, the decrypt processor can 
decrypt the session key directly, without going through the two escrow agents. This allows for real-time decryption.

Safeguards 

Critics maintain that the very idea of a key escrow system raises the risk that encrypted messages will be decoded by the 
wrong people. Without proper safeguards, an intruder might break into a computer containing escrowed keys, download the 
keys, and use the keys to decrypt communications intercepted illegally. Alternatively, a corrupt employee of an escrow agent 
might use the keys to engage in illegal wiretapping or sell the keys to a foreign government or to the mafia.

Clipper's key escrow system is being developed with extensive controls to protect against such threats. One fundamental 
safeguard is key secrecy. Keys and key components are generated in computers and are never displayed or printed out in 
forms readable by humans. In addition, they are always stored and transmitted in encrypted form.

Physical security is used extensively to protect sensitive material. The computer workstations at NIST and the Department of 
Treasury that are used for key escrow functions are used for nothing else and are kept in secured facilities. The chips are 
programmed with their IDs and device-unique keys in a vault designed for handling classified information.


As the Clipper system develops, keys are stored on floppy disks in double-locked safes and carried manually, wrapped in 
tamper-detecting packages, from the facility where the chips are programmed to the escrow agents and from the escrow 
agents to the law enforcement facility that is tapping the call. Ultimately, the keys will be transmitted electronicallyÑin 
encrypted formÑ between the chip-programming facility and escrow-agent workstations, and between those workstations 
and the law-enforcement decrypt processors. Separation of duties limits the power of a single person or agency. Different 
organizations operate the chip-programming facility (so far, Mykotronx Inc. of Torrance, Calif., runs the only one), the key 
escrow services (NIST and the Department of the Treasury), and the decrypt processors (law enforcement agencies). 
Escrow officers are not allowed to program the chips, operate a decrypt processor, or even have a decrypt processor in their 
possession. Law-enforcement officers have access to a decrypt processor but not to keys (keys cannot be extracted from a 
decrypt processor). Escrow officers will attach a "self-destruct" date, corresponding to the end of the period of authorized 
surveillance, to keys transmitted to a decrypt processor. This measure precludes the use of keys after a wiretap order 
expires.

To limit the power of a single individual to abuse the system, the key escrow system requires that at least two people be 
present whenever a critical function is performed or when sensitive data might be exposed. In fact, because each chip's 
device-unique key is split into two components, and each component is held by a separate key escrow agent, it is not possible 
for one person to act independently. Neither component by itself reveals any information about the key; to reconstruct and 
use the key, both escrow agents must supply their parts. Further, within each escrow agency, it takes two escrow officers to 
unlock the safes that contain the key components. Similar two-person control systems have worked successfully in the 
military to control nuclear-launch codes and in the banking world. Detailed procedures govern all operations that involve 
escrowed keys, including generation of the keys, programming of the chips, storage and release of escrowed keys, and 
government decryption. For example, a request for escrowed key components must include certification that the official is 
authorized to conduct the wiretap (normally established by a court order). 

All operations that involve the generation, release, or use of escrowed keys are logged. From the logs, it should be possible to 
determine that keys are used only as authorized, and only to decrypt communications intercepted during a period of authorized 
surveillance. The key escrow system is undergoing independent validation and verification. In addition to paid contractors, 
four individuals, including myself, have been voluntarily reviewing the system as an extension of our earlier review of the 
Skipjack algorithm, on which Clipper is based. Based on what I have seen so far of the design, I conclude that there is no 
significant risk of an insider or outsider acquiring unauthorized access to keys.

As the Clipper system proves to be strong and resistant to abuse, the technology will, I believe, become more widely 
accepted. The Department of Defense already uses CapstoneÑa more advanced chip that is built into a PC card named 
FortezzaÑto provide security for electronic mail. Fortezza offers an attractive option for secure electronic commerce: it 
contains a mechanism for electronically "signing" a digital document so that the recipient can verify the sender's identity. The 
American National Standards Institute (ANSI) is developing banking standards that could use Fortezza technology.

Who Do You Trust? 

These safeguards have not eased everyone's mind. One big concern is that the Skipjack encryption algorithm on which 
Clipper is based is classified. Because Skipjack is not open to public review, some people have questioned whether NSA 
might have intentionally sabotaged the algorithm with a trapdoor that would allow the government to decode encrypted 
communications while bypassing the escrow agents. 

Critics also worry that this secret algorithm might harbor a design flaw that would leave it vulnerable to cracking. Such 
concerns have a legitimate base. Designing strong encryption algorithms is a difficult task. The only way to make sure that an 
algorithm is any good is to let many people analyze it and try to crack it over an extended period of time; many encryption 
schemes that appeared strong when first proposed later succumbed to attack.

A noteworthy example is the RSA algorithm, named after Ronald Rivest, Adi Shamir, and Len Adleman, all of whom were at 
MIT when they invented it in 1977. Breaking RSA requires the solution of a difficult mathematical problem: given a large 
number, what are the prime numbers that must be multiplied together to yield that number? A very simple example, with a 
low number, would be to find the prime factors of 1,261; a few minutes with a pocket calculator, or a trivial computer 
program, will reveal the answer: 13 and 97. But as the number to be factored increases in length, this task seems to get 
exponentially more difficult. When the algorithm was first introduced, Rivest predicted that it would take a quadrillion years to 
factor a 125-digit number using the fastest factoring methods then known. But factoring methods have advanced rapidly, and 
in 1994 a 129-digit number was factored in 8 months through the use of some 1,600 computers scattered around the world. 
RSA still appears to be very strong for numbers that are 200 digits or more. 

To address the concerns about weaknesses and trapdoors in Skipjack, the government invited outside experts to 
independently review the algorithm and report their findings. I participated in that review along with four other cryptographers 
in 1993. We examined NSA's internal design and evaluation of Skipjack and found them to be the same as used with 
algorithms that protect the country's most sensitive classified information. Skipjack underwent thorough evaluation over many 
years following its initial design in 1987, and the specific structures used in the algorithm have an even longer history of 
intense study. We also conducted some analysis and experiments of our own to determine if the algorithm had any properties 
that might make it susceptible to attack. Based on our analysis and experiments, we concluded that there was no significant 
risk that Skipjack contained a trapdoor or could be broken.

Although publication of Skipjack would enable more people to confirm its strength, NSA is unlikely to do so; declassifying 
Skipjack would benefit foreign adversaries and allow the algorithm to be used without the key escrow features. Even if 
Skipjack were made public, it would probably be years before skeptics would accept its strength. When DES was introduced 
in 1975, it was similarly distrusted because of some NSA involvement even though the algorithm was developed by IBM and 
made public.

Still, Clipper's use of a classified algorithm does limit its acceptability. There are many people who will never trust the NSA; 
for them, Clipper is tainted goods. In addition, many potential foreign buyers will not accept a classified algorithm or keys held 
by the U.S. government, although Mykotronx has reported that some potential foreign buyers are not concerned about these 
factors. Agreements might be reached that would allow some other governments to hold the keys or have access to the 
classified technology, but such agreements would likely be limited to a few countries.

Moreover, as long as the algorithm is supposed to remain secret, it must be implemented in tamper-resistant hardware. That's 
because there is no known way of hiding classified information in software. This precludes software implementations, which 
are generally cheaper. On the other hand, hardware generally provides greater security for keys and greater integrity for the 
algorithms than software, so some customers will want hardware products.

Although key escrow is voluntary, critics say that the introduction of Clipper points national policy in a disturbing direction. 
The main premise here is that the criminals that Clipper is meant to uncover would be unlikely to choose an encryption 
scheme to which the U.S. government holds the keys. Many forms of unescrowed encryption are already on the market, and 
more are being developed. One file encryption package, called Pretty Good Privacy (PGP), is spreading as free software 
through the Internet and becoming popular for encrypting e-mail. Unescrowed encryption with time-tested algorithms such as 
DES and RSA is also being integrated into commercial products. The only way to accomplish the goals of Clipper, skeptics 
therefore maintain, would be to ban unescrowed encryption systems Ñ a prospect that enrages some defenders of electronic 
privacy.

But it is not self-evident that criminals will shun Clipper. Whether they use the escrowed encryption system will depend in 
part on what else is available Ñ and in particular what other forms of encryption are built into the most widely used 
commercial products. While PGP has a certain grassroots appeal, many organizations will be reluctant to trust their assets to 
software obtained over the Internet.

Over time, market forces could easily favor escrowed encryption. Some organizations might choose to use Clipper because 
the high quality of its encryption outweighs the slight risk that information will fall into the wrong hands. Vendors might favor 
key escrow because they will be able to build it into products that are exported. And the government's adoption of escrowed 
encryption will set a de facto standard; any company that needs to exchange encrypted information with federal agencies will 
need to use compatible encryption. If escrowed encryption becomes a business standard, many criminals will tend to use it Ñ 
the convenience will outweigh the risk. 

Even if criminals do not use Clipper, the government's voluntary initiative serves a useful purpose. If the government instead 
promoted strong encryption without key escrow, this would accelerate the spread of encryption that the government could not 
decrypt and the use of such encryption by criminals. The government decided that it would not be responsible to use its own 
expertise and resources to pursue encryption standards that fundamentally subvert law enforcement and threaten public 
safety and national security.

Escrow Alternatives 

The basic concept of key escrow does not necessarily depend on handing the keys to government agencies. Private-sector 
organizations Ñ licensed and bonded Ñ could serve as key escrow agents instead. Although nongovernment escrow agents 
are unlikely to provide any greater protection than government ones operating under the controls stipulated for the Clipper 
system, they could be more widely accepted by those who are particularly concerned about government abuse. In addition, 
commercial escrow agents could make their services available to the private sector so that individuals and organizations could 
acquire their own keys for data recovery purposes. Clipper's key escrow system does not have this capability. 

Some encryption products already have private key escrow capabilities whereby an organization can escrow its own keys. In 
addition, several companies and individuals have proposed commercial key escrow approaches, with third party agents. Some 
of these proposals, for example, one from Trusted Information Systems of Glenwood, Md., use software with unclassified 
algorithms. Commercial key escrow might achieve greater acceptability than Clipper and encourage the adoption of key 
escrow over unescrowed encryption. For that reason, the government has been working with industry to find alternatives to 
Clipper that might better meet the needs of industry and users.

For commercial key escrow to work, legislation may be required to deal with issues relating to liability and jurisdiction. What 
happens, for instance, if a state or local law enforcement agency needs keys held by an escrow agent located in another 
state? Normally, a warrant cannot be taken across state boundaries except during federal investigations.

Another important question surrounding commercial key escrow is whether such systems will be exportable. Companies that 
make encryption products would like to be able to manufacture a single product line for both domestic and international sales. 
Moreover, the opening of an export market would help expand the market for key escrow encryption Ñ indirectly, at least, 
lowering the chances that criminals will use unescrowed encryption. So far, the U.S. government has not said whether it 
would permit the export of commercial key escrow or software-based systems. At issue is whether the government is 
assured that it will have a way to decrypt information when it deems it necessary to do so.

An exportable encryption scheme would also facilitate an international encryption standard Ñ an important goal, given that 
organizations often need to communicate securely with customers, suppliers, and partners outside the United States. So far, 
no international encryption standard provides end-to-end protection of confidentiality. DES is used worldwide, especially by 
the financial industry, but mainly for authenticating financial transactions rather than shrouding messages in secrecy. Many 
countries around the world have adopted a system called Global System for Mobile to keep mobile radio communications 
secure. But GSM encrypts only the over-the-air link between a mobile phone and a base station. 

Communications that travel through wires and cables therefore remain vulnerable to interception. Key escrow encryption 
offers the best hope for an international standard that would facilitate such international communications. In fact, an 
encryption method that does not provide a capability for government access is unlikely to be accepted as an international 
standard; other countries share the U.S. desire not to be left in the electronic lurch. Each country could designate its own 
escrow agents, which could be either government or commercial organizations. Users might have the option of choosing an 
escrow agent from this list. Bankers Trust has outlined a proposal for just such an approach. Like Clipper, the Bankers Trust 
system would use hardware for its greater security; unlike Clipper, however, the algorithm would be unclassified and 
therefore more suitable for commercial and international use.

Will Clipper Catch On? 

Much opposition to Clipper stems from the belief that the government has an insatiable and unsavory desire to gather 
information about its law-abiding citizens. Clipper, say critics, is a bad idea because it permits such activity. Despite the 
system's safeguards, some people are concerned that a future administration or corrupt police officer could obtain keys to 
conduct questionable if not outright illegal wiretaps.

At a forum held at MIT last September, professor Rivest argued that the fundamental question Clipper raises is: Should 
American citizens have the right to have communications and records that the government cannot access even when properly 
authorized? A case can be made that from a constitutional standpoint, no such absolute right exists. The Fourth Amendment 
specifically protects against unreasonable searches and seizures while allowing those conducted with a court order.

While abuse of the Clipper system cannot be ruled out, it is unlikely. Neither the public nor Congress has tolerated such 
activity in the past, and federal wiretap laws, government regulations and procedures, and congressional committees have 
been established to protect against their occurrence in the future. Wiretaps are conducted under tight controls and subject to 
considerable oversight. Clipper includes an additional layer of protection since anyone wishing to conduct a wiretap must also 
acquire a special decrypt processor and keys from the escrow agents.

The opposition to Clipper makes its widespread adoption by no means assured. But escrowed encryption offers the best hope 
for reaping the benefits of encryption while minimizing its potential harm. Rejection of key escrow would have profound 
implications for criminal justice. As computer networks continue to expand into every area of society and commerce, 
court-ordered wiretaps and seizures of records could become tools of the past, and the information superhighway a safe 
haven for criminal activity. 
---------------------------------------------------------------------------
Links related to this article.
Know a good URL? Suggest a link.
---------------------------------------------------------------------------

Technology Review Homepage| Table of Contents| Free Issue
---------------------------------------------------------------------------
TECHNOLOGY REVIEW ON-LINE COPYRIGHT NOTICE