NSA is suedfor access toalgorithms
- By Heather Harreld
- Apr 27, 1997
A former Energy Department cryptographer is suing the National Security Agency for access to several classified encryption and authentication algorithms including the controversial "Clipper" algorithm.
William Payne who worked for Sandia National Laboratories in New Mexico from 1980-1992 filed the Freedom of Information Act suit in U.S. District Court in New Mexico on Feb. 28. Payne wants access to algorithms so that the encryption community can scrutinize how easy it is to break the codes. NSA filed its response April 4. The suit was posted on the Internet last month.
In addition to requesting access to the Clipper encryption algorithm which allows law enforcement agencies to decode scrambled messages Payne requested access to an authentication algorithm that monitors nuclear explosions in Russia an authentication algorithm that verifies the integrity of data contained in treaties the algorithm housed in an electronic lock used to secure launch control of small missiles and the encryption algorithm that protects conversations on secure telephone units used extensively by the military and intelligence agencies.
Payne also is requesting access to NSA's published classification guidelines. He claims the agency is abusing its classification privileges and that a recent executive order regarding declassification requires that agencies perform "mandatory declassification" reviews.
In its response NSA claims that the documents requested by Payne are covered by one or more of the exemptions to the FOIA. NSA states that exceptional circumstances exist with regard to its compliance with FOIA time deadlines and that the agency is exercising due diligence in responding to the request according to the court document. NSA also requests that the suit be dismissed.
Payne has had a stormy relationship with NSA since he was fired from Sandia in 1992 for a "flagrant attack on a valued Sandia customer and repeated insensitivity to security/classification requirements " according to a letter from the lab.
Payne said he was terminated because he published reports criticizing NSA cryptography as deficient and refused to work for the FBI to break electronic locks. Payne sued Sandia in 1993 for wrongful termination but the court ruled in favor of the laboratory. That case is now being appealed.
In a recent interview Payne said he believes that NSA does not want to release technical specifications of the algorithms because they would be embarrassing to agency officials because of security weaknesses. The agency also wants to maintain its dominance over the cryptography market he said.
"Every agency has to publish a classification guide " Payne said. "On the FBI and the NSA I could never find those guidelines. You can't classify things that are an embarrassment. [The algorithms are] too slow and take too much hardware to implement. NSA would like to control cryptography totally. If you want to do any type of cryptography you have to get their approval."
To support his assertions Payne said that the algorithm used to protect the language of international treaties contains a key that is only 11 bits long. That key is much shorter than the 48-bit keys contained in the encryption algorithm that in February was cracked by hackers in 13 days. The encryption algorithm required by the federal government for data encryption contains 56-bit keys.
Bruce Schneider president and chief executive officer of Counterpane Systems the cryptography company that recently discovered a security hole in digital telephones said NSA would likely not be embarrassed by the release of the algorithms nor would national security be compromised. The release of these algorithms however would provide great benefits to the cryptography community he said.
"If you look at cryptography before [Data Encryption Standard] it was an absolute mess nobody knew how " said Schneider who is author of the Blowfish algorithm a drop-in replacement for the DES which is widely used by the federal government. "For the last 20 years the research community has gone to school on DES. To get other algorithms out of the NSA those could also be studied and researched by the cryptography community. The interest of a single military agency is running counter to the interest of the country as a whole."
He suggested that NSA does not want the cryptography community to research these algorithms because the industry could evolve to design secure cryptography that would hamper NSA officials from eavesdropping the main mission of the agency.
"Any strong security system...is secure even if all the details of the system are made public " he said. "You want your nuclear launch codes to be secure even if some rogue NSA employee publishes the algorithm."This is not the first legal battle challenging the classification of the Clipper algorithm. The Electronic Privacy Information Center filed in 1993 a federal lawsuit challenging the national security classification of the algorithm and all information related to its use.
Arguments in that case have been completed and a decision is pending said David Sobel legal counsel for EPIC. Sobel said NSA officials argued that if the federal agency were to reveal any information about its cryptography capabilities national security would be compromised.
"It has always been a domestic law enforcement rationale " Sobel said. "We argued that it was inappropriate to use national security classification for something that was intended for domestic use."