			CRYPTOGRAPHY AS DUCT TAPE
			-------------------------

Ronald L. Rivest
Associate Director, MIT Laboratory for Computer Science
Cambridge, MA 02139
(617)253-5800; fax (617)258-9738; (617)646-0504(home phone and fax)
rivest@theory.lcs.mit.edu
http://theory.lcs.mit.edu/~rivest

Version of June 12, 1997.

Senators of the Senate Commerce and Judiciary Committees

I am writing you regarding an issue of cryptographic policy that faces
the nation.  In particular, I am writing to ask that you do not
support regulations or legislation that support cryptographic ``key
recovery.''  I believe that the proposal to use or require key
recovery for law enforcement purposes is very poorly justified, very
costly for the supposed benefits it would achieve, dangerous to its
users, and based on serious misperceptions about how cryptography fits
into the modern information infrastructure.  In this note I would like
to emphasize this last point, by carrying through the metaphor that
cryptography is really the electronic equivalent of ``duct tape'':
enormously useful (essential, even) for joining together the parts of
an information system, cheap and easy to use, but subject (as is any
technology) to abuse.  Yet we don't require registration of ``duct
tape users,'' and we shouldn't require registration of cryptography
users.  (Key recovery is the effective equivalent of registering duct
tape users, or of requiring registration of every usage of duct tape.)

Today, most information is digital, stored in computers and
transmitted over networks.  Diaries, love-letters, medical and
financial records, business plans, movies, political speeches, and
textbooks are all represented and communicated as sequences of ones
and zeros.  A large fraction of our national memory is now captured,
saved, and replayed in digital form.

In its pure form, digital information is anonymous--you can't tell who
created a given one or a given zero.  A digital prescription may have
been created by your physician, or by a high-school hacker.  A digitized
world requires authentication: a way of telling who authored what.  

Similarly, digital information is normally transmitted semi-publicly
on a radio or on a computer network.  Anyone with an appropriate
receiver or network connection can ``listen in'' to what is being
sent.  (With a little more work, an eavesdropper can even modify the
information being transmitted.)  The digital world is largely a public
world, unless special steps are taken to make information private.

The two most important needs of the digital world are thus
authentication and privacy (or confidentiality).  These needs are of
exceptional importance for the security of this nation.  Our economy
requires the authenticity of financial transactions.  The
competitiveness of our industries requires the confidentiality of
their planning, operational, and technological information.  We lose
billions every year through fraudulent financial transactions and
corporate espionage.  Law and order requires achieving authenticity
and confidentiality of our digitized information infrastructure.

Fortunately, there are reliable ways to achieve privacy and
authentication.  The essential tool is cryptography---the science of
communicating securely in the presence of adversaries who wish to
overhear or modify your digital communications.  Cryptography enables
two parties to ensure that an adversary can not understand a
transmitted message (because it is encrypted) and that an adversary
can not modify a transmitted message without being detected (because
it is ``digitally signed'').  Cryptography uses sophisticated
mathematics to provide unbreakable encryption and unforgeable digital
signatures.

Cryptography is a relatively new technology, outside of military
applications.  In the public domain, serious study of cryptography
really began in the 60's, but didn't blossom until the 70's and 80's.
Necessity is the mother of invention, and computer networks are the
mother of modern cryptography.  Computer networks need cryptography to
link their far-flung parts together just as a high-rise building needs
welds and rivets to hold the girders together.  Without cryptography,
computers don't know which other computers they are talking with, and
don't know if their information is securely kept within a given domain
of trusted computers.  Without rivets, a high-rise building is a pile
of girders, none supporting each other, with all of the building
contents spilled on the ground.

In most engineering sciences, the way parts connect and interact is
most important.  With computer networks, either the parts connect and
interact using cryptography, or they are vulnerable to fraud and
unwanted disclosure of information.  

Computers are not connected merely by wires and networks.  Being
attached to one end of a wire or network provides little assurance as
to who is at the other end of the wire, or that the information
received was not modified en route.  The real connection is provided
by cryptography.  Cryptography helps guide and control the flow of
information, such as duct tape helps connect one air duct to another.

Cryptography is the ``connection science'' of computer networks.  

Used well, cryptography enables us to build the information
infrastructure of the twenty-first century: secure and strong enough
to support our information-based national economy.  Used poorly, we
invite hackers and enemies to disrupt our networks and steal from us.
Law and order requires a strong national capability in cryptography,
well-executed, to protect our information infrastructure.

Most technologies are usable by the ``bad guys'' as well as by the
``good guys.''  The automobile becomes a get-away car.  The radio and
telephone enable long-distance communications between a crook and his
boss.  The computer is used to run a numbers game.  Duct tape is used
to tie up hostages.  Airplanes carry drugs.  Most technologies are
egalitarian--they help everyone, good or bad, to be more effective or
more efficient.

Of course, there are numerous examples of forensic and surveillance
technologies developed specifically for law-enforcement: DNA, fiber,
handwriting and fingerprint analysis, bugging and wiretapping,
polygraphs, video surveillance, radar speed detectors, chemical trace
detectors, intrusion and motion detectors, and so on.  Because of
these specific advances, one can reasonably conclude that
technological advances have, overall, helped law enforcement immensely.

It is curious that the technology of cryptography has come to be such
a controversial one in terms of societal policy.  The issue arises
because cryptography allows individuals, good or bad, to keep their
communications confidential.

Of course, the issue isn't really whether individuals can have private
conversations.  Of course they can.  You and I can always meet
privately on the beach or elsewhere to talk.  I believe that a
democratic society should guarantee the right of any two individuals
to have a private conversation, unless one or both of them is in jail.
(This is an important belief to me, although not central to the
development here.)

The problem arises from the fact that more and more of our
communications are now carried on electronically.  When I was young, a
phone call was a rare event, and TV a novelty.  Today, the bulk of my
communications are electronic---I use the phone, TV, and email heavily
for routine communications.  I talk to my wife almost as much on the
phone as I do to her in person (we talk a lot on the phone).  I
frequently send email to my secretary to ask her to do something.  I
watch the news on TV.  Because it conquers distance easily, electronic
communication replaces talking face-to-face.  

But electronic communication, like any network communication,
engenders needs for privacy and authentication.  I want to know that
no one is listening in to my conversaation with my wife.  My secretary
wants to know that the request to mail out my draft paper is really
from me. 

We have been working with a deeply flawed communications network for
most of the century.  The network does not provide the privacy and
authentication that it should.  It replaces private face-to-face
communication with reproduced voice and email that is not guaranteed
to be private and is not guaranteed to be authentic.  Cellular phones
have long been known to broadcast lover's sighs and credit-card
numbers to all who cared to listen.  A computer receiving a phone call
has little idea who is calling, until the caller identifies himself
with a name and password.  The network gets the information from one
point to another, but privacy and authentication have been lost in the
transition from face-to-face to electronics.

Law enforcement has upon occasion exploited these flawed
communications networks.  Wiretapping exploits the lack of privacy.
Bad guys (and good guys) often use the computer and phone networks as
if they had properties of privacy and authentication that they don't.
A wiretap can pick up a inadvertent fact or admission.

We are in the process of fixing these flawed networks, because it is
in our national interest to do so.  Cryptography is the essential tool
that can provide the privacy and authentication required.  The ``fix''
may take the form of new phones embodying cryptography, or of a
computer program that enables secure computer-to-computer connections.
Engineers everywhere are adding cryptography to their network and
product designs.  Devices that process digital information now use
cryptography routinely.  Products that don't use cryptography are
``cracked'' and cause their users and manufacturers huge problems.

Electronic commerce, electronic voting, the privacy of medical
records, pay-per-view entertainment, protection of intellectual
property, maintaining the stability of the financial system, and
controlling access to information and property all require
cryptography.  Cryptography is becoming as ubiquitous and pervasive
as electronic communications, because electronic communications
require cryptography to function properly and securely.

The average household may soon (if not already) contain dozens of
devices that deal with digitized information, all of which use
cryptography.  You will have pay-TV decoder boxes, smart-cards in your
wallet, electricity meters that can be read remotely, computers that
allow you browse the web, purchase items with your credit card, or
read your email, electronic door locks that communicate with an
electronic key, postage meters that print digitized postage stamps,
phones that provide secure communications, and medical records
encrypted in your electronic wallet.  Everywhere there is information,
there cryptography will be.

Good cryptography is the friend of law enforcement, because it
prevents crime.  Cryptography allows the flow of information to be
managed and checked.  Information only goes where it is supposed to
go, and bad or fraudulent information is detected and discarded.
Information theft and fraud based on unauthorized information
manipulation are stopped in their tracks by cryptography.

It is in our national interest to see that cryptography is vigorously
developed and utilized by the private sector.  Our economy is becoming
increasingly based on information and information management, and
cryptography is the most important and effective tool for controlling
and authenticating the flow of information.  Economic and political
adversaries, malcontents and insiders can exploit poorly protected
information systems.  Airline control systems, power grids, financial
institutions, and high-tech industries are either well-protected
cryptographically, or they are vulnerable targets waiting to be
attacked.

Cryptography is a defensive technology.  It protects against an
adversary exploiting a lack of privacy or a lack of authentication.
It is the lightning rod, the flame-proof material, the door-way
peep-hole of communications.  It protects the user from harm.  It is
the ``communications condom'' protecting one from ``unsafe
communications.''  It prevents damage to the integrity or privacy of
an information system.  It does not do damage itself.  

Given the overwhelming need for such a excellent defensive technology
in today's world, why should anyone attempt to restrict or limit its
use?  The answer is obvious: if the ``bad guys'' can use this
defensive technology as well, then the ``good guys'' won't be able to
tap and exploit their communications.

As noted earlier, technology often smiles on the evil as well as on
the good.  Unfortunately, this is as true of cryptography as it is of
the automobile.  The bad guys can protect their secrets with
cryptography, and smuggle their drugs in an automobile.  

When should technology be regulated?  I think there are two conditions
that need to be satisfied:

	(a) it should first of all be possible to do so, and
	
	(b) the benefit of regulation should exceed the costs and
	    disadvantages of doing so.

I feel that cryptography fails on both counts.

It is not possible to effectively regulate cryptography.  Trying to do
so is trying to command the sea to retreat.  As noted above,
information systems require cryptography for effective and secure
operation.  It is not possible to prohibit cryptography without
crippling our information infrastructure.  It is not possible to
require ``weak cryptography'' without leaving the whole structure
vulnerable to collapse.  And it is not possible to provide ``key
recovery'' without running enormous risks, as noted in my recent
report [KR].  Putting key recovery into cryptography is like
soaking your flame-retardant materials in gasoline---you risk a
catastrophic failure of the exact sort you were trying to prevent.
The ability of organized crime to corrupt just a few officials or
judges could be the spark that ignites it, with the security of our
national information infrastructure disappearing in the flames of keys
``recovered'' by organized crime.  

Indeed, key recovery schemes seem like they were designed by organized
crime.  What could be better than to persuade corporate America to
effectively put all of its secrets of its in one or a few baskets,
baskets that are sure to be underfunded and poorly guarded because
they are hardly ever used legitimately?  

Moreover, cryptography is impossible to regulate because it is trivial
to reproduce.  Many cryptographic techniques can be described with a
computer program that is shorter than the preceding paragraph.
Cryptography programs have been ``published'' on T-shirts.  Trying to
prevent the spread of a cryptographic technique is as hard as trying
to prevent the spread of a good piece of juicy gossip.  A short
telephone call can transmit a cryptographic program from one state or
country to another.  While one could coerce some major manufacturers
into producing products that are cryptographically weakened to include
key-recovery, alternative cryptographic techniques are easily
available from overseas world-wide-web sites.  I don't believe that
one should pass laws or issue regulations that are laughably naive
about the likelihood that they are capable of enforcement or being
effective in the desired aims.

Second, I believe that disadvantages of regulating cryptography far
exceed the aimed-for advantages.  It is regrettable that some ``bad
guys'' will use cryptography to conceal their activities.  It is
regrettable that duct tape is used by criminals too.  But I already
have more cryptographic devices in my house than I have rolls of duct
tape, and the benefits of duct tape are accepted without undue regard
for the fact that criminals might find it useful.  I believe that one
should properly regard cryptography as a kind of ``duct tape'' for the
information infrastructure of the country.  Like duct tape,
cryptography is cheap, essential, and easily reproduced.  Everyone
needs it.  Like duct tape, cryptography is used very widely for
legitimate purposes, and very infrequently by criminals.  Some crooks
will use cryptography.  We'll catch them and convict them using the
many newly developed forensic and surveillance technologies.  Trying
to regulate ``duct tape'' or register its users is foolish and a waste
of taxpayer's money.

References

[KR] The Risks of Key Recovery, Key Escrow, and Trusted Third Party 
     Encryption.  By Hal Abelson, Ross Anderson, Steven M. Bellovin,
     Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, 
     Peter G. Neumann, Ronald L. Rivest, Jeffery I. Schiller, and 
     Bruce Schneier.
     At http://www.crypto.com/key_study/


------------------------

Professor Ronald L. Rivest is the Webster Professor of Electrical
Engineering and Computer Science at MIT, and Associate Director of
MIT's Laboratory for Computer Science, and head of that laboratory's
Cryptography and Information Security research group.  He is a
co-inventor of the RSA public-key cryptosystem, and a founder of RSA
Data Security, a Redwood City (California) firm specializing in
cryptographic software.  He has numerous publications in the area of
cryptography, and has served on the board of directors of the
International Association for Cryptologic Research.  He is a member of
the National Academy of Engineering.