I've had a request for the text of the NSA objections to the 3DES ballot; it's 
included below, along with the ballot cover sheet, for anyone who's interested, 
with the serial numbers filed off both documents.
 
I've already asked this earlier: does anyone know any more about the planned 
TC68/SC2 crypto policy, which presumably was going to be along the lines of 
the "newly-accepted X9 policy" (see the NSA letter) that looked very 
NSA-inspired?
 
Peter.
 
-- Snip --
 
            ACCREDITED STANDARDS COMMITTEE - LETTER BALLOT
 
TO: X9 Members
FROM: X9 Secretariat
SUBJ: NWI: Triple DES Encryption for the Financial Industry
DATE: 10/18/94
 
At the Accredited Standards Committee-X9 meeting there was substantial
discussion about the issue of triple-DES.  The conclusive vote of the committee
was to ballot the work item.  There are many different views on this
cryptography.  Different views include the fact that NSA has stated that
triple-DES will not be exportable, that triple-DES is not within the X9 policy
written last fall and submitted to TC68/SC2, and that there are inter-industry
groups working with government agencies to examine other cryptography which may
be more acceptable, making triple-DES, at best, a non-exportable short-term
solution.
 
The work item states the position of those in the X9F3 working group in favour
of triple-DES; there were dissenting votes cast.  Furthermore, at the X9
meeting, the ABA and other X9 members voted against the proposal.
 
Please proceed to vote as to whether X9F, under X9, should develop a standard
for triple-DES.
 
-- Snip --
 
X9 Member
 
I will be casting a NO vote on the NWI proposal for triple-DES, Letter Ballot
XXXX.  The reasons are set forth below.  You may find these useful as you
determine your position.
 
Jerry Rainville.
 
                        NSA REASONS FOR NEGATIVE VOTE
 
While NSA supported the use of DES in the global financial sector, we believe
that standardization of triple DES is ill-advised for a number of reasons.
 
The financial community should be planning to transition to a new generation of
cryptographic algorithms.  When DES was first introduced, it represented the
"only game in town".  It supported encryption, authentication, key management,
and secure hashing applications.  With a broader interest in security, the
market can now support optimized algorithms by application.  Going through the
expense of installing a stop-gap can only serve to delay progress in achieving
interoperable universal appropriate solutions.
 
While we understand the appeal of a snap-in upgrade, our experience has been
that any change is expensive, especially one where the requirements on the key
management system change.  We do not agree that replacing DES with triple DES
is significantly less expensive than upgrading to more appropriate technology.
 
Tripling of any algorithm is cryptographically unsound.  Notice that tripling
DES, at best, only doubles the length of the cryptovariable (key).  Phrased
another way, the DES was optimised for security at 56 bits.  We cannot vouch
that any of the schemes for doubling the cryptovariable length of DES truly
squares the security.
 
We understand the financial community has concerns with current key escrow
based encryption, however, we are committed to searching for answers to those
concerns.  But the government also is committed to key escrow encryption, and
we do not believe the proposal for triple DES is consistent with this
objective.
 
US export control policy does not allow for general export of DES for
encryption, let alone triple DES.  Proceeding with this NWI would place X9 at
odds with this long-standing policy.  It also violates the newly-accepted X9
cryptography policy.
 
The US government has not endorsed triple-DES; manufacturers and users may be
reluctant to use triple-DES for fear of possible liability.
 
Finally, further proliferation of triple-DES is counter to national security
and economic concerns.  We would welcome the opportunity to discuss these
concerns with an appropriate senior executive of your institution.
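The one technical claim in the NSA letter, that tripling DES "at best only doubles the length of the cryptovariable", rests on the meet-in-the-middle attack: double encryption with two k-bit keys can be broken with about 2^(k+1) cipher operations and a 2^k-entry table rather than 2^(2k), which is why the third DES application is needed at all. The following is an added worked example, not part of Peter's post or of either quoted document. It uses a constructed 16-bit Feistel toy cipher with a 10-bit key (names `toy_encrypt`, `toy_decrypt`, `meet_in_the_middle`, and the secret keys and plaintexts are all hypothetical) standing in for DES, so the whole attack runs in well under a second; the structure of the attack is the same for real DES, only the table and the time grow.

```python
"""Meet-in-the-middle against double encryption with a toy block cipher.

Constructed example (not from the original post): a 16-bit Feistel toy
cipher with a 10-bit key stands in for DES.  Double encryption under
(k1, k2) has a 20-bit key space, but the attack below recovers the pair
with 2 * 2**10 cipher operations plus a 2**10-entry table, not 2**20.
"""

KEY_BITS = 10
ROUNDS = 4


def _round_key(key: int, r: int) -> int:
    # Hypothetical key schedule: mix the key bits differently per round.
    return ((key >> r) ^ (key << (r + 1)) ^ (0x5A * (r + 1))) & 0xFF


def _f(x: int, rk: int) -> int:
    # Round function: add the round key, rotate, affine mix, xor.  Any f
    # works in a Feistel network; this one is just non-trivial enough.
    x = (x + rk) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return ((x * 0x6B + 0x27) & 0xFF) ^ rk


def toy_encrypt(key: int, block: int) -> int:
    """Encrypt a 16-bit block under a KEY_BITS-bit key."""
    left, right = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        left, right = right, left ^ _f(right, _round_key(key, i))
    return (left << 8) | right


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt: run the rounds backwards."""
    left, right = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _round_key(key, i)), left
    return (left << 8) | right


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """E_k2(E_k1(p)): the 'double DES' construction under attack."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    pairs: list of (plaintext, ciphertext) produced under one (k1, k2).
    Returns (candidates, cipher_ops) where cipher_ops counts the single
    cipher calls in the two main sweeps (table build + lookup sweep).
    Extra pairs are used only to weed out false matches on the first pair.
    """
    p0, c0 = pairs[0]
    ops = 0
    # Forward sweep: E_k1(p0) for every k1, indexed by the middle value.
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        ops += 1
    # Backward sweep: D_k2(c0) for every k2; a hit in the table means the
    # pair (k1, k2) agrees on the first plaintext.  Confirm on the rest.
    candidates = []
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(k2, c0)
        ops += 1
        for k1 in table.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, ops


def demo():
    """Constructed secret keys and plaintexts; returns (found, ops, brute)."""
    k1, k2 = 0x2F3, 0x1A9  # hypothetical 10-bit keys
    plaintexts = [0x1234, 0xBEEF, 0x0042]  # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    candidates, ops = meet_in_the_middle(pairs)
    brute_force_ops = 1 << (2 * KEY_BITS)  # exhaustive search of (k1, k2)
    return (k1, k2) in candidates, ops, brute_force_ops


if __name__ == "__main__":
    found, ops, brute = demo()
    print(f"true key pair recovered: {found}")
    print(f"meet-in-the-middle cipher ops: {ops}  (brute force: {brute})")
```

With a 10-bit key the two sweeps cost 2048 cipher calls against 1,048,576 for exhaustive search of the key pair; for DES the same argument gives roughly 2^57 operations and a 2^56-entry table for double DES, which is the "only doubles the cryptovariable" point, and about 2^112 for the two-key-space search that three applications force.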
 