NASA
National Aeronautics and Space Administration
Washington D.C. 20546

JTD

James H. Burrows, Director
Computer Systems Laboratory
Technology Building, Room B154
National Institute of Standards and Technology
Gaithersburg, Maryland 20899

Dear Mr. Burrows:

NASA has reviewed the proposed Federal Information Processing Standard (FIPS) for an Escrowed Encryption Standard (EES) and provides comments below. NASA does not support the adoption of the proposed FIPS for an EES.

NASA understands the need to keep sensitive, unclassified information from those without a need to know; however, the EES is not appropriate for use in the NASA environment. Many NASA organizations are currently utilizing Data Encryption Standard (DES) based devices for the telecommunication of sensitive unclassified data. NASA has identified several EES-related issues that need to be addressed. The significant issues are discussed below.

1. Devices using the EES (CAPSTONE and CLIPPER), which implement the classified SKIPJACK algorithm, must be programmed. The chip programmer is a device provided by the National Security Agency (NSA). There is no assurance, without scrutiny, that all keying material introduced during the chip programming is not already available to the NSA. Thus, not only do the key escrow agents have a decryption capability, the NSA also retains this capability. As long as the programming devices are controlled by the NSA, there is no way to prevent the NSA from routinely monitoring all SKIPJACK encrypted traffic. Moreover, compromise of the NSA keys, such as in the Walker case, could compromise the entire EES system.

2. Users with criminal intent who are smart enough to use encryption will employ their own algorithms, thereby defeating EES devices. Should EES devices be mandated under law, these users will still encrypt the information feeding into the EES devices, thereby defeating EES.

3. Commercial and international use issues must be resolved in order for there to be value to the government. If the EES is not adopted by non-government organizations, Federal agencies will be impacted by significant cost and inefficiency factors. This is particularly true of government agencies with many non-government customers and suppliers.

4. Implementation of this standard would result in a significant, adverse impact to NASA. The Headquarters Computer Network, other local area networks, and many computers that are not TEMPEST-rated would have to be modified or replaced at considerable cost. NASA would not be able to use the Internet or any other network that did not use the same encryption method and the same encryption key.

EES devices offer no significant benefit to NASA over existing DES-based devices and their implementation would adversely impact many NASA organizations. Therefore, NASA does not concur with the adoption of the proposed FIPS for an EES.

Benita A. Cooper
Associate Administrator for Management Systems and Facilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 if by land, 2 if by sea. Paul Revere - encryption 1775
Charles R. Smith
SOFTWAR
http://www.us.net/softwar