IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

________________________________________
					)
PHILIP R. KARN, Jr.			)
					)
		Plaintiff,		)
					)	Civ. A. No. 95-1812(CRR)
	v.				)
					)	(Judge Charles R. Richey)
U.S. DEPARTMENT OF STATE, and		)
THOMAS E. MCNAMARA,			)
					)
		 Defendants.		)
					)
________________________________________)

DECLARATION OF PHILIP R. KARN, JR.

PHILIP R. KARN, JR., declares as follows:

1. I am the plaintiff in the captioned action. I make this declaration in opposition to the defendants' Motion to Dismiss or, in the Alternative, for Summary Judgment. I have read that motion and all supporting documents and this declaration is made with full knowledge of the statements made in the defendants' papers.

2. I am a software engineer presently employed as such by Qualcomm, Inc. of 6455 Lusk Blvd., San Diego, CA. I have a BS degree in Electrical Engineering from Cornell University and a MS degree in Electrical Engineering (Computer Engineering) from Carnegie-Mellon University. My previous employers were Bell Telephone Laboratories and Bell Communications Research. I have been actively involved in computer programming since the middle 1970s. I have previously written computer networking programs that have been widely recognized as catalyzing the widespread availability of the Internet over dialup telephone lines. I have contributed to one of the programs included in Bruce Schneier's book, Applied Cryptography, that is involved in this litigation, specifically the DES key schedule code that is part of the source code used by the defendants in the experiment described in the Crowell Declaration.

3. I recently demonstrated the exact equivalence, for the purposes of enabling a computer to encrypt and decrypt information of the DES source code printed in Applied Cryptography and that recorded on the Applied Cryptography Source Code Diskette that is the subject of this action.

4. The source code file in question implements both the US Data Encryption Standard ("DES") and a variant commonly known as "Triple DES". The latter involves merely executing DES three times with three separate keys to strengthen the algorithm against attack. This is somewhat like putting three differently-keyed locks of the same type on a door, all three keys being required to open the door. Nearly all of the code in the file implements the basic DES; the Triple DES extensions are fairly trivial in that they simply execute the basic DES three times.

5. I began by first photocopying, on a standard office photocopier, the 18 pages containing the Triple DES source code listing from Part V of the Book. This took about 5 minutes. Second, I scanned in the 18 sheets on a Macintosh Quadra 610 computer system equipped with an HP ScanJet II flatbed scanner and Omnipage Professional optical character recognition (OCR) software. The computer, scanner, and software are all readily available through normal consumer computer supply channels. The total scanning process took about one and a half hours. About an hour of this time was spent learning to use the scanning system and conducting trial runs, as I had only used it briefly some time ago. The actual scan of the 18 pages took about 15-20 minutes. Third, I transferred the resulting machine-readable file from the Macintosh to my own personal computer and brought it up under GNU EMACS, a popular and widely available text editing program that I have used for many years. In EMACS I compared, by eye, the scanned file displayed on my screen against the printed listing in the Book. I began correcting the scanner's many errors, such as mistaking the digit '0' for the letter 'O' or mistaking the vertical bar '|' for the letter 'I'.

6. After manually correcting those errors noticed through visual comparison with the Book, I invoked the "C" language compiler on the (partially) corrected file. The compiler immediately pointed out additional errors I had overlooked in my visual inspection so I could also correct them by reference to the Book. I also noticed several errors in the listing printed in the Book. However, the programmer's intentions were obvious from the context of each error and were easily fixed. About fifty minutes later, I successfully compiled the file without error.

7. The fourth step was to write a small test program to execute the DES code with the test vectors given at the end of the source code listing. This trivial program took less than 5 minutes to write. Unfortunately, the test did not succeed, meaning that at least one error went undetected by the compiler in either the code as printed in the Book or as scanned. Scrutinizing the code more closely, I quickly found another error in the printed version that was easily corrected. However, it still did not produce correct results. After about an hour of searching, I finally located the error in a list of numbers in a table -- another error in the printed version. By reference to the DES algorithm description in the first part of the Book, which includes the correct numbers in tabular form, I found and corrected the error.

8. At this point the test finally succeeded, so I knew I had a correct program. However, to increase my confidence further I tried a few other DES test vectors that were not included in the source code, but were openly published by the US National Institute of Standards and Technology (NIST). All passed. At this point it was beyond doubt that I had a correct, working copy of the DES source code identical to that on the Disk with all errors removed, including those printed in the Book as well as those added by the scanning process.

9. Finally, in about 40 minutes I wrote and debugged a "driver" program analogous to that included in the Crowell declaration. This driver program takes a sample plaintext file, encrypts it, displays the encrypted file in hexadecimal and then decrypts it.

Here is the original plaintext file called 'sample3':

We are planning an all-out attack against the enemy in the vicinity of Aitape about 10 July.

The following command encrypts the file called 'sample3' and places the encrypted contents in a file called 'sample3.enc':

enc sample3 sample3.enc abc48728bcd39012bc2778bdef287137

Here is the encrypted file in hexadecimal:

  0: 98 33 fe dd 23 52 a9 93 f0 23 99 ad 4b c0 0e c4 .3~]#R).p#[email protected]
 10: c8 2b b3 15 79 cc 34 b4 9d 55 7f df 0e b5 d4 21 H+3.yL44.U._.5T!
 20: 9d a9 9e 39 28 99 10 27 5c 2b d4 36 6e 66 d0 15 .).9(..'\+T6nfP.
 30: 3a 9c f5 d2 0e 59 06 8d 92 e3 57 ef 86 f8 70 71 :.uR.Y...cWo.xpq
 40: 5d 82 c3 83 8d ae 0e 8e 5e f4 67 51 87 3e 91 b5 ].C.....^tgQ.>.5
 50: 4a 23 c8 f4 6c fc 84 cf 78 17 6e 85 55 74 f0 75 J#Htl|.Ox.n.Utpu
The following command decrypts the file 'sample3.enc' and places the contents (which are now the original text) in a file called 'sample3.ori':

dec sample3.enc sample3.ori abc48728bcd39012bc2778bdef287137

Finally, here is the file 'sample3.ori.' Notice that it is the same as the original plaintext.

We are planning an all-out attack against the enemy in the vicinity of Aitape about 10 July.

10. In summary, by using only the Book, a photocopier, a computer scanning system, a text editor and a compiler, and despite numerous printing and scanning errors, I generated a file containing correct DES encryption code that was exactly equivalent in every significant way to that stored on the Disk, with a total time investment of 3.5 hours, not including the 40 minutes spent on the driver program required to use the code on the Disk as well as the Book.

11. The significance of my test is that it shows that the only difference between the source code listings in the book and those on the diskette is that it takes 3.5 hours longer, using the book and OCR scanning technology, to produce the functional encryption/decryption program described in the Crowell declaration than it does to produce that same program beginning with the source code listing on the diskette.

12. I have been informed that it takes a skilled secretary less than 3 hours to type the entire DES source code listing into a computer text file. Assuming that it would be necessary to make corrections to that file, just as I had to do with the scanned file, I believe it would take less than 5 hours, starting with the source code listings in the book, to produce the same error-free DES file as the one on the diskette if the file were produced using manual typing.

13. As a computer programmer, I know there is no functional difference of any significance between source code listings in the form of printed text and the same listings in the form of a text file on computer-readable media. In neither case can the source code be used, by itself, to cause a computer to execute an operating program. Source code must always be complied by a computer program before it can be used as a functioning program. In the case of the encryption algorithm listings in the book and on the diskette, additional programming is required before the cryptographic code has any functionality whatsoever.

14. I regard source code, regardless of the medium on which it is recorded, as "software." Thus there is no difference, from a functional perspective, between the listings in the book and those on the diskette. Both forms are properly described as "software."

15. Programming skills are needed to convert the cryptographic source code listings in the book and on the diskette into functioning computer programs.

16. I am familiar with most of the cryptographic algorithms (ciphers) listed in the Part V of the book and on the diskette. One, the Enigma cipher, was used by the Germans in World War II and was successfully "broken" by the US and British governments during the war. Another cipher, FEAL-8, was broken by Avi Shamir in 1989. Three other programs on the disk aren't even encryption functions designed to provide confidentiality: MD5, N-HASH and SHS are all "hash functions" designed for cryptographic authentication, a technology that in general has been transferred off the USML.

17. I also believe that the IDEA code listed in Part Five is probably secure against cryptanalytic attack, even by NSA. That fact does not, however, mean that export of the IDEA source code on the diskette poses any threat to our national security. The algorithm itself was developed in Switzerland, and the specific source code is already widely available in foreign countries, both by itself and as part of a freely-available encryption program, Pretty Good Privacy ("PGP"). A version has also been printed in a magazine for computer programmers, Dr. Dobbs' Journal, that is published and mailed worldwide.

18. Attached as Exhibit A to this declaration is a current listing of some Internet sites around the world where many of the source code listings in Part V of Applied Cryptography are freely available. Attached as Exhibit B is a listing of some of the Internet sites around the world where PGP is freely available. Given the widespread public availability of these files, there is no factual basis for NSA's contention that the export of the diskette at issue in this case poses any additional threat to our national security.

I swear under penalty of perjury that the foregoing is true and complete to the best of my knowledge and belief.

					[signed]
					Philip R. Karn, Jr.

Date:  December  7, 1995

Exhibit A: Pointers to Cryptographic Software

Exhibit B: Where to Get The Pretty Good Privacy Program (PGP) -- Abridged Version