Expect key management rules
- By Kevin Powers
- Mar 17, 1997
"We need legislation to set the rules for access to keys. It might not be a crime
today if someone illegally accesses the keys," said Edward Appell, director of
counterintelligence programs for the National Security Council.
Speaking at a recent Armed Forces Communications and Electronics Association conference
in Fairfax, Va., Appell outlined the plan to create a global key management scheme for
both digital signatures and fully encrypted communications.
Under the plan announced by Vice President Gore last fall, vendors can export 56-bit
encryption systems if they build a key escrow system that grants law enforcement agencies
access to encoded messages with a court order. Within two years, all exportable systems
must have a key escrow feature.
The White House transferred export control authority over commercial encryption
products to the Commerce Department. The Justice Department has veto authority over
exportable cryptographic applications.
The administration has had trouble selling industry on the key escrow concept ever
since it unveiled the controversial Clipper encryption chip and subsequent Escrow
Encryption Standard (EES) several years ago.
Many privacy advocates and industry groups criticized EES because it was based on a
classified encryption algorithm developed by the National Security Agency and left key
management to agencies.
Nevertheless, the new key management approach provides the best balance between law
enforcement's need for access and users' privacy concerns because the users can create and
store their own encryption keys, Appell said.
"The use of encryption and key recovery will be voluntary. But it will be present
in federal products," he said. They will submit their own bill to support key
management, he said, but it will not mandate anything.
Some industry leaders still challenge the feasibility of any sort of
government-approved key management system that limits exportable encryption key lengths.
Jim Bidzos, chief executive officer for RSA Data Security Inc. of Redwood City, Calif.,
said his company already has developed an emergency data recovery system that lets users
give law enforcement access whenever required.
Despite the government's legitimate security concerns, Bidzos warned that the White
House's failure to enforce a uniform encryption standard among federal users makes the
global key management plan even less plausible.
"The fact that the emperor has no clothes is clear, as a number of agencies
already are running RSA applications against government policy," Bidzos said.
"The government's power in terms of purchasing is overblown," he said.