Key encrypts, authenticates on client'not server

Key encrypts, authenticates on client'not server

TecSec founder Edward Scheidt, who helped develop the cryptography for the Kryptos sculpture at CIA headquarters, is selling a new cryptography system to the government.

Cryptographic system embeds rules within object, managing file access based on employee's duties

By William Jackson

GCN Staff

TecSec Inc., a Vienna, Va., company that makes Secure Telephone Unit III wireless telephones for the government, is marketing a cryptographic system that manages access to information based on the user's role in an organization.

Constructive Key Management 2000 embeds access rules within an object, which can be anything from a bit to an entire file, while it is being encrypted. The one-time, symmetrical encryption key does not require sharing any information across a network for authentication.

CKM 2000 is network-friendly because encryption and authentication happen on the client rather than on a server, said TecSec founder Edward M. Scheidt, former CIA head of cryptography.

Fantasy island

Security is relatively easy with unlimited resources, Scheidt said, but in the real world, bandwidth takes on great importance.

CKM's low bandwidth demand and its 392-bit, one-time encryption key have drawn interest from the Navy, Scheidt said, and two agencies have adopted the system, although he would not say which ones.

The Commerce Department has approved CKM 2000 for export despite its long key length, he said, because TecSec has convinced regulators that the one-time key is recoverable by the network owner or administrator'a requirement for exporting strong cryptography.

Scheidt is no stranger to designing secure cryptography for the government. In addition to working for the CIA, he helped design the coding scheme for James Sanborn's sculpture puzzle Kryptos, which has challenged professional and amateur code breakers ever since its 1990 dedication at CIA headquarters in Langley, Va.

The CKM 2000 system has two components, CKM-File and CKM-Mail. To encrypt a file, the user generates a one-time key from split elements available to both sender and receiver, combined with random factors. The key is destroyed immediately after encryption. When the encrypted information travels to another user, the header holds information about the sender and the intended recipient, including permission labels specifying who is entitled to see which portions of the information.

Upon receipt, the permission labels are compared against labels residing on the recipient's computer. If they match, the cryptographic splits needed to access specific information become available to reconstruct the key, which is again destroyed after the information is decrypted.

CKM 2000 runs under Microsoft Windows 9x and Windows NT, and a Unix version is in the works. Future versions will support a public-key infrastructure for stronger authentication.

The strength of the current version, in addition to the 392-bit key, is the granularity of access control. Any number of objects can be defined within a file, at varying degrees of restriction for each. Access restrictions are enforced by credentials in a software token loaded on the reader's PC, as defined by that person's role in an organization.

CKM 2000 can reformat a document to hide portions to which the reader does not have access rights.

The product costs $50 per seat in volume buys; a $1,500 administrative package is required to create the user credentials. A software development kit for integrating CKM 2000 with applications is priced separately.

Contact TecSec at 703-506-9069.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.