GAK Advisory Board 94
From URL: http://csrc.ncsl.nist.gov/csspab/94-rpt.txt
Executive Summary
This Annual Report documents activities of the National
Computer System Security and Privacy Advisory Board
during 1994, its sixth year.
During the year, the Board continued to review
cryptography related issues. During 1994, the
Escrowed Encryption Standard (EES) and the Digital
Signature Standard (DSS) were approved as Federal
Information Processing Standards (FIPS 185) and (FIPS
186) respectively. The Board heard briefings on
escrowing release procedures, escrow program procedures,
U.S. export procedures, international cryptography
proposals, international corporate key escrow,
alternative key escrow approaches, and software-based key
escrow encryption.
The Board also continued to follow activities related to
the Common Criteria (CC), which remains in draft form.
[Comments on the CC will be reviewed and processed in
March 1995.] The Board continued to examine the
question as to whether there is a business case for
setting up a Trusted Technology Assessment Program
(TTAP).
Membership
Currently, Dr. Willis H. Ware, a senior researcher of the
Corporate Research Staff of RAND, serves as Chairman of
the Board. He was appointed in July 1989. As of
December 1994, the membership of the Board is as follows:
- Chairman
Willis H. Ware, RAND
- Federal Members
Charlie C. Baggett, Jr., National Security Agency
Henry H. Philcox, Department of the Treasury, Internal
Revenue Service
Cynthia C. Rand, Department of Transportation
Stephen A. Trodden, Department of Veterans Affairs
- Non-Federal, Non-Vendor
Genevieve M. Burns, Monsanto Corporation (Member
Designate)
Cris R. Castro, KPMG Peat Marwick
Sandra Lambert, Citibank
Randolph Sanovic, Mobil Corporation (Member Designate)
- Non-Federal, Vendor
Gaetano Gangemi, Wang Laboratories, Inc.
Linda Vetter, Oracle Corporation (Member Designate)
Stephen T. Walker, Trusted Information Systems, Inc.
Bill Whitehurst, International Business Machines Corp.
In December of 1994, Ms. Cynthia Rand resigned from the
Board, leaving a vacancy in the federal member category.
II. Major Issues Discussed
The work of the Board during 1994 was devoted to various
topics related to security of federal unclassified
automated information systems. Among the most important
were:
- Cryptographic Key Escrowing Procedures
- Alternative Key Escrow
- Security in the National Information Infrastructure
(NII)
Escrowing Release/Program Procedures
The Department of Justice briefed the Board on procedures
for release of cryptographic key components, by the two
escrow agents, to government agencies. The two escrow
agents are the National Institute of Standards and
Technology (NIST), of the Department of Commerce, and the
Automated Systems Division of the Department of Treasury.
The agents act under strict procedures that ensure the
security of the key components and govern their
release for use in conjunction with lawful wiretaps.
NIST discussed the procedures for the key escrow program.
Five federal agencies share a role in the key escrow
program: (1) the Department of Justice is a sponsor and
a family key agent that holds one of the components of
the family key, (2) the Federal Bureau of Investigation
is the initial law enforcement user and a family key
agent that holds the other component of the family key,
(3) NIST has a dual role as the program manager and a key
escrow agent, (4) the Department of Treasury is a key
escrow agent; and (5) the National Security Agency
is the system developer that provides technical
assistance.
Alternative Key Escrow
Bankers Trust presented some rationales for key escrow
encryption for corporations, which fulfills management
supervision and compliance duties, and reduces business
risks. They maintain that the Bankers Trust system can
meet both U.S. and European needs. Their system has been
discussed with Canada, Britain, France, Singapore, and
the U.S.; however, none of these countries have
endorsed the system.
Trusted Information Systems, Inc. gave a demonstration
and overview of their approach to software-based key
escrow encryption. They said that software key escrow
systems could be built that meet the objectives of law
enforcement, and that variations of their software key
escrow system can provide a commercial key escrow
capability that will be very appealing to corporate and
individual computer users. They believe that widespread
use of corporate key escrow, in which corporations
operate their own key escrow centers, and individual key
escrow, in which bonded commercial key escrow centers
provide a key retrieval capability for registered users,
will better achieve the key escrow objectives of law
enforcement than a government-operated key escrow
system.
[Snip 180kb of very informative docs on the main US
cryptography issues of 1994, still alive in '95.]