[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Key Escrow Agent Criteria [Draft]




[From NIST 12-08-95]


The following draft discussion paper was distributed at the  
12/5/95 meeting at NIST on draft criteria for 64-bit software 
key  escrow exportability.


                              DRAFT
                            (12/1/95)

                    Key Escrow Agent Criteria


Introduction


An often heard concern regarding key escrow encryption is that  
users of such encryption are vulnerable to abuse of the 
escrowed  key by the escrow agents or others.  Many have 
suggested that  changes in the law are needed that 
specifically, criminalize any  such abuses.  We agree that such 
laws will be beneficial in  deterring acts by anyone to access 
escrowed keys without  authority or to undermine the integrity 
of the escrow key system.


However, the availability of criminal prosecution is not alone  
sufficient.  Key escrow agents must be selected not only with a 
 view toward assuring the availability of escrowed keys for  
properly authorized government officials, but also to assure 
that  the escrow agents have the commitment and means to 
protect the  confidentiality and integrity of the keys they 
escrow and the  escrow system.  This will be particularly 
important if, as we  expect will occur, some key escrow 
products will be designed such  that the escrow agent could 
discern the identity of the user from  the keys and other 
information that is escrowed with them.


The following criteria were drafted with these principles in  
mind.  We have not yet addressed conditions under which users 
can  be the sole repository of the keys for their system.  We  
recognize that some organizations or people do not want anybody 
 but themselves to escrow their keys.  However, since an 
important  reason for escrowing is to preserve effective law 
enforcement, we  must assure authorized officials can reliably 
and timely obtain  access to escrowed keys through entities 
independent of the  subject of electronic surveillance.  Thus 
we welcome suggestions  on how best to meet this range of 
interests.


In considering the criteria appropriate for approving escrow  
agents, we considered whether the government needs to assure it 
 has timely and reliable access when authorized and what key  
escrow encryption users would want to ensure that the escrowing 
 of keys does not undermine their security.  Of course, the  
government is also a user of key escrow encryption products and 
 shares with other users an interest to ensure the integrity 
and  security of the escrow system.  Similarly, organizations  
interested in data recovery share the government's interest to  
have a system through which access to escrowed key is enabled  
under appropriate circumstances.  With these considerations in  
mind, we developed criteria in two categories, "Escrow System  
Integrity and Security" and "Key Access Requirements."  We 
expect  that prospective escrow agents that meet criteria such 
as these  would be considered as "approved" escrow agents for 
export  purposes, to hold keys for government systems, etc.


Note that keys and/or key components for devices that may 
process  classified information shall be escrowed with escrow 
agent  entities selected by the U.S. government, and that those 
escrow  agent entities may be required to meet more stringent  
requirements.


Escrow System Integrity and Security


1.   Escrow agent entities shall devise and institutionalize
     policies, procedures, and mechanisms to ensure the
     confidentiality, integrity, and availability of key escrow
     related information.


     a.   Escrow agent entities shall be designed and operated 
so
          that a failure by a single person, procedure, or
          mechanism does not compromise the confidentiality,
          integrity or availability of the key and/or key
          components (e.g., two person control of keys, split
          keys, etc.)


     b.   Unencrypted escrowed key and/or key components that 
are
          stored and/or transmitted electronically shall be
          protected (e.g., via encryption) using approved 
means.


     c.   Unencrypted escrowed key and/or key components stored
          and/or transferred via other media/methods shall be
          protected using approved means (e.g., safes).


2.   Escrow agent entities shall ensure due form of escrowed 
key
     access requests and authenticate the requests for escrowed
     key and/or key components.


3.   Escrow agent entities shall protect against disclosure of
     information regarding the identity of the person/
     organization whose key and/or key components is requested,
     and the fact that a key and/or key component was requested
     or provided.


4.   Escrow agent entities shall enter keys/key components into
     the escrowed key database immediately upon receipt.


5.   Escrow agent entities shall ensure at least two copies of
     any key and/or key component in independent locations to
     help ensure the availability of such key and/or key
     components due to unforeseen circumstances.


6.   Escrow agent entities that are certified by the U.S.
     government shall work with developers of key escrow
     encryption products and support a feature that allows
     products to verify to one another that the products' keys
     have been escrowed with a U.S.-certified agent.


Key Access Requirements


7.   An escrow agent entity shall employ one or more persons 
who
     possess a SECRET clearance for purposes of processing
     classified (e.g., FISA) requests to obtain keys and/or key
     components.


8.   Escrow agent entities shall protect against unauthorized
     disclosure of information regarding the identity of the
     organization requesting the key or key components.


9.   Escrow agent entities shall maintain data regarding all 
key
     escrow requests received, key escrow components released,
     database changes, system administration accesses, and 
dates
     of such events, for purposes of audit by appropriate
     government officials or others.


10.  Escrow agent entities shall maintain escrowed keys and/or
     key components for as long as such keys may be required to
     decrypt information relevant to a law enforcement
     investigation.


11.  Escrow agent entities shall provide key/key components to
     authenticated requests in a timely fashion and shall
     maintain a capability to respond more rapidly to emergency
     requirements for access.


12.  Escrow agent entities shall possess and maintain a
     Certificate of Good Standing from the State of 
incorporation
     (or similar local/national authority).


13.  Escrow agent entities shall provide to the U.S. government 
a
     Dun & Bradstreet/TRW number or similar credit report 
pointer
     and authorization.


14.  Escrow agent entities shall possess and maintain an Errors 
&
     Omissions insurance policy.


15.  Escrow agent entities shall provide to the U.S. government 
a
     written copy of, or a certification of the existence of a
     corporate security policy governing the key escrow agent
     entity's operation.


16.  Escrow agent entities shall provide to the U.S. government 
a
     certification that the escrow agent will comply with all
     applicable federal, state, and local laws concerning the
     provisions of escrow agent entity services.


17.  Escrow agent entities shall provide to the U.S. government 
a
     certification that the escrow agent entity will transfer 
to
     another approved escrow agent the escrow agent entity's
     equipment and data in the event of any dissolution or 
other
     cessation of escrow agent entity operations.


18.  Escrow agent entities for products sold in the U.S. shall
     not be a foreign country or entity thereof, a national of 
a
     foreign country, or a corporation of which an alien is an
     officer or more than one-fourth of the stock which is 
owned
     by aliens or which is directly or indirectly controlled by
     such a corporation.  Foreign escrow agent entities for
     products exported from the U.S. will be approved on a case
     by case basis as law enforcement and national security
     agreements can be negotiated.


19.  Escrow agent entities shall provide to the U.S. government 
a
     certification that the escrow agent entity will notify the
     U.S. government in writing of any changes in the forgoing
     information.


20.  Fulfillment of these and the other criteria are subject to
     periodic recertification.


12/1/95

*****************************************************  

Elaine Frye
Computer Security Division
National Institute of Standards and Technology  Bldg. 820, M.S. 
Room 426
Gaithersburg, MD  20899-0001
Voice:   301/975-2819    Fax:  301/948-1233

*****************************************************