
ABA Likes GAK



   10-03-96 at 19:09 EDT, American Banker 
 
 
   Banks Like Export Plan for High-Power Encryption  
 
   By Drew Clark 
 
   ----- 
 
   "Banks have really taken a leadership role in the 
   responsible management of cryptography," said a senior 
   Clinton administration official who asked not to be 
   named. "Banks are already doing what we want other 
   organizations to do: safeguarding their keys and 
   providing them, when necessary, to law enforcement." 
 
   "Providing 56-bit encryption with key recovery doesn't 
   help us," said Netscape spokeswoman Chris Holton. "The 
   government is saying that you can export it but you have 
   to provide us with the keys. We feel that is extortion on 
   the part of the government." 
 
   "We are making the best of a bad situation," said Scott 
   Schnell, vice president of marketing for RSA Data 
   Security. 
 
   ----- 
 
 
   Bank technology experts have reacted favorably to the 
   Clinton administration's proposal to liberalize the 
   development and sale of strong data security tools. 
 
   This week, the government said it would lift export 
   restrictions on certain kinds of cryptography, provided 
   U.S. companies agree to cooperate with a procedure that 
   would give law enforcement officials access to the "keys" 
   of such codes, upon presentation of a warrant. 
 
   Banks were heartened by the announcement because many 
   view the widely used Data Encryption Standard - a 
   low-level form of data scrambling - as inadequate 
   protection against the rising computer power of so-called 
   hackers. 
 
   Though banks can use a complex 56-bit data encryption key 
   for financial transactions, sensitive communications with 
   overseas branches are limited to a less powerful 40-bit 
   standard. 
 
   Banks hope that a loosening of restrictions in general 
   will benefit them, too. 
 
   "This policy announcement is better than anyone 
   expected," said Kawika M. Daguio, federal representative 
   at the American Bankers Association in Washington. "It is 
   gravy for us, but it's the meat and potatoes for the 
   hardware and software industries." 
 
   "Banks probably won't be adversely affected," said 
   Stewart A. Baker, a partner at Steptoe & Johnson, a 
   Washington law firm, "and they will be left pretty much 
   where they were before." 
 
   The announcement by Vice President Al Gore said that 
   controls over powerful encryption technology would be 
   lifted as the government and private sector develop a 
   "key recovery" system. (International Business Machines 
   Corp. already has stepped forward to head a consortium 
   dedicated to creating such a system.) 
 
   Current law forbids the export of computer hardware or 
   software that uses cryptographic codes with digital 
   "keys" - randomly generated combinations of 0's and 1's - 
   longer than 40 bits. The longer the key length, the more 
   impenetrable the code. 
 
   For three years, the government has said it would permit 
   the general use of more complex cryptography only if the 
   companies using it placed their keys in the hands of the 
   government or a third party. 
 
   "Key escrow," as it is known in the technical community, 
   is needed in order to prosecute people who have stored 
   evidence of illegal activity on the hard drive of a 
   computer, officials argued. 
 
   But the private sector - banks included - has balked at 
   handing over such access to any third party. 
 
   The disagreement gave rise to a compromise system known 
   as "key recovery" in which companies would hold their own 
   keys but could be required to divulge certain information 
   about specific transactions when presented with a court 
   order or warrant. 
 
   "What is novel is that it doesn't escrow any keys," said 
   Homayoon Tajalli, executive vice president of Trusted 
   Information Systems, Glenwood, Md., one of IBM's 
   consortium partners. 
 
   "If the government comes and gets this data with a court 
   order," explained Mr. Tajalli, "then they take a digital 
   lockbox from the third party or parties that hold it, and 
   they read the message." 
 
   Kathy Kincaid, director of information technology for 
   IBM, said the difference between key escrow and key 
   recovery is analogous to the following approach to 
   securing a house when its owner goes on vacation: Instead 
   of giving a key to two neighbors, the owner gives each 
   neighbor half the combination to a lockbox that holds the 
   key. 
 
   "You must have both halves and put them together in 
   exactly the right sequence," said Ms. Kincaid. "This 
   provides protection against a single point of attack." 
 
   Companies participating in development of key recovery 
   systems include: Apple Computer Inc., Digital Equipment 
   Corp., Groupe Bull, Hewlett-Packard Co., NCR Corp., RSA 
   Data Security, Sun Microsystems Inc., Trusted Information 
   Systems, and United Parcel Service. 
 
   And a government official said banks may even play a 
   role. 
 
   "Banks have really taken a leadership role in the 
   responsible management of cryptography," said a senior 
   Clinton administration official who asked not to be 
   named. "Banks are already doing what we want other 
   organizations to do: safeguarding their keys and 
   providing them, when necessary, to law enforcement." 
 
   Heidi Kukis, a spokeswoman for Vice President Gore, said: 
   "This key recovery system is the proper balance between 
   commercial interests and national security." 
 
   But not all agree. Some argue that the key recovery 
   system still gives the government too much control over 
   information flow. 
 
   "Providing 56-bit encryption with key recovery doesn't 
   help us," said Netscape spokeswoman Chris Holton. "The 
   government is saying that you can export it but you have 
   to provide us with the keys. We feel that is extortion on 
   the part of the government." 
 
   "We are making the best of a bad situation," said Scott 
   Schnell, vice president of marketing for RSA Data 
   Security. 
 
   "The bottom line is that the standard proposed by the 
   government is an insubstantial step in the right 
   direction," he said. "We want to make sure it is usable 
   and prepare for the day that products will be available 
   that do not have this key recovery situation." 
 
   The government's announcement came three months after a 
   National Research Council report on the role of 
   cryptography in an information-oriented society. 
 
   The report encouraged liberalization of government 
   standards and questioned the feasibility of the key 
   escrow system then favored by government. 
 
   "We raised the issue about the security of key escrow 
   systems," said law professor Kenneth W. Dam, chairman of 
   the body that prepared the report, "and we said the 
   government should work on it." 
 
   "I take it this is an attempt to move in the way of key 
   escrow, with the help of industry," said Mr. Dam. 
 
   [End]