[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ABA Likes GAK
10-03-96 at 19:09 EDT, American Banker
Banks Like Export Plan for High-Power Encryption
By Drew Clark
-----
"Banks have really taken a leadership role in the
responsible management of cryptography," said a senior
Clinton administration official who asked not to be
named. "Banks are already doing what we want other
organizations to do: safeguarding their keys and
providing them, when necessary, to law enforcement."
"Providing 56-bit encryption with key recovery doesn't
help us," said Netscape spokeswoman Chris Holton. "The
government is saying that you can export it but you have
to provide us with the keys. We feel that is extortion on
the part of the government."
"We are making the best of a bad situation," said Scott
Schnell, vice president of marketing for RSA Data
Security.
-----
Bank technology experts have reacted favorably to the
Clinton administration's proposal to liberalize the
development and sale of strong data security tools.
This week, the government said it would lift export
restrictions on certain kinds of cryptography, provided
U.S. companies agree to cooperate with a procedure that
would give law enforcement officials access to the "keys"
of such codes, upon presentation of a warrant.
Banks were heartened by the announcement because many
view the widely used Data Encryption Standard - a
low-level form of data scrambling - as inadequate
protection against the rising computer power of so-called
hackers.
Though banks can use a complex 56-bit data encryption key
for financial transactions, sensitive communications with
overseas branches are limited to a less powerful 40-bit
standard.
Banks hope that a loosening of restrictions in general
will benefit them, too.
"This policy announcement is better than anyone
expected," said Kawika M. Daguio, federal representative
at the American Bankers Association in Washington. "It is
gravy for us, but it's the meat and potatoes for the
hardware and software industries."
"Banks probably won't be adversely affected," said
Stewart A. Baker, a partner at Steptoe & Johnson, a
Washington law firm, "and they will be left pretty much
where they were before."
The announcement by Vice President Al Gore said that
controls over powerful encryption technology would be
lifted as the government and private sector develop a
"key recovery" system. (International Business Machines
Corp. already has stepped forward to head a consortium
dedicated to creating such a system.)
Current law forbids the export of computer hardware or
software that uses cryptographic codes with digital
"keys" - randomly generated combinations of 0's and 1's -
longer than 40 bits. The longer the key length, the more
impenetrable the code.
For three years, the government has said it would permit
the general use of more complex cryptography only if the
companies using it placed their keys in the hands of the
government or a third party.
"Key escrow," as it is known in the technical community,
is needed in order to prosecute people who have stored
evidence of illegal activity on the hard drive of a
computer, officials argued.
But the private sector - banks included - have balked at
handing over such access to any third party.
The disagreement gave rise to a compromise system known
as "key recovery" in which companies would hold their own
keys but could be required to divulge certain information
about specific transactions when presented with a court
order or warrant.
"What is novel is that it doesn't escrow any keys," said
Homayoon Tajalli, executive vice president of Trusted
Information Systems, Glenwood, Md., one of IBM's
consortium partners.
"If the government comes and gets this data with a court
order," explained Mr. Tajalli, "then they take a digital
lockbox from the third party or parties that hold it, and
they read the message."
Kathy Kincaid, director of information technology for
IBM, said the difference between key escrow and key
recovery is analogous to the following approach to
securing a house when its owner goes on vacation: Instead
of giving a key to two neighbors, the owner gives each
neighbor half the combination to a lockbox that holds the
key.
"You must have both halves and put them together in
exactly the right sequence," said Ms. Kincaid. "This
provides protection against a single point of attack."
Companies participating in development of key recovery
systems include: Apple Computer Inc., Digital Equipment
Corp., Groupe Bull, Hewlett-Packard Co., NCR Corp., RSA
Data Security, Sun Microsystems Inc., Trusted Information
Systems, and United Parcel Service.
And a government official said banks may even play a
role.
"Banks have really taken a leadership role in the
responsible management of cryptography," said a senior
Clinton administration official who asked not to be
named. "Banks are already doing what we want other
organizations to do: safeguarding their keys and
providing them, when necessary, to law enforcement."
Heidi Kukis, a spokeswoman for Vice President Gore, said:
"This key recovery system is the proper balance between
commercial interests and national security."
But not all agree. Some argue that the key recovery
system still gives the government too much control over
information flow.
"Providing 56-bit encryption with key recovery doesn't
help us," said Netscape spokeswoman Chris Holton. "The
government is saying that you can export it but you have
to provide us with the keys. We feel that is extortion on
the part of the government."
"We are making the best of a bad situation," said Scott
Schnell, vice president of marketing for RSA Data
Security.
"The bottom line is that the standard proposed by the
government is an insubstantial step in the right
direction," he said. "We want to make sure it is usable
and prepare for the day that products will be available
that do not have this key recovery situation."
The government's announcement came three months after a
National Research Council report on the role of
cryptography in an information-oriented society.
The report encouraged liberalization of government
standards and questioned the feasibility of the key
escrow system then favored by government.
"We raised the issue about the security of key escrow
systems," said law professor Kenneth W. Dam, chairman of
the body that prepared the report, "and we said the
government should work on it."
"I take it this is an attempt to move in the way of key
escrow, with the help of industry," said Mr. Dam.
[End]