Draft plan requires agency use of key-recovery technology

While the debate on encryption policy continues to play out this month on Capitol Hill a technical advisory committee has yet to decide whether to force agencies to include the controversial key recovery in a standard it is developing for governmentwide use.

The committee which is developing a standard for agency use of public-key cryptography plans to recommend to the Commerce Department that agencies apply the new standard to all products they use for general encryption of unclassified data according to a preliminary copy of a draft Federal Information Processing Standard (FIPS) for key-recovery systems which Federal Computer Week obtained last week.

The standard must be applied by agencies when computer files are encrypted for secure storage or transmission and when e-mail is encrypted before transmission according to the draft. Agencies also must apply the standard when electronic voice communications are encrypted and when keys are backed up for emergency recovery such as when a system administrator who may have the only key dies suddenly.

Public-key cryptography involves the use of two keys: one that is available to everyone and another that is kept secret by the user. The key-recovery mechanism which the Clinton administration and law enforcement agencies support is aimed broadly at allowing users whose private keys have been lost or stolen to recover them.

Santosh Chokhani president of Cygnacom Solutions and a member of the advisory committee said that although the committee has made substantial progress on the framework some security issues have yet to be resolved. For example the group has not determined if the encryption mechanism on federal users' workstations should force users to employ key recovery.

"We're trying to be inclusive and accommodating for various key-recovery schemes " Chokhani said. "The group is making good progress on some of the technical issues. There is no ideal solution for this thing."

The Clinton administration's key-recovery policy would allow the FBI and other agencies to obtain - through a court order - access to a user's private key to unscramble encrypted data. Privacy advocates contend that the United States should have no rules requiring the use of key-recovery software. After public backlash to a 1994 proposal to require all encryption users to register their keys with the government the Clinton administration recently has supported a plan to encourage voluntary domestic use of key-recovery systems.

Last week however FBI director Louis Freeh told a Senate subcommittee that encryption products sold domestically should be required to employ a key-recovery mechanism. The nation's law enforcement community led by the FBI has insisted that their pursuit of a variety of criminals would be hampered by the widespread use of encryption with no key-recovery mechanism to allow law enforcement officials to unscramble encrypted data.

David Sobel legal counsel for the Electronic Privacy Information Center said the draft standard indicates that proponents of key recovery such as law enforcement agencies and the Clinton administration are trying to promote the widespread use of key-recovery products through federal agency purchases.

"They continue to abuse the FIPS process to influence what is happening in the private sector " Sobel said.