Govt. committee seeks more time for crypto review

At issue: federal ability to break encrypted messages.

By Margret Johnston
IDG News Service, 7/3/98

Washington - A technical advisory committee that has been asked by the U.S. government to help develop a standard for a federal "key recovery" system needs more time to complete its assignment, according to a draft of a letter the group plans to send to Commerce Secretary William Daley.

The letter, which was posted at the committee's Web site, says the group has made substantial progress and the document it has drafted "could provide a basis for the development of a Federal Information Processing Standard." But the letter also says "significant, substantive additional work is necessary before this document will be ready for the next step in the process."

A key recovery system would allow law enforcement authorities to obtain "keys" to encrypted communications, which the Clinton administration has said is a necessary power that police and prosecutors must maintain to aid in the fight against terrorism and drug trafficking.

But the government's interest in setting up a "key recovery" system is controversial because of concerns over what access the government should have to encrypted data, and many technologists believe it would be too expensive to establish and operate and would be ineffective.

At the technical advisory committee's meeting last month it became clear that there wasn't enough time to do as thorough a job as the committee had hoped, said Ed Roback of the National Institute of Standards and Technology and secretary of the 22-member committee that held its first meeting in December 1996.

Though the committee said its draft is not "complete, coherent and comprehensive in addressing the many facets of this complex security technology," Roback said this is not an indication that key recovery is impossible.

"Some people have mistakenly concluded that the delay proves key recovery can't be done," Roback said. "I flatly disagree with that."

Roback and another committee member, Santosa Chockhani, said the committee's task of setting the functionality, security, interoperability and assurance requirements for key recovery agents is a tremendous amount of work.

"We have a very good draft, which we went over during a three-day meeting in Minnesota," Chockhani said. "We went through about one-third of it line by line. It would be a good starting point if we could have two or three more meetings."

The committee's charter expires at the end of July, but the letter says the committee is willing to continue working.

Leaders of top U.S. software companies have lobbied against U.S. encryption policy, which prohibits the export of encryption software stronger than 56-bit key technology without a waiver from the U.S. Department of Commerce. They say the U.S. policy is flawed because of the widespread availability of encryption software outside the U.S.

Representative Bob GoodLatte, sponsor of a bill to change U.S. encryption policy, said last month that it appeared unlikely any legislation on encryption would pass this year. [See "Legislation to Change U.S. Encryption Policy Given Long Odds," June 8 ]

However, House Speaker Newt Gingrich this week reportedly told a California gathering of technology leaders that a task force will start working on encryption this month and the leadership hopes to pass an encryption bill this year.