Fears rekindle key escrow debate

From...

By Brian Fonseca

(IDG) -- As concern grows over the vulnerability of government and industry organizations, a controversial battle is being drummed up on Capitol Hill that could grant government control over encrypted messages.

Key escrow, a system whereby digital keys are generated and copies are acknowledged with a third party that keeps them in escrow until re-covered, is being bandied about in light of the Sept. 11 bombings. The attackers are suspected of having used encryption methods during preparations.

IDG.net INFOCENTER InfoWorld Main Page InfoWorld Test Center Subscribe to InfoWorld Newsletters Infoworld Opinions and Spotlights Related IDG.net Stories Master key encryption plan abandoned Opening encryption 'back door' problematic, experts say Congress debates security vs. civil liberties Features PC World.com Product Finder Bluetooth wireless connectivity set to take off DSL in distress Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

Sen. Judd Gregg (R-N.H.) is pushing legislation that would give law enforcement entities a "master key," granting full backdoor access to all encryption products made in the United States.

But businesses are already shouting down the proposal for both privacy and technical reasons. "I have not found anybody in the private sector that does not understand the value of encryption without hidden keys and vulnerabilities without hidden access," says Ed Black, president and CEO of lobbying group Computer and Communications Industry Association (CCIA).

Black says the temptation to abuse key escrow or create a mass repository of stored keys would pose a single point of security risk unlike ever before. Furthermore, he says fear of its abuse could have a chilling effect on people's sense of privacy and security, causing users to shy away from the technology.

The key-escrow debate mirrors a dropped effort on the part of the government to institute a "Clipper chip" a few years ago. It was designed to allow the government to review any information passing through devices where it was installed.

"Clipper was a heavy-handed way of forcing a particular design into things, and the reason Clipper failed is the same reasons that this will fail," says John Pescatore, vice president and research director of network security at Gartner in Stamford, Conn. "Users lose out if cryptography is weakened or ineffective or much harder to use."

Pescatore says law enforcement, national intelligence agencies, businesses, and end-users need to seek common ground on encryption by increasing the investment on new techniques to break encryption.

"It's never a good idea to increase complexity of cryptographic processes unnecessarily," says Alex Van Someren, CEO of Woburn, Mass.-based nCipher. "It's considered likely any unintentional side effects could occur, which can be dangerous and potentially undermines security of any system employing those techniques."