This is scary stuff... Clipper VI (or whatever number we're up to) in the making. Expect a fresh onslaught of government master key attempts from the US government based on this info war initiative. Michael Wilson <0005514706@MCIMAIL.COM> forwards:
"Key recovery is needed to provide business access to data when encryption keys are lost or maliciously misplaced,
Where they pervert commercial key recovery to mean central government master access. Nasty lies expertly spin-doctored.
and court-authorized law enforcement access to the plain text of criminal related communications and data lawfully seized," the report said.
Where criminals who rate the expense of wiretaps will be using pgp2.x downloaded from Russia, or where ever. More spin doctoring.
In its formal recommendations, the commission urged the government to speed up pilot programs on key recovery, promote efforts to plan for implementing large-scale key recovery systems and encourage private-sector key recovery efforts.
And there it is, they now want to encourage private sector key recovery. Now why would they want to do that, if they don't plan to use it as an infrastructure.
WASHINGTON The head of a presidential commission on cyber-terrorism on Wednesday told a Senate panel that a mandatory system guaranteeing third-party access to scrambled computer communications may be necessary if industry does not embrace the Clinton administration's plan for a voluntary encryption decoding system.
And there so soon we have another repetition of Freeh's comments about mandatory being necessary.
But the key to national security, Marsh said, is strong encryption coupled with a back-door access for law enforcement officials to sensitive communications.
I don't buy this at all. For an infrastructure attack you're worried about pervasive problems in case someone tries to bring down the whole system. Building central control in _anything_ is asking for trouble in info war terms. Everything should be as distributed as possible, to minimise scope of an attacker who compromises keys. Law enforcement with the master keys to the whole country is a huge risk. Some law enforcement key custodian will simply be bribed or coerced for the key, and then they really will have an info war risk.
"We want to see that adopted over all the critical control functions at an early date," he told the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Government Information.
They want to fast track mandatory government access also.
He told the panel that "we must lower the temperature of the encryption debate" long enough to complete pilot projects on key recovery that will prove to industry that such systems can work.
A dangerous climate to be building any recovery systems in, however carefully constructed to reduce risks. I am having doubts about the safety of working on even about anything but the most ad-hoc local recovery at this point.
Various agencies of the federal government currently are developing 13 key recovery pilot projects, which were on display Wednesday at a Government Information Technology Services conference. Marsh said the National Security Agency and the National Institutes for Standards and Technology should head efforts to perfect those systems and set standards for a national infrastructure protection office to carry out.
Really gunning for it this time. 13 recovery pilots, NIST and NSA involvement, standards setting.
Asked by the subcommittee's chairman, Jon Kyl, an Arizona Republican, if those controls should be mandated, Marsh responded: "We think businessmen will find it in their best interest to incorporate these controls. ... Of course, in due time, that may be an option if they are not willing to accept them."
That's a new one... give us master key access now, and we'll think about allowing exceptions at some point in the future.
"Significant questions have been raised by leading cryptographers about the security risks inherent in large-scale key recovery systems, which introduce new vulnerabilities and targets for attack, as well as about the costs and feasibility of implementing such systems."
The main problem is the security and risk of government abuse. I'm
not that sure cost or feasibility is a problem.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0