American Banker: Friday, October 4, 1996
By DREW CLARK
Bank technology experts have reacted favorably to the Clinton administration's proposal to liberalize the development and sale of strong data security tools.
This week, the government said it would lift export restrictions on certain kinds of cryptography, provided U.S. companies agree to cooperate with a procedure that would give law enforcement officials access to the "keys" of such codes, upon presentation of a warrant.
Banks were heartened by the announcement because many view the widely used Data Encryption Standard -- a low-level form of data scrambling -- as inadequate protection against the rising computer power of so-called hackers.
Though banks can use a complex 56-bit data encryption key for financial transactions, sensitive communications with overseas branches are limited to a less powerful 40-bit standard. Banks hope that a loosening of restrictions in general will benefit them, too.
"This policy announcement is better than anyone expected," said Kawika M. Daguio, federal representative at the American Bankers Association in Washington. "It is gravy for us, but it's the meat and potatoes for the hardware and software industries."
"Banks probably won't be adversely affected," said Stewart A. Baker, a partner at Steptoe & Johnson, a Washington law firm, "and they will be left pretty much where they were before." The announcement by Vice President Al Gore said that controls over powerful encryption technology would be lifted as the government and private sector develop a "key recovery" system. (International Business Machines Corp. already has stepped forward to head a consortium dedicated to creating such a system.)
Current law forbids the export of computer hardware or software that uses cryptographic codes with digital "keys" -- randomly generated combinations of 0's and 1's -- longer than 40 bits. The longer the key length, the more impenetrable the code.
For three years, the government has said it would permit the general use of more complex cryptography only if the companies using it placed their keys in the hands of the government or a third party.
"Key escrow," as it is known in the technical community, is needed in order to prosecute people who have stored evidence of illegal activity on the hard drive of a computer, officials argued. But the private sector -- banks included -- have balked at handing over such access to any third party.
The disagreement gave rise to a compromise system known as "key recovery" in which companies would hold their own keys but could be required to divulge certain information about specific transactions when presented with a court order or warrant.
"What is novel is that it doesn't escrow any keys," said Homayoon Tajalli, executive vice president of Trusted Information Systems, Glenwood, Md., one of IBM's consortium partners.
"If the government comes and gets this data with a court order," explained Mr. Tajalli, "then they take a digital lockbox from the third party or parties that hold it, and they read the message."
Kathy Kincaid, director of information technology for IBM, said the difference between key escrow and key recovery is analogous to the following approach to securing a house when its owner goes on vacation: Instead of giving a key to two neighbors, the owner gives each neighbor half the combination to a lockbox that holds the key.
"You must have both halves and put them together in exactly the right sequence," said Ms. Kincaid. "This provides protection against a single point of attack."
Companies participating in development of key recovery systems include: Apple Computer Inc., Digital Equipment Corp., Groupe Bull, Hewlett-Packard Co., NCR Corp., RSA Data Security, Sun Microsystems Inc., Trusted Information Systems, and United Parcel Service.
And a government official said banks may even play a role.
"Banks have really taken a leadership role in the responsible management of cryptography," said a senior Clinton administration official who asked not to be named. "Banks are already doing what we want other organizations to do: safeguarding their keys and providing them, when necessary, to law enforcement."
Heidi Kukis, a spokeswoman for Vice President Gore, said: "This key recovery system is the proper balance between commercial interests and national security."
But not all agree. Some argue that the key recovery system still gives the government too much control over information flow.
"Providing 56-bit encryption with key recovery doesn't help us," said Netscape spokeswoman Chris Holton. "The government is saying that you can export it but you have to provide us with the keys. We feel that is extortion on the part of the government."
"We are making the best of a bad situation," said Scott Schnell, vice president of marketing for RSA Data Security.
"The bottom line is that the standard proposed by the government is an insubstantial step in the right direction," he said. "We want to make sure it is usable and prepare for the day that products will be available that do not have this key recovery situation."
The government's announcement came three months after a National Research Council report on the role of cryptography in an information-oriented society.
The report encouraged liberalization of government standards and questioned the feasibility of the key escrow system then favored by government.
"We raised the issue about the security of key escrow systems," said law professor Kenneth W. Dam, chairman of the body that prepared the report, "and we said the government should work on it."
"I take it this is an attempt to move in the way of key escrow, with the help of industry," said Mr. Dam.