During the past few years a debate has been raging around the conflict between the rights of an individual to privacy in information to foster its competitiveness and the Government's need to access information for national security and law enforcement purposes. At the heart of the debate is the difficulty in arriving at a position whereby a robust implementation of an encryption process can be accomplished that protects sensitive private or industrial data yet insures that the government can have access to information if that information is part of a criminal conspiracy or enterprise, or other action hostile to the United States. The U.S. Government initially tendered a ciyptographic scheme known as the Clipper Escrow Key management plan. Using communication encryption technology, the government wanted to mandate an encryption process for which it maintained the key used for the decrypting of information transiting any communications path. This key would be split and distributed to escrow agents. The split key would have to be combined if the government were to use the key to decrypt and monitor criminal or other such activities. That methodology met with howls of protest from much of U.S. society (industry and private) due to a certain mistrust of the government and its handling of private information (for example, various IRS scandals). The debate has shifted from the technical solution provided by the Clipper initiative to alternate methods that defme key escrow in terms of a commercial or private entity. A NIST-sponsored key escrow meeting was held on August 17, 1995 to listen to the government's proposal to work towards a solution which industry and the international community would accept and which would provide needed security to private information. The meeting was a positive step towards resolving the conflicting issues surrounding cryptography. The government's proposal to extend the key length of any cryptographic algorithm used to 64 bits to enable export of cryptographic products more readily is a small step towards industry's desire for "good" cryptography. As a result, the government has set the stage to extend cryptography into the broader international field of electronic commerce. Privacy is still an issue and must be included in the resultant key escrow solution. Since the very onset of the debate TECSEC has espoused private key escrow as the only method that individuals, industry and the international community would accept for cryptography. A split key method has been developed that could satisfy many of the issues. The technology is called Constructive Key Management ("CKM "); the resultant product using CKM is called VEIL. VEIL is a software key management design that utilizes multiple key splits with labels as cryptographic triggers. It offers complete administrative control of the key, and it includes an inherent method to construct the key used for encrypting a file or database that results in a fixed header and audit information. By defining the roles of the escrow agent as a mix between government and private as necessary, VEIL can be applied to solve the private key escrow question.
|