Nonprofit group says NSA report shows weaknesses of key recovery

The Center for Democracy and Technology (CDT) is expected to issue its response tomorrow to a National Security Agency (NSA) report that documents the potential risks posed by the encryption technology that has been at the center of a raging debate between the Clinton administration and industry.

The Feb. 18 NSA report [FCW, April 6] details the potential threats of deploying key-recovery technology, which is an encryption system that allows users to retrieve the key needed to unscramble encrypted data should they lose the key. Under the administration's key-recovery proposal, law enforcement agents could decode encrypted data after obtaining a court order or other authorization.

Alan Davidson, staff counsel of CDT, said today that the report marks the first time the NSA has noted there are risks and vulnerabilities associated with key-recovery technology.

"The report lays out this whole series of attacks on key-recovery systems," he said. "You have literally at least 20 potential attacks listed on key-recovery systems. This is a very powerful admission. What they're basically saying is that there are no guarantees a key-recovery system will let them catch the bad guys."

The report, "Threat and Vulnerability Model for Key Recovery," pointed out that certain law enforcement agents and officials operating key-recovery centers could pose the greatest threat to a key-recovery system — and to the users' data, which is encrypted by the system — if proper security mechanisms were not in place.

Key-recovery centers would also become attractive to criminals because of the potential for a huge return on investment that an attack on a center — and access to the data protected within — would bring, according to the report. The report also notes that if a sender of an encrypted message conspires to circumvent the key-recovery system with the receiver, the technology's security mechanisms could be bypassed.

According to a written response NSA provided FCW earlier this month, the threat that anyone poses to key-recovery systems is a function of how well the application has been designed and operated to address potential security concerns. If due consideration is given to the threats and vulnerabilities noted in the report, there would be "minimal risk" posed to the key-recovery system, the statement said.

However, Davidson noted, "Ultimately, it's another piece of evidence that shows that the kind of key-recovery systems being debated on Capitol Hill have serious flaws."
