Nonprofit group says NSA report shows weaknesses of key recovery

The Center for Democracy and Technology (CDT) is expected to issue its response tomorrow to a National Security Agency (NSA) report that documents the potential risks posed by the encryption technology that has been at the center of a raging debate between the Clinton administration and industry.

The Feb. 18 NSA report [FCW, April 6] details the potential threats of deploying key-recovery technology, which is an encryption system that allows users to retrieve the key needed to unscramble encrypted data should they lose the key. Under the administration's key-recovery proposal, law enforcement agents could decode encrypted data after obtaining a court order or other authorization.

Alan Davidson, staff counsel of CDT, said today that the report marks the first time the NSA has noted there are risks and vulnerabilities associated with key-recovery technology.

"The report lays out this whole series of attacks on key-recovery systems," he said. "You have literally at least 20 potential attacks listed on key-recovery systems. This is a very powerful admission. What they're basically saying is that there are no guarantees a key-recovery system will let them catch the bad guys."

The report, "Threat and Vulnerability Model for Key Recovery," pointed out that certain law enforcement agents and officials operating key-recovery centers could pose the greatest threat to a key-recovery system—and to the users' data, which is encrypted by the system—if proper security mechanisms were not in place.

Key-recovery centers would also become attractive to criminals because of the potential for a huge return on investment that an attack on a center—and access to the data protected within—would bring, according to the report. The report also notes that if a sender of an encrypted message conspires to circumvent the key-recovery system with the receiver, the technology's security mechanisms could be bypassed.

According to a written response NSA provided FCW earlier this month, the threat that anyone poses to key-recovery systems is a function of how well the application has been designed and operated to address potential security concerns. If due consideration is given to the threats and vulnerabilities noted in the report, there would be "minimal risk" posed to the key-recovery system, the statement said.

However, Davidson noted, "Ultimately, it's another piece of evidence that shows that the kind of key-recovery systems being debated on Capitol Hill have serious flaws."
