Nonprofit group says NSA report shows weaknesses of key recovery

The Center for Democracy and Technology (CDT) is expected to issue its response tomorrow to a National Security Agency (NSA) report that documents the potential risks posed by the encryption technology that has been at the center of a raging debate between the Clinton administration and industry.

The Feb. 18 NSA report [FCW, April 6] details the potential threats of deploying key-recovery technology, which is an encryption system that allows users to retrieve the key needed to unscramble encrypted data should they lose the key. Under the administration's key-recovery proposal, law enforcement agents could decode encrypted data after obtaining a court order or other authorization.

Alan Davidson, staff counsel of CDT, said today that the report marks the first time the NSA has noted there are risks and vulnerabilities associated with key-recovery technology.

"The report lays out this whole series of attacks on key-recovery systems," he said. "You have literally at least 20 potential attacks listed on key-recovery systems. This is a very powerful admission. What they're basically saying is that there are no guarantees a key-recovery system will let them catch the bad guys."

The report, "Threat and Vulnerability Model for Key Recovery," pointed out that certain law enforcement agents and officials operating key-recovery centers could pose the greatest threat to a key-recovery system—and to the users' data, which is encrypted by the system—if proper security mechanisms were not in place.

Key-recovery centers would also become attractive to criminals because of the potential for a huge return on investment that an attack on a center—and access to the data protected within—would bring, according to the report. The report also notes that if a sender of an encrypted message conspires to circumvent the key-recovery system with the receiver, the technology's security mechanisms could be bypassed.

According to a written response NSA provided FCW earlier this month, the threat that anyone poses to key-recovery systems is a function of how well the application has been designed and operated to address potential security concerns. If due consideration is given to the threats and vulnerabilities noted in the report, there would be "minimal risk" posed to the key-recovery system, the statement said.

However, Davidson noted, "Ultimately, it's another piece of evidence that shows that the kind of key-recovery systems being debated on Capitol Hill have serious flaws."
