Interesting People mailing list archives
Privacy board sees new encryption technology
From: David Farber <farber () central cis upenn edu>
Date: Sun, 27 Mar 1994 17:30:35 -0500
From: hal () clark net (hal) Just wanted to report on what I saw at the last meeting of the NIST Privacy Advisory Board. They had two vendors that told of their hardware developments. It is basically a neat plug in card for the PC or laptop that holds an encryption engine. It was developed to do all the users encryption needs on the card including signature, key exchanges, basic message encryption and transaction encryption (application layer). The really interesting thing was the socalled FLAG module (about 1 inch wide by 2 inches in length). It slides into a slot on the encryption plug in card. This flag card contains the national policy definition and conditions the card to only provide services defined by the local nations policy. In the US that might mean key escrow, in other contries something else. The card would include protocols that enforce say.. a plaintext gateway policy. (One country has such a policy: only plaintext can cross the boarder. I suppose the card handshakes with the gateway and "tells" your card to shut off its privacy feature, just a guess). The whole card including the slide in FLAG module is about the size of three credit cards stacked on top of each other. Its a standard ( and the standards name escapes me just now. Maybe a reader can supply it). When pressed by the panel about policy issues the vendors said they were not interested in policy issues. That it was a matter for local governments to decide. That they only wished to separate the technology issues away from the policy debate in order to create a standard that all countries could use. That when the technology was a bit more mature it would be submitted to various economic unions (like the EC) for standardization. The FLAG module would contain all the rules and local policy "keys" in a non-forgeable format and the whole thing will be tamper proof. The vendors indicated that they had shown this technology to half a dozen countries an it had been received very well. One country that is currently building an infrastructure wants to incorporate it now into their plans. There was some discussion about using the existing postal services as a source for the cards and modules. That this would provide a certified source for the boards/flag module (i.e. issued by a government outlet). You would get them at your local post office. The panel raised the issue of interoperability between different countries. The vendor again stressed that this was a policy issue that would have to be worked out by international agreements.But that this technology had no limitations in that respect. One panel member raised the issue that sooner or later someone would forge a FLAG module and run under a "false" FLAG policy. There was some discussion about this and it was agreeded that someone at sometime would attempt to forge a FLAG module. But the vendors said that the FLAG module would have a secure protocol that it would use to communicate with the actual crypto-card. That it would be necessary to either reverse engineer the FLAG and card, assumed to be very very difficult, or break the secure protocol, also very very difficult to do. It was then agreeded that someone could produce a forged card that didn't use a FLAG module. This was thought possible. I'm not quite sure but I found the notion of your own laptop having to communicate with a government policy server kind of funny. This was thought necessary to enforce some types of government policy (not necessarily an American policy). One country was said to favor a postal meter arrangement under which your card ran out after a certain number of sessions and had to be recharged by the post and telegraph people. It will be interesting to see the full range of local government policies when they get published as part of an international standard. -hal () seta com
Current thread:
- Privacy board sees new encryption technology David Farber (Mar 27)