Interesting People mailing list archives
IP: HP press conference on crypto
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 18 Nov 1996 14:08:50 -0500
From: director () embassy org (Ross Stapleton-Gray) Date: 96-11-18 10:13:49 EST I decided to bug out of the press conference after finding it scheduled for 9:30, and not 8:00 (though even the Press Club literature was on my side!), though I (1) left the reporting in the hands of folks like Brock Meeks, an (2) scarfed up the available literature. The folks in attendance were a veritable Who's Who of crypto wonkdom... Dorothy Denning, Stu Baker, and a slew of other notables. HP's "breakthrough" is their International Cryptography Framework (ICF). According to their press release, it is approved by USG, "supported" by the French and British governments, and has technology partners in Intel, Microsoft, Gemplus, RSA and TIS, and application partners in Informix, Netscape and VeriFone. Later in the release are quotes from the cited governments: US - "We are satisfied that despite the flexibility that is built into HP's ICF, it has sufficient technical controls to ensure compliance with US policy." France (Service Central des Systemes d'Information) - "The ICF architecture looks very promising to support the Trusted Third Party Schema that will be implemented in France in application of the July 1996 law on Telecommunications." UK (Dept. of Trade & Industry) - "ICF is an interesting solution that may help to ensure that industry needs for security for their information and communication systems are met without undermining the requirements for effective law enforcement." As an old analyst, "looks very promising" and "interesting...may help" are not approvals, just tentative mushy words avoiding endorsement. The technology itself appears to be in the form of a "tamper-proof" physical device (reminiscent of Clipper/Capstone) which would hold "dormant" encryption mechanisms. These could be activated through assertion of a "Policy Activation Token" received from a "Security Domain Authority." Individual encrypted messages would have appended a "Key Recovery Field" to permit the specific session key for that message to be retrieved by a key recovery agent. None of the literature goes into much detail of how governments would play in this... presumably the requirement for "Policy Activation Tokens" means that HP (through hardware partner Intel) could ship a lot of devices that could implement 56-bit DES today, and be later activated to provide 128-bit escrowed Algorithm X, or Y, or Z (not clear if the tamper-proof box can be loaded with new encryption code, or if it's only working from the original set of stored protocols). It's not clear if there's a deactivation capability, or if there is, how the user would be compelled to use it (though one could imagine a time-out feature requiring reactivation). I'll leave it to the real crypto analysts to sort out, but it looks as if what HP, Intel and Microsoft (which has a crypto API for the technology to be fitted in) have delivered is a general-purpose Clipper-like container, with a key escrow structure in two areas: the device itself is governed by the Policy Activation Token, and individual session keys can be reconstructed by whomever the escrow agents are. At first glance there seem to be a lot of unknowns, e.g., whether this system would be as subject to corruption of the Key Recovery Field (and hence rendered unreadable by the escrow agents) as Matt Blaze showed Clipper and its LEAF to be. Not a software solution either, requiring an Intel device... presumably device keys (for use by the "Policy Activation Token") would be established by Intel for passage to "the authorities," or Intel could produce keyable devices. Dunno... the more I think about this the more I'm unsure that this is a safe system (from the perspective of keeping strong crypto out of nongovernment hands)... spoofing of Tokens, corruption of the KRF, etc., all seem reasonable stunts. Ross _____________________________________________________________________ Ross Stapleton-Gray TeleDiplomacy, Inc. director () embassy org 2503 Columbia Pike, Suite 118 Director, Electronic Embassy Program Arlington VA 22204 http://www.embassy.org +1 703 685-5197 / 5257 fax
Current thread:
- IP: HP press conference on crypto Dave Farber (Nov 18)