KEY RECOVERY DEMONSTRATION PROJECT

Formerly known as the Emergency Access Demonstration Project

In May 1996, the Office of Management and Budget (OMB) released a white paper titled "Enabling Privacy, Commerce, Security, and Public Safety in the Global Information Infrastructure". This paper stated that "government and industry must work together to create a security management infrastructure and attendant products that incorporate robust cryptography without undermining national security and public safety". In support of this goal, a Key Recovery Demonstration Project (KRDP) was initiated to demonstrate the practicability of recovering keys that support data encryption in Federal government applications. Approximately ten Federal agencies will participate in a pilot program in which different key recovery technologies will be implemented, tested, and evaluated. A brief description of the pilot agency applications is found in a KRDP Project Summary.

The National Institute of Standards and Technology (NIST) has issued a Broad Agency Announcement (BAA) that solicits products and services that will be used to support this project. Three possible methods of key recovery are depicted in Key Recovery Examples.

KRDP Implementation Evaluation Criteria identify the functional and security concerns related to the Federal government's need to have emergency access to encrypted data.

The following additional documents may be useful to contracting organizations that are responding to the BAA.

  1. FIPS 140-1

    In January 1994, NIST issued "Security Requirements for Cryptographic Modules" as Federal Information Processing Standard (FIPS) 140-1. The standard specifies the security requirements that are to be satisfied by a cryptographic module utilized within a security system protecting unclassified information within computer and telecommunication systems. When applicable, responders to the BAA are asked to provide FIPS 140-1 compliance status for their offered product or service; however, compliance with FIPS 140-1 is not required for participation in this project.

  2. Minimum Interoperability Specification for PKI Components

    A Certification Authority (CA) system certifies the public key that is part of a public/private key pair that can be used to support data encryption. Vendors of CA systems that are responding to the BAA are asked to state to what extent their product or service complies with the NIST draft "Minimum Interoperability Specification for PKI Components", which was issued for public comment in December 1996.