Minutes of the February 19-20, 1997 Meeting of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure February 19, 1997 The second meeting of the Committee was called to order at 9:05 a.m. by Executive Secretary Ed Roback. He welcomed everyone and reviewed the agenda for the two day meeting. (Reference #1) Next, Committee Chairperson Dr. Kent commented on the establishment of the informal working groups (WGs), which now all have chairpersons in place. He encouraged all members and federal liaisons to join one or more of the WGs if they had not already done so. The WGs are #1 Framework, #2 Security Models, #3, Key Recovery Agents (KRAs) , #4, non-KRA Elements, and #5, Interoperability: The WGs will not act independently for the Committee. They will function solely to gather information or conduct research of the Committee, analyze relevant issues and facts, or draft position papers for consideration by the Committee. Dr. Kent asked if there were any comments from the membership. There being none, the Committee then proceeded to hear presentations from the federal government liaisons regarding their key recovery perspectives and requirements. Federal Key Recovery Perspectives Ms. Elaine Barker of NIST (representing Ms. Patricia Edfors of Treasury/GITS) presented the evaluation criteria of the PKI emergency access effort. She briefed the policies and procedures, process, emergency access implementation, user protection, key recovery requirements, and key recovery agent requirements of the project. (Reference #2) Mr. Howard Bolden, Small Business Administration (SBA), expressed his agency’s concerns from the administrative and logistical standpoint. Mr. Bolden said that SBA will comply with whatever is established. However, they are most concerned about maintaining the data given that the half-life of encryption software is less than the 20 years during which SBA must maintain some encrypted data. He would like to see a standard developed, maintained and utilized by any software that is going to fulfill this need. He also recommended having a test file at NIST which all users and vendors must be able to decrypt. That would give SBA the confidence to use this method and be relatively comfortable with encrypting long term data and meet their requirement of retrieval of data that is up to 20 years old. Mr. Clem Boyleston, Department of Energy (DOE), agreed with the expressed requirements that whatever is approved for agency use will have to last for many years. He stated that DOE will have needs for key recovery. He expressed concern that a particularly sensitive issue is when key recovery done without the user’s knowledge but acknowledged that it has to be an option because, unfortunately, not all people are law abiding. He described a strong need for checks and balances in key recovery. Mr. Boyleston was asked if use of time stamp was a consideration. He replied that was indeed a consideration at DOE. He also said that the same requirements would be used in the international arena and noted that DOE is looking at key recovery as more of a "right now" form of encryption need as opposed to future need. Discussion followed regarding the type of keys to be discussed. The committee is to be focus on the recovery of keys used for encryption. With regard to the question of key recovery for classified v. unclassified data, the committee efforts involve unclassified information only. Mr. Michael Gilmore, Federal Bureau of Investigations (FBI), reported on the current key recovery activities in his agency. The FBI is currently developing a secure e-mail system which will use KMI. Also, the FBI’s Computer Investigations and Infrastructure Threat Assessment Center (CITAC) has a requirement to securely communicate with approximately 200 vendors and government agents. CITAC will communicate over the Internet using encryption software as well as provide encryption software. The FBI will manage the keys. The characteristics that the FBI would like to see in a Federal KMI are (1) information availability to allow law enforcement to decrypt communications and stored information in a timely manner and retained for extended time periods; (2) readily accessible key escrow agents so that proper requests are accepted any time; (3) upon receipt of a proper request, the expeditious release of the information needed for decryption; and (4) safeguards to maintain the confidentiality of information pertaining to the request for and the release of the decrypted information. (Reference #3) Mr. Jan Manning, National Security Agency (NSA), presented their requirements for key recovery, including modular key recovery architecture, scalability, flexibility, encryption algorithm independence, key recovery for confidentiality keys only, and trustworthy components/functions. He also reviewed security requirements, key recovery agent requirements, and the interoperability aspects of the key recovery-enabled products. He concluded his presentation by stating that NSA’s recommendation is for a modular architecture to support different access requirements and uses of key recovery within the government. (Reference #4) Mr. Mark McCloy of the National Oceanic and Atmospheric Administration (NOAA) began his briefing by saying that most of NOAA’s information is not encrypted. However, they are interested in insuring that whatever is developed will meet their future encryption needs, even though it may be minimally used. They are looking into the potential for any international ramifications because NOAA regularly exchanges vast amounts of information and data across national boundaries. Mr. John Sabo, Social Security Administration (SSA), says that SSA is very business-focused and a data system warehouse of sensitive data regarding the American people. As their systems evolve, so will their need for encryption, so they will need key recovery. Mr. Sabo said that SSA is looking to this committee to identify where it is appropriate to use key recovery with outside partners. His presentation covered the following: - why SSA needs key recovery; - their interest in recovery of data; - infrastructure requirements of key recovery for confidentiality only; - that the standard not be developed dependent upon an algorithm; - SSA’s security requirements; - key recovery agent requirements; - non-key recovery agent components; - does it embody everything else that's not key recovery; - questioned do we want standard on law enforcement access, so there is standardization of how that is done; - how to prevent the circumvention--difficult to track; and - have automatic use of key recovery mechanism. Mr. Sabo said that interoperability of key recovery enabled products should be automatic. He would like to see that users are aware when communicating with a non-key recovery entity. He would also like (1) to know when one side is recoverable; (2) the architecture to be modular to support different access requirements; and (3) a means to keep the standard current with advancing technologies. (Reference #5) Mr. Miles Smid, National Institute of Standards and Technology (NIST), presented his perspectives on requirements for the new standard, noting that the initial government requirements for security/complexity are in their third revision. He stated that the commercial and government requirements need to come closer together. The desirable properties NIST sees are: low maintenance, security, integrity, availability and reasonable costs. He stressed that the recovery system should be designed to stand up to attacks (this also applying to integrity) and that costs should be minimized. He continued with an overview of the requirements areas which included the overall system, data recovery agents, recovery sub-systems, end user products and conformance testing. He also indicated that modification of use of algorithms for government data needed to be approved but there was still a need to have some requirements on the cryptographic methods approved for government uses. (Reference #6) Mr. Roback informed the Committee that since not all departments and agencies could provide a liaison to the Committee, he had written federal CIOs to ask for submission of requirements to the Committee. Responses from the Treasury Department, Department of Veterans Affairs, and Department of Labor were distributed to the Committee. (Reference #7) This concluded the federal government briefing sessions. The meeting focus then turned to hearing from the foreign government representatives. Foreign Perspectives Ms. Asterid Pregel, of the Canadian Embassy in Washington, delivered a public statement containing information on Canada's cryptography policy. (Reference #8) The Canadian government is committed to the development of a balanced policy framework for the production, deployment and use of cryptography and as such has not predetermined what its favored outcome will be. The Canadian federal government will require their version of PKI to provide a uniform key management infrastructure for sensitive but unclassified information across the federal government. The Canadian federal PKI is currently headed by the Treasury Board Secretariat. Ms. Pregel was accompanied by Mr. Gareth Sansom of Industry Canada and Mr. Glenn Sibbitt of the Canadian Department of Foreign Affairs and International Trade, who took questions from the Committee. General Louvion and Mr. Philippe Dejean of the French Service Central de la Sécurité des Systèmes d’Information (SCSSI) first presented an overview of SCSSI, which is in charge of securing the information systems used by the French government and the enforcement of French legislation concerning cryptography. Concerning French cryptographic policy, before 1986, the French government considered cryptographic equipment "war material" and as such, it was almost always banned for the layman. In the early 1990s, legislation was enacted that ended that ban. A 1996 law added the freedom to introduce some kind of encryption equipment or provisions of services, control of importation from countries outside the European Union and a deadline for authorization to be granted was enacted. General Louvion covered what was constrained, what must be declared and what must be authorized. He also discussed licensed third party, law enforcement agencies needs and technical constraints. (Reference #9) Representing Germany, Dr. Ansgar Heuser of the German Information Security Agency, presented the current state of affairs and perspective of German cryptography policy. He was accompanied by Dr. Marion Rengstorf of the German Federal Chancellery. Dr. Heuser stated that currently Germany allows free use of cipher systems inside Germany, has no import controls, and export controls are according to the Wassenaar arrangement. From the law enforcement perspective it is not a big issue at this time, although this may change in the near future. There is ongoing debate about the necessity, usefulness, enforceability, and human rights aspects of this issue and, particularly in academic circles, there is massive resistance to any suggestions of cryptography legislation. Dr. Heuser expects that there will be no legislation in the next 2-3 years. Data recovery only applies to encrypted stored data, not to communications. There is very limited interest in data encryption systems with built in data recovery features; currently, no German manufacturers offer such products. Foreign key repositories will not be accepted by the user nor be recommended by the German government. (Reference #10) The Japanese government was represented by Mr. Ken Mukai, Deputy Director, IT Security Policy Office, Ministry of International Trade and Industry (MITI), Mr. Takashi Goto, Director of the IT Security Center of the Information Technology Promotion Agency, Mr. Shinichi Fukushima, Senior Engineer, Product Planning Department, Hitachi, Ltd., Software Development Center, and Mr. Akifumi Kambara, Chief Manager, Computers Group Planning Division, NEC Corporation. Mr. Mukai’s presentation covered the market trends, cryptography, problems areas, and basic outline of MITI’s cryptography policy. He said that Japan’s basic concept for technological development includes market-driven or demand-driven technology, non-enforcement by government agencies and to encourage the private sector to develop highly secure algorithms. They believe that cryptography is the key technology for the promotion of electronic commerce. He discussed the free flow of encryption and promotion of its use and the establishment of certificate authorities. He pointed out necessity for developing data recovery technology due to the commercial needs for recovering the data in case of EDI and system auditing. Japan’s export trade control order and foreign exchange control order are based on the Wassenaar arrangement. He said that the MITI would cooperate with other governments to assure interoperability and mutual authentication among different cryptographic systems beyond the boundaries. (Reference #11) Mr. Takashi Goto of the IPA then presented an overview describing what IPA is and its activities in the IT security area, including cryptography and authentication activities. Mr. Goto stated that as soon as MITI had decided on its policy on KRS the IPA was ready to implement it. (Reference #12) The Swedish delegation consisted of Mr. Göran Axelsson of the Swedish Agency for Administrative Development, Mr. Stig-Arne Ekhall, Military Intelligence and Security, Communications Security Section, Headquarters of Defence, Dr. Gyorgy Endersz of Telia Research AB and Mr. Giere of Ericsson Inc. Mr. Axelsson, representing the crypto policy team in the Swedish Cabinet offices, reported that the Cabinet office is preparing cryptographic policies regarding encryption with Ambassador Faxén leading the effort. Intensive work has been conducted in the OECD and cryptography guidelines are close to be finalized. He indicated that the struggle is with the balance in development of the policies to cover all areas of need such as users (business, government use, individuals), law enforcement, export control and national security. They believe that cooperative agreements between states are logical in order to secure communication and satisfy requirements from law enforcement agents. They are also investigating if there is a need for creation of legislation. Launched activities of the Swedish government in the area of electronic commerce include providing customers with trusted third party and CA-functions to secure the transactions and to promote the growth of the marketplace in order to get a breakthrough for this type of service/infrastructure. (Reference #13) Dr Endersz presented Telia and ETSI activities related to key management. Telia AB, the largest Swedish telecom operator, is engaged in the development of TTP infrastructures in more than one way. Telia acts as one of the providers of services and infrastructure within the governments electronic commerce project, contributes to the work of ETSI concerning requirements and standards for TTP services and follows closely the developments within key recovery, especially with regard to international activities. One fundamental requirement for a key management infrastructure in the open telecom service environment is interoperability based on standards. The ETSI ad-hoc working group on TTP services has completed the final draft of the technical report (ETR) "Requirements of Trusted Third Party Services" and started work on the technical standard (ETS) for asymmetric and symmetric key management services and key recovery. Modularity is a major requirement and it means that service components and key recovery can be combined and implemented according to prevailing demands and policies. The ETS draft proposal is scheduled for later this year. (Reference #14) Mr. Ekhall of Sweden's Headquarters of Defense stated that his organization is currently not working in the area of key management infrastructure. Their interests are in the area of interoperability, essential to promote international communications. There is a strong need for internationally agreed evaluation criteria such as the common criteria. Mr. Axelsson expressed, in response to questions from Committee members, mixed feeling about key recovery. The crypto policy team is in the process of finding a balanced solution to incorporate general key recovery solutions. He said that Sweden is looking forward to studying the proposed FIPS to see what they may be able to use. At the current time, they do not have any recovery standards in place. At present, they are investigating the issue of key repositories in other countries and have not regulations on key repositories in their own country. He said that there are not limitations on import and no rules in place regarding licensing. They are waiting to see what the international solutions on the outside may be. He indicated that Sweden's export policy follows Wassenaar Agreement rules. The next speaker was Mr. Mark King of the Communications-Electronics Security Group (CESG), United Kingdom. Mr. King reviewed the UK’s paper on regulatory intent concerning use of encryption on public networks and the government’s proposal for trusted third parties. He also addressed the constraints of confidentiality of international cryptographic systems. (Reference #15) Following Mr. King’s presentation, the meeting was recessed until the following day. Thursday, February 20 The meeting was reconvened at 9 a.m. beginning with discussion of intellectual property issues. Mr. Mark Bohannon, Department of Commerce, reviewed Annexes of the American National Standards Institute (ANSI) patent policy. (Reference #16) He pointed out that it is stated that when drafting standards, there is no objection in principle to including the use of patented items, if technical reasons exist. Mr. Bohannon said that the work of this Committee is following an open standards setting process that follows the ANSI patent policy. Early disclosure of patents is essential to assure that improper restraints of trade do not occur. Committee work is open to the public. Exceptions can be made, but there are statutorily limited conditions under which federal advisory committee meetings may be closed. What can be discussed at the open committee meetings include any information that members do not wish to treat as a trade secret, patents that have been granted, patent applications that do not make enabling disclosures (i.e., disclosures that would teach a person to practice the invention). He pointed out that before anyone discloses any invention to this Committee that is not yet patented, they should consult with their counsel. (Reference #17) With respect to the Committee’s questions from the December meeting regarding federal patent rights, Mr. Bohannon said that there is not a centralized way to identify all the patents that the government owns but he has research underway and will provide the findings to the Chairperson when completed. Mr. Miles Smid, NIST, lead a discussion on the FIPS development process. He reviewed NIST’s strategies for integrating voluntary industry standards for FIPS as well as reviewed the new requirements by the federal government to use voluntary consensus standards. He suggested that this Committee many want to consider employing existing accreditation mechanisms and move quicker to where the government uses voluntary standards to do its business. (Reference #18) Mr. Bohannon provided the Committee with additional background and the legal framework for FIPS. (Reference #19) Mr. Smid also distributed a 1979 paper "A User Controlled Key Management Scheme with System Controlled Backup." (Reference #20) Reports of the Working Groups 1. Framework WG chaired by Mr. Roger French. Mr. French reported that the WG is struggling with the identification of actual objectives. They plan to develop a list of technical requirements for encrypted systems or subsystems that provide for key recovery. Such a list would include the differences between stored and transmitted data. As a result of the briefings by the federal agencies at this meeting, they will compile a master list of requirements, eliminate the duplicates and come up with a finished list. Existing products and schemes will be matched to see what differences arise. They may construct a high level model that embraces different methods upon which to organize requirements in addition to other granular breakdowns. It was pointed out that the group may want to be careful in coming up with extensive requirements list because other groups will be developing requirements in their areas. Mr. Sabo stated that he would like to see the group look at the scope as it applies to applicability. 2. Security Models working group chaired by Dr. Brickell. Dr. Benaloh was asked to give their report in Dr. Brickell’s absence. Dr. Benaloh said that there was a good deal of overlap between the requirements and framework groups and they are trying to separate the two. He stated that from what the agencies presented, they are looking for a flexible mandatory standard, covering both stored and transmitted data, for commercially available off-the-shelf products. A major issue noted was the matter of flexibility. The standard must be broad enough to allow products to be developed by anyone. The scope of this working group was stated by Mr. Chokhani as identifying things such as key recovery agents, TTPs, two entity systems, integrity, authorization of keys, confidentiality of information, and accountability, especially of key recovery agents. 3. Key Recovery working group chaired by Mr. Joe Alexander. Mr. Alexander addressed the idea of keeping it simple but high level. Emphasis on the need for flexibility was pointed out. A definition of what is expected would be a good thing to have identified. It was noted that there is the potential for some organizations to act as their own key recovery agents as opposed to use of an outside TTP. Ms. Elaine Barker of NIST stated that NIST may offer certificate authority and data recovery capabilities to other agencies. 4. Non-Key Recovery working group chaired by Mr. Steve Ellis. Mr. Ellis said that this group would work on the essentials of protocol and the issues raised by network vendors. He plans to have minutes of his working groups sessions posted electronically and suggested that all the working groups do likewise. 5. The charge for the Interoperability working group, chaired by Mr. Don Rothwell, is to examine interoperable approaches for data recovery methods. The key recovery approach would not affect communications interoperability. They plan to explore various interoperability implications of key recovery systems. Next on the agenda was discussion of topics for the next meeting in Boston on April 23-24, 1997. The committee requested a presentation, perhaps from a representative from the National Archives, regarding records retention issues relating to cryptography and key recovery. Another topic of discussion, which was requested by Mr. Chokhani, was high level system architecture. (ACTION - Secretariat) Dr. Kent stated that one hour would be set aside for full scale presentations by the each WG at the next meeting. He also said that it would be useful if the working groups would make their presentation material available in advance of the meeting. Dr. Kent reminded the committee that he had requested input from them with regard to intellectual property matters and that he had not received any feedback at this point. (ACTION - Members) There were no requests made for public participation at this meeting. Mr. Roback mentioned that NIST was holding a workshop on April 15, 1997 at NIST headquarters (Gaithersburg, Maryland) to discuss the draft evaluation criteria for the Advanced Encryption Standard. He welcomed comments from the committee and invited them to attend the workshop. Having no further business, Dr. Kent adjourned the meeting at 1:30 p.m. References (on file with the Secretariat) #1 - Agenda #2 - EADP Evaluation Criteria #3 - FBI/Gilmore presentation #4 - NSA/Manning presentation (2) #5 - SSA/Sabo presentation #6 - NIST/Smid presentation #7 - Submissions from Treasury, VA and Labor (3) #8 - Canadian presentation #9 - French presentation #10 - German Presentation #11 - Japan/MITI presentation #12 - Japan/IPA presentation #13 - Swedish presentation #14 - ETSI documents #15 - UK presentation #16- ANSI Patent policy #17- Commerce/Bohannon presentation #18- NIST/Smid presentation (FIPS) #19- Commerce/Bohannon presentation (FIPS 101 Primer) #20- NIST/Smid paper (1979, "A User Controlled ...")