Reports and guidance documents; availability, etc.: Key recovery products; requirements; Technical Advisory Committee report; comment request,

[Federal Register: July 7, 1999 (Volume 64, Number 129)]

[Notices]

[Page 36672-36673]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr07jy99-48]

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 990608155-9155-01]

RIN 0693-ZA31]

Technical Advisory Committee Report: Requirements for Key Recovery Products

AGENCY: National Institute of Standards and Technology (NIST), Commerce.

ACTION: Notice; request for comments.

SUMMARY: The Department of Commerce seeks public comment on ``Requirements for Key Recovery Product,'' encompassing technical recommendations prepared by the ``Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure.'' The Committee was established by the Department to provide technical advice on an encryption key recovery standard for use by Federal agencies to provide for the continued government access to encrypted information in the event of the unavailability (e.g., loss due to unavailability of critical personnel) of the encryption/decryption key(s). The Committee held its final meeting in November, 1998, and subsequently delivered its work to the Secretary of Commerce. Notwithstanding the availability of opportunities for public input to the Committee's activities, the Committee's technical report and significance makes them worthy of additional public discussion and comment. Comments are also sought as to actions that the Department may wish to take as it contemplates using this report as the basis for a Federal key recovery standard.

DATES: Comments should be submitted no later than November 4, 1999.

REPORT AVAILABILITY AND ADDRESSES: The report is available electronically from the Committee's homepage at ‹ http://csrc.nist.gov/ tacdifipsfkmi/ ‹ls-thn-eq›. Electronic comments on the report may be sent to Key-recovery@nist.gov.

A hard copy of the report is available by request from NIST, Information Technology Laboratory, Attention: Review of Key Recovery Committee Report, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899- 8930. Written comments may also be sent to this address.

FOR FURTHER INFORMATION CONTACT: Edward Roback, Executive Secretary, Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure, telephone 301-975-3696.

SUPPLEMENTARY INFORMATION: The ``Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure'' was chartered by the Department of Commerce in 1996 to seek industry recommendations on technical specifications for accomplishing the recovery of keys used for encryption (as opposed to keys used solely for digital signatures, which should not be recoverable, since a new signature key pair is normally created in event of loss). The Committee was comprised of 24 members drawn from the private sector with expertise in computer systems, telecommunications, banking, security, research and other pertinent areas. Its activities were augmented by liaisons from various Federal agencies, who provided input and perspective to the Committee as to the security and functional key recovery requirements of Federal agencies. Twelve meetings of the Committee were held between December 1996 and November 1998. The progress that the Committee made on various drafts of its report may be seen on the Committee's electronic homepage at ‹htt://csrc.nist.gov/tacdfipsfkmi/›.

In June 1998, the Committee delivered an interim work product to the Secretary, requested additional time to complete its work, and suggested that work on detailed implementation guidance be initiated, noting that such guidance will be essential to the successful deployment of any key recovery system (since many aspects of key recovery system security [e.g., integration of key recovery products into an application/operational system or usage policy] were outside the scope of the Committee's work). The Committee also urged pursuit of conformance testing based upon the model employed for Federal Information Processing Standard (FIPS) 140.1, Security of Cryptographic Modules. In response to the request for additional time, the Department extended the charter of the Committee through the end of 1998 and urged the Committee to use the remaining time to complete its review of the document,

[[Page 36673]]

resolve inconsistencies and address any remaining issues.

Because this technical input was requested in anticipation of developing a FIPS on key recovery, the format of the Committee's report parallels that of a FIPS. However, since the Committee was chartered only to address technical issues, some areas (e.g., ``applicability'' and ``waiver process'') contained in a FIPS were not addressed by the Committee. The Committee noted in their draft that text for these sections would have to be supplied at a later date by the government.

In delivering its report to the Secretary, the Committee noted that its members did not ``have time to verify the consistency and completeness of the document as a whole'' and stated that these are crucial. Therefore, the submission of public comments on the consistency and completeness of the document is particularly encouraged.

The Committee's report is divided into two major sections, an ``announcement section'' and a ``specifications section.'' The first section is fairly pro forma and contains, among other items, a brief explanation of the document, an index, list of appropriate applications, notes on implementations, and a glossary. Qualifications on the use of conforming products are also discussed. The second section contains the detailed specifications of the document and is divided into four chapters: (1) Overview, (2) Key Recovery Model, (3) Security Requirements, and (4) Assurance Requirement. Four appendices are included: (A) Key Recovery Technique (B) Examples, (C) Key Recovery Block, and (D) Certificate Extensions.

The key recovery model utilized by the Committee throughout its document describes five key recovery functions: (1) Key Recovery Information Generation, (2) Key Recovery Information Delivery, (3) Function Key Recovery Information Validation, (4) Key Recovery Requestor and (5) Key Recovery Agent. For each of these functions, one or more security levels is defined and functional and security requirements provided. For each security level(s) of a function, a corresponding assurance level is then specified with appropriate requirements.

Dated: June 30, 1999. Karen H. Brown, Deputy Director.

[FR Doc. 99-17234Filed7-6-99; 8:45 am]

BILLING CODE 3510-CN-M