Encryption Alliance Supports Key Recovery Technology

Hot on the heels of the Clinton administration's new encryption policy, 11 information technology vendors and user organizations have announced formation of an alliance to support the development of key-recovery technologies.

The alliance is also open to other companies with an interest in key recovery.

While the initiative is clearly an effort by industry to create a mechanism that will comply with the newly opened door to encryption technology exports, vendor members of the group say that there are real market opportunities to be exploited in the key-recovery arena.

"Key recovery has been known to have legitimate business purposes all along, said Doug McGowan, R&ampD manager of Hewlett-Packard's networking and security division. "Several companies have been working independently to develop these technologies, two of which are in this alliance -- IBM and TIS," he said.

For instance, large companies that would like to start routinely encrypting data that travels between international facilities are already finding key recovery useful in several circumstances.

"If an employee quits in such an organization and decides on the last day of work that he or she wants to erase the encryption key, you as a company would want to get the data back," McGowan said.

According to Digital Equipment Corp.'s Robert Rarog, reliance on international data communications between trading partners, as well as internal corporate divisions, is making the key-recovery approach to securing operations increasingly relevant.

"Without this approach," said Rarog, "large organizations would have to manage any loss of encrypted data by simply requiring that all data be backed-up someplace within the organization. In a world where there is a great deal of activity between unknown partners, such as when companies do business over the Internet, there is more of a need for key encryption."

Given this dynamic, what is at stake is not so much the international market for encryption technology itself, as is the ability for U.S. vendors to develop new applications that user organizations are demanding in a global digital economy, industry executives said.

"For example, if you sell a network solution, the hardware, software and services are sold together. The key-encryption function is the sort of product that [would enable] new types of economic activity. From that perspective it will allow you to sell to people that you would not have been able to sell to before," said Rarog.

"Our inability to export strong [key] recovery has been an important missing piece. If we had a customer in Switzerland that wanted to set up a network with South America, we could sell them everything except the security. As a result, very often they would take their business for the whole project elsewhere," said Rarog.

This is a dilemma that other vendors have faced, as well. In response to similar market and government pressures, European companies are forming a consortium called the Trusted Third Party Program, which will address the same issues.

"This raises for us important questions about interoperability and evolution as the two groups develop their respective technologies," said McGowan.

Notably missing from the alliance are the major software providers in the industry, including Microsoft. Current members, stressing that their first organizational meeting will be held in two weeks, said they intend to eventually brief all segments of the industry.

"They are welcome to join," McGowan said. "Hardware vendors and their respective associations have been more supportive than software providers and their lobbying groups on the current government position. But the assumption is that they can play the same way we can play.

"If they have plans for rolling out key-recovery products, they will be able to participate in the digital encryption standard export initiatives outlined by the new government position," said McGowan.

In the meantime, the alliance plans to create the organizational infrastructures that will support the creation of standards, procedures and guidelines members will use to develop compatible and interoperable key-recovery products, services and implementations.