8 July 1999. Thanks to Ed Roback and DG.


[Federal Register: July 7, 1999 (Volume 64, Number 129)]
[Notices]               
[Page 36672-36673]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr07jy99-48]                         

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology
[Docket No. 990608155-9155-01]
RIN 0693-ZA31]

Technical Advisory Committee Report: Requirements for Key 
Recovery Products

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for comments.


-----------------------------------------------------------------------

SUMMARY: The Department of Commerce seeks public comment on 
``Requirements for Key Recovery Product,'' encompassing technical 
recommendations prepared by the ``Technical Advisory Committee to 
Develop a Federal Information Processing Standard for the Federal Key 
Management Infrastructure.'' The Committee was established by the 
Department to provide technical advice on an encryption key recovery 
standard for use by Federal agencies to provide for the continued 
government access to encrypted information in the event of the 
unavailability (e.g., loss due to unavailability of critical personnel) 
of the encryption/decryption key(s). The Committee held its final 
meeting in November, 1998, and subsequently delivered its work to the 
Secretary of Commerce. Notwithstanding the availability of 
opportunities for public input to the Committee's activities, the 
Committee's technical report and significance makes them worthy of 
additional public discussion and comment. Comments are also sought as 
to actions that the Department may wish to take as it contemplates 
using this report as the basis for a Federal key recovery standard.

DATES: Comments should be submitted no later than November 4, 1999.

REPORT AVAILABILITY AND ADDRESSES: The report is available 
electronically from the Committee's homepage at < http://csrc.nist.gov/
tacdifipsfkmi/ <ls-thn-eq>. Electronic comments on the report may be 
sent to Key-recovery@nist.gov.

    A hard copy of the report is available by request from NIST, 
Information Technology Laboratory, Attention: Review of Key Recovery 
Committee Report, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-
8930. Written comments may also be sent to this address.

FOR FURTHER INFORMATION CONTACT: Edward Roback, Executive Secretary, 
Technical Advisory Committee to Develop a Federal Information 
Processing Standard for the Federal Key Management Infrastructure, 
telephone 301-975-3696.

SUPPLEMENTARY INFORMATION: The ``Technical Advisory Committee to 
Develop a Federal Information Processing Standard for the Federal Key 
Management Infrastructure'' was chartered by the Department of Commerce 
in 1996 to seek industry recommendations on technical specifications 
for accomplishing the recovery of keys used for encryption (as opposed 
to keys used solely for digital signatures, which should not be 
recoverable, since a new signature key pair is normally created in 
event of loss). The Committee was comprised of 24 members drawn from 

the private sector with expertise in computer systems, 
telecommunications, banking, security, research and other pertinent 
areas. Its activities were augmented by liaisons from various Federal 
agencies, who provided input and perspective to the Committee as to the 
security and functional key recovery requirements of Federal agencies. 
Twelve meetings of the Committee were held between December 1996 and 
November 1998. The progress that the Committee made on various drafts 
of its report may be seen on the Committee's electronic homepage at 
<http://csrc.nist.gov/tacdfipsfkmi/>.

    In June 1998, the Committee delivered an interim work product to 
the Secretary, requested additional time to complete its work, and 
suggested that work on detailed implementation guidance be initiated, 
noting that such guidance will be essential to the successful 
deployment of any key recovery system (since many aspects of key 
recovery system security [e.g., integration of key recovery products 
into an application/operational system or usage policy] were outside 
the scope of the Committee's work). The Committee also urged pursuit of 
conformance testing based upon the model employed for Federal 
Information Processing Standard (FIPS) 140.1, Security of Cryptographic 
Modules. In response to the request for additional time, the Department 
extended the charter of the Committee through the end of 1998 and urged 
the Committee to use the remaining time to complete its review of the 
document,

[[Page 36673]]

resolve inconsistencies and address any remaining issues.

    Because this technical input was requested in anticipation of 
developing a FIPS on key recovery, the format of the Committee's report 
parallels that of a FIPS. However, since the Committee was chartered 
only to address technical issues, some areas (e.g., ``applicability'' 
and ``waiver process'') contained in a FIPS were not addressed by the 
Committee. The Committee noted in their draft that text for these 
sections would have to be supplied at a later date by the government.

    In delivering its report to the Secretary, the Committee noted that 
its members did not ``have time to verify the consistency and 
completeness of the document as a whole'' and stated that these are 
crucial. Therefore, the submission of public comments on the 
consistency and completeness of the document is particularly 
encouraged.

    The Committee's report is divided into two major sections, an 
``announcement section'' and a ``specifications section.'' The first 
section is fairly pro forma and contains, among other items, a brief 
explanation of the document, an index, list of appropriate 
applications, notes on implementations, and a glossary. Qualifications 
on the use of conforming products are also discussed. The second 
section contains the detailed specifications of the document and is 
divided into four chapters: (1) Overview, (2) Key Recovery Model, (3) 
Security Requirements, and (4) Assurance Requirement. Four appendices 
are included: (A) Key Recovery Technique (B) Examples, (C) Key Recovery 
Block, and (D) Certificate Extensions.


    The key recovery model utilized by the Committee throughout its 
document describes five key recovery functions: (1) Key Recovery 
Information Generation, (2) Key Recovery Information Delivery, (3) 
Function Key Recovery Information Validation, (4) Key Recovery 
Requestor and (5) Key Recovery Agent. For each of these functions, one 
or more security levels is defined and functional and security 
requirements provided. For each security level(s) of a function, a 
corresponding assurance level is then specified with appropriate 
requirements.

    Dated: June 30, 1999.

Karen H. Brown,
Deputy Director.

[FR Doc. 99-17234 Filed 7-6-99; 8:45 am]
BILLING CODE 3510-CN-M