Computing Article: Banks & Keys Recovery
John R T Brazier
Prunesquallor at compuserve.com
Thu, 26 Mar 1998 05:28:24 -0500
Dear All,
26th March Issue of Computing (computignet.co.uk), lead article below. Also
on the front page the Post Office is starting up as a digital signature
certifier.
Cheers,
John B
-----------------------------------------
Banks slam snoops
Major users split over government's attempt to regulate cyberspace
Europe's banks have rejected a controversial key recovery encryption scheme
on the eve of an expected government announcement imposing the policy on
the UK, writes Dan Sabbagh.
Computing has learned that the European Committee on Banking Standards
(ECBS) - a powerful consortium of financial institutions - has filed a
submission with the European Commission arguing against key recovery. The
committee's stance is backed by the UK's banks, which are represented by
industry body APACS.
It is understood that the submission, which will not be made public, says
that many European banks are 'fundamentally opposed' to the introduction of
statutory regulations for key recovery in Europe. Financiers, it maintains,
'cannot see any benefit for European banks and their customers'.
Key recovery schemes require individuals and companies that use encryption
to deposit a copy of their encryption keys with a 'trusted third party'.
These keys are then made available to law enforcement agencies, on
production of a warrant, allowing them access to encrypted private
transmissions.
The Department of Trade and Industry is thought to be close to unveiling a
key recovery scheme for UK encryption users in the face of opposition from
civil liberties campaigners and a growing number of corporates, including
Microsoft.
The ECBS' argument has been broadly endorsed by NatWest. Tim Jones,
managing director of retail banking services at NatWest, said: 'Key
recovery is a brutal and expensive way to achieve law enforcement.'
Jones said that he believed there were simpler ways to allow access to
encrypted data. He added that, in his opinion, medium-strength encryption -
64-bit DES - should not necessitate key recovery because codes could be
cracked 'with a couple of Crays and a following wind'.
Steve Thomas, head of security at APACS, outlined the objections of
Europe's banks. 'If key recovery is so good for business, as its supporters
argue, then we don't need a statutory framework to introduce it. Giving up
any keys to a third party must reduce the security of any system,' he said.
Thomas stressed that other alternatives could be explored. 'Banks can
provide text for legal inspection without the need for this complex
infrastructure,' he said.
Long-standing opponents of key recovery welcomed the banks' move. Brian
Gladman, former deputy director general of NATO's technical centre, said:
'This is a serious blow to the government's attempt to enforce key
recovery.'
In a further setback for key recovery advocates, the US Department of
Justice and the FBI conceded that they will no longer insist on legislation
requiring a key recovery system to be developed in the US.