KEY RECOVERY DEMONSTRATION PROJECT

Formerly known as the Emergency Access Demonstration Project

Until recently, federal agencies have not made significant use of commercial cryptography to protect sensitive unclassified information. However, as federal agencies have begun to realize the sensitivity of their information and that cryptography can help protect that information, more agencies are making use of encryption mechanisms. As encryption becomes more prominent, providing a means for management and other authorized entities to recover keys in the event that a user is away on vacation or is terminated from employment will become critical to the continued operation of each organization. Key recovery (also known as emergency access) is a security service which allows for the decryption of encrypted information through the retrieval of information required to implement that mechanism. Key recovery ensures that mechanisms are in place for management and other authorized entities to recover encrypted information.

The Interagency Working Group on Cryptography Policy (IWG) has established a task group to demonstrate the practicability of key recovery as an element of a key management infrastructure/public key infrastructure (KMI/PKI). The Task Group is formed jointly of representatives from the Government Information Technology Services Board (GITS) and the IWG. The Task Group is chaired by a representative from the Department of the Treasury, who also serves as the Champion for Security and Privacy for the GITS Board with participation from NIST, FBI, NSA, and GSA and each agency with a pilot selected from this demonstration.

Ten Federal agency pilots will test the elements of the vision laid out in the white paper, "Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure." In addition, the pilots have been selected based on their ability to:

The following presents a brief description of each candidate agency's pilot:

The Department of Energy's (DOE) Office of Energy Research EDI/Internet Security project will test emerging security technologies for Electronic Data Interchange (EDI) that are based on the Internet standards for secure e-mail. Participants include six Federal agencies and eight academic research organizations currently involved in Electronic Research Administration (ERA). The project will test the interoperability of multiple vendors' products across an open systems environment. The initial implementation will focus on processing electronic grant application requirements. Point of Contact: Jean Morrow, jean.morrow@mailgw.er.doe.gov

The U.S. Electronic Grants pilot project will demonstrate that a secure electronic grants system can be built around low cost, World Wide Web technology while maintaining the standard EDI structure required for government-wide data sharing. The Department of Transporation (DOT) Federal Railroad Administration will lead the project in cooperation with its Electronic Grants partners including the Federal Highway Administration, Federal Transit Administration, Federal Aviation Administration, U.S. Coast Guard, Department of Energy, Department of Education, Department of Interior, Office of Naval Research, Environmental Protection Agency, and Small Business Administration. In fiscal year 1995, approximately $300 billion in grants were awarded government wide to support research and development, environmental protection, education, transportation safety, economic development, improved public health and similar programs. DOT and its partners will pilot this application with a small segment of grantees that represent universities, state and local governments and non-profit organizations. Point of Contact: Bradley Smith, bradley.smith@fra.dot.gov

The Lawrence Livermore National Laboratory (LLNL) is in the process of building a Public Key Infrastructure (PKI) to support both its Programmatic and Business operations. Part of those operations include network interactions with many other DOE laboratories, facilities, and vendors. In order to utilize the network, LLNL's infrastructure must provide strong authentication, non-repudiation, message integrity, and privacy for the information being exchanged. An Emergency Access capability is viewed as a critical part of this infrastructure if the full potential of public key encryption technology for privacy is to be realized. LLNL will exercise the Emergency Access capabilities of a commercial software product to ascertain its ability to meet requirements. Point of Contact: Frank Ploof, fploof@llnl.gov

The National Institute of Standards and Technology's (NIST) has responsibility for providing technical support to the other Federal agencies that are participating in the Key Recovery Demonstration Project (KRDP). NIST will issue a Broad Agency Announcement (BAA)that solicits information from vendors about the availability of products, components, and services that can be used in the KRDP. NIST will chair the panel which evaluates responses to the BAA. NIST will also assist the KRDP pilot agencies in the development of their implementation plans. NIST will act as the technical lead for the testing of all pilot Emergency Access systems. NIST will coordinate the development of a comprehensive test suite for each pilot system and assist in evaluating and reporting the test results. In order to establish a pilot public key infrastructure for the KRDP and test the interaction among Certification Authorities (CAs) for the other pilots, NIST will procure and operate a root CA. NIST will also acquire COTS products which provide a secure E-Mail and file encryption capability and permit key recovery. NIST will evaluate and demonstrate the new technology in the NIST Security Division Laboratory. Point of Contact: Jerry Mulvenna, jerry.mulvenna@nist.gov

The National Technical Information Service's (NTIS) FedWorld Secure Web and Certificate Authority Project will prototype trusted-agent services that support digital signature, the encryption of files and messaging, and authorized emergency access to encrypted information through key recovery management. Point of Contact: Mike Williams, mwilliams@fedworld.gov

The Social Security Administration (SSA) and Pitney Bowes Inc. are conducting a proof-of-concept demonstration project with a group of small employers. The project participants securely submit their annual W2/W3 data to SSA over the Internet using public/private key technology. SSA has proposed an expansion of the project to incorporate a test of emergency access to the W2/W3 data. Point of Contact: John Sabo, jtsabo@ssa.gov

The North American Trade Automation Prototype (NATAP): The trilateral Information Exchange and Automation Working Group developed a vision for processing commercial transactions to fulfill the provisions of Article 512 of the North American Free Trade Agreement (NAFTA). The prototype will cover land border transactions: truck and rail. Participants will include Customs, Immigration, Transportation, Census, state and local authorities, and the international trade community. During the prototype, traders and brokers will submit common, standardized, commercial goods and transportation data to the governments (Canada, Mexico, U.S.) in UN/EDIFACT syntax via the Internet using a Trade Software Package (TSP). The governments will perform processing and selectivity functions and return the results of their processing to the trader or broker via the Internet. Transaction related data consists of proprietary information such as trading relationships among sellers and buyers, importers, etc., the prices paid for merchandise, and the declarations made to the governments for the payment (or refund) of import duties, taxes, and fees. This information must be protected against unauthorized access. Accordingly, the TSP must have adequate security through encryption and decryption. (For further info see http://www.itds.treas.gov) Point of Contact: Edward Grose, edward.grose@grosee00.customs.sprint.com

The Patent and Trademark Office's (PTO) International Patent Document Exchange Project will demonstrate the exchange of patent documents in secure electronic form between the Trilateral Offices (U.S. Patent and Trademark Office, European Patent Office, and Japanese Patent Office) and the International Bureau of the World Intellectual Property Office (WIPO) to reduce processing costs and the burden on applicants. Point of Contact: Wesley Gewehr, gewehr@uspto.gov

The Small Business Administration (SBA) Electronic Lending Program is an initiative to re-engineer business loan guarantee processes. The Emergency Access project will feature acceptance of electronic applications for SBA guarantees on FA$TRAK loans from a small group of bank lenders. Point of Contact: Donna Clark, donna.clark@sba.com

The Department of the Treasury, jointly with the GSA Center for Electronic Messaging Technologies, will implement an Electronic Messaging Services Network Infrastructure. This will be comprised of a private Administrative Management Domain for federal government use offering origin authentication, secure access management, data confidentiality, data integrity, non-repudiation, and emergency access. This infrastructure will consist of: SMTP and X.400 email, X.500 directory services, and an Electronic Commerce Clearing House. Point of Contact: Michele Rubenstein, michele.rubenstein@dasis.treas.gov

For further information or if you have any questions about the Key Recovery Demonstration Project, please contact Ms. Patricia N. Edfors, U.S. Department of the Treasury, at (202) 622-1552,patricia.edfors@cio.treas.gov