IBM Key Recovery Kit Goes to Beta

Disclaimer: This information comes from sources that cannot be verified. As such, make no assumptions about its completeness or accuracy. We endeavor to keep this information up to date as much as possible. Feel free to send comments/ updates to the Security News Editor.

29 May 1997, PC Week:

IBM Key Recovery Kit Goes to Beta

IBM last week took the first steps to help software vendors comply with federal encryption export rules, with the release into beta of a new security tool kit.

IBM's SecureWay Key Management Framework Toolkit enables ISVs to embed key recovery into their applications.

The final version of the tool kit, for AIX, Windows 95 and Windows NT, is due by the end of the year. The Armonk, N.Y., company is planning to use the security technology within its own software applications, which are due by 1998.

Key recovery records the information used to secure E-mail messages or establish an encrypted session on the Web. It also provides a means to store the data necessary to rebuild the key and open the encrypted message in the event of a court order or an employee death or dismissal.

To ensure that the key information, which also is encrypted, does not fall into the wrong hands, IBM's recovery technology breaks the key into chunks and stores it in separate locations or with separate people. The only way a message can be decrypted is if all the pieces are physically combined.

To build in key recovery with the tool kit, ISVs are given a set of APIs that connect their application to the Framework, which includes key recovery and encryption technology, sockets and APIs to plug in other encryption technologies.

The IBM software development kit is one of the first tool kits that give software vendors the ability to embed key recovery capabilities.

For one user, the ability to get at encrypted files if an employee is fired has some real benefits.

"I have run into problems in the past, so if there is a way that won't compromise security but will let me get access when I need to, that will solve several problems," said the security director for a San Francisco consultancy.

Key recovery has become a hot topic. In March, the U.S. Department of Commerce and the Clinton administration announced plans to require the use of key recovery by ISVs if they wanted to export software that uses encryption that exceeds the 40-bit limit.

Earlier this month, the House Judiciary Committee approved the Security and Freedom Through Encryption Act, which would remove limitations on the type or strength of encryption shipped internationally. It is now set to go before the International Relations Committee and eventually before the House of Representatives for a vote.