BSI security code prompts criticism about key escrow

Opposition to the government's encryption strategy resurfaced following the launch of the British Standard Institute's (BSI) new security code of practice.

The BSI's Information Security Management (BS 7799), launched yesterday, is the fruit of labours started by the DTI and a group of blue-chip British companies in 1995. It contains guidelines for the whole remit of computer-related business practices, including the problematic business of encryption.

A BSI representative says: "Security has become an issue in the news over the last few months with people having their computers compromised. But this is more about promoting e-commerce and attracting clients than scare-mongering."

Companies can gain accreditation under the new code after applying to the DTI. A number of companies including Link, which manages 90% of the UK's ATM cash machines, have already been accredited.

The new code's guidelines on encryption, in section 10.3, explain the importance of adhering to both national and international law when using this technology. This will no doubt reassure companies concerned about the legal implications of encryption, but civil liberty campaigners remain unimpressed.

Stefan Magdalinski, of, said: "The imposition of Public Key Escrow schemes is both damaging to civil liberties, and places severe burdens (financial, and technical) on the implementation of viable e-commerce sites. Furthermore, it does not significantly help law enforcement, but fundamentally weakens the security of the encryption itself, by introducing a single point of weakness."

This news comes as American scientists announce a breakthrough in encryption technology. Researchers at the US Department of Energy's Sandia National Labs yesterday revealed their Encryptor chip, capable of encrypting data at 6.7bn bits per second. This is sufficient to be used for the first time on the 2.5 Gbs and 10 Gbs channels used to carry a large volume of Internet traffic. It is also 10 times faster than any existing cryptography device, making it easier to send large amounts of encrypted data.
