Cylink tries key recovery

The firm is expected to announce a set of developer tools to incorporate key-recovery mechanisms into security applications.

3 min read
Cylink is expected to announce this week a set of developer tools called CyKey to incorporate key-recovery mechanisms into security applications.

Key recovery allows an employer to gain access to data encrypted by a former employee, for example--but it is controversial because of federal efforts to require key recovery to give law enforcement officials with a court order access to encrypted data.

"Even if U.S. government regulations don't require it, some of our customers are beginning to ask for key-recovery services anyway," said Chuck Williams, Cylink's chief scientist. "Now we are removing the veil of government requirements and we see that business requirements are starting to demand key recovery."

Cylink is a member of the Key Recovery Alliance (KRA), a group of 30-plus technology companies and corporate users--initially driven by IBM and Hewlett-Packard--that are interested in key recovery for business reasons.

However, opponents of U.S. encryption policy, which favors key recovery, have criticized the group for dividing industry efforts.

Cylink joins two other firms with commercial key recovery offerings, IBM and Trusted Information Systems, now part of Network Associates. IBM's product is called KeyWorks and Network Associates markets RecoverKey, a software system for companies to store private keys of their employees.

This week the KRA approved four new technical specifications for key recovery, which will be posted on the KRA Web site later this week, and Cylink's offerings are designed to comply with those specs.

Corporate managers worry that if a decryption key is lost or an employee leaves the company, data scrambled by the related encryption key is lost unless the key can be recovered. Cylink describes CyKey as an easy-to-deploy system for recovering encrypted information when the user's key is lost or otherwise unavailable.

CyKey provides vendors of encryption hardware or software a way to implement key recovery, including libraries that integrate into existing products and a turnkey application for administering and recovering keys. The toolkit libraries can be distributed royalty-free.

Cylink positions CyKey as giving corporate users a key-recovery system that protects the privacy of encrypted data and fits with existing business practices. CyKey also gives companies the choice to run an internal key-recovery center or out-source it.

Key recovery allows the individual who encrypts the data or an authorized company representative to recover a lost or otherwise unavailable encryption key. That means a user who forgets a password can get access to his or her data, or the company can get the encrypted data of someone who leaves the company.

CyKey uses key encapsulation and other technologies to protect the data's privacy. The encryption key is the only information the key-recovery agent restores.

CyKey is available from Cylink and includes several components. The Encryptor Toolkit is priced at $20,000 with no run-time or royalty fees. Evaluation copies are available now, with an official release due later this month. The Recovery Agent, a Windows NT application that restores session keys, will be available by year's end for $1,995. A test version is provided in the encryptor toolkit.

The Recovery Authority, another Windows NT application, functions as a certificate authority to sanction recovery agents. It too will be available by year's end for $1,995, and a test version is provided in the encryptor toolkit. The Applications Toolkit lets OEMs and key-recovery service providers customize the CyKey agent or certificate authority software. It will be available by year's end for $20,000.

Cylink also will make the CyKey design specification available free of charge for those who wish to write their own software.