A former CIA official has developed a unique cryptographic management system that provides access control to any data object. Edward Scheidt, former head of the CIA's Cryptographic Center, founded TecSec to commercialise the Constructive Key Management (CKM) system for symmetric key algorithms. It creates a one-time encryption key to access individual databases, documents, photographs or Web pages. The system is now in use by government agencies and defence contractors, said Scheidt, who recently talked to IDG.
IDG: Why has the CKM system been approved for export?
Scheidt: We met the export requirements, which say that if you have 100 per cent key recovery, you can do what we do.
The kind of key recovery that we have is defined in the regulations as "self key recovery", which means that the government or another entity does not have a copy of your key. It is not a key escrow system.
Our argument to the [US] Department of Commerce and others was that they needed to define or identify cryptologic systems that were based on self key recovery as opposed to escrow key recovery.
IDG: How do you assure customers the encryption is secure?
Scheidt: The design or architecture is part of an American National Standards Institute standard that has been peer-reviewed.
We can demonstrate to the customer that they are the only ones who will have access to their keys.
We don't have access to them. There is no third copy. There is no way to get into the operating system, or something like that.
IDG: Have any independent cryptographers evaluated the product?
Scheidt: We've been evaluated by some of the US government agencies in the process.
As far as an independent cryptographer goes, we have discussed the designs but not the product per se.
Our next version of our product will go through a federal government review, and there will be a third-party lab review.
IDG: Do you have any intention of making your source code available for review if a customer requests it?
Scheidt: Only if there is a need to do that under a federal review or a formal review.
I'm not too interested in having an arbitrary review of our source code; then we lose our trade secrets.