hood that software key escrow can in fact be compromised. This subject is considered in Sections 5.10.2 and 5.11. But a second point is the fact that the 64-bit limit is easily circumvented by multiple encryption under some circumstances. Specifically, consider a stand-alone security-specific product for file encryption that is based on DES and is escrowed. Such a productin its unaltered statemeets all of the proposed draft criteria for export. But disassembly of the object code of the program (to defeat the escrow binding) may also reveal the code for DES encryption in the product. Once the source code for the DES encryption is available, it is a technically straightforward exercise to implement a package that will use the product to implement a triple-DES encryption on a file.
Escrowed encryption is one of several approaches to providing exceptional access to encrypted information. The U.S. government has advanced a number of initiatives to support the insertion of escrow features into products with encryption capabilities that will become available in the future, including the Escrowed Encryption Standard, the Capstone/ Fortezza initiative, and a proposal to liberalize export controls on products using escrowed encryption. Its support of escrowed encryption embodies the government's belief that the benefit to law enforcement and national security from exceptional access to encrypted information outweighs the damage owing to loss of confidentiality that might occur with the failure of procedures intended to prevent unauthorized access to the escrow mechanism.
Escrowed encryption provides more confidentiality than leaving information unprotected (as most information is today), but less confidentiality than what could be provided by good implementations of unescrowed cryptography. On the other hand, escrowed encryption provides more capability for exceptional access under circumstances of key loss or unavailability than does unescrowed encryption. All users will have to address this trade-off between level of confidentiality and key unavailability.
The central questions with respect to escrowed encryption are the following:
• With what degree of confidence is it possible to ensure that third parties will have access to encrypted information only under lawfully authorized circumstances?
• What is the trade-off for the user between potentially lower levels of confidentiality and higher degrees of confidence that encrypted data will be available when necessary?