ABA Pushes to Keep Encryption System Certified

Representatives of the American Bankers Association plan to meet today with government officials to try to head off decertification of a widely used bank standard for encrypting financial transactions.

The ABA is pushing to have the Data Encryption Standard, or DES, certified for another 10 years.

DES, developed in 1977 by International Business Machines Corp., is used to protect sensitive financial information from automated teller machines, the automated clearing house network, Fed Wire, and other sources of online transactions.

The association will attempt to convince the two agencies that hold the power to recertify the standard - the Department of Commerce and the National Security Agency - that DES is still an effective means of encryption.

The chief concern among bankers is that the industry will be forced into large-scale conversions to new encryption standards.

Such conversions would cost the banking industry a minimum of $2 billion over the next few years, ABA officials said.

Though the standard will not come up for its five-year recertification until 1998, ABA officials believe that now is the time to express concerns and seek clarification of the government's position regarding DES.

"Bankers say there's not enough time to make adjustments if in fact we wanted to or were forced to make adjustments," said John J. Byrne, senior counsel with the ABA.

"The DES is still valid, since no one has ever proven to anyone's satisfaction that it's been broken," he added.

The government's concern is that the standard is antiquated and has grown susceptible to compromise as desktop computing power has grown.

ABA officials acknowledge that technological advances may pose some threat to the standard.

In the years immediately following the development of DES, bankers regarded the standard as "nearly impossible" to break, according to Steve Katz, the ABA's chairman of information security.

However, he added, "over the next few years or so, it's viewed that there'll be enough processing power on a desktop to be able to decrypt a message."

For this reason the ABA does not plan to recommend that DES be the only computer security standard in the banking industry.

Instead, the association recommends the development of "a family of commercial algorithms" that vary in degree of complexity.

The ABA said this family, which should include DES, will give banks options for transactions of varying levels of sensitivity or risk.

The ABA also plans to renew its opposition to any mandated electronic key management system. Such a system would require that cryptographic keys that decipher coded transactions be held in escrow, outside of a bank.

Currently, banks are responsible for key management. ABA officials maintain that controls for such systems outside the purview of banks will provide a back door for Big Brother-type government surveillance.

Others scheduled to attend today's meeting include representatives from the White House, the Federal Bureau of Investigation, and the Treasury Department.

In anticipation of today's meeting, as many as 40 representatives from banks, technology vendors, and privacy groups convened last month to help the ABA hammer out a revised policy statement on data encryption.
