Interesting People mailing list archives
Commercial Key Escrow: part 2 of 2
From: David Farber <farber () central cis upenn edu>
Date: Wed, 4 Jan 1995 11:00:57 -0500
again be able to access this information in a procedure similar to a normal search warrant process.

International law enforcement escrow key recovery also reduces to already well established procedures. If U.S. law enforcement authorities wish to recover encrypted files or messages from an American in the United Kingdom, they need only ask UK authorities for assistance in obtaining the session keys from the UK corporate or public DRC. The international nightmare of unilateral agreements to allow governments to share government escrowed keys is thus reduced to already-in-place international police agreements.

What Are The Alternatives?

To best understand why commercial key escrow may provide the best answer to the national and international tension between governments and their citizens, we must first understand who the players are in any such system and the consequences of choosing one approach over another.

Who Are The Players and What Do They Want?

First, the interests of the user, individual, and corporation, must be satisfied, for unless they are, no system will be of any value. The individual user wishes to protect his or her sensitive information using the best products and the best cryptography available while retaining the ability to recover encrypted information whenever an encryption key is lost. The corporation (or other organization) wishes to protect its sensitive information while retaining the ability to recover encrypted information whenever an individual user is unavailable for whatever reason.

Second, we must satisfy the interests of the software publishers, for without software the user will not have the products with which to achieve his or her goals. The software publisher wishes to provide the user, whether an individual or corporation, with the best possible product using the best possible encryption techniques available on a worldwide basis.
It is important to note that in general, neither the individual, the corporate user, nor the software publisher is in any way interested in doing any harm to the government's interests, either law enforcement or national security.

Third, the interests of the government, both for law enforcement and national security, must be met in any workable solution. Law enforcement must have the ability to decrypt communications of suspected illegal activities within its jurisdiction, when authorized. National security interests, including, when possible, the ability to decrypt the communications of terrorists and other adversaries, must be accommodated.

This set of what appear to be mutually conflicting requirements must all be balanced if we are to find the tension relaxer that we are seeking.

In the following section, we will examine a number of cases that represent the spectrum of key escrow alternatives. This analysis will be done in light of the particular interests of each of the players listed above.

How Many Ways Can We Escrow Keys?

Alternative 1: Do It Yourself

The first alternative is the simplest and most obvious one whereby each individual is responsible for safeguarding the encryption key of each message or file that the user encrypts. He or she does this by making an extra copy of the key and storing it on a floppy disk or other token that is stored in a safe place, like a safe deposit box, or with a trusted neighbor. This simplest form of key escrow is one that everyone should be using, in the absence of a better alternative, and some people no doubt are, at least for especially sensitive encrypted files.

This approach is
    GOOD for the Individual, when it is used,
    BAD for the Corporation,
    BAD for the Software Publisher,
    BAD for Law Enforcement,
    BAD for National Security.

Since no one other than the individual knows how to recover the escrowed key, no one else can benefit from this alternative.
Fortunately, this approach will never be used on a widespread basis and therefore represents one extreme in the overall key escrow spectrum.

Alternative 2: Product-by-Product Ad Hoc Solutions

The solution much more likely to become widely available is the one in which each vendor who produces a product that uses encryption creates a "backdoor" system administration function that can be used to recover encrypted data if the key is lost. This is the nightmare situation for vendors. They do not want to advertise this capability since it represents a significant vulnerability for their product. But they cannot do without such a feature since their customer base will be very unhappy if they invest heavily in encrypting all their sensitive information only to find that it is all lost when they cannot remember the encryption key.

This approach serves an essential recovery function for the software publisher. It also is useful for the individual except that if each product he or she uses has its own "backdoor," the user will most likely be confused by the variety of ways to recover from lost keys. For the corporation, this is a very poor option since the confusion the individual encounters with multiple products is multiplied by the number of employees.

This alternative presents a disaster scenario for law enforcement and national security. If there is widespread proliferation of ad hoc product-by-product solutions, the interests of all governments in recovering encrypted information will be severely harmed now and for all the future.

This approach is
    OK for the Individual, but confusing,
    POOR for the Corporation; too many options,
    OK for the Software Publisher,
    POOR for Law Enforcement,
    BAD for National Security.

Alternative 3: Licensed Data Recovery Centers

This option is the principal topic of this paper. Companies and private organizations operate Data Recovery Centers serving their own interests.
This approach assumes that the DRCs are registered (or licensed) in the countries in which they operate so that law enforcement authorities can obtain access to them to recover file encryption keys when appropriately authorized.

This alternative is attractive to the individual and corporation because it provides a useful service, the recovery of encrypted data when the original encrypting key is not available, in a centralized and easily accessible manner. This approach is also attractive to the software publishers because it relieves them of the obligation to provide a system administrative function to recover keys when lost by the user.

Law enforcement will find this approach attractive since it provides a clear and convenient path to recovery of encrypted files. The identity of the DRC is contained within the file, and the file encryption key is readily obtained using normal search warrant or equivalent procedures.

National security interests are better served by this approach than by the previous two since it is generally easier to deal with one common approach to escrowed keys than a multitude of ad hoc product-by-product solutions.

This approach is
    GOOD for the Individual,
    GOOD for the Corporation,
    GOOD for the Software Publisher,
    GOOD for Law Enforcement,
    OK for National Security.

Alternative 4: Government Key Escrow

This approach is exemplified by the Clipper system introduced by the U.S. Government in 1993. It serves the needs of law enforcement and presumably national security very well, to the extent that it is used by the public. But since it provides little incentive to the user, corporation, or software publisher, it is unlikely to see widespread commercial use and thus will fall short of its potential for satisfying the government's interests.
This approach is
    POOR for the Individual,
    POOR for the Corporation,
    POOR for the Software Publisher,
    VERY GOOD for Law Enforcement, to the extent it is used,
    VERY GOOD for National Security, to the extent it is used.

Looking at these four alternatives in the spectrum of key escrow solutions, #3 looks the most attractive and the most likely to satisfy governments' interests if it became widely used. The argument can be made that:

    If commercial key escrow such as outlined in #3 above, satisfies law enforcement's interests as well as Clipper and since Clipper-equipped devices are intended to be exportable (presumably to make them more attractive to a wider customer base), then, it follows that alternative #3 appropriately bound with commonly available algorithms such as DES should also be exportable.

This leads to a fifth alternative:

Alternative 5: Licensed Data Recovery Centers with Exportable DES

In this approach, the software publishers can achieve their goal of worldwide availability for products with good quality cryptography. This would in turn lead to widespread use by individuals and corporations that would, in turn, lead to greatly expanded recovery of encrypted files by law enforcement, when authorized. Similarly, widespread use will make this approach much better for national security interests than the proliferation of ad hoc solutions described in alternative 2.

This approach is
    VERY GOOD for the Individual,
    VERY GOOD for the Corporation,
    VERY GOOD for the Software Publisher,
    VERY GOOD for Law Enforcement,
    GOOD for National Security.

But What If We Do Not Proceed With Alternative 5?

It is understandable that governments would prefer key escrow solutions such as Alternative 4 that provide them with full and complete control of databases of escrowed keys. But the last two years have shown that the issues associated with Clipper key escrow are sufficient that it will not achieve widespread use commercially.
While there is always a tendency in government to stick with what we have, it is often necessary to look beyond one's own ideas and realize that by accepting an approach where the government has a little less direct control, all governments may be far better served.

The Commercial Key Escrow system described in Alternative 5 has the potential to become widely available throughout the computer and communications industry throughout the world because it provides a highly useful service to individuals and corporations / organizations worldwide. The exportability of a commonly available encryption algorithm such as DES, appropriately bound to the key escrow system, provides a powerful incentive to the software industry to make this approach widely available throughout all its products.

To the extent that CKE becomes widely used in the U.S. and around the world, the government can ensure that law enforcement will have appropriate access to encrypted files and communications, now and for the foreseeable future. But if they should fail to promote CKE, with the export approved of appropriate encryption algorithms in a timely manner, the government will in effect be promoting the further development of ad hoc, product-by-product key escrow solutions, and, through the ensuing confusion, ensuring that law enforcement and national security interests are seriously damaged, now and for the future!

Unfortunately, there is little time left! While the government continues to "study the problem," more and more ad hoc solutions are being introduced in the marketplace! We predict that there is approximately a six-month window in which the government can exercise the only lever it has left, export control, to limit the expansion of incompatible product-by-product solutions and promote a solution that will help all parties involved.
A New National Cryptography Policy

If a Commercial Key Escrow system similar to Alternative 5 is adopted, we may soon all be able to relax our fundamental tension with a national cryptography policy such as:

    Good cryptography shall be available to the public without government restriction,

    where:

    "Good cryptography" is defined as DES and RSA bound with commercial key escrow, and

    "Without government restriction" means without export control or any other mandatory restriction.

We believe that Commercial Key Escrow, properly bound with exportable DES, is the only way to reduce the ever-growing tension between the public and government interests in encryption. We hope that the U.S. and other governments around the world will take appropriate actions to enable this approach to succeed before it's too late!

Status

Trusted Information Systems, Inc., is implementing its commercial key escrow system for use in all applications that offer encryption. TIS is working with software developers to include commercial key escrow user functions in their applications. An initial Data Recovery Center will be available for test use on the Internet early in 1995. Operational DRCs will be available for corporate and individual use later in 1995.

Additional information can be obtained from:

    Trusted Information Systems, Inc.,
    3060 Washington Rd. (Rt. 97),
    Glenwood, MD 21794.
    Phone: (301) 854-6889; FAX: (301) 854-5363;
    or via E-mail to: tis () tis com

==============================================================================

Notes

1 A few countries such as France and Singapore also use import or internal-use controls.

2 The Clipper Initiative includes programs such as Clipper for telephone devices and Capstone for computer applications. Throughout this paper the term Clipper will be used to refer to all U.S. government programs using key escrow hardware such as Clipper or Capstone.
3 There are those, even among the authors of this paper, who argue that the term key escrow has been tainted by the Clipper proposal and should no longer be used. Most of us, however, believe the term is central to a vital concept and, while it may have been abused, should be retained to describe the more general concept.

4 One of the strengths of the Clipper design is that the government key escrow system is closely bound in hardware with the encryption process so that it is very difficult to disable the escrow process while allowing encryption and decryption to take place.

==============================================================================

References

[Blaze] Protocol Failure in the Escrowed Encryption Standard, Matt Blaze, AT&T Bell Laboratories, Preliminary Draft, June 3, 1994.

[Brooks] Hearings before the Subcommittee on Economic and Commercial Law, Committee on the Judiciary, U.S. House of Representatives, Congressman Jack Brooks presiding, May 7, 1992.

[Cantwell] HR3627, 103rd Congress, 1st Session, November 1993.

[Gore] Vice President Al Gore, letter to Representative Maria Cantwell, July 20, 1994.

[NRC] Computers at Risk: Safe Computing in the Information Age, published by the National Academy Press, Washington, D.C., 1991.
      Finding Common Ground: Export Controls in a Changed Global Environment, published by the National Academy Press, Washington, D.C., 1991.
      Global Trends in Computer Technology and their Impact on Export Controls, published by the National Academy Press, Washington, D.C., 1988.
      Balancing the National Interest: U.S. National Security Export Controls and Global Economic Competition, published by the National Academy Press, Washington, D.C., 1987.

[Time] Clipper-related articles appearing in TIME Magazine, March 14, 1994; NEWSWEEK, March 14, 1994; US NEWS AND WORLD REPORT, March 14, 1994; among others.

[TIS] A New Approach to Software Key Escrow, Trusted Information Systems, Inc., August 15, 1994.