Interesting People mailing list archives
IP: Risks of key recovery
From: David Farber <farber () cis upenn edu>
Date: Thu, 22 May 1997 10:25:21 -0400
To: farber () cis upenn edu
Subject: Risks of key recovery
Date: Thu, 22 May 1997 09:34:21 -0400
From: Matt Blaze <mab () research att com>

[I'm not sure if I sent this already; sorry if this is a duplicate. Your IP readers may find this to be of some interest. -matt]

In January, an ad-hoc group of cryptographers and computer scientists met to explore the technical implications, risks, and costs of the ``key recovery,'' ``key escrow'' and ``trusted third-party'' encryption systems being promoted by various governments. We have just completed a preliminary report of our findings. We have specifically chosen not to endorse, condemn, or draw conclusions about any particular regulatory or legislative proposal or commercial product. Rather, it is our hope that our findings will shed further light on the debate over key recovery and provide a long-needed baseline analysis of the costs of key recovery as policymakers consider embracing one of the most ambitious and far-reaching technical deployments of the information age.

Our preliminary report is available as follows:

On the web at: http://www.crypto.com/key_study
In PostScript format via ftp: ftp://research.att.com/dist/mab/key_study.ps
In plain ASCII text format via ftp: ftp://research.att.com/dist/mab/key_study.txt

=======================================================================

THE RISKS OF KEY RECOVERY, KEY ESCROW, AND TRUSTED THIRD-PARTY ENCRYPTION

Hal Abelson
Ross Anderson
Steven M. Bellovin
Josh Benaloh
Matt Blaze
Whitfield Diffie
John Gilmore
Peter G. Neumann
Ronald L. Rivest
Jeffery I. Schiller
Bruce Schneier

21 May 1997

Executive Summary:

A variety of ``key recovery,'' ``key escrow,'' and ``trusted third-party'' encryption requirements have been suggested in recent years by government agencies seeking to conduct covert surveillance within the changing environments brought about by new technologies.
This report examines the fundamental properties of these requirements and attempts to outline the technical risks, costs, and implications of widely deploying systems that provide government access to encryption keys. The deployment of a global key-recovery-based encryption infrastructure to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end-user. Building the secure infrastructure of the breathtaking scale and complexity demanded by these requirements is far beyond the experience and current competency of the field. Even if such an infrastructure could be built, the risks and costs of such a system may ultimately prove unacceptable.

These difficulties are a function of the basic law enforcement requirements proposed for key recovery encryption systems. They exist regardless of the design of the recovery system -- whether the system uses private key cryptography or public key cryptography; whether the database is split with secret sharing techniques or maintained in a single hardened secure facility; and whether the recovery service provides private keys, session keys, or merely decrypts specific data as needed.

All key recovery systems require the existence of a highly sensitive and highly available secret key or collection of keys that must be maintained in a secure manner over an extended time period. These systems must make decryption information quickly accessible to law enforcement agencies without notice to the key owners. These basic requirements make the problem of general key recovery difficult and expensive -- and potentially too insecure and too costly for many applications and many users. Attempts to force the widespread adoption of key recovery encryption through export controls, import or domestic use regulations, or international standards should be considered in light of these factors.
The public must carefully consider the costs and benefits of embracing government-access key recovery before imposing the new security risks and spending the huge investment required (potentially many billions of dollars, in direct and indirect costs) to deploy a global key recovery infrastructure.
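The report's point that the recovery key exists regardless of design, even when split with secret sharing, can be made concrete. The following is an added illustration, not code from the report or its authors: a toy key-recovery scheme in which each message carries its session key wrapped under a long-lived escrow key, and that escrow key is Shamir-split among trustees. The wrap function (XOR with a hash-derived pad) and all names are assumptions for the example only; the escrow key, trustee shares and session keys are generated inline.

```python
import hashlib
import os
import secrets

P = (1 << 127) - 1  # Mersenne prime; Shamir shares live in GF(P)

def split_secret(secret, threshold, shares):
    """Split an integer secret into points; any `threshold` of them rebuild it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, shares + 1)]

def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def wrap(key, data, nonce):
    """Toy wrap: XOR with a hash-derived pad (illustration only, not a real key wrap)."""
    pad = hashlib.sha256(key + nonce).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

def recovery_field(escrow_key, session_key):
    """What a key-recovery system attaches to each message: the session key wrapped under the escrow key."""
    nonce = os.urandom(16)
    return nonce, wrap(escrow_key, session_key, nonce)

def recover_session_key(shares, field):
    """Trustees pool their shares and unwrap; the key owner is never involved."""
    nonce, wrapped = field
    escrow_key = recover_secret(shares).to_bytes(16, "big")
    return wrap(escrow_key, wrapped, nonce)

def escrow_demo(threshold=2, trustees=3):
    secret = secrets.randbelow(P)              # the long-lived, highly sensitive escrow key
    escrow_key = secret.to_bytes(16, "big")
    shares = split_secret(secret, threshold, trustees)
    k1, k2 = os.urandom(16), os.urandom(16)    # two unrelated users' session keys
    f1, f2 = recovery_field(escrow_key, k1), recovery_field(escrow_key, k2)
    quorum = shares[:threshold]
    return {"quorum_recovers_user1": recover_session_key(quorum, f1) == k1,
            "quorum_recovers_user2": recover_session_key(quorum, f2) == k2,
            "below_threshold_recovers": recover_session_key(shares[:threshold - 1], f1) == k1}
```

Secret sharing limits what any single trustee can do, but the same quorum that satisfies one lawful request can unwrap every user's traffic ever protected under that escrow key, which is why the key must be both highly available and guarded for its entire lifetime.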