Response to John Gilmore's comments of 2/2 on TIS key escrow

[David Farber <farber () central cis upenn edu>]

To: farber () central cis upenn edu
Date: Wed, 08 Feb 1995 16:43:57 -0500
From: Stephen Walker <steve () tis com>




I appreciate John's comments because they offer an opportunity to clarify
several points about Trusted Information Systems' Commercial Key Escrow
(CKE) proposal.


The essential objective of this proposal is to integrate "good" cryptography
into mass-market computer applications so that users worldwide can have
reasonable protection of their sensitive information.  I will hold the
discussion of what "good" cryptography is until later in this note.


Export controls on cryptography have always been the stumbling block
preventing this integration.  Various attempts to change the export control
situation through legislation or judicial review have been and will continue
to be tried and may eventually succeed.


But in the meantime, if an approach can be devised that provides widespread
use of cryptography plus the ability to recover lost keys while giving law
enforcement the legal access it needs without imposing any additional civil
liberties burden, it certainly seems it should be explored.


Key escrow, as envisioned in CKE, is a relatively new concept.  But the
desire to recover one's own sensitive information if the encryption keys are
lost is not new.


Most vendors that offer encryption include some way to recover in the event
of lost keys.  They have to; telling your customers it's too bad they
entrusted their vital secrets to your product is not the best way to enhance
the public's image of your product.


And if all vendors must come up with their own ad hoc ways of recovering
from lost keys, nobody is really helped since there will be so many
different approaches that corporations and ordinary users will quickly
become hopelessly confused.


We agree that users want "encryption that can't be subverted," but the issue
is more sophisticated than that.  Users also want encryption that won't work
against them.  Many potential users have thus far refused to use encryption
for fear of the consequences if the encryption keys are lost.


Our January 3rd paper is oriented toward convincing the government of the
merits of this proposal.  We assume that users who are concerned about
recovering from lost keys will examine the advantages of CKE and decide on
their own whether they want it or not.  It is the government that has to
which forms of encryption can be exported, and our primary "pitch" in that
paper is to convince the government that this is the time to act.


As stated above, the real objective of this proposal is to find a way to get
"good" cryptography available for everyone.  The CKE idea provides, for
stored files and messages at least, the same law enforcement access as
Clipper without the negative side effects of government-escrowed keys,
secret algorithms, hardware-only solutions, etc.  Since Clipper is
exportable, this approach should also be exportable when combined with
"good" cryptography.  If "good" cryptography is exportable without the
Clipper side effects, and users can recover from lost keys as well, this is
a win-win situation for everyone.


The government does NOT have to pass any new laws "making some kinds of
domestic cryptography illegal."  With Licensed Data Recovery Centers (DRC),
the government (Federal or State) would establish a means to license
legitimate organizations to operate a DRC.  A company or other organization
would apply, showing proof of their legitimate status, and be granted a DRC
license.  Vendors who provide DRCs would only sell to organizations that
have such licenses.  As in any such licensing approach, there will be cases
where an illegal operation poses as legitimate and obtains a fraudulent
license, but we live with that in many other aspects of our lives and we can
live with it here as well.  We agree that licensing of DRCs will be
important, but use of CKE is voluntary and no laws need be passed to make
other forms of cryptography illegal.


The "six-month window of opportunity" in our paper refers to our estimate
that, if the government does not take some action within six months, the
continued evolution of ad hoc, product-by-product key recovery solutions
will lead to such confusion in the market that an organized DRC approach,
even one with exportable cryptography, will have little chance of success.
If, on the other hand, the government clearly indicates in a timely manner
that a CKE system such as the one we propose is eligible for export
approval, we believe that market forces will quickly draw vendors and users
to this approach.


As to our "bad assumption" that "DES is good encryption," we chose DES as
the algorithm in our paper for two reasons.  First it is well known and
recognized as "good enough," at least for now, in many circles.  The other
reason we talk about DES rather than 3DES or other algorithms is that there
are people in government who are finally beginning to realize that DES is
available worldwide but haven't yet fully accepted that 3DES and other
algorithms are also readily available.  Our proposal today is for DES or
algorithms of similar "strength."  We believe that if we insist on more
right now, we put the whole proposal at risk.  Once everyone gets
comfortable with CKE using DES or similar algorithms, we can then upgrade to
any and all algorithms.


I am not a lawyer and do not want to debate Fourth Amendment protections,
but I cannot follow the logic of John's final argument.   In the United
States, we are all subject to a properly obtained search warrant process,
assuming law enforcement can show probable cause that we have incriminating
evidence in our home, car, or workplace.   If that evidence is encrypted and
there is a readily available means to decrypt it, such as a key written on a
sticky paper nearby or in a DRC, then law enforcement probably has the
authority to decrypt the evidence.   But, if our intent is to hide
incriminating evidence, we still have, and I believe we will always have,
the right to use non-key escrow encryption (but don't write the key on a
sticky paper near by).


So, yes, if you use key escrow encryption you are subjecting your encrypted
files to the same Fourth Amendment search procedures to which your
unencrypted files are already subject, but nothing more.  We believe that
this is a small price (if any) to pay for the ability to have "good"
cryptography readily available in all your favorite applications and the
ability to recover encrypted data from lost keys as well.  And it is and
always will be your choice whether you use CKE or not.


Again, I appreciate the opportunity to discuss these issues and welcome
other comments or criticisms.