Interesting People mailing list archives
Response to John Gilmore's comments of 2/2 on TIS key escrow
From: David Farber <farber () central cis upenn edu>
Date: Wed, 8 Feb 1995 16:51:51 -0500
To: farber () central cis upenn edu
Date: Wed, 08 Feb 1995 16:43:57 -0500
From: Stephen Walker <steve () tis com>

I appreciate John's comments because they offer an opportunity to clarify several points about Trusted Information Systems' Commercial Key Escrow (CKE) proposal.

The essential objective of this proposal is to integrate "good" cryptography into mass-market computer applications so that users worldwide can have reasonable protection of their sensitive information. I will hold the discussion of what "good" cryptography is until later in this note.

Export controls on cryptography have always been the stumbling block preventing this integration. Various attempts to change the export control situation through legislation or judicial review have been and will continue to be tried and may eventually succeed. But in the meantime, if an approach can be devised that provides widespread use of cryptography plus the ability to recover lost keys while giving law enforcement the legal access it needs without imposing any additional civil liberties burden, it certainly seems it should be explored.

Key escrow, as envisioned in CKE, is a relatively new concept. But the desire to recover one's own sensitive information if the encryption keys are lost is not new. Most vendors that offer encryption include some way to recover in the event of lost keys. They have to; telling your customers it's too bad they entrusted their vital secrets to your product is not the best way to enhance the public's image of your product. And if all vendors must come up with their own ad hoc ways of recovering from lost keys, nobody is really helped, since there will be so many different approaches that corporations and ordinary users will quickly become hopelessly confused.

We agree that users want "encryption that can't be subverted," but the issue is more sophisticated than that. Users also want encryption that won't work against them.
Many potential users have thus far refused to use encryption for fear of the consequences if the encryption keys are lost.

Our January 3rd paper is oriented toward convincing the government of the merits of this proposal. We assume that users who are concerned about recovering from lost keys will examine the advantages of CKE and decide on their own whether they want it or not. It is the government that has to decide which forms of encryption can be exported, and our primary "pitch" in that paper is to convince the government that this is the time to act.

As stated above, the real objective of this proposal is to find a way to get "good" cryptography available for everyone. The CKE idea provides, for stored files and messages at least, the same law enforcement access as Clipper without the negative side effects of government-escrowed keys, secret algorithms, hardware-only solutions, etc. Since Clipper is exportable, this approach should also be exportable when combined with "good" cryptography. If "good" cryptography is exportable without the Clipper side effects, and users can recover from lost keys as well, this is a win-win situation for everyone.

The government does NOT have to pass any new laws "making some kinds of domestic cryptography illegal." With Licensed Data Recovery Centers (DRC), the government (Federal or State) would establish a means to license legitimate organizations to operate a DRC. A company or other organization would apply, showing proof of their legitimate status, and be granted a DRC license. Vendors who provide DRCs would only sell to organizations that have such licenses. As in any such licensing approach, there will be cases where an illegal operation poses as legitimate and obtains a fraudulent license, but we live with that in many other aspects of our lives and we can live with it here as well.
We agree that licensing of DRCs will be important, but use of CKE is voluntary and no laws need be passed to make other forms of cryptography illegal.

The "six-month window of opportunity" in our paper refers to our estimate that, if the government does not take some action within six months, the continued evolution of ad hoc, product-by-product key recovery solutions will lead to such confusion in the market that an organized DRC approach, even one with exportable cryptography, will have little chance of success. If, on the other hand, the government clearly indicates in a timely manner that a CKE system such as the one we propose is eligible for export approval, we believe that market forces will quickly draw vendors and users to this approach.

As to our "bad assumption" that "DES is good encryption," we chose DES as the algorithm in our paper for two reasons. First, it is well known and recognized as "good enough," at least for now, in many circles. The other reason we talk about DES rather than 3DES or other algorithms is that there are people in government who are finally beginning to realize that DES is available worldwide but haven't yet fully accepted that 3DES and other algorithms are also readily available. Our proposal today is for DES or algorithms of similar "strength." We believe that if we insist on more right now, we put the whole proposal at risk. Once everyone gets comfortable with CKE using DES or similar algorithms, we can then upgrade to any and all algorithms.

I am not a lawyer and do not want to debate Fourth Amendment protections, but I cannot follow the logic of John's final argument. In the United States, we are all subject to a properly obtained search warrant process, assuming law enforcement can show probable cause that we have incriminating evidence in our home, car, or workplace.
If that evidence is encrypted and there is a readily available means to decrypt it, such as a key written on a sticky paper nearby or in a DRC, then law enforcement probably has the authority to decrypt the evidence. But, if our intent is to hide incriminating evidence, we still have, and I believe we will always have, the right to use non-key-escrow encryption (but don't write the key on a sticky paper nearby). So, yes, if you use key escrow encryption you are subjecting your encrypted files to the same Fourth Amendment search procedures to which your unencrypted files are already subject, but nothing more. We believe that this is a small price (if any) to pay for the ability to have "good" cryptography readily available in all your favorite applications and the ability to recover encrypted data from lost keys as well. And it is and always will be your choice whether you use CKE or not.

Again, I appreciate the opportunity to discuss these issues and welcome other comments or criticisms.