Interesting People mailing list archives
IP: Re: HP press conference on crypto
From: Dave Farber <farber () cis upenn edu>
Date: Sat, 23 Nov 1996 06:39:36 -0500
This is in reply to Ross Stapleton-Gray's piece on the HP crypto issue. djf

Date: Fri, 22 Nov 1996 18:05:25 -0500
To: farber () linc cis upenn edu
From: thompson () tis com (Bill Thompson)

I just thought you'd like some additional info re: your [Ross Stapleton-Gray - ed] comments.
Analysis of HP (Snip) The technology itself appears to be in the form of a "tamper-proof" physical device (reminiscent of Clipper/Capstone) which would hold "dormant" encryption mechanisms. These could be activated through assertion of a "Policy Activation Token" received from a "Security Domain Authority." Individual encrypted messages would have appended a "Key Recovery Field" to permit the specific session key for that message to be retrieved by a key recovery agent.
Yes, the technology is "tamper proof" (resistant?), and it will contain "broken" implementations of RSA and RecoverKey, the addition of either of which is a function of the policy activation token that is present. In addition, a certificate from an export-approved Key Recovery Center (KRC) will be necessary to enable any key recovery "required" products. In US shipments, there will be full RSA policy tokens available, as well as user-discretionary key recovery policy tokens, which do not require a government-approved key recovery center. The exported versions will include available policy tokens for 40-bit and 56-bit DES without recovery fields, and tokens requiring recovery fields for cryptography stronger than 56 bits (128-bit RC2, RC4, 168-bit triple DES). There will be a special US-only policy token that supports all of these, and it will automatically create a key recovery field if interoperation with an exported product is detected, assuming a valid export-approved KRC certificate also exists. If any of the required conditions aren't met, the product simply won't work in that mode, but can work in other modes. It is possible that similar products can be configured for other markets (i.e., full encryption within a country with user choice on recovery, but requirements for key recovery on all communications or file exchanges across international boundaries with more than 56-bit DES), but that isn't in concrete yet, and will vary by country. France, for example, will be requiring key recovery on all encrypted traffic, domestic or international.
None of the literature goes into much detail of how governments would play in this... presumably the requirement for "Policy Activation Tokens" means that HP (through hardware partner Intel) could ship a lot of devices that could implement 56-bit DES today, and be later activated to provide 128-bit escrowed Algorithm X, or Y, or Z (not clear if the tamper-proof box can be loaded with new encryption code, or if it's only working from the original set of stored protocols). It's not clear if there's a deactivation capability, or if there is, how the user would be compelled to use it (though one could imagine a time-out feature requiring reactivation).
You are correct, it is likely that many ICFs will be exported with 56-bit DES and no recovery enabled via policy tokens. Policy tokens can be changed, so adding additional capabilities later (say with key recovery) is possible, and subject to memory restrictions, other algorithms can also be added. There currently is no time-out for the 56-bit DES product, but since they can't be exported after Jan 1, 1999, they will probably see a declining use rate after that in favor of stronger (albeit key recovery enabled) encryption products. I think user choice, rather than regulation, will drive that, as two years from now 56-bit DES will likely not be seen as secure enough for many transactions.
I'll leave it to the real crypto analysts to sort out, but it looks as if what HP, Intel and Microsoft (which has a crypto API for the technology to be fitted in) have delivered is a general-purpose Clipper-like container, with a key escrow structure in two areas: the device itself is governed by the Policy Activation Token, and individual session keys can be reconstructed by whomever the escrow agents are. At first glance there seem to be a lot of unknowns, e.g., whether this system would be as subject to corruption of the Key Recovery Field (and hence rendered unreadable by the escrow agents) as Matt Blaze showed Clipper and its LEAF to be.
The answer here is absolutely not, and that is a central issue in the export approval. While nothing is absolutely tamper proof, the implementation is so difficult to change (because of crypto signing techniques and separate hashing of operational and boot-up code which a hacker will not be privy to information about) that it will be significantly easier to start from scratch than try to modify or defeat either a software or hardware implementation of RecoverKey. The ICF adds another layer of difficulty on top of that, as does the fact that certificates will also contain crypto authentication information used in the calculations. This will change all the time and must be validated on both ends of the cryptographic implementation.
Not a software solution either, requiring an Intel device... presumably device keys (for use by the "Policy Activation Token") would be established by Intel for passage to "the authorities," or Intel could produce keyable devices.
There are software CSP implementations to be available from TIS in January 1997 which use the same CAPI calls, and will be 100% compatible with the hardware framework. Since they are software, they will be less expensive, but slower in operation. They will be tamper resistant as well, although perhaps to a lesser degree than the hardware solution, but still significant enough to thwart modification. Intel will not have any way to control the recovery process, and the keying of the devices will be totally up to the users.
Dunno... the more I think about this the more I'm unsure that this is a safe system (from the perspective of keeping strong crypto out of nongovernment hands)... spoofing of Tokens, corruption of the KRF, etc., all seem reasonable stunts. Ross
Healthy skepticism is always a reasonable posture, but the collective knowledge of lots of crypto experts who have seen all kinds of attempts at spoofing, etc. is present in these products. The whole idea is a framework designed to support user needs to protect their information and be completely in control of the recovery process, whether it is for themselves or to satisfy legal demands from law enforcement or the intelligence community. The private sector is in control, not the government. All government can do is establish rules as to who can be approved to be a recovery agent for export-enabled crypto, and they have (grudgingly) allowed it to be companies protecting their own information.
_____________________________________________________________________
Ross Stapleton-Gray                    TeleDiplomacy, Inc.
director () embassy org                2503 Columbia Pike, Suite 118
Director, Electronic Embassy Program   Arlington VA 22204
http://www.embassy.org                 +1 703 685-5197 / 5257 fax
If you have other questions, I'd be delighted to try to answer them. I think as you look at this in greater detail, you'll be less concerned about the big brother problem, and more a believer that this technology provides the best balance between strong confidentiality for users and compliance with laws, not only ours in the US, but in other countries as well, who are now very concerned we will open the crypto floodgates.

Regards,
Bill

*--------------------------------------------------------------------------*
|R. William Thompson                   Vice President, Business Development|
|Trusted Information Systems                            thompson () tis com|
|444 Castro Street, Suite 800                       (415) 962-8885, X3019|
|Mountain View, CA 94041                             Fax (415) 962-9330|
|Office in Home                         Home Office Tel (512) 263-3110|
|9305 Scenic Bluff Drive                Home Office Fax (512) 669-7069|
|Austin, TX 78733                              Home Tel (512) 263-5936|
|                                              Home Fax (512) 263-9436|
*--------------------------------------------------------------------------*
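The exchange above describes two mechanisms without showing either: a policy token that decides which cipher strengths a unit may run and when a Key Recovery Field (KRF) becomes mandatory (the 40/56-bit export tokens, the export token that requires a KRF above 56 bits plus an export-approved KRC certificate, and the US-only token that adds a KRF only when it detects an exported peer), and a KRF that "must be validated on both ends." The following Python is a constructed model added to this archive page to make those rules concrete; it is not HP's ICF, TIS's RecoverKey, or any product's code. The token names, the `decide` rule set, the field layout (nonce, wrapped key, tag), the 16-byte HMAC tag and the hash-pad "wrap" standing in for encryption under the recovery agent's public key are all assumptions made here.

```python
"""
Constructed model of policy tokens and a receiver-validated key recovery field.
Illustrative code added to the page; not HP ICF, TIS RecoverKey or product code.
Names, field layout, tag size and the XOR "wrap" are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL_STRENGTHS = frozenset({40, 56, 128, 168})   # key sizes named in the thread


@dataclass(frozen=True)
class PolicyToken:
    name: str
    allowed_bits: FrozenSet[int]
    recovery_above: Optional[int]     # KRF mandatory above this many bits (None: never)
    recovery_if_peer_exported: bool   # KRF mandatory above 56 bits when the peer is an export unit


# Tokens as the thread describes them; the names are constructed here.
EXPORT_DES56 = PolicyToken("export-des56", frozenset({40, 56}), None, False)
EXPORT_STRONG = PolicyToken("export-strong", ALL_STRENGTHS, 56, False)
US_FULL = PolicyToken("us-full", ALL_STRENGTHS, None, False)
US_SPECIAL = PolicyToken("us-special", ALL_STRENGTHS, None, True)


@dataclass(frozen=True)
class Mode:
    bits: int
    krf_attached: bool


def decide(token: PolicyToken, bits: int, peer_exported: bool, krc_cert_valid: bool) -> Optional[Mode]:
    """Operating mode for a session, or None when a required condition is unmet
    (the thread: the product 'simply won't work in that mode')."""
    if bits not in token.allowed_bits:
        return None
    need_krf = token.recovery_above is not None and bits > token.recovery_above
    if token.recovery_if_peer_exported and peer_exported and bits > 56:
        need_krf = True
    # A mandatory KRF needs a certificate from an export-approved KRC.
    if need_krf and not krc_cert_valid:
        return None
    return Mode(bits, need_krf)


NONCE_LEN = 16
TAG_LEN = 16


def _wrap_pad(krc_wrap_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in (assumption) for wrapping under the recovery agent's public key.
    return hashlib.sha256(krc_wrap_key + nonce).digest()[:length]


def make_krf(session_key: bytes, krc_wrap_key: bytes) -> bytes:
    """Recovery field: nonce || wrapped session key || tag.  The tag is keyed with
    the session key, so a receiver that holds that key can check the field."""
    nonce = os.urandom(NONCE_LEN)
    pad = _wrap_pad(krc_wrap_key, nonce, len(session_key))
    wrapped = bytes(a ^ b for a, b in zip(session_key, pad))
    tag = hmac.new(session_key, b"KRF" + nonce + wrapped, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + wrapped + tag


def validate_krf(session_key: bytes, krf: bytes) -> bool:
    """Receiver-side check: refuse a session whose KRF was altered in transit."""
    if len(krf) != NONCE_LEN + len(session_key) + TAG_LEN:
        return False
    nonce, wrapped, tag = krf[:NONCE_LEN], krf[NONCE_LEN:-TAG_LEN], krf[-TAG_LEN:]
    expected = hmac.new(session_key, b"KRF" + nonce + wrapped, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)


def recover_session_key(krf: bytes, krc_wrap_key: bytes, key_len: int) -> bytes:
    """What the recovery agent does with its wrap key and a valid field."""
    nonce, wrapped = krf[:NONCE_LEN], krf[NONCE_LEN:NONCE_LEN + key_len]
    pad = _wrap_pad(krc_wrap_key, nonce, key_len)
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def corrupted_krf_is_rejected(session_key: bytes, krc_wrap_key: bytes) -> bool:
    """Flip one byte of the wrapped key (the kind of corruption Ross raises about
    the LEAF) and confirm the receiver's check refuses the field."""
    krf = bytearray(make_krf(session_key, krc_wrap_key))
    krf[NONCE_LEN] ^= 0x01
    return not validate_krf(session_key, bytes(krf))


if __name__ == "__main__":
    key, agent = bytes(range(16)), b"constructed-krc-wrap-key"
    print(decide(EXPORT_STRONG, 128, peer_exported=True, krc_cert_valid=False))  # None
    print(decide(US_SPECIAL, 168, peer_exported=True, krc_cert_valid=True))      # KRF attached
    print(corrupted_krf_is_rejected(key, agent))
```

The receiver's check only proves that the field arrived unaltered and was produced by someone holding the session key; it cannot tell whether the wrapped blob really contains that key, since only the recovery agent can unwrap it. A party that controls its own endpoint could wrap garbage and tag it correctly, which is why Thompson's answer rests on tamper-resistant hardware and signed, hashed code producing the field, not on the field format alone.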