Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

IP: Risks of key recovery

From: David Farber <farber () cis upenn edu>
Date: Thu, 22 May 1997 10:25:21 -0400
To: farber () cis upenn edu
Subject: Risks of key recovery
Date: Thu, 22 May 1997 09:34:21 -0400
From: Matt Blaze <mab () research att com>


[I'm not sure if I sent this already; sorry if this is a duplicate.
 Your IP readers may find this to be of some interest.  -matt]


In January, an ad-hoc group of cryptographers and computer scientists
met to explore the technical implications, risks, and costs of the
``key recovery,'' ``key escrow'' and ``trusted third-party''
encryption systems being promoted by various governments.  We have
just completed a preliminary report of our findings.


We have specifically chosen not to endorse, condemn, or draw
conclusions about any particular regulatory or legislative proposal or
commercial product.  Rather, it is our hope that our findings will
shed further light on the debate over key recovery and provide a
long-needed baseline analysis of the costs of key recovery as
policymakers consider embracing one of the most ambitious and
far-reaching technical deployments of the information age.


Our preliminary report is available as follows:


On the web at:
   http://www.crypto.com/key_study


In PostScript format via ftp:
   ftp://research.att.com/dist/mab/key_study.ps


In plain ASCII text format via ftp:
   ftp://research.att.com/dist/mab/key_study.txt


=======================================================================


              THE RISKS OF KEY RECOVERY, KEY ESCROW, AND
                    TRUSTED THIRD-PARTY ENCRYPTION


                             Hal Abelson
                            Ross Anderson
                          Steven M. Bellovin
                             Josh Benaloh
                              Matt Blaze
                           Whitfield Diffie
                             John Gilmore
                           Peter G. Neumann
                           Ronald L. Rivest
                         Jeffery I. Schiller
                            Bruce Schneier


                             21 May 1997


Executive Summary:


A variety of ``key recovery,''``key escrow,'' and ``trusted third-
party'' encryption requirements have been suggested in recent years by
government agencies seeking to conduct covert surveillance within the
changing environments brought about by new technologies.  This report
examines the fundamental properties of these requirements and attempts
to outline the technical risks, costs, and implications of widely
deploying systems that provide government access to encryption keys.


The deployment of a global key-recovery-based encryption
infrastructure to meet law enforcement's stated specifications will
result in substantial sacrifices in security and greatly increased
costs to the end-user.  Building the secure infrastructure of the
breathtaking scale and complexity demanded by these requirements is
far beyond the experience and current competency of the field.  Even
if such an infrastructure could be built, the risks and costs of such
a system may ultimately prove unacceptable.


These difficulties are a function of the basic law enforcement
requirements proposed for key recovery encryption systems.  They
exist regardless of the design of the recovery system -- whether
the system uses private key cryptography or public key cryptography;
whether the database is split with secret sharing techniques or
maintained in a single hardened secure facility; and whether the
recovery service provides private keys, session keys, or merely
decrypts specific data as needed.


All key recovery systems require the existence of a highly sensitive
and highly available secret key or collection of keys that must be
maintained in a secure manner over an extended time period.  These
systems must make decryption information quickly accessible to law
enforcement agencies without notice to the key owners.  These basic
requirements make the problem of general key recovery difficult and
expensive -- and potentially too insecure and too costly for many
applications and many users.


Attempts to force the widespread adoption of key recovery encryption
through export controls, import or domestic use regulations, or
international standards should be considered in light of these
factors. The public must carefully consider the costs and benefits of
embracing government-access key recovery before imposing the new
security risks and spending the huge investment required (potentially
many billions of dollars, in direct and indirect costs) to deploy a
global key recovery infrastructure.
Previous By Date Next
Previous By Thread Next

Current thread: