IP: The risks of key recovery ... by an all star cast 1998 Key escow paper

[David Farber <dave () farber net>]

Abstract

A variety of "key recovery," "key escrow," and "trusted third-party" 
encryption requirements have been suggested in recent years by government 
agencies seeking to conduct covert surveillance within the changing 
environments brought about by new technologies. This report examines the 
fundamental properties of these requirements and attempts to outline the 
technical risks, costs, and implications of deploying systems that provide 
government access to encryption keys.

INTRODUCTION

One year after the 1997 publication of the first edition of this report, 
its essential finding remains unchanged and substantively unchallenged: The 
deployment of key recovery systems designed to facilitate surreptitious 
government access to encrypted data and communications introduces 
substantial risks and costs. These risks and costs may not be appropriate 
for many applications of encryption, and they must be more fully addressed 
as governments consider policies that would encourage ubiquitous key recovery.
Our 1997 "Risks" report was designed to stimulate a public, technical 
debate and analysis that, in our judgment, must precede any responsible 
policy decision that could result in the wide-scale deployment of key 
recovery systems. While there are numerous and important economic, social, 
and political issues raised by key recovery, the report's analysis was 
confined to the technical problems created by deployment of key recovery 
systems designed to meet government access specifications. As of mid-1998, 
no substantive response addressing these technical concerns has been offered.

While efforts have been made over the last year to design key recovery 
systems for commercial purposes, they do not alleviate the concerns raised 
by deployment at the scale and in the manner required to meet government 
demands. The design of secure key recovery systems remains technically 
challenging, and the risks and costs of deploying key recovery systems are 
poorly understood. Most significantly, government demands for access place 
additional requirements on key recovery systems, including covert access, 
ubiquitous adoption, and rapid access to plaintext. There is good reason to 
believe that these additional requirements amplify the costs and risks of 
key recovery substantially.

In the past year, the importance of cryptography for protecting computing 
and communications systems has gained broader recognition among the public 
and within industry. Most presently-deployed encryption systems support 
rather than hinder the prevention and detection of crime. Encryption helps 
to protect burglar alarms, cash machines, postal meters, and a variety of 
vending and ticketing systems from manipulation and fraud; it is also being 
deployed to facilitate electronic commerce by protecting credit card 
transactions on the Net and hindering the unauthorized duplication of 
digital audio and video. However, the deployment of encryption (and other 
information protection mechanisms) is still patchy. Most automatic teller 
machine transactions are protected by encryption, but transactions made by 
bank staff (which can involve much larger amounts of money) are often not 
protected. Most Internet electronic mail is still sent "in the clear" and 
is vulnerable to interception. Most cellular telephone calls in the U.S. 
are still sent over the air without the benefit of strong encryption. The 
situation is similar in other areas.
Members of the law enforcement and intelligence communities continue to 
express concern about widespread use of unescrowed cryptography. At the 
same time, these communities have expressed increasing alarm over the 
vulnerability of "critical infrastructure." But there is a significant risk 
that widespread insertion of government-access key recovery systems into 
the information infrastructure will exacerbate, not alleviate, the 
potential for crime and information terrorism. Increasing the number of 
people with authorized access to the critical infrastructure and to 
business data will increase the likelihood of attack, whether through 
technical means, by exploitation of mistakes or through corruption. 
Furthermore, key recovery requirements, to the extent that they make 
encryption cumbersome or expensive, can have the effect of discouraging or 
delaying the deployment of cryptography in increasingly vulnerable 
computing and communications networks.

The technical concerns about key recovery and trusted third-party systems 
in 1998 remain largely unchanged from our 1997 analysis. We specifically do 
not address questions of how and whether key recovery might benefit law 
enforcement and whether there are alternatives to key recovery that might 
achieve equal or greater benefits. However, the predictable costs and risks 
of key recovery, particularly when deployed on the scale desired by law 
enforcement, are very substantial. The onus is on the advocates of key 
recovery to make the case that the benefits outweigh these substantial 
risks and costs.

> http://www.cdt.org/crypto/risks98/
>
>
> >



For archives see: http://www.interesting-people.org/