1996-08-17 - Re: key escrow idea from David Staelin of MIT Lincoln Labs

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: 85d0e0e9e88f47836d827c3b34c8afc6da3dff7fba9cffb1d896d711b9c196f3
Message ID: <199608170506.WAA17213@toad.com>
Reply To: N/A
UTC Datetime: 1996-08-17 07:15:10 UTC
Raw Date: Sat, 17 Aug 1996 15:15:10 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 17 Aug 1996 15:15:10 +0800
To: cypherpunks@toad.com
Subject: Re: key escrow idea from David Staelin of MIT Lincoln Labs
Message-ID: <199608170506.WAA17213@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


Matt Blaze posted Ron Rivest's summary of Dave Staelin's 
suggestion for a different type of Government Access to Keys (GAK) policy,
and Rivest's proposed variant and analysis, and there's been
some discussion on the Cypherpunks list, including the usual
"GAK is evil, period", plus commentary on the variations.
Below I suggest a variant on Ron's variant that's less evil,
though less desireable to the government than Ron's.

R(S)>Here is Staelin's idea:
R(S)>	(1) You can use any crypto you want, but you must keep a record
R(S)>	    of the crypto keys you used.
R(S)>	(2) The government can ask for the crypto keys later, if they have
R(S)>	    a court order, just as they can ask for any of your other papers
R(S)>	    or documents.  You must give the key(s) to them, just as you
R(S)>       must turn over your private papers in such a situation.

For technical reasons, this is a non-starter.  Storing keys requires memory,
and many practical cryptosystems need to generate large numbers of keys, 
or run in environments such as cellphones and password-calculators that
don't _have_ any available memory.  Storing lots of keys implies a high
probability of losing lots of keys, and Matt's talked about the difficulty
of storing keys securely.  Non-technically, as was discussed,
US citizens aren't required to keep personal papers or documents,
though businesses are required to keep some tax and rule-compliance records,
and taxpayers who want to claim deductions need to keep relevant records.

Ron's trusted third party variant:
R>In a variant of Staelin's proposal (my twist) you could append to each
R>encrypted message an encrypted form of the message key.  The
R>encryption could be with the public-key of a trusted third party who
R>will not (and legally may not) reveal the message key without
R>notifying you first (or ensuring that you have been appropriately
R>served with the corresponding warrant).  For example, the ACLU might

Stewart's untrusted first party variants:
Why a trusted _third_ party?  I don't trust third parties with my calls.
Have the sender generate, and keep, a Master Key, and append the
session key encrypted with the Master Key.  As with Staelin's method,
the government can subpoena or warrant the master key.
(So you can call it a Self-Incrimination Key if you like.)

If you use a public key for the SIK, there's the time and space
required to do public-key encryption, but the session keys for 
each session can be decrypted separately by the sender, and verified
by the court, without needing to turn over the private key.

If you use a secret key for the SIK, it's fast and small,
though the SIK needs to be protected and one subpoena decrypts all 
conversations made with the key (as does a warrant seizing the phone.)
(It's basically Clipper with the user instead of NSA generating master keys,
and the user instead of the Friends Of The NSA storing them.)

An intermediate is to use a secret SIK for a small-to-medium
number of sessions, and public-key Master SIK used to generate
an encrypted SIK sent with each message as well as the 
SIK-encrypted session key.  It's still bulky, like the full public-key
version, but not as slow, since you can generate and encrypt
secret-SIK keys off-line.

As with Staelin's proposal, mine also doesn't give the government
real-time access, only after-the-fact access, but it doesn't
have most of the technical difficulties of secure, reliable used-key 
storage (hmmm - sounds kind of like a sharps-box for used needles :-)

R>CONCLUSION
R>The fundamental idea is to give the government a right to access
R>encrypted communication in return for a guarantee that access may not
R>be obtained until there is BOTH proper legal authorization AND proper
R>prior notice to (at least one of) the communicants.
R>Is this workable??

As Matt says:
M>While Ron's twist decreases some of the burden on the user it
M>eliminates the main benefit of the Staelin proposal - that one
M>cannot obtain cleartext without the knowledge of at least one party.

Agreed - while Ron's proposal asserts that the TTP is forbidden
to reveal the key to the government without also telling the owner,
current government wiretap laws often require just the opposite,
and even if the government initially changed their policy to
require TTPs to tell users, they could rapidly change back.
The only way to guarantee that prior notice (or post-access notice)
is for the protocol to require the user's participation, 
which inherently makes it non-real-time and gives the user the
ability to refuse (at whatever cost.)

Also, "to give the government a right to access" implies that they
don't have that right today (which I agree with but Louis Freeh doesn't),
and that we _should_ give them that right when we don't have to
(which Dorothy Denning would agree with but I don't) and that a 
Trusted Government Guarantee (TGG) is a good enough payment in return.

And if you retain the word "voluntary", as used by Ron, you need to 
convince a Bad Guy or an Innocent Guy to believe a TGG or TTP -
Bad Guys won't, and Innocent Guys, as Ed Meese said, "usually 
aren't suspects", so it's still no-win for the government.


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# <A HREF="http://idiom.com/~wcs"> 	Reassign Authority!






Thread