From: Matt Blaze <mab@research.att.com>
To: cypherpunks@toad.com
Message Hash: 9339aa70a00933f93163cd345e66a4d83b5b9981889f759422d5e1f8ffd33253
Message ID: <199608140124.VAA04963@nsa.research.att.com>
Reply To: N/A
UTC Datetime: 1996-08-14 04:28:51 UTC
Raw Date: Wed, 14 Aug 1996 12:28:51 +0800
From: Matt Blaze <mab@research.att.com>
Date: Wed, 14 Aug 1996 12:28:51 +0800
To: cypherpunks@toad.com
Subject: resend: key escrow idea from David Staelin of MIT Lincoln Labs
Message-ID: <199608140124.VAA04963@nsa.research.att.com>
MIME-Version: 1.0
Content-Type: text/plain
My first send of this message was garbled and truncated. Here it is again.
Sorry.
My comments included below Rivest's message.
-matt
------- Forwarded Message
Received: from amontillado.research.att.com (amontillado.research.att.com [135.104.21.154]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id QAA04438 for <mab-local@nsa.research.att.com>; Tue, 13 Aug 1996 16:17:05 -0400 (EDT)
Received: from research.research.att.com (research.att.com [135.104.117.5]) by amontillado.research.att.com (8.7.5/8.7) with SMTP id QAA24830 for <mab@issr.research.att.com>; Tue, 13 Aug 1996 16:20:09 -0400 (EDT)
Received: from theory.lcs.mit.edu by research; Tue Aug 13 16:17:17 EDT 1996
Received: from swan.lcs.mit.edu by theory.lcs.mit.edu (5.65c/TOC-1.2S)
id AA05040; Tue, 13 Aug 96 16:16:20 EDT
From: rivest@theory.lcs.mit.edu (Ron Rivest)
Received: by swan.lcs.mit.edu (5.65c/TOC-1.2C)
id AA00335; Tue, 13 Aug 96 16:16:20 EDT
Date: Tue, 13 Aug 96 16:16:20 EDT
Message-Id: <199608132016.AA00335@swan.lcs.mit.edu>
To: jim@rsa.com, gnu@toad.com, whitfield.diffie@eng.sun.com,
mab@research.att.com, denning@cs.georgetown.edu
Cc: staelin@ll.mit.edu, mld@hq.lcs.mit.edu
Subject: Crypto Policy Variant
Hi --
Here is another MIT professor's (Dave Staelin's) suggestion for a
national crypto policy. I thought you might be interested in seeing
it; given the difficulty of the debate, any variant, even if only
slightly different from previous ones, should be considered. Feel
free to pass this note around, or to post it...
Here is Staelin's idea:
(1) You can use any crypto you want, but you must keep a record
of the crypto keys you used.
(2) The government can ask for the crypto keys later, if they have
a court order, just as they can ask for any of your other papers
or documents. You must give the key(s) to them, just as you
must turn over your private papers in such a situation.
(There would have to be an appropriate penalty for losing the
key...)
The attractive feature of this proposal is that it puts encrypted
communications in the same category as private papers; the government
is required to give notice to (at least one of) the affected
individual(s) _before_ the search can be undertaken. This cures what is
in my mind a defect in the current wire-tapping laws.
DISCUSSION
In a variant of Staelin's proposal (my twist) you could append to each
encrypted message an encrypted form of the message key. The
encryption could be with the public-key of a trusted third party who
will not (and legally may not) reveal the message key without
notifying you first (or ensuring that you have been appropriately
served with the corresponding warrant). For example, the ACLU might
be such a TTP. This protects the government's right to access and
protects the individual from the penalties (or benefits) of losing the
key. This procedure is technically simple; what is more complex is
ensuring that the TTP's are appropriately registered and protected
from undue government influence. The use of such a TTP would in any
case be optional; the communicants need not use a TTP if they
understand their obligation to keep the crypto keys around for some
period of time afterwards.
In Staelin's proposal government gains access to the communications,
but does not gain "real-time access" as desired by the FBI. This loss
may be tolerable, given the benefit obtained (forcing access to be
made in accordance with the Constitutional requirements for
notification before search). The use of wiretapping encrypted
communications as a preventive measure might be severely limited, but
its use as a means of gathering evidence to force a conviction would
be preserved.
For international communications, each communicant might be required to
use a TTP that is bound to honor the laws of his country (which TTP to be
used should be the choice of the communicant).
It may be seem a bit strange to force individuals to keep around
information (keys) that they no longer really need. However, this is
more-or-less the case for financial records right now.
CONCLUSION
The fundamental idea is to give the government a right to access
encrypted communication in return for a guarantee that access may not
be obtained until there is BOTH proper legal authorization AND proper
prior notice to (at least one of) the communicants.
Is this workable??
------- End of Forwarded Message
[Matt's comments follow]
The requirement to store your keys for some period of time would,
I think, be very unusal, legaly.
As far as I know there are virtually no records that an ordinary
individual is required to keep today under criminal penalty of law.
One has to keep tax records if one expects to be able to document
deductions if audited, but for people without deductions, no records
need be kept (and even those who do but who destroy their records
risk having their deductions disallowed, but face criminal penalties
only if the govenment can prove you intended fraud. Not having
records does not by itself constitute fraud, as far as I know).
According to the original message:
The attractive feature of this proposal is that it puts
encrypted communications in the same category as private
papers; the government is required to give notice to (at
least one of) the affected individual(s) _before_ the search
can be undertaken. This cures what is in my mind a defect
in the current wire-tapping laws.
Yes and no. True, it makes it impossible to recover communication
without the knowledge of one party. But it still goes well beyond
the norms for private papers. The vast majority of private papers
are, according to the law, just that - private. One is under no
obligation to maintain "private papers" in any particular manner
or for any period of time. Only very limited types of private
papers (none for most people) have to be maintained at all. While,
in general, the government can get a court order to force one to
turn over documents that exist, one is not obligated to keep
documents that are otherwise of no use in order to be ready should
a court order happen sometime in the future. One can burn one's
old love letters any time one feels like it.
But enough philosophy. There are technical reasons to consider
this proposal a bad idea.
The main technical problem with the Staelin proposal is the
requirement that the user maintain a large store of no longer useful
but highly sensitive data in a secure manner for a period of time.
This introduces an obvious storage burden (how does an encrypting
phone or network connection store old keys?) that would make many
kinds of otherwise simple encryption hardware and software far more
complex and difficult to design and expensive to implement and
operate. Consider a secure phone (like the TSD 3600 or STU III).
A critical design feature of these devices is that they never have
to emit secret keys outside their internal security boundaries.
Consider, too, software that runs on PCs and workstations.
Ordinarily, software that establishes, say, a secure Internet
connection has no need to store any secret associated with the
session anywhere. And that's a good thing - the file systems on
most computers aren't secure enough to store keys, so including
the key storage feature required by the Staelin scheme would entail
implementing some kind of secure storage system that isn't otherwise
needed by the application. Even if the design complexity is solved,
there is the problem of maintaining the stored keys in a secure
manner, introducing what would in most cases be a more serious
security vulnerability than any other aspect of the application
(since the keys would continue to exist long after the secure
session has ended). Under the Staelin proposal, the design,
implementation, and use of encryption software and hardware becomes
much more complex, so complex that I honestly don't think we know
how to do it. I touch on these points in discussing key escrow in
general in my Senate testimony,
ftp://research.att.com/dist/mab/testimony.txt .
While Ron's twist decreases some of the burden on the user it
eliminates the main benefit of the Staelin proposal - that one
cannot obtain cleartext without the knowledge of at least one party.
The TTP could be compelled (as the phone company is now for regular
wiretaps) to keep the request secret, under court order. And the
design complexity problem doesn't even go away - in fact, it gets
worse, since now there's a protocol with a third party involved.
-matt
Return to August 1996
Return to “Matt Blaze <mab@research.att.com>”
1996-08-14 (Wed, 14 Aug 1996 12:28:51 +0800) - resend: key escrow idea from David Staelin of MIT Lincoln Labs - Matt Blaze <mab@research.att.com>