From: Alan Barrett <apb@iafrica.com>
To: cryptography@c2.net
Message Hash: 841798bb77919d5d3f3ed5de9368d3d5afe05c62083401e896d092e300874949
Message ID: <Pine.NEB.3.95.970511094853.29245D-100000@apb.iafrica.com>
Reply To: <19970508192011.29178@bywater.songbird.com>
UTC Datetime: 1997-05-11 08:38:00 UTC
Raw Date: Sun, 11 May 1997 16:38:00 +0800
From: Alan Barrett <apb@iafrica.com>
Date: Sun, 11 May 1997 16:38:00 +0800
To: cryptography@c2.net
Subject: Re: key recovery vs data backup
In-Reply-To: <19970508192011.29178@bywater.songbird.com>
Message-ID: <Pine.NEB.3.95.970511094853.29245D-100000@apb.iafrica.com>
MIME-Version: 1.0
Content-Type: text/plain
On Thu, 8 May 1997, Kent Crispin wrote:
> Unfortunately, it doesn't solve the problem at all. In fact it
> doesn't even address the problem. So much so that reading these
> replies makes me think that I am looking at different problem than
> you.
There are many similarities between your idea of a "key safe" for CAK
(corporate access to keys), and the idea espoused by Carl and others
of encrypting everything to a corporate key as well as to the other
recipients.
If the corporation expects to be successful at forcing it's staff to run
special software that talks to the CAK key safe, then the corporation
should also expect to be successful at forcing its staff to run special
software that adds the special coprorate key as a recipient of all
encrypted messages.
If the corporation expects to be successful at keeping the keys to the
CAK key safe secure, while still allowing an appropriate coalition of
high level managers to get access to the contents of the key safe,
then the corporation should also expect to be successful at keeping
the private part of the corporate key secure, while still allowing
an appropriate coalition of high level managers to use the special
corporate private key to decrypt messages.
If the coproration trusts those with access to the CAK key safe not to
abuse their access, then the corporation should also trust those with
access to the special corporate key not to abuse it.
> With this background, perhaps now you can see why I say that Carl's
> solution doesn't even address the problem. The problem is management
> of complexity. Carl says "encrypt to Acme Corp". Who in Acme Corp?
> What part of the organization that is Acme Corp is authorized to know
> this particular bit of information?
Whatever the answer to the latter question is, it's the same in the CAK
case as it is in the "encrypt to a special coprorate key" case.
> Because some of the employees are idiots you want this
> built automatically into the application they are using for
> encryption/email/whatever. How does this software know what policy
> is appropriate for which employee? How is that policy distributed?
> What is the interface that allows a policy to be defined? How do you
> protect the policy definition from subversion?
The same problems arise in the CAK case. And the same solution: you
make the user's software do the same thing every time, and implement the
policy elsewhere.
> Access to the key-safe is critical, of course, but it can be made very
> secure -- a special-purpose piece of hardware that requires passwords
> from n out of m key czars before access is granted, for example.
> Or the contents of the key safe can be encrypted via keys escrowed
> through a secret sharing mechanism
The same problems and solutions apply in both the CAK case and in the
"corporate key as extra crypto recipient" case.
Now, having spent some time attempting to show that the two cases are
almost identical in many respects, let me point out a few ways in which
I think encrypting to a special corporate key is better than CAK.
- With CAK, the key safe contains at least a copy of every key used by
every staff member. All that needs to be kept secure. This storage
problem does not arise in the non-CAK case.
- With CAK, every time a user creates a new key, the user's software
needs to talk to teh key safe. This needs a secure channel, which
raises further authentication problems (how does the user know that
he's not talking to a fake key safe). These don't arise in the
non-CAK case.
- Once a CAK infrastructure is in place, it is likely to be easier
for a government to impose GAK. It's better not to set up the CAK
infrastructure in the first place.
To be fair, similar arguments apply to the "add an extra crypto
recipient" case: just add two extra crypto recipients (corporate key
and big-brother key). But I think that the general public is more
likely to understand what the government wants and to reject the
idea in this case than in the GAK case.
--apb (Alan Barrett)
Return to May 1997
Return to “Kent Crispin <kent@songbird.com>”