From: Adam Back <aba@dcs.ex.ac.uk>
To: jon@pgp.com
Message Hash: 87be24f53c7aebae9dbc53006bd977f248b2ba9eb4226455690f29e79bf0e2cb
Message ID: <199710081706.SAA00194@server.test.net>
Reply To: <3.0.3.32.19971007142710.00a22970@mail.pgp.com>
UTC Datetime: 1997-10-08 17:22:18 UTC
Raw Date: Thu, 9 Oct 1997 01:22:18 +0800
From: Adam Back <aba@dcs.ex.ac.uk>
Date: Thu, 9 Oct 1997 01:22:18 +0800
To: jon@pgp.com
Subject: Re: What's really in PGP 5.5?
In-Reply-To: <3.0.3.32.19971007142710.00a22970@mail.pgp.com>
Message-ID: <199710081706.SAA00194@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain
Jon Callas <jon@pgp.com> defends:
> One of the downsides of cryptography is that if you lose your passphrase
> (or token, PIN, smart card, or whatever), you've lost your data. My
> favorite way of expressing this problem is, "if you lose the keys to your
> car, then you have to get a new car."
This is true but mainly I think for _storage_ keys. PGP is being
discussed as an email communications system. It's probably just as
likely that your email will disappear down a black hole as that you
forget your keys.
Your analogy doesn't fit.
All you're encrypting is something sent over a fairly unreliable
communications link. If you lose the key, well heck you just get the
sender to resend it. Happens every day with or without crypto.
(So you generate a new key, and get it certified, and publish your
revocation cert., if you have one).
This is the same mistake that Freeh and company make in arguing for
GAK. It's a flawed argument.
> This downside is particularly insidious for a number of reasons. First,
> without fixing that problem, strong cryptography will be in some sort of
> limbo. You want to use it to protect your valuable information, but you
> won't want to use it for any information that's *too* valuable, because
> it's easily lost. Crypto-protected information is fragile, and this
> fragility could hurt its widespread deployment.
Email itself is pretty fragile, and email is not commonly used for
long term storage. (What are PGP are thinking? "gee, how best can we
best archive our master source tree ... I know we'll email it to our
colleague over here and delete it before I get confirmation it
arrived"?).
> When they started mumbling along these lines, the privacy community got
> their own act together and started describing what we believe to be the
> real solution. This is called "data recovery."
Way I understand "data recovery" is that you have a recovery mechanism
for stored data. Like you have backups of the keys for your hard disk
driver level encryption program, or encrypted back up program.
You either have misunderstood the data recovery argument, or are
attempting to rejig it to fit your argument.
> When I was at HIP97 this August, I was amused to hear cypherpunks
> chanting, "Data recovery good, key recovery bad."
I'm pretty sure said cypherpunks were chanting about storage keys:
keys for data stored on your disk, as opposed to the GAKkers wanting
access to your communications keys.
> The essence of data recovery is that focusing on the keys is a
> canard. If you've misplaced your data, you want the data back, not
> the keys.
Bingo. And your data is where? On your disk. Not in limbo being
passed around the flaky sendmail/mailserver hodge-podge that is
Internet mail.
> If you've locked yourself out of your car, you want the use of
> your car, not the just the key. Thus, the solution to encrypted data
> being fragile is to let people get to the data.
No, no! The simple solution to fragile encryption on fragile
communications data is to keep a copy of the email you sent! Encrypt
and backup the keys for that all you want, and you won't get any GAK
complaints.
> If you don't like data recovery, you aren't going to like what we
> did in PGP 5.5 -- we built a data recovery system.
No you didn't, you built a GAK system.
> Data recovery is useful for a number of things. Perhaps you lost
> your passphrase. Or data might have been encrypted by an employee or
> co worker who was in an accident.
Yes, and your archives are going to be where? On backup tapes, on an
encrypted partition on his hard disk... not in the email system.
> (As an aside, fifteen years ago, the architect of a product I worked
> on was in a severe car wreck. He was not killed, but suffered brain
> damage and has never returned to work.)
Sad story. I venture to suggest, however, that the product source
code was not stored solely in your email box, nor I expect did the
last copy of your source tree happen to be en-route in encrypted
email which only he had the key for.
> Your spouse might need access to financial records.
She might. In which case you might secret split the key to your
encrypted partition, your lawyer and her, or whatever.
> What makes data recovery different from key recovery? In my opinion,
> data recovery allows you to get encrypted data without compromising
> the key of the person who encrypted it.
Nope, that's not it. Data recovery is being able to recover stored
data. "Key escrow" and "key recovery" are newspeak terms defined by
the GAKkers which mean that they want access to your communications
keys. Your response should be to widely field systems using forward
secrecy, not to go along and implement GAK for them.
[description of PGP GAKware elided]
If any PGP employees want a job working for a company which doesn't do
GAK, contact me off list, encrypted mail preferred.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
Return to October 1997
Return to ““William H. Geiger III” <whgiii@invweb.net>”