The Risks Of "Key Recovery," "Key Escrow," And "Trusted Third-Party" Encryption | 1998

[1] MIT Laboratory for Computer Science/Hewlett-Packard hal@mit.edu

[2] University of Cambridge ross.anderson@cl.cam.ac.uk

[3] AT&T Laboratories -- Research smb@research.att.com

[4] Microsoft Research benaloh@microsoft.com

[5] AT&T Laboratories -- Research mab@research.att.com

[6] Sun Microsystems diffie@eng.sun.com

[7] gnu@toad.com

[8] SRI International neumann@sri.com

[9] MIT Laboratory for Computer Science rivest@lcs.mit.edu

[10] MIT Information Systems jis@mit.edu

[11] Counterpane Systems schneier@counterpane.com

[12] The latest version of this document can be found at http://www.cdt.org/crypto/risks98/

[13] This report grew out of a group meeting at Sun Microsystems in Menlo Park, CA in late January 1997, including many of the authors and also attended by Ken Bass, Alan Davidson, Michael Froomkin, Shabbir Safdar, David Sobel and Daniel Weitzner. The authors thank these other participants for their contributions, as well as the Center for Democracy and Technology for coordinating this effort and assisting in the production of this final report.

[14] The National Research Council's comprehensive 1996 report on cryptography includes a detailed examination of the rising importance of encryption. National Research Council, Cryptography's Role in Securing the Information Society (1996).

[15] Dept. of Commerce, "Interim Rule on Encryption Items," Federal Register, Vol. 61, p. 68572 (Dec. 30, 1996)

[16] For example, the recent British "Trusted Third-Party" system proposes similar law enforcement demands, requiring one hour turnaround time for TTP recovery agents. See U.K. Department of Trade and Industry, "LICENSING OF TRUSTED THIRD-PARTIES FOR THE PROVISION OF ENCRYPTION SERVICES," (March 1997) (Public Consultation Paper).

[17] In fact, it is technically straightforward for two parties to use their authentication keys to negotiate encryption keys for secure communication. Any system that distributes trusted authentication keys would ipso facto serve as an infrastructure for private communication that is beyond the reach of government surveillance.

[18] There is a great deal of debate about the appropriate role of government in regulating CAs. CAs may ultimately be large, centralized, or even government-certified entities, or smaller, locally-trusted entities. At this early stage in their deployment, no consensus has emerged on what government role is appropriate. For an excellent overview of the debate over CA regulation, see Michael Froomkin, "The Essential Role of Trusted Third-Parties in Electronic Commerce," 75 Oregon L. Rev. 49 (1996).

[19] Storage of a smaller key part is not necessarily cheaper than storage of the whole key, and the preferred key-splitting methods generally produce key parts each of which is as large as the whole key.

[20] U.S. Department of Justice, Bureau of Justice Statistics, Sourcebook of Criminal Justice Statistics 1995 (1996), p. 39.