-----------------------------------------------------------------------------
_____ _____ _______
/ ____| __ \__ __| ____ ___ ____ __
| | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_
| | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/
| |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_
\_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/
The Center for Democracy and Technology /____/ Volume 3, Number 6
----------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 3, Number 6 May 21, 1997
CONTENTS: (1) Leading Cryptographers, Computer Scientists Say Government
Key Recovery Plan is Risky, Impractical, and Expensive
(2) Summary of Report
(3) How to Subscribe/Unsubscribe
(4) About CDT, contacting us
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------
LEADING CRYPTOGRAPHERS, COMPUTER SCIENTISTS SAY
GOVERNMENT KEY RECOVERY PLAN IS EXPENSIVE, IMPRACTICAL, AND POSES
GRAVE RISKS TO PRIVACY AND SECURITY
A group of leading cryptographers and computer scientists today released a
comprehensive report questioning the viability of key recovery encryption
systems designed to meet law enforcement specifications for guaranteed
access to private communications.
The report raises serious questions about the added risks, costs, and
complexity of government key recovery proposals. "Building the secure
infrastructure of the breathtaking scale and complexity demanded by these
requirements is far beyond the experience and current competency of the
field," the authors note. "Even if such an infrastructure could be built,
the risks and costs of such a system may ultimately prove unacceptable."
The full text of the report can be found at http://www.crypto.com/key_study
The report substantially changes the terms of the ongoing debate over US
encryption policy. For more than four years, the Clinton Administration
has pushed for a policy of continued export restrictions on strong
encryption, and the development of global key escrow and key recovery
systems to address the concerns of law enforcement. The study, the first
comprehensive analysis of the risks of key recovery and key escrow systems,
calls into question the viability of the Administration's approach.
Drawing a sharp distinction between government requirements for key
recovery and the types of recovery systems users want, the report found
that government key recovery systems will produce:
* NEW VULNERABILITIES AND RISKS -- Key recovery systems make encryption systems
less secure by "adding a new and vulnerable path to the unauthorized recovery
of data" where one need never exist. Such backdoor paths remove the
guaranteed security of encryption systems and create new "high-value
targets" for attack in key recovery centers.
* NEW COMPLEXITIES -- Key recovery will require a vast infrastructure of
recovery agents and government oversight bodies to manage access to the
billions of keys that must be recoverable. "The field of cryptography has no
experience in deploying secure systems of this scope and complexity."
* NEW COSTS -- Key recovery will cost "billions of dollars" to deploy, making
encryption security both expensive and inconvenient.
In addition, the report authors raise questions about recent Administration
proposals to link electronic commerce identity certification systems with
key recovery, noting that such linkages "make no sense technically" and
"have serious liabilities."
Authors of the report include Hal Abelson, Steven M. Bellovin, Josh
Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann,
Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier.
The full text of the report is available at http://www.crypto.com/key_study/
For more information, please contact Alan Davidson, Jonah Seiger, or Daniel
Weitzner at CDT (202) 637-9800.
_____________________________________________________________________________
(2) SUMMARY OF THE RISKS OF KEY RECOVERY, KEY ESCROW, AND TRUSTED THIRD PARTY
ENCRYPTION
A variety of "key recovery," "key escrow," and "trusted third party"
encryption systems have been proposed in recent years by government
agencies seeking to conduct covert surveillance within the changing
environments brought about by the Internet and other communications
technologies. This report examines the fundamental properties of these
government requirements and attempts to outline the technical risks, costs,
and implications of widely deploying systems that provide government access
to encryption keys.
The deployment of a global key-recovery-based encryption infrastructure to
meet law enforcement's stated specifications will result in substantial
sacrifices in security and greatly increased costs to the end-user. The
report states, "building a secure, global key recovery system of the
breathtaking scale and complexity demanded by government requirements is
far beyond the experience and current competency of the field. Even if
such an infrastructure could be built, the risks and costs of such a system
may ultimately prove unacceptable."
GOVERNMENT SPECIFICATIONS VS. END-USER REQUIREMENTS
Many expect that there will be some market demand for encryption systems
that allow users to recover their encrypted data in the case that a key is
lost or unavailable. CDT believes that there are legitimate uses of key
recovery technologies to meet the practical needs of users.
However, in our view, governments seeking covert surveillance have imposed
additional requirements on key recovery systems that are at odds with the
needs of business and individual users. These requirements would make
decryption information quickly accessible to law enforcement agencies
without notice to the key owners. They would require global adoption of key
recovery for nearly all applications and users. And they would demand
access to encrypted communications as well as to encrypted stored data,
even though user demand for communications key recovery is highly limited.
The difficulties posed by key recovery systems are a function of these
basic law enforcement requirements proposed for key recovery encryption
systems. They exist regardless of the design of the recovery system --
whether the system uses private key cryptography or public key
cryptography; whether the database is split with secret sharing techniques
or maintained in a single hardened secure facility; and whether the
recovery service provides private keys, session keys, or merely decrypts
specific data as needed.
NEW VULNERABILITIES AND RISKS
Any key recovery infrastructure, by its very nature, introduces a new and
vulnerable path to the unauthorized recovery of data where one did not
otherwise exist. This introduces serious new security risks including:
* NEW PATHS TO PLAINTEXt -- Key recovery systems must provide a new and fast
path to the recovery of data that never existed before and is completely out
of the control of the user. They remove the inherent guarantees of security
available through non-recoverable systems, which do not have an alternate
path to sensitive plaintext that is beyond the uses' control.
* NEW POTENTIAL FOR ABUSE -- Users of a key recovery system must trust that
the individuals designing, implementing, and running the key recovery
operation are indeed trust-worthy. The risk of "insider abuse" becomes
even more evident when attempts are made to design key recovery schemes
that are international in scope. National law-enforcement agencies, for
example, might abuse their key recovery authority to the advantage of their
own country's corporations.
* NEW TARGETS FOR ATTACK -- Key recovery agents will maintain databases that
hold, in centralized collections, the keys to the information and
communications their customers most value. In many systems, the theft of a
single private key (or small set of keys) could unlock much or all of the
data of a company or individual.
NEW COMPLEXITIES
The authors note that government key recovery proposals call for one of the
most ambitious and far-reaching deployments of the information age.
* IMPLEMENTATION -- Key recovery makes it much more difficult to assure that
encryption systems work as intended. Most of the key recovery or key escrow
proposals made to date, including those designed by the National Security
Agency, have had weakness discovered after their initial implementation. It
is possible, even likely, that lurking in any key recovery system are one or
more weaknesses that allow recovery of data by unauthorized parties.
* SCALE -- Key recovery as envisioned by law enforcement will require the
deployment of a secure infrastructure involving thousands of companies,
recovery agents, regulatory bodies, and law enforcement agencies worldwide
interacting on an unprecedented scale. Any breakdown in security among
these complex interactions will result in compromised keys and a greater
potential for abuse or incorrect disclosures.
* OPERATIONAL COMPLEXITY -- Demands on the speed and process for recovering
keys will greatly increase the difficulty of tasks facing key recovery
agents. Global adoption of key recovery will greatly increase the complexity
and number of entities involved. Each of these will in turn have a
significant impact on both the security and cost of the key recovery system.
The authors argue that the field of cryptography has no experience in
deploying secure systems of this scope and complexity. There are few, if
any, secure systems that operate effectively and economically on such a
scale and under such tightly-constrained conditions. It is inevitable that
a global key recovery infrastructure will be more vulnerable to fraudulent
key requests, will make mistakes in giving out the wrong key, and will
otherwise compromise security from time to time.
NEW COSTS
Key recovery on the scale required for government access impose new system
costs for designing, deploying, and operating the ubiquitous key recovery
system. According to the study, these costs include:
* OPERATIONAL COSTS FOR KEY RECOVERY AGENTS -- the cost of maintaining and
controlling sensitive, valuable key information securely over long
periods of time; of responding to both law enforcement requests and
legitimate commercial requests for data; and of communicating with users
and vendors.
* PRODUCT DESIGN AND ENGINEERING COSTS -- new expenses entailed in the
design of secure products that conform to the stringent key recovery
requirements.
* GOVERNMENT OVERSIGHT COSTS -- substantial new budgetary requirements for
government bodies to test and approve recovery products, certify and audit
approved recovery agents, and support law enforcement requests for and
use of recovered key information.
* USER COSTS -- including both the expense of choosing, using, and managing
key recovery systems and the losses from lessened security and mistaken or
fraudulent disclosures of sensitive data.
The report cautions that users will also be faced with real tradeoffs
between cost and security. While relatively simple and inexpensive key
escrow systems may exist, they would jeopardize security. For example, a
poorly-run key recovery agent, employing less-skilled low-paid personnel,
with a low level of physical security, and without liability insurance will
likely be far less expensive to operate -- and far less secure.
CONCLUSION
The report cautions that key recovery systems designed to meet law
enforcement specifications would be expensive, impractical, and would pose
grave risks to privacy and security.
Attempts to force the widespread adoption of key recovery encryption
through export controls, import or domestic use regulations, or
international standards should be considered in light of these factors. The
public must carefully consider the costs and benefits of embracing
government-access key recovery before imposing the new security risks and
spending the huge investment required -- potentially many billions of
dollars, in direct and indirect costs -- to deploy a global key recovery
infrastructure.
------------------------------------------------------------------------
(3) SUBSCRIPTION INFORMATION
Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list. CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
nearly 10,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.
To subscribe to CDT's Policy Post list, send mail to
policy-posts-request@cdt.org
with a subject:
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:
unsubscribe policy-posts
-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: URL:http://www.cdt.org/
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1634 Eye Street NW * Suite 1100 * Washington, DC 20006
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post 3.06 05/21/97
-----------------------------------------------------------------------
CDT Publications Page
CDT Cryptography Page
CDT Home Page