Kent Crispin <kent@songbird.com> writes:
At 11:47 PM 5/7/97 -0400, Carl Ellison wrote:
I was saying that if Sam needs to read my encrypted file/mail, then I should list Sam as a crypto-recipient. If Acme,Inc. needs to read my encrypted file/mail, then I should list Acme,Inc. as a crypto-recipient.
There's no safe of keys. It's even simpler to explain to an executive.
Unfortunately, it doesn't solve the problem at all. In fact it doesn't even address the problem. So much so that reading these replies makes me think that I am looking at different problem than you.
It seems to me that it is you Kent who is scrambling to find plausible reasons why key escrow is the best or only technology to use in corporate email systems.
[long analogy to physical locks and keys on company premises]
With this background, perhaps now you can see why I say that Carl's solution doesn't even address the problem. The problem is management of complexity. Carl says "encrypt to Acme Corp". Who in Acme Corp? What part of the organization that is Acme Corp is authorized to know this particular bit of information? Because some of the employees are idiots you want this built automatically into the application they are using for encryption/email/whatever. How does this software know what policy is appropriate for which employee? How is that policy distributed? What is the interface that allows a policy to be defined? How do you protect the policy definition from subversion?
Ah I see you do acknowledge what Carl Ellison and Matt Blaze have been saying on cryptography@c2, that key escrow has complexity problems, contrary to what you have previously been arguing :-)
Contrast that with a key-safe model, where a copy of every encryption key is kept in a secure database. The encryption client software only talks to the key-safe when a new key is generated, over a cryptographically secure channel, of course. There is no policy the client has to know. The user encrypts freely without concern about who else should get copies. The organization knows that there is very little chance of data loss because of lost keys, and can use any policy it chooses to recover keys, from the company president's ad hoc whim to a carefully specified organization al security policy.
Access to the key-safe is critical, of course, but it can be made very secure -- a special-purpose piece of hardware that requires passwords from n out of m key czars before access is granted, for example. Or the contents of the key safe can be encrypted via keys escrowed through a secret sharing mechanism
I don't see the difference. With the encrypt to multiple recipients approach where the second crypto-recipient is the company key you can store the private half of the corporate key using the same techniques you discussed above. Access to the data requires access to the master key in both cases. You fix the second crypto-recipient in the MUA if you wish to. The fire-wall can reject posts without the second crypto-recipient. You can use binding cryptography to ensure the fire-wall can tell that it is an encrypted copy of the same document without the firewall needing access to the master key. You can't do this company has all keys in the safe model, without givin the firewall automatic access to the safe, which is a huge security risk. So, I suppose you would argue that oh no, the user can by pass this feature of the MUA, they can use a different MUA, or telnet to the SMTP port manually. Well, you know, people can bypass keys which are stored in the company safe also: don't use them! They can also walk out of the building with a floppy, store info in their heads, or use any number of subliminal channels that abound in crypto and internet protocols. The advantage of the multiple recipient model is that doesn't commit the cardinal sin/design flaw of sharing private crypto keys. Some people have argued that multiple recipient is less suited to GAK, and therefore it would be better to use multiple recipient, I'm not sure that it makes that much difference. If we get forced to put the government as the second crypto-recipient recipient, the government still gets to read all your mail. The main argument against company generates all keys, company holds all keys, to me is that it's bad crypto design. The `it's easier to explain a safe full of all employee keys' to management argument is nonsense also. It's a master key either way and just as easy to explain either way: a master key is a key that lets you decrypt all mail. Adam -- Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`