Bert-Jaap Koops <E.J.Koops@kub.nl> writes on cpunks:
We present an alternative that can give law-enforcement agencies access to session keys, without users having to deposit private keys. Unilateral fraud in this scheme is easily detectible.
OK, so I can see how the `binding data' technique acheives a more robust form of keys escrow of session keys, without handing over private keys. (Your wording also implied to me that the problem would not exist if private keys were handed over, but I think this is not the case, if a warrant is required to get the private keys, the stated presumtion is that no speculative decryptions will be tried). Also the proposal (and other proposals which escrow session keys) doesn't really provide any guarantees of protection from LE abuse, as such, because they can decrypt all of the escrowed session keys with their own private key No. In the scheme Law Enforcement (that is your LE, right?) agencies are never handed over the private keys of Trusted Retrieval Parties (TRPs), only the session keys. So for each sessionkey LEs will have to go to a TRP. Moreover, the choice of TRPs should be large, so the idea is that you can always pick one you trust. Or set up your own, for that matter...
[stuff deleted]
However, simpler approaches I think fulfill the requirements given the (stated) voluntary nature of GAK.
For instance, if you are using a hybrid RSA/symmetric key system with the session key encrypted with RSA, you can encrypt the session key to a second recipient also (PGP allows this much, Carl Ellison suggested this for PGP, Bill Stewart recently also suggested the same). If the recipient wishes to check that the sender is really escrowing the same session key, this can be acheived by revealing to the primary recipient the random padding of the second recipient's RSA encrypted copy of the session key. The primary recipient can then repeat the encryption, and check. (I proposed this on sci.crypt last year some time, with an anti-GAK caveat :-).
In our scheme any third party, which is probably never a TRP, can check equality of the sessionkeys send to the primary recipient (the TRP) and the second recipient (the real adressee), i.e. *without* needing secret information! In your suggestion checking can only be done with secret information (you need the secret key of the primary recipient). Also, "random padding" information of the second recipient is very secret as well, just compare the results Don Coppersmith presented on Eurocrypt97: if you know the enough padding you know it all. So for instance sending along the padding info along will make any key-escrow superflous (-;
As GAK is (stated to be) voluntary, surely the only person who has any business knowing whether the message is honestly GAKked is the recipient. After all you can double encrypt or not use GAK at your option, so this seems to lose nothing for the GAKkers.
The description of the paper also says nothing about trust worthiness of the TTPs, from the public's perspective. As far as we are concerned, anybody - willing to follow regulating - can set up his own TRP.
> (Not that I,
or anyone else would want to use GAK still, but it would be a gesture of good will on the part of the GAKkers, and would show intentions not to misuse the system. I suggest that they would never agree to such a system because their stated aims are untrue: they *do* want to outlaw non-escrowed encryption for domestic US traffic, and they *do* want to decrypt without warrants, and without public audit. Export control and temporarily `voluntary' GAK is a means, not an end.) Who is they, governments as a whole? If you simplify discussions in this way, I might as well say: "you guys only want to help criminals". I understand your fears, but don't exaggerate.
Eric Verheul