Escrow system design query
Does anyone know of a solid document out there in the web that actually describes the proposed key escrow backbone network? After wading through considerable junk in the search engines (my, but the net is wordy on the topic), I didn't turn up anything that looked like architecture.

MW
At 08:03 PM 9/14/97 -0400, Michael Wilson wrote:
> Does anyone know of a solid document out there in the web that actually describes the proposed key escrow backbone network? After wading through considerable junk in the search engines (my, but the net is wordy on the topic), I didn't turn up anything that looked like architecture.

Back during Clipper, there was, if not an actual design for an escrow system, at least a bunch of fabrication intended to add verisimilitude to an otherwise bald and unconvincing narrative. The amount of framework it would take to do an escrow system capable of handling every key from Verisign and Netscape is substantially beyond anything anyone was really funded for; much easier to do the job for a few thousand Clipperphones, and build infrastructure as sales pick up.

Building an infrastructure for a system that has keys generated by users, by the millions, is much harder than building one for a small centralized system.

Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
At 2:53 am -0400 on 9/15/97, Bill Stewart wrote:
> Building an infrastructure for a system that has keys generated by users, by the millions, is much harder than building one for a small centralized system.

Which is why I now believe that GAK, of any form, is doomed. It's economically impossible.

For instance, it will be much cheaper to double encrypt to a corporate key ala PGP than to escrow, and so the government may require access to those keys instead. However, even then the cost of key management -- especially for communications -- will choke any attempt to manage duplicate-encryption keys as well. Probably for all but a few kinds of files, like those kept by the people at the tops of large hierarchical organizations. The government, say? :-).

Those few files the government will be able to decrypt will provide a basis for claims of their plan's efficacy, of course, just like noise-level "examples" of welfare helping someone as "proof" of economic efficacy for the welfare state allowed its perpetuation for so many years.

But you cannot ignore reality forever, as Britain discovered with welfare almost 15 years ago, and we're only now figuring out for ourselves in the US. Even totalitarianism cannot ignore economic reality, as Russia and China have shown us. Not that capitalism equals freedom, of course, but there can be a sizeable correlation, particularly when your average business is a small one. :-).

However, I think that in the case of GAK, this act of totalitarianism is economically impossible. If GAK's implemented, people may get hurt before it finally goes away, but it eventually won't be useful for much from a national security perspective, and its maintenance costs will eventually choke it.

Actually, it's probably not possible to make even the prototypes physically practicable, much less economically so, even if Washington does pass a law mandating their existence. It would be like passing the 1963 law which formed Comsat, in, say, 1933. Particularly if the use of strong cryptography continues its exponential increase.

That's because the primary economic benefit for deploying the strongest possible cryptography still remains.

You can't do business over the internet without it.

(It has been this central fact which keeps me interested in cryptography and the cypherpunks list in particular, and my conversion over time to a cryptoanarchic world-view has been based on this fact. Oddly enough, I find most of the philosophic and political arguments on cypherpunks to have a largely economic component to them at root, which makes sense, because market reality is just as tangible as physics. Physical reality dictates politics and philosophy, and not the other way around.)

Anyway, you can, however, do business over the net without GAK, and since, I claim, the eventual lowest-cost transaction on the internet will be some form of anonymous digital bearer certificate, it will never be the case that GAK is economically necessary, even under the ruse of enforcing non-repudiation.

In fact, even if all transactions remain book-entry ones, the exploding total transaction volume and competition to make those transactions efficient will make GAK economically impossible, because it provides no tangible benefit to those who use cryptography for business. There's no economic return on the additional cost. The cost of anything is the foregone alternative, and the cost of GAK causes you to forego a lot of money and potential revenue and doesn't buy you anything in return.

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
At 8:41 AM -0700 9/15/97, nospam-seesignature@ceddec.com wrote:
> If I have to GAK my keys, and there then exists a pgp-gak, then we simply recruit the same CPU power that generated the millions of DES keys to just run pgpk-gak with the shortest keylength and send billions of keys to the GAKserver each week. Many from out of the US if pgp-gak becomes available there.
>
> My test software uses a loop that generates a new pair every few seconds on a pentium (and found some very obscure bugs). I would be required to send all those to the gak.gov. If they really want them...
>
> What it probably means is the government will issue keys or have to license people to create them.

"There ain't no such thing as free escrow."

Some fee will be collected to register keys. "To defray costs" (never mind that the government is the party _requiring_ the damned escrow!).

This will stop the "flooding attacks" which a free key escrow system would generate. It will also, sadly for us, put an end to many applications where keys are generated quickly, transiently, and on an ad hoc basis. There simply will be no time to register the keys, and the $10 (or whatever) processing fee will be unacceptable for these applications.

--Tim May

There's something wrong when I'm a felon under an increasing number of laws.
Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
On Mon, 15 Sep 1997, Tim May wrote:
> This will stop the "flooding attacks" which a free key escrow system would generate. It will also, sadly for us, put an end to many applications where keys are generated quickly, transiently, and on an ad hoc basis. There simply will be no time to register the keys, and the $10 (or whatever) processing fee will be unacceptable for these applications.

That all depends on how they are set up to accept such key requests. Fer instance, say they set up a nice little web site that takes in credit cards... can we say ping flood boys and girls?

Suppose they set up a mail in system where you have to mail letters to them. We simply go through every magazine we find and send subscription requests to that address. As most mags will happily send a free issue this will do wonders... Send them to "Joe Smith, Care Of Key Escrow..." :)

If they set up a phone line, we call the phone line and keep it busy...

If they set up a system whereby mistakes have to be refiled, then we simply all march down there and demand that we get our keys registered and we always make mistakes in something or other, or we forget our ID's.

There may still be ways to spam them and keep them from implementing anyway... If not there's always Toto and the suitcase approach I suppose.... And heck I'm sure someone is willing to donate $1M for such an endeavor...

Denial of service attacks are always possible somehow or other... It's a question of what we're willing to donate to the effort.

=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================
If I have to GAK my keys, and there then exists a pgp-gak, then we simply recruit the same CPU power that generated the millions of DES keys to just run pgpk-gak with the shortest keylength and send billions of keys to the GAKserver each week. Many from out of the US if pgp-gak becomes available there.

My test software uses a loop that generates a new pair every few seconds on a pentium (and found some very obscure bugs). I would be required to send all those to the gak.gov. If they really want them...

What it probably means is the government will issue keys or have to license people to create them.
------------------------
From: nospam-seesignature@ceddec.com
Subject: The great GAK crack (making GAK economically impossible)
Date: Mon, 15 Sep 1997 11:41:53 -0400
To: cypherpunks <cypherpunks@cyberpass.net>

> If I have to GAK my keys, and there then exists a pgp-gak, then we simply recruit the same CPU power that generated the millions of DES keys to just run pgpk-gak with the shortest keylength and send billions of keys to the GAKserver each week. Many from out of the US if pgp-gak becomes available there.
>
> My test software uses a loop that generates a new pair every few seconds on a pentium (and found some very obscure bugs). I would be required to send all those to the gak.gov. If they really want them...
>
> What it probably means is the government will issue keys or have to license people to create them.

which bugs would those be? key generation is pretty critical. i'd be interested in any strange results you've found.

------------------------
Name: amp
E-mail: amp@pobox.com
Date: 09/15/97
Time: 22:04:56
Visit me at http://www.pobox.com/~amp
==
-export-a-crypto-system-sig -RSA-3-lines-PERL
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
==
'Drug Trafficking Offense' is the root passphrase to the Constitution.
Have you seen http://www.public-action.com/SkyWriter/WacoMuseum
------------------------
On Mon, 15 Sep 1997 amp@pobox.com wrote:
> > From: nospam-seesignature@ceddec.com
> > My test software uses a loop that generates a new pair every few seconds on a pentium (and found some very obscure bugs). I would be required to send all those to the gak.gov. If they really want them...
>
> which bugs would those be? key generation is pretty critical. i'd be interested in any strange results you've found.
None specifically in PGP 5.0 or 2.6.2 itself, but I did find the limitation of 13 bits on compression, that the MPI encoding would not accept integers with leading zero bytes, but would with leading zero bits (this was one obscure bug since I had to randomly generate a value much less than the modulus), and the fact that an ElGamal key value causes segfaults.

I was implementing a library and found where my code and real PGP didn't get along. Some combinations aren't generated by PGP, and some aren't accepted.

--- reply to tzeruch - at - ceddec - dot - com ---
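The MPI interoperability point in the last message, as an added example that is not part of the original thread and is not PGP's code: an OpenPGP-style MPI is a two-byte big-endian bit count followed by the magnitude bytes, so a value much smaller than the modulus breaks any encoder that pads to the modulus width. The function names, the `strict` flag and the sample values are constructed for illustration; `encode_fixed_width` is a hypothetical padding encoder, and the decoder models the reported behaviour (leading zero bytes refused, leading zero bits tolerated when `strict=False`).

```python
import struct

def encode_mpi(n: int) -> bytes:
    """Canonical MPI: exact bit count, so no leading zero bytes or bits."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def encode_fixed_width(n: int, modulus: int) -> bytes:
    """Hypothetical buggy encoder: pads every value to the modulus width."""
    size = (modulus.bit_length() + 7) // 8
    return struct.pack(">H", size * 8) + n.to_bytes(size, "big")

def decode_mpi(buf: bytes, strict: bool = True) -> int:
    """Parse one MPI; a leading zero byte is always rejected.

    strict=True also rejects a bit count above the value's real bit length;
    strict=False tolerates those leading zero bits, as the post reports.
    """
    if len(buf) < 2:
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack(">H", buf[:2])
    size = (bits + 7) // 8
    body = buf[2:2 + size]
    if len(body) != size:
        raise ValueError("truncated MPI body")
    if size and body[0] == 0:
        raise ValueError("leading zero byte")
    value = int.from_bytes(body, "big")
    if value.bit_length() > bits:
        raise ValueError("value wider than declared bit count")
    if strict and value.bit_length() != bits:
        raise ValueError("leading zero bits (non-minimal bit count)")
    return value

def accepts(buf: bytes, strict: bool = True) -> bool:
    """True if decode_mpi parses buf without raising."""
    try:
        decode_mpi(buf, strict)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    modulus = (1 << 1023) | 1   # constructed 1024-bit stand-in for a modulus
    small = 0x1234              # constructed value much less than the modulus
    samples = [("canonical", encode_mpi(small)),
               ("fixed-width", encode_fixed_width(small, modulus)),
               ("zero bits", b"\x00\x02\x01")]
    for label, blob in samples:
        print(label, accepts(blob, True), accepts(blob, False))
```
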
participants (7)
- amp@pobox.com
- Bill Stewart
- Michael Wilson
- nospam-seesignature@ceddec.com
- Ray Arachelian
- Robert Hettinga
- Tim May