I've been mulling over PGP5's CMR feature for a while, trying to decide what I think of it. It hasn't been easy, but I've come down against it. I'm restricting my discussion to the use of CMR in corporate email. I am not addressing stored data.

Jon Callas (jon@pgp.com) writes:

There are two things I will discuss in this missive:

(1) The assertion that Corporate Message Recovery is "just like Clipper" and why this is not true. (2) The fear a number of people have expressed that Corporate Message Recovery (CMR) could be used by the US government to slide in GAK.

I think we're agreed that CMR isn't itself GAK and I'll talk some about why it isn't with (1).

I think that we're a lot more worried that the presence of features like CMR will make it easier for governments to mandate GAK. It's much tougher to insist on GAK if a switch requires new software to be developed, and for everyone to purchase, install, and use espionage-enabled software. If CMR - like facilities are already in the software, then GAK could be mandated overnight by executive order. The inclusion of CMR drastically lowers the barriers to mandated GAK.

CMR isn't like Clipper:

* Clipper was a 64-bit key. CMR symmetric keys are full-strength keys (128 bits or more), backed with a full-strength public key.

A word of advice: don't try to discuss Clipper in this forum without checking your facts. Clipper used an 80 bit key.

* Clipper's key was set in hardware by the manufacturer, and users were required to use it.

Actually, the chips left the manufacturer 'blank'. They were to have their unit keys set by some ill-defined process involving government employees. It never really got nailed down, since Clipper was killed before the key escrow agencies and systems were ramped up beyond demonstration levels.

A CMR key is a software-enabled key, no user is ever required to use it.

With a CMR feature in place, a government can say "Starting now, encrypt to this key or we'll throw you in jail." Without CMR, they can't really do this.

There are cases in which a user might "volunteer" to use a CMR because they work for someone who requires it,

[or because the State says it will toss his sorry ass in jail if he does not]

but that's a problem we'll address with the PGP Secure Resume Server which allows headhunters to securely and anonymously find people who've made bad career decisions.

[or bad citizenship decisions?]

* A CMR key can be revoked, reissued, or changed. You can periodically change it as a matter of policy. You can even stop using it. Clipper's was, again, set in hardware, with no option of not using it.

Once again, you're unlikely to do this if the State decides that that would be a good reason to jail you.

* The Clipper symmetric algorithm was secret; CMR keys use publicly available algorithms.

True, but the point is moot - most people beleive that the NSA is perfectly competant to write secure symmetric ciphers without outside review, and since they had given themselves a backdoor, there was no reason to leave the window unlocked as well.

* With Clipper, there was always a concern that an outside agency had the keys. This is true with a number of other systems (the so-called key recovery systems), and is the reason that a number of them are lumped together with the term GAK. Note that the user-organization creates a CMR key, and the end-user enables it. If any government gets access to this key, it is because either (1) they solved the Discrete Logarithm Problem, (2) they broke the public CMR key, (3) they black-bagged your CMR key, or (4) they are using a subpoena, warrant, or discovery to get the key. We're working on a way around (1), we can't do anything about (2) or (3), but these are fine reasons not to use CMR! If you're beset by (4), you need lawyers, not cryptographers.

If the State could do (1), they would not be asking for key recovery in the first place. (2) and (3), are greatly aided by CMR, since CMR provides high value targets; breaking or black-bagging a single key gives you access to a great deal of traffic, and in the case of (4), you lose 5th Amendment protection, since a third party holds a key.

* With Clipper, there was a central repository of all the keys. With CMR, there is not. I discussed that in detail in my message, "Why Corporate Message Recovery isn't Key Escrow."

Once again, you haven't checked the record. Clipper keys were to be split, with different halves going to different government agencies. There were fairly elaborate plans to prevent posession of only one half giving an attacker an advantage. Thus there were *two* repositories, not one. (From the point of view of the paranoid, this was not much of a comfort - both repositories belonged to the same entity.)

I have noticed that a number of people have the tacit assumption that business people and corporations are in cahoots with the FBI, waiting to hand over everyone's secret key. As in all parts of life, there are many, many businesspeople and corporate execs who are not particularly moral. But I don't think that their immorality takes this form. If we could examine the dark, secret thoughts of a corporate scumwaffle -- the ones that he *really* hopes don't hit the papers -- I sincerely doubt that, "Oh, Louis, I love it when you rummage my drawers" is among them.

Here's an alternative interpretation. I think that 'business people and corporations' feel (with considerable justification, I might add) that they have a moral right to control the information which flows in and out of their worksites, just as they have a right to control to flow of material goods on and off of their premises. To control the flow of material goods, companies install security systems, guards, metal detectors, etc. Depending on the type of good and it's value, these more or less work, though they're never perfect; when the marginal cost of improving security exceeds the loss that the improvement would prevent, you stop adding security. In the extreme case, the diamond workers of Namibia have to undergo a full-body X-ray whenever they leave the diamond reserve. Companies would like to be able to able to exercise similar control over data. However, bits behave differently than do atoms. Physical barriers are almost perfectly transparent. An employee can slip a multi-gigabyte DAT tape in a shirt pocket, or transfer stego'd data undetected inside innocent cover data, perhaps with non-CMR'd superencryption. For data, physical barriers - firewalls, passwords, isolated lans, access controls encryption, et al, can work more or less effectively to prevent unauthorized outsiders from acquiring data they should not. However, there is *no* way in which you can prevent a person you have authorized to receive data from making whatever use of it they desire, even if those uses are opposed to your reasons for giving them the data. CMR serves to give corporate executives the illusion that they can control the uncontrollable. It lets them think they can monitor the expression of their employess, while they can not. It lets them beleive that they can use technology to protect corporate proprietary data from theft by disloyal employees, while they can not. The only way to protect data is to make sure that employees share the goals and ends of the corporation; ie, give them a reason to be loyal and trustworthy. Classified agencies know this. In the classified world, there is a huge effort to protect data from outside attack. There is a similarly intense effort to check that only loyal, reliable, trustworthy people get clearances, and strong 'need to know' controls to restrict what data even they can see. However, once a cleared person has acheived properly authorized access to classified data, there is (in my observation) remarkably little done to prevent them from deliberately walking off with it. CMR provides an illusion that this loss can be prevented. It looks good in a chief security officer's report; it gives warm fuzzies to senior management. However, it provides no real security. In fact, it actually weakens security, since anyone with licit or illicit access to the CMR key(s) can read the data.

Now then, the next topic is the fear that CMR will be used in some insidious government plot to slip in GAK everywhere.

I worry about this, too. But I don't think it's feasible that CMR can be a stalking horse for GAK. If the government wants to GAK-enable all PGP, they'll have to have a plan similar to this:

[Strawman GAK plan deleted] Here's a more realistic scenario. 1. OpenPGP with CMR becomes a standard, and is widely accepted and installed. PGP gets rich. (Are you going to claim that this could never happen?) 2. An executive order is signed by the President, ordering that all encrypted email include the FBI public key as a recipient. He notes that this will be no burden to industry, since it's a freebie with the industry standard CMR facility. To summarize: 1. CMR cannot prevent disloyal employees from sending messages that their employers would want to prevent. 2. CMR, widely deployed, would greatly ease a transition to mandated GAK. Given CMR's inability to provide an a desirable goal (improve corporate security), coupled with the severe downside (paving the road to GAK), I have decided that I must oppose it.

Jon Callas jon@pgp.com

Peter Trei trei@ziplink.net