Partial Key Escrow
The recent discussion of the SSL Challenge and the revival of the Software Key Escrow issue brought the following idea to mind. For the purposes of this suggestion let's just assume that the goal is to provide some kind of Government Access to Keys (GAK) for a widely deployed crypto system such as clipper phones. How about if instead of escrowing the whole key with the goverment/escrow agent you only save some of the bits of the key? I am thinking that the goverment would insist that at a minimum all key bits in excess of some N be escrowed. Where N is aournd 48. So if I was using IDEA with 128-bit keys, I'd need to escrow at least 80 bits and reveal all 128 bits only to the receiver. The export version of RC4 is similar except that 40 bits are hidden and 88 bits are "escrowed" as plaintext. I see the advantage of this is that it might just be palatable to the government. In particular, 48 bits wouldn't be any significant burden on the NSA or FBI for legally authorized wiretaps (I recall that something like 1000 were performed in some recent year). It would be a simple matter for the FBI to budget enough hardware to do brute force attacks on a few thousand keys a year with a time-to-crack of a few hours (I doubt most wiretaps are obtained with more time urgency than this). The big advantage to the user is that this provides are well defined limit on the effort required to violate their privacy. The biggest problem with the clipper-type GAK system is that everyone assumes that in the worst case keys could be obtained illegally with essentially zero cost. There are numerous scenarios where the administrative controls that protect keys break down and the public is left with no privacy at all. In this case, however, there is a significant, well-known, and quantitative (but, unfortunately, time-variable) cost in obtaining a key even if the adminstrative controls are completely compromised. While this doesn't make the privacy of any particular target much safer it seems it would significantly improve the safety of the public privacy in aggregate. Ted Anderson
A disadvantage of this ingenious proposal is that it makes it even more difficult to spot rogue key-cracking efforts. If you are an honest government employee and you come across a key cracking program today, and you work for a domestic TLA you know something funny is going on. "Just routine" will be line henceforth... A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | mfroomki@umiami.ir.miami.edu U. Miami School of Law | P.O. Box 248087 | It's hot here. And humid. Coral Gables, FL 33124 USA | See http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html and http://www.law.cornell.edu/jol/froomkin.htm
Michael Froomkin <mfroomki@umiami.ir.miami.edu> writes:
A disadvantage of this ingenious proposal is that it makes it even more difficult to spot rogue key-cracking efforts. If you are an honest government employee and you come across a key cracking program today, and you work for a domestic TLA you know something funny is going on. "Just routine" will be line henceforth...
Yeah, but that _doesn't matter_. The domestic TLA can't afford to embark on massive, wholesale fixing expeditions this way, even _with_ the escrowed part. The point is to fix the unescrowed part at such a size that they can afford to crack a limited number of keys in a reasonable interval. Say, at a cost of about $10000 / key. That's peanuts for an OKBomb or WTC bomb case, but it gets to be expensive (hard to hide the expense) if you're fishing for dirt on members of the opposition party, or investigating 14 year-old Black Panthers. It also suggests some interesting (and admittedly, abusable) TV shows. "type this number into your ``America's Most Wanted'' official Screen Saver key finder..."
participants (3)
-
Lyle Seaman -
Michael Froomkin -
Ted_Anderson@transarc.com