My first send of this message was garbled and truncated. Here it is again. Sorry. My comments included below Rivest's message. -matt ------- Forwarded Message Received: from amontillado.research.att.com (amontillado.research.att.com [135.104.21.154]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id QAA04438 for <mab-local@nsa.research.att.com>; Tue, 13 Aug 1996 16:17:05 -0400 (EDT) Received: from research.research.att.com (research.att.com [135.104.117.5]) by amontillado.research.att.com (8.7.5/8.7) with SMTP id QAA24830 for <mab@issr.research.att.com>; Tue, 13 Aug 1996 16:20:09 -0400 (EDT) Received: from theory.lcs.mit.edu by research; Tue Aug 13 16:17:17 EDT 1996 Received: from swan.lcs.mit.edu by theory.lcs.mit.edu (5.65c/TOC-1.2S) id AA05040; Tue, 13 Aug 96 16:16:20 EDT From: rivest@theory.lcs.mit.edu (Ron Rivest) Received: by swan.lcs.mit.edu (5.65c/TOC-1.2C) id AA00335; Tue, 13 Aug 96 16:16:20 EDT Date: Tue, 13 Aug 96 16:16:20 EDT Message-Id: <199608132016.AA00335@swan.lcs.mit.edu> To: jim@rsa.com, gnu@toad.com, whitfield.diffie@eng.sun.com, mab@research.att.com, denning@cs.georgetown.edu Cc: staelin@ll.mit.edu, mld@hq.lcs.mit.edu Subject: Crypto Policy Variant Hi -- Here is another MIT professor's (Dave Staelin's) suggestion for a national crypto policy. I thought you might be interested in seeing it; given the difficulty of the debate, any variant, even if only slightly different from previous ones, should be considered. Feel free to pass this note around, or to post it... Here is Staelin's idea: (1) You can use any crypto you want, but you must keep a record of the crypto keys you used. (2) The government can ask for the crypto keys later, if they have a court order, just as they can ask for any of your other papers or documents. You must give the key(s) to them, just as you must turn over your private papers in such a situation. (There would have to be an appropriate penalty for losing the key...) The attractive feature of this proposal is that it puts encrypted communications in the same category as private papers; the government is required to give notice to (at least one of) the affected individual(s) _before_ the search can be undertaken. This cures what is in my mind a defect in the current wire-tapping laws. DISCUSSION In a variant of Staelin's proposal (my twist) you could append to each encrypted message an encrypted form of the message key. The encryption could be with the public-key of a trusted third party who will not (and legally may not) reveal the message key without notifying you first (or ensuring that you have been appropriately served with the corresponding warrant). For example, the ACLU might be such a TTP. This protects the government's right to access and protects the individual from the penalties (or benefits) of losing the key. This procedure is technically simple; what is more complex is ensuring that the TTP's are appropriately registered and protected from undue government influence. The use of such a TTP would in any case be optional; the communicants need not use a TTP if they understand their obligation to keep the crypto keys around for some period of time afterwards. In Staelin's proposal government gains access to the communications, but does not gain "real-time access" as desired by the FBI. This loss may be tolerable, given the benefit obtained (forcing access to be made in accordance with the Constitutional requirements for notification before search). The use of wiretapping encrypted communications as a preventive measure might be severely limited, but its use as a means of gathering evidence to force a conviction would be preserved. For international communications, each communicant might be required to use a TTP that is bound to honor the laws of his country (which TTP to be used should be the choice of the communicant). It may be seem a bit strange to force individuals to keep around information (keys) that they no longer really need. However, this is more-or-less the case for financial records right now. CONCLUSION The fundamental idea is to give the government a right to access encrypted communication in return for a guarantee that access may not be obtained until there is BOTH proper legal authorization AND proper prior notice to (at least one of) the communicants. Is this workable?? ------- End of Forwarded Message [Matt's comments follow] The requirement to store your keys for some period of time would, I think, be very unusal, legaly. As far as I know there are virtually no records that an ordinary individual is required to keep today under criminal penalty of law. One has to keep tax records if one expects to be able to document deductions if audited, but for people without deductions, no records need be kept (and even those who do but who destroy their records risk having their deductions disallowed, but face criminal penalties only if the govenment can prove you intended fraud. Not having records does not by itself constitute fraud, as far as I know). According to the original message: The attractive feature of this proposal is that it puts encrypted communications in the same category as private papers; the government is required to give notice to (at least one of) the affected individual(s) _before_ the search can be undertaken. This cures what is in my mind a defect in the current wire-tapping laws. Yes and no. True, it makes it impossible to recover communication without the knowledge of one party. But it still goes well beyond the norms for private papers. The vast majority of private papers are, according to the law, just that - private. One is under no obligation to maintain "private papers" in any particular manner or for any period of time. Only very limited types of private papers (none for most people) have to be maintained at all. While, in general, the government can get a court order to force one to turn over documents that exist, one is not obligated to keep documents that are otherwise of no use in order to be ready should a court order happen sometime in the future. One can burn one's old love letters any time one feels like it. But enough philosophy. There are technical reasons to consider this proposal a bad idea. The main technical problem with the Staelin proposal is the requirement that the user maintain a large store of no longer useful but highly sensitive data in a secure manner for a period of time. This introduces an obvious storage burden (how does an encrypting phone or network connection store old keys?) that would make many kinds of otherwise simple encryption hardware and software far more complex and difficult to design and expensive to implement and operate. Consider a secure phone (like the TSD 3600 or STU III). A critical design feature of these devices is that they never have to emit secret keys outside their internal security boundaries. Consider, too, software that runs on PCs and workstations. Ordinarily, software that establishes, say, a secure Internet connection has no need to store any secret associated with the session anywhere. And that's a good thing - the file systems on most computers aren't secure enough to store keys, so including the key storage feature required by the Staelin scheme would entail implementing some kind of secure storage system that isn't otherwise needed by the application. Even if the design complexity is solved, there is the problem of maintaining the stored keys in a secure manner, introducing what would in most cases be a more serious security vulnerability than any other aspect of the application (since the keys would continue to exist long after the secure session has ended). Under the Staelin proposal, the design, implementation, and use of encryption software and hardware becomes much more complex, so complex that I honestly don't think we know how to do it. I touch on these points in discussing key escrow in general in my Senate testimony, ftp://research.att.com/dist/mab/testimony.txt . While Ron's twist decreases some of the burden on the user it eliminates the main benefit of the Staelin proposal - that one cannot obtain cleartext without the knowledge of at least one party. The TTP could be compelled (as the phone company is now for regular wiretaps) to keep the request secret, under court order. And the design complexity problem doesn't even go away - in fact, it gets worse, since now there's a protocol with a third party involved. -matt