Referrences to SKE and GAK

Carl Ellison cme at
Wed Oct 5 07:05:26 PDT 1994

>From: tcmay at (Timothy C. May)
>Date: Sun, 2 Oct 1994 20:31:13 -0700 (PDT)

>And I think we have indeed seen things coming before a lot of others
>did. The latest such alert, by Carl Ellison, myself, and others, is
>about "software key escrow," or what Carl dubs "GAK" (government
>access to keys). I think SKE is the wave of future repression, worth
>starting to fight now. The popular media is largely oblivious to it,
>as usual.  (John Markoff, of the NY Times, is on top of it, more so
>than most of us, and is waiting for the right time to do something on

As someone at TIS actively involved in looking at SKE and related
technology, I find it bothersome that Tim keeps mixing the terms SKE and
GAK.  I'm not a fan of giving government access to civilian keys, no matter
what form it takes.  However, my mother was an English major and she taught
me to be protective of the language.

	escrow - n - a deed, a bond, money or a piece of property held in
	trust by a third party to be turned over to the grantee only upon
	the fulfillment of a condition

>From inside this morass, there are so many options with so many gradations
that it's important to keep terms well defined and separate.  Try this:

KE:	key escrow, implementation and grantee unspecified

HKE:	key escrow, in hardware, grantee unspecified

SKE:	key escrow, in software, grantee unspecified

KEG:	key escrow, implementation unspecified, government grantee

GAK:	government access to keys, method unspecified

GAK is clearly more general than KE and even more general than SKE.  There
is a real danger that (KE/HKE/SKE) could be subverted by the government but
there are some real uses (as have been pointed out here) for what Steve
Walker (the TIS president) calls a "spare key in the wallet".  [I'm hoping
to get his paper on the subject on our FTP or Web server -- will tell
people when it's there.]  A spare key version of SKE would have the key's
owner as grantee -- leaving the gov't out of the loop *except through
normal subpoena and search warrant access*.

My predictions:

	1.	access by subpoena is still too objectionable for
		many people and isn't likely to fly;

	2.	surveillance agencies are not served by these mechanisms
		so they are not likely to welcome such systems.

Meanwhile, NSA access isn't covered by any of these terms, except perhaps
GAK.  This is relevant since at the last KEA meeting (NIST's "Key Escrow
Approaches"), TIS SKE was demonstrated and people from industry were asked
if they wanted to participate in an experiment -- put it in some product,
let some gov't agency be the guinea pig user community and see if the FBI
was happy with the result (this would be SKEG -- SKE with gov't as grantee)
-- and the response was that there was *no* interest unless this provided
a way to get software exported.  Mike Nelson of the White House (their
point man on Clipper, etc.) and Clint Brooks of NSA replied with a resounding
"we'll have to think about that".  [There has been no result of such thinking

The sequence of events is:

1.	industry wants to export
2.	NSA controls export
3.	industry appears ready to do all sorts of things (like provide GAK)
	in order to get export permission
4.	the NSA doesn't get its needs met by SKEG (because the SKEG mechanisms
	can be circumvented, leaving normal S/W without GAK)
5.	the current situation is an impasse
6.	the forces of the dark side are so desperate to get GAK that
	they'll look at anything which might get them there


So, there's a real reason to watch SKEG developments.  There's also a real
reason to get a new Cantwell bill passed.

At the same time, although the term KE is tainted by NIST/NSA/FBI misuse,
there do exist positive uses for KE (especially SKE) *without* the gov't as
grantee.  I encourage individuals to give this a little thought.  The
example Steve Walker keeps using in public is "the second time I locked
myself out of my car, I decided to carry a spare key in my wallet".


>Dorothy Denning is deeply involved with SKE, 

Dorothy has seen the TIS SKE demo.  Involvement other than that is none, at
least on TIS's side, except that she provided one suggestion to the three
TIS developers (Dave Balenson, Steve Lipner and Steve Walker) during the
design stage (in early May I believe).

BTW, my name appears on the TIS SKE paper because I added a variant -- the
escrow-less option.  That is, instead of having a private key in escrow for
the FBI to get and use forever, have the sender split his session key into
KS1 and KS2 (KS = XOR(KS1,KS2)) and encrypt each half for a different
escrow agent.  [That term is already a misnomer in this case, since these
"escrow agents" have no databases of keys and therefore escrow nothing.  I
tell you, this morass has done major damage to the English language, all
because the gov't perpetrators are afraid to say what they really mean, in
plain English!]  LE would then have to send a piece to each escrow agent
for each message -- letting the agents do traffic analysis on FBI efforts
and also giving out no key lasting beyond a wiretap court order.  As with
anything else, when faced with a technical problem, if I see solutions I
offer them.  [PRZ tells a story of an engineer being led to a gallows which
has been malfunctioning, letting people go free (through a presumed act of
God) -- looking at it and saying "Oh, I see the problem".  (sorry if I
ruined the joke with abbreviation)]

ob.polit.: I don't mind GAK if it is applied only to the military and
various executive agencies, as Clipper/Capstone now appears to be.  Those
people have already given up rights to private communications.  However,
for military uses of Capstone, it bothers me as a citizen to see the keys
kept by Treasury and NIST.  I'd rather see them kept by NSA and Fort Knox
(and I've said so, to Mike Nelson among others).

For private citizens, I intend to fight to my last breath any attempt to
declare a government right to our keys.  I also intend to fight attempts to
declare that the public is volunteering to go along with GAK.  I don't buy
that and I'm in a position to see if it were true.

>					      working with Miles Schmid
>of the NSA 

Miles is with NIST (or was this a snide comment on NIST? :-).

>	    and the folks from Trusted Information Systems (according
>to Whit Diffie, who saw a joint presentation by the bunch of them in
>Karlsruhe, and their glee that the Micali escrow patent will likely be
>overturned due to prior art in Europe).

The TIS SKE stuff was presented at several places, most recently the
CSS&PAB.  The new thrust by Steve Walker is that the public has no reason
to buy KEG products.  They add no value to the consumer.  However, the
public *has* a reason to buy spare-key-in-the-wallet systems.  Given the
existence of a redundant place to find a message key (or to get it
decrypted), law enforcement could mine that database, using existing
legal mechanisms (subpoena and search warrant).  [This access does
not meet the desires of covert surveillance, however, so it's likely
to be rejected.]

 - Carl

More information about the cypherpunks-legacy mailing list