Binding cryptography - a fraud-detectable alternative to key-esc

Adam Back aba at dcs.ex.ac.uk
Thu Oct 10 07:04:17 PDT 1996



Hey Bert-Jaap, I had you down as one of the good guys, what caused you
to fold :-)

Bert-Jaap Koops <E.J.Koops at kub.nl> writes on cpunks:
> We present an alternative that can give law-enforcement agencies
> access to session keys, without users having to deposit private
> keys.  Unilateral fraud in this scheme is easily detectable.

OK, so I can see how the `binding data' technique achieves a more
robust form of key escrow of session keys, without handing over
private keys.  (Your wording also implied to me that the problem would
not exist if private keys were handed over, but I think this is not
the case; if a warrant is required to get the private keys, the stated
presumption is that no speculative decryptions will be tried).  Also
the proposal (and other proposals which escrow session keys) doesn't
really provide any guarantees of protection from LE abuse, as such,
because they can decrypt all of the escrowed session keys with their
own private key.  But then the original clipper proposal had similar
supposed safeguards, they claimed to have the decryption keys split
across two databases, and they claimed that they would place the key
in a tamper resistant device so that it could only be used for the
duration of the court approved wiretap.

`binding data' combats the problem of people sabotaging key escrow by
using garbage for the escrowed session key.  Matt Blaze was able to
produce compliant capstone/tessera messages which would be accepted by
the recipient, and yet would reveal nothing to the LE agent.  Your
binding data technique would allow a software only implementation of
the non-interoperability requirements of clipper III, and combat
attacks such as Matt's.

However, simpler approaches I think fulfill the requirements given the
(stated) voluntary nature of GAK.

For instance, if you are using a hybrid RSA/symmetric key system with
the session key encrypted with RSA, you can encrypt the session key to
a second recipient also (PGP allows this much, Carl Ellison suggested
this for PGP, Bill Stewart recently also suggested the same).  If the
recipient wishes to check that the sender is really escrowing the same
session key, this can be achieved by revealing to the primary
recipient the random padding of the second recipient's RSA encrypted
copy of the session key.  The primary recipient can then repeat the
encryption, and check.  (I proposed this on sci.crypt last year some
time, with an anti-GAK caveat :-).

As GAK is (stated to be) voluntary, surely the only person who has any
business knowing whether the message is honestly GAKked is the
recipient.  After all you can double encrypt or not use GAK at your
option, so this seems to lose nothing for the GAKkers.

The description of the paper also says nothing about trustworthiness
of the TTPs, from the public's perspective.  It would be nice to see a
proposal which also resulted in the cryptographic revealing of number
of wire taps, as an unavoidable result of the protocol.  (Not that I,
or anyone else would want to use GAK still, but it would be a gesture
of good will on the part of the GAKkers, and would show intentions not
to misuse the system.  I suggest that they would never agree to such a
system because their stated aims are untrue: they *do* want to outlaw
non-escrowed encryption for domestic US traffic, and they *do* want to
decrypt without warrants, and without public audit.  Export control
and temporarily `voluntary' GAK is a means, not an end.)

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
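The check Adam describes above (encrypt the session key to the escrow agent as a second RSA recipient, reveal that copy's random padding to the primary recipient, who re-encrypts and compares) worked through as an added example; it is not code from the post or from PGP. The textbook RSA, the PKCS#1 v1.5-style block layout, the 256-bit demo keys, the function names and the sample session key are all assumptions chosen so it runs offline on the standard library alone; the symmetric half of the hybrid scheme is left out because the check concerns only the session key.

```python
"""Checkable session-key escrow via a second RSA recipient (added example)."""
import math
import random

KEY_BITS = 256   # constructed demo size; far too small for real use
MIN_PAD = 8      # minimum length of the random non-zero padding


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; rng is a seeded random.Random so keys are repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(seed, bits=KEY_BITS, e=65537):
    """Return ((n, e), (n, d)); seeded so the example is deterministic."""
    rng = random.Random(seed)

    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _mod_len(n):
    return (n.bit_length() + 7) // 8


def rsa_encrypt(pub, key, pad):
    """Textbook RSA over the block 00 02 <pad> 00 <key> (PKCS#1 v1.5 layout).
    With a fixed pad the result is deterministic, which is what lets the
    primary recipient re-run the encryption and compare."""
    n, e = pub
    k = _mod_len(n)
    if len(pad) < MIN_PAD or b"\x00" in pad or len(pad) + len(key) + 3 != k:
        raise ValueError("bad padding")
    m = int.from_bytes(b"\x00\x02" + pad + b"\x00" + key, "big")
    return pow(m, e, n).to_bytes(k, "big")


def rsa_decrypt(priv, ct):
    n, d = priv
    block = pow(int.from_bytes(ct, "big"), d, n).to_bytes(_mod_len(n), "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = block.index(b"\x00", 2)
    if sep - 2 < MIN_PAD:
        raise ValueError("pad too short")
    return block[sep + 1:]


def sender_encrypt(session_key, recipient_pub, escrow_pub, seed, escrowed_key=None):
    """Encrypt the session key to the recipient and to the escrow agent.
    Returns (ct_recipient, ct_escrow, escrow_pad); the pad of the escrow copy
    is what the sender hands to the primary recipient.  A cheating sender
    (Blaze-style sabotage) passes garbage as escrowed_key."""
    rng = random.Random(seed)

    def pad_for(pub, key):
        return bytes(rng.randrange(1, 256) for _ in range(_mod_len(pub[0]) - 3 - len(key)))

    ct_r = rsa_encrypt(recipient_pub, session_key, pad_for(recipient_pub, session_key))
    escrowed = session_key if escrowed_key is None else escrowed_key
    escrow_pad = pad_for(escrow_pub, escrowed)
    return ct_r, rsa_encrypt(escrow_pub, escrowed, escrow_pad), escrow_pad


def recipient_verify(recipient_priv, ct_recipient, escrow_pub, ct_escrow, escrow_pad):
    """Primary recipient's check: recover the session key from its own copy,
    re-encrypt it to the escrow agent with the revealed pad, compare."""
    session_key = rsa_decrypt(recipient_priv, ct_recipient)
    try:
        return rsa_encrypt(escrow_pub, session_key, escrow_pad) == ct_escrow
    except ValueError:
        return False


def demo():
    """Return (honest_passes, fraud_passes); an honest sender passes, a
    sender who escrows garbage does not."""
    rec_pub, rec_priv = rsa_keygen(1)
    esc_pub, _ = rsa_keygen(2)
    session_key = bytes(range(16))   # constructed 128-bit session key
    ct_r, ct_e, pad = sender_encrypt(session_key, rec_pub, esc_pub, seed=3)
    honest = recipient_verify(rec_priv, ct_r, esc_pub, ct_e, pad)
    ct_r2, ct_e2, pad2 = sender_encrypt(session_key, rec_pub, esc_pub, seed=4,
                                        escrowed_key=b"\xff" * 16)
    fraud = recipient_verify(rec_priv, ct_r2, esc_pub, ct_e2, pad2)
    return honest, fraud
```

The recipient needs nothing from the escrow agent to run the check, which is Adam's point that only the recipient has any business knowing whether a message is honestly escrowed. Two caveats a practitioner would want: the check works only because encryption under a fixed pad is deterministic (with OAEP one would reveal the seed instead), and it establishes only that the escrow copy decrypts to the same key the recipient holds, not that the key really protects the message body, which the recipient verifies separately by decrypting it.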