key recovery vs data backup

[Adam Back]

Kent Crispin <kent at songbird.com> writes:
> > At 11:47 PM 5/7/97 -0400, Carl Ellison wrote:
> > >I was saying that if Sam needs to read my encrypted file/mail, then
> > >I should list Sam as a crypto-recipient.  If Acme,Inc. needs to read
> > >my encrypted file/mail, then I should list Acme,Inc. as a
> > >crypto-recipient.
> > >
> > >There's no safe of keys.  It's even simpler to explain to an executive.
> 
> Unfortunately, it doesn't solve the problem at all.  In fact it
> doesn't even address the problem.  So much so that reading these
> replies makes me think that I am looking at different problem than
> you. 

It seems to me that it is you Kent who is scrambling to find plausible
reasons why key escrow is the best or only technology to use in
corporate email systems.

> [long analogy to physical locks and keys on company premises]
>
> With this background, perhaps now you can see why I say that Carl's 
> solution doesn't even address the problem.  The problem is management 
> of complexity.  Carl says "encrypt to Acme Corp".  Who in Acme Corp?  
> What part of the organization that is Acme Corp is authorized to know 
> this particular bit of information?  Because some of the employees 
> are idiots you want this built automatically into the application 
> they are using for encryption/email/whatever.  How does this software 
> know what policy is appropriate for which employee?  How is that 
> policy distributed?  What is the interface that allows a policy to be 
> defined?   How do you protect the policy definition from subversion?

Ah I see you do acknowledge what Carl Ellison and Matt Blaze have been
saying on cryptography at c2, that key escrow has complexity problems,
contrary to what you have previously been arguing :-)

> Contrast that with a key-safe model, where a copy of every encryption
> key is kept in a secure database.  The encryption client software only
> talks to the key-safe when a new key is generated, over a
> cryptographically secure channel, of course.  There is no policy the
> client has to know.  The user encrypts freely without concern about
> who else should get copies.  The organization knows that there is very
> little chance of data loss because of lost keys, and can use any
> policy it chooses to recover keys, from the company president's ad hoc
> whim to a carefully specified organization al security policy. 
> 
> Access to the key-safe is critical, of course, but it can be made 
> very secure -- a special-purpose piece of hardware that requires 
> passwords from n out of m key czars before access is granted, for 
> example.  Or the contents of the key safe can be encrypted via keys 
> escrowed through a secret sharing mechanism

I don't see the difference.  With the encrypt to multiple recipients
approach where the second crypto-recipient is the company key you can
store the private half of the corporate key using the same techniques
you discussed above.

Access to the data requires access to the master key in both cases.

You fix the second crypto-recipient in the MUA if you wish to.  The
fire-wall can reject posts without the second crypto-recipient.  You
can use binding cryptography to ensure the fire-wall can tell that it
is an encrypted copy of the same document without the firewall needing
access to the master key.  You can't do this company has all keys in
the safe model, without givin the firewall automatic access to the
safe, which is a huge security risk.

So, I suppose you would argue that oh no, the user can by pass this
feature of the MUA, they can use a different MUA, or telnet to the
SMTP port manually.

Well, you know, people can bypass keys which are stored in the company
safe also: don't use them!

They can also walk out of the building with a floppy, store info in
their heads, or use any number of subliminal channels that abound in
crypto and internet protocols.

The advantage of the multiple recipient model is that doesn't commit
the cardinal sin/design flaw of sharing private crypto keys.

Some people have argued that multiple recipient is less suited to GAK,
and therefore it would be better to use multiple recipient, I'm not
sure that it makes that much difference.  If we get forced to put the
government as the second crypto-recipient recipient, the government
still gets to read all your mail.

The main argument against company generates all keys, company holds
all keys, to me is that it's bad crypto design.

The `it's easier to explain a safe full of all employee keys' to
management argument is nonsense also.  It's a master key either way
and just as easy to explain either way: a master key is a key that
lets you decrypt all mail.

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`