EC refutes GAK

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Oct 21 05:23:51 PDT 1997



[I originally posted this to the c2.net crypto list but apparently it never
 appeared; I've reposted it here in case anyone finds it useful]
 
>The report also notes a new (to me, anyway) method of bypassing GAK while
>maintaining full compliance with the law:
>
>"Users could encrypt a relatively large number of session keys in a way that
>the previous key encrypts the next one, always using one or several official
>escrow/recovery systems. Only the last key would be used to encrypt the
>message.
 
There's another way to foil GAK which I don't think has been mentioned before,
using what is often referred to as "malicious obedience" in the military (or
"you asked for it, you got it" elsewhere):
 
Since I don't trust any cryptosystem based on mathematical principles, I
encrypt all my communications using a one-time pad communicated on CDROM
(700+MB if you push it).  To limit the exposure of each pad, I change it once a
month at a cost of ~$1 per CDR blank.  If I communicate with around 100 people
that's 100 x 12 x 700+MB or (rounding things up a bit) a terabyte of keying
material a year.  Since they use their own pads to communicate back to me,
anyone wanting to intercept a year's worth of traffic to/from me would need to
archive 100 terabytes of keying material (I'd make sure I spread out the bits
of pad I used so they couldn't just keep the useful bits and discard the rest).
In any case since this will only be used for court-authorised intercepts (just
keep repeating that until you believe it), everything would have to be archived
without any changes so it could be used as evidence.
 
At a cost of $100/month in CDRs this should comply with any GAK law (instant
access to keys, etc), but will also do a reasonable job of overwhelming any
centralised repository charged with storing the data.  Of course since I don't
trust the government any more than I trust those nasty cryptosystems based on
mathematical principles, I'd use triple DES underneath the OTP just to be sure.
 
Peter.
 






