CDR: Re: Zero Knowledge changes business model (press release)

Ray Dillinger bear at sonic.net
Wed Nov 1 16:08:41 PST 2000
On Wed, 1 Nov 2000, David Honig wrote:

>Although it's hazardous if done wrong [cf recent PGP problems], is
>tarnished by the Fedz/Denning/etc, and might have no use in a personal
>privacy tool (your diary dies with you), isn't it too dogmatic to rule out
>key escrow for tools intended for use by groups?
>
>Are there equivalent methods which don't use escrowed keys, which I
>am unaware of?

First, I think the people who've spoken about document escrow are 
right.  A much safer approach than key escrow.  

But I'm going to talk about key escrow, because there *are* decent 
ways to do it.

There are methods for key escrow that don't involve a single trusted 
party having all the keys.  For example, you can generate a dozen 
random strings of bits, XOR them together, then XOR the result with 
your key.  Take the result of that operation and it's your thirteenth 
string.  Now you can hand the thirteen strings out to thirteen different 
people.  Now if you get hit by a bus, or if they are *ALL* ready to 
subvert the protocol by working together, they can get together, XOR 
all the strings together, and produce your key.  A reasonable protocol 
for a company with fourteen board members, perhaps.  There would be no 
way to serve thirteen out of fourteen board members with subpoenas and 
still have the investigation of the fourteenth board member be a secret 
to the company.

Third, there are methods for key escrow with a single escrow agent 
that don't allow the escrow agent access to the key while it's still 
live.  Take your August key on August First, and use a digital 
timelock to put one solid month of computing between the company 
escrow officer and the key.  Hand the escrow officer the resulting 
blob, and use your key with impunity until August 30.  On the 30th, 
you encrypt everything with your September key.  On September 1, if 
she's put the fastest available machine to work on it the whole time, 
the escrow agent gets your August key.  Now, if you get hit by a 
bus during August, the escrow officer will be able to get stuff 
from your drive after August -- but will never have your key while 
that key is still in use.

Fourth, the trusted third party doesn't need access to your keys.  I 
could set up a web service that generated complementary asymmetric 
key pairs and published them thirty days apart.  Now when Alice 
wants to put her key in storage for the company escrow officer, 
she can come to my site, pick up the key of the day, encrypt her 
key with it, and hand it to Bob the escrow officer.  If Bob needed 
to use the key, and it were more than a month later, he could come 
to my site and get the complementary key and decrypt Alice's key. 
With this setup, I'm the only one that knows the decryption key, 
and I don't know diddley about what's encrypted under it or where 
anything encrypted under it is stored. 

				Bear
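The XOR key-splitting scheme from the second method above, as an added example that is not part of the original post. It splits a key into n shares that must all be combined to recover it, and also shows why any n-1 shares reveal nothing: for every candidate key there is a missing share that would make the partial set consistent with it (function names are my own).

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must all have the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """n-of-n XOR secret sharing: n-1 uniformly random strings plus one
    computed share, so that XORing all n shares together yields the key."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)  # the "thirteenth string" in the post's example
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """Recover the key by XORing every share together; all must be present."""
    if not shares:
        raise ValueError("no shares given")
    result = shares[0]
    for s in shares[1:]:
        result = xor_bytes(result, s)
    return result


def missing_share_for(partial: list[bytes], candidate_key: bytes) -> bytes:
    """Given n-1 shares, return the one missing share that would make the
    reconstruction equal candidate_key. Because such a share exists for every
    candidate, n-1 holders learn nothing about the real key."""
    return xor_bytes(combine_shares(partial), candidate_key)


if __name__ == "__main__":
    # Constructed 128-bit key, split thirteen ways as in the post.
    key = bytes(range(16))
    shares = split_key(key, 13)
    assert combine_shares(shares) == key
    # Twelve colluding holders can make the data fit any key they like.
    twelve = shares[:12]
    bogus = b"\xff" * 16
    assert combine_shares(twelve + [missing_share_for(twelve, bogus)]) == bogus
    print("all 13 shares recover the key; 12 shares are consistent with any key")
```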
