Escrowed Encryption and Related Issues
Pages 167-215



From page 167...
... is delivered to an independent trusted party that might be a person or an organization (i.e., an escrow agent) for safekeeping, and is accompanied by a set of rules provided by the parties involved in the transaction governing the actions of the escrow agent.
From page 168...
... In any event, the salient point is that all terms and conditions and functioning of an escrow process are, or can be, visible to the parties involved; moreover, the behavior and performance of formal escrow agents are governed by legally established obligations.
From page 169...
... 5.2 ADMINISTRATION INITIATIVES SUPPORTING ESCROWED ENCRYPTION
Since inheriting the problem of providing law enforcement access to encrypted telephony from the outgoing Bush Administration in late 1992, ...
Footnote 2: In the more general meaning of escrowed encryption, exceptional access refers to access to plaintext by a party other than the originator and the recipient of encrypted communications. For the case of stored information, exceptional access may refer to access to the plaintext of an encrypted file by someone not designated by the original encryptor of the file to decrypt it, or even by persons so designated who have forgotten how to do so.
From page 170...
... If widely adopted and properly implemented, escrowed encryption could provide legitimate users with high degrees of assurance that their sensitive information would remain secure but nevertheless enable law enforcement and national security authorities to obtain access to escrow-encrypted data in specific instances when authorized under law. Moreover, the Administration hoped that by meeting legitimate demands for better information security, escrowed encryption would dampen the market for unescrowed encryption products that would deny access to law enforcement and national security authorities even when they sought access for legitimate and lawfully authorized purposes.
From page 171...
... 5. Law enforcement could use the information in the LEAF to identify the particular device of interest, solicit its master-key components from the two escrow agents, combine them, recover the session key, and eventually decrypt the encrypted traffic.
From page 172...
... Possession of this key would enable one to decrypt all communications sent to and from the telephone unit in which the chip was integrated. • A law enforcement access field (LEAF)
From page 173...
... When law enforcement officials encountered a Clipper-encrypted conversation on a wiretap, they would use the LEAF to obtain the serial number of the Clipper chip performing the encryption and the encrypted session key. Upon presentation of the serial number and court authorization for the wiretap to the escrow agents, law enforcement officials could then obtain the proper unit-key components, combine them, recover the session key, and eventually decrypt the encrypted voice communications. Only one key would be required in order to obtain access to both sides of the Clipper-encrypted conversation. The authority for law enforcement to approach escrow agents and request unit-key components was considered to be that granted by Title III and the Foreign Intelligence Surveillance Act (FISA)
From page 174...
... The EES was developed by communications security experts from the NSA, but the escrow features of the EES are intended to meet the needs of law enforcement -- i.e., its needs for clandestine surveillance of electronic and wire communications as described in Chapter 3. NSA played this development role because of its technical expertise.
From page 175...
... Intelligence collections of digital data can proceed with few difficulties if regulations permit escrow agents to make keys available to national security authorities on an automated basis and without the need to request keys one by one. On the other hand, if the regulations forbid wholesale access to keys (and the products in question do not include a "universal key" that allows one key to decrypt messages produced by many devices)
From page 176...
... For confidentiality, the Capstone chip uses the Skipjack algorithm, the same algorithm that is used in the Clipper chip (which is intended only for voice communications, including low-speed data and fax transmission across the public switched telephone network), and the same mechanism to provide for key escrowing. The agents used to hold Capstone keys are also identical to those for holding Clipper keys -- namely, the Departments of Treasury and Commerce.
From page 177...
... These criteria are intended to ensure that a product's key escrow mechanism cannot be readily altered or bypassed so as to defeat the purposes of key escrowing.
From page 178...
... 4. The product's key escrow cryptographic functions' ciphertext shall contain, in an accessible format and with a reasonable frequency, the identity of the key escrow agent(s)
From page 179...
... • A FIPS for key escrow will be developed that will, among other things, specify performance requirements for escrow agents and for escrowed encryption products. How this relates to the existing or modified FIPS-185 is also uncertain at this time.
From page 180...
... But in one proposal, escrow agents known as Data Recovery Centers (DRCs) do not hold user keys or user key components at all.
From page 181...
... Calls made using EES-compliant telephones would be protected against such surveillance, except when surveillance parties (presumably law enforcement authorities) had obtained the necessary keys from escrow agents.
From page 182...
... and private encryption keys with one or more commercial escrow agents selected by the corporation. (SecureKEES product literature, CertCo, Bankers Trust Company.)
From page 183...
... For example, the final procedures for managing law enforcement access to EES-protected voice conversations call for the hardware providing exceptional access to be designed in such a way that law enforcement officials would decrypt communications only if the communications were occurring during the time window specified in the initial court authorization. The fact that law enforcement officials will have to approach escrow agents ...
Footnote 26: Even worse, it is not just future communications that are placed at risk, but past communications as well.
From page 184...
... 5.5.1 Balance of Crime Enabled vs. Crime Prosecuted One question is the following: Does the benefit to law enforcement from access to encrypted information through an escrow mechanism outweigh the damage that might occur due to the failure of procedures intended to prevent unauthorized access to the escrow mechanism?
From page 185...
... • Repeated involvement by key escrow agents (KEAs) is not required to obtain the information needed to decrypt multiple conversations and data messages (refer to expeditious information release by KEAs)
From page 186...
... However, the widespread deployment of strong encryption without features for exceptional access would mean that even the careless criminal would easily obtain unbreakable encryption, and thus the Administration's initiatives are directed primarily at the first scenario. Similar considerations would apply to escrowed encryption products used to store data -- many criminals will use products with encryption ...
Footnote 29: "Voluntary" has been used ambiguously in the public debate on key escrow.
From page 187...
... On the other hand, some criminals will hide or conceal their stored data through the use of unescrowed products or by storing them on remote computers whose location is known only to them, with the result that the efforts of law enforcement authorities to obtain information will be frustrated.
From page 188...
... We also recognize that a new key escrow encryption system must permit the use of private-sector key escrow agents as one option.
From page 189...
... Executive branch escrow agents may well be more responsive than outside escrow agents to authorized requests from law enforcement for keys. Executive branch escrow agents can be enjoined more easily from divulging to the target of a surveillance the fact that they turned over a key to law enforcement officials, thereby helping to ensure that a surveillance can be performed surreptitiously.
From page 190...
... One result might be that executive branch escrow agents might divulge keys improperly; a second result might be that executive branch escrow agents could be more likely to reveal the fact of key disclosure to targets in the executive branch under investigation. Some of the concerns described above could be mitigated by placement of escrow agents in the judiciary branch of government on the theory that since judicial approval is needed to conduct wiretaps, giving the judiciary control of escrowed keys would in fact give it a way of enforcing the Title III requirements for legal authorization.
From page 191...
... • Vendors of products with encryption capabilities and features for exceptional access. Vendors acting as escrow agents would face a considerable burden in having to comply with registration requirements and might be exposed to liability. At the same time, vendors could register keys at the time of manufacture or by default at some additional expense.
• Customers themselves.
From page 192...
... A second important issue regarding escrow agents deals with their number. Concentrating escrow arrangements in a few escrow agents may make law enforcement access to keys more convenient, but it also focuses the attention of those who may attempt to compromise those facilities -- the "big, fat target" phenomenon -- because the aggregate value of the keys controlled by these few agents is, by assumption, large. On the other hand, given a fixed budget, concentrating resources on a few escrow agents may enable them to increase the security against compro ...
Footnote 38: The dominance of corporate sales over sales to individuals was cited in Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, released January 11, 1996, p.
From page 193...
... (In the Clipper case, two escrow agents would be used to hold the unit keys to all EES-compliant telephones.) A single escrow agent for a given key poses a significant risk of single-point failure -- that is, the compromise of only one party (the single escrow agent)
From page 194...
... of five (n) escrow agents could be sufficient to enable exceptional access.
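The "any two of five agents" arrangement contrasted here with the single-agent and the EES two-of-two cases can be realized with Shamir secret sharing. The following is an added example and not a scheme described in the report or used by any EES product: the unit key is hidden in the constant term of a random polynomial over a prime field, each of the n agents receives one point on the polynomial, any k points reconstruct the key by Lagrange interpolation, and any k-1 points yield a value unrelated to it. The 80-bit key length, the prime, and the agent numbering are assumptions of this example.

```python
"""k-of-n escrow of a unit key with Shamir secret sharing over GF(p).

Added example, not a scheme from the report: EES split each unit key into two
components (2 of 2).  Here any k of n escrow agents can reconstruct the key and
any k-1 of them learn nothing, which is the 'two of five' arrangement the
chapter discusses, with k and n as parameters.
"""
import secrets
from typing import List, Tuple

PRIME = (1 << 127) - 1   # Mersenne prime; keys up to 126 bits are field elements

Share = Tuple[int, int]  # (agent index x, polynomial value y)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, k: int, n: int) -> List[Share]:
    """Hide the key in the constant term of a random degree-(k-1) polynomial
    and hand agent i the point (i, f(i))."""
    secret = int.from_bytes(key, "big")
    if not (0 < k <= n < PRIME) or secret >= PRIME:
        raise ValueError("bad threshold parameters or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0.  With fewer than k shares this still
    returns a value, but one unrelated to the secret: that is the point."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Reconstruct and re-encode the key; a value that does not fit key_len
    bytes means the quorum was wrong or too small."""
    value = recover_secret(shares)
    if value >= 1 << (8 * key_len):
        raise ValueError("reconstructed value does not fit the key: wrong or too few shares")
    return value.to_bytes(key_len, "big")


def demo(k: int = 2, n: int = 5) -> dict:
    unit_key = secrets.token_bytes(10)          # 80-bit key, as in EES (constructed)
    shares = split_key(unit_key, k, n)
    agents = dict(shares)                       # agent index -> escrowed component

    # A court-authorized request served by the first k agents ...
    subset = [(x, agents[x]) for x in list(agents)[:k]]
    # ... and by the last k agents: any quorum of size k works.
    other = [(x, agents[x]) for x in list(agents)[-k:]]

    # Compromise of only k-1 agents: the interpolated value is not the key.
    few = subset[:k - 1]
    return {
        "first_k_recover": recover_key(subset, 10) == unit_key,
        "last_k_recover": recover_key(other, 10) == unit_key,
        "k_minus_1_recover": recover_secret(few) == int.from_bytes(unit_key, "big"),
    }


if __name__ == "__main__":
    print(demo(2, 5))
    print(demo(3, 5))
```

Any k-1 shares are consistent with every possible secret, since k points always determine a unique polynomial of degree k-1, so a coalition below the threshold gains no information; the trade-off the chapter raises remains, because the k agents who together hold the key are still the "big, fat target".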
From page 195...
... From a policy standpoint, it is necessary to have a contingency plan that would facilitate recovery from wholesale compromise. Box 5.6 describes law enforcement views on the responsibilities of escrow agents.
From page 196...
... KEAs should protect the confidentiality of the person or persons for whom a key escrow agent holds keys or components thereof, and protect the confidentiality of the identity of the agency requesting decrypt information or components thereof and all information concerning such agency's access to and use of encryption keys or components thereof. For law enforcement requests, KEA personnel knowledgeable of an interception or decryption should be of good character and should not have been convicted of crimes of moral turpitude or otherwise bearing on their trustworthiness.
From page 197...
... Reprinted from text available on-line at http://csrc.ncsl.nist.gov/keyescrow/criteria.txt.
5.9.3 Liabilities of Escrow Agents
In order to assure users that key information entrusted to escrow agents remains secure and authorized third parties that they will be able to obtain exceptional access to encrypted data when necessary, escrow agents and their employees must be held accountable for improper behavior and for the use of security procedures and practices that are appropriate to the task of protection.
From page 198...
... 10. Escrow agent entities shall maintain escrowed keys and/or key components for as long as such keys may be required to decrypt information relevant to a law enforcement investigation.
From page 199...
... If escrowed encryption is adopted widely in data communications, compromise of escrow agents holding keys relevant to network encryption may be catastrophic, and may become easier as the number of access points that can be penetrated becomes larger. Note that liability of escrow agents may be related to the voluntary use of escrow.
From page 200...
... The United States is obligated to pay successful claims by third parties in excess of the required protection, up to $1.5 billion, unless the loss is related to the licensee's willful misconduct. The law also requires licensees to enter into reciprocal waivers of claims with their contractors and customers, under which each party agrees to be responsible for losses it sustains.
From page 201...
... Another aspect of liability could arise if the escrow agents were also charged with the responsibilities of certificate authorities. Under some circumstances, it might be desirable for the functions of escrow agents and certificate authorities to be carried out by the same organization.
From page 202...
... 235.
2 Dorothy Denning, Cryptography and Data Security, Addison-Wesley, Reading, Mass., 1982, p.
From page 203...
... A second disadvantage of algorithm secrecy is the fact that if a cryptographic infrastructure is based on the assumption of secrecy, public discovery of those secrets can compromise the ends to be served by that infrastructure. For example, if a cryptographic infrastructure based on a secret algorithm were widely deployed, and if that algorithm contained a secret and unannounced "back door" that allowed those with knowledge of this back door easy access to encrypted data, that infrastructure would be highly vulnerable and could be rendered untrustworthy in short order by the public disclosure of the back door.
From page 204...
... Certain techniques can be used to increase the difficulty of ...
Footnote 48: As one example, the RC2 encryption algorithm, nominally a trade secret owned by RSA Data Security Inc.
From page 205...
... Footnote 50: Estimates of the cost to reverse-engineer the Clipper chip nondestructively cover a wide range, from "doable in university laboratories with bright graduate students and traditions of reverse engineering" (as estimated by a number of electrical engineers in academia with extensive experience in reverse engineering) to as much as $30 million to $50 million (as estimated in informal conversations between JASON members and DOD engineers)
From page 206...
... An information security manager with very high security needs must make trade-offs in assurance vs. cost.
From page 207...
... Thus, public trust in the technical desirability of the EES and Fortezza for exceptional access depends on a high degree of trust in the government, entirely apart from any fears about compromising escrow agents wherever they are situated. Of course, some of the same considerations go beyond the Skipjack algorithm and the Clipper/Capstone approach.
From page 208...
... For example, a security problem with the Netscape Navigator's key-generation facility could have been found had the implementation in which the key generator was embedded been available for public examination prior to its release, even though the encryption algorithm itself was properly implemented.
5.11 THE HARDWARE-SOFTWARE CHOICE IN PRODUCT IMPLEMENTATION
After the Clipper initiative was announced, and as the debate over escrowed encryption broadened to include the protection of data communications and stored data, the mass market software industry emphasized that a hardware solution to cryptographic security -- as exemplified by the Clipper chip -- would not be satisfactory. The industry argued with some force that only a software-based approach would encourage the widespread use of encryption envisioned for the world's electronic future, making several points:
• Customers have a strong preference for using integrated cryptographic products.
From page 209...
... In general, products with encryption capabilities today use software or hardware or both to help ensure security. The crux of the hardware ...
Footnote 56: One vendor is manufacturing a circuit board for encryption that fits into a 3.5" floppy disk drive. However, this device does not employ the Capstone/Fortezza approach.
From page 210...
... This particular problem is known as binding or, more explicitly, escrow binding; escrow binding is an essential element of any escrow scheme that is intended to provide exceptional access. Concern over how to solve the escrow binding problem was the primary motivation for the choice of a hardware approach to the Clipper initiative.
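The mechanism on pages 171 to 173 (LEAF carries the chip serial number and the session key wrapped under the unit key; two agents each hold one component of the unit key) and the escrow binding requirement discussed here (a receiver must refuse to decrypt traffic unless a valid LEAF accompanies it) can be seen together in one model. The following is an added example, not code from the report, the NSA or any EES product. Skipjack is not in the Python standard library, so an HMAC-SHA256 keystream stands in for it; the family key, unit identifier, message text and the two-byte check value over the session key are constructed for this example.

```python
"""Toy model of the Clipper/EES law enforcement access field (LEAF).

Added illustration, not code from the report, the NSA or any EES product.
Skipjack is not in the Python standard library, so a keystream made from
HMAC-SHA256 in counter mode stands in for it (an assumption of this example).
The field layout follows the published EES description: an 80-bit session key
wrapped under the 80-bit unit key, a 32-bit unit identifier and a 16-bit check
value, all encrypted under a family key shared by the chips; the unit key is
split into two components held by two escrow agents.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

KEY_BYTES = 10                      # 80-bit Skipjack keys
FAMILY_KEY = bytes(range(1, 11))    # constructed constant for this example


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with HMAC-SHA256(key, label || counter)."""
    ks = bytearray()
    ctr = 0
    while len(ks) < len(data):
        ks += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_unit_key(unit_key: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 split used by EES: one random component per agent; XOR recombines."""
    comp_a = os.urandom(len(unit_key))
    return comp_a, xor_bytes(unit_key, comp_a)


def check_value(session_key: bytes) -> bytes:
    """16-bit check value over the session key, keyed by the family key."""
    return hmac.new(FAMILY_KEY, session_key, hashlib.sha256).digest()[:2]


def build_leaf(unit_id: int, unit_key: bytes, session_key: bytes) -> bytes:
    """LEAF = E_family( unit_id || E_unit(session_key) || check_value )."""
    wrapped = stream_xor(unit_key, b"wrap", session_key)
    inner = unit_id.to_bytes(4, "big") + wrapped + check_value(session_key)
    return stream_xor(FAMILY_KEY, b"leaf", inner)


def receiver_accepts(leaf: bytes, session_key: bytes) -> bool:
    """Escrow binding check run by the receiving chip: it decrypts traffic only
    if the LEAF it receives carries a valid check value for the session key it
    already holds.  It cannot verify the wrapped key itself, since it does not
    hold the sender's unit key."""
    inner = stream_xor(FAMILY_KEY, b"leaf", leaf)
    return hmac.compare_digest(inner[-2:], check_value(session_key))


def law_enforcement_recover(leaf: bytes,
                            agent_a: Dict[int, bytes],
                            agent_b: Dict[int, bytes]) -> Tuple[int, bytes]:
    """Court-ordered path: read the unit ID from the LEAF (family key only),
    obtain both components for that ID from the agents, combine them, and
    unwrap the session key."""
    inner = stream_xor(FAMILY_KEY, b"leaf", leaf)
    unit_id = int.from_bytes(inner[:4], "big")
    wrapped = inner[4:4 + KEY_BYTES]
    unit_key = xor_bytes(agent_a[unit_id], agent_b[unit_id])
    return unit_id, stream_xor(unit_key, b"wrap", wrapped)


def demo(message: bytes = b"meet at noon") -> dict:
    # Manufacture: generate the unit key, split it, register with two agents.
    unit_id = 0x00C0FFEE                     # constructed serial number
    unit_key = os.urandom(KEY_BYTES)
    comp_a, comp_b = split_unit_key(unit_key)
    agent_a = {unit_id: comp_a}              # e.g. Treasury
    agent_b = {unit_id: comp_b}              # e.g. Commerce

    # Call setup: the chip emits a LEAF, then encrypts traffic under the session key.
    session_key = os.urandom(KEY_BYTES)
    leaf = build_leaf(unit_id, unit_key, session_key)
    ciphertext = stream_xor(session_key, b"traffic", message)

    # Wiretap with both components: session key and plaintext recovered.
    rec_id, rec_key = law_enforcement_recover(leaf, agent_a, agent_b)
    plaintext = stream_xor(rec_key, b"traffic", ciphertext)

    # One agent's component alone is a random string, not the unit key.
    wrapped = stream_xor(unit_key, b"wrap", session_key)
    one_component_key = stream_xor(comp_a, b"wrap", wrapped)

    # A LEAF whose check value has been altered fails the binding check.
    tampered = leaf[:-1] + bytes([leaf[-1] ^ 0x01])

    return {
        "recovered_unit_id": rec_id,
        "plaintext": plaintext,
        "one_component_recovers_key": one_component_key == session_key,
        "leaf_accepted": receiver_accepts(leaf, session_key),
        "tampered_leaf_accepted": receiver_accepts(tampered, session_key),
    }


if __name__ == "__main__":
    print(demo())
```

The check in receiver_accepts is all that binds the LEAF to the traffic: a receiver can verify only what it already knows (the session key), not the wrapped key or the unit identifier, which is why the chapter treats enforcement of this check as something that must live in tamper-resistant hardware rather than in software the user controls.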
From page 211...
... Unit keys are often used to protect session keys from casual observation in escrowed encryption products, but precisely how they are used depends on the specifics of a given product.
From page 212...
... and then registered prior to sale with escrow agents in accordance with established procedures. Such an approach has one major advantage from the standpoint of those who may require exceptional access in the future -- it guarantees registration of keys, because users need not take any action to ensure registration.
From page 213...
... Thus, valid unit keys would be held by escrow agents in two cases -- for products owned by users who did not change the unit key, and for products owned by users who chose to register their new keys with escrow agents. Who is responsible for the collection of unit keys?
From page 214...
... products with encryption capabilities when it is openly announced that the information security of those products could be compromised by or with the assistance of escrow agents certified by the U.S. government.
From page 215...
... Its support of escrowed encryption embodies the government's belief that the benefit to law enforcement and national security from exceptional access to encrypted information outweighs the damage owing to loss of confidentiality that might occur with the failure of procedures intended to prevent unauthorized access to the escrow mechanism. Escrowed encryption provides more confidentiality than leaving information unprotected (as most information is today)

