Crypto key management

A self-constituted group of cryptographers and computer scientists—Hal Abelson (MIT/Hewlett-Packard), Ross Anderson (Cambridge University), Steven M. Bellovin (AT&T Research), Josh Benaloh (Microsoft), Matt Blaze (AT&T Research), Whitfield Diffie (Sun Microsystems), John Gilmore (Electronic Frontier Foundation), Ronald L. Rivest (MIT), Jeffery I. Schiller (MIT), Bruce Schneier (Counterpane Systems), and I—issued a report “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption” May 27, 1997 (see http://www.crypto.com) covering the related technical implications, risks, and costs. Significant potential risks and costs should always be considered before deploying key-management schemes. As a coauthor and long-time riskologist, I believe the report deserves wider discussion. So, here are its executive summary and a brief discussion of its implications.

“A variety of ‘key recovery,’ ‘key escrow,’ and ‘trusted third-party’ encryption requirements have been suggested in recent years by government agencies seeking to conduct covert surveillance within the changing environments brought about by new technologies. This report examines the fundamental properties of these requirements and attempts to outline the technical risks, costs, and implications of widely deploying systems that provide government access to encryption keys.

“The deployment of key-recovery-based encryption infrastructures to meet law enforcement’s stated specifications will result in substantial sacrifices in security and greatly increased costs to the end user.

“Building the secure computer-communication infrastructures necessary to provide adequate technological underpinnings demanded by these requirements would be enormously complex and is far beyond the experience and current competency of the field. Even if such infrastructures could be built, the risks and costs of such an operating environment may ultimately prove unacceptable. In addition, these infrastructures would generally require extraordinary levels of human trustworthiness.

“These difficulties are a function of the basic government access requirements proposed for key-recovery encryption systems. They exist regardless of the design of the recovery systems—whether the systems use private-key cryptography or public-key cryptography; whether the databases are split with secret-sharing techniques or maintained in a single hardened secure facility; whether the recovery services provide private keys, session keys, or merely decrypt specific data as needed; and whether there is a single centralized infrastructure, many decentralized infrastructures, or a collection of different approaches.

“All key-recovery systems require the existence of a highly sensitive and highly available secret key or collection of keys that must be maintained in a secure manner over an extended time period. These systems must make decryption information quickly accessible to law-enforcement agencies without notice to the key owners. These basic requirements make the problem of general key recovery difficult and expensive—and potentially too unsecure and too costly for many applications and many users.

“Attempts to force the widespread adoption of key-recovery encryption through export controls, import or domestic use regulations, or international standards should be considered in light of these factors. The public must carefully consider the costs and benefits of embracing government-access key recovery before imposing the new security risks and spending the huge investment required (potentially many billions of dollars, in direct and indirect costs) to deploy a global key-recovery infrastructure.”

Cryptography is not a panacea for attaining security and privacy, just one technique among many. The cryptographic and system-security communities must work harder to overcome some of the deficiencies in the computer-communication infrastructure—hopefully with greater encouragement from the U.S. law-enforcement community (which currently focuses on prosecution, not prevention of computer misuse). But trapdoor access is not a panacea for law enforcement or fighting terrorism, providing at best peepholes into certain kinds of information. Such access would provide substantial administrative problems for law enforcement and everyone else.

The need to address security as a systemic problem is a familiar thread in this column. The risks lie not only in the cryptographic algorithms and key lengths but in how cryptography is encapsulated. We must face such issues with key escrow, key recovery, and the third parties themselves. Similar problems arise for those seeking to increase system and network security and for those believing the inherent risks are controllable. Because the infrastructure is weak, vulnerabilities are inevitable.