
Re: Gore's "new and improved" key escrow proposal



Eli writes:

> Tim May said:
> > Others here will have a clearer idea than I have, but I don't think a
> > "software standard" is what is now being planned. Software-only
> > solution cannot possibly have the security that's needed [...]
> 
> My reading of the BSA blurb was that software key escrow really is
> being planned: "software implementable [and] based on a non-classified
> encryption formula".  Yes, this sounds pretty silly.  I don't see how
> you could possibly prevent a rogue phone from interoperating with a
> fascistic one.  Guess I need to snarf the original document.

Whit Diffie gave a talk at a recent Bay Area Cypherpunks meeting
about the software-only master-key system that Dorothy Denning
and friends are working with.  He'd talked about it earlier,
and it was discussed at a workshop at Univ.Karlsruhe they went to.

Essentially, it's a fairly clean protocol for sending a session key and
a master key, encrypted with a keymaster's public key, in a way that the 
recipient of the message (who knows the separately-negotiated session key)
can duplicate the public-key-encrypted access-field chunk to verify it.
The wrinkle that was noticed at the workshop was that you can use 
anybody's ID in the ID field, so there's a need for your master-key
(which is already digitally signed by the keymasters)
to include some verification; I don't remember the details,
though it was fixable after some mild embarrassment for the statists.

As far as communications between rogue phones and conformist phones,
it's actually stronger than Clipper turned out to be - if the conformist
receiver *wants* to verify that the access-field is correct, it can,
so you have to generate it correctly, while you could generate a
fake Clipper checksum in ~2**16 tries and the receiver wouldn't know.
For end-to-end communications, that's ok; if you and your friend
are both non-conformists, you don't need to check access fields,
and you gain a small setup-time advantage by not checking.
But your cellular phone company will probably be Conformist,
as required by Digital Telephony Initiative #N, and your bank
may be as well (assuming the government continues to regulate banks.)

Unlike tamperproof secret-design hardware, an open wiretap protocol
can't force you to be conformist - but traditional government regulations
have worked to keep banks and phone companies conforming in the past.

Will they be able to get us to accept this abuse?  Maybe.
I hope Clipper put a bad enough taste in the public's mouth that
they won't get away with it, but a hardware chip is a lot more concrete
than "telecommunications software protocol standards" for many people.
Depends on whether the government looks like they're "compromising"
(which looks good and nice) or "continuing to push this trash
even after they've lost" (which looks obnoxious, but they seem to be
getting away with it quite well with National ID cards - they're on 
about their 5th attempt.)

				Bill
				
# Bill Stewart  AT&T Global Information Solutions, aka NCR Corp
# 6870 Koll Center Parkway, Pleasanton CA, 94566 Phone 1-510-484-6204 fax-6399
# email [email protected] [email protected]
# ViaCrypt PGP Key IDs 384/C2AFCD 1024/9D6465
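
An added sketch, not part of the original message and not the actual protocol discussed at the workshop: it models the receiver-side check described above, where a receiver who already holds the session key recomputes the public-key-encrypted access field and compares. The toy RSA key, the field layout (session key followed by a 4-byte ID), and all function names are assumptions made for illustration.

```python
# Constructed toy parameters: textbook RSA with no padding, so encryption is
# deterministic and anyone holding the plaintext can recompute the ciphertext.
# The modulus is far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1           # two Mersenne primes
N, E = P * Q, 65537                   # keymaster's public key (assumed)
D = pow(E, -1, (P - 1) * (Q - 1))     # keymaster's private exponent
KEY_LEN, ID_LEN = 6, 4                # assumed field sizes in bytes


def make_access_field(session_key, sender_id):
    """Sender: encrypt session key + ID under the keymaster's public key."""
    if len(session_key) != KEY_LEN or len(sender_id) != ID_LEN:
        raise ValueError("unexpected field length")
    return pow(int.from_bytes(session_key + sender_id, "big"), E, N)


def receiver_verify(field, session_key, claimed_id):
    """Conformist receiver: recompute the field from the separately
    negotiated session key and compare. No private key is needed."""
    return field == make_access_field(session_key, claimed_id)


def keymaster_open(field):
    """Keymaster: decrypt the field to recover (session key, ID)."""
    raw = pow(field, D, N).to_bytes(KEY_LEN + ID_LEN, "big")
    return raw[:KEY_LEN], raw[KEY_LEN:]


def demo():
    key = bytes.fromhex("a1b2c3d4e5f6")      # constructed session key
    own_id, other_id = b"AAAA", b"BBBB"      # constructed IDs
    honest = make_access_field(key, own_id)
    return {
        # A correctly built field passes the receiver's check.
        "honest_ok": receiver_verify(honest, key, own_id),
        # A field that does not encrypt the real session key fails it.
        "garbage_ok": receiver_verify((honest + 1) % N, key, own_id),
        # The check says nothing about whose ID is inside: a field built
        # around another ID still recomputes correctly. This is why the
        # ID has to be bound to the sender by something signed.
        "other_id_ok": receiver_verify(
            make_access_field(key, other_id), key, other_id),
        "escrow_view": keymaster_open(honest),
    }


if __name__ == "__main__":
    print(demo())
```
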