[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Binding cryptography - a fraud-detectible alternative to key-esc
In this message, we introduce binding cryptography, a new proposal for
establishing an information security infrastructure that does not
hamper law enforcement. We present an alternative that can give
law-enforcement agencies access to session keys, without users having
to deposit private keys. Unilateral fraud in this scheme is easily
detectible. We outline the proposal below, and announce two articles
which will describe the proposal in more detail and which will provide
the legal and the technical context.
The text is also available at
http://cwis.kub.nl/~frw/people/koops/binding.htm.
9 October 1996
Eric Verheul, [email protected]
Bert-Jaap Koops, [email protected]
Henk van Tilborg, [email protected]
-------------------------------------------
(c) 1996 Eric Verheul, Bert-Jaap Koops, Henk van Tilborg
This message may only be redistributed in its entirety and with
inclusion of the copyright notice. Credit if quoting.
_Binding Cryptography, a fraud-detectible alternative to key-escrow
proposals_
_1. Introduction_
Information security, and so cryptography, is essential in today's
information society. A robust (information) security infrastructure
must be set up, including a Key Management Infrastructure. However,
the unconditional use of encryption by criminals poses a threat to law
enforcement, a problem that is hard to solve. Consequently,
governments have two tasks. The first is stimulating the establishment
of a security structure that protects their citizens, but which does
not aid criminals. The second task is coping with the use of
encryption by criminals outside of this framework. We think that
encryption outside of the framework (e.g., PGP) should not be outlawed
- but it need not be mainstream either. It is crucial that any such
established security structure is widely accepted and trusted, as this
will lower the demand for encryption outside of this framework, and so
will make the second goal easier to achieve (or, at least, not more
difficult). The establishment of such a widely accepted and trusted
security structure is now the challenge that (US) IT businesses face
if they want to participate in the recent CLIPPER IV initiative.
_2. Binding cryptography_
In a series of two articles, we address the establishment of an
information security infrastructure. Several proposals have been made
by governments and others to establish such an infrastructure, but a
satisfactory overall solution remains yet to be found. In the
non-technical article [VKT], we review several technical proposals and
a few government initiatives, focusing on key-escrow proposals. We
present a series of criteria that acceptable solutions should meet,
and note that all proposals so far fail to meet many of these
criteria. We argued that the establishment of a worldwide security
infrastructure can not be achieved without strong cooperation of
governments. In fact, governments themselves should take up the
challenge of establishing a security infrastructure, based on
public-key encryption, which does not hamper law enforcement. We offer
a new solution to achieve this: "binding data", which also improves
upon current proposals. It has the advantage that it helps the
establishment of a strong security infrastructure which discourages
abuse for criminal or subversive purposes by making unilateral abuse
easily detectible. It allows a straightforward monitoring of
compliance with law-enforcement regulations, without users having to
deposit ("escrow") keys beforehand. Thus, an information security
infrastructure can be established, which does not worsen the crypto
problem for law enforcement.
Metaphorically speaking, our solution consists of equipping public-key
encryption systems used for confidentiality with a (car) governor (a
speed-limiting device). The specifications of this governor are rather
general, and so many systems can probably be equipped with them. It is
inspired by the proposal of Bellare and Rivest [BR], in which users'
encrypted messages consist of three components:
1. the (actual) message encrypted with any symmetric system, using a random session
key;
2. the session key encrypted with the public key(s) of the addressee(s);
3. the session key encrypted with the public key of a Trusted Retrieval Party (TRP).
In effect, the TRP is treated as a virtual addressee, although the
message is not sent to it. When a law-enforcement agency is conducting
a lawful intercept and strikes upon an enciphered message, they take
the third information component to the TRP. If shown an appropriate
warrant, the TRP decrypts the information component and hands over the
session key, so that the law-enforcement agency has access to the
message. Observe that users are not obliged to escrow their (master)
keys, they only give access to the (temporary) session keys used in
the communication. The concept of "virtual escrow" has been the base
of several escrow products (AT&T Crypto, RSA Secure, TIS Commercial
Key Escrow).
The main drawback of this concept is that it offers no possibility, at
least for others than the TRP, to check whether the third component
actually contains the (right) session key; moreover, the TRP will only
discover fraud after a lawful wiretap. This renders the solution
almost entirely unenforceable.
Therefore, we propose a binding alternative, which adds a fourth
component to the encrypted message:
4. binding data.
The idea is that any third party, e.g., a network or service provider,
who has access to components 2, 3 and 4 (but not to any additional
secret information) can:
a. check whether the session keys in components 2 and 3 coincide;
b. not determine any information on the actual session key.
In this way, fraud is easily detectible: a sender that attempts to
virtually address a session key to the TRP (component 3) that is
different from the real one he uses on the message (or just nonsense)
will be discovered by anyone checking the binding data. If such
checking happens regularly, fraud can be properly discouraged and
punished. The binding concept supports the virtual addressing of
session keys to several TRPs (or none for that matter), for instance,
one to a TRP in the country of the sender and one in the country of
the addressee. The solution therefore offers the same advantage for
worldwide usability as the Royal Holloway [Holl] concept. We also
remark that the concept supports the use of controllable key splitting
in the sense of Micali [Mica] as well: a sender can split the session
key and virtually address all the shares separately to the addressee
and various TRPs using the binding concept. Moreover, the number of
shares and the TRPs can - in principle - be chosen freely by each
user. Finally we remark that the time-boundedness conditon (the
enforceability of the timelimits of a warrant) can be fulfilled by
additionally demanding that encrypted information (or all components)
be timestamped and signed by the sender; a condition that can be
publicly verified by any third party (e.g., monitor) as well.
A PKI that incorporates binding data hence has the following four
players:
- Users, i.e., governments, businesses, and citizens,
- TTPs offering trusted services (e.g., time-stamping and certification of
public keys),
- TRPs aiding law-enforcement agencies with decrypting legally intercepted messages,
- Monitors, monitoring communications encrypted via the PKI on compliance with
binding regulations. For instance, these could be network operators or (Internet) service
providers.
In [VKT], we explain how we envision the framework in which the
binding concept could present a security tool in the information
society. We think the concept is flexible enough (e.g., in the choice
of TRPs) to be incorporated into almost any national crypto policy, on
both the domestic and foreign use of cryptography.
In a mathematical paper [VT], Verheul and Van Tilborg propose a
technical construction for binding data for an important public-key
encryption system: ElGamal. This construction is compatible with
Desmedt's [DESM] traceable variant of ElGamal. The construction is
based on the techniques used in zero knowledge proofs. We expect that
these constructions can be improved and that various other public-key
encryption systems can be equipped with binding data. We present this
as a challenge to the cryptographic research community.
An outline of the mathematical construction of binding ElGamal can be
found at http://cwis.kub.nl/~frw/people/koops/bindtech.htm.
_3. References_
[BR]
M. Bellare, R.L. Rivest, "Translucent Cryptography. An Alternative to
Key Escrow, and its Implementation via Fractional Oblivious Transfer",
see http://theory.lcs.mit.edu/~rivest
[Desm]
Y. Desmedt, "Securing Traceability of Ciphertexts - Towards a Secure
Key Escrow System", Advances in Cryptology - EUROCRYPT'95 Proceedings,
Springer-Verlag, 1995, pp.147-157.
[Holl]
N. Jefferies, C. Mitchell, M. Walker, "A Proposed Architecture for
Trusted Third Party Services", Royal Holloway, University of London,
see http://platon.cs.rhbnc.ac.uk
[Mica]
S. Micali, "Fair Public-key Cryptosystems'", Advances in Cryptology -
CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 113-138.
[VKT]
E. Verheul, B.J. Koops, H.C.A. van Tilborg, "Binding Cryptography. A
fraud-detectible alternative to key-escrow solutions", Computer Law
and Security Report, January-February 1997, to appear. [*]
[VT]
E. Verheul, H.C.A. van Tilborg, "Binding ElGamal. A fraud-detectible
alternative to key-escrow solutions", will be submitted to
Eurocrypt97.
[*] For the Computer Law and Security Report, send subscription
enquiries, orders and payments to:
Pam Purvey
The Oxford Fulfilment Centre
PO Box 800, Kidlington
Oxford 0X5 1DX UK
Tel: +44 1865 843373
Fax: +44 1865 843940
For the United States:
Elsevier Advanced Technology
Fulfilment (enquiries)
660 White Plains Road, Tarrytown
New York, NY 10591-5153
USA
Tel: 914 333 2458
---------------------------------------------------------------------
Bert-Jaap Koops tel +31 13 466 8101
Center for Law, Administration and facs +31 13 466 8149
Informatization, Tilburg University e-mail [email protected]
--------------------------------------------------
Postbus 90153 | This world's just mad enough to have been made |
5000 LE Tilburg | by the Being his beings into being prayed. |
The Netherlands | (Howard Nemerov) |
---------------------------------------------------------------------
http://cwis.kub.nl/~frw/people/koops/bertjaap.htm
---------------------------------------------------------------------