[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: Binding cryptography - a fraud-detectible alternative to key-esc



>Bert-Jaap Koops <[email protected]> writes on cpunks:
>> We present an alternative that can give law-enforcement agencies
>> access to session keys, without users having to deposit private
>> keys.  Unilateral fraud in this scheme is easily detectible.
>
>OK, so I can see how the `binding data' technique acheives a more
>robust form of keys escrow of session keys, without handing over
>private keys.  (Your wording also implied to me that the problem would
>not exist if private keys were handed over, but I think this is not
>the case, if a warrant is required to get the private keys, the stated
>presumtion is that no speculative decryptions will be tried).  Also
>the proposal (and other proposals which escrow session keys) doesn't
>really provide any guarantees of protection from LE abuse, as such,
>because they can decrypt all of the escrowed session keys with their
>own private key
No. In the scheme Law Enforcement (that is your LE, right?) agencies are never
handed over the private keys of Trusted Retrieval Parties (TRPs), only the session
keys. So for each sessionkey LEs will have to go to a TRP. Moreover, the choice
of TRPs should be large, so the idea is that you can always pick one you trust. Or
set up your own, for that matter... 
>
[stuff deleted]
>However, simpler approaches I think fulfill the requirements given the
>(stated) voluntary nature of GAK.
>
>For instance, if you are using a hybrid RSA/symmetric key system with
>the session key encrypted with RSA, you can encrypt the session key to
>a second recipient also (PGP allows this much, Carl Ellison suggested
>this for PGP, Bill Stewart recently also suggested the same).  If the
>recipient wishes to check that the sender is really escrowing the same
>session key, this can be acheived by revealing to the primary
>recipient the random padding of the second recipient's RSA encrypted
>copy of the session key.  The primary recipient can then repeat the
>encryption, and check.  (I proposed this on sci.crypt last year some
>time, with an anti-GAK caveat :-).

In our scheme any third party, which is probably never a TRP, can check
equality of the sessionkeys send to the primary recipient (the TRP) and
the second recipient (the real adressee), i.e. *without* needing secret
information! In your suggestion checking can only be done with secret
information (you need the secret key of the primary recipient). Also,
"random padding" information of the second recipient is very secret as well, just 
compare the results Don Coppersmith presented on Eurocrypt97: if you
know the enough padding you know it all. So for instance sending
along the padding info along will make any key-escrow superflous (-;
   

>As GAK is (stated to be) voluntary, surely the only person who has any
>business knowing whether the message is honestly GAKked is the
>recipient.  After all you can double encrypt or not use GAK at your
>option, so this seems to lose nothing for the GAKkers.
>
>The description of the paper also says nothing about trust worthiness
>of the TTPs, from the public's perspective.
As far as we are concerned, anybody - willing to follow regulating - can set
up his own TRP.



      > (Not that I,
>or anyone else would want to use GAK still, but it would be a gesture
>of good will on the part of the GAKkers, and would show intentions not
>to misuse the system.  I suggest that they would never agree to such a
>system because their stated aims are untrue: they *do* want to outlaw
>non-escrowed encryption for domestic US traffic, and they *do* want to
>decrypt without warrants, and without public audit.  Export control
>and temporarily `voluntary' GAK is a means, not an end.)
Who is they, governments as a whole? If you simplify discussions in this
way, I might as well say: "you guys only want to help criminals". I understand
your fears, but don't exaggerate.

Eric Verheul