Showing papers on "Key escrow published in 1996"


Book ChapterDOI
18 Aug 1996
TL;DR: This paper presents the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, which can be embedded in a cryptographic black-box device, and implemented an RSA key-generation based SETUP that performs favorably when compared to PGP, a readily available RSA implementation.
Abstract: The use of cryptographic devices as "black boxes", namely trusting their internal designs, has been suggested and in fact Capstone technology is offered as a next generation hardware-protected escrow encryption technology. Software cryptographic servers and programs are being offered as well, for use as library functions, as cryptography gets more and more prevalent in computing environments. The question we address in this paper is how the usage of cryptography as a black box exposes users to various threats and attacks that are undetectable in a black-box environment. We present the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, which can be embedded in a cryptographic black-box device. It enables an attacker (the manufacturer) to get the user's secret (from some stage of the output process of the device) in an unnoticeable fashion, yet protects against attacks by others and against reverse engineering (thus, maintaining the relative advantage of the actual attacker). We also show how the SETUP can, in fact, be employed for the design of "auto-escrowing key" systems. We present embeddings of SETUPs in RSA, El-Gamal, DSA, and private key systems (Kerberos). We implemented an RSA key-generation based SETUP that performs favorably when compared to PGP, a readily available RSA implementation. We also relate message-based SETUPs and subliminal channel attacks. Finally, we reflect on the potential implications of "trust management" in the context of the design and production of cryptosystems.

227 citations


Journal ArticleDOI
TL;DR: A taxonomy for key escrow encryption systems is presented, providing a structure for describing and categorizing the escrow mechanisms of complete systems as well as various design options.
Abstract: decrypt ciphertext with the help of information supplied by one or more trusted parties holding special data recovery keys. The data recovery keys are not normally the same as those used to encrypt and decrypt the data, but rather provide a means of determining the data encryption/decryption keys. The term key escrow is used to refer to the safeguarding of these data recovery keys. Other terms used include key archive, key backup, and data recovery system. This article presents a taxonomy for key escrow encryption systems, providing a structure for describing and categorizing the escrow mechanisms of complete systems as well as various design options. Table 1 applies the taxonomy to several key escrow products or proposals. The sidebar, “Glossary and Sources,” identifies key terms, commercial products, and proposed systems.

217 citations


Patent
21 Mar 1996
TL;DR: In this paper, a decryption key is decomposed into at least two parts, for example, a first subkey and a second subkey, which are then used to decrypt ciphertexts.
Abstract: A given decryption key is decomposed into at least two parts, for example, a first subkey and a second subkey. The first subkey may be verifiably secret-shared among a set of one or more trustees, whereas the trustees preferably receive no information at all about the second subkey. Reconstruction of the first subkey by the trustees does not yield a decryption key useful by itself in decrypting ciphertexts. The trustees, however, also receive a guarantee that once they reveal their shares to a given entity, the entity has the capability of determining the second subkey. Generally, the generation of the second subkey will be carried out by the entity using a brute force technique, although the calculation may be performed by still another party (or even the trustees themselves in cooperation with the entity). Once the second subkey is determined, the guarantee ensures that combination of the first and second subkeys yields a given decryption key that may then be used to decrypt ciphertexts.

87 citations


01 Apr 1996
TL;DR: A new approach to key escrow is introduced, applicable to any encryption algorithm, which makes it verifiably computationally possible for an authority to only selectively wiretap a small number of individual users, and computationally prohibitive to launch large scale wiretapping.
Abstract: The widespread need for encryption for private communication and stored information poses a problem when there exists an authority, such as the government or business employer, who under some predetermined set of circumstances, needs to be able to obtain access to information and communication of selected users. Key-escrow is the main solution considered to ensure the ability of an authority to wiretap communication. The main objection to all current Key-escrow proposals is that they assume complete faith in the authority and its trustees. If the authorities do not follow the rules, or are replaced by an un-trustworthy authority tomorrow, they can immediately recover the secret keys of all users, and embark on massive wiretapping automatically scanning everyone's e-mail and computer files. We introduce a new approach to key escrow called verifiable encapsulated key escrow (VEKE), applicable to any encryption algorithm, which makes it verifiably computationally possible for an authority to only selectively wiretap a small number of individual users, and computationally prohibitive to launch large scale wiretapping. This is achieved by imposing a time delay between the obtaining the escrowed information of a user and obtaining the user secret key. We achieve VEKE by a new cryptographic tool called verifiable cryptographic time capsules (VCTC). The capsules are ways of strongly encoding information, which allow an authority to verify that it can obtain the contents of the capsule after (and only after) a specified amount of time delay. When applied to key-escrow, the content of the capsules are secret-keys of users, and the amount of time it takes to open these capsules is a parameter which is set such that it is computationally possible to open a few of them, but computationally hard to open large numbers of them. When several trustees are available, the time capsule is split amongst them via a secret sharing scheme.
When trustees pull their pieces together, they can recover the capsule and start computing toward opening it. VCTC's can be constructed under the general assumption that claw-free trapdoor functions exist. For the purpose of key-escrow for the RSA cryptosystem (and the Diffie and Hellman cryptosystem), we give very efficient implementations of VCTC based on the particular assumption that factoring integers is hard (respectively, the assumption that the discrete logarithm is hard to compute). Although conceived for the purpose of wiretapping and in the context of key-escrow, VCTC can be used for "sending information into the …

66 citations


Patent
Radia Perlman
20 Jun 1996
TL;DR: A key escrow technique stores escrow instructions pertaining to the authorities' keys in a designated location accessible by the encrypting principal, such as a licensing string of a hardware or software add-on module needed to activate a cryptographic system of a data processing system.
Abstract: A key escrow technique reliably notifies an encrypting principal about escrow authorities requiring access to a secret key used to encrypt information and, further, about how much of that key is required by the authorities. The technique comprises a mechanism for storing escrow instructions pertaining to the authorities' keys in a designated location accessible by the encrypting principal. For example, the designated location may comprise a licensing string of a hardware or software add-on module needed to activate a cryptographic system of a data processing system. The escrow instructions may be further stored in an escrow formation field of a certificate. Here, the certificate may be the encrypting principal's certificate, a recipient principal's certificate and/or any certificate authority's certificate needed for the encrypting principal to verify the recipient principal's certificate.

57 citations


Journal ArticleDOI
David Paul Maher
TL;DR: The recommended system has a threshold property designed so a user can choose among backup keys, each shared among several agents; in this system, a shared backup key need never be completely assembled, even when used.
Abstract: cryptographic keys. Using these mechanisms provides several benefits, including protection of corporate assets. The techniques are also applicable beyond the corporate equity problem to the problem of key escrow in which backup keys can serve the purposes of law enforcement. The recommended system has a threshold property designed so a user can choose among backup keys, each shared among several agents. In this system, a shared backup key need never be completely assembled, even when used. When encrypting a file, I often have several worries: • Will I be able to decrypt the file in the future? • Will the key I need to decrypt the file be available to me when I need it? • Will my colleagues who need to use the file have access to it when I am not available—while access to others is denied?

46 citations


Patent
21 Mar 1996
TL;DR: In this paper, the authors proposed a key escrow scheme in which the government gets some information related to the secret keys of individuals but not the secret keys themselves, and the information given to the government enables it to decrypt with a predetermined level of computational difficulty less than that for adversaries at large.
Abstract: Methods for designing encryption algorithms with different levels of security for different parties: "easier" (but requiring some work nonetheless) to break for some parties (e.g., the government) than for other parties (the adversaries at large). This is achieved by a new form of key escrow in which the government gets some information related to the secret keys of individuals but not the secret keys themselves. The information given to the government enables it to decrypt with a predetermined level of computational difficulty less than that for adversaries at large. The new key escrow methods are verifiable. Verification information can be provided to the government so that it can verify that the information escrowed is sufficient to enable it to decrypt with the predetermined level of computational difficulty. The fact that the government must perform some computation to break the encryption schemes of individual users provides a serious deterrent against massive wiretapping.

42 citations


Book ChapterDOI
10 Apr 1996
TL;DR: A key escrow system which meets possible requirements for international key escrow, where different domains may not trust each other, and two escrowed key agreement mechanisms, both designed for the case where the pair of communicating users are in different domains.
Abstract: In this paper we present a key escrow system which meets possible requirements for international key escrow, where different domains may not trust each other. In this system multiple third parties, who are trusted collectively but not individually, perform the dual role of providing users with key management services and providing authorised agencies in the relevant domains with warranted access to the users' communications. We propose two escrowed key agreement mechanisms, both designed for the case where the pair of communicating users are in different domains, in which the pair of users and all the third parties jointly generate a cryptographic key for end-to-end encryption. The fact that all entities are involved in the key generation process helps make it more difficult for deviant users to subvert the escrowed key by using a hidden ‘shadow-key’. The first mechanism makes use of a single set of key escrow agencies moderately trusted by mutually mistrusting domains. The second mechanism uses a transferable and verifiable secret sharing scheme to transfer key shares between two groups of key escrow agencies, where one group is in each domain.

33 citations


Proceedings ArticleDOI
01 Jan 1996
TL;DR: The design of R, the protocols underlying its operation, performance in the present implementation, and an experimental application of the service are described.
Abstract: In this paper we introduce R, a distributed public key management service for open networks. R offers interfaces by which clients can register, retrieve, and revoke public keys, and escrow, use (to decrypt messages), and recover private keys, all of which can be subjected to access control policy. R is built using multiple servers in a way that ensures its correct operation despite the malicious corruption of fewer than one-third of its component servers. We describe the design of R, the protocols underlying its operation, performance in our present implementation, and an experimental application of the service.

30 citations


Book ChapterDOI
12 May 1996
TL;DR: It is argued that software key escrow will be very hard to implement as it requires that the distributed public key can only be used in few, well-defined systems, and even if this is achieved, most applications to key distribution can be broken.
Abstract: At Eurocrypt'95, Desmedt suggested a scheme which allows individuals to encrypt in such a way that the receiver can be traced by an authority having additional information. This paper shows that the proposed scheme does not have the required properties, by devising three non-specified protocols misleading the authority. We also discuss how to repair Desmedt's scheme, such that our attacks are no longer possible. However, by allowing slightly more general, but absolutely realistic attacks also this improved system can be broken. In fact, we argue that software key escrow as proposed by Desmedt will be very hard to implement as it requires that the distributed public key can only be used in few, well-defined systems. Furthermore, even if this is achieved, most applications to key distribution can be broken.

23 citations


Patent
23 Feb 1996
TL;DR: In this article, a key escrow technique is disclosed which permits cryptographic limits on wiretapping warrants: time limits on wiretaps may be enforced, and the wiretapper is targeted to a specific party or specific pairs of parties communicating in a network.
Abstract: A key escrow technique is disclosed which permits cryptographic limits on wiretapping warrants. Specifically, time limits on wiretaps may be enforced. In addition, the wiretapper is targeted to a specific party or specific pairs of parties communicating in a network.


Book ChapterDOI
Matt Blaze
30 May 1996
TL;DR: In this article, secret sharing over large-scale networks is proposed for assuring recoverability of sensitive archived data (e.g., cryptographic keys) in a distributed key escrow system.
Abstract: We propose a simple scheme, based on secret-sharing over large-scale networks, for assuring recoverability of sensitive archived data (e.g., cryptographic keys). In our model anyone can request a copy of the archived data but it is very difficult to keep the existence of a request secret or to subvert the access policy of the data “owner.” We sketch an architecture for a distributed key escrow system that might be suitable for deployment over very large-scale networks such as the Internet. We also introduce a new cryptographic primitive, oblivious multicast, that can serve as the basis for such a system.

Journal ArticleDOI
TL;DR: This work describes an alternative escrow system that uses public-key cryptography and nonclassified algorithms, implementable in hardware or software, and should give users (and perhaps governments) more confidence, be more exportable, and permit a fully automated escrow/retrieval system.

Proceedings Article
30 May 1996
TL;DR: An architecture for a distributed key escrow system that might be suitable for deployment over very large-scale networks such as the Internet is sketched and a new cryptographic primitive, oblivious multicast, is introduced that can serve as the basis for such a system.



04 Feb 1996
TL;DR: It is demonstrated that designing a master-key cryptosystem with acceptable performance is roughly equivalent to designing a public-key cryptosystem in which encryption is much faster than is possible with current public-key techniques.
Abstract: We initiate the study of a new class of secret-key cryptosystems, called "master-key cryptosystems," in which an authorized third party possesses a "master key" that allows efficient recovery of the cleartext without knowledge of the session key. One motivation for this study is that master-key cryptosystems could provide a less cumbersome alternative to "key escrow" in situations in which third-party access is required. We demonstrate that designing a master-key cryptosystem with acceptable performance is roughly equivalent to designing a public-key cryptosystem in which encryption is much faster than is possible with current public-key techniques.


Book
01 Jan 1996
TL;DR: An open forum on privacy and security policy choices in an NII environment and how to fairly reconstruct a shared secret are discussed.
Abstract: Open forum - Cryptography: Personal freedom and law enforcement is it possible to get agreement?.- Privacy and security policy choices in an NII environment.- Commercial Key Escrow: An Australian perspective.- Encryption and the Global Information Infrastructure: An Australian perspective.- Crypto in Europe - markets, law and policy.- Saving dollars makes sense of crypto export controls.- A proposed architecture for trusted third party services.- A new key escrow cryptosystem.- How to fairly reconstruct a shared secret.- A note on nonuniform decimation of periodic sequences.- Randomness measures related to subset occurrence.- Low order approximation of cipher functions.- Multiple encryption with minimum key.- A one-key cryptosystem based on a finite nonlinear automaton.- A cryptanalysis of clock-controlled shift registers with multiple steps.- Discrete optimisation and fast correlation attacks.- Keyed hash functions.- Some active attacks on fast server-aided secret computation protocols for modular exponentiation.- Cryptanalysis of the enhanced ElGamal's signature scheme.- Access with pseudonyms.- A new identification algorithm.- Public-key cryptography on smart cards.- Integrating smart cards into authentication systems.- Smart-card with interferometric quantum cryptography device.- Cryptographic APIs.- Foiling active network impersonation attacks made in collusion with an insider.- The CASS shell.


Proceedings ArticleDOI
TL;DR: A split key method has been developed that could satisfy many of the issues and can be applied to solve the private key escrow question, and the government has set the stage to extend cryptography into the broader international field of electronic commerce.
Abstract: During the past few years a debate has been raging around the conflict between the rights of an individual to privacy in information to foster its competitiveness and the Government's need to access information for national security and law enforcement purposes. At the heart of the debate is the difficulty in arriving at a position whereby a robust implementation of an encryption process can be accomplished that protects sensitive private or industrial data yet insures that the government can have access to information if that information is part of a criminal conspiracy or enterprise, or other action hostile to the United States. The U.S. Government initially tendered a cryptographic scheme known as the Clipper Escrow Key management plan. Using communication encryption technology, the government wanted to mandate an encryption process for which it maintained the key used for the decrypting of information transiting any communications path. This key would be split and distributed to escrow agents. The split key would have to be combined if the government were to use the key to decrypt and monitor criminal or other such activities. That methodology met with howls of protest from much of U.S. society (industry and private) due to a certain mistrust of the government and its handling of private information (for example, various IRS scandals). The debate has shifted from the technical solution provided by the Clipper initiative to alternate methods that define key escrow in terms of a commercial or private entity. A NIST-sponsored key escrow meeting was held on August 17, 1995 to listen to the government's proposal to work towards a solution which industry and the international community would accept and which would provide needed security to private information. The meeting was a positive step towards resolving the conflicting issues surrounding cryptography.
The government's proposal to extend the key length of any cryptographic algorithm used to 64 bits to enable export of cryptographic products more readily is a small step towards industry's desire for "good" cryptography. As a result, the government has set the stage to extend cryptography into the broader international field of electronic commerce. Privacy is still an issue and must be included in the resultant key escrow solution. Since the very onset of the debate TECSEC has espoused private key escrow as the only method that individuals, industry and the international community would accept for cryptography. A split key method has been developed that could satisfy many of the issues. The technology is called Constructive Key Management ("CKM"); the resultant product using CKM is called VEIL. VEIL is a software key management design that utilizes multiple key splits with labels as cryptographic triggers. It offers complete administrative control of the key, and it includes an inherent method to construct the key used for encrypting a file or database that results in a fixed header and audit information. By defining the roles of the escrow agent as a mix between government and private as necessary, VEIL can be applied to solve the private key escrow question.

Journal ArticleDOI
TL;DR: This paper recaps an Object-Oriented Cryptographic Support Facility and extends the design to address export control concerns and pays particular attention to the dynamic replacement of algorithms and the accommodation of key escrow mechanisms.

Book ChapterDOI
24 Jun 1996
TL;DR: This document explains how a key escrow system can provide cryptographic protection to unclassified, sensitive data, while at the same time, allows for the decryption of encrypted messages when lawfully authorized.
Abstract: Key escrow cryptography has gained much attention in the last two years. A key escrow system can provide cryptographic protection to unclassified, sensitive data, while at the same time, allows for the decryption of encrypted messages when lawfully authorized.


Journal ArticleDOI
TL;DR: The Royal Holloway key escrow scheme can provide a solution to the problem of managing cryptographic keys for end-to-end encryption in a way that meets legal requirements for warranted interception.