mailing list archives
Commercial Key Escrow: part 2 of 2
From: David Farber <farber () central cis upenn edu>
Date: Wed, 4 Jan 1995 11:00:57 -0500
again be able to access this information in a procedure
similar to a normal search warrant process.
International law enforcement escrow key recovery also reduces to
already well established procedures. If U.S. law enforcement
authorities wish to recover encrypted files or messages from an
American in the United Kingdom, they need only ask UK authorities
for assistance in obtaining the session keys from the UK
corporate or public DRC. The international nightmare of
unilateral agreements to allow governments to share government
escrowed keys is thus reduced to already-in-place international
What Are The Alternatives?
To best understand why commercial key escrow may provide the best
answer to the national and international tension between
governments and their citizens, we must first understand who the
players are in any such system and the consequences of choosing
one approach over another.
Who Are The Players and What Do They Want?
First, the interests of the user, individual, and corporation,
must be satisfied, for unless they are, no system will be of any
The individual user wishes to protect his or her sensitive
information using the best products and the best
cryptography available while retaining the ability to
recover encrypted information whenever an encryption key is
The corporation (or other organization) wishes to protect
its sensitive information while retaining the ability to
recover encrypted information whenever an individual user is
unavailable for whatever reason.
Second, we must satisfy the interests of the software publishers,
for without software the user will not have the products with
which to achieve his or her goals.
The software publisher wishes to provide the user, whether
an individual or corporation, with the best possible product
using the best possible encryption techniques available on a
It is important to note that in general, neither the individual,
the corporate user, nor the software publisher is in any way
interested in doing any harm to the government's interests,
either law enforcement or national security.
Third, the interests of the government, both for law enforcement
and national security, must be met in any workable solution.
Law enforcement must have the ability to decrypt
communications of suspected illegal activities within its
jurisdiction, when authorized.
National security interests, including, when possible, the
ability to decrypt the communications of terrorists and
other adversaries, must be accommodated.
This set of what appear to be mutually conflicting requirements
must all be balanced if we are to find the tension relaxer that
we are seeking.
In the following section, we will examine a number of cases that
represent the spectrum of key escrow alternatives. This analysis
will be done in light of the particular interests of each of the
players listed above.
How Many Ways Can We Escrow Keys?
Alternative 1: Do It Yourself
The first alternative is the simplest and most obvious one
whereby each individual is responsible for safeguarding the
encryption key of each message or file that the user encrypts.
He or she does this by making an extra copy of the key and
storing it on a floppy disk or other token that is stored in a
safe place, like a safe deposit box, or with a trusted neighbor.
This simplest form of key escrow is one that everyone should be
using, in the absence of a better alternative, and some people no
doubt are, at least for especially sensitive encrypted files.
This approach is GOOD for the Individual, when it is
BAD for the Corporation,
BAD for the Software Publisher,
BAD for Law Enforcement,
BAD for National Security.
Since no one other than the individual knows how to recover the
escrowed key, no one else can benefit from this alternative.
Fortunately, this approach will never be used on a widespread
basis and therefore represents one extreme in the overall key
Alternative 2: Product-by-Product Ad Hoc Solutions
The solution much more likely to become widely available is the
one in which each vendor who produces a product that uses
encryption creates a "backdoor" system administration function
that can be used to recover encrypted data if the key is lost.
This is the nightmare situation for vendors. They do not want to
advertise this capability since it represents a significant
vulnerability for their product. But they cannot do without such
a feature since their customer base will be very unhappy if they
invest heavily in encrypting all their sensitive information only
to find that it is all lost when they cannot remember the
This approach serves an essential recovery function for the
software publisher. It also is useful for the individual except
that if each product he or she uses has its own "backdoor," the
user will most likely be confused by the variety of ways to
recover from lost keys. For the corporation, this is a very poor
option since the confusion the individual encounters with
multiple products is multiplied by the number of employees.
This alternative presents a disaster scenario for law enforcement
and national security. If there is widespread proliferation of
ad hoc product-by-product solutions, the interests of all
governments in recovering encrypted information will be severely
harmed now and for all the future.
This approach is OK for the Individual, but confusing,
POOR for the Corporation; too many
OK for the Software Publisher,
POOR for Law Enforcement,
BAD for National Security.
Alternative 3: Licensed Data Recovery Centers
This option is the principal topic of this paper. Companies and
private organizations operate Data Recover Centers serving their
own interests. This approach assumes that the DRCs are
registered (or licensed) in the countries in which they operate
so that law enforcement authorities can obtain access to them to
recover file encryption keys when appropriately authorized.
This alternative is attractive to the individual and corporation
because it provides a useful service, the recovery of encrypted
data when the original encrypting key is not available, in a
centralized and easily accessible manner. This approach is also
attractive to the software publishers because it relieves them of
the obligation to provide a system administrative function to
recover keys when lost by the user.
Law enforcement will find this approach attractive since it
provides a clear and convenient path to recovery of encrypted
files. The identity of the DRC is contained within the file, and
the file encryption key is readily obtained using normal search
warrant or equivalent procedures. National security interests
are better served by this approach than by the previous two since
it is generally easier to deal with one common approach to
escrowed keys than a multitude of ad hoc product-by-product
This approach is GOOD for the Individual,
GOOD for the Corporation,
GOOD for the Software Publisher,
GOOD for Law Enforcement,
OK for National Security.
Alternative 4: Government Key Escrow
This approach is exemplified by the Clipper system introduced by
the U.S. Government in 1993. It serves the needs of law
enforcement and presumably national security very well, to the
extent that it is used by the public. But since it provides
little incentive to the user, corporation, or software publisher,
it is unlikely to see widespread commercial use and thus will
fall short of its potential for satisfying the government's
This approach is POOR for the Individual,
POOR for the Corporation,
POOR for the Software Publisher,
VERY GOOD for Law Enforcement, to the extent
it is used,
VERY GOOD for National Security, to the
extent it is used.
Looking at these four alternatives in the spectrum of key escrow
solutions, # 3 looks the most attractive and the most likely to
satisfy governments' interests if it became widely used.
The argument can be made that:
If commercial key escrow such as outlined in # 3 above,
satisfies law enforcement's interests as well as
since Clipper-equipped devices are intended to be
exportable (presumably to make them more attractive to
a wider customer base),
then, it follows that alternative # 3 appropriately bound
with commonly available algorithms such as DES should also
This leads to a fifth alternative:
Alternative 5: Licensed Data Recovery Centers with
In this approach, the software publishers can achieve their goal
of worldwide availability for products with good quality
cryptography. This would in turn lead to widespread use by
individuals and corporations that would, in turn, lead to greatly
expanded recovery of encrypted files by law enforcement, when
authorized. Similarly, widespread use will make this approach
much better for national security interests than the
proliferation of ad hoc solutions described in alternative 2.
This approach is VERY GOOD for the Individual,
VERY GOOD for the Corporation,
VERY GOOD for the Software Publisher,
VERY GOOD for Law Enforcement,
GOOD for National Security.
But What If We Do Not Proceed With Alternative 5?
It is understandable that governments would prefer key escrow
solutions such as Alternative 4 that provide them with full and
complete control of databases of escrowed keys. But the last
two years have shown that the issues associated with Clipper key
escrow are sufficient that it will not achieve widespread use
While there is always a tendency in government to stick with
what we have, it is often necessary to look beyond one s own
ideas and realize that by accepting an approach where the
government has a little less direct control, all governments may
be far better served.
The Commercial Key Escrow system described in Alternative 5 has
the potential to become widely available throughout the computer
and communications industry throughout the world because it
provides a highly useful service to individuals and corporations
/ organizations worldwide. The exportability of a commonly
available encryption algorithm such as DES, appropriately bound
to the key escrow system, provides a powerful incentive to the
software industry to make this approach widely available
throughout all its products.
To the extent that CKE becomes widely used in the U.S. and around
the world, the government can ensure that law enforcement will
have appropriate access to encrypted files and communications,
now and for the foreseeable future.
But if they should fail to promote CKE, with the export approved
of appropriate encryption algorithms in a timely manner, the
government will in effect be promoting the further development of
ad hoc, product-by- product key escrow solutions, and, through
the ensuing confusion, ensuring that law enforcement and national
security interests are seriously damaged, now and for the future!
Unfortunately, there is little time left! While the government
continues to "study the problem," more and more ad hoc solutions
are being introduced in the marketplace! We predict that there
is approximately a six-month window in which the government can
exercise the only lever it has left, export control, to limit the
expansion of incompatible product-by-product solutions and
promote a solution that will help all parties involved.
A New National Cryptography Policy
If a Commercial Key Escrow system similar to Alternative 5 is
adopted, we may soon all be able to relax our fundamental tension
with a national cryptography policy such as:
Good cryptography shall be available to the public without
government restriction, where:
"Good cryptography" is defined as DES and RSA bound
with commercial key escrow, and
"Without government restriction" means without export
control or any other mandatory restriction.
We believe that Commercial Key Escrow, properly bound with
exportable DES, is the only way to reduce the ever-growing
tension between the public and government interests in
encryption. We hope that the U.S. and other governments around
the world will take appropriate actions to enable this approach
to succeed before its too late!
Trusted Information Systems, Inc., is implementing its commercial
key escrow system for use in all applications that offer
encryption. TIS is working with software developers to include
commercial dey escrow user functions in their applications. An
initial Data Recovery Center will be available for test use on
the Internet early in 1995. Operational DRCs will be available
for corporate and individual use later in 1995.
Additional information can be obtained from: Trusted Information
Systems, Inc., 3060 Washington Rd. (Rt. 97), Glenwood, MD 21794.
Phone: (301) 854-6889; FAX: (301) 854-5363; or via E-mail to:
tis () tis com
1 A few countries such as France and Singapore also use import
or internal-use controls.
2 The Clipper Initiative includes programs such as Clipper for
telephone devices and Capstone for computer applications.
Throughout this paper the term Clipper will be used to refer to
all U.S. government programs using key escrow hardware such as
Clipper or Capstone.
3 There are those, even among the authors of this paper, who
argue that the term key escrow has been tainted by the Clipper
proposal and should no longer be used. Most of us, however,
believe the term is central to a vital concept and, while it may
have been abused, should be retained to describe the more general
4 One of the strengths of the Clipper design is that the
government key escrow system is closely bound in hardware with
the encryption process so that it is very difficult to disable
the escrow process while allowing encryption and decryption to
[Blaze] Protocol Failure in the Escrowed Encryption Standard,
Matt Blaze, AT&T Bell Laboratories, Preliminary Draft, June 3,
[Brooks] Hearings before the Subcommittee on Economic and
Commercial Law, Committee on the Judiciary, U.S. House of
Representatives, Congressman Jack Brooks presiding, May 7, 1992.
[Cantwell] HR3627, 103rd Congress, 1st Session, November 1993.
[Gore] Vice President Al Gore, letter to Representative Marie
Cantwell, July 20, 1994.
[NRC] Computers at Risk: Safe Computing in the Information Age,
published by the National Academy Press, Washington, D.C., 1991.
Finding Common Ground: Export Controls in a Changed Global
Environment, published by the National Academy Press, Washington,
Global Trends in Computer Technology and their Impact on
Export Controls, published by the National Academy Press,
Washington, D.C., 1988.
Balancing the National Interest: U.S. National Security
Export Controls and Global Economic Competition, published by the
National Academy Press, Washington, D.C., 1987.
[Time] Clipper-related articles appearing in TIME Magazine,
March 14, 1994; NEWSWEEK, March 14, 1994; US NEWS AND WORLD
REPORT, March 14, 1994; among others.
[TIS] A New Approach to Software Key Escrow, Trusted Information
Systems, Inc., August 15, 1994.
- Commercial Key Escrow: part 2 of 2 David Farber (Jan 04)