Bert-Jaap Koops homepage - research
Key recovery, key escrow, government access to keys - whatever it's called, it means a crypto system that allows the government to access the key or plaintext. It's meant to catch criminals, or to give law-abiding citizens a robust, police-friendly crypto system, or both. Various systems are being researched, yet all involve security risks.
| Clipper chip | chip for EES, proposed by US government in 1993, providing government access through a LEAF; died somewhere in 1996 |
| data recovery | all-encompassing term for retrieving the plaintext of encrypted data if the key for decryption is not available (this includes key escrow, key recovery, and plaintext recovery; to be used for government or for users' needs); modern equivalent of GAK |
| EES | Escrowed Encryption Standard; US standard for key escrow system, using the Escrowed Encryption Algorithm, based on the classified symmetric crypto system Skipjack |
| GAK | Government Access to Keys; outdated term for crypto systems that allow a government (law-enforcement or national-security agencies) to access crypto keys or plaintext; although outdated, still useful as a generic term |
| key backup | euphemistic synonym for key escrow |
| key deposit | synonym for key escrow |
| key encapsulation | new term for key recovery in its original sense: a crypto system which provides data recovery by having people tag along to messages a recoverable session key rather than deposit their private keys |
| key escrow | generic term for crypto systems that provide government (or occasionally user) access to keys by having people deposit their keys with a TTP |
| key management | the process of key generation, key certification, certificate distribution, and certificate revocation, may also include key deposit or backup; used in the OECD Guidelines as a potential euphemism for key recovery (which suggests that, once 'key recovery' becomes tainted with negative implications, key management may replace 'key recovery' as the next generic term for GAK) |
| key recovery | originally a term for a crypto system which provides GAK by having people tag along to messages a recoverable session key rather than deposit their private keys; is increasingly used, however, irrespective of the technology, as a generic term for GAK and a replacement for 'key escrow' which has become a too negative term |
| LEAF | Law-Enforcement Access Field; data unit sent by Clipper chips which enables the Clipper TTPs to decrypt the message; sometimes also used in other key recovery systems |
| LEAK | Law-Enforcement Access to Keys; law-enforcement part of GAK; I introduced this term in my Ph.D. thesis as a generic term for crypto systems that provide the police with access to keys or plaintext without the user's cooperation or knowledge (Law-Enforcement Access to Data would be more correct, but LEAK seems the more appropriate acronym) |
| plaintext recovery | method that provides recovery of encrypted data if the key for decryption is not available by storing a back-up of the unencrypted data in a safe |
| private doorbell | confusing term circulating in the US around 1998 for key recovery (in its original sense) |
| TTP | Trusted Third Party; organization which offers cryptographic services, such as key certification, distribution, revocation, and time-stamping; may also denote a Key Escrow Agent or Key Recovery Agency |
Similar to the US Key Recovery Alliance, but smaller in scale, seven European companies are studying the potential of key recovery ('confidentiality services') in KRISIS, as part of the European Union's broad project on information security.
Their main conclusion is:
"Key recovery systems are inherently less secure, more costly, and more difficult to use than similar systems without a recovery feature. The massive deployment of key-recovery-based infrastructures to meet law enforcement's specifications will require significant sacrifices in security and convenience and substantially increased costs to all users of encryption. Furthermore, building the secure infrastructure of the breathtaking scale and complexity that would be required for such a scheme is beyond the experience and current competency of the field, and may well introduce ultimately unacceptable risks and costs. "
This is an important report, and it is essential that the increased security risks of key recovery are made clear.
However, I have four objections to the study.
I would welcome a broader report that takes into account protocols addressing some of the objections to key recovery, that distinguishes between voluntary and mandatory key recovery, and that is based on key recovery as a concept, rather than on (US) government requirements that may not be essential.
Despite these objections, the main conclusions of the report are valid and on the mark. It's an important report, and I encourage everyone - especially governments - to read it.
© Bert-Jaap Koops, 1997-1999. All rights reserved.
Last updated on 20 July 1999.
home | help | address | mail | links
research | crypto law survey | publications | personal | amnesty
crypto & crime | key recovery | PKI | research links