, SecurityFocus 2001-09-20
Experts warn that encryption key recovery systems would weaken network security.
Everyone is expecting that key recovery will come back as a mandatory proposal, and it will still have the same problems that it had when it was first proposed.
A recent public opinion poll surveying reactions to the terrorist attacks reported that 72 percent of respondents believed that reducing encryption to aid the CIA or FBI would be "somewhat" or "very" helpful in preventing similar incidents. The study, conducted by Princeton Survey Research Associates, found that 54 percent of those surveyed felt encryption laws should be reduced to assist investigators.
During a speech on the Senate floor last week, Sen. Judd Gregg (R-N.H.) called for a global ban on encryption products that do not allow access for decryption by government agents.
In response, many analysts are pointing to a 1998 report entitled "The Risks of Key Recovery, Key Escrow, & Trusted Third Party Encryption," compiled by a group of respected cryptographers and computer scientists. The study details technical risks and costs in deploying systems that provide government access to encryption keys.
According to the report, placing keys with recovery agents increases the likelihood of attack through technical means, malicious exploitation of mistakes, or corruption. "There is a significant risk that widespread insertion of government-access key recovery systems into the information infrastructure will exacerbate, not alleviate, the potential for crime and information terrorism," concluded the researchers.
Reached this week, authors of the report say its warnings against key recovery systems are still timely.
"Nothing technologically has changed," says Bruce Schneier, founder and CTO of Counterpane Internet Security Inc. "Attempting to do this would make things worse because it would centralize all the keys and the risk of reaching them go up dramatically. Increasing security by increasing our risks seems like a mistake."
"It is well understood that you can't run a secure Internet without encryption," says Steven Bellovin, a cryptography and security researcher at AT&T Laboratories and another author of the 1998 study. "But everyone is expecting that [key recovery] will come back as a mandatory proposal and it will still have the same problems that it had when it was first proposed that we discussed in the report."
There is no firm evidence that the terrorists suspected in last week's attack used encryption, and the Bush administration has yet to make a formal call for key recovery or backdoors in encryption products. But according to the Congressional Record, in his Sept. 13th speech, Sen. Gregg said software developers had an "obligation" to include backdoors for government surveillance in their products.
"This is something that we need international cooperation on and we need to have movement on in order to get the information that allows us to anticipate and prevent what occurred in New York and in Washington," said Gregg.
Gregg's aides say he is calling for voluntary measures by encryption companies, not key recovery legislation. But members of the U.S. Senate have already approved the Combating Terrorism Act of 2001, an amendment to a House appropriations bill which adds computer crime to the list of offenses for which a Title III wiretap order can be issued. And on Wednesday, the Bush administration sent a proposed "Mobilization Against Terrorism Act" to Congress which would dramatically increase the U.S. government's domestic surveillance powers.
"I fully expect more automatic surveillance of ordinary citizens, limits on information flow and digital-security technologies, and general xenophobia," wrote Schneier his Crypto-Gram newsletter Saturday. "I do not expect much debate about their actual effectiveness, or their effects on freedom and liberty."
It's been eight years since the Clinton administration first attempted to mandate key recovery via the 'Clipper Chip'. Developed by the National Security Agency (NSA), the chip used an algorithm that could be decrypted using two separate keys.
With Clipper, the government proposed that a master key to each encryption device should be held "in escrow" for release to law enforcement. The keys were to be retained by the National Institute of Standards and Technology (NIST)and the Department of Treasury and combined, under court order, to decrypt messages. The U.K has since succeeded in pushing through a key escrow system that demands decryption keys under the pending Regulation of Investigatory Powers Act (RIPA).
Authors of the 1998 report noted that a ubiquitous key recovery system could encompass thousands of products and key recovery agents, tens of thousands of law enforcement agencies, tens of millions of public-private key pairs and hundreds of billions of recoverable session keys.
The authors warned that the theft of a single private key or small set of keys held by a recovery agent could unlock much or all of the data of a company or an individual. International key recovery systems are especially vulnerable to abuse by insiders, including rogue companies, and governments or law enforcement agencies that might abuse their key recovery authority to the advantage of their own country's corporations, the report read.
"One loss has ripple effect to the entire system," says Schneier who asserts that the nation's electronic infrastructure is already weak.
Bellovin notes if the U.S. government builds a mandatory key recovery system, it could put its own data at risk. He points out that there have been a number of high-profile spy cases in the FBI recently where intelligence officers have leaked sensitive data. "We have the man responsible for counterintelligence for the Soviets for the FBI sitting in a D.C. jail cell right now," said Bellovin. "What would have happened if Hansen had given them a list of keys. This is one of the failure modes of a key recovery center."
Most of the key recovery or key escrow proposals made to date have had weaknesses discovered after their initial implementation. Matt Blaze, a research scientist at AT&T Laboratories who discovered weaknesses in the Clipper key escrow system, wrote last week that he remain concerned about security of such systems.
"I worry about the robustness of systems designed with back doors, the potential for failure in centrally controlled and managed networks, the weakening of the end-to-end model that made the Internet such a natural success," wrote Blaze in an essay.
In an email interview, Blaze added that the security risks enumerated in the 1998
"Failure mode is going to be subtle and render the thing useless," agreed Bellovin, who pointed to the CERT advisory of August 24, 2000 which pointed out a flaw in a key recovery feature in PGP versions 5.5.x to 6.5.3. He says he doesn't see any reason to think that failures like these can be avoided. "Complexity like this is at the root of most software vulnerability and most security holes are caused by buggy software. Here we want to take very critical pieces of software and add more complexity and this is a very dangerous direction and leaves me feeling very nervous."
Frank Wells Sudia, co-founder of CertCo, LLC, and developer of the key escrow system proposed by Bankers Trust Company in 1994, disputes suggestions that developing a secure, large-scale key recovery system is not technically feasible. In an
Sudia's proposed system uses multiple financial institutions as trustees to hold key fragments. He argues that this system preserves sender-receiver independence and international autonomy while providing stringent auditing of law enforcement and national security access and meaningful financial responsibility for security breaches. According to Sudia, the system was praised by the FBI and NSA, but was never built due to doubts over market demand, the absence of requirements, and "vehement public vilification of the escrow concept."
"There is nothing magic about banks and trust companies, but they constitute an existing secure and regulated infrastructure that is relatively close to what is needed for key storage and access," wrote Sudia. "They have substantial minimum capital requirements; their managers face criminal penalties for violations of trust; they are subject to frequent audits and inspections; and if they "fail," a formal process exists for state or federal regulators to seize and merge them into another solvent entity, assuring continuity of services."
Sudia argued Monday that building this type of key recovery systems is still feasible. "We did not loose on technical feasibility, we lost because the civil liberties people are the ones whose trounced the whole thing," said Sudia. "This is a challenge to be sure, but it is not outside the range of possibility to distribute risk adequately and to assure that if problems do occur, there is a level of assurance or capital base to recompense the losses."
Schneier disputes the idea that banking security systems could provide a secure platform for key recovery. He notes that errors caused by banking security problems can be undone, but flaws involving the control of private information cannot. "Most banking problems are discovered after the fact and then fixed," said Schneier. "If we break your privacy, we can't fix it."
While he sees little support for his ideas, Sudia contends that such a system cannot be tested until it is built-- a process that he estimates would take two to three years.
"Would handling keys be a big problem, of course it would be, but it's not as if we don't have a clue how to build high value financial systems," said Sudia. "I am telling you we know how to build one, I'm not saying it should be built, I'm saying it can be built.
Bellovin argues that even if the government actually mandates key recovery systems or encryption with backdoors, it is easy to defeat such controls with simple tactics such as encrypting the data with another undefeatable encryption system before using the approved method.
"What good is it actually going to do," said Bellovin. "You are going to catch your low level crooks who are too stupid to go and get black market crypto, but you will not get the well-organized, well-financed, sophisticated groups that were exactly our major targets. You are in a situation where human vulnerabilities and technical vulnerabilities can't fulfill the mission that you actually want it for, so what is the point?"
Blaze said he was still unsure whether a key recovery proposal would emerge from Washington. "It's difficult to say how serious discussion of key escrow is at this point," wrote Blaze. "Right now, I think people are still reacting to the crisis, and key escrow, and restrictions on cryptography generally aren't really the kinds of things than could be implemented overnight, if at all."