[1600] in cryptography@c2.net mail archive
Costs of Mandatory Key Recovery
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Tue Sep 23 16:07:04 1997
Date: Tue, 23 Sep 97 17:37:35 GMT
From: "William Allen Simpson" <wsimpson@greendragon.com>
To: Philipw@CBO.GOV
Cc: Fred Baker <fred@cisco.com>, Don Heath <heath@isoc.org>
-----BEGIN PGP SIGNED MESSAGE-----
While important costs are identified, several of the projections have
missed the point. This so-called "key recovery" legislation is not
about "escrow" of longer term public-private key-pairs. The legislation
requires "immediate access" to communication keys. We call those
"session-keys".

In the Internet, the public-private key-pairs are used only for
identification. Escrow and recovery of the longer term private-keys
cannot be used to learn past short-term session-keys. The long-term
private-keys can only be used to _IMPERSONATE_ a user in _future_
sessions, and thus learn those session-keys.

The session-keys are separately generated, using one of various
Diffie-Hellman exchanges. Thus, every session-key will need to be both
(1) escrowed for "key recovery" and (2) included in every Internet
datagram for "immediate access".

Session-keys are generated by (NSA-DoD) ISAKMP-Oakley or (Karn-Simpson)
Photuris Session-Key Management Protocols or (Microsoft-Netscape)
Secure-Session-Layer or (Finnish-Canadian) Secure-Shell at a rate of
seconds or minutes. The estimate for "escrow" of this immense number of
keys that are concurrently generated by tens of millions of computers is
several orders of magnitude more than just public-private key-pairs.

Based on the current volume of use (dominated by tens of millions of web
browsers), this is likely to require a new secure communications
infrastructure for transmitting the session-keys to the escrow facility
at least the size of the current Internet, and storage requirements that
are a large fraction of the secured traffic volume. This will require
$40-100 billion, as we don't know whether the growth curve will plateau
by 2001.

However, escrowing these session-keys requires the cooperation of every
user. The legislation requires that user cooperation not be needed.

It is entirely possible that some users might not cooperate. Thus, every
datagram will need to carry enough identifying information to locate and
recover the session-key, and to identify non-compliance.

Moreover, the legislation requires that particular sessions be selected,
as identified by the warrant. Presumably this must not be done by a
sweep that includes hundreds or thousands of other users at the same
time.

The IP Source and Destination and TCP/UDP/etc. Ports are not useful for
this identification. More than one user might use the same machines.
The headers are frequently changed via Network Address Translation.
Therefore, each datagram will need to carry cryptographic tokens for the
Source user, Destination user, and current session-key.

Public-keys can be used for identification of the principals. This
would add 512 to 1024 bytes (two principals of 2048 to 4096 bits each)
to every packet. Since this is too large to carry, a hash of each
principal's key could be used instead, adding only 40 bytes to each
packet.

The session-key could be encoded by a special FBI public-key. This
public-key could be included in every piece of software. But, this key
would need to be proof against compromise for at least 100 years. At
least 2048 bits are required, adding another 256 bytes to every packet.

Since the maximum path transmission unit for IPv4 is 576 bytes, adding
at least 296 bytes to every packet will substantially decrease the
efficiency of the Internet. Currently, as regularly reported at the
North American Network Operators Group (NANOG), about 1/3 of traffic is
40 bytes, another 1/3 is the maximum 576 bytes, and the rest of
intermediate sizes. The 40 byte traffic will be bloated 800% to 336
bytes, while 576 byte traffic data carrying capacity will be reduced 60%
from 536 bytes to only 180 bytes.

Data transfers will take 3 to 8 times as long. Waits that are now a few
minutes will become extremely lengthy. The effect on network operators
and end users will be catastrophic. US information technology will
experience a reduction in productivity.

This will create an incredible number of scofflaws. New software
releases will hide among the existing user base, and depend upon the
impracticability of jailing or fining tens of millions of citizens.

Knowledge of the passing of this legislation with its future loss of
productivity could lead to a collapse of the inflated US stock markets.
The cost is incalculable.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNCgF7Nm/qMj6R+sxAQEEqwQAksR9sFQwTdbNhwZBh0gG7defP9urf3Ej
Q5C+CD709kDlBxvrnHKlmtBbdLGlnmecIiuLnFQ4o9mHL7hqnvYt8Lxc4JAGH/Wa
4g86jqPYs2vPjDLCL8C/oR8UoGt+QGKWxbSxx6SBiXIhrgIJoF41L6a3zPkY+T0+
z2Rfkc6u72k=
=8br8
-----END PGP SIGNATURE-----
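
The per-datagram overhead argument in the message above can be turned into a small model of a bulk transfer. This is an added example, not part of the original message; the 40-byte IP+TCP header (576 minus 536) and the one-acknowledgement-per-two-segments pattern are assumptions. With the itemized 296 bytes, straight subtraction leaves 240 payload bytes per full datagram; the message's figure of 180 would correspond to 60 further bytes per datagram that it does not itemize.

```python
import math

MTU = 576               # datagram size limit used in the message
HDR = 40                # assumption: IP + TCP headers (576 - 536)
PRINCIPAL_HASHES = 40   # message: hashes of both principals' public keys
WRAPPED_KEY = 256       # message: session-key under a 2048-bit recovery key
RECOVERY = PRINCIPAL_HASHES + WRAPPED_KEY   # 296 bytes in every datagram


def payload_per_packet(overhead=0):
    """Application bytes that fit in one full-size datagram."""
    room = MTU - HDR - overhead
    if room <= 0:
        raise ValueError("overhead leaves no room for data")
    return room


def transfer(nbytes, overhead=0, segs_per_ack=2):
    """Return (packets, wire_bytes) for a one-way bulk transfer.

    Every datagram, including each bare acknowledgement, carries the
    recovery fields, as the message requires.
    """
    if nbytes <= 0:
        raise ValueError("nbytes must be positive")
    per = payload_per_packet(overhead)
    data_pkts = math.ceil(nbytes / per)
    last = nbytes - (data_pkts - 1) * per        # payload of final segment
    acks = math.ceil(data_pkts / segs_per_ack)   # assumed ACK pattern
    data_bytes = (data_pkts - 1) * MTU + HDR + overhead + last
    ack_bytes = acks * (HDR + overhead)
    return data_pkts + acks, data_bytes + ack_bytes


def slowdown(nbytes, overhead=RECOVERY):
    """Wire bytes with recovery fields divided by wire bytes without."""
    return transfer(nbytes, overhead)[1] / transfer(nbytes)[1]


if __name__ == "__main__":
    size = 1_000_000   # constructed sample: a 1 MB transfer
    print("plain   :", transfer(size))
    print("recovery:", transfer(size, RECOVERY))
    print("slowdown: %.2fx" % slowdown(size))
```

Passing a larger `overhead` (for example 356) to `transfer` shows how quickly the ratio grows once anything beyond the two itemized fields is added.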