[555] in cryptography@c2.net mail archive
Re: Two crypto policy articles online
daemon@ATHENA.MIT.EDU (Hal Finney)
Wed Apr 16 13:47:03 1997
Date: Wed, 16 Apr 1997 08:49:41 -0700
From: Hal Finney <hal@rain.org>
To: cryptography@c2.net, cypherpunks@cyberpass.net, E.J.Koops@kub.nl
Bert-Jaap Koops, <E.J.Koops@kub.nl>, writes:
> E. Verheul, B.J. Koops, H. van Tilborg, Binding Cryptography. A
> fraud-detectible alternative to key escrow, Computer Law & Security
> Report, January-February 1997, pp. 3-14
> http://cwis.kub.nl/~frw/people/koops/bind-art.htm
I was very disappointed to read this article. Written for a lay audience,
it gives an incorrectly optimistic impression of the practicality of
establishing a public key infrastructure (PKI) which cannot be exploited by
criminals.
We had many discussions on the cypherpunks list back in October 1996 about
your "binding cryptography" proposal. We showed how the use of super-encryption
and similar techniques could easily allow criminals to use the
keys and certificates of the PKI to communicate without access by any
third parties ("trusted" or not). The main new idea of "binding", which
is simply encrypting to a third party in such a way that outsiders can
confirm that the same session key is used as for the main recipient, does
not address this issue.
Yes, criminals would have to use their own software. But that is already
the case with existing proposals for software key escrow, where the
recipient software would check to see that the third party encryption
was correct. With both your system and previous proposals, criminals who
use the software they are "supposed to" can't cheat; with both your system
and previous proposals, criminals who use their own software can cheat,
undetectably by outsiders.
Granted, as an abstract technical idea, being able to prove the equality
of the contents of the two encrypted session keys is interesting. If this
were written up as a minor new crypto result that would be appropriate.
But you have been presenting it as though this is an advance which
would allow a worldwide key escrow infrastructure to work better than
previously known schemes. For example, in the paper cited above, you write,
regarding TIS's commercial key escrow scheme:
> By sending along useless data instead of a session key encrypted with
> the public key of the TRP, unilateral abuse is easily possible and
> will only be detected in case of a lawful wiretap. This is prevented
> in TIS-CKE (or actually in its successor RecoverKey International) by
> having the decryption software of the addressee first validate whether
> the session key encrypted with the public key of the TRP matches the
> third component; if it does not, the software refuses to
> decrypt. However, abuse by collusion of sender and receiver - through
> manipulation of this validation in the software - is still (easily)
> possible and will only be detected in case of a lawful wiretap
> (contrary to criterion f).
This last sentence applies equally well to your own scheme. However, when
discussing it you say:
> Abuse of the concept (i.e., not complying with the binding rules) can be
> made difficult by checks in supporting software/hardware; it can also be
> discouraged (e.g., by fining) and can be easily detected by third parties
> (criteria e and f) without their accessing the information content.
The last part is false. Abuse via non-compliant software cannot be
detected by third parties without accessing the information content.
You have claimed an operational advantage over earlier proposals which
is not valid.
When you are writing for a non-specialist audience, you have an obligation
as an expert in the field to write carefully about what you are presenting,
and to avoid making statements which you cannot justify. Your article
could serve to encourage the development of an international key recovery
infrastructure, based on your incorrect assurance that such a system would
be able to detect abuse. The readers are not going to be in a position to
evaluate the technical details of your proposal. They trust you to describe
its benefits and limitations accurately. But you have not done so.
The only possible excuse I can see is that you were simply unaware of
the fact that users with non-compliant software could use a PKI based
on "binding cryptography" without detection, similarly to the older
TIS proposal. Perhaps it was not until our October discussion that you
were made aware of potential countermeasures. And given the lead times
for some publications, there may not have been sufficient time for you
to revise the article above. If this is the case, I trust that you
will issue a correction as expeditiously as possible to explain that
criminals could gain all the benefits of the PKI you propose without
being detected by outsiders.
Hal Finney
hal@rain.org
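The distinction Finney draws, illustrated as an added toy example (not code from the paper, the list, or any real escrow product): the sender encrypts one session key to both recipient and third party (TRP) with shared ElGamal randomness and attaches a Chaum-Pedersen equality proof standing in for the "binding" component, so any outsider can confirm both components carry the same key without any private key. The group parameters, the SHA-256 stream cipher and the pre-agreed secret are constructed placeholders; the demo shows that the outsider check passes identically whether or not the payload was superencrypted, and only the TRP's decryption reveals the difference.

```python
import hashlib, secrets

# Toy group: safe prime P = 2Q+1, G generates the order-Q subgroup (constructed, far too small for real use).
P, Q, G = 2039, 1019, 4

def H(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def bind_encrypt(k, y_rcpt, y_trp):
    """ElGamal-encrypt session key k to recipient and TRP with one shared randomness r,
    plus a Chaum-Pedersen proof that b_r and b_t hide the same k (our stand-in for 'binding')."""
    r = secrets.randbelow(Q - 1) + 1
    a = pow(G, r, P)
    b_r, b_t = k * pow(y_rcpt, r, P) % P, k * pow(y_trp, r, P) % P
    h = y_rcpt * pow(y_trp, -1, P) % P   # b_r / b_t == h^r whenever the same k was used
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(h, w, P)
    c = H(a, b_r, b_t, t1, t2) % Q       # Fiat-Shamir challenge
    return {"a": a, "b_r": b_r, "b_t": b_t, "proof": (t1, t2, (w + c * r) % Q)}

def outsider_verify(ct, y_rcpt, y_trp):
    """Needs no private key and never looks at the payload: this is all an outsider can check."""
    a, b_r, b_t, (t1, t2, s) = ct["a"], ct["b_r"], ct["b_t"], ct["proof"]
    h, d = y_rcpt * pow(y_trp, -1, P) % P, b_r * pow(b_t, -1, P) % P
    c = H(a, b_r, b_t, t1, t2) % Q
    return pow(G, s, P) == t1 * pow(a, c, P) % P and pow(h, s, P) == t2 * pow(d, c, P) % P

def recover_key(ct, x, field):
    """ElGamal decryption of one key component with private key x."""
    return ct[field] * pow(pow(ct["a"], x, P), -1, P) % P

def stream_xor(key, data):
    """Toy stream cipher (SHA-256 keystream XOR), constructed for the demo only."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(f"{key}:{i}".encode()).digest() for i in range(blocks))
    return bytes(x ^ y for x, y in zip(data, ks))

def demo(superencrypt):
    """Returns (outsider binding check passed, TRP recovered the plaintext)."""
    x_r, y_r = keygen()
    x_t, y_t = keygen()
    k = pow(G, secrets.randbelow(Q - 1) + 1, P)            # session key as a group element
    msg = b"constructed sample plaintext"
    inner = stream_xor(H("pre-agreed secret"), msg) if superencrypt else msg  # non-compliant software
    payload = stream_xor(k, inner)                          # what actually travels with ct
    ct = bind_encrypt(k, y_r, y_t)                          # binding component is honest either way
    trp_view = stream_xor(recover_key(ct, x_t, "b_t"), payload)
    return outsider_verify(ct, y_r, y_t), trp_view == msg
```

`demo(False)` returns `(True, True)` and `demo(True)` returns `(True, False)`: the binding proof is valid in both runs, which is why detection requires the TRP to access the content rather than an outsider inspecting the key components.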