[716] in cryptography@c2.net mail archive
Re: key recovery vs data backup
daemon@ATHENA.MIT.EDU (Adam Back)
Tue May 6 18:33:39 1997
Date: Tue, 6 May 1997 23:21:07 +0100
From: Adam Back <aba@dcs.ex.ac.uk>
To: das@razor.engr.sgi.com
CC: cryptography@c2.net
In-reply-to: <9705061345.ZM19650@razor.engr.sgi.com> (das@razor.engr.sgi.com)

Anil Das <das@razor.engr.sgi.com> writes:
> Far as I can see the intention is indeed for someone else
> to be able to read your email. Just that that someone else is not
> the government.
>
> Customer != User
>
> There are many corporations who have a stated policy that
> all email crossing the firewall will be examined to make sure that
> no corporate information is being leaked or stolen.

Yes, this is some people's stated aim, although this was not the way I
read Tom's mail, he said: "They need a way to recover from lost keys
and forgotten password." I would be interested to hear if Netscape
also perceives a customer demand for CKE for the reasons you describe.

Also, Alice's company escrowing Alice's public key does not give them
access to mail that Alice sends, because this is encrypted with the
recipient, Bob's, public key. To enable Alice's company to access
Alice's outgoing communications you need another mechanism.

If you use the multiple recipients approach, you'd just as well encrypt
directly to Alice's company's key as to Alice's key as a second
recipient.

For incoming mail, if the company wants to read that too before Alice
sees it, you'd just as well request Bob to encrypt to the company key.
It can be re-encrypted for Alice after inspection, if the company
wants to protect email inside the firewall also.

Sharing keys seems like a bad idea from a security perspective, the
more people know a secret the harder it is to keep secret.

If Alice is working on a sensitive enough project within the company
that her old communications need to be encrypted it would make sense
to encrypt the rest of her files also, as they are likely to be just
as sensitive, if not more so. Encrypting her filesystems would seem
like a sensible approach. Backup proceeds as normal, either backup
plaintext and lock the tapes in the fireproof safe, or take encrypted
backups and escrow the key with the company's law firm, or whatever.

Communications keys are more sensitive than storage keys in the sense
that the ciphertext is sent over open channels. With storage keys,
the attacker must also physically break into your offices and take
disks, tapes etc. Therefore it may be preferable to escrow storage
keys rather than escrowing communication keys (depending on the
relative value of the plaintexts). Also communication is transient in
nature, people expect the odd email to disappear, whereas they get
upset if their disk crashes and they don't have backups.

However, this doesn't answer Tom's stated requirement for key recovery
which is simply that users forget passwords, and that it is a pain to
generate new keys, and re-certify them. This is really a human
computer interface problem, people make poor stores of cryptographic
keying material. Perhaps smart cards would help. I hear dumb smart
card readers are getting pretty cheap, < $10, simple cards are cheap
also.

Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`