[749] in cryptography@c2.net mail archive


Re: key recovery vs data backup

daemon@ATHENA.MIT.EDU (Hal Finney)
Thu May 8 00:25:11 1997

Date: Wed, 7 May 1997 20:15:49 -0700
From: Hal Finney <hal@rain.org>
To: cryptography@c2.net

It would be nice to provide key or data recovery using a model which
would not easily be converted to GAK.  One difference between business
and government key access is that the latter almost always needs to be
secret, while the former can usually be done openly, at least in such
a way that the key holder finds out about it.

Government access to keys will usually occur in the context of a criminal
investigation.  Sometimes this is after the fact and can be done openly,
but often I think it is done secretly, and an important ingredient is
that the access be made without the key holder knowing.  I think some of
the proposed legislation we have seen for TTP's and such provides for
this kind of access.

Business access would on the other hand usually happen either after a
mistake, where someone somehow lost their keys, or after a dispute, say
where an employee who was fired or quit on bad terms has intentionally made
data unavailable.  In both these cases there would not be any problem in
the key holder finding out about the access; in fact, I think in most
circumstances the key holder would expect the access to occur.

So, if we could come up with a key recovery protocol which had, as an
integral component, notification of the key holder, we would have something
which would work OK for all but the most fascist businesses (and
unfortunately they do exist), but which would not be easily converted
to a GAK system.  I'm not saying that the key recovery should require
the permission of the key holder, since that would enable an employee
to block justified business access, but somehow it should be done so that
he is notified.

The closest system I know to this is Matt Blaze's "Oblivious Key Escrow",
also called "Net Escrow", at ftp://research.att.com/dist/mab/netescrow.ps
(or .tex).  In this system the secret key is split into thousands of shares
which are cast onto the Internet winds like dandelion seeds.  To recover
a key you broadcast a call for shares, and those random parties who ended
up with the proper pieces can supply them.  Because of the broadcast, the
key holder inevitably finds out about the recovery.

In this form it is not really suitable for business use.  The system relies
on a highly decentralized infrastructure of key share storage and recovery
agents, which may not be able to guarantee reliability.  And the global
broadcast may spread the word about key problems too widely for corporate
comfort.  Still I think this is an interesting approach and maybe something
along these lines could be developed which would work better for the
business environment.

Hal
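A toy model of the "Net Escrow" idea described above, added here as an example and not code from Hal Finney or from Blaze's paper. It assumes a small prime field, a handful of simulated share holders instead of thousands, and a broadcast log that the key holder also sees, which is the notification property the message is after.

```python
"""Shamir-split key shares held by random "net" parties, recovered by broadcast.
Added example (not from the original post or Blaze's paper). Assumptions:
key is an integer below P, holder names and threshold are made up."""
import secrets

P = 2**127 - 1  # Mersenne prime used as the field modulus (assumption)

def split_key(key, n, k):
    """Split integer key into n Shamir shares over GF(P); any k rebuild it."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of the polynomial
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_key(shares):
    """Lagrange interpolation at x = 0 over GF(P) from >= k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class NetEscrow:
    """Simulated share holders plus a broadcast call for shares.
    The owner listens to the same broadcast, so every recovery is visible."""
    def __init__(self, key, holders, threshold):
        self.threshold = threshold
        self.log = []                    # constructed audit trail of broadcasts
        self.store = dict(zip(holders, split_key(key, len(holders), threshold)))

    def broadcast_recover(self, owner, requester, responders):
        """Broadcast a call for owner's shares; returns key if enough answer."""
        self.log.append(f"BROADCAST: {requester} requests shares of {owner}")
        self.log.append(f"NOTIFIED: {owner} sees recovery request by {requester}")
        supplied = [self.store[h] for h in responders if h in self.store]
        if len(supplied) < self.threshold:
            return None                  # too few holders answered the call
        return recover_key(supplied[: self.threshold])
```

Because the request is a broadcast rather than a private query to an escrow agent, the notification cannot be skipped without abandoning the recovery mechanism itself, which is what makes the model awkward to repurpose for secret access.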
