Key Recovery

I. Encryption Introduction.

Access to secure, reliable, industrial-strength encryption technologies enable companies to ensure the confidentiality of commercial transactions and communications as "e-Business" becomes increasingly pervasive. However, that access must be balanced with the national security interests of governments around the globe.

On October 1, 1996, the United States government announced the relaxation of export restrictions on products that implement or use encryption with a 56-bit key. This liberalization was predicated upon the computer industry developing key recovery technology that would balance the need for confidentiality with the legitimate security needs of government.

II. E-Business require backdoor for the key of encryption. (Key escrow and non-escrow)

In addition to reasons for hiding or encrypting information, there are legitimate reasons for recovering encrypted information such as :

  • an individual has encrypted important information and has lost or forgotten the key

  • a business needs access to employee-encrypted non-personal information and the employee is not available

  • law enforcement procures a court order giving them the right to access information (for example, a search warrant).

    • The cryptographic key is the critical item required to recover encrypted information. Therefore, the availability or accessibility of the key is a pivotal issue. A number of key recovery technologies exist to make the key available to recover encrypted information. There are two basic types of key recovery techniques:

    those involving some form of escrow of the key or key parts with a trusted party and those non-escrow techniques that involve creating key recovery fields that are mathematically related to but not actually the key or parts of the key and associating these fields with the message. Later the key recovery fields can be used to recover the key. Such techniques are called encapsulation.

    II. Key escrow and its weak points.

    Key escrow means that the key or key parts are distributed to key escrow agent(s) for storage. Information recovery using a key escrow system requires the key escrow agent(s) to provide the necessary key or key parts to recover the key.

    For example, the National Security Agency's Clipper microchip requires key escrow and two government key escrow agents. Authorized "eavesdroppers" to the encrypted communication would subpoena the key parts from the government key escrow agents, recover the key, and intercept/decrypt the communication.

    Trusted Third Party (TTP) means that a third party to the cryptographic application actually creates and provides the cryptographic keys to the participants, storing a copy for future key recovery.

    The disadvantages and limitations of both escrow and TTP schemes for information recovery include :

  • single point of vulnerability/compromise

  • poor scaleability

  • loss of control over key management

  • distrust

  • high entry cost

    • Scaleability is affected since communication with a third party is required for each session/archive key initiation. Distrust results from the fact that control of information recovery belongs to a single jurisdiction (government, country, company, etc).

    III. Key non-escrow: Key recovery.

    The high-level flow of the key recovery technology is as follows:

    1.Select a subset of the key recovery service providers in each jurisdiction

    2.Phase 1: Prepare recovery information using the public keys of the selected key recovery service providers

    3.Select an encryption algorithm and a session/archive key (session: interactive or store/forward)

    4.Select and encrypt a message/file

    5.Phase 2: Prepare recovery information based on the selected session/archive key. Optionally, a piece of recovery information is withheld for either/both ends of the communication, thus creating a residual work factor for key recovery

    6.Place the two-phase recovery information in the header or extended file of the encrypted message/file

    7.Transmit

    Note: Phase 1 is independent of the particular session/archive key.

    The recovery information also contains administrative information that is useful if and when key recovery is necessary and authorized; for example:

  • Sender/Receiver IDs (optional)

  • Sender/Receiver Jurisdiction of Origin IDs

  • Key recovery service provider IDs for both the sending and receiving jurisdictions

  • ID of the message

  • time period during which key is valid date and time of the message

  • cryptographic algorithm used to encrypt the message

    • The key recovery process is an add-on to existing encryption schemes and can be invoked by any cryptographic application. Key recovery support could be either optional or mandatory, depending on the jurisdictional requirements.

    Implementation details

    In order to minimize the preparation overhead, the recovery information is prepared in two phases: one phase is in dependent of the particular session/archive key being prepared; the second phase is dependent on the particular key and session parameters.

    The first phase, which uses public-key encryption, can be shared across multiple invocations of key recovery preparation, thus reducing overhead. The public-key encryptions can be stored for repeated use. The public key encryptions are not applied to the original key or key parts. Rather, a random number (one random number per each selected key recovery service provider in each jurisdiction) is encrypted using the public-key of the respective service provider.

    (Phase 1). These public-key encrypted values are independent of the session/archive key being prepared. These indexed random numbers, one per service provider, serve as starting points in a process that determines the remainder of the recovery information (Phase 2). Several methods for creating these indexed random numbers will be described below.

    For Phase 2, any fast/convenient/strong symmetric encryption algorithm is selected. This could be the original encryption algorithm or an independent selection. The indexed random numbers from Phase 1 are used as input to a process that generates a secondary set of parameters. Using the selected, symmetric encryption algorithm, the secondary parameters are used as keys to encrypt the original session/archive key in nested order. All the secondary parameters/keys associated with the selected service providers per jurisdiction are used. The nested encryptions, one per jurisdiction, become part of the session-specific recovery information in Phase 2. Later, key recovery requires that the nested encryption in either jurisdiction be undone in reverse order to recover the session/archive key.

    Therefore, the recovery information consists of two parts:

    Phase 1: the public-key encrypted random numbers associated/indexed with each selected service provider

    Phase 2: the nested, symmetric encryptions associated with each jurisdiction, using secondary parameters/keys derived from the indexed random numbers (plus administrative and identifying information).

    For key recovery, only the public-key encrypted, indexed random numbers from Phase 1 are provided to the service providers in a given jurisdiction. Each service provider internally decrypts the random number, re-calculates the derived secondary parameter/key, and returns this key to the authorized requester. The indexed random number is not returned. With the returned secondary keys, the authorized requester applies nested decryptions to the Phase 2 recovery information in the appropriate order to recover the original session/archive key.

    Without the intercepted, nested encryption (which is not given to the service providers), the service providers cannot recover the session/archive key. The role of the service providers is essential to recovery, but is independent of the session/archive key. IBM SecureWay key recovery technology is collusion resistant.

    At the same time that the two-part recovery information is being calculated, optional pre-authorization information can be calculated in a similar fashion and added to the recovery information. The original participants have exclusive knowledge of the pre-authorization information, in case the participants later require recovery of a destroyed key.

    The duties of the key recovery service providers are two-fold:

    Select a public/private key pair and provide the public key, holding the private key in secret.

    When requested and authorized, apply the private-key decryption to the encrypted recovery information provided by the requesting authority. >From the (indexed) random number decrypted, calculate the secondary parameter/key, which is then returned to the requesting authority.

    IV. Conclusion.

    In summary, the 'key' benefits of the key recovery technology are:

  • Scaleability for global use in network computing environments

  • Low preparation overhead

  • Flexibility to work with all encryption algorithms and key lengths

  • Self-contained: no communication with an agent or third party

  • Transparent operation to end users

  • No single point of attack

  • Key recovery within multiple jurisdictions

  • Interoperability with jurisdictions not supporting key recovery

  • No key parts exposed outside the cryptographic facility

  • Collusion resistant

  • Pre-authorization for communicating parties to perform key recovery

  • Exploits elliptic curve public-key schemes (performance boost)

  • Enables global exploitation of strong encryption (re: import/export/usage restrictions)