A group of 11 cryptographers and computer scientists released a report today that casts doubt on the economic and technological feasibility of the Clinton administration's goal to establish a worldwide system to crack encrypted messages.
"The deployment of a global key-recovery-based infrastructure to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end user," states the report, which is available at Crypto.com. "Building the secure infrastructure of the breathtaking scale and complexity demanded by these requirements is far beyond the experience and current competency of the field."
Current federal policy requires users of strong encryption--a set of mathematical codes that scramble text into gibberish--to store the unscrambling "keys" in a system that would give law enforcement officials access to them with a court order. This unscrambling process, called "key recovery," must be built in to all strong encryption shipped out of the United States.
Users and producers of encryption software agree that key recovery is a useful tool in case a user forgets his key, misplaces it, or is incapacitated. But opponents of the federal policy argue that systems providing third-party access without the keyholder's knowledge should not be mandatory.
The report, which its authors stress is not politically motivated, nonetheless comes at a time when both houses of Congress are debating legislation that seeks to overturn most of the restrictions on encryption.
Proponents of the bills--"Pro-Code" in the Senate and the "SAFE Act" in the House--are struggling to keep the bills from being watered down as they wind their way through committees. The two bills face an almost certain presidential veto if passed in their present form.
"This report provides an important context in the debate," said Jonah Seiger of the online rights advocacy group Center for Democracy and Technology.
Rep. Zoe Lofgren (D-California), who is helping shepherd the SAFE bill through House committees, thinks the report will be valuable in swaying members of Congress who have not yet backed either SAFE or Pro-Code in the Senate.
"It'll be part of our arsenal of facts," representative Lofgren said today from her office. "Coupled with what Sun was able to do earlier this week, this report paints a picture of what's afoot and why."
Sun Microsystems announced Monday that it would circumvent U.S. export controls by using Russian-made encryption without key recovery in its SKIP security products.
The SAFE bill, currently in the House international relations committee, now has 114 co-sponsors, according to Lofgren. 218 votes are needed to pass the bill. Lofgren expects a markup in the IR committee by early July.
The report acknowledges that key recovery is a viable means of obtaining stored information. But it objects to key-recovery systems that are set up to accommodate fast, 24-hour-a-day access without notification of the keyholder.
Because such systems would amass collections of keys in centralized locations--usually under the auspices of a federally sanctioned third party--key recovery would in fact increase a keyholder's security risk, the report said.
"In many key-recovery systems, the theft of a single private key [or small set of keys] held by a recovery agent could unlock much or all of the data of a company or individual," the report says. "The key-recovery infrastructure will tend to create extremely valuable targets, more likely to be worth the cost and risk of the attack."
One way to decentralize storage is to split a key into many pieces, but this and other methods also increase the amount of time it takes to recover the key. Authorities want access to encrypted data within two hours of presenting a court order, according to the report. Such quick turnaround would in turn require a more expensive infrastructure, one that could present a hacker with weak links of entry.
"Regardless of how many times a key is split, law enforcement's demand for timely access will still require the development of fast systems for the recovery of key parts. Both the systems for key part assembly, and the ultimate whole key assembled for law enforcement, will present new points of vulnerability."
In addition, the report says, a two-hour turnaround in a worldwide system would compromise the checks and balances that prevent willful or accidental handover of the wrong keys.
Noting that the Clinton administration has promised to let marketplace solutions drive its key-recovery plans, the report questions the commercial need for key recovery for on-the-fly communication such as cellular phone conversations, faxes, or email.
"Key recoverability is a potentially added-value feature in certain stored data systems...There is hardly ever a reason for an encryption user to want to recover the key used to protect a communication session," it says.
The following scientists are among the 11 who signed the report: Harold Abelson, professor of electrical engineering and computer science at MIT; Steven Bellowin, researcher of cryptography and security at AT&T; Josh Benaloh, cryptographer at Microsoft; Matt Blaze, principal research scientist at AT&T; John Gilmore, cofounder of the Electronic Frontier Foundation and the Cypherpunks; Peter Neumann, principal scientist at SRI; Ronald Rivest, MIT professor and cofounder of RSA Data Security; Jeffrey Schiller, network manager at MIT; and Bruce Schneier, president of Counterpane Systems and creator of the Blowfish encryption algorithm.