Key recovery in a business environment

Konstantinos Rantos

(2001)

Konstantinos Rantos (2001) Key recovery in a business environment.

Abstract

This thesis looks at the use of key recovery primarily from the perspective of business needs, as opposed to the needs of governments or regulatory bodies. The threats that necessitate the use of key recovery as a countermeasure are identified together with the requirements for a key recovery mechanism deployed in a business environment. The applicability of mechanisms (mainly designed for law enforcement access purposes) is also examined. What follows from this analysis is that whether the target data is being communicated or archived can influence the criticality of some of the identified requirements. As a result, key recovery mechanisms used for archived data need to be distinguished from those used for communicated data, and the different issues surrounding those two categories are further investigated. Two mechanisms specifically designed for use on archived data are proposed. An investigation is also carried out regarding the interoperability of dissimilar key recovery mechanisms, when these are used for encrypted communicated data. We study a scheme proposed by the Key Recovery Alliance to promote interoperability between dissimilar mechanisms and we show that it fails to achieve one of its objectives. Instead, a negotiation protocol is proposed where the communicating parties can agree on a mutually acceptable or different, yet interoperable, key recovery mechanism(s). The issue of preventing unfair key recovery by either of two communicating parties, where one of the parties activates a covert channel for key recovery by a third party, is also investigated. A protocol is proposed that can prevent this. This protocol can also be used as a certification protocol for Diffie-Hellman keys in cases where neither the user nor the certification authority are trusted to generate the user’s key on their own. Finally, we study the use of key recovery in one of the authentication protocols proposed in the context of third generation mobile communications. We propose certain modifications that give it a key recovery capability in an attempt to assist its international deployment given potential government demands for access to encrypted communications.

Information about this Version

This is a Published version
This version's date is: 01/11/2001
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/d9b7c233-3ee8-8090-bf5a-298e439c031c/1/

Item Type: Monograph (Technical Report)
Title: Key recovery in a business environment
Authors: Rantos, Konstantinos
Departments: Faculty of Science\Mathematics

Deposited by () on 15-Jul-2010 in Royal Holloway Research Online. Last modified on 09-Dec-2010.
