[cryptography] Key escrow 2012

mheyman at gmail.com mheyman at gmail.com
Fri Mar 30 12:15:42 EDT 2012


On Thu, Mar 29, 2012 at 6:38 PM, Jon Callas <jon at callas.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Mar 29, 2012, at 2:48 PM, mheyman at gmail.com wrote:
>
>> On Tue, Mar 27, 2012 at 1:17 PM, Nico Williams <nico at cryptonector.com> wrote:
>>> On Tue, Mar 27, 2012 at 5:18 AM, Darren J Moffat
>>>>
>>>> For example an escrow system for ensuring you can decrypt data written by
>>>> one of your employees on your companies devices when the employee forgets or
>>>> looses their key material.
>>>
>>> Well, the context was specifically the U.S. government wanting key
>>> escrow.
>>>
>> Hmm - these are not mutually exclusive.
>>
>> Back in the mid to late 90s, the last time the U.S. government
>> required key escrow for international commerce with larger key sizes,
>> they allowed key escrow systems that were controlled completely by the
>> company. Specifically, they allowed Trusted Information System's
>> RecoverKey product (I worked on this one, still have the shirt, and am
>> not aware of any other similar products available at the time - PGP's
>> came later and was more onerous to use).
>>
>> RecoverKey simply wrapped a session key in a corporate public key
>> appended to the same session key wrapped with the user's public key.
>> If the U.S. Government wanted access to the data, the only thing they
>> got was the session key after supplying the key blob and a warrant to
>> the corporation in question. The U.S. government even allowed us to
>> sell RecoverKey internationally to corporations that kept their
>> RecoverKey data recovery centers offshore but agreed to keep them in a
>> friendly country.
>
> I'd have to disagree with you on much of that.
>
> The US Government never required key escrow for international commerce.
> Encrypted data was never restricted, what was restricted was the export of
> software etc....
>
So, your second sentence disagrees with your first? In the real but
rapidly changing world that existed back then, if you wanted to export
cryptographic software that used strong keys from the U.S., you needed
key escrow. Or, of course, you could publish a book of your source
code ;-) (although that wasn't proven legal until 1999).
>
> Amusingly, I ended up having TIS's RecoverKey under my bailiwick because
> Network Associates bought PGPi and then TIS. The revenues from it were
> so small that I don't think they even covered marketing material like that shirt
> you had. In a very real sense, it didn't exist as anything more than a proof-of-
> concept that proved the concept was silly.
>
What do you mean 'had', I still have the shirt!

No argument on the silliness but if the government hadn't relaxed the
rules and you had a pile of non-U.S. installations of Microsoft
applications (Outlook, IE, and other code using the Microsoft
CryptoAPI) and you wanted strong crypto, then RecoverKey was the
_only_ option. Now, back then, most internationals were happy with the
Microsoft's base cryptographic service provider (512-bit RSA key
exchange, 40-bit RC2, 40-bit RC4, DES(-40?)). Deep Crack was changing
that but then, probably because of Deep Crack, impending rule changes
made RecoverKey almost irrelevant.
>
> Also, there wasn't a PGP system. The PGP "additional decryption key" is
> really what we'd call a "data leak prevention" hook today, but that term
> didn't exist then.
>
I was just using the PGP additional decryption key design as an
example of something that used a similar technique of encrypting the
session key under more than one public key.

As for data leak prevention, that isn't what we other Network
Associates employees heard back then. We were told and used the PGP
ADK thing as if it would help us when we lost our private keys (along
with protecting the company from employees that try to hold data
hostage). I remember trying to get company officers to get their key
shares together to please please please recover my backup encrypted
volume. Alas, I had no success and had to do a few weeks of scrambling
to recover the old fashioned way. I admit I was  young, naive, and
tainted by having worked on RecoverKey where the data recovery center
sat in a room with a modem happily waiting for me to recover my own
keys.

Yes, RecoverKey was never much more than a commercial grade
proof-of-concept. But, it was well thought out, satisfied a real,
albeit an artificially-created-by-stupid-policy need, and it did work
as advertised.
----
-Michael Heyman



More information about the cryptography mailing list