Experts pan administration's key-recovery infrastructure

A group of leading cryptographers issued a report sharply criticizing the government's key-recovery infrastructure as substantially vulnerable to misuse and costly for end users.

The report the first analysis of the technical aspects of the Clinton administration's controversial plan to provide law enforcement access to encrypted data concludes that building a system with the complex federal requirements exceeds the current ability of encryption experts.

"Our conclusion is that key-recovery systems of the kind the government proposes are extraordinarily hard to design extraordinarily hard to build and extraordinarily hard to operate safely " said Matt Blaze principal research scientist at AT&T Research and one of the 11 cryptographers who contributed to the report. "In almost every aspect of the design and implementation of these systems there will be very high costs " Blaze said. "Key recovery takes encryption technology which we know how to do essentially for free and converts it into technology that would be quite expensive. The risks of unauthorized disclosure in a key-recovery system are much greater than those in a non-key-recovery system."

In the study "The Risks of Key Recovery Key Escrow and Trusted Third-Party Encryption " the cryptographers considered only the impact of the technical requirements needed to provide law enforcement access to the keys needed to decrypt data. The authors of the report - from such private-industry giants as Hewlett-Packard Co. Microsoft Research and Sun Microsystems Inc. and from academia - did not take into consideration the varying details of government proposals such as what entity would hold copies of user keys needed to decrypt information.

Blaze said the group neither endorses nor condemns the administration's proposed policy. The report was coordinated but not funded by the Washington D.C.-based Center for Democracy and Technology. Solveig Bernstein associate director of telecommunications and technology studies at the Cato Institute a conservative Washington D.C. think tank said the report will have a significant impact on the policy debate whirling about encryption and key recovery.

"The whole question of whether it's really going to be possible to build a mass-market infrastructure is a question that the existing analysis hasn't addressed " Bernstein said. "The idea that it isn't possible will have to be faced squarely. This report puts that issue squarely on the table. This is something that Congress can really possibly sink its teeth into and use as a foundation for some serious reform."

Clinton administration officials said the authors misrepresented the administration's policy in the report. While the federal government will have a single key-recovery infrastructure the administration does not envision a single massive government-led global infrastructure said William Reinsch undersecretary of Commerce for export administration. Instead the private-sector infrastructure likely will be market-driven and will consist of several smaller key-recovery systems.

"[The report] sets up a lot of straw men and it knocks them down " Reinsch said. "This is not going to be an infrastructure that is going to be designed for law enforcement it will be designed for electronic commerce. I don't think most of their assumptions are accurate about what we have in mind."

The government's requirements for key recovery that the report takes into account are a mechanism outside the primary means of encryption and decryption by which a third-party can unscramble data and the existence of a secret key that must be secured for an extensive period of time. Law enforcement requirements also include access to keys without user notification or consent.

Risks associated with key-recovery systems include improper disclosure of keys and the theft of valuable information according to the report. The complexity of the design of key-recovery systems also could introduce new risks. It is possible that such systems would have design or operational flaws that would allow the recovery of data by unauthorized parties the report says.

The unique requirements also may result in exorbitant costs to end users according to the report. For example while commercial users primarily are interested in recovering encrypted stored data the government also would require access to encrypted communications traffic such as telephone calls Internet links and fax transmissions. The government also requires access to keys within two hours according to the Commerce Department and access without the knowledge of the user. These two requirements need the participation of a "trusted third party" to hold the key thereby increasing operational costs.

Additional costs include product design and testing for the complex widespread global infrastructure that officials have said they envision and for government oversight to monitor test and approve key-recovery products.

"Without government-driven key recovery encryption systems can easily be fielded in a way that is transparent to the user " the report concludes. "Highly secure communication and storage need require nothing further than the purchase of a reputable commercial product. This is already happening at negligible cost to the user. In contrast the use of a secure key-recovery system requires at least some additional user effort diligence or expense."

In March the administration began circulating a draft form of a bill that would legislate its key-recovery plan but so far it has not been introduced in Congress. Two other bills designed to eliminate the key-recovery requirements from rules governing the export of encryption products are now being considered by Congress.