In the last issue of ICSA NEWS we discussed the problems facing organizations who want to use strong encryption to protect information traveling internationally, particularly via the Internet. Shortly after the last issue of ICSA NEWS went to the printer, Trusted Information Systems, Inc. (TIS) of Glenwood, Maryland, announced a Key Recovery Technology designed to provide emergency recovery of encryption keys for individuals, corporations, and governments. This is technology that enables anyone, but especially multinational companies, to encrypt worldwide communications with the blessing of the U.S. government.
This is now possible because of the U.S. government's new escrowed encryption initiative, which allows any cryptographic product with a key length of up to 64 bits to be exported, if it includes a commercial key escrow feature providing emergency access to encryption keys for court-approved law enforcement and national security reasons. According to Bill Sweet, Vice President of CKE Marketing at TIS, the government's new escrowed encryption initiative is analogous to keeping a spare car key in a safe place that you select. The key is available to you or your company with proper authorization, or to a court-authorized governmental agency pursuing a criminal investigation. Unlike previous government-approved schemes, this one does not require that the government itself hold the keys.
The technology developed by TIS can be implemented by Cryptographic Service Provider (CSP) vendors in one of two forms: exportable Commercial Key Escrow (CKE) technology for international deployment, or non exportable Commercial Key Recovery (CKR) technology for domestic-only deployment. Both implementations escrow an encrypted Data Recovery Field (DRF) within the message or file itself. The DRF contains a specially encrypted copy of the one-time session key used to encrypt the message or file, plus a sender identifier and a plaintext Data Recovery Center (DRC) identifier. The Data Recovery Center is only accessed by users during initial registration and data recovery, because a DRC does not store any of the user's session keys or private encryption keys, and is never given copies of messages sent.
If this is sounding complicated, consider Sweet's analogy of the realtor's lockbox typically found on a home for sale. Imagine a lockbox on the "front door" of every message encrypted by a user, with a spare copy of the session key inside, and with the lockbox key residing in the DRC. Imagine that the lockbox can easily be locked by the user, but that only the realtor (DRC) can open it with his/her private key. Normally, senders and receivers of encrypted messages use the "front door lock" with their own private encryption keys. The lockbox remains unused until someone loses his/her keys. Whoever lost his/her key goes to the DRC, authenticates his/her access rights, and the DRC unlocks the "lockbox" and hands over the "spare key." The DRC only possesses one set of lockbox keys, plus the list of the people and corporations using that DRC's lockbox services.
The advantage to the TIS technology is that no one needs to escrow his private key, and Data Recovery Center administration is relatively simple. The TIS Key Recovery Technology presents a sharp contrast to conventional private-key escrow proposals, which require users to send a copy of their personal private encryption key(s) to a central location, such as a bank or other public escrow facility. Another major advantage of the technology is that CKE and CKR present a systematic approach to the recovery process that is independent of applications and computer platforms, unlike ad hoc application-specific schemes.
Standard RSA public key cryptographic technology is used for authentication of DRCs and escrowing of session keys, but only the private key of a Data Recovery Center can unlock the DRF, which can then be used to decrypt the message. The TIS technology provides backup recovery of encrypted messages (or archived files) for users who have lost or damaged their keys, corporations who have lost their employees, or for law enforcement agencies or officers who have properly executed court orders. CKE is designed to satisfy U.S. government requirements for Department of Commerce commodity jurisdiction export permission to most countries of the world except those on the U.S. State Department restricted list. With CKE enabled, cryptography vendors may export software encryption products with keys of up to 64 bits. One of the first products licensed for export with this new technology is the TIS Gauntlet Internet Firewall version 3.2, which provides a Global Virtual Private Network (GVPN) by using the 56-bit Data Encryption Standard (DES) to encrypt the Internet Protocol layer of the communications stream among firewalls. TIS is the first company to obtain such export permission for 56-bit DES-encrypted firewalls, and has been able to obtain export permission by using CKE Key Recovery Technology. CKE meets the following U.S. government requirements:
If the DRC certificates of each recipient are valid and acceptable to the sender, a random symmetric encryption session key (generally 56-bit single DES) is generated and used to encrypt the message. This session key is encrypted with the public key of each recipient, and is sent to the recipient as his/her normal key exchange process to permit unlocking the message at the other end. Then comes the escrow process. An escrowed copy of the session key is created for each participant by concatenating the session key with the 32-bit Access Rules Index (ARI) for the participant and then encrypting the result with the public key of the participant's designated DRC, and attaching a plain text identifier for that DRC. A DRC Verification String (DVS) is then constructed for each participant by concatenating the public key of his/her DRC with his/her ARI, and then encrypting the result with the session key. All of these key elements-the encrypted session key for normal access, the DRF, and the DVS for each participant-are collected together into "keyblobs" and attached to the encrypted message. These keyblobs go anywhere the message or file is sent (including archival storage).
On the receiving side of the message, a user's CSP first retrieves the session key from the key blob using his/her private key. It then uses the session key to unlock the sender's and that one receiver's DVSs to retrieve the DRC public keys and ARIs. Using this information -- the session key, and the ARIs and DVSs for the sender and the receiver -- the appropriate DRFs are calculated by the receiver's CSP. If the newly calculated results match those transmitted, the normal message decryption process may proceed. That is, the session key is used to decrypt the message, and other public key authentication checks are made in the normal fashion.
Since CKE-enabled CSPs may use any CKE-authorized DRC in any country, regardless of sender and receiver location, multinational corporations can mandate that all recipients of a secure message must designate a DRC or DRCs stipulated by the corporation. When picking a country for the DRC locations, corporations also pick the legal system to protect access to the DRC. Because the sender controls all the basic CKE key recovery and escrow decisions, and because the CKE system is as tamper-resistant as presently possible, organizations can be assured that the security of their most valuable assets is both globally deployable, and safe from competitors, pirates, hackers and criminals.
There is a less restrictive variant of the TIS Key Recovery Technology, called Commercial Key Recovery (CKR). This does not meet the U.S. government requirements for export of strong encryption, but could be valuable to organizations desiring the stronger encryption capabilities allowed within the United States. CKR eliminates the government export restrictions that have little commercial security value and assumes that users are not motivated to defeat the key recovery functionality. Data Recovery Center functionality is similar to that of CKE. But since government export requirements are not a factor, CKR allows users to select those CKE features they desire. It also allows users to eliminate those they feel are burdensome, or expensive, such as double-ended escrow and checking for proper DRF generation at the receiving end. The key recovery function may be turned on, or off, at the discretion of the user or the user's organization.
TIS will be sharing this new technology through application developers
and CSP vendors. For more information, visit the TIS web site at www.tis.com.
We will watch this technology with interest as it may satisfy the reservations
that many commercial users have expressed about previous government key
escrow schemes.
Retirado do site: http://www.icsa.net/library/research/b.shtml em jul/99