The proliferation of public cryptographic systems is a newly emerging phenomena. Only very recently are such systems being considered for widespread acceptance in the public domain. For many years cryptography was viewed as a tool solely for the military, of spies, and of diplomats. It has been the dawning of the information age, which has pushed these systems into the light of day. Indeed, our society is becoming so very dependent on information that the importance of protecting this information has become a vital social need. However, the introduction of cryptographic technology into the commercial or public sector has been met with some skepticism. This has been continuously complicated by various government attempts to control and regulate cryptographic systems for public usage. Indeed, there are numerous problems associated with public use of cryptographic systems. These problems include a wide range of different questions including legal liability issues, economic viability, national security, and even constitutional freedom-of-speech issues. There are direct conflicts that occur between the governmental need to be able to perform information gathering for national security and the need of the private sector to protect information from espionage or sabotage. Classes of cryptographic applications that are centrally related to the overall problem of public use of cryptographic technology include those that are associated with the related subjects of key distribution and key storage and retrieval.
There has been some reluctance in the public sector for the general use of cryptographic systems for day to day office applications. In part, this may be due to the potential risk of losing cryptographic keys resulting in permanent data loss. This results in the storage of keying material that must be carefully safeguarded. Indeed, it can be argued that the keying material may be more important to safeguard than the material the keys are protecting. Key storage cannot reliably depend on human memory, for instance. Unfortunately, if the keys are presumed to be “well-chosen” then the keys are not very easy for a human to conveniently remember. Therefore the keys must be stored somewhere. The keys may be physically stored, such as in a safe. In this case, the keys are stored on removable media, a physical device such as a smart card, or perhaps on paper. Alternatively, the keys may be electronically safeguarded. The keys may be permanently stored in an embedded physical device (such as in the U.S. Government's proposed Clipper chip) or electronically maintained in a secure manner by cryptographic protection methods. The later means that some other key or keys must then be in use by the secure system storing the key material. This secondary set of keys are referred to as Master Keys.
There may also be a large number of keys to manage and store. Keys that are stored electronically must likewise be protected. Consequently, a major concern associated with the storage of keying material is the simple loss of the keying information. Once data has been encrypted using a modern cryptographically secure cryptographic system, if for any reason the keys are lost, then all data thus encrypted is, for all practical purposes, totally unretrievable. One proposed application for the limited one-way algorithm is the possibility of creating a key retrieval system that permits keys to be reproduced based on a predetermined and controllable cost function.
A fundamental objective of modern cryptography is to construct data encryption systems, which preclude data recovery without possession of privately held keying information. The primary goal of the design of these systems is to insure that recovery of encrypted information without possession of the associated keying information is an intractable problem. The use of cryptography and cryptographic techniques has only started gaining widespread acceptance in the general commercial information industry in the last few years. Outside the banking and financial industries, little use is still made of this technology for the purpose of general information storage and retrieval, especially for day to day operations. There continues to be a reluctance to use encryption except where absolutely necessary. One reason for this reluctance is that data once encrypted cannot be recovered without the keys. Lose the keys and one also loses the information. This, in part, is what motivates the notion of Key Escrow Systems.
The term Key Escrowing has recently emerged in the literature in reference to systems which are intended to provide the capability for cryptographic key storage and retrieval. These systems are also frequently referred to as Key Recovery Systems. Considerations for the design of such systems were largely ignored in the literature; that is until controversy arose over government proposals concerning public standards and legislation that would have required the creation of a national system for the mandatory escrowing of cryptographic keys. This would therefore require the creation of a national system of key depositories and the associated infrastructure that would be required. The debate sparked a very emotional dialogue due to the potential that such requirements might have for enormous economic impact, as well as potentially serious social consequences. Government requirements for key escrow stem from the desire of the government to restrain the propagation of strong cryptographic systems or, at a minimum provide a mechanism where the government can retain the ability to break those systems. Concerns for the needs of national defense as well as the needs of law enforcement drive the government requirements. Products containing strong encryption technology are beginning to be marketed on a global basis. The desire of government is to have mechanisms, such as key escrow, incorporated into products in order to enable the breaking of these otherwise unbreakable cryptosystems.
The controversy is that the government requirements for a national Key Escrow system are considered to be very expensive and prohibitively difficult to perform. Due to the sheer size and complexity of such a system, it may be impossible to insure security. The key escrows themselves become tempting targets for exploitation or for terrorist attack.
Key escrow is not simply a government initiative. The notion of key recovery also does have very important commercial applications. Corporations, for instance, have a large economic interest in protecting their internal information from industrial espionage. It would be preferred that internal company documentation be protected by encryption as a normal course of business. A problem stems from the large number of individuals involved and the transient nature of individual employment in this society. It may be several years from when data was stored until such time as it is retrieved. Employees may leave the company. Employees may encrypt data and then lose the keys. It may be difficult to identify and associate an employee with the data. In these circumstances, highly valued information may be permanently lost with serious impact on the corporation or company involved. Therefore, it is important that the cryptographic keying material associated with data archived into permanent storage be retained in a manner that permits the recovery of that data when needed. This needs to be accomplished in a reliable, yet secure manner.
The basic problem is that the mere existence of a database of keying information presents a fundamental security concern. The value of the key database itself is equal to that of the data that it protects. Therefore, a key database represents a high priority target for would be attackers. Undetected intrusion is a special concern. Moreover, such a database also potentially represents a tremendous potential for abuse by properly authorized parties who have access to it. Anyone who has master key access to the key database may freely read any of the information protected by any of the keys stored therein. Moreover, an otherwise authorized individual with access to this database may even use the keying information to alter or forge documents without the ability of the original document author to detect the change.
Key Escrow Systems are cryptographic systems used to store cryptographic keying material in a secure manner. These systems have requirements that are unique from other cryptographic systems. Abuse of access to cryptographic key material by authorized users has been largely ignored and methodologies for dealing with this problem have heretofore not been addressed. One of these possible methodologies, imposition of a key withdrawal cost function, is now under consideration.