Federal Register Vol. 59, No. 27 announced approval of Federal Information Processing Standards Publication 185 (FIPS-185), Escrowed Encryption Standard (EES). This standard specifies a technology developed by the Government of the United States of America for providing strong encryption of unclassified information and for escrowing the keys used. This latter feature assists law enforcement agencies and other government agencies, under proper legal authority, in the collection and decryption of electronically transmitted information.
Key escrow technology was developed to address the concern that widespread use of encryption would hinder lawfully authorized electronic surveillance. In the past, law enforcement authorities have encountered very little encryption because of the expense and difficulty in using this technology. More recently, however, low-cost encryption technology has become commercially available to all. The key escrow technology provided by FIPS-185 addresses the needs of the private sector for secure cryptography and the needs of U.S. law enforcement to conduct lawfully authorized electronic surveillance.
FIPS-185 specifies use of a symmetric-key encryption (and decryption) algorithm and a Law Enforcement Access Field (LEAF) creation method which allows the decryption of encrypted telecommunications by authorized law enforcement agencies.
The definition of "escrow" in the present invention is the delivery to a third person of an item that is to be given to a grantee only upon the fulfillment of a condition. Therefore, a key escrow system is one that entrusts one or more components comprising a cryptographic key to one or more key-component holders (i.e., escrow agents). The key-component holders provide the components of a key to a "grantee" (e.g., a law enforcement official) only upon fulfillment of the condition that the grantee obtain proper legal authorization to conduct electronic surveillance of a particular device whose key is being requested. The key components obtained through this process are then used by the grantee to obtain the session key used by the particular device. The session key is then used to decrypt the message sent by the device of interest.
Data for purposes of this patent application includes voice, facsimile, and computer information communicated in a telephone system.
The following terms are used as defined below: a) decryption is the conversion of ciphertext to plaintext through the use of a cryptographic algorithm; b) digital data is data that have been converted to a binary representation; c) encryption is the conversion of plaintext to ciphertext through the use of a cryptographic algorithm; d) key components are the parts from which a key may be derived; e) key escrow is the process of managing (e.g., generating, storing, transferring, auditing) the components of a cryptographic key by key component holders; and f) LEAF creation method is a part of a key escrow system that is implemented in a cryptographic device and creates a Law Enforcement Access Field.
FIPS-185 requires the following functions, at a minimum, to be implemented: a) data encryption, where a session key is used to encrypt plaintext information in one or more modes of operation specified in FIPS-81 (i.e., electronic codebook, cipher block chaining, output feedback, and cipher feedback); b) data decryption, where the session key used to encrypt the data is used to decrypt resulting ciphertext to obtain the data; and c) LEAF creation, where a family key and a unique key are used to create a Law Enforcement Access Field (LEAF) in accordance with a LEAF Creation Method, and where the LEAF is transmitted in a way that allows it to be decrypted with legal authorization.
FIPS-185 requires the use of the following parameters: a) a device unique identifier (UID), where the UID is unique to a particular device, and where the UID is used by the Key Escrow System; b) a device unique key (KU), where KU is a cryptographic key that is unique to a particular device and used by the Key Escrow System; c) cryptographic protocol field (CPF), where CPF is the field identifying the registered cryptographic protocol used by a particular application and used by the Key Escrow System; d) escrow authenticator (EA), where EA is a binary pattern that is inserted in the LEAF to ensure that the LEAF is transmitted and received properly and has not been modified, deleted, or replaced in an unauthorized manner; e) initialization vector (IV), where IV is a mode and application dependent vector of bytes used to initialize, synchronize, and verify the encryption, decryption, and key escrow functions; f) family key (KF), where KF is the cryptographic key stored in all devices designated as a family that is used to create a LEAF; g) session key (KS), where KS is the cryptographic key used by a device to encrypt and decrypt data during a session; and h) Law Enforcement Access Field (LEAF), where LEAF is the field containing the encrypted session key, the device identifier, and the escrow authenticator.
The LEAF is transmitted with the ciphertext. The device unique key is composed of two components, where each component is independently generated and stored by an escrow agent. The session key used to encrypt transmitted information is used to decrypt received information.
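The LEAF structure and the two-component escrow of KU described in the preceding paragraphs are modelled below. This is an added illustration, not code from the standard or from the patent: the real EES uses a specific block cipher and LEAF format that are not reproduced here, so a keyed-hash stream construction (HMAC-SHA256 keystream) stands in for the cipher, and the field widths, the EA computation, and the rule that the two escrow components combine by XOR are assumptions made for the example. It shows the three pieces a practitioner would want to see together: each escrow agent independently generating and holding one component of KU, the device building LEAF = E_KF(E_KU(KS) || UID || EA), and recovery succeeding only when the EA check passes and both agents release their components under authorization for that UID.

```python
"""Toy model of the FIPS-185 LEAF and two-agent key escrow (added example)."""
import hashlib
import hmac
import os

KEY_LEN = 16  # assumed width of KS, KU and KF
UID_LEN = 4   # assumed width of the device unique identifier
EA_LEN = 4    # assumed width of the escrow authenticator
IV_LEN = 8    # assumed IV width


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream.
    The same call encrypts and decrypts, as with the symmetric keys in EES."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return xor(data, bytes(stream))


def escrow_authenticator(kf: bytes, payload: bytes) -> bytes:
    """EA: short keyed tag under the family key, so any device holding KF can
    detect a LEAF that was modified, deleted or replaced (assumed construction)."""
    return hmac.new(kf, b"EA" + payload, hashlib.sha256).digest()[:EA_LEN]


class EscrowAgent:
    """Key-component holder: generates and stores one component of KU per UID and
    releases it only when the authorization presented names that UID."""

    def __init__(self, name: str):
        self.name = name
        self._components = {}

    def generate_component(self, uid: bytes) -> bytes:
        component = os.urandom(KEY_LEN)          # generated independently by this agent
        self._components[uid] = component
        return component

    def release(self, uid: bytes, authorization_for_uid) -> bytes:
        if authorization_for_uid != uid:          # the escrow condition is not met
            raise PermissionError(f"{self.name}: no valid authorization for this UID")
        return self._components[uid]


def provision_device(uid: bytes, agent_a: EscrowAgent, agent_b: EscrowAgent) -> bytes:
    """KU is derived from the two independently generated components (assumed: XOR);
    the device holds KU, each agent holds only its own component."""
    return xor(agent_a.generate_component(uid), agent_b.generate_component(uid))


def create_leaf(kf: bytes, ku: bytes, uid: bytes, ks: bytes, iv: bytes) -> bytes:
    """LEAF = E_KF( E_KU(KS) || UID || EA ), transmitted alongside the ciphertext."""
    inner = toy_cipher(ku, iv, ks)
    ea = escrow_authenticator(kf, inner + uid + iv)
    return toy_cipher(kf, iv, inner + uid + ea)


def verify_leaf(kf: bytes, leaf: bytes, iv: bytes):
    """What any receiving device can do with KF alone: open the outer layer and
    check EA. Returns (E_KU(KS), UID); KS itself stays protected by KU."""
    payload = toy_cipher(kf, iv, leaf)
    inner, uid, ea = payload[:KEY_LEN], payload[KEY_LEN:KEY_LEN + UID_LEN], payload[KEY_LEN + UID_LEN:]
    if not hmac.compare_digest(ea, escrow_authenticator(kf, inner + uid + iv)):
        raise ValueError("LEAF failed escrow-authenticator check")
    return inner, uid


def recover_session_key(kf: bytes, leaf: bytes, iv: bytes, agents, authorization_for_uid) -> bytes:
    """Grantee path: verify the LEAF, obtain both components for the UID it names,
    rebuild KU, and decrypt the inner field to obtain KS."""
    inner, uid = verify_leaf(kf, leaf, iv)
    components = [agent.release(uid, authorization_for_uid) for agent in agents]
    ku = xor(components[0], components[1])
    return toy_cipher(ku, iv, inner)


def demo() -> dict:
    kf = os.urandom(KEY_LEN)                                  # family key shared by all devices
    agent_a, agent_b = EscrowAgent("agent A"), EscrowAgent("agent B")
    uid = b"\x00\x00\x00\x2a"                                 # constructed device identifier
    ku = provision_device(uid, agent_a, agent_b)

    ks, iv = os.urandom(KEY_LEN), os.urandom(IV_LEN)          # per-session key and IV
    message = b"constructed plaintext message"
    ciphertext = toy_cipher(ks, iv, message)
    leaf = create_leaf(kf, ku, uid, ks, iv)

    result = {}
    try:                                                      # no authorization: agents refuse
        recover_session_key(kf, leaf, iv, (agent_a, agent_b), None)
        result["unauthorized_refused"] = False
    except PermissionError:
        result["unauthorized_refused"] = True

    recovered = recover_session_key(kf, leaf, iv, (agent_a, agent_b), uid)
    result["recovered_ok"] = recovered == ks
    result["plaintext"] = toy_cipher(recovered, iv, ciphertext)

    tampered = leaf[:-1] + bytes([leaf[-1] ^ 0x01])           # one flipped bit in the LEAF
    try:
        verify_leaf(kf, tampered, iv)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The separation between `verify_leaf` and `recover_session_key` is the point worth noticing: a receiving device in the same family can confirm with KF that a well-formed, unmodified LEAF accompanies the ciphertext, but the session key is reachable only by combining both escrowed components, which neither agent alone can supply.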
The escrowed encryption standard described in FIPS-185 uses symmetric keys (i.e., keys that are used for both encryption and decryption). The symmetric keys, which are stored in the device, are subject to reverse engineering. The present invention discloses an escrowed encryption device and method that does not require the storage of a secret key; instead, it uses public key techniques to transmit to, and store in, the device a public version of the key. Because no secret key is stored, the device is not susceptible to reverse engineering, and from a security standpoint the present invention is substantially stronger than a symmetric-key escrowed-encryption system.
The closest prior art would most likely be found amongst devices for and methods of creating an access code. For example, the prior art may include U.S. Pat. Nos. 4,304,961 (entitled "AUTHENTICATOR CODE GENERATOR"), 4,908,861 (entitled "DATA AUTHENTICATION USING MODIFICATION DETECTION CODES BASED ON A PUBLIC ONE WAY ENCRYPTION FUNCTION"), and 4,965,827 (entitled "AUTHENTICATOR"). One difference between these patents and the present invention is the manner in which the secure transformation is accomplished. Another difference is the public-key processing contained in the present invention that is not contained in these prior art patents.
U.S. Pat. No. 5,276,737, entitled "FAIR CRYPTOSYSTEMS AND METHODS OF USE," discloses a cryptosystem that requires the users to break a traffic key into shares. Each share would then be held by a trustee so that no one trustee could reconstruct the traffic key. Each trustee is provided with information that would enable each trustee to independently verify that the trustee is in possession of a share of a traffic key. The present invention differs from U.S. Pat. No. 5,276,737 in that the present invention does not require that the traffic key be broken into shares and given to trustees. Also, the present invention does not provide trustees with information that would enable them to independently verify that they hold a share of the traffic key.