The objective of a key escrow encryption system is to provide encryption of user traffic (e.g., voice or data) such that the session keys used for traffic encryption are available to properly authorized third parties under special circumstances (“emergency access”). This grants third parties which have monitored user traffic the capability to decrypt such traffic. Wide-scale public interest in such systems arose when law enforcement agencies promoted their use to facilitate legal wiretapping of telephone calls to combat criminal activities. However, other uses in industry include recovery of encrypted data following loss of keying material by a legitimate party, or destruction of keying material due to equipment failure or malicious activities. One example of a key escrow system is given below, followed by more general issues.
(i) The Clipper key escrow system
The Clipper key escrow system involves use of the Clipper chip (or a similar tamper-resistant hardware device - generically referred to below as an escrow chip) in conjunction with certain administrative procedures and controls. The basic idea is to deposit two key components, which jointly determine an encryption key, with two trusted third parties (escrow agents), which subsequently allow (upon proper authorization) recovery of encrypted user data.
More specifically, encryption of telecommunications between two users proceeds as follows. Each party has a telephone combined with a key escrow chip. The users negotiate or otherwise establish a session key $K_S$ which is input to the escrow chip of the party encrypting data (near end). As a function of $K_S$ and an initialization vector (IV), the chip creates by an undisclosed method a data block called a law enforcement access field (LEAF). The LEAF and IV are transmitted to the far end during call set-up of a communications session. The near end escrow chip then encrypts the user data $D$ under $K_S$ producing $E_{K_S}(D)$, by a U.S. government classified symmetric algorithm named SKIPJACK. The far end escrow chip decrypts the traffic only if the transmitted LEAF validates properly. Such verification requires that this far end chip has access to a common family key $K_F$ (see below) with the near end chip.
The LEAF (see Figure 13.11) contains a copy of the session key encrypted under a device-specific key $K_U$. $K_U$ is generated and data-filled into the chip at the time of chip manufacture, but prior to the chip being embedded in a security product. The system meets its objective by providing third party access under proper authorization (as defined by the Key Escrow System) to the device key $K_U$ of targeted individuals.
To derive the key $K_U$ embedded in an escrow chip with identifier UID, two key components ($K_{C1}$, $K_{C2}$) are created whose XOR is $K_U$. Each component is encrypted under a key $K_{CK} = K_{N1} \oplus K_{N2}$, where $K_{Ni}$ is input to the chip programming facility by the first and second trusted key escrow agent, respectively. (Used to program a number of chips, $K_{Ni}$ is stored by the escrow agent for subsequent recovery of $K_{CK}$.) One encrypted key component is then given to each escrow agent, which stores it along with UID to service later requests. Stored data from both agents must subsequently be obtained by an authorized official to allow recovery of $K_U$ (by recovering first $K_{CK}$, and then $K_{C1}$, $K_{C2}$, and $K_U = K_{C1} \oplus K_{C2}$).
Disclosed details of the LEAF are given in Figure 13.11. Each escrow chip contains a 32-bit device unique identifier (UID), an 80-bit device unique key ($K_U$), and an 80-bit family key ($K_F$) common to a larger collection of devices. The LEAF contains a copy of the 80-bit session key $K_S$ encrypted under $K_U$, the UID, and a 16-bit encryption authenticator (EA) created by an undisclosed method; these are then encrypted under $K_F$. Recovery of $K_S$ from the LEAF thus requires both $K_F$ and $K_U$. The encryption authenticator is a checksum designed to allow detection of LEAF tampering (e.g., by an adversary attempting to prevent authorized recovery of $K_S$ and thereby $D$).
Figure 13.11: Creation and use of LEAF for key escrow data recovery.
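The key-component deposit and the LEAF-based recovery described above can be traced end to end in the following added example, which is not part of the original text. SKIPJACK is classified and the LEAF and EA methods are undisclosed, so `toy_cipher` and `toy_ea` are stand-ins chosen here (assumptions), and all function names are hypothetical; only the field sizes and the XOR relations come from the text.

```python
import hashlib, hmac, secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in for SKIPJACK (assumption): XOR with an HMAC-SHA256 keystream,
    # so the same call encrypts and decrypts. Handles data up to 32 bytes.
    return xor(data, hmac.new(key, label, hashlib.sha256).digest())

def toy_ea(k_s: bytes, iv: bytes, body: bytes) -> bytes:
    # Hypothetical 16-bit authenticator; the real EA method is undisclosed.
    return hmac.new(k_s, iv + body, hashlib.sha256).digest()[:2]

def program_chip(uid: bytes, k_n1: bytes, k_n2: bytes):
    """Programming facility: returns K_U and one encrypted component per agent."""
    k_c1, k_c2 = secrets.token_bytes(10), secrets.token_bytes(10)
    k_ck = xor(k_n1, k_n2)                          # K_CK = K_N1 xor K_N2
    enc1 = toy_cipher(k_ck, b"C1" + uid, k_c1)      # stored by agent 1 with UID
    enc2 = toy_cipher(k_ck, b"C2" + uid, k_c2)      # stored by agent 2 with UID
    return xor(k_c1, k_c2), enc1, enc2              # K_U = K_C1 xor K_C2

def recover_device_key(uid, k_n1, k_n2, enc1, enc2) -> bytes:
    """Authorized official: needs the stored data of BOTH escrow agents."""
    k_ck = xor(k_n1, k_n2)
    k_c1 = toy_cipher(k_ck, b"C1" + uid, enc1)
    k_c2 = toy_cipher(k_ck, b"C2" + uid, enc2)
    return xor(k_c1, k_c2)

def make_leaf(k_f, k_u, uid, k_s, iv) -> bytes:
    inner = toy_cipher(k_u, b"KS" + iv, k_s)        # 80-bit K_S under K_U
    body = inner + uid                              # followed by 32-bit UID
    # body plus 16-bit EA, all encrypted under the family key K_F
    return toy_cipher(k_f, b"LEAF" + iv, body + toy_ea(k_s, iv, body))

def open_leaf(leaf, iv, k_f, k_n1, k_n2, agent1: dict, agent2: dict):
    """Recover (UID, K_S) from a LEAF; agent1/agent2 map UID -> component."""
    plain = toy_cipher(k_f, b"LEAF" + iv, leaf)
    body, ea = plain[:14], plain[14:]
    uid = body[10:]
    if uid not in agent1 or uid not in agent2:
        raise ValueError("no escrow record for the UID in this LEAF")
    k_u = recover_device_key(uid, k_n1, k_n2, agent1[uid], agent2[uid])
    k_s = toy_cipher(k_u, b"KS" + iv, body[:10])
    if not hmac.compare_digest(ea, toy_ea(k_s, iv, body)):
        raise ValueError("LEAF authenticator mismatch")
    return uid, k_s
```

Note that a single escrow access yields $K_U$, and with it every session key the device ever wraps in a LEAF, which is the exposure the seventh property in the list below refers to.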
(ii) Issues related to key escrow
Key escrow encryption systems may serve a wide variety of applications, and a corresponding range of features exists. Distinguishing properties of escrow systems include:
1. applicability to store-and-forward vs. real-time user communications
2. capability of real-time decryption of user traffic
3. requirement of tamper-resistant hardware or hardware with trusted clock
4. capability of user selection of escrow agents
5. user input into value of escrowed key
6. varying trust requirements in escrow agents
7. extent of user data uncovered by one escrow access (e.g., limited to one session or fixed time period) and implications thereof (e.g., hardware replacement necessary).
Threshold systems and shared control systems may be put in place to access escrowed keying information, to limit the chances of unauthorized data recovery. Key escrow systems may be combined with other life cycle functions including key establishment, and key backup and archival (cf. key access servers - Notes 13.5 and 13.6).