[Cryptography] Escrowing keys

Tom Mitchell mitch at niftyegg.com
Fri May 5 16:37:57 EDT 2017 

On Fri, Apr 28, 2017 at 11:12 AM, Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> I am currently wrapping up the Mesh code. At this point I am halfway through
> the set of test cases for the line mode client. And almost all the
> functionality being tested is already tested at the library level.
>
> One area I am still working to get right is the offline escrow mechanism.
> The basic idea of the Mesh is that we want to enable people to use a single
> fingerprint to identify their personal root of trust and this should be able
> to last their entire life. I have eliminated the idea of pre-determined
> certificate expiry completely.
>
>
> So the root of trust comes down to:
>
> 1) The master signature key
> 2) A list of master encryption escrow keys

There is one additional layer of concern:  legal.

The problem Apple has is all the devices
in a single class have the same key and a forced
legal disclosure impacts a million other devices.
The million of other devices and the financial impact to
the company protected Apple.

Any encryption escrow today needs to ponder the US All Writs Act
as well as the legal equivalents worldwide.
And since data has value the system needs to ponder death and taxes.

As a minimum a contractual obligation to notify the disclosure inside
of 24 hours
any delivery of the key if so mandated by law needs to be part of any EULA.
As a result the warrant must void the contract that is a foundation of the
entire business.

The key ring (all keys) might be tried and tested inside an afternoon
against a single
encrypted resource should the identity of the account be unclear.   This does
appear to limit the data in question to the data in hand but once the
ring of keys
has been disclosed the cat is out of the bag.   At 10.51 x 10^12
checks per second
the only need for an afternoon is the physical mechanics and
documentation process.

Facebook has over a billion users but that number is very small compared to the
key space of modern crypto systems.

So a design goal is escrow that has a secure granularity of one.


-- 
  T o m    M i t c h e l l

More information about the cryptography mailing list