Gene Hoffman <***@pgp.com> writes:
> On Wed, 15 Oct 1997, Adam Back wrote:
>
> >
> > - store a copy of the private half of the users PGP encryption key
> > encrypted to the company data recovery key on the users disk.
> >
>
> You would rather have PGP implement private key escrow?

Yes.

This is less GAK friendly than the way that PGP are implementing CMR.

In worked example #2 and I might do a #3 as well, I will as promised
show you how to apply the design principles to achieve greater
GAK-hostility than example #1 which you are objected to above.

However, in the mean time, I would like you and other PGPers to
re-read my post and answer the questions contained in it:

> - can you see ways that this could be perverted to implement GAK
> (yes I can too, btw, but...)
> - are those ways logisitically harder for GAKkers to acheive than for CMR

You appear to claim that your answer to the second question is no.

I would like to see you explain your reasoning for why this is so.

You may find it constructive to re-read some of Tim May's recent posts
as he explains the logic of this fairly clearly. Tim May does not
need the anti-GAK design principles to think in an critical
GAK-hostile way.

PGP Inc does appear to need them because their design principles are
currently at best GAK-neutral, and appear to be largely based on
wooly, ill thought-out pro-privacy / liberal thinking.

You have to think in a crypto-anarchist, saboteur mindset to maximise
your ability to prevent mandatory GAK becoming reality. The anti-GAK
design principles are a codification of the crypto-anarchist GAK
saboteur's natural predilections to want to prevent the GAKkers.

I have in waiting some other design principles which codify more
general crypto-anarchist design principles. I will not be adding
these to the anti-GAK design principles at this stage for fear of
confusing the first issue: how to best prevent GAK occuring in our and
other countries.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

Kent Crispin has a tenacious ability to continue to think logically
and critically, and not be drawn into emotional exchanges in the face
of jibes and hostilities (I am referring to previous unpleasantaries
on cypherpunks). I think we all could take a leaf out of his book. I
am going to attempt to myself from this point on in the CMR vs CDR
argument. (I accept Jon Callas comments along similar lines.)

Kent Crispin <***@songbird.com> writes:
> On Wed, Oct 15, 1997 at 11:45:01PM +0100, Adam Back wrote:
> >
> >
> > Part of the problem in this debate I think is that I have proposed
> > many alternate designs, with varying degrees of GAK-hostility.
> >
> > Also I have been accused of using "lots of anti GAK rhetoric, but
> > giving no proposals" by Kent.
>
> Adam, you've tossed out half-baked ideas buried in several thousand
> lines of anti-GAK rant. None of them were thought through in terms of
> infrastructure impact.

I have resolved to repent my ways with regard to unconstructive
ranting and rudeness. This should have the positive side effect of
reducing the length of my posts, and ensuring that more people read
them critically.

That the ideas seemed initially fuzzy is a reflection of the fact that
I have, as I presume others have also, been gradually improving my
understanding of these complex issues.

I found the exercise in attempting to codify what I consider to be
optimal design decisions from the point of view of maximising the GAK
resistance properties of protocol designs, software implementations
and communications standards useful in clarifying my thoughts.

I feel confident in my ability to demonstrate that my GR (GAK
resistant) design principles can be usefully applied to increase the
GAK resistance of the design of systems using confidentiality and
communicatons.

I will comment on your specific comments on this aspect below.

> The idea of reencrypting the data strikes me as half-baked, as well
> -- I sit and wonder about the pass-phrase handling for the transient
> encryption keys that are changing on a daily or weekly basis -- or
> is there no pass-phrase -- is the key just stored on disk with no
> protection

Your suggestion that the re-encryption construct is weak from a GAK
resistancy (GR) perspective is correct. See my earlier comments on
realising the danger of that construct.

> > I reject that claim. (I did use lots
> > of rhetoric, but this was to try to impress upon those arguing for CMR
> > of it's dangers. They do not seem to acknowledge them.)
>
> The evidence seems to suggest that the PGP folks agonized pretty
> heavily over their design. A stupid attack such as yours is far more
> likely to cement resistance than it is likely to win cooperation.

I am forced to agree that emotional attacks are likely to hinder
cooperation. Therefore emotional attacks on this topic are themselves
likely to be counter to global GR optimisation. It is for this reason
that I will attempt from this point on in this discussion to swallow
my anger unless I can justify outbursts in terms of GR optimisation.
Readers are encouraged to remind me if I start slipping.

I can only offer as an excuse that it seems to me that PGP Inc could
be doing more to increase the GAK resistance of their product and
design within the financial and user requirement constraints they
face. Emotional appeals are as you say is not likely to be the best
means to explain this belief.

I also offer as a mild excuse that in carrying out interactive list
discussions with people in the US who are on GMT-8 that my sleep
deprivation may have been showing through in irritability :-) I found
myself for instance going to bed at 8.30 am the other night.

> > I'll try in
> > this post to steer clear of anti-GAK rhetoric. We'll instead take it
> > as a given that pgp5.5 and pgp5.0 are GAK compliant because of CMR and
> > that this is a bad thing.
>
> Trying real hard...

Allow me to rephrase that in the light of my GR maximisation motivated
apparent character reform:

I believe that PGP Inc could make their design more resistant to GAK.

The reason I believe that PGP Inc has thus far arrived at different
design conclusions than I, Bruce Schneier, Tim May, Ian Brown, and
others, is that PGP Inc have differently prioritised the multiple
desirable properties of a socially progressive crypto design.

Desirable properties are in prioritsed order of importance as I see
them:

1. preventing big brotherish governments enforcing GAK
2. discouraging little brotherish business practices
3. encouraging transparency of intent (marking keys with statements of
intent on handling of plaintext)
4. application ergonomics

I think that PGP Inc has transposed criteria 1 and 2 in their
prioritisation. I believe PGP Inc's design decisions and
recommendations to companies reflect honest attempts to discourage
little brother, and their use of statement of intent technology
demonstrates their commitment to preventing big brother. But I fear
that their prioritisation reduces the big brother resistance of their
CMR system because this resistance has been traded off to attempt to
provide little brother resistance.

If I understand correctly several PGP employees have claimed that you
should attempt to enforce the statement of intent principle with
protocol modifications. Whilst statement of intent is useful, and a
good innovation which I applaud, criteria 1 and 2 should take
precedence where protocol modifications which are thought to
strengthen statement of intent have a side effect of reducing GAK
resistance.

Independently I think that it is not semantically useful to try to
enforce statement of intent at the protocol level with the CMR method.
This is because having an enforced second recipient in no way
guarantees that the second recipient will read the message, or is able
to read the message (the second recipient might not receive the
ciphertext, or he might have lost the company access key).

> > Will is correct on one point: at the begining I had not properly
> > thought one aspect through:
>
> I suspect there are several other flaws you are now quite aware
> of...too bad, I hoped you had something.

I believe that using the GAK resistant design principles allows one to
focus more clearly on the benefits of the various trade-offs possible
and to more acurately prioritise the multiple social criteria.

> > Design 1.
> >
> > Instructions:
> >
> > - scrap the CMR key extension
> >
> > - store a copy of the private half of the users PGP encryption key
> > encrypted to the company data recovery key on the users disk.
>
> I work for a large organization, I have a unix workstation, an
> xterminal booting off a departmental server, and a Mac in my office.
> As is typical in large organizations, a system admin team takes care
> of all routine administration of my systems. They all have root, of
> course, and routinely do system upgrades and software installs on my
> Mac.

Sounds like a good example to base discussions upon: X-terminals,
multi user unix work stations and remotely configurable PCs.

> Your solution doesn't seem to fit this environment very well...

I would take your point there to be that you can't store the recovery
key on the local disk for the reason that the disk isn't local, and
that when the recovery key is stored on the local disk on remotely
administered or multi-user workstations that this is less secure.

I agree. It is less secure.

(I have htmlized, and attempted to more clearly re-word the GR design
principles:

http://www.dcs.ex.ac.uk/~aba/gakresis/

I have also added a fourth corollary which you might like to comment
on (it's not relevant to the above point).)

To return to your criticisms based on the mish-mash of shared user and
X-terminals typical of corporate environments, corollary 2 expresses
the best that can be done in this scenario:

> Corollary 2: where communications are transmitted in ways which
> violate principles 1, 2 or 3 it is in general more GAK resistant to
> enforce as far as possible that the recovery or escrow information
> remains in as close proximity to the data as possible, and as much
> under the control of the user as possible.

So if you are using an X-terminal, your passphrase will be going over
the ethernet, and all the files will be on a unix box. About all you
can do about this to minimise security problems is to try to secure
your ethernet with IPSEC technology. This is not currently very
widely deployed especially for intranet use.

Certainly if you are using your X-terminal to connect to machines over
the internet many companies have taken steps to reduce the dangers of
this. VPN systems, and SSH achieve this kind of thing. IPSEC and VPN
technology are typically fairly GAK resistant anyway, because use of
forward secrecy is common.

The overall system is _still_ more GAK resistant than CMR for the
sorts of logistical reasons that Tim May has been describing. You may
like to comment on this claim which I am willing to defend.

> > Recovery method:
> >
> > Custodian of recovery key inserts recovery floppy disk in machine,
> > decrypts copy of users private key, hands control back to user to
> > choose new passphrase.
>
> Must be a very special boot floppy, of course, otherwise I just
> subvert the floppy driver, feign forgetting my passphrase, and
> collect the corporate crown jewels. Or I hack into somebody else's
> system and corrupt their key...

You can hack around it, and this is implicitly acknowledged. The
point is that in trying to design the system so that it must be hacked
around before allowing easy use in a mandatory GAK setting you have
built in extra GAK resistance in the form of the deployment and
logistical problems the government will have in developing, and
deploying patches and making sure every one applies them.

> [...]
> >
> > - what is stopping you implementing this
>
> It's completely unrealistic.

It was stated in it's simplest possible form for clarity.

It is however possible to build resistance into the system in the form
of inertia of the deployed code base in not providing automated ways
to access the recovery information outside of the software package.

Bill Stewart came up with the very good suggestion for example that
you only keep some of the bits of the recovery key to ensure that
recovery appears is artificially made time consuming. This means that
with out replacing your software base, the government has a much
harder time installing GAK. This also has the social benefit of
discouraging companies from using what are intended to be data
recovery features as snooping features. This is exactly the sort of
lateral thinking that I am hoping to encourage.

> > - are there any plug ins which can't cope with this
> > - are there user requirements which it can't meet
> > - is there some fundamental flaw you think I have missed
> > - can you see ways that this could be perverted to implement GAK
> > (yes I can too, btw, but...)
> > - are those ways logisitically harder for GAKkers to acheive than for CMR
> >
> > Please be specific, no general waffle about understanding the
> > complexities of balancing user ergonomics, user requirements etc.
>
> Unfortunately, for real products you do have to consider these
> factors.

I fully agree that you have to acknowledge user ergonomics and user
requirements. What I was asking was that people in criticising my GR
design principles explain which user requirements they think can not
be met, or which user ergonomics features are hindered. I also
explicitly state in design principle 4 that you should balance these
considerations to maximise the global GAK resistance of the deployed
software and hardware in the target jurisdiction.

> > principle 3:
> > communications should be encrypted to the minimum number of
> > recipients (typically one), and those keys should have as short a
> > life time as is practically possible
>
> Key lifetime is a major issue. Keys are either protected by
> pass-phrase, or vulnerable. Think about how you are going to
> generate new keys every day, or every week...

Perhaps if I give some examples of how some one designing a protocol
according to these principles might proceed in this direction it would
be clearer how to minimise the impact on ergonomics without losing
security to the extent that it allows government access simply as a
property of the induced weakness. (In otherwords I am willing to
trade security for extra GAK resistance if it comes to it, but
typically does not seem to be required as GR design principles 1, 2,
and 3 are independently sound security objectives).

Companies would protect all keys by password, or by smart card token,
or by secured facilities or just by the nature of it being sufficient
for their security requirements to rely on the same weak physical
security which protects their paper files.

So: the signature key does not have recovery information -- I think
this is agreed by all. The storage key used in encrypting information
on your disk is has recovery information stored as described. The
shorter lived forward secret keys could be also recovery protected
(during their lifetime). PGP 5.x already has this feature. Consider
the encryption keys to be your forward secret keys. Give them shorter
than normal expiry dates.

Your next comment is very pertinent in demonstrating the sorts of
problems you must work around in attempting to maximise use of forward
secrecy.

> Think about off-line composition of email -- I have a laptop, download
> my mail from the pop server, compose email. Now I can't store my
> friends public keys on my disk, because they expire every day. So I
> have to go to the public keyserver for every correspondent's public
> key -- if the keyserver is unaccessible I'm out of luck. This
> radically changes the expected semantics of email.

I have 2 comments on this problem:

Consider: a system which automatically adapts and is forward secret
when it is able but not when it is not possible is more GAK resistant
than one which never uses forward secrecy at all because of the
existance of some situations where it is difficult to use.

Consider also: a system which is relatively forward secret (perhaps
with key updates every week, or month) is more GAK resistant than one
which makes no frequent key recommendations and leaving people to
choose long expiries of 1 year or with user no comments made on the
dangers of not having expiries at all is more dangerous.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

Bill Stewart <***@ix.netcom.com> writes:
> > [separate signing and encryption keys]
>
> On the other hand, if the keys are separate, Louis Freeh
> can tell the Congress that it's not a big problem,
> he'd NEVER dream of GAKing your signature keys,

Valid argument with some value yes. Actually now that you bring it up
I dimly remember this aspect being raised on cypherpunks some time
back. Perhaps it was you who raised it even. Or perhaps it was Phil
Karn, or someone.

> Similarly, your corporate security bureaucrats can understand
> the concept that if they CAK your privacy keys,
> they're risking having official company signatures get forged,
> and they'll often do the right thing and desist,
> but with separate keys that won't stop them.

Hmmm. I think that if companies start encrypting anything, they're
going to need recovery of some sort. Else they just won't use it at
all.

Most of them aren't using storage encryption right now anyway, which
is why Tim May's suggestion to store emails after decrypt in the clear
makes a lot of sense as a simple interim way out of this problem until
the issues have been explored more.

This largely avoids company requirement to recover emails.

One valid objection to this approach is that if the employee forgets
their password whilst there are lots of emails queued up to receive
that those emails will be lost. Or if the employee gets hit by a
truck.

However I'm not so sure this is a big deal for a number of reasons:

1. how often do employees get hit by trucks?
2. how often do employees forget passwords? (all the time unfortunately)
3. things which are important the sender is likely able to resend because
he has in clear on disk
4. senders using the same software can have archives of what they have sent
and easily able to resend.

> >Does pgp5.0 reply encrypting to just me as individual, or two crypto
> >recipients me, and Mega Corp recovery key?
> Just you.

If you are right, it will bounce when it hits an enforcer with the
strict setting turned on.

Is this what will happen?

This will mean that the users will have to manually figure out how to
solve (get enforcer key, multiple encrypt to that key, possibly by
cc'ing to enforcer email address/userID even if this bounces).

> >It is evil. But it is not _as_ evil.
> >
> >The reason for this is that government access to storage keys is not
> >as evil as government access to communications keys, because the
> >government has to come and capture the ciphertext (take your disk),
> >whereas with communications they can grab them via an arrangement with
> >your ISP.
>
> First of all, the only reason for having a CMRK attached to your key
> is that either your mail service will reject mail to you that doesn't
> contain it, or your employer insists on it. In either case,
> it can be done without a special CMRK field on your key --
> PGP multiple recipients are enough to do that, and the sender
> just has to remember to include the (no longer automagically attached) CMRK.
> So leaving out the CMRK doesn't protect you.

Lack of automation is some weak protection. What are users to do?
Send Cc: <***@nsa.gov>. What if they forget? Much more
plausible to forget. Makes strict penalties for forgetting difficult
in western countries. 5 years jail time for forgetting? Don't think
so.

What about the traffic? If you make it an invalid address, just to
pick up the key it'll flood email systems with bounces; every single
encrypted mail will get a bounce.

Not an overwhelming protection, but may mean more people will more
resist it, and more people will forget often with the current email
MUA deployed base.

With many people using CMR based pgp5.5, forgetting will be much less
plausible.

Putting in CMR encourages adoption of this kind of filtering/bouncing
approach.

I am interested in analysis and discussion of the level of
significance this difference makes to user uptake of GAK in say the US
as an example (say some time in 1998 when many more businesses and
individuals have upgraded to pgp5.x). What differences are there in
resistance between a pgp5.5 using CMR and with a pgp5.6 using CDR (or
storage-CAK as Bill terms the approach)?

> Second, if the government is coming to get your disk anyway,
> they can get themselves a court order to have you reveal the key,
> and you can argue with the judge about whether you should be
> compelled to reveal it, and at least in the US there's a
> Fifth Amendment backing up your arguments (though like the
> other amendments, it's weakened by the "except for drugs" clause...)

Yes. This is the kind of reason I argue that storage recovery is less
dangerous than communications recovery. They've got to get the disk
first. And they can't tell if you have used GAK until they get it;
when they get it if you're suspecting they will try this, you will
ensure there is no GAK access, you will use other software, as you
have nothing to lose.

> GAK asserts that the government has the right to your keys
> before you get to court.

Well that is the scenario that Freeh is arguing for yes. Faced with a
choice of giving him your comms keys or your storage keys, I'd go for
storage keys anyday. I can lie to him, and give him some random
numbers and he'll never know. The point at which he will know will be
after the dawn raid; if it gets to dawn raids you are indendently in
trouble anyway.

> On yet another hand, while it may be obvious when the government
> steals your disk and uses Storage-GAK, companies using Storage-CAK
> or Storage-CMR can use it just as well on the backup tapes without
> your notice as on your disk drive. Furthermore, you can think of
> the data backup process as communications from you to the
> backupmeister, so Storage-CAK _is_ Message-CAK, and Storage-CMR is
> Message-CMR.

Technically yes. Practically no, there is a large difference. The
extra protection of Storage-CAK method is the extra GAK resistance due
to the fact that availability of access to communications is patchy,
and more expensive for the government to achieve, and enforcement is
patchy, even detection is patchy. This patchiness is good. Mass
keyword scanning is impossible on a wide scale. The government can
keyword scan some of you, but they can do that already at similar cost
levels: they can plant bugs, have undercover federal investigator
inflitrate your company in guise of employee etc. The aim of the game
is to make the cost higher than existing physical attacks, or at least
as high as possible.

> But CAKing the disk doesn't protect the company's information,
> and there's therefore no excuse for using it.

Surely it does?

If you are in ACME Corp and they want all disks encrypted as a
security policy. They provide smart cards to employees, and
workstations data is inaccessible until correct smart card is
inserted. Employee lets dog chew on smart card. No recovery implies
that this data is irretrievably lost.

> Superencryption is always possible, in messages as well as files,
> but with message encryption the eavesdropping-prone corporation can
> detect superencrypted messages going by (though not stego'd), while
> PGP-encrypted files on your disk only show up _after_ you've been
> hit by the bus on your way to the headhunter's.

This is good. Both systems are hackable from all three directions.
(individuals can hack around system to increase privacy; corporations
can hack around to decrease privacy (keyboard sniffer); governments
can too by walking in and taking disks and threatening people fail
time for not handing over keys.) Many aspects of this are better with
storage data recovery than they are with communications recovery.
Especially government aspects. Company aspects are almost neutral
non-issue in my mind due to ease with which company can remove your
privacy as they own machines, and can do all sorts of things to your
software, hardware, video cam, bug phone, keyboard sniffer, keyboard
log, etc.,etc.

> BTW, PGP5.5 CMR _is_ CMR'd storage encryption.
> It's not as convenient as encrypted file systems
> like PGPdisk and Secdev,
> but people are using it to encrypt stored data,
> including email and non-email files.

Yes. pgp5.0 which I looked at windows version (available on
ftp://ftp.replay.com/ (netherlands) somewhere for other non-US
people), does file and email encryption. As does linux version.

> On a technical note, GAK for storage can be made less dangerous,
> though not less offensive, by adding a layer of indirection -
> use your public key to encrypt a symmetric key, store the encrypted
> symmetric key on your disk, and then use the symmetric key for
> encrypting the storage (or as a master key for encrypting the
> per-file or per-block storage keys, if you're doing that,
> which you probably should.) This means that a search warrant
> which is required to itemize the things it's looking for can be
> more effectively restricted to specific files rather than
> cracking the whole disk and every other disk that uses the
> same encryption keys.

Good point.

> >The point though is that storage recovery is a completely separable
> >issue from communications "recovery" which is a euphamism for allowing
> >companies to read, or snoop, employees email, unless it is being used
> >soley for data recovery of mail stored in mail folders (which seems to
> >be what PGP Inc means by CMR term), in which case it is not necessary
> >functionality, and can be better acheived by encrypting the mail
> >archive with a user symmetric key with company storage recovery on
> >that key.
>
> Trust me - you _really_ don't want mailboxes encrypted,
> recovery key or no recovery key, unless it's implemented very very well.

PGP Inc does use this otherwise there would be no argument about need
for recovery information -- you don't need recovery information for
plaintext.

> [100Mb mail folder corruption nightmares]

Your example of corruption problems with large mail boxes is one
argument against this practice.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`