Re: German Key Usage: msg#00266ietf.x509
At 09:46 PM 8/17/98 -0400, Robert Moskowitz wrote:
>At 04:19 PM 8/14/98 -0700, -=jack=- wrote:
>>Why would you ever escrow any signature key? I personally have never heard of
>>any proposal/plan/law/etc to escrow signature keys. My understanding of why
>>the US Government and law enforcement want key escrow is to decrypt
>>information, not to be able to regenerate a signature.
>
>Check out the UK white paper. From the reports I am still getting they
>still have escrowing of authentication keys in it.
>
>>of course I'll be damned if I'll use an escrowed key to encrypt anything
>>either, ;-), but hey, I want my privacy damnit, and no ballyhoo about
>>drugs/terrorists/kiddie porn makes that worth sacrificing. Of *course*
>>this is just my opinion...!
>
>Actually I would have at least three private; certificates. One would be
>my signing cert and that would not be escrowed. I would then have TWO
>encrypting certs. One would be escrowed with my estate, the other in some
>deep dark place that only I know.
>
>Those items I wish to protect, but give over to my estate (like financial
>records) would be encrypted with the one key. Those things that I never
>want anyone to see (like my personal journal) would be encrypted with the
>other key.
>
>Of course my business persona would have a couple of certs also.....
>
>Robert Moskowitz
>ICSA
>Security Interest EMail: rgm-sec@xxxxxxxxxxxxxxx

Bob,

This may be a quibble, but I don't understand why, in the latter two cases, where you are encrypting data, you are necessarily even talking about certificates. There is no particular reason to use public key cryptography at all to encrypt your own files. So I would claim that you would have three keys, but only need one certificate. Conceivably you might choose to encrypt the encryption key for your financial records under your executor's public key.

It seems to me that a great deal of confusion arises whenever we talk about stored encrypted data in the context of a PKI. I don't believe that PKI's are about stored encrypted data. They may be somewhat useful for some flavors of key recovery for stored data, but a PKI is hardly necessary or central to the business of encrypting your own stored files. Public key certificates are much more useful for encrypting transmitted data. However, some folks do apparently want to use the same key-pair that they use for encrypted data sent to them. I suspect that this causes a lot of problems. I think that we should always remember that long term storage encryption needs only asymmetric key encryption, and public-key cryptography, if it is involved, is only a convenience of some sort.

To continue on the subject of multiple uses of the same key, it seems to me undeniable that every way in which you use the same key:

1. adds some new attacks on that key, and;
2. increases the consequences if any of the attacks is successful.

So it is generally more secure to use one key only for one purpose. However, there are some practical problems to managing and keeping many different keys secure, which may tend to cause one to use a single key for more than one use.

I would argue that it is more secure to use one key to protect transmitted data, and a different key to protect that same data while it is stored. This is true because:

1. we can easily change communications session keys, but must assume that people can intercept the encrypted sessions, and;
2. we will find it painful to frequently change the keys for stored encrypted data, but can make it pretty difficult for an intruder to get access to the encrypted data.

There does seem to me to be a really fundamental key management problem with using one public key pair for nonrepudiation via digital signatures and encryption of long-term stored data:

1. nonrepudiation private keys should be destroyed when they expire - nothing but bad can come from keeping a nonrepudiation private key after the expiration of the certificate, but;
2. encryption private keys must be retained as long as data is stored encrypted under them.

So we keep signature public keys for long periods, but should destroy the private keys as soon as they expire, while we should never use encryption public keys after they expire, but may need to keep the private keys as long as we keep the data that they protect. That argues for separate keys.

There is perhaps less difficulty with using one key pair for authentication (i.e., digital signature but not nonrepudiation) and for session encryption, because I can, and probably should, destroy the private key as soon as it expires. I think that perhaps IKE falls in this category.

I am beginning to think that key usage should perhaps distinguish between session encryption and storage encryption, if we are to use public key certificates for stored encrypted data.

So which is e-mail? In the best of all possible worlds, I think that e-mail should be encrypted with a session key, decrypted when it is received, then, if necessary, re-encrypted under a storage key.

There is little business reason (but there are law enforcement reasons) for key recovery of session keys. There are compelling business reasons (as well as law enforcement reasons) for key recovery for stored data encryption keys. I also suspect that the legal regimes for encrypted stored and transmitted data may also be quite different, in many cases. I presume that for stored data I can arrange it so that the cops must actually serve a warrant to get access even to the ciphertext.

Regards,

Bill Burr
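Added example, not part of the original message or thread: a Python sketch that decodes an X.509 keyUsage BIT STRING and applies the private-key lifecycle rule argued in the message above (destroy nonrepudiation keys at expiry, retain keys that protect stored data), reporting a conflict when one key pair falls under both. The `protects_stored_data` flag, the function names, the sample bytes and the treatment of keyAgreement as an encryption use are assumptions of this example.

```python
# Added example: decode keyUsage bits, then apply the lifecycle rule from the message.
# Bit names and positions are the named bits of the X.509 keyUsage extension.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
# Assumption of this example: these usages count as "encryption" uses.
ENCRYPTION = {"keyEncipherment", "dataEncipherment", "keyAgreement"}

# Constructed sample: one key pair asserting signature, nonRepudiation and
# both encipherment bits (BIT STRING, 4 unused bits, 0xF0).
SAMPLE_MIXED = bytes.fromhex("030204f0")


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03, short-form length) into usage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of byte 0
            names.add(KEY_USAGE_BITS[i])
    return names


def private_key_action(usages: set, cert_expired: bool,
                       protects_stored_data: bool) -> str:
    """Return what should happen to the private key of one key pair.

    protects_stored_data is a hypothetical flag supplied by the caller:
    keyUsage itself cannot say whether an encryption key covers sessions
    or long-term storage.
    """
    must_destroy = cert_expired and "nonRepudiation" in usages
    must_retain = protects_stored_data and bool(usages & ENCRYPTION)
    if must_destroy and must_retain:
        return "conflict"  # the same key must be both destroyed and kept
    if must_destroy:
        return "destroy"
    if must_retain:
        return "retain"
    return "destroy" if cert_expired else "in-use"
```
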