KeyEscrowinMutuallyMistrustingDomains?

Transcription

1 KeyEscrowinMutuallyMistrustingDomains? Abstract.Inthispaperwepresentakeyescrowsystemwhichmeets L.Chen,D.GollmannandC.J.Mitchell possiblerequirementsforinternationalkeyescrow,wheredierentdomainsmaynottrusteachother.inthissystemmultiplethirdparties, RoyalHolloway,UniversityofLondon Egham,SurreyTW200EX,UK InformationSecurityGroup risedagenciesintherelevantdomainswithwarrantedaccesstotheusers' communications.weproposetwoescrowedkeyagreementmechanisms, ofprovidinguserswithkeymanagementservicesandprovidingautho- whoaretrustedcollectivelybutnotindividually,performthedualrole bothdesignedforthecasewherethepairofcommunicatingusersare mains.thesecondmechanismusesatransferableandveriablesecret ahidden`shadow-key'.therstmechanismmakesuseofasingleset ofkeyescrowagenciesmoderatelytrustedbymutuallymistrustingdo- itmoredicultfordeviantuserstosubverttheescrowedkeybyusing thatallentitiesareinvolvedinthekeygenerationprocesshelpsmake indierentdomains,inwhichthepairofusersandallthethirdparties sharingschemetotransferkeysharesbetweentwogroupsofkeyescrow agencies,whereonegroupisineachdomain. jointlygenerateacryptographickeyforend-to-endencryption.thefact usertracinordertocombatcrimeandprotectnationalsecurity.akeyescrow dictoryrequirements.ontheonehanduserswanttocommunicatesecurelywith 1Introduction 1.1Keyescrowinmutuallymistrustingdomains Inmodernsecuretelecommunicationssystemstherearelikelytobetwocontra- systemisdesignedtomeettheneedsofbothusersandgovernments,wherea otherusers,andontheotherhandgovernmentshaverequirementstointercept toprovidethelawenforcementagenciesofalltherelevantcountries,e.g.the keyescrowsystemshaverecentlybeenproposed,andforanoverviewoftheeld, thereaderisreferredto[4]. authorised.followingtheusgovernment'sclipperproposals,[1],anumberof (orasetofagencies)andlaterdeliveredtogovernmentagencieswhenlawfully cryptographickeyforusercommunicationsisescrowedwithakeyescrowagency?thisworkhasbeenjointlyfundedbytheukepsrcunderresearchgrant GR/J17173andtheEuropeanCommissionunderACTSprojectAC095(ASPeCT). Whenuserscommunicateinternationally,thereisapotentialrequirement

2 originatinganddestinationcountriesforthecommunication,withwarranted accesstotheusertrac.forexample,aglobalmobiletelecommunicationssystemmightprovideanend-to-endcondentialityservicetotwomobileusersin morecomplicated,thesetwocountrieswilltypicallynottrustoneother(such twodierentcountries,andlawenforcementagenciesinboththesecountries lawenforcementagencyinonecountrymightnotwishtolettheircounterpart mightindependentlywishtointerceptthesecommunications.tomakematters whomaybegiventherighttoaccesscommunicationswithinasingledomain. inanyothercountryknowthataparticularuser'scommunicationsarebeing domainsarereferredtoasmutuallydistrustingcountriesin[6]);forexample,a beresponsibleformaintainingalltheinformationnecessarytoprovideaccessto interceptionagencies,whenpresentedwiththeappropriatelegalauthorisation. FinallywerefertoescrowagenciesorTrustedThirdParties(TTPs)whowill interceptionauthoritieswherewemeanbodiessuchaslawenforcementagencies eralitywerefertodomainsinsteadofcountriesthroughout.wealsoreferto intercepted. outthatthecountriesinvolveddonottrustoneanother;forthemaximumgen- Wenowstateourrequirementsforkeyescrowinaninternational(i.e.a Weareconcernedherewithinternationalkeyescrow,andweassumethrough- multi-domain)context. 1.Nodomaincanindividuallycontrolthegenerationofanescrowedkey,and hencetheescrowedkeycannotbechosenbyentitiesinonlyonedomainand 1.2Priorapproaches 3.Theentitiesinanydomaincanensurethecorrectnessandfreshnessofthe 2.Theinterceptionauthoritiesinanydomaincangainaccesstoanescrowed capableofbeingescrowedinallrelevantdomainsindependently. escrowedkey. keywithoutcommunicatingwithanyotherdomain,i.e.thekeyhastobe thentransferredtotheotherdomain. munications.asessionkeyforend-to-endencryptionisestablishedbasedon providingthetwointerceptionagencieswithwarrantedaccesstotheusers'com- domains,thentherelevantpairofttps(oneineachdomain)collaboratively Jeeries,MitchellandWalker[8]recentlyproposedanovelkeyescrowmechanismsuitableforinternationaluse,calledthe`JMW'mechanismforshort.In thatschemeeveryuserhasanassociatedttp.iftwousers,communicating acombinationofasecretkeysharedbetweenthemandthereceiver'sname, andanotherasymmetrickeyagreementpairfortheotheruser(thesender)is generatedbyhimself.thereceivercomputesthesessionkeybycombininghis (thereceiver)isseparatelycomputedbybothttps(oneineachdomain)using Die-Hellmankeyexchange[5].Anasymmetrickeyagreementpairforoneuser witheachothersecurelybyusingend-to-endencryption,arelocatedindierent performthedualroleofprovidingtheuserswithkeymanagementservicesand privatekey(transferredsecurelyfromhisownttp)withthesender'spublic

3 amongtheusers,ttpsandinterceptionagencies. above.however,itrequiresthefollowingassumptionsabouttrustrelationships sessionkeyfromthettpinthesamedomain. keybycombininghisprivatekeywiththereceiver'spublickey(obtainedfrom thesender'sownttp).interceptionagenciesineachdomaincanretrievethe key(sentwiththeencryptedmessage).thesendercomputesthesamesession 2.EachTTPbelievesthattheuser,asasender,willprovidethecorrectpublic 1.EachuserbelievesthattheirownTTP(aswellastheTTPsofanyother Notethatthismechanismmeetsthethreerequirementsforkeyescrowlisted 3.EachTTPbelievesthattheotherTTPwillcontributeproperkeyagreement 4.EachinterceptionagencybelievesthattheTTPinitsdomainwillprovide key(matchingthesecretkeyheusesforsecuringmessageshesends). valuesandcerticates,andwillnotrevealtheescrowedkeyillegally. thecorrectescrowedkeywhenrequested. andcerticates,andwillnotrevealtheescrowedkeyillegally. userswithwhichtheycommunicate)willissueproperkeyagreementvalues contributionstoanescrowedkeyandtorevealthekeylegally,andusersalso domain. 1.3Ourcontribution Inthispaperwesupposethat,insomeenvironmentswhereinternationalkey escrowisrequired,ttpsmaynotbetrustedindividuallytoprovideproper whichrequiresakeyescrowagency(oragencies)tobetrustedbymorethanone In[6],FrankelandYunggiveadierentschemeforinternationalkeyescrow, maynotbetrustedtoprovidepropercontributionstoanescrowedkey. 1.Theschemesuseasetofmoderatelytrustedthirdpartiesinsteadofasingle Weconsidertworelatedkeyescrowmechanismswiththefollowingproperties. Forthepurposesofthispaper,moderatelytrustedthirdpartiesaretrusted collectively,butnotindividually,byusers,interceptionagenciesandanother setofttps. Keysplittingschemeshavepreviouslybeenusedforsplittinganescrowed TTP,inaneorttopreventasingleTTPfromcorruptinganescrowedkey. 2.Theyuseaveriablesecretsharingschemeinordertopreventdeviantusers Suchaschemeallowsanysubsetofkofthenescrowagenciestoaectthe keyintonsharesescrowedbynagenciesinproposedkeyescrowsystems 3.Theyuseananeexpansibleveriablesecretsharingschemetoletusers fromrecoveringacompletekey. (e.g.see[4,9,11,12]);wealsomakeuseofakoutofnthresholdscheme. recoveryofacompletekey,butprohibitsanygroupoffewerthankagencies fromsubvertingthesecretsharingschemebyprovidingimpropershares.such andthirdpartiesjointlygenerateanescrowedkey,thuspreventingdeviant aschemehaspreviouslybeenadoptedinakeyescrowsystemtoletagroup ofkeyescrowagenciesverifythattheyhavevalidshares[9]. usersfromobtaininga`shadow-key'(notavailabletotheescrowagency).

4 atransferableveriablesecretsharingschemeandananeexpansibleveriable 4.Thesecondschememakesuseofatransferableveriablesecretsharing andyung'sidea,[6],makesuseofasinglegroupofkeyescrowagenciesmoderatelytrustedbymutuallymistrustingdomains.thesecondscheme,whichis maynottrusteachother. secretsharingschemebasedontheshamirsecretsharingscheme,[15],andthe Pedersenveriablesecretsharingscheme,[13].Wethenproposetwomechanisms forinternationalkeyescrowinsection3.therst,whichincorporatesfrankel Theremainderofthepaperissubdividedasfollows.Insection2,wepresent schemetotransfersharesbetweentwosetsofkeyescrowagencieswhich analternativetothejmwmechanism,adoptsthetransferableandveriable keybyusingtheaneexpansibleveriablesecretsharingscheme. Inbothmechanisms,usersandkeyescrowagenciesjointlygenerateanescrowed secretsharingschemetotransfersharesbetweentwosetsofmoderatelytrusted keyescrowagencies,onesetwithineachoftwomutuallymistrustingdomains. 2VeriableSecretSharing InthissectionwerstbrieydescribetheShamirsecretsharingscheme[15] domains.weconcludebygivingtwoopenquestions. trustedthirdparties,potentiallyuntrustworthyusersandmultiplemistrusting ofentityinvolvedinaninternationalkeyescrowsystem,namelymoderately Insection4,weconsiderpossibletrustrelationshipsamongthethreetypes schemes.thisworkwillprovidethebasisforthekeyescrowschemesdescribed functionofasharedsecret,usingmodicationsoftheshamirandpedersen 2.1TheShamirscheme subsequently. transferasharedsecretbetweentwodomains,andalsohowtoshareanane andthepedersenveriablesecretsharingscheme[13].wethendiscusshowto A(k;n)-thresholdsecretsharingschemeisaprotocolinwhichadealerdistributespartialinformation(ashare)aboutasecrettoeachofnparticipants suchthat Supposepandqarelargeprimessuchthatqdividesp?1,andgisanelementof anygroupofatleastkparticipantscancomputethesecret. nogroupoffewerthankparticipantscanobtainanyinformationaboutthe becomputedmodulop. orderqinzp.itisassumedthatp,qandgarepubliclyknown.theseparameters willbeusedthroughoutthispaper.unlessotherwisestatedallarithmeticwill WenowdescribetheShamir(k;n)-thresholdsecretsharingscheme,[15]. secret,and

5 Pn(wheren<q)thedealerchoosesapolynomialofdegreek?1: wheref2zq[x]anda0=s.eachparticipantpi(1in)receivessi=f(xi) fori6=j). ashisprivateshare,wherexi2zq?f0gispublicinformationaboutpi(xi6=xj, LetthesecretsbeanelementofZq.InordertodistributesamongP1,..., P2,...,Pk)canndf(x)bytheinterpolationformula, Anykparticipants(withoutlossofgeneralityweassumethattheyareP1, f(x)=kxi=1(yh6=ix?xh f(x)=a0+a1x+:::+ak?1xk?1; Thus s=f(0)=kxi=1(yh6=ixh xi?xh)f(xi)=kxi=1(yh6=ix?xh xh?xi)si: xi?xh)si: ThissecretcanbedistributedtoandveriedbyP1,...,Pn,inthefollowingway: Assumethatadealerhasasecrets2Zqandcorrespondingpublicvalueh=gs. 2.2ThePedersenscheme 1.ThedealercomputessharessiusingtheShamirsecretsharingschemebyrst 2.ThedealersendsthesharesisecretlytoPi(1in)andbroadcastsa a0=sandthencomputingsi=f(xi)(1in).herexiispublic choosingapolynomialf(x)=a0+a1x+:::+ak?1xk?1overzqsatisfying 3.EachPi(1in)computeshi=k?1 informationaboutpiaspreviously. vericationsequencev=(ga0;ga1;:::;gak?1) toallnparticipants. IfthisdoesnotholdthenPibroadcastssiandstops.OtherwisePiaccepts theshare. andverieswhether hi=gsi: Yj=0(gaj)(xi)j; 4.Anykparticipants,whohaveacceptedtheirshares,canndsasdescribed intheshamirsecretsharingschemeabove.

6 1<kminfm;ng. ablesecretsharingscheme,wherek,m,andnarepositiveintegerssatisfying ipants.westartbystatingourrequirementsfora(k;m;n)-transferableveri- 2.3Transferableveriablesecretsharing Wenowconsiderhowtotransferasharedsecretbetweentwogroupsofpartic- TheparticipantsQj(1jn)mustbeabletoverifytheirownprivate NogroupoffewerthankparticipantsinQ1,...,Qncanobtainanyinformationabouts. AnygroupofatleastkparticipantsinQ1,...,Qn,whohaveacceptedtheir AsecretssharedbymparticipantsP1,...,Pmneedstobetransferredto, shares,cancomputes. andthensharedby,anothernparticipantsq1,...,qn. shareswithoutcommunicatingwithotherparticipantsinthesamedomain. Algorithm1AssumethatmparticipantsPi(1im)shareasecrets2Zq ShamirandPedersenschemes. usingthepedersenscheme.thissecretcanbetransferredtoandveriedby anothernparticipantsqj(1jn),inthefollowingway: Wenowpresentatransferableveriablesecretsharingschemebasedonthe 1.EachPi(1im)computesnewsharessij(1jn)usingtheShamir 2.Pi(1im)sendssijsecretlytoQj(1jn)andbroadcastsa secretsharingschemeby: rstchoosingapolynomialfi(x)=ai0+ai1x+:::+ai(k?1)xk?1overzq 3.OnreceiptofsijandVi(1im),Qj(1jn)computes vericationsequencevi=(gai0;:::;gai(k?1)) toallnparticipantsq1,...,qn. thencomputingsij=fi(xj).herexjispublicinformationaboutqj. satisfyingai0=si,and Ifthisdoesnothold,Qjbroadcastssijandstops.OtherwiseQjacceptsthe andverieswhether hij=k?1 hij=gsij: Yl=0(gail)(xj)l; Theorem2Theabovealgorithmhasthefollowingproperties. share.

7 Proof 1.AnygroupofatleastkparticipantsinQ1,...,Qn,whohaveacceptedtheir 2.NogroupoffewerthankparticipantsinQ1,...,Qncanobtainanyinformationaboutsi(1im)ands. sharesfollowingalgorithm1,canndsi(1im),andhencecompute asusedtoprovethesamestatementsforthepedersenscheme. 3.EachQj(1jn)canverifysij(1im)andgswithoutcommunicatingwithotherparticipantsinthesamedomain. Allthreepartsofthetheoremholdbyusingpreciselythesamearguments s. TTPsinonedomaintoanothersetofTTPsinaseconddomaininMechanism 7describedinthenextsection.Thetwogroupsofparticipantsdonothaveto Thisschemewillbeusedtotransferapartialescrowedkeyfromasetof trusteachother.iffewerthankparticipantsinanydomainfollowthescheme, thesecrettransfercannotbesuccessful,butnoonecansubvertthealgorithm byforcinganyoneelsetoacceptafraudulentsecret. 2 Wenowconsiderananeexpansionofthresholdsecretsharing.Westartby 2.4Aneexpansibleveriablesecretsharing statingourrequirementsfor`aneexpansion'. ontheshamirandpedersenschemes. Asecrets2ZqissharedbymparticipantsP1,...,Pm.Itsanefunction Algorithm3AssumethatmparticipantsPi(1im)shareasecrets2Zq Nogroupoffewerthankparticipantscanobtainanyinformationaboutw. Anygroupofatleastkparticipantscancomputew. Wenowpresentananeexpansibleveriablesecretsharingschemebased w=as+b,wherea;b2zqanda6=0,needstobesharedbythesame usingthepedersenscheme,andknowpublicinformationa2zq?f0gand participants.hereaandbarepublicinformationaboutpi(1im). b2zq.anewsecretw=as+b2zqcanbesharedandveriedbythesamem participantswithoutcommunicatingwithoneanother.thenewshareswiare Theorem4Theabovealgorithmhasthefollowingproperties. Thecorrespondingpublickeysare gwi=gasi+b=(gsi)agb;and gw=gas+b=(gs)agb: wi=asi+b:

8 1.Itmeetstherequirementsforaneexpansiblesecretsharing. escrowedkeyinmechanism5andmechanism7describedbelow.because Proof 2.Pi(1im)canverifywi(1im)andgwwithoutcommunicating thecontributionisnotknowntousers,itisdicultfortheuserstosubvertthe toestablishthepropertiesofthepedersenscheme. Thisschemewillbeusedtoletthirdpartiesprovideancontributiontoan Thistheoremagainfollowsusingpreciselythesameargumentsasareused withotherparticipants. escrowedkeybyusingahidden`shadow-public-key',thecorresponding`shadowprivate-key'ofwhichcannotbecomputedbyusingarealkeypairand`shadowpublic-key'[9]. 2 Wemakethefollowingassumptionsforourmodelofaninternationalkeyescrow 3.1Assumptions system. 3Escrowedkeyagreement TwoentitiesAandB,locatedinmutuallymistrustingdomains,wantto Intherstscheme(Mechanism5)asinglesetofTTPsfT1,...,Tmgare ThecommunicationsbetweenAandBhavetomeetpotentiallegalrequirementsforwarrantedinterception.Interceptionagenciesineachdomainare shareanysecret. beforetheauthenticationandkeydistributionprocessingstartstheydonot communicatesecurelywitheachother.forthispurposetheyneedtoverify oneanother'sidentityandestablishasharedsessionkeykab,although agenciesfortheinterceptionagenciesinbothdomains.inthesecondscheme usedasbothmultipleauthenticationserversfortheusers,andkeyescrow butmayrequireaccesstothesessionkeykab. notactivelyinvolvedintheauthenticationandkeydistributionprocedures, 3.2Mechanism1 interceptionagenciescollectively,butnotindividually. ineachdomain,areusedasmultipleauthenticationserversfortheusers andkeyescrowagenciesfortheinterceptionagencies.inbothcasestheyare KAB,andescrowingthesessionkey.Theyaretrustedbyboththeusersand responsibleforverifyinga'sandb'sidentities,establishingasessionkey (Mechanism7)twosetsofTTPsfT1,...,TmgandfU1,...,Ung,onegroup [5]andtheveriablesecretsharingschemesdescribedinsection2.Inthemechanism,AandBareusersinseparatedomains,andmmoderatelyTTPsT1,..., ThisescrowedkeyagreementschemeisbasedonDie-Hellmankeyexchange

9 positiveintegerk(km),anysetofkttpscancomputethesessionkey andgenerateaprivateintegerstab.theschemeisdesignedsothatforsome establishedbetweenaandb,butnogroupofk?1orlessttpscanderiveany functionfshalltakeasinputthesharedsecretkeyandthenamesofaandb, TTPsagreeacommonlyheldsecretkeyK(T1;:::;Tm)andafunctionf.This ticatedchannelswithti(1im).asinthejmwmechanism,thesem Tmworkforbothusersasauthenticationservers,andforinterceptionagencies inbothdomainsaskeyescrowagencies.weassumethataandbhaveauthen- usefulinformationaboutthissessionkey. Mechanism5AsetofTTPsT1,...,TmassisttwousersAandBinestablishingasessionkeyKAB,andescrowthekeycollectively. 1.AsecretlychoosesandstoresitsprivatekeyagreementvalueSA,andcomputesthecorrespondingpublicvaluePA(=gSA),theprivatesharesSAi sequencevaasdenedinsubsection2.2,andthensendssaiandvatoti (1im). avericationsequencevb,andsendingsbiandvbtoti(1im)). (1im)ofSAasdenedinsubsection2.1,andthepublicverication 2.BfollowsthesameprocedureasA(choosingSB,creatingprivatesharesSBi, 3.Ti(1im)veriesSAi,PA,andSBi,PBasdescribedinsubsection 4.Ti(1im)doesthefollowing: otherwisetiacceptstheshare. 2.2.Ifthevericationfails,Tibroadcaststhesuspectsharevalueandstops; kttpscancomputekab(whichiswhatisrequiredforescrowpurposes). Theorem6Theabovemechanismhasthepropertythatanygroupofatleast 5.AandBseparatelycomputeasessionkeyas: calculatespat(=pstab sendspattobandpbttoa. obtainsstabbyusingthefunctionfwithk(t1;:::;tm),aandb, KAB=(PAT)SB=(PBT)SA=gSASBSTAB: A)andPBT(=PSTAB B),and theshamirschemediscussedinsubsection2.1above).hencetheycancompute Proof AnygroupofatleastkTTPscancomputeSAandSB(bythepropertiesof colluding,andnogroupoffewerthankthirdpartiescanobtainanyinformation partycanforceaorbtoacceptawrongmessageunlessallthethirdpartiesare aboutkab. andtheresultfollows. KABfrombeingescrowedbyusingahidden`shadow-key'.Inaddition,nothird ThemechanismhasbeendesignedtomakeitdicultforAandBtoprevent KAB=gSASBSTAB 2

10 meanthatkabalsochanges).thiscouldbeachievedbyincludingadate-stamp bydomainsotherthanthetwodomainsbeingserved,orbya`super-domain' inthefunctionfusedtocomputestab. includingthetwodomains,oroneorotherofthetwodomains. internationalsecuretelecommunications.thesetcouldconsistofttpslicensed atelytrustedbymutuallymistrustingdomains,dependsontherequirementsfor Themethodusedtocomposeasetofkeyescrowagencies,whoaremoder- lettingthetwouserschoosethekey(see[7]),lettingasetofttpsgeneratethe key(see[3]),andlettingoneuserandtwottpsgeneratethekey(see[8]),this jointlygeneratethekey,sothatitmaybemoredicultforusersandttpsto subvertthekey. mechanismforcesallinvolvedentities,i.e.bothusersandthesetofttps,to Comparedwithanumberofotherproposedkeyagreementschemes,suchas, ItwouldbedesirableifSTABcouldbechangedfromtimetotime(whichwill 2.Inthismechanism,AandBareusersindierentdomains.Therearem 3.3Mechanism2 [5]andthetransferableveriablesecretsharingschemedescribedinsection ThisescrowedkeyagreementschemeisbasedonDie-Hellmankeyexchange TTPsU1,...,UnworkingforBasauthenticationservers(inB'sdomain).These TTPsT1,...,TmworkingforAasauthenticationservers(inA'sdomain),andn serversalsooperateaskeyescrowagenciesfortheinterceptionagenciesintheir respectivedomains.eachsetofthirdpartiesismoderatelytrustedbytheirusers andinterceptionagencies.usersandinterceptionagenciesdonotcommunicate withttpsoutsidetheirdomain.ttpti(1im)cancommunicatewith Uj(1jn).Again,weassumethatAhasanauthenticatedchannelwith eachti,andbhasanauthenticatedchannelwitheachuj.eachgroupofttps fshalltakeasinputthesharedsecretkeysandthenamesofaandb,and agreeasecretkeyk(t1;:::;tm)ork(u1;:::;un)andafunctionf.thisfunction AandB(respectively)toestablishasessionkeyKAB.Eachsetofthirdparties escrowthekeycollectively. Mechanism7TwosetsofTTPsfT1,...,TmgandfU1,...,Ungassisttwousers aboutthissessionkey. andb,butnogroupofk?1orlessttpscanderiveanyusefulinformation orotherofthetwodomainscancomputethesessionkeyestablishedbetweena generateprivateintegersstabandsuabrespectively.theschemeisdesigned sothatforsomepositiveintegerk(kminfm;ng),anysetofkttpsfromone 1.AsecretlychoosesandstoresitsprivatekeyagreementvalueSA,andcomputesthefollowingvalues: thepublicvericationsequencevaasdenedinsubsection2.2,andthen thecorrespondingpublicvaluepa(=gsa), theprivatesharessai(1im)asdenedinsubsection2.1,and sendssaiandvatoti(1im).

11 2.Ti(1im)veriesSAiandPAasdescribedinsubsection2.2.IfthevericationfailsthenTibroadcaststhesuspectsharevalueandstops;otherwise Tiacceptstheshare. 3.BsecretlychoosesandstoresitsprivatekeyagreementvalueSB,andcomputesthefollowingvalues: Ujacceptstheshare. icationfailsthenujbroadcaststhesuspectsharevalueandstops;otherwise thecorrespondingpublicvaluepb(=gsb), theprivatesharessbj(1jn)asdenedinsubsection2.1,and thepublicvericationsequencevbasdenedinsubsection2.2,andthen calculatespat(=pstab obtainsstabbyusingthefunctionfwithk(t1;:::;tm),aandb, sendssbjandvbtouj(1jn). 5.Ti(1im)doesthefollowing: 4.Uj(1jn)veriesSBjandPBasdescribedinsubsection2.2.Ifthever- 6.Uj(1jn)veriesSAijSTAB,VAiandPATasdescribedinsubsection 2.3.IfthevericationfailsthenUjbroadcaststhesuspectsharevalueand calculatessaij(1jn)fromsaiasdenedinsubsection2.3, Finally,TisendsSAijSTAB,VAiandPATtoUj(1jn). computesthe`privateshares'saijstab,andtheircorrespondingpublic sequencevaiasdenedinsubsection2.2. valuesgsaijstabasdenedinsubsection2.4,andthepublicverication A), 7.Uj(1jn)doesthefollowing: stops,otherwiseujacceptstheshare. calculatespatu(=psuab obtainssuabbyusingthefunctionfwithk(u1;:::;un),aandb, 8.Ti(1im)veriesSBjiSUAB,VBjandPBUasdescribedinsubsection sendssbjisuab,vbjandpbutoti(1im). calculatespbu(=psuab calculatessbji(1im)fromsbjasdenedinsubsection2.3, computesthe`privateshares'sbjisuab,andtheircorrespondingpublic valuesgsbjisuabasdenedinsubsection2.4,andthepublicverication sequencevbjasdenedinsubsection2.2,and,nally, B), AT)andsendsittoB, kttps(ineitherdomain)cancomputekab. Theorem8Theabovemechanismhasthepropertythatanygroupofatleast 9.AandBcannowseparatelycomputethesessionkey: 2.3.IfthevericationfailsthenTibroadcaststhesuspectsharevalueand ittoa. stops,otherwisetiacceptstheshare,calculatespbtu(=pstab KAB=(PBTU)SA=(PATU)SB=gSASBSTABSUAB: BU)andsends Proof Theprooffollowsimmediatelyfromtheresultsinsubsection3.2above.2

12 thepreviousmechanism,itissuggestedthatstabandsuabshouldbechanged totrusteachother,asmentionedinsubsection2.3.forthesamereasonsasin asoftenasrequired. 4Furtherconsiderations Inakeyescrowsystem,thedieringrequirementsofusersandinterceptionauthoritiesarefurthercomplicatedbytheintroductionofthekeyescrowagencieciesforpreventingcriminalusersfromabusingescrowedkeys.Boththeusers andinterceptionagenciesshouldbeinapositiontocheckthatthekeyescrow theotherdomaincannotsubverttheescrowedkeys. relationshipsamongstthesethreegroupsofentitiesbecomesstillmorecompli- agenciescannotrevealescrowedkeysillegally.ininternationalkeyescrow,the domainhaveapotentialrequirementtocheckthatthekeyescrowagenciesin catedbecausemorethanonedomainisinvolved.thekeyescrowagenciesinone 4.1Moderatelytrustedthirdparties Therearetwomajorreasonswhywemakeuseofmoderatelytrustedthirdparties inthispaper. thevariousentitiesinvolved. Ifinterceptionagenciesarenotactivelyinvolvedinsessionkeyestablishment Inthissection,wediscussionsomeaspectsofthetrustrelationshipsbetween Inthismechanism,thetwosetsofthirdpartiesinbothdomainsdonothave (orttps).thekeyescrowagenciesareresponsibletotheinterceptionagen- Iftwouserssharingnosecretwanttocommunicatesecuritywitheachother, forpossiblydeviantusersanddonotstoreeverysessionkeythemselves,key ofthemmightbecollectivelytrustedbytheinterceptionagencies. escrowagenciesarerequiredtoprovideavalidkeywhenlawfullyauthorised. theyneedanauthenticationserviceprovidedbyauthenticationservers.althoughtheserversmaynotbetrustedindividually,agroupofthemmight Althoughthekeyescrowagenciesmaynotbetrustedindividually,agroup agenciesinpreviouslyproposedkeyescrowsystems.therstapproachinvolves [2,15])havebeenusedforsplittinganescrowedkeyintonsharesescrowedbyn `splitting'withannoutofnscheme,whereallncomponentsareneededto restoreagivenkey[12].thesecondapproachusessplittingwithankoutofn thresholdscheme,whichallowsanysubsetofkofthenescrowagenciestoaect Fourkindsofkeysplittingschemesbasedonsecretsharingschemes(e.g. therecoveryofacompletekey,butprohibitsanygroupoffewerthankagencies becollectivelytrustedbytheirusers. (n;t;u)-escrowscheme,whichallowsasubsetoftheescrowagenciestorecover fromrecoveringacompletekey[9].thethirdapproachinvolvessplittingwithan akey,wheretescrowagenciescouldconspirewithoutcompromisingakey,and n?uagenciescould`withhold'theircomponentswithoutinterferingwithkey

13 recovery(t<un)[11].thelastapproachinvolvessplittingwitha`general ofescrowagenciesthatcanworktogethertorestoreakey[4]. tually,anyoneofthesefoursplittingschemescouldhavebeenchosen,andin moderatelytrustedthirdparties.notealsothattheideaofreiteretal.regardingsecuregroupimplementationin[14]canbeusedtoestablishsuchasetof monotoneaccessstructure',whichallowsforthespecicationofarbitrarysubsets 4.2Untrustworthyusers practicethechoicewoulddependontherequirementsforestablishingasetof moderatelytrustedthirdpartiesandtheirgroupkey. Wehaveusedthesecondapproachinthemechanismsdescribedhere.Ac- S0)isa`shadow'keypair,andP0=f(P)wherefisaneasilycomputedand (P,S)and(P0,S0),where(P,S)isaproper(public-key,private-key)pair,(P0, agreement.inthisattack,eachoftwoattackersinsteadgeneratestwokeypairs interceptionauthoritycancomputeanescrowedkeybyusingdie-hellmankey interceptionauthoritytheabilitytoreconstructs,sothatboththeusersand exchange.eachnormalusergeneratesapair(p,s),publishespandgivesan howthisattackmightworkinakeyescrowsystembasedondie-hellmankey KilianandLeightongavea`shadow-public-key'attackin[9],andwenowsee Wenowconsiderthecasewhereusersarenottrustworthyinakeyescrowsystem. separatelycomputea`shadow-escrowed-key'byusinghis`shadow-private-key' ordinaryuser,butkeepss0reservedashisshadowprivatekey.bothattackers publiclyknownfunction.eachofthemuses(p,s)inthesamewayaswouldan andtheother's`shadow-public-key'.ifitisinfeasibletoobtains0byknowingp, P0andS,theinterceptionauthoritycannotobtainthe`shadow-escrowed-key'. tion2.4,whichprovidedthebasisofusersandthirdpartiesjointlygenerating Furthermoretheinterceptionauthoritymaynotdetectthischeating. anescrowedkeyinordertopreventtheusersfromusingahidden`shadow-key'. whichisinfeasiblycomputedbyusingp,p0ands. NotethatitonlymakessensetopreventcriminalusersfromobtainingaS0 ingthekeyescrowsystembyusingimproperkeys,forexamples,usinganold escrowedkeyinsteadofacurrentone,usingamodicationoftheescrowedkey, e.g.whichmaybeapubliclyknownfunctionoftherealescrowedkey,andusing Wepresentedananeexpansibleveriablesecretsharingschemeinsubsec- ands.althoughtheseabusesarealldetectable,akeyescrowmechanismmay a`shadow-public-key',wheres0mayfeasiblybecomputedbyknowingp,p0 nevercheckforsuchabuses,givingdeviantusersgreaterleewayintheirabuses. as,keepingalloldescrowedkeysinavalidperiodtocheckiftheyareused Thefurtherproblemishowinpracticetopreventcriminalusersfromabus- again,andmonitoringallcommunicationchannelsbetweensuspectedcriminal users[10].unfortunately,theseapproachesmaynotbepractical,particularly,in thecurrentescrowkeyiftheusersshareasecretorcanusetheirownsecurity complicatedmobiletelecommunicationssystems. Anumberofapproachescouldbeusedtopreventtheaboveabuses,such Infact,itisimpossibleforakeyescrowsystemtoforcetwouserstouseonly

14 agenciesinordertoauthenticateoneanother'sidentityandestablishashared byusinganoldescrowedkeyoramodiedescrowedkey.howeverwehavenot communicatesecurelywitheachother,havetogetassistancefromkeyescrow answeredthequestionofhowtoforceuserstouseonlythecurrentescrowed sessionkey.weassumeitisdetectableiftheuserssubvertkeyescrowsystems system.forthepurposesofthispaper,wesupposethattwousers,whowantto 4.3Multiplemistrustingdomains withtwomobilecompaniesbelongtocountriesgandh,andareroamingin Sofarwehavediscussedkeyescrowinmutuallymistrustingdomains.However, arecitizensofcountriescandd,workforcountrieseandf,areregistered twocountriesiandj.theirtracmightconceivablyneedtobeintercepted somemodernsecurecommunicationsmaycovermorethantwodomains.for example,inaglobalmobiletelecommunicationssystem,twousers,respectively, anddeviseaninternationalkeyescrowsystemwhichprovidesallgovernments byagenciesinanyofcountriesc?j,andhenceitmaybenecessarytotry involvedwithwarrantedaccesstousercommunications.tomakemattersmore complicated,thecountriesinvolvedmaynotalltrusteachother. large. maynotbepractical,particularlywhenthenumberofdomainsinvolvedisquite involvedhavetocollaboratetoprovidecontributionstotheescrowedkey.this asdescribedinsubsection3.3,couldalsobeusedforthispurpose,atleastin theory.theproblemisthateachsetofkeyescrowagenciesineachdomain purpose.however,whetherornotasetofkeyescrowagenciescouldbeset upwhicharemoderatelytrustedbymultiplemistrustingdomains,dependson politicalconsiderationsbeyondthescopeofthispaper.thesecondmechanism, Ourrstmechanism,asdescribedinsubsection3.2,couldbeusedforthis inmutuallymistrustingdomainsandanalyseditsuse. 5Conclusions Wehavedescribedakeyescrowsystemusingmoderatelytrustedthirdparties Dothereexistpracticalkeyescrowsystemsforcinguserstouseonlythe Thefollowingopenquestionsareofpotentialpracticalimportance. References 1.NationalInstituteofStandardsandTechnology.FIPSPublication185:Escrowed Canapracticalkeyescrowschemebedesignedforthecasewheremorethan spanmorethanonedomain? currentescrowedsessionkey? EncryptionStandard.February1994. twodomainsareinvolved,andwhereescrowagenciesarenotpermittedto

15 2.G.R.Blakley.Safeguardingcryptographickeys.IntheProceedingsofAFIPS L.Chen,D.Gollmann,andC.Mitchell.Keydistributionwithoutindividual NCC,Vol.48,Arlington,Va.,pages313{317,June Y.FrankelandM.Yung.Escrowencryptionsystemsvisited:attacks,analysis 5.W.DieandM.E.Hellman.Newdirectionsincryptography.IEEETransactions 4.D.E.DenningandD.K.Branstad.Ataxonomyforkeyescrowencryptionsystems. oninformationtheory,22:644{654,november1976. anddesigns.ind.coppersmith,editor,lecturenotesincomputerscience963, CommunicationsoftheACM,39(3):34{40,1996. trustedauthenticationservers.inproceedings:the8thieeecomputersecurity AdvancesinCryptology CRYPTO'95,pages222{235.Springer{Verlag,1995. California,June1995. FoundationsWorkshop,pages30{36.IEEEComputerSocietyPress,LosAlamitos, 7.L.Gong.Increasingavailabilityandsecurityofanauthenticationservice.IEEE 10.A.K.Lenstra,P.Winkler,andY.Yacobi.Akeyescrowsystemwithwarrant 8.N.Jeeries,C.Mitchell,andM.Walker.Aproposedarchitecturefortrusted thirdpartyservices.ine.dawsonandj.golic,editors,lecturenotesincomputerscience1029,cryptography:policyandalgorithmsconference,pages98{104. Springer-Verlag,1996. editor,lecturenotesincomputerscience963,advancesincryptology-crypto JournalonSelectedAreasinCommunications,11:657{662, S.MicaliandR.Sidney.Asimplemethodforgeneratingandsharingpseudorandomfunctions,withapplicationstoclipper-likekeyescrowsystems.InD. Software,toappearOctober1996. Coppersmith,editor,LectureNotesinComputerScience963,AdvancesinCryp- 9.J.KilianandT.Leighton.Faircryptosystems,revisited.InD.Coppersmith, 12.J.Nechvatal.Apublic-keybasedkeyescrowsystem.JournalofSystemsand '95,pages208{221.Springer{Verlag, T.P.Pedersen.Distributedproverswithapplicationstoundeniablesignatures. bounds.ind.coppersmith,editor,lecturenotesincomputerscience963,advancesincryptology-crypto'95,pages197{207.springer{verlag, M.K.Reiter,K.P.Birman,andR.vanRenesse.Asecurityarchitectureforfaulttolerantsystems.ACMTransactionsonComputerSystems,12:340{371, A.Shamir.Howtoshareasecret.CommunicationsoftheACM,22:612{613,1979. tology-crypto'95,pages185{196.springer{verlag,1995. InD.W.Davies,editor,LectureNotesinComputerScience547,Advancesin Cryptology:Proc.Eurocrypt'91,pages221{238.Berlin:Springer-Verlag,1991. ThisarticlewasprocessedusingtheLATEXmacropackagewithLLNCSstyle