How to Use Key Escrow

A Taxonomy for Key Escrow Encryption Systems

Dorothy E. Denning and Dennis K. Branstad

COMMUNICATIONS OF THE ACM, March 1996/Vol. 39, No. 3

This taxonomy helps describe and categorize the escrow mechanisms of complete systems along with various design options.

A key escrow encryption system (or escrowed encryption system) is an encryption system with a backup decryption capability that allows authorized persons (users, officers of an organization, and government officials), under certain prescribed conditions, to decrypt ciphertext with the help of information supplied by one or more trusted parties holding special recovery keys. The recovery keys are not normally the same as those used to encrypt and decrypt the data, but rather provide a means of determining the encryption/decryption keys. The term key escrow is used to refer to the safeguarding of these recovery keys. Other terms used include key archive, key backup, and recovery system.

This article presents a taxonomy for key escrow encryption systems, providing a structure for describing and categorizing the escrow mechanisms of complete systems as well as various design options. Table 1 applies the taxonomy to several key escrow products or proposals. The sidebar, "Glossary and Sources," identifies key terms, commercial products, and proposed systems.

Components

An escrowed encryption system can be divided logically into three main components:

User Security Component (USC). The USC is a hardware device or software program that provides encryption and decryption capabilities as well as support for the key escrow function. This support can include attaching a data recovery field (DRF) to encrypted data. The DRF may be part of the normal key distribution mechanism.

Key Escrow Component (KEC). The KEC, which is operated by key escrow agents, manages the storage and release or use of recovery keys. It may be part of a public key certificate management system or part of a general key management infrastructure.

Data Recovery Component (DRC). The DRC consists of the algorithms, protocols, and equipment needed to obtain the plaintext from the ciphertext plus information contained in the DRF and provided by the KEC. It is active only as needed to perform a specific authorized recovery.

These logical components are highly interrelated, and the design choices for one affect the others. Figure 1 shows the interaction of the components. A USC encrypts plaintext with a key and attaches a DRF to the ciphertext. The DRC recovers the plaintext using information contained in the DRF plus information provided by the KEC. Each of these components is described in the following sections.

User Security Component

The USC encrypts and decrypts data and performs functions that support the recovery process. It is characterized by the following:

Application Domain. A USC can support one or both of the following:
- Communications. This includes phone calls, electronic mail, and other types of connections. Emergency decryption is used by law enforcement in conjunction with court-authorized interception of communications, also known as wiretaps.
- Stored data. Stored data can be simple files or more general objects. Emergency decryption is used either by the owners of the data to recover lost or damaged keys, or by law enforcement officials to decrypt computer files seized under a court order.

Data Encryption Algorithm. The following attributes are particularly relevant to escrowed encryption:
- Name and mode of operation. Mode of operation can affect exportability, so, for example, triple encryption modes may not be allowed under a general export license.
- Key length. This can also affect exportability.
- Classification. An algorithm may be classified or unclassified; if unclassified, it may be proprietary or public.

Stored Identifiers and Keys.
The USC stores identifiers and keys used for emergency decryption:
- Identifiers. These can include a user or USC identifier, identifiers for keys, and identifiers for the KEC or escrow agents.
- Keys. These can include keys unique to the USC, keys belonging to its user, or global system keys used by the KEC. They can be public or private. Copies of the keys or their private counterparts may be held in escrow.

DRF and Mechanism. When data are encrypted with a key K, the USC must bind the ciphertext and K to one or more recovery keys, normally by attaching a DRF to the encrypted data. The binding is characterized by:
- Whose recovery keys. K can be bound to keys held by the escrow agents of the sender, the receiver, or both. The choice affects recovery.
- Role in key distribution. The DRF and binding mechanism can be integrated with the protocols used to transmit K to the intended recipient. In that case, the sender must transmit a valid DRF in order for the intended recipient to acquire the key.
- Contents of DRF. Normally, the DRF contains K encrypted under one or more recovery keys (e.g., a product key, the public key of the sender or receiver, or a public key of the KEC).

Figure 1. Key escrow encryption system. (Diagram labels: User Security Component: plaintext, key, encrypt; DRF, ciphertext; User Security Component: key, decrypt, plaintext; Key Escrow Component: recovery keys; Data Recovery Component: determine key, decrypt, plaintext.)
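
The flow in Figure 1, as an added example that is not code from the article or from any product it describes: a USC encrypts under a fresh key K and attaches a DRF holding K encrypted under a recovery key, and the DRC recovers the plaintext through the KEC. The DRF layout, the SHA-256 keystream standing in for a real cipher, the HMAC escrow authenticator, and all class and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed DRF layout (an assumption, not a format from the article):
# escrow agent id, USC id, wrap nonce, K under the recovery key, authenticator.
DRF_HEAD = ">HI16s32s"
DRF_FMT = DRF_HEAD + "32s"


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream = b"".join(
        hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def authenticator(k: bytes, drf_head: bytes, data_nonce: bytes) -> bytes:
    """Escrow authenticator keyed by K; a holder of K can check DRF integrity."""
    return hmac.new(k, drf_head + data_nonce, hashlib.sha256).digest()


class KeyEscrowComponent:
    """KEC: stores recovery keys and offers the 'decrypt key' service."""

    def __init__(self, agent_id: int):
        self.agent_id = agent_id
        self._recovery_keys = {}   # USC id -> recovery key held in escrow
        self.audit_log = []        # (USC id, authorization) for every request

    def enroll(self, usc_id: int) -> bytes:
        self._recovery_keys[usc_id] = secrets.token_bytes(32)
        return self._recovery_keys[usc_id]

    def decrypt_key(self, drf: bytes, authorization: str) -> bytes:
        """Return K from the DRF; the recovery key is not released to the DRC."""
        agent_id, usc_id, nonce, wrapped, _tag = struct.unpack(DRF_FMT, drf)
        if not authorization:
            raise PermissionError("no proof of legal authority supplied")
        if agent_id != self.agent_id or usc_id not in self._recovery_keys:
            raise LookupError("DRF names a recovery key this KEC does not hold")
        self.audit_log.append((usc_id, authorization))
        return stream_xor(self._recovery_keys[usc_id], nonce, wrapped)


class UserSecurityComponent:
    """USC: encrypts data under a fresh key K and attaches a DRF."""

    def __init__(self, usc_id: int, agent_id: int, recovery_key: bytes):
        self.usc_id, self.agent_id = usc_id, agent_id
        self._recovery_key = recovery_key

    def encrypt(self, plaintext: bytes):
        k = secrets.token_bytes(32)
        data_nonce, wrap_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        wrapped = stream_xor(self._recovery_key, wrap_nonce, k)
        head = struct.pack(DRF_HEAD, self.agent_id, self.usc_id, wrap_nonce, wrapped)
        drf = head + authenticator(k, head, data_nonce)
        return drf, data_nonce, stream_xor(k, data_nonce, plaintext)


def drc_recover(kec, drf, data_nonce, ciphertext, authorization):
    """DRC: obtain K through the KEC, validate the DRF, then decrypt."""
    k = kec.decrypt_key(drf, authorization)
    if not hmac.compare_digest(drf[-32:], authenticator(k, drf[:-32], data_nonce)):
        raise ValueError("DRF does not match the key it yields")
    return stream_xor(k, data_nonce, ciphertext)


def demo():
    kec = KeyEscrowComponent(agent_id=7)                    # constructed ids
    usc = UserSecurityComponent(1001, 7, kec.enroll(1001))
    drf, nonce, ct = usc.encrypt(b"constructed sample message")
    recovered = drc_recover(kec, drf, nonce, ct, "court order (sample)")
    damaged = drf[:30] + bytes([drf[30] ^ 1]) + drf[31:]    # one bit of wrapped K
    try:
        drc_recover(kec, damaged, nonce, ct, "court order (sample)")
        detected = False
    except ValueError:
        detected = True
    return recovered, detected, len(kec.audit_log)
```

Because the authenticator is keyed by K, it catches a DRF altered in transit but not a sender that deliberately builds a DRF around the wrong key.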

Table 1. Summary characteristics of key escrow encryption systems and approaches

Key Escrow System or Approach (* is commercial product): AT&T Crypto Backup; Bankers SecureKEE*; Bell Atlantic Yaksha; Blaze File Crypto; Clipper Chip (EES)*; Cylink Key Escrow; Desmedt Traceable; Fortezza Card*; Fortress KISS; Kilian/Leighton F-safe; Leiberich TB-Clipper; Leighton/Micali; Lenstra/Winkler/Yacobi; Lotus Notes Int'l*; Micali Fair Crypto; Micali Partial Escrow; Micali/Sidney Esc.; National CAKE; Nechvatal Public-Key; Nortel Entrust*; PC Sec. Stoplock KE*; Royal Holloway TTPs; RSA Secure*; Shamir Partial Escrow; TECSEC VEIL*; TESS w Key Escrow; Threshold Decryption; TIS Comm. Key Esc.*; TIS Software Clipper.

Columns:
User Security Component (USC): App, Enc Alg, Keys, DRF, Imp
Key Escrow Component (KEC): Role, Type, Esc Keys, Split, Service
Data Recovery Component (DRC): Keys Req, Per

User Security Component (USC)
App = application: = communications; f = files and other stored objects.
Enc Alg = encryption algorithm: = classified; = unclassified; r = proprietary unclassified.
Keys = stored keys used with key escrow function: = private keys and optionally public keys; = public keys only.
DRF = encryption keys used to compute Data Recovery Field: = private keys (and, optionally, public keys); = public keys; k = DRF also used with key establishment/distribution; = not applicable.
Imp = implementation: = some special hardware required; / = hardware with a clock; = software with optional hardware.

Key Escrow Component (KEC)
Role = integration of key escrow into key management infrastructure: KMI = integrated with key management infrastructure; PKI = component of public key infrastructure administered by certificate authorities.
Type = type of system: = keys held by commercial or private sector escrow agents; = keys held by government.
Esc Keys = keys stored in escrow: dir = file encryption key used with entire directory; = escrow agent key; partial = part of user or application key; = product unique key; session = session key; system = keys managed by system; = user key.
Split = splitting of keys with escrow agents: n/n = n out of n needed for decryption; = k out of n needed using threshold techniques; t/u/n = allows t to conspire and compromise key and n-u to withhold.
Service = service provided to DRC: de = decrypt encryption key; rel = release from escrow; thd-de = use threshold decryption; de = decrypt user or product key; rel = release from escrow; rel V = release keys used by pair of users and V; tb = time-bounded keys released; exp = keys released with expiration date.

Data Recovery Component (DRC)
Keys Req = keys required for decrypting: = keys associated with the sender or the sender's; = keys associated with the receiver or the receiver's; / = keys associated with either sender or receiver.
Per = frequency with which DRC must interact with KEC to get keys: = once per session/file key; = once per sender; = once per receiver.

Blanks in table denote open or unspecified elements.

In some cases, only some of the bits of K may be made available through the DRF so the remaining bits must be determined through brute force. The DRF also contains information identifying the recovery keys, the KEC or key escrow agents, the encryption algorithm and mode, or the DRF creation method. The entire DRF may be encrypted under a family key associated with the DRC in order to protect identifiers transmitted in the DRF. Single-key or public-key cryptography can be used. The length of the DRF can affect the suitability of a particular scheme to certain applications (e.g., radio communications) where error rates are high.
- Transmission and frequency. Normally, the DRF precedes the ciphertext in a message or file header. With open connections, it may be retransmitted at regular intervals.
- Validation. The DRF may include an escrow authenticator verified by the receiver to determine the integrity of the DRF. Alternatively, if public keys are used to create the DRF, the receiver could recompute the DRF and compare the result with the DRF received.

Interoperability. A USC may be designed to interoperate only with correctly functioning USCs and not with USCs that have been tampered with or that do not support key escrow.

Implementation. A USC may be implemented in hardware, software, firmware, or some combination thereof. Hardware is generally more secure and less vulnerable to modification than software. If classified algorithms are used, they must be implemented in tamper-resistant hardware. Hardware implementations may include special-purpose cryptoprocessors, random number generators, and/or a high-integrity clock. Products that implement a USC are sometimes called escrowed encryption products (or devices). They have also been called escrow-enhanced or escrow-enabled products.

Assurance. The USC may provide assurance that users cannot circumvent or disable the key escrow mechanisms or other features. A USC that can be used or modified to cheat is called a rogue. The possibility of rogue USCs is strongly dependent on the recovery mechanism and implementation.
We distinguish between single rogues, which can interoperate with non-rogues, and dual rogues, which interoperate only with other rogues. Single rogues present the greatest threat to emergency recovery because they require no collaboration on the part of the receiver.

Key Escrow Component

The KEC is responsible for storing all recovery keys and for assisting the DRC by providing required data or services. It has the following elements:

Role in Key Management Infrastructure. The KEC could be a component of the key management infrastructure, which could be a single-key infrastructure (e.g., a key distribution center) or a public-key infrastructure. With the latter, the escrow agents could serve as the public-key certificate authorities.

Escrow Agents. The escrow agents, also called trusted parties, are responsible for operating the KEC. They may be registered with a key escrow center that coordinates their operation or serves as a point of contact for the USC or DRC. Escrow agents are characterized by:
- Type of agents. Escrow agents may be entities in the government or private sector. The former could restrict use of their services to government agencies. The latter, which are used with what are called commercial or private key escrow systems, could be internal to an organization or to independent companies offering commercial services, or to trusted third parties.
- Identifiability. This includes name and location.
- Accessibility. This is determined by the location of the escrow agents (e.g., local or foreign) and their hours of operation (e.g., 24 hours a day, 7 days a week).
- Security. This refers to how well the KEC protects against compromise, loss, or abuse of escrowed keys. It includes reliability and resiliency, which is a measure of the trust required of the escrow agents for protecting the escrowed keys from compromise and for enabling recovery.
- Accountability. This assures identification of an escrow agent that sabotages recovery or that releases keys to unauthorized parties or releases them under unauthorized circumstances.
- Liability.
This characterizes the liability of the escrow agents in case keys are compromised or become unavailable. Escrow agents might be bonded to protect against liability.
- Certified/licensed. This indicates whether the escrow agents are certified and licensed with a government. To qualify for a license, escrow agents may be required to meet specified conditions. Use of certified agents may affect exportability.

Data Recovery Keys. With escrowed encryption, all encrypted data are bound to escrowed recovery keys that enable access to the encryption keys. The recovery keys are characterized by:
- Granularity of keys. Options include:
  a. Data encryption keys. This includes session keys, network keys, and file keys. A key distribution center could generate, escrow, and distribute such keys.
  b. Product keys. These are unique to a USC.
  c. User keys. Normally, these would be public-private key pairs used to establish encryption keys. The KEC might serve as the user's public-key certificate authority, issuing a certificate for the user's public key.
  d. Master keys. These keys are associated with
the KEC and used by multiple USCs.
- Splitting of keys (secret sharing, threshold schemes). A recovery key can be split into multiple key components, with each component held by a separate agent. Keys can be split so that all n escrow agents are needed to restore a given key or so that any k out of n for some k, where n is the number of agents, suffices. They can be split using a general monotone access structure, allowing for the specification of arbitrary subsets of escrow agents that can work together to restore a key.
- Who generates and distributes keys. Keys can be generated by the KEC, the USC, or a combination of both. If generated by the USC, the keys may be split and escrowed using verifiable secret sharing schemes so that the escrow agents can check the validity of their individual components without knowing the original key. Keys may be generated jointly so a user cannot hide a shadow key in an escrowed key and thereby circumvent the key escrow mechanism.
- Time of escrow. Keys could be escrowed during product manufacture, system or product initialization, or user registration. If a user's private key (of a public-private key pair) is escrowed, it could be escrowed when the corresponding public key goes into the public-key infrastructure and a certificate is issued. A USC might send encrypted data only to users with public-key certificates signed by approved escrow agents.
- Key update. Some systems may allow recovery keys to be changed. Such updates could be performed on request or on a regular basis.
- Complete or partial. A portion of a key could be escrowed instead of the complete key. In this case, the unescrowed portion of the key would be determined through a brute force attack when it is needed for recovery.
- Storage of keys. This could be off-line (e.g., on floppy disks stored in safes or smartcards) or on-line.

Data Recovery Services. The KEC provides services, including release of information, to the DRC characterized by:
- Authorization procedures.
The procedures under which people operating or using the DRC can use the services of the KEC may include establishing proof of identity and legal authority to access the data to be decrypted.
- Services provided. There are several possible options:
  a. Release recovery keys. This approach is normally used when the recovery keys are session keys or user or product keys ( keys are not released). The keys might be released with an expiration date, after which they are automatically destroyed.
  b. Release derived keys. The KEC releases derivatives of recovery keys, such as time-bounded keys that enable decryption only of data encrypted during a specific period of time.
  c. Decrypt key. This approach is normally used when recovery keys are used to encrypt encryption keys (or keys) in the DRF so the KEC need not release the keys to the DRC.
  d. Perform threshold decryption. Each escrow agent provides a piece of a decryption to the DRC, which combines the results to get the plaintext.
- Transmission of data to and from the DRC, either manually or electronically.

Safeguards for Escrowed Keys. The KEC employs safeguards to protect against compromise or loss of keys. These can include a combination of technical, procedural, and legal safeguards. Examples are auditing, separation of duties, split knowledge, two-person control, physical security, cryptography, redundancy, computer security, trusted systems, independent testing and validation, certification, accreditation, configuration management, and laws with penalties for misuse.

Data Recovery Component

The DRC supports recovery of plaintext from encrypted data using information supplied by the KEC and in the DRF. It is characterized by:

Capabilities. These include:
- Timely decryption.
- Real-time decryption of intercepted communications.
- Post-processing. The DRC can decrypt communications previously intercepted and recorded.
- Transparency. Decryption is possible without the knowledge of the parties involved.
- Independence. Once the keys are obtained, the DRC can decrypt using its own resources, that is, independently of the KEC.

Data Encryption Key Recovery.
To decrypt data, the DRC must acquire the data encryption key K in the following ways:
- Access through sender or receiver. A critical factor is whether K can be recovered using recovery keys associated with the sender, the receiver, or either party. If access is possible only through keys held by the sender's escrow agents, the DRC must obtain key escrow data for all parties transmitting messages to a particular user, possibly precluding real-time decryption, especially if the parties are in different countries and using different escrow agents. Likewise, if access is possible only through keys held by the receiver's escrow agents, real-time decryption of all messages transmitted from a particular user may be impossible. If recovery is possible using keys held by either set of escrow agents, the DRC can decrypt intercepted communications both to and from a particular USC in real time once the key used by that USC is obtained. A system may provide this capability for two-way simultaneous communications
(e.g., phone calls) by requiring that the same K be used for both ends of the conversation.
- Frequency of interaction with KEC. The DRC may be required to interact with the KEC once per encryption key or once per user or USC. The former requires an on-line connection between the DRC and the KEC to support real-time decryption of communications when the session key changes per conversation.
- Need for brute force. If the escrow agents return partial keys to the DRC, the DRC must use brute force to determine the remaining bits.

Safeguards on Decryption. The DRC can use technical, procedural, and legal safeguards to control what can be decrypted. For example, recovery may be restricted to a particular time period (e.g., as authorized by a court order). These safeguards supplement restrictions imposed by the KEC in its release of keys. Authentication mechanisms could be used to prevent the DRC from using the keys it acquires to create and substitute bogus messages.

Acknowledgments

We wish to thank Matt Blaze, Yvo Desmedt, Carl Ellison, Ravi Ganesan, Carmi Gressel, Hans-Joachim Knobloch, David Maher, Silvio Micali, Edward Scheidt, Greg Shanton, and Peer Wichmann for helpful comments on an earlier version of this taxonomy.

About the Authors:

DOROTHY E. DENNING is a professor of Computer Science at Georgetown University. Author's Present Address: Georgetown University, Department of Computer Science, 225 Reiss Science Building, Washington, DC 20057; email: denning@cs.georgetown.edu

DENNIS K. BRANSTAD is Director of Cryptographic Technologies at Trusted Information Systems, Inc. Author's Present Address: Trusted Information Systems, 3060 Washington Road, Glenwood, MD 2738; email: dbranstad@tis.com

Permission to make digital/hard copy of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication and its date appear, and notice is given that copying is by permission of ACM, Inc.
To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. ACM 0002-0782/96/0300 $3.50

Glossary and Sources

AT&T Crypto Backup. This is a proprietary design for a commercial system that backs up document keys through an escrowed key. See David P. Maher, "Crypto Backup and Key Escrow," in this issue of Communications of the ACM.

Bankers Trust Secure Key Escrow Encryption System (SecureKEE). Employees of a corporation register their encryption devices (e.g., smartcards) and private encryption keys with one or more commercial escrow agents selected by the corporation. See SecureKEE product literature, CertCo, Bankers Trust Co.

Bell Atlantic Yaksha System. An on-line key security server generates and distributes session keys and file keys using a variant of the RSA algorithm. The server transmits the keys to authorized parties for recovery purposes. See Ravi Ganesan, "The Yaksha Security System," in this issue of Communications of the ACM.

Blaze's Smartcard-based Key Escrow File System. This is a prototype smartcard-based key escrow system for use with the Cryptographic File System. A user escrows a file encryption key on a smartcard entrusted with an escrow agent. See Matt Blaze, "Key Management in an Encrypting File System," AT&T Bell Laboratories.

The Clipper/Capstone Chips. These tamper-resistant chips implement the Escrowed Encryption Standard (EES), which uses the classified Skipjack algorithm. Unique recovery keys, programmed onto each chip, are split between two government agencies and restricted to government use. See Dorothy E. Denning and Miles Smid, "Key Escrowing Today," IEEE Communications, Vol. 32, No. 9, Sept. 1994, pp. 58 68.

Cylink Key Escrow. This proposal uses Diffie-Hellman techniques for integrating key escrow services into a public-key infrastructure. See Jim Omura, "Alternatives to RSA Using Diffie-Hellman with DSS," white paper, Cylink, Sept. 1995.

Desmedt Traceable Ciphertexts. This proposal binds the DRF to ciphertext in such a way that the identity of the receiver can be determined if the receiver can determine the session key.
See Yvo Desmedt, "Securing Traceability of Ciphertexts - Towards a Secure Software Key Escrow System," Proceedings of Eurocrypt 95, Saint-Malo, France, May 2-25, 1995, pp. 47 57.

Fortezza Card. This commercially available PC card contains a Capstone chip. A user's public-private encryption keys are stored on the card and escrowed with the user's public-key certificate authority.

Fortress KISS: Keep the Invaders (of Privacy) Socially Sane. This proposed system uses tamper-resistant encryption chips and escrow agent recovery keys. See Carmi Gressel, Ran Granot, and Itai Dror, "International Cryptographic Communication Without Key Escrow. KISS: Keep the Invaders (of Privacy) Socially Sane," International Cryptography Institute 1995: Global Challenges.

Kilian and Leighton Failsafe Key Escrow. With this proposal, a user's keys are generated jointly by the user and key escrow agents so the user cannot circumvent key escrow. See Joseph Kilian and Tom Leighton, "Fair Cryptosystems, Revisited," Proceedings of CRYPTO 95, pp. 208 22.

Leiberich Time-Bounded Clipper with a Clock. This proposed enhancement to Clipper offers time-bounded recovery through a clock and date-dependent device unique keys. Otto Leiberich, private communication, June 1994.

Leighton and Micali Key Escrow with Key Agreement. With this proposal, each user has an escrowed private key. Any two users can compute a shared secret key
from their own private key and the identifier of the other. See Tom Leighton and Silvio Micali, "Secret-Key Agreement without Public-Key Cryptography," Proceedings of Crypto 93, pp. 208 22.

Lenstra, Winkler, and Yacobi Key Escrow with Warrant Bounds. This proposal allows the escrow agents to release keys that restrict decryption to the communications of a particular user or pair of users during a specific time interval. See Arjen K. Lenstra, Peter Winkler, and Yacov Yacobi, "A Key Escrow System with Warrant Bounds," Proceedings of Crypto 95, pp. 97 207.

Lotus Notes International Edition (Differential Workfactor Cryptography). Data are encrypted with 64-bit keys, 24 of which are encrypted under a public key of the government and transmitted with the data. The government can obtain the remaining 40 bits through brute force. See Lotus Backgrounder, "Differential Workfactor Cryptography," Lotus Development Corp., 1996.

Micali and Sidney Resilient Clipper-like Key Escrow. This proposal allows keys to be split so recovery is possible even if some of the escrow agents compromise or fail to produce their key components. See Silvio Micali and Ray Sidney, "A Simple Method for Generating and Sharing Pseudo-Random Functions, with Applications to Clipper-like Key Escrow Systems," Proceedings of Crypto 95, pp. 85 96.

Micali Fair Public Key Cryptosystems. Verifiable secret sharing techniques are proposed whereby users generate, split, and escrow their private keys with escrow agents of their choice as a prerequisite to putting their public keys in the public key infrastructure. See Silvio Micali, "Fair Cryptosystems," MIT/LCS/TR-579., Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Mass., Aug. 1994.

Micali Guaranteed Partial Key-Escrow. Under this proposal, the private keys of users are partially escrowed. The escrow agents verify that the bits in their possession are correct and that only a relatively small number of bits are unescrowed. See Silvio Micali, "Guaranteed Partial Key-Escrow," MIT/LCS/TM-537, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Mass., 1995.

National Semiconductor CAKE.
This proposal combines a Trusted Information Systems (TIS) Commercial Key Escrow (CKE) with National's PersonaCard. See W.B. Sweet, "Commercial Automated Key Escrow (CAKE): An Exportable Strong Encryption Proposal," National Semiconductor, iPower Business Unit, June 4, 1995.

Nechvatal Public-Key Based Key Escrow System. This proposal uses Diffie-Hellman public-key techniques for escrowing keys and for recovery. See James Nechvatal, "A Public-Key Based Key Escrow System," Journal of Systems and Software, to appear Oct. 1996.

Nortel Entrust. This commercial product archives users' private encryption keys as part of the certificate authority function and public-key infrastructure support. See Warwick Ford, "Entrust Technical Overview," White Paper, Nortel Secure Networks, Oct. 1994.

PC Security Stoplock KE. This commercial product integrates private key escrow into the key management infrastructure. See Stoplock Press, PC Security, Ltd., Marlow, Buckinghamshire, UK, Issue 3, Nov. 1995.

Royal Holloway Trusted Third Party (TTP) Services. This proposed architecture for a public key infrastructure requires that the trusted TTPs associated with pairs of communicating users share parameters and a secret key. See Nigel Jefferies, Chris Mitchell, and Michael Walker, "A Proposed Architecture for Trusted Third Party Services," Royal Holloway, University of London, 1995.

RSA Secure. This file encryption product provides recovery through an escrowed public key, which can be split among up to eight trustees using a threshold scheme. See RSA Secure, product literature from RSA Data Security, Inc.

Shamir Partial Key Escrow. This is a proposal to escrow all but 48 bits of a long (256-bit) key. The 48 bits, generated randomly for each session or file, are determined by brute force during recovery. See Adi Shamir, "Partial Key Escrow: A New Approach to Software Key Escrow," The Weizmann Institute, presentation at NIST Key Escrow Standards meeting, Sept. 5, 1995.

TECSEC VEIL. This commercial product provides file (and object) encryption. Private key escrow is built into the key management infrastructure. See Edward M. Scheidt and Jon L. Roberts, "Private Escrow Key Management," TECSEC Inc., Vienna, Va. See also TECSEC VEIL, product literature.
TESS with Key Escrow. The Exponential Security System supports a general access structure for key escrow. The DRC obtains a particular session key by participating in the key establishment protocol and acquiring the sender's or receiver's private key. See Thomas Beth, Hans-Joachim Knobloch, and Marcus Otten, "Verifiable Secret Sharing for Monotone Access Structures," Proceedings of the 1st ACM Conf. on Communication and Computer Security, 1993; Thomas Beth, Hans-Joachim Knobloch, Marcus Otten, Gustavus J. Simmons, and Peer Wichmann, "Towards Acceptable Key Escrow Systems," Proceedings of the 2nd ACM Conference on Communication and Computer Security, 1994, pp. 5 58.

Threshold Decryption. With threshold decryption, a secret key can be shared by a group of escrow agents in such a way that through collaboration of the agents, information can be decrypted without the agents releasing their individual key components. See Yvo Desmedt, Yair Frankel, and Moti Yung, "A Scientific Statement on the Clipper Chip Technology and Alternatives," 1993.

TIS Commercial Key Escrow. This is a commercial key escrow system for stored data and file transfers. Data recovery is enabled through keys held by a Data Recovery Center. See Stephen T. Walker, Stephen B. Lipner, Carl M. Ellison, and David M. Balenson, "Commercial Key Recovery," in this issue of Communications of the ACM.

TIS Software Key Escrow Paralleling Clipper. This proposed design is similar to that of Clipper, except that it uses software rather than hardware and public key cryptography for recovery. See Stephen T. Walker, Stephen B. Lipner, Carl M. Ellison, and David M. Balenson, "Commercial Key Recovery," in this issue of Communications of the ACM.

For more detailed descriptions of these systems, see also Dorothy E. Denning's "Descriptions of Key Escrow Systems" at http://www.cosc.georgetown.edu/~denning/crypto/appendix.html
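
The n-out-of-n and k-out-of-n splitting of recovery keys described under the Key Escrow Component, together with the resilience the Micali and Sidney entry mentions, as an added example (not code from the article or from any listed system). It uses Shamir's polynomial threshold scheme over a prime field as one such technique; the key check value, the function names and the sample parameters are assumptions.

```python
import hashlib
import itertools
import secrets

P = 2**521 - 1  # Mersenne prime; the field comfortably holds a 256-bit key


def interpolate(points, x0):
    """Value at x0 of the unique polynomial through points, mod P (Lagrange)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def key_check(key: bytes) -> bytes:
    """Short check value kept with the escrow record (an assumption here)."""
    return hashlib.sha256(b"escrow-key-check" + key).digest()[:8]


def split_key(key: bytes, k: int, n: int):
    """Split key into components for agents 1..n; any k of them restore it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(k - 1)]
    components = {}
    for agent in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of the polynomial
            y = (y * agent + c) % P
        components[agent] = y
    return components, key_check(key)


def restore_key(components, k, check, key_len=32):
    """Return (key, agents whose components are inconsistent).

    Tries k-subsets of the supplied components until one reproduces the
    key check, then tests every supplied component against that polynomial.
    """
    points = sorted(components.items())
    for subset in itertools.combinations(points, k):
        secret = interpolate(subset, 0)
        if secret >> (8 * key_len):      # cannot be a key_len-byte key
            continue
        key = secret.to_bytes(key_len, "big")
        if key_check(key) == check:
            faulty = [x for x, y in points if interpolate(subset, x) != y]
            return key, faulty
    raise ValueError("no k components reproduce the escrowed key")


def demo():
    key = secrets.token_bytes(32)                 # constructed recovery key
    comps, check = split_key(key, k=3, n=5)
    # Agents 2 and 5 are unreachable: three components still suffice.
    ok = restore_key({a: comps[a] for a in (1, 3, 4)}, 3, check) == (key, [])
    # Agent 4 returns a corrupted component; a subset without it matches
    # the key check and exposes the bad component.
    mixed = {1: comps[1], 2: comps[2], 3: comps[3], 4: (comps[4] + 1) % P}
    found = restore_key(mixed, 3, check)
    # Two agents alone cannot restore a 3-out-of-5 key.
    try:
        restore_key({1: comps[1], 3: comps[3]}, 2, check)
        too_few = False
    except ValueError:
        too_few = True
    return ok, found == (key, [4]), too_few
```

With k equal to n the same functions give the n-out-of-n case, where a single missing or corrupted component makes `restore_key` fail.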