Computers and Electrical Engineering 25 (1999) 279±290
www.elsevier.com/locate/compeleceng
On the key escrow system without key exchange

Yung-Cheng Lee, Chi-Sung Laih*
Department of Electrical Engineering, National Cheng Kung University, 1 University Road, Tainan, 70101, Taiwan

Received 1 July 1998; received in revised form 1 November 1998; accepted 1 December 1998
Abstract

The key escrow system bridges the gap between privacy and protection against criminal behavior. In this paper, we propose a new key escrow system (NKES) and a partial key escrow system (PKES). Both systems have the following advantages: the users need not perform key exchange beforehand, the sender always generates a true law enforcement access field whenever the information is encrypted, and the law enforcement access field cannot be successfully forged. Besides these advantages, the partial key escrow system has the delay recovery property, which is essential for the user's privacy. © 1999 Elsevier Science Ltd. All rights reserved.

Keywords: Key escrow system; Escrow encryption standard; Key recovery; Cryptography
* Corresponding author. Tel.: +886-6-275-7575; fax: +886-6-234-5482. E-mail address: [email protected] (C.S. Laih).
PII: S0045-7906(99)00013-0

1. Introduction

Due to the development of communications and the growing volume of unclassified but sensitive information, the demand for private and confidential communications is essential. It is convenient to use cryptosystems to achieve privacy and confidentiality in communications. However, dishonest parties can also use cryptosystems to conceal their illegal activities, which endangers social security. Hence it is necessary to develop a cryptosystem which meets the requirements of both social security and private communications. In April 1993, the US government announced a new encryption technology called the key escrow system (KES) [1]. The objective of KES is to technically bridge the gap between users'
privacy and the protection against criminal behavior. That is, the goal of KES is to provide private communications and to ensure social security simultaneously. The Escrowed Encryption Standard (EES), announced by the US government in 1994, includes a symmetric encryption algorithm, SKIPJACK, and a key escrow algorithm packed in a tamper-free chip [2,3]. The security of EES depends on the physical protection of the tamper-free chips. There has been a lot of controversy, such as over the classified SKIPJACK algorithm, since the EES was announced.

The policy of a key escrow system includes when to decrypt the message encryption key or the message. The government or company always has rules regulating the time and conditions under which a message may be revealed. However, the policy of a government or company usually depends on people and varies over time. It is difficult to always trust a trustee. That is, due to an altered policy, keys escrowed today may be revealed some day in the future without warning. This is a nightmare for the users, since the message is revealed by the trusted center while the receiver supposes it is still secret. Such early recovery reduces the privacy of communications. Moreover, if intruders obtain the escrowed keys, the message will be recovered immediately.

The partial key escrow system has the property of delayed recovery of the key or message [4]. That is, the investigator must spend a long time and considerable effort to recover the message. Thus, if the investigator wants to recover the message immediately because of a changed policy that allows a secret to be revealed, users have time to respond to this drawback, and the disadvantage is reduced.

In this paper, we propose a new key escrow system and a partial key escrow system. Both of them can be implemented in hardware or software with any well-known cryptosystem. Moreover, the proposed systems need not interactively perform key exchange beforehand.

The paper is organized as follows. Some previous research on key escrow systems is reviewed in Section 2. The proposed new key escrow system and partial key escrow system are presented in Sections 3 and 4, respectively. In Section 5, we discuss the security and features of the proposed schemes. Finally, we draw some conclusions in Section 6.
2. Previous results

2.1. The US key escrow system

The KES proposed by the US government is implemented in a tamper-resistant hardware device with the classified SKIPJACK algorithm. Let the tamper-free device of user A be Chip_A. The information stored in this device is ID_A, KU_A and K_F, where ID_A denotes the unique identifier, KU_A is the device unique key, which is split into two partial keys to be escrowed by two key escrow agents (KEA), and K_F is the common family key of the group. The methods to generate KU and K_F are described in detail in [2]. Suppose user A wants to communicate with B; the encryption/decryption algorithm is described as follows. In the beginning, A first negotiates a session key K_S with B, then A inputs the message M and K_S to Chip_A. Chip_A generates an initial vector (IV) and a law enforcement access field (LEAF). User A forwards the LEAF and IV along with the ciphertext (M)_{K_S} to user B, where (M)_{K_S} denotes the message M encrypted by SKIPJACK with the session key K_S. The structure of the LEAF is as follows:

$$\mathrm{LEAF} = \big( (K_S)_{KU_A},\ UID_A,\ EA \big)_{K_F}, \qquad (1)$$

where

$$EA = h(UID_A,\ K_S,\ IV), \qquad (2)$$

and h(...) is a classified one-way hash function. On receiving the message, Chip_B decrypts the LEAF by using the family key. After EA is verified, Chip_B recovers the message M with the negotiated session key K_S. Thus A and B communicate in privacy.

Suppose that the investigator wants to wiretap a suspicious communication between users A and B. Under law authorization, the investigator uses the family key K_F to decrypt the LEAF, thereby obtaining ID_A. He forwards ID_A to the key escrow agents for the corresponding partial key components of KU_A. By using these two partial key components, the investigator obtains the device unique key KU_A and then the session key K_S. Finally, the plaintext is recovered by using the session key. The security of the US key escrow system is based entirely on the tamper-free hardware device, by which the system provides communications with escrow features.

2.2. Other key escrow systems

He and Dawson [5] introduced the idea of a timestamp, such that the investigator does not have access to a particular communication forever after an investigation is held. Micali proposed a fair public key cryptosystem (FPKC) [6], in which the public-private key pair is generated by the user, and the secret key is split into two or more partial keys for the trusted centers. Since the public-private key pair is chosen by the user, the privacy of the secret key can be guaranteed. Kilian and Leighton demonstrated the idea of failsafe key escrow [7]. In their system, the public-private key pair is generated partially by the user and partially by the escrow agents. On key escrow systems with software implementation, Desmedt proposed a scheme focused on the traceability of the receiver [8]. However, Knudsen and Pedersen [9] showed that Desmedt's scheme does not meet the requirements mentioned in [8]. Boyd proposed a software key escrow system with traceability [10]: users are unable to make use of the scheme while avoiding traceability. However, the scheme needs an on-line server to ensure this property, which increases the computational complexity. Bellare and Goldwasser proposed a verifiable partial key escrow system which provides verification of the secret key and its shadows [4]. Through the partially escrowed key, the system has the delay recovery property. Since verification is applied, the computational complexity is very high.
3. The new key escrow system (NKES)

There are users, an investigator and a trusted center (TC) in the proposed new key escrow system (NKES). Both the users and the trusted center have public key and secret key pairs. If necessary, the system may contain more than one trusted center. In this circumstance, the session key is shared among all trusted centers by a secret sharing scheme and is recovered by some qualified set of trusted centers. The NKES can be implemented in hardware or software. Without loss of generality, we assume that the system is implemented in hardware. The system includes the following three phases: (1) the initialization phase, which includes the management of the keys, the encryption/decryption algorithms and the information stored in the tamper-free device; (2) the communication phase, which describes the process that two users and the corresponding devices must perform for a confidential communication; and (3) the investigation phase, which denotes the process by which an investigator successfully wiretaps a suspicious communication.

3.1. The initialization phase

Suppose that the tamper-free device of user A is Chip_A. For simplicity, we treat Chip_A and user A as the same entity. The processor in the device can perform asymmetric and symmetric cryptosystems such as RSA and DES. Suppose that user A wants to send a message M to user B. The secret key and public key of user A are SK_A and PK_A, respectively. The key pair of the trusted center is SK_TC and PK_TC. Besides the cryptographic functions, the following information is stored in the device: ID_A, PK_A, SK_A, K_F, where ID_A denotes user A's unique identifier and K_F is the common family key for the whole group.

3.2. The communication phase

3.2.1. Message encryption

User A randomly chooses a session key K, from which the message encryption/decryption key will be formed. The session key K must be updated at every communication. User A inputs M, K and PK_B to the device Chip_A to generate the corresponding LEAF. The structure of the LEAF is as follows:

$$\mathrm{LEAF} = \big( K_1,\ K_2,\ UID_A,\ UID_B,\ TS,\ AC \big)_{K_F}, \qquad (3)$$

where

$$K_1 = \big( (K)_{SK_A} \big)_{PK_{TC}}, \qquad (4)$$

$$K_2 = \big( (K \,\|\, UID_A \,\|\, UID_B)_{SK_A} \big)_{PK_B}, \qquad (5)$$

and

$$AC = h(K,\ UID_A,\ UID_B,\ TS). \qquad (6)$$

Here, h(...) is a public one-way hash function, the symbol $\|$ denotes concatenation, and $((K)_{SK_A})_{PK_{TC}}$ denotes the session key K encrypted by SK_A and PK_TC sequentially. Any public-key cryptosystem, such as the RSA scheme, can be used to perform both functions. Finally, user A encrypts the plaintext with the message encryption key K_S by using a symmetric cryptosystem such as DES or IDEA to obtain the ciphertext C. That is,

$$C = (M)_{K_S} \qquad (7)$$

and

$$K_S = f(K,\ K_1,\ K_2), \qquad (8)$$

where f is a function producing an output with bit length equal to that of the secret key used in the symmetric block cipher. Note that in the US key escrow system, the message M is encrypted by using the session key only. In the proposed system, it is not necessary to interactively perform key exchange for the session key K_S. Moreover, neither the secret key nor the session key needs to be escrowed. Finally, the sender A sends the ciphertext C along with the LEAF to user B.

3.2.2. Message decryption

On receiving the message, the receiver first decrypts the LEAF to recover K_1 and K_2. By using SK_B and PK_A, the receiver obtains the session key K from K_2. After AC is verified by using Eq. (6), the receiver computes the message encryption key K_S by Eq. (8). Finally, the message M is recovered with K_S. The encryption/decryption algorithm is shown in Fig. 1. If the verification fails, the decryption process is stopped.

3.3. The investigation/recovery phase

The NKES provides solutions for both key escrow and key recovery. That is, through the system, the government can investigate a suspicious communication successfully, and the trusted centers can recover a key which a user has lost.
Fig. 1. The encryption/decryption phase of the NKES.
3.3.1. Law enforcement investigation

Suppose that the investigator wants to wiretap a suspicious communication. Under law authorization, the investigator forwards the LEAF to the trusted center. The trusted center first decrypts the LEAF to reveal K_1 and K_2 by using the family key K_F. By using SK_TC and PK_A, the trusted center obtains K from K_1. With K_1, K_2 and K, the message encryption key K_S is obtained by using Eq. (8). Finally, the trusted center forwards K_S to the investigator. The investigator thereby wiretaps the communication successfully, and a concealed crime may be exposed. The investigation phase is shown in Fig. 2.
3.3.2. Key recovery phase

On the other hand, suppose that the receiver B has lost his secret key SK_B. Without SK_B, user B cannot recover the message. In this case, the receiver asks the trusted center for help. He forwards the LEAF to the trusted center. After performing an authentication protocol to verify B's identity, the trusted center obtains K_1 from the LEAF. Then K and K_S are obtained sequentially. The trusted center forwards K_S to the receiver, by which the message can be recovered. The key recovery phase is shown in Fig. 3.
Fig. 2. The investigation phase of the NKES.
Fig. 3. The key recovery phase of the NKES.
4. The partial key escrow system (PKES)

Based on the previous new key escrow system, we also propose a partial key escrow system (PKES). Besides the advantages of the previous system, this system has the extra benefit of delay recovery. The system has several trusted centers, who are responsible for recovering the message encryption keys or the message if necessary. In this system, one part of the session key (the short key) is unescrowed, while the other part of the session key (the long key) is pseudo-escrowed by the trustees. Pseudo-escrowed means that the partial key is merely included in the LEAF and transmitted along with the ciphertext to the receiver instead of being really escrowed. That is, the long key is not really escrowed by the trusted center, while the escrow property is retained: the investigator can still recover the message from the LEAF as if the key were really escrowed. The trusted centers recover the long key when authorized by law. The short key is obtained by the trusted centers by exhaustive search through their boundless computation power. Since it takes a very long time to reveal the short key, the system has the feature of delay recovery. Moreover, an intruder cannot obtain the short key due to his low computation capability. Thus the privacy of communication is preserved. At present, it is difficult to reveal a key with a bit length of more than 48 bits. That is, with boundless computation capability, a trusted center can obtain a short key of up to 48 bits. Hence it is recommended to choose the short key within 48 bits. The bit length of the short key must be lengthened according to the development of advanced algorithms and high-speed computers.

The system can be used by a government or large company to effectively wiretap a suspicious communication, while the users do not worry about immediate access to the communication. Moreover, if a user cannot obtain the message due to the loss of his secret key, then the system can reveal the encryption/decryption key for the user to recover the message.

4.1. Initialization phase

Suppose that there are n trusted centers. The trusted centers need not run the system on line. According to a (t, n) secret sharing scheme [11], the partial key is pseudo-escrowed to the n trusted centers and can be recovered by at least t, t ≤ n, qualified trusted centers. Let p be a large prime of 512 bits. The session key is K, which is divided into a long key K_L and a short key K_S. That is,

$$K = K_L K_S \bmod p, \qquad (9)$$

where the long key K_L is pseudo-shared among the n trusted centers, and the short key K_S can only be recovered by exhaustive search by the trusted centers. However, the receiver can recover the session key easily from the LEAF.

4.2. The message encryption phase

The sender first chooses a 512-bit long key K_L and a 48-bit short key K_S, from which the session key K is obtained by Eq. (9). According to the (t, n) secret sharing scheme, the sender A computes n shadows for the long key K_L. That is, A chooses a polynomial g(x),

$$g(x) = g_0 + g_1 x + \cdots + g_{t-1} x^{t-1} \bmod p, \qquad (10)$$

where $g_0 = K_L$, $g_i \in [0, p)$ for $i \in [1, t-1]$ and $g_{t-1} \neq 0$. The shadows are $s_i$, $i \in [1, n]$, computed by

$$s_i = g(i) \bmod p. \qquad (11)$$

The shadows are encrypted by SK_A and the trusted centers' public keys sequentially. The encrypted shadows are

$$\big( (s_1)_{SK_A} \big)_{PK_{TC_1}},\ \big( (s_2)_{SK_A} \big)_{PK_{TC_2}},\ \ldots,\ \big( (s_n)_{SK_A} \big)_{PK_{TC_n}}.$$

Note that the short key K_S need not be shared with the trusted centers. Let the binary representation of K_S be

$$K_S = a_0 2^0 + a_1 2^1 + \cdots + a_{c-1} 2^{c-1}, \qquad (12)$$

where $a_i \in \{0, 1\}$ and c = 48. The sender generates a LEAF as follows:

$$\mathrm{LEAF} = \big( K_1,\ K_2,\ UID_A,\ UID_B,\ TS,\ AC \big)_{K_F}, \qquad (13)$$

where K_1, K_2 and AC are computed by
$$K_1 = \big\{ \big( (s_1)_{SK_A} \big)_{PK_{TC_1}} \,\|\, \big( (s_2)_{SK_A} \big)_{PK_{TC_2}} \,\|\, \cdots \,\|\, \big( (s_n)_{SK_A} \big)_{PK_{TC_n}} \big\}, \qquad (14)$$

$$K_2 = \big( (K \,\|\, UID_A \,\|\, UID_B)_{SK_A} \big)_{PK_B}, \qquad (15)$$

and

$$AC = h(K,\ UID_A,\ UID_B,\ TS). \qquad (16)$$

The message encryption/decryption key K_S is obtained by

$$K_S = f(K,\ K_1,\ K_2), \qquad (17)$$

where f is a function producing an output with bit length equal to that of the secret key used in the symmetric block cipher. Finally, the sender encrypts the plaintext with K_S and then forwards the ciphertext C along with the LEAF to the receiver. Note that the encrypted shadows $((s_i)_{SK_A})_{PK_{TC_i}}$, $i \in [1, n]$, are not really escrowed by the trusted centers; they are just sent to the receiver or the trusted centers through the LEAF.

4.3. The message decryption phase

The receiver B decrypts the LEAF by using the family key K_F to reveal K_1 and K_2. Through SK_B and PK_A, the session key K is recovered from K_2. Then the receiver recomputes AC to verify the LEAF and ensure its integrity. After AC is verified, the message encryption key K_S is obtained by using Eq. (17). Finally, the message M is recovered by using K_S.

4.4. The investigation/recovery phase

Consider the case of an investigator wiretapping a suspicious communication. Under law authorization, the investigator wiretaps the communication and decrypts the LEAF to obtain K_1 for each trusted center. Each trusted center retrieves the corresponding encrypted shadow from K_1, from which the true shadow is recovered. Through the Lagrange interpolation method, the long key K_L is obtained by the cooperation of at least t trusted centers. That is,

$$K_L = \sum_{i=1}^{t} s_i \prod_{\substack{j=1 \\ j \neq i}}^{t} \frac{-j}{i-j} \bmod p. \qquad (18)$$

The short key K_S is obtained by exhaustive search. That is, the center tries a candidate K and checks whether it satisfies the following equation:

$$h(K,\ UID_A,\ UID_B,\ TS) \stackrel{?}{=} AC. \qquad (19)$$

Thus, the exact session key K is obtained when Eq. (19) is satisfied, from which K_S and the message M are recovered in turn.
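The PKES flow of Sections 3.2 and 4 carried through end to end, as an added example (not code from the paper): the sender shares K_L by Eqs. (10)-(11), forms K by Eq. (9) and the LEAF fields of Eqs. (14)-(16), the receiver verifies AC and derives the message key by Eq. (17), and t trusted centers rebuild K_L by Eq. (18) and then find the short key by the exhaustive search of Eq. (19). Assumptions: h is SHA-256, f is SHA-256 truncated to 128 bits, the public-key layer (the SK_A, PK_TCi and PK_B encryptions) and the outer K_F encryption are omitted so the fields travel in the clear, p and the short key are shortened (61-bit prime, 16-bit short key) so the search finishes in seconds, and the paper's overloaded K_S is written k_short (short key) and k_msg (message key).

```python
import hashlib
import secrets

P = 2**61 - 1   # assumption: toy prime; the paper uses a 512-bit p
C_BITS = 16     # assumption: toy short-key length; the paper recommends up to 48 bits
T, N = 3, 5     # (t, n) threshold: any 3 of the 5 trusted centers can rebuild K_L

def h(K, uid_a, uid_b, ts):
    """AC = h(K, UID_A, UID_B, TS), Eqs. (6) and (16). SHA-256 stands in for h."""
    data = K.to_bytes(8, "big") + uid_a + b"|" + uid_b + b"|" + ts.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

def f(K, K1, K2):
    """k_msg = f(K, K1, K2), Eqs. (8) and (17); 128 bits, sized for the block cipher."""
    return hashlib.sha256(K.to_bytes(8, "big") + K1 + K2).digest()[:16]

def share_long_key(KL, t, n):
    """Eqs. (10)-(11): shadows s_i = g(i) mod p, g of degree t-1, g(0) = K_L, g_{t-1} != 0."""
    coeffs = [KL] + [secrets.randbelow(P) for _ in range(t - 2)] + [1 + secrets.randbelow(P - 1)]
    def g(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    return [(i, g(i)) for i in range(1, n + 1)]

def recover_long_key(shadows):
    """Eq. (18): Lagrange interpolation at x = 0 from any t shadows (i, s_i)."""
    KL = 0
    for i, s_i in shadows:
        num = den = 1
        for j, _ in shadows:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        KL = (KL + s_i * num * pow(den, -1, P)) % P
    return KL

def build_leaf(KL, k_short, uid_a, uid_b, ts):
    """Sender side, Eqs. (9) and (13)-(16). K1 is the fixed-width concatenation of the
    shadows (their per-center public-key encryption is omitted in this model)."""
    K = KL * k_short % P                                                        # Eq. (9)
    K1 = b"".join(s.to_bytes(8, "big") for _, s in share_long_key(KL, T, N))  # Eq. (14)
    K2 = K.to_bytes(8, "big") + uid_a + uid_b                                   # Eq. (15), PK_B layer omitted
    return {"K1": K1, "K2": K2, "UID_A": uid_a, "UID_B": uid_b,
            "TS": ts, "AC": h(K, uid_a, uid_b, ts)}                             # Eq. (16)

def receiver_key(leaf):
    """Section 4.3: B reads K from K2, verifies AC, then derives k_msg by Eq. (17)."""
    K = int.from_bytes(leaf["K2"][:8], "big")
    if h(K, leaf["UID_A"], leaf["UID_B"], leaf["TS"]) != leaf["AC"]:
        raise ValueError("AC verification failed: LEAF rejected")
    return f(K, leaf["K1"], leaf["K2"])

def investigator_key(leaf, centers):
    """Section 4.4: the t centers listed in `centers` rebuild K_L from their shadows in K1,
    then the short key is searched exhaustively until Eq. (19) holds.
    Returns (k_msg, number of candidates tried)."""
    K1 = leaf["K1"]
    shadows = [(i, int.from_bytes(K1[8 * (i - 1):8 * i], "big")) for i in centers[:T]]
    KL = recover_long_key(shadows)
    for k_short in range(1, 2**C_BITS):
        K = KL * k_short % P
        if h(K, leaf["UID_A"], leaf["UID_B"], leaf["TS"]) == leaf["AC"]:      # Eq. (19)
            return f(K, K1, leaf["K2"]), k_short
    raise ValueError("no short key satisfies Eq. (19)")

if __name__ == "__main__":
    # constructed sample values for a single communication
    leaf = build_leaf(KL=0x123456789ABCDEF, k_short=0xBEEF, uid_a=b"A", uid_b=b"B", ts=915148800)
    k_b = receiver_key(leaf)
    k_tc, tried = investigator_key(leaf, centers=[2, 4, 5])
    print("receiver and trusted centers agree:", k_b == k_tc, "after", tried, "candidates")
```

The receiver obtains k_msg instantly from K2, while the centers need the cooperation of t of them plus 2^c hash evaluations, which is the delay recovery property of Section 4.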
On the other hand, if the receiver B has lost his secret key SK_B, then he cannot obtain the session key K to recover the message. In this case, the receiver asks the trusted centers for help. He first forwards the LEAF to the trusted centers. Then, as described above, the trusted centers obtain K_1 by using K_F, and then the session key K is recovered. Finally, the trusted centers recover K_S and forward it to the receiver, by which the receiver can recover the message M.

5. Discussions

5.1. Features of the proposed systems

The proposed systems have the following features, which are essential for key escrow systems.

1. When authorized by law, the message encryption key can be recovered by the investigator or the receiver with the LEAF. Through the message encryption key, the message can be obtained. Moreover, the message cannot be recovered without a true LEAF.
2. The LEAF can be verified by both receivers and trusted centers to ensure its integrity.
3. The systems can be implemented in either hardware or software. In the software implementation, it is assumed that the secret key is kept securely.
4. The systems rely on familiar, tested or proven public cryptographic functions. Thus, the controversy is reduced.
5. The systems are practical and can be implemented easily.

Furthermore, the proposed systems also have the following properties that are not included in other key escrow systems:

1. The session key need not be escrowed by the trusted centers, hence key management is easy, and the user's secret key remains secure whenever the session key is recovered. Thus the proposed systems are still secure even if the trusted centers are malicious.
2. The key distribution protocol is included in the systems. The session key is generated only by the sender and included in the LEAF. The qualified receiver obtains the session key and the message encryption key from the LEAF immediately. Thus there is no need to perform key exchange processes beforehand. Therefore, the system is convenient and efficient in use.
3. Any asymmetric and symmetric cryptosystems can be used in our systems. Thus, commercial cryptosystems such as RSA, DES and IDEA can all be applied to the system. Furthermore, since the success of the system does not depend on any secret algorithm, the controversy over the system is reduced.
4. The systems provide adequate security service such that users cannot abuse the service. In the PKES, besides the advantages of the NKES, there is the delay recovery property, such that users never fear that the secret will be revealed immediately. The users always have enough time to respond to an early recovery by an investigation due to an altered policy, and the disadvantage caused by the policy alteration is reduced. Hence the system ensures the privacy of the key escrow system.
5.2. Security considerations

Our schemes are based on well-known cryptosystems such as RSA, DES and IDEA and a public one-way function h(...). Hence users need not worry about a trap-door problem, which would seriously endanger privacy. Since K_F is the same in the whole group, K_F may easily be revealed. However, even if K_F is known by rogue users or intruders, the scheme can still resist the following attacks.

1. If K_1 or K_2 are masqueraded, then neither the receiver nor the investigator can verify AC successfully or obtain the exact session key K. Thus, user A cannot communicate successfully with B in privacy while precluding the investigator.
2. If the sender replaces the exact ID_A by UID', then the investigator cannot obtain the corresponding escrowed key to recover the session key K. However, the receiver also cannot get the corresponding public key to recover the session key K_S.
3. Since the timestamp is included in the LEAF, the system can resist the replay attack.

In summary, since the message encryption/decryption key K_S, the ciphertext and the LEAF are tightly bound together, the receiver and the investigator cannot obtain the exact message encryption/decryption key without a true LEAF. Therefore, as long as the investigator cannot wiretap the communication successfully, the receiver cannot recover the message, and vice versa. Note that if the users conspire to preclude the investigator for private communications, then the attack will always succeed. For example, suppose that the sender and receiver conspire to use faulty identities ID_A' and ID_B' in the LEAF to cheat the investigator. Then, without the true UID to obtain the exact corresponding public key, the investigator cannot decrypt the shadow. However, this case means that the users are not using the system. That is, the users are not using this public-key system to obtain message confidentiality [10]. Attackers using different keys to avoid the system cannot be thought of as breaking the system.

6. Conclusions

In this paper, we propose a new key escrow system which need not perform key exchange beforehand and need not escrow any key. In the proposed system, the sender always sends a true LEAF; hence if the receiver can recover a message, then the trusted center can too, and the law-authorized investigation can be performed successfully. The system meets the requirements of a key escrow system: it provides communications in privacy and enhances social security simultaneously. Based on the new key escrow system, we also propose a partial key escrow system. Besides the advantages of the previous system, the partial key escrow system has the delay recovery property, which is essential for private communications.

Acknowledgements

This work was supported by the Institute of Information Industry (III) and the Ministry of Economic Affairs (MOEA), Taiwan, The Republic of China, under contract No. 86R59.
References

[1] Denning DE. The US key escrow encryption technology. Computer Communications 1994;17(7):453-7.
[2] Denning DE, Smid M. Key escrowing today. IEEE Communications Magazine 1994:58-68.
[3] National Institute of Standards and Technology. Escrowed Encryption Standard. Federal Information Processing Standards Publication (FIPS PUB) 185, 1994.
[4] Bellare M, Goldwasser S. Verifiable partial key escrow. In: The Fourth Annual Conference on Computer and Communications Security, ACM, 1997. p. 78-91.
[5] He J, Dawson E. A new key escrow cryptosystem. In: Cryptography: policy and algorithms conference, Australia, 1995. p. 105-14.
[6] Micali S. Fair public-key cryptosystems. In: Crypto '92. Springer-Verlag, 1992. p. 113-38.
[7] Kilian J, Leighton T. Fair cryptosystems, revisited. In: Crypto '95. Springer-Verlag, 1995. p. 208-21.
[8] Desmedt Y. Securing traceability of ciphertexts: towards a secure software key escrow system. In: Eurocrypt '95. Springer-Verlag, 1995. p. 147-57.
[9] Knudsen LR, Pedersen TP. On the difficulty of software key escrow. In: Eurocrypt '96. Springer-Verlag, 1996. p. 237-44.
[10] Boyd C. Enforcing traceability in software. In: Proceedings ICICS '97. Springer-Verlag, 1997. p. 398-408.
[11] Shamir A. How to share a secret. Communications of the ACM 1979;22(11):612-3.

Yung-Cheng Lee was born in Yunlin, Taiwan, Republic of China in 1953. He received his B.Sc. degree from National Kaohsiung Normal University in 1977 and his M.Sc. degree from National Taiwan Normal University in 1981, both in industrial education. Currently, he is working toward his Ph.D. degree at National Cheng Kung University. His research interests include network security and cryptography.

Chi-Sung Laih received his B.Sc., M.Sc. and Ph.D. degrees, all in Electrical Engineering, from National Cheng Kung University in 1984, 1986 and 1990, respectively. Since September 1986, he has been on the faculty of the Department of Electrical Engineering at National Cheng Kung University, Tainan, Taiwan, and is currently a professor. From August 1993 to January 1997, he was an adjunct research fellow at the Engineering and Technology Promotion Center of the National Science Council of the Republic of China. From February 1997, he was the director of Project Management, Office of Research and Development, at National Cheng Kung University; from June 1997, he was elected Chairman of the Chinese Cryptology and Information Security Association (CCISA). His research interests include cryptology, information security, error control codes and communication systems. Dr. Laih is a member of IEEE, ACM and IACR. He was the winner of the 1991 Acer Long Term Award for Outstanding M.Sc. Thesis Supervision, the winner of the Graduate Team of the TI-Taiwan 1994 DSP Design Championship and the winner of the 1997 Outstanding Paper Award of CCISA. He also obtained the 1997-1998 and 1999-2000 Outstanding Research Awards of the National Science Council of the Republic of China.