Security news that informs and inspires

Key Escrow By Any Other Name is Still Key Escrow

There are plenty of difficult security problems waiting to be solved and many smart people working on solutions. One problem that’s been resistant to a solution for the better part of 25 years now is finding a method to allow law enforcement or other agencies with legal authority access to an encrypted system.

This concept, known as exceptional access, has been a controversial topic in the security community since its inception and there have been countless attempts over the years to find a workable solution. Some technically oriented solutions have looked good enough on paper (or had enough political backing) to progress to the point of development. The best example is the Clipper Chip system, which relied on a special cryptographic processor that included a method for allowing law enforcement access to encrypted data through a key escrow scheme. Cryptographers and security experts criticized the idea and soon after its publication, Matt Blaze discovered a fatal flaw in the protocol that eventually helped torpedo the scheme.

The latest proposal to emerge comes from Ray Ozzie, a well-known engineer and technologist who helped create Lotus Notes and later was chief software architect at Microsoft. Ozzie’s idea is a modern twist on the key escrow scheme, specifically focused on mobile devices such as phones and tablets that include encrypted storage. The basic idea is that device manufacturers will generate a secret key for each device they make and then store all of those keys in a central vault somewhere. If law enforcement needs to gain access to an encrypted device (presumably with a warrant), the phone can be placed into a special law enforcement mode somehow and the agency can then contact the manufacturer and request the device’s secret key.

Once in the special mode, though, the device would become permanently inoperable for anyone else, an attempt to ensure that an attacker wouldn’t be able to use this mode without wrecking the device. Once the manufacturer gets the proper request from the law enforcement agency, it can go into the vault, retrieve the device’s secret key, and send it to the agency. It’s a relatively simple idea and is similar to other key escrow schemes, with some extra layers on top.

And some extra problems.

All key escrow schemes have one major inherent weakness: the key database. Any large store of secrets is going to be a fat target for attackers, but a database of secret keys that will decrypt any device is the kind of target that attracts the most persistent, well-funded, and terrifying sorts of attackers. This is the most obvious and well-known problem with key escrow plans and there’s really no way around it. Even companies such as Apple and Google that are quite used to protecting secrets likely would want no part of that kind of database. It’s an unnecessary risk.

But the larger problem is that Ozzie’s proposal relies on a secure processor in each device that will handle the law enforcement operations and put the device into the special mode when requested. That processor also would make the phone inoperable for other users once the law enforcement mode is engaged. But there isn’t a processor currently extant that can handle that task. The closest thing that’s in use right now is the secure enclave processor that Apple uses to protect secrets in iOS devices. The SEP is good enough at protecting those secrets that Apple has battled publicly and privately with law enforcement for years about decrypting iOS devices seized during criminal investigations.

But, we know there are at least two companies that have exploits for as-yet-unknown vulnerabilities in iOS that allow them to unlock encrypted devices. As cryptographer Matthew Green points out in his analysis of Ozzie’s proposal, this is a crippling weakness for Ozzie’s scheme.

“The richest and most sophisticated phone manufacturer in the entire world tried to build a processor that achieved goals similar to those Ozzie requires. And as of April 2018, after five years of trying, they have been unable to achieve this goal — a goal that is critical to the security of the Ozzie proposal as I understand it,” Green wrote.

Key escrow is the idea that just won’t die, because it seems to make sense on the surface. Have a trusted party hold the keys until they’re needed. It’s what we do with our money. The banking and vault-building industries have a big head start on the information security industry when it comes to protection, and banks are still robbed all the time. Protecting an asset when everyone knows you’re protecting it raises the degree of difficulty quite a bit.

“Now obviously the lack of a secure processor today doesn’t mean such a processor will never exist. However, let me propose a general rule: if your proposal fundamentally relies on a secure lock that nobody can ever break, then it’s on you to show me how to build that lock,” Green said.