Matching key recovery mechanisms to business requirements

https://doi.org/10.1016/j.cose.2004.08.010

Abstract

This paper addresses the business needs for key recovery as a countermeasure to the threat of losing potentially valuable information. Several requirements essential for a sound key recovery mechanism are described, and the applicability of two main classes of existing key recovery schemes to a corporate environment is examined. Different requirements are identified for key recovery mechanisms for communicated and archived data, and a further study is made of the applicability of existing mechanisms to these two cases.

Introduction

In the information age it has become vital for businesses and organisations to protect their most valuable asset, i.e. the information they possess, from unauthorised access both from outsiders and insiders. Encryption mechanisms are deployed, amongst other countermeasures, for this purpose. Use of these mechanisms, however, might lead to undesirable situations where access to encrypted data is not feasible due to loss of, or inaccessibility to, the encryption keys.

The resulting loss of important information might be very serious. Corporations will typically not wish to tolerate such a loss, especially if the inaccessible data hold potentially valuable information. Key recovery mechanisms (KRMs) can help overcome problems arising when encryption keys are lost, and hence prevent loss of information. KRMs allow authorised parties to retrieve cryptographic keys used for data confidentiality with the ultimate goal of recovering the encrypted data (Denning and Branstad, 1996; Smith et al., 2000).

The term key recovery (KR), or more specifically key escrow, has attracted much unfavourable publicity, mainly because of a number of government proposals for compulsory escrow of all private communications keys; see e.g. The White House (1993). The intention of these proposals was to give governments the ability to decrypt intercepted communications to deal with criminal activities. However, this has been seen by a number of parties as a potential infringement of the rights of individuals and corporations to provide privacy for data stored and communicated electronically.

In a business environment, however, the situation is rather different. A company normally owns its information, and therefore the issues surrounding access to private communications through compulsory key escrow do not arise. KRMs deployed in a corporate environment can be thought of as part of routine disaster recovery planning.

This paper looks at threats that corporate information might face from loss of encryption keys, and at the various scenarios in which these threats might be realised. Based on this analysis, the business need for KR is outlined, and the concomitant requirements for a KRM are described. The applicability of two main types of KRMs to a business environment is then examined, and the pros and cons of these mechanisms when used for communicated and archived data are investigated. The need for this latter distinction arises from the fact that, as discussed below, different KR requirements exist for these two types of data. Note that possible legal requirements for access to business communications are not examined here.

Section snippets

Business needs for key recovery

Protection of information through the use of security mechanisms has become vital for business. Cryptographic keys, including key agreement keys, session keys used for encrypting communication sessions or stored data, and signature keys, are a crucial part of the security infrastructure protecting corporate data. Loss or unavailability of encryption keys will lead to an inability to access the encrypted information, a situation the corporation will typically not wish to tolerate. Within a

Distinguishing between a business environment and law enforcement access

The term key recovery, or more specifically key escrow, has attracted much unfavourable publicity mainly because of a number of government proposals for compulsory escrow of all private communications keys, see e.g. The White House (1993). The intention of these proposals was to give governments the ability to decrypt intercepted communications to deal with criminal activities. However, this has been seen by a number of parties as a potential infringement of the rights of individuals and

Requirements for KRMs deployed in a business environment

Although key recovery mechanisms address problems arising from loss of decryption keys, they should always be deployed with extreme care. If the mechanism is not properly deployed it can seriously weaken security, as KR provides an alternative means of access to encryption keys that may be easier for an attacker to exploit than the original computation process. Thus, the fundamental security requirement for any KRM is that the effort to exploit and break the cryptographic infrastructure with KR

Classification and assessment of existing mechanisms

A variety of KRMs have been proposed by both the commercial sector and academia. Denning and Branstad (1996) give a description of a wide range of KRMs identified as key escrow encryption systems, while Smith et al. (2000) classify the existing KRMs into several types. However, as previously mentioned, KRMs in the information security literature are usually divided into two types: key escrow and key encapsulation mechanisms.

Distinguishing between communicated and archived data

The above analysis of KRMs in a business environment has not considered the target data. There are certain issues, however, that need to be addressed as far as the target of the KRM is concerned. This arises from the fact that there are different requirements for KRMs for archived data and KRMs for communicated data.

The majority of existing key recovery mechanisms were designed for use with communicated data, and with the objective of giving access to LEAs. Giving user access was typically not

Key recovery mechanisms for communications

The issues surrounding key recovery for communicated and archived data are somewhat different, as previously mentioned. In this section we look at the requirements that surround KRMs for communicated data, and investigate the applicability of the two main categories of KRMs. In the next section a similar analysis is performed for encrypted archived data.

Key recovery mechanisms for archived data

In this section the requirements of KRMs for archived data and the applicability of existing mechanisms are examined.

Conclusions

An analysis has been made of the requirements for KRMs applied in a business environment, and the applicability of existing mechanisms was investigated. As there is no panacea to the key recovery problem, careful analysis of the business needs is necessary to identify appropriate solutions. A further distinction was made between requirements for KRMs for communicated data, and requirements for KRMs for archived data, and it was shown that mechanisms providing KR functionality for communicated

References (20)

  • S. Gupta. A common key recovery block format: promoting interoperability between dissimilar key recovery mechanisms. Computers & Security (2000)
  • M. Smith et al. Cryptographic information recovery using key recovery. Computers & Security (2000)
  • H. Abelson et al. The risks of key recovery, key escrow, and trusted third party encryption
  • D.E. Denning. Information warfare and security. Addison Wesley (1998)
  • D.E. Denning et al. A taxonomy of key escrow encryption systems. Communications of the ACM (March 1996)
  • IBM SecureWay. Towards a framework based solution to cryptographic key recovery
  • N. Jefferies et al. Trusted third party based key management allowing warranted interception
  • N. Jefferies et al. A proposed architecture for trusted third parties
  • L.R. Knudsen et al. In search of multiple domain key recovery. Journal of Computer Security (1998)
  • D.P. Maher. Crypto backup and key escrow. Communications of the ACM (March 1996)
There are more references available in the full text version of this article.

Konstantinos Rantos received his Diploma in Computer Engineering and Informatics in 1996 from the University of Patras, Greece, his M.Sc. in Information Security in 1997 and his Ph.D. (sponsored by Marie Curie Research and Training Grant) in 2001 from Royal Holloway, University of London. Between 1997 and 1999 he was involved in an EU ACTS project concerning security for third generation mobile communications. In 2001 he joined Datacard Group as a smart card security architect until 2003 when he joined Encode S.A. as a security consultant contributing to a number of security related projects. His research interests lie in the areas of public-key infrastructures, smart cards, key management, security protocol design, and telecommunications security.

Chris Mitchell received his B.Sc. (1975) and Ph.D. (1979) degrees in Mathematics from Westfield College, London University. Since joining Royal Holloway in 1990, he helped launch the M.Sc. in Information Security in 1992. His research interests cover information security and the applications of cryptography. He has played an active role in a number of international collaborative projects. He has edited eight international security standards and published well over 160 research papers. He is academic editor of Computer and Communications Security Abstracts, a member of the Editorial Advisory Board for the journals of the London Mathematical Society, and a member of Microsoft's Trustworthy Computing Academic Advisory Board.