Newsgroups: sci.crypt
Path: cantaloupe.srv.cs.cmu.edu!crabapple.srv.cs.cmu.edu!bb3.andrew.cmu.edu!news.sei.cmu.edu!fs7.ece.cmu.edu!europa.eng.gtefsd.com!gatech!swrinde!elroy.jpl.nasa.gov!ames!pacbell.com!att-out!att!att!allegra!ulysses!ulysses!smb
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Once they get your keys....
Message-ID: <1993Apr24.170116.18456@ulysses.att.com>
Date: Sat, 24 Apr 1993 17:01:16 GMT
References:  <930424031634.176183@DOCKMASTER.NCSC.MIL>
Organization: AT&T Bell Laboratories
Lines: 43

In article <930424031634.176183@DOCKMASTER.NCSC.MIL>, Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
> About 50 people so far have asked, "Once the FBI gets your Clipper keys,
> won't they be able to read all your future and past traffic?"
> 
> There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
> anyone else who might be able to give us an authoritative answer.
> This is troubling.
> 
> Didn't NSA think about this?  Or is it a feature, and they thought we
> wouldn't notice?
> 
> I would have thought that by now they would have responded with something
> of the form, "Well, that won't be a problem because ...."

Don Alvarez posted a good partial solution to this problem to
comp.risks.  I'll present my variant on it instead, since I feel it's a
bit stronger against some likely attempts to cheat.  depends on the
protocol that's followed for reading traffic.  Briefly, the cops get a
wiretap warrant, and record the call.  They then notice the encryption
and the disclosure header.  It, along with a copy of their warrant, is
sent to the FBI, or whoever it is who holds the family key.  The
F-holder decrypts the header, and sends the serial number N and the
encrypted session key U[K] to the escrow agents.  They, in turn, use U1
and U2 to recover K, and send that to the local police.

Note how this solves the problem of wiretapping forever.  Neither the
cops nor the FBI ever see U, so they can't read other traffic.  Every
request must be validated by both the FBI and the escrow agents.  The
cops and the FBI together can't cheat, since they don't have U.  (I
regard that as a likely pairing of folks who might try to beat the
system.  It's to prevent this that I modified Alvarez's scheme.)  The
escrow agents can't read the conversation, since they don't have it;
all they have is N and U[K].  And the police don't even see N.

It's harder to see how to block decryption of old, warrantless,
wiretaps.  There is one protection -- you have to persuade the escrow
agents that the call is current.  But that's not nearly as strong.
There are approaches I can see that might work, involving sequences of
data on an unalterable medium, complete with cryptographic protection
against insertion onto a new medium.  But I don't have anything yet
that isn't too complex for comfort, or too hard to install in the real
world.  The NSA might have an answer; they may or may not be smarter
than me, but I've been working on this for a week, and they've had years.
