28 September 1997
Source: Mail list cryptography@c2.net
To: cryptography@c2.net
From: rivest@theory.lcs.mit.edu (Ron Rivest)
Date: Sat, 27 Sep 97 21:40:45 EDT
Subject: Michael Frese notes a serious flaw in proposed legislation

Michael Frese makes the interesting point (below) that proposed crypto legislation mandating plaintext recoverability should, logically, apply to ALL encryption, **including encryption whose purpose is just to implement key recovery itself**. There is nothing in the proposed legislation that would make an exception for such encryption.

For example, if my software encryption encrypts message M with symmetric key K, and then appends a trailer that contains K encrypted with the public key of Citibank (my chosen key recovery agent), then doesn't the trailer itself need to have some plaintext recovery feature implemented for it? If not, then why can't I be sending along some secret stuff to Citibank with each trailer (i.e. in addition to the key)?

Similarly, if I append two trailers which contain K1 and K2 encrypted respectively with the secret keys of Citibank and ACLU (my two chosen key recovery agents), where the message key K = K1 xor K2 (so that I am using a simple form of "secret sharing"), then should the FBI have "immediate access" somehow to the plaintext of the two trailers (i.e. to K1 and K2)? I note that in this case, K1 may be chosen totally arbitrarily, and then K2 determined as K xor K1, so that I really can send arbitrary messages to Citibank in the trailer.

I think this nice example shows how poorly thought through the proposed legislation is...
Ron Rivest

==============================================================================

Return-Path: <MFrese@aol.com>
Date: Sat, 27 Sep 1997 14:00:19 -0400 (EDT)
From: MFrese@aol.com
To: dee@cybercash.com (Donald E. Eastlake 3rd)
Cc: rah@shipwright.com (Robert Hettinga), rivest@theory.lcs.mit.edu (Ron Rivest)
Subject: Re: Access to Plaintext: An Obvious Consequence

Dear Sir,

I apologize for the rather flippant tone of the message that Bob forwarded on to you, but I think you will recognize in it the banter of one brother to another. I hope that the following explanation will help.

On Mon, 8 Sep 1997 Declan McCullagh's forward "Stewart Baker's analysis of administration crypto-proposal" to fight-censorship-announce@vorlon.mit.edu, included the following comparison of McCain-Kerrey to a "leaked Administration legislative draft on encryption":

> -- gone is the section (102) that would prohibit mandatory
> third party escrow of keys. In its place is a new section (105)
> that would prohibit, after January 1, 1999, the provision of encryption
> services in the U.S., or the manufacture for sale or distribution in
> the U.S. of encryption products/systems, that do not have a
> plaintext recovery feature that may be turned on at the option of the user.
>
> -- gone is the exclusive emphasis on key recovery as the
> technology for assuring plaintext recovery. Instead, this
> legislation would require products and systems that permit
> immediate decryption without the knowledge or cooperation of the user.

Motivated by this, I wrote Bob

> If no encryption product can be sold that can't decrypt everything
> it encrypts, then no public-key cryptosystems can come to market.
> This effectively eliminates the entire range of encryption products
> of interest to you.
>
> Surely, this is clear?

and agreed when he suggested that he forward it to a mailing list. Apparently, it was not clear. I will endeavor to make it so.
The key phrase is:

> ...this legislation would require products and systems that permit
> immediate decryption without the knowledge or cooperation of the
> user.

If this language ever makes it into law, its meaning will be determined in the courts, by judges and juries. We have to understand it as they will, not as the cryptographic community does. And we must expect that this language was written by administration lawyers, with the advice of cryptographic experts and prosecutors.

It seems to me that there are two immediate questions:

1. What does it mean that the product must "permit immediate decryption"?
2. What messages must it provide this for?

I am certain that the meaning of "permit immediate decryption" will be clear to the legal system, once the prosecutor explains it. It will be quite difficult to find a judge or jury that won't believe that this means it must decrypt the message it just encrypted.

No problem, you say. I'll just run my message through the symmetric encryption scheme again. But what about the other message? You sent the session key to the recipient of your intended message. You claim that was not a message, only a key, but "One, if by land; two, if by sea." is exactly 256 bits. Again, it will be difficult to find a judge or jury that won't believe that the symmetric key was a message. Of course, if the court insists that you decrypt that message for them using your system you will be unable to do that without the cooperation of the intended recipient.

This argument is further strengthened by other language in the draft legislation: the requirement that any system must provide access to plaintext without your knowledge or cooperation.

I believe that all of the language of this proposed legislation is intended to make the use or provision of public-key cryptosystems illegal, possibly by an after-passage judicial extension.
Without a public-key cryptographic infrastructure, everything you want to do evaporates, including authentication, and all the beneficial systems that depend on it. That, I believe, is precisely the goal of the prosecutors and cryptographic experts who formulated the draft legislation.

Sincerely,

Michael H. Frese
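The two-trailer construction Rivest describes above, and Frese's observation that a 32-character phrase is a 256-bit key, can both be demonstrated in a few lines. The following is an added example, not code from either message: it splits a message key K into XOR shares K1 and K2 where K1 is chosen to be an arbitrary 32-byte note, so that the "key recovery trailer" for one agent carries whatever the sender wants while the two agents together still recover K. The public-key encryption of each trailer to its agent is omitted (an assumption for the example; the shares are handed over in the clear), and the symmetric cipher is a toy SHA-256 counter-mode keystream standing in for whatever cipher a real product would use. The point for a reviewer of such a mandate is visible in the results: the trailer's "plaintext" is sender-chosen data, so requiring its recoverability constrains nothing.

```python
import hashlib
import os

# Constructed sample inputs for the demonstration.
MESSAGE = b"Meet at the Old North Church at midnight."
# A 32-character phrase is exactly 256 bits, so it is a perfectly valid
# 256-bit "key share" even though it is really an arbitrary message.
COVERT_SHARE = b"One, if by land; two, if by sea."


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (assumption: stands in for
    the real symmetric cipher that encrypts M under K; not for production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # An XOR stream cipher is its own inverse.
    return encrypt(key, ciphertext)


def make_trailers(message_key: bytes, k1: bytes) -> tuple:
    """Split K into two XOR shares: K1 is chosen freely, K2 = K xor K1.

    Each share would then be encrypted to one recovery agent's public key;
    that step is omitted here (assumption for the example)."""
    k2 = xor_bytes(message_key, k1)
    return k1, k2


def recover_key(k1: bytes, k2: bytes) -> bytes:
    """Both agents together reconstruct K = K1 xor K2."""
    return xor_bytes(k1, k2)


def run_example() -> dict:
    message_key = os.urandom(32)  # fresh 256-bit K chosen by the sender
    ciphertext = encrypt(message_key, MESSAGE)

    # The sender picks K1 to be the covert note and derives K2 from it.
    k1, k2 = make_trailers(message_key, COVERT_SHARE)

    return {
        # Trailer 1's "plaintext" is a sender-chosen message, not a random key.
        "k1_is_covert_note": k1 == COVERT_SHARE,
        # With both shares the agents really do recover K and hence M.
        "agents_recover_key": recover_key(k1, k2) == message_key,
        "agents_recover_plaintext": decrypt(recover_key(k1, k2), ciphertext) == MESSAGE,
        # Either share alone is useless for decryption (K2 is uniform since K was).
        "single_share_fails": decrypt(k1, ciphertext) != MESSAGE
        and decrypt(k2, ciphertext) != MESSAGE,
        "share_length_bits": len(k1) * 8,
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Because K1 can be any 32 bytes and K2 is computed afterwards, the scheme is a valid two-of-two secret sharing no matter what K1 says; a rule that the trailers themselves be "immediately decryptable" gains the recovering party nothing beyond what it already gets from the two agents cooperating, while giving the sender a free channel to one of them.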