The following paper was distributed at the Key Escrow Encryption
Meeting held on September 6-7, 1995 at NIST.
----------------------------------------------------------------

Key Escrow Issues Meeting, September 6-7, 1995
Discussion Paper #4


               Example Potential Solutions for the
    Draft Export Criteria for Software Key Escrow Encryption

Example solutions to the export criteria are identified below to
help give a better feel for the approaches that implementors may
take to satisfy the criteria.  The information in this paper is
not intended to represent fail-safe, cookie cutter solutions to
the criteria, but only to generate more detailed discussions.  

1.   The product shall use an unclassified encryption algorithm
     (e.g. DES, RC4) with a key length not to exceed 64 bits.

     It is important to understand that key in this context is
     related to the number of bits needed to decrypt a message
     which are not available over the communications channel. 
     For some encryption algorithms the key is defined to be a
     number of bits which are kept secret and a number of bits
     which are transmitted in the clear (message key /
     initialization vector / salt).  This criterion only
     specifies the number of secret bits.

2.   The product shall be designed to prevent multiple encryption
     (e.g. triple-DES).

     One way to do this would be for the encryption program to
     store the ciphertext file name and the first n (e.g. 16)
     bytes of cipher for the last k (e.g. 8) encryptions.  When
     the encryption routine is called, the program checks to see
     if the input file name is in the ciphertext file list or the
     first n bytes of the file match any of the k cipher text
     streams stored.  Likewise, a plaintext header could be
     appended to each ciphertext file which says the file is
     encrypted.  The encryption program would look for this
     header before encryption; if found, the program would not
     proceed with the encryption.  These are just examples of
     what could be done.  Each vendor's constraints will be
     different.

3.   The key required to decrypt each message or file shall be
     accessible through a key escrow mechanism in the product,
     and such keys will be escrowed during manufacture in
     accordance with #10.  If such keys are not escrowed during
     manufacture, the product shall be inoperable until the key
     is escrowed in accordance with #10.

     One way of doing this is for each user to have a Public and
     Private Escrow Key.  The public escrow key is bound in a
     certificate signed by the Escrow Agent(s).  This certificate
     would contain a key ID, the escrow agents's ID and the
     Public Escrow key.  A header of the encrypted message could
     contain this certificate along with the message key,
     encrypted using the Public Escrow key.  If the product is
     not escrowed during manufacture, the software will check to
     see if it has a valid escrow key prior to encrypting
     messages.

4.   The key escrow mechanism shall be designed to include with
     each encrypted message or file, in a format accessible by
     authorized entities, the identity of the key escrow
     agent(s), and information sufficient for the escrow agent(s)
     to identify the key or key components required to decrypt
     that message.

     Following the example for criterion #3, the certificate that
     contained the user's escrow key would also contain the
     identity of the escrow agents holding the corresponding
     private escrow key.

5.   The product shall be resistant to any alteration that would
     disable or circumvent the key escrow mechanism, to include
     being designed so that the key escrow mechanism cannot be
     disabled by a static patch (i.e. the replacement of a block
     of code by a modified block).

     Probably the most important aspect of this criterion is that
     source code for a product should not be available.  Also it
     is important that the cryptography be integrated into the
     application in some nontrivial way.  One way of achieving
     this criterion is for the application to store a hash or
     checksum of the cryptographic code in several places and
     check the cryptographic code several times during its use. 
     One can prevent a static patch by making the hash or
     checksums dependent on a program ID code or something else
     that is unique about that copy of the software.  Perhaps one
     of the best ways to defeat hackers  from "patching around"
     the escrow would be a commitment from vendors to make each
     new release of the software be immune to existing static
     patches and patch programs.

6.   The product shall not decrypt messages or files encrypted by
     non-escrowed products, including products whose key escrow
     mechanisms have been altered or disabled.

     If one follows the steps outlined under criterion #3, a
     receiving program could verify the escrow certificate
     contained in the message header, extract the escrow public
     key, and verify that the encrypted message decryption key is
     also found in the header. If it is not there, decryption
     does not proceed.

7.   The key escrow mechanism allows access to a user's encrypted
     information regardless of whether that user is the sender or
     the intended recipient of the encrypted information.

     The message header could contain the decryption key
     encrypted under both the sender's public escrow key and the
     recipient's public escrow key.  Then access to either the
     sender's or recipient's private escrow key would allow
     access to the decryption key.

8.   The key escrow mechanism shall not require repeated
     involvement by the escrow agents for the recovery of
     multiple decryption keys during the period of authorized
     access.

     If the public and private escrow keys are unique to users,
     then the escrow agents could turn over the private escrow
     keys to the authorized parties.  The private escrow key
     would allow access to keys encrypted with the corresponding
     public escrow key and not require repeated involvement with
     the escrow agents.

9.   In the event any such product is or may be available in the
     United States, each production copy of the software shall
     either have a unique key required for decrypting messages or
     files that is escrowed in accordance with #10, or have the
     capability for its escrow mechanism to be re-keyed and any
     new key to be escrowed in accordance with #10.

     Following the example in criterion #3, the software could
     accept the load of a new escrow certificate.  The software
     could store a "root" public key which is used to verify a
     certificate containing the escrow agent public key which in
     turn is used to sign the individual user's escrow
     certificate.  Hence the header might contain both the escrow
     agent certificate signed by the root and the user
     certificate signed by the escrow agent(s).  Once escrowed,
     the software could store the ID of the escrow agents and not
     accept loads of new escrow keys except from those agents.

10.  The product shall accept escrow of its key(s) only with
     escrow agent(s) certified by the U.S. Government or by
     foreign governments with which the U.S. Government has
     formal agreements consistent with US law enforcement and
     national security requirements.

     Following the example in criterion #9, if the "root"
     authority only signed the certificates of escrow agents
     (foreign and domestic) approved by the U.S. Government then
     only keys escrowed by approved escrow agents will be
     accepted as valid by the software packages.

9/95