Compulsory Key Escrow


The DTI proposals seem to insist upon "compulsory key escrow". This is a fatal flaw in their TTP proposals.

This is a complicated topic, and so a road map of the discussion may help you keep your bearings.

Let's start by looking at what "key escrow" is and why some say it would be a desirable thing to have. Then we can see how it is extremely unlikely to achieve the stated aims, viz: it won't work! If the DTI insist upon "compulsory key escrow" then this makes TTPs the custodians of immensely valuable data. This is an extremely serious problem. Now that the pros and cons of "key escrow" are understood, it is possible to try and understand what the DTI is actually proposing, which is generally presumed to be compulsion, but is, regrettably, far from clear. To extend the argument further, there is an alternative to key escrow, or you might agree with my own conclusions that what the DTI apparently wants to achieve will prevent encryption being useful to us all.


Before you start, you might like to review the role of private and public keys in public key encryption systems. You may well then, in my opinion, be somewhat more clued up than the DTI who sometimes give the impression of solely considering other types of cryptography altogether.


What is "key escrow" and what is it for?

The storage of private keys is called "key escrow" (not the best of terms, but the standard jargon). The DTI consultation paper manages to confuse this idea with that of "key recovery" which is usually treated as being the mechanisms by which private keys can be "backed up" in such a way as to enable them to be recreated when people lose them in hardware crashes, die, or fail to come into work any more.

In public key cryptography, the sender encrypts a message by combining it with the receiver's public key. When it arrives, the private keys are used to decrypt the message. People without the private keys cannot read the message - leastways, not (if the keys are long enough) without spending millions of years in trying.

There are people (quite serious and sober people) who honestly believe that it is the right, even duty, of the State, to be able to know everything which its citizens say or do. Naturally, these people say, they would not exercise this right lightly. To this sort of person it makes perfect sense that the private keys of all of a State's citizens should be available from a central repository and, when necessary, their correspondence should be examined for serious criminal or terrorist behaviour.

I personally reject this view of the role of government, but it is important to understand that this is not a technical issue but a philosophical one. People with a particular world view say "yes of course - the State must be allowed to look at anything", others say "of course not - my privacy is sacrosanct". This sort of dichotomy of views is never going to be settled by rational argument.

Interestingly, the DTI does not attempt to argue at this fundamental level, where one can only agree to disagree. Instead they give rather more specific reasons for access to encrypted traffic, and so these reasons can be weighed for their merit.

The reason that the DTI puts forward for access to private keys is that it is necessary to allow Interception of Communications, so that "criminals" and "terrorists" can be monitored by "law enforcement". Law enforcement is just a cuddly term which makes you think of judges and police sergeants, but it is just as likely to mean men in grey suits from the Security Services.

Terrorists are, of course, extremely wicked people who the State should clearly be targeting, which is undoubtedly why this crime is mentioned explicitly. (You might note that it's not just critics like myself who can stoop to emotive language to get our point across.)

Since the heinous terrorist might not be too keen for just anyone to read his or her messages, the idea is for law enforcement to hold everyone's private keys "in escrow" just in case they are needed. Of course, lots of these keys will be needed, because if the terrorist writes to someone else, the recipient's private keys will be needed before the mail can be read. So a surveillance operation will involve the law enforcement people acquiring many private keys, many of which will be of innocent people, who receive entirely innocent messages from the terrorist. The keys will allow the law enforcement officers to read all of the messages to these innocent people. This is rather a different situation to a conventional "phone-tap" of a suspect's line.

Some people will be interested in voluntary "key escrow" for their private keys. What they want is data recovery - and one way of achieving this is to keep your private keys safely off-site. However, key recovery is not always necessary and there are other ways of ensuring access to the data. For example the latest versions of PGP allow for multiple encryption so that the message is encrypted with other keys as well as the recipient's. This means, for example, that your boss can read mail when you have died or gone to other employment. The important point to note is that this is voluntary escrow, it is not compulsory, nor does it need to involve a TTP.

So why won't key escrow work?

The DTI says that it is necessary to be able to break encryption because terrorists and criminals will use it, despite there being almost no documented cases, anywhere in the world, where failure to break encryption has prevented law enforcement doing their job. Dr. Dorothy Denning has been collecting cases for several years. You can read her survey of cases.

Despite the DTI's belief in this apparent necessity, if you can avoid using a TTP, then escrowing your keys will apparently be optional. The DTI will continue to permit everyone who wishes, to use strong encryption in Closed User Groups.

This is logical nonsense. The bad guys' use of encryption is rare and isn't stopping them from being caught in other ways. Even if they suddenly embraced crypto, they might do it as a Closed User Group and so they wouldn't escrow their keys. Indeed, even if the government went further, and Closed User Groups were outlawed, these are bad guys! They might just possibly be wicked enough to use un-escrowed keys. There are lots of ways they could hide their naughtiness until they were actually being investigated - and the worst you would prosecute them for would be for using unlicensed encryption. The DTI proposals just do not make sense.

This all comes about because the DTI have a touching faith in the stupidity of the criminal classes; "criminals will often make use of the technology available to them" (annex F). I expect that they also believe that the burglars wander around with bags labelled "swag", and the IRA makes bomb warning phone calls from their living rooms and will therefore be caught by BT's Caller Line Identification technology.

The sensible solution to this logical flaw is to not waste effort on enforcing "escrow" because it will not work. The likely solution - and the paranoid leap at this one - is that the bad guys will be bad, and the government will legislate in stage two to outlaw Closed User Groups. When this drastic step also fails, the State will start to monitor traffic and deem the use of un-escrowed keys as de facto evidence of criminal intent, and start jailing people for this alone.

The loss of identity

So we've seen that the bad guys may not escrow their keys, or they may use extra cryptography which makes it very hard indeed to eavesdrop.

However, at the end of the day, encrypting most people's data is not earth-shatteringly important. It is nice to think today in a non-electronic world that when you put such information in the pillar box no-one steams it open. Crypto gives you the warm feeling that your missive will not be read even if someone opened the letter by mistake because it was delivered next door. But if someone does manage to read your mail, all that happens is they learn something about you that you wish was private. Your cheeks are red for a while, but you'll get over it.

BUT... besides encryption, public key crypto has the other, really neat, feature of providing crypto signatures which allow you to sign electronic documents, time stamp them, send electronic cash around, and provide all sorts of other endorsements. These all, crucially, depend on your private keys staying private.

As soon as your TTP is handed the private keys to your public key identity, this identity will become worthless because you cannot know if it has been compromised. You will never be in a position to stand behind that identity.

Whether TTPs exist or not, your electronic signature is open to repudiation... "Oh calamity, I just published my private key on Usenet, ignore everything I apparently say." but the reverse statement "I really am sure that my word is my bond" cannot be sensibly said in a future where a bureaucracy holds your private keys and may or may not have been handing them out to police forces (and less accountable bodies) up and down the land, and overseas as well...

In principle, and the DTI seem to be envisaging that this is what people will choose to do, you will set up one public key for encryption and another for electronic signatures. The cops (or spooks or whoever) could then decrypt stuff when the politicians said they could, and your signature keys could be kept private, because there would be no requirement to escrow such keys...

The problem is that the way that public key crypto systems currently work means that the keys are identical in form and function. There would be nothing to stop the wicked (or just the confused) from using the signature key to send you things that the 'cops' couldn't read. The other problem is that most current encryption software and services tend to assume a single key for signing and for encryption. It doesn't seem entirely likely that the global players will go out of their way to make special software for a tiny offshore island with funny rules.

The big problem with key escrow - keys are valuable things

If I send my credit card number across the net to make a purchase by secure means, I am obviously trusting the vendor not to abuse the knowledge of my details which I have given them.

However, rather more subtly, I am also trusting the vendor that their security system works. If someone else apart from the vendor knows their crypto secrets then they can watch my traffic to the vendor. Unlike someone stealing cheques from the vendor's postroom, this theft is hard to detect.

If the vendor has handed over their private keys to a TTP then not only are they trusting the TTP, but I have to as well.

Arguably, the DTI understand this because their proposals mean that only really really trustable people can become TTPs. But I don't think that you can build systems involving computer software and humans which can be trusted to that extent. It is moot whether the software or the humans are more likely to fail - but forty years of experience with complex computer systems should have taught us all that both will fail eventually.

If the single vendor I dealt with has poor security then my credit card details will leak. There will be a pattern to the information compromised (everyone stung was a customer of Joe's Bookshop) and the security flaw should get fixed eventually.

If a TTP has poor security then my credit card details could leak from any transaction with many many vendors. Any non-greedy (or non-automated) villain is unlikely to create a pattern in their thefts...

A swift calculation on the potential income from compromising a TTP should show you that you can afford to offer the employees (or the writers of the software used) a reasonably serious amount of money...

There's nothing really wrong with key escrow provided that relatively few people take it up (so there is not much to steal), and the locks on the TTP doors are strong. The problem which arises if "key escrow" becomes compulsory is that there would be so much value in the TTPs that no lock would ever be that secure.

Compulsory pooling of private keys in TTPs is a new and totally unnecessary risk.

All the evidence we have from similar schemes like the DVLC in Swansea, the Police National Computer and, indeed, ex-directory telephone numbers is that personal data always leaks from large organisations. You've probably seen one of the exposés on the television where bank records and medical files can be obtained for just a few hundred quid. This information is meant to be secret! That's why the reality that it is not can still be made into prime-time television. It is embarrassing sometimes to see how little money has been needed to bribe the people with access to this information.

Cryptographic keys are of course currently held safe within organisations like banks and within the government itself. The record of how successful this has been is said to be good, but it is poorly documented so it is hard to judge objectively. Experience up to now has been mainly concerned with military or economic secrets where the holders of the keys see their national pride, their freedom or their livelihood to be tied in with the preservation of secrets. Our society expects cypher clerks to die under torture rather than betray their colleagues.

In a world of TTPs, low level employees will be guarding private keys for companies and people they have never heard of. When someone buys them a new fridge or points a gun at their kids then a fair number of them are going to hand the secrets over, and they are going to think that it was morally the right thing to do... Bank managers are told to hand over the keys to the safe because "it's only money" and "we want you back alive".

The trouble is, if the DTI have their way, the TTPs won't just have a few keys to hand over, a few safes full of money, but millions. All those little fish add up. The keys are to be recoverable (and very quickly so checks will be hard to make) by "law enforcement" so it only takes a crooked cop and they will be accessible to the bad guys as well. They are a big fat juicy target.

One certainly hopes that a TTP would have, and the licensing authority would insist upon, complex systems to prevent this sort of thing... but if one could access the keys for half the economy by suborning the employees of a TTP, and be able to decrypt traffic thereafter in an undetectable way... that's a big prize for a criminal group or a corrupt foreign government with the capital to spend on the suborning.

The DTI recognise the risk of loss from TTPs (they have several paragraphs in the consultation paper saying how naughty the TTP would be, and [in effect] how it must be financially strong enough to stand the damages when successfully sued). They can also see that this loss could be a major calamity, and so they are going to allow the banks to stay outside the TTP system!

The only justification given by the DTI for access to private keys is that this will allow criminals and terrorists to be monitored. This is just a pious hope with little foundation in reality. Making "key escrow" compulsory so that all the UK's private keys end up inside TTPs is a major risk to the British economy.

What the DTI proposals actually say

One starts off reading the DTI proposals with the hope of learning the broad outline and a lot of the detail of what is being proposed. One's hopes are quickly dashed.

TTPs are to be required to hand over private encryption keys upon the production of a warrant signed by the Secretary of State (para 76). It is envisaged that the keys should be on their way within an hour (para 78). The DTI feels that this is a necessary requirement (para 15) to allow the Interception of Communications Act (that's phone tapping to you and me) to work with electronic mail or with encrypted phone conversations.

Now, to be strictly accurate, the DTI proposal never actually says that they will be requiring people to hand over their private keys to TTPs, it just describes what might happen if you did. This is, to put it mildly, vague in the extreme. Regrettably, despite explicit questions during the consultation phase, the DTI failed to entirely elucidate matters. It seems inconceivable that the DTI don't understand public key encryption... perhaps they think everyone will be using something else?

Some more clues about what the DTI might actually mean can be found in para 47 where they presage further legislation to access keys not held in the TTPs. Perhaps they admit that without compulsion few people would see the need to hand over their private keys at all?

If you read the proposals carefully you will see that para 46 suggests that the state will not wish to access privacy keys under the "key escrow" schemes. The proposals also discuss "electronic signatures" at some length (basically indicating that steps will be taken to improve their legal status). Further clarification by the DTI during the consultation phase indicated that they did not want to escrow signature keys, but they were silent when critics pointed out a half dozen different ways of using signature keys (held within the TTP system) to validate encryption keys held outside the TTP system.

The DTI's approach to integrity keys is presumably driven by the OECD proposals which do discuss integrity keys. I think that the UK would have some problems if their proposals did not treat them specially. That's why in Annex E (which is demonstrating how the UK proposals fit in with the OECD material) para 10 specially indicates that the UK legal framework will not give the authorities the ability to fabricate evidence...

If integrity keys had to be "escrowed" then the UK would have difficulty interworking with other jurisdictions where proper safeguards for this type of key had been put into place.

The DTI's difficulty (and yet again, as throughout all the issues relating to the consultation document, it is the special properties of public key systems which are making a nonsense of their proposals) is that there is no practical difference in current shipping public key software between signing keys and privacy keys.

If I publish my signing key then you can check my signature. However, you can also send me something which has been encrypted using that key. Watchers will not be able to read it, even if my "official" privacy key is escrowed with a TTP. Unless I am remarkably honest and refuse to read what has been sent me using the "wrong" key, there is a secure private channel set up between us.
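The point made here, and in the earlier paragraph about keys being "identical in form and function", shown as an added example (not part of the original essay): with textbook RSA, the same published key that verifies a signature also encrypts, and an escrowed privacy key does not open the result. The primes, key names and messages are constructed for illustration; unpadded RSA with fixed toy primes is used only to keep the sketch self-contained and is not secure.

```python
import hashlib
from math import gcd

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    public = {"n": n, "e": E}
    private = {"n": n, "d": pow(E, -1, phi)}  # modular inverse, Python 3.8+
    return public, private


def _digest(message, n):
    # Hash the message and reduce it into the key's modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    return pow(_digest(message, private["n"]), private["d"], private["n"])


def verify(public, message, signature):
    return pow(signature, public["e"], public["n"]) == _digest(message, public["n"])


def encrypt(public, plaintext):
    m = int.from_bytes(plaintext, "big")
    if m >= public["n"]:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, public["e"], public["n"])


def decrypt(private, ciphertext):
    m = pow(ciphertext % private["n"], private["d"], private["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    # Constructed keys: Mersenne primes, chosen only so the example is deterministic.
    privacy_pub, privacy_priv = make_keypair(2**107 - 1, 2**127 - 1)  # escrowed with a TTP
    signing_pub, signing_priv = make_keypair(2**61 - 1, 2**89 - 1)    # never escrowed

    # Intended use of the signing key: anyone can check the owner's signature.
    notice = b"signed notice"
    signature_ok = verify(signing_pub, notice, sign(signing_priv, notice))

    # The "wrong" use: a correspondent encrypts to the published signing key.
    secret = b"constructed msg"
    ciphertext = encrypt(signing_pub, secret)

    return {
        "signature_ok": signature_ok,
        "owner_reads": decrypt(signing_priv, ciphertext) == secret,
        # The TTP holds only the privacy key, which does not open this ciphertext.
        "escrow_reads": decrypt(privacy_priv, ciphertext) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the key material itself marks one pair as "signature only"; any such restriction has to be enforced by the software that uses the key.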

Does this mean that the DTI will propose that the private keys for integrity keys will have to go into the TTP, but it will be unlawful for people to ask for them unless someone wickedly uses them as privacy keys when writing to me...?

... or are the DTI going to propose that they should not be escrowed at all - at which point what's the point of escrowing the other ones? The "criminals" and "terrorists" they are so afraid of will just learn to use the integrity keys "by mistake". No need to bother with closed user groups, or special systems for distributing keys, just use the normal systems!

So, you're probably now as confused as I am. Are the DTI proposing compulsory key escrow?

I think they are, because a TTP could never meet its obligation to provide the private keys in an hour if it did not hold them, so it will be unable to accept public keys without their accompanying private keys.

I think that the DTI does indeed intend that keys which are never used for encryption should not be obtainable, even under warrant. They probably think this is a suitable safeguard, and imagine that people will have two key sets, one for signing and one for privacy. Unfortunately which one people use for writing to me is their choice and not mine. So, a few forged emails using the "wrong" key should then make it fairly easy for "law enforcement" to persuade the Secretary of State that my signing key should be handed over.

An alternative to key escrow

There are other sorts of criminals besides terrorists. The Revenue are extremely keen on being able to follow paper trails in order to detect organisations which are intentionally avoiding paying over their tithe (a bit more than 10% in most cases) to the State... Inside organisations records are mainly computerised and hence deliberate forgery can be hard to detect.

At present, investigators can still track the paper which flows in and out as orders and payments. When this too becomes electronic and, thanks to strong crypto, unreadable then measuring what is going on is going to become much harder.

This needs to be tackled (unless anyone is advocating reducing tax rates on business to zero). However, it does not actually require that private keys are handed over by everyone automatically - merely that provision is made for them to be made available to investigators upon demand. The law may perhaps make that compulsory at the present... but tidying this up to make it clear would surely do no harm, and it is strange that the DTI makes no proposals in this area.

The Labour Party seem to be making proposals along these lines, explicitly rejecting invisible decrypting of material, but looking towards judicial warrants to compel the decryption of material when this is necessary.

Conclusions

Compulsory key escrow will create TTPs holding secrets of great value, which it will be impossible to guard effectively.

The presence of private keys for signature keys within these TTPs will make those signatures worthless. Placing signature keys into the TTPs will ensure that the Bad Guys can use them for encryption.

The perception that TTPs are unsafe places for private keys will prevent many people who currently use encryption from endorsing them. The existing user community will not "sign-up" to the new scheme but will bad mouth it from the sidelines. This will lead to confusion and will seriously damage the TTP industry.

It will therefore become a neglected technology, used only by multinationals and people operating in particular technology areas like, say, defence contractors. In fact it will end up completely irrelevant to most people's lives - just like most of the other DTI technology initiatives of the past few decades :(

The State has, for the past few decades, had unrivalled access to communications between its citizens. The arrival of cheap computing power and the invention of public key cryptography have brought that era to an end. If the State wants to hold back the tide then it can do so, but the price we will pay is that we will not get secure electronic communications, the State will be monitoring everything we do in cyberspace, and we will not be able to rely upon digital signatures.

In the next century where these technologies are going to be vital, it is not going to be possible to use them with confidence in the UK.




© 1998 Richard Clayton
4th March 1998
