
Least worst golden key - zdw
http://www.tedunangst.com/flak/post/least-worst-golden-key
======
aftbit
>Why would we want to design such a system, given that implementing a golden
key would be a disaster? ... I think having a good escrow plan ready is better
than having none and being forced to design one on the spot.

I disagree with this premise. I think it's dangerous to publicly and
unashamedly discuss how to build a broken system like this, because it reduces
the cost of performing that design in the future.

For example, if you run an online service, you should spend your time building
a system that makes it impossible to spy on your users, not writing an
internal procedure that describes how you would spy on your users if someone
forced you to.

That said, I think the best argument against escrow for those who trust the
FBI is that it will chill innovation and free speech, and push consumers and
businesses to purchase from companies that don't do escrow (because they're
outside the jurisdiction of whoever does it).

------
andrewfong
There's a slippery slope argument here as well -- i.e. once built, the natural
human desire for convenience will slowly erode security features within the
system.

Imagine if someone asked for a way to remotely administer a nuclear power plant
over the Internet. It's possible to build a reasonably secure system -- VPN,
one-time passwords, company-issued hardware, etc. But security isn't exactly
intuitive to a lot of people and there are a bajillion ways to screw this up.
So given the dangers involved with a nuclear power plant, the smarter approach
is to simply insist that nuclear power plant control systems be air gapped
from the rest of the network rather than to figure out a 'good enough' way to
secure remote access.

------
dullcrisp
I think the question of how to make something reliably accessible, but very
difficult to access covertly is an interesting one.

How about a system where you need n of m pieces of data to obtain a key, for
suitably large n < m. Then you can split your key into m subkeys, and give
each one to a different trusted third party, who would only reveal the key if
presented with a warrant.

Then in order to decrypt the data, the government would have to subpoena, say,
20 out of 40 separate public organizations. It wouldn't be an easy thing to
do, so hopefully they wouldn't do it often (and we would know if they did),
but in extreme cases where someone's life depends on it, and everyone in the
world agrees that it's necessary, it could still be done.

This system could also be made difficult to compromise if every week or so you
would generate a new set of subkeys and send them out to the secret keepers,
who would then delete the old keys they had for you. Then even if someone got
one of the key stores, it would become useless after new keys were sent out,
since all the other keys necessary to use it would be permanently deleted. To
steal a key, someone would have to compromise all n of the key stores at the
same time.

Something like this may even be useful for things that you want to be able to
recover yourself. Say I have my bitcoin wallet stored securely on a flash
drive, but if I lose it, I can get it back through this method by verifying my
identity to say five organizations that I trust. Does anything like this exist
already maybe?

~~~
anon4
You're talking of Shamir's Secret Sharing Scheme (alliterative translations in
other languages left as an exercise to the reader)

It's really neat, actually and can be efficiently and easily implemented just
going from wikipedia's description.

------
spacefight
Dear author, how about a big no?

Which side are you on? Seriously - someone (WaPo) brings up a totally
unacceptable method and then someone brings up a slightly less unacceptable
method. This sounds to me exactly the way some politics scheme works.

"There’s my least worst idea. A per device backup key, split in pieces, stored
on paper in underground silos."

Again, no thanks. Any form of key escrow is a backdoor.

------
arh68
The paper really isn't _that_ secure. A large fire in a paper archive is only
really a _once every 50 years_ phenomenon, tops. Besides, look at the already-
existing boring-as-hell absolutely-paramount-to-nat'l-security _nuclear
missile program_ to see the grunts running it will be _easy_ social
engineering targets. None of them will care.

Be careful with your wishful thinking.

You want a least worst escrow? How about an escrow where the keys aren't
written down. How about you just restrict your salt to N, N+1, .., M and have
the TLAs brute force it? _Actually_ trust no one.

~~~
mckoss
Great idea. If the assumption is that only a handful of keys will be needed
per year, it is much less expensive to require the government to brute force a
key solution than storing and securing all the keys.

Just choose a key strength that costs about $10,000,000 to brute force it, and
keep increasing key strength as more efficient methods are found.

~~~
dllthomas
_" Just choose a key strength that costs about $10,000,000 to brute force it,
and keep increasing key strength as more efficient methods are found."_

Wasn't that the approach in the early days of computer crypto? Where keys
bigger than X were verboten?

------
sarciszewski
How about we design our systems such that Law Enforcement (up to and including
the FBI) cannot break into them, and therefore also lock out criminals as
well?

That's what I want to see happen. Key escrow/giving law enforcement a foot in
the door of our personal lives? No thanks.

"But what about criminals? And TERRORISTS?!"

Law enforcement has already been pretty effective at solving crimes without
these capabilities. Statistically, terrorism is a minor risk.

(I would _also_ like this to apply to end-to-end authenticated encryption
between parties as well.)

~~~
cma
Statistically, terrorism makes nations go insane and start huge wars that kill
many more. Not a minor risk.

~~~
FeeTinesAMady
That argument just boils down to "we overreact to terrorism, therefore
terrorism is worth overreacting to", though.

~~~
vegedor
Well, what says you are not overreacting over privacy concerns? Both scenarios
paint a hypothetically hyperbolic picture.

~~~
emsy
The government already took your privacy but terrorism probably hasn't affected
you directly yet. One threat is real, the other is more virtual.

------
jdechko
Where does it stop though? FBI, NSA, CIA will all want access. And local LE.
And the UK, France & Germany. Then Russia will want it. And with the inroads
finally made in China, Apple might have to share or risk being left out of the
world's largest market again. Of course the key is completely insecure now and
we are left vulnerable to hackers and potential corporate espionage.

The simple truth is that any back door, whether secured with a golden key or
not, can be broken into.

~~~
natch
"Can be broken into" is a red herring. Bad laws, bad governments, and rogue
government actors are an even better reason not to have escrow.

------
wyager
Planning such an awful system gives it false legitimacy.

"Look, guys, I'm not saying New Earth Creationism is right; I'm just saying we
should have all our scientists talk about it and find arguments in favor of
New Earth Creationists."

~~~
natch
Thank you, this is the exact problem with the article.

It's not well written.

It doesn't propose a good system.

And yet sadly it succeeds in advancing the bad side of the argument, just by
spreading FUD.

------
titanomachy
The proposed scheme would carry substantial expense compared to a single key.
If Apple (for example) hosts the escrow keys, then who pays that cost? Who has
the right incentives to build a very costly but more secure system?

I'm not saying it wouldn't be a good use of money, but it might make it
difficult to build support for the idea. A cheaper solution which preserves
much of the security would be to use cryptographic key-sharing rather than
physical sharding. The escrow keys would still be created uniquely on a per-
device basis, but now Apple, the FBI, and the Justice Department must each
provide a fragment of the key. Perhaps the system could be designed to release
keys only when provided with a valid warrant requesting a specific key... but
this would probably require warrants to be better digitized.

~~~
bostik
> _The proposed scheme would carry substantial expense compared to a single
> key. If Apple (for example) hosts the escrow keys, then who pays that cost?
> Who has the right incentives to build a very costly but more secure system?_

I understood that was the whole point.

If you're going to build a key escrow mechanism that isn't prone to universal,
zero-effort abuse, there are going to be all kinds of external factors that need
to be considered.

Ted's article lays out the requirements to show _just how bad_ the idea of key
escrow is, including the measures that would be necessary to make it
acceptably insecure. (Key escrow is - and remains - defective by design.)

------
rabbyte
I love the approach that some perspectives consider this a problem waiting for
a solution so we should at least try to be inventive and consider
possibilities. The problem is everything about this is contingent upon
perspective and there are too many to have a solution that captures all
concerns. When your category is "Every Person In The World", or the not-so-
tiny pool that is "Apple Customers", the only solution that fits all would be
one that empowers the individual because it shifts off the burden of competing
perspectives.

The problem is compounded by the fact a golden key scenario only works with
the current web services model we've become dependent upon. What happens when
encryption is the default everywhere all the time and computation is performed
by blind services or smart contracts mapped together over a trustless network
a la bitcoin style? Everything about the experience could feel the same with
the exception being control over your data is shifted from a third party to
you.

One possible solution would be to establish computational governance. At least
at that point you have a communal opt-in which gets you away from the problem
of perspective. In the same way all motorists agree to a set of rules for a
given area, you could be given access to use services if you agree to a set of
policies. One such policy would be to have access to your data shared to a
third party if a reasonable process is followed (a dumb example would be if a
majority of your peers agree that you should be investigated). Probably
another can of worms but at least then we're operating from a workable
premise.

------
alricb
Keys on paper? If you're going to go through that kind of trouble, at least
use golden metal plates, Book of Mormon-style.

------
downandout
None of this matters. If (when) Apple/Google choose or are forced to implement
backdoors, then smart people that care about privacy will confine their
communications to apps that do not have them. Apps also have the added benefit
of not exposing activities to phone companies that will readily turn records
over to law enforcement. Even a simple web chat app accessed via Tor browser
on a mobile device would bypass nearly all of our concerns about backdoors,
pen registers, etc.

------
inlined
I'm surprised how infrequently this is viewed from the monetary position. We
would embargo a phone with a known back door for China's law enforcement
because we tend not to trust their government. Similarly, nobody trusts ours.
A law requiring unfettered US government access to US designed hardware would
possibly remove us from that sector of the global economy.

~~~
bren2013
Generally, when you backdoor hardware, you don't let people know it's
backdoor'ed.

~~~
judk
The discussion at hand is about a proposal to mandate backdoors in cell phones
/ OSes designed by US companies. Not a secret.

------
natch
>Let’s try building the best escrow system we can, and then point out all the
faults that remain.

No, let's not.

Key escrow is the magical happy pill for people who think that governments and
other "trusted" organizations are incapable of:

* creating bad laws

* harboring rogue officials

* making mistakes

* becoming tyrannical, dictatorial, abusive, or corrupt

------
pronoiac
I threw out "encryption doesn't kill people, people kill people" before, and
it's feeling apt, due to police militarization and gun fetishes.

