A key recovery encryption system (or recoverable encryption system) is an encryption system with a backup decryption capability that allows authorized persons (users, officers of an organization, and government officials), under certain prescribed conditions, to obtain the keys needed to decrypt ciphertext. Access to a decryption key is facilitated by information held by one or more trusted parties plus information attached to the ciphertext. The information held by the trusted parties typically includes special recovery keys. The term key escrow is sometimes used to refer to systems in which the recovery keys are the private keys of users; it is also used synonymously with key recovery. Other terms used include key archive, key backup, and data recovery.

This paper presents a taxonomy for key recovery encryption. The taxonomy is intended to provide a structure for describing and categorizing the recovery mechanisms of complete systems as well as various design options. Table 1 applies the taxonomy to several key recovery products or proposals. The paper is a revision of "A Taxonomy of Key Escrow Encryption," Communications of the ACM, Vol. 39, No. 3, March 1996, pp 34-40.

COMPONENTS

A recoverable encryption system can be divided logically into three main components:

User Security Component (USC). This is a hardware device or software program that provides data encryption and decryption capabilities as well as support for the key recovery function. This support typically includes attaching a data recovery field (DRF) to encrypted data. The DRF may be part of the normal key distribution mechanism.

Recovery Agent Component (RAC). This component, which is operated by key recovery agents, manages the storage and release or use of recovery keys and other information that facilitates decryption. It may be part of a public-key certificate management system or part of a general key management infrastructure.

Data Recovery Component (DRC). This consists of the algorithms, protocols, and equipment needed to obtain the plaintext from the ciphertext plus information in the DRF and provided by the RAC. It is active only as needed to perform a specific authorized data recovery.

These logical components are highly interrelated, and the design choices for one affect the others.

Figure 1 illustrates the interaction of the components. A USC encrypts plaintext data with a key K and attaches a DRF to the ciphertext. The DRC recovers the plaintext using information contained in the DRF plus information provided by the RAC.

Each of these components is described in the following sections.

USER SECURITY COMPONENT

The USC encrypts and decrypts data and performs functions that support the data recovery process. It is characterized by:

Application Domain. A USC can support either or both of the following:

• Communications. This includes both transient communications such as phone calls and general network traffic and non-transient communications such as electronic mail. Emergency decryption is used by law enforcement in conjunction with court-authorized interception of communications, also known as wiretaps.

• Stored data. Stored data can be simple data files or more general objects, including stored electronic mail. Emergency decryption is used either by the owners of the data to recover lost or damaged keys, or by law enforcement officials to decrypt computer files seized under a court order.

• Name and mode of operation.

• Key length.

• Classification. An algorithm may be classified or unclassified. If unclassified, it may be proprietary or public.

Stored Identifiers and Keys. The USC stores identifiers and keys that are used for emergency decryption:

• Identifiers. These can include a user or USC identifier, identifiers for keys, and identifiers for the RAC or recovery agents.

• Keys. These can include keys unique to the USC, keys belonging to its user, or global system keys used by the RAC. They can be public or private. Copies of the keys or their private counterparts may be held with the key recovery agents.

Recovery field and Mechanism. When data are encrypted with a key K, the USC must bind the ciphertext and K to recovery information, normally by attaching a data recovery field (DRF) to the encrypted data. The binding is characterized by:

• Which recovery agents. K can be bound to keys held by the recovery agents of the sender, receiver, or both. The choice affects data recovery.

• Role in key distribution. The DRF and binding mechanism can be integrated with the protocols used to transmit K to the intended recipient. In that case, the sender must transmit a valid DRF in order for the intended recipient to acquire the key.

• Contents of DRF. Normally, the DRF contains K encrypted under one or more recovery keys (e.g., a product key, the public key of the sender or receiver, or a master public key of the RAC). In some cases, only some of the bits of K may be made available through the DRF so that the remaining bits must be determined through brute force. The DRF may also contain information identifying the recovery keys, the RAC or recovery agents, the encryption algorithm and mode, or the DRF creation method. The entire DRF may be encrypted under a family key associated with the DRC in order to protect identifiers transmitted in the DRF. Single-key or public-key cryptography can be used. The length of the DRF can affect the suitability of a particular scheme to certain applications, e.g., radio communications where error rates are high.

• Transmission and frequency. Normally, the DRF precedes the ciphertext in a message or file header. With open connections, it may be retransmitted at regular intervals.

• Validation. The DRF may include a recovery authenticator which is verified by the receiver to determine the integrity of the DRF. Alternatively, if public keys are used to create the DRF, the receiver could recompute the DRF and compare the result with the DRF received. With binding cryptography, a third party can validate the recoverability of keys in the DRF.

Interoperability. A USC may be designed to interoperate only with correctly functioning USCs and not with USCs that have been tampered with or that do not support key recovery.

Implementation. A USC may be implemented in hardware, software, firmware, or some combination thereof. Hardware is generally more secure and less vulnerable to modification than software. If classified algorithms are used, they must be implemented in tamper resistant hardware. Hardware implementations may include special purpose crypto processors, random number generators, and/or a high-integrity clock.

Products that implement a USC are sometimes called recoverable encryption products (or devices). They have also been called escrow-enhanced or escrow-enabled products.

Assurance . The USC may provide assurance that users cannot circumvent or disable the key recovery mechanisms or other features. A USC that can be used or modified to "cheat" is called a rogue USC. The possibility of rogue USCs is strongly dependent on the recovery mechanism and implementation. We distinguish between single rogues, which can interoperate with non-rogues, and dual rogues, which interoperate only with other rogues. Single rogues present the greatest threat to emergency data recovery because they require no collaboration on the part of the receiver.

RECOVERY AGENT COMPONENT

The RAC is responsible for storing recovery keys and other information needed for key recovery, and for assisting the Data Recovery Component by providing required data or services. It has the following elements:

Role in Key Management Infrastructure. The RAC could be a component of the key management infrastructure, which could be a single key infrastructure (e.g., key distribution center) or public-key infrastructure. With the latter, the recovery agents could serve as the public-key certificate authorities, or they could be distinct entities.

Key Recovery Agents. The recovery agents, also called trusted parties, are responsible for operating the RAC. They may be registered with a key recovery center that coordinates their operation or serves as a point of contact for the USC or DRC. Recovery agents are characterized by:

• Type of agents. Recovery agents may be entities in the government or private sector. The former could restrict use of their services to government agencies. The latter, which are used with what has been called commercial or private key recovery systems, could be internal to an organization or independent companies that offer commercial services. Independent recovery agents are often referred to as trusted third parties as they are distinct from both the sender and the receiver.

• Identifiability. This includes name and location.

• Accessibility. This is determined by the location of the recovery agents (e.g., local or foreign) and their hours of operation (e.g., full time or 24 hours a day, 7 days a week).

• Security. This refers to how well the RAC protects against compromise, loss, or abuse of recovery information. It includes reliability and resiliency, which is a measure of the "trust" required of the recovery agents for protecting the recovery information from compromise and for enabling data recovery.

• Accountability. This assures identification of an recovery agent that sabotages data recovery or that releases keys to unauthorized parties or under unauthorized circumstances.

• Liability. This characterizes the liability of the recovery agents in case keys are compromised or become unavailable. Escrow agents might be bonded to protect against liability.

• Certified/licensed. This indicates whether the recovery agents are certified and licensed with some government. To qualify for a license, recovery agents may be required to meet specified conditions. In return, they may get certain liability protections. Use of certified agents may affect exportability.

• Granularity of keys. Options include:
  • Data encryption keys. This includes session keys, network keys, and file keys. A key distribution center could generate and distribute such keys.

  • Product keys. These are unique to a USC.

  • User keys. Normally, these would be private components of the public-private keys pairs used to establish data encryption keys. The RAC might serve as the user's public-key certificate authority, issuing a certificate for the user's public key. The term "key escrow" is sometimes restricted to systems of this type.

  • Master keys. These keys are associated with the RAC and used by multiple USCs. The term "key recovery" is sometimes restricted to systems of this type.

• Splitting of keys (secret sharing, threshold schemes). A recovery key can be split into multiple key components, with each component held by a separate agent. Keys can be split so that all n recovery agents are needed to restore a given key or so that any "k out of n" suffices for some k, where n is the number of agents. They can be split using a general monotone access structure, which allows for the specification of arbitrary subsets of recovery agents that can work together to restore a key.

• Who generates and distributes keys. Keys can be generated by the RAC, the USC, or some combination. If generated by the USC, the keys may be split and escrowed using verifiable secret sharing schemes so that the recovery agents can check the validity of their individual components without knowing the original key. Keys may be generated jointly so that a user cannot hide a "shadow key" in an escrowed key and thereby circumvent the key recovery mechanism.

• Time of archive. Keys could be archived or escrowed during product manufacture, system or product initialization, or user registration. If a user's private key (of a public-private key pair) is escrowed, it could be escrowed when the corresponding public key goes into the public-key infrastructure and a certificate is issued. A USC might send encrypted data only to users with public-key certificates signed by approved recovery agents.

• Key update. Some systems may allow recovery keys to be changed. Such updates could be performed on request or on a regular basis.

• Complete or partial. A portion of a key could be escrowed instead of the complete key. In this case, the unescrowed portion of the key would be determined through a brute force attack when it is needed for data recovery.

• Storage of keys. This could be off-line (e.g., on floppy disks stored in safes or smartcards) or on-line.

Data Recovery Services. The RAC provides services, including release of information, to the DRC. It is characterized by:

• Authorization procedures. The procedures under which persons operating or using the DRC can use the services of the RAC may include establishing proof of identity and legal authority to access the data to be decrypted.

• Services provided. There are several possible options:
  • Release recovery keys. This approach normally is used when the recovery keys are session keys or user or product keys (master keys are not released). The keys might be released with an expiration date, after which they are automatically destroyed.

  • Release derived keys. The RAC releases derivatives of recovery keys, for example, time-bounded keys that enable decryption only of data that had been encrypted during a specific period of time.

  • Decrypt data recovery key or other information. This approach is often used when master public keys are used to encrypt data encryption keys (or other information) in the DRF. The RAC performs the decryption rather than turning over its master private key to the DRC.

  • Perform threshold decryption. Each recovery agent provides a "piece" of a decryption to the DRC, which combines the results to get the plaintext.

• Transmission of data to/from the DRC. This could be manual or electronic.

DATA RECOVERY COMPONENT

The DRC supports recovery of plaintext from encrypted data using information supplied by the RAC and in the DRF. It is characterized by:

Capabilities. These include:

• Timely decryption.

• Real-time decryption of intercepted communications.

• Post-processing. The DRC can decrypt communications that were previously intercepted and recorded.

• Transparency. Decryption is possible without the knowledge of the parties involved.

• Independence. Once the keys have been obtained, the DRC can decrypt using its own resources, that is, independently of the RAC.

Data Encryption Key Recovery. To decrypt data, the DRC must acquire the data encryption key K.

• Access through sender or receiver. A critical factor is whether K can be recovered using data recovery keys associated with the sender, the receiver, or either party. If access is possible only through keys held by the sender's recovery agents, the DRC must obtain key recovery data for all parties transmitting messages to a particular user, possibly precluding real-time decryption, especially if the parties are in different countries and using different recovery agents. Likewise, if access is possible only through keys held by the receiver's recovery agents, real-time decryption of all messages transmitted from a particular user may be impossible. If data recovery is possible using keys held by either set of recovery agents, then the DRC may be able to decrypt intercepted communications both to and from a particular USC in real time. A system may provide this capability for two-way simultaneous communications (e.g., phone calls) by requiring that the same K be used for both ends of the conversation.

• Frequency of interaction with RAC. The DRC may be required to interact with the RAC once per data encryption key or once per USC or user. The former requires an on-line connection between the DRC and RAC in order to support real-time decryption of communications when the session key changes per conversation.

• Need for brute force. If the recovery agents return partial keys to the DRC, then the DRC must use brute force to determine the remaining bits.

Safeguards on Decryption. The DRC can use technical, procedural, and legal safeguards to control what can be decrypted. For example, data recovery may be restricted to a particular time period (as authorized by a court order). These safeguards supplement restrictions imposed by the RAC in its release of keys. Authentication mechanisms could be used to prevent the DRC from using the keys it acquires to create and substitute bogus messages.

Acknowledgments

We wish to thank Matt Blaze, Yvo Desmedt, Carl Ellison, Ravi Ganesan, Carmi Gressel, Hans-Joachim Knobloch, David Maher, Silvio Micali, Edward Scheidt, Greg Shanton, and Peer Wichmann for helpful comments on an earlier version of this taxonomy.

Sources

AT&T Crypto Backup. This is a proprietary design for a commercial system which backs up document keys through an archived master key. David P. Maher, "Crypto Backup and Key Escrow," Communications of the ACM, Vol. 39, No. 3, March 1996, pp. 48-53.

Bankers Trust Secure Key Escrow Encryption System (SecureKEES). Employees of a corporation register their encryption devices (e.g., smart card) and private encryption keys with one or more commercial recovery agents selected by the corporation. SecureKEES product literature, CertCo, Bankers Trust Company.

Bell Atlantic Yaksha System. An on-line key security server generates and distributes session keys and file keys using a variant of the RSA algorithm. The server transmits the keys to authorized parties for data recovery purposes. Ravi Ganesan, "The Yaksha Security System," Communications of the ACM, Vol. 39, No. 3, Mar. 1996, pp. 55-60.

Binding Cryptography. This approach allows a third party to validate whether the data encryption key is recoverable from the DRF. E. R. Verheul, B. J. Koops, and H. C. A. van Tilborg, "Binding Cryptography: A Fraud-Detectable Alternative to Key-Escrow Solutions," Computer Law and Security Report, January-February 1997, pp. 3-14.

Blaze's Smartcard-Based Key Recovery File System. This is a prototype smartcard-based key recovery system for use with the Cryptographic File System. A user entrusts a smart card with a file encryption key to a trusted party. Matt Blaze, "Key Management in an Encrypting File System," AT&T Bell Labs.

The Clipper/Capstone Chips. These tamper-resistant chips implement the Escrowed Encryption Standard (EES), which uses the classified Skipjack algorithm. Unique recovery keys, programmed onto each chip, are split between two government agencies and restricted to government use. Dorothy E. Denning and Miles Smid, "Key Escrowing Today," IEEE Communications, Vol. 32, No. 9, Sept. 1994, pp. 58-68. Click here for text version.

Cylink Key Recovery. This proposal uses Diffie-Hellman techniques for integrating key recovery services into a public-key infrastructure. Jim Omura, "Alternatives to RSA Using Diffie-Hellman with DSS," White Paper, Cylink, Sept. 1995.

Desmedt Traceable Ciphertexts. This proposal binds the DRF to ciphertext in such a way that the identity of the receiver can be determined if the receiver can determine the session key. Yvo Desmedt, "Securing Traceability of Ciphertexts - Towards a Secure Software Key Escrow System," Proc. Eurocrypt '95, Saint-Malo, France, May 21-25, 1995, pp. 147-157.

Fortezza Card. This commercially available PC card contains a Capstone chip. A user's public-private encryption keys are stored on the card and can be escrowed with the user's public-key certificate authority.

Fortress KISS: Keep the Invaders (of Privacy) Socially Sane. This proposed system uses tamper-resistant encryption chips and master recovery keys. Carmi Gressel, Ran Granot, and Itai Dror, "International Cryptographic Communication without Key Escrow. KISS: Keep the Invaders (of Privacy) Socially Sane," International Cryptography Institute 1995: Global Challenges.

IBM SecureWay Key Recovery. Random numbers are encrypted under master public keys of the recovery agents and stored in the DRF. These are decrypted for key recovery; information derived from them is then used to decrypt the session key in the DRF. Partial key recovery is possible. "IBM SecureWay Key Recovery Technology," 1997.

Kilian and Leighton Failsafe Key Recovery. With this proposal, a user's keys are generated jointly by the user and key recovery agents so the user cannot circumvent key recovery. Joseph Kilian and Tom Leighton, "Fair Cryptosystems, Revisited," Proc. CRYPTO '95, pp. 208-221.

Leiberich Time-Bounded Clipper with a Clock. This proposed enhancement to Clipper offers time-bounded data recovery through a clock and date-dependent device unique keys. Otto Leiberich, private communication, June 1994.

Leighton and Micali Key Escrow with Key Agreement. With this proposal, each user has an escrowed private key. Any two users can compute a shared secret key from their own private key and the identifier of the other. Tom Leighton and Silvio Micali, "Secret-Key Agreement without Public-Key Cryptography," Proc. Crypto '93, pp. 208-221.

Lenstra, Winkler, and Yacobi Key Escrow with Warrant Bounds. This proposal allows the escrow agents to release keys that restrict decryption to the communications of a particular user or pair of users during a specific interval of time. Arjen K. Lenstra, Peter Winkler, and Yacov Yacobi, "A Key Escrow System with Warrant Bounds," Proc. Crypto '95, pp. 197-207.

Lotus Notes International Edition (Differential Workfactor Cryptography). Data are encrypted with 64-bit keys, 24 of which are encrypted under a public key of the government and transmitted with the data. The government can obtain the remaining 40 bits through brute force. Lotus Backgrounder, "Differential Workfactor Cryptography," Lotus Development Corp. 1996.

Micali Fair Public Key Cryptosystems. Verifiable secret sharing techniques are proposed whereby users generate, split, and escrow their private keys with escrow agents of their choice as a prerequisite to putting their public keys in the public key infrastructure. Silvio Micali, "Fair Cryptosystems," MIT/LCS/TR-579.c, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, August 1994.

Micali Guaranteed Partial Key-Escrow. Under this proposal, the private keys of users are partially escrowed. The escrow agents verify that the bits in their possession are correct and that only a relatively small number of bits are unescrowed. Silvio Micali, "Guaranteed Partial Key-Escrow," MIT/LCS/TM-537, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, 1995.

Micali and Sidney Resilient Clipper-Like Key Escrow. This proposal allows keys to be split so that recovery is possible even if some of the escrow agents compromise or fail to produce their key components. Silvio Micali and Ray Sidney, "A Simple Method for Generating and Sharing Pseudo-Random Functions, with Applications to Clipper-Like Key Escrow Systems," Proc. Crypto '95, pp. 185-196.

National Semiconductor CAKE. This proposal combines a TIS key recovery system with National's PersonaCardTM. W. B. Sweet, "Commercial Automated Key Escrow (CAKE): An Exportable Strong Encryption Proposal," National Semiconductor, iPower Business Unit, June 4, 1995.

Nechvatal Public-Key Based Key Escrow System. This proposal uses Diffie-Hellman public-key techniques for escrowing keys and for data recovery. James Nechvatal, "A Public-Key Based Key Escrow System," J. of Systems and Software, to appear Oct. 1996.

Nortel Entrust. This commercial product archives user's private encryption keys as part of the certificate authority function and public-key infrastructure support. Warwick Ford, "Entrust Technical Overview," White Paper, Nortel Secure Networks, Oct. 1994.

PC Security Stoplock KE. This is a commercial product that integrates private key recovery into the key management infrastructure. Stoplock Press, PC Security, Ltd., Marlow, Buckinghamshire, UK, Issue 3, Nov. 1995.

Royal Holloway Trusted Third Party Services. This proposed architecture for a public key infrastructure requires that the TTPs associated with pairs of communicating users share parameters and a secret key. Nigel Jefferies, Chris Mitchell, and Michael Walker, "A Proposed Architecture for Trusted Third Party Services," Royal Holloway, University of London, 1995.

RSA SecureTM. This file encryption product provides data recovery through an archived master public key, which can be split among up to 8 trustees using a threshold scheme. RSA SecureTM, product literature from RSA Data Security, Inc.

Shamir Partial Key Escrow. This is a proposal to escrow all but 48 bits of a long (256-bit) key. These 48 bits, which are generated randomly for each session or file, are determined by brute force during data recovery. Adi Shamir, "Partial Key Escrow: A New Approach to Software Key Escrow," The Weizmann Institute, presentation at NIST Key Escrow Standards meeting, Sept. 15, 1995.

TECSEC VEILTM. This commercial product provides file (and object) encryption. Key recovery is built into the key management infrastructure. Edward M. Scheidt and Jon L. Roberts, "Private Escrow Key Management," TECSEC Inc., Vienna, VA. See also TECSEC VEILTM, product literature.

TESS with Key Escrow. The Exponential Security System supports a general access structure for key recovery. The DRC obtains a particular session key by participating in the key establishment protocol and acquiring the sender's or receiver's private key. Thomas Beth, Hans-Joachim Knobloch, and Marcus Otten, "Verifiable Secret Sharing for Monotone Access Structures," Proc. 1st ACM Conf. on Communication and Computer Security, 1993; Thomas Beth, Hans-Joachim Knobloch, Marcus Otten, Gustavus J. Simmons, and Peer Wichmann, "Towards Acceptable Key Escrow Systems," Proc. 2nd ACM Conf. on Communication and Computer Security, 1994, pp. 51-58.

Threshold Decryption. With threshold decryption, a secret key can be shared by a group of recovery agents in such a way that through collaboration of the agents, information can be decrypted without the agents releasing their individual key components. Yvo Desmedt, Yair Frankel, and Moti Yung, "A Scientific Statement on the Clipper Chip Technology and Alternatives," 1993.

TIS RecoverKey. This is a commercial key recovery system. Key recovery is enabled through master keys held by a Data Recovery Center. Stephen T. Walker, Stephen B. Lipner, Carl M. Ellison, and David M. Balenson, "Commercial Key Recovery," Communications of the ACM, Vol. 39, No. 3, Mar. 1996, pp. 41-47.

For more detailed descriptions of these systems, see also Dorothy E. Denning, "Descriptions of Key Escrow Systems," http://www.cs.georgetown.edu/~denning/crypto/Appendix.html.

Key Recovery System or Approach (* is commercial product)

USC - User Security Component

RAC - Recovery Agent Component

DRC - Data Recovery Component

App

Alg

Keys

DRF

Imp

Role

Type

Rec Keys

Split

Service

KeysReq

Per

AT&T Crypto Backup

f,c

Ur

pub

pub

S

-

C

master

1,k/n

dec K

S

K

Bankers SecureKEES*

c

U

priv

pub,k

H

-

C

user

k/n

rel KU

S/R

S/R

Bell Atlantic Yaksha

c,f

U

priv

na

-

KMI

C

session

1

rel K

-

K

Binding Crypto

f,c

U

pub

pub

S

-

-

master

k/n

dec K

S/R

K

Blaze File Crypto

f

U

none

na

H

-

C

dir

1

dec file

S

K

Clipper Chip (EES)*

c

C

priv

priv

H

-

G

prod

2/2

rel KU/exp

S

S

Cylink Key Recovery

c,f

U

priv

pub,k

-

PKI

C

user

1,k/n

rel KU

S/R

S/R

Desmedt Traceable

c

U

priv

pub,k

-

-

-

user

-

-

R

R

Fortezza Card*

c,f

C

priv

pub

H

PKI

C

user

1

rel KU

R

R

Fortress KISS

c

U

priv

pub,k

H

-

G

master

2/2

dec KU

S/R

S/R

IBM SecureWay.*

f,c

U

pub

pub

-

-

C

master

k/n

dec g/part K

S/R

K

Kilian/Leighton F-safe

c

U

priv

pub,k

-

-

-

user

k/n

rel KU

-

-

Leiberich TB-Clipper

c

C

priv

priv

H/c

-

G

prod

2/2

rel KU/tb

S

S

Leighton/Micali

-

U

priv

na

-

-

-

prod

-

rel KU/K

S/R

S/R

Lenstra/Winkler/Yacobi

c

U

priv

pub

-

PKI

-

user

k/n

rel KUV/tb

S/R

S/R

Lotus Notes Int'l*

c

U

pub

pub

S

-

G

master

-

dec part K

S

K

Micali Fair Crypto

c

U

priv

pub,k

-

PKI

-

user

k/n

rel KU/tb

R

R

Micali Partial Escrow

-

-

-

-

-

-

-

partial

-

-

-

-

Micali/Sidney Esc.

-

U

priv

priv

-

-

-

user

t/u/n

rel KU

-

-

National CAKE

f,c

U

pub

pub

H

-

C

master

1

dec K

S

S

Nechvatal Public-Key

c

-

pub

pub

-

-

-

prod

n/n

rel KU

S

S

Nortel Entrust*

c,f

Ur

priv

pub,k

H,S

PKI

C

user

1

rel KU

S/R

S/R

PC Sec. Stoplock KE*

c,f

Ur

priv

-

S

KMI

C

system

-

-

-

-

Royal Holloway TTPs

c

U

priv

priv,k

-

PKI

C

user

-

rel KU

S/R

S/R

RSA Secure*

f

Ur

pub

pub

S

-

C

master

k/n

dec K

S

K

Shamir Partial Escrow

-

-

priv

-

-

-

-

partial

-

rel

brute

-

TECSEC VEIL*

f

U

priv

priv,k

S

KMI

C

system

n/n

rel K

S/R

K

TESS w Key Escrow

c

U

priv

na

H

PKI

C

user

any

rel KU

S/R

S/R

ThresholdDecryption

c

U

priv

pub

-

-

-

user

k/n

th-dec K

S?

S?

TIS RecoverKey.*

f,c

U

pub

pub

-

-

C

master

1

dec K

S/R

K

Table 1. Summary Characteristics of Key Recovery Encryption Systems and Approaches.

Key to Table 1.

User Security Component (USC)

• App = application. c = communications, f = files and other stored objects.
• Alg = data encryption algorithm. C = classified, U = unclassified, Ur = proprietary unclassified.
• Keys = stored keys used with key recovery function. priv = private keys and optionally public keys, pub = public keysonly.
• DRF = encryption keys used to compute Data Recovery Field. priv = private keys (and, optionally, pubic keys), pub = public keys, k = DRF also used with key establishment/distribution, na = not applicable.
• Imp = implementation. H = some special hardware required, H/c = hardware with a clock, S = software with optional hardware.

• Role = integration of key recovery into key management infrastructure. KMI = integrated with key management infrastructure, PKI = component of public key infrastructure administered by certificate authorities.
• Type = type of system. C = commercial or private sector recovery agents, G = government agents.
• Rec Keys = keys enabling recovery. dir = file encryption key used with entire directory, master = recovery agent master key, partial = part of user or application key, prod = product unique key, session = session key, system = keys managed by system, user = user key.
• Split = splitting of keys with recovery agents. n/n = n out of n needed for decryption, k/n = k out of n needed using threshold techniques, t/u/n = allows t to conspire and compromise key and n-u to withold.
• Service = service provided to DRC. dec g/part K = decrypt random number g used in decryption of partial K, dec K = decrypt data encryption key K, rel K = release K from escrow, thd-dec K = use threshold decryption, dec KU = decrypt user or product key, rel KU = release KU from escrow, rel KUV = release keys used by pair of users U and V, tb = time bounded keys released, exp = keys released with expiration date.

Data Recovery Component (DRC)

• Keys Req = keys required for decrypting data. S = keys associated with the sender or sender's USC, R = keys associated with the receiver or receiver's USC, S/R = keys associated with either.
• Per = frequency with which DRC must interact with RAC to get keys. K = once per session/file key, S = once per sender, R = once per receiver.

A dash "-" in table denote an open or unspecified element.

Figure 1. Key Recovery Encryption System.