The Yaksha security system

Transcription

The Yaksha security system
The
Yal(sha
Security
Heralding future reusabJe security systems,
the Yaksha security infrastructure provides
multiple security functJons~authentJcatJon,
digita signatures, key exchange, and key escrow.
Th
Security System
Ravi Ganesan
"'.
:
."
:.'."
• :.
i'..~:
:
•
.
Hindu methology, Yakshas are "good" demigods who guard the
ates of heaven. They are extremely flexible and have the power to
"ansform themselves into other forms, such as birds and tigers. In
esigning the security infrastructure that will guard the gates
:';:
: :.7:'ii!gi~:~i{÷ :':k.':h':"
""
to
our
"
e m e r g i n g information infrastructure, it is i m p o r t a n t
that we look for similar flexibility. T h e Yaksha security system is a security technology [4, 5] capable of
reusing a single security infrastructure to p e r f o r m
various security f u n c t i o n s - - a u t h e n t i c a t i o n , key
exchange, digital signatures, and key escrow. This
article describes how the Yaksha security system can
be used for key escrow.
It is c o m m o n l y accepted that encrypted c o m m u n i cations and data storage make up an essential comp o n e n t of our e m e r g i n g information infrastructure.
Somewhat m o r e controversial is the concept that certain third p a r t i e s m o t h e r than those c o m m u n i c a t i n g
or storing information---may have a legitimate right.to
seek access to the information without the active
cooperation of the participants. Clearly, encrypting
information being c o m m u n i c a t e d or stored could
put the third parties at a significant disadvantage.
Techniques for providing secure communications
and storage with intentional b a c k d o o r s that allow
legitimate third parties access to the information fall
into the b r o a d category of what may be described as
key escrow systems• T h r o u g h o u t this article, we use the
t e r m authority synonymously with legitimate third party.
When the authority is the government and the participants are citizens, the entire concept is fairly controversial, as has been well documented in the pages of this
magazine [12] and other publications. In this context,
the system that dominates the discussion is the so-called
Escrow Encrypuon Standard or Clipper System [3]. An
COMMUNICATIONS
OF
THE
ACM
Mal°ch 1996/~,ot. 3,),
*~ No. 3
55
analogous (and in our opinion, less controversial) situation exists when the information is owned by an organization or corporation, the participants are employees, and
the third parties are legitimate organizational or corporate authorities. T h e term "corporate key escrow" is
loosely used to describe this situation.
Several key escrow systems have been proposed in recent years, and in this issue of Communications, Denning
and Branstad [3] present an excellent s u m m a r y and taxo n o m y of these various systems. Each of these systems
approaches the problem using a different underlying
technical approach, as well as from what can be described
as a different philosophical stance. T h e Yaksha system has
its own philosophical stance, beginning with a different set
o f assumptions about the requirements than m a n y of the
other systems. T h e article begins with a s u m m a r y of key
requirements driving the design of the system, provides
some necessary background, describes the general system,
shows example applications for telephony, email, and
data storage, and finally summarizes our conclusions.
Requirements
Two c o m m o n l y accepted requirements essentially define
key escrow systems:
• T h e system should provide an authority the ability to
access encrypted information without the cooperation
o f the participants.
• T h e "backdoor" inherent in the system should not be
usable by an unauthorized third party.
Although we view the requirements discussed in the tbllowing paragraphs as important, they are not necessarily
c o m m o n l y accepted.
Requirement: Authorities should have access only to shortterm session keys, not go long-term user secrets. [n most cryptographic systems, each user has a long-term private secret.
In public-key c r y p t o g r a p h y [10], this would be the user's
"private key." In a third-party authentication system [7],
this would be the long-term secret shared between the
user and the third-party server. For communications security, these long-term private secrets are typically used to
negotiate a short-lived session key that in turn is used for
encrypting a given session or conversation. I f a legitimate
authority seeks to eavesdrop on a conversation, one of two
things can happen:
• T h e key escrow system allows the authority to discover
the user's long-term private secret, t h r o u g h which the
authority can learn the session key for a given conversation and proceed to eavesdrop.
• T h e key escrow system allows the authority to recover
the session key for a particular conversation, but not the
long-term private secret. T h e authority can still eavesd r o p successfully, but the long-term private secret is
sale.
Key escrow systems should be designed a r o u n d the latter
approach o f revealing only short-lived session keys. We
believe this is important for several reasons:
• Since the long-term private secret is never revealed to
anyone, it can be reused ~or other functions, such as
S~
March 1996/Vol.39, No. 3 ~ O I 4 M I ~ W l C A ' r l O N I O i l T i l l A C M
digital signatures. In systems in which an authority can
access this long-term secret, reusing the long-term private secret to generate digital signatures gives the authority the power to forge signatures.
• Revealing only session keys, in o u r opinion, provides a
finer level of granularity of control. For instance, in
such systems, one could implement such policies as:
T h e authority can eavesdrop on all o f J o h n Doe's conversations, except those he has with his wife or lawyer;
or T h e corporation can decrypt all of J o h n Doe's files
saved between March 1994 and September 1994, but
not files saved before or after those dates. To our mind,
escrow systems represent a compromise between an
individual's right to privacy and an authority's right to
eavesdrop. Revealing session k e y s - - a s opposed to longterm private secrets--provides m o r e opportunities for
compromise.
• T h e compromise is not permanent. T h a t is, in systems
in which long-term private secrets ave revealed, the
compromise o f the user's secret is permanent. At some
point, the user must get a new private key, or if the key
is e m b e d d e d in a chip in a cellular phone, a new chip.
O n the other hand, revealing session keys does not compromise the long-term integrity o f the p e r m a n e n t secret. So, once the period o f "legal eavesdropping" is
over, the user does not have to be issued a new private
secret.
We note, however, that delivery of session keys to an authority requires the escrow server to be on-line. But we
are not suggesting that the escrow agent inspect the contents o f any messages; in a practical system, it is unlikely
that the agent would have any access to the actual message
stream, and the agent's participation would be limited to
playing a role in setting up the parameters for a session.
While the justification for this requirement is g r o u n d e d
in a debatable philosophical stance, the next requirement
is based on something m o r e c o n c r e t e - - m o n e y .
Requirement: It is ve*~y desirable that the key escrow system
reuse the security infrastructure necessary for other secu,rity fu, nclions, such as key exchange, digital signatures, and authentication.
In theory, it is possible there could be distinct security
infrastructures for different security functions. Examples
include long-term private secrets to:
• Authenticate yourself (prove your identity) to a bank
teller machine;
• Sign a document;
• Perform key exchange for encrypting conversations;
and
• Mlow you to participate in a key escrow system.
T h e problem with such all a r r a n g e m e n t is cost. Each o f
these separate keys has an associated infrastructure for
generating keys, resetting keys when needed, revoking
keys, and so on. From a user perspective, it may well be
the case that the distinct infi-astructures translate into distinct keys to r e m e m b e r or n u m e r o u s smartcards to carry.
Finally, quite apart from cost, multiple systems increase
complexity, which significantly affects the ability to maintain the desired security functionality.
The
Requirement: A key escrow system should be implementable
in either hardware or software, should apply to both computer
communications and telephony, and should be usable both for
citizen-government and for employee-organization situations so it
has universal applicability.
This requirement is important for two reasons:
• As we discussed, reusing security infrastructures is beneficial, and it may not be cost-effective to have multiple
infrastructures for different types of key escrow.
• T h e r e is a clear convergence between telephony and
c o m p u t e r communications, and it will become increasingly impractical to treat these situations differently;
there is little logic, for instance, in treating voice conversations differently from on-line chat.
Is it possible to design a system that meets all these requirements? We believe the answer is yes, and this article
describes one system that attempts to meet most of them.
Yaksha
T h e Yaksha system is based on a variant of the RSA [9]
public-key cryptosystem. In public-key cryptography,
each user has a long-term private secret key and an associated public key. In the RSA system, the private key of user
Alice is a n u m b e r d(, and her public key is a pair of numbers (ea,na). Similarly, user Bob has a private key db and a
public key (et,,nt,). To encrypt a message M, Alice would
typically use some encryption function E and a session key
k to compute a ciphertext C = E(M,k). To send the message to Bob, she would further encrypt the session key k
using Bob's public key and a function known as m o d u l a r
exponentiation, that is K = U ~' m o d nb. She would then
send Bob (C,K). Bob would first recover k using his private
key, that is k = K db mod rib, and can then decrypt the message using a decryption function D, that is M = D(C,k).
In this scenario, Alice and Bob are using a shared session key k for encrypting communications. Recovering M
from C without knowledge ofk will be very difficult. Such
systems, sometimes known as conventional, or single-key,
cryptography, are very efficient c o m p a r e d to public-key
cryptography. T h e Data Encryption Standard (DES) [10]
is a widely used example. Alice and Bob are, however,
using public-key cryptography to exchange the shared
session key. In o u r example, Alice encrypts the session key
with Bob's public key and sends it to him. Due to the
properties inherent in public-key cryptography, recovering k from K requires knowledge of Bob's private key,
which only he knows.
This system achieves privacy using the conventional
cryptosystem and key exchange using a public key cryptosystem. How does an authority eavesdrop? One approach
would be to split Bob's private key into multiple pieces at
key-generation time and escrow it with multiple agencies.
U p o n getting legal sanction, the authority would collect
the pieces, recreate Bob's private key, and then use it to
recover the session key k. As discussed earlier, at this point
Bob's private key is no longer private. T h e approach Yaksha uses focuses on revealing the session key k to the authority, thus achieving the authority's objective without
compromising the user's long-term private key.
At the heart of our system is an on-line security server,
Yakllha
security
Sysl
henceforth called the Yaksha server, which interacts ~
users to perform various functions. Each user has a ld]
term private secret no one else, including the Y a k s h a
server, knows or can ever reconstruct. This is truly a privaie secret. T h e Yaksha server maintains for each user (or
entity) another long-term private secret. This secret is
known only to the Yaksha server and is never disclosed to
anyone, including the user or authorities. T h e Yaksha
server then interacts with users to perform a n u m b e r of
security functions:
• Providing credentials to authenticate users to other entities;
• Creating j o i n t digital signatures;
• Exchanging session keys in a secure fashion; and
• Acting as a key escrow agent.
This system, which uses a variant of the RSA system,
works as follows: as in the RSA system, user Alice has, as
her public key the pair (e,,,na). Unlike the traditional RSA
system, however, the Yaksha system uses two distinct private keys--Alice's private key, denoted by d,a, and the
Yaksha server's corresponding key for Alice, d e n o t e d by
day. These two new private keys are related to the original
RSA private key da by the mathematical relation d(,, ×
day = d(~ m o d na. For a more complete discussion of this
variant and its security properties, please see [ 1,4, 5]. This
simple, yet powerful, primitive can be used in a variety of
complex ways.
In the Yaksha system, each user i has his or her own
private key dii, and the Yaksha server maintains a corresponding diy. T h e system can now perform several security functions:
Digital Signatures. Ganesan and Yacobi [5] show how
the user can interact with the server to sign a message M.
Namely, user Alice performs S 1 = M (l'' mod na and sends
S1 to the Yaksha server. T h e Yaksha server uses d(,y to
complete the signature, that is S = Sld"y mod na. Now S is
Alice's signature on message M and is indistinguishable
from a regular RSA signature. Such a system is of practical
importance because by using an on-line server for each
signature, we have instant revocation in case a user's private secret is compromised, have a central place to maintain audit trails, and can also (subject to certain restrictions) allow the user's private portion da(, to be a short
memorizable password. T h e last function is critical to implementing digital signatures in an era when smartcards
and smartcard readers are not yet ubiquitous. In [5], it is
mathematically proven that breaking this system is equivalent to breaking RSA, even in the presence of an active
adversary. It is also shown that neither the user nor the
server can use knowledge of its private key to determine
the private key of the other party; hence the degree of
trust in the server is minimized. See [5] for more details.
Authentication. Several authentication protocols are
possible using the Yaksha system; we will not describe any
in detail here. T h e interested r e a d e r is referred to
Ganesan [4], which shows how the Yaksha server can be
integrated into the Kerberos [8] third-party authentication system to remove some of the greatest weaknesses of
the latter.
JILl
UNIC.A'I'IONIli OP TII!
A|N
March 1996/VoL39, No. 3
S
Key
E x c h a n g e . T h e key e x c h a n g e system we describe
h e r e is chosen to m a k e key escrow possible. W h e n Alice
wishes to c o m m u n i c a t e in private with Bob, she first uses
the Yaksha system to n e g o t i a t e a s h a r e d session key. She
does this by s e n d i n g a message to the Yaksha server, exp r e s s i n g h e r desire to c o m m u n i c a t e with Bob. T h e Yaksha
server g e n e r a t e s a r a n d o m session key k a n d c o m p u t e s
C, = k (l'~'×~" m u d na a n d Ct) = k d~'×~ m u d no. It sends Ca to
Alice a n d Cb to Bob. Alice recovers k using h e r own private
key d(,,, that is k = C(,~l"' m u d n(,. Similarly, Bob w o u l d recover k = Ci,a~'~'m u d no. At this point, Alice a n d Bob have
the session key k, a n d the Yaksha server would d e s t r o y its
copy o f the session key, p r e s u m a b l y inside the safe confines o f a t a m p e r - r e s i s t a n t chip. F o r reasons o f brevity, we
gloss o v e r the fact that in practice k w o u l d be e n c o d e d as
p a r t o f a message with a definite s t r u c t u r e a n d a n u m b e r
o f o t h e r attributes, such as the time stamp. This fact has an
i m p o r t a n t implication: W h e n Alice successfully recovers k
from C~,, she has p r o o f that Ca was i n d e e d sent by the
Yaksha server.
Key
Escrow. At the e n d o f the key e x c h a n g e protocol,
the Yaksha server, which g e n e r a t e d the session key, is in a
position to p r o v i d e this key to an authority. This ability
forms the basis by which Yaksha can be used as an escrow
system. Observe, however, that u n d e r no circumstances
can the Yaksha server c o m p r o m i s e the user's l o n g - t e r m
private secret, b e c a u s e the Yaksha server does n o t know
this secret. M o r e details a r e p r o v i d e d in the n e x t section.
In practice, these protocols would be significantly embellished. F o r instance, it is critical that the session key k
he e n c o d e d in a d a t a s t r u c t u r e with p r e d i c t a b l e structure.
It is also likely that the message s t r u c t u r e s will contain
time stamps. We note, however, that the t r a d i t i o n a l n o t i o n
o f public-key certificates [6], which p r o v i d e a m e c h a n i s m
for a u s e r to retrieve a n o t h e r user's public key in a secure
tashion, is c o m p l e m e n t a r y to Yaksha a n d would be used
as p a r t o f the Yaksha system.
Using Yaksha for Key Escrow
T h e following p a r a g r a p h s describe how t h r e e very different key escrow p r o b l e m s can be solved using the s a m e
Yaksha i n f r a s t r u c t u r e . Because o u r goal is to illustrate the
concepts, we do not describe several details, some o f
which have significant security implications.
Telephony
O u r first e x a m p l e is t e l e p h o n y . Since in this m o d e l b o t h
parties a r e on-line at the s a m e time, the key e x c h a n g e
p r o t o c o l d e s c r i b e d previously can be used exactly as
stated. Alice indicates to the Yaksha server a desire for
secure c o m m u n i c a t i o n s with Bob. T h e Yaksha server distributes C,, to Alice a n d Cb to Bob, who each r e c o v e r k a n d
use it for e n c r y p t i n g the conversation. In practice, the
transaction would be t r a n s p a r e n t to the user, who might,
tor instance, simply pick up the p h o n e , dial *007 a n d t h e n
Bob's n u m b e r , a n d n e v e r notice a n y t h i n g else. T h e key
e x c h a n g e a n d o t h e r o p e r a t i o n s would be h a n d l e d as p a r t
o f call set-up, a n d the Yaksha s e r v e r would he j u s t o n e
m o r e o f the m a n y intelligent c o m p u t e r s now a t t a c h e d to
the p h o n e n e t w o r k to p r o v i d e special services.
$8
March 1996/Vol. gg, No. 3 ~ u ~ a r ~ N s
~
Tm acM
W h e n an a u t h o r i t y wishes to tap a p h o n e line, a r e q u e s t
R is signed a n d sent to the Yaksha server• I f it is d e s i r e d
that m u l t i p l e authorities m u s t c o o p e r a t e to tap a line, we
can r e q u i r e that R be s i g n e d by m u l t i p l e authorities. Observe that the authorities a r e themselves p a r t o f the Yaksha system. Each a u t h o r i t y has its own private key dAl, dA2,
. . . . a n d the Yaksha server keeps a c o r r e s p o n d i n g dAly,
dA2y . . . .
C o r r e s p o n d i n g public keys (eAt,IrA l), ( e A 2 , / ' / A 2 ) ,
• . . exist in t h e system. So it, for instance, certain types o f
taps r e q u i r e the signatures o f a u t h o r i t i e s A 1 a n d A2, the
r e q u e s t sent to the Yaksha s e r v e r can be o f the f o r m (R d~'
m o d nA 1)aA~ rood 7/.A2.T h e Yaksha s e r v e r can a u t h e n t i c a t e
a n d r e c o v e r the r e q u e s t using dA ly, dA2y. . . . a n d the corres p o n d i n g public keys (CAl,nAl), (eA2,nA2) • . . T h e r e q u e s t R
can take on several forms, so, for instance, it may o r d e r
the Yaksha s e r v e r to p r o v i d e session keys for all f u t u r e
conversations Alice carries out, o r it m a y ask for only certain types o f conversations. T h e key p o i n t to note is that
the d e s i g n p r o v i d e s t r e m e n d o u s flexibility, so a wide variety o f u n d e r l y i n g policies can be i m p l e m e n t e d . F u r t h e r ,
the policies can be c h a n g e d easily without h u g e c h a n g e s to
the system. F o r instance, if public policy were to c h a n g e to
r e q u i r i n g four c o o p e r a t i n g a u t h o r i t i e s instead o f two, o r if
the identities o f the a u t h o r i t i e s s h o u l d change, m i n o r
changes to the system p a r a m e t e r s achieve the goal. T h e
fact that c h a n g e s can be m a d e easily m a y n o t be o f g r e a t
theoretical interest, b u t as is often o b s e r v e d in practice, it
is on such m u n d a n e issues as ease o f ability to c h a n g e that
the security o f systems rests.
It is w o r t h o b s e r v i n g that a p a r t o f the system r e q u i r e s
Bob's t e l e p h o n e to r e c o v e r k f r o m Ct, in a fashion t h a t
e n s u r e s p r o o f that Cb was g e n e r a t e d by the Yaksha server.
T h i s observation m e a n s it is possible to p r e v e n t a d i s h o n est (trying to c h e a t the key escrow system) Alice from carr y i n g o u t a secure c o n v e r s a t i o n with an h o n e s t (playing by
the rules) Bob.
Email
We chose email as o u r next e x a m p l e b e c a u s e it has a fund a m e n t a l s t r u c t u r a l difference f r o m t h e p r e v i o u s e x a m p l e
in the r e q u i r e m e n t s , n a m e l y that the u n d e r l y i n g messaging is o f a s t o r e - a n d - f o r w a r d n a t u r e in which the s e n d e r
a n d receiver a r e not b o t h on-line at the s a m e time. C u r r e n t systems [6] for secure email a r e g e n e r a l l y b a s e d on
having t h e s e n d e r , say Alice, s e n d i n g the receiver, say
Bob, the following construct:
{E(M,k), k e~' m u d n~, S, Alice'sCertificate}
T h e c o n s t r u c t has f o u r pieces:
• T h e message M is e n c r y p t e d with a session key k g e n e r a t e d by Alice.
• T h e session key k is e n c r y p t e d with Bob's public key
eb,nb. O n receiving the message, Bob will use his p r i v a t e
key db to r e c o v e r this session key k a n d will then use k to
r e c o v e r 34 from E(M,k).
• Next, a hash, o r f i n g e r p r i n t , H(M), o f the message is
signed by Alice to g e n e r a t e h e r s i g n a t u r e S, t h a t is S =
(H(M)) (l" m u d ha. T h e hash of the message is used in lieu
o f the message itself for reasons, o f efficiency.
• Finally, Alice's certificate (which is simply h e r public
key, in t u r n signed by a universal a u t h o r i t y ) is enclosed.
Tho
Bob can retrieve Alice's public key from her certificate
a n d use it to verify h e r signature o n the hash.
I n k e e p i n g with o u r g e n e r a l policy of i n t e g r a t i n g Yaksha
with existing systems (see [4], where Yaksha is a d d e d to
Kerberos) as o p p o s e d to creating a fresh system from
scratch, we a t t e m p t to reuse these constructs to the e x t e n t
possible. We see the system w o r k i n g as fbllows:
• Alice sends the Yaksha server S1 = H(M) 4. a n d indicates that the i n t e n d e d recipient is Bob.
• T h e Yaksha server c o m p u t e s S = Sla'~~ m o d na a n d replies to Alice with the message S, kd,,Ce. m o d na, kd* x~',
m o d nt, T h e first p o r t i o n is simply the completed RSA
signature for Mice o n the message M. T h e second portion is decrypted by Mice using da~ to recover k. Alice
will use this k to e n c r y p t the message M, that is E(M,k).
T h e third p o r t i o n is sent o n to Bob by Alice without
modification.
• So the message Alice sends Bob is: {E(M,k),ka~~×~', m o d
½,S,Alice'sCertificate}. Except for the second field, this is
exactly equivalent to the construct Mice would have sent
Bob in a non-Yaksha system.
• W h e n Bob receives this message, he verifies Alice's sign a t u r e exactly as in a non-Yaksha system, b u t to recover
the session key k he uses dbb, that is k = (kdt~xet' mo d no)dl'l'
m o d rib.
Since the Yaksha server has the session key k, the actual
escrow process is identical to that described in the telephony example. Some a d d e d benefits to this system are that
it is now possible to make each user's private l o n g - t e r m
secret
dii a fairly short, memorizable password; see [4] for
m o r e details. F r o m the s t a n d p o i n t of message structure,
the new system is identical to the existing standards [10].
I n fact, it is worth observing that interoperability between
Yaksha a n d non-Yaksha systems is relatively easy. If Bob is
n o t a part of the system, his c o r r e s p o n d i n g Yaksha key dt~
is simply set to one. Bob will not notice the difference, a n d
the escrow will still work. We reiterate that we are glossing
over some details essential to secure functioning; for instance, the hash sent by Alice to the Yaksha server should
have some specific structure so that the Yaksha server can
authenticate Alice before r e s p o n d i n g .
Encrypted File Storage
As with c o m m u n i c a t i o n s , it is b e c o m i n g increasingly necessary to provide c o m p u t e r users with access to e n c r y p t e d
files or data storage, a n d escrow m e c h a n i s m s are needed.
I n addition to the usual reasons for a n authority to be able
to retrieve this data without the user's cooperation, m o r e
o r d i n a r y reasons, like access to a critical file in a co-worker's absence, also come into play. Using Yaksha to meet
this r e q u i r e m e n t is fairly straightforward; one can think of
countless variations. We describe o n e such possibility,
which assumes the existence of a file server process that is
a n entity i n d e p e n d e n t of the user. T h e system works as
follows:
• Alice sends the Yaksha server the n a m e of the e n c r y p t e d
file server F where she wants to store the file.
• T h e Yaksha server sends Mice a storage key k e n c r y p t e d
Ynkghn
Socui,
ity
with the Yaksha server's key for the file se
k d*~xeF m o d
II F .
• Alice sends the file server the file a n d th
storage key; note Alice does n o t know the . . . . . s~ ,,~y• T h e file server recovers the storage key using its own
private key dFr , encrypts the file with the storage key k,
a n d stores the e n c r y p t e d file E(File,k) a n d the e n c r y p t e d
storage key k d'~×e~ m o d n r.
• W h e n Alice wants the file, she simply sends it a signed
a n d time-stamped request Q, which she signs by interacting with the Yaksha server. T h e file server can verify
the signature o n the request, recover k from E l'~×'' m o d
nF, decrypt the file, a n d send it to Alice.
• W h e n a n authority wants a file, the authority interacts
with the Yaksha server a n d sends a duly signed request
R to the file server. T h e file server uses the public key(s)
of the authority(ies) to verify the signature o n the request, recover the session key, decrypt the file, a n d send
it to the authority.
T h e basic idea is that the file server will only e n c r y p t files
u s i n g a key it gets from Yaksha. It t h e n stores this key in
a n e n c o d e d form with the file itself. Note that in practice
such a system would have provisions for m u t u a l authentication a n d e n c r y p t e d c o m m u n i c a t i o n s between the users
a n d the file servers, a n d most likely would require a
signed hash of the file also be stored. All of these functions
can be achieved by r e u s i n g the Yaksha infrastructure.
Observe that we require the file server process to have a
l o n g - t e r m private secret key dFr , which it must keep in
persistent storage. We anticipate that in a practical system,
this key a n d the functions p e r f o r m e d with it will h a p p e n
inside the safe confines of a tamper-resistant chip. Using a
tamper-resistant chip is n o t particularly onerous, especially since we do n o t r e q u i r e the storage key for each file
to be stored inside the chip. Several variations on this
t h e m e are possible.
Conclusions
T h e Yaksha system requires the presence of an on-line
server. I n the c u r r e n t climate of cheap a n d ubiquitous
c o m m u n i c a t i o n s , this is (in almost all cases) not a problem.
I n telephony, for example, on-line servers that provide
intelligent services are already ubiquitous. Also consider
that today, most credit-card transactions result in access to
r e m o t e c o m p u t e r systems. T h u s , a s s u m i n g the existence
of a n on-line service seems to be reasonable; we also ass u m e that the Yaksha server itself will be m a i n t a i n e d in a
secure fashion. We expect the use of tamper-resistant
chips to play a significant role here. For instance, we expect that the Yaksha server's portions of user keys div will
be e n c r y p t e d u s i n g some sort of master key, which veould
itself always be stored inside a tamper-resistant chip, a n d
that all the functions p e r f o r m e d will h a p p e n inside this
chip. Given that today's technology allows for systems
where every user has a tamper-resistant chip, we do not
believe it is too o n e r o u s for a few servers to have such
chips.
T h e question t h e n arises: Can colluding cheaters defeat
the Yaksha key escrow system? T h e answer is yes; we do
n o t know of any key escrow system that d e t e r m i n e d colCOMMUNICATION| ~
THE ACM March 1996/Vol.39, No. 3
$9
CALL FOR PAPERS
N
Third IEEE International'Symposium on
Requirements Engineering
J a n u a r y 5-8, 1997 * Annapolis, Maryland, USA
The ! 997 symposium will be held in four exquisite 18th-century
inns clustered in the beautiful colonial seaport of Annapolis on
the scenic shores of Chesapeake Bay. It will bring together
researchers and practitioners for an exchange of ideas and
experiences, The program will consist of invited talks, paper
presentations, panels, tutorials, working groups, demonstrations,
and a doctoral consortium. The program will also include a
parallel industrial track with presentations on industry problems
and experiences, transferable technology, and commercial tools.
Papers describing original research in requirements engineering
are invited. Symposium organizers extend a special invitation for
paper submission and participation to researchers and practitioners working in high assuranee, safety-critical and missioncritical systems, and formal approaches to requirements.
Authors should submit six (6) copies of each full paper (no
email or FAX) to the Program Chair. Papers must not exceed
6000 words and must be accompanied by full contact information including name, address, email address, and telephone and
FAX numbers. Authors should also submit the title, abstract, and
classifications of each paper by email to the Program Chair a
month before the paper is due along with full contact information. All papers must be classified according to the symposium
classification scheme. For a full call for papers, including the
classification scheme, contact the Program Chair, use anonymous
FTP from cs.toronto.edu (/dist/ISRE97/CFP), or see the WWW
page at http://www.itd,nrl.navy.mil/conf/lSRE97. Developers or
researchers wishing to present in the industrial track should
submit an abstract to the Industrial Chair. Students interested in
presenting at the doctoral consortium should send an extended
abstract to the Doctoral Consortium Chair by Sept. 15, 1996.
IMPORTANT
April 1, 1996:
May 1, 1996:
July 1, 1996:
September 1,
DATES:
Title, abstract, and classifications due
Full papers, industry abstracts due
Notification of acceptance
1996: Camera-ready copy due
FOR MORE INFORMATION, CONTACT:
Connie Heitmeyer, General Chair
Code 5546, Naval Research Lab, Wash., DC 20375
(202) 767-3596; heitmeyer@itd.nrl.navy.mil
John Mylopoulos, Program Chair
Dept. Computer Sci., Univ. of Toronto, 6 King's College
Rd., Rm 283, Toronto, Ontario Canada M5S 3H5
(416) 978-5180; fax (416) 978-1455
jm @ cs.toronto.edu
Stuart Faulk, Industrial Chair
Kaman Sciences; (202) 404-6292
faulk@itd.nrl.navy.mil
Myla Archer, Doctoral Consortium Chair
Naval Research Lab; (202) 404-6304
archer @itd.nrl.navy.mil
Sponsored by
~
1"-,lIEEE
L,,OMPUTER
SOCIETY
~0YEARS OF SERVICE * 1 9 ~ 6-1 9 9 6
4 ~
IEI~E
l u d i n g cheaters c a n n o t defeat. T h e i n t e n t here, as in similar systems, is to m a k e it difficult to cheat. We believe this
issue is probably a dd r e ssab l e at the level o f d e t e c t i n g
c h e a t i n g a nd d e n y i n g service to cheaters. T h i s is practical
in m a n y situations, a l t h o u g h an e x p l a n a t i o n o f the techniques is b e y o n d the scope o f this article.
T h e system we describe can be used f or m a n y d i f f e r e n t
p r o b l e m d o m a i n s , such as secure transmission o f movies
o r software b e t w e e n i n f o r m a t i o n p r o v i d e r s an d set-top
boxes in users' homes. T h e key p o i n t in o u r m i n d is that
the Yaksha system is a single versatile security infrastructure that can be r e u s e d for m y r i a d security functions.
While n o t e m p h a s i z e d today, the security in f ra s tr uc ture s
that will thrive in the f u t u r e will h a v e the attribute o f
b e i n g reusable.
Finally, we reiterate that flexibility is the single most
i m p o r t a n t factor in a key escrow system. Successful key
escrow systems r e p r e s e n t a c o m p r o m i s e b e t w e e n an individual's rights a nd an a u t h o r i t y ' s right to know. T h e Yaksha system p r o v i d e s a flexible alternative that can be
a d a p t e d to m a n y situations.
Acknowledgment
I w o u l d like to t ha nk D o r o t h y D e n n i n g for h a n d l i n g this
article for this special section a n d for h e r c o n t i n u i n g interest in this work.
References
1. Boyd, C. Digital Multisignatures, Cryptographyand Coding. Clarendon Press, Oxford, 1989. H.J. Beker and F.C. Piper, Eds.
2. Denning, D. To tap or not to tap. Commun. ACM 36, 3 (Mar.
1993).
3. Denning, D., and Branstad, D. A taxonomy for key-escrow
encryption systems. Connmun. ACM 39, 3 (Mar. 1996).
4. Ganesan, R. Yaksha: Augmenting Kerberos with public-key
cryptography. In Proceedings of the Internet Society Symposium
on Network and Distributed Systems Security, (Feb.) 1995.
5. Ganesan, R., and Yacobi, Y. A secure joint signature and key
exchange system. Bellcore TM-24531, Oct. 1994.
6. Kent, S. Privacy Enhancement for Internet Electronic Mail:
Part II: Certificate Based Key Management, Internet RFC
1422, Feb. 1993.
7. Needham, R.M., and Schroeder, M.D. Using encryption for
authentication in large networks of computers. Commun.
ACM 21, I2 (Dec. 1978).
8. Neuman, B.C., and Ts'o, T. Kerberos: An authentication service for computer networks. IEEE Commun. (Sept. 1994).
9. Rivest, R., Shamir, A., and Adelman, L. On digital signatures
and public-key cryptography. Commun. ACM 27, 7 (July
1978).
10. Schneier, B. Applied Cuptography: Protocols, Algorithms and
Source Code in C. Wiley, New York, 1994.
About the Author:
RAVI GANESAN is Vice President for Information Technology
at Bell Atlantic and is with The Johns Hopkins University. Author's Present Address: Bell Atlantic, 1320 North Courthouse
Road, Arlington, VA 22304; email: ravi.ganesan@bell-atl.com
IEEE ComputerSocietyTC on Software Engineering
In cooperation with
ACM SIGSOFT,IFIPWG 2.9 (SoftwareRequirements)
6Q
March1996/Vo1.39,No. 3 C O M M , U l a ~ . A 1 t l O l ~
¢HUM
~M
©ACM 0002-0782/96/0300 $3.50