Key Escrow with Tree-Based Access Structure
Martin Schaffer and Peter Schartner
University of Klagenfurt, Austria, Computer Science · System Security
{m.schaffer, p.schartner}@syssec.at
Abstract. In this paper we propose a system in which a set of people is
able to confidentially communicate using a common session key. Due to
required governmental surveillance properties, this key will be escrowed
using a multi-party version of the ElGamal cryptosystem. The resulting
shares of the ciphertext are stored over a set of trusted servers to provide
availability and to hamper ciphertext-based attacks. Using a particular
tree-based multi-party decryption, the session key can be reconstructed
by a tree-structured set of escrow agencies without reconstructing the
private ElGamal key and the ciphertext.
1 Introduction
When people are monitored, their human rights are often protected neither by the government nor by other (private) organisations. Given this, it is very useful to store the monitored information confidentially. With the help of key escrow
we are able to archive the corresponding key at a trusted third party. In this
simple consideration we quickly find several problems. Firstly, we do not want to
trust one single party that is able to recover the key. As a matter of fact, many
solutions provide well defined access structures to the escrowed key (e.g. secret
splitting/sharing or software solutions). Secondly, the escrow agencies require
the availability of the database in which the key is stored. If we simply build
redundant memories, this problem can be solved, but what happens if the access
structure has been compromised? Another problem arises, if a communication
process, such as a conferencing phone call between several instances, has to be
monitored. For efficiency reasons only one key might have been generated in a
fair way among users, but who is responsible for escrowing it?
The proposed key escrow system fulfils the following requirements:
- Fair distributed (tree-structured) generation of a private key d.
- Fair distributed generation of a session key k.
- Multi-party ElGamal encryption of k to provide its confidentiality.
- Distributed storage of the ciphertext (c1 and shares of c2) to provide availability, to avoid unauthorized encryption if d has been compromised and to hamper several ciphertext-based attacks.
- Tree-structured multi-party ElGamal decryption over c1 and shares of c2.
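The following Python sketch is an added illustration of the algebra behind these requirements and is not the paper's construction: the private key d exists only as additive shares held by the escrow agencies, c2 is stored as multiplicative shares on the ciphertext servers, and recovery of k combines partial decryptions c1^d_i with the c2 shares. The paper's tree-structured combination is not reproduced (a single combiner is used), and the group parameters, share counts and session key are constructed toy values.

```python
import secrets

# Constructed toy group: Mersenne prime p = 2^127 - 1 and g = 3. Real systems use a
# standardised safe-prime or elliptic-curve group; only the algebra is illustrated here.
P = (1 << 127) - 1
G = 3

def distributed_keygen(n):
    # Agency i keeps d_i secret; y = prod(g^d_i) = g^d, so d = sum(d_i) is never assembled.
    shares = [secrets.randbelow(P - 1) for _ in range(n)]
    y = 1
    for d_i in shares:
        y = y * pow(G, d_i, P) % P
    return shares, y

def encrypt_session_key(k, y):
    # Plain ElGamal: c1 = g^r, c2 = k * y^r (mod p).
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), k * pow(y, r, P) % P

def split_c2(c2, m):
    # Multiplicative m-of-m sharing of c2 for the ciphertext servers: c2 = prod(c2_j) mod p,
    # so no single server stores the ciphertext and a leaked d alone does not recover k.
    parts = [secrets.randbelow(P - 1) + 1 for _ in range(m - 1)]
    acc = 1
    for x in parts:
        acc = acc * x % P
    return parts + [c2 * pow(acc, -1, P) % P]

def partial_decrypt(c1, d_i):
    # Agency i reveals only c1^d_i; the product over all agencies equals c1^d = y^r.
    return pow(c1, d_i, P)

def combine(c2_shares, partials):
    # k = prod(c2_j) * (prod(c1^d_i))^-1 mod p. d is never reconstructed; the paper's
    # tree-structured combination (not reproduced) additionally keeps c2 from being formed.
    num, den = 1, 1
    for s in c2_shares:
        num = num * s % P
    for t in partials:
        den = den * t % P
    return num * pow(den, -1, P) % P

def escrow_roundtrip(n_agencies=3, m_servers=4):
    # End-to-end: distributed keygen, escrow of k, recovery from shares; returns (k, recovered).
    d_shares, y = distributed_keygen(n_agencies)
    k = secrets.randbelow(P - 1) + 1  # constructed session key
    c1, c2 = encrypt_session_key(k, y)
    partials = [partial_decrypt(c1, d_i) for d_i in d_shares]
    return k, combine(split_c2(c2, m_servers), partials)
```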
The proposed system consists of a set P of l monitored instances who generate and encrypt a common session key k for a confidential teleconference using multi-party ElGamal encryption. Furthermore, a set S of m ciphertext-servers exists
V. Gorodetsky, I. Kotenko, and V. Skormin (Eds.): MMM-ACNS 2005, LNCS 3685, pp. 454-459, 2005.