RSA Laboratories

7.12 What is key recovery?

One of the barriers to the widespread use of encryption in certain contexts is the fact that when a key is somehow ``lost'', any data encrypted with that key becomes unusable. Key recovery is a general term encompassing the numerous ways of permitting ``emergency access'' to encrypted data.

One common way to perform key recovery, called key escrow, is to split a decryption key (typically a secret key or an RSA private key) into one or several parts and distribute these parts to escrow agents or ``trustees''. In an emergency situation (exactly what defines an ``emergency situation'' is context-dependent), these trustees can use their ``shares'' of the keys either to reconstruct the missing key or simply to decrypt encrypted communications directly. This method was used by Security Dynamics' RSA SecurPC product.

Another recovery method, called key encapsulation, is to encrypt data in a communication with a ``session key'' (which varies from communication to communication) and to encrypt that session key with a trustee's public key. The encrypted session key is sent with the encrypted communication, and so the trustee is able to decrypt the communication when necessary. A variant of this method, in which the session key is split into several pieces, each encrypted with a different trustee's public key, is used by TIS' RecoverKey.

Dorothy Denning and Dennis Branstad have written a survey of key recovery methods [DB96].

Key recovery first gained notoriety as a potential work-around to the United States Government's policies on exporting ``strong'' cryptography.To make a long story short, the Government agreed to permit the export of systems employing strong cryptography as long as a key recovery method that permits the Government to read encrypted communications (under appropriate circumstances) was incorporated. For the Government's purposes, then, ``emergency access'' can be viewed as a way of ensuring that the Government has access to the plaintext of communications it is interested in, rather than as a way of ensuring that communications can be decrypted even if the required key is lost.

Key recovery can also be performed on keys other than decryption keys. For example, a user's private signing key might be recovered. From a security point of view, however, the rationale for recovering a signing key is generally less compelling than that for recovering a decryption key; the recovery of a signing key by a third party might nullify non-repudiation.

Top of the page