"Phooey": a pre-eminent cryptographer responds to Ray Ozzie's key escrow system

I have a lot of respect for ex-Microsoft Chief Software Architect Ray Ozzie, but when I saw that he'd taken to promoting a Clipper-Chip-style key escrow system, I was disheartened — I'm a pretty keen observer of these proposals and have spent a lot of time having their problems explained to me by some of the world's leading cryptographers, and this one seemed like it had the same problems as all of those dead letters.

But Ozzie knows more about software engineering than I do, so I wondered if he'd made some kind of breakthrough that I wasn't grasping.


Johns Hopkins cryptographer Matthew Green (previously) has written a very long and thorough piece on the problems with Ozzie's proposal. The two highlights are:

1. This requires every phone manufacturer (including little ones overseas) to maintain perfect, eternal, literal physical vaults full of cryptographic keys that are of limitless value to every government and criminal syndicate in the world. That's the problem we have with Certificate Authorities, but unlike SSL keys, these keys could never be recalled or replaced. If that vault was ever breached, every phone whose keys was in it would be insecure, forever.

2. This also requires the creation of a secure coprocessor similar to the one Apple tried to make, and it, too, would have to last for, say, 100 years without a single vulnerability being discovered it (major, multiple vulns in Apple's Secure Vault were discovered in five years, and the company that found and weaponized the bugs had its sourcecode stolen and is being blackmailed for a king's ransom in Bitcoin at the moment). This processor doesn't exist and Ozzie has not provided any details on how you'd make one.

The tldr is that this Key Escrow system works fine, provided you have access to a perfect processor that no one knows how to make, and provided that hundreds of companies never, ever make a single physical security mistake, when they are being targeted by adversaries with (literally) hundreds of millions of dollars to throw at the problem — and they have to be error-free even after they go out of business.

So, once you have this perfect and eternal unobtanium in hand, you can do some pretty great stuff. But if you get any of this even the tiniest bit wrong, you visit catastrophe on millions or even billions of people. You can make things that work really well, if you don't care how they fail.

While this mainly concludes my notes about on Ozzie's proposal, I want to conclude this post with a side note, a response to something I routinely hear from folks in the law enforcement community. This is the criticism that cryptographers are a bunch of naysayers who aren't trying to solve "one of the most fundamental problems of our time", and are instead just rejecting the problem with lazy claims that it "can't work".

As a researcher, my response to this is: phooey.

Cryptographers — myself most definitely included — love to solve crazy problems. We do this all the time. You want us to deploy a new cryptocurrency? No problem! Want us to build a system that conducts a sugar-beet auction using advanced multiparty computation techniques? Awesome. We're there. No problem at all.

But there's crazy and there's crazy.

The reason so few of us are willing to bet on massive-scale key escrow systems is that we've thought about it and we don't think it will work.

A few thoughts on Ray Ozzie's "Clear" Proposal
[Matthew Green/A Few Thoughts on Cryptographic Engineering]