The official PGP user's guide
Communications of the ACM
The risks of key recovery, key escrow, and trusted third-party encryption
World Wide Web Journal - Special issue: Web security: a matter of trust
Escrow Encryption Systems Visited: Attacks, Analysis and Designs
CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
On the difficulty of software key escrow
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Binding ElGamal: a fraud-detectable alternative to key-escrow proposals
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Securing traceability of ciphertexts: towards a secure software key escrow system
EUROCRYPT'95 Proceedings of the 14th annual international conference on Theory and application of cryptographic techniques
A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
An Analysis of Integrity Services in Protocols
INDOCRYPT '01 Proceedings of the Second International Conference on Cryptology in India: Progress in Cryptology
On the Difficulty of Key Recovery Systems
ISW '99 Proceedings of the Second International Workshop on Information Security
New Key Recovery in WAKE Protocol
PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Privacy-enhanced Key Recovery in mobile communication environments
The Journal of Supercomputing
| Hi-index | 0.00 |
Fraud detection for software key recovery schemes means that, without knowing the session key, a third party can verify whether the correct session key could be recovered. This concept and a construction by so-called binding data was introduced by Verheul et al. at Eurocrypt '97 to provide for dishonest users that make simple modifications to messages, e.g., delete the key recovery information, and manipulate the recipient's software such that it decrypts messages even if the key recovery information is incorrect.We show how to break their general construction within their model, in particular without using any other encryption system or any pre-established shared secrets.We conclude that the concept of binding data does not improve the security of software key recovery but illustrates once more its fundamental problem: it does not improve an authorized third party's ability to eavesdrop on serious criminals.