Re: SKIPJACK Replacement

Jeffrey Walton wrote:
Paul Rubin wrote:
Jeffrey Walton writes:
Are there any replacements for SKIPJACK? Preferably with 128 bits of
security.  Though I'm not a fan of key escrow, I find a need on
occasion (when someone requests the functionality).

That's a misunderstanding of Skipjack, which is a fairly boring block
cipher.  It doesn't have any particular key escrow features.  Key escrow
was a feature of the Clipper and Fortezza chips, that implemented
Skipjack.  Maybe what you're really asking is whether there's a replacement
for the Clipper chip.  The answer is no, at least not in that form.

Thanks. Personally, I never used SKIPJACK, though I know (thought?)
it was an integral part of an escrow/recovery system.

Paul has it right: Skipjack is just a block cipher. The cipher was
part of a key escrow system, but that doesn't make key escrow part of
the cipher.

No particular examples come to mind. On occasion, someone will express
concern that they would like to read an employee/user/contractor's
encrypted data on an organization's device. The same folks usually like
to know there is something with a governmental stamp of approval.

As Peter suggested, I've used Shamir's secret sharing in a 2 of 3
scheme (where the software itself is a share owner).

Where the software itself is a share owner? I'm not sure what that
means, but it doesn't sound like anything good.

If you just want "the organization" to be able to read messages among
its employees, the basic shape of a solution is pretty simple. The
organization holds a key pair and publishes the public key. To escrow
some key, simply encrypt it under the organization's public key and
disclose that ciphertext.

In the crypto literature you can find more sophisticated variants. In
particular, employees can prove that the key in use is properly
escrowed, so that the organization can verify compliance without going
so far as to recover keys or decrypt messages. I don't know what the
current state of the art is, but for a start look up Silvio Micali's
"fair cryptosystem".

--Bryan Olson