## A Serious Problem for Key Escrow Schemes?

### by Yongfei Han

Institute of Systems Science

National University of Singapore

*Correspondence is invited on the following problem, posed by Yongfei
Han.*

Suppose users A and B observe regulations and submit their private keys
to the key escrow agents for escrow (No matter how they generate the keys).

Then A and B distribute their session key (SK1) encrypted under that
private, escrowed key. If law enforcement agencies want to read the
messages between A and B, the agencies retrieve the private key from
the key escrow agents to obtain SK1, then decrypt the message.

Suppose A uses SK1 to encrypt a session key (SK2) in terms of a public
agreement and then sends the encrypted SK2 to B, who decrypts it again.
A and B start to communicate using SK2 to encrypt messages.

The method can be continued until A and B use SKn-1 to encrypt SKn and
from now on use SKn to encrypt messages to each other.

If law enforcement agencies intercept messages between A and B when A
and B have used SKn to encrypt them (n>2), how can those agencies
decrypt that traffic? To obtain SKn, they need SK1, SK2, ..., SKn-1.
But they cannot get the set of keys SKi (1*
Key escrow schemes must sort out this problem; otherwise they will
not be able to prevent criminals from using "legal means" to achieve
secret communication.
*

*The author would like to thank the editor for polishing the English.*