by kurthr 2973 days ago
I do prefer the idea of storing it on paper... at least it's a little easier to lock up. Even a big camera will only take a few thousand pictures before it fills up, and physical access is a lot easier to enforce.

If we make 2 billion phones a year (Apple itself is just over 200M) and you have a line printer running full blast (66 lines = 1 page per sec) you could do Apple with one printer... and the world in 10. It would be a lot of boxes of paper though... about a box an hour.

edit: to be clear I was assuming that almost every dot in the matrix was a valid bit and there were 66 keys per page... 80 or even 132 columns at 7x5 wouldn't be enough for 4096 bits otherwise.

1 comments

impressive calculation for the per phone case!

but as I wrote, it's not necessary in Ozzie's scheme: Apple only needs to store the single private key. All the phones contain the same public key corresponding to it. All phones encrypt the user passcode to the same public key. When a user tries to unlock his own phone with his correct passcode, the phone encrypts his passcode and arrives at the same encrypted key, unlocking the phone. When the government seizes the phone, with a special device they have the phone show the encrypted pass code, dump the encrypted GBs of encrypted phone contents, and burn an irreversible efuse in the processor disabling it. They send the encrypted passcode to Apple, who verifies it's the government indeed. Apple uses its single private key to decrypt the user passcode. Apple sends this pass code to the government. The government can decrypt the image.

In the proposal there is no need for a massive database of key material. It's nonsense.

(in practice Apple would use threshold cryptography, so that at least k out of n private keys each belonging to specially trained and screened employees are necessary to decrypt)

(in practice each phone has a hardcoded random nonce in efuses and instead of encrypting the user passcode, it encrypts [passcode+nonce], otherwise the government could just brute-force 10^4 encryptions to the public key)

I am only saying that this can be done efficiently, not saying that I agree with the desirability of key escrow. This idea of key escrow is as old as cryptography.
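
The nonce point made in the comment above, as an added example that is not part of the thread: textbook RSA over a constructed toy modulus stands in for the deterministic encryption to the shared public key, and the code shows that a bare 4-digit passcode can be enumerated with the public key alone while passcode+nonce cannot. The key, the 128-bit nonce size, the bit layout and all function names are assumptions for illustration, not details of Ozzie's proposal.

```python
from __future__ import annotations
import secrets

# Toy textbook-RSA key standing in for the vendor's single escrow key pair.
# The modulus is built from two known Mersenne primes only to keep the example
# self-contained; it is NOT a secure key and not a parameter from the proposal.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the vendor

NONCE_BITS = 128         # assumed size of the per-phone efuse nonce
PASSCODE_SPACE = 10**4   # 4 decimal digits, as in the thread


def escrow_encrypt(passcode: int, nonce: int = 0) -> int:
    """Deterministic encryption of nonce||passcode to the shared public key."""
    m = (nonce << 14) | passcode     # 14 bits hold any value below 10**4
    return pow(m, E, N)


def escrow_decrypt(blob: int) -> tuple[int, int]:
    """Vendor side: recover (passcode, nonce) with the private key."""
    m = pow(blob, D, N)
    return m & (2**14 - 1), m >> 14


def enumerate_passcodes(blob: int) -> int | None:
    """Try every passcode using the public key only, assuming no nonce."""
    for guess in range(PASSCODE_SPACE):
        if escrow_encrypt(guess) == blob:
            return guess
    return None


def demo() -> dict:
    passcode = 4831                                   # constructed sample value
    nonce = secrets.randbits(NONCE_BITS) | 1 << (NONCE_BITS - 1)  # never zero
    bare = escrow_encrypt(passcode)                   # passcode alone
    salted = escrow_encrypt(passcode, nonce)          # passcode + efuse nonce
    return {
        "bare_recovered": enumerate_passcodes(bare),      # 10^4 tries succeed
        "salted_recovered": enumerate_passcodes(salted),  # same search fails
        "unlock_matches": escrow_encrypt(passcode, nonce) == salted,
        "vendor_decrypts": escrow_decrypt(salted) == (passcode, nonce),
    }


if __name__ == "__main__":
    print(demo())
```

The phone can still verify a passcode because it holds the nonce and re-encrypts to the same value, and the vendor recovers the passcode without ever storing the nonce.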

Totally agree that they only _need_ a single secure key and a BUNCH of insecure nonces. However, if I was forced to keep a key in escrow and wanted it to be secure I'd put a uniquely generated (lots of lava lamps?) key for every one on paper and force anyone who wanted to look them up to do it physically, in person, with paper. Out go the digital public keys, in stay the paper private keys in a well observed building full of a zillion boxes of paper. Most insecure part is still the key generator.

If the feds want to audit, they can... but everyone will see it on video, what boxes they opened, and what pages they (could have) looked at.

I'd hire some magicians for pen testing too.

edit: pi*10^7 sec in a year is a useful approximation

1) regarding BUNCH: the nonces are random and hence there will be as many as there are phones drawn from suitably large n-bit space, but Apple does not need a local copy of the nonces, if the government requests a decryption and Apple agrees, it will decrypt and find the user pass code and the irrelevant nonce.

2) "and force anyone who wanted to look them up to do it physically, in person, with paper" I don't understand your proposal? If the government wants to decrypt a phone, they should come to Apple in person with what paper? How do you ensure that everyone knows when a phone is audited? (Ozzie's proposal or what we read of it in the article does not address ensuring the populace finds out whenever a phone is decrypted). In your scenario the well observed building is operated by Apple or by the populace?

The idea is that each of the secret keys (not nonces) would be kept on paper in a well observed location, with only the public keys leaving. The building would be operated by whoever is responsible for generating the keys and showing that their keys aren't (hopefully yet) compromised. They could allow the public to observe and perhaps the boxes could be marked with the range of IMEIs/keys contained within. If the cops want to go in and get a key out of a box, they can get a warrant to do it but everyone can know which few hundred thousand phones have been compromised.

It doesn't completely prevent malfeasance... it just makes it a PITA.

suppose Apple owns the building:

* there is no advantage in having cops come over: either a secret is revealed or it is not. Any information to convince Apple concerning a specific case or phone could just as well be sent over the internet. Allowing them to enter looks like a serious threat vector to me, they could plant things, smuggle things out...

* Either Apple is faithfully reporting each count of the cops unlocking a phone, or it isn't. In the case of requesting over the internet the cops can't bring in devices to look through closed boxes or whatever.

* Is your fear rooted in a perceived sense of insecurity because of the small passcode (4 decimal digits) and the effect that would have on the security of the encrypted(passcode+nonce)? because that is exactly why the random nonce is there, in theory the user could select his own nonce and have it burned in efuse memory, but he would only be able to change the nonce a limited number of times. Then the user can roll as many dice as he wants and xor bits to smithereens ;)

but it all stays crap key escrow, it's just a big "Eureka!"-show trial balloon to gauge public acceptance, no?

The real risk is that whatever the key-holder thinks is air-gapped storage isn't and the whole lot is secretly lost to crackers, state sponsored or not... that's a lot harder to do with 1000 tons of paper.

The point is that even a dedicated party trying to keep the keys safe probably can't do it (for any length of time) on digital media.