Overview


The widespread use of computers has led to increased accumulations 
of data, collected and stored in computer systems’ data bases and 
communicated from one computer system to another over exposed 
paths through potentially hostile environments.  These data often 
have value, which could be compromised if that data should become 
lost, or damaged, or exposed to an attacker who exploits it for 
his own purpose.  To combat these perceived threats to data, a 
FIPS for data encryption, known as the Data Encryption Standard 
(DES), was adopted.

Following the adoption of the DES as a federal standard, it was 
recognized that methods were needed to generate, store, and 
electronically distribute (DES) keys from one party (a sender) to 
another (a receiver).  However, the need to store and distribute 
keys within and between cryptographic systems also created 
additional opportunities for an adversary to perpetrate attacks 
and acquire the keys.  Hence, additional standards were adopted to 
provide adequate safeguards for the protection of keys during 
periods when these keys are processed by a cryptographic module 
(FIPS 140-1), or stored within the cryptographic system, or 
communicated from one cryptographic system to another.

In the past two decades, the use of encryption has grown steadily, 
and government’s dependence on encryption is certain to grow still 
further as computer applications rely more and more on the 
evolving Internet.  This dependence on encryption, has created a 
heightened concern that access to data could be denied in certain 
cases because keys may become lost or damaged, or that the 
encryption mechanism itself may be misused to prevent access to 
these data by those with a lawful right to do so.  The present Key 
Recovery Standard (KRS) addresses these concerns by providing a 
means for the recovery of keys used to encrypt data, in situations 
where access to these data is required.

The process of enabling key recovery differs from the more 
traditional process of key distribution, since with key 
distribution the parties are known in advance and these parties 
use a common distribution algorithm based on pre-arranged or pre-
established keys.  However, with key recovery, a party desirous of 
enabling key recovery will in most cases not know all the parties 
who may potentially need access to the encrypted data, and who may 
need to recover the key in order to access that data.  Even if all 
these potential parties could be identified, the number of such 
parties may be so large that separately wrapping the key under a 
unique key known to each of these parties would be prohibitive.  
And, it may also be the case that some of these parties do not 
have wrapping keys, or these keys if they exist may not be readily 
known to the party who is desirous of performing the wrapping 
operation.  Moreover, the key recovery process is further 
complicated by the fact that merely wrapping a key under the keys 
of all parties who may potentially need access to the encrypted 
data is insufficient, since this could potentially expose the key 
to parties who never need to access the data or to perform an 
actual key recovery.  There is, in fact, no possible way for one 
party to precisely know in advance the identities of precisely 
those parties, and only those parties, who will at some future 
time require access to the data encrypted with a key.

Currently, the only known practical method for enabling key 
recovery is by employing the services of a key recovery agent.  A 
user desirous of enabling key recovery, accomplishes this by 
encrypting the key, or a portion of a key, or some piece of 
information required in the regeneration of the key, under the 
public key of a key recovery agent.  This avoids the need for the 
user to know, in advance, the parties who may ultimately need 
access the data.  The process of enabling key recovery is 
therefore a process somewhat similar to key distribution except 
that key recovery (unlike key distribution) is facilitated through 
an intermediary called the key recovery agent.  And, key recovery 
uses different techniques for safeguarding the key.  With key 
distribution, additional protection measures can be provided by 
using ephemeral keys or Perfect Forward Secrecy.  However, key 
recovery agents are likely to employ keys that change only 
infrequently, and the number of key recovery agents will be much 
less than the number of users, thus increasing the risk of 
exposure of keys by an adversary who could successfully 
compromised the security of a key recovery agent.

The present KRS provides a number of safeguards to protect the key 
recovery information, and to make the key recovery process a 
secure one.  These include the specification of higher  security 
requirements on the key recovery agents, the use of dual control 
for accessing decrypted key recovery information, and for reducing 
the risk of exposed keys due to the compromise of one key recovery 
agent by making the key recovery process dependent on information 
provided by two or more key recovery agents.

The use of these safeguards is described in a guideline.