by Jake Wengroff
Crypto is considered a bearer asset — anyone who holds the private key owns it. This has naturally caused headaches for those interested in buying, storing and trading their crypto assets: As crypto moves through various wallets, exchanges and platforms, there is a risk that cybercriminals can find a way to gain unlawful access and steal investors’ credentials and private keys, even though they cannot hack the underlying blockchain or ledger.
Various “hot” and “cold” wallet options exist, but the idea of having a third party hold investors’ private keys has gained traction in recent years. Such key escrow solutions are actually nothing new, and it’s a good idea to revisit the background of such technologies to understand if they make a good fit in the new world of crypto assets.
Key Escrow: Encryption Held by a Third Party
Encryption keys held by a third party are common. Microsoft Windows, for example, has methods to encrypt entire drives with the option to have encryption keys automatically stored as part of an organization’s Active Directory infrastructure.
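As an added illustration (not part of the original article), the PowerShell below audits that kind of Windows escrow: it reports, for each BitLocker volume, whether its recovery password has a matching record in Active Directory. It assumes a domain-joined host, the RSAT ActiveDirectory module, and Group Policy that permits storing recovery information in AD DS; the function name and the -BackupMissing switch are hypothetical names chosen for this example.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker, ActiveDirectory
# Added example: report whether each BitLocker recovery password on this host
# is escrowed in AD DS. Assumes a domain-joined host and read access to the
# msFVE-RecoveryInformation objects under its own computer object.

function Get-BitLockerEscrowStatus {
    [CmdletBinding()]
    param(
        # Hypothetical switch for this example: escrow any protector found missing.
        [switch]$BackupMissing
    )

    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    # Escrowed recovery passwords are child objects of the computer object.
    # Only object names are read here; the recovery password is never fetched.
    $escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" |
        Select-Object -ExpandProperty Name)

    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($protectors.Count -eq 0) {
            # Nothing to escrow: the volume has no recovery password at all.
            [pscustomobject]@{ MountPoint = $vol.MountPoint
                KeyProtectorId = $null; Status = 'NoRecoveryPassword' }
            continue
        }
        foreach ($p in $protectors) {
            # AD names each object "<timestamp>{<protector GUID>}".
            $match = @($escrowed | Where-Object { $_ -like "*$($p.KeyProtectorId)*" })
            $status = if ($match.Count -gt 0) { 'Escrowed' } else { 'NotEscrowed' }
            if ($status -eq 'NotEscrowed' -and $BackupMissing) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'EscrowedNow'
            }
            [pscustomobject]@{ MountPoint = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId; Status = $status }
        }
    }
}

Get-BitLockerEscrowStatus | Format-Table -AutoSize
```

Whoever can read those directory objects can unlock the drive, so the permissions on them are part of what the escrow has to protect.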
It’s also important to note that there are two types of encryption: symmetric and asymmetric. In symmetric encryption, a single secret key does both the encrypting and the decrypting, so there is no separate public key and private key; they are one and the same. This might seem safer, but it’s often considered redundant, as the same level of risk exists whether an investor or organization is protecting two keys or one key in the same location.
This is why crypto assets are usually protected with asymmetric encryption. In this security model the public key is already distributed in several places, so there is no need to store it in any one place because it is already so accessible.
“But the private key, which is the one that does the decrypting, is the one that does the digital signatures — that’s the important one that nobody should have their hands on,” explains Professor Messer, a CompTIA Security+ certification provider. “It makes sense to get an additional copy of that decryption key and have it already as part of something that you are escrowing or storing away.”
Criticism of Key Escrow
The security of key escrow has been challenged by the IT community for some time. More than 20 years ago, public interest technologist Bruce Schneier pointed to the risks, and questioned the utility and potentially high cost of key escrow and “trusted third-party” encryption requirements.
“Increasing the number of people with authorized access to the critical infrastructure and to business data will increase the likelihood of an attack, whether through technical means, by exploitation of mistakes or through corruption,” noted Schneier in a 1998 paper titled “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption.”
Further, Schneier believed that the key recovery requirements could make encryption “cumbersome or expensive,” with the effect of “discouraging or delaying the deployment of cryptography in increasingly vulnerable computing and communications networks.”
The Need for a Market-Driven Solution to Storing Crypto Keys
While Schneier’s opinions were formed long before the birth of Bitcoin and cryptocurrencies, they do raise the issue of complexity and cost. Today’s crypto investors require security, but they also demand speed and accessibility. As such, solutions are needed to deliver privacy and safety without compromising the need to buy, sell and trade digital assets.
Buying and selling crypto via exchanges and storing them in wallets is fraught with risk. Again, once a cybercriminal obtains the crypto asset’s private key, that criminal becomes the presumed owner.
The industry needs market-driven solutions that can keep up with the ever-complex marketplace of crypto assets. TransitNet is creating the industry’s first third-party title registry that demonstrates proof of ownership of crypto assets, to add a layer of protection for investors in digital currencies, NFTs, and other crypto assets.
Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, Jake covers such topics as security, mobility, e-commerce and the Internet of Things.
Schneier on Security – The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption
ProfessorMesser.com – Key Escrow – CompTIA Security+ SY0-401: 6.1