This paper is about how to keep data for a finite time and then make it
unrecoverable after that. It is difficult to ensure that data is completely
destroyed. For data to remain available before expiration, it is desirable
to create backup copies. Absolute deletion then becomes difficult, because
even after the data is explicitly deleted, copies might remain on backup
media or in swap space, or be forensically recoverable. The obvious solution
is to store the data encrypted and then delete the key after expiration.
The key is somewhat easier to manage because it is smaller, but there is
still the issue of making the key reliably available for some time and then
reliably destroyed. It is difficult enough for a user to manage one key,
much less different keys for different data expiration times. The user
could keep each key on a tamper-proof smart card with no copies, but then
the data will be lost prematurely if the user loses the smart card. And
smart cards are expensive. So the idea in this paper is to concentrate all
the key management expense and expertise in one place, a server we call an
"ephemerizer". The ephemerizer creates keys, makes them available for
encryption, aids in decryption, and destroys the keys at the appropriate
time. The design in this paper ensures that even if a client's machine gets
compromised, and everything in stable storage (including long-term user
keys) is stolen, any data that has expired before the compromise remains
unrecoverable.
The paper starts with a description of an existing commercial scheme and
presents improvements to that scheme that eliminate the need for
per-message state. It then presents a new approach based on public keys:
first an initial design, and then a more efficient version using a new
concept, closely related to blind signatures, that we call "blind
decryption".
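
As an added illustration (not code from the paper), the sketch below shows one way blind decryption with an expiring server-held key can work, by analogy with RSA blind signatures. The abstract does not give the construction, so the textbook unpadded RSA, the `Ephemerizer` class, the helper names and the toy parameters are all assumptions.

```python
import math
import secrets

class Ephemerizer:
    """Hypothetical key server: keeps RSA private exponents until expiry."""
    def __init__(self):
        self._keys = {}  # key_id -> (n, d, expiry)

    def create_key(self, key_id, p, q, e, expiry):
        n = p * q
        d = pow(e, -1, (p - 1) * (q - 1))
        self._keys[key_id] = (n, d, expiry)
        return n, e  # public half, handed to clients

    def blind_decrypt(self, key_id, blinded, now):
        entry = self._keys.get(key_id)
        if entry is None or now >= entry[2]:
            self._keys.pop(key_id, None)  # destroy on or after expiry
            raise KeyError("key expired and destroyed")
        n, d, _ = entry
        return pow(blinded, d, n)  # server sees neither c nor m

def blind(c, n, e):
    """Client side: hide ciphertext c under a random factor r^e."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (c * pow(r, e, n)) % n, r

def unblind(answer, r, n):
    """Client side: the server returned m*r mod n; strip r to get m."""
    return (answer * pow(r, -1, n)) % n

def recover(eph, key_id, c, n, e, now):
    """One full exchange: blind, ask the ephemerizer, unblind."""
    blinded, r = blind(c, n, e)
    return unblind(eph.blind_decrypt(key_id, blinded, now), r, n)

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
SECRET = int.from_bytes(b"data key", "big")  # stands in for a data key

if __name__ == "__main__":
    eph = Ephemerizer()
    n, e = eph.create_key("k1", P, Q, E, expiry=100)
    c = pow(SECRET, e, n)  # stored alongside the encrypted data
    print(recover(eph, "k1", c, n, e, now=50) == SECRET)
```

Dropping a dictionary entry only models key destruction; a real server would need storage from which the private key cannot be recovered afterwards.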