Would an encryption scheme that generates an extra key to be securely stored offsite be a safe backdoor?

In addition to the points mentioned by Lucas Kauffman I would elaborate on point two:

2. This algorithm generates one extra unique decryption key when used. This key is then sent via a secure channel (i.e. HTTPS or equivalent) to an NGO with the sole duty of guarding these keys. As soon as the tool gets confirmation that it is delivered, the tool securely deletes this key.

What would stop someone from implementing the algorithm but omitting the part where the second key gets sent to the NGO? Such an implementation would still output the normal key, making it completely compatible with other users of the cryptosystem.

The only way to do this would be to make the algorithm closed source and safeguard its implementation from reverse engineering through intense obfuscation. But nobody in the security community who isn't completely out of their mind would ever trust an algorithm which isn't open to public peer review.

Also keep in mind that the people law enforcement wants to find are those who are already breaking the law. Criminals would have no qualms about encrypting their information with any of the other cryptosystems which are currently available, even when doing so is declared illegal. Unless, of course, the punishment for using non-government-approved encryption software is just as harsh as the punishment for terrorism, murder or abuse of a minor, but that would be hard to justify IMO.

That means you would create an expensive key escrow infrastructure and put a legal shackle on millions of citizens and companies regarding the software they are allowed to use without affecting any of the people you actually want to affect.


Would an encryption scheme that generates an extra key to be securely stored offsite be a safe backdoor?

No. Simply no. A backdoor is never considered safe.

What you are describing is commonly known as a key escrow.

Note that there have been issues with key escrows:

On a national level, this is controversial in many countries due to technical mistrust of the security of the escrow arrangement (due to a long history of less than adequate protection of others' information by assorted organizations, public and private, even when the information is held only under an affirmative legal obligation to protect it from unauthorized access), and to a mistrust of the entire system even if it functions as designed. Thus far, no key escrow system has been designed which meets both objections and nearly all have failed to meet even one.

As per your statement:

  1. A new algorithm is developed with security equal to the current standards. In effect, the algorithm that replaces AES would be just as hard to crack as AES if you do not know the key.

Unless the algorithm has extensively been under scrutiny from the cryptographic community or several independent knowledgeable parties (read: proper academic cryptographers with extensive experience in creating and validating cryptography) this is a very bold statement.

  2. This algorithm generates one extra unique decryption key when used. This key is then sent via a secure channel (i.e. HTTPS or equivalent) to an NGO with the sole duty of guarding these keys. As soon as the tool gets confirmation that it is delivered, the tool securely deletes this key. The key is always different and strong enough that brute-forcing is not feasible. In addition, the encryption software will require a usable connection to the NGO via internet when the encryption is started to ensure that the key can be sent.

Why would you use HTTPS to send the key, rather than encrypting the key with the NGO's public key? I would use an additional step where the key is encrypted prior to transmitting it over HTTPS.

  3. Once the key arrives, it is stored in an offline, airgapped database that can only be accessed in a single room with rigorous safety. In addition, the database and the machine it is located on have tamper protection, similar to tamper protection on bank transports: any access that's out of the ordinary, like too many requests within a certain period or too many faulty requests, and the machine gets wiped.

Unless you are properly storing this in a specially designed HSM this does not seem sufficient. This protection mechanism might not be enough in case a person removes hard drives or uses a direct memory attack (in case you are running a regular server).

  4. When a legitimate law enforcement organization has need of a key to decrypt, it sends a formal request to the NGO. The NGO first analyzes the request based on the importance of the request. The NGO allows decryption when the suspect is strongly incriminated by other evidence, and only in the case of terrorism, murder or abuse of a minor (which are probably the only widely accepted reasons for public opinion).

Someone who will willingly use a known backdoored algorithm and then commit a crime, using the algorithm to protect their secret, is not really smart.

  5. If the NGO allows decryption, a trusted employee of the NGO goes to the room the database is accessible from and downloads the key on a read-only medium with similar tamper protection as the database. This medium is then handed over to the law enforcement organization that originally requested it. At this point, normal law enforcement will take over.

This is the biggest issue with key escrows. The trust part is very important and the pitfall of most escrows. The trusted party should definitely be more than one person. A single person should under no circumstances be able to access the key; a multi-eye mechanism of at least 3 to 5 people should be in place.

Suggested Reading:

"Key Escrow from a Safe Distance" -- Matt Blaze
"What is the difference between Key Escrow and a Recovery Agent?" -- Security Stack Exchange
"The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption" -- Schneier, et al.
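As an added illustration of the multi-eye release rule in the answer above (example code written for this page, not from the answer or from any of the suggested reading): Shamir's secret sharing lets the escrow agent split a stored key so that any 3 of 5 custodians together can reconstruct it while any 2 learn nothing. The 16-byte key, the 3-of-5 policy and the field prime are assumptions made for this example.

```python
"""Threshold release of an escrowed key via Shamir's secret sharing.

Constructed example: the escrowed key is 16 bytes and release requires a
quorum of any 3 of 5 custodians. Arithmetic is over GF(P), P = 2**521 - 1
(a Mersenne prime), so any key of up to 64 bytes fits in one field element.
"""
import secrets

P = 2**521 - 1  # assumed field prime; must exceed the largest key integer


def _eval_poly(coeffs, x):
    # Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo P
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, k: int, n: int):
    """Return n (x, y) shares of key; any k of them reconstruct it."""
    secret = int.from_bytes(key, "big")
    if not (1 < k <= n < P and secret < P):
        raise ValueError("bad threshold, share count or key size")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(shares) -> int:
    """Lagrange interpolation of the polynomial at x = 0 (the secret)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def release_key(presented, k: int, key_len: int) -> bytes:
    """Reconstruct the key only when at least k custodians present shares."""
    if len(presented) < k:
        raise PermissionError(f"quorum not met: {len(presented)} of {k} custodians")
    return _interpolate_at_zero(presented[:k]).to_bytes(key_len, "big")
```

Shares are held by different people, so no single custodian (and no single compromised workstation) holds enough to recover the escrowed key.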


I think that the word combo "Safe Backdoor" needs medical attention ;) There's NO "GOOD NGO" and NO UNCORRUPTED GOVERNMENTS - Ed Snowden proved it in depth and in full. The answer to this question is an old official Apple statement, that said: "it's technically impossible to create a key that will work only in the hands of good guys and in rightful situations".