Copy Link
Add to Bookmark
Report
NuKE Issue 06-012
================================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "Clipper Chip : New Government Standard? -N
E- or New Government Joke?" Nu
-N uK
Nu By KE
uK NuKE Supporters E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% New Government Standard or Joke? %
Since the beginning of the new year, we have been waiting to hear from NIST
if it will decide whether DES will remain as the standard encryption method
used by federal agencies.
The computer industry would like NIST to adopt the RSA technology, but that
is not likely to happen. One reason; if RSA, a privately developed technology,
becomes the new standard, the government will have to pay royalties for its
use. And _even_ more important, the NSA does not want the government to back
RSA encryption system. Why?
"The NSA dislikes our system because its too hard to break!"
"They clearly don't like what we do, but we're succeeding in spite of that."
Are quoted statements explained by James Bidzos, president of RSA Data Security.
And frankly, this is very true. RSA has been developed in the 1978, more that
15 years ago! After so many years of resisting Public-Key encryption systems,
the government _finally_ endorsed one as a new National Standard!
Unlike RSA, however, the government's DSA (Digital Signature Algorithm) depends
on a single government-issue _prime number_. Where's the trust? I stated this
in the previous info-journal, that the NSA would _never_ introduce an encryption
system that is unbreakable, by them! The `Clipper Chip' uses the known to exist
government's DSA system.
What the government is saying is this: "Take a P! Not any P! this P!" (Read
Article concerning RSA to understand RSA public-key algorithms) What good is it
if we are `tricked' to use a P (prime number(s)) that the government issues? It
only means that the government (NSA) wants the cipher to be, perhaps,
unbreakable to the average public. But if NSA wishes to un-cipher your cipher,
and you are using this government standard, it can _easily_ do so with easy.
Its not that you don't trust anybody, its that you don't trust everybody. And
`everybody' includes the government! Why should we let the government get the
upper hand, again! We got exploited the first time with DES, and now its trying
to do the exact same all over again.
% Clipper Released %
I take into grant that everybody has read the document on the Clipper Chip,
that was release by The White House, office of the press secretary. If not; you
may obtain a copy by calling up a NuKE-NeT system and looking through old
messages posted in the General message base. Or you can get the file via an
anonymous file transfer (ftp site) from csrc.ncsl.nist.gov in directory
/pub/nistnews and via the NIST Computer Security BBS at 301-948-5717.
A copyrighted article in the Friday May 7th, 1993 `Washington Post' describes
a letter sent to President Clinton by 30+ major electronics companies and trade
associations, expressing their concern about the Clipper chip. The article
describes what the Clipper chip is, and explains that it was developed to allow
encryption of voice and fax with a method for law enforcement to listen in when
authorized. It summarizes the key aspects of the chip, and says:
Since the White House proposed the plan three weeks ago, many in the
computer and communications industries have responded with scepticism.
Critics wonder how good the secret government technology really would
be and worry that agencies might abuse it to tap calls without court
orders.
A NIST spokesman said they haven't read the letter yet, but commented that
Clinton has made it clear he wants industry participation.
Signers of the letter include IBM, AT&T, Lotus, Microsoft, McCaw Cellular and
MCI, as well as the ACLU. The article notes the apparent conflict between
AT&T signing the letter and its stated intention to use the chip. AT&T response
was that they're just seeking clarification and do not oppose Clipper.
Lets take into grant on the structure of Clipper and DES. DES differential
cryptanalysis give you an 2^56 (56 bit key) rippling back through 16 stages.
Clipper is said to use 32 rounds, where the key is extended to 2^80 (80 bits).
Current personal computer desktop allows forced attacks of up to 2^50. This
means that 2^80 for brute force key search is clearly unpractical for a few
years to come.
When DES was named as the standard 20 years ago, we clearly knew that the
algorithms relied more on the S-boxes structure than on the key input. Enabling
NSA to have a `backdoor' on DES, and the upper-hand in crypto technology.
Clearly whatever computer power the NSA had 20 years ago, is surely _more_
power or equal power to what most desktop computers can do today. So surely,
an 80 bit key can be easily broken via brute force attacks in perhaps the next
1-2 following years. But does the NSA contain an advantage that can `instantly'
decipher the cipher code? If it depends on the government's DSA issue prime
numbers, certainly that power exists. The movies `Sneakers' hints this issue,
and we regard it as SciFi, fiction, entertainment purposes only! Look deeper,
a lot deeper, isn't it hinting this theory exactly?
I leave you with a technical summary of the Clipper Chip by Dorothy Denning,
and a EFF analysis of the proposed Clipper Chip. Theses articles are
distributed along the `As-is' basis, as that is how they were both publicly
posted inside Internet Newsgroups. (sci.crypt)
% The Clipper Chip : A Technical Summary %
Newsgroups: sci.crypt
Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY
Date: 19 Apr 93 18:23:27 -0400
Distribution: world
Organization: Georgetown University
The following document summarizes the Clipper Chip, how it is used,
how programming of the chip is coupled to key generation and the
escrow process, and how law enforcement decrypts communications.
Since there has been some speculation on this news group about my
own involvement in this project, I'd like to add that I was not in
any way involved. I found out about it when the FBI briefed me on
Thursday evening, April 15. Since then I have spent considerable
time talking with the NSA and FBI to learn more about this, and I
attended the NIST briefing at the Department of Commerce on April
16.
The document below is the result of that effort.
Dorothy Denning
---------------
THE CLIPPER CHIP: A TECHNICAL SUMMARY
Dorothy Denning
April 19, 1993
INTRODUCTION
On April 16, the President announced a new initiative that will
bring together the Federal Government and industry in a voluntary
program to provide secure communications while meeting the
legitimate needs of law enforcement. At the heart of the plan is
a new tamper-proof encryption chip called the "Clipper Chip"
together with a split-key approach to escrowing keys. Two escrow
agencies are used, and the key parts from both are needed to
reconstruct a key.
CHIP STRUCTURE
The Clipper Chip contains a classified 64-bit block encryption
algorithm called "Skipjack." The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES). It supports all 4 DES modes of
operation. Throughput is 16 Mbits a second.
Each chip includes the following components:
the Skipjack encryption algorithm
F, an 80-bit family key that is common to all chips
N, a 30-bit serial number
U, an 80-bit secret key that unlocks all messages encrypted with
the chip
ENCRYPTING WITH THE CHIP
To see how the chip is used, imagine that it is embedded in the
AT&T telephone security device (as it will be). Suppose I call
someone and we both have such a device. After pushing a button to
start a secure conversation, my security device will negotiate a
session key K with the device at the other end (in general, any
method of key exchange can be used). The key K and message stream
M (i.e., digitized voice) are then fed into the Clipper Chip to
produce two values:
E[M; K], the encrypted message stream, and
E[E[K; U] + N; F], a law enforcement block.
The law enforcement block thus contains the session key K encrypted
under the unit key U concatenated with the serial number N, all
encrypted under the family key F.
CHIP PROGRAMMING AND ESCROW
All Clipper Chips are programmed inside a SCIF (secure computer
information facility), which is essentially a vault. The SCIF
contains a laptop computer and equipment to program the chips.
About 300 chips are programmed during a single session. The SCIF
is located at Mikotronx.
At the beginning of a session, a trusted agent from each of the two
key escrow agencies enters the vault. Agent 1 enters an 80-bit
value S1 into the laptop and agent 2 enters an 80-bit value S2.
These values serve as seeds to generate keys for a sequence of
serial numbers.
To generate the unit key for a serial number N, the 30-bit value N
is first padded with a fixed 34-bit block to produce a 64-bit block
N1. S1 and S2 are then used as keys to triple-encrypt N1, producing
a64-bit block R1:
R1 = E[D[E[N1; S1]; S2]; S1] .
Similarly, N is padded with two other 34-bit blocks to produce N2
and N3, and two additional 64-bit blocks R2 and R3 are computed:
R2 = E[D[E[N2; S1]; S2]; S1]
R3 = E[D[E[N3; S1]; S2]; S1] .
R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2. The
rest are discarded. The unit key U is the XOR of U1 and U2. U1
and U2 are the key parts that are separately escrowed with the two
escrow agencies.
As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks. The first disk contains
afile for each serial number that contains the corresponding key
part U1. The second disk is similar but contains the U2 values.
The third disk contains the unit keys U. Agent 1 takes the first
disk and agent 2 takes the second disk. The third disk is used to
program the chips. After the chips are programmed, all information
is discarded from the vault and the agents leave. The laptop may
be destroyed for additional assurance that no information is left
behind.
The protocol may be changed slightly so that four people are in the
room instead of two. The first two would provide the seeds S1 and
S2, and the second two (the escrow agents) would take the disks
back to the escrow agencies.
The escrow agencies have as yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency. One or
both may be independent from the government.
LAW ENFORCEMENT USE
When law enforcement has been authorized to tap an encrypted line,
they will first take the warrant to the service provider in order
to get access to the communications line. Let us assume that the
tap is in place and that they have determined that the line is
encrypted with Clipper. They will first decrypt the law
enforcement block with the family key F. This gives them E[K; U]
+ N. They will then take a warrant identifying the chip serial
number N to each of the key escrow agents and get back U1 and U2.
U1 and U2 are XORed together to produce the unit key U, and E[K; U]
is decrypted to get the session key K. Finally the message stream
is decrypted. All this will be accomplished through a special
black box decoder operated by the FBI.
ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. All information is based
on information provided by NSA, NIST, and the FBI. Permission to
distribute this document is granted.
-------------------------------------------------------------------------------
% EFF Analysis of the Clipper Chip %
April 16, 1993
INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY
PROPOSAL
The Clinton Administration today made a major announcement
on cryptography policy which will effect the privacy and security of
millions of Americans. The first part of the plan is to begin a
comprehensive inquiry into major communications privacy issues
such as export controls which have effectively denied most people
easy access to robust encryption as well as law enforcement issues
posed by new technology.
However, EFF is very concerned that the Administration has
already reached a conclusion on one critical part of the inquiry, before
any public comment or discussion has been allowed. Apparently, the
Administration is going to use its leverage to get all telephone
equipment vendors to adopt a voice encryption standard developed
by the National Security Agency. The so-called "Clipper Chip" is an
80-bit, split key escrowed encryption scheme which will be built into
chips manufactured by a military contractor. Two separate escrow
agents would store users' keys, and be required to turn them over
law enforcement upon presentation of a valid warrant. The
encryption scheme used is to be classified, but they chips will be
available to any manufacturer for incorporation into their
communications products.
This proposal raises a number of serious concerns .
First, the Administration appears to be adopting a solution
before conducting an inquiry. The NSA-developed Clipper chip may
not be the most secure product. Other vendors or developers may
have better schemes. Furthermore, we should not rely on the
government as the sole source for Clipper or any other chips. Rather,
independent chip manufacturers should be able to produce chipsets
based on open standards.
Second, an algorithm can not be trusted unless it can be tested.
Yet the Administration proposes to keep the chip algorithm
classified. EFF believes that any standard adopted ought to be public
and open. The public will only have confidence in the security of a
standard that is open to independent, expert scrutiny.
Third, while the use of the split-key, dual-escrowed
system may prove to be a reasonable balance between privacy and
law enforcement needs, the details of this scheme must be explored
publicly before it is adopted. What will give people confidence in the
safety of their keys? Does disclosure of keys to a third party waive
individual's fifth amendment rights in subsequent criminal
inquiries?
In sum, the Administration has shown great sensitivity to the
importance of these issues by planning a comprehensive inquiry into
digital privacy and security. However, the "Clipper chip" solution
ought to be considered as part of the inquiry, not be adopted before
the discussion even begins.
DETAILS OF THE PROPOSAL:
ESCROW
The 80-bit key will be divided between two escrow agents, each of
whom hold 40 bits of each key. Upon presentation of a valid
warrant, the two escrow agents would have to turn the key parts
over to law enforcement agents. Most likely the Attorney General
will be asked to identify appropriate escrow agents. Some in the
Administration have suggested one non-law enforcement federal
agency, perhaps the Federal Reserve, and one non-governmental
organization. But, there is no agreement on the identity of the agents
yet.
Key registration would be done by the manufacturer of the
communications device. A key is tied to the device, not to the person
using it.
CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS
The Administration claims that there are no back door means by
which the government or others could break the code without
securing keys from the escrow agents and that the President will
be told there are no back doors to this classified algorithm. In order
to prove this, Administration sources are interested in arranging for
an all-star crypto cracker team to come in, under a security
arrangement, and examine the algorithm for trap doors. The results
of the investigation would then be made public.
GOVERNMENT AS MARKET DRIVER
In order to get a market moving, and to show that the government
believes in the security of this system, the feds will be the first big
customers for this product. Users will include the FBI, Secret Service,
VP Al Gore, and maybe even the President.
FROM MORE INFORMATION CONTACT:
Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel
Internet Address: eff@eff.org
===============================================================================
