[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Another Clipper weakness
Perry asks about the 30-bit serial number.
Actually, it appears that the unit key UK is a function of the serial
number plus the two 80-bit random numbers input by the escrow agents
when the chips are programmed. This would prevent an easy guessing
attack as long as these random numbers S1 and S2 are unknown.
The one problem is that S1 and S2 are not changed for each chip, but are
rather kept the same in programming a batch of about 300 chips. Then
they are supposed to be destroyed.
The potential weakness is that if someone managed to keep a copy of the S1
and S2 values which were used to program all clipper chips (only about 3000
such values for a million chips), then Perry's suggested attack could work.
This would be few enough bits that the unit key could be guessed.
Those who are asked to judge the safety of the system will presumably pay
careful attention to the measures used to insure that S1 and S2 are not
saved. I don't know how they'll check for NSA micro-cameras in the vault
ceiling, though...
Hal