[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Clipper specifics



Mike Ingle <[email protected]> asked some penetrating questions
about Clipper function, that deserve to be brought up again:

>Technical question: from what I've read, Clipper is only a single-
>key system, basically an 80-bit super-DES. So when you hit the
>SECURE button on your AT&T ClipperPhone, how do the phones exchange
>session keys? DH exchange or something similar? Is this implemented
>in the Clipper chip itself, or in external hardware? 

The following is based on some very faintly remembered technical data
once circulated by D. Denning. I'd be appreciative if anyone can point
out where it is located or elaborate on my description below.

The Clipper chip does *not* implement key exchange. It is essentially
nothing but a low-level encryption device. I would like to see the
specifications that are supposedly available or will be soon (I got the
impression that E. Hughes got some kind of Clipper specifications at
one point, a long time ago). However, as I understand it the chip sends
out the law enforcement exploitation field (LEEF) (the beautifully
apropos term `exploitation' has now been replaced with Access) along
with the encrypted data to the chip pins. 

Now, two Clipper chips will *not* work in conjuction with each other
unless each is fed a valid LEEF from the other. However, since the chip
does not accomplish this function (the communication, that is; it does
*create* the field), and it is handled outside the chip, there is no
guarantee that the system designer does not, for example, encrypt the
LEEF in the communications transit, thereby completely sabotaging the
`exploitative' tappability of the chip.

Hence there is a *very* real possibility that this scheme, or something
similar, could be used to gain Skipjack-level encryption without any
key escrow complications. I suspect the NSA is *extremely* worried
about this. They probably require that the chip purchaser promise to
use Clipper in a way that guarantees the LEEF is accessable
(plaintext). They may even create a contractual obligation wherein the
surrounding device (telephone or whatever) cannot be approved for sale
until it passes an NSA endorsed tapping test. (what fun!) I consider
this all very plausible and probable. (This would be a neat trick --
use the chip itself to encrypt LEEF fields -- hah! twist an insecure
chip into a secure one, and spit in the face of the NSA!)

The NSA probably would rather *not* come out with a Clipper type chip
because of the above weakness. But this is the absolute lowest level
chip they can get away with. There are many applications that would
reject a more sophisticated chip -- Clipper is already expensive enough as it is.

However, the Capstone chip *does* have key exchange functions built in
-- it uses Diffie Hellman, apparently. And I consider it likely that
the LEAF field transfer cannot be thwarted in the above way. This is a
do-everything chip with exponentiation and the DSA algorithm built in.
All these sweet-looking contortions to support `public debate' on the
Clipper proposal are rather pathetic given that the Capstone has been
in development for many years. Is there really any chance that its
production would be derailed by some annoying public comments? I
certainly hope so, but it's not a pretty picture.

Note that early in the Clipper debate, D. Denning and others were vague
on the Capstone and Clipper key exchange function. That's because
Clipper didn't have it, and Capstone used Diffie Hellman. Now, as we
are so familiar with, PKP holds a iron-fisted, vice-lock grip on *all*
public key cryptography. The government is supposedly able to use the
patented technology without prior arrangement (I believe this is a
qualification of the NSF research grants that led to the patents?) but
the chips would still not be able to be used in *commercial*
arrangements (the whole point) without a PKP agreement. 

Hence, it was *absolutely critical* that the government get the
*official endorsement* of PKP and a legal arrangement to allow the use
of public key cryptography in the Capstone and Clipper arrangements.
The wretched announcement was just a matter of time -- what was so
surprising was that PKP also got awarded a new iron-fisted, vice-lock
grip on the Digital Signature Standard. Apparently, the incredibly
lucrative revenues from public key licensing on Clipper and Capstone
alone just didn't cut it.

Conspiracy theorists can easily believe that this outrageous, scheming
arrangement was made *far prior* to its actual announcement (June? I
forget), and there is a lot of circumstantial evidence to support this.
The NSA's goal with Clipper and Capstone was *commercial* from the
*very beginning* -- now *officially* confirmed as at least 3 years! --
and they would be first to make sure it wasn't thwarted by those pesky
patents everyone else has to break their shins on. In fact, going just
a bit further, there is a lot of circumstantial evidence that PKP is
very closely allied with the NSA in various ways. How is it one company
has gotten public key patents that were developed at two different
universities (Stanford & MIT) and diverse researchers (Diffie, Hellman,
Rivest, Shamir, Adleman)?! Why is the government so eager to grant them
a critical *new* cryptgraphic algorithm stranglehold with DSA?

[key exchange]
>Is the format
>standardized? If not, there will be plenty of interoperability
>problems with the first generation of phones. For that matter, there
>will probably be problems even if it is standardized.

About the only company ready for Clipper chips is AT&T, and I think
they are using Diffie Hellman key exchange currently with some
proprietary algorithms (they have a license on Public Key directly from
PKP already) in their secure phones. I suspect any companies that come
out with new phone encryption equipment based on Clipper, if any are
insane enough to exist, will try to be compatible with the AT&T
`standard' (ug). As far as I know AT&T has not published their own key
exchange standard used by the phones, however. That is, it is
proprietary, and might even be protected by patents of their own! This
is a rare occasion where incompatibility is something to beam about!