[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: News Flash: Clipper Bug?



>Eli Brandt says:

>Its not pre-encryption. He's actually getting around the key escrow
>features and using Skipjack in a secure manner. Its very slick.

I've been saying it can be done for more than a year. I wrote a C model
of some operating code for the chip.  The clipper chip has save and restore
commands that are used to dump and restore the LR register (crypto state).
You keep your own LEAF and feed it back to the chip.  You take the initial
value of the LR register after IV generation and reload, it contains the
IV.  You exchange IVs with the distant end, who has also feed his own
LEAF back to his chip.  You have achieved crypto sync.

The save and restore commands are to allow a single cryptographic algorithm
embodiment to be used for two or more contexts - in the case of a duplex
communications channel - send and receive.

The question should really be how easy it is to subborn a clipper phone
unit.  The TSD 3600 is the only one available at this time.  You need to
be able to capture its programming, either by modifying ROM, exception
handling and additional ROM, etc.

I've been hesitant to buy a couple and try it for several reasons:

1) I'm not sure the key exchange is satisfactory, any TSD 3600 will talk
   to any other.

2) There might be anti-tamper features (re: FIPS Pub 140-1), causing loss
   of crypto variables (say for key exchange).  It might be possible the
   TSD won't operate it all if security features are tripped.  (unlikely,
   when you consider mechanical switches might bounce when one of these
   is thrown is a briefcase).

3) Its potentially a lot of work to capture the instruction stream.  If internal
   ROM is used in something, its probably security locked.  

I could think of a couple of ways to make it harder to break into the code
that operates a clipper chip.