[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Faster way to deescrow Clipper



Sidney Markowitz writes:

> If that's the case, then 1) How does the second chip find out what the
> session key is? 
That's a separate protocol issue; Clipper doesn't do any key exchange
itself, though Capstone does.  Unless manufacturers are bullied/bribed into
using a standard implementation, everyone will probably roll their own.

> 2) Doesn't the second chip also have to generate and send a
> LEAF, if for no other reason than to identify itself to the wiretappers,
> and if so won't that give away the session key if that chip's device is not
> also hacked? 

If you use the same session key for both directions of the conversation,
which most Clipperphones probably will, then yes, it's true.
That means you can only have private conversations with other people who 
also care about privacy, which is somewhat appropriate.

On the other hand, a big use of Clipper is traffic analysis,
and Matt's method *will* prevent them from getting your Clipper
serial number from your conversations, though they'll get the number
for the other end if they're not also hacking LEAFs.
That can be a big win, especially if the other end is a well-known person,
like your local cellphone provider or [email protected].
However, one danger of doing this for cellphone calls is that they
might notice that calls from your cellphone keep having different LEAFs,
and suspect that you're a Potential Troublemaker.

3) If all that is needed for this hack is a LEAF with a proper
> checksum, why go through the brute force method of generating random LEAFs?
> Why not just buy (or steal or whatever) another Clippered device that you
> never use for real communication so the wiretappers have no record of who
> has that serial number, and get LEAFs from it?  For that matter, why can't
> you obtain one LEAF from listening to anybody's Clippered transmission and
> use it over and over again?

The LEAF depends on the IV for the session, which depends on the session key.
Therefore, it's probably different for each call; otherwise you *could*
just reuse someone else's LEAF.  (This should be obvious,
but I wasn't thinking about it when I first read Matt's paper,
though the "but the IV will be wrong so that won't work" had been
a sufficient distraction for many of us when CLipper first came out.)

Remember that they don't record Clipper chip keys when you buy your
Clipperphone - otherwise stealing one would be effective.
They record the chip-unique backdoor keys when they make the chip,
so they can tap *any* conversation they hear without needing to
keep track of who owns what phone.  

On the other hand, for cellphones, it's *real* easy to find out who
uses a given chip, since the phone call setup protocols tell them
what phone it's coming from, and they _can_ look that up with the
phone company, so they can easily do that correlation.  (If the Clipper
chips are socketed, you could always swap them for occasional 
more-paranoid-but-still-tappable calls, but that would probably just 
annoy them.)

			Bill