Master Key: A Clipper Story



                           MASTER KEY
                           ~~~~~~ ~~~

                         by Infocalypse
                      [email protected]

                       September 21, 2002

This file contains important information regarding the Skipjack
standard encryption system. Please read this file through before
coming to any conclusions. Please do not ask me who I am. I have 
no intention of revealing my identity.

I will start at the beginning. The Skipjack encryption system,
initially known as Clipper, was first publicly announced in mid-
1993. After an initial storm of controversy died down, escrow
agents were selected and the chip went into production in early
1994. Several major hardware vendors used Skipjack, and sales began
to accelerate in the third quarter of 1994 as business users
recognized the advantages of the convenient, inexpensive, and
highly secure system. By the first quarter of 1995, Mykotronx could
no longer keep up with the orders, and demand was still increasing
rapidly.

Several other electronics companies came forward, arguing that they
could manufacture Skipjack chips more cheaply than Mykotronx, in
larger volume, and with at least equal security. The NSA hesitated
to give more companies its classified algorithm, but at the same
time, they certainly did not want Skipjack to die from lack of
available hardware just as it was becoming a standard. After a
delay and threats of restraint-of-trade lawsuits, NIST released a
set of security requirements. Any company which met them could
receive the classified algorithm and make Skipjack chips. Numerous
companies jumped in immediately.

By Christmas 1995, the price of Skipjack chips had fallen sharply.
Secure telephones were rapidly becoming a consumer product, just as
the telecom companies started their Christmas advertising drive.
Remember these slogans?

"This Christmas, Give The Gift Of Privacy. AT&T Secure Telephones!"

"Motorola Secure Cellular Network. Because It's Nobody's Business 
 But Yours!"

The promotion worked - secure phones were the hottest-selling
product of the season. At the start of 1996, there was an installed
base of over ten million, with no end in sight. Companies were
making secure faxes, secure modems, secure LAN's, and secure
microwave systems. The long-awaited crypto revolution had begun,
and NSA was thrilled. Skipjack would soon be used for all types of
business communications as well as telephones - everything which
needed protection could be taken care of with a single solution.

At the time, I was a senior in college and working evenings for a
company which had just received its security clearance. I did not
have access to any classified data; my job was to operate and
maintain their front-end system, which took orders, kept track of
stock, etc. There was a separate, isolated LAN for the classified
work of designing and programming chips. The company tried to
follow all of the technical rules, but the people were hackers and
businesspeople, not spooks. And most security problems are people
problems.

My boss did have a security clearance. He was working late one
Friday on one of the classified machines used to write microcode.
When everyone else had left, he asked me to fix a problem with the
network. That was a violation of security, but I did know more
about networks than he did, and all the classified data was
supposed to be locked up for the weekend. The safe had a time lock,
which could not be opened until Monday.

My boss had made a mistake while he was logged in as root, and he
did an excellent job of hosing the file server. He was not supposed
to have the root password at all. He'd had an argument with his
supervisor about computer access. The supervisor refused to give
him the password, so he stole it. Now his ass was on the line - if
the file server wasn't fixed by the next morning, he was history.
He didn't exactly admit it all at once, but that's what happened.

We took a look at the damage, and began the long, slow job of
recreating the filesystems, reinstalling Unix, restoring the data
from backup tapes, and, most importantly, hiding the evidence. By
8 o'clock, we were both starved. I was doing most of the work - he
was watching, reading manuals, and sweating bullets - so he decided
to go for food.

While waiting for a backup tape to run, I opened the desk drawer
out of boredom, and - whoops! - there was a manual stamped SECRET.
Some programmer was using it to write the microcode for a new low-
power CMOS Skipjack chip, and he hadn't locked it up. After all,
this is a secure building. Nobody without a security clearance is
even allowed in this room, right? So what's the big deal? People
problems! I couldn't resist taking a look, and there was a complete
description of the Skipjack algorithm, among other things, with
each page marked SECRET at the top and bottom. I had about 20
minutes until my boss returned. There was a Xerox machine, warmed
up and ready to go, in the next room. What would you do?

So I stood there, turning pages and hitting the button, listening
to my heart pound, waiting for the click of the outer door as my
boss walked in. I wasn't hungry any more. If I heard that click, I
had just enough time to toss everything behind the copier, run back
to the workstation, and hope to put the manual back later.

But there was no click. By the time my boss returned with a pizza,
the copies were in my car and the manual was in the drawer. My
appetite returned with a vengeance as the adrenaline wore off. By
2 am, the machine was restored to normal. My boss shook my hand and
thanked me, and then I went home and passed out cold.

The next day, I woke up around noon and took a look at my loot. The
algorithm strongly resembles DES. It's a highly improved DES, of
course, but the structure is similar. It uses 32 rounds, and an 80-
bit key, and they process the key before using it to eliminate weak
keys. I started coding it at home in C to hack around with, not
having any particular plans as to what I'd do with it. I was just
enjoying the thrill of having something few others had.

The program worked, but it was horribly slow. Skipjack is optimized
for a pipelined hardware implementation, using 32 processing
elements, one for each round. Even a good software implementation
is almost uselessly slow.

Once I had the basic electronic-codebook function working, I
started implementing the rest of the Skipjack protocol around it.
After a month of on-and-off hacking, I had a complete software
clone of a Skipjack chip, which could be assigned any serial number
and device-unique key. Without the family key, however, there was
no way to create a proper LEAF. The version of Skipjack in this
file is much improved, but similar in structure, to the original.

For a long time, that was all I did with it. Without hardware, it
wasn't fast enough for a no-LEAF secure telephone. I scanned the
copies I'd made, encrypted the image files, and made a bonfire with
the paper copies. Not the kind of thing one should keep around.

Then I started experimenting with a programming technique called
genetic algorithms. These are algorithms which evolve their outputs
by creating successively better results. Multiple results are
generated and evaluated, the best are copied, the rest erased. The
remaining ones are then "crossed", simulating sexual reproduction,
and the cycle repeats.

Looking for an application, I decided to see how far a genetic
algorithm could go in attacking Skipjack. At the time, I'd have
been thrilled if it broke one round. What happened next - I didn't
do it! I didn't know then and don't know now how it works.

Using keys as the strings my algorithm would create was no good.
Genetic algorithms make incremental progress; with crypto, if one
bit is off, it's useless. Instead, my strings were programs written
in a little interpreted language, specifically designed for
cryptography. The genetic algorithm would evolve programs. This
approach has been used for various things in the past.

I started out with less than a round, with only the first
transformation of the first round. The genetic algorithm wrote a
program to solve that, no problem. But as I made it harder, using
more of the round, it failed to progress. So I tried something new:
there are programs which clean up spaghetti code, making readable
and usable code out of it. They are used to make 30-year-old Cobol
maintainable. I used one to take the most successful programs which
evolved, clean them up, and add them to the language itself as new
commands. When it got to the second round, the blocks out of which
those programs were built included the most successful methods used
against the first round. This way the program could build on its
own successes.

The computer ran 24 hours a day, and it progressed as far as the
fifth round. I was surprised that it worked at all, but I didn't
know if five rounds was good or bad. There has never been any
public research with Skipjack, but DES is much easier to break if
fewer rounds are used, so I assumed I hadn't really done much.

Before leaving for a weekend, I made several changes to the
program: improvements to the crossover routines, removing old,
nonuseful commands added by the evolver, and code which increased
the difficulty, one piece of one round at a time, each time the
programs were successful. There were a few other changes. There
were also several bugs in the program, including at least one wild
pointer which scrambled some of the evolved functions. How these
bugs affected the ultimate outcome, I don't know. Something like
Frankenstein's lightning, I suppose.

When I got back Sunday evening, I turned on the monitor and
couldn't believe it. It had gone through all 32 rounds - cracked
the code! Impossible, had to be a program bug. So I encrypted some
text using the function I'd written, fed it in, and went to bed.
The next morning, I expected the program to be crashed. Instead,
there was the key. Somehow, I don't have a clue how, the algorithms
evolve to fit each piece of ciphertext. They go down, like a diver
taking treasure from a sunken ship, and pull those patterns to the
surface. I've never been able to trace it. All the data looks
random, but the solution emerges in the end. Much like neural
networks: they can solve a problem, but they can't tell you how
they did it. That's one reason why people don't trust neural nets.

The next day, I kept trying it with different pieces of text.
Imagine opening your trunk and finding it stuffed with cash - I
kept opening it and looking to see if the money was really there.
Sometimes it was faster than others, but it always worked as long
as there was a pattern to the plaintext.

I started acquiring equipment and components. 32 RAM-based logic
array chips, similar to PAL's but using SRAM instead of ROM. One
for each round. These I connected to form the equivalent of a
Skipjack chip, equally fast but fully controllable. A used minivan.
Nonmetallic composites are popular for car bodies - they may stop
a bullet, but radio signals go right through them. No need for
visible antennas on the outside. A new 8-gigabyte hard drive.
Plenty of RAM for a disk cache. A software encryption program - I
wasn't about to use Skipjack, and my hard drive would need
encrypting. A small microwave dish and receiver - they've replaced
cable, carrying TV and all kinds of data transmissions. Encrypted
with Skipjack, of course.

By this time, mid-1997, Skipjack had already gone global. Most of
the money transferred around the world moves by Skipjack. Almost
all large corporations use it for their voice, data, and fax
networks. It has been designed into the lowest levels of the new
Information Superhighway under construction, and has replaced RIPEM
as the official privacy standard on the Internet.

Each country keeps escrows for all chips manufactured and used
within its borders. These are used for national law enforcement.
The United Nations has a master escrow, containing all of the keys
in the world. This is used to police international terrorism, arms
and drug trafficking, etc. There are, of course, very strict rules
governing when and to whom the UN will release keys.

This system works very well. It has put the squeeze on drug money
like nothing that came before it, because the large cash
transaction stands out in a world of electronic money. All major
crimes are difficult - the Mafia is nearly extinct. ATM and credit
card fraud are almost a thing of the past - the Skipjack smart card
has replaced the mag stripe and the card number. New phones have a
slot, rather than a built-in chip, allowing people to carry their
identities wherever they go.

I didn't counterfeit electronic money - that would eventually be
noticed, and besides, I'm not a thief. Nor did I secretly transfer
money to myself. I just drove to New York, one of many places where
information worth billions of dollars moves every day over microwave
beams. Then I parked in the path of one, turned on my inverter -
connected to four marine batteries; running out of power during a
hot intercept is highly annoying - and powered up my scanner.
Having cracked the family key, I could quickly extract the serial
number from each transmission. The hardest part is deciding what,
out of the gigabytes flowing by, to tap. Once I choose a
transmission, I feed it to the genetic algorithm. If I get anything
interesting, I keep that serial number, and I know to tap that chip
again when I see the serial number.

Perhaps I intercept the draft of your lousy quarterly earnings
report, bouncing from one suit to another as they try to cover
their asses. Then I sell your company short. Or if I intercept good
sales figures, I buy your stock. Sometimes I buy options, although
it's easier to lose your shirt that way. They aren't all winners -
the market reacts strangely sometimes - but enough of them are to
make me a millionaire in a couple of years. Besides, it wouldn't
work if all my picks were accurate. Someone would get suspicious.

I've really made very poor use of my luck. A corporation could have
practically taken over the world. But it would have been detected
eventually. By keeping it small and being careful, I've been
successful. For the last five years, I've lived as a parasite,
feeding on information and using it to my advantage. For a while,
I went through a voyeuristic phase, driving down the freeway,
tapping phone calls at random. That didn't stay interesting for
very long; most phone calls are boring.

So why am I revealing this now? Why would I give up my master key?
Not willingly, I assure you. But I feel that I have no choice.
Recently, there have been two unexplained crimes: large amounts of
money have been electronically transferred from corporate accounts,
simply vanishing. In both cases, the police have suspected an
inside job. MIS and finance managers were arrested - and released,
because there was absolutely no evidence against them. There was,
in fact, no evidence at all. The money was just gone.

The police may suspect an inside job, but I think otherwise. I am
very familiar with such crimes, because I spent much of that first
year planning them, thinking about how they could be accomplished.
Someone else, I am convinced, has discovered the master key. I
would suspect an organization, not an individual. Either they have
corrupted the escrow system, or they have cracked the code too. And
they do not intend to stop at personal wealth. From an offshore
base, they could, in one day of frantic activity, hold the world
economy hostage. Or they could drain us more slowly, over a period
of a few weeks. The thefts were intended to provide them with
capital and experience for what could be the greatest heist in the
history of money.

So what can I do to prevent this? I could go to the NCPI - the
National Cryptography and Privacy Institute, formerly the NSA - and
show them my system. They might throw me in the slammer for
espionage and securities fraud. More likely, they would make me a
deal - my freedom for my silence - and begin the long process of
designing a new encryption algorithm. But they would not believe me
when I told them that someone else had also cracked the code. The
idea is almost too horrible for them to contemplate - the whole
world runs on Skipjack - and without convincing evidence, there is
no way they would believe me. I don't have any convincing evidence.

Action has to be taken now, before it's too late, and there's only
one way to cause that. Tell the secret. Publish the algorithm,
publish the method of breaking it, and of course, publish this
file, so people will understand why I did what I did. I will be
flamed, called every name in the book and some that will be made up
for the occasion. They may try to hunt me down. There will be chaos
for a few days, maybe a few weeks. The world financial system will
grind to a halt, as programmers work frantically around the clock.
Software cryptography will have to be quickly installed, until a
new hardware system can be designed. For now, incompatibility will
return, efficiency will be reduced, and a lesson will be learned.
Hopefully, the NCPI will not make the same mistake twice.
Hopefully, they won't classify the algorithm next time.

                    --==<< Infocalypse >>==--

         (Binary file transmission follows this message)