
Re: NSA Chief Counsel in Wired, to appear on AOL



>From: "Jim Sewell" <[email protected]>
>
><In mail Richard Johnson said:>
>>
>[.. the public sector]
>>    drafts along behind the government, adopting government standards on
>>    the assumption that if it's good enough for the government's
>>    information, it's good enough to protect industry's.
>
>   But Clipper NEVER claimed to be good enough for the government's info!
>   As far as I know the description was that it was to be used for "sensitive
>   but not classified info" and as such it's not good enough for the REAL
>   secrets.

In the interest of keeping weak arguments from being battered down later,
it is entirely possible that the cryptographic algorithm used in clipper
(SKIPJACK) is identical to that found in the CCEP type 1 devices (KG-84,
STU-IIIs, KY-57/8s, etc.).

What may make the clipper chip unsuited for classified traffic is that it
is not type 1 certified (control processor code reviewed, failure mode
analysis, etc.) and does not require centralized key distribution - the
clipper chips have the ability to have the correct Cryptographic Check
Word (CCW) read back when attempting to load a home grown key.  Type 1
devices simply go to an error state, insisting that only 'state sponsored'
keys be used.  What is involved is the encryption of a known plaintext
pattern, the resulting ciphertext is subsampled (3 bytes), which is the
CCW.  (It is almost a certainty that if the crypto algorithm in clipper
were identical, that the plaintext values are different.)

The lack of rigidly checked hardware implementations, and screening of
the keys could be the major differences between a clipper chip and one
for classified traffic.  One of the CCEP crypto modules is supposed to
have unit IDs embedded in transmissions, and most of them do remote
rekeying, which may have been suborned for the remainder of the LEAF.
The check word in the LEAF fits in nicely with checking the validity
of a new key received from the distant end.  The unit ID is required
for a centralized key distribution scheme.

In other words it may not be that the cryptographic algorithm is not
good enough to protect classified data, rather that the key selection
process and hardware implementation are not certified for classified data.

One can imagine that this could be told to certain elected representatives
in classified briefings, and used to discount this one argument, and by
extension other arguments.  One should be willing to stipulate that the
cryptographic algorithm is not the weakness, rather that the escrow aspect
is what is objectionable.
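
The check word mechanism described in the message above, as an added example that is not part of the original post. SKIPJACK is replaced by a stand-in Feistel cipher built on HMAC-SHA256; the check pattern, the choice of the first three ciphertext bytes, and the names check_word and load_key are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed check pattern; the real patterns are not given in the post.
CHECK_PATTERN = bytes.fromhex("a5a5a5a5a5a5a5a5")
CCW_LEN = 3  # "subsampled (3 bytes)"; taking the first three is an assumption


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit Feistel cipher. This is NOT SKIPJACK."""
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(8):
        mixed = bytes(a ^ b for a, b in zip(left, _round_fn(key, rnd, right)))
        left, right = right, mixed
    return left + right


def check_word(key: bytes, pattern: bytes = CHECK_PATTERN) -> bytes:
    """Encrypt the known pattern under the key, keep 3 bytes of ciphertext."""
    return encrypt_block(key, pattern)[:CCW_LEN]


def load_key(key: bytes, supplied_ccw: bytes, readback: bool):
    """Model a key fill. Returns (loaded, disclosed_ccw).

    readback=False: a mismatch is an error state and discloses nothing
                    (the Type 1 behaviour described in the post).
    readback=True:  a mismatch returns the correct CCW, so a home grown
                    key loads on the next attempt (the Clipper behaviour).
    """
    expected = check_word(key)
    if hmac.compare_digest(expected, supplied_ccw):
        return True, None
    return False, expected if readback else None


if __name__ == "__main__":
    home_grown = bytes(range(10))  # constructed 80-bit key
    guess = bytes(b ^ 0xFF for b in check_word(home_grown))  # certainly wrong
    print(load_key(home_grown, guess, readback=False))
    _, ccw = load_key(home_grown, guess, readback=True)
    print(ccw.hex(), load_key(home_grown, ccw, readback=True))
```

A three-byte check word is 24 bits, so a randomly guessed value is accepted with probability 2^-24.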