From: smb@research.att.com
To: mischu, matt, reeds, lacy, don, gong@csl.sri.com, karn
Message Hash: 3405b36bd3d0be8bdd72618d58856db6d131053790163d4731b48454b7dd2f3f
Message ID: <9304181217.AA17562@qualcomm.com>
Reply To: N/A
UTC Datetime: 1993-04-18 12:17:07 UTC
Raw Date: id AA02705sendmail 5.67/QC-subsidiary-2.1 via SMTPSun, 18 Apr 93 05:17:07 -0700 for karn
Subject: technical information on Clipper
MIME-Version: 1.0
Content-Type: text/plain
------- Forwarded Message
Return-Path: ISL.Stanford.EDU!hellman
Received: by research.att.com; Sun Apr 18 02:06 EDT 1993
Received: by inet.att.com; Sun Apr 18 02:06 EDT 1993
Received: by ISL.Stanford.EDU (4.1/25-eef) id AA22827; Sat, 17 Apr 93 23:05:23 PDT
Date: Sat, 17 Apr 93 23:05:23 PDT
From: "Martin Hellman" <hellman@isl.stanford.edu>
Message-Id: <9304180605.AA22827@ISL.Stanford.EDU>
To: DAVIDNEWMANPC@mcimail.com, NORMILE.J@applelink.apple.com,
adw@research.att.com, amo@research.att.com, bach@cs.wisc.edu,
berson@sri.com, biham@cs.technion.ac.il, branstad@st1.ncsl.nist.gov,
brassard@iro.umontreal.ca, burt@rsa.com, carl@joe.math.uga.edu,
caronni@nessie.cs.id.ethz.ch, clipper@csrc.ncsl.nist.gov,
denning@cs.cosc.georgetown.edu, diffie@eng.sun.com,
eor@ISL.Stanford.EDU, erdmann@leland, fahn@cs,
gfung%ccm.UManitoba.CA@cornellc.cit.cornell.edu, gill@ISL.Stanford.EDU,
gormish@ISL.Stanford.EDU, infort%czheth5a.BITNET@forsythe.stanford.edu,
jeffr@sco.com, jhwang@ISL.Stanford.EDU, jim@rsa.com,
jwarren@well.sf.ca.us, jwolf@ucsd.edu, kurlberg@leland,
langford@ISL.Stanford.EDU, lenstra@flash.bellcore.com, markoff@nyt.com,
matt@rsa.com, merkle@xerox.com, minnieho@ISL.Stanford.EDU,
mitran@asic.sc.ti.com, ovseev@ippi.msk.su, rivest@theory.lcs.mit.edu,
roche@ISL.Stanford.EDU, rotenberg@washofc.cpsr.org,
scholtz@jimmie.usc.edu, shamir%wisdom.bitnet@forsythe,
smb@research.att.com, taher@rsa.com, voois@ISL.Stanford.EDU,
welch@irving.usc.edu, wesel@ISL.Stanford.EDU
Subject: Clipper Chip
Most of you have seen the announcement in Friday's NY Times,
etc. about NIST (National Institute of Standards & Technology)
announcing the "Clipper Chip" crypto device. Several messages
on the net have asked for more technical details, and some have
been laboring under understandable misunderstandings given
the lack of details in the news articles. So here to help out
is your friendly NSA link: me. I was somewhat surprised Friday
to get a call from the Agency which supplied many of the missing
details. I was told the info was public, so here it is (the cc of this
to Dennis Branstad at NIST is mostly as a double check on my
facts since I assume he is aware of all this; please let me know
if I have anything wrong):
The Clipper Chip will have a secret crypto algorithm embedded in
Silicon. Each chip will have two secret, 80-bit keys. One will be the
same for all chips (ie a system-wide key) and the other will be unit
specific. I don't know what NIST and NSA will call them, but I will
call them the system key SK and unit key UK in this message.
The IC will be designed to be extremely difficult to reverse so
that the system key can be kept secret. (Aside: It is clear that
they also want to keep the algorithm secret and, in my opinion,
it may be as much for that as this stated purpose.) The unit key
will be generated as the XOR of two 80-bit random numbers K1
and K2 (UK=K1+K2) which will be kept by the two escrow
authorities. Who these escrow authorities will be is still to be
decided by the Attorney General, but it was stressed to me that
they will NOT be NSA or law enforcement agencies, that they
must be parties acceptable to the users of the system as unbiased.
When a law enforcement agency gets a court order, they will
present it to these two escrow authorities and receive K1 and
K2, thereby allowing access to the unit key UK.
In addition to the system key, each user will get to choose his
or her own key and change it as often as desired. Call this key
plain old K. When a message is to be sent it will first be
encrypted under K, then K will be encrypted under the unit key UK,
and the serial number of the unit added to produce a three part
message which will then be encrypted under the system key SK
producing
E{ E[M; K], E[K; UK], serial number; SK}
When a court order obtains K1 and K2, and thence K, the law
enforcement agency will use SK to decrypt all information
flowing on the suspected link [Aside: It is my guess that
they may do this constantly on all links, with or without a
court order, since it is almost impossible to tell which links
over which a message will flow.] This gives the agency access to
E[M; K], E[K; UK], serial number
in the above message. They then check the serial number
of the unit and see if it is on the "watch list" for which they
have a court order. If so, they will decrypt E[K; UK] to obtain K,
and then decrypt E[M; K] to obtain M.
I am still in the process of assessing this scheme, so please do
not take the above as any kind of endorsement of the proposed
scheme. All I am trying to do is help all of us assess the scheme
more knowledgeably. But I will say that the need for just one court
order worries me. I would feel more comfortable (though not
necessarily comfortable!) if two separate court orders were
needed, one per escrow authority. While no explanation is
needed, the following story adds some color: In researching
some ideas that Silvio Micali and I have been kicking around,
I spoke with Gerald Gunther, the constitutional law expert
here at Stanford and he related the following story: When
Edward Levi became Pres. Ford's attorney general (right
after Watergate), he was visited by an FBI agent asking
for "the wiretap authorizations." When Levi asked for
the details so he could review the cases as required by
law, the agent told him that his predecessors just turned
over 40-50 blank, signed forms every time. Levi did not
comply and changed the system, but the lesson is clear:
No single person or authority should have the power to
authorize wiretaps (or worse yet, divulging of personal
keys). Sometimes he or she will be an Edward Levi
and sometimes a John Mitchell.
Martin Hellman
------- End of Forwarded Message
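The escrow construction Hellman describes above, as an added simulation that is not part of the original message: the unit key is split as UK = K1 XOR K2 between two escrow holders, a message is wrapped as E{ E[M; K], E[K; UK], serial; SK }, and the access path strips SK, checks the serial against the watch list, and only then recovers UK, K and M. The real Clipper algorithm is secret, so a SHA-256 keystream XOR stands in for it (an assumption, not Skipjack); the framing with length prefixes and a 4-byte serial is also assumed.

```python
import hashlib
import os
import struct

KEY_BYTES = 10  # 80-bit keys, as stated in the message


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the secret Clipper algorithm: SHA-256 keystream XOR.
    Symmetric, so one call serves both encryption and decryption."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">I", off // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_unit_key(uk: bytes, k1: bytes = None):
    """UK = K1 + K2 (XOR): K1 goes to escrow authority 1, K2 to authority 2.
    Either share alone is a uniformly random 80-bit string."""
    k1 = k1 or os.urandom(KEY_BYTES)
    return k1, xor_bytes(uk, k1)


def clipper_encrypt(m: bytes, k: bytes, uk: bytes, serial: int, sk: bytes) -> bytes:
    """Build E{ E[M; K], E[K; UK], serial ; SK } (assumed framing)."""
    e_m = stand_in_cipher(k, m)
    e_k = stand_in_cipher(uk, k)
    inner = struct.pack(">I", len(e_m)) + e_m + e_k + struct.pack(">I", serial)
    return stand_in_cipher(sk, inner)


def law_enforcement_access(ct: bytes, sk: bytes, escrow1: dict, escrow2: dict):
    """Strip SK, read the serial, and proceed only if BOTH escrow holders
    have released their share for that serial (the court-order watch list).
    Returns the plaintext, or None when the unit is not on the list."""
    inner = stand_in_cipher(sk, ct)
    (n,) = struct.unpack(">I", inner[:4])
    e_m = inner[4:4 + n]
    e_k = inner[4 + n:4 + n + KEY_BYTES]
    (serial,) = struct.unpack(">I", inner[4 + n + KEY_BYTES:4 + n + KEY_BYTES + 4])
    if serial not in escrow1 or serial not in escrow2:
        return None  # no order covering this unit: SK alone exposes only the serial
    uk = xor_bytes(escrow1[serial], escrow2[serial])  # UK = K1 XOR K2
    k = stand_in_cipher(uk, e_k)                      # recover session key K
    return stand_in_cipher(k, e_m)                    # recover M
```

Note what the SK layer alone yields: the serial number of every unit on the link, which is exactly the traffic-visibility concern raised in the aside above.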