1993-04-20 - Another Clipper weakness

Header Data

From: Hal <74076.1041@CompuServe.COM>
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: 4d1250393b13a8581822eb4a9e79e2050522f12565d106c97d23e20effe85a4a
Message ID: <93042015512974076.1041_FHD54-1@CompuServe.COM>
Reply To: _N/A

UTC Datetime: 1993-04-20 15:56:46 UTC
Raw Date: Tue, 20 Apr 93 08:56:46 PDT

Raw message

From: Hal <74076.1041@CompuServe.COM>
Date: Tue, 20 Apr 93 08:56:46 PDT
To: Cypherpunks <cypherpunks@toad.com>
Subject: Another Clipper weakness
Message-ID: <930420155129_74076.1041_FHD54-1@CompuServe.COM>
MIME-Version: 1.0
Content-Type: text/plain

Perry asks about the 30-bit serial number.
Actually, it appears that the unit key UK is a function of the serial
number plus the two 80-bit random numbers input by the escrow agents
when the chips are programmed.  This would prevent an easy guessing
attack as long as these random numbers S1 and S2 are unknown.
The one problem is that S1 and S2 are not changed for each chip, but are
rather kept the same in programming a batch of about 300 chips.  Then
they are supposed to be destroyed.
The potential weakness is that if someone managed to keep a copy of the S1
and S2 values which were used to program all clipper chips (only about 3000
such values for a million chips), then Perry's suggested attack could work.
This would be few enough bits that the unit key could be guessed.
Those who are asked to judge the safety of the system will presumably pay
careful attention to the measures used to insure that S1 and S2 are not
saved.  I don't know how they'll check for NSA micro-cameras in the vault
ceiling, though...