1993-08-04 - Clipper Key generation

Header Data

From: “L. Detweiler” <ld231782@longs.lance.colostate.edu>
To: cypherpunks@toad.com
Message Hash: d0a891631401f2507eaca7371b236524a14fb1a1751b2b7d92604492f8f0ce34
Message ID: <9308040749.AA22749@longs.lance.colostate.edu>
Reply To: N/A
UTC Datetime: 1993-08-04 07:49:58 UTC
Raw Date: Wed, 4 Aug 93 00:49:58 PDT

Raw message

From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Wed, 4 Aug 93 00:49:58 PDT
To: cypherpunks@toad.com
Subject: Clipper Key generation
Message-ID: <9308040749.AA22749@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


The Clipper key generation is almost too bizarre to contemplate. In the
recent Denning article we still have the fantastically implausible (or
at least unimaginable) indication that it is all done on a `laptop
computer'. She left out the indication that it is destroyed. Only one
implausibility at a time.

Anyway, there are various aspects that don't entirely make sense, or
seem to indicate some kind of ulterior design constraints. I would like
to hear speculation on what the design constraints were.

In particular, they could just let the key generator site create random
keys. But then there would be accusations that they are encoding secret
information or something, and the appearance is too much like `we will
know all the keys' irrespective of key escrow agencies. 

So we have this picture of the two escrow agencies entering in
information into the initial system that determines the final unit key,
two 80 bit values.  This means the escrow agencies could theoretically
combine keys and reproduce the entire process to recompute the unit key
and prove that the key generation as described is actually taking
place. It also makes it look like the key originates completely from
outside sources. But wait! The generation site (read: NSA in capital
letters) supplies the `starting serial number'. That is, it is
completely at the discretion of the NSA to determine the serial number.
Now, given that this should be random and contain no extra information,
wouldn't we all feel a bit more comfortable if the key escrow agencies
also supplied it, or that it was based on their input? What could be
put in the serial number that is useful?  There are 64 bits to play
with here and the two keys are 160. Denning says that it is `padded' --
almost a Freudian slip.

The key generation process is rather interesting. It clearly is not
`cryptographically secure' in the sense that it relies on the security
of an algorithm for protection against abuse. This makes me think of
the following problem, which I wonder how has been explored in the literature:

consider it the Clean Key Generation problem. How can a chip be
programmed such that no one ever has the complete key all at once? I
would like to see the chip go through two stages: in the first stage
the first agency plugs in their half of the secret key, in the second
stage the second key agency does so, and the ability for either to read
the other is impossible. This would guarantee there is no illicit
archival. In fact, the centralized key generation in the scheme seems
so absolutely preposterous, because it is not `cryptographically
secure', it is only `NSA-assured-secure' (hey, a new category of
communications security!) What is the assurance that the facility is `safe'?

Alternatively, it would be very useful to devise some cryptographic or
technological scheme whereby a chip could be programmed at a
centralized location based on the input from multiple escrow agencies,
but the complete key is never available to the programmers. Seems like
a real catch-22, but then again so is public key cryptography (need to
ruminate on this one some more).

of course, these are all just theoretical ramblings and not to be taken
in any way of endorsement of key escrow...





Thread