From: Matt Blaze <mab@research.att.com>
To: cypherpunks@toad.com
Message Hash: c9fe86e070b850d3c99ccb00915f85b5a083246907b686c1e2a141053fa817e1
Message ID: <9402042007.AA25589@big.l1135.att.com>
Reply To: N/A
UTC Datetime: 1994-02-04 20:10:15 UTC
Raw Date: Fri, 4 Feb 94 12:10:15 PST
From: Matt Blaze <mab@research.att.com>
Date: Fri, 4 Feb 94 12:10:15 PST
To: cypherpunks@toad.com
Subject: Followup: Notes on key escrow meeting with NSA
Message-ID: <9402042007.AA25589@big.l1135.att.com>
MIME-Version: 1.0
Content-Type: text/plain
Newsgroups: sci.crypt,talk.politics.crypto,comp.org.eff.talk,alt.privacy.clipper
Subject: Re: Notes on key escrow meeting with NSA
In a recent article, I wrote:
>A group from NSA and FBI met the other day with a group of us at Bell
>Labs to discuss the key escrow proposal. They were surprisingly
>forthcoming and open to discussion and debate, and were willing to at
>least listen to hard questions. They didn't object when asked if we
>could summarize what we learned to the net. Incidentally, the people
>at the meeting seemed to base a large part of their understanding of
>public opinion on Usenet postings. Postings to sci.crypt and
>talk.politics.crypto seem to actually have an influence on our
>government.
>
>A number of things came out at the meeting that we didn't previously
>know or that clarified previously released information. What follows
>is a rough summary; needless to say, nothing here should be taken as
>gospel, or representing the official positions of anybody. Also,
>nothing here should be taken as an endorsement of key escrow, clipper,
>or anything else by the authors; we're just reporting. These notes
>are based on the collective memory of Steve Bellovin, Matt Blaze, Jack
>Lacy, and Mike Reiter; there may be errors or misunderstandings.
>Please forgive the rough style. Note also the use of "~ ~" for
>'approximate quotes' (a marvelous Whit Diffie-ism).
A couple of clarifications and new recollections. Same disclaimers as
above.
The NSA people were asked whether they would consider evaluating
ciphers submitted by the private sector as opposed to simply proposing a
new cipher as a "black box" as they did with Skipjack. They said they
can't do this because, among other things, of the extraordinary effort
required to properly test a new cipher. They said that it often takes
from 8-12 years to design, evaluate and certify a new algorithm, and
that Skipjack began development "~about 10 years ago.~" I asked if we
should infer anything from that about the value of the (limited time
and resource) civilian Skipjack review. They took that with good
humor, but they did say that the civilian review was at least
presented with and able to evaluate some of the results of NSA's
previous internal reviews.
Regarding the scale of the escrow exploitation system, they said that
they did not yet have a final operational specification for the escrow
protocols, but did say that the escrow agencies would be expected to
deliver keys "~within about 2 hours~" and are aiming for "~close to
real time.~" Initially, the FBI would have the decoder box, but
eventually, depending on costs and demand, any law enforcement agency
authorized to conduct wiretaps would be able to buy one. The two
escrow agencies will be responsible for verifying the certification
from and securely delivering the key halves to any such police
department.
As an aside, we've since been informed by a member of the civilian
Skipjack review committee that the rationale for not having the escrow
agency see the actual wiretap order is so that they do not have access
to the mapping between key serial numbers and people/telephones.
Also, on second reading, I wasn't at all clear about the reverse
engineering resistance of the chips. I wrote:
>...they are designed to resist reverse engineering the data in the
>chip without destroying the chip. It is not clear (from the
>information presented at the meeting) whether the chips are equally
>resistant to destructive reverse-engineering to learn the skipjack
>algorithm....
That is, the chips are designed to resist non-destructive reverse
engineering to obtain the unit keys. They do not believe that it is
possible to obtain the unit key of a particular chip without destroying
the chip. They did not present any assertions about resistance to
destructive reverse engineering, such that several chips can be taken
apart and destroyed in the process, to learn the Skipjack algorithm.
Finally, I should have made clear that "Clipper" is more properly
called the "MYK-78T".
-matt
Return to February 1994
Return to “Matt Blaze <mab@research.att.com>”
1994-02-04 (Fri, 4 Feb 94 12:10:15 PST) - Followup: Notes on key escrow meeting with NSA - Matt Blaze <mab@research.att.com>