1994-03-28 - Re: Ames/clipper compromised?

Header Data

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
To: phantom@u.washington.edu
Message Hash: 300a784e334a2949f2f718e45d2e80254e67167013e7abdcee7ddf7b1f1d5248
Message ID: <9403281936.AA22601@anchor.ho.att.com>
Reply To: N/A
UTC Datetime: 1994-03-28 19:37:57 UTC
Raw Date: Mon, 28 Mar 94 11:37:57 PST

Raw message

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Mon, 28 Mar 94 11:37:57 PST
To: phantom@u.washington.edu
Subject: Re:  Ames/clipper compromised?
Message-ID: <9403281936.AA22601@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text/plain


> sommerfeld@orchard.medford.ma.us (Bill Sommerfeld) :
> 
> >BTW, my guess at the most likely back door is that the unit keys will
> >be generated as a cryptographic function of the serial number and a
> >*small* random number generated for each chip and unknown to the
> >agency.  They would have to search a mere 2**16..2**32 keys once they
> >get the serial number out of the LEEF.  The existance of such a
> >backdoor would be difficult to prove, since there would be no visible
> >evidence for it in the individual chips.  It is also difficult to
> >disprove such a theory because the clipper key generation algorithms
> >are classified.

Key generation is one of the obvious backdoors; the wrinkle of making the
random number space from the keymasters small enough to search is interesting,
especially because they only need one key per batch to validate whether 
they've got the right guess.

My original reaction to the version described by Dorothy Denning
was that it wouldn't be very hard to *steal* the key-generating keys 
the keymasters bring to the key-generation charade in the vault, 
either physically or by leaking them out in generated keys or something.
Now that they've announced they're changing the script for the charade,
who knows how easy it will be?  They've certainly announced no plans for
validation of the key-generation software design or implementation.

Matt Thomlinson writes:
> I just read a paper that might apply to this type of backdoor; it was by
> someone at RSA, with the title "..RSA's trapdoor can be broken". I'll 
No, that's a different argument; it's (name forgotten) vs Kaliski,
where the proposed method turns out to take as much work as factoring and
therefore doesn't rate as a backdoor.

		Bill Stewart





Thread