1994-03-28 - Re: Ames/clipper compromised?

Header Data

From: smb@research.att.com
To: sommerfeld@orchard.medford.ma.us (Bill Sommerfeld)
Message Hash: 9b405073d8cd1cbfb83690151b04ace86562edff99c519e7c808f1d034c1044f
Message ID: <9403282337.AA21652@toad.com>
Reply To: N/A
UTC Datetime: 1994-03-28 23:37:52 UTC
Raw Date: Mon, 28 Mar 94 15:37:52 PST

Raw message

From: smb@research.att.com
Date: Mon, 28 Mar 94 15:37:52 PST
To: sommerfeld@orchard.medford.ma.us (Bill Sommerfeld)
Subject: Re: Ames/clipper compromised?
Message-ID: <9403282337.AA21652@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


	 If the algorithm becomes known at this stage in the game, they can
	 probably "easily" generate a modified SKIPJACK algorithm (changing the
	 S-boxes or equivalent), a new family key, and a subtle variation on
	 key generation.  They might not even need to re-spin the chip design
	 if, as they claimed, the critical parts of the algorithm are
	 programmed into the chip after fabrication.

Of course, we now know that changing the DES S-boxes isn't necessarily
easy.  Without knowing the details of Skipjack, we can't even start
to evaluate it.

	 BTW, my guess at the most likely back door is that the unit keys will
	 be generated as a cryptographic function of the serial number and a
	 *small* random number generated for each chip and unknown to the
	 agency.  They would have to search a mere 2**16..2**32 keys once they
	 get the serial number out of the LEEF.  The existance of such a
	 backdoor would be difficult to prove, since there would be no visible
	 evidence for it in the individual chips.  It is also difficult to
	 disprove such a theory because the clipper key generation algorithms
	 are classified.

The review committee will be looking at the key generation mechanism,
according to Steve Kent.  Not as good as publishing it, of course, and
-- if they're honest -- there would seem to be a lot less reason to keep
it secret than there is for Skipjack.  (I don't like Skipjack being
secret, but at least the ostensible reason is quite sensible, given their
motivations.)

A useful exercise for this group might be to compile a list of questions
that they *should* answer if they're playing it straight.  These could
be forwarded to the review committee, too.  If we come up with a good
list, I'm willing to submit it to them.  For that matter, I'll submit
it to one of the gentleman from NSA who gave the Clipper presentation
at Bell Labs.  (But I won't bother sending in ``when did you stop beating
your spousal equivalent unit'' questions; there's no point to doing that
in this venue.)

Question 1:
	What is the unit key generation algorithm?  If it is classified,
	justify the decision with reasoning at least as persuasive as
	the reason Skipjack is classified.

Question 2:
	Ditto for the device serial number.

Any more?





Thread