1994-06-03 - Re: Faster way to deescrow Clipper

Header Data

From: “Perry E. Metzger” <perry@imsi.com>
To: Mike Ingle <MIKEINGLE@delphi.com>
Message Hash: 32da680a5bca24b0d64711062b9c0a4a7a167c217f78da9c49a749e9079333e3
Message ID: <9406031157.AA03771@snark.imsi.com>
Reply To: <01HD2TUJI8NC95Q50V@delphi.com>
UTC Datetime: 1994-06-03 12:06:39 UTC
Raw Date: Fri, 3 Jun 94 05:06:39 PDT

Raw message

From: "Perry E. Metzger" <perry@imsi.com>
Date: Fri, 3 Jun 94 05:06:39 PDT
To: Mike Ingle <MIKEINGLE@delphi.com>
Subject: Re: Faster way to deescrow Clipper
In-Reply-To: <01HD2TUJI8NC95Q50V@delphi.com>
Message-ID: <9406031157.AA03771@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



Mike Ingle says:
> The attack posted here uses a brute-force search to find a phony LEAF
> which has a valid checksum. Instead, why not just initialize the chip
> with a session key and get the LEAF. Reset the chip and initialize it
> with a different session key, but send the first LEAF instead of the
> second one.

An interesting idea. 

> The LEAF would look good unless you tried to decrypt the
> session key. The wrong-IV problem would remain. The NSA should have
> designed the Clipper so that, if the IV was wrong, the chips would not
> accept the LEAF.

That can't be done, I'm afraid. Its way to difficult to distinguish a
bad IV from line noise nuking the first block of your CBC
conversation.

> They also should have used a much larger (32-bit or even 64-bit) checksum.

Matt suggests precisely that in his paper.

Perry





Thread