1994-06-03 - Faster way to deescrow Clipper won’t work

Header Data

From: “Perry E. Metzger” <perry@imsi.com>
To: sidney@taurus.apple.com (Sidney Markowitz)
Message Hash: 6041fa77f87368183674b88af374be1e3c7739262cb6e9d619c2f7dc7fc415df
Message ID: <9406031247.AA03875@snark.imsi.com>
Reply To: <9406030758.AA04800@federal-excess.apple.com>
UTC Datetime: 1994-06-03 12:48:42 UTC
Raw Date: Fri, 3 Jun 94 05:48:42 PDT

Raw message

From: "Perry E. Metzger" <perry@imsi.com>
Date: Fri, 3 Jun 94 05:48:42 PDT
To: sidney@taurus.apple.com (Sidney Markowitz)
Subject: Faster way to deescrow Clipper won't work
In-Reply-To: <9406030758.AA04800@federal-excess.apple.com>
Message-ID: <9406031247.AA03875@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



Allow me to clear up a major misconception here, which I initially
shared. According to Matt, the cleartext of the session key and the IV
are both components that go into the checksum. Therefore, the remote
EES unit CAN determine that you've spoofed them if you attempt a
shortcut like reusing a LEAF generated by another unit. You really
have to test lots of pseudoLEAFs against a test unit that you've
handed a session key to.

Perry

Sidney Markowitz says:
> Could someone please enlighten me on this: It seems from the descriptions
> of the hack to fake a LEAF that 1) When two Clipper chips are going to
> communicate, one of them generates the session key and sends a LEAF to the
> other chip, 2) The second chip recognizes the LEAF as being valid based on
> the validity of the checksum, but does not determine the session key from
> the LEAF.

Correct. However, remember that it tests the checksum against an IV
and session key.

> If that's the case, then 1) How does the second chip find out what the
> session key is?

"It depends". Diffie-Hellman, prearrangement, via a public key
mediated exchange, or anything else that seems reasonable.

> 3) If all that is needed for this hack is a LEAF with a proper
> checksum, why go through the brute force method of generating random LEAFs?

See above -- the problem is that of finding a LEAF with a proper
checksum that corresponds to the session key.

Perry
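
The binding described in the message, as an added example that is not part of the original email: a receiver that checks the LEAF checksum against the session key and IV it holds rejects a LEAF borrowed from another unit, while a checksum over the LEAF alone would accept it. The real EES checksum function is not given here, so HMAC-SHA256, `FAMILY_KEY`, the LEAF body layout and all sample values are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-in for a secret shared by all units (assumption).
FAMILY_KEY = b"constructed-family-key"


def _tag(*parts: bytes) -> bytes:
    """Keyed tag over length-prefixed parts (HMAC-SHA256 as a stand-in)."""
    mac = hmac.new(FAMILY_KEY, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def make_leaf(unit_id: bytes, session_key: bytes, iv: bytes, bound: bool = True):
    """Build (body, checksum). bound=True ties the checksum to key and IV."""
    # Hypothetical body: unit ID plus an opaque escrow field for the session key.
    body = unit_id + _tag(b"escrow", unit_id, session_key)[:10]
    checksum = _tag(body, session_key, iv) if bound else _tag(body)
    return body, checksum


def receiver_accepts(leaf, session_key: bytes, iv: bytes, bound: bool = True) -> bool:
    """Receiver recomputes the checksum from the session key and IV it holds."""
    body, checksum = leaf
    expected = _tag(body, session_key, iv) if bound else _tag(body)
    return hmac.compare_digest(checksum, expected)


def demo() -> dict:
    """Compare both checksum designs on an own LEAF and a borrowed one."""
    # Constructed sample values for two independent sessions.
    ours = (b"K" * 10, b"I" * 8)      # session key and IV agreed with our peer
    theirs = (b"k" * 10, b"i" * 8)    # another unit's unrelated session
    results = {}
    for bound in (True, False):
        own_leaf = make_leaf(b"UNIT-A", *ours, bound=bound)
        borrowed = make_leaf(b"UNIT-B", *theirs, bound=bound)
        results[bound] = {
            "own_leaf": receiver_accepts(own_leaf, *ours, bound=bound),
            "borrowed_leaf": receiver_accepts(borrowed, *ours, bound=bound),
        }
    return results
```

`demo()[True]` is the design the message describes; `demo()[False]` is the misconception it corrects.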




