1994-06-04 - Re: Black Eye for NSA, NIST, and Denning

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 896e1d8870a3c77470d7272c9c42ce7480ab7763e903cb3c64310f71293bd01e
Message ID: <199406040047.RAA06014@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-06-04 00:45:58 UTC
Raw Date: Fri, 3 Jun 94 17:45:58 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Fri, 3 Jun 94 17:45:58 PDT
To: cypherpunks@toad.com
Subject: Re: Black Eye for NSA, NIST, and Denning
Message-ID: <199406040047.RAA06014@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


It was my understanding from what was posted here and on sci.crypt that
Clipper chips were only going to be given to phone manufactureres who
had an approved design.  This would mean no pre-encryption of messages,
and no hacks to defeat the LEAF block, would be allowed.

It's not clear to me whether the same restrictions apply to the use of
the Tessera plug-in card.  It sounds, from what was posted here, like
Blaze was able to feed sample LEAF's at his card until it accepted one.
Is that correct?  If so, apparently users of such cards have access to
low-level functions which would allow this kind of trick to be used.

Unless there is some way to get a supply of Clipper chips to allow you
to make Clipper-compatible phones which still protect privacy, then
all this theorizing is not too useful.

I am inclined to agree with Deadbeat that if you want to give the
impression that you are using Clipper on your phone calls (to blend in,
to keep a low profile) but at the same time you want the key escrow not
to work, then pre-encryption is a superior strategy to Matt Blaze's
idea.  Matt's trick only hides the session key if both sides are using
it.  And even in that case it appears to require particular key manage-
ment techniques that may not be standard (one side provides the session
key, or it is negotiated but both sides wait 30 minutes to talk).  So it
does seem that some pre-arrangement will be necessary in practice to allow
Blaze's approach to successfully hide the session key.

It's true that the Blaze technique hides the unit id, preventing traffic
analysis.  But that could be a negative.  Playing paranoid, suppose that
Clipper traffic is routinely decrypted with the family key.  Then the
fact that someone is using bogus LEAF's might be evident because the
unit id would change with each call.  Using pre-encryption makes you look
like a good little boy until they bring out the escrowed keys.


(Of course, they're not supposed to troll LEAF's, any more than they're
supposed to break escrow, but I'm assuming that the former will be easier
and more likely than the latter.)

Hal






Thread