From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
To: sidney@taurus.apple.com
Message Hash: fe074bf3ae8538b3bad4b58f84bb5a4436d46dfe1fbfab1a709a4fec398b7767
Message ID: <9406031646.AA23374@anchor.ho.att.com>
Reply To: N/A
UTC Datetime: 1994-06-03 16:47:33 UTC
Raw Date: Fri, 3 Jun 94 09:47:33 PDT
From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Fri, 3 Jun 94 09:47:33 PDT
To: sidney@taurus.apple.com
Subject: Re: Faster way to deescrow Clipper
Message-ID: <9406031646.AA23374@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text/plain
Sidney Markowitz writes:
> If that's the case, then 1) How does the second chip find out what the
> session key is?
That's a separate protocol issue; Clipper doesn't do any key exchange
itself, though Capstone does. Unless manufacturers are bullied/bribed into
using a standard implementation, everyone will probably roll their own.
> 2) Doesn't the second chip also have to generate and send a
> LEAF, if for no other reason than to identify itself to the wiretappers,
> and if so won't that give away the session key if that chip's device is not
> also hacked?
If you use the same session key for both directions of the conversation,
which most Clipperphones probably will, then yes, it's true.
That means you can only have private conversations with other people who
also care about privacy, which is somewhat appropriate.
On the other hand, a big use of Clipper is traffic analysis,
and Matt's method *will* prevent them from getting your Clipper
serial number from your conversations, though they'll get the number
for the other end if they're not also hacking LEAFs.
That can be a big win, especially if the other end is a well-known person,
like your local cellphone provider or president@whitehouse.gov.
However, one danger of doing this for cellphone calls is that they
might notice that calls from your cellphone keep having different LEAFs,
and suspect that you're a Potential Troublemaker.
3) If all that is needed for this hack is a LEAF with a proper
> checksum, why go through the brute force method of generating random LEAFs?
> Why not just buy (or steal or whatever) another Clippered device that you
> never use for real communication so the wiretappers have no record of who
> has that serial number, and get LEAFs from it? For that matter, why can't
> you obtain one LEAF from listening to anybody's Clippered transmission and
> use it over and over again?
The LEAF depends on the IV for the session, which depends on the session key.
Therefore, it's probably different for each call; otherwise you *could*
just reuse someone else's LEAF. (This should be obvious,
but I wasn't thinking about it when I first read Matt's paper,
though the "but the IV will be wrong so that won't work" had been
a sufficient distraction for many of us when CLipper first came out.)
Remember that they don't record Clipper chip keys when you buy your
Clipperphone - otherwise stealing one would be effective.
They record the chip-unique backdoor keys when they make the chip,
so they can tap *any* conversation they hear without needing to
keep track of who owns what phone.
On the other hand, for cellphones, it's *real* easy to find out who
uses a given chip, since the phone call setup protocols tell them
what phone it's coming from, and they _can_ look that up with the
phone company, so they can easily do that correlation. (If the Clipper
chips are socketed, you could always swap them for occasional
more-paranoid-but-still-tappable calls, but that would probably just
annoy them.)
Bill
Return to June 1994
Return to “wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)”
1994-06-03 (Fri, 3 Jun 94 09:47:33 PDT) - Re: Faster way to deescrow Clipper - wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)