1995-09-23 - The Fortezza random number generator is not trustworthy

Header Data

From: John Gilmore <gnu@toad.com>
To: cypherpunks, gnu
Message Hash: 9cddcdf6e7a219201ea6b817a9138ecedf73c2d7ea3ea38447162aa415ae5156
Message ID: <9509230400.AA19805@toad.com>
Reply To: N/A
UTC Datetime: 1995-09-23 04:00:41 UTC
Raw Date: Fri, 22 Sep 95 21:00:41 PDT

Raw message

From: John Gilmore <gnu@toad.com>
Date: Fri, 22 Sep 95 21:00:41 PDT
To: cypherpunks, gnu
Subject: The Fortezza random number generator is not trustworthy
Message-ID: <9509230400.AA19805@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


> Yes Fortezza cards can be instructed to produce a random number through one
> of its library calls (someday they'll have a real API).  One of the
> diagnostic tools I had tested this function.  What algorithm do they use?
> Haven't a clue.  Sources say that the RNG implementation may vary from vendor
> to vendor (i.e., GTC, Spyrus, Mykotronix, etc.).

A caution.  I believe that CAPSTONE chips inside the Fortezza card are
highly likely to have back doors in them, above and beyond the Clipper
key escrow feature.  In particular, the random number generator is
probably compromised.

Many of the top-secret NSA documents I have received under FOIA about
Clipper say things like:

    "2.  I briefed the Board on the CLIPPER and CAPSTONE chips and
    their capabilities and summarized the recommendations of the
    19 November session:

    [TWO INCHES OF SOLID BLACKOUT]

    "3.  The Policy Board reached consensus on the following points:

	    [TWO LINES BLACKED OUT]

	    a. NSA will provide for the availability from a vendor of
    a single chip which can be programed for law enforcement access
    exclusively through a key escrow "law enforcement exploitation
    field."  The chip will have no trap doors or other methods
    of access.  This chip is called CLIPPER.

    [THREE INCHES OF SOLID BLACKOUT]

Note that they explicitly say "The chip will have no trap doors or
other methods of access" when talking about Clipper, but all
information about Capstone is blacked out.  There's no such guarantee
about Capstone.

The Digital Signature Algorithm embedded in Capstone is the best "host
algorithm" ever seen for subliminal channels.  A subliminal channel is
a means of communication which imparts information but cannot even be
detected by third parties.  By choosing numbers for DSA signatures
that are not completely random, several subliminal channels are
available, which can leak information as part of normal digital
signatures.  This subliminal information can only be read by someone
who knows a secret about how the non-random numbers were generated.
Gus Simmons, who did seminal work on subliminal channels while at
Sandia Labs, wrote a Eurocrypt paper on this a year or two ago.  The
Capstone chip knows private things like your DSA private key, the last
session key you loaded for Skipjack, etc.  So it has info that is
worth leaking to NSA wiretappers.

Now the plot thickens.  I submitted a FOIA request for all information
the NSA had on subliminal channels.  They responded that they had no
information!  We appealed and got the same answer.

However, subliminal channels are clearly part of the crypto literature
and knowledge base.  They were a major concern when Gus designed
nuclear test-ban verification crypto equipment in the '70s.  The ONLY
way NSA can legally claim to have no information on subliminal
channels is if the MERE FACT OF THE EXISTENCE AT NSA of information on
subliminal channels is classified.

In other words, if their information ABOUT subliminal channels is
classified, they can't say they have no documents; they have to say, e.g.
"We have ten documents and they're all classified."  If they have any
documents, they can only legally claim to have no documents if just
confirming the existence of the documents would itself reveal
classified info.  This is called "Glomarizing" and it's named for the
Glomar Explorer, a ship which was secretly used for dredging up code
books from sunken Soviet submarines.  Merely confirming that records
existed on the Glomar would have revealed classified information (i.e.
that the government was involved; the cover story was that a private
company was using it for deep-sea mining experiments).

Apparently, merely confirming that NSA knows anything about subliminal
channels would reveal classified information.

If the mere existence of documents on subliminal channels is
classified, it's probably because they are very actively and very
secretly using them.  And this tends to reinforce my perception that
they are using them in Capstone, the heart of the Fortezza card.

You're free to dismiss all this as paranoid rambling.  However, if you
use a Fortezza card to generate your random numbers, you have no way
to determine how these numbers are being generated.  Are they really
random?  How could you tell?  Would you rather get "random" numbers
from a classified NSA-designed chip that's part of a family designed
to subvert your privacy?  Or would you rather get them from a
third-party product whose design you can actually verify?  I'd prefer
a random number generator where I can pull one "at random" from stock,
take it apart, and verify that it really does what its designers say
it does.

	John Gilmore





Thread