From: cme@acm.org
To: eb@comsec.com
Message Hash: d3ba1273f055bf9ab43e3ae294cd83e48dbe059dc8292d2c58b6f295c8be73ff
Message ID: <9509271504.AA09830@tis.com>
Reply To: <199509262156.OAA21527@comsec.com>
UTC Datetime: 1995-09-27 15:23:32 UTC
Raw Date: Wed, 27 Sep 95 08:23:32 PDT
Subject: Re: The Fortezza random number generator is not trustworthy
>Date: Tue, 26 Sep 1995 14:56:54 -0700
>From: Eric Blossom <eb@comsec.com>
>
>I was under the impression that a seed for the RNG is loaded into the
>Fortezza at initialization time. This would make me think that they
>are using a cryptographically strong PRNG. This would give data that
>appears random, but is completely determined by the initial state.
>
>I suspect that the "seed keys" provided by the two agencies used to
>program the Clipper chips have the same properties. This makes the
>question of how the NSA gets access to the key escrow database
>moot. They don't need access. They know a priori all the unit keys.
My favorite Clipper master key generation algorithm, in the sacrificial
laptop in the Mykotronix vault, is:
\[ K(n) = H_1(R_1, R_2, n) = H_2( n ) \]
where $H_2$ is a damned good one-way function, as highly classified as
DERD's original description of the PRNG in the chip programming process
indicated, $n$ is the chip's serial number, $R_1$ and $R_2$ are the random
seeds provided by NIST and Treasury folks and $K(n)$ is the master key for
chip $n$.
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme |
|PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 |
| ``Officer, officer, arrest that man! He's whistling a dirty song.'' |
+---------------------------------------------- Jean Ellison (aka Mother) -+
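The scheme Carl sketches, worked through as an added example (not part of the original message): HMAC-SHA256 stands in for the classified one-way function $H$, the seeds and serial numbers are constructed values, and the 10-byte (80-bit Skipjack-sized) truncation is an assumption. It shows why anyone holding $R_1$ and $R_2$ regenerates every unit key without the escrow database, and gives the audit a defender would run to detect whether programmed keys are explained by the seeds at all.

```python
# Added illustration of K(n) = H(R_1, R_2, n); not code from the original message.
# HMAC-SHA256 is an assumed stand-in for the classified one-way function H.
import hashlib
import hmac
import secrets

KEY_LEN = 10  # assumed: 80-bit Skipjack unit key


def derive_unit_key(r1: bytes, r2: bytes, serial: int) -> bytes:
    """K(n) = H(R_1, R_2, n): the unit key is a pure function of the two agency
    seeds and the chip serial number. No per-chip entropy is involved."""
    return hmac.new(r1 + r2, serial.to_bytes(8, "big"), hashlib.sha256).digest()[:KEY_LEN]


def program_chips(r1: bytes, r2: bytes, serials) -> dict:
    """What the 'sacrificial laptop' would produce for a batch: {serial: unit key}.
    This same table is what the escrow agents would be handed."""
    return {n: derive_unit_key(r1, r2, n) for n in serials}


def fresh_unit_key() -> bytes:
    """The alternative Eric doubts is used: a key drawn from fresh per-chip
    randomness, which no seed holder can regenerate afterwards."""
    return secrets.token_bytes(KEY_LEN)


def audit_for_determinism(r1: bytes, r2: bytes, escrowed: dict) -> list:
    """Defender's check: return the serials whose escrowed key is NOT explained
    by the seeds. An empty list means every key is recomputable from R_1 and R_2,
    i.e. access to the escrow database is moot for whoever holds the seeds."""
    return [n for n, k in escrowed.items() if derive_unit_key(r1, r2, n) != k]


if __name__ == "__main__":
    # Constructed seeds; in the scenario they come from NIST and Treasury.
    R1, R2 = bytes.fromhex("11" * 16), bytes.fromhex("22" * 16)
    batch = program_chips(R1, R2, range(1000, 1005))
    print("unexplained serials:", audit_for_determinism(R1, R2, batch))
    batch[1002] = fresh_unit_key()
    print("after one fresh key:", audit_for_determinism(R1, R2, batch))
```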