17 Dec 2003, 11:17 p.m.
The attack posted here uses a brute-force search to find a phony LEAF which has a valid checksum. Instead, why not just initialize the chip with a session key and get the LEAF. Reset the chip and initialize it with a different session key, but send the first LEAF instead of the second one. The LEAF would look good unless you tried to decrypt the session key. The wrong-IV problem would remain. The NSA should have designed the Clipper so that, if the IV was wrong, the chips would not accept the LEAF. They also should have used a much larger (32-bit or even 64-bit) checksum. --- Mike