The WIRE-TAP Proposal: Problems with it. The White House sent out a press release on Friday 16 April about a voice encryption chip called the Clipper chip. This has come to be known as the Wiretap chip since it allows any Law Enforcement agency to automatically decrypt any conversations made with it with a search warrant. The LE presents said search warrant to two different escrow agencies to obtain the keys (80 bits long) that automatically decrypts your conversation. The Electronic Frontier Foundation (EFF) and the Computer Professionals for Social Responsibility (CPSR) have both criticized the proposal. There was even a negative article already in Network World (19 Apr 93). The paragraphs that follow are facts and problems I have collected by listening to other discuss the Wiretap chip. Say you wanted to encrypt your talk with someone over a phone. Well, since you and the person you want to talk to both have the Wiretap (Clipper) chip in your phones, you can automatically encrypt your conversation. All fine and good encryption for the consumer. Now, what if you come under investigation by the local constabulary? The get a court order and ask the escrow agencies (non-law enforcement types) for your key. They already have the family key since that is the same in each chip. They now have your specific key. With these two keys, they can decrypt all conversations that you have. This includes conversations that are not legal to wiretap such as attorney-client, doctor-patient and so on. They also have that key for any all future sessions that you use that phone for. Start to see the problem? This part is all legal... Search warrants are even exceedingly easy to get at times. There have been reports of the FBI get groups of 50 signed and blank search warrants from the DoJ. Now, there are other problems. Would you give the IRS keys to your house and filing cabinet as long as they promised that they would only use it under proper authorization? The key length of 80 bits is still considered cryptographically weak. The cryptographic algorithm is also being kept classified. This is not the usual practice. In the cryptographic community, algorithms are public. This way people can be assured there aren't any back doors and that the algorithm can stand on its own strengths, not that of secrecy. It is clear from the description that the plan for key registration would be compromised if the algorithm was made public; anyone could make chips or software that implemented it, using their own keys. These keys, of course, would not be registered. It is not that difficult to reverse engineer a chip these days. It may also be true that the algorithm itself is too weak to be shown to the public. This was true of a digital cellular encryption standard (IS-54B). It is not available to the public and is incredibly weak. Finally, some of the implications behind this announcements are dire. The Wiretap chip could become the market or legislative standard. This could mean that other implementations of cryptographic voice transactions would be very difficult to obtain or would be illegal to obtain. Why would a criminal use the Wiretap chip when they knew it wouldn't encrypt their conversations against the LE agencies? They wouldn't, they would use other encryption technologies. Would this mean that using something other than the Wiretap chip is probable cause and puts you under suspicion? The way the encryption works also allows for ludicrously easy call-tracing. Each chip has a serial number that is transmitted with each message. That serial number is encrypted with the "Family" key. This key is the *same* for every chip. You gain that key and you can track when and for how long any person or groups of people calls *anyone* else. (Easy to do, since any LE agency can gain the 'family' key with a search warrant. It would leak easily into other hands.) One last fishy thing is that AT&T has already (on the same day) announced phones with this chip. This implies (means?) that AT&T has known about this chip for a while. They seem to be more concerned about getting a jump on the competition than producing a product that will actually give their users real security. 'Course, there is the question of collusion between the governement and industry. Only two companies will be allowed to manufacture the chip, VLSI and Mykotronix. Jeff Hendy, director of new product marketing for VLSI, says his company expects to make $50 million of the chip in the next 3 years. (This from the San Jose Mercury News.) Permission is granted to distribute this document to whomsoever you should desire. You may change it only if you send me the changes. Think Free, -- Defeat the Torin/Darren Stalder/Wolf __ Wiretap Chip Internet: dstalder@gmuvax2.gmu.edu \/ PGP2.x key available. Proposal! Bitnet: dstalder@gmuvax Finger me. Write me for Sprintnet: details. Snail: 10310 Main St., Suite 110/Fairfax, VA/22030/USA DISCLAIMER: A society where such disclaimers are needed is saddening.