Since I haven't seen this article float through the list, I hope John doesn't mind it being reposted. From: gnu@toad.com (John Gilmore) Newsgroups: alt.politics.org.nsa,comp.org.eff.talk Subject: Why is clipper worse than "no encryption like we have today"? Date: 27 Apr 94 08:50:17 GMT Organization: Cygnus Support, Mt. View, California Mike Tighe <tighe@convex.COM> wrote:
But the NSA is not going to control the keys, are they? I thought it was going to be under the control of two independent agencies. And even if they are leaked, how is that worse then the system we have today, where no keys are required?
It's worse because the market keeps moving toward providing real encryption. If Clipper succeeds, it will be by displacing real secure encryption. If real secure encryption makes it into mass market communications products, Clipper will have failed. The whole point is not to get a few Clippers used by cops; the point is to make it a worldwide standard, rather than having 3-key triple-DES with RSA and Diffie-Hellman become the worldwide standard. We'd have decent encryption in digital cellular phones *now*, except for the active intervention of Jerry Rainville of NSA, who `hosted' a meeting of the standards committee inside Ft. Meade, lied to them about export control to keep committee documents limited to a small group, and got a willing dupe from Motorola, Louis Finkelstein, to propose an encryption scheme a child could break. The IS-54 standard for digital cellular doesn't describe the encryption scheme -- it's described in a separate document, which ordinary people can't get, even though it's part of the official accredited standard. (Guess who accredits standards bodies though -- that's right, the once pure NIST.) The reason it's secret is because it's so obviously weak. The system generates a 160-bit "key" and then simply XORs it against each block of the compressed speech. Take any ten or twenty blocks and recover the key by XORing frequent speech patterns (like silence, or the letter "A") against pieces of the blocks to produce guesses at the key. You try each guess on a few blocks, and the likelihood of producing something that decodes like speech in all the blocks is small enough that you'll know when your guess is the real key. NSA is continuing to muck around in the Digital Cellular standards committee (TR 45.3) this year too. I encourage anyone who's interested to join the committee, perhaps as an observer. Contact the Telecommunications Industry Association in DC and sign up. Like any standards committee, it's open to the public and meets in various places around the country. I'll lend you a lawyer if you're a foreign national, since the committee may still believe that they must exclude foreign nationals from public discussions of cryptography. Somehow the crypto conferences have no trouble with this; I think it's called the First Amendment. NSA knows the law here -- indeed it enforces it via the State Dept -- but lied to the committee. -- John Gilmore gnu@toad.com -- gnu@cygnus.com -- gnu@eff.org Can we talk in private? Join me in the Electronic Frontier Foundation. Not if the FBI and NSA have their way. Ask membership@eff.org how.