Quoting Martin Helmann as forwarded by Steve Belloving and Phil Karn: she [Denning -sommerfeld] says the message is not double encrypted. The system key (or family key as she was told it is called) only encrypts the serial number or the serial number and the encrypted unit key. This is not a major difference, but I thought it should be mentioned and thank her for bringing it to my attention. This sounds pretty unlikely to me -- if the message isn't double-encrypted, the "tags" could be separated from the ciphertext without too much effort. Of course, it's not clear whether the receiving system checks the serial number, or whether the serial number is factored into E[M;K]; conceivably, those things could be reconstituted on the other end if the receiving wiretap chip needed them.. - Bill