Mike Ingle <MIKEINGLE@delphi.com> asked some penetrating questions about Clipper function, that deserve to be brought up again:
Technical question: from what I've read, Clipper is only a single- key system, basically an 80-bit super-DES. So when you hit the SECURE button on your AT&T ClipperPhone, how do the phones exchange session keys? DH exchange or something similar? Is this implemented in the Clipper chip itself, or in external hardware?
The following is based on some very faintly remembered technical data once circulated by D. Denning. I'd be appreciative if anyone can point out where it is located or elaborate on my description below. The Clipper chip does *not* implement key exchange. It is essentially nothing but a low-level encryption device. I would like to see the specifications that are supposedly available or will be soon (I got the impression that E. Hughes got some kind of Clipper specifications at one point, a long time ago). However, as I understand it the chip sends out the law enforcement exploitation field (LEEF) (the beautifully apropos term `exploitation' has now been replaced with Access) along with the encrypted data to the chip pins. Now, two Clipper chips will *not* work in conjuction with each other unless each is fed a valid LEEF from the other. However, since the chip does not accomplish this function (the communication, that is; it does *create* the field), and it is handled outside the chip, there is no guarantee that the system designer does not, for example, encrypt the LEEF in the communications transit, thereby completely sabotaging the `exploitative' tappability of the chip. Hence there is a *very* real possibility that this scheme, or something similar, could be used to gain Skipjack-level encryption without any key escrow complications. I suspect the NSA is *extremely* worried about this. They probably require that the chip purchaser promise to use Clipper in a way that guarantees the LEEF is accessable (plaintext). They may even create a contractual obligation wherein the surrounding device (telephone or whatever) cannot be approved for sale until it passes an NSA endorsed tapping test. (what fun!) I consider this all very plausible and probable. (This would be a neat trick -- use the chip itself to encrypt LEEF fields -- hah! twist an insecure chip into a secure one, and spit in the face of the NSA!) The NSA probably would rather *not* come out with a Clipper type chip because of the above weakness. But this is the absolute lowest level chip they can get away with. There are many applications that would reject a more sophisticated chip -- Clipper is already expensive enough as it is. However, the Capstone chip *does* have key exchange functions built in -- it uses Diffie Hellman, apparently. And I consider it likely that the LEAF field transfer cannot be thwarted in the above way. This is a do-everything chip with exponentiation and the DSA algorithm built in. All these sweet-looking contortions to support `public debate' on the Clipper proposal are rather pathetic given that the Capstone has been in development for many years. Is there really any chance that its production would be derailed by some annoying public comments? I certainly hope so, but it's not a pretty picture. Note that early in the Clipper debate, D. Denning and others were vague on the Capstone and Clipper key exchange function. That's because Clipper didn't have it, and Capstone used Diffie Hellman. Now, as we are so familiar with, PKP holds a iron-fisted, vice-lock grip on *all* public key cryptography. The government is supposedly able to use the patented technology without prior arrangement (I believe this is a qualification of the NSF research grants that led to the patents?) but the chips would still not be able to be used in *commercial* arrangements (the whole point) without a PKP agreement. Hence, it was *absolutely critical* that the government get the *official endorsement* of PKP and a legal arrangement to allow the use of public key cryptography in the Capstone and Clipper arrangements. The wretched announcement was just a matter of time -- what was so surprising was that PKP also got awarded a new iron-fisted, vice-lock grip on the Digital Signature Standard. Apparently, the incredibly lucrative revenues from public key licensing on Clipper and Capstone alone just didn't cut it. Conspiracy theorists can easily believe that this outrageous, scheming arrangement was made *far prior* to its actual announcement (June? I forget), and there is a lot of circumstantial evidence to support this. The NSA's goal with Clipper and Capstone was *commercial* from the *very beginning* -- now *officially* confirmed as at least 3 years! -- and they would be first to make sure it wasn't thwarted by those pesky patents everyone else has to break their shins on. In fact, going just a bit further, there is a lot of circumstantial evidence that PKP is very closely allied with the NSA in various ways. How is it one company has gotten public key patents that were developed at two different universities (Stanford & MIT) and diverse researchers (Diffie, Hellman, Rivest, Shamir, Adleman)?! Why is the government so eager to grant them a critical *new* cryptgraphic algorithm stranglehold with DSA? [key exchange]
Is the format standardized? If not, there will be plenty of interoperability problems with the first generation of phones. For that matter, there will probably be problems even if it is standardized.
About the only company ready for Clipper chips is AT&T, and I think they are using Diffie Hellman key exchange currently with some proprietary algorithms (they have a license on Public Key directly from PKP already) in their secure phones. I suspect any companies that come out with new phone encryption equipment based on Clipper, if any are insane enough to exist, will try to be compatible with the AT&T `standard' (ug). As far as I know AT&T has not published their own key exchange standard used by the phones, however. That is, it is proprietary, and might even be protected by patents of their own! This is a rare occasion where incompatibility is something to beam about!