As Ms. Dorothy Denning explained, this is the intended "interface" between the Clipper and Law Enforcement (taken from her posting to "comp.risks"): 1. Family Key. F is embedded in every Clipper Chip, but like other chip keys, unknown to the people who use them. Only law enforcement will have a decoder box that allows the law enforcement field to be decrypted. Initially, there will be just one box, and it will be operated by the FBI. Read - FBI will have the Family Key (and thus will be able to get all the chip serial numbers, do traffic analysis etc). And later she "corrected" herself, adding: For the same reason as above, it is imperative that law enforcement be able to decode the law enforcement field in order to obtain E[K; U] and then decrypt this to get K. It is completely impractical to go the escrow agents for each conversation. Read - Law Enforcement (local, "global" - whatever) will have that Family Key as well, not only that "one box at FBI"... But it was obvious, wasn't it? 2) Unit Key. It is imperative that law enforcement get U. If they are tapping a line, there may be dozens of calls on that line per day.It would be totally impractical to have to go to the escrow agents to get the session key for each call. It would be impossible to do real-time decryption under that constraint. Read - a) Law Enforcement indeed will have your Unit key (and thus be able to decrypt whetever was sent through your chip, from the day one, till you throw your chip away). b) It's indeed physically possible thus for some corrupted Law Enforcement officials to "collect" the Unit Keys and to do all the bad things with them. c) Nobody seems to be concerned about it. 3) Question about agencies capable of decrypting all the future traffic of once-suspected individual: After a tap has been completed, government attorneys are required to notify the subjects of the electronic surveillance. At that point, the subjects are certainly free to purchase a new device with a new chip, or perhaps the vendors could simply replace the chip. Read - if they won't forget to notify you, that your phone was tapped, feel free to shell another $XXX bucks for a new chip/phone... Keep doing that until either they, or you get tired... 4) Question about whether there's time component in the cipher. Reasons for it - since wiretaps are authorized ONLY for certain time periods with both start and end dates specified, it should not be possible to be able to decrypt the traffic outside of this frame. I am unaware of any time component. Current wiretap laws protect against this. Evidence collected after the warrant has expired can be thrown out in court. In addition, it is illegal for the service provider to implement an intercept after a warrant has expired.With the new technologies,law enforcers will be incapable of executing a tap without the assistance of the service provider. Read - just as we assumed, once your key is compromised (ouch! I mean - disclosed :-), whatever "they" bothered to record, is now open... Well, of course it won't be legal, but then there are many things beyond the law (:-)... 5) Question about potential weakness, which may be lurking behind the "classified" stamp of the algorithm, known thus only to those "cleared" to know. The NSA has a long record of success with crypto, far better than any individual or organization in the public community. In addition, there are plans to bring in expert cryptographers to assess the algorithm. Read - she's ignorant of academia/industry crypto successes? (:-) That's all folks! [For now :-] Regards, Uri. ------------ <Disclaimer>