Re: Black Eye for NSA, NIST, and Denning
At today's talk at MIT (Morris & Unkenholz of the NSA) Morris said several times that the escrow system had to be produced in a hurry, on top of the Skipjack algorithm, which was designed previously and 'sitting in a storeroom.' (boy, I'd like to FOIA that storeroom. :)
Gee, now that mab@research.att.com (Matt Blaze), knows where to find the checksum, and by extension the unit id (Which shows up on labels in photos on the literature from Mykotronx) - providing a known plaintext, maybe someone will start working on the family key? (I won't hold my breath waiting for it to be announced)
David Koontz says:
> Gee, now that mab@research.att.com (Matt Blaze), knows where to find the checksum,
Actually, he doesn't. He only knows how long it is, and what went into generating it. That is enough.
> and by extension the unit id (Which shows up on labels in photos on the literature from Mykotronx) - providing a known plaintext, maybe someone will start working on the family key?
Skipjack is presumably immune to such attacks except by brute force. I suspect that short of starting to reverse engineer the chip little enough is known to provide information on the plaintext sufficient to even know when you have cracked it. The encryption mode for the LEAF is said to be unusual. All these things bode poorly for such a crack. Perry
> Gee, now that mab@research.att.com (Matt Blaze), knows where to find the checksum, and by extension the unit id (Which shows up on labels in photos on the literature from Mykotronx) - providing a known plaintext, maybe someone will start working on the family key?
Matt's attack doesn't require knowing where the checksums and unit IDs are in the LEAF. Nor does it provide any insight into cracking Skipjack itself, which would be required to learn the family key. He simply determined that the chip will accept 1 out of every 65,536 randomly chosen LEAFs, which is a large enough fraction to make a brute force search for one quite practical -- especially since it only need be done once. Phil
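Phil's "1 out of every 65,536" figure, as an added toy model (this is not code from the thread, nor from any escrow chip): a receiver that accepts a 128-bit block whenever a 16-bit checksum recomputed from the shared session key matches, and a counter of how many random blocks it takes before one slips through. The checksum function itself is secret, so a truncated HMAC and a plain body-then-checksum layout are assumed here purely to give a 2^-16 false-accept rate; the point of the model is the work factor, and how it changes with the checksum width.

```python
import hmac
import hashlib
import random

LEAF_BITS = 128      # size of the LEAF block discussed in the thread
CHECKSUM_BITS = 16   # the 16-bit checksum Blaze's observation relies on


def leaf_checksum(session_key: bytes, body: bytes, bits: int) -> int:
    """Toy stand-in for the chip's checksum (the real one is not public).

    ASSUMPTION: an HMAC-SHA256 truncated to `bits` bits, chosen only so a
    random checksum matches with probability 2**-bits.
    """
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") >> (32 - bits)


class ToyChip:
    """Receiver side: accept a block only if its trailing checksum matches
    the one recomputed from the session key both ends already share."""

    def __init__(self, checksum_bits: int = CHECKSUM_BITS):
        self.bits = checksum_bits

    def accepts(self, session_key: bytes, leaf: bytes) -> bool:
        # ASSUMED toy layout: body || checksum. Nothing on the thread gives the
        # real internal layout; any fixed layout yields the same acceptance rate.
        value = int.from_bytes(leaf, "big")
        checksum = value & ((1 << self.bits) - 1)
        body = (value >> self.bits).to_bytes(len(leaf), "big")
        return leaf_checksum(session_key, body, self.bits) == checksum


def expected_trials(checksum_bits: int) -> int:
    """Mean number of random blocks tried before the receiver accepts one."""
    return 1 << checksum_bits


def random_block(rng: random.Random) -> bytes:
    return rng.getrandbits(LEAF_BITS).to_bytes(LEAF_BITS // 8, "big")


def search_accepted_block(chip: ToyChip, session_key: bytes, seed: int):
    """Draw random 128-bit blocks until the chip accepts one.

    Returns (block, trials). With a 16-bit checksum this averages 65,536
    checksum evaluations, the figure quoted above.
    """
    rng = random.Random(seed)   # seeded so the run is reproducible
    trials = 0
    while True:
        trials += 1
        candidate = random_block(rng)
        if chip.accepts(session_key, candidate):
            return candidate, trials


def acceptance_rate(chip: ToyChip, session_key: bytes, samples: int, seed: int) -> float:
    """Empirical fraction of random blocks the receiver accepts."""
    rng = random.Random(seed)
    hits = sum(chip.accepts(session_key, random_block(rng)) for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    ks = bytes(range(10))   # constructed 80-bit session key
    for bits in (8, 16):
        chip = ToyChip(bits)
        _, n = search_accepted_block(chip, ks, seed=1234)
        print(f"{bits}-bit checksum: accepted after {n} trials "
              f"(expected about {expected_trials(bits)})")
    print(f"a 32-bit checksum would need about {expected_trials(32)} trials")
```

The widths are the only knob that matters: each extra checksum bit doubles the expected search, which is the mitigation a stronger design would lean on rather than secrecy of the checksum function.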
Derek Atkins says:
> > brute force search for one quite practical -- especially since it only need be done once.
> actually, it needs to be done once per session key (i.e., when you change the session key, you need to re-issue a LEAF)
However, it can be done in advance, and you can conceivably reuse forged LEAFs. I've come up with what I believe to be a pretty good algorithm to prevent this problem. I would like to patent it so that I can then charge exorbitant sums of manufacturers should the technique be incorporated in a future EES design. Anyone know where I can find a cheap patent attorney? Perry
"Perry E. Metzger" says:
> However, it can be done in advance, and you can conceivably reuse forged LEAFs.
I will point out something that I didn't quite understand myself but have since discussed with Matt Blaze in some detail -- LEAF checksums are tied to session keys. You CAN do this in advance but only if your key exchange will permit you to generate your session keys in advance, too. Obviously, reusing forged LEAFs requires reusing session keys. Perry
The format of the LEAF block is public knowledge. Here is how it is formed:

[80-bit Session key Ks]  [16-bit #]  [32-bit chip ID]
[80-bit Unit Key Ku]
[80-bit {Ks}Ku]  [16b {#}Ks]  [32-bit chip ID]
[128-bit LEAF: {{Ks}Ku {#}Ks ID}Kf  (Kf == family key)]

Whether or not known plaintext will work is unclear, since you cannot get {#}Ks (you really don't know what it is outside the chip) and you also don't know what # is (it is, according to the NSA, a fixed number in all the chips).

Hope this helps.

-derek

Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
Home page: http://www.mit.edu:8001/people/warlord/home_page.html
warlord@MIT.EDU  PP-ASEL  N1NWH  PGP key available
Derek Atkins says:
> The format of the LEAF block is public knowledge. Here is how it is formed:
Er, the CONTENT of the LEAF block is approximately known (the method for computing the checksum is not public knowledge, for instance) but there isn't any public data (to my knowledge) on things like what the format of the block actually is. Perry