Faster way to deescrow Clipper
The attack posted here uses a brute-force search to find a phony LEAF which has a valid checksum. Instead, why not just initialize the chip with a session key and get the LEAF. Reset the chip and initialize it with a different session key, but send the first LEAF instead of the second one. The LEAF would look good unless you tried to decrypt the session key. The wrong-IV problem would remain. The NSA should have designed the Clipper so that, if the IV was wrong, the chips would not accept the LEAF. They also should have used a much larger (32-bit or even 64-bit) checksum. --- Mike
Mike Ingle says:
The attack posted here uses a brute-force search to find a phony LEAF which has a valid checksum. Instead, why not just initialize the chip with a session key and get the LEAF. Reset the chip and initialize it with a different session key, but send the first LEAF instead of the second one.
An interesting idea.
The LEAF would look good unless you tried to decrypt the session key. The wrong-IV problem would remain. The NSA should have designed the Clipper so that, if the IV was wrong, the chips would not accept the LEAF.
That can't be done, I'm afraid. It's way too difficult to distinguish a bad IV from line noise nuking the first block of your CBC conversation.
They also should have used a much larger (32-bit or even 64-bit) checksum.
Matt suggests precisely that in his paper. Perry
"Perry E. Metzger" says:
Mike Ingle says:
The attack posted here uses a brute-force search to find a phony LEAF which has a valid checksum. Instead, why not just initialize the chip with a session key and get the LEAF. Reset the chip and initialize it with a different session key, but send the first LEAF instead of the second one.
An interesting idea.
As I've now found out (I forwarded the message to Matt -- his paper wasn't clear on this point) this won't work. As I've said in other messages, session keys are an element of the method used to generate the checksum buried in the LEAF. Perry
Mike:
The attack posted here uses a brute-force search to find a phony LEAF which has a valid checksum. Instead, why not just initialize the chip with a session key and get the LEAF. Reset the chip and initialize it with a different session key, but send the first LEAF instead of the second one. The LEAF would look good unless you tried to decrypt the session key. The wrong-IV problem would remain. The NSA should have designed the Clipper so that, if the IV was wrong, the chips would not accept the LEAF. They also should have used a much larger (32-bit or even 64-bit) checksum.
Because if *your* key really generates the LEAF, then they have your ID in the LEAF, no matter if it is sent properly or not. They might not be able to decrypt the communications, but they still get your ID. If you randomly generate a LEAF that works, odds are that the decrypted value will not be your ID. (If you could consistently choose random blocks such that your ID appears when it is decrypted, I would say that you have found a hole in Skipjack :-) -derek
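The three points argued above (Mike's brute-force cost and checksum width, Perry's observation that the session key is an input to the checksum so a replayed LEAF is rejected, and Derek's observation that a brute-forced LEAF decrypts to somebody else's unit ID) can be checked against a toy model. The following is an added example, not code from this thread, from Blaze's paper, or from any Clipper implementation. Skipjack, the unit-key wrapping and the real checksum function are not public, so every primitive below is a stand-in built from SHA-256 and HMAC, and feeding the IV into the checksum is an assumption of the model; only the field widths (32-bit unit ID, 80-bit wrapped session key, 16-bit checksum, 128-bit LEAF) follow the public description, and all keys and IDs are constructed.

```python
"""Toy model of the LEAF checks discussed in this thread (added example).

Every primitive is a stand-in (SHA-256/HMAC); only the field widths follow
the public description of the LEAF. Keys and unit IDs are constructed.
"""
import hashlib
import hmac
import random

LEAF_BYTES = 16          # 128-bit LEAF
SESSION_KEY_BYTES = 10   # 80-bit Skipjack session key
IV_BYTES = 8
CHECKSUM_BITS = 16       # the width the brute-force attack exploits


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _family_keystream(family_key: bytes) -> bytes:
    # Stand-in for "encrypt under the family key": a fixed keystream derived
    # from it. A real chip uses Skipjack; the toy only needs invertibility.
    return hashlib.sha256(b"family" + family_key).digest()[:LEAF_BYTES]


def leaf_checksum(family_key: bytes, session_key: bytes, iv: bytes,
                  n_bits: int = CHECKSUM_BITS) -> int:
    """Model checksum: keyed MAC over (session key, IV), truncated to n_bits.
    The real function is undisclosed; the attack only needs its width and the
    fact that the session key is one of its inputs. Using the IV is an
    assumption of this model."""
    mac = hmac.new(family_key, session_key + iv, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") & ((1 << n_bits) - 1)


def build_leaf(family_key: bytes, unit_key: bytes, unit_id: int,
               session_key: bytes, iv: bytes) -> bytes:
    """Sending chip: wrap the session key under the unit key, append unit ID
    and checksum, encrypt the whole 128-bit field under the family key."""
    wrap_pad = hashlib.sha256(b"unit" + unit_key).digest()[:SESSION_KEY_BYTES]
    plain = (unit_id.to_bytes(4, "big")
             + _xor(session_key, wrap_pad)
             + leaf_checksum(family_key, session_key, iv).to_bytes(2, "big"))
    return _xor(plain, _family_keystream(family_key))


def open_leaf(family_key: bytes, leaf: bytes):
    """Decrypt under the family key: (unit_id, wrapped_key, checksum)."""
    plain = _xor(leaf, _family_keystream(family_key))
    return (int.from_bytes(plain[:4], "big"), plain[4:14],
            int.from_bytes(plain[14:16], "big"))


def make_acceptance_oracle(family_key: bytes, session_key: bytes, iv: bytes):
    """Receiving chip's check as a black box the attacker can query. The chip
    holds the family key and the session key agreed out of band, so it can
    recompute the checksum; it has no unit key, so the wrapped session key
    is never verified at all."""
    expected = leaf_checksum(family_key, session_key, iv)

    def accepts(leaf: bytes) -> bool:
        return open_leaf(family_key, leaf)[2] == expected
    return accepts


def forge_leaf(accepts, rng: random.Random, limit: int = 1 << 22):
    """Brute force: feed random LEAFs to the oracle until one passes. Each
    trial succeeds with probability 2**-n, so the expected trial count is
    2**n (65536 for n=16); at 32 or 64 bits the same loop is impractical."""
    for tries in range(1, limit + 1):
        candidate = rng.getrandbits(8 * LEAF_BYTES).to_bytes(LEAF_BYTES, "big")
        if accepts(candidate):
            return candidate, tries
    raise RuntimeError("no forgery found within the trial limit")


def run_demo(seed: int = 1) -> dict:
    rng = random.Random(seed)  # constructed, deterministic inputs
    rb = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    family_key, unit_key, unit_id = rb(16), rb(SESSION_KEY_BYTES), 0x00C0FFEE
    k1, iv1 = rb(SESSION_KEY_BYTES), rb(IV_BYTES)
    k2, iv2 = rb(SESSION_KEY_BYTES), rb(IV_BYTES)

    # Mike's idea: a genuine LEAF made under K1, replayed in a session under K2.
    leaf1 = build_leaf(family_key, unit_key, unit_id, k1, iv1)
    genuine_ok = make_acceptance_oracle(family_key, k1, iv1)(leaf1)
    replay_ok = make_acceptance_oracle(family_key, k2, iv2)(leaf1)

    # Brute force against the K2 session: the forgery carries a random unit ID.
    accepts = make_acceptance_oracle(family_key, k2, iv2)
    forged, tries = forge_leaf(accepts, rng)
    return {
        "genuine_accepted": genuine_ok,
        "replay_accepted": replay_ok,
        "forgery_tries": tries,
        "forged_accepted": accepts(forged),
        "forged_unit_id": open_leaf(family_key, forged)[0],
        "real_unit_id": unit_id,
        "expected_trials": {n: 1 << n for n in (16, 32, 64)},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The replay is rejected because the checksum the receiving chip recomputes from K2 does not match the one inside a LEAF built under K1, which is Perry's objection; the forged LEAF is accepted after roughly 2**16 random trials, and its unit ID field is random, which is Derek's point that a brute-forced LEAF does not carry the attacker's own ID. Raising CHECKSUM_BITS to 32 or 64 leaves the same code correct but makes the loop in forge_leaf impractical.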
Derek Atkins <warlord@MIT.EDU> says (Thu, 02 Jun 1994 20:01:10 -0400, cc: cypherpunks@toad.com):
...not be able to decrypt the communications, but they still get your ID.
"your ID"? You mean your phone's ID. Goodness gracious, if you were a criminal, you wouldn't go out and steal someone else's Clipper phone, would you? Let's not get too high tech here, just because we have the ability.
-russ <nelson@crynwr.com>
Crynwr Software, 11 Grant St., Potsdam, NY 13676 | +1 315 268 1925 (9201 FAX) | ftp.msen.com:pub/vendor/crynwr/crynwr.wav
Crynwr Software sells packet driver support | ask4 PGP key | Quakers do it in the light | LPF member - ask me about the harm software patents do.
This might seem like a naive question, but I'm having a little trouble with the NSA's logic... they are offering Clipper as an international standard, because an international standard is necessary. However, other forms of encryption will still be legally available. Clipper includes the "wiretapping" feature because the government has the right and the need to look into individuals' private correspondence in select circumstances. However, the NSA recognizes that anyone who wants to encode information in ways that can't be wiretapped will be able to do so cheaply and easily (according to their statement in the New York Times piece). Assuming we take the NSA at its word (i.e. that Clipper is only meant to be a voluntary standard, and is not being introduced as an initial step towards a mandatory standard with "wiretapping" capabilities), then why does it make sense to introduce Clipper, rather than go with something like PGP, which has become a de facto international standard already?
Let me preface this with the statement that "this is according to the NSA personnel who spoke at MIT a day ago"... Having said that:

The NSA claims that they were asked to design an encryption algorithm for government use that can be used securely by the government but cannot be used against the government. In order to accomplish this (according to the NSA -- see the pattern yet? ;-) they developed a secure algorithm (a-t-t-NSA), but put it in a package such that it cannot be used without the key-escrow system. It is this key-escrow system that provides the functionality that "it cannot be used against the government" (NSA-person's words, not mine).

I think the idea was that the government itself cannot operate without a government standard, so the NSA was asked to create one, and they did. They also said that the key escrow system was not designed to catch criminals, but to deter criminals from using the Skipjack encryption algorithm (which they claim has no trap doors, and is very secure).

In a private conversation afterwards, I asked about the fact that once the two escrowed keys get discovered, say via a legal wiretap, then my key is no good anymore. They claimed that you can only read the data by using a special box such that this box gets inputs from all the escrow agencies and the law enforcement agency and outputs the conversation, and that you cannot extract the key information from this box. I replied in the standard manner: Show me this box and prove that it has these properties. Their response was, of course, that they could not do so, and that I had to trust them. When I said that I couldn't do that, the NSA employee suggested that I use PGP! :-)

Anyways, I hope this sheds a little light (and maybe a little darkness ;-) on the subject. Flames to me personally, please!
-derek Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) Home page: http://www.mit.edu:8001/people/warlord/home_page.html warlord@MIT.EDU PP-ASEL N1NWH PGP key available
participants (5)
- Derek Atkins
- Edward Hirsch
- Mike Ingle
- nelson@crynwr.com
- Perry E. Metzger