I presume that Hellman meant to say "K1 and K2, and thence UK" in place of "K1 and K2, and thence K"; at least it makes sense that way.

A later posting from Hellman (I think) emended the description of the transmitted message from

    E{ E[M; K], E[K; UK], serial number; SK }

to

    E[M; K], E{ E[K; UK], serial number; SK }

If you know SK then you can compute (E[K; UK], serial number). Then, knowing UK (= K1+K2), you can compute K, from which you get M via E[M; K].
Please excuse some questions from a somewhat crypto-naive person, but I'd like to try to understand this thing a little better so I don't make any stupid goofs if I talk about it.

I presume that we can simply consider this 'universal' key as if it didn't exist? Well, actually, I suppose it prevents 'joe average' from getting the serial number, but certainly not foreign agents or any criminal who has motivation to get it(*). After all, a secret known by more than one person will not remain a secret long, and this one is going to be known by thousands. Why even bother with it? It seems like it just adds compute overhead that could be better used for other things.

(* I assume the TLAs get it legally)

The fact that the serial number is effectively in the clear then means that traffic analysis attacks can glean information for anyone who can get at the phone lines, yes? Even if the states were to outlaw caller id, these tapper phones would reintroduce that level of traceability. Even worse, in some ways, since your tapper 'identity' goes with you if you change phone numbers as long as you keep your old phone.

Finally, can anyone explain to me how this thing /works/, at the simple 'this is what you do with this key' level of description of how RSA works? I can't figure out how two phones can communicate with each other without compromising one key or another, since RSA does /not/ seem to be involved in this (there is no public key registry, right?) Sorry if this is a dumb question . . .

-- david
david@staff.udc.upenn.edu
It occurred to me that the "clipper chip" makes it easier for the government to tap voice telephone trunks & do traffic analysis.

Current long-haul phone technology uses out-of-band signalling on different, reportedly encrypted, trunks, so to make any sense out of the data trunks you also have to listen in on the signalling trunks and correlate what you record there with what you record off the data trunks.

With the wiretap chip in place, all they need to do is to "surf" the data trunks looking for the encrypted serial number of the devices they're interested in. Depending on what the encryption tag blocks *really* look like, you might not even need SK in order to do traffic analysis.

Even if the tag blocks are built with confounders and similar randomness included to discourage ciphertext matching, the SK can be found in *every single chip* and it's only a matter of time before someone gets it, either by electron microscope or by bribing some of the hundreds of people likely to have access to the key.

- Bill
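As an added illustration (example code written for this archive page, not code from any of the posters, and not the chip's real algorithm): a small Python model of the message layout norm spells out, E[M; K] followed by E{ E[K; UK], serial number; SK }, with the two tapping paths david asks about and Bill describes. Assumptions beyond what the thread states: the cipher E is a throwaway XOR stream cipher keyed through SHA-256; "UK = K1+K2" is taken to mean XOR of the two escrow halves; key and serial field widths are arbitrary; and the optional "confounder" Bill mentions is modelled as an 8-byte random nonce carried in the clear in front of the tag and mixed into the SK keystream.

```python
"""Toy model of the Clipper-style message layout described in this thread:

    transmission = E[M; K]  ||  tag
    tag          = E{ E[K; UK], serial number ; SK }

Names follow the posts. E is a throwaway XOR stream cipher keyed through
SHA-256 (assumption: NOT the chip's real cipher), UK = K1 + K2 is modelled
as XOR (assumption), and field widths are arbitrary. Example code added to
the archive page, not code from any of the posters.
"""
import hashlib
import os

KEY_LEN = 16      # bytes for K and UK (arbitrary)
SERIAL_LEN = 4    # bytes for the chip serial number (arbitrary)
NONCE_LEN = 8     # optional confounder carried in the clear before the tag


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(data: bytes, key: bytes, nonce: bytes = b"") -> bytes:
    """E[data; key]: XOR with a SHA-256-derived keystream. Decryption is the
    same call. With an empty or fixed nonce the keystream is fully
    deterministic for a given key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor(data, bytes(stream))


def split_unit_key(uk: bytes) -> tuple[bytes, bytes]:
    """Escrow halves K1, K2 with K1 + K2 = UK; either half alone is useless."""
    k1 = os.urandom(len(uk))
    return k1, xor(uk, k1)


def join_unit_key(k1: bytes, k2: bytes) -> bytes:
    return xor(k1, k2)


class Chip:
    """One device: its own serial number and UK, plus the SK every chip shares."""

    def __init__(self, serial: int, uk: bytes, sk: bytes):
        self.serial = serial.to_bytes(SERIAL_LEN, "big")
        self.uk = uk
        self.sk = sk

    def transmit(self, message: bytes, session_key: bytes,
                 confounder: bool = False) -> tuple[bytes, bytes]:
        """Return (E[M; K], tag). With confounder=True a random nonce is mixed
        into the SK keystream so two tags from this chip never match; without
        it the nonce field is all zeros and the tag is deterministic."""
        body = E(message, session_key)
        inner = E(session_key, self.uk) + self.serial          # E[K; UK], serial
        nonce = os.urandom(NONCE_LEN) if confounder else bytes(NONCE_LEN)
        return body, nonce + E(inner, self.sk, nonce)           # E{ ... ; SK }


def open_tag(tag: bytes, sk: bytes) -> tuple[bytes, bytes]:
    """Anyone holding SK strips the outer layer and gets (E[K; UK], serial).
    No UK is involved, which is why the serial is 'effectively in the clear'
    for whoever has SK."""
    nonce, blob = tag[:NONCE_LEN], tag[NONCE_LEN:]
    inner = E(blob, sk, nonce)
    return inner[:-SERIAL_LEN], inner[-SERIAL_LEN:]


def serial_from_tag(tag: bytes, sk: bytes) -> int:
    """Traffic-analysis view: SK alone identifies which chip sent this."""
    return int.from_bytes(open_tag(tag, sk)[1], "big")


def recover_message(body: bytes, tag: bytes, sk: bytes, k1: bytes, k2: bytes) -> bytes:
    """Escrow path: SK -> E[K; UK]; K1 + K2 -> UK -> K; K -> M."""
    enc_k, _serial = open_tag(tag, sk)
    k = E(enc_k, join_unit_key(k1, k2))
    return E(body, k)


def tags_match_without_sk(tag_a: bytes, tag_b: bytes) -> bool:
    """Bill's stronger point: with no confounder the serial sits at a fixed
    offset under a fixed keystream, so its ciphertext bytes are identical for
    every call from the same chip. A listener can link traffic to one chip by
    comparing those bytes and never needs SK at all."""
    return tag_a[-SERIAL_LEN:] == tag_b[-SERIAL_LEN:]


if __name__ == "__main__":
    sk = b"same-SK-in-every-chip!!!"[:KEY_LEN]
    uk = os.urandom(KEY_LEN)
    k1, k2 = split_unit_key(uk)
    chip = Chip(0x0001A2B3, uk, sk)
    body, tag = chip.transmit(b"hello", os.urandom(KEY_LEN))
    print("serial via SK only:", hex(serial_from_tag(tag, sk)))
    print("message via SK+K1+K2:", recover_message(body, tag, sk, k1, k2))
```

Three things fall out of running it. `serial_from_tag` needs only SK, so whoever has the family key gets the serial of every transmission and nothing else; `recover_message` additionally needs both escrow halves before K, and therefore M, comes out. And `tags_match_without_sk` shows the case Bill raises: with deterministic tags (no confounder) the ciphertext bytes over the serial repeat, so calls from one chip can be linked with no key at all, while the confounder breaks that matching but does nothing about a listener who has obtained SK.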
participants (3): Bill Sommerfeld, david@staff.udc.upenn.edu, norm@netcom.com