Sidney Markowitz writes:

If that's the case, then 1) How does the second chip find out what the session key is? That's a separate protocol issue; Clipper doesn't do any key exchange itself, though Capstone does. Unless manufacturers are bullied/bribed into using a standard implementation, everyone will probably roll their own.

2) Doesn't the second chip also have to generate and send a LEAF, if for no other reason than to identify itself to the wiretappers, and if so won't that give away the session key if that chip's device is not also hacked?

If you use the same session key for both directions of the conversation, which most Clipperphones probably will, then yes, it's true. That means you can only have private conversations with other people who also care about privacy, which is somewhat appropriate. On the other hand, a big use of Clipper is traffic analysis, and Matt's method *will* prevent them from getting your Clipper serial number from your conversations, though they'll get the number for the other end if they're not also hacking LEAFs. That can be a big win, especially if the other end is a well-known person, like your local cellphone provider or president@whitehouse.gov. However, one danger of doing this for cellphone calls is that they might notice that calls from your cellphone keep having different LEAFs, and suspect that you're a Potential Troublemaker. 3) If all that is needed for this hack is a LEAF with a proper

checksum, why go through the brute force method of generating random LEAFs? Why not just buy (or steal or whatever) another Clippered device that you never use for real communication so the wiretappers have no record of who has that serial number, and get LEAFs from it? For that matter, why can't you obtain one LEAF from listening to anybody's Clippered transmission and use it over and over again?

The LEAF depends on the IV for the session, which depends on the session key. Therefore, it's probably different for each call; otherwise you *could* just reuse someone else's LEAF. (This should be obvious, but I wasn't thinking about it when I first read Matt's paper, though the "but the IV will be wrong so that won't work" had been a sufficient distraction for many of us when CLipper first came out.) Remember that they don't record Clipper chip keys when you buy your Clipperphone - otherwise stealing one would be effective. They record the chip-unique backdoor keys when they make the chip, so they can tap *any* conversation they hear without needing to keep track of who owns what phone. On the other hand, for cellphones, it's *real* easy to find out who uses a given chip, since the phone call setup protocols tell them what phone it's coming from, and they _can_ look that up with the phone company, so they can easily do that correlation. (If the Clipper chips are socketed, you could always swap them for occasional more-paranoid-but-still-tappable calls, but that would probably just annoy them.) Bill