Tom Knight is correct that the key generation process is a good place to hide a weakness. If I remember correctly, the chip's key is generated directly from it's ID number by padding it with 160 random bits and encrypting the whole mess. 80 bits of the result becomes the key. Obviously, if you can keep a copy of the 160 bits of padding, then you can regenerate the chip's local key without calling up the key-escrow fascility. Apparently, an early document said that each collection of padding would be used for a batch of 300 chips. So if you can keep a list of these padding bits, then you're set... (Disclosure: This data came from the hip, not from documents.) -Peter