more info from talk at MIT yesterday.
The folks from the NSA said the following about key generation:

- each escrow agency provides a "seed key", seed1 and seed2
- the box which programs the chip generates two random keys, random1 and random2
- for each chip programmed during that batch (which is "12 to 14 hours of production"), the box computes a classified deterministic function (U1, U2) = F(serial, random1, random2, seed1, seed2) to generate the unit keys

They did *not* explicitly say that the random seeds were destroyed at the end of the production run.

Also, someone asked "How do we know that the unit key isn't a hash function of the chip serial number?" The answer was: "You don't".

They also confirmed Tom Knight's suspicions about what they're going to do when someone reverse engineers the chip and publishes the Skipjack algorithm & the family key: they've got a patent application filed, under a secrecy order; if the algorithm is published, they'll lift the secrecy order and have the patent issued, and use that to go after anyone making a compatible version.

They also had a comment that they considered Blaze's findings to be mostly irrelevant, as the only people who would use it would be persons who *didn't* trust the escrow system, but *did* trust the algorithm...

- Bill
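An added illustration of the key-generation flow described in the message above; it is not part of the original post and is not the classified function. F is replaced by HMAC-SHA256 as a stand-in, and every name, seed and serial number here is constructed. It shows why destruction of the batch inputs matters: with a deterministic F, whoever retains them can recompute each chip's unit keys from its serial number alone.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 10  # Skipjack keys are 80 bits


def stand_in_F(serial, random1, random2, seed1, seed2):
    """Deterministic stand-in for the classified F (assumption: HMAC-SHA256)."""
    key = seed1 + seed2 + random1 + random2
    msg = serial.to_bytes(4, "big")
    u1 = hmac.new(key, b"U1" + msg, hashlib.sha256).digest()[:KEY_LEN]
    u2 = hmac.new(key, b"U2" + msg, hashlib.sha256).digest()[:KEY_LEN]
    return u1, u2


class ProgrammingBox:
    """One production batch: two escrow-agency seeds plus two box-generated randoms."""

    def __init__(self, seed1, seed2):
        self.seed1, self.seed2 = seed1, seed2
        self.random1 = secrets.token_bytes(KEY_LEN)
        self.random2 = secrets.token_bytes(KEY_LEN)

    def program_chip(self, serial):
        return stand_in_F(serial, self.random1, self.random2, self.seed1, self.seed2)

    def batch_state(self):
        # What survives the run if the inputs are not destroyed.
        return (self.random1, self.random2, self.seed1, self.seed2)

    def destroy_batch_state(self):
        self.random1 = self.random2 = self.seed1 = self.seed2 = None


def recompute_from_retained_state(state, serial):
    """Rebuild a chip's unit keys without access to the chip or either escrow database."""
    random1, random2, seed1, seed2 = state
    return stand_in_F(serial, random1, random2, seed1, seed2)


def demo():
    box = ProgrammingBox(seed1=b"constructed-seed-1", seed2=b"constructed-seed-2")
    serials = [1001, 1002, 1003]  # constructed serial numbers
    escrowed = {s: box.program_chip(s) for s in serials}
    retained = box.batch_state()      # a copy kept before the box is wiped
    box.destroy_batch_state()
    recovered = {s: recompute_from_retained_state(retained, s) for s in serials}
    return escrowed, recovered
```

From outside the box, the resulting keys look the same whether the randoms were fresh, retained, or absent altogether, which is the point of the "You don't" answer quoted above.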
Bill Sommerfeld says:
They also had a comment that they considered Blaze's findings to be mostly irrelevant, as the only people who would use it would be persons who *didn't* trust the escrow system, but *did* trust the algorithm...
Since the stated purpose of a voluntary key escrow system is to provide government tested cryptography that cannot be used against the government, Matt's result hurts the STATED purpose of the technology. Naturally they would be unwilling to admit this.

Perry
Bill Sommerfeld says:
They also confirmed Tom Knight's suspicions about what they're going to do when someone reverse engineers the chip and publishes the Skipjack algorithm & the family key: they've got a patent application filed, under a secrecy order; if the algorithm is published, they'll lift the secrecy order and have the patent issued, and use that to go after anyone making a compatible version.
Since when can the government patent its work? I thought that works produced by government agencies could not be copyrighted or patented. In any case, they cannot refuse to license a patent, so this isn't real protection anyway. (The hope behind people patenting things they may release in the future is to make it commercially less attractive, not to utterly prevent use.)

Perry
Bill Sommerfeld says:
They also confirmed Tom Knight's suspicions about what they're going to do when someone reverse engineers the chip and publishes the Skipjack algorithm & the family key: they've got a patent application filed, under a secrecy order; if the algorithm is published, they'll lift the secrecy order and have the patent issued, and use that to go after anyone making a compatible version.
An interesting variant of this tactic might be for the folks who reverse engineer Clipper/SkipJack to go off and patent it in *other* countries, thus making it impossible to sell or use Clipper outside of the USA.

Adam
Excerpts from internet.cypherpunks: 3-Jun-94 Re: more info from talk at .. by Adam Shostack@bwh.harvar
Bill Sommerfeld says:
They also confirmed Tom Knight's suspicions about what they're going to do when someone reverse engineers the chip and publishes the Skipjack algorithm & the family key: they've got a patent application filed, under a secrecy order; if the algorithm is published, they'll lift the secrecy order and have the patent issued, and use that to go after anyone making a compatible version.
An interesting variant of this tactic might be for the folks who reverse engineer Clipper/SkipJack to go off and patent it in *other* countries, thus making it impossible to sell or use Clipper outside of the USA.
Or to just write the software/burn the chips in other countries and freely distribute the code/plans. Either way, the U.S. patent is compromised.

Jer

darklord@cmu.edu | "it's not a matter of rights / it's just a matter of war
finger me for my | don't have a reason to fight / they never had one before"
Geek Code and    | -Ministry, "Hero"
PGP public key   | http://www.cs.cmu.edu:8001/afs/andrew.cmu.edu/usr25/jbde/
Adam Shostack says:
An interesting variant of this tactic might be for the folks who reverse engineer Clipper/SkipJack to go off and patent it in *other* countries, thus making it impossible to sell or use Clipper outside of the USA.
That might work. Many other countries follow "first to file" rather than "first to invent".

Perry
Date: Fri, 3 Jun 1994 09:57:36 -0400
From: sommerfeld@localhost.medford.ma.us (Bill Sommerfeld)

They [The NSA] also had a comment that they considered Blaze's findings to be mostly irrelevant, as the only people who would use it would be persons who *didn't* trust the escrow system, but *did* trust the algorithm...

- Bill

OOOooooo. I think this means one had better use superencryption of one kind or another with Clipper at all times. Pardon me if this is redundant, but has anybody done any differential analysis of, say, DES (or 3DES) under Clipper, to see if it weakens?
participants (6)
- Adam Shostack
- Bradley C Wallet
- Eric_Weaver@avtc.sel.sony.com
- Jeremiah A Blatz
- Perry E. Metzger
- sommerfeld@localhost.medford.ma.us