Subject: Clipper Chip Most of you have seen the announcement in Friday's NY Times, etc. about NIST (National Institute of Standards & Technology) announcing the "Clipper Chip" crypto device. Several messges on the net have asked for more technical details, and some have been laboring under understandable misunderstandings given the lack of details in the news articles. So here to help out is your friendly NSA link: me. I was somewhat surprised Friday to get a call from the Agency which supplied many of the missing details. I was told the info was public, so here it is (the cc of this to Dennis Branstad at NIST is mostly as a double check on my facts since I assume he is aware of all this; please let me know if I have anything wrong): The Clipper Chip will have a secret crypto algorithm embedded in Silicon. Each chip will have two secret, 80-bit keys. One will be the same for all chips (ie a system-wide key) and the other will be unit specific. I don't know what NIST and NSA will call them, but I will call them the system key SK and unit key UK in this message. The IC will be designed to be extremely difficult to reverse so that the system key can be kept secret. (Aside: It is clear that they also want to keep the algorithm secret and, in my opinion, it may be as much for that as this stated purpose.) The unit key will be generated as the XOR of two 80-bit random numbers K1 and K2 (UK=K1+K2) which will be kept by the two escrow authorities. Who these escrow authorities will be is still to be decided by the Attorney General, but it was stressed to me that they will NOT be NSA or law enforcement agencies, that they must be parties acceptable to the users of the system as unbiased. When a law enforcement agency gets a court order, they will present it to these two escrow authorities and receive K1 and K2, thereby allowing access to the unit key UK. In addition to the system key, each user will get to choose his or her own key and change it as often as desired. Call this key plain old K. When a message is to be sent it will first be encrypted under K, then K will be encrypted under the unit key UK, and the serial number of the unit added to produce a three part message which will then be encrypted under the system key SK producing E{ E[M; K], E[K; UK], serial number; SK} When a court order obtains K1 and K2, and thence K, the law enforcement agency will use SK to decrypt all information flowing on the suspected link [Aside: It is my guess that they may do this constantly on all links, with or without a court order, since it is almost impossible to tell which links over which a message will flow.] This gives the agency access to E[M; K], E[K; UK], serial number in the above message. They then check the serial number of the unit and see if it is on the "watch list" for which they have a court order. If so, they will decrypt E[K; UK] to obtain K, and then decrypt E[M; K] to obtain M. I am still in the process of assessing this scheme, so please do not take the above as any kind of endorsement of the proposed scheme. All I am trying to do is help all of us assess the scheme more knowledgably. But I will say that the need for just one court order worries me. I would feel more comfortable (though not necessarily comfortable!) if two separate court orders were needed, one per escrow authority. While no explanation is needed, the following story adds some color: In researching some ideas that Silvio Micali and I have been kicking around, I spoke with Gerald Gunther, the constitutional law expert here at Stanford and he related the following story: When Edward Levi became Pres. Ford's attorney general (right after Watergate), he was visited by an FBI agent asking for "the wiretap authorizations." When Levy asked for the details so he could review the cases as required by law, the agent told him that his predecessors just turned over 40-50 blank, signed forms every time. Levi did not comply and changed the system, but the lesson is clear: No single person or authority should have the power to authorize wiretaps (or worse yet, divulging of personal keys). Sometimes he or she will be an Edward Levi and sometimes a John Mitchell. Martin Hellman ======== And, his permission to repost. PLEASE NOTE HIS "RESTRICTION." --jim =======
participants (1)
-
Martin Hellman