Clipper takes another hit...
Looks like the Clipper fan club is growing by leaps and bounds... PC/Computing, October 1993 Page 468 (opposite inside back cover). Note: _abc_ indicates italics. Illustration: several computers with keyholes in the screens. Clinton's smiling face rises from the White House, as a long arm reaches out with a key... ----------------------------------------------------------------- Penn Jillette Subterranean Clipper Chip Blues "Phone's tapped anyway." So do it for Dylan and for Jefferson (Airplane, Starship, and Thomas). I'VE NEVER HAD a sip of alcohol, nor any recreational drugs (not one puff to uninhale), but, being 38 years old, I feel I was part of the hippie culture. I was young and rural in the sixties, but my formative years were spent listening to music created by people who chased the muse down many chemical alleys. Top 40 radio blared that the government wasn't to be trusted. Dylan sang "Phone's tapped anyway," and his inflection said that was a bad thing. But even as I was sucking up the culture, my skeptical side said that all the "Tin soldiers and Nixon's coming..." stuff might be a little dramatic. Romanticizing living outside the law, coupled with the physiological effect of drugs, might be making these artists a little paranoid, a little nutty. The joke was kinda on me. Paranoid or not, John Lennon _was_ on Nixon and FBI hate lists, the Vietnam War probably _was_ a very bad idea, and the Watergate break-in and subsequent cover-up really _did_ happen. No government is to be trusted. I could have gotten a stronger lesson from the founding fathers, but they didn't have any records out. "You say you want a revolution?"..."The government that governs least governs best." Clinton is younger than any Rolling Stone (unless they replace Bill Wyman with a new bass player from his ex-wife's generation). It would seem that Bill _Jefferson_ Clinton would share the mistrust of Big Brother that we tapped our collective foot to. But remember, he's not Bob Dylan and Neil Young - he's Kenny G and Fleetwood Mac. Watch him. Willy picked up Bush's evil encryption Clipper Chip fascist football and ran with it ("Meet the new boss - same as the old boss"). The Clipper Chip is supposed to give us more privacy, which we need. An ex-friend of mine taped Madonna talking to her business manager on her cordless phone, and some punk ("punk" in the prison sense) broke into my Internet account and read my mail. The Clipper Chip, which was designed by government engineers, would be used to scramble and decode information so that only the addressee could read it. The government would sell this chip below market value (some people believe they'd be getting something for nothing; some people believe Elvis put syringes in Pepsi), and we'd all have cheap privacy. Oh, by the way ("The large print giveth, the small print taketh away"), the government would keep all the keys so they could eavesdrop on might-be-bad-guys (with a subpoena, of course). _What?!_ The antl-Clipper Chip people sent me megs and megs of reasons why the Clipper Chip sucks (the information on how it works is kept secret, so private scientists wouldn't be able to check for mistakes; trade with other countries would be difficult; how safe could the codes be kept?; and so on). Big cheese computer people yapped against it, and it got shot down the first time around on the legislation front. On the tech front, there is a great cypherpunk ("punk" in the rock and roll sense) alternative called Pretty Good Privacy, which is nongovernment and free. One of my math-hip friends explained public-key encryption to me, and it's pretty thinking; I'll try to explain it in a future column. There was even talk of making private encryption illegal (an evil idea, pure and simple). The more research I did, the simpler it got. You have inalienable rights including life, liberty, and the pursuit of happiness. That's it. We have a right to communicate with anyone we choose without anyone listening in. The government works for us. Power to the people. ----------------------------------------------------------------- Wow. One of the better anti-Clipper flames I've seen so far. Simple and to the point. Repost this one everywhere. Technical question: from what I've read, Clipper is only a single- key system, basically an 80-bit super-DES. So when you hit the SECURE button on your AT&T ClipperPhone, how do the phones exchange session keys? DH exchange or something similar? Is this implemented in the Clipper chip itself, or in external hardware? Is the format standardized? If not, there will be plenty of interoperability problems with the first generation of phones. For that matter, there will probably be problems even if it is standardized. Will it work over a standard phone line? If so, the phone must be using data compression and a 14.4 modem or something. They'd have to use forward error correction, too, because a 1-bit error would cause, upon decryption, at least an 8-byte error burst. That's a very noticeable click at 6-8KHz sampling rate. I haven't been able to get any details. I called Mykotronx and they told me that the app notes weren't ready yet, and offered to put me on a waiting list for them.
Mike Ingle <MIKEINGLE@delphi.com> asked some penetrating questions about Clipper function, that deserve to be brought up again:
Technical question: from what I've read, Clipper is only a single- key system, basically an 80-bit super-DES. So when you hit the SECURE button on your AT&T ClipperPhone, how do the phones exchange session keys? DH exchange or something similar? Is this implemented in the Clipper chip itself, or in external hardware?
The following is based on some very faintly remembered technical data once circulated by D. Denning. I'd be appreciative if anyone can point out where it is located or elaborate on my description below. The Clipper chip does *not* implement key exchange. It is essentially nothing but a low-level encryption device. I would like to see the specifications that are supposedly available or will be soon (I got the impression that E. Hughes got some kind of Clipper specifications at one point, a long time ago). However, as I understand it the chip sends out the law enforcement exploitation field (LEEF) (the beautifully apropos term `exploitation' has now been replaced with Access) along with the encrypted data to the chip pins. Now, two Clipper chips will *not* work in conjuction with each other unless each is fed a valid LEEF from the other. However, since the chip does not accomplish this function (the communication, that is; it does *create* the field), and it is handled outside the chip, there is no guarantee that the system designer does not, for example, encrypt the LEEF in the communications transit, thereby completely sabotaging the `exploitative' tappability of the chip. Hence there is a *very* real possibility that this scheme, or something similar, could be used to gain Skipjack-level encryption without any key escrow complications. I suspect the NSA is *extremely* worried about this. They probably require that the chip purchaser promise to use Clipper in a way that guarantees the LEEF is accessable (plaintext). They may even create a contractual obligation wherein the surrounding device (telephone or whatever) cannot be approved for sale until it passes an NSA endorsed tapping test. (what fun!) I consider this all very plausible and probable. (This would be a neat trick -- use the chip itself to encrypt LEEF fields -- hah! twist an insecure chip into a secure one, and spit in the face of the NSA!) The NSA probably would rather *not* come out with a Clipper type chip because of the above weakness. But this is the absolute lowest level chip they can get away with. There are many applications that would reject a more sophisticated chip -- Clipper is already expensive enough as it is. However, the Capstone chip *does* have key exchange functions built in -- it uses Diffie Hellman, apparently. And I consider it likely that the LEAF field transfer cannot be thwarted in the above way. This is a do-everything chip with exponentiation and the DSA algorithm built in. All these sweet-looking contortions to support `public debate' on the Clipper proposal are rather pathetic given that the Capstone has been in development for many years. Is there really any chance that its production would be derailed by some annoying public comments? I certainly hope so, but it's not a pretty picture. Note that early in the Clipper debate, D. Denning and others were vague on the Capstone and Clipper key exchange function. That's because Clipper didn't have it, and Capstone used Diffie Hellman. Now, as we are so familiar with, PKP holds a iron-fisted, vice-lock grip on *all* public key cryptography. The government is supposedly able to use the patented technology without prior arrangement (I believe this is a qualification of the NSF research grants that led to the patents?) but the chips would still not be able to be used in *commercial* arrangements (the whole point) without a PKP agreement. Hence, it was *absolutely critical* that the government get the *official endorsement* of PKP and a legal arrangement to allow the use of public key cryptography in the Capstone and Clipper arrangements. The wretched announcement was just a matter of time -- what was so surprising was that PKP also got awarded a new iron-fisted, vice-lock grip on the Digital Signature Standard. Apparently, the incredibly lucrative revenues from public key licensing on Clipper and Capstone alone just didn't cut it. Conspiracy theorists can easily believe that this outrageous, scheming arrangement was made *far prior* to its actual announcement (June? I forget), and there is a lot of circumstantial evidence to support this. The NSA's goal with Clipper and Capstone was *commercial* from the *very beginning* -- now *officially* confirmed as at least 3 years! -- and they would be first to make sure it wasn't thwarted by those pesky patents everyone else has to break their shins on. In fact, going just a bit further, there is a lot of circumstantial evidence that PKP is very closely allied with the NSA in various ways. How is it one company has gotten public key patents that were developed at two different universities (Stanford & MIT) and diverse researchers (Diffie, Hellman, Rivest, Shamir, Adleman)?! Why is the government so eager to grant them a critical *new* cryptgraphic algorithm stranglehold with DSA? [key exchange]
Is the format standardized? If not, there will be plenty of interoperability problems with the first generation of phones. For that matter, there will probably be problems even if it is standardized.
About the only company ready for Clipper chips is AT&T, and I think they are using Diffie Hellman key exchange currently with some proprietary algorithms (they have a license on Public Key directly from PKP already) in their secure phones. I suspect any companies that come out with new phone encryption equipment based on Clipper, if any are insane enough to exist, will try to be compatible with the AT&T `standard' (ug). As far as I know AT&T has not published their own key exchange standard used by the phones, however. That is, it is proprietary, and might even be protected by patents of their own! This is a rare occasion where incompatibility is something to beam about!
As I recall from a note from Denning some months back, the bits of the LEEF (Law Enforcement Exploitation Field, its original and far more descriptive name) are spread out among the ciphertext in some unspecified way precisely to make it difficult or impossible to remove. Damn. Now I remember one of the points I meant to make in my NIST comments, but forgot: if the LEEF is added periodically to the ciphertext stream, that implies that the ciphertext data rate must be greater than the plaintext rate. And that precludes just dropping the Clipper chip into existing synchronous communication systems such as our CDMA digital cellular telephone system without *major* system redesign. Everything in our system is designed around four specific fixed frame "rates", specifically 16, 40, 80 or 171 bits every 20 ms: the vocoder, which generates these "frames", the CDMA modem, the Viterbi decoder, everything. Encryption that simply performs a 1-to-1 mapping between plaintext and ciphertext would be easy to add to this system. But an encryption chip that has to add something to each frame to encode an LEEF is useless to me. Anybody know if there is a "reply comments" cutoff date for the Clipper proposal? Under the rules that usually govern this sort of thing, if you can find someone else's comments on file that address the point you make, you can usually file "reply comments" that address this point beyond the original due date -- as long as it arrives by the "reply comments" date (usually a month or two later). Phil
From: "L. Detweiler" <ld231782@longs.lance.colostate.edu> *create* the field), and it is handled outside the chip, there is no guarantee that the system designer does not, for example, encrypt the LEEF in the communications transit, thereby completely sabotaging the `exploitative' tappability of the chip.
Hence there is a *very* real possibility that this scheme, or something similar, could be used to gain Skipjack-level encryption without any key escrow complications. I suspect the NSA is *extremely* worried about this.
Their spokesagency, NIST, has said that it will be illegal to encrypt on top of Skipjack or to mung the LEEF. Pre-encryption is not mentioned, AFAIK, and would be borderline impossible to detect anyway. As I see it, this is already a restriction on non-Skipjack encryption, issued in the same document that assured us that no such thing is being considered. It's a special case, to be sure, but it clearly asserts a government power to restrict the means and manner of private encryption performed entirely within the United States. This is a key issue, IMO. Eli ebrandt@jarthur.claremont.edu
I said:
Their spokesagency, NIST, has said that it will be illegal to encrypt on top of Skipjack or to mung the LEEF.
Checking the relevant document again, I think this is wrong: -------------------- Federal Information Processing Standards Publication XX 1993 XX Announcing the Escrowed Encryption Standard (EES) [blah blah] The security equipment shall ensure that the LEAF is transmitted in such a manner that the LEAF and ciphertext may be decrypted with legal authorization. No additional encryption or modification of the LEAF is permitted. [...] -------------------- I remembered this text out of context. Correctly interpreted, it looks like it's just a specification for devices implementing the (voluntary, natch) Escrowed Encryption Standard. Sorry about that. Eli ebrandt@jarthur.claremont.edu
participants (4)
-
Eli Brandt -
karn@qualcomm.com -
L. Detweiler -
Mike Ingle