Matt Blaze's Clipper attack -- details

Perry E. Metzger perry at imsi.com
Thu Jun 2 12:24:30 PDT 1994



smb at research.att.com says:
> The LEAF contains a 32 bit unit id, an 80-bit session key encrypted
> with the per-device secret key, and a 16 bit checksum.  The whole thing
> is encrypted with the family key.  The checksum field is based on both
> the session key and the IV.

I'll point out that Matt concluded this based on empirical analysis of
LEAFs and IVs; no available documentation describes the nature of the
checksum. (More kudos to Matt.)

BTW, LEAF/IV pairs are manipulated by Tessera as a single operation. I
suppose this is, in retrospect, a big hint.

The observation that non-synchronized IVs pose little or no problem
was also another "damn; that should have been obvious" that Matt
picked up on and no one else got. I suppose the fact that the NSA
folks mixed the IV into the checksum meant that they thought
non-synchronized IVs would be more significant than they are.

Perry

PS Matt, you now have 14 more minutes of fame remaining. :-)