pgp5.5 = clipper

Adam Back aba at dcs.ex.ac.uk
Thu Oct 30 03:27:43 PST 1997




There are some remarkable similarities between pgp5.5 and the hugely
unpopular original clipper chip design.  Both encrypt the
communication key so it can be snooped by third parties thus creating
a backdoor.

I suspect that part of the reason there has been less outcry over
pgp5.5 than for clipper is that people have a high regard for PGP Inc,
and allow this to lull their fears -- "if PGP Inc have done it, it
can't be evil."  This is really insidious, and it is reprehensible for
PGP Inc to use their reputation capital to give clipper like systems a
positive spin.

pgp5.5 is basically a software implementation of clipper:

In PGP the backdoor is the second crypto recipient -- the message key
encrypted to the CMRK (Corporate Message Recovery Key) as requested by
the ARR (Additional Recipient Request); in clipper the backdoor is the
LEAF (Law Enforcement Access Field).

Both systems make attempts to enforce the presense of this backdoor
field: PGP Inc's policy enforcer can be configured to bounce mail not
encrypted to the corporate backdoor key; in Clipper it is the checksum
included in the LEAF which allows the receiving chip to reject LEAFs
which have been tampered with.

Both systems are "optional" -- you don't have to use clipper chips,
they will be "voluntary" (or so the politicians claim), and
governments aren't currently using the backdoor feature of pgp5.5, and
PGP Inc argue this won't happen (we'll see how this works out).

Both systems can be bypassed in very analogous ways: 

They can both be bypassed by super encrypting traffic.

With pgp5.5 the sender can send garbage in the CMRK encrypted field;
with clipper Matt Blaze found you could brute force the checksum and
send garbage in the LEAF field.

Both systems can be improved to make them harder to bypass, something
one suspects may happen if too many people routinely bypass them, and
law enforcement views this as a problem (which they surely will if
their snooping attempts are foiled -- don't forget Freeh is already on
record calling for mandatory key escrow, and outlawing of non-escrowed
crypto).

Clipper can be made harder to bypass by increasing the size of the
checksum.

pgp5.5 can be made harder to bypass by using binding cryptography
(allows untrusted agents to be deputised as policemen in ensuring the
same key is included inside the CMRK field as in the recipients PKE
field).

It is easy for the government snoop to detect cheating with either
system -- they attempt to decrypt the traffic, and find the LEAF/CMRK
field is tampered with, or find the contained message is super
encrypted.  

One suspects that an additional 5 year sentence will be given to
people who are detected tampering with snoop fields.  (This is not far
fetched I don't think -- already we have heard proposals for 5 year
additional sentencing for "use of encryption in a crime".  If
non-escrowed encryption is outlawed, surely this is the logical next
step on the part of Freeh, and cohorts).


PGP Inc cries: "oh but we have to meet corporate user requirements".
For corporate disaster recovery of stored data?  For corporate message
snooping?  For either requirement many of us have documented far less
dangerous techniques to enable corporate message snooping, and storage
recovery.  Techniques which aren't likely to be adopted by governments
as their snooping architecture.

PGP should fix this quickly before the reputational damage is
increased by more government statements about the usefulness of
pgp5.5. and CMR.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`







More information about the cypherpunks-legacy mailing list