No Subject

Martin Hellman hellman at
Tue Sep 7 12:37:57 PDT 1999

Subject: Clipper Chip

Most of you have seen the announcement in Friday's NY Times,
etc. about NIST (National Institute of Standards & Technology)
announcing the "Clipper Chip" crypto device. Several messges
on the net have asked for more technical details, and some have
been laboring under understandable misunderstandings given
the lack of details in the news  articles. So here to help out
is your friendly NSA link: me. I was somewhat surprised Friday
to get a call from the Agency which supplied many of the missing
details. I was told the info was public, so here it is (the cc of this
to Dennis Branstad at NIST is mostly as a double check on my
facts since I assume he is aware of all this; please let me know
if I have anything wrong):

The Clipper Chip will have a secret crypto algorithm embedded in 
Silicon. Each chip will have two secret, 80-bit keys. One will be the 
same for all chips (ie a system-wide key) and the other will be unit 
specific. I don't know what NIST and NSA will call them, but I will 
call them the system key SK and unit key UK in this message. 
The IC will be designed to be extremely difficult to reverse so 
that the system key can be kept secret. (Aside: It is clear that 
they also want to keep the algorithm secret and, in my opinion, 
it may be as much for that as this stated purpose.) The unit key 
will be generated as the XOR of two 80-bit random numbers K1 
and K2 (UK=K1+K2) which will be kept by the two escrow 
authorities. Who these escrow authorities will be is still to be 
decided by the Attorney General, but it was stressed to me that 
they will NOT be NSA or law enforcement agencies, that they 
must be parties acceptable to the users of the system as unbiased. 
When a law enforcement agency gets a court order, they will 
present it to these two escrow authorities and receive K1 and 
K2, thereby allowing access to the unit key UK.

In addition to the system key, each user will get to choose his 
or her own key and change it as often as desired. Call this key 
plain old K. When a message is to be sent it will first be 
encrypted under K, then K will be encrypted under the unit key UK, 
and the serial number of the unit added to produce a three part 
message which will then be encrypted under the system key SK 

     E{ E[M; K], E[K; UK], serial number;  SK}

When a court order obtains K1 and K2, and thence K, the law 
enforcement agency will use SK to decrypt all information 
flowing on the suspected link [Aside: It is my guess that 
they may do this constantly on all links, with or without a 
court order, since it is almost impossible to tell which links 
over which a message will flow.] This gives the agency access to 

     E[M; K], E[K; UK], serial number

in the above message. They then check the serial number 
of the unit and see if it is on the "watch list" for which they 
have a court order. If so, they will decrypt E[K; UK] to obtain K, 
and then decrypt E[M; K] to obtain M.

I am still in the process of assessing this scheme, so please do 
not take the above as any kind of endorsement of the proposed 
scheme. All I am trying to do is help all of us assess the scheme 
more knowledgably. But I will say that the need for just one court 
order worries me. I would feel more comfortable (though not 
necessarily comfortable!) if two separate court orders were 
needed, one per escrow authority. While no explanation is
needed, the following story adds some color: In researching
some ideas that Silvio Micali and I have been kicking around,
I spoke with Gerald Gunther, the constitutional law expert
here at Stanford and he related the following story: When
Edward Levi became Pres. Ford's attorney general (right
after Watergate), he was visited by an FBI agent asking
for "the wiretap authorizations." When Levy asked for
the details so he could review the cases as required by
law, the agent told him that his predecessors just turned
over 40-50 blank, signed forms every time. Levi did not
comply and changed the system, but the lesson is clear: 
No single person or authority should have the power to
authorize wiretaps (or worse yet, divulging of personal
keys). Sometimes he or she will be an Edward Levi
and sometimes a John Mitchell.

Martin Hellman

And, his permission to repost.  PLEASE NOTE HIS "RESTRICTION."

More information about the cypherpunks-legacy mailing list