Clipper Chip
Dorothy Denning
denning at cs.cosc.georgetown.edu
Tue Sep 7 12:37:57 PDT 1999
I just had another conversation with NSA to clarify some of the features
of Clipper. Please feel free to distribute this and my other messages
on Clipper.
The name of the encryption algorithm is "Skipjack."
Martin Hellman had written
and the serial number of the unit added to produce a three part
message which will then be encrypted under the system key SK
producing
E{ E[M; K], E[K; UK], serial number; SK}
To which I responded:
My understanding is that E[M; K] is not encrypted under SK (called the
"family key") and that the decrypt key corresponding to SK is held by
law enforcement. Does anyone have first hand knowledge on this?
I was correct in that E[M; K] is not encrypted under SK. However, Skipjack
being a single-key system, there is, of course, not a separate decrypt key
for the family key SK.
The unit key, also called the "chip key," is generated from the
serial number N as follows. Let N1, N2, and N3 be 64 bit blocks
derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
Compute the 64-bit block
R1 = E[D[E[N1; S1]; S2]; S1]
(Note that this is like using the DES in triple encryption mode with
two keys.) Similarly compute blocks R2 and R3 starting with N2 and N3.
(I'm unlear about whether the keys S1 and S2 change. The fact that
they're called seeds suggests they might.) Then R1, R2, and R3 are
concatenated together giving 192 bits. The first 80 bits form K1 and
the next 80 bits form K2. The remaining bits are discarded.
The seeds S1 and S2 do not change. The whole process is performed on
a laptop computer, and S1 and S2 are supplied by two independent people
so that no one person knows both. The same S1 and S2 are used during
an entire "programming session" to generate keys for a stream of serial
numbers. Everything is discarded at the end (the computer could be
thrown out if desired).
The serial number is 30 bits and the values N1, N2, and N3 are formed
by padding the serial number with fixed 34-bit blocks (separate padding
for each value).
The resulting keys K1 and K2 are output onto separate floppy disks, paired
up with their serial number. Each pair is stored in a separate file. The
floppy disks are taken away by two separate people on behalf of the two
escrow agencies.
Dorothy Denning
denning at cs.georgetown.edu
======
>From eff.org!interesting-people-request at netcomsv.netcom.com Mon Apr 19 20:07:50
1993
Posted-Date: Mon, 19 Apr 1993 21:17:27 -0500
From: David Farber <farber at central.cis.upenn.edu>
X-Sender: farber at linc.cis.upenn.edu
Subject: More technical details -- Chipper
To: interesting-people at eff.org (interesting-people mailing list)
Personal note. Denning suggests such firms as
" SRI, Rand, Mitre, the national labs (Sandia, LANL, Los Alamos), Treasury,
GAO" as possible escrow organizations. I personally believe that firms
which get their funding from the government are just too susceptible to
pressure which we have seen historically. It would be best to use
organizations that have a more arms length relationship with the government
so everyone believes the escrows task is being performed properly.
Dave
From: smb at research.att.com (Steven Bellovin)
Subject: More technical details
Date: 19 Apr 93 13:43:46 GMT
Here are some corrections and additions to Hellman's note, courtesy of
Dorothy Denning. Again, this is reposted with permission.
Two requests -- first, note the roles of S1 and S2. It appears to me
and others that anyone who knows those values can construct the unit
key. And the nature of the generation process for K1 and K2 is such
that neither can be produced alone. Thus, the scheme cannot be
implemented such that one repository generates the first half-key, and
another generates the second. *That* is ominous.
Second -- these postings are not revealed scripture, nor are they
carefully-crafted spook postings. Don't attempt to draw out hidden
meanings (as opposed to, say, the official announcements of Clipper).
Leave Denning out of this; given Hellman's record of opposition to DES,
which goes back before some folks on this newsgroup knew how to read, I
don't think you can impugn his integrity.
Oh yeah -- the folks who invented Clipper aren't stupid. If you think
something doesn't make sense, it's almost certainly because you don't
understand their goals.
--Steve Bellovin
-----
Date: Sun, 18 Apr 93 07:56:39 EDT
From: denning at cs.georgetown.edu (Dorothy Denning)
Subject: Re: Clipper Chip
To: (a long list of folks)
I was also briefed by the NSA and FBI, so let me add a few comments to
Marty's message:
The Clipper Chip will have a secret crypto algorithm embedded in
The algorithm operates on 64-bit blocks (like DES) and the chip supports
all 4 DES modes of operation. The algorithm uses 32 rounds of scrambling
compared with 16 in DES.
In addition to the system key, each user will get to choose his
or her own key and change it as often as desired. Call this key
plain old K. When a message is to be sent it will first be
K is the session key shared by the sender and receiver. Any method
(e.g., public key) can be used to establish the session key. In the
AT&T telephone security devices, which will have the new chip, the key
is negotiated using a public-key protocol.
encrypted under K, then K will be encrypted under the unit key UK,
and the serial number of the unit added to produce a three part
message which will then be encrypted under the system key SK
producing
E{ E[M; K], E[K; UK], serial number; SK}
My understanding is that E[M; K] is not encrypted under SK (called the
"family key") and that the decrypt key corresponding to SK is held by
law enforcement. Does anyone have first hand knowledge on this? I
will also check it out, but this is 7am Sunday so I did not want to wait.
The unit key
will be generated as the XOR of two 80-bit random numbers K1
and K2 (UK=K1+K2) which will be kept by the two escrow
The unit key, also called the "chip key," is generated from the
serial number N as follows. Let N1, N2, and N3 be 64 bit blocks
derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
Compute the 64-bit block
R1 = E[D[E[N1; S1]; S2]; S1]
(Note that this is like using the DES in triple encryption mode with
two keys.) Similarly compute blocks R2 and R3 starting with N2 and N3.
(I'm unlear about whether the keys S1 and S2 change. The fact that
they're called seeds suggests they might.) Then R1, R2, and R3 are
concatenated together giving 192 bits. The first 80 bits form K1 and
the next 80 bits form K2. The remaining bits are discarded.
authorities. Who these escrow authorities will be is still to be
decided by the Attorney General, but it was stressed to me that
they will NOT be NSA or law enforcement agencies, that they
must be parties acceptable to the users of the system as unbiased.
Marty is right on this and the FBI has asked me for suggestions.
Please pass them to me along with your reasons. In addition to Marty's
criteria, I would add that the agencies must have an established record
of being able to safeguard highly sensitive information. Some suggestions
I've received so far include SRI, Rand, Mitre, the national labs (Sandia,
LANL, Los Alamos), Treasury, GAO.
When a court order obtains K1 and K2, and thence K, the law
enforcement agency will use SK to decrypt all information
flowing on the suspected link [Aside: It is my guess that
they may do this constantly on all links, with or without a
court order, since it is almost impossible to tell which links
over which a message will flow.]
My understanding is that there will be only one decode box and that it
will be operated by the FBI. The service provider will isolate the
communications stream and pass it to the FBI where it will pass through
the decode box, which will have been keyed with K.
for "the wiretap authorizations." When Levy asked for
the details so he could review the cases as required by
law, the agent told him that his predecessors just turned
over 40-50 blank, signed forms every time. Levi did not
comply and changed the system, but the lesson is clear:
No single person or authority should have the power to
authorize wiretaps
No single person does, at least for FBI taps. After completing a mound
of paperwork, an agent must get the approval of several people on a chain
that includes FBI legal counsel before the request is even taken to the
Attorney General for final approval.
Dorothy Denning
More information about the cypherpunks-legacy
mailing list