Newsgroups: sci.crypt
Path: cantaloupe.srv.cs.cmu.edu!das-news.harvard.edu!noc.near.net!howland.reston.ans.net!usc!sdd.hp.com!news.cs.indiana.edu!mvanheyn@cs.indiana.edu
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: Clipper chip -- technical details
Message-ID: <19500.735183940@moose.cs.indiana.edu>
Sender: mvanheyn@cs.indiana.edu
Organization: Computer Science Dept, Indiana University
References: <1993Apr18.200737.14815@ulysses.att.com> <1667.Apr1821.58.3593@silverton.berkeley.edu>
Date: Sun, 18 Apr 1993 20:45:40 -0500
Lines: 24

Thus said djb@silverton.berkeley.edu (D. J. Bernstein):
>Short summary of what Bellovin says Hellman says the NSA says: There is
>a global key G, plus one key U_C for each chip C. The user can choose a
>new session key K_P for each phone call P he makes. Chip C knows three
>keys: G, its own U_C, and the user's K_P. The government as a whole
>knows G and every U_C. Apparently a message M is encrypted as
>E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
>
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

Given the description of the algorithm given, the only plausible
explantion I can find is that K_P must be agreed to out of bandwidth
in advance by the two parties; i.e. it's a standard shared symmetric
key.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
Security through Diversion: n. Theory which states that the public
availability of good computer games is vital to maintaining system
safety.  Contrast Security through Obscurity.
