Newsgroups: sci.crypt
Path: cantaloupe.srv.cs.cmu.edu!crabapple.srv.cs.cmu.edu!fs7.ece.cmu.edu!europa.eng.gtefsd.com!howland.reston.ans.net!ux1.cso.uiuc.edu!news.cso.uiuc.edu!usenet
From: usenet@news.cso.uiuc.edu (Net Noise owner)
Subject: Re: Facinating facts: 30 bit serial number, possibly fixed S1 and S2
Date: Tue, 20 Apr 1993 21:36:28 GMT
Message-ID: <C5sxCt.J5E@news.cso.uiuc.edu>
References: <1993Apr19.182327.3420@guvax.acc.georgetown.edu> <PMETZGER.93Apr20065402@snark.shearson.com>
Organization: University of Illinois @ Urbana/Champaign
Lines: 32

The only way to view this method of generating unit keys is as a back-door.
What else can you call a key deterministically generated from the serial
number?


 To generate the unit key for a serial number N, the 30-bit value N is
   first padded with a fixed 34-bit block to produce a 64-bit block N1.
   S1 and S2 are then used as keys to triple-encrypt N1, producing a
   64-bit block R1:

	   R1 = E[D[E[N1; S1]; S2]; S1] .

   Similarly, N is padded with two other 34-bit blocks to produce N2 and
   N3, and two additional 64-bit blocks R2 and R3 are computed:  

	   R2 = E[D[E[N2; S1]; S2]; S1] 
	   R3 = E[D[E[N3; S1]; S2]; S1] .

   R1, R2, and R3 are then concatenated together, giving 192 bits. The
   first 80 bits are assigned to U1 and the second 80 bits to U2.  The
   rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
   are the key parts that are separately escrowed with the two escrow
   agencies.


What happens is that the need for the Escrow houses is completely eliminated.
Or should I say, the need to _access_ the Escrow houses to decrypt the data.
The houses will still serve a real purpose as far as generating the illusion
of protection, and small-town cops won't be let in on the "secret", so they
will still go through the motions of going to the Escrow houses, but the fact
is __the Federal government CAN and WILL build a chip which generates the unit
keys from the encrypted serial number!__  'Nuff Said.
