Newsgroups: sci.crypt,alt.privacy.clipper
Path: cantaloupe.srv.cs.cmu.edu!das-news.harvard.edu!noc.near.net!howland.reston.ans.net!ux1.cso.uiuc.edu!uwm.edu!linac!att!att!allegra!ulysses!ulysses!smb
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper chip -- technical details
Message-ID: <1993Apr19.052005.20665@ulysses.att.com>
Date: Mon, 19 Apr 1993 05:20:05 GMT
References: <1993Apr18.200737.14815@ulysses.att.com> <1667.Apr1821.58.3593@silverton.berkeley.edu>
Organization: AT&T Bell Laboratories
Lines: 20

In article <1667.Apr1821.58.3593@silverton.berkeley.edu>, djb@silverton.berkeley.edu (D. J. Bernstein) writes:
> Short summary of what Bellovin says Hellman says the NSA says: There is
> a global key G, plus one key U_C for each chip C. The user can choose a
> new session key K_P for each phone call P he makes. Chip C knows three
> keys: G, its own U_C, and the user's K_P. The government as a whole
> knows G and every U_C. Apparently a message M is encrypted as
> E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
> 
> The system as described here can't possibly work. What happens when
> someone plugs the above ciphertext into a receiving chip? To get M
> the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
> The only information it can work with is C. If U_C can be computed
> from C then the system is cryptographically useless and the ``key
> escrow'' is bullshit. Otherwise how is a message decrypted?

Via K_P, of course.  Nothing was said about where K_P comes from.  It's
the session key, though, and it's chosen however you usually choose
session keys --- exponential key exchange, shared secret, RSA, etc.
But however you choose it, the chip will apparently emit the escrow
header when you do.
