Newsgroups: sci.crypt,alt.privacy.clipper
Path: cantaloupe.srv.cs.cmu.edu!das-news.harvard.edu!noc.near.net!howland.reston.ans.net!wupost!uwm.edu!linac!att!att!allegra!ulysses!ulysses!smb
From: smb@research.att.com (Steven Bellovin)
Subject: More technical details
Message-ID: <1993Apr19.134346.2620@ulysses.att.com>
Date: Mon, 19 Apr 1993 13:43:46 GMT
Organization: AT&T Bell Laboratories
Lines: 116

Here are some corrections and additions to Hellman's note, courtesy of
Dorothy Denning.  Again, this is reposted with permission.

Two requests -- first, note the roles of S1 and S2.  It appears to me
and others that anyone who knows those values can construct the unit
key.  And the nature of the generation process for K1 and K2 is such
that neither can be produced alone.  Thus, the scheme cannot be
implemented such that one repository generates the first half-key, and
another generates the second.  *That* is ominous.

Second -- these postings are not revealed scripture, nor are they
carefully-crafted spook postings.  Don't attempt to draw out hidden
meanings (as opposed to, say, the official announcements of Clipper).
Leave Denning out of this; given Hellman's record of opposition to DES,
which goes back before some folks on this newsgroup knew how to read, I
don't think you can impugn his integrity.

Oh yeah -- the folks who invented Clipper aren't stupid.  If you think
something doesn't make sense, it's almost certainly because you don't
understand their goals.

		--Steve Bellovin

-----

Date: Sun, 18 Apr 93 07:56:39 EDT
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re:  Clipper Chip
To: (a long list of folks)

I was also briefed by the NSA and FBI, so let me add a few comments to
Marty's message:

        The Clipper Chip will have a secret crypto algorithm embedded in 

The algorithm operates on 64-bit blocks (like DES) and the chip supports
all 4 DES modes of operation.  The algorithm uses 32 rounds of scrambling
compared with 16 in DES.

	In addition to the system key, each user will get to choose his 
	or her own key and change it as often as desired. Call this key 
	plain old K. When a message is to be sent it will first be 

K is the session key shared by the sender and receiver.  Any method
(e.g., public key) can be used to establish the session key.  In the
AT&T telephone security devices, which will have the new chip, the key
is negotiated using a public-key protocol.
 
	encrypted under K, then K will be encrypted under the unit key UK, 
	and the serial number of the unit added to produce a three part 
	message which will then be encrypted under the system key SK 
	producing

	     E{ E[M; K], E[K; UK], serial number;  SK}

My understanding is that E[M; K] is not encrypted under SK (called the
"family key") and that the decrypt key corresponding to SK is held by
law enforcement.  Does anyone have first hand knowledge on this?  I
will also check it out, but this is 7am Sunday so I did not want to wait.

        The unit key 
	will be generated as the XOR of two 80-bit random numbers K1 
	and K2 (UK=K1+K2) which will be kept by the two escrow 

The unit key, also called the "chip key," is generated from the
serial number N as follows.  Let N1, N2, and N3 be 64 bit blocks
derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
Compute the 64-bit block 

        R1 = E[D[E[N1; S1]; S2]; S1] 

(Note that this is like using the DES in triple encryption mode with
two keys.)  Similarly compute blocks R2 and R3 starting with N2 and N3.
(I'm unlear about whether the keys S1 and S2 change.  The fact that
they're called seeds suggests they might.)  Then R1, R2, and R3 are
concatenated together giving 192 bits.  The first 80 bits  form K1 and
the next 80 bits form K2.  The remaining bits are discarded.

	authorities. Who these escrow authorities will be is still to be 
	decided by the Attorney General, but it was stressed to me that 
	they will NOT be NSA or law enforcement agencies, that they 
	must be parties acceptable to the users of the system as unbiased. 

Marty is right on this and the FBI has asked me for suggestions.
Please pass them to me along with your reasons.  In addition to Marty's
criteria, I would add that the agencies must have an established record
of being able to safeguard highly sensitive information.  Some suggestions
I've received so far include SRI, Rand, Mitre, the national labs (Sandia,
LANL, Los Alamos), Treasury, GAO.

	When a court order obtains K1 and K2, and thence K, the law 
	enforcement agency will use SK to decrypt all information 
	flowing on the suspected link [Aside: It is my guess that 
	they may do this constantly on all links, with or without a 
	court order, since it is almost impossible to tell which links 
	over which a message will flow.] 

My understanding is that there will be only one decode box and that it
will be operated by the FBI.  The service provider will isolate the
communications stream and pass it to the FBI where it will pass through
the decode box, which will have been keyed with K.

	for "the wiretap authorizations." When Levy asked for
	the details so he could review the cases as required by
	law, the agent told him that his predecessors just turned
	over 40-50 blank, signed forms every time. Levi did not
        comply and changed the system, but the lesson is clear: 
        No single person or authority should have the power to
        authorize wiretaps

No single person does, at least for FBI taps.  After completing a mound
of paperwork, an agent must get the approval of several people on a chain
that includes FBI legal counsel before the request is even taken to the
Attorney General for final approval.

Dorothy Denning
