Newsgroups: sci.crypt,alt.privacy.clipper
Path: cantaloupe.srv.cs.cmu.edu!crabapple.srv.cs.cmu.edu!bb3.andrew.cmu.edu!news.sei.cmu.edu!cis.ohio-state.edu!zaphod.mps.ohio-state.edu!howland.reston.ans.net!noc.near.net!uunet!mcsun!chsun!bernina!caronni
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details
Message-ID: <1993Apr19.162936.7517@bernina.ethz.ch>
Sender: news@bernina.ethz.ch (USENET News System)
Organization: Swiss Federal Institute of Technology (ETH), Zurich, CH
References: <1993Apr19.134346.2620@ulysses.att.com>
Date: Mon, 19 Apr 1993 16:29:36 GMT
Lines: 107

In article <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Here are some corrections and additions to Hellman's note, courtesy of
>Dorothy Denning.  Again, this is reposted with permission.
>
>Two requests -- first, note the roles of S1 and S2.  It appears to me
>and others that anyone who knows those values can construct the unit
>key.  And the nature of the generation process for K1 and K2 is such
>that neither can be produced alone.  Thus, the scheme cannot be
>implemented such that one repository generates the first half-key, and
>another generates the second.  *That* is ominous.
>
>Second -- these postings are not revealed scripture, nor are they
>carefully-crafted spook postings.  Don't attempt to draw out hidden
>meanings (as opposed to, say, the official announcements of Clipper).
>Leave Denning out of this; given Hellman's record of opposition to DES,
>which goes back before some folks on this newsgroup knew how to read, I
>don't think you can impugn his integrity.
>
>Oh yeah -- the folks who invented Clipper aren't stupid.  If you think
>something doesn't make sense, it's almost certainly because you don't
>understand their goals.
>

This is an addition (posted with permission) to some tech. details of
cliper. They enligthen ??? the use of S1 and S2 for keygeneration.
-------------------------------------------
Date: Mon, 19 Apr 93 08:51:57 EDT
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: Re:  Clipper Chip

I just had another conversation with NSA to clarify some of the features
of Clipper.  Please feel free to distribute this and my other messages
on Clipper.

The name of the encryption algorithm is "Skipjack."

Martin Hellman had written

                and the serial number of the unit added to produce a three part
                message which will then be encrypted under the system key SK
                producing

                     E{ E[M; K], E[K; UK], serial number;  SK}

To which I responded:

        My understanding is that E[M; K] is not encrypted under SK (called the
        "family key") and that the decrypt key corresponding to SK is held by
        law enforcement.  Does anyone have first hand knowledge on this?

I was correct in that E[M; K] is not encrypted under SK.  However, Skipjack
being a single-key system, there is, of course, not a separate decrypt key
for the family key SK.

        The unit key, also called the "chip key," is generated from the
        serial number N as follows.  Let N1, N2, and N3 be 64 bit blocks
        derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
        Compute the 64-bit block

                R1 = E[D[E[N1; S1]; S2]; S1]

        (Note that this is like using the DES in triple encryption mode with
        two keys.)  Similarly compute blocks R2 and R3 starting with N2 and N3.
        (I'm unlear about whether the keys S1 and S2 change.  The fact that
        they're called seeds suggests they might.)  Then R1, R2, and R3 are
        concatenated together giving 192 bits.  The first 80 bits  form K1 and
        the next 80 bits form K2.  The remaining bits are discarded.

The seeds S1 and S2 do not change.   The whole process is performed on
a laptop computer, and S1 and S2 are supplied by two independent people
so that no one person knows both.  The same S1 and S2 are used during
an entire "programming session" to generate keys for a stream of serial
numbers.  Everything is discarded at the end (the computer could be
thrown out if desired).

The serial number is 30 bits and the values N1, N2, and N3 are formed
by padding the serial number with fixed 34-bit blocks (separate padding
for each value).

The resulting keys K1 and K2 are output onto separate floppy disks, paired
up with their serial number.  Each pair is stored in a separate file.  The
floppy disks are taken away by two separate people on behalf of the two
escrow agencies.

Dorothy Denning
denning@cs.georgetown.edu

--------------------------------------------------------
I am sure more technical detail will be known when time goes by.
Please remark, that in posting this, I do not automatically agree
with it's contents and implications. So don't swamp my mailbox :-)

I just think this is an valuable addition to the less than technical
discussion that is rising here. And, no, I don't mind if you call
S1 and S2 'backdoor', as I could imagine the key-generation process
working without these seeds and the dependency of K1,K2 from the
Serial-Number.


Friendly greetings,

	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F
