Newsgroups: sci.crypt,alt.privacy.clipper
Path: cantaloupe.srv.cs.cmu.edu!das-news.harvard.edu!noc.near.net!howland.reston.ans.net!zaphod.mps.ohio-state.edu!sdd.hp.com!news.cs.indiana.edu!mvanheyn@cs.indiana.edu
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: More technical details
Message-ID: <4973.735275781@moose.cs.indiana.edu>
Sender: mvanheyn@cs.indiana.edu
Organization: Computer Science Dept, Indiana University
References: <1993Apr19.134346.2620@ulysses.att.com>
Date: Mon, 19 Apr 1993 22:16:21 -0500
Lines: 43

>	encrypted under K, then K will be encrypted under the unit key UK, 
>	and the serial number of the unit added to produce a three part 
>	message which will then be encrypted under the system key SK 
>	producing
>
>	     E{ E[M; K], E[K; UK], serial number;  SK}
>
>My understanding is that E[M; K] is not encrypted under SK (called the
>"family key") and that the decrypt key corresponding to SK is held by
>law enforcement.  Does anyone have first hand knowledge on this?  I
>will also check it out, but this is 7am Sunday so I did not want to wait.

Ok, so there are in fact two distinct components transmitted by the
chip; the real message encrypted with the "conventional" key, and the
serial number and encrypted "conventional" key encrypted with the
(IMHO kind of bogus, as the whole concept of "one key that millions of
people use which can't be changed" doesn't seem reasonable) "family
key".

Suppose I analyze the output of this chip and I'm able to determine
which bits are the encrypted packet which contains the serial number
and session key.  Suppose I also design a simple algorithm based on
this information which takes the data containing the encrypted session
key and twiddles a bit (or several) before it's sent down the line.

Mind you, I'm sure the NSA thought of this along with a dozen other
attacks I can't imagine, and the system is probably somehow designed
so that manipulation of this information will cause a compliant
receiving chip to somehow fail to decrypt successfully.  But how?
What if the two parties agree in advance on some kind of consistent
bit-twiddling scheme, so the decryption chip sees the restored
"proper" bitstream but an eavesdropper gets a E[K; UK] packet that's
wrong?

I suppose this could be easily defeated if the chip "sends" that
information out many times in slightly different ways, making it
effectively impossible to be certain you know all the information
being sent.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
If your theory predicts different outcomes depending on whether you use
discrete mathematics or continuous mathematics, then you've got the wrong
theory.		- Bruce MacLennan
