Newsgroups: sci.crypt
Path: cantaloupe.srv.cs.cmu.edu!crabapple.srv.cs.cmu.edu!fs7.ece.cmu.edu!europa.eng.gtefsd.com!howland.reston.ans.net!zaphod.mps.ohio-state.edu!sgiblab!sgigate!sgi!wdl1!phobos!koontzd
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Will FEDs troll for mutilated law enforcement blocks?
Message-ID: <1993Apr22.020102.1669@wdl.loral.com>
Originator: koontzd@phobos
Sender: news@wdl.loral.com
Organization: Loral Rolm Computer Systems
Date: Thu, 22 Apr 1993 02:01:02 GMT
Lines: 121

From Denning:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement block.  

Where the session key is K, and is transmitted encrypted in the unit Key U.
Which along with the serial number N is encrypted in the Family key F.

Presumably the protocol can be recovered (if by nothing else, differential
analysis).

Postulate if you will, a chip (or logic) sitting between the clipper chip
and its communications channel.  The function of this spoof chip is twofold:
    
	1) Transmit Channel

	    The spoof chip XORs the 30 bit encrypted serial number with
	    a secondary keying variable.  This renders the serial number
	    unrecoverable with just the family key

	2) Receive Channel

	    The spoof chip XORs the incoming encrypted serial number
	    with a secondary keying variable (assuming integrity of the
	    law enforcement block is necessary for local operation -
	    checksums, sequence control, etc.).

This has the net result of hiding the serial number.  It is probable theere is
a known plaintext pattern used as a filler in the block containing N (34 bits
as used in generating U, U1,U2) correctness of the law enforcement block
can be determined with only the family key F.  Whereas, no one has proposed
Federal Agencies be denied F, and because they could recover it themselves,
The correctness of the serial number can be tested by examining the pad bits
of N in E[N; F].

The one could selectively alter the law enforcement block as above, but the
mutilation could be detected.  A better approach would be to mutilate the
entire law enforcement block.  If it were done with a group encryption scheme
such as DES or (presumably) Skipjack, the chances the law enforcement block
can be recovered are lessened.

What do you want to bet the transmission protocol can be recognized and the
serial numbers decrypted in a target search?  When digital transmission
becomes widely available, would there be a requirement that clipper protocol
transmissions be refused when containing mutilated law enforcement blocks?

One way to avoid notice, would be to spoof protocol information of the block
containing M, as well as spoofing the law enforcement block.

The goal is to use a secure communications scheme, without redress to 
detection or key K interception (contained encrypted within the law
enforcement block).  The data stream is returned to its original state
for use by the clipper chip (or system) if required, for proper operation.

It is somewhat improbable that the entire protocol will be contained within
the clipper chip, yet likely that sequence of events will be tested for,
requiring a valid law enforcement block to be received before accepting
and decrypting E(M; K);

The spoof chip could be implemented anywhere in the protocols, including
on the resulting serial data stream.  Existing clipper products could
be subborned.  After all, they are high security encryption systems right?

Super encipherment/encryption could allow the chip to be used without
redress to detection of the use of the chip, or disclosure of the serial
number.  Security must be adequate to deny the serial number, which should
not be recoverable by other means.  One can see the use of cut outs for
procurring clipper phones, or once the number of units is high enough,
stealing them.  It would be a mistake on the part of authority, but nice
from a point of privacy, if the serial number N were not associated with
a particular clipper chip or lot of chips through the manufacturing and 
distribution process.  Hopefully the list of known missing or stolen
clipper serial numbers N encrypted with F, and the protocols are not 
sufficient plaintext to attact the super encrypted clipper stream.
This could be further made difficult by altering the temporal and or
spatial relationship of the clipper stream to that of the super encrypted
stream.

Detection of an encrypted stream could tip off the use of the aforementioned
scheme.

******************************************************************************

If you could capture valid law enforcement blocks not your own, and use
them in a codebook sustitution with your own, where they point to a valid
law enforcement block stored in a library utilizing a session key matching
the remainder of the transmission, you could simply out and out lie, yet
deliver to monitoring and/or hostile forces a seemingly valid law enforcement
block.   These captured law enforcement blocks would be used as authenticators,
such as in a manually keyed encryption system.  Fending this off would require
escalation in examining the protocols and blocks in the transmission.

The M code stream  might be independently attacked based on knowledge of
clipper chip protocols as revealed plaintext.  This could be invalidated
by changing the temporal and or spatial relationship of the clipper M stream
and the actual transmitted stream, under the control of a secure key
generator synchronized between endpoints.

The useful life time of captured law enforcement blocks might be limited
based on hostile forces using them as targets following transmission
interception.  You would need a large number of them, but, hey there's
supposed to be millions of these things, right?  Adding time stamps to
the encrypted law enforcement block is probably impractical, who wants
an encryption chip with a real time clock?

*****************************************************************************

The entire idea of the law enforcement block can be invalidated.








