Fun_People Archive
28 Apr
They've decided that we should just trust them...

Date: Wed, 28 Apr 93 17:30:30 PDT
To: Fun_People
Subject: They've decided that we should just trust them...

Okay, I admit it; this one isn't so much fun...

    Here are four of six articles distributed by Keith Bostic on the new
encryption algorithm which is to be produced as the "Clipper Chip."  The
articles are:

    #1 - White House-distributed Fact Sheet (4/16/93)
    #2 - Dorothy Denning's Revised Technical Summary of (4/21/93)
    #3 - Computer Professionals for Social Responsibility response (4/16/93)
    #4 - Electronic Freedom Foundation response (4/16/93)

The two articles that I didn't include are the original White House
announcement (pretty long) and Dorothy Denning's original technical summary of
April 19.  If you want them, let me know (


 From: Keith Bostic <bostic@vangogh.CS.Berkeley.EDU>

#1 - White House-distributed Fact Sheet

Note:     The following was released by the White House today
          [4/16/93] in conjunction with the announcement of the
          Clipper Chip encryption technology.

                           FACT SHEET


The President has approved a directive on "Public Encryption
Management."  The directive provides for the following:

Advanced telecommunications and commercially available encryption
are part of a wave of new computer and communications technology. 
Encryption products scramble information to protect the privacy of
communications and data by preventing unauthorized access. 
Advanced telecommunications systems use digital technology to
rapidly and precisely handle a high volume of communications. 
These advanced telecommunications systems are integral to the
infrastructure needed to ensure economic competitiveness in the
information age.

Despite its benefits, new communications technology can also
frustrate lawful government electronic surveillance.  Sophisticated
encryption can have this effect in the United States.  When
exported abroad, it can be used to thwart foreign intelligence
activities critical to our national interests.  In the past, it has
been possible to preserve a government capability to conduct
electronic surveillance in furtherance of legitimate law
enforcement and national security interests, while at the same time
protecting the privacy and civil liberties of all citizens.  As
encryption technology improves, doing so will require new,
innovative approaches.

In the area of communications encryption, the U. S. Government has
developed a microcircuit that not only provides privacy through
encryption that is substantially more robust than the current
government standard, but also permits escrowing of the keys needed
to unlock the encryption.  The system for the escrowing of keys
will allow the government to gain access to encrypted information
only with appropriate legal authorization.

To assist law enforcement and other government agencies to collect
and decrypt, under legal authority, electronically transmitted
information, I hereby direct the following action to be taken:


The Attorney General of the United States, or her representative,
shall request manufacturers of communications hardware which
incorporates encryption to install the U.S. government-developed
key-escrow microcircuits in their products.  The fact of law
enforcement access to the escrowed keys will not be concealed from
the American public.  All appropriate steps shall be taken to
ensure that any existing or future versions of the key-escrow
microcircuit are made widely available to U.S. communications
hardware manufacturers, consistent with the need to ensure the
security of the key-escrow system.  In making this decision, I do
not intend to prevent the private sector from developing, or the
government from approving, other microcircuits or algorithms that
are equally effective in assuring both privacy and a secure key-
escrow system.


The Attorney General shall make all arrangements with appropriate
entities to hold the keys for the key-escrow microcircuits
installed in communications equipment.  In each case, the key
holder must agree to strict security procedures to prevent
unauthorized release of the keys.  The keys shall be released only
to government agencies that have established their authority to
acquire the content of those communications that have been
encrypted by devices containing the microcircuits.  The Attorney
General shall review for legal sufficiency the procedures by which
an agency establishes its authority to acquire the content of such


The Secretary of Commerce, in consultation with other appropriate
U.S. agencies, shall initiate a process to write standards to
facilitate the procurement and use of encryption devices fitted
with key-escrow microcircuits in federal communications systems
that process sensitive but unclassified information.  I expect this
process to proceed on a schedule that will permit promulgation of
a final standard within six months of this directive. 

The Attorney General will procure and utilize encryption devices to
the extent needed to preserve the government's ability to conduct
lawful electronic surveillance and to fulfill the need for secure
law enforcement communications.  Further, the Attorney General
shall utilize funds from the Department of Justice Asset Forfeiture
Super Surplus Fund to effect this purchase.

#2 - Dorothy Denning's Revised Technical Summary

Date: 21 Apr 93 19:26:15 -0400

Here is a revised version of my summary which corrects some errors
and provides some additional information and explanation.


                               Dorothy Denning

                           Revised, April 21, 1993


On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement.  At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys.  Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.


The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack."  The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES).  It supports all 4 DES modes of
operation.  The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number (this length is subject to change)
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

The chips are programmed by Mykotronx, Inc., which calls them the
"MYK-78."  The silicon is supplied by VLSI Technology Inc.  They are
implemented in 1 micron technology and will initially sell for about
$30 each in quantities of 10,000 or more.  The price should drop as the
technology is shrunk to .8 micron.


To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end.  This key negotiation takes place
without the Clipper Chip.  In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice).  The
telephone security device feeds K and M into the chip to produce two

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement field , 

which are transmitted over the telephone line.  The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F.  The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

The ciphertext E[M; K] is decrypted by the receiver's device using the
session key:

   D[E[M; K]; K] = M .


All Clipper Chips are programmed inside a SCIF (Secure Compartmented
Information Facility), which is essentially a vault.  The SCIF contains
a laptop computer and equipment to program the chips.  About 300 chips
are programmed during a single session.  The SCIF is located at

At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault.  Agent 1 enters a secret, random
80-bit value S1 into the laptop and agent 2 enters a secret, random
80-bit value S2. These random values serve as seeds to generate unit
keys for a sequence of serial numbers.  Thus, the unit keys are a
function of 160 secret, random bits, where each agent knows only 80.
To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:

        R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:  

        R2 = E[D[E[N2; S1]; S2]; S1] 
        R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2.  The
rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
are the key parts that are separately escrowed with the two escrow

As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks.  The first disk contains a
file for each serial number that contains the corresponding key part
U1.  The second disk is similar but contains the U2 values.  The third
disk contains the unit keys U.  Agent 1 takes the first disk and agent
2 takes the second disk.  Thus each agent walks away knowing
an 80-bit seed and the 80-bit key parts.  However, the agent does not
know the other 80 bits used to generate the keys or the other 80-bit
key parts.  

The third disk is used to program the chips.  After the chips are
programmed, all information is discarded from the vault and the agents
leave.  The laptop may be destroyed for additional assurance that no
information is left behind.
The protocol may be changed slightly so that four people are in the
room instead of two.  The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies. 

The escrow agencies have as yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency.  One or
both may be independent from the government.


When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line.  Let us assume that the tap is in
place and that they have determined that the line is encrypted with the
Clipper Chip.  The law enforcement field is first decrypted with the
family key F, giving E[K; U] + N.  Documentation certifying that a tap
has been authorized for the party associated with serial number N is
then sent (e.g., via secure FAX) to each of the key escrow agents, who
return (e.g., also via secure FAX) U1 and U2.  U1 and U2 are XORed
together to produce the unit key U, and E[K; U] is decrypted to get the
session key K.  Finally the message stream is decrypted.  All this will
be accomplished through a special black box decoder.


A successor to the Clipper Chip, called "Capstone" by the government
and "MYK-80" by Mykotronx, has already been developed.  It will include
the Skipjack algorithm, the Digital Signature Standard (DSS), the
Secure Hash Algorithm (SHA), a method of key exchange, a fast
exponentiator, and a randomizer.  A prototoype will be available for
testing on April 22, and the chips are expected to be ready for
delivery in June or July.

information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
distribute this document is granted.

#4 - Computer Professionals for Social Responsibility

April 16, 1993									
Washington, DC


	Computer Professionals for Social Responsibility (CPSR) 
today called for the public disclosure of technical data 
underlying the government's newly-announced "Public Encryption 
Management" initiative.  The new cryptography scheme was 
announced today by the White House and the National Institute 
for Standards and Technology (NIST), which will implement the 
technical specifications of the plan.  A NIST spokesman 
acknowledged that the National Security Agency (NSA), the super-
secret military intelligence agency, had actually developed the 
encryption technology around which the new initiative is built.

	According to NIST, the technical specifications and the 
Presidential directive establishing the plan are classified.  To 
open the initiative to public review and debate, CPSR today 
filed a series of Freedom of Information Act (FOIA) requests 
with key agencies, including NSA, NIST, the National Security 
Council and the FBI for information relating to the encryption 
plan.  The CPSR requests are in keeping with the spirit of the 
Computer Security Act, which Congress passed in 1987 in order to 
open the development of non-military computer security standards 
to public scrutiny and to limit NSA's role in the creation of 
such standards.

	CPSR previously has questioned the role of NSA in 
developing the so-called "digital signature standard" (DSS), a 
communications authentication technology that NIST proposed for 
government-wide use in 1991.  After CPSR sued NIST in a FOIA 
lawsuit last year, the civilian agency disclosed for the first 
time that NSA had, in fact, developed that security standard.  
NSA is due to file papers in federal court next week justifying 
the classification of records concerning its creation of the 

	David Sobel, CPSR Legal Counsel, called the 
administration's apparent commitment to the privacy of 
electronic communications, as reflected in today's official 
statement,  "a step in the right direction."  But he questioned 
the propriety of NSA's role in the process and the apparent 
secrecy that has thus far shielded the development process from 
public scrutiny.  "At a time when we are moving towards the 
development of a new information infrastructure, it is vital 
that standards designed to protect personal privacy be 
established openly and with full public participation.  It is 
not appropriate for NSA -- an agency with a long tradition of 
secrecy and opposition to effective civilian cryptography -- to 
play a leading role in the development process." 

	CPSR is a national public-interest alliance of computer 
industry professionals dedicated to examining the impact of 
technology on society.   CPSR has 21 chapters in the U.S. and 
maintains offices in Palo Alto, California, Cambridge, 
Massachusetts and Washington, DC.  For additional information on 
CPSR, call (415) 322-3778 or e-mail <>.

#3 - Electronic Freedom Foundation

                       April 16, 1993


       The Clinton Administration today made a major announcement 
on cryptography policy which will effect the privacy and security of 
millions of Americans.  The first part of the plan is to begin a 
comprehensive inquiry into major communications privacy issues 
such as export controls which have effectively denied most people 
easy access to robust encryption as well as law enforcement issues 
posed by new technology.

       However, EFF is very concerned that the Administration has 
already reached a conclusion on one critical part of the inquiry, before 
any public comment or discussion has been allowed.  Apparently, the 
Administration is going to use its leverage to get all telephone 
equipment vendors to adopt a voice encryption standard developed 
by the National Security Agency. The so-called "Clipper Chip" is an 
80-bit, split key escrowed encryption scheme which will be built into 
chips manufactured by a military contractor.  Two separate escrow 
agents would store users' keys, and be required to turn them over 
law enforcement upon presentation of a valid warrant.  The 
encryption scheme used is to be classified, but they chips will be 
available to any manufacturer for incorporation into their 
communications products.

       This proposal raises a number of serious concerns .

       First, the Administration appears to be adopting a solution 
before conducting an inquiry.  The NSA-developed Clipper chip may 
not be the most secure product. Other vendors or developers may 
have better schemes. Furthermore, we should not rely on the 
government as the sole source for Clipper or any other chips.  Rather,
independent chip manufacturers should be able to produce chipsets 
based on open standards.

       Second, an algorithm can not be trusted unless it can be tested. 
Yet the Administration proposes to keep the chip algorithm 
classified.  EFF believes that any standard adopted ought to be public 
and open.  The public will only have confidence in the security of a 
standard that is open to independent, expert scrutiny.  

       Third, while the use of the split-key, dual-escrowed 
system may prove to be a reasonable balance between privacy and 
law enforcement needs, the details of this scheme must be explored 
publicly before it is adopted.  What will give people confidence in the 
safety of their keys?  Does disclosure of keys to a third party waive 
individual's fifth amendment rights in subsequent criminal 

       In sum, the Administration has shown great sensitivity to the 
importance of these issues by planning a comprehensive inquiry into 
digital privacy and security.  However, the "Clipper chip" solution 
ought to be considered as part of the inquiry, not be adopted before 
the discussion even begins.



The 80-bit key will be divided between two escrow agents, each of 
whom hold 40 bits of each key.  Upon presentation of a valid 
warrant, the two escrow agents would have to turn the key parts 
over to law enforcement agents.  Most likely the Attorney General 
will be asked to identify appropriate escrow agents.  Some in the 
Administration have suggested one non-law enforcement federal 
agency, perhaps the Federal Reserve, and one non-governmental 
organization.  But, there is no agreement on the identity of the agents 

Key registration would be done by the manufacturer of the 
communications device.  A key is tied to the device, not to the person 
using it.


The Administration claims that there are no back door means by 
which the government or others could break the code without 
securing keys from the escrow agents and that the President will 
be told there are no back doors to this classified algorithm.  In order 
to prove this, Administration sources are interested in arranging for 
an all-star crypto cracker team to come in, under a security 
arrangement, and examine the algorithm for trap doors.  The results 
of the investigation would then be made public.


In order to get a market moving, and to show that the government 
believes in the security of this system, the feds will be the first big 
customers for this product.  Users will include the FBI, Secret Service, 
VP Al Gore, and maybe even the President. 


Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel +1 202 544 3077

[=] © 1993 Peter Langston []