They've decided that we should just trust them...
Date: Wed, 28 Apr 93 17:30:30 PDT
Subject: They've decided that we should just trust them...
Okay, I admit it; this one isn't so much fun...
Here are four of six articles distributed by Keith Bostic on the new
encryption algorithm which is to be produced as the "Clipper Chip." The
#1 - White House-distributed Fact Sheet (4/16/93)
#2 - Dorothy Denning's Revised Technical Summary of (4/21/93)
#3 - Computer Professionals for Social Responsibility response (4/16/93)
#4 - Electronic Freedom Foundation response (4/16/93)
The two articles that I didn't include are the original White House
announcement (pretty long) and Dorothy Denning's original technical summary of
April 19. If you want them, let me know (email@example.com).
From: Keith Bostic <bostic@vangogh.CS.Berkeley.EDU>
#1 - White House-distributed Fact Sheet
Note: The following was released by the White House today
[4/16/93] in conjunction with the announcement of the
Clipper Chip encryption technology.
PUBLIC ENCRYPTION MANAGEMENT
The President has approved a directive on "Public Encryption
Management." The directive provides for the following:
Advanced telecommunications and commercially available encryption
are part of a wave of new computer and communications technology.
Encryption products scramble information to protect the privacy of
communications and data by preventing unauthorized access.
Advanced telecommunications systems use digital technology to
rapidly and precisely handle a high volume of communications.
These advanced telecommunications systems are integral to the
infrastructure needed to ensure economic competitiveness in the
Despite its benefits, new communications technology can also
frustrate lawful government electronic surveillance. Sophisticated
encryption can have this effect in the United States. When
exported abroad, it can be used to thwart foreign intelligence
activities critical to our national interests. In the past, it has
been possible to preserve a government capability to conduct
electronic surveillance in furtherance of legitimate law
enforcement and national security interests, while at the same time
protecting the privacy and civil liberties of all citizens. As
encryption technology improves, doing so will require new,
In the area of communications encryption, the U. S. Government has
developed a microcircuit that not only provides privacy through
encryption that is substantially more robust than the current
government standard, but also permits escrowing of the keys needed
to unlock the encryption. The system for the escrowing of keys
will allow the government to gain access to encrypted information
only with appropriate legal authorization.
To assist law enforcement and other government agencies to collect
and decrypt, under legal authority, electronically transmitted
information, I hereby direct the following action to be taken:
INSTALLATION OF GOVERNMENT-DEVELOPED MICROCIRCUITS
The Attorney General of the United States, or her representative,
shall request manufacturers of communications hardware which
incorporates encryption to install the U.S. government-developed
key-escrow microcircuits in their products. The fact of law
enforcement access to the escrowed keys will not be concealed from
the American public. All appropriate steps shall be taken to
ensure that any existing or future versions of the key-escrow
microcircuit are made widely available to U.S. communications
hardware manufacturers, consistent with the need to ensure the
security of the key-escrow system. In making this decision, I do
not intend to prevent the private sector from developing, or the
government from approving, other microcircuits or algorithms that
are equally effective in assuring both privacy and a secure key-
The Attorney General shall make all arrangements with appropriate
entities to hold the keys for the key-escrow microcircuits
installed in communications equipment. In each case, the key
holder must agree to strict security procedures to prevent
unauthorized release of the keys. The keys shall be released only
to government agencies that have established their authority to
acquire the content of those communications that have been
encrypted by devices containing the microcircuits. The Attorney
General shall review for legal sufficiency the procedures by which
an agency establishes its authority to acquire the content of such
PROCUREMENT AND USE OF ENCRYPTION DEVICES
The Secretary of Commerce, in consultation with other appropriate
U.S. agencies, shall initiate a process to write standards to
facilitate the procurement and use of encryption devices fitted
with key-escrow microcircuits in federal communications systems
that process sensitive but unclassified information. I expect this
process to proceed on a schedule that will permit promulgation of
a final standard within six months of this directive.
The Attorney General will procure and utilize encryption devices to
the extent needed to preserve the government's ability to conduct
lawful electronic surveillance and to fulfill the need for secure
law enforcement communications. Further, the Attorney General
shall utilize funds from the Department of Justice Asset Forfeiture
Super Surplus Fund to effect this purchase.
#2 - Dorothy Denning's Revised Technical Summary
Subject: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP
Date: 21 Apr 93 19:26:15 -0400
Here is a revised version of my summary which corrects some errors
and provides some additional information and explanation.
THE CLIPPER CHIP: A TECHNICAL SUMMARY
Revised, April 21, 1993
On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement. At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys. Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.
The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack." The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES). It supports all 4 DES modes of
operation. The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.
Each chip includes the following components:
the Skipjack encryption algorithm
F, an 80-bit family key that is common to all chips
N, a 30-bit serial number (this length is subject to change)
U, an 80-bit secret key that unlocks all messages encrypted with the chip
The chips are programmed by Mykotronx, Inc., which calls them the
"MYK-78." The silicon is supplied by VLSI Technology Inc. They are
implemented in 1 micron technology and will initially sell for about
$30 each in quantities of 10,000 or more. The price should drop as the
technology is shrunk to .8 micron.
ENCRYPTING WITH THE CHIP
To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be). Suppose I call someone and
we both have such a device. After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end. This key negotiation takes place
without the Clipper Chip. In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.
Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice). The
telephone security device feeds K and M into the chip to produce two
E[M; K], the encrypted message stream, and
E[E[K; U] + N; F], a law enforcement field ,
which are transmitted over the telephone line. The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F. The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.
The ciphertext E[M; K] is decrypted by the receiver's device using the
D[E[M; K]; K] = M .
CHIP PROGRAMMING AND ESCROW
All Clipper Chips are programmed inside a SCIF (Secure Compartmented
Information Facility), which is essentially a vault. The SCIF contains
a laptop computer and equipment to program the chips. About 300 chips
are programmed during a single session. The SCIF is located at
At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault. Agent 1 enters a secret, random
80-bit value S1 into the laptop and agent 2 enters a secret, random
80-bit value S2. These random values serve as seeds to generate unit
keys for a sequence of serial numbers. Thus, the unit keys are a
function of 160 secret, random bits, where each agent knows only 80.
To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:
R1 = E[D[E[N1; S1]; S2]; S1] .
Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:
R2 = E[D[E[N2; S1]; S2]; S1]
R3 = E[D[E[N3; S1]; S2]; S1] .
R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2. The
rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2
are the key parts that are separately escrowed with the two escrow
As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks. The first disk contains a
file for each serial number that contains the corresponding key part
U1. The second disk is similar but contains the U2 values. The third
disk contains the unit keys U. Agent 1 takes the first disk and agent
2 takes the second disk. Thus each agent walks away knowing
an 80-bit seed and the 80-bit key parts. However, the agent does not
know the other 80 bits used to generate the keys or the other 80-bit
The third disk is used to program the chips. After the chips are
programmed, all information is discarded from the vault and the agents
leave. The laptop may be destroyed for additional assurance that no
information is left behind.
The protocol may be changed slightly so that four people are in the
room instead of two. The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies.
The escrow agencies have as yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency. One or
both may be independent from the government.
LAW ENFORCEMENT USE
When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line. Let us assume that the tap is in
place and that they have determined that the line is encrypted with the
Clipper Chip. The law enforcement field is first decrypted with the
family key F, giving E[K; U] + N. Documentation certifying that a tap
has been authorized for the party associated with serial number N is
then sent (e.g., via secure FAX) to each of the key escrow agents, who
return (e.g., also via secure FAX) U1 and U2. U1 and U2 are XORed
together to produce the unit key U, and E[K; U] is decrypted to get the
session key K. Finally the message stream is decrypted. All this will
be accomplished through a special black box decoder.
CAPSTONE: THE NEXT GENERATION
A successor to the Clipper Chip, called "Capstone" by the government
and "MYK-80" by Mykotronx, has already been developed. It will include
the Skipjack algorithm, the Digital Signature Standard (DSS), the
Secure Hash Algorithm (SHA), a method of key exchange, a fast
exponentiator, and a randomizer. A prototoype will be available for
testing on April 22, and the chips are expected to be ready for
delivery in June or July.
ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. This article is based on
information provided by NSA, NIST, FBI, and Mykotronx. Permission to
distribute this document is granted.
#4 - Computer Professionals for Social Responsibility
April 16, 1993
COMPUTER PROFESSIONALS CALL FOR PUBLIC
DEBATE ON NEW GOVERNMENT ENCRYPTION INITIATIVE
Computer Professionals for Social Responsibility (CPSR)
today called for the public disclosure of technical data
underlying the government's newly-announced "Public Encryption
Management" initiative. The new cryptography scheme was
announced today by the White House and the National Institute
for Standards and Technology (NIST), which will implement the
technical specifications of the plan. A NIST spokesman
acknowledged that the National Security Agency (NSA), the super-
secret military intelligence agency, had actually developed the
encryption technology around which the new initiative is built.
According to NIST, the technical specifications and the
Presidential directive establishing the plan are classified. To
open the initiative to public review and debate, CPSR today
filed a series of Freedom of Information Act (FOIA) requests
with key agencies, including NSA, NIST, the National Security
Council and the FBI for information relating to the encryption
plan. The CPSR requests are in keeping with the spirit of the
Computer Security Act, which Congress passed in 1987 in order to
open the development of non-military computer security standards
to public scrutiny and to limit NSA's role in the creation of
CPSR previously has questioned the role of NSA in
developing the so-called "digital signature standard" (DSS), a
communications authentication technology that NIST proposed for
government-wide use in 1991. After CPSR sued NIST in a FOIA
lawsuit last year, the civilian agency disclosed for the first
time that NSA had, in fact, developed that security standard.
NSA is due to file papers in federal court next week justifying
the classification of records concerning its creation of the
David Sobel, CPSR Legal Counsel, called the
administration's apparent commitment to the privacy of
electronic communications, as reflected in today's official
statement, "a step in the right direction." But he questioned
the propriety of NSA's role in the process and the apparent
secrecy that has thus far shielded the development process from
public scrutiny. "At a time when we are moving towards the
development of a new information infrastructure, it is vital
that standards designed to protect personal privacy be
established openly and with full public participation. It is
not appropriate for NSA -- an agency with a long tradition of
secrecy and opposition to effective civilian cryptography -- to
play a leading role in the development process."
CPSR is a national public-interest alliance of computer
industry professionals dedicated to examining the impact of
technology on society. CPSR has 21 chapters in the U.S. and
maintains offices in Palo Alto, California, Cambridge,
Massachusetts and Washington, DC. For additional information on
CPSR, call (415) 322-3778 or e-mail <firstname.lastname@example.org>.
#3 - Electronic Freedom Foundation
April 16, 1993
INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY
The Clinton Administration today made a major announcement
on cryptography policy which will effect the privacy and security of
millions of Americans. The first part of the plan is to begin a
comprehensive inquiry into major communications privacy issues
such as export controls which have effectively denied most people
easy access to robust encryption as well as law enforcement issues
posed by new technology.
However, EFF is very concerned that the Administration has
already reached a conclusion on one critical part of the inquiry, before
any public comment or discussion has been allowed. Apparently, the
Administration is going to use its leverage to get all telephone
equipment vendors to adopt a voice encryption standard developed
by the National Security Agency. The so-called "Clipper Chip" is an
80-bit, split key escrowed encryption scheme which will be built into
chips manufactured by a military contractor. Two separate escrow
agents would store users' keys, and be required to turn them over
law enforcement upon presentation of a valid warrant. The
encryption scheme used is to be classified, but they chips will be
available to any manufacturer for incorporation into their
This proposal raises a number of serious concerns .
First, the Administration appears to be adopting a solution
before conducting an inquiry. The NSA-developed Clipper chip may
not be the most secure product. Other vendors or developers may
have better schemes. Furthermore, we should not rely on the
government as the sole source for Clipper or any other chips. Rather,
independent chip manufacturers should be able to produce chipsets
based on open standards.
Second, an algorithm can not be trusted unless it can be tested.
Yet the Administration proposes to keep the chip algorithm
classified. EFF believes that any standard adopted ought to be public
and open. The public will only have confidence in the security of a
standard that is open to independent, expert scrutiny.
Third, while the use of the split-key, dual-escrowed
system may prove to be a reasonable balance between privacy and
law enforcement needs, the details of this scheme must be explored
publicly before it is adopted. What will give people confidence in the
safety of their keys? Does disclosure of keys to a third party waive
individual's fifth amendment rights in subsequent criminal
In sum, the Administration has shown great sensitivity to the
importance of these issues by planning a comprehensive inquiry into
digital privacy and security. However, the "Clipper chip" solution
ought to be considered as part of the inquiry, not be adopted before
the discussion even begins.
DETAILS OF THE PROPOSAL:
The 80-bit key will be divided between two escrow agents, each of
whom hold 40 bits of each key. Upon presentation of a valid
warrant, the two escrow agents would have to turn the key parts
over to law enforcement agents. Most likely the Attorney General
will be asked to identify appropriate escrow agents. Some in the
Administration have suggested one non-law enforcement federal
agency, perhaps the Federal Reserve, and one non-governmental
organization. But, there is no agreement on the identity of the agents
Key registration would be done by the manufacturer of the
communications device. A key is tied to the device, not to the person
CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS
The Administration claims that there are no back door means by
which the government or others could break the code without
securing keys from the escrow agents and that the President will
be told there are no back doors to this classified algorithm. In order
to prove this, Administration sources are interested in arranging for
an all-star crypto cracker team to come in, under a security
arrangement, and examine the algorithm for trap doors. The results
of the investigation would then be made public.
GOVERNMENT AS MARKET DRIVER
In order to get a market moving, and to show that the government
believes in the security of this system, the feds will be the first big
customers for this product. Users will include the FBI, Secret Service,
VP Al Gore, and maybe even the President.
FROM MORE INFORMATION CONTACT:
Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel +1 202 544 3077
© 1993 Peter Langston