Flaws in the Clipper Chip

From p. 60 of the June 13, 1994 Newsweek:

... The Clipper chip, after all, was invented by the same government whose space satellite vanished on route to Mars and who can't delete dead men from its computerized Social Security rolls. Now computer scientist Matthew Blaze, 32, of AT&T Bell Labs has found that Clipper is flawed, too ...

The flaw, finds Blaze, lies in how the encryption system begins a transmission. Say a person computer contains the souped-up version of the Clipper chip on the Tessera card, which fits laptops and many PCs. Before the computer sends encrypted e-mail, it transmits a 128-bit string that includes the serial number of its encryption device, a number identifying which of myriad codes is being used, and digits that check the first two. Together, these strings are the chip's LEAF (Law Enforcement Access Field) . The receiving computer must recognize the LEAF as valid before it can decode the message. The LEAF also tells an authorized wiretapper which key it needs to decrypt the subsequent messages. (Two federal agencies hold the keys to Clipper codes, and release them only to law-enforcement officials with a court order for a cybertap.) Armed with the key, agents easily unscramble the message. But, Blaze explains in the draft of a paper obtained by Newsweek, someone who wants to foil eavesdroppers could transmit a rogue LEAF. When the FBI used the LEAF to retrieve the key to the code, it would come up with the wrong one. It would, to be simplistic, substitute A for 1 and B for 2, when in fact the code used Z for 1 and Y for 2. The "decoded" message would be gibberish. Even the NSA agrees with Blaze's analysis. But it emphasizes that the flaw does not apply, for technical reasons, to voice, fax and low-speed data transmissions. Blaze's discovery "in no way reduce[s] the chip's inherent security," said the NSA in a rare statement. It affects only computer-to-computer, e-mail encryption -- which is, nevertheless, a big share of what the government wants to be able to tap. Also, the NSA argues that generating rogue LEAFs is "not practical in real-world applications." But in fact the process would take, on average, only half an hour, so anyone with patience and the ability to download a rogue-LEAF software program could do it, says AT&T security specialist David Maher. But there is a greater worry. "What else might we find," asks IBM's Mark Holcomb, "if we were allowed to examine" the encryption code itself? NSA has kept it secret, telling industry that it can't be cracked -- trust us. After Blaze's discovery, that's going to be a lot harder to do.

I've lost the author and date of the following commentary:

Presumably, Clipper cannot distinguish between a data stream that actually represents audio data, and a stream that has already been pre-encoded. The result is that the Clipper-processed data stream would look like a valid sequence of data. And, in fact, it would be valid. The only problem is, the government would, at best, only be able to decrypt the outermost code. This destroys the utility of Clipper (from the standpoint of the NSA) not only for "high speed" and e-mail encryption, but also for the kinds of low speed data (voice, fax) that Blaze's new technique is not claimed to work for.

We should not be complacent, however. Clipper, if it does nothing else bad, is bad because it identifies the source of a particular data stream. To an organization like the NSA, that is extraordinarily valuable information, even if the data can't be decoded. What they really want is for cellular telephones and PCS's (Personal Communication System) to identify themselves, so that they can trace users.

[Editor's note: Since the above was written, "reverse 911" has been built into cellphones so that they are traceable.]