Clipper Chip
Cryptographic Key Escrow

The Clipper Chip was a chipset developed and promoted by the US Government. It was intended for implementation in secure voice equipment, such as crypto phones, and required users to give their cryptographic keys in escrow to the government. This would allow law enforcement agencies to decrypt any traffic for surveillance and intelligence purposes. The controversial Clipper Chip was announced in 1993 and was already defunct by 1996 [1].
 
The physical chip was designed by Mykotronx (USA) and fabricated by VLSI Technology Inc. (USA). The initial cost for an unprogrammed chip was $16 and $26 for a programmed one.

The image on the right shows the Mykotronx MYK78T chip as it is present inside the TSD-3600-E phone encryptor by AT&T. The chip is soldered directly to the board (i.e. not socketed) and was thought to be tamper-proof (see below under 'Weakness'). The AT&T TSD-3600 was the first and only telephone encryptor that featured the ill-fated Clipper Chip.
  
Close-up of the Clipper Chip inside the TSD-3600

 
Skipjack Algorithm
The Clipper Chip used the Skipjack encryption algorithm for the transmission of information, and the Diffie-Hellman key exchange algorithm for the distribution of the cryptographic session keys between peers.

The Skipjack algorithm was developed by the NSA and was classed as an NSA Type 2 encryption device. The algorithm was initially classified as SECRET, so that it could not be examined in the usual manner by the encryption research community. After much debate, the Skipjack algorithm was finally declassified and published by the NSA on 24 June 1998 [2]. It used an 80-bit key and a symmetric cipher algorithm, similar to DES.
 
Key Escrow
The heart of the concept was key escrow. Any device with a Clipper Chip inside (e.g. a crypto phone) would be assigned a cryptographic key, which would be given to the government in escrow. The user would then assume the government to be the so-called trusted third party. If government agencies "established their authority" to intercept a particular communication, the key would be given to that agency, so that all data transmitted by the subject could be decrypted.

The concept of Key Escrow raised much debate and became heavily disputed. The Electronic Frontier Foundation (EFF), established in 1990, preferred the term Key Surrender to stress what, according to them, was actually happening. Together with other public interest organizations, such as the Electronic Privacy Information Center, the EFF challenged the Clipper Chip proposal, saying that it would be illegal and ineffective.

In response to the Clipper Chip initiative by the US Government, a number of very strong encryption packages were released, such as Nautilus, PGP and PGPfone. It was thought that if strong cryptography was widely available to the public, the government would be unable to stop its use. This approach appeared to be effective, causing the premature 'death' of the Clipper Chip, and with it the death of Key Escrow in general.
 
Weakness
In 1993, AT&T Bell produced the first and only telephone encryptor based on a Clipper Chip: the TSD-3600. In 1994, Matt Blaze, a researcher at AT&T, published a major design flaw in the Escrowed Encryption System (EES). A malicious party could tamper with the software and use the Clipper Chip as an encryption device, whilst disabling the key escrow capability.


When establishing a connection, the Clipper Chip transmits a 128-bit Law Enforcement Access Field (LEAF). The above diagram shows how the LEAF was established. The LEAF contained information needed by the intercepting agency to establish the encryption key.

To prevent the software from tampering with the LEAF, a 16-bit hash code was included. If the hash didn't match, the Clipper Chip would not decrypt any messages. The 16-bit hash, however, was too short to be safe, and a brute force attack would easily produce the same hash for a fake session key, thus not revealing the actual keys [3]. If a malicious user tampered with the device's software in this way, law enforcement agencies would not be able to reproduce the actual session key. As a result, they would not be able to decrypt the traffic.
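The following added example (not code from this page, from Blaze's paper or from the EES itself) models the check described above to show why the checksum length sets the integrity margin: a toy receiver validates a 128-bit LEAF by its trailing checksum, and the script counts how many random LEAFs it takes before one is accepted. The truncated HMAC-SHA256 checksum, the chip secret, the sample key and all class and function names are assumptions made for the model.

```python
import hashlib
import hmac
import random

LEAF_BITS = 128  # LEAF size given in the text

class ModelChip:
    # Toy receiver: accepts a LEAF only if its trailing checksum matches.
    # Assumption: truncated HMAC-SHA256 under a chip-internal secret stands in
    # for the real checksum and its protection inside the chip.
    def __init__(self, secret: bytes, tag_bits: int = 16):
        self._secret = secret
        self.tag_bits = tag_bits

    def _tag(self, body: int, session_key: bytes) -> int:
        raw = body.to_bytes(LEAF_BITS // 8, "big") + session_key
        mac = hmac.new(self._secret, raw, hashlib.sha256).digest()
        return int.from_bytes(mac, "big") >> (256 - self.tag_bits)

    def make_leaf(self, escrow_body: int, session_key: bytes) -> int:
        return (escrow_body << self.tag_bits) | self._tag(escrow_body, session_key)

    def accepts(self, leaf: int, session_key: bytes) -> bool:
        body, tag = leaf >> self.tag_bits, leaf & ((1 << self.tag_bits) - 1)
        return tag == self._tag(body, session_key)

def trials_until_accepted(chip, session_key, rng, limit):
    """Submit random LEAFs; return (trial count, LEAF) for the first one accepted."""
    for n in range(1, limit + 1):
        candidate = rng.getrandbits(LEAF_BITS)
        if chip.accepts(candidate, session_key):
            return n, candidate
    return None, None

def expected_trials(tag_bits: int) -> int:
    """Average number of random guesses needed to match a tag of this length."""
    return 1 << tag_bits

if __name__ == "__main__":
    chip = ModelChip(b"constructed-chip-secret")         # constructed sample value
    session_key = bytes.fromhex("00112233445566778899")  # constructed 80-bit key
    n, bogus = trials_until_accepted(chip, session_key, random.Random(1), 2_000_000)
    print(f"16-bit checksum: random LEAF accepted after {n} trials")
    # The same search against longer checksums, by expected work only.
    for bits in (16, 32, 64, 128):
        print(f"{bits:3d}-bit checksum: about 2^{bits} = {expected_trials(bits)} trials")
```

The accepted LEAF carries random contents rather than the escrowed key material, which is the failure the text describes; each extra checksum bit doubles the expected number of trials.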
 
Interior
Since the Clipper-project has failed, we think it is safe to show you the contents of the chip. Although this is something we would not normally do, this one is too good to be missed. Below, Travis Goodspeed [4] shows us how easy it is to open the package and reverse-engineer a chip. Luckily, according to Kerckhoffs's principle, the secret is in the key and not in the device [5].

Interior of the ill-fated MYK-78 Clipper Chip

The black dots along the four edges are the connection pads of the chip. The image was published on Travis' photostream on Flickr and is reproduced here with his kind permission. Click the image for a hi-res version. Note that this is a large file (18MB!) which may take some time to download.
 
References
  1. Wikipedia, Clipper chip
    Retrieved June 2009.

  2. Wikipedia, Skipjack (cipher)
    Retrieved June 2009.

  3. Matt Blaze, Protocol Failure in the Escrowed Encryption Standard
    AT&T Bell Laboratories. 20 August 1994.

  4. Travis Goodspeed, Hi-res image of MYK-78 Clipper Chip
    24 April 2009. Image reproduced here by kind permission from the author.

  5. Wikipedia, Kerckhoffs's principle
    Retrieved April 2013.

Copyright 2009-2013, Paul Reuvers & Marc Simons. Last changed: Wednesday, 12 February 2014 - 11:00 CET