Cryptographic Key Escrow
The Clipper Chip was a chipset developed and promoted by the US Government.
It was intended for the implementation in secure voice equipment, such as
crypto phones, and required users to give their cryptographic keys in escrow
to the government. This would allow law enforcement agencies to decrypt any
traffic for surveillance and intelligence purposes.
The controversial Clipper Chip was announced in 1993 and was already defunct by 1996 .
The physical chip was designed by Mykotronx (USA) and
fabricated by VLSI Technology Inc. (USA). The initial cost for an unprogrammed
chip was $16 and $26 for a programmed one.
The image on the right shows the Mykotronx MYK78T chip as it is present
inside the TSD-3600-E phone encryptor by AT&T.
The chip is soldered directly to the board (i.e. not socketed)
and was thought to be temper-proof (see below under 'Weakness').
The AT&T TSD-3600 was the first and only
telephone encryptor that featured the ill-fated Clipper Chip.
The Clipper Chip used the Skipjack encryption algorithm
for the transmission
of information, and the Diffie-Hellman key exchange algorithm for the
distribution of the cryptographic session keys between peers.
The Skipjack algorithm was developed by the NSA and was classed
an NSA Type 2 encryption device.
The algorithm was initially
classified as SECRET, so that it could not be examined in the usual manner by
the encryption research community.
After much debate, the Skipjack algorithm was finally declassified and
published by the NSA on 24 June 1998 .
It used an 80-bit key and a symmetric cipher algorithm, similar to DES.
The heart of the concept was key escrow.
Any device with a Clipper Chip inside (e.g. a
crypto phone) would be assigned a
cryptographic key, which would be given to the government in escrow.
The user would then assume the government to be the so-called
trusted third party.
If government agencies "established their authority" to
intercept a particular communication, the key would be given to that agency,
so that all data transmitted by the subject could be decrypted.
The concept of Key Escrow raised much debate and became heavily disputed.
The in 1990 established Electronic Frontier Foundation (EFF) preferred the
term Key Surrender to stress what, according to them, was actually
happening. Together with other public interest organizations,
such as the Electronic Privacy Information Center, the EFF challenged
the Clipper Chip proposal, saying that it would be illegal and ineffective.
In response to the Clipper Chip initiative by the US Government,
a number of very strong encryption packages were released, such as
Nautilus, PGP and PGPfone. It was thought that if strong cryptography was
widely available to the public, the government would be unable to stop its use.
This approach appeared to be effective, causing the premature 'death' of
the Clipper Chip, and with it the death of Key Escrow in general.
In 1993, AT&T Bell produced the first and only telephone encryptor based
on a Clipper Chip: the TSD-3600.
In 1994, Matt Blaze, a researcher at AT&T, published a major design flaw
in the Escrowed Encryption System (EES). A malicious party could tamper
the software and use the Clipper Chip as an encryption device,
whilst disabling the key escrow capability.
When establishing a connection, the Clipper Chip transmits a 128-bit
Law Enforcement Access Field (LEAF). The above diagram shows how the
LEAF was established.
The LEAF contained information needed by the intercepting agency to
establish the encryption key.
To prevent the software from tampering with the LEAF, a 16-bit hash code
was included. If the hash didn't match, the Clipper Chip would not
decrypt any messages. The 16-bit hash, however, was too short to be safe,
and a brute force attack would easily produce the same hash for a fake
session key, thus not revealing the actual keys
If a malicious user would tamper the device's software in this way,
law enforcement agencies would not be able to reproduce the actual
session key. As a result, they would not be able to decrypt the
Since the Clipper-project has failed, we think it is safe to show you
the contents of the chip. Although this is something we would not normally
do, this one is too good to be missed. Below, Travis Goodspeed  shows us
how easy it is to open the package and reverse-engineer a chip.
Luckily, according to Kerckhoff's principle, the secret is in the key
and not in the device .
The black dots along the four edges are the connection pads of the chip.
The image was publised on
Travis' photostream on Flickr
and is reproduced here with his kind permission. Click the image for a
hi-res version. Note that this is a large file
(18MB!) which may take some time to download.
Any links shown in red are currently unavailable.
If you like this website, why not make a donation?|
© Copyright 2009-2013, Paul Reuvers & Marc Simons. Last changed: Wednesday, 12 February 2014 - 12:00 CET