Click for homepage
Chips
Crypto
Phone
NSA
USA
  
SKIPJACK →
  
Clipper Chip
Cryptographic Key Escrow

The Clipper Chip was a cryptographic chipset developed and promoted by the US Government. It was intended for implementation in secure voice equipment, such as crypto phones, and required its users to surrender their cryptographic keys in escrow to the government. This would allow law enforcement agencies (CIA, FBI), to decrypt any traffic for surveillance and intelligence purposes. The controversial Clipper Chip was announced in 1993 and was already defunct by 1996 [1].

The physical chip was designed by Mykotronx (USA) and manufactured by VLSI Technology Inc. (USA). The initial cost for an unprogrammed chip was $16 and a programmed one costed $26.

The image on the right shows the Mykotronx MYK78T chip as it is present inside the AT&T's TSD-3600-E telephone encryptor. The chip is soldered directly to the board (i.e. not socketed) and was thought to be tamper-proof (see below). The AT&T TSD-3600 telephone encryptor was the first and only product that featured the ill-fated Clipper Chip before it was withdrawn.
  

In order to provide a level of protection against misuse of the key by law enforcement agencies, it was agreed that the Unit Key of each device with a clipper chip, would be held in escrow jointly by two federal agencies. This means that the actual Unit Key was split in two parts, each of which was given to one of the agencies. In order to reconstruct the actual Unit Key, the database of both agencies had to be accessed and the two half-Unit Keys had to be combined by bitwise XOR [3].


Skipjack Algorithm
The Clipper Chip used the Skipjack encryption algorithm for the transmission of information, and the Diffie-Hellman key exchange algorithm for the distribution of the cryptographic session keys between peers. Both algorithms are believed to provide good security.

The Skipjack algorithm was developed by the NSA and was classed an NSA Type 2 encryption product. The algorithm was initially classified as SECRET, so that it could not be examined in the usual manner by the encryption research community. After much debate, the Skipjack algorithm was finally declassified and published by the NSA on 24 June 1998 [2]. It uses an 80-bit key and a symmetric cipher algorithm, similar to DES.

 More about Skipjack


Key Escrow
The heart of the concept was Key Escrow. Any device with a Clipper Chip inside (e.g. a crypto phone) would be assigned a cryptographic key, which would be given to the government in escrow. The user would then assume the government to be the so-called trusted third party. If government agencies "established their authority" to intercept a particular communication, the key would be given to that agency, so that all data transmitted by the subject could be decrypted.

The concept of Key Escrow raised much debate and became heavily disputed. The Electronic Frontier Foundation (EFF), established in 1990, preferred the term Key Surrender to stress what, according to them, was actually happening. Together with other public interest organizations, such as the Electronic Privacy Information Center, the EFF challenged the Clipper Chip proposal, saying that it would be illegal and also ineffective, as criminals wouldn't use it anyway.

In response to the Clipper Chip initiative by the US Government, a number of very strong public encryption packages were released, such as Nautilus, PGP and PGPfone. It was thought that, if strong cryptography was widely available to the public, the government would be unable to stop its use. This approach appeared to be effective, causing the premature 'death' of the Clipper Chip, and with it the death of Key Escrow in general.


Weakness
In 1993, AT&T Bell produced the first and only telephone encryptor based on the Clipper Chip: the TSD-3600. A year later, in 1994, Matt Blaze, a researcher at AT&T, published a major design flaw in the Escrowed Encryption System (EES). A malicious party could tamper the software and use the Clipper Chip as an encryption device, while disabling the key escrow capability.

When establishing a connection, the Clipper Chip transmits a 128-bit Law Enforcement Access Field (LEAF). The diagram below shows how the LEAF was established. The LEAF contains infor­mation needed by the intercepting agencies to establish the corresponding encryption key.


To prevent the software from tampering with the LEAF, a 16-bit hash code was included. If the hash didn't match, the Clipper Chip would not decrypt any messages. The 16-bit hash however, was too short to be safe, and a brute force attack would easily produce the same hash for a fake session key, thus not revealing the actual keys [3] . If a malicious user would tamper the device's software in this way, law enforcement agencies would not be able to reproduce the actual session key. As a result, they would not be able to decrypt the traffic.


Interior
Since the Clipper-project has failed, we think it is safe to show you the contents of the chip. Although this is something we would not normally do, this one is too good to be missed. Below, Travis Goodspeed shows us how easy it is to open the package and reverse-engineer a chip [4]. Luckily, according to Kerckhoff's principle, the secret is in the key and not in the device [5].


The black dots along the four edges are the connection pads of the chip. The image was publised on Travis' photostream on Flickr and is reproduced here with his kind permission. Click the image for a hi-res version. Note that this is a large file (18MB) which may take some time to download.


Information on Wikipedia
References
  1. Wikipedia, Clipper chip
    Retrieved June 2009.

  2. Wikipedia, Skipjack (cipher)
    Retrieved June 2009.

  3. Matt Blaze, Protocol Failure in the Escrowed Encryption Standard
    AT&T Bell Laboratories. 20 August 1994.

  4. Travis Goodspeed, Hi-res image of MYK-78 Clipper Chip
    24 April 2009. Image reproduced here by kind permission from the author.

  5. Wikipedia, Kerckhoff's principle
    Retrieved April 2013.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Wednesday 09 February 2011. Last changed: Tuesday, 14 May 2024 - 22:38 CET.
Click for homepage