PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page

PRIVACY Forum Digest     Thursday, 6 May 1993     Volume 02 : Issue 16

          Moderated by Lauren Weinstein (
                Vortex Technology, Topanga, CA, U.S.A.
                     ===== PRIVACY FORUM =====

          The PRIVACY Forum digest is supported in part by the 
              ACM Committee on Computers and Public Policy.

        Clipper Discussions in PRIVACY Forum 
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Where do Clipper keys come from? (John R. Levine)
        Master Keys in Clipper Scheme (Bob Baldwin)
        New NIST/NSA Revelations (David Sobel)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

ALL submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to
"".  All submissions included in this digest represent
the views of the individual authors and all submissions will be considered
to be distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  All PRIVACY Forum materials are also
available through the Internet Gopher system via a gopher server on
site "".

For information regarding the availability of this digest via FAX, please
send an inquiry to, call (310) 455-9300, or FAX
to (310) 455-2364.


   Quote for the day:

                "You Rang?"

                        -- Lurch (Ted Cassidy)
                           "The Addams Family" (1964-1966)

                        -- Maynard G. Krebs (Bob Denver)
                           "The Many Loves of Dobie Gillis" (1959-1963)


Date:    Thu, 6 May 93 21:27 PDT
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Clipper Discussions in PRIVACY Forum

Greetings.  Some of the most recent group of submissions for PRIVACY Forum
relating to Clipper were rather heavy on "hard-core" cryptographic details,
or were largely political statements (on both sides of the political fence).
The former really go beyond the scope of this forum, while the latter would
serve mainly to trigger even more highly politicized responses.  I don't
feel that either of these categories would be of too much interest to the
readership at large of PRIVACY Forum.

The Clipper-related messages that I've run in this issue of the digest are
those that I felt would be the most interesting while maintaining the
digest's focus.

A moderator's lot is not a simple one.



Date:    Fri, 30 Apr 93 23:37:35 EDT
From:    John R. Levine <>
Subject: Where do Clipper keys come from?

One of the creepiest aspects of the Clipper proposal, and one that I
haven't seen mentioned except in passing, is the process by which the chip
keys are created.  The chip key is a function of the chip's serial number,
called N in Dorothy Denning's summary, and two master keys called S1 and
S2, which are scambled together deterministically to produce the unit keys
U1 and U2.  The escrow houses keep U1 and U2.  But if you know the S1 and
S2 used to program a chip, you can recompute its keys.

Nobody has said anything about where S1 and S2 come from, and how many
chips are programmed using a particular S1 and S2.  A plausible worst case
scenario is that there is only a single S1 and S2 used for all chips, and
they were helpfully provided by the NSA.  This, of course, makes the whole
key escrow scheme a sham.

I'd think that it would be technically straightforward to use random
numbers (I mean real random numbers, from a radioactive or similar source)
as the U1 and U2.  Either the escrow house representatives could each
bring a random number generator to the programming vault, with the outputs
XOR-ed in case one of them was cheating, or if the generators emit random
bits too slowly, each escrow representative could bring a tape of random
numbers (the well known one-time pad) which is destroyed after being used.

It is hard to see any reason for the Clipper key generation scheme other
than to provide a back door to someone who knows S1 and S2.
John Levine,, {spdcc|ima|world}!iecc!johnl


Date:    Mon, 3 May 93 15:40:26 GMT
From: (Bob Baldwin)
Subject: Master Keys in Clipper Scheme

     When I looked at the details of the key generation scheme for the
Clipper chips which Dorthy Denning described in V02 #14 of the privacy
digest, I noticed that there are also two "master keys", S1 and S2 that
would allow a government agency to decrypt the messages sent by thousands
of machines.
     If I know S1 and S2 and the machine's 30 bit serial number, then I
can compute the secret key, U, for that machine.  Notice that the serial
number is chosen from a conveniently small space 2**30, which is easy to
search exhaustively.  Knowing S1 and S2 allows me to decrypt any message
sent by any machine that was initialized from S1 and S2.
     The key questions (:-) to ask are: what are the guidelines about handling
S1 and S2?  How can a customer know whether S1 and S2 were destroyed?  How
many other machines where made with the same S1 and S2?
                          --Bob Baldwin
                            Los Altos Technologies


Date:    Thu, 6 May 1993 13:09:12 EST
From:    David Sobel <>
Subject: New NIST/NSA Revelations

        Less than three weeks after the White House announced a
controversial initiative to secure the nation's electronic
communications with government-approved cryptography, newly
released documents raise serious questions about the process that
gave rise to the administration's proposal.  The documents,
released by the National Institute of Standards and Technology
(NIST) in response to a Freedom of Information Act lawsuit,
suggest that the super-secret National Security Agency (NSA)
dominates the process of establishing security standards for
civilian computer systems in contravention of the intent of
legislation Congress enacted in 1987.

        The released material concerns the development of the
Digital Signature Standard (DSS), a cryptographic method for
authenticating the identity of the sender of an electronic
communication and for authenticating the integrity of the data in
that communication.  NIST publicly proposed the DSS in August 1991
and initially made no mention of any NSA role in developing the
standard, which was intended for use in unclassified, civilian
communications systems.  NIST finally conceded that NSA had, in
fact, developed the technology after Computer Professionals for
Social Responsibility (CPSR) filed suit against the agency for
withholding relevant documents.  The proposed DSS was widely
criticized within the computer industry for its perceived weak
security and inferiority to an existing authentication technology
known as the RSA algorithm.  Many observers have speculated that
the RSA technique was disfavored by NSA because it was, in fact,
more secure than the NSA-proposed algorithm and because the RSA
technique could also be used to encrypt data very securely.

        The newly-disclosed documents -- released in heavily censored
form at the insistence of NSA -- suggest that NSA was not merely
involved in the development process, but dominated it.  NIST and
NSA worked together on the DSS through an intra-agency Technical
Working Group (TWG).  The documents suggest that the NIST-NSA
relationship was contentious, with NSA insisting upon secrecy
throughout the deliberations.  A NIST report dated January 31,
1990, states that

     The members of the TWG acknowledged that the efforts
     expended to date in the determination of a public key
     algorithm which would be publicly known have not been
     successful.  It's increasingly evident that it is
     difficult, if not impossible, to reconcile the concerns
     and requirements of NSA, NIST and the general public
     through using this approach.

        The civilian agency's frustration is also apparent in a July
21, 1990, memo from the NIST members of the TWG to NIST director
John W. Lyons.  The memo suggests that "national security"
concerns hampered efforts to develop a standard:

     THE NIST/NSA Technical Working Group (TWG) has held 18
     meetings over the past 13 months.  A part of every
     meeting has focused on the NIST intent to develop a
     Public Key Standard Algorithm Standard.  We are
     convinced that the TWG process has reached a point where
     continuing discussions of the public key issue will
     yield only marginal results.  Simply stated, we believe
     that over the past 13 months we have explored the
     technical and national security equity issues to the
     point where a decision is required on the future
     direction of digital signature standards.

An October 19, 1990, NIST memo discussing possible patent issues
surrounding DSS noted that those questions would need to be
addressed "if we ever get our NSA problem settled."

        Although much of the material remains classified and withheld
from disclosure, the "NSA problem" was apparently the intelligence
agency's demand that perceived "national security" considerations
take precedence in the development of the DSS.  From the outset,
NSA cloaked the deliberations in secrecy.  For instance, at the
March 22, 1990, meeting of the TWG, NSA representatives presented
NIST with NSA's classified proposal for a DSS algorithm.  NIST's
report of the meeting notes that

     The second document, classified TOP SECRET CODEWORD, was
     a position paper which discussed reasons for the
     selection of the algorithms identified in the first
     document.  This document is available at NSA for review
     by properly cleared senior NIST officials.

In other words, NSA presented highly classified material to NIST
justifying NSA's selection of the proposed algorithm -- an
algorithm intended to protect and authenticate unclassified
information in civilian computer systems.  The material was so
highly classified that "properly cleared senior NIST officials"
were required to view the material at NSA's facilities.

        These disclosures are disturbing for two reasons.  First, the
process as revealed in the documents contravenes the intent of
Congress embodied in the Computer Security Act of 1987.  Through
that legislation, Congress intended to remove NSA from the process
of developing civilian computer security standards and to place
that responsibility with NIST, a civilian agency.  Congress
expressed a particular concern that NSA, a military intelligence
agency, would improperly limit public access to information in a
manner incompatible with civilian standard setting.  The House
Report on the legislation noted that NSA's

     natural tendency to restrict and even deny access to
     information that it deems important would disqualify
     that agency from being put in charge of the protection
     of non-national security information in the view of many
     officials in the civilian agencies and the private

While the Computer Security Act contemplated that NSA would
provide NIST with "technical assistance" in the development of
civilian standards, the newly released documents demonstrate that
NSA has crossed that line and dominates the development process.

        The second reason why this material is significant is because
of what it reveals about the process that gave rise to the so-
called "Clipper" chip proposed by the administration earlier this
month.  Once again, NIST was identified as the agency actually
proposing the new encryption technology, with "technical
assistance" from NSA.  Once again, the underlying information
concerning the development process is classified.  DSS was the
first test of the Computer Security Act's division of labor
between NIST and NSA.  Clipper comes out of the same
"collaborative" process.  The newly released documents suggest
that NSA continues to dominate the government's work on computer
security and to cloak the process in secrecy, contrary to the
clear intent of Congress.

        On the day the Clipper initiative was announced, CPSR
submitted FOIA requests to key agencies -- including NIST and NSA
-- for information concerning the proposal.  CPSR will pursue
those requests, as well as the pending litigation concerning NSA
involvement in the development of the Digital Signature Standard.
Before any meaningful debate can occur on the direction of
cryptography policy, essential government information must be made
public -- as Congress intended when it passed the Computer
Security Act.  CPSR is committed to that goal.

David L. Sobel
CPSR Legal Counsel
(202) 544-9240


End of PRIVACY Forum Digest 02.16

PRIVACY Forum Home Page

Vortex Technology Home Page

Copyright © 2005 Vortex Technology. All Rights Reserved.