15746

神经网络昆斯林的新闻组分类2006

Path: cantaloupe.srv.cs.cmu.edu!magnesium.club.cc.cmu.edu!news.sei.cmu.edu!bb3.andrew.cmu.edu!andrew.cmu.edu!jb7m+
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Newsgroups: sci.crypt
Subject: Ideas on Clipper
Date: Thu, 22 Apr 1993 14:51:57 -0400
Organization: Robotics Institute, Carnegie Mellon, Pittsburgh, PA
Lines: 92
Message-ID: <0fpiZBG00WC70qOKYw@andrew.cmu.edu>
NNTP-Posting-Host: andrew.cmu.edu


I have an idea as to why the encryption algorithm needs to be keep secret,
and some things that i think it implies. (Of course these could all be
wrong.....) 

from 

                     THE CLIPPER CHIP: A TECHNICAL SUMMARY
                               Dorothy Denning
                           Revised, April 21, 1993

.
.
.

The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack."  The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES).  It supports all 4 DES modes of
operation.  The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number (this length is subject to change)
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

.
.
.

ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end.  This key negotiation takes place
without the Clipper Chip.  In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice).  The
telephone security device feeds K and M into the chip to produce two
values:

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement field , 

which are transmitted over the telephone line.  The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F.  The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

------------------

suppose i knew how the algorithm worked and knew the N for my chip, but
did not know F, then by cryptanalysis i might be able to determine F from
if law enforcement field 
   E[E[K; U] + N; F]
not knowing N would might make this much harder.

Now suppose that I know F, (either legitimately or not),
If I know K (either because I am involved in the conversation, or I know U
for a party in the conversation), I may now be able to determine U for the
other party.

If I know F I can also defeat the law enforcement field, since I could
make my own, with a different K then the one I am using. Knowing F also
allows traffic analysis to be performed. So I might not know what you are
saying but I could know who you are saying it too.

Now I admit that someone trying to compute U will not have lots of
messages to work from, but since we have no way of knowing that the key
generation method does not (deliberately?) generate weak keys, or for that
matter that the published method is in fact used, perhaps the U's will be
chosen from know weak keys for the system.

Obviously the compromise of F would be a disaster, both to law enforcement
for whom this whole thing is designed, and for the people who believe that
it is giving them security. F is but one number, and I sure that alot of
people (more then 1) know what it is (and if some "panel of experts" is
going to check it over for flaws then many more will know F, forget
grinding chips, bribery and blackmail work just fine.

So, am I wrong? Or are these problems.

jon