The brand new Clinton White House inherited an NSA program already in progress under the first President Bush. It resulted in a Presidential
Directive backing an NSA key escrow encryption scheme for voice, fax and computer communications. The directive was signed on April 15, 1993
and announced publicly the next day. The Escrowed Encryption Standard that followed was formally voluntary, but its critics saw it as the
first step toward having "key escrow" encryption replace, and eventually outlaw, all other strong encryption. That would give the US
government access to private communications from phones, computers, faxes, routers, switches and so on.

Official NSA PR photo, the agency gets a message from above
It was only because of two developments, neither of them planned by the government, that the Clinton key escrow Directive is not the law
of the land today. Shortly after the key escrow chip shipped in its first commercial product, a flaw was found in its design that let a user
defeat the escrow mechanism. And strong encryption was already in the public's hands: Pretty Good Privacy, or PGP, had been released as free
software in 1991, two years before the Clipper announcement, and was quickly adopted world wide, so there was an established alternative to a
government-designed cipher. In the battle of wits between the code makers and the code breakers, this was a major win for civilian
cryptographers and especially for the US public.
One of the motivating factors for key escrow was the spread of strong encryption and, in particular, the 1992 release of the AT&T Telephone
Security Device, the TSD 3600-D. This device provided digital voice encryption using DES, the Data Encryption Standard, which was considered a
very strong cipher when it was adopted in 1977, even though the NSA negotiated a reduction in key length: of the 64-bit key, 8 bits are parity,
leaving only 56 bits of effective key. The concern of the NSA and law enforcement was that terrorists and other criminals could use this device
to have secure, wiretap-proof communications. DES was the accepted standard when the TSD 3600-D was released, but by January 1999 it had been
shown to be insecure, mainly because of that short key length: the EFF's Deep Crack machine, working with the distributed.net network, found a
DES key by brute force in a little over 22 hours.
In response to the TSD 3600-D and the fear of future encryption devices, the NSA designed a "key escrow" system, meaning the keys were held
in escrow by the US government and were to be used only when law enforcement had due cause and obtained a wiretap warrant. Another view was
that key escrow was just another name for back door access, and some preferred the term "key surrender" to highlight the true situation. The
cipher itself was called Skipjack, and it was designed to run on a tamper-resistant chip dubbed the Clipper chip. Every chip's unit key was
split between two government agencies, NIST and the Treasury Department, with the implication that no access would be possible without
judicial wiretap authorization.
That restriction was not trusted by everyone at the time, and the mistrust proved well-founded with the later passage of the Patriot Act,
which greatly expanded government access to private communications and weakened the judicial review that the escrow scheme had offered as
its safeguard. With less judicial oversight there is also little public accountability and little recourse to court challenge for unjustified
government intrusion. The Patriot Act was quickly passed and signed into law by the second President Bush on October 26, 2001, shortly after
the 9-11 terrorist attacks, and President Obama signed a four year extension on May 26, 2011. It is ironic, or maybe just normal
government-speak, to call this law the Patriot Act when it cuts back the very rights of privacy and due process that our original founding
father patriots fought so hard to protect.

The infamous Clipper chip, made by Mykotronx
The Clipper chip first became available in 1993 and AT&T was persuaded to put it in the TSD 3600, which became the first and only
commercial product to use this ill-fated chip. The chip, designated MYK-78T, was designed by Mykotronx and fabricated by VLSI Technology.
The TSD 3600-D model, with its standard DES encryption, was replaced by the new 3600-E model with the Clipper chip. The product had a list
price of $2,000 and the US government made the first purchase, 2,000 devices at a discounted price of $1,000 each. AT&T manufactured 10,000
of these devices and never made a second sale. Most of the 10,000 were never used but sat on warehouse shelves for years; they are still
available today in brand new condition for $50 each.
The announcement of the Clipper chip was met with an outcry from privacy advocates, who feared government intrusion into the privacy of
private citizens and the potential misuse of the technology. Because the Skipjack algorithm was classified Secret, there was no open peer
review and no way for outsiders to verify the strength of the cipher; the government's answer, a review by a small panel of cleared outside
cryptographers in 1993, did little to reassure the critics. Also, the Clipper chip could not be exported, and nobody outside the US would
want a product with a back door accessible to the US government, so US manufacturers felt they would be at a disadvantage in the worldwide
marketplace if they had to support a US-only, incompatible encryption scheme.

Matt Blaze
In the end none of these objections prevented the Clipper chip from being introduced. What stopped it in its tracks was Matt Blaze's 1994
discovery of a vulnerability in the design of the chip. Blaze worked at AT&T Bell Laboratories, the research arm of AT&T, and found a way to
disable law enforcement's ability to recover the keys. The discovery was ironic on two levels. First, Blaze worked for the only company to put
the Clipper chip in a commercial product. Second, the Clipper chip still provided strong voice encryption which a criminal could use for
nefarious purposes while exploiting the vulnerability to disable the key recovery function that law enforcement needed to hear his
conversations.
The NSA probably had the most advanced cryptologic research organization in the world, yet it suffered a public humiliation over this
failure. The Clipper chip used Skipjack, a block cipher with an 80 bit key, and the TSD 3600 used Diffie-Hellman key exchange to agree on
session keys, so the encryption itself was strong. The problem was the LEAF, the Law Enforcement Access Field, which the chip transmits with
every call. The LEAF is a 128 bit field: a 32 bit identifier for the chip, the 80 bit session key encrypted under that chip's escrowed unit
key, and a 16 bit checksum, the whole thing encrypted under a "family key" shared by all Clipper chips. A receiving chip would only decrypt
traffic if the checksum in the LEAF matched, which was meant to guarantee that the LEAF had not been tampered with. But a 16 bit checksum is
too small. Blaze showed that a rogue sender could simply substitute random LEAF values, using its own chip to test them, and that one in
65,536 candidates passes the check by chance; on the hardware of the time that took roughly 42 minutes. The accepted LEAF carries garbage
instead of the real session key, so the chip still works as a strong encryption device while the key escrow function is disabled.
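The LEAF forgery described above, as an added simulation that is not code from the page, from AT&T or from the Escrowed Encryption Standard. Skipjack and the exact LEAF encoding are replaced with stand-ins built from HMAC-SHA256 so it runs with the Python standard library; only the LEAF layout (32-bit unit ID, 80-bit wrapped session key, 16-bit checksum, all under a family key) and the 16-bit checksum width come from the public description of the chip. The unit ID, unit key and family key are constructed values.

```python
"""Simulation of Matt Blaze's 1994 attack on the Clipper chip's LEAF checksum."""
import hashlib
import hmac
import random

CHECKSUM_BITS = 16                        # the real Clipper checksum width
UNIT_ID = 0x01234567                      # constructed 32-bit chip identifier
UNIT_KEY = b"constructed unit key"        # the escrowed per-chip key (stand-in)
FAMILY_KEY = b"constructed family key"    # shared by every chip and by law enforcement


def prf(key: bytes, label: bytes, nbytes: int) -> bytes:
    """Keyed stand-in for Skipjack: HMAC-SHA256 truncated to nbytes."""
    return hmac.new(key, label, hashlib.sha256).digest()[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def checksum(session_key: bytes, iv: bytes) -> int:
    """16-bit check value the chips compute over (session key, IV) with the family key."""
    tag = prf(FAMILY_KEY, b"checksum" + session_key + iv, 4)
    return int.from_bytes(tag, "big") & ((1 << CHECKSUM_BITS) - 1)


def family_crypt(block: bytes, iv: bytes) -> bytes:
    """Encrypt/decrypt a 16-byte LEAF under the family key (XOR stream, so self-inverse)."""
    return xor(block, prf(FAMILY_KEY, b"leaf" + iv, 16))


def unit_wrap(session_key: bytes) -> bytes:
    """Wrap/unwrap the 10-byte session key under the unit key (also self-inverse)."""
    return xor(session_key, prf(UNIT_KEY, b"wrap", 10))


def make_leaf(session_key: bytes, iv: bytes) -> bytes:
    """What an honest chip sends: ID || E_unit(session key) || checksum, under the family key."""
    plain = (UNIT_ID.to_bytes(4, "big")
             + unit_wrap(session_key)
             + checksum(session_key, iv).to_bytes(2, "big"))
    return family_crypt(plain, iv)


def chip_accepts_leaf(leaf: bytes, session_key: bytes, iv: bytes) -> bool:
    """The receiving chip's only check before it will decrypt traffic."""
    plain = family_crypt(leaf, iv)
    return int.from_bytes(plain[14:16], "big") == checksum(session_key, iv)


def escrow_recover(leaf: bytes, iv: bytes) -> bytes:
    """Law enforcement, holding the family key and the escrowed unit key."""
    plain = family_crypt(leaf, iv)
    return unit_wrap(plain[4:14])


def forge_leaf(session_key: bytes, iv: bytes, rng: random.Random):
    """Blaze's attack: feed random LEAFs to your own chip until one passes the
    16-bit check. Each candidate passes with probability 2**-16, so the expected
    cost is 65,536 trials regardless of how strong Skipjack itself is."""
    trials = 0
    while True:
        trials += 1
        candidate = rng.getrandbits(128).to_bytes(16, "big")
        if chip_accepts_leaf(candidate, session_key, iv):
            return candidate, trials


def leaf_demo(seed: int = 1) -> dict:
    """Honest LEAF vs forged LEAF: both are accepted, only one is useful to escrow."""
    rng = random.Random(seed)                                # seeded for reproducibility
    session_key = rng.getrandbits(80).to_bytes(10, "big")   # as agreed via Diffie-Hellman
    iv = rng.getrandbits(64).to_bytes(8, "big")

    honest = make_leaf(session_key, iv)
    forged, trials = forge_leaf(session_key, iv, rng)
    return {
        "honest_accepted": chip_accepts_leaf(honest, session_key, iv),
        "honest_escrow_ok": escrow_recover(honest, iv) == session_key,
        "forged_accepted": chip_accepts_leaf(forged, session_key, iv),
        "forged_escrow_ok": escrow_recover(forged, iv) == session_key,
        "trials": trials,
    }


if __name__ == "__main__":
    print(leaf_demo())
```

The receiving chip is satisfied by the forged LEAF because the only thing it can check is the 16 bit tag, while the escrow agencies, decrypting the same LEAF, unwrap 80 random bits instead of the session key. Widening the checksum (Blaze suggested a much longer one) raises the expected cost from 2^16 trials to 2^n, which is the fix the chip's fixed 128 bit LEAF layout could not accommodate without a redesign.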
Fixing the problem would have required a complete redesign of the Clipper chip, and by then any redesign was too little, too late. Public
opposition did not let up, and strong encryption was already freely available in software: PGP, or Pretty Good Privacy, had been released
in 1991, before Clipper was even announced, and had been adopted around the world. The Clipper chip died a quiet death and the Skipjack
algorithm was finally declassified on June 24, 1998.

Phil Zimmermann
The history of PGP is an interesting sidelight to the Clipper chip story. Phil Zimmermann wrote PGP for personal use and shared it
with a few friends so they could securely send messages and protect files in their anti-nuclear activities. The name was inspired by
Garrison Keillor's fictional Lake Wobegon, which has a grocery store named Ralph's Pretty Good Grocery. PGP is a hybrid system: each message
is encrypted with a 128 bit symmetric key, and that key is delivered with RSA public key encryption. The symmetric cipher in the first version
was one Zimmermann wrote himself and humorously named Bass-O-Matic, after Dan Aykroyd's "Saturday Night Live" skit involving a bass and a
blender; it was found to be weak and was replaced by IDEA in PGP 2.0. The first release of the software on the internet, including source
code, was made on June 5, 1991. By February 1993, Zimmermann was the target of a federal criminal investigation for exporting "munitions"
without a license: under the export regulations of the time encryption software was classified as a munition, and export outside the US
carried severe penalties.
Zimmermann was never charged (the investigation was dropped in January 1996), but he came up with a creative solution for future releases
of the software. He published the source code as a book, PGP Source Code and Internals (MIT Press, 1995), which could be purchased for $60,
scanned into a computer as text and then compiled into a working program. His reasoning was that the export of munitions, including
encryption software, was illegal, but the export of a book was protected by the First Amendment. Someone in another country could buy the
book and then post the software on the internet for all to share. The principle that source code is protected speech was later tested and
upheld in federal court in Bernstein v. US Department of Justice, brought by another cryptographer who wanted to publish his encryption
software.
By the late 1990s the laws restricting the export of encryption software were liberalized, and PGP and other encryption hardware and
software were no longer treated as munitions. Much of the credit for this liberalization, and for our current privacy protections from an
overzealous Big Brother government, is due to the efforts of Matt Blaze and Phil Zimmermann.

See detailed pictures of the AT&T TSD 3600-E Secure Phone with Clipper Chip
AT&T is the only manufacturer to have produced a product with the Clipper chip. Here is an example, the AT&T TSD 3600-E Telephone Security
Device. AT&T made about 10,000 of these secure phones and sold about 2,000 to the US Government before the vulnerability was discovered. The
phones were made in 1993, and the 8,000 unsold sets immediately lost their value. The original list price was around $2,000, but this pair of
brand new TSD 3600s was purchased in 2010 for $50 each.
These devices are simple to operate and light and compact enough to use while traveling. They come with 3 different modules that plug into
the back of the unit for the different types of handsets supported. The handset is plugged into a jack on the side of the TSD and a
short phone cable connects the TSD back to the now empty handset jack on the phone. You then make a phone call as usual and, when you are
ready to "go secure", both parties agree to turn on their TSD units by pressing the "secure" button. The only other button on the TSD is the
"clear" button, which returns the call to unenciphered speech. After pressing "secure" it takes about 10 seconds, and then the LCD screen
shows that the two TSDs have exchanged keys and are in secure mode. Each unit also displays a 4 digit code derived from the key exchange;
the two parties read their codes to each other, and if they match the two units share the same key and there is no man in the middle on the
call. The check works because an attacker who intercepts the Diffie-Hellman exchange and substitutes his own values ends up with a
different key on each side of the call, so the two codes will not agree.
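The key exchange and spoken check code described above, as an added example that is not part of the page and is not AT&T's code. The TSD 3600's real group parameters and code derivation are not given here, so this example assumes the 1024-bit MODP group from RFC 2409 (generator 2) and derives the code from SHA-256 of the shared secret; Alice, Bob and Mallory are placeholder parties and the seeded generator exists only to make the run reproducible.

```python
"""Diffie-Hellman key agreement with a 4-digit check code read aloud by both parties,
with and without a man in the middle."""
import hashlib
import random

# RFC 2409 "Second Oakley Group": 1024-bit safe prime, generator 2 (assumed group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
CODE_DIGITS = 4


def dh_private(rng: random.Random) -> int:
    # random.Random keeps the demo reproducible; a real device must use a CSPRNG here
    return rng.randrange(2, P - 2)


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    # reject 0, 1 and p-1, which would force the shared secret into a tiny subgroup
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_pub, priv, P)


def check_code(shared: int) -> str:
    """The 4-digit code each unit displays: a short hash of the shared secret (assumed derivation)."""
    digest = hashlib.sha256(shared.to_bytes(128, "big")).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def honest_call(seed: int = 1) -> tuple:
    """Alice and Bob exchange public values directly; both displays show the same code."""
    rng = random.Random(seed)
    a, b = dh_private(rng), dh_private(rng)
    A, B = dh_public(a), dh_public(b)
    return check_code(dh_shared(a, B)), check_code(dh_shared(b, A))


def mitm_call(seed: int = 7) -> dict:
    """Mallory intercepts both public values and substitutes her own."""
    rng = random.Random(seed)
    a, b = dh_private(rng), dh_private(rng)
    m_to_alice, m_to_bob = dh_private(rng), dh_private(rng)
    A, B = dh_public(a), dh_public(b)

    # Alice receives Mallory's value instead of B; Bob receives Mallory's instead of A.
    alice_secret = dh_shared(a, dh_public(m_to_alice))
    bob_secret = dh_shared(b, dh_public(m_to_bob))

    # Mallory knows both secrets, so she can decrypt and re-encrypt the call in transit...
    mallory_alice_side = dh_shared(m_to_alice, A)
    mallory_bob_side = dh_shared(m_to_bob, B)

    # ...but the two halves of the call now have different secrets, so the spoken codes differ.
    return {
        "mallory_reads_both_sides": (mallory_alice_side == alice_secret
                                     and mallory_bob_side == bob_secret),
        "same_secret": alice_secret == bob_secret,
        "alice_code": check_code(alice_secret),
        "bob_code": check_code(bob_secret),
    }


if __name__ == "__main__":
    print("honest call codes:", honest_call())
    print("intercepted call:", mitm_call())
```

The caveat a practitioner should keep in mind: a 4 digit code only detects an attacker who cannot make the two codes collide. Mallory controls both of her private values, so she can keep trying new values for one side until its code matches the other side's, roughly 10,000 modular exponentiations. That was out of reach inside a 10 second handshake in 1993 but is trivial today, which is why later designs such as ZRTP make each side commit to a hash of its Diffie-Hellman value before the values are revealed, so the attacker has to pick her values before she can see what code they will produce.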