Interesting People mailing list archives
Jacking in from the "We Knew It All Along" Port:
From: David Farber <farber () central cis upenn edu>
Date: Sat, 4 Jun 1994 08:19:05 +0200
CyberWire Dispatch // Copyright (c) 1994 // Jacking in from the "We Knew It All Along" Port: Washington, DC -- The key technology underlying the Administration's Tessera "Crypto Card" was fatally flawed from its inception, Dispatch has learned. Government researchers working for the National Security Agency have known for months about the flaw, but purposefully withheld that information from the public, a government official acknowledged today to Dispatch. Cryptographic researchers at the super-secret NSA have known all along that the program used to scramble a key part of the government's Clipper system could be thwarted by a computer savvy user with 28 minutes of free time, according to an NSA cryptographic expert that spoke to Dispatch under the condition he not be identified. "Everyone here knew that the LEAF (Law Enforcement Access Field) could be fucked with if someone knew what they were doing," the NSA expert said. "We knew about the flaw well before it became public knowledge. What we didn't know is how long it would take an outside source to discover the flaw." In essence, the NSA decided to play a kind of high-tech cat and mouse game with a technology being hailed as the most secure in the world. So secure, the White House is asking the public to give up a degree of privacy because there's no chance it can be abused. "We figured [the presense of the flaw] was an acceptable risk," the NSA expert said. "If no one found out, we probably would have fixed it sooner or later," he said. "I can't imagine that we would have let that one slip through." But someone spoiled the end game. A 33-year-old AT&T scientist Matthew Blaze discovered the crack in the White House's increasingly crumbling spy vs. citizen technology. Acting as a kind of beta-tester, Blaze found several techniques that could be used to successfully thwart the LEAF, the encrypted data stream needed by law enforcement officers in order to identify what amounts to a social security number for each Clipper or Tessera chip. Once the LEAF is in hand, law enforcement agents then submit it to the "key escrow agents." These escrow agents are two government authorized agencies that keep watch over all the keys needed to descramble Clipper or Tessera encoded conversations, faxes or data transmissions. Without the keys from these two agencies, the law enforcement agents hear nothing but static. Without the LEAF, the agencies won't cough up the keys. Bottom line: If the LEAF is fucked, so is access to the scrambled communications. What Blaze so eloquently discovered is that someone with a modicum of knowledge could do was jack around with the LEAF, rendering it unusable. What Blaze didn't realize is that he was merely acting as an NSA stooge. But the methods discovered by Blaze, and outlined in a draft paper he'll later present this month during a high brow security shindig known as the Fairfax conference, are cumbersome. "The techniques used to implement (the work arounds) carry enough of a performance penalty, however, to limit their usefulness in real-time voice telephony, which is perhaps the government's richest source of wiretap-based intelligence," Blaze writes in his paper. Notice he says "limit" not "completely render useless." Important distinction. Are there other, faster, more clever ways to circumvent the LEAF? "If there are, I wouldn't tell you," the NSA crypto expert said. Shut Up and Chill Out ===================== The National Institute of Standards and Technology (NIST), the agency walking point for the White House on the Clipper issue, takes these revelations all in stride. Sort of a "shut up and chill out" attitude. The techniques described by Blaze "are very unlikely to be used in actual communications," a NIST spokeswoman said. Does that mean they could never be used? "It's very unlikely." NIST, when confronted with the fact that NSA researchers knew all along that the technology was broken, was unapologetic. "All sound cryptographic designs and products consider tradeoffs of one sort or another when design complexities, costs, time and risks are assessed," the NIST spokeswoman said. The Clipper family of encryption technologies "is no exception," she said. NIST said that the Tessera card "isn't a standard yet, so the process of testing it's integrity is ongoing." The technology in Tess is known as the Capstone chip, which, unlike the Clipper Chip, hasn't yet been accepted as a standard, NIST said. Flaws, therefore, are assumably just part of an ongoing game. The fact that the NSA knew about this flaw when it asked people like Blaze to test it was "just part of the ongoing testing procedure," the spokeswoman said. And if Blaze or some other idea hamster hadn't discovered the flaw? You make the call. What about Clipper? Are there such flaws in it? NIST says "no" because it has already been through "independent testing" and accepted as a standard. If there are flaws there, they stay put, or so it seems. Clipper's My Baby ================= Beyond the high risk crypto games the NSA has decided to play, there's another disturbing circumstance that could torpedo the Clipper before it's given its full sailing orders. This obstacle comes in the form of a patent dispute. Silvio Micali, a scientist at the massachusetts Institute of Technology says the Clipper is his baby. He claims to hold two crucial patents that make the Clipper tick. "We are currently in discussions with Mr. Micali," NIST said. "We are aware of his patent claims and we're in the process of addressing those concerns now," a NIST spokeswoman said. She wouldn't go into details about as to the extent of the talks, but obviously, the government is worried. They haven't flatly denied Micali's claims. If this all sounds like a bad nightmare, you're right. NIST ran into the same problems with its Digital Signature Standard, the technology they've adopted as a means to "sign" and verify the validly of electronic mail messages. Others jumped on the government's DSS standard, claiming they were owed royalties because they held patents on the technology. These discussions are still "ongoing" despite the government's adoption of the standard. The same situation is now happening with Clipper. One could make a case that Yogi Berra is the policy wonk for the Clipper program: "It's like deja vu all over again," Berra once said. So it is, Yogi... so it is. Meeks out...
Current thread:
- Jacking in from the "We Knew It All Along" Port: David Farber (Jun 03)