[2861] in cryptography@c2.net mail archive
Re: Brute forcing half a Clipper key.
daemon@ATHENA.MIT.EDU (Matt Blaze)
Thu Jun 25 15:51:13 1998
To: "Trei, Peter" <ptrei@securitydynamics.com>
cc: "'Colin Plumb'" <colin@nyx.net>,
"'cryptography@c2.net'" <cryptography@c2.net>
In-reply-to: Your message of "Thu, 25 Jun 1998 10:14:41 EDT."
<D104150098E6D111B7830000F8D90AE80178EF@exna02.securitydynamics.com>
Date: Thu, 25 Jun 1998 14:30:31 -0400
From: Matt Blaze <mab@research.att.com>
ptrei@securitydynamics.com said:
> The bottom line is: Splitting the key in two, and storing the two
> halves in different agencies wouldn't have made people much more
> secure from corrupt government agents, or an 'escrow'
> agency compromised by other criminals or terrorists. With
> half the key and a dozen high-end machines you could brute
> force a complete unit key in a few hours, after
> which all communications from that Clipper chip would be
> compromised.
>
Yes, but that's not how the EES split-key key escrow system worked (at
least according to the specifications that were made public).
The two escrow agent keys halves were bitwise XORed against each other
to recover the unit key. A single agent key half contained no information
by itself (assuming a truely random mask was used to create the XOR split,
etc.)
I think I described this, and other public details of the EES protocol,
in my paper "Protocol Failure in the Escrowed Encryption Standard", which
was published in ACM CCS '94, or via FTP in PostScript form from:
<ftp://ftp.research.att.com/dist/mab/eesproto.ps>
-matt
