[2670] in Kerberos


Re: New Govt. Key Exchange Protocol..

daemon@ATHENA.MIT.EDU (sommerfeld@apollo.hp.com)
Mon Apr 19 15:29:25 1993

Date: Mon, 19 Apr 93 15:04:23 -0400
From: sommerfeld@apollo.hp.com
To: bf4grjc@bell-atl.com
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: Ganesan's message of Mon, 19 Apr 1993 12:31:57 -0500 (EDT),

   From: bf4grjc@socrates.MIT.EDU (Ganesan)
   Date: Mon, 19 Apr 1993 12:31:57 -0500 (EDT)
   Reply-To: bf4grjc@bell-atl.com

   Does anyone have any DETAILS on the new Clinton Admin. key exchange
   protocol??

Anyone who has the truth and can verify it is undoubtedly prohibited
by secrecy agreements from giving out enough information to allow for
independent verification that what they're saying is indeed correct.
There have been reposts of messages allegedly from Hellman and
Denning, passing on hearsay and rumour allegedly from the NSA.

No offense to Steve Bellovin, as he probably has passed on postings
closest to the truth, but unless the algorithms are published and
people can verify that the chips function exactly as specified, nobody
but the NSA and the chip manufacturers will be sure of having the true
details.  And that's just not going to happen unless people reverse
engineer the chips.

Even so, the rumours I've seen reposted on sci.crypt and other places
indicate that the system appears to have a number of very serious
potential trap doors, including, but not limited to:

 - device keys are reportedly a function of the device serial number
and two "seeds", each entered by a representative of an escrow agency;
the key parts are not generated independently and programmed directly
onto the chips, instead they're put onto a floppy disk.

 - all chips contain a copy of a single "master key" which is used to
encrypt the chip's serial number; anyone in possession of the master
key can use it to do traffic analysis on arbitrary messages encrypted
using the system.  Anyone with the appropriate tools and a good supply
of these chips could possibly be able to destructively extract the
master key from the chip.

 - as the encryption algorithm is unpublished, there is no way to
verify that it isn't a trivial variant of XOR that can be
cryptanalyzed without the cooperation of the escrow agencies.

					- Bill
	(speaking for only myself, not necessarily my employer here).
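A small model of the escrow design as the post above describes it, added here as an illustration (not code from the post, nor any real chip's algorithm): HMAC-SHA256 and a SHA-256 keystream stand in for the unpublished cipher, and every key, seed and serial number is a constructed sample value. It shows the two properties the bullets warn about: the two escrow seeds alone reproduce every unit key, and whoever holds the single family key can map every message back to a chip serial number.

```python
"""Toy model of the rumoured escrow scheme: unit key = f(serial, seed_a, seed_b),
and a per-message field carrying the serial number under one shared family key.
All primitives are stand-ins (assumption); the real algorithm was unpublished."""
import hashlib
import hmac
from collections import defaultdict


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || label || counter), a stand-in cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def derive_unit_key(serial: bytes, seed_a: bytes, seed_b: bytes) -> bytes:
    """Unit key as a deterministic function of serial + both escrow seeds,
    so the escrow agencies can recompute it without touching a chip."""
    return hmac.new(seed_a + seed_b, serial, hashlib.sha256).digest()


def encrypt_serial(family_key: bytes, serial: bytes) -> bytes:
    """Per-message identity field: serial XOR keystream(family key).
    Deterministic, so a given chip always emits the same field."""
    ks = keystream(family_key, b"serial", len(serial))
    return bytes(a ^ b for a, b in zip(serial, ks))


def decrypt_serial(family_key: bytes, field: bytes) -> bytes:
    return encrypt_serial(family_key, field)  # XOR is its own inverse


def attribute_traffic(family_key: bytes, fields: list) -> dict:
    """Risk the post names: a family-key holder maps each observed message
    (by index) to the serial number of the chip that produced it."""
    by_serial = defaultdict(list)
    for idx, field in enumerate(fields):
        by_serial[decrypt_serial(family_key, field)].append(idx)
    return dict(by_serial)


# Constructed sample values: one family key, two escrow seeds, three chips.
FAMILY_KEY = b"constructed-family-key"
SEED_A, SEED_B = b"escrow-agency-A-seed", b"escrow-agency-B-seed"
SERIALS = [b"SN000001", b"SN000002", b"SN000003"]


def demo():
    senders = [0, 1, 0, 2, 0]  # constructed traffic: chips 1, 2, 1, 3, 1
    fields = [encrypt_serial(FAMILY_KEY, SERIALS[s]) for s in senders]
    attributed = attribute_traffic(FAMILY_KEY, fields)
    unit_keys = {sn: derive_unit_key(sn, SEED_A, SEED_B) for sn in SERIALS}
    return attributed, unit_keys
```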
