[2671] in Kerberos
Re: New Govt. Key Exchange Protocol..
daemon@ATHENA.MIT.EDU (smb@research.att.com)
Mon Apr 19 15:47:49 1993
From: smb@research.att.com
To: sommerfeld@apollo.hp.com
Cc: bf4grjc@bell-atl.com, kerberos@Athena.MIT.EDU
Date: Mon, 19 Apr 93 15:32:30 EDT
> Anyone who has the truth and can verify it is undoubtedly prohibited
> by secrecy agreements from giving out enough information to allow for
> independent verification that what they're saying is indeed correct.
> There have been reposts of messages allegedly from Hellman and
> Denning, passing on hearsay and rumour allegedly from the NSA.
> No offense to Steve Bellovin, as he probably has passed on postings
> closest to the truth, but unless the algorithms are published and
> people can verify that the chips function exactly as specified, nobody
> but the NSA and the chip manufacturers will be sure of having the true
> details. And that's just not going to happen unless people reverse
> engineer the chips.
No offense taken. I will note, though, that unless our fine feathered
friends at NSA are doing active attacks on the Internet, I'm reasonably
convinced that the notes I received were indeed from Hellman and Denning.
If nothing else, I've traded messages with both of them on this subject.
(Of course, I don't know if they had any way to verify the identities of
the folks who spoke to them... You are in a maze of twisty little
verification chains, all alike.)
> Even so, the rumours I've seen reposted on sci.crypt and other places
> indicate that the system appears to have a number of very serious
> potential trap doors, including, but not limited to:
> - device keys are reportedly a function of the device serial number
> and two "seeds", each entered by a representative of an escrow agency;
> the key parts are not generated independently and programmed directly
> onto the chips, instead they're put onto a floppy disk.
> - all chips contain a copy of a single "master key" which is used to
> encrypt the chip's serial number; anyone in possession of the master
> key can use it to do traffic analysis on arbitrary messages encrypted
> using the system. Anyone with the appropriate tools and a good supply
> of these chips could possibly be able to destructively extract the
> master key from the chip.
> - as the encryption algorithm is unpublished, there is no way to
> verify that it isn't a trivial variant of XOR that can be
> cryptanalyzed without the cooperation of the escrow agencies.
> - Bill
> (speaking for only myself, not necessarily my employer here).
Me too -- my employer seems to like this facocteh proposal...
I think the real issue is verifying the chips. Any of these other
points (which, for the most part, I agree with) may be answerable with
more knowledge, and I'll certainly post anything new I learn. But no
matter what we're told, it's going to be a hell of a lot harder to
verify that what's put on the chip actually corresponds to what is
verified.
But all that is irrelevant. The very concept, even if perfectly
implemented, is bad enough. (That, of course, is a political
statement, not a technical one. As a technical person with some
expertise in the field, the most I can do is demonstrate that their
idea is no worse than advertised.)
--Steve Bellovin
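The two structural concerns in the quoted list (every chip carrying the same master key that encrypts its serial number, and device keys being a function of the serial plus two escrow seeds) are easier to reason about in a small model. The Python below is an added illustration for this archive page, not code from the thread, from Bill, from Steve, or from any real escrow chip: the key and seed values are constructed, the HMAC-based key derivation, serial wrapping and toy stream cipher are assumptions standing in for the unpublished algorithm, and the nonce length and serial length are arbitrary. What it shows is the property the thread worries about: an observer with only the wire traffic cannot link messages to chips (the nonce makes each wrapped serial differ), but a holder of the one shared master key can attribute every message to its device, and a holder of both seeds plus a serial can rebuild that device's key. Mitigation in this design space is architectural rather than implementational: a secret shared by every device is a single point of compromise for the whole population, and key material that is a deterministic function of public identifiers plus centrally held seeds is recoverable by whoever holds those seeds, which is exactly why the list demands published algorithms and verifiable chips.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed values for the model only; nothing here is a real chip key.
MASTER_KEY = b"constructed-master-key-burned-into-every-chip"
SEED_AGENCY_A = b"constructed-seed-entered-by-escrow-agent-A"
SEED_AGENCY_B = b"constructed-seed-entered-by-escrow-agent-B"
NONCE_LEN = 8  # assumed per-message nonce size


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in pseudorandom function (assumption of the model)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF; a toy cipher standing in for the unpublished one."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return blocks[:length]


def derive_device_key(serial: bytes, seed_a: bytes, seed_b: bytes) -> bytes:
    """Hypothetical 'device key = f(serial, seed A, seed B)' as the thread reports."""
    return prf(seed_a + seed_b, serial)


def wrap_serial(master_key: bytes, serial: bytes, nonce: bytes) -> bytes:
    """Serial number encrypted under the population-wide master key, attached to each message."""
    return xor(serial, prf(master_key, b"id" + nonce)[:len(serial)])


def unwrap_serial(master_key: bytes, wrapped: bytes, nonce: bytes) -> bytes:
    return xor(wrapped, prf(master_key, b"id" + nonce)[:len(wrapped)])


class Device:
    """One chip: knows its serial and the key the escrow seeds determined for it."""

    def __init__(self, serial: bytes):
        self.serial = serial
        self.key = derive_device_key(serial, SEED_AGENCY_A, SEED_AGENCY_B)

    def send(self, plaintext: bytes) -> tuple:
        """Returns (nonce, wrapped_serial, ciphertext) as it would appear on the wire."""
        nonce = os.urandom(NONCE_LEN)
        return (nonce,
                wrap_serial(MASTER_KEY, self.serial, nonce),
                xor(plaintext, keystream(self.key, nonce, len(plaintext))))


def traffic_analysis(master_key: bytes, messages: list) -> Counter:
    """Anyone holding the single master key can attribute every message to its chip."""
    return Counter(unwrap_serial(master_key, wrapped, nonce)
                   for nonce, wrapped, _ in messages)


def escrow_decrypt(seed_a: bytes, seed_b: bytes, serial: bytes, message: tuple) -> bytes:
    """Escrow path: both seeds plus the serial rebuild the device key and open the payload."""
    nonce, _, ct = message
    key = derive_device_key(serial, seed_a, seed_b)
    return xor(ct, keystream(key, nonce, len(ct)))


def simulate() -> tuple:
    """Two chips, four messages: returns (per-chip message counts, distinct wrapped serials, one escrowed plaintext)."""
    alice = Device(b"\x00\x00\x00\x2a")
    bob = Device(b"\x00\x00\x01\x07")
    msgs = [alice.send(b"hello"), alice.send(b"again"),
            bob.send(b"reply"), alice.send(b"third")]
    counts = traffic_analysis(MASTER_KEY, msgs)
    # Without the master key the wrapped serials are all different, so the wire alone links nothing.
    distinct_wrapped = len({wrapped for _, wrapped, _ in msgs})
    recovered = escrow_decrypt(SEED_AGENCY_A, SEED_AGENCY_B, alice.serial, msgs[0])
    return counts, distinct_wrapped, recovered


if __name__ == "__main__":
    counts, distinct, recovered = simulate()
    print("messages per chip (master-key holder's view):", dict(counts))
    print("distinct wrapped serials on the wire:", distinct)
    print("escrow decryption of first message:", recovered)
```

Running the block prints three messages attributed to the first chip and one to the second, four distinct wrapped serials on the wire, and the recovered plaintext of the first message. Swapping in a per-device wrapping key instead of `MASTER_KEY` would make `traffic_analysis` fail for every chip whose key the observer does not hold, which is the design difference the thread is pointing at.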