
The Clipper Chip - jacquesm
https://en.wikipedia.org/wiki/Clipper_chip
======
CodeWriter23
Thanks for posting this. Throughout this discussion about Apple, The FBI, Tha
All Writs Act, etc. I've been saying we have already had this discussion some
20 years ago and the key point made then is still relevant today. If you
create a key for Government, the Government cannot prevent bad actors from
using those keys.

The only thing of substance to this discussion that has changed since then is
we have multiple robust open source cryptography implementations, which
ensures that if the DOJ can lobby congress to make some laws requiring back
doors or key escrow, that only criminals will have access to robust
cryptography. And it will likely kick off a cryptography arms race, which will
only make their job more difficult than they are saying it is already.

I doubt however the Legislative Branch will give them the laws they want. The
last thing our legislators want is to make it easier for the FBI to spy on
them.

~~~
kazinator
> _The only thing of substance to this discussion that has changed since then
> is we have multiple robust open source cryptography implementation_

We had some decent OSS crypto in the Clipper time frame.

What's changed is that strong crypto is now much more wide-spread in _NON_
open-source consumer products.

Crypto is not just for governments plus a handful of geeks any more. That's
the big change.

~~~
ethbro
In reading the article over lunch, I realized something else changed as well:
the government now has the capability to data mine without human intervention
on a massive scale. (Which I strongly suspect they didn't in the early 90s)

That substantially changes the key escrow argument.

What the NSA et al want is not the ability to decrypt communications, but the
ability to _search_ all communications to generate intelligence. Naturally,
this only works if the stored take is searchable, which encrypted content is
not. (For practical and flexible purposes)

So the very existence of key escrow coupled with the desires of the NSA would
almost mandate that any escrow keys available to the government be used
continuously and automatically to decrypt content into a searchable data
warehouse. Which is why if we allow this then in 5 years or less we're going
to be having the Person of Interest "It's not a violation of your privacy if
only an algorithm is looking at your data" discussion.

Or to quote Strangelove, "Mr. President, it is not only possible, it is
_essential_. That is the whole idea of this machine, you know."

~~~
schoen
> we're going to be having the Person of Interest "It's not a violation of
> your privacy if only an algorithm is looking at your data" discussion

There are signs in the Snowden documents that this view is already pervasive
in the government.

~~~
pdkl95
Not only is it already pervasive in government, this type of dissembling has
also been policy at Google for a long time.

    
    
        LIZ FIGUEROA, (D) State Senator, CA, 1998-06: We walk into this room, and it’s myself
        and two of my staff— my chief of staff and one of my attorneys. And across from us
        was Larry, Sergey, and their attorney.
    
        All of a sudden, Sergey started talking to me. He said, “Senator, how would you feel
        if a robot went into your home and read your diary and read your financial records,
        read your love letters, read everything, but before leaving the house, it imploded?”
        And he said, “That’s not violating privacy.”
    
        I immediately said, “Of course it is. Yes, it is.” And he said, “No, it isn’t.
        Nothing’s kept. Nobody knows about it.” I said, “That robot has read everything.
        Does that robot know if I’m sad or if I’m feeling fear, or what’s happening?”
        And he looked at me and he said, “Oh, no. That robot knows a lot more than that.”
    

(from PBS Frontline's "United States Of Secrets", part 2)

------
aritraghosh007
This was showcased during the last episode of the John Oliver show
[https://youtu.be/zsjZ2r9Ygzw?t=522](https://youtu.be/zsjZ2r9Ygzw?t=522).
Here's what happened : [http://www.nytimes.com/1994/06/12/magazine/battle-of-
the-cli...](http://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-
chip.html?pagewanted=all)

~~~
JetSpiegel
That was a great article, thanks for sharing. This snippet puts things in
perspective:

The agency is really worried about its screens going blank" due to unbreakable
encryption, says Lance J. Hoffman, a professor of computer science at George
Washington University. "When that happens, the N.S.A. -- said to be the
largest employer in Maryland -- goes belly-up. A way to prevent this is to
expand its mission and to become, effectively, the one-stop shop for
encryption for Government and those that do business with the Government."

~~~
EthanHeilman
> "When that happens, the N.S.A. -- said to be the largest employer in
> Maryland -- goes belly-up. A way to prevent this is to expand its mission

The article is from 1994 and I believe my reaction is as true then as now.

Why can't NSA just switch to doing 90% information-assurance and work to
secure US infrastructure?

Certainly there is more than enough work to go around, if they are looking for
something to do I have some suggestions. The US military isn't really known
for having secure communications or storage systems, maybe NSA should try to
solve that problem (as a plus it is already part of their mission).

Is the claim here that NSA's budget would shrink if all they were doing was
securing US systems and communications against foreign intelligence agencies?
Does Congress consider that task unimportant?

~~~
studentrob
I'm pretty sure they're focused on stopping terrorist attacks like 9/11 from
happening.

Note that the NSA is not asking for Apple to give them a special key to the
iPhone. The FBI is asking for it.

Note that a former NSA director (Hayden) and CIA director (Woolsey) have said
they both support Apple in this case.

~~~
EthanHeilman
I'm reacting to a statement from 1994 in which it was claimed that the NSA
wanted to expand its mission to ensure it could still employ the same number
of people.

>I'm pretty sure they're focused on stopping terrorist attacks like 9/11 from
happening.

That was not NSA's original mission and if congressional testimony is to be
believed, not one NSA is particularly well suited to do. SIGINT/COMINT
targeting the organs of the Soviet Union is a very different game than
interrupting a terrorist plot by a small number of unknown actors.

>Note that a former NSA director (Hayden) and CIA director (Woolsey) have said
they both support Apple in this case.

The FBI's position is so unreasonable that it appears nearly everyone that is
well informed about the issue and isn't currently employed by the US
government supports Apple, but we are talking about the Clipper Chip which was
an NSA program.

------
Zigurd
All of the current wishful thinking by Comey, Obama, Fred Wilson, and others
boils down to "Let's do a variant of the Clipper Chip."

Until the position of the side of the FBI moves off this mark there is not
much to discuss.

~~~
studentrob
I strongly disagree! Until they move off, there is everything to discuss.
_After_ they understand the economic and security impacts of what they are
asking, then we can relax.

We need to be active in the conversation about this. As technologists, we are
the ones who understand the tech side of this issue best, and we should be
reaching out to our representatives and talking to friends and family about
this issue.

There are anti-encryption bills looming, and sitting around waiting for them
to be proposed in Congress after some future terrorist attack is not going to
do us any good.

~~~
ctdonath
_After they understand the economic and security impacts of what they are
asking, then we can relax._

They do understand.

They have different axioms & goals, so their conclusion is different from
yours.

~~~
studentrob
Perhaps. Regardless of which of us is correct, we should still be reaching out
to our representatives and talking to friends and family about this issue.
Unless Obama changes his mind to support encryption, this is a public debate
which will eventually start happening in Congress. It's up to us technologists
to inform others.

------
aburan28
What if instead of the Clipper Chip the NSA/FBI opted to install hardware
'backdoors' that could induce Fault attacks, Side Channel attacks, etc? I just
don't see why the government gave up on the chip so easily

~~~
studentrob
They did find other ways to get what they wanted. It was on a more ad hoc
basis. And there they were focused

There's a video of former NSA/CIA director Michael Hayden talking about the
clipper chip, and how everyone was saying "we're going dark" around that time.
They found other ways to get what they wanted, and that's why both he and
former CIA director James Woolsey do not support the DOJ's position in the
ongoing case against Apple. I can't find the video where he talks about the
clipper chip right now.

~~~
ethbro
There's not really benefit to the NSA/CIA from a Clipper Chip 2.0.

None of the non-US targets they're pursuing would or could be mandated to use
it. And all illegal domestic surveillance aside, foreign intelligence is still
their primary mandate and target.

So in return for no benefit they get a lot of headache. (As you know its use
would find its way into the US government, and suddenly the NSA has to support
it via its defensive mandate)

------
brandmeyer
They underlying cipher Skipjack was also found to be rather weak. Some attacks
were found against reduced-round variants of Skipjack that would have
disqualified an AES or SHA3 candidate.

[https://en.wikipedia.org/wiki/Skipjack_%28cipher%29#Cryptana...](https://en.wikipedia.org/wiki/Skipjack_%28cipher%29#Cryptanalysis)

~~~
jbandela1
I think this shows how confident the NSA was/is in its cryptanalysis. You can
assume that the NSA knew about the 31 round attack before they released it.
The fact that they released it at 32 rounds (exactly the bare minimum number
of rounds to resist attack) and that in the past 25 years, no one has been
able to extend the attack to 32 rounds is in my opinion pretty impressive.
Just like you can't help but admire the prowess of a tightrope walker walking
over the Grand Canyon, in the same vein, the NSA achieving security with
exactly 1 extra round for 25 years is a demonstration of its crypto prowess.

------
gballard
<sigh> Depressing how little has changed in the policy debate, but does give
me the opportunity to pull this out of storage:

[http://i.imgur.com/Plzevno.jpg](http://i.imgur.com/Plzevno.jpg)

[http://i.imgur.com/KlnsFJX.jpg](http://i.imgur.com/KlnsFJX.jpg)

------
kristopolous
I feel like there's good theoretical comp sci work to be done here to show
that this system won't work. I've outlined two open problems below:

APPROACH 1:

Suppose we have a state issued crypto-system F0(Tc) -> Tp. Alice decides to
place another crypto-system F1 on top of that which the state doesn't know
about.

Alice unlocks her phone which runs the state's system F0(Tp) -> T1. However,
T1 is still encrypted by the unauthorized second-tier crypto-system, F1. This
middleware piece of software then runs F1(T1) -> Tp and we have our plaintext.
The state, of course, doesn't have the backdoor keys to F1.

The question is how can one prevent this secondary crypto-system from
existing? And if one can't, doesn't it make F0 merely a useless ornament that
unwraps one cyphertext matryoshka only to reveal another?

APPROACH 2:

idea: any system with a built in guarantee of access by a delegated third
party is in contradiction with some theoretical constraints of a generalized
security system and puts the whole construction in a lowered security 'level'
which had a smaller set of assurances.

Given a user generated token Ku, ciphered text Tc, and plaintext Tp, you have
decryption as a function:

F0(Tc, Kc) -> Tp

This requirement is for another key to exist for the State, Ka such that a
decryption function F1 (which may or may not be the same as F0) yields:

F1(Tc, Ka) -> Tp

Ka is allowed to be a "salted" key on a per device basis so it can vary across
devices as an input to F1.

It does this through another secret function, F2 whose input will be the per-
device salt Ds, and a super-global law enforcement key Kl - our secretly held
master key.

Law enforcement applies the secret key Kl on the Device and generates the
device's master key, Ka by using the Device's Salt:

F2(Ds, Kl) -> Ka

This means that for the law enforcement it's

F1(Tc, F2(Ds, Kl)) -> Tp

Where F1, F2, and Kl are secrets. Tp, Tc, and Ds is known by us and we are
free to change.

Here's the issues:

Kl is global across all devices.

F1() must always work regardless of user generated Ku although Ds is allowed
to change as a function of Ku.

If I can generate as many Tc and Ds as I can, can we show that given a known
F0, F1 and F2 can only be constructed from a exhaustibly reasonable finite
set.

How about the idea that the cost of brute-forcing Kl, the master law
enforcement key, continually decreases as the number of devices that Kl can
open, thus the value of Kl, continually increases? What do the range of those
slopes look like?

~~~
rcthompson
Any otherwise well-designed system with a built in guarantee of access by a
third party is only secure if you can trust that third party. You don't need
to prove any theorems to know that. I don't think anyone is arguing that such
a system is impossible to build, they're arguing that no such trusted third
party exists, and no one who actually cares about keeping a secret would ever
willingly use such a system when alternatives exist.

~~~
kristopolous
I'm interested in the argument line that would be "Ok, let's assume you are
impeccably honest, infallible, and have unwavering integrity and unstealable
secrets ... even under those laughable, impossible conditions, it's _still_ a
terrible idea because of the following..." and go from there.

~~~
quadlock
The perfect recipient would still have to be sent backdoors from many
creators. Many more people would be handling the secret, each one a target to
be social engineered into handing it over. I imagine when a more typical
backdoor is made, very few people even know it exists let alone know the key
to open it. Mandate backdoors and everyone knows they exist so more people
will work to find and crack them. They would be very high value targets. Once
opened, a backdoor would take a lot of work and expense to be closed, if you
even know it had been opened.

~~~
kristopolous
Yes, the whole idea is about as plausible as this april fools joke:
[https://en.wikipedia.org/wiki/Evil_bit](https://en.wikipedia.org/wiki/Evil_bit)
... but it's been put forth and implemented too many times for comfort.

Each time these silly systems like DVD-CSS broke down and became worthless or
like DIVX, were widely panned and rejected by the consumer.*

Showing how this will always and forever be the case at a more fundamental
level to stop trying this deadbeat idea with different gift-wrapping would be
great.

* Even in MP3, you have bits 29 and 30 which are for copyright. What were they thinking? people would re-implement /bin/cp to look for that and fail if the bit is set? Really? AAC has something similar. silly.

~~~
ashmud
If all the vendors participate in the scheme, it works?

Ex: SCMS copy bit

[https://en.wikipedia.org/wiki/Serial_Copy_Management_System](https://en.wikipedia.org/wiki/Serial_Copy_Management_System)

------
DenisAyumu
Didn't know about this. Good timing.

------
VonGuard
Sneakers had the best Clipper Chip ever, and in the 90's!

------
njharman
Man the war against oppression / totalitarianism never ends.

Back in 1994 when David Letterman's top-ten lists were still a thing and
funny, before instant make a t-shirt websites, I tried to bring attention and
defeat the Clipper Chip by printing, selling and eventually giving away "Top
10 reasons to Say No to Clipper" shirts. My 15min of Internet fame (back when
that was a saying).

excerpt from usenet post
[http://archives.scovetta.com/pub/textfiles/digest/cpd/v5_045...](http://archives.scovetta.com/pub/textfiles/digest/cpd/v5_045.txt)

The front has a "Big Brother Inside" Logo, and a chip with the word "clipper".

The back has the following top-ten list (possibly with changed order or slight
wording/spelling/grammer corrections);

"Top 10 reasons to Say No to Clipper"

    
    
      #1  "Can't trust Clinton not to read McDonalds recipes for Big Mac secret sauce."
      #2  "We all know its just so the FBI can get free phone sex."
      #3  "The spies at NSA will get eyestrain reading all of Santa's mail."
      #4  "Because a policeman's job is only easy in a Police State."
      #5  "The Clipper chip will cause it to be slightly less convenient to plan protests, revolutions, conspiraces, and bake sales."
      #6  "The 4th Amendment was a pretty good idea. Read it."
      #7  "If the Feds listened to my conversations they would be too bored and sleepy to defend our country."
      #8  "Responsibility and Government don't mix. See #10"
      #9  "It will get the stupid crooks out of the way for the government sponsored ones."
      #10  "If they learn how unhappy we are with the government they might start shutting down BBS's, killing off divergent religious groups, illegalizing art, conducting radioactive tests with us, censoring books, and keeping files on us.
    

btw #10 is all things US government had done. big bro inside was play on intel
inside logo of the era
[http://erik.co.uk/hackerpix/bigbro.gif](http://erik.co.uk/hackerpix/bigbro.gif)

~~~
mrupvote
this is crazy :))

