Clipper Chip

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search


This document shows an overview about the Clipper Chip programm, that was started by the U.S. Governtment in the early 90´s.


Clipper Chip

The Clipper Chip is a small Chipset, that was developed by the NSA (National Security Agency) and advertised by the U.S. Government, in the early 90´s. The idea was, that the Chipset would be integrated in Communication devices like telephones or personal computers and to securely encrypt their Communication, while leaving a backdoor for the U.S. Government.


According to official U.S. Government Documents, the origins of the Clipper Chip programm, can be traced to the "Computer Security act of 1987". This Act was meant to ammend legislation of the Year 1949, to create security standards for non-military computer systems. in 1993 The U.S. Government introduced an initiative, that should provide security for communication of non-classified data with a special Chipset, called the Clipper Chip. The goal was to at first equip the DoJ (Department of Justice) with phones containing the Clipper Chip and then extend its use to the US high-tech industry.


The Clipper Chip,uses a special encryption system based on the EES (Escrowed Encryption Standard). It uses the Skipjack-algorithm for encryption of te data and a key-escrow System, as a backdoor for decryption for autorised 3rd parties. Every device manufactured, with a Clipper Chip gets a unique number at the time of manufacturing (unit-id), that is kept, together with the coressponding unit-key in escrow, in 2 Databases of the U.S. Government.


When a Clipper Chip secured device, communicates in safe (encrypted) mode, a LEAF (Law Enforcement Access Field) is exchanged.


Contained within the LEAF is a copy of the unique session-key, with whom control of the enceyption is possible. The session-key itself is encrypted with the device serial number (also known as unit-id), before it is put into the LEAF (As mentioned before, the unit-id is also held in escrow in a Federal DB/as a (unit-id/unit-key) pair). In order to make the device keys secure from hidden tampering, a checksum is in the LEAF. If a LEAF does not pass integrity checks, using the safe mode is not possible.

The encryption and decryption process

Creation of the LEAF

The encryption:

1. The above mentioned LEAF is encrypted with the family-key (a key that is known by the U.S. Gov. and the same for all compatible Clipper Chip secured devices).

2. The LEAF is then used to encrypt the Communication.

The decryption:

Prerequisite: Access to the LEAF, its related Communication and knowledge of the family-key as well as the (unit-id/unit-key) pair is needed.

1. The Leaf is decrypted with the family-key, which reveals: the unit-id, the unit-key encrypted session-key and the LEAF checksum.

2. The unit-key is used to encrypt the session-key.

3. the session-key is used to decrypt the Communication.


The Escrowed Encryption System used in the Clipper Chip had several vulnerabilities, that undermined its purpose,to encrypt communication saefly while giving autorised 3rd parties access. The 1st publicised vulnerabilities were described by Matt Blaze in a paper called "Protocol Failure in the Escrowed Encryption Standard". Where Balze described (alongside a thorough analysis of the encryption techniques used within the Clipper Chip), 2 methods 3rd party decryption could be prevented, while retaining the encryption the Clipper Chip secured devices provide.

Te first technique was simpler and allows encrypted communication between 2 "rouge parties" (both devices were tampered with). By Brute Force attacking the 16Bit long checksum of the LEAF, a valid LEAF, containing invalid keys could be created. This made it possible, that 2 devices that had done this, to communicate, without 3rd parties having the needed encryption keys.

The second more complex, allowed communication between a rogue (tampered) device and a non rogoue device.

There was no easy fix for this, since the Clipper Chip intended the LEAF to contain a max. of 128Bits. This ment strengthening 1 area part of the LEAF left another more vulnerable to Brute Force attacks.

These vulnerabilities and growing public backlash, contributed to the Clipper Chip not being able to gain currency, in civilian industries. This lead to the eventual abandonment of the programm in the late 90s.