Clipper Chip

From Embedded Lab Vienna for IoT & Security
Revision as of 16:42, 20 December 2021 by SOhnewith (talk | contribs)
Jump to navigation Jump to search

Summary

This document shows an overview about the Clipper Chip programm, that was started by the U.S. Governtment in the early 90´s.

Description

ALT
Clipper Chip

The Clipper Chip is a small Chipset, that was developed by the NSA (National Security Agency) and advertised by the U.S. Government, in the early 90´s. The idea was, that the Chipset would be integrated in Communication devices like telephones or personal computers and to securely encrypt their Communication, while giving the U.S. Government the possibility to decrypt the communication. This was done by the use of a Key Escrow Algorithm.

Origin

According to official U.S. Government Documents, the origins of the Clipper Chip program, can be traced to the "Computer Security act of 1987". This Act was meant to ammend legislation of the Year 1949, to create security standards for non-military computer systems. in 1993 The U.S. Government introduced an initiative, that should provide security for communication of non-classified data with a special Chipset, called the Clipper Chip. The goal was to at first equip the DoJ (Department of Justice) with phones containing the Clipper Chip and then extend its use to the US high-tech industry.

Functionality

For the encryption of the communication the Clipper Chip uses the Skipjack-algorithm. For the key escrow, the Escrowed Encryption Standard was used.

Skipjack Algorithm

The Skipjack algorithm is a blockcipher with a blocksize of 64 bit. The key length was 80 bit. It supported modes of operation are Output Feedback Mode(OFB), Cipher Feedback Mode(CFB), Electronic Code Book(ECB) and Cipher Block Chaining(CBC). The key exchange was done with a Diffi Hellmann algorithm. It was developed by the NSA and declared secret. This prohibited civilian experts from analysing the algorithm. Skipjack should replace the DES algorithm that was the standard at the time and was consiedered to be not secure anymore.

Escrowed Encryption Standard

The most important feature of the Clipper Chip was the possibility to retrieve the session key. This should allow law enforcement agencies to encrypt communication that was obtained for example via wiretaping. The Clipper Chip needed that both parties send a Law Enforcement Access Field(LEAF) with every communication. Agencies that were authorized could then retrieve the key from the LEAF and decrypt the communication.


The LEAF

For the construction of the LEAF, the following information was needed:

  • Unit ID: an unique identifier for each Clipper Chip
  • Session key: the key that was used to encrypt the communication
  • additionaly a 16 Bit cheksum was added at the end of the LEAF

The session key was encrypted with an unit key, the whole LEAF itself was the also encrypted with a family key. The unit key was split in two parts and each part was stored at one of the two escrow agencies.

When a Clipper Chip secured device, communicates in safe (encrypted) mode, a LEAF (Law Enforcement Access Field) is exchanged.

ALT
The LEAF

Contained within the LEAF is a copy of the unique session-key, with whom control of the enceyption is possible. The session-key itself is encrypted with the device serial number (also known as unit-id), before it is put into the LEAF (As mentioned before, the unit-id is also held in escrow in a Federal DB/as a (unit-id/unit-key) pair). In order to make the device keys secure from hidden tampering, a checksum is in the LEAF. If a LEAF does not pass integrity checks, using the safe mode is not possible.

The encryption and decryption process

ALT
Creation of the LEAF

The encryption:

1. The above mentioned LEAF is encrypted with the family-key (a key that is known by the U.S. Gov. and the same for all compatible Clipper Chip secured devices).

2. The LEAF is then used to encrypt the Communication.


The decryption:

Prerequisite: Access to the LEAF, its related Communication and knowledge of the family-key as well as the (unit-id/unit-key) pair is needed.

1. The Leaf is decrypted with the family-key, which reveals: the unit-id, the unit-key encrypted session-key and the LEAF checksum.

2. The unit-key is used to encrypt the session-key.

3. the session-key is used to decrypt the Communication.

Vulnerability

The Escrowed Encryption System used in the Clipper Chip had several vulnerabilities, that undermined its purpose,to encrypt communication saefly while giving autorised 3rd parties access. The 1st publicised vulnerabilities were described by Matt Blaze in a paper called "Protocol Failure in the Escrowed Encryption Standard". Where Balze described (alongside a thorough analysis of the encryption techniques used within the Clipper Chip), 2 methods 3rd party decryption could be prevented, while retaining the encryption the Clipper Chip secured devices provide.

Te first technique was simpler and allows encrypted communication between 2 "rouge parties" (both devices were tampered with). By Brute Force attacking the 16Bit long checksum of the LEAF, a valid LEAF, containing invalid keys could be created. This made it possible, that 2 devices that had done this, to communicate, without 3rd parties having the needed encryption keys.


The second more complex, allowed communication between a rogue (tampered) device and a non rogoue device.

There was no easy fix for this, since the Clipper Chip intended the LEAF to contain a max. of 128Bits. This ment strengthening 1 area part of the LEAF left another more vulnerable to Brute Force attacks.

These vulnerabilities and growing public backlash, contributed to the Clipper Chip not being able to gain currency, in civilian industries. This lead to the eventual abandonment of the programm in the late 90s.

References

Retrieved from "https://wiki.elvis.science/index.php?title=Clipper_Chip&oldid=8690"