Cryptography Reference
In-Depth Information
2. Alice has her Clipper chip create a LEAF and an IV from the session
key, and has the chip load both the key and the IV into its registers
concurrently. She must not create the IV herself — it would mess up the
way the chip works.
3. Alice sends the LEAF together with the IV to Bob. Bob feeds in the
session key, activates his Clipper chip with the value pair obtained, and
the communication can begin.
6.4.2 How to Undermine the Protocol
At first, the method looks watertight. Provided the hardware is 'untouchable',
there is no way to use the chips without transmitting valid LEAFs, which
automatically forwards the valid session key to the two authorities.
Matthew Blaze of AT&T Bell Laboratories published an analysis of how to
outsmart the EES protocol at the beginning of 1994. He used the Clipper or
Capstone chip together with easily modifiable software, which means that he
used the Skipjack algorithm
without
the government being able to eavesdrop.
Rather than analyzing some software or unauthorized opening of a chip, Blaze
looked at the reactions of the chip to different inputs and used known informa-
tion, i.e., he used absolutely legal methods only. The report [Blazeskip] landed
like a bomb.
Blaze's considerations are not as complicated as you may think. We will have
a closer look at them below.
LEAF Under the Magnifying Glass
First of all, Blaze found out more about the structure of LEAF in various
experiments. Figure 6.7 shows the scheme.
The most important detail is the calculation of the 16-bit checksum. It depends
at least on the IV and the 80-bit session key, probably also on the encrypted
session key. Together with the 32-bit unit ID — the chip's serial number — this
produces a block of 128 bits. This block is encrypted using the global family
key. The cipher is the LEAF. Since the global family key cannot be read, an
eavesdropper can't even recover the serial number from the LEAF. Anyway,
this cipher works in a mode that seems to 'mix' all 128 bits.
We can easily understand from the figure why Alice cannot come up with a
false LEAF to a session key and an IV. Blaze took all of this to launch two
possible attacks.
