Cryptography Reference
In-Depth Information
block is 'garbage' and start their actual communication from the second
block onwards.
Things are similar with the CFB mode; it also recovers after a few
wrongly encrypted blocks.
Only the OFB mode causes damage beyond repair due to a wrong IV. If,
for some reason, Bob can receive in OFB mode only, then Alice has to
operate her chip in ECB mode and implement the OFB cipher externally
via software.
Surprisingly simple, isn't it? Cryptological knowledge is actually required only
for the handling of faulty IVs. Nevertheless, one has to come up with the idea first!
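The behaviour of the three modes under a wrong IV, described above, can be reproduced with the following added example, which is not code from the original text. It assumes a toy 8-round Feistel cipher with 64-bit blocks as a stand-in for Skipjack, full-block CFB feedback, and constructed key, IV and plaintext values.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, the block size Skipjack uses

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crypt_block(key, blk, decrypt=False):
    # Toy 8-round Feistel cipher: a stand-in for Skipjack, NOT Skipjack itself.
    l, r = (blk[4:], blk[:4]) if decrypt else (blk[:4], blk[4:])
    for rnd in (reversed(range(8)) if decrypt else range(8)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l if decrypt else l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc(key, iv, data, decrypt=False):
    out, prev = [], iv
    for b in blocks(data):
        if decrypt:
            out.append(_xor(crypt_block(key, b, True), prev))
        else:
            out.append(crypt_block(key, _xor(b, prev)))
        prev = b if decrypt else out[-1]  # chain on the ciphertext block
    return b"".join(out)

def cfb(key, iv, data, decrypt=False):  # full-block (64-bit) feedback
    out, prev = [], iv
    for b in blocks(data):
        out.append(_xor(b, crypt_block(key, prev)))
        prev = b if decrypt else out[-1]  # feedback is always the ciphertext
    return b"".join(out)

def ofb(key, iv, data, decrypt=False):  # keystream depends on key and IV only
    out, ks = [], iv
    for b in blocks(data):
        ks = crypt_block(key, ks)
        out.append(_xor(b, ks))
    return b"".join(out)

def damaged_blocks(mode, key, iv, wrong_iv, pt):
    # Encrypt with the right IV, decrypt with the wrong one, list garbled blocks.
    got = mode(key, wrong_iv, mode(key, iv, pt), decrypt=True)
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(got))) if a != b]

if __name__ == "__main__":
    key, iv, bad = b"constructed key", bytes(8), b"\xff" * 8  # constructed values
    msg = bytes(range(48))  # constructed plaintext, six blocks
    for mode in (cbc, cfb, ofb):
        print(mode.__name__, damaged_blocks(mode, key, iv, bad, msg))
```

With full-block feedback, CFB loses only its first block; with narrower feedback segments the damage covers more segments but still ends once the wrong IV has been shifted out of the register. In OFB every block stays garbled, because the keystream is derived from the IV alone and the ciphertext never feeds back into it.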
Now you might say that all of this can be easily prevented: Bob's chip can use
the global family key to decrypt the LEAF and find that the LEAF originates
from himself. It shouldn't be a big deal for the chip to reject its own LEAFs.
That's exactly the remedy Blaze suggested.
But even Blaze underestimated Bob's slyness. The thing is that Bob bought
himself two chips, feeding the second with the LEAF that the first chip created.
There is no way for the second chip to know that the first chip is also Bob's.
You might end up thinking that data or phone communication without LEAF
should be punished. Well, even that won't bother Alice and Bob much. They
precede their message with another valid LEAF. The fact that the eavesdropping
investigator hears noise instead of voice can be easily explained; they simply
say that their devices are running a test (or has some key escrow center made
a mistake? Let's hope not!).
The fact is that as long as Clipper and Capstone don't use better protocols
(at least with cleverer ciphering modes), you can exchange Skipjack-encrypted
messages without the government learning the keys you use.
Unnoticed Fraud
The second attack against the protocol is launched from a different situation:
Bob works under third-party control so that he cannot use Clipper or
Capstone in a way that allows him to mount the first attack (LEAF feedback).
Bob is supposed to receive Alice's message with a LEAF that belongs to the
session key and the IV, but that doesn't actually contain an encrypted session
key yet.