sign in sign up
<<
Home , Clipper Chip, Skipjack (cipher)

Protocol Failure in the Escrowed Standard

Matt Blaze AT&T Bell Laboratories [email protected] August 20, 1994

Abstract The proposal, called the Escrowed Encryption Stan- dard (EES) [NIST94], includes several unusual fea- The Escrowed Encryption Standard (EES) deflnes tures that have been the subject of considerable de- a US Government family of cryptographic processors, bate and controversy. The EES , popularly known as \Clipper" chips, intended to pro- called \", is itself classifled, and implemen- tect unclassifled government and private-sector com- tations of the cipher are available to the private sec- munications and data. A basic feature of setup be- tor only within tamper-resistant modules supplied by tween pairs of EES processors involves the exchange of government-approved vendors. Software implementa- a \Law Enforcement Access Field" (LEAF) that con- tions of the cipher will not be possible. Although Skip- tains an encrypted copy of the current session key. The jack, which was designed by the US National Security LEAF is intended to facilitate government access to Agency (NSA), was reviewed by a small panel of civil- the cleartext of data encrypted under the system. Sev- ian experts who were granted access to the algorithm, eral aspects of the design of the EES, which employs a the cipher cannot be subjected to the degree of civilian classifled cipher algorithm and tamper-resistant hard- scrutiny ordinarily given to new encryption systems. ware, attempt to make it infeasible to deploy the sys- By far the most controversial aspect of the EES tem without transmitting the LEAF. We evaluated system, however, is key escrow. As part of the crypto- the publicly released aspects of the EES protocols as synchronization process, EES devices generate and ex- well as a prototype version of a PCMCIA-based EES change a \Law Enforcement Access Field" (LEAF). device. This paper outlines various techniques that This fleld contains a copy of the current session key enable cryptographic communication among EES pro- and is intended to enable a government eavesdropper cessors without transmission of the valid LEAF. We to recover the cleartext. The LEAF copy of the ses- identify two classes of techniques. The simplest al- sion key is encrypted with a device-unique key called low communication only between pairs of \rogue" par- the \unit key", assigned at the time the EES device is ties. The second, more complex methods permit rogue manufactured. Copies of the unit keys for all EES de- applications to take unilateral action to interoperate vices are to be held in \escrow" jointly by two federal with legal EES users. We conclude with techniques agencies that will be charged with releasing the keys that could make the flelded EES architecture more to law enforcement under certain conditions. robust against these failures. At , two EES devices are being produced. The simplest, the (also known as the MYK-78), is essentially a drop-in replacement for a 1 Introduction and Background conventional DES [NBS77] chip and relies on key nego- tiation being handled ofi the chip. The other EES de- In April 1993, the Clinton Administration an- vice, the chip (MYK-80), adds built-in sup- nounced a proposed new federal standard symmetric- port for public-key negotiation and digital signatures, key encryption system for the protection of sensitive- with modular arithmetic functions, random number but-unclassifled government and civilian data [Mar93]. generation, and other such features. The interface to the Skipjack cipher is similar to °c 1994. This is a pre-print of a paper to appear at the 2nd that of DES, based on a 64 bit codebook ACM Conference on Computer and Communications Security, Fairfax, VA, November 1994. and supporting FIPS-81 [NBS80] standard modes of operation. Keys are 80 bits in length, as opposed to DES’s 56 bits. The initial application of EES is in stand-alone voice encryption telephone units, such as the AT&T Model 3600 Telephone Security Device. To facilitate 80 bits computer applications such as electronic mail and flle encryption, a version of the Capstone chip will also Session key IV & other variables be available packaged in a standard PCMCIA card. EES PCMCIA cards can be installed easily in many commercially available laptop computers, and SCSI- Skipjack encrypt 16 bit checksum based PCMCIA card readers can connect EES cards (unit key) function to most other computers. The government has spec- ifled a standard application interface library for com- municating with the cards. 32 bits 80 bits 16 bits Clipper and Capstone chips are, at present, avail- Unit ID Encrypted Session Key chksum able only for use in approved products that comply with LEAF handling requirements. EES PCMCIA cards, on the other hand, are themselves a stand-alone product, and are to be made generally available \ofi Skipjack encrypt the shelf" in the United States. (global family key) The government has stated that the goal of the EES is to make a strong cipher available for legitimate use without supplying criminals and other adversaries 128 bits with a tool that can be used against American in- LEAF terests or to hide illegal activities from law enforce- ment. Thus the system is intended to be di–cult to deploy without also sending a valid LEAF and thereby Figure 1: LEAF Structure exposing the tra–c to the possibility of government monitoring. In this paper, however, we show that it is possible to construct applications that can enjoy use of the Skipjack cipher but that do not admit law flrst must intercept the LEAF and the tra–c itself enforcement access through the LEAF. For the pur- using conventional data wiretapping technology. The poses of this paper, we consider two classes of \rogue" LEAF is decrypted with the family key, revealing the EES applications: those that can communicate only chip serial number, the unit key-encrypted session key with other rogue systems and those that can success- and the LEAF checksum. The chip serial number is fully interoperate with EES \legal" systems as well. provided, with appropriate authorization, to the two The latter category especially threatens the goals of escrow agencies, which each return half of the unit key the EES program, since such rogue applications would for the given serial number. The two half-unit keys can be operationally equivalent to their legal counterparts be combined (by bitwise exclusive-or) to produce the without being subject to government access. unit key, which the law enforcement agency can then use to decrypt the session key. This session key can 1.1 LEAF Structure and Protocols then be used to decrypt the actual tra–c.

The LEAF is a 128 bit structure containing enough The wiretapping system thus relies on the availabil- information for law enforcement recovery of the ses- ity of the LEAF along with the encrypted tra–c. To sion key with the cooperation of the two agencies hold- force applications to send the LEAF on the same chan- ing the unit key database. The structure contains a nel as the tra–c, EES devices will not decrypt data 32 bit unique unit identifler (the serial number of the until they have received a valid LEAF for the current chip that generated the LEAF), the current 80 bit ses- session key. Presumably, EES devices perform various sion key (encrypted with the device’s unit key) and a integrity checks on received LEAFs prior to accepting 16 bit LEAF checksum. The entire structure is en- them. crypted with a flxed \family key" to produce the flnal LEAF message. All cryptographic operations employ To provide a convenient application interface for symmetric (secret) key techniques. The family key is LEAF management, EES devices generate and load shared by all interoperable EES devices. The family LEAFs along with the FIPS-81 initialization vectors key, the encryption modes used to encrypt the unit (IVs). The devices provide \generate IV" and \load key and the LEAF message, and the details of the IV" functions that operate on 192 bit flelds containing checksum are all secret. Externally, the LEAF is an an unencrypted 64 bit IV concatenated with the 128 opaque 128 bit package. See Figure 1. bit encrypted LEAF. The load IV operation fails if the To decrypt EES tra–c, a law enforcement agency associated LEAF does not pass an integrity check. 1.2 Experimental Observations only the checksum, and the checksum appears at the end of the LEAF in public documents, we can Most details of the LEAF creation method, encryp- conclude that at least one of the following is true: tion modes, and data structures, beyond those men- tioned above, are classifled and are therefore unknown { The LEAF is encrypted with a non-standard to us. In particular, the EES standard does not specify mode in which cleartext in \late" blocks af- the exact mechanism that enforces the transmission of fects the early . the correct LEAF. However, we were able to perform { The LEAF is encrypted with a standard a number of simple experiments on our prototype de- forward-chaining or stream mode but the vices to conflrm and expand our knowledge of LEAF checksum appears in the flrst cipherblock of internals. All experiments were performed at the pro- the LEAF. tocol level through the standard interface and did not { The LEAF is encrypted with a standard involve or direct hardware \reverse en- forward-chaining or stream mode but the gineering." We summarize our observations below. current session IV is itself used to initialize it. LEAF integrity is verifled entirely via redundancy • in the checksum fleld. In general, attempts to The LEAF checksum is, in fact, 16 bits. A brute- load an incorrect LEAF fail. This must be due • force search of the LEAF space for a valid LEAF entirely to the checksum fleld and not through di- requires about 216 operations. See the discussion rect veriflcation of the unit ID or encrypted ses- of interoperable rogue applications below. sion key; the receiving chip cannot conflrm the correctness of the unit ID or encrypted session key flelds since it does not know the unit ID or 2 Non-interoperable Rogue Applica- unit key of the sender. Therefore, the LEAF must be testable by the receiver based only on known tions information (such as the cleartext session key and IV) included in the checksum computation. First, we consider the problem of constructing a set of applications that use Skipjack to communicate LEAF checksum computation includes (implicitly among themselves without key escrow. We are free to • or explicitly) the current IV. The LEAF changes use any method permitted by the EES processor in- whenever a new IV is generated for a given session terface without regard for standard usage. Since such key. Since the IV is not included directly as one of applications may be restricted to communicating with the LEAF flelds, it must inuence the checksum. other rogue systems, their general utility is somewhat Furthermore, the receiving device refuses to load limited, although they still violate the intent of the the wrong IV for a given LEAF. EES. Several approaches can easily circumvent the law LEAF checksum computation includes the clear- • enforcement access mechanism, with a range of prac- text of the current session key. Attempts to load ticality and tradeofis. a LEAF (and corresponding IV) from a previous session key fail. It is therefore not possible to \re- 2.1 LEAF Obscuring use" a LEAF generated from an old session key, even though the LEAF itself appears internally The simplest approach is to take steps to ensure consistent. that the eavesdropper cannot recover the LEAF or LEAF checksum computation includes other the encrypted tra–c. One option is pre- or post- en- • parts of the LEAF. Attempts to load LEAFs with cryption of the tra–c with another cipher. It is not a single bit inverted anywhere in the 128 bit struc- clear, however, what the attacker gains from doing ture fail. this, since if the second cipher is believed strong there is no need to use Skipjack in the flrst place, and if it is LEAF encryption difiuses its input throughout believed weak it does not protect the tra–c from the • the entire 128 bit structure. The LEAF structure government anyway. or encryption mode is not exactly as specifled in A reflnement on this approach encrypts only the released documents. Generating a new IV for a LEAF. A LEAF encryption scheme could be inte- given session key causes changes across the entire grated into a protocol that produces LEAF. Recall that the EES codebook size is 64 \extra" bits (such as Di–e-Hellman bits, and so encryption of the LEAF involves at [DH76]). Since only 80 bits are required for the Skip- least two block . Since the IV afiects jack session key, 128 of the other bits could be used as a Vernam cipher against the LEAF. Note that 2.2.2 Cipher Block Chaining (CBC) this scheme is not directly implementable with the In CBC mode encryption, the cleartext of each block EES PCMCIA card key exchange protocol, which does is flrst exclusive-ORd (XOR) with the ciphertext of not permit external access to the negotiated key bits. the previous block and then encrypted with the block However, an additional key exchange could be per- cipher function. The flrst block is XORd against formed in software on the host processors. the IV. Decryption reverses the process, applying the Another option is to negotiate keys (and LEAFs) XOR function after the ciphertext has been decrypted out-of-band or in advance. While it is not clear that with the block cipher function. CBC mode is \self- there is any way EES could prevent such an attack, synchronizing" in that decryption can recover from neither is such a scheme very useful in practical ap- missing or damaged ciphertext blocks. Since success- plications. Users would never be able to communi- ful decryption of a block depends only on receiving cate securely without pre-negotiation or the use of a the previous block’s ciphertext, loss of the IV only af- trusted channel. If a trusted channel existed, it could fects the flrst block. LEAF feedback with a new IV, be just as easily used for the tra–c itself. For some ap- therefore, corrupts the flrst block but this can be eas- plications, however, such as bulk flle encryption, pre- ily compensated for by preflxing one \dummy" block negotiated keys may be practical. to the message, to be discarded by the receiver. 2.2 LEAF Feedback 2.2.3 Cipher Feed Back (CFB) Another possible approach is to avoid sending the CFB mode uses the result of successive encryption LEAF altogether. Depending on the cryptographic through a shift register (initialized with the IV) as mode this can be surprisingly simple. Recall that a keystream generator. The block encrypt fuction is LEAFs are generated and loaded along with the IV. used to generate the stream, which is XOR mixed with While applications cannot easily force the chip to use the datastream for both encryption and decryption. an externally-chosen IV, they can easily generate a The shift register input is \fed" with the ciphertext new one. Upon negotiation of a session key, the re- stream from previous blocks. The stream depends en- ceiving side of a rogue application can simply generate tirely on the key and the previous blocks of ciphertext. a new IV/LEAF and feed it back to itself, the sender CFB can be implemented based on ECB mode with never having sent the IV/LEAF at all. This still leaves an external shift register and IV. This requires one the problem of IV synchronization. Because IVs can- call to the EES device for each cipherblock. Exper- not be loaded without a LEAF and LEAF checksums iments with this method with a prototype EES card appear to be bound to the IV, sender and receiver have suggest that this method carries a signiflcant band- no way to communicate a directly loadable IV without width penalty, however, since each ECB call to the also communicating the corresponding LEAF. Most card takes about 38ms and a separate call is required cryptographic modes require the sender and receiver for each 8-64 bit block of the stream. to synchronize on the IV. This is not an insurmount- A more e–cient implementation takes advantage able problem, however. It is possible to compose e–- of CFB’s limited error propagation. CFB mode, like cient implementations of each FIPS-81 cryptographic CBC mode, is self-synchronizing, with complete re- mode in terms of other modes without explicitly load- covery from missing or damaged ciphertext once the ing the sender’s IV at the decrypting side. Let us con- shift register has exhausted. CFB can therefore re- sider \LEAF feedback" schemes for each commonly cover from an incorrect IV. The sender can preflx a used cipher mode. \dummy" block to the ciphertext input stream and the receiver can feed back a freshly generated, random IV 2.2.1 Electronic Book (ECB) and employ a bulk CFB block decrypt directly (just as with CBC mode). In ECB mode, there is no IV (or, more properly, the IV does not afiect the cipher in any way). The primitive 2.2.4 Output Feed Back (OFB) block cipher is used directly, without chaining or feed- back from other blocks. LEAF feedback is therefore OFB mode also uses the result of successive encryp- simple { each side generates an IV/LEAF immediately tion through a shift register (initialized with the IV) after the key is negotiated and loaded, and uses ECB as a keystream generator. The block encryption func- mode for communication. The fact that sender and tion is used to generate both the encrypt and decrypt receiver generated difierent IVs does not matter. streams. Subsequent stream values are not afiected by ECB mode is itself vulnerable to a number of well- the data. Note that the entire stream depends on the known attacks and is not considered suitable for gen- key and IV and therefore requires that both sender eral use. and receiver be able to load the same IV to generate the same streams. LEAF feedback cannot therefore non-interactive applications such as electronic mail, use OFB mode directly, since the stream will never flle encryption, fax, etc. recover from an incorrect IV. However, OFB mode A more general approach is to construct a LEAF can be simulated using the ECB block encrypt func- fleld that will be accepted as valid by the receiver but tion and an externally implemented shift register and that does not actually contain the encrypted session stream XOR mixer. The IV must still be sent to the key. receiver (without the LEAF, of course) to initialize the external shift register. This method carries a high 3.1 Brute-Force LEAF Search performance penalty, just as with the manual imple- mentation of CFB mode described above. Recall that the LEAF structure contains three com- A more e–cient method exists to generate an OFB ponents: the unit serial number of the transmitter, the stream, however, using Cipher Feed Back (CFB) mode unit key-encrypted session key, and a 16 bit checksum, to simulate the stream generator for large blocks. The all encrypted as a block under the family key. Because sender generates an IV/LEAF and encrypts with OFB the receiving chip knows only the session key, the IV, mode directly in the standard manner and sends only and the family key, but not the other chip’s unit key the IV to the receiver. Two passes are required on the or serial number, LEAF veriflcation must be entirely receive side. First, the receiver generates a new IV on the basis of the 16 bit checksum. The checksum, and LEAF and encrypts a single block of all zeros with which is presumably based only on the session key, IV CFB mode. Now the receiver can recreate the sender’s and other LEAF data, cannot be extracted from or OFB keystream mask for n blocks by CFB encrypting inserted into a LEAF without knowledge of the fam- n blocks of zeros preflxed with the block created in ily key (and the encryption mode). It is therefore not the previous step XORd with the real IV. The sub- possible for a rogue application to extract the check- sequent blocks, after CFB encryption, can be XORd sum from a valid LEAF and re-insert into an invalid with the ciphertext (shifted by one block) to recover LEAF, or to damage only the encrypted session key the cleartext. Note that while the XOR mixing must in an otherwise-valid LEAF. be performed separately on the host processor, only A rogue sender could simply use a difierent session two calls to the EES device are required to decrypt an key when generating the LEAF; this LEAF would ap- arbitrary length ciphertext (up to the maximum block pear internally consistent with a valid checksum but decrypt size supported by the devices). would contain the wrong session key. \Old" LEAFs are detected and rejected by the receiving chip, how- ever, apparently by using the cleartext of the session 3 Interoperable Rogue Applications key (rather than the unit-key encrypted session key) in the computation of the LEAF checksum. Since the checksum is only 16 bits in length, how- A more interesting (and useful) class of rogue appli- ever, another attack is possible.1 For any session key cations includes those that can interoperate with \le- and IV, 2112 of the 2128 possible LEAF structures will gal" peers (those that make no efiort to circumvent the appear to have a valid checksum. Because the pro- escrow system), still without allowing law enforcement cess of decrypting a randomly generated LEAF with access. Such applications have much greater utility the family key will tend to randomize the decrypted (and are a much greater threat to the escrow system) bits in the checksum fleld, any randomly generated than non-interoperable rogues, because they have all 128 bit string will have a 1/216 chance of appearing the beneflts of interoperability with other EES devices valid for the current session key and IV. Note that without the risk of exposure to wiretapping. the sending chip, like the receiving chip, has a built- In the previous section, we discussed techniques for in LEAF-testing facility. Once a session key has been rogue applications to communicate with one another negotiated, an attacker can use the local EES device without sending the LEAF. Such applications could to flnd a valid-looking-but-invalid LEAF with an ex- be modifled to adapt their behavior to send the LEAF pected average of 216 trials. This attack appears to be only when communicating with a legal peer. A sim- feasible in practice. ple way to construct such an application is to \test Such a randomly generated LEAF structure will be the water" by sending the peer device a bogus LEAF accepted as valid by the receiving chip and will enable and then, if the exchange fails (because the peer is op- EES communication. The tra–c will not be subject erating legally), sending a valid LEAF. Such a \two to LEAF-based wiretap access, however. When the phase" protocol is not completely satisfactory, how- 1 ever, because it still renders tra–c vulnerable to LEAF The first observation that LEAF checksums may be vulner- able to brute-force spoofing appears have been independently monitoring when communicating with legal applica- made by Ken Shirriff in a posting to the “sci.crypt” Usenet tions. Furthermore, such a protocol cannot work with group on January 27, 1994. wiretapper decrypts the rogue LEAF with the family to applications that use the PCMCIA interface. key, the checksum fleld will appear valid but the unit We implemented this attack for a simple encrypted identifler and encrypted session key flelds will contain flle storage application that we built as a testbed. only random bit strings. Other than the 30-50 minutes of latency added by the LEAF search at encryption time (which is per- 3.2 Experimental Results formed \o†ine" from the user interface), the rogue version is functionally identical to the version that fol- We measured the time to test randomly selected lows the approved interface. In a storage application LEAFs on an EES PCMCIA card. All experiments the LEAF-search delay is almost completely transpar- were conducted with a Mykotronx prototype EES card ent, since most user operation can proceed normally connected through a Spyrus SCSI PCMCIA reader to prior to its completion. In store-and-forward messag- a Sun Sparc-10 host running SunOS 4.1.3. We made ing applications, such as electronic mail, however, the no efiort to optimize the communication with the card LEAF search delays message delivery. Whether this or library, using the standard prototype PCMCIA li- is acceptable depends on the application; additional brary and device drivers as delivered. Recall that computing resources, in the form of EES PCMCIA the EES PCMCIA interface is fairly loosely-coupled cards (perhaps borrowed from nearby idle worksta- to the host processor and supports a more restricted tions) can reduce the delay. It may also be possible set of cryptographic operations than the basic Clip- for messaging applications to precompute session keys per/Capstone chips themselves. Therefore, LEAF- and bogus LEAFs prior to their use, especially if the testing operations on the PCMCIA card are inherently number of possible recipients is small. We did not slower than the same operations on a more tightly- implement any of these conveniences, however. coupled EES device or on a special-purpose host with In interactive applications such as secure telephony, a built-in EES processor. It is also possible that com- the search time required for LEAF forgery during call munication with the card can be made faster with setup may render the technique impractical. Other the more tightly-coupled PCMCIA interfaces found than parallel processing with additional EES devices, on most laptop computers. The communication time there do not appear to be viable shortcuts for reducing with the card interface dominates the cost of most this search time. If call setup uses a negotiated key operations in the environment we examined; host pro- exchange, the originator cannot generally predict the cessor speed was not a signiflcant determining factor. session key and therefore cannot conduct the LEAF We assume our results to be approximately represen- search in advance. Neither do there appear to be tative of typical implementations in a worst-case en- shortcuts to testing an average of 216 LEAF values. vironment. The formulation of the problem, in which the attacker Our test application required about 38ms to gen- need only discover some session key and corresponding erate (with a pseudorandom generator) a LEAF-size LEAF, seems at flrst blush to admit a so-called \birth- bit string, send it through the PCMCIA library to the day attack" requiring only √216 = 28 trials. However, 16 EES card and check the result. Since, on average, 2 because the LEAF checksum is cryptographically pro- random LEAFs must be generated and tested before tected by the family key, there appears to be no obvi- one with a valid checksum is found, a rogue PCM- ous way to perform the constant-time lookup on the CIA application can search for a valid-looking LEAF checksum required for each probe in such an attack. 16 in 38 2 ms, or 2,490,368 ms, which is about 42 Because no widely-deployed \o–cial" EES PCM- ∗ minutes. CIA applications existed at the time of this writing, 42 minutes obviously adds too much latency to there were no third-party supplied systems available channel setup time to be useful in real-time applica- against which we could exploit LEAF forgery tech- tions such as secure telephone calls. For less interac- niques. We have every reason to believe, however, tive applications, particularly secure electronic mail, that building interoperable rogue versions of any non- fax and flle storage systems, such a delay may be ac- interactive PCMCIA application that implements an ceptable. Furthermore, the attack has almost linear open protocol would be a straightforward matter. speedup with parallel processing. With 60 PCMCIA cards, a valid-looking LEAF could be expected in un- der 45 seconds. Also, it may be reasonable to expect 4 Discussion several orders of magnitude reduction in search time with more direct use of a Capstone or Clipper chip. The EES failure modes described in this paper do Since those devices are not expected to be made avail- not have the same semantic implications as protocol able for unrestricted use outside embedded products failures in the classic sense. None of the methods given (as the PCMCIA cards are), however, it is likely that here permit an attacker to discover the contents of en- practical implementations of this attack will be limited crypted tra–c or compromise the integrity of signed messages. Nothing here afiects the strength of the sys- restrictions could be circumvented easily by using two tem from the point of view of the communicating par- devices on the receiving side, one for LEAF generation ties; indeed, in some sense these techniques increase and one for decryption. the security of EES-based protocols by eliminating the The interoperable LEAF-search method can be LEAF as a source of attack. made less attractive by increasing the time required Instead, these methods attack an unusual aspect to check a LEAF. The ability to do this is limited by of EES requirements { the attempt to enforce access the fact that any reduction in LEAF-checking perfor- for a third party who is not an active participant in mance also degrades the performance of legal applica- any part of EES-based communication. Once the sys- tions. EES PCMCIA cards, on which LEAFs can be tem has been deployed, there is little further that the feasibly searched for, already require approximately third party (the wiretapper) can do to protect its in- 38 ms to load an IV and LEAF. Slowing this to, say, terests. In efiect, the wiretapper actively participates two seconds, would noticeably increase the setup time in the protocol only by providing the narrow interface for legitimate interactive tra–c but only adds a factor to the tamper-resistant EES module that requires that of 50 to the time required by the o†ine rogue LEAF a LEAF be loaded prior to executing a decrypt opera- searcher (who could compensate with as much parallel tion. Our attacks thwart the wiretapper by using that processing as desired). interface in unexpected ways. Alternatively, EES devices could limit the number In considering countermeasures to these attacks, it of incorrect LEAFs they will accept (perhaps self- is useful to divide the properties of the EES system destructing after some threshold has been reached), into three somewhat overlapping categories: or could impose a longer delay before returning the Fundamental. This category includes the prop- result of an attempt to load an invalid LEAF. These • erties of any key escrow system in a particular approaches are di–cult to engineer reliably, however, application domain (e.g., widely available compo- and greatly increase the vulnerability of the system nents, FIPS-81 compatibility, identiflable LEAFs, to denial-of-service attacks by an adversary who can etc.). These properties cannot be changed with- inject noise into a receiver’s datastream. out afiecting the applicability of the system. A more robust solution increases the size of the LEAF checksum to 32 or 64 bits, making exhaustive Architectural. The basic properties of the system • search infeasible. Since there is no \extra room" in the decided upon early in the design process (e.g., the existing 128 bit LEAF package, any increase in check- size of the LEAF fleld, the crypto-synchronization sum size would necessitate either increasing the LEAF protocol, etc.). Changing the architecture re- size or reducing the size of the other LEAF flelds. In- quires re-engineering of a signiflcant fraction of creasing the size of the LEAF package to, say, 192 system components. bits would provide room for an additional 64 bits of checksum redundancy but would would likely require Implementation. The characteristics of the ac- signiflcant re-engineering of many existing EES com- • tual EES devices and software. These can be ponents, from the processors themselves to the pro- changed by replacing or modifying the compo- tocols and applications that use them. Within the nents in question. constraints of the 128 bit package, checksum size can In this paper we have focused primarily on weak- increase only at the expense of either the unit ID or nesses that are either fundamental or that arise from encrypted session key flelds. The 32 bit unit ID fleld the EES architecture. In particular, we did not at- appears to be at the minimum possible size given the tempt to discover or exploit \bugs" in the prototype intended scope of the EES program (a previous ver- EES devices. sion of the LEAF with a 25 bit unit ID was considered It is not clear that it is possible to construct an inadequate [NIST94a]). It may be possible to use bits EES system that is both completely invulnerable to all from the encrypted session key fleld to increase the kinds of exploitation as well as generally useful. Let checksum size, at some expense in law enforcement us consider modiflcations to the EES interface that wiretap access performance. If only 64 bits of the en- frustrate the various attacks. crypted session key were included in the LEAF, the Non-interoperable applications are particularly wiretapper could exhaustively search for the remain- hard to prevent, since they are free to use the EES in- ing 16 bits at decrypt time. Such a search, with prop- terface in any way they choose. LEAF feedback tech- erly optimized hardware, would likely add at most a niques can be discouraged by having devices recognize few seconds to the decrypt time and would enable 32 (and refuse to accept) locally-generated LEAFs. This bit LEAF checksums within the existing LEAF size would make the EES system di–cult to deploy in legit- constraints. imate secure storage applications, however, and such Finally, a more drastic approach, which thwarts non- interoperable as well as interoperable rogues, is to \pirate" cable TV descramblers, cellular telephone sharply restrict the availability of EES devices to those access codes, and copy-protected PC software sug- users and applications that are trusted not to abuse gests that rogue modiflcations to circumvent controls them. PCMCIA cards, being inherently portable, on widely-deployed systems tend to emerge quickly would need to be handled with particular care to avoid even when moderate safeguards against such modi- their use by unauthorized individuals. Of course, it is flcations are present. EES PCMCIA-based systems not at all clear that such restrictions could be made appear to be particularly vulnerable to such abuse be- efiective or consistent with the goals of the EES pro- cause the interface to the system is controlled com- gram, which aims to make the system widely available pletely in software on the user’s host computer. The to the public. barriers to constructing a rogue software system are much smaller than those to modifying and deploying hardware-based rogue products, and the development 5 Conclusions and proliferation of software modiflcations is very dif- flcult to regulate in the presence of open standards The EES attempts to balance the seemingly con- and communications networks. icting goals of making widely available a strong cryp- tographic system while also ensuring government ac- cess to encrypted tra–c. Rogue applications defeat 6 Acknowledgments EES by making use of the cipher without the govern- ment \back door." Whether rogues threaten the vi- Steve Bellovin, Whitfleld Di–e, Joan Feigenbaum, ability of the EES program depends on whether they Peter Honeyman, Steve Kent, Jack Lacy, Tom Lon- can be easily deployed for a signiflcant fraction of the don, Dave Maher, Andrew Odlyzko, Rob Pike, Jim tra–c in their target application areas. Reeds, Mike Reiter and Bruce Schneier ofiered innu- We have identifled two classes of rogues. The most merable comments that have greatly improved this pa- general, those that can take unilateral action to inter- per. The suggestion to use bits from the encrypted operate with legal EES systems, are potentially the session key to augment the checksum size arose from most damaging to the EES program. These applica- discussions with Steve Bellovin. We would like to es- tions are functionally similar to their non-rogue coun- pecially acknowledge the generous assistance of vari- terparts and have all the advantages of general inter- ous individuals at NSA in providing us with prototype operability without the risk of wiretapping. The tech- EES PCMCIA cards and technical data. We are par- niques used to implement them do carry enough of ticularly grateful for the spirit of openess and colle- a performance penalty, however, to limit their useful- giality displayed by the members of NSA in reviewing ness in real-time voice telephony, which is perhaps the these results. government’s richest source of wiretap-based intelli- The author remains, of course, solely responsible gence. The second class, those that can interoperate for any errors in this paper. only with other rogue devices explicitly designed to thwart the LEAF, are also the easiest to implement The name \Tessera" is a trademark of Tessera, Inc., and the hardest to prevent. Devices in this class are which neither produced nor licensed the government- not as great a threat to the EES program as those in supplied EES PCMCIA cards to which we refer in this the former class because they do not conform to o–- paper. We know of no connection between Tessera, cial interoperability standards. However, if the pop- Inc. and the EES program. Previous references to ulation of legal devices is substantially smaller than EES PCMCIA cards as \Tessera cards" appear to have that of rogue devices in a particular market, lack of been made in error. legal interoperability may not be a signiflcant disad- vantage. It is worth noting that, with EES PCMCIA cards, 7 Postscript a rogue system can be constructed with little more than a software modiflcation to a legal system. Fur- Some of the results in this paper are based on ex- thermore, while some expertise may be required to periments conducted with pre-release prototype EES construct a rogue version of an existing system, it is PCMCIA cards and software obtained from NSA. The likely that little or no special skill would be required production version of the EES PCMCIA system will to install and operate the modifled software. In par- likely exhibit difierent performance characteristics and ticular, one can imagine \patches" to defeat key es- have a difierent interface from the version we exam- crow in EES-based systems being distributed over net- ined. The reader is cautioned to view any experimen- works such as the Internet in much the same way that tal results presented here as a \proof of concept" and other software is distributed today. Experience with not as representative of the exact performance of the flnal system. We understand that NSA intends to in- corporate features to discourage these attacks into fu- ture versions of EES devices.

References

[DH76] W. Di–e and M. E. Hellman. New di- rections in cryptography. IEEE Trans. on Information Theory, November 1976.

[Mar93] J. Markofi. Communications plan to bal- ance government access with privacy. New York Times, April 16, 1993.

[NBS77] National Bureau of Standards. , Federal Information Processing Standards Publication 46, Gov- ernment Printing O–ce, Washington, D. C., 1977.

[NBS80] National Bureau of Standards. Data En- cryption Standard Modes of Operation, Federal Information Processing Standards Publication 81, Government Printing Of- flce, Washington, D.C., 1980.

[NIST94] National Institute for Standards and Tech- nology. Escrowed Encryption Standard, Federal Information Processing Standards Publication 185, U.S. Dept. of Commerce, 1994.

[NIST94a] National Institute for Standards and Tech- nology. Technical Fact Sheet on Blaze Re- port and Key Escrow Encryption. June 15, 1994.