Path: cantaloupe.srv.cs.cmu.edu!das-news.harvard.edu!noc.near.net!howland.reston.ans.net!usc!elroy.jpl.nasa.gov!nntp-server.caltech.edu!hal
From: hal@cco.caltech.edu (Hal Finney)
Newsgroups: sci.crypt
Subject: Re: Clipper chip -- technical details
Date: 19 Apr 1993 06:25:40 GMT
Organization: California Institute of Technology, Pasadena
Lines: 19
Message-ID: <1qtgl4INNhli@gap.caltech.edu>
References: <1993Apr18.200737.14815@ulysses.att.com> <1667.Apr1821.58.3593@silverton.berkeley.edu>
NNTP-Posting-Host: alumni.caltech.edu

djb@silverton.berkeley.edu (D. J. Bernstein) writes:

>[Summary elided]
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

The description of the chip's operation evidently leaves out some of the
key management aspects.  Either the K_P is the secret key corresponding
to a public key which is broadcast at message initiation, or it is the
result of a Diffie-Hellman key exchange or something similar.  Either
way there must be some protocols beyond those described here.  It isn't
clear whether they are implemented in the Clipper wiretap chip or must
be provided by other system components.

Hal Finney
