6.2.4 What is Clipper?
Clipper chip technology was proposed by the U.S. Government during the mid-1990s, but is no longer being actively promoted for general use. The Clipper chip contains an encryption algorithm called Skipjack (see Question 6.2.3). Each chip contains a unique 80-bit unit key U, which is escrowed in two parts at two escrow agencies; both parts must be known in order to recover the key. Also present is a serial number and an 80-bit ``family key'' F; the latter is common to all Clipper chips. The chip is manufactured so that it cannot be reverse engineered; this means that the Skipjack algorithm and the keys cannot be recovered from the chip.
As specified by the Escrowed Encryption Standard, when two devices wish to communicate, they first agree on an 80-bit ``session key'' K. The method by which they choose this key is left up to the implementer's discretion; a public-key method such as RSA or Diffie-Hellman seems a likely choice. The message is encrypted with the key K and sent (note that the key K is not escrowed.) In addition to the encrypted message, another piece of data, called the law-enforcement access field (LEAF, see Question 7.13), is created and sent. It includes the session key K encrypted with the unit key U, then concatenated with the serial number of the sender and an authentication string, and then, finally, all encrypted with the family key. The exact details of the law-enforcement access field are classified. The receiver decrypts the law-enforcement access field, checks the authentication string, and decrypts the message with the key K.
Now suppose a law-enforcement agency wishes to ``tap the line.'' It uses the family key to decrypt the law-enforcement access field; the agency now knows the serial number and has an encrypted version of the session key. It presents an authorization warrant to the two escrow agencies along with the serial number. The escrow agencies give the two parts of the unit key to the law-enforcement agency, which then decrypts to obtain the session key K. Now the agency can use K to decrypt the actual message. Further details on the Clipper chip operation, such as the generation of the unit key, are sketched by Denning [Den93].
Matt Blaze, AT&T, showed that it is possible to modify the LEAF in a way such that law enforcement cannot determine where the message originally came from [Bla94].
The Clipper chip proposal aroused much controversy and was the subject of much criticism. Unfortunately, two distinct issues became confused in the large volume of public comment and discussion.
First there was controversy about the whole idea of escrowed keys. It is essential for the escrow agencies to keep the key databases extremely secure, since unauthorized access to both escrow databases could allow unauthorized eavesdropping on private communications. In fact, the escrow agencies were likely to be one of the major targets for anyone trying to compromise the Clipper system. The Clipper chip factory was another likely target. Those in favor of escrowed keys saw it as a way to provide secure communications for the public at large while allowing law-enforcement agencies to monitor the communications of suspected criminals. Those opposed to escrowed keys saw it as an unnecessary and ineffective intrusion of the government into the private lives of citizens. They argued that escrowed keys infringe their rights of privacy and free speech. It will take a lot of time and much public discussion for society to reach a consensus on what role, if any, escrowed keys should have.
The second area of controversy concerned various objections to the specific Clipper proposal, that is, objections to this particular implementation of escrowed keys, as opposed to the idea of escrowed keys in general. Common objections included: the key escrow agencies will be vulnerable to attack; there are not enough key escrow agencies (the current escrow agents are NIST and the automated systems division of the department of treasury [DB95]); the keys on the Clipper chips are not generated in a sufficiently secure fashion; there will not be sufficient competition among implementers, resulting in expensive and slow chips; software implementations are not possible; and the key size is fixed and cannot be increased if necessary.
Micali [Mic93] has proposed an alternative system that also attempts to balance the privacy concerns of law-abiding citizens with the investigative concerns of law-enforcement agencies. He called his system fair public-key cryptography. It is similar in function and purpose to the Clipper chip proposal but users can choose their own keys, which they register with the escrow agencies. Also, the system does not require secure hardware, and can be implemented completely in software. Desmedt [Des95] has also developed a secure software-based key escrow system that could be a viable alternative. There have been numerous other proposals in the cryptographic community over the last few years; Denning and Branstad give a nice survey [DB95].