Chaos Digest Lundi 19 Avril 1993 Volume 1 : Numero 19

Chaos Digest Lundi 19 Avril 1993 Volume 1 : Numero 19

Editeur: Jean-Bernard Condat ([email protected])
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.19 (19 Avril 1993)
File 1--Alertes aux fausses factures d'annuaires France Telecom
File 2--Le "Clipper Chip": rapide descriptif
File 3--Slide presente a la Maison Blanche durant le briefing
File 4--Clipper Chip et le FBI (reprints)
File 5--Piratage France Telecom par un technicien France Telecom

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
[email protected]
with a mail header or first line containing the following informations:
X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France.

Issues of ChaosD can also be found on some French BBS. Back issues of
ChaosD can be found on the Internet as part of the Computer underground
Digest archives. They're accessible using anonymous FTP from:

* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.91] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Thu Apr 15 11:47:00 +0200 1993
From: [email protected] (Stephane DUFOUR )
Subject: File 1--Alertes aux fausses factures d'annuaires France Telecom

Depuis plus de deux ans, des vagues de pseudo-factures imitant les
factures de France Telecom, se repandent sur le territoire national. Ces
documents constituent une double tromperie:

* Ils se presentent d'une part comme des factures, alors qu'ils ne
sont censes etre qu'une offre d'abonnement a un service d'annuaire pour la
telecopie, le telex ou le Minitel. Cette presentation visiblement destinee
a abuser les consommateurs est penalement reprehensible et confine a la
tentative d'escroquerie.

* Ils imitent d'autre part d'une facon plus ou moins manifeste les
factures emises par France Telecom, tant en ce qui concerne le nom du
service (France service Minitel, France Telecopie) que la presentation
generale, le logo ou la couleur a dominante bleue. Ceci constitue aussi
une infraction de contrefacon ou imitation illicite.

Des l'apparition de ces fraudes, France Telecom a reagi en portant
plainte chaque fois qu'une nouvelle affaire apparaissait. Il a mis en garde
tous ses abonnes individuellement contre les risques de confusion. Il est
intervenu sur ce sujet a de nombreuses reprises dans les medias et continue
de la faire. Une collaboration etroite a ete etablie avec le parquet de
Paris qui centralise les plaintes et coordonne les differentes enquetes.

France Telecom transmet en particulierles nouveaux "modeles" de factures
des qu'ils lui sont signales. A titre d'exemple, cette cooperation entre
la justice, France Telecom et la Poste a permis en un an d'intercepter sur
commission rogatoire pres de 350 000 plis avant leur distribution et de
bloquer, en liaison avec les banques de nombreux cheques.

L'instruction judiciaire a ete rendue plus difficile par le caractere
international de la fraude qui affecte une bonne partie de l'Europe et
utilise l'Autriche et le Lichtenstein comme plaques tournantes. Toutefois
plusieurs personnes devraient etre traduites devant le tribunal correction-
nel d'ici cet ete.

------------------------------

Date: Wed, 21 Apr 93 19:21:48 EDT
From: [email protected] (Dorothy Denning )
Subject: File 2--Le "Clipper Chip": rapide descriptif
Repost from: RISKS Digest

THE CLIPPER CHIP: A TECHNICAL SUMMARY
Dorothy Denning
Revised, April 21, 1993

INTRODUCTION

On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement. At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys. Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.

CHIP CONTENTS

The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack." The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES). It supports all 4 DES modes of
operation. The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

the Skipjack encryption algorithm
F, an 80-bit family key that is common to all chips
N, a 30-bit serial number (this length is subject to change)
U, an 80-bit secret key that unlocks all messages encrypted with the chip

The chips are programmed by Mykotronx, Inc., which calls them the
"MYK-78." The silicon is supplied by VLSI Technology Inc. They are
implemented in 1 micron technology and will initially sell for about
$30 each in quantities of 10,000 or more. The price should drop as the
technology is shrunk to .8 micron.

ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be). Suppose I call someone and
we both have such a device. After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end. This key negotiation takes place
without the Clipper Chip. In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice). The
telephone security device feeds K and M into the chip to produce two
values:

E[M; K], the encrypted message stream, and
E[E[K; U] + N; F], a law enforcement field ,

which are transmitted over the telephone line. The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F. The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

The ciphertext E[M; K] is decrypted by the receiver's device using the
session key:

D[E[M; K]; K] = M .

CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (Secure Compartmented
Information Facility), which is essentially a vault. The SCIF contains
a laptop computer and equipment to program the chips. About 300 chips
are programmed during a single session. The SCIF is located at
Mykotronx.

At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault. Agent 1 enters a secret, random
80-bit value S1 into the laptop and agent 2 enters a secret, random
80-bit value S2. These random values serve as seeds to generate unit
keys for a sequence of serial numbers. Thus, the unit keys are a
function of 160 secret, random bits, where each agent knows only 80.

To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:

R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:

R2 = E[D[E[N2; S1]; S2]; S1]
R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2. The
rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2
are the key parts that are separately escrowed with the two escrow
agencies.

As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks. The first disk contains a
file for each serial number that contains the corresponding key part
U1. The second disk is similar but contains the U2 values. The third
disk contains the unit keys U. Agent 1 takes the first disk and agent
2 takes the second disk. Thus each agent walks away knowing
an 80-bit seed and the 80-bit key parts. However, the agent does not
know the other 80 bits used to generate the keys or the other 80-bit
key parts.

The third disk is used to program the chips. After the chips are
programmed, all information is discarded from the vault and the agents
leave. The laptop may be destroyed for additional assurance that no
information is left behind.

The protocol may be changed slightly so that four people are in the
room instead of two. The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies.

The escrow agencies have as yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency. One or
both may be independent from the government.

LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line. Let us assume that the tap is in
place and that they have determined that the line is encrypted with the
Clipper Chip. The law enforcement field is first decrypted with the
family key F, giving E[K; U] + N. Documentation certifying that a tap
has been authorized for the party associated with serial number N is
then sent (e.g., via secure FAX) to each of the key escrow agents, who
return (e.g., also via secure FAX) U1 and U2. U1 and U2 are XORed
together to produce the unit key U, and E[K; U] is decrypted to get the
session key K. Finally the message stream is decrypted. All this will
be accomplished through a special black box decoder.

CAPSTONE: THE NEXT GENERATION

A successor to the Clipper Chip, called "Capstone" by the government
and "MYK-80" by Mykotronx, has already been developed. It will include
the Skipjack algorithm, the Digital Signature Standard (DSS), the
Secure Hash Algorithm (SHA), a method of key exchange, a fast
exponentiator, and a randomizer. A prototoype will be available for
testing on April 22, and the chips are expected to be ready for
delivery in June or July.

ACKNOWLEDGMENT AND DISTRIBUTION NOTICE

This article is based on information provided by NSA, NIST, FBI, and
Mykotronx. Permission to distribute this document is granted.

------------------------------

Date: Mon, 19 Apr 93 9:21:53 EDT
From: [email protected] (Clipper Chip Announcement )
Subject: File 3--Slide presente a la Maison Blanche durant le briefing

Note: The following material was handed out a press briefing on the
Clipper Chip on 4/16.

Chip Operation

Microchip
User's Message +----------------------+
------------------> | | 1. Message encrypted
| Encryption Algorithm | with user's key
| |
| Serial # | 2. User's key encrypted
| |--> with chip unique key
| Chip Unique Key |
User's Encryption | | 3. Serial # encrypted
Key | Chip Family Key | with chip family key
------------------> | |
| |
+----------------------+

For Law Enforcement to Read a Suspect's Message

1. Need to obtain court authorized warrant to tap the suspect's telephone;

2. Record encrypted message;

3. Use chip family key to decrypt chip serial number;

4. Take this serial number *and* court order to custodians of disks A and B;

5. Add the A and B components for that serial number = the chip
unique key for the suspect user;

6. Use this key to decrypt the user's message key for
this recorded message;

7. Finally, use this message key to decrypt the recorded message.

------------------------------

Date: Mon Apr 19 12:58:44 -0400 1993
From: [email protected] (Paul Rutkovsky )
Subject: File 4--Clipper Chip et le FBI (reprints)
Copyrights: Warren Publishing, Inc. & San Jose Mercury News, 1993

GOVT. WEIGHS IN ON PRIVACY-VS.-ENCRYPTION DEBATE, WITH ITS OWN TECHNOL OGY

Communications Daily April 19, 1993 p. N/A
ISSN: 0277-0679

Clinton Administration Fri. announced sweeping policy directive
designed to protect privacy of voice and data transmissions using
govt.-developed encryption technology that ensures law enforcement agencies
will have ability to eavesdrop. Encyrption is achieved through use of
"Clipper Chip " that will be built into telephones, computers, fax
machines. Although govt. will adopt new chip as its standard, use in
private sector will be on voluntary basis.

AT&T Fri. became first company to announce publicly support of
Clipper Chip . "We believe it will give our customers far greater
protection in defeating hackers or eavesdroppers in attempting to intercept
a call," said AT&T Vp Secure Communications Systems Edward Hickey. Govt.
already has purchased some evaluation units from AT&T with Clipper Chip
installed, said Raymond Kramer, acting dir. of National Institute of
Standards & Technology (NIST). Govt. expects to purchase "well over the
thousands" of such Clipper Chip units, he said, but he couldn't give
figures for how many it might buy from AT&T. AT&T spokesman said products
with Clipper Chip included will be available commercially in 2nd
quarter.

President Clinton Thurs. signed Top Secret National Security Directive
outlining details of privacy and encryption policy review. Review will
bring together industry and govt. experts under direction of National
Security Council in attempt to resolve long-running controversy on right of
businesses and citizens to protect all forms of communication and govt.
right to conduct lawful investigations. Review will take 3-4 months, NIST's
Kramer said.

Law enforcement agencies are concerned about rising popularity of
digital encryption methods. Multinational businesses, worried about
economic espionage, increasingly are incorporating encryption technology
for all communications. Law enforcement agencies have voiced growing
concern that if they don't move quickly to enact laws assuring them access
to encrypted and digital communications, they will be at decided
disadvantage in attempting to thwart criminal acts. FBI spokesman James
Kallstrom acknowledged that "not many" criminals today are using encryption
to skirt law, but putting methods in place now to assure means of
intercepting such communications "is vital" to law enforcement's mission.

Encryption program will be available to any vendor that wants to
manufacture chips, Kramer said. However, company that developed and
designed chip under sole-source contract from National Security Agency
(NSA) -- Mykotronx, Torrance, Cal. -- has solid lead on market. Kramer
acknowledged job was handed to it with NSA's full approval of
noncompetitive bid contract. He defended noncompetition aspect: "We went
out and found the only company capable of delivering this technology." He
said govt. has been using Clipper Chip technology for "a while now in
classified applications," but declined to say how long it had been in use
before White House announcement.

Each chip will have 3 unique "keys" issued to it. When manufactured, 2
of those keys will be sent to govt. and will be held by "escrow agents."
For law enforcement agency to be able descramble transmissions, it first
must get court order that allows keys held in escrow to be released. Only
when those keys are used in tandem can law enforcement agencies unscramble
codes and listen in on conversations. Attorney Gen.'s office will "make all
arrangements with appropriate entities to hold keys," White House said.
Those escrow keys could be held by private organizations, govt. agencies or
others, Kramer said. But only 2 entities will be chosen and will be
responsible for administering data base that will store keys. Attorney
Gen.'s office is expected to select escrow key holders "within a couple of
weeks," Kramer said.

Plan already is drawing fire from civil liberties groups and privacy
advocates. Electronic Frontier Foundation (EFF) said White House acted
"before any public comment or discussion has been allowed." It said
Administration will use "its leverage to get all telephone equipment
vendors to adopt" technology. EFF criticized govt.'s sole-source contract,
saying there may be other companies that have better encryption technology,
and because encryption algorithm is classified, it can't be tested. "The
public will only have confidence in the security of a standard that is open
to independent, expert scrutiny," EFF said. Privacy experts are concerned
that because Clipper Chip was developed under NSA contract, it might
have "backdoor" known only to NSA that would allow agency to crack code and
bypass court order. Kramer disagreed: "There is positively no backdoor to
this technology."

Because use of Clipper Chip is entirely voluntary, businesses and
private users -- including criminals -- are free to choose other means of
encryption, leaving govt. and law enforcement agencies with dilemma they
now face. FBI 's Kallstrom acknowledged criminals still could thwart
investigations if they used non- Clipper Chip products, "but most
criminals aren't so smart."

Ability of govt. to eavesdrop on Clipper Chip -equipped devices
still doesn't solve broader problem: Ability to wiretap conversations
moving across digital telecommunications lines. That problem is being
addressed separately by FBI 's controversial digital wiretap legislation
that has failed to find congressional sponsor and is languishing in Justice
Dept., waiting for support of Attorney Gen.

+++++

U.S. SCHEME TO EAVESDROP ELECTRONICALLY RAISES CONCERNS CIVIL LIBERTARIANS,
INDUSTRY GROUP WANT PUBLIC INPUT INTO 'KEY' PLAN
San Jose Mercury News (SJ) - Saturday, April 17, 1993
By: RORY J. O'CONNOR, Mercury News Staff Writer
Edition: Morning Final Section: Business Page: 11D

Civil libertarians and a major computer industry group raised concerns
Friday about how much protection a Clinton administration plan would afford
private electronic communications, from cellular telephone calls to
computer data.

The administration Friday said it would begin using technology developed
by the government's National Institute of Standards and Technology to
balance two competing interests: the desire of citizens to keep their
conversations private and the need for law enforcement agencies to monitor
those conversations after getting a court order.

The technology that enables this is a computer chip called the Clipper
Chip that scrambles a telephone call or computer message using a secret
algorithm, or formula.

But each chip also comes with a pair of electronic "keys" that could be
used by law enforcement agencies to decipher the secret messages generated
by the chip.

The Clinton proposal calls for one key to be held by each of two separate
"trusted" third parties, who would release them to law enforcement agencies
that obtained legal authority to intercept the communications. Both keys
would be needed to decipher a message.

The Electronic Frontier Foundation, a not-for-profit civil liberties
group, praised the administration for considering the issue. But it
criticized the lack of public input into the plan.

"They've announced a big inquiry with public input, but they've reached a
conclusion before they started," said Daniel J. Weitzner, staff counsel for
the Washington-based foundation.

Although the administration's plan calls only for equipping government
telephones with the security devices, some groups are concerned the plan
might become a standard for all manner of electronic communication before
the public has a chance to debate its merits.

"I don't want to sound too stridently opposed to this," said Ken Wasch,
executive director of the Software Publishers Association (SPA) in
Washington. "But... we feel blindsided."

The SPA was discussing data security issues with Clinton administration
officials but had not expected any White House action until August,
said Ilene Rosenthal, general counsel.

Besides the lack of initial hearings, both groups said they had two major
concerns about the Clinton plan:

(box) Because the algorithm itself is secret, the groups say it is
impossible for the public to discern if it is truly secure. Users can't be
certain government spy agencies have not hidden a "back door" in the
software that will allow them to read anything they want.

"So far there hasn't been a credible explanation about why the algorithm
has to be secret," Weitzner said.

(box) The administration hasn't decided who will be the escrow agents,
and it seems unlikely any government agency, corporate entity or other
organization would be deemed trustworthy by every user.

Even assuming all concerned can agree on who will hold them, civil
libertarians are concerned that the keys, by giving law enforcement
agencies access to individuals' private communications, might pose a threat
to constitutional protections against self-incrimination.

Washington sources who requested anonymity suggested the White House
might have drafted its plan quickly because of concern over sales of an
AT&T device that encrypts phone calls using an older standard, Data
Encryption Standard. The sources said law enforcement officials feared the
device would create an explosion in secured telephone traffic that would
severely hamper their efforts to wiretap calls.

American Telephone & Telegraph announced Friday it would adapt the $1,200
product, called the Telephone Security Device, to use the Clipper Chip
by the end of this fiscal quarter. AT&T makes a related device, which
encrypts voice and computer data transmissions, that could be converted to
the Clipper technology, said spokesman Bill Jones.

Jones said he wasn't aware of any concern by the government over the
current model of the Telephone Security Device, which has been sold to
government and business customers.

At least one company was quite pleased with the plan: San Jose chip maker
VLSI Technology, which will manufacture the Clipper chips for a
Torrance company that is selling them to the government and to AT&T.

VLSI, which invented a manufacturing method the company said makes it
difficult to "reverse engineer" the chip or discern the encryption scheme,
expects to make $50 million in the next three years selling the device,
said Jeff Hendy, director of new product marketing for the company.

------------------------------

Date: Thu Apr 15 11:47:00 +0200 1993
From: createuraltern.com (Fabien Pigere )
Subject: File 5--Piratage France Telecom par un technicien France Telecom
Copyright: Elsevier Science Publishers Ltd., 1992

ADDING TO CHAOS
Network Monitor March, 1992
ISSN: 0953-8402 WORD COUNT: 121
PUBLISHER: Elsevier Advanced Technology Publications

France Telecom was in the news again recently after a technician was found
guilty of aiding hackers to gain information about using international
network connections.

The technician worked for Intelcom France, an FT subsidiary which manages
the international transit node (NTI) for France Telecom networks.

According to the police the technician "played a determine role" in the
leak of NTI access codes notably to the Chaos Computer Club France.

Jean-Bernard Condat of the CCCF denied the accusation that his organization
which he says specializes in the security of information systems, received
the access codes from the technician.

The Chaos Computer Club began life in Germany and has played a twilight
role, half supporting hackers and half finding security loopholes ignored
or hidden by suppliers and operations.

INDUSTRY: Telecommunications (TL)

------------------------------

End of Chaos Digest #1.19
************************************