http://www.nytimes.com/1994/06/02/us/flaw-discovered-in-federal-plan-for-wiretapping.html

June 2, 1994

Flaw Discovered in Federal Plan for Wiretapping

By JOHN MARKOFF

A computer scientist at AT&T Bell Laboratories has discovered a basic flaw in the technology that the Clinton Administration has been promoting as a way to allow law enforcement officials to eavesdrop on electronically scrambled telephone and computer conversations.

Someone with sufficient computer skills can defeat the Government's technology by using it to encode messages so that not even the Government can crack them, according to the Bell Labs researcher, Matthew Blaze.

For more than a year, the Clinton Administration has been advocating the encoding technology as the best way to insure the privacy of telephone and computer conversations while retaining the traditional right of law-enforcement officials to use court-authorized wiretaps to eavesdrop on the conversations of suspected criminals or terrorists.

The technology, based on what is known as the Clipper chip, has been widely criticized by communications executives and privacy-rights advocates, who fear its Big Brother potential. The industry also fears foreign customers might shop elsewhere, shunning equipment to which Washington keeps a set of electronic keys.

But now Dr. Blaze, as a result of his independent testing of Clipper, is putting forth perhaps the most compelling criticism yet: the technology simply does not work as advertised. Dr. Blaze detailed his findings in a draft report that he has been quietly circulating among computer researchers and Federal agencies in recent weeks and which he made available on Tuesday to The New York Times.

"The Government is fighting an uphill battle," said Martin Hellman, a Stanford University computer scientist who has read Dr. Blaze's paper and who is himself an expert in data encryption, as the field is known. "People who want to work around Clipper will be able to do it."

But the National Security Agency, the Government's electronic spying agency, which played a lead role in developing the technology, said yesterday that Clipper remained useful, despite the flaw uncovered by Dr. Blaze. Agency officials do not dispute the flaw's existence.

"Anyone interested in circumventing law-enforcement access would most likely choose simpler alternatives," Michael A. Smith, the agency's director of policy, said in a written statement in response to a reporter's questions. "More difficult and time-consuming efforts, like those discussed in the Blaze paper are very unlikely to be employed."

Since announcing the Clipper coding technology 13 months ago, White House and Justice Department officials have argued forcefully that it is a necessary information-age tool for law enforcement officials.

The Clinton Administration intends to use Clipper, which it is trying to promote as an industry standard, for the Government's sensitive nonmilitary communications. The Federal Government is the nation's largest purchaser of information technology.

But industry executives have resisted adopting Clipper as a standard for several reasons. Because the underlying mathematics of the technology remain a classified Government secret, industry officials say there is no way to be certain that it is as secure as encoding techniques already on the market.

They also fear that Clipper's electronic "backdoor," which is designed for legal wiretapping of communications, could make it subject to abuse by the Government or unscrupulous civilian computer experts, who might eavesdrop without first obtaining a court order and the electronic "keys" that are to be held in escrow by two Government agencies.

Industry executives have also worried that making Clipper a Federal Government standard would be a first step toward prescribing the technology for private industry or requiring that it be included in sophisticated computing and communications devices that are to be exported.

Dr. Blaze said that the flaw he discovered in the Clipper design would not permit a third party to break a coded computer conversation. But it would enable two people to have a secret conversation that law enforcement officials could not unscramble. And that could render Clipper no more useful to the Government than present coding technology.

Circumventing Surveillance

"Nothing I've found affects the security of the Clipper system from the point of view of people who might want to break the system," Dr. Blaze said in a telephone interview yesterday. "This does quite the opposite. Somebody can use it to circumvent the law-enforcement surveillance mechanism."

Dr. Blaze said that several simple changes to the Clipper design could correct the flaw, but that they might be difficult to adopt because they would require the Government to start over in designing the Clipper.

The Government has already ordered telephones with the Clipper chip, and it is designing another Clipper-based device, called the Tessera card, for use in personal computers.

Dr. Hellman at Stanford said that the Government was counting on most crooks and terrorists not to go to the trouble of modifying the Clipper design -- if they used it at all.

He cited the example of the Reagan Administration aide Oliver North, who he said was both intelligent and security conscious. Yet Federal investigators in the Iran-Contra inquiry obtained back-up tapes of his electronic mail messages that he had ignored.

One computer scientist who has been a proponent of the Clipper plan and who is familiar with Dr. Blaze's paper said that the flaw would not immediately subvert the system.

"I don't think this undermines the Clipper," Dorothy Denning, a computer scientist at Georgetown University and part of a team chosen by the Government to evaluate the technology, said. "But it's good to know what the vulnerabilities are."

Clipper was designed by researchers at the National Security Agency in cooperation with computer scientists at the National Institute of Standards and Technology, a civilian agency that is responsible for setting computer standards for nonmilitary Government applications.

The Clipper chip is known as an "escrowed encryption system." It is designed so that law enforcement officials wishing to eavesdrop on Clipper-encoded communications must present a court warrant and a special number -- or key -- generated by a Clipper chip to two separate Government escrow agencies. Both portions are required for decoding.

Wrong Key Generated

The flaw found by Dr. Blaze exploits the technology feature of the Clipper system that creates what is known as the Law Enforcement Access Field, or LEAF, which includes the number key that can later be used by law enforcement officials to generate the second key number.

To defeat the system, Dr. Blaze programmed a "rogue" unit to test thousands of separate LEAF's. Once he found a valid key, he inserted it in place of the one that would be generated by a Clipper device. Later, if law enforcement officials attempted to use it for decoding, it would not unlock this particular message.

The weakness in the Clipper plan is the second significant defect to be discovered recently in a product developed by National Security Agency engineers. In April N.S.A. scientists found a flaw in a technique called the Secure Hash Algorithm used to check the authenticity of documents sent over a computer network.

Chart: "Keeping Secret Messages Secret"

The Government's "Clipper" technology is intended to secure the privacy of telephone and computer conversations by scrambling them, but also retain law-enforcement agencies' right to use wiretaps. But an industry scientist has discovered a way to keep private messages truly private -- even from the Government.

HOW THE CLIPPER TECHNOLOGY IS SUPPOSED TO WORK

1. Before an encoded message can be sent, A Clipper computer chip assigns and tests a scrambled group of numbers called a LEAF - for Law Enforcement Access Field. The LEAF includes the chip's serial number, a "session key" number that locks the message and a "checksum" number that verifies the validity of the session key.

2. With a warrant to wiretap, a law-enforcement agency like the F.B.I. could record the message and identify the serial number of a Clipper chip. It would then retrieve from custodial agencies the two halves of that chip's decoding key.

3. Using both halves of the decoding key, the F.B.I. would be able to unscramble the session-key number, thus unlocking the messages or data that had been protected.

HOW THE CLIPPER TECHNOLOGY IS FLAWED

1. Taking advantage of design imperfections, people trying to defeat the system could repeatedly alter the LEAF until it erroneously passed the "checksum" verification, despite an invalid session-key number.

2. The F.B.I. would still be able to retrieve a decoding key, but it would prove useless.

3. Because the decoding key would not be able to unscramble the invalid session key, the message would remain locked.