Foiling the Clipper Chip

WHEN SCIENTISTS AT THE ULTRASECRET National Security Agency invented a gadget that encodes digitized data and voice transmissions, the privacy-obsessed didn't exactly beat a path to their door. Sure, the Clipper chip microprocessor seems to generate uncrackable codes. But there is a catch: the government keeps the "keys" to the codes, enabling law-enforcement agencies to unscramble transmissions. This makes the electronics industry, and civil libertarians, squirm. Won't customers shun American-made products, with a built-in Clipper chip, in favor of foreign-made phones and computers, whose code keys are not held by Uncle Sam? And might not an unscrupulous G-man, or a wily hacker, surreptitiously obtain the keys and eavesdrop on anything from electronically filed tax returns to e-mailed plans for a corporate takeover?

They needn't worry. The Clipper chip, after all, was invented by the same government whose space satellite vanished en route to Mars and which can't delete dead men from its computerized Social Security rolls. Now computer scientist Matthew Blaze, 32, of AT&T Bell Labs has found that Clipper is flawed, too. Transmissions are probably as impervious to eavesdroppers as the NSA claims. But some communications, says Blaze, can be encoded so that not even the government, decrypting keys in hand, can unscramble them. And that's the problem. With cybercrime on the rise, the Clinton administration has been pushing manufacturers to install the Clipper chip in phones, personal computers and modems so transmissions can be decoded. If a court-authorized wiretap hears only the "hssssss" of an encoded transmission, the Clipper chip loses much of its reason for being. "The NSA may have foisted its worst nightmare on itself," says Daniel Weitzner of the Electronic Frontier Foundation, which lobbies for private encryption. "It's devised a standard that can be subverted by people seeking to avoid law-enforcement surveillance."

The flaw, finds Blaze, lies in how the encryption system begins a transmission. Say a personal computer contains the souped-up version of the Clipper chip on the Tessera card, which fits laptops and many PCs. Before the computer sends encrypted e-mail, it transmits a 128-bit string called the LEAF (Law Enforcement Access Field). Inside it are the serial number of the encryption device, the key for this particular conversation (locked under a key unique to that device) and a 16-bit checksum; the whole field is in turn scrambled under a "family key" built into every Clipper chip. The receiving chip unlocks the LEAF, verifies the checksum against the conversation key it already shares with the sender, and refuses to decode the message unless the checksum passes. The LEAF also tells an authorized wiretapper which key it needs to decrypt the subsequent message: the serial number identifies the device, and with that device's key the conversation key can be pulled out of the LEAF. (Two federal agencies each hold half of every device's key, and release the halves only to law-enforcement officials with a court order for a cybertap.) Armed with the key, agents easily unscramble the message. But, Blaze explains in the draft of a paper obtained by Newsweek, the receiver checks nothing but that 16-bit checksum. Someone who wants to foil eavesdroppers can therefore feed random 128-bit LEAFs to his own chip until it accepts one, a search of about 65,000 tries on average, and transmit that rogue LEAF in place of the real one. The receiver is satisfied, but when the FBI used the LEAF to retrieve the key to the code, it would find a serial number that matches no registered device, or come up with the wrong key. It would, to be simplistic, substitute A for 1 and B for 2, when in fact the code used Z for 1 and Y for 2. The "decoded" message would be gibberish.
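The exchange described above, as an added toy model in Python. It is not Blaze's code and nothing in it comes from the Clipper chip: the NSA's secret Skipjack cipher is replaced by a SHA-256 keystream, the never-published 16-bit checksum by a truncated HMAC, and the family key, device serial number, device key and escrow table are values made up here. Only the field sizes (32-bit serial number, 80-bit conversation key, 16-bit checksum, 128 bits in all) follow the real LEAF layout. Running it shows the three things the paragraph describes: an honest LEAF lets the receiver decode and the wiretap recover the key; a random LEAF passes the receiver's checksum test after roughly 2^16 tries; and that rogue LEAF leaves the wiretap with no usable key.

```python
"""Toy model of the Clipper/Capstone LEAF and Blaze's rogue-LEAF attack.

Stand-ins (assumptions, not the real design): Skipjack -> SHA-256 keystream,
the secret 16-bit LEAF checksum -> truncated HMAC, family/unit keys and the
escrow table -> constants made up below. Field sizes follow the real layout:
32-bit unit ID || 80-bit encrypted session key || 16-bit checksum = 128 bits.
"""
import hashlib
import hmac
import random

FAMILY_KEY = b"family-key-burned-into-every-chip"   # constructed stand-in
UNIT_ID = 0x0000BEEF                                # constructed serial number
UNIT_KEY = bytes.fromhex("0123456789abcdef0123")    # 80-bit, constructed
ESCROW_DB = {UNIT_ID: UNIT_KEY}                     # what the two agencies hold


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for Skipjack."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under the toy cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def leaf_checksum(session_key: bytes, iv: bytes) -> bytes:
    """16-bit check value. Assumed to be keyed by the family key and to cover
    the session key and IV; the real function was never published."""
    return hmac.new(FAMILY_KEY, session_key + iv, hashlib.sha256).digest()[:2]


def make_leaf(unit_id: int, unit_key: bytes, session_key: bytes, iv: bytes) -> bytes:
    """Honest chip: unit ID || E_unitkey(session key) || checksum, with the
    whole 16-byte field then encrypted under the family key."""
    esk = xor_crypt(unit_key, iv, session_key)        # 10 bytes
    plain = unit_id.to_bytes(4, "big") + esk + leaf_checksum(session_key, iv)
    return xor_crypt(FAMILY_KEY, iv, plain)           # 16 bytes


def receiver_accepts(leaf: bytes, session_key: bytes, iv: bytes) -> bool:
    """The receiving chip's test: unlock the LEAF and compare the 16-bit
    checksum with the session key it already shares with the sender."""
    plain = xor_crypt(FAMILY_KEY, iv, leaf)
    return plain[14:] == leaf_checksum(session_key, iv)


def wiretap_recover_key(leaf: bytes, iv: bytes):
    """Law enforcement: unlock the LEAF, look the serial number up in escrow,
    use that unit key to extract the session key. None if no such unit."""
    plain = xor_crypt(FAMILY_KEY, iv, leaf)
    unit_key = ESCROW_DB.get(int.from_bytes(plain[:4], "big"))
    if unit_key is None:
        return None
    return xor_crypt(unit_key, iv, plain[4:14])


def forge_rogue_leaf(session_key: bytes, iv: bytes, rng: random.Random, max_trials=1 << 22):
    """Blaze's attack. The sender's own chip (which holds the family key) is
    the oracle: try random 128-bit LEAFs until one passes the 16-bit check,
    about 2**16 tries on average. The winner carries no real serial number
    and no escrowed key, yet every receiving chip will accept it."""
    for trial in range(1, max_trials + 1):
        candidate = rng.getrandbits(128).to_bytes(16, "big")
        if receiver_accepts(candidate, session_key, iv):
            return candidate, trial
    raise RuntimeError("no rogue LEAF found")  # probability about e**-64


def demo(seed: int = 1994) -> dict:
    """Run one honest and one rogue transmission; return what each side sees."""
    rng = random.Random(seed)                          # seeded for repeatability
    session_key = rng.getrandbits(80).to_bytes(10, "big")
    iv = rng.getrandbits(64).to_bytes(8, "big")
    msg = b"wire $40M to account 7 at 09:00"          # constructed plaintext
    ct = xor_crypt(session_key, iv, msg)

    honest = make_leaf(UNIT_ID, UNIT_KEY, session_key, iv)
    rogue, trials = forge_rogue_leaf(session_key, iv, rng)
    return {
        "session_key": session_key,
        "plaintext": msg,
        "honest_accepted": receiver_accepts(honest, session_key, iv),
        "rogue_accepted": receiver_accepts(rogue, session_key, iv),
        "trials": trials,
        "tap_honest": xor_crypt(wiretap_recover_key(honest, iv), iv, ct),
        "tap_rogue_key": wiretap_recover_key(rogue, iv),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point the model makes concrete is that the receiver's check and the wiretapper's need are different things: the receiver only needs the checksum to match, while the wiretapper needs the serial number and the escrowed key hidden behind it to be genuine, and nothing forces the two to agree.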

Even the NSA agrees with Blaze's analysis. But it emphasizes that the flaw does not apply to voice, fax and low-speed data transmissions, chiefly because those products run in real time and a telephone call cannot be held up while a rogue LEAF is searched for. Blaze's discovery "in no way reduce[s] the . . . chips' inherent security," said the NSA in a rare statement. It affects only computer-to-computer, e-mail encryption -- which is, nevertheless, a big share of what the government wants to be able to tap. Also, the NSA argues that generating rogue LEAFs is "not practical in real-world applications." But in fact the process would take, on average, only half an hour, so anyone with patience and the ability to download a rogue-LEAF software program could do it, says AT&T security specialist David Maher. But there is a greater worry. "What else might we find," asks IBM's Mark Holcomb, "if we were allowed to examine" the encryption algorithm itself? NSA has kept it secret, telling industry that it can't be cracked -- trust us. After Blaze's discovery, that's going to be a lot harder to do.