The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured "voice and data messages" with a built-in backdoor that was intended to "allow Federal, State, and local law enforcement officials the ability to decode intercepted voice and data transmissions." It was intended to be adopted by telecommunications companies for voice transmission. Introduced in 1993, it was entirely defunct by 1996.
The Clipper chip used a data encryption algorithm called Skipjack to transmit information and the Diffie–Hellman key exchange-algorithm to distribute the cryptokeys between the peers. Skipjack was invented by the National Security Agency of the U.S. Government; this algorithm was initially classified SECRET, which prevented it from being subjected to peer review from the encryption research community. The government did state that it used an 80-bit key, that the algorithm was symmetric, and that it was similar to the DES algorithm. The Skipjack algorithm was declassified and published by the NSA on June 24, 1998. The initial cost of the chips was said to be $16 (unprogrammed) or $26 (programmed), with its logic designed by Mykotronx, and fabricated by VLSI Technology, Inc.
At the heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a cryptographic key, that would then be provided to the government in escrow. If government agencies "established their authority" to listen to a communication, then the key would be given to those government agencies, who could then decrypt all data transmitted by that particular telephone. The newly formed Electronic Frontier Foundation preferred the term "key surrender" to emphasize what they alleged was really occurring.
The Clinton Administration argued that the Clipper chip was essential for law enforcement to keep up with the constantly progressing technology in the United States. While many believed that the device would act as an additional way for terrorists to receive information, the Clinton Administration said it would actually increase national security. They argued that because "terrorists would have to use it to communicate with outsiders — banks, suppliers, and contacts — the Government could listen in on those calls."
There were several advocates of the Clipper chip who argued that the technology was safe to implement and effective for its intended purpose of providing law enforcement with the ability to intercept communications when necessary and with a warrant to do so. One proponent, Howard S. Dakoff, writing in the John Marshall Law Review voiced support for the Clipper chip stating that the technology was secure and the legal rationale for its implementation was sound. Another proponent, Stewart Baker, wrote an opinion in Wired magazine debunking a series of purported myths surrounding the technology.
Organizations such as the Electronic Privacy Information Center and the Electronic Frontier Foundation challenged the Clipper chip proposal, saying that it would have the effect not only of subjecting citizens to increased and possibly illegal government surveillance, but that the strength of the Clipper chip's encryption could not be evaluated by the public as its design was classified secret, and that therefore individuals and businesses might be hobbled with an insecure communications system. Further, it was pointed out that while American companies could be forced to use the Clipper chip in their encryption products, foreign companies could not, and presumably phones with strong data encryption would be manufactured abroad and spread throughout the world and into the United States, negating the point of the whole exercise, and, of course, materially damaging U.S. manufacturers en route. Then-Senators John Ashcroft and John Kerry were opponents of the Clipper chip proposal, arguing in favor of the individual's right to encrypt messages and export encryption software.
The release and development of several strong cryptographic software packages such as Nautilus, PGP and PGPfone was in response to the government push for the Clipper chip. The thinking was that if strong cryptography was freely available on the internet as an alternative, the government would be unable to stop its use.
In 1994, Matt Blaze published the paper Protocol Failure in the Escrowed Encryption Standard. It pointed out that the Clipper's escrow system has a serious vulnerability: the chip transmitted a 128-bit "Law Enforcement Access Field" (LEAF) that contained the information necessary to recover the encryption key. To prevent the software that transmitted the message from tampering with the LEAF, a 16-bit hash was included. The Clipper chip would not decode messages with an invalid hash; however, the 16-bit hash was too short to provide meaningful security. A brute-force attack would quickly produce another LEAF value that would give the same hash but not yield the correct keys after the escrow attempt. This would allow the Clipper chip to be used as an encryption device, while disabling the key escrow capability.:63 In 1995 Yair Frankel and Moti Yung published another attack which is inherent to the design and which shows that the key escrow device tracking and authenticating capability (namely, the LEAF) of one device, can be attached to messages coming from another device and will nevertheless be received, thus bypassing the escrow in real time. In 1997, a group of leading cryptographers published a paper, "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption", analyzing the architectural vulnerabilities of implementing key escrow systems in general, including but not limited to the Clipper chip Skipjack protocol. The technical flaws described in this paper were instrumental in the demise of the Clipper chip as a public policy option. While many leading voices in the computer science community expressed opposition to the Clipper chip and key recovery in general, some supported the concept, including Dorothy E. Denning.
Lack of adoption
The Clipper chip was not embraced by consumers or manufacturers and the chip itself was no longer relevant by 1996; the only significant purchaser of phones with the chip was the United States Department of Justice. The U.S. government continued to press for key escrow by offering incentives to manufacturers, allowing more relaxed export controls if key escrow were part of cryptographic software that was exported. These attempts were largely made moot by the widespread use of strong cryptographic technologies, such as PGP, which were not under the control of the U.S. government.
However, strongly encrypted voice channels are still not the predominant mode for current cell phone communications. Secure cell phone devices and smartphone apps exist, but may require specialized hardware, and typically require that both ends of the connection employ the same encryption mechanism. Such apps usually communicate over secure Internet pathways (e.g. ZRTP) instead of through phone voice data networks.
Following the Snowden disclosures from 2013, Apple and Google stated that they would lock down all data stored on their smartphones with encryption, in such a way that Apple and Google themselves could not break the encryption even if ordered to do so with a warrant. This prompted a strong reaction from the authorities, including the chief of detectives for Chicago's police department stating that "Apple['s iPhone] will become the phone of choice for the pedophile". An editorial in the Washington Post argued that "smartphone users must accept that they cannot be above the law if there is a valid search warrant", and after agreeing that backdoors would be undesirable, suggested implementing a "golden key" backdoor which would unlock the data with a warrant. The members of "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption" 1997 paper, as well as other researchers at MIT, wrote a follow-up article in response to the revival of this debate, arguing that mandated government access to private conversations would be an even worse problem now than twenty years ago.
- Bullrun (decryption program)
- Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age by Steven Levy
- Trusted Platform Module
- Hardware backdoor
- "Clipper Chip - Definition of Clipper Chip". computer.yourdictionary.com. Retrieved 2014-01-11. CS1 maint: discouraged parameter (link)
- McLoughlin, Glenn J. (September 8, 1995). "The Clipper Chip A Fact Sheet Update". Congressional Proquest.
- "Clipper Chip". cryptomuseum.com. Retrieved 2014-01-11. CS1 maint: discouraged parameter (link)
- Levy, Steven (June 12, 1994). "Battle of the Clipper Chip". The New York Times.
- Howard S. Dakoff, The Clipper Chip Proposal: Deciphering the Unfounded Fears That Are Wrongfully Derailing Its Implementation,29 J. Marshall L. Rev. 475 (1996)
- Baker, Stewart A. (1994-06-01). "Don't Worry Be Happy". Wired. ISSN 1059-1028. Retrieved 2020-08-09.
- Summary of Encryption Bills in the 106th Congress
- Philip Zimmermann - Why I Wrote PGP (Part of the Original 1991 PGP User's Guide (updated in 1999))
- Blaze, Matt (August 20, 1994). "Protocol Failure in the Escrowed Encryption Standard" (PDF). Proceedings of the 2nd ACM Conference on Computer and Communications Security: 59–67.
- Y. Frankel and M. Yung. Escrow Encryption Systems Visited: Attacks, Analysis and Designs. Crypto 95 Proceedings, August 1995
- The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption
- Denning, Dorothy E. (July 1995). "The Case for Clipper (Clipper Chip offers escrowed encryption)". MIT Technology Review.
- From Clipper Chip to Smartphones: Unlocking the Encryption Debate
- Timberg, Craig; Soltani, Ashkan (December 13, 2013), "By cracking cellphone code, NSA has ability to decode private conversations", The Washington Post, retrieved August 18, 2015,
More than 80 percent of cellphones worldwide use weak or no encryption for at least some of their calls.CS1 maint: discouraged parameter (link)
- "Why can't Apple decrypt your iPhone?". 2014-10-04.
- Craig Timberg and Greg Miller (25 Sep 2014). "FBI blasts Apple, Google for locking police out of phones". The Washington Post. Retrieved 1 Apr 2016. CS1 maint: discouraged parameter (link)
- Editorial Board (3 Oct 2014). "Compromise needed on smartphone encryption". The Washington Post. Retrieved 1 Apr 2016. CS1 maint: discouraged parameter (link)
- Mike Masnick (6 Oct 2014). "Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?". Tech Dirt. Retrieved 1 Apr 2016. CS1 maint: discouraged parameter (link)
- Abelson, Harold; et al. (July 6, 2015). "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications". MIT Computer Science and Artificial Intelligence Laboratory. hdl:1721.1/97690. Cite journal requires
- Clipper chip Q&A
- Clipper chip White House Statement
- The Evolution of US Government Restrictions on Using and Exporting Encryption Technologies (U), Michael Schwartzbeck, Encryption Technologies, circa 1997, formerly Top Secret, approved for release by NSA with redactions September 10, 2014, C06122418
- Oral history interview with Martin Hellman Oral history interview 2004, Palo Alto, California. Charles Babbage Institute, University of Minnesota, Minneapolis. Hellman describes his invention of public key cryptography with collaborators Whitfield Diffie and Ralph Merkle at Stanford University in the mid-1970s. He also relates his subsequent work in cryptography with Steve Pohlig (the Pohlig-Hellman system) and others. Hellman addresses key escrow (the so-called Clipper chip). He also touches on the commercialization of cryptography with RSA Data Security and VeriSign.