30 October 1997
Source: Mail list cypherpunks@cyberpass.net

Date: Thu, 30 Oct 1997 09:52:07 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Subject: PGP5.5 = Clipper

There are some remarkable similarities between PGP5.5 and the hugely
unpopular original Clipper chip design.  Both encrypt the
communication key so it can be snooped by third parties thus creating
a backdoor.

I suspect that part of the reason there has been less outcry over
PGP5.5 than for Clipper is that people have a high regard for PGP Inc,
and allow this to lull their fears -- "if PGP Inc have done it, it
can't be evil."  This is really insidious, and it is reprehensible for
PGP Inc to use their reputation capital to give clipper like systems a
positive spin.

PGP5.5 is basically a software implementation of Clipper:

In PGP the backdoor is the second crypto recipient -- the message key
encrypted to the CMRK (Corporate Message Recovery Key) as requested by
the ARR (Additional Recipient Request); in Clipper the backdoor is the
LEAF (Law Enforcement Access Field).

Both systems make attempts to enforce the presense of this backdoor
field: PGP Inc's policy enforcer can be configured to bounce mail not
encrypted to the corporate backdoor key; in Clipper it is the checksum
included in the LEAF which allows the receiving chip to reject LEAFs
which have been tampered with.

Both systems are "optional" -- you don't have to use clipper chips,
they will be "voluntary" (or so the politicians claim), and
governments aren't currently using the backdoor feature of PGP5.5, and
PGP Inc argue this won't happen (we'll see how this works out).

Both systems can be bypassed in very analogous ways: 

They can both be bypassed by super encrypting traffic.

With PGP5.5 the sender can send garbage in the CMRK encrypted field;
with Clipper Matt Blaze found you could brute force the checksum and
send garbage in the LEAF field.

Both systems can be improved to make them harder to bypass, something
one suspects may happen if too many people routinely bypass them, and
law enforcement views this as a problem (which they surely will if
their snooping attempts are foiled -- don't forget Freeh is already on
record calling for mandatory key escrow, and outlawing of non-escrowed

Clipper can be made harder to bypass by increasing the size of the

PGP5.5 can be made harder to bypass by using binding cryptography
(allows untrusted agents to be deputised as policemen in ensuring the
same key is included inside the CMRK field as in the recipients PKE

It is easy for the government snoop to detect cheating with either
system -- they attempt to decrypt the traffic, and find the LEAF/CMRK
field is tampered with, or find the contained message is super

One suspects that an additional 5-year sentence will be given to
people who are detected tampering with snoop fields.  (This is not far
fetched I don't think -- already we have heard proposals for 5-year
additional sentencing for "use of encryption in a crime".  If
non-escrowed encryption is outlawed, surely this is the logical next
step on the part of Freeh, and cohorts).

PGP Inc cries: "oh but we have to meet corporate user requirements".
For corporate disaster recovery of stored data?  For corporate message
snooping?  For either requirement many of us have documented far less
dangerous techniques to enable corporate message snooping, and storage
recovery.  Techniques which aren't likely to be adopted by governments
as their snooping architecture.

PGP should fix this quickly before the reputational damage is
increased by more government statements about the usefulness of
PGP5.5. and CMR.

Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>

Date: Thu, 30 Oct 1997 10:11:51 GMT From: Adam Back <aba@dcs.ex.ac.uk> To: cypherpunks@cyberpass.net Subject: PGP Inc PR cover-up I wonder about the sudden lull in the PGP5.5 CMR argument: have PGP Inc enforced a blanket ban on participation in list discussion of the topic by their employees? Even our anonymous PGP employees posting via remailers on cypherpunks seem to have stopped. PGP Inc seemed to me to be heavily losing the argument where ever employees have spoken on the topic. Unfortunately this doesn't seem to be translating into rejection of the CMR feature, nor of adoption of less dangerous alternatives such as forward secret transport level security, shorter lived encryption keys, and separate storage keys. Perhaps it will take an official government snoop endorsement of PGP5.5 before the danger is acknowledged; by then the damage will have been done. Meanwhile over on ietf-open-pgp: The ietf-open-pgp forum for discussion of development of the now IETF controlled OpenPGP standard seems to have undergone a coup. Cypherpunk Lutz Donnerhacke had pre-empted Rodney Thayer and PGP's Jon Callas draft which had been slow coming by producing a competing draft before them. Lutz's draft was not sympathetic with PGP Inc's CMR, and even included SHOULD features encouraging separate storage keys. John Noerenberg (appointed IETF chair) over-ruled Lutz, and wrested editing of the draft from him, and demonstrated some petty power wielding in over ruling a vote on terminology Lutz had set up -- Lutz had already said he didn't care about the outcome, and just called the vote as a quick way to resolve argument. Now we are waiting for Jon Callas to release the new draft. Wonder whether it will include CMR or not :-) Join in the battle: subscribe by sending email with body "subscribe ietf-open-pgp" to <majordomo@imc.org>. The list address for posting articles is <ietf-open-pgp@imc.org> Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`