Moderately Technical Information about the Clipper Chip


For more information on encryption in general, see our Encryption FAQ

What the Hell is the Clipper Chip?

Clipper is an encryption chip developed and sponsored by the U.S. government as part of the Capstone project. Announced by the White House in April 1993, Clipper was designed to balance the competing concerns of federal law-enforcement agencies with those of private citizens and industry. The law-enforcement agencies wish to have access to the communications of suspected criminals, for example by wire-tapping; these needs are threatened by secure cryptography. Industry and individual citizens, however, want secure communications, and look to cryptography to provide them.

Clipper technology attempts to balance these needs by using escrowed keys. The idea is that communications would be encrypted with a secure algorithm, but the keys would be kept by one or more third parties (the escrow agencies), and made available to law-enforcement agencies when authorized by a court-issued warrant. Thus, for example, personal communications would be impervious to recreational eavesdroppers, and commercial communications would be impervious to industrial espionage, and yet the FBI could listen in on suspected terrorists or gangsters.

Clipper has been proposed as a U.S. government standard; it would then be used by anyone doing business with the federal government as well as for communications within the government. For anyone else, use of Clipper is strictly voluntary. AT&T has announced a secure telephone that uses the Clipper chip.

The Clipper chip contains an encryption algorithm called Skipjack, whose details have not been made public. Each chip also contains a unique 80-bit unit key, which is escrowed in two parts at two escrow agencies; both parts must be known in order to recover the key. Also present are a serial number and an 80-bit family key; the latter is common to all Clipper chips. The chip is manufactured so that it cannot be reverse engineered; this means that the Skipjack algorithm and the keys cannot be read off the chip.

When two devices wish to communicate, they first agree on an 80-bit session key. The method by which they choose this key is left up to the implementer's discretion; a public-key method such as RSA or Diffie-Hellman seems a likely choice. The message is encrypted with the key and sent; note that the key is not escrowed. In addition to the encrypted message, another piece of data, called the law-enforcement access field (LEAF), is created and sent. It includes the session key encrypted with the unit key, then concatenated with the serial number of the sender and an authentication string, and then, finally, all encrypted with the family key. The exact details of the law-enforcement field are classified.

The receiver decrypts the law-enforcement field, checks the authentication string, and decrypts the message with the session key K.

Now suppose a law-enforcement agency wishes to tap the line. It uses the family key to decrypt the law-enforcement field; the agency now knows the serial number and has an encrypted version of the session key. It presents an authorization warrant to the two escrow agencies along with the serial number. The escrow agencies give the two parts of the unit key to the law-enforcement agency, which then decrypts to obtain the session key. Now the agency can use this key to decrypt the actual message.
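
The LEAF construction, the receiver's check and the wiretap recovery described above, as an added Python sketch that is not part of the original page. Skipjack and the exact LEAF layout are not public according to the text, so toy_cipher (a hash-based XOR keystream, not secure), the XOR split of the unit key, the 4-byte serial and the HMAC-based authentication string are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

KEY_LEN, SERIAL_LEN = 10, 4  # 80-bit keys per the page; serial width is assumed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, data):
    """Stand-in for Skipjack (not the real algorithm, not secure): XOR with a
    SHA-256-derived keystream, so the same call encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor(data, stream)

def split_unit_key(unit_key):
    """Assumed escrow split: two XOR shares, each useless on its own."""
    share1 = secrets.token_bytes(KEY_LEN)
    return share1, xor(unit_key, share1)

def auth_string(session_key, wrapped, serial):
    """Assumed form of the authentication string (the real one is classified)."""
    return hmac.new(session_key, wrapped + serial, hashlib.sha256).digest()[:4]

def make_leaf(session_key, unit_key, serial, family_key):
    """E_family( E_unit(session_key) || serial || auth_string )."""
    wrapped = toy_cipher(unit_key, session_key)
    inner = wrapped + serial + auth_string(session_key, wrapped, serial)
    return toy_cipher(family_key, inner)

def open_leaf(leaf, family_key):
    """Any holder of the family key learns the serial and the wrapped session key."""
    inner = toy_cipher(family_key, leaf)
    return inner[:KEY_LEN], inner[KEY_LEN:KEY_LEN + SERIAL_LEN], inner[KEY_LEN + SERIAL_LEN:]

def receiver_check(leaf, family_key, session_key):
    """Receiver side: accept the call only if the authentication string verifies."""
    wrapped, serial, auth = open_leaf(leaf, family_key)
    return hmac.compare_digest(auth, auth_string(session_key, wrapped, serial))

def wiretap_recover(leaf, family_key, escrow_lookup):
    """Agency side: serial -> both escrowed shares -> unit key -> session key.
    escrow_lookup(serial) models presenting the warrant to both agencies."""
    wrapped, serial, _ = open_leaf(leaf, family_key)
    share1, share2 = escrow_lookup(serial)
    return toy_cipher(xor(share1, share2), wrapped)
```

The family key alone exposes only the serial number and the wrapped session key; the session key itself comes out only when both escrowed shares are combined.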
