Skipjack Algorithm


The two current implementations of the Escrowed Encryption Standard provides a high level of reverse engineering protection. This note give a general description of some of this protection. However, neither a complete description nor a detailed description are provided. Such descriptions would provide assistance to someone intent on reverse engineering the implementations. This is not desirable by the developers, implementors and users of the standard.

A "Write Once" memory is provided in the MYK-78 and MYK-80 devices. The size of this memory differs between the two devices. Among other things, this memory is used to store the unique device identifier, the family key, and the device unique key. In addition, parts of the SKIPJACK cryptographic algorithm and the LEAF Creation Method are contained in this memory. This memory cannot be read outside the device with any known reverse engineering technique. Once written during the deice "programming" phase under control of the Key Escrow Agents, it can neither be overwritten (ie., modified) nor read externally. This memory is produced from non-metallic "links" that are established or not established based on a "1" or "0" written by the device programming equipment. The final step of "programming" is to destroy electrically the path used for "programming." The non-metallic "links" cannot be investigated externally to determine the pattern of "1" and "0"s that were written.

A second reverse engineering protection integrated into the two devices involve "ghost logic." This is additional logic circuits, data paths, storage elements, etc. that are randomly or intentionally placed in the active logic to deter reverse engineering. The appear to have a logical function but do not participate in the true functions of the devices.

A third reverse engineering protection involve false heat dissipation methods. Device functions can be partially analyzed through heat dissipation during operation. Generating heat over or in non-functioning parts of the logic deters this type of analysis.

While new logic analysis tools may be developed in the future, the reverse engineering protection included in the two devices is considered to be state-of-the-art. The costs associated with getting a single bit or a single logic circuit can be estimated but it is difficult to estimate the total cost of getting a complete description of the major algorithms from reverse engineering. Many reverse engineering techniques also destroy the device. Thus many devices are consumed when doing a complete analysis. If each device is unique, (e.g. the device unique key), this makes getting and using such information more difficult that that which is common to a large number of devices.

NIST Technical Document - Undated.

Does the encryption algorithm endorsed by the Administration contain a "trap door" or "back door," which could allow an agency or entity of the Federal government to crack the code?

A - NO.

Raymond G. Kammer - Acting Director NIST 4/28/93

"The most serious concern is that the scenario regarding the use of the "exploitable" chip could surface publicly during the transition period or shortly after the Clinton administration arrives, but before they approve the proposed overall solution. If that happened, it might result in their being pushed toward disavowing the prior Bush Administration approach in order to avoid the controversy, rather than the Clinton administration moving forward with us in a consolidated effort to convince Congress and the public of the merits of our position."

J. R. Davis FBI/DOJ 12/23/92

"Devices using the EES (CAPSTONE and CLIPPER), which implement the classified SKIPJACK algorithm, must be programmed. The chip programmer is a device provided by the National Security Agency (NSA). There is no assurance, without scrutiny, that all keying material introduced during the chip programming is not already available to the NSA. Thus, not only do the key escrow agents have a decryption capability,the NSA also retains this capability."

Benita A. Cooper - NASA Associate Administrator for Management Systems and Facilities


"It is anticipated the costs for "Clipper Chip" based hardware products will be competitive with other hardware-based solutions. The chip itself is expected to be no more than $26/each (in quantity) to product manufacturers. As the technology gains acceptance and production costs are minimized, it is anticipated that the cost of the chip will fall correspondingly."

Raymond G. Kammer - Acting Director NIST 4/28/93

"AT&T has advised that the unit cost to the Government of the TSD 3600 device, employing either DES or "Clipper" chip encryption. would be approximately $1,000."

Feb. 9, 1993 Letter To George Tenet on CLIPPER.



As data networks expand and as the requirements to support geographically widespread networks increase, there will be an increased demand for the development of faster speed transmissions to benefit from these high speed networks. As a result, users will be able to take advantage of these high speed data highways to transmit increased amounts of data associated with video, high volume data retrieval, and other high speed data services. These types of data services are typically used by large commercial, banking and Government institutions. Because of the sensitive banking data and personal information, there is a need to utilize encryption. By way of example, major inter-bank data transmissions typically utilize DES-based or comparable encryption.

High speed transmissions today typically run in the range of 10-50 Mbit/sec (10-50 million bits per second). At these data rates, hardware based encryption is the only feasible approach to data security. In this regard, the "Clipper" technique offers a suitable solution. In its current configuration, "Clipper" is designed to run at speeds of 10 Mbits/sec and if necessary, it can easily be engineered to run at speeds up to 100 Mbits/sec.