The year is 1993, and the National Security Agency is scared.
Two years ago, Philip Zimmerman's PGP software first hit Usenet. Since then, it has become the de facto standard among the paranoid for encryption—an encryption which is effectively unbreakable with today's computers. Although the software is primarily used to encrypt e-mail and other text media, one offshoot of PGP, known as PGPfone, can be used with telephone communications.
This presents a problem for the NSA.
Since the early part of the 20th century, the United States government has been using wiretaps to foil criminals: from catching spies during the Great War to collecting evidence against the Mafia in the 1960s, wiretapping has been regarded by the FBI to be "the single most effective technique used by law enforcement to combat illegal drugs, terrorism, violent crime, espionage, and organized crime."
It is easy, then, to see why the government (the NSA and FBI especially) is a little squeamish to discover PGP circling the globe. Now organized crime, drug dealers, terrorists, and pedophiles—the "Four Horsemen of the Infocalypse"—will be free to go about their criminal activity with impunity, since their voice and e-mail communications are absolutely secure. The government needed an encryption standard to which they would have the unfettered access that they had had before 1991, and they needed it now.
And thus Clipper was born.
Clipper (and its e-mail crypto brother, Capstone) was an exercise in key escrow: whenever a telephone call was made over a telephone with a Clipper chip, the chip would encrypt the data stream with a single-session key. This key would then be "split in half," with each half being sent to a different government agency: in this case, the National Institute for Standards and Technology (NIST) and the Department of the Treasury (the agency responsible for maintaining the Secret Service) would be the recipients. If the government could adequately convince these two entities that an individual's phone had been used to commit a crime, then the two halves would be reunited and the calls decrypted. In February 1994, the President officially announced the adoption of Skipjack (the algorithm used for both Clipper and Capstone), and the NSA contracted AT&T to begin producing Clipper-enabled telephones.
So what went wrong? Where are all the Clipper phones?
In May of 1994, Matthew Blaze, a young researcher for Bell Laboratories, decided to respond to the NSA's open call to the crypto community to have a crack at Clipper. His efforts were to be the would-be crypto standard's downfall.
Blaze focused his efforts on a specific part of the Clipper mechanism: the Law Enforcement Access Field (LEAF). The LEAF is critical to the NSA's ability to crack suspicious messages: it contains the encrypted single-session key that is split in two and sent to law enforcement agencies. Blaze was able to modify the LEAF by cracking the 16-bit checksum that protects it—a process that took him less than an hour—and then replacing the legitimate LEAF with gibberish, making the message indecipherable to the government. Blaze hadn't cracked Clipper, but he had rendered it effectively worthless.
With the new standard in tatters, on July 20, 1994, Vice President Gore announced that the government was abandoning Clipper. PGP continued to flourish, used by the honest and wicked alike. And the government's attempts at key escrow fell, at least temporarily, by the wayside.
Sources cited:
Electronic Privacy Information Center. "The Clipper chip." http://www.epic.org/crypto/clipper/ (28 September 2001).
Meeks, Brock N. "Clipping Clipper: Matt Blaze." Wired Sept. 1994: 7.
Singh, Simon. The Code Book. New York: Doubleday, 1999.