Fortezza: The Next Clipper? (Summer, 1997) ------------------------------------------ By Seraf In recent years, the U.S. Government has pursued a project aimed at secure communications on its new Defense Messaging System (DMS). The requirements have been for a system to serve as the standard for unclassified American military encryption, easily implemented on any system (servers, workstations, mobile units, etc.). The project began in 1991 as the Pre Message Security Protocol, or PMSP. In 1993, the name changed to MOSAIC, and the associated device was introduced as the "Tessera Cryptographic Card." The most recent incarnation of the project now managed by the National Security Agency s MISSI (Multilevel Information Systems Security Initiative) is called Fortezza, and the tiny device that does the dirty work is called the "Fortezza Crypto Card." As we will learn shortly, Fortezza s purpose has grown beyond military encryption, and may pose a threat to our electronic privacy. Fortezza usually takes the form of a PCMCIA card, compatible with a tremendous installed base of personal computer hardware and viable on most any modern computer. Inside, Fortezza embodies a full suite of cryptographic functions for secure communications. It provides symmetric encryption with Skipjack (of Clipper-chip fame), secure key exchange, digital signature, and secure timestamp functions. With all its versatility, MISSI has recommended Fortezza for a number of applications. Security for both the storage and transfer of files is an obvious one. Among the others: authentication of remote network hosts, secure communications with remote hosts, unforgeable (signed) directory services, encrypted web browsing, and secure electronic commerce. Fortezza applications have been developed to interface the unit with SMTP and MIME (Internet mail), ITU X.400, ACP-123 (the Allied Communications Protocol, a superset of X.400), ITU X.500, ASN.1 (ITU s Abstract Syntax Notation), and SDNS (the Secure Data Network System, an NSA standard). Fortezza would blend in with countless other military programs, if it were being used exclusively for government communications. This, however, is not the case. Several companies now manufacture Fortezza cards, and their target is the mass market. Fortezza represents an attempt to implement NSA-breakable cryptographic technology as widely as possible: a strategy we've seen before. The Clipper/Capstone project aimed to make the Clipper chip voluntary, and then to force it as the only option, either by further legislation or market dominance. Fortezza tries to implement this same strategy on an even greater scale. Rather than encrypting only telephone calls with its special brand of so-called security, the NSA is now aiming to dominate cryptography across the public's information frontier. It's rather telling that the heart of Fortezza is the Capstone chip. Skipjack is an algorithm made to be cracked by the NSA. Like DES, it is a good algorithm for its time, but with weaknesses designed to be exploited by those in-the-know. Without a doubt, the Agency has built machines dedicated to cracking Skipjack. A separate algorithm in Fortezza, the Digital Signature Algorithm (DSA), also has potential weaknesses introduced by and for the NSA. The consequences include a government capability to forge digital signatures with Fortezza. These weaknesses aside, Fortezza's key material is supplied and escrowed by something called the Certification Authority (CA), which reports back to the NSA. So, before you even receive your Fortezza card, your key is in a Federal database. The effect is that, when you use Fortezza, (a) the National Security Agency knows your key; and (b) if for some reason it doesn't, it can crack it with relative ease. How can we protect ourselves? The answer is simple stay away from NSA crypto. If we examine the National Security Agency's persistence in introducing tainted cryptosystems and attempting to make them standard, we find that this strategy first appeared with DES in the 1970 s. The Agency has no interest in standardizing cryptography for the good of the public - only for the good of Big Brother. We should all press for the continued right to make our own choices in cryptographic technology, and those choices should be informed ones. Fortunately, NSA technology is relatively easy to spot. All of the available Fortezza products (so far) have proudly proclaimed their Agency endorsement. There are some cryptologic firms with NSA affiliation that doesn't show on the surface, such as Cylink - but we must always be wary of our sources for crypto. Available Products The following products relate to the Fortezza project, and are available to the general public. Every hacker interested in this project should consider the purchase of a Fortezza card for experimentation. It is not a crime to reverse-engineer any of these devices, or to publish the results, unless you are a government employee or contractor involved with Fortezza or its sponsoring entities. Mykotronx, Inc. is the NSA's favorite MISSI contractor. The Mykotronx Capstone MYK-80/82 is the heart of the Fortezza Crypto Card. The IC is a 144-pin TQFP package, with a clock speed of 20MHz. The 32-bit architecture runs at 18 MIPS, and performs Skipjack at up to 20Mb/s. Mykotronx also manufactures the Fortezza Crypto Card and Fortezza ISA Bus Crypto Card. The enigmatic Fortezza PLUS Crypto Card is available as well, and supposedly suitable for classified communications (it is not based on the Capstone chip, but apparently does use Skipjack) this item may be secret. Mykotronx also makes the Cawdaptor, a workstation for central management of Fortezza equipment, and the Mykotronx Communicator Fortezza Modem. Group Technologies Corporation and National Semiconductor also manufacture Fortezza cards. Spyrus designed the original Fortezza crypto card and sells its own. They also make the HYDRA Privacy Card, which implements key exchange, encryption, hashing, and digital signatures. For these functions, it can use either Fortezza algorithms (KEA, Skipjack, SHA-1, and DSA, respectively) or a less governmental set (RSA, [3]DES, MD-5, and RSA, respectively). If a stronger algorithm were substituted for DES in the latter set, it would provide formidable security - the NSA probably pressured Spyrus into using DES. Information Resource Engineering, Inc. manufactures the A400S Fortezza Serial Modem. It is much like a regular 14.4Kbps modem (AT command set, R-232-C interface, etc.), but it offers some Fortezza crypto services. We Are Still Safe With all this talk of government intervention in our lives, it's easy to forget that we can still make our own choices. Nobody is required to use NSA-sanctioned crypto today (other than our own government), and we can keep it that way if we don't start. Putting the NSA's agenda out in the open will, I hope, also help. What options, then, do we have for strong cryptographic technology? IDEA, RSA, and MD-5 are what I use for almost everything. I also trust the recommendations of the Public-Key Cryptography Standard (PKCS), which has been adopted by numerous American corporations. (Information on PKCS can be obtained from RSA Data Security Inc.) The lesson is that there's no shortage of powerful, untainted crypto make an informed decision when choosing your technology, and we'll all be able to enforce our electronic privacy.