Inside AT&T TSD-3600E Telephone Security Device (Clipper Chip)
Image by Matt Blaze
Inside the AT&T TSD-3600E Telephone Security Device, an encrypting telephone from 1993 based on the controversial Clipper Chip
The Clipper chip was the flagship component of a controversial National Security Agency-designed "key escrow" cryptography scheme, in which intercepted encrypted traffic could be decrypted easily by law enforcement or intelligence agencies for surveillance purposes. The program was extremely controversial and, in the end, not a success. Aside from the obvious fundamental problems (the security risks of having a large database of citizen’s keys, the need to implement cryptography in expensive secret hardware, etc), the Clipper architecture had technical flaws that made it possible to circumvent the escrow features and preclude the possibility of law enforcement access. (See "Protocol Failure in the Escrowed Encryption Standard" [pdf format], for details.)
AT&T (my employer at the time) was the first (and ultimately only) company to build a commercial product based on the ill-fated system. The AT&T TSD-3600, announced in 1992, was a voice encryption device designed to be installed in a standard telephone (between the phone base and the handset). Calls placed to other TSD-3600-equipped telephones could be automatically digitized (at 4800bps) and encrypted, making eavesdropping on the conversation (by legal or illegal means) effectively infeasible. When the US government learned of AT&T’s plans to market the device, it worried that criminals might used them to thwart wiretaps. Plans for a new encryption system with a wiretap backdoor were hurriedly drawn up by the NSA, and AT&T was persuaded to replace the regular (non-escrowed) DES-based encryption scheme in the original TSD product with the new system, called the Clipper chip. The Clipper-based model TSD-3600E hit the market in 1993. As incentive for AT&T’s cooperation, the government agreed to purchase a significant quantity of Clipper-equipped TSD-3600Es, which sold for over 00 each in quantity.
Hobbled by the controversial key escrow features and the high retail price, the government ended up being the TSD’s only major customer, and even most of the units they bought sat unopened in storage for over ten years. AT&T, for its part, eventually sold off the division that produced the product.
I’m aware of five different TSD-3600 models produced between 1992 and the product’s cancellation, differing in the cipher algorithm used. The TSD-3600D was the original, using standard DES with a 56 bit key. (These were quickly recalled and disappeared from the market after Clipper was announced). The 3600F was an exportable model that used a proprietary 40 bit cipher that, I was told, was "embarassingly" weak even given the short key. The 3600P used a proprietary 56 bit cipher similar to DES (but not inter-operable with the 3600D). The 3600E was the first controversial key escrowed model, with the then-classified Skipjack cipher and key escrow features implemented on a tamper-resistant MYK-78T Clipper chip. A later model, the 3600S, included a Clipper chip but would also downgrade (or upgrade, depending on your opinion of key escrow) to the F or P ciphers when communicating with those models. All five models use a Diffie-Hellman key exchange (768 bit, if I recall correctly) to establish a session key, a 4 character hash of which is displayed on each unit’s LCD. To detect "man-in-the-middle" attacks, users could verify (by voice) that their displayed hashes matched.
This photo shows an open unit with its main circuit board exposed. The MYK-78T Clipper chip is visible in the far right of the board. The gray handset module at the front is a removable part that matches the unit to the audio and electrical levels of particular telephones.
Rodenstock Gerogon 240mm/9, Sinar P, BetterLight Super 6K-HS. Full resolution (6000×8000) version available.
Disclaimer: No emulsions were harmed in the making of this image.