Own a Pair of Clipper Chips

The AT&T TSD was an early 1990s telephone encryption device. It was digital. Voice quality was okay. And it was the device that contained the infamous Clipper Chip, the U.S. government's first attempt to put a back door into everyone's communications.

Marcus Ranum is selling a pair on eBay. He has the description wrong, though. The TSD-3600-E is the model with the Clipper Chip in it. The TSD-3600-F is the version with the insecure exportable algorithm.

Posted on May 5, 2016 at 6:31 AM • 15 Comments


Paul RenaultMay 5, 2016 7:05 AM

"Marcus Ranum is selling a pair on eBay. He has the decryption wrong, though."

Uh, I think that it's the Clipper chip which has the decryption wrong. What Marcus has, I'm guessing, is the description wrong. ;->

Renato GolinMay 5, 2016 10:36 AM

+Paul, if the device has a back-door, then he also has the decryption wrong. :)

zMay 5, 2016 10:42 AM

The ironic thing is that as bad as the Clipper chip was, it was probably better than our current default of no voice encryption at all. Sure the gov could eavesdrop on the Clipper chip, but now they don't even have to demand an escrow key.


BradMay 5, 2016 12:46 PM

I guess everyone knows Marcus Ranum is using a buggy version of the Lastpass extension give the weird lastpass javascript appended to the auction description.

Who?May 5, 2016 1:50 PM

Is the clipper chip weak yet? Perhaps no one at the NSA remembers right now how its backdoor works!

Peter ShenkinMay 5, 2016 10:06 PM

@Paul Renault. That sounds like something Korzybsky would say....

Hugh NoMay 5, 2016 11:22 PM

Actually, the CLIPPER chip was not an "attempt to put a back door into everyone's communications." It was an attempt to design a secure phone for government use that wouldn't help bad guys who happened to get ahold of the devices. Unfortunately, folks who assumed what Bruce stated apparently gave the idea to a few in government who then thought that they should go ahead and implement that. This is not at all what the designers had in mind (according to a talk given by them many years ago).

Nick PMay 5, 2016 11:34 PM

@ Hugh No

The word of crypto opponents during the Crypto Wars vs Bruce's word. I'll side with Bruce until I see something stronger. Meanwhile, a declassified CIA document we discussed a while back shared everyone's position from LEO's to NSA. They were all anti-crypto for non-government unless backdoors existed with NSA still anti-crypto. They all pushed for escrow option which private sector didn't care about either way and only academics in cryptography/security resisted.

Parallel ConstructionMay 6, 2016 4:26 AM

Bruce, since we are talking about "a backdoor in everyone's communications", this is relevant:


Turns out the FBI has been informing cops that to hide parallel construction arising from Stingray use, they are to basically 'recreate' (in reality, FABRICATE - 'evidence laundering') the means by which they acquired the data:

A recently disclosed document shows the FBI telling a local police department that the bureau’s covert cell-phone tracking equipment is so secret that any evidence acquired through its use needs to be recreated in some other way before being introduced at trial.


The official notice, dated September 2014, said such information “may not be used as primary evidence in any affidavits, hearings or trials. This equipment provides general location information about a cellular device, and your agency understands it is required to use additional and independent investigative means and methods, such as historical cellular analysis, that would be admissible at trial to corroborate information concerning the location of the target obtained through the use of this equipment.”


“This is the first time I have seen language this explicit in an FBI non-disclosure agreement,” Nate Wessler, a staff attorney with the American Civil Liberties Union’s Speech, Privacy, and Technology Project, wrote in an email to The Intercept. “The typical NDAs order local police to hide information from courts and defense attorneys, which is bad enough, but this goes the outrageous extra step of ordering police to actually engage in evidence laundering,”

“Instead of just hiding the surveillance, the FBI is mandating manufacture of a whole new chain of evidence to throw defense attorneys and judges off the scent. As a result, defendants are denied their right to challenge potentially unconstitutional surveillance and courts are deprived of an opportunity to curb law enforcement abuses,” Wessler continued.

Thus, another conspiracy theory has become conspiracy fact - authorities will make shit up on the fly to hide their unconstitutional methods to nail any criminals they like.

Don't forget the DEA specialist unit - the Special Operations Unit (SOD) - was also exposed to be doing the same back in 2014. Effectively they would use data picked up by dragnet surveillance by partners including the NSA, FBI, CIA etc, feed it through to the DEA and phony up the investigation to make it look like drug dealers were picked up by random stops, drug dog searches and other traditional methods.


A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.


The undated documents show that federal agents are trained to "recreate" the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant's Constitutional right to a fair trial. If defendants don't know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence - information that could reveal entrapment, mistakes or biased witnesses.


"Remember that the utilization of SOD cannot be revealed or discussed in any investigative function," a document presented to agents reads. The document specifically directs agents to omit the SOD's involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony. Agents are instructed to then use "normal investigative techniques to recreate the information provided by SOD."

Clive RobinsonMay 6, 2016 4:41 AM

@ Hugh No,

It was an attempt to design a secure phone for government use that wouldn't help bad guys who happened to get ahold of the devices.

Err no, that is at best a "spin" on what was going on. The secure phone that was,in GI at the time used DES and despite what the NSA tried to pretend DES was on it's last legs. Because the NSA had reduced the key space in the original DES design, and had further limited export crypto to 40bits equivalent even on DES (see IBM patent for how that worked).

The political preasure was not just from Bruce or one or two others, it was also from the government security sector as well, the NSA was backed into a corner and had to do something.

The story behind Capstone and skipjack is still clasified and will no doubt remain so untill long after we are dead. However various people have put together their own carefull assumptions about what was done.

The NSA has a charter that encorages schizophrenic behaviour in that it is responsible for both securing US Gov communications and breaking any and all foreign communications it can. When drawn up it was probably not realised that there would fairly quickly be no real difference between Government communications and civil communications. This has got worse due to the driver of various US political entities claiming to "shrink Government", and all that realy happens is government work just gets outsourced into the greedy maws of a favourd few. With this the need to communicate securely and what was once only government communications spreads further and further into the civilian sector, as the numbers on TS clearences and soaring government spending indicates.

The NSA had further been pushed towards the edge by the requirment of having to be consulted by NIST and the debacal that followed DES. Which several old NSA,hands have commented on in an almost public manner. Put simply you can see from the original DES entrants just what level civilian crypto was at, and life at the NSA must have appeard rosy. After the Data Encryption Standard was released by NIST civilian crypto took a very very large leap forward. An assumption made by NSA/NIST that quickly became clear was wrong was that DES was only going to be "hardware only". You can see in the DES design the deliberate use of primatives that are easy and fast under hardware but awkward and slow under software, to try and keep it that way. However various people (including myself) felt that the price and hassle of DES chips was a good enough reason to develop software versions of DES on the likes of the AMD Z80. I had developed an earlier design around 1983 using AMD PAL's and 2900 bitslices to get around the 40bit limits, but it was to expensive for the few customers that had a need. However with just a couple of changes it gave rise to a basic DES cracker, but was far to slow. This in turn gave rise to a paper design which showed that with a small by gov budget terms (~£8million), you could crack a DES key within three weeks max. All of which must have been well understood by the NSA that them lied through it's teeth for the next decade or two. Untill 98 when the EFF following a similar idea spent a quater of a million dollars and actually built a DES cracker for real and took around three days to brut force a DES key (look up "EFF Deep Crack" for the details).

The Capstone project came from what was fairly obviously an "interanal only" project that arose from the DES fiasco, as to the viability of getting things back under control.

This unknown project gave rise to the SkipJack algorithm. You can look up what others have to say about it, but one thing is clear is it was designed to be extreamly fragil in it's design in a multitude of ways. That is if you make even tiny apparently insignificant changes to the design it's strength falls from around eighty bits to under fourty bits a trick which both the British and US crypto community had done with machine ciphers prior to the NSA (look up Sigba and what went on with Crypto AG in Zug Switzerland and have a careful read of "Spycatcher").

Whilst SkipJack can be seen as the result of many man years of carefull design, other parts of Capstone appear on the face of it "ham fisted" specificaly the very weak LEAF which Mat Blaze found and publicised.

But was it ham fisted? That rather depends on your view point. If you consider the LEAF and the accompanying Key Escrow as a "backdoor" only then the answer is "yes". However if you look at that backdoor and the Key Escrow as a vulnerability "for them" but "not for us" it starts to make a lot more sense as a design choice. It's known that various parts of the US Gov run "covert / deniable" operations, the very public Olly North - Fawn Hall Iran-Contra affair is proof enough of that. The LEAF failing when viewed as a "backdoor in the backdoor" to alow deniable communications to LEO's and other Gov agencies makes a lot of sense and is inline with the ethos of the Skipjack design.

Unfortunatly it was the LEAF failing that was the real death nell in Capstone, when that became public at the time it did it brought into question the NSA's competence to be able to do what they were telling politicians. Their credability was gone and nobody wanted to have anything to do with Capstone, it had become "a career killer".

Unfortunately it has had repercussions we are still feeling today as the FUD over "the four horsemen of the Internet" and the Middle East has swung the pendulum the other way back in their favour. Thus the IC is "making hay while the sun shines" because they know full well the pendulum will swing back again.

But what the public does not appear to get a grip on is that pendulum is part of a "ratchet". That is when it swings against the IC the bad they have previously done, is not fully undone, thus they bide their time taking "three steps forward, for every two they are forced back". Untill people get that, the net will continue to close around society, and we only have to look back to the 1920s/30s to see where that leads. As is often noted, "Those that fail to study history, are forced to relive it". But we also have to remember technology is also a ratchet, and when used for bad, it makes the pendulum swing even further in that direction than it does for good, hence the famous observations of "The price of freedom is eternal vigilance" and "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants". The need for the latter is because the citizens do not practice the former, and alow not just the bad into power, but also the good to be cut down by the authoritarian followers of the bad.

JonMay 6, 2016 5:44 AM

I'm not sure the debate really matters. The point is the USA government (particularly the NSA) was making a big point of insisting only on crippled encryption that they could break, either by key escrow or by bad algorithms.


Pond RipplesMay 13, 2016 5:14 AM

The NSA and US gov have determined which companies succeeded at times, by controlling which technologies being developed into products would fail commercially. Lotus' encryption for documents was banned from export, while Microsoft's competing office product was allowed for export as it couldn't keep foreign business documents secure.

Voice encryption was also long kept out of public hands, enabling the US along with allied governments to continue to secretly tap citizen's telephone lines, or even bug their homes and offices, without the need for warrants in case of lawyer/client confidentially or other inconvenient areas of privacy protected by law such as private exchanges between husband and wife.

XkeyScore though has left such primitive technologies almost quite redundant when compared with it's flexible and scalable system. Expansion of it's capabilites is available at any time by leveraging the powerful plug-in support for any of the other current surveillance tools or data analysis platforms, plus any future technologies in development like quantumn computing. Getting to grips with just what types of data this application is capable of monitoring and analysing, how expansive it's reach and power, would be a wise idea.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.