[1997] in cryptography@c2.net mail archive

Re: secret history of the development of PK crypto

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Dec 24 12:12:26 1997

Date: Tue, 23 Dec 1997 23:08:17 -0800
To: Phil Karn <karn@qualcomm.com>, smb@research.att.com
From: Bill Stewart <bill.stewart@pobox.com>
Cc: cryptography@c2.net, mab@crypto.com
In-Reply-To: <199712240447.UAA29040@servo.qualcomm.com>

At 08:47 PM 12/23/1997 -0800, Phil Karn wrote:
>Some time later I read about "permissive action links" (PALs). Based
>on my understanding of how nuclear weapons operate, I began to think
>about ways such things might be designed with cryptography as a
>component.
>Precise timing -- that's the key to my idea for a highly effective
>PAL.  First, design the weapon to make the firing sequence as
>inherently complex and critical as possible. 
>...
>I'm not sure how public key cryptography is especially helpful here,
>as conventional encryption would work just fine.

Suppose the bomb controller code is in ROM, readable by a cracker
who steals the bomb.  [Most of the US warheads were tactical, 
i.e. easy to transport to Germany, rather than ICBM-based,
so capture or theft from an army in the field is quite possible.]

Conventional encryption means that the key is present in the controller, 
which opens up a risk that the cracker will disassemble it and 
send either a correct or incorrect message to the bomb,
causing it to explode or fizzle, both of which would be Bad.

If you use public-key signatures on the message, the controller
can decide to reject the entire message, blocking both attacks,
without leaving enough information in the controller for a cracker,
as well as encrypting the timing information (e.g. make sure only
the Command Authorities and a set of one or more bombs have the public 
key, so it's effectively a secret key also.)  

You could accomplish the same thing more easily by using a 
one-way hash function on a field inside the encrypted message;
if the calculated hash doesn't match the stored value, then reject.
	[Non-technical aside:  But that wouldn't be as cool,
	and you couldn't say "Our bombs are protected by PGP,
	developed by anti-nuclear activist Phil Zimmermann"]

Public keys may also provide ways to add multiple signatures
to bombs, though hash signatures can also do that.
Both methods are also convenient for changing keys in the bomb.

In addition to worrying about the information stored in the bomb,
there's the transmission path to worry about.  
Public key may be harder to crack than DES+hash variants,
and it's probably easier to keep track of for multiple groups of bombs.

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
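
Added example, not part of Bill Stewart's message: a sketch of the stored-key argument above, comparing a controller that keeps a shared HMAC key with one that keeps only verification hashes. The signature scheme is a Lamport one-time signature built from SHA-256, swapped in here because it needs only a one-way hash; the function names and command strings are constructed for illustration.

```python
import hashlib, hmac, secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    """Signer keeps sk; the controller stores only pk (hashes of sk)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> list:
    # Reveal one preimage per digest bit. A key pair must sign only ONE message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(msg)):
        ok &= hmac.compare_digest(H(sig[i]), pk[i][bit])
    return ok

def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def compare_designs():
    msg = b"constructed command: set-interval 42"       # constructed sample
    altered = b"constructed command: set-interval 43"   # constructed sample
    # Design 1: shared key in ROM. Whoever reads the ROM can tag any message.
    rom_key = secrets.token_bytes(32)
    forged = mac_tag(rom_key, altered)                   # made from ROM contents
    mac_accepts_forgery = hmac.compare_digest(forged, mac_tag(rom_key, altered))
    # Design 2: ROM holds only pk, which verifies but cannot sign.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    genuine_ok = lamport_verify(pk, msg, sig)
    altered_ok = lamport_verify(pk, altered, sig)        # old signature, new message
    rom_guess = [pk[i][bit] for i, bit in enumerate(digest_bits(altered))]
    rom_only_ok = lamport_verify(pk, altered, rom_guess) # ROM contents as "signature"
    return mac_accepts_forgery, genuine_ok, altered_ok, rom_only_ok

if __name__ == "__main__":
    print(compare_designs())
```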
