[2004] in cryptography@c2.net mail archive


Re: secret history of the development of PK crypto

daemon@ATHENA.MIT.EDU (Phil Karn)
Wed Dec 24 18:00:04 1997

Date: Wed, 24 Dec 1997 14:22:39 -0800 (PST)
From: Phil Karn <karn@qualcomm.com>
To: bill.stewart@pobox.com, smb@research.att.com
CC: cryptography@c2.net, karn@qualcomm.com
In-reply-to: <3.0.3.32.19971223230817.007497a0@popd.ix.netcom.com> (message
	from Bill Stewart on Tue, 23 Dec 1997 23:08:17 -0800)

Bill Stewart wrote:

>Conventional encryption means that the key is present in the controller, 
>which opens up a risk that the cracker will disassemble it and 
>send either a correct or incorrect message to the bomb,
>causing it to explode or fizzle, both of which would be Bad.

You misunderstand. The key is *not* present in the bomb before
arming. It has only a plaintext copy of the (conventional) decryption
algorithm and an encrypted copy of the firing sequence. The "nuclear
release" order includes the key to the conventional encryption. The
bomb then decrypts the firing sequence and executes it at the
appropriate time. Without the key, whoever possesses the bomb would
have to guess the firing sequence.

Key-splitting techniques can be implemented in the obvious fashion,
e.g., by XORing two separate key inputs to produce the actual
decryption key. One might be kept by the local commander, the other by
the National Command Authority (i.e., the President and Secretary of
Defense). Make this part as complex as you want.

Steve Bellovin wrote:

>The most intriguing answer, though, may come from Weisner's memorandum
>in support of NSAM-160.  It says that "this equipment ... would
>certainly deter unauthorized use by military forces holding the weapons
>during periods of high tension or military combat".  In other words,
>non-repudiation -- a classic use for public key crypto -- was important;
>if a bomb is used, they (or their heirs, or civilization's heirs...)
>want to know who ordered it.  Pending declassification of the rest of

I'm not convinced. Simply order the commander to produce a copy of the
(conventional) decryption key after the bomb has been used. If only
the President and Secretary of Defense ordinarily have copies, then
the commander's ability to produce it means he got authorization to
use the weapon. Yes, in theory somebody could steal the President's
"football" and issue false orders -- but this could still happen even
if it contained private RSA keys for signing orders.

Challenging the local commander provides accountability even if the
PAL consisted of nothing more than a hot-wirable electrical
combination lock switch. Sure, the weapon could be fired without the
combination, but the commander still wouldn't be able to produce the
combination when challenged.  Perhaps *this* is what Weisner meant by
"deterring" (as opposed to "preventing") "unauthorized use".

This is not to say that public key crypto wouldn't enhance the system.
It would certainly make it easier to issue a limited release or a
series of releases of nuclear weapons, as opposed to issuing a single
command that starts Armageddon. But I see nothing in that memo that
necessarily implies they had public key crypto way back in 1962.

Phil
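The scheme Karn sketches above (the device holds only the cipher and an encrypted copy of the command; the decryption key arrives with the release order and is rebuilt by XORing two separately held shares) as an added Python illustration that is not part of the original thread. The SHA-256 keystream with an HMAC tag is a constructed stand-in for the unnamed conventional cipher, and it goes one step past the message by making a wrong key fail closed (tag mismatch) rather than yield garbage; the share names, the 32-byte key size and the placeholder command bytes are assumptions.

```python
"""Two-share key release for an encrypted command, as Karn's message describes.
Constructed illustration: the SHA-256 keystream plus HMAC tag stands in for a
real conventional cipher and is not a recommendation."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split key into two XOR shares; either share alone is uniform noise."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the decryption key from both shares (XOR undoes the split)."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (illustrative only)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || 32-byte HMAC-SHA256 tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    ct, tag = blob[:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    enc_key = hashlib.sha256(b"enc" + key).digest()
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, len(ct))))

# Constructed sample: before release the device holds only STORED_BLOB and the
# decrypt routine; the key exists only as the two shares held elsewhere.
COMMAND = b"command-placeholder"
MASTER_KEY = secrets.token_bytes(32)
STORED_BLOB = encrypt(MASTER_KEY, COMMAND)
COMMANDER_SHARE, NCA_SHARE = split_key(MASTER_KEY)

def release(stored_blob: bytes, commander_share: bytes, nca_share: bytes) -> Optional[bytes]:
    """What the device does when the release order delivers both shares."""
    return decrypt(combine_shares(commander_share, nca_share), stored_blob)
```

With both shares `release` returns the stored command; with either share missing or substituted the combined key is wrong and the tag check rejects it, which is the property that lets the commander's later ability to produce the key serve as evidence of authorization.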
