[2006] in cryptography@c2.net mail archive
Re: secret history of the development of PK crypto
daemon@ATHENA.MIT.EDU (Steve Bellovin)
Thu Dec 25 02:28:52 1997
To: Phil Karn <karn@qualcomm.com>
cc: bill.stewart@pobox.com, cryptography@c2.net
Date: Wed, 24 Dec 1997 18:41:34 -0500
From: Steve Bellovin <smb@research.att.com>
>>The most intriguing answer, though, may come from Weisner's memorandum
>>in support of NSAM-160. It says that "this equipment ... would
>>certainly deter unauthorized use by military forces holding the weapons
>>during periods of high tension or military combat". In other words,
>>non-repudiation -- a classic use for public key crypto -- was important;
>>if a bomb is used, they (or their heirs, or civilization's heirs...)
>>want to know who ordered it. Pending declassification of the rest of
>
>I'm not convinced. Simply order the commander to produce a copy of the
>(conventional) decryption key after the bomb has been used. If only
>the President and Secretary of Defense ordinarily have copies, then
>the commander's ability to produce it means he got authorization to
>use the weapon. Yes, in theory somebody could steal the President's
>"football" and issue false orders -- but this could still happen even
>if it contained private RSA keys for signing orders.
>
>Challenging the local commander provides accountability even if the
>PAL consisted of nothing more than a hot-wirable electrical
>combination lock switch. Sure, the weapon could be fired without the
>combination, but the commander still wouldn't be able to produce the
>combination when challenged. Perhaps *this* is what Weisner meant by
>"deterring" (as opposed to "preventing") "unauthorized use".
>
>This is not to say that public key crypto wouldn't enhance the system.
>It would certainly make it easier to issue a limited release or a
>series of releases of nuclear weapons, as opposed to issuing a single
>command that starts Armageddon. But I see nothing in that memo that
>necessarily implies they had public key crypto way back in 1962.

No one ever said they had public key crypto in 1962; even if they had
they had the math, trying to fit the necessary discrete logic into a
tactical nuke back then would have been a challenge. A few years later
is another matter, though. The issue is whether or not NSAM 160 *led
to* the development of public key cryptography. More precisely, the
question is how -- we've already been told by two people who Knew that
it did.

My own guess is that the same thing happened at NSA that we see all too
often in the civilian sector, and even on this very mailing list. The
whole question was handed to them, since coded communications were
clearly one way to arm some of the weapons. A bright person took a
look at the entire set of requirements -- including accountability --
and produced a very elegant answer -- public key cryptography. In
reality, though, an ordinary trail of accountability might work equally
well; there may not be a real need for a technical solution.

And maybe there was a strong real need for accountability. In the
context of the times, there was some tension between the military and
the civilian leadership of control of nuclear weapons. In the early
1950's, the AEC had physical custody of them; Curtis LeMay, commander
of SAC (Strategic Air Command), fought against this and eventually got
hold of them. (Bear in mind that LeMay was an advocate of preventive
war -- and since he couldn't get his way on that, he did his best to
provoke the USSR into attacking.) In 1957, a civil and continental
defense committee appointed by Eisenhower visited SAC; LeMay
basically ignored it until directly ordered to co-operate. Since
Weisner was a member of that committee, he may have had a different
perspective... (Reference for the paragraph: Richard Rhodes' "Dark
Sun".)

But I think you're misunderstanding the scenario. During times of
tension, the keys would be distributed to successively lower echelons
of command. U.S. strategic doctrine has long assumed that a war would
only start after a period of increasing tension, and not as a BOOB
(bolt out of the blue); there would be ample time to distribute keys as
needed. Weisner makes this very point, in fact. If fighting were to
occur, the necessary officers would most likely have the keys -- but
not the authorization to use them. A digital signature-based scheme
would provide post-war auditing. (I'm assuming, of course, that anyone
who knew what exponentiation was survived the war -- the mine shaft gap
was large enough that only politicians and the like would have been in
them, and they might not even have remembered that the pass phrase to
unlock the remaining nukes was "purity of essence".)

If we want to pursue the generic problem further (you, too, can design
a nuclear warhead command and control system in your spare time -- be
the envy of third world nations!), we can consider the complexity of
selective unlock orders (arm the ICBMs intended to produce EMP,
distribute the pin-down arm codes to the next-lower command echelon,
but withhold the city busters for now), replay protection, etc. Also
bear in mind that Simmons was an expert on various shared control
schemes, at least one of which (Gifford, CACM April 1982) uses public
key technology.