[Cryptography] Imitation Game: Can Enigma/Tunney be Fixed?
ianG
iang at iang.org
Fri Jan 9 16:56:31 EST 2015
On 7/01/2015 20:23 pm, Ray Dillinger wrote:
> In reviewing the Third Reich's operational record with Enigma,
> it's hard to tell whether they lost the war because of sheer
> stupid arrogance (with the failures of training, overconfidence
> in equipment and procedures, and systematic underestimation of
> opponents that implies), or whether it just seems that way now
> because we have the record of the cryptanalytical progress against
> Enigma which depended so much on those mistakes.
A bit of both. History of WWII suggests that Hitler overrode and
controlled his war effort with more than the normal gusto. Sometimes he
got it right, often he got it wrong.
An example of the former to spectacular effect was the Battle of the
Bulge. By that point, Hitler distrusted the codes and decided to
distribute the orders by motorcycle riders. Result was complete
surprise, although there was low level intel suggesting something was
up, the Allied generals had seemingly gotten used to a diet of clear and
accurate suggestions from on high.
> Does every large-scale military organization make stupid mistakes
> subordinating security to petty officiousness, redundant procedure,
> personal ego, and just plain laziness?
Oh, absolutely. Think of it this way. In every routine battle, one
side will lose, and the search for reasons for failure will be on, for
that side at least. The other side will have as many reasons, but will
be able to sweep them under the carpet due to their "brilliant" victory.
> Is this level of
> operational failure something that people need to design for
> if building systems for military clients?
1883, Kherkhoffs' 6th principle:
"Finally, it is necessary, given the circumstances
that command its application, that the system be
easy to use, requiring neither mental strain nor
the knowledge of a long series of rules to observe."
He was writing about ordinary soldiers, from his experience with the
French Army.
As a segue to today, in an EFF talk at RWC2015, they were talking about
the EFF's CUP or Crypto Usability Prize. Apparently the cutoff point is
3 minutes. If you can't explain how to get in and up and running with
the privacy tool, you're out. I once measured raw users getting up and
going over chat with Skype, it took 3 minutes from start to talking.
Usability is the #1 factor in security.
> I suppose a review would require gathering data about how often
> warrant officers (those who have a warrant on account of expertise
> with some particular crucial field) are overruled by commissioned
> officers (those who are in the chain of command and have
> commissions on account of military training). Seriously, part
> of good military training ought to be a realistic assessment of
> how much to trust nonmilitary training.
Well, it isn't as simple as one class v. another. There are bad warrant
officers as well as bad commissioned officers.
> I mean, imagine a warrant officer cryptography clerk, saying to
> Herman Goering: "Sir, it degrades operational security to repeat
> this same greeting word-for-word with full honorifics etc, at the
> beginning of each message...." Odds of him getting overridden?
> Odds of him being too afraid to even speak up in the first place
> even though he knows it to be true? Odds of him getting punished
> for telling the truth?
Legend has it [0] that fighter ace Adolf Galland told Goering that he
could win the Battle of Britain with a squadron of Spitfires. Goering
was a flake, but Canaris was a wiley fox, and also more on-point for
this particular battle, and would have more likely listened to a noncom.
Having said that, it was early days, nobody had any clue what the
other side was up to, and belief in own side was paramount.
I was told yesterday that during WWII the Germans had some success
parking submarines over undersea cables from UK to US, and using
acoustics to pick up traffic!? Anyone got any references to that?
iang
[0] by which I mean, it's disputed if that actually happened.
More information about the cryptography
mailing list