Al Qaeda crypto reportedly fails the test

Steven M. Bellovin smb at research.att.com
Mon Aug 9 19:10:36 EDT 2004 

In message <41153C1F.9020808 at av8n.com>, John Denker writes:

>Here's a challenge directly relevant to this group:  Can you
>design a comsec system so that pressure against a code clerk
>will not do unbounded damage?  What about pressure against a
>comsec system designer?
>

That is, of course, one of the primary goals of perfect forward secrecy 
-- to ensure that old messages are not readable when an endpoint is 
compromised. 

More generally, let me refer people to "Between Silk and Cyanide", the 
best description I know of the intersection between cryptosecurity and 
the real world.  To oversimplify, the resistance agents in occupied 
Europe were originally using a cipher whose key was derived from a 
poem.  THe poems were guessable; beyond that, converting the poem into
the actual key was a time-consuming, error-prone process.  The result 
was a lot of garbled messages which had to be retransmitted.  Apart 
from the cryptographic significance, the retransmissions gave the 
Gestapo's direction finders a better shot at finding the radio.

Leo Marks realized the problems.  The poems were used so that the 
agents didn't need to have written keying material -- we'll all agree 
that that's a good idea.  But it was misguided -- the Gestapo could, 
would, and did torture the key from people.  Beyond that, they tortured 
the "duress signal" -- the variant to the message to show that it was 
being sent under pressure -- and verified that the recorded traffic did 
not contain that signal.

Instead, Marks issued so-called "worked-out keys" -- pieces of silk 
with the actual encryption keys printed on them.  After using a key, it 
would be burned, thus achieving forward secrecy.  The duress code went 
with it, denying that check to the Gestapo, too.  And it didn't matter 
that much that the agent had the keying material -- silk could sewn 
into a coat lining or the like, or it would feel like a handkerchief, 
which protected the possessor against a casual pat-down.  If the 
Gestapo really suspected you, you were probably dead, anyway; the extra 
incriminating evidence was a minor problem.  Besides, Marks' scheme 
tremendously reduced the garbles, which reduced the need for dangerous 
retransmissions, thus protecting the agents even more.

Marks' was also one of the first to realize that the Germans had rolled 
up a resistance ring in the Netherlands, and were sending messages that 
purported to be from the agents.  His clue?  The messages were too 
perfect; the Gestapo had plenty of time to get the encryption correct.
They weren't doing it furtively, under stress in poor conditions...

In other words, he understood the threat model.  (I should point here 
to Kerckhoffs' 6th principle: in effect, make the system easy to use 
under the actual circumstances.  (In this case, it conflicts with his 
3rd principle, which says not to use written keys.  See 
http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual 
articles.)

		--Steve Bellovin, http://www.research.att.com/~smb


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list