Al Qaeda crypto reportedly fails the test
Steven M. Bellovin
smb at research.att.com
Mon Aug 9 19:10:36 EDT 2004
In message <41153C1F.9020808 at av8n.com>, John Denker writes:
>Here's a challenge directly relevant to this group: Can you
>design a comsec system so that pressure against a code clerk
>will not do unbounded damage? What about pressure against a
>comsec system designer?
>
That is, of course, one of the primary goals of perfect forward secrecy
-- to ensure that old messages are not readable when an endpoint is
compromised.
More generally, let me refer people to "Between Silk and Cyanide", the
best description I know of the intersection between cryptosecurity and
the real world. To oversimplify, the resistance agents in occupied
Europe were originally using a cipher whose key was derived from a
poem. The poems were guessable; beyond that, converting the poem into
the actual key was a time-consuming, error-prone process. The result
was a lot of garbled messages which had to be retransmitted. Apart
from the cryptographic significance, the retransmissions gave the
Gestapo's direction finders a better shot at finding the radio.
Leo Marks realized the problems. The poems were used so that the
agents didn't need to have written keying material -- we'll all agree
that that's a good idea. But it was misguided -- the Gestapo could,
would, and did torture the key from people. Beyond that, they tortured
the "duress signal" -- the variant to the message to show that it was
being sent under pressure -- and verified that the recorded traffic did
not contain that signal.
Instead, Marks issued so-called "worked-out keys" -- pieces of silk
with the actual encryption keys printed on them. After using a key, it
would be burned, thus achieving forward secrecy. The duress code went
with it, denying that check to the Gestapo, too. And it didn't matter
that much that the agent had the keying material -- silk could be sewn
into a coat lining or the like, or it would feel like a handkerchief,
which protected the possessor against a casual pat-down. If the
Gestapo really suspected you, you were probably dead, anyway; the extra
incriminating evidence was a minor problem. Besides, Marks' scheme
tremendously reduced the garbles, which reduced the need for dangerous
retransmissions, thus protecting the agents even more.
Marks was also one of the first to realize that the Germans had rolled
up a resistance ring in the Netherlands, and were sending messages that
purported to be from the agents. His clue? The messages were too
perfect; the Gestapo had plenty of time to get the encryption correct.
They weren't doing it furtively, under stress in poor conditions...
In other words, he understood the threat model. (I should point here
to Kerckhoffs' 6th principle: in effect, make the system easy to use
under the actual circumstances. In this case, it conflicts with his
3rd principle, which says not to use written keys. See
http://www.petitcolas.net/fabien/kerckhoffs/index.html for the actual
articles.)
--Steve Bellovin, http://www.research.att.com/~smb
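The worked-out-key mechanism the post describes, as an added illustration (not part of the original message): each party holds the same numbered sheet of one-time keys, a key is deleted the moment it is used, and a sheet seized afterwards opens none of the recorded traffic. The XOR one-time-pad combining step, the class and function names, and the sample messages are assumptions made for this example.

```python
import os

def xor(data: bytes, key: bytes) -> bytes:
    """One-time-pad combine: data XOR key. Each key is used exactly once."""
    if len(data) > len(key):
        raise ValueError("message longer than the worked-out key")
    return bytes(d ^ k for d, k in zip(data, key))

class SilkSheet:
    """One party's copy of a worked-out-key sheet: a numbered list of
    one-time keys. A key is deleted ('burned') as soon as it is used,
    so the sheet only ever holds keys for messages not yet sent."""
    def __init__(self, keys):
        self.keys = dict(enumerate(keys, start=1))   # serial -> key bytes
        self.next_serial = 1

    def use_next_key(self) -> tuple[int, bytes]:
        serial = self.next_serial
        key = self.keys.pop(serial)       # burn: no copy survives on the sheet
        self.next_serial += 1
        return serial, key

def send(sheet: SilkSheet, plaintext: bytes) -> tuple[int, bytes]:
    serial, key = sheet.use_next_key()
    return serial, xor(plaintext, key)     # serial tells the receiver which key

def receive(sheet: SilkSheet, serial: int, ciphertext: bytes) -> bytes:
    key = sheet.keys.pop(serial)           # the receiver burns its copy too
    return xor(ciphertext, key)

def readable_with_captured_sheet(captured: SilkSheet, traffic) -> list[int]:
    """Serials of recorded (serial, ciphertext) pairs that a seized sheet can
    still open. Keys for already-sent messages are gone, so the answer for
    past traffic is empty: that is the forward-secrecy property."""
    return [serial for serial, _ in traffic if serial in captured.keys]

def demo(n_keys: int = 5, msg_len: int = 16):
    # Constructed sample: both parties start with identical random sheets.
    keys = [os.urandom(msg_len) for _ in range(n_keys)]
    agent, home_station = SilkSheet(keys), SilkSheet(keys)
    traffic = []                           # what a listening post records
    for text in (b"ARRIVED SAFELY", b"DROP ZONE SET", b"NEED FUNDS"):
        serial, ct = send(agent, text)
        traffic.append((serial, ct))
        assert receive(home_station, serial, ct) == text
    # The agent's sheet is seized after three messages: none of the recorded
    # traffic is readable, only the two keys for messages never sent remain.
    return readable_with_captured_sheet(agent, traffic), sorted(agent.keys)

if __name__ == "__main__":
    print(demo())                          # ([], [4, 5])
```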