[Cryptography] how to detect breakage -- lures etc.??

Arnold Reinhold agr at me.com
Mon Dec 30 15:51:56 EST 2019

On Sun, 29 Dec 2019 01:44 John Denker asked:

>  What is "best practice" for detecting breakage
>  of a supposedly-secure communication system? ...

What is your organization going to do if you do detect breakage? In “Between Silk and Cyanide,” Leo Marks describes teaching OSS radio operators to make certain mistakes in Morse code transmissions if the operator were compromised. After he noticed those mistakes being made by agents parachuted into Holland, his management refused to believe him and many more agents were sent to that country, only to be caught and eventually executed by the Germans. 

There are many other stories of warnings about possible failures of communications security being ignored, Allied convoy codes were broken by the Germans, despite warnings, until an intercepted Enigma message made reference to the breakage, providing incontrovertible proof. US communications were exploited by the North Vietnamese, yet commanders refused to believe that was possible until a complete North Vietnamese COMINT unit was captured (Boak Lectures. There are neat examples of captured NVA intelligence reports in the National Cryptologic Museum.)

If your organization has an active security team, they might find time to investigate and patch specific weaknesses, but if the failure is system wide, is senior management  prepared to make massive and expensive changes? 

More broadly, don’t we already have enough evidence that most computer-based products have exploitable weakness that are not publicly known and could be used for coordinated attacks by hostile nations or large terror groups? How many organization have backup plans for dealing with a situation where all their computer-based systems are crashed or rendered untrustworthy? 

Arnold Reinhold

P.S. Minor historical note: Since you brought up Enigma security, I’ve often wondered why the Germans didn’t give their Enigma operators better guidance on picking random indicators. The U.S. ECM-2 manual suggests using ordinary playing cards as a random character source. I recently found out, while visiting the U-505 exhibit at the Chicago Museum of Science, that the by-far most popular German card game was Skat, which is played with a 32 card deck. That may have made the use of playing cards a less obvious possibility than with the 52 = 2*26 card decks used by the Allies.

More information about the cryptography mailing list