[Cryptography] When your security is too secure

Jon Callas jon at callas.org
Tue Nov 25 00:53:35 EST 2025



> On Nov 24, 2025, at 07:29, Henry Baker <hbaker1 at pipeline.com> wrote:
> 
> No wonder that the American nuclear launch code prior to 1977 was "00000000"; the US generals didn't trust the complex system that had been devised.
> 
> https://en.wikipedia.org/wiki/Permissive_action_link

That's a great point and gets smack to the idea that availability is all, but it's not exactly as you describe it. The words you're using, like "trust", don't really apply.

The reason the launch code was zero was because availability is the sine qua non of the system. The whole point of this system is within this mad world of mutual-assured destruction.

The deterrent to someone blowing you up is that you can blow them up in retaliation. Obviously, you don't want to have a rogue launch approver launching on their own; that's why you have dual controls. However, when the decision has been made to launch, you don't want something like a PIN code stopping or even slowing down the launch. You don't want to have someone make a transposition error in the panic of the moment. Wait, wait, is it 112358, or 112385? No, dummy, it's just 12345.

The operational considerations include nervousness in the heat of the moment, and this ends up resembling a related bad idea, that of duress codes. Duress codes have the issue that when someone is genuinely under duress, that's the time they're most likely to make an error, particularly since they have neither rehearsed nor practiced that code.

Imagine a contrived example of a robber taking someone to an ATM and saying, "withdraw it all or I shoot you." One problem is that you have to type the duress code correctly; otherwise, it's just another PIN error. And if the robber knows you typed the duress code, they might just shoot you -- which is not the same as, but similar to, the missiles coming in before launch.

The nuclear launch code was 000000 because when the decision to launch comes in, you don't want a glitch. You don't want an equivalent to, "nuh, uh, you didn't say Simon Says launch the missiles."

Yes, yes, you are right that complexity is the issue here. The situation is that you don't want to launch until there's been an actual decision, but when that decision is made, there must be zero impediments to executing the decision. (Let us also note that part of the complexity of the situation is that the launch officers must also be skeptical of the incoming order, and that gets into whatever the heck Integrity is.)

	Jon