[Cryptography] When your security is too secure

Steven M. Bellovin smb at cs.columbia.edu
Wed Nov 26 11:00:55 EST 2025


On 25 Nov 2025, at 0:53, Jon Callas wrote:

>
>> On Nov 24, 2025, at 07:29, Henry Baker <hbaker1 at pipeline.com> wrote:
>>
>> No wonder that the American nuclear launch code prior to 1977 was "00000000"; the US generals didn't trust the complex system that had been devised.
>>
>> https://en.wikipedia.org/wiki/Permissive_action_link
>
> That's a great point and gets smack to the idea that availability is all, but it's not exactly as you describe it. The words you're using, like "trust" don't really apply.
>
> The reason the launch code was zero was because availability is the sine qua non of the system. The whole point of this system is within this mad world of mutual-assured destruction.
>
There's a bit more to it than that. Many more details are at https://www.cs.columbia.edu/~smb/nsam-160/pal.html, but a lot of the resistance was political: senior generals didn't like or trust Kennedy, who was president when the decision to deploy permissive action links or use control switches was made. They regarded him as too young and inexperienced, and too politically liberal, and thought that his order was a reflection of his distrust in the US military. In fact, and as the historical record makes very clear, the original order was rooted in concerns about the host country for foreign-deployed weapons and concerns about bases with US nukes being overrun by Warsaw Pact forces (including Spetsnaz teams) before the nuclear weapons could be used or evacuated.

The decision to deploy coded switch use control systems on domestic missile systems was intended to provide technical control against possible misbehavior by US missile launch officers. This wasn't the senior officers—they had access to the code numbers—but the actual people charged with launching the missiles. The older technical mechanism for protection was the two-key requirement: two separate keys, several meters apart, had to be turned within a very few seconds of each other. But from what I've read, every launch control officer independently figured out how to bypass that: fasten a spoon to one key, attach a string to it, and then turn one key while pulling on the string.

Eventually, Bruce Blair blew the whistle to Congress and real code numbers were used.



        --Steve Bellovin, https://www.cs.columbia.edu/~smb