
Crypto '95: Robert Morris


Jim Gillogly

Sep 2, 1995, 3:00:00 AM
Bob Morris (recently retired from NSA) gave a fascinating invited lecture
entitled "Non-cryptographic Ways of Losing Information". I hope he writes
it up; until then, here are my notes from his presentation.

Two things he said which I found new and fascinating:

- During the early 1950's many major powers were discouraged by the
tendency of then-modern crypto machines to fail in a way that would send
plaintext instead of ciphertext, and they went to one time pads for most
of their high-level enciphered traffic. Because of key re-use, we were
regularly and routinely reading pieces of that traffic -- not just
VENONA, but many systems from various countries. Sometimes the people
who prepared OTP's would double their profit by selling them to more
than one customer.

- By the middle to late 1960's cryptanalysis became less cost effective
than obtaining the information by other means -- wiretaps and so on.

Morris emphasized and said we should write down these dicta:
-------------------------------------------------------------------------
Never underestimate the attention, risk, money and time that an opponent
will put into reading traffic.

Rule 1 of cryptanalysis: check for plaintext.
-------------------------------------------------------------------------

The real start of modern cryptology should be dated to the Enigma
machines, which typified the new character of the art. Much has been made
of the errors of the German cipher clerks, but egregious as they were, the
errors made by the British cryptographers were vastly worse, and the
American blunders were worse yet. German analysts regularly read and used
Atlantic convoy orders throughout the war -- they were transmitted in an
old code.

One must always assume that the enemy has a copy of the machine/algorithm.
A system that relies on keeping the algorithm secret is eventually doomed
to failure, because it will always be discovered by some means or other.

He sees microphones and antennas everywhere: the telephone line cord is
an antenna; if telephone linemen were working on a pole outside his house
he'd call the police and then find out what they were working on. In an
unspecified country he called Lower Slobbovia (Al Capp, isn't it?) American
troops used encrypted radiophones; when they broke they were taken to local
repair shops to be fixed. When they got home the US engineers were
interested to see the modifications that had been made. He mentioned a
few similar instances, including the lovely carved wooden seal given to
the US Embassy in Moscow to decorate their anteroom. [It's now on view at
the National Cryptologic Museum with the transmitter cavity visible.]
Cordless phones have a range of 5 miles or so. Use of cellular phones is
increasing dramatically, as well as fax and modems.

He discussed the Walker/Whitworth spying case, and said one of his design
criteria is to design systems with Walker in them: it's not good enough to
have a system where everyone must be trusted, but it must also be made
robust against insiders. This may include going to non-paper systems, so
that there are no paper keys that the Walkers of the world can shop to the
other side.

Threats and risks include: overconfidence, carelessness, eavesdropping and
tapping, theft of floppies and other materials, purchase, theft of key
material, burglary and blackmail. Much or most loss is due to insiders.

In the future there will be more radio used for ordinary communications.
Americans are unwilling to pay for secure telephones, but that's not the
case in Europe.

-------------------------------------------------------------------------
Reported by:
--
Jim Gillogly
12 Halimath S.R. 1995, 04:33
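
An added example, not part of the original post or of Morris's talk: the two failure modes in the notes above, pad reuse and a cipher unit that fails open and sends plaintext, with a sending-side guard for each. The names `PadLedger`, `transmit_guard` and `failed_unit` are hypothetical, and the pad and messages are constructed sample data.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

class PlaintextLeak(Exception):
    """Raised when output that should be ciphertext looks like plaintext."""

def transmit_guard(plaintext: bytes, output: bytes, threshold: float = 0.9) -> bytes:
    """'Check for plaintext' applied on the sending side: refuse to transmit
    if the cipher unit passed the input through or emitted readable text."""
    if output == plaintext or printable_ratio(output) >= threshold:
        raise PlaintextLeak("cipher output looks like plaintext; not sent")
    return output

class PadLedger:
    """Hands out each pad byte at most once, so two messages never share key."""
    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._pad):
            raise ValueError("pad exhausted; do not wrap around or reuse")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk

# Constructed sample data (not real traffic). The pad is derived from a hash
# only so the demo is reproducible; a real pad must be truly random.
PAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
MSG1 = b"CONVOY SAILS AT DAWN FROM HALIFAX"
MSG2 = b"WEATHER REPORT: FOG IN THE NORTH."

def reuse_leak():
    """Encrypt both messages with the SAME pad bytes; the pad cancels out."""
    c1, c2 = xor_bytes(MSG1, PAD), xor_bytes(MSG2, PAD)
    combined = xor_bytes(c1, c2)            # equals MSG1 xor MSG2, no key needed
    recovered = xor_bytes(combined, MSG1)   # anyone who knows MSG1 reads MSG2
    return combined, recovered

def no_reuse():
    """Same messages, but the ledger gives each its own pad bytes."""
    ledger = PadLedger(PAD)
    c1 = xor_bytes(MSG1, ledger.take(len(MSG1)))
    c2 = xor_bytes(MSG2, ledger.take(len(MSG2)))
    return xor_bytes(xor_bytes(c1, c2), MSG1)  # no longer yields MSG2

def failed_unit(plaintext: bytes) -> bytes:
    """Hypothetical cipher unit that has failed open and passes input through."""
    return plaintext
```
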

Mark W. Eichin

Sep 3, 1995, 3:00:00 AM

| criteria is to design systems with Walker in them: it's not good enough to
| have a system where everyone must be trusted, but it must also be made
| robust against insiders.

This reminds me of a slide I recently saw Whitfield Diffie use in a
cryptography talk (as an introduction to a course on network
security.) The slide looks roughly like:

              eavesdropper
                 |   |
   sender ------/     \------ receiver
                network

Diffie mentioned that after one talk using this slide, someone
suggested that it was unclear because it made it look like the
eavesdropper was a fundamental component of the network. After some
thought, he concluded that this was exactly the right impression to
give, and has presented the slide that way ever since.

_Mark_ <eic...@cygnus.com>
Cygnus Support
Cygnus Network Security <network-...@cygnus.com>
http://www.cygnus.com/data/cns/

David Sternlight

Sep 3, 1995, 3:00:00 AM
In article <42bb6d$o...@mycroft.rand.org>, j...@acm.org wrote:

>Bob Morris (recently retired from NSA) gave a fascinating invited lecture
>entitled "Non-cryptographic Ways of Losing Information". I hope he writes
>it up; until then, here are my notes from his presentation.

After the session, in an outside discussion, he told another interesting
story, about the discovery shortly after WWII that the Russians in Vienna
had their crypto terminals putting signals out not only as intended, but
also on the power line. So we set up a site next door to monitor. As a
cover it was disguised as a Lederhosen warehouse. It became flooded with
tourists, and made a nice profit on the sales. He didn't say whether it
made a "profit" via the power line as well or not.

I also asked him about the Berlin Wiretap Tunnel, and he said that it
wasn't true that the Sovs were tipped off by a spy, as someone claimed in
a post here, but rather, as reported in the press, that a repairman
stumbled on some wires that didn't belong, and followed them.

David

WHMurray

Sep 4, 1995, 3:00:00 AM
>>> Americans are unwilling to pay for secure telephones, but that's not the case in Europe.<<<

Robert Morris has been known to be disingenuous. I think that this is one
of those times. Americans are much more anxious to have secure telephones
than our government is anxious for them to have them.

When AT&T planned to bring secure telephones to market for 25 cents on the
NSA dollar, NSA arranged to have DoJ pay them $10M not to do it. Even the
AT&T price is artificially high. It is poetic justice that AT&T took the
money and brought even more secure phones to market.

Our government is, at the very best, ambivalent about secure
communications. Few understand this any better than Robert Morris.


Bill Stewart

Sep 5, 1995, 3:00:00 AM
In article <42gg6m$r...@newsbf02.news.aol.com>, whmu...@aol.com (WHMurray) says:
>
>>>> Americans are unwilling to pay for secure telephones, but that's not
>>>> the case in Europe.<<<
>Robert Morris has been known to be disingenuous. I think that this is one
>of those times. Americans are much more anxious to have secure telephones
>than our government is anxious for them to have them.

There are different kinds of costs. Non-interoperability is a big cost.
Delay getting products to market is a big cost. Having the government
spend years interfering with your attempts to market products, and losing
the sales you might make by having your phones (and the plans for them that
let you build them offshore) is a very big cost.

>When AT&T planned to bring secure telephones to market for 25 cents on the
>NSA dollar, NSA arranged to have DoJ pay them $10M not to do it. Even the
>AT&T price is artificially high. It is poetic justice that AT&T took the
>money and brought even more secure phones to market.

Only to the extent that most AT&T hardware products are overpriced :-)
Seriously, though, the folks who designed the product did their design work,
amortized their design costs over the estimated volumes their marketing folks
thought they could sell, added the amount of profit they needed to make,
and let their management put the price somewhere between that and whatever
they thought the market would let them get away with.

Bill Stewart

Sep 5, 1995, 3:00:00 AM
In article <padgett.84...@goat.orl.mmc.com>, pad...@goat.orl.mmc.com (Padgett 0sirius) says:

>Not sure exactly where this started but GSM/A5 is even *easier* for a
>government to tap than Clipper since *all* communications are in clear
>through the switch (telco acts as a man-in-the-middle).

That's an inherent problem with earth-based cellphones - for normal calls between
cellphones and non-digital non-cellphones, the switch needs to decrypt and decompress
the call so the vanilla-phone user can understand it. It would be possible to design
the switch and encryption system so that cellphone-to-cellphone calls on the
same switch (rare) or (more difficultly) between switches went unencrypted,
but it would take work and probably not save much money or switch resources.

On the other hand, the big security loss for governments is that they can't
just tap phone calls out of the air (illegal in some countries, but who cares),
and chasing calls between cell sites is a lot of work unless the switches are
set up to make that easy (which they can be without too much effort,
at some risk to internal security). Also, tapping calls at the switch
requires the cooperation of the phone company (though with government-owned
phone companies in most of Europe, that may not require details like warrants.)

Padgett 0sirius

Sep 5, 1995, 3:00:00 AM

>>>> Americans are unwilling to pay for secure telephones, but that's not
>the case in Europe.<<<

Not sure exactly where this started but GSM/A5 is even *easier* for a
government to tap than Clipper since *all* communications are in clear
through the switch (telco acts as a man-in-the-middle).

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
Totally Obsessed with TransOceanics
My other car is a Pontiac too
We also walk dogs
PGP 2.7 Public Key Available

Jackie McElroy

Sep 6, 1995, 3:00:00 AM
David Sternlight <da...@sternlight.com> wrote while talking
about Bob Morris of NSA:

>
> I also asked him about the Berlin Wiretap Tunnel, and he
> said that it wasn't true that the Sovs were tipped off by
> a spy, as someone claimed in a post here, but rather, as
> reported in the press, that a repairman stumbled on some
> wires that didn't belong, and followed them.

While I would certainly never presume to question the authority of
your source (I have the utmost respect for Mr. Morris, his technical
expertise, and the agency from which he retired), I do seem to recall
hearing/reading/being told/or otherwise learning of a meeting that
took place around Christmas time in 1953 during which William Harvey
of the CIA met with his British counterparts in London to discuss
planning for the Berlin tunnel. It was my understanding that George
Blake kept the official minutes of that meeting in which all the
details of the operation were discussed.

George Blake, of course, has been recruited as a Soviet asset while
as POW in Korea. If a copy of the minutes of that December meeting
didn't make it to Moscow, certainly we can expect that a summary
of it was reported along from Blake. I don't know that anyone knows
definitively, but it would seem likely that the Russians knew of
the operation.

As I further understand it, the technical reason for the West's
being able to obtain plaintext from encrypted circuits was not
disclosed to the British, hence Blake was not in a position to
compromise that method.

I'm not saying the tunnel was a failure. Certainly from an I & W
perspective, it was not. The communications system of Eastern
Europe being what it was, the Soviet army probably couldn't
have made a move anywhere in Europe without alerting the Western
allies.

OTH, from the Soviet perspective, they may well have reasoned
that it was worth protecting their asset to allow the tunnel to
operate for a while before closing it down. After all, if its
chief benefit was early warning, nothing was lost. After all,
*they* knew they weren't going to attack.

Perhaps the operation might have provided some early warning
of the Soviet move into Hungary in 1956 to crush that country's
rebellion, but by then, of course, the tunnel was no longer
in operation.

I'm not disputing you or your source but since the accurate version
of the tunnel's compromise (assuming for the moment that it was
compromised by Blake) was a counterintelligence matter, is it not
possible that Mr. Morris was never fully informed of the details
of the operation's discovery by the East Germans?

Not a flame; just asking.

-jackie

Jackie McElroy
Venice Florida USA
j_mc...@delphi.com

David Sternlight

Sep 6, 1995, 3:00:00 AM
In article <42ijph$8...@ixnews6.ix.netcom.com>, stew...@ix.netcom.com
(Bill Stewart) wrote:

>In article <42gg6m$r...@newsbf02.news.aol.com>, whmu...@aol.com (WHMurray) says:
>>

>>>>> Americans are unwilling to pay for secure telephones, but that's not
>>>>> the case in Europe.<<<

>>Robert Morris has been known to be disingenuous. I think that this is one
>>of those times. Americans are much more anxious to have secure telephones
>>than our government is anxious for them to have them.
>
>There are different kinds of costs. Non-interoperability is a big cost.
>Delay getting products to market is a big cost. Having the government
>spend years interfering with your attempts to market products, and losing
>the sales you might make by having your phones (and the plans for them that
>let you build them offshore) is a very big cost.

I disagree. There is no right to make and sell products forbidden by law.
If you can't get an export license there is no right to make and export
such products. Therefore the use of "cost" is inaccurate unless you are
talking about crooks who consider crime a "business". "Lost profits
because the proposed products are unlicensable for export" would be more
accurate.

Whether they should be thus illegal or not is a separate topic.

Might as well argue that all that lost business one could have gotten by
peddling cocaine from supermarket shelves is a "cost".

There's a hidden assumption here that's endemic to the "rights" crowd who
think the world owes them a living. That is that if something is illegal,
then the lost profits are somehow the government's fault. The assumption
is that one is somehow "entitled" to those profits of illegal activity and
the government is getting in the way. That modality is an element of what
psychologists have called the "criminal mind".

I repeat: whether they should be thus illegal or not is a separate topic,
and the path to addressing that is clearly provided within the law.

>
>>When AT&T planned to bring secure telephones to market for 25 cents on the
>>NSA dollar, NSA arranged to have DoJ pay them $10M not to do it. Even the
>>AT&T price is artificially high. It is poetic justice that AT&T took the
>>money and brought even more secure phones to market.
>
>Only to the extent that most AT&T hardware products are overpriced :-)
>Seriously, though, the folks who designed the product did their design work,
>amortized their design costs over the estimated volumes their marketing folks
>thought they could sell, added the amount of profit they needed to make,
>and let their management put the price somewhere between that and whatever
>they thought the market would let them get away with.

Exactly. The proper economic analysis for AT&T would reflect the markets
they were legally entitled to sell into. They might also do a conditional
analysis of how much more they might make if they could get ITAR repealed
or get an exemption/export license, but that would not be a "cost" but a
conditional analysis.

David

Padgett 0sirius

Sep 6, 1995, 3:00:00 AM
In article <david-05099...@192.0.2.1> da...@sternlight.com (David Sternlight) writes:
>I disagree. There is no right to make and sell products forbidden by law.
>If you can't get an export license there is no right to make and export
>such products.

I agree. The only limits on the sovereign in the USofA are those set forth
in the Constitution as amended. Foreign commerce (in fact any foreign
relations) is clearly within the responsibility of the fed *and must be*.

ITAR may be an inappropriate regulation. It may even be a stupid one. But it
is clearly a legal one that should be enforced.

Now before all of you start jumping on me about the last sentence, leave us
think on this: any law/regulation/whatever that is not enforced weakens
*all* laws. To me, the most idiotic statement I have ever heard from any law
enforcement officer is "selective enforcement". IMNSHO we have wound up with
many bad laws simply because they are not enforced and so are never changed.

To my way of thinking, any law that cannot be enforced should be
automatically repealed. Any law that the citizenry finds intolerable if
enforced should be repealed but that is another issue.

The current and proposed laws on cryptography that I have seen are
essentially unenforceable or only "selectively enforceable". I am not sure
which is worse. Good crypto is available to anyone who wants it. Crypto
that is not determinable (that word was carefully chosen) or provable to be
crypto is a bit more difficult but achievable.

Radar detectors are a similar case. Most are easily visible to an officer
because they are mounted on the windshield. They do not have to be. Radar
detectors are essentially passive devices and do not need to radiate (that
many do is again non-essential). Laws governing their use are generally
somewhat vague and convoluted because of this.

Again IMNSHO, Congress could possibly make a law that "all electronic
communications shall be in a form understandable by the average citizen".
Would possibly stand a constitutional test (though not a religious one).
-might even be enforceable. However financial institutions, cable TV
services, WWW maintainers, and cell phone providers would all line up
solidly against it. (Am not a lawyer. Have been advised to always include
this statement somewhere. 8*(

But we come back to the original premise: such a law could not be enforced
since it is possible through prior arrangement that "Mary had a little lamb"
could be interpreted as a commentary on creative obstetrics and
genetic manipulation rather than advocation of animal husbandry as a leisure
occupation.

Crypto is language. It is a way of communicating that can carry thoughts.
That it is difficult to understand by the uninitiated is not and cannot be
the responsibility of the sender or we would have to outlaw Navajo and
EBCDIC. English is *much* more difficult than PGP. OTPs and book codes must
be very confusing to ITAR (or are they exempt because they are one byte
codes, just a different one for each letter ?). Unwitting OTP provider codes
can be more difficult to break than any cipher yet fully automatic. Haven't
seen those (except from Tom Clancy), yet. Nothing difficult about it, just
take the HBO1 feed beginning with the first sync pulse after 10:06:21.15 am
EST and grab x Mb of data for today's OTP (leaving out synchs & predictable
stuff). Given cesium clocks or Secur-ID cards, this is not difficult.

Problem with politicians in general and some of the laws we have is more one
of "You can lead a horticulture..."

WHMurray

Sep 8, 1995, 3:00:00 AM
In article <42ikb4$8...@ixnews6.ix.netcom.com>, stew...@ix.netcom.com
(Bill Stewart) writes:

>On the other hand, the big security loss for governments is that they can't
>just tap phone calls out of the air.....

You got it, but in the US that would be a huge loss. Here, it is legal to
listen in on almost anything that goes over the airways; you may be
forbidden to act on it, but you may listen. Law enforcement is not
forbidden to act on what they hear. While they cannot use it as evidence,
if they attribute it to "a confidential informant," then they can use it
to get a warrant.

>>>(illegal in some countries, but who cares),<<<

>and chasing calls between cell sites is a lot of work unless the switches are
>set up to make that easy (which they can be without too much effort,
>at some risk to internal security).

In the US it is a matter of law that they must satisfy the attorney
general or she can shut them down.

> Also, tapping calls at the switch
>requires the cooperation of the phone company (though with government-owned
>phone companies in most of Europe, that may not require details like
>warrants.)

Again, here it is a matter of law that the AG can force cooperation. In
theory she must have a warrant. In practice she has so many other ways to
make life difficult for them that they will bend over backwards to be
agreeable.

m...@austin.ibm.com

Sep 11, 1995, 3:00:00 AM
WHMurray (whmu...@aol.com) wrote:
: In article <42ikb4$8...@ixnews6.ix.netcom.com>, stew...@ix.netcom.com
: (Bill Stewart) writes:

: >On the other hand, the big security loss for governments is that they can't
: >just tap phone calls out of the air.....

: You got it, but in the US that would be a huge loss. Here, it is legal to
: listen in on almost anything that goes over the airways; you may be
: forbidden to act on it, but you may listen. Law enforcement is not
: forbidden to act on what they hear. While they cannot use it as evidence,
: if they attribute it to "a confidential informant," then they can use it
: to get a warrant.

Not quite true. The Electronic Communications Act of 1986 made it
illegal to listen to cellular frequencies, and subsequent amendments have
made it illegal to listen to cordless phone frequencies. In addition,
it (the ECA) made it illegal to sell or import for sale scanners capable
of receiving cellular frequencies or scanners which could be easily
modified to receive said frequencies.

Mike


--
------------------------------------------------------------------------------
Michael H. Moran | Standard Disclaimer: The content of
m...@austin.ibm.com | this posting is independent of
Commercial Performance | official IBM position.
IBM Corporation, Austin, Texas |
