Steven M. Bellovin gave a fascinating talk yesterday on a subject he knows nothing about. Okay, I should rephrase that. Bellovin knows everything you can know about his subject without actually knowing anything, but he’s careful to point out that he doesn’t really know, or else he couldn’t have given the talk. This conundrum will be easier to understand if I mention the subject: Bellovin’s presentation was on the security arrangements for authorizing the use of U.S. nuclear weapons. He has pieced together his information entirely from open sources, without any access to classified documents. (But many of the open sources are open only because Bellovin and his colleague Matt Blaze have filed requests under the Freedom of Information Act to obtain them.)
The specific security device at issue here is known as a Permissive Action Link, or PAL. It is the mechanism that is supposed to stop a nuclear weapon from being armed or launched without the explicit orders of the National Command Authority (a phrase that covers the President, the Secretary of Defense and perhaps others). Early nuclear weapons had no such special interlocks. If you could get physical possession of a bomb or a warhead, and you knew how to trigger it, there was nothing but common sense to stop you from setting it off. It was only in 1962 that President Kennedy signed an order directing the military to develop and install PALs, and the task was not completed until sometime in the 1970s. Very little has been published about how the locks work.
Bellovin, whose field is computer security and networking (“and why the two don’t get along”), became interested in PALs because of a connection with a murky episode in the history of cryptography. The idea of public-key cryptography—which revolutionized the field and is now a very widely used technique—first became known to the world at large in 1976, when Whitfield Diffie and Martin Hellman published and patented a cryptographic protocol based on the mathematics of discrete logarithms. But there were always rumors that related methods had been invented earlier in the “black” community of classified research. In 1997, declassified documents revealed that a similar idea had been discovered before 1970 at the British Government Communications Headquarters—GCHQ, the descendant of Alan Turing’s famous cryptographic skunk works at Bletchley Park. In the U.S., according to Bellovin, Admiral Bobby Ray Inman, director of the National Security Agency in the 1970s, claimed that public-key methods were known there a decade before Diffie and Hellman published their work. And in 1993, Jim Frazer, a recently retired NSA official, mentioned that the basis for the NSA’s invention of public-key ciphers was a document titled National Security Action Memorandum 160, or NSAM-160. This was President Kennedy’s 1962 directive on PALs.
At the time, NSAM-160 was still classified, but Bellovin and Blaze initiated a declassification review and eventually received a copy, along with a supporting memorandum written by Jerome Weisner, Kennedy’s science advisor. A scanned version of the memo is available online at Bellovin’s web site.
Even with access to NSAM-160 and a number of other declassified documents, Bellovin has not reached any definite conclusions about the nature of the PAL or its cryptographic technology, but he has formed some hypotheses. First of all, he thinks it unlikely that public-key cryptosystems ever had a direct role in the PAL itself. The early models were mechanical or electromechanical combination locks. More-recent versions incorporate microprocessors, but there is still no obvious need for elaborate cryptographic protocols. The key that ultimately gets dialed into the device is a number of either 6 or 12 digits, much too small to be secure in a public-key system.
A more-plausible idea is that public-key methods were developed to distribute the PAL keys to far-flung military bases. (Diffie and Hellman originally presented their idea as a “key exchange” protocol.)
Another hypothesis is even more intriguing. Bellovin asks whether the rumored cryptographic innovation at NSA in the 1960s might have been the invention of digital signatures, which are distinct from public-key ciphers but closely related. A digital signature is designed not to hide the content of a message but rather to establish its provenance or authenticity. This is obviously a major concern in managing nuclear armaments. Those who have their finger on the trigger want to know that a launch order really does come from the National Command Authority. And in the aftermath of such a folly, the survivors (if any) might like to know who is to be held accountable.
Whatever the mechanism of the PAL, Bellovin says, he really hopes that it works.
(I heard Bellovin speak at the University of North Carolina at Chapel Hill. Slides from his earlier talks on the same theme—and even an MP3 recording—are listed among his publications, along with texts on Permissive Action Links and the Prehistory of Public Key Cryptography that cover much of the same material. Bellovin, who spent many years at Bell Labs, is now at Columbia University. Early in his career he was one of the three originators of the Usenet newsgroup system—which, years before blogging came along, was a medium of personal expression open to anyone with a net connection.)