R. A. Hettinga on Fri, 22 Nov 2002 19:14:38 +0100 (CET)


<nettime> David Kahn Speech at NSA 50th Anniversary

     [orig To: Digital Bearer Settlement List <dbs@philodox.com>, 
      dcsb@ai.mit.edu, cryptography@wasabisystems.com; by way of


Remarks of David Kahn

Commemorating the 50th Anniversary of the

National Security Agency

November 1, 2002

Who'd have thunk that I would ever be here, addressing an NSA audience?

Because when my book, The Codebreakers, was published in 1967, just 35
years and one month ago, it became the subject of a ban on the part of the
National Security Agency. A notice was circulated here at Fort Meade and
was sent to all NSA outposts worldwide. The book was never to be mentioned.
It was never to be acknowledged when the media - or anybody else -- asked
about it, as at cocktail parties. Its author was anathema at the NSA. He
revealed that America was breaking codes! Hated less only than Martin and
Mitchell. And now here he is, speaking at its 50th anniversary. I sometimes
feel as if I should hold up that notice the way Harry Truman, after he won
in 1948, triumphantly held up that Chicago Tribune with a banner headline
shouting: Dewey Beats Truman. Well, Kahn beat NSA.

How did it happen?

The times they have a-changed. The cold war ended. The chief enemy
evaporated. And the defense establishment had to find new ways of
maintaining its funding. The NSA, the CIA, the NRO had to come out of the
shadows. The NSA, smarter than the others, established a National
Cryptologic Museum. Putting on display what used to be some of the most
closely held secrets of the United States, it tells the public some of the
great things that cryptology has done for the nation - the lives it has
spared, the treasure it has saved. In this way it wins public support -
and, it hopes, public money. It hopes as well to excite young people into
becoming future Friedmans, future Canines, perhaps even future Heymans! And
part of that effort is to welcome the great unwashed, the great uncleared,
the tellers of tales good and bad, into the fold. And so I'm here.

In fact, that part of the effort may be working already. A few years ago
the museum held a book-signing for The Codebreakers. It was really
flattering. The line stretched out the door to the parking lot. But the
greatest thing was that four or five people on that line said to me, as
they handed me their books, "Dr. Kahn, you changed my life. I read your
book and I decided to go into cryptology." I think there must be very few
authors who get that kind of feedback, who have affected people's lives so
directly. So something very helpful for NSA and for America has come out of
something that NSA first saw as bad but, for reasons not of its own making
but that it eventually recognized, now sees as good and welcomes.

But I've been asked here today to talk about what I have called the
death of cryptanalysis. I got the idea from Herbert Yardley, America's
first official codebreaker. In his sensational, wonderful 1931 book, The
American Black Chamber, he describes, in a deliberately obfuscatory way,
the one-time tape cipher machine. Of it he says, "Sooner or later all
governments, all wireless companies, will adopt some such system. And when
they do, cryptography [he meant cryptanalysis] as a profession, will die."
I think there's some truth in that, but it's more nuanced, more complex
than the headline phrase "the death of cryptanalysis" says.

In a way, cryptanalysis has been dead for more than half a century now. I'm
not talking about the inventors who trumpeted their cipher systems as
"unbreakable." Almost everyone who has devised a system called it
indecipherable. You can read the claims in the books printed in England and
France during the Victorian and Edwardian years and in the National
Archives in College Park in the letters of people offering their ciphers to
the War and State Departments. But then, during World War I, there began an
era of cryptosystems that were indeed unbreakable with the technology of
the time. These were the rotor systems - notably the machines of the
Californian Edward H. Hebern, who may have had the idea when he was in jail
for horse thievery and whose ideas were basically stolen by the U.S.
Government and used - with the important improvement of irregularizing the
rotors - to make the SIGABAs of World War II, and the famed Enigma of
Germany's Arthur Scherbius. Cryptograms enciphered on these machines could
not be cryptanalyzed in those years by study of just the ciphertext, no
matter how many were available. In other words, any number of those
cryptograms could not be solved by pure analysis. Nor could they be solved
by exhaustive search - what might today be called brute force. The key
space exceeded the capabilities of the technology of the time. So solving
Enigma messages, for example, required cribs. The famed bombes worked on
the principle of matching a ciphertext with a suspected plaintext to see if
this would lead to a possible arrangement of rotors and plugboard
connections that would constitute a "legal" key. This would then unlock
other messages enciphered with that key. But this method required the help
of a plaintext, known or guessed. Pure cryptanalysis was already dead.

Of course, computers would have been able to solve those messages. But
computers hadn't been invented yet. And in that lies a lesson to which I
shall return.

So pure cryptanalysis was powerless against good cryptosystems as early as
World War II. And it is still powerless against good ones today. Many are
the cryptosystems offered by the hundreds of commercial vendors today that
cannot be broken by any known methods of cryptanalysis. Indeed, in such
systems even a chosen plaintext attack, in which a selected plaintext is
matched against its ciphertext, cannot yield the key that unlocks other
messages. In a sense, then, cryptanalysis is dead.

But that is not the end of the story. Cryptanalysis may be dead, but there
is - to mix my metaphors - more than one way to skin a cat. Indeed, there
may be more opportunities now than ever before to obtain information from
communications. And that is because there are more communications than ever
before. Just as the telegraph increased opportunities for interception over
couriers, and as the radio increased opportunities over the telegraph, so
email, the internet, and cell phones once again increase the opportunities
for interception.

People cry, optical cable! You can't intercept that! Well, yes and no.
Probably the cable itself can't be bugged. But: First of all, not all
communications can go by optical cable, any more than they could by wire.
Those nonoptical communications are interceptable. Secondly, since fiber
optic cables do not run for thousands of miles, repeaters are necessary.
These, and their electronics, are vulnerable to interception. Finally, a
back hoe operator can "accidentally" dig up a cable and a technician can be
bribed to insert some kind of transmitting bug. The point is that with
optical cable the problems are increased, but not necessarily insuperable.

Moreover, new methods of back-door codebreaking have come into play.
Computers can watch the power fluctuations in a computer chip and tell
when, in the DES for example, the 16 rounds are being executed. Moreover,
as each S box comes into play, the key itself can be read. This of course
requires access but that access can be very brief - only the same time as
needed in making a purchase transaction. The point is that it can be done
and does not need a spy to betray the key.

With real-time log-ins, the differences in the interspace delays - some
elements take longer than others - can enable an interceptor to capture the
key strokes and so obtain the log-in. This worked in the case of a mobster
named Scarfo. The FBI got the password, entered his computer, and obtained
the information that it needed.

The enormous number of computers, which is constantly growing, opens new
opportunities. First of all, the world buys American computers. Many of the
myriad pieces of hardware that go into them can be bugged - if they're not
already being bugged. Of course, the major powers don't need to buy
American computers. They can make their own. This leaves the smaller
nations as potential targets. It may seem as if they do not much matter,
but it must not be forgotten that in World War II one of the most
productive sources of information for both the Allies and the Axis was not
a great power but a neutral: Turkey. Secondly, software is becoming more
complex, and as it does the number of potential security breaches grows.
The number of errors in computer code is proportional to the square of the
size of the program. Many are potential security leaks. In one case, for
example, a command to print a file led to a security breach. The computer
code was so large and so complicated that the flaw was totally overlooked.
Thirdly, the security designer has to plug all the holes; the attacker has
to find only one. And many of the systems in which encryption is embedded
are not perfectly designed, or are, frankly, badly designed. All these
offer opportunities for communications intelligence. Finally, if hackers
and teenagers can design viruses that penetrate computers to cause trouble,
cryptanalysts can find ways as well of penetrating computers to extract
information and even of modifying the equipment itself.

The enormous volume of traffic increases the possibility of generating more
and better information from traffic analysis than ever before. This is of
course not as solid as the results of solution, but it can help.

All of these are in the realm of today's possibilities. But the future also
holds opportunities. In 1901, the great mathematician David Hilbert posed
23 problems that mathematicians had to solve. A century later, perhaps half
of them have been solved. Some mathematical problems - and cryptology is
all but totally mathematized today -- may be solved through an imaginative
mixture of information that already exists. One such case is Andrew Wiles's
solution of Fermat's last theorem. He assembled known mathematics to solve
a problem that had defied others for centuries. This can happen in
cryptology as well. An instance is the development of public key, or
asymmetric, cryptography. Though thousands of cryptologists, amateur and
professional, had been thinking about cryptography for years, that idea
never occurred to any of them. Then Whit Diffie and Marty Hellman had it.
More to the point, if you had said to me that it would be possible to have
a cipher system in which the deciphering key was not the inverse but
entirely different from the enciphering key, I would have said that it was
impossible. Yet it turned out to be not only possible, but practicable, and
then wildly successful. The point is that such ideas can come into being.
Many cryptosystems depend upon the difficulty of factoring, or upon the
discrete logarithm problem. Perhaps some day someone will find a fast way
to factor large numbers or to solve the discrete logarithm problem. This
might permit solution of many cryptosystems.

Another thought is that of quantum computing. This would make possible
parallel computing at unprecedented speeds and so fast factoring of large
numbers and thereby the solution of many cryptosystems. Just as the
computers of today would have been able to break the Enigma cryptograms of
yesterday, so future computers may be able to resolve the enciphered
messages of tomorrow.

These are not NSA ideas. NSA doesn't know or control everything, as shown
by public-key cryptography and the beating NSA took on key escrow and the
fact that U.S. Navy submarines use Microsoft Windows.

But though traditional cryptanalysis may be dead, and may have been mostly
a corpse for half a century, other opportunities, perhaps more
opportunities, lie ahead. And NSA is smart. It can learn. Hey, they brought
me here, didn't they?

R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
