At 9:58 PM -0500 1/30/2001, Steven M. Bellovin wrote:
>The obituary has, at long last, prompted me to write a brief review of
>Marks' book "Between Silk and Cyanide".  The capsule summary:  read it,
>and try to understand what he's really teaching about cryptography,
>amidst all the amusing anecdotes and over-the-top writing.

I generally agree with what you have to say, but I can't resist 
adding some comments. I liked the book a lot. My review is at 
http://world.std.com/~reinhold/silkandcyanide.html

>
>The main lesson is about threat models.  If asked, I dare say that most
>readers of this mailing list would say "of course keying material
>should be memorized if possible, and never written down".  That seems
>obvious, especially for agents in enemy territory.  After all, written
>keys are very incriminating.  It's obvious, and was obvious to the SOE
>before Marks.  It was also dead-wrong -- accent on the "dead".

I think it is also wrong advice for most civilian users of cryptography today.

>
>The cipher that agents were taught was a complex transposition, keyed
>by a memorized phrase.  The scheme had several fatal flaws.  The first
>is the most obvious:  a guess at the phrase was easily tested, and if a
>part of the key was recovered, it wasn't hard to guess at the rest, if
>the phrase was from a well-known source (and it generally was).

It was a tad worse than that. With long enough effort, a message 
could be broken by cryptanalytic techniques given no knowledge of 
the key. Each break would reveal a few letters of the agent's poem, 
enabling the Germans to guess the rest, if it was a famous poem, and 
thereby easily break all that agent's traffic. Marks' first response 
was to supply agents with his own poems, which were far less likely 
to be guessed.

>
>More subtly, doing the encryption was an error-prone process,
>especially if done under field conditions without the aid of graph
>paper.  Per protocol, if London couldn't decrypt the message, the agent
>was told to re-encrypt and re-transmit.  But that meant more air time
>-- a serious matter, since the Gestapo used direction-finding vans to
>track down the transmitters.  Doing some simple "cryptanalysis" -- too
>strong a word -- on garbles permitted London to read virtually all of
>them -- but that was time-consuming, and really pointed to the
>underlying problem, of a too-complex cipher.

I don't agree that cryptanalysis is too strong a word. It sounded 
like Marks developed some fairly sophisticated tools to speed up the 
process.  He had quite an operation going.

>
>The duress code was another weak spot.  If an agent was being compelled
>to send some message, he or she was supposed to add some signal to the
>message.  But if the Gestapo ever arrested someone, they would torture
>*everything* out of that person -- the cipher key, the duress code,
>etc.  And they had a stack of old messages to check against -- they
>made sure that the duress code stated by the agent wasn't present in
>the messages.  The failure was not just the lack of perfect forward
>secrecy; it was the lack of perfect forward non-verifiability of the
>safe/duress indicators.

The problem with the duress code (Marks calls them "agent security 
checks" -- these were patterned errors that were to be made in each 
message, but omitted after capture) was not that they were recovered 
under torture, though "worked out keys" would make that even less 
likely. Agents were taught that capture meant torture and death and 
they should reveal everything but their security checks.  By Marks' 
account, most captured agents bravely followed those instructions.

Philippe Ganier-Raymond gives the German side of the story in "The 
Tangled Web." The German commander was interested in getting the 
agents to cooperate and did not attempt torture at first.  The 
agents, knowing that their security checks, once sent, would alert 
London to their captured status, generally complied.

The horrifying problem was that SOE management routinely ignored the 
duress codes when they were asserted.  They did not want to believe 
their operation in Holland was so badly compromised and chalked up 
the omitted checks to poor training.  As a result dozens more agents 
and tons of supplies were parachuted into waiting German hands.

Another big lesson for us today is that if you use authentication 
techniques you had better take them seriously and have clear 
procedures in place for what to do when an invalid signature is 
detected.  It calls into question practices like the routine signing 
of plaintext e-mail that is often garbled enough by mail handlers to 
render the signature invalid.  All that does is get people used to 
accepting invalid signatures. Half-hearted security measures may stop 
lesser threats, but can actually increase an organization's 
vulnerability to the most dangerous attackers.

>Marks' solution was counter-intuitive:  give the agent a sheet of
>"worked-out keys", printed on silk.  These were not one-time pad keys;

He did introduce one-time pads later, after he figured out how to do 
them with letters.  Unlike the transposition ciphers, the minimum 
message size with an OTP was tiny, so operators did not have to stay 
on the air as long. As you point out, he was constantly tuning his 
methods to the threat.

By the way, what was the source of the obituary that started this thread?


Arnold Reinhold
