The obituary has, at long last, prompted me to write a brief review of 
Marks' book "Between Silk and Cyanide".  The capsule summary:  read it, 
and try to understand what he's really teaching about cryptography, 
amidst all the amusing anecdotes and over-the-top writing.

The main lesson is about threat models.  If asked, I dare say that most 
readers of this mailing list would say "of course keying material 
should be memorized if possible, and never written down".  That seems 
obvious, especially for agents in enemy territory.  After all, written 
keys are very incriminating.  It's obvious, and was obvious to the SOE 
before Marks.  It was also dead-wrong -- accent on the "dead".

The cipher that agents were taught was a complex transposition, keyed 
by a memorized phrase.  The scheme had several fatal flaws.  The first 
is the most obvious:  a guess at the phrase was easily tested, and if a 
part of the key was recovered, it wasn't hard to guess at the rest, if 
the phrase was from well-known source (and it generally was).  

More subtly, doing the encryption was an error-prone process, 
especially if done under field conditions without the aid of graph 
paper.  Per protocol, if London couldn't decrypt the message, the agent 
was told to re-encrypt and re-transmit.  But that meant more air time 
-- a serious matter, since the Gestapo used direction-finding vans to 
track down the transmitters.  Doing some simple "cryptanalysis" -- too 
strong a word -- on garbles permitted London to read virtually all of 
them -- but that was time-consuming, and really pointed to the 
underlying problem, of a too-complex cipher.

The duress code was another weak spot.  If an agent was being compelled 
to send some message, he or she was supposed to add some signal to the 
message.  But if the Gestapo ever arrested someone, they would torture 
*everything* out of that person -- the cipher key, the duress code, 
etc.  And they had a stack of old messages to check against -- they 
made sure that the duress code stated by the agent wasn't present in 
the messages.  The failure was not just the lack of perfect forward 
secrecy; it was the lack of perfect forward non-verifiability of the 
safe/duress indicators.

Marks' solution was counter-intuitive:  give the agent a sheet of 
"worked-out keys", printed on silk.  These were not one-time pad keys; 
rather, they were the numeric indicators for the transposition.  This 
avoided the guessable phrases; more importantly, it eliminated the most 
trouble-prone part of the encipherment, the conversion of the key 
phrase to a numeric version.  The authentication codes were a function 
of part of the key.  Agents were instructed to destroy each "WOK" after 
use; this provided not just forward secrecy, but also stop the 
Gestapo from verifying any statements about the duress code.  

Why silk?  Because it was easily concealed in coat linings and the 
like, and wouldn't be detected in a casual street-frisk.  Sure, if the 
Gestapo was really suspicious, they'd find it.  So what?  This is the 
*Gestapo*; if they were really suspicious, it didn't matter much if you 
weren't guilty, because you'd be in no shape to appreciate their failure 
to find anything.  We joke about rubber hose cryptanalysis; the SOE 
agents had to contend with the real thing.  And real agents had enough 
other incriminating stuff lying around that unused keys didn't matter.

There's more, but the basic lesson is clear:  understand the *real* 
threat model you face before you design any sort of security system.  
The SOE didn't, and that cost the life of many agents.

                --Steve Bellovin,

Reply via email to