At 9:58 PM -0500 1/30/2001, Steven M. Bellovin wrote:
>The obituary has, at long last, prompted me to write a brief review of
>Marks' book "Between Silk and Cyanide".  The capsule summary:  read it,
>and try to understand what he's really teaching about cryptography,
>amidst all the amusing anecdotes and over-the-top writing.

I generally agree with what you have to say, but I can't resist 
adding some comments. I liked the book a lot. My review is at

>The main lesson is about threat models.  If asked, I dare say that most
>readers of this mailing list would say "of course keying material
>should be memorized if possible, and never written down".  That seems
>obvious, especially for agents in enemy territory.  After all, written
>keys are very incriminating.  It's obvious, and was obvious to the SOE
>before Marks.  It was also dead-wrong -- accent on the "dead".

I think it is also wrong advice for most civilian users of cryptography today.

>The cipher that agents were taught was a complex transposition, keyed
>by a memorized phrase.  The scheme had several fatal flaws.  The first
>is the most obvious:  a guess at the phrase was easily tested, and if a
>part of the key was recovered, it wasn't hard to guess at the rest, if
>the phrase was from well-known source (and it generally was).

It was a tad worse than that. With long enough effort, a message 
could be broken by cryptoanalytic techniques given no knowledge of 
the key. Each break would reveal a few letters of the Agents poem, 
enabling the Germans to guess the rest, if it was a famous poem, and 
thereby easily break all that agent's traffic. Marks' first response 
was to supply agents with his own poems, which were far less likely 
to be guessed.

>More subtly, doing the encryption was an error-prone process,
>especially if done under field conditions without the aid of graph
>paper.  Per protocol, if London couldn't decrypt the message, the agent
>was told to re-encrypt and re-transmit.  But that meant more air time
>-- a serious matter, since the Gestapo used direction-finding vans to
>track down the transmitters.  Doing some simple "cryptanalysis" -- too
>strong a word -- on garbles permitted London to read virtually all of
>them -- but that was time-consuming, and really pointed to the
>underlying problem, of a too-complex cipher.

I don't agree that cryptanalysis is too strong a word. It sounded 
like Marks developed some fairly sophisticated tools to speed up the 
process.  He had quite an operation going.

>The duress code was another weak spot.  If an agent was being compelled
>to send some message, he or she was supposed to add some signal to the
>message.  But if the Gestapo ever arrested someone, they would torture
>*everything* out of that person -- the cipher key, the duress code,
>etc.  And they had a stack of old messages to check against -- they
>made sure that the duress code stated by the agent wasn't present in
>the messages.  The failure was not just the lack of perfect forward
>secrecy; it was the lack of perfect forward non-verifiability of the
>safe/duress indicators.

The problem with the duress code (Marks calls them "agent security 
checks" -- these were patterned errors that were to be made in each 
message, but omitted after capture) was not that they were recovered 
under torture, tho "worked out keys" would make that even less 
likely. Agents were taught that capture meant torture and death and 
they should reveal everything but their security checks.  By Marks' 
account, most captured agents bravely followed  those instructions.

Philippe Ganier-Raymond gives the German side of the story in "The 
Tangled Web." The German commander was interested in getting the 
Agents to cooperate and did not attempt torture at first.  The 
agents, knowing that their security checks, once sent, would alert 
London to their captured status, generally complied.

The horrifying problem was that SOE management routinely ignored the 
duress codes when they were asserted.  They did not want to believe 
their operation in Holland was so badly compromised and chalked up 
the omitted checks to poor training.  As a result dozens more agents 
and tons of supplies were parachuted into waiting German hands.

Another big lesson for us today is that if you use authentication 
techniques you had better take them seriously and have clear 
procedures in place for what to do when an invalid signature is 
detected.  It calls into question practices like the routine signing 
of plaintext e-mail that is often garbled enough by mail handlers to 
render the signature invalid.  All that does is get people used to 
accepting invalid signatures. Half-hearted security measures may stop 
lesser threats, but can actually increase an organization's 
vulnerability to the most dangerous attackers.

>Marks' solution was counter-intuitive:  give the agent a sheet of
>"worked-out keys", printed on silk.  These were not one-time pad keys;

He did introduce one-time pads later, after he figured out how to do 
them with letters.  Unlike the transposition ciphers,  the minimum 
message size with an OTP was tiny, so operators did not have to stay 
on the air as long. As you point out, he was constantly tuning his 
methods to the threat.

By the way, what was the source of the obituary that started this thread?

Arnold Reinhold

Reply via email to