Remarks of David Kahn

Commemorating the 50th Anniversary of the

National Security Agency

November 1, 2002

Who'd have thunk that I would ever be here, addressing an NSA audience?

Because when my book, The Codebreakers, was published in 1967, just 35 years and one month ago, it became the subject of a ban on the part of the National Security Agency. A notice was circulated here at Fort Meade and was sent to all NSA outposts worldwide. The book was never to be mentioned. It was never to be acknowledged when the media - or anybody else -- asked about it, as at cocktail parties. Its author was anathema at the NSA. He revealed that America was breaking codes! Hated less only than Martin and Mitchell. And now here he is, speaking at its 50th anniversary. I sometimes feel as if I should hold up that notice the way Harry Truman, after he won in 1948, triumphantly held up that Chicago Tribune with a banner headline shouting: Dewey Beats Truman. Well, Kahn beat NSA.

How did it happen?

The times they have a-changed. The cold war ended. The chief enemy evaporated. And the defense establishment had to find new ways of maintaining its funding. The NSA, the CIA, the NRO had to come out of the shadows. The NSA, smarter than the others, established a National Cryptologic Museum. Putting on display what used to be some of the most closely held secrets of the United States, it tells the public some of the great things that cryptology has done for the nation - the lives it has spared, the treasure it has saved. In this way it wins public support - and, it hopes, public money. It hopes as well to excite young people into becoming future Friedmans, future Canines, perhaps even future Heymans! And part of that effort is to welcome the great unwashed, the great uncleared, the tellers of tales good and bad, into the fold. And so I'm here.

In fact, that part of the effort may be working already. A few years ago the museum held a book-signing for The Codebreakers. It was really flattering. The line stretched out the door to the parking lot. But the greatest thing was that four or five people on that line said to me, as they handed me their books, "Dr. Kahn, you changed my life. I read your book and I decided to go into cryptology." I think there must be very few authors who get that kind of feedback, who have affected people's lives so directly. So something very helpful for NSA and for America has come out of something that NSA first saw as bad but, for reasons not of its own making but that it eventually recognized, now sees as good and welcomes.

But I've been asked here today to talk today about what I have called the death of cryptanalysis. I got the idea from Herbert Yardley, America's first official codebreaker. In his sensational, wonderful 1931 book, The American Black Chamber, he describes, in a deliberately obfuscatory way, the one-time tape cipher machine. Of it he says, "Sooner or later all governments, all wireless companies, will adopt some such system. And when they do, cryptography [he meant cryptanalysis] as a profession, will die." I think there's some truth in that, but it's more nuanced, more complex than the headline phrase "the death of cryptanalysis" says.

In a way, cryptanalysis has been dead for more than half a century now. I'm not talking about the inventors who trumpeted their cipher systems as "unbreakable." Almost everyone who has devised a system called it indecipherable. You can read the claims in the books printed in England and France during the Victorian and Edwardian years and in the National Archives in College Park in the letters of people offering their ciphers to the War and State Departments. But then, during World War I, there began an era of cryptosystems that were indeed unbreakable with the technology of the time. These were the rotor systems - notably the machines of the Californian Edward H. Hebern, who may have had the idea when he was in jail for horse thievery and whose ideas were basically stolen by the U.S. Government and used - with the important improvement of irregularizing the rotors - to make the SIGABAs of World War II, and the famed Enigma of Germany's Arthur Scherbius. Cryptograms enciphered on these machines could not be cryptanalyzed in those years by study of just the ciphertext, no matter how many were available. In other words, any number of those cryptograms could not be solved by pure analysis. Nor could they be solved by exhaustive search - what might today be called brute force. The key space exceeded the capabilities of the technology of the time. So solving Enigma messages, for example, required cribs. The famed bombes worked on the principle of matching a ciphertext with a suspected plaintext to see if this would lead to a possible arrangement of rotors and plugboard connections that would constitute a "legal" key. This would then unlock other messages enciphered with that key. But this method required the help of a plaintext, known or guessed. Pure cryptanalysis was already dead.

Of course, computers would have been able to solve those messages. But computers hadn't been invented yet. And in that lies a lesson to which I shall return.

So pure cryptanalysis was powerless against good cryptosystems as early as World War II. And it is still powerless against good ones today. Many are the cryptosystems offered by the hundreds of commercial vendors today that cannot be broken by any known methods of cryptanalysis. Indeed, in such systems even a chosen plaintext attack, in which a selected plaintext is matched against its ciphertext, cannot yield the key that unlock other messages. In a sense, then, cryptanalysis is dead.

But that is not the end of the story. Cryptanalysis may be dead, but there is - to mix my metaphors - more than one way to skin a cat. Indeed, there may be more opportunities now than ever before to obtain information from communications. And that is because there are more communications than ever before. Just as the telegraph increased opportunities for interception over couriers, and as the radio increased opportunities over the telegraph, so email, the internet, and cell phones once again increase the opportunities for interception.

People cry, optical cable! You can't intercept that! Well, yes and no. Probably the cable itself can't be bugged. But: First of all, not all communications can go by optical cable, any more than they could by wire. Those nonoptical communications are interceptable. Secondly, since fiber optic cables do not run for thousands of miles, repeaters are necessary. These, and their electronics, are vulnerable to interception. Finally, a back hoe operator can "accidentally" dig up a cable and a technician can be bribed to insert some kind of transmitting bug. The point is that with optical cable the problems are increased, but not necessarily insuperable.

Moreover, new methods of back-door codebreaking have come into play. Computers can watch the power fluctuations in a computer chip and tell when, in the DES for example, the 16 rounds are being executed. Moreover, as each S box comes into play, the key itself can be read. This of course requires access but that access can be very brief - only the same time as needed in making a purchase transaction. The point is that it can be done and does not need a spy to betray the key.

With real-time log-ins, the differences in the interspace delays - some elements take longer than others - can enable an interceptor to capture the key strokes and so obtain the log-in. This worked in the case of a mobster named Scarfo. The FBI got the password, entered his computer, and obtained the information that it needed.

The enormous number of computers, which is constantly growing, opens new opportunities. First of all, the world buys American computers. Many of the myriad pieces of hardware that go into them can be bugged - if they're not already being bugged. Of course, the major powers don't need to buy American computers. They can make their own. This leaves the smaller nations as potential targets. It may seem as if they do not much matter, but it must not be forgotten that in World War II one of the most productive sources of information for both the Allies and the Axis was not a great power but a neutral: Turkey. Secondly, software is becoming more complex, and as it does the number of potential security breaches grows. The number of errors in computer code is proportional to the square of the size of the program. Many are potential security leaks. In one case, for example, a command to print a file led to a security breach. The computer code was so large and so complicated that the flaw was totally overlooked. Thirdly, the security designer has to plug all the holes; the attacker has to find only one. And many of the systems in which encryption is embedded are not perfectly designed, or are, frankly, badly designed. All these offer opportunities for communications intelligence. Finally, if hackers and teenagers can design virus that penetrate computers to cause trouble, cryptanalysts can find ways as well of penetrating computer to extract information and even of modifying the equipment itself.

The enormous volume of traffic increases the possibility of generating more and better information from traffic analysis than ever before. This is of course not as solid as the results of solution, but it can help.

All of these are in the realm of today's possibilities. But the future also holds opportunities. In 1901, the great mathematician David Hilbert posed 23 problems that mathematicians had to solve. A century later, perhaps half of them have been solved. Some mathematical problems - and cryptology is all but totally mathematized today -- may be solved through an imaginative mixture of information that already exists. One such case is Andrew Wiles's solution of Fermat's last theorem. He assembled known mathematics to solve a problem that had defied others for centuries. This can happen in cryptology as well. An instance is the development of public key, or asymmetric, cryptography. Though thousands of cryptologists, amateur and professional, had been thinking about cryptography for years, that idea never occurred to any of them. Then Whit Diffie and Marty Hellman had it. More to the point, if you had said to me that it would be possible to have a cipher system in which the deciphering key was not the inverse but entirely different from the enciphering key, I would have said that it was impossible. Yet it turned out to be not only possible, but practicable, and then wildly successful. The point is that such ideas can come into being. Many cryptosystems depend upon the difficulty of factoring, or upon the discrete logarithm problem. Perhaps some day someone will find a fast way to factor large numbers or to solve the discrete logarithm problem. This might permit solution of many cryptosystems.

Another thought is that of quantum computing. This would make possible parallel computing at unprecedented speeds and so fast factoring of large numbers and thereby the solution of many cryptosystems. Just as the computers of today would hve been able to break the Enigma cryptograms of yesterday, so future computers may be able to resolve the enciphered messages of tomorrow.

These are not NSA ideas. NSA doesn't know or control everything, as shown by public-key cryptography and the beating NSA took on key escrow and the fact that U.S. Navy submarines use Microsoft windows.

But though traditional cryptanalysis may be dead, and may have been mostly a corpse for half a century, other opportunities, perhaps more opportunities, lie ahead. And NSA is smart. It can learn. Hey, they brought me here, didn't they?