On Distributed Communications Series

IX. Security, Secrecy, and Tamper-Free Considerations

IV. Implications for the Distributed Network System

As it will be necessary to pass through very many switching centers in the proposed distributed network, the limitations of link-by-link encryption are strongly felt. A system with several hundred nodes, depending solely upon link-by-link encryption, would probably be considered inadequate except perhaps for the transmission of semiclassified data--data that would probably be sent in the clear today. Further, end-to-end encryption alone is also unsatisfactory, as the heading on each message block would be in the clear.

Thus, the distributed network shall use both link-by-link and end-to-end encryption. Rather than adding boxes to each switching center, the cipher encoder and decoder circuits shall be designed as an integral part of the Switching Nodes and Multiplexing Stations.

Link-by-Link Cryptography in the Distributed Network

The link-by-link crypto used in the distributed network is described in detail in ODC-VII.[1] Identical pseudo-random flip-flop chains exist at adjacent Switching Nodes. A logical operation combines the key and the text; timing is established from a piezoelectric clock. Each sequential Message Block contains a "Crypto Serial Number" in the clear derived from the time base.

Timing is established by shifting the local timing so that incoming Message Blocks arrive synchronized to the "start of Message Block" point of the local counter. Then, the difference between the Crypto Serial Numbers is measured by a digital subtraction and the local timing rate is increased or decreased accordingly. The process is repeated until the link has been pulled into synchronization. Synchronization is automatic for link outages up to at least 12 hours duration.

It is anticipated that the key at each Switching Node will be changed on the order of once per week, or thereabouts. Storage for two alternatively assigned key phases is anticipated to eliminate the need for personnel to be at two or more Switching Nodes at the same time.

It should be emphasized that the link-by-link cryptography serves primarily to keep message headings secret from the eavesdropper.

During the periods in which no valid traffic is being transmitted, a "dummy" or filler stream of bits is sent, not only concealing traffic loading, but also for maintaining the timing synchronization. The dummy stream is created by an electronic noise generator tube feeding several stages of a pseudo-random counter.

The keys used for the link-by-link crypto are in the form of cards, statically read out.

While the crypto stream would be rather hard to "break," it will be seen that comparatively little damage will result should such an event occur.

End-to-End Cryptography in the Distributed Network

The end-to-end crypto built into the Multiplexing Station (see ODC-VIII) is more complicated than that used on the links between the Switching Nodes (and the links from the Multiplexing Station to the Switching Nodes). The added complexity is due to the fact that Multiplexing Station cryptography must permit any subscriber "to talk" to any other subscriber. As the number of potential subscribers is in the millions, the requirement for key storage can become overwhelming. Therefore, an alternative approach has been chosen of storing at each Multiplexing Station key bases only to other Multiplexing Stations. Since we anticipate a maximum of 1024 Multiplexing Stations, only this number of key bases need be stored at each Multiplexing Station. We will also assume that any pair of subscribers will desire connections to be kept open for periods ranging from a few seconds to a full day. Such connections, called "pseudo-circuits," are discussed in detail in ODC-VIII.

The first few Message Blocks in any "conversation" exchange housekeeping information necessary for rapid processing of subsequent Message Blocks. This interchange will require on the order of perhaps two seconds. Every time a new call is placed by a subscriber, the originating Multiplexing Station notes which Multiplexing Station is being called and increments its corresponding stored Serial Call Number for the called Multiplexing Station. This serial number is used by both Multiplexing Stations as a crypto start point for synchronization. Since each Multiplexing Station contains a powerful computing engine, and as one second is a long time in the life of a fast computer, sufficient time and capability exist for creating a new pseudo-random number for each new call with no apparent relationship to the key base used on previous calls. Thus, information concerning one call is of no use whatsoever in breaking subsequent calls. This is important in a system with widespread entry, and even allows civilian traffic to be combined with military traffic without weakening the secrecy protection offered.

Modification of the Derived Key Base

To this point, both Multiplexing Stations are synchronized and are using the same derived key bases. (Means are also included to handle errors and reset (advance only) the counters in the rare event of system malfunction. However, in no circumstance is the same derived key base ever used for more than a single conversation call.) After the setup interval, Message Blocks will arrive at a very high rate. It is necessary to create a key from the derived key base at a very rapid rate, leaving very little time for processing. As this is a routine continuous operation, a "stamping mill" processor, with a portion of the Multiplexing Station equipment working full time on this operation, is utilized. The Multiplexing Station uses a drum or similar recirculating register to store the key bases, the derived keys, and the Message Blocks. Figure 3 shows the cryptographic processing of a drum operating on incoming encrypted text. The processing scheme used depends primarily upon a very low Message Block error rate at the Multiplexing Stations. Unfiltered errors and lost Message Blocks are expected to be such rare events that we shall intentionally "knock down" a quasi-circuit if a single bad Message Block slips by the error-detection filters. (It should be understood that such a rigorous response to errors is infeasible in conventional transmission systems because of their relatively high error rates.)

Incoming encrypted text alternately fills one of the two assigned registers while the other register is simultaneously being read out and "logically-added" to the key base. The clear output text is then stored on one of two alternately assigned registers reserved for this purpose. Meanwhile, the clear text and the incoming text operate upon one another in a controlled manner to produce a new key base, based upon the previous key base used. This procedure may appear to be similar to the conventional "autokey"[2] procedure, but it should be noted that the next key is related to its previous one by a very complex and unknown mathematical operation. Even having the entire encrypted text and a sample of clear text will not facilitate ascertaining subsequent samples of clear text.

Thus, very high speed processing of Message Blocks with high cryptographic security for 1024 separate subscribers per Multiplexing Station does not appear particularly difficult to accomplish. All the equipment required for these operations is included in the parts breakdown in ODC-VIII.

It should be pointed out that the detailed implementation described may or may not be the precise method used. The present detailed description seeks only to point out that secure cryptographic processing at extremely high data rates appears technically possible. The actual choice, and detailed selection of the cryptographic operators, is left to the appropriate agency at the appropriate time.

Message Block Pre-Filtering Key

In order to prevent interruption of the sequence of Message Blocks arriving at the Multiplexing Station by false Message Blocks, means to detect and eliminate acceptance of "counterfeit" Message Blocks are included. Such false Message Blocks might conceivably be generated by a sophisticated enemy agent who has somehow managed to break the link-by-link crypto.

It will be recalled that the Message Block comprises 1024 bits, of which 128 are reserved for various housekeeping functions. Twenty of these housekeeping bit positions are set aside to act as a Pre-Filter Key.[3] Both the transmitting and receiving Multiplexing Stations generate these keys simultaneously. If, and only if, the incoming Pre-Filtering Key matches the next expected short Pre-Filtering Key, will the Message Block be accepted for further processing and the crypto key count be advanced. If any Message Block arrives that does not meet this test, it is transmitted to the human intercept position at the receiving Multiplexing Station for intervention checking.

Genealogy of the Keys

A hierarchical development is being employed to create a very long key from a relatively short key base and caution must be exercised. If too long a sequence is generated from a single key base, it might be possible to deduce other keys derived from the same base. Therefore, let us examine the sequence lengths required by this system to insure that they are very much shorter than would reveal the nature of the generator function.

If the active part of the crypto key base used per call is 866 bits, then the longest generated sequence can be as great as 2^866, or about 10^300.[6]

Generation and Distribution of Keys

A constant supply of key bases is required to keep the distributed network system operating. One possible plan is shown in Fig. 4, in which two major key preparation stations are depicted, one in the East and one in the West. Each such station contains a large general-purpose computer with about six tape units. Separately written, highly complex, random number generating programs are used by each key preparation site. Choice parameters which modify the random number generator are inserted by three individuals at each site working independently. Conventional one-inch magnetic computer tapes, recorded at high speed, are played back into a 1/4" tape duplicator for preparation of the 300-ft spools of 1/4" tape used in the Multiplexing Stations. The one-inch computer tape outputs are also used to drive an off-line card punch to prepare the shorter set of key bases used by the Switching Nodes. The output of each of the two sites' tapes and card duplicating facilities are stored in about twenty geographically distributed sites.

The Switching Node and Multiplexing Station keys are comprised of two parts, one coming from the distribution site prepared by the East unit, and the other part coming from the West unit via different distribution sites. Each member of a two-man team has mechanical key access to only his own part of the key base. Thus, the system is relatively secure from a single enemy agent having access to an entire key base for any unit.

In the next section it will be shown that even if an enemy were, somehow, able to gain access to the full key, he would still probably not be able to reconstruct traffic.

Protection Offered by Semi-Random Path Choice

In the distributed network, each Message Block usually travels by a path distinctly different than that taken by the previous Block. Path selection is determined on a Switching-Node-by-Switching-Node basis. Each Switching Node chooses the "best" path for each Message Block. If the "best" locally connected link is busy or inoperative, the next best link is used; the heavier the network loading, the more circuitous and varied are the paths taken.

It will be recalled that it is impossible to decrypt a stream of Message Blocks unless all preceding Message Blocks have been correctly received. An eavesdropper, even one equipped with both the link-by-link and the end-to-end keys, cannot decipher any "quasi-channel" or stream of Message Blocks unless he has correctly received all previous Message Blocks. Thus, unless the interceptor records all outgoing links from the Switching Node for a single Multiplexing Station and has all keys, he will not be able to decrypt the sequence of Message Blocks.
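The per-call key derivation, the chained key base, the Pre-Filter Key check and the missed-block argument above can be simulated together; the following is an added example, not part of the original memorandum. The paper leaves the cryptographic operators unspecified, so HMAC-SHA256, SHA-256 and SHAKE-256 are stand-ins, the names `Station`, `derive_call_key` and `simulate` are hypothetical, and all keys and messages are constructed sample values.

```python
import hashlib
import hmac

TEXT_BYTES = (1024 - 128) // 8   # Message Block text after 128 housekeeping bits
PREFILTER_BITS = 20

def derive_call_key(station_key_base: bytes, serial_call_number: int) -> bytes:
    """Per-call derived key base; HMAC-SHA256 is a stand-in operator."""
    msg = serial_call_number.to_bytes(8, "big")
    return hmac.new(station_key_base, msg, hashlib.sha256).digest()

def _prefilter(key_base: bytes) -> int:
    digest = hashlib.sha256(b"prefilter" + key_base).digest()
    return int.from_bytes(digest[:3], "big") >> (24 - PREFILTER_BITS)

def _xor_stream(key_base: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(b"stream" + key_base).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Station:
    """One end of a pseudo-circuit (hypothetical model, not the drum design)."""
    def __init__(self, call_key: bytes):
        self.key_base, self.count, self.intercept = call_key, 0, []

    def _advance(self, clear: bytes, cipher: bytes) -> None:
        # Next key base depends on the previous one plus clear and encrypted text.
        self.key_base = hashlib.sha256(self.key_base + clear + cipher).digest()
        self.count += 1

    def send(self, clear: bytes):
        cipher = _xor_stream(self.key_base, clear)
        block = (_prefilter(self.key_base), cipher)
        self._advance(clear, cipher)
        return block

    def receive(self, block):
        tag, cipher = block
        if tag != _prefilter(self.key_base):
            self.intercept.append(block)   # human intercept position; no key advance
            return None
        clear = _xor_stream(self.key_base, cipher)
        self._advance(clear, cipher)
        return clear

def simulate():
    key = derive_call_key(b"constructed station key base", 7)  # constructed values
    tx, rx, tap = Station(key), Station(key), Station(key)
    msgs = [bytes([i]) * TEXT_BYTES for i in range(4)]
    blocks = [tx.send(m) for m in msgs]
    forged = (blocks[0][0] ^ 1, blocks[0][1])   # counterfeit: wrong pre-filter key
    rejected = rx.receive(forged)
    received = [rx.receive(b) for b in blocks]
    # Eavesdropper holds the key but block 1 travelled over a link it did not record.
    tapped = [tap.receive(b) for i, b in enumerate(blocks) if i != 1]
    return rejected, rx.count, received == msgs, tapped, msgs
```

The eavesdropper model recovers only the block sent before the gap: once one Message Block is missed, its key base no longer tracks the sender's, so every later block fails the check.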

It will also be recalled that the links used in the system can have a rather poor unfiltered error rate--one error per 1000 Message Blocks.[7] The filtered error rate is extremely low--some five orders of magnitude or so better. This, however, is obtained only by the use of an automatic error detection facility and allowance being made for requests for repeat transmissions. An eavesdropper, even one equipped with all keys, cannot very well ask for repeat transmissions. Thus, he is at a decided disadvantage in deciphering the stream of Message Blocks, because his streams will contain errors.

Further, devices able to record 1.5 million bits per second with an adequately low error rate are on the fringe of 1963 state-of-the-art. Lastly, it will be remembered that all silence periods in voice transmissions greater than about 1/20 sec will be suppressed, making the determination of the sequence of Message Blocks extremely difficult and time consuming (see ODC-VIII).

[1] ODC is an abbreviation of the series title; the number following refers to the particular volume in the series.

[2] Shannon, Claude E., "Communications Theory of Secrecy Systems," Bell Systems Technical Journal, Vol. 28, No. 4, October 1949, p. 668.

[3] Twenty bits are sufficient to detect better than 1,048,575 out of 1,048,576 random fraudulent Message Blocks.

[4] However, the design is based on 1,000,000+.

[5] The highest normally expected data rate per subscriber is:

(19,600 bits/sec)(3600 sec/hr)(24 hr)
= 1.693 x 10^9 bits per key change
= 1.824 x 10^6 Message Blocks.

[6] For comparison, recall that there are only about 10^80 electrons in the universe.

[7] See ODC-VI for link error rate determination.
