On Distributed Communications Series
IX. Security, Secrecy, and Tamper-Free Considerations
V. A "Devil's" Advocate" Examination
The secrecy provisions for the distributed network system are not being described in full and complete detail in this Memorandum. For example, some preliminary thinking about methods of extending the zone of full secrecy to individual subscribers remote from the Multiplexing Station has been omitted. One reason for such omissions is the fact that the basics of the problem are still being examined.
A key rationale for writing this Memorandum has been to fulfill the need for a working paper which would impart to the reader a feeling for the detailed secrecy measures necessary in the proposed system and to aid in a subsequent "devil's advocate" examination of the system as a whole. The proposed network must successfully operate in a hostile environment, and therefore the system design should be made always keeping in mind potential system weaknesses. We are concerned lest a clever and determined enemy find in it an Achilles heel. As an acid test, we elicit and encourage a response from the reader who will "don the hat of an enemy agent" and try to discover weak spots in the proposed implementation. Such an enemy is assumed to have a limited number of highly competent cohorts plus all the equipment he can transport. Further, it is assumed that the fundamental human inadequacies of our, or any security clearance system will permit infiltration by some at least minimal number of enemy agents who will gain a complete and detailed understanding of the workings of the system.
Inasmuch as few people have ready access to the crypto keys and since the keys are changed on a short-time basis, it can be assumed that the subversive agent will generally not have access to more than a portion of the key--unless he resorts to force in obtaining the key, thereby tipping his hat.
As more and more about the limitations of the proposed implementation is learned, we plan to add more and more safeguards to complicate the task of the enemy agent, until a point is reached where we can safely say, "It is now unreasonably difficult for an enemy, or a friend, to interfere with the operation of this network."
The rationale for a limitation on the number of cooperating agents in the pay of an enemy lies in the high probability that any locally recruited agent will be, in fact, a double agent. Hence, the number of agents who know of any proposed operation must be limited for fear of revealing the attack plan.