Monday, September 27, 2010

Former Stasi Cryptologists work for NATO

R&S Elcrodat 4-2
Archives from the former East-German Ministerium für Staatssicherheit (MfS), better known as the Stasi, have already shown the excellent skills of their SIGINT (Signals Intelligence) department HA III. Little was known about what happened with all those most capable experts after the fall of the Berlin Wall and the collapse of the former German Democratic Republic...until now.

The German magazine Der Spiegel has now revealed that cryptologists from the former East-German central cipher bureau ZCO (Zentralen Chiffrierorgan) were secretly recruited by the German Federal Office for Information Security BSI (Bundesamt für Sicherheit in der Informationstechnik). They are now employed at Rohde & Schwarz SIT GmbH, a front company for the secret recruiting operation and a subsidiary of the renowned German communications and security firm Rohde & Schwarz.

The Stasi cryptologists had already proved very successful in both making and breaking codes during the Cold War era. They managed to break several encryption systems, including the secure communications of the West-German Foreign Intelligence Agency BND (Bundesnachrichtendienst). The last thing the German government wanted, after the dissolution of East-Germany in 1990, was the exodus of Stasi crypto expertise to other countries. The defection of these cryptologists and a compromise of Western encryption technology to rogue states would be a nightmare. It was decided to recruit them, whatever it takes.

Rohde & Schwarz SIT became both a surreptitious employment pool for former Stasi crypto experts and a most successful subsidiary of Rohde & Schwarz, from both a commercial and a security point of view. SIT took over Siemens' cryptology division and employs many of Germany's top mathematicians. They are specialised in Information and Communications Security, offer encryption for numerous analog and digital systems, and are currently an important supplier of high security crypto equipment for NATO.

Or how a former enemy of NATO (and partner of the Soviets) became a vital part of NATO's communications security. In the end, the secret operation prevented critical crypto expertise from walking away and provided experienced mathematicians for BSI's crypto bureau. A win-win situation.

Let's just hope that none of these Stasi cryptologists are still serving their old mentor, the former KGB 8th Main Directorate Communications and Cryptography (now absorbed by Russia's SIGINT agency FAPSI). I'm sure the German Federal Intelligence BfV (Bundesamt für Verfassungsschutz) has them all checked thoroughly. Nevertheless, recruiting old enemies is a hazardous undertaking (see Heinz Felfe), and far-sighted Russian Intelligence has a splendid record in long-term planning regarding former Soviet states (see Hermann Simm).

The full story, in English, can be read on the website of Der Spiegel. Do also visit Rohde & Schwarz Cyber Security (SIT). On the splendid SAS- und Chiffrierdienst website you will find more information about the East-German Zentralen Chiffrierorgan (ZCO), and plenty of info and images of Stasi encryption equipment (click its "Technik" link at the lower left). See also the blog posts Stasi SIGINT capabilities and Russia's FAPSI (former counterpart/sister agency of the former ZCO).

Sunday, September 12, 2010

Operation Ivy Bells

Both the United States and the former Soviet Union ran numerous aggressive Signals Intelligence (SIGINT) operations against each other during the Cold War era. A most spectacular one was operation Ivy Bells, a top secret joint operation between the US Navy, the Central Intelligence Agency (CIA) and the National Security Agency (NSA). Ivy Bells enabled the eavesdropping on high level communications of the Soviet Pacific Fleet.

Chatter Under the Sea

Communications cables were, and still are, an interesting target for intelligence agencies. The 1953 Berlin Tunnel operation is a well-known example of the tapping of a land cable. Especially in the pre-satellite era, undersea cables were the only method of high-volume communications between continents or islands. In the early 1970s, the US discovered the existence of such an undersea cable in the Sea of Okhotsk, in the north-east of the Soviet Union.

Sea of Okhotsk (east of Russia)
The cable connected the Soviet naval submarine base in Kamchatsky, north-east of the Kuril Islands, with Vladivostok Fleet headquarters in the south-west. Both bases played an important role in the Soviet Pacific Fleet communications.

Although a very attractive intelligence target, the Sea of Okhotsk was Soviet territorial waters, forbidden for foreign ships and heavily protected. The Soviets also carried out many surface and subsurface naval exercises in these waters. An attractive target, but a far from friendly environment. Despite the high risks to a SIGINT operation in that area, US intelligence could not pass up this opportunity and started a most complex top secret operation to tap into the Okhotsk cable.

USS Halibut in Hostile Waters

In October 1971, the nuclear submarine USS Halibut (SSGN-587) entered the Sea of Okhotsk in search of the cable. Saturation divers with special rebreather equipment eventually found the cable at a depth of 400 feet (120 m) and installed a 3 feet (1 m) long tapping device, which was wrapped around the cable to register the signals by induction. This avoided the need for piercing through the cable.

USS Halibut (source U.S. Navy)

The signals were recorded on tapes that were recovered on a regular basis. To its surprise, NSA discovered that the Soviets felt so confident about the security of the undersea cable that the majority of the communications were unencrypted. Needless to say that the gained intelligence was invaluable. Due to its success, Bell Laboratories was asked to develop a new tapping device that could capture more lines simultaneously from the cable and could record for several months.

The Soviets Caught on Tape

The new ingenious tap, which was installed the next year, measured 20 feet (6 m), weighed 6 tons and had a nuclear electrical power source. Each month, the USS Halibut divers retrieved the recording tapes and installed new ones. Back in the US, the tapes were analyzed by the NSA and processed for further use in the intelligence community. It proved to be a spectacular intelligence coup. The tapes provided a front seat view on Soviet naval operations.

The 20 feet 6 tons tapping device for the Soviet cable in the Sea of Okhotsk

Operation Ivy Bells' success led to further operations to install more advanced tapping devices onto other Soviet undersea cables across the world. Several other submarines were brought into the operation to install taps and retrieve recordings.

Betrayal from Within

The operation lasted for a decade, until surveillance satellites showed several Soviet war ships on top of the Okhotsk tap. A US submarine later discovered that the tapping device had disappeared. As it turned out in 1985, the top secret operation was betrayed in 1981 by Ronald Pelton, a former NSA employee. Nonetheless, US intelligence retrieved an enormous quantity of military information during the ten years of tapping the undersea cables, giving them an important advantage in the Cold War.

More about Operation Ivy Bells on Military.com, on Special Operations Com (Internet Archive) and on Everything2. On AboutSubs you'll find more on the heroic USS Halibut (SSGN-587) and there's a 1960 video on USS Halibut on New Zealand History. The closed-circuit rebreather equipment, used by the saturation divers during operation Ivy Bells, was still classified at the time. See detailed photos of their GE Mk 10 equipment. FAS published the interception capabilities 2000 report, which includes information on subsea cables and submarine cable interception.

The Berlin Tunnel story on this blog explains the daring Cold War American-British joint operation to tap into Soviet communications lines in the eastern part of Berlin.


Thursday, September 09, 2010

One-time encryption in Today's World

Miniature one-time pad
© Dirk Rijmenants
One-time pad encryption is a most basic encryption algorithm where a truly random key is applied on the same amount of data. This type of encryption, invented 93 years ago, is mathematically unbreakable.

There's no way to crack it with current or future computer power, simply because it is mathematically impossible. Although this sounds impressive, there are some drawbacks. The key must be truly random, must be as long as the actual data that should be encrypted, and you can use a particular key only once. The consequence is a cumbersome key distribution with associated security problems.

Before we go any further, I must point out here that we're going to talk about modern one-time encryption applications, not the pencil-and-paper spy craft as shown in the picture. Neither is this article about small one-time passwords or one-time keys which are only valid for a single encryption session with some algorithm under control of that key, and certainly not about the many snake-oil applications that pretend to be unbreakable because they claim to be using one-time encryption, while they actually are not. Remember: key as long as the data, truly random and used only once. There's no way around these three conditions without messing up the unbreakable part (although many wrongly claim to have a solution)!
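The three conditions in code, as an added example that is not from the original post: a key store that hands out each key byte once, refuses messages longer than the remaining key, and a helper showing what leaks when a key segment is used twice. All names (`OneTimePad`, `generate_key`, `reuse_leak`) are hypothetical, and the operating system's CSPRNG is assumed here as a stand-in for a truly random source.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(n: int) -> bytes:
    # Assumption: the OS CSPRNG stands in for the truly random source the text requires.
    return secrets.token_bytes(n)


class PadExhausted(Exception):
    """Raised when a message needs more key bytes than remain unused."""


class OneTimePad:
    """Sender-side key store that uses every key byte exactly once."""

    def __init__(self, key: bytes):
        self._key = bytearray(key)  # private copy; the receiver keeps its own
        self._next = 0              # index of the first unused key byte

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Return (offset, ciphertext); the offset tells the receiver where to start."""
        if len(plaintext) > len(self._key) - self._next:
            raise PadExhausted("key must be as long as the data")
        start, end = self._next, self._next + len(plaintext)
        ciphertext = xor_bytes(plaintext, bytes(self._key[start:end]))
        self._key[start:end] = bytes(end - start)  # destroy the used key bytes
        self._next = end
        return start, ciphertext


def decrypt(key: bytes, offset: int, ciphertext: bytes) -> bytes:
    """Receiver side: XOR with the same key segment from its own copy."""
    return xor_bytes(ciphertext, key[offset:offset + len(ciphertext)])


def reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper gets if one key segment encrypts two equal-length messages."""
    c1 = xor_bytes(p1, key[:len(p1)])
    c2 = xor_bytes(p2, key[:len(p2)])
    return xor_bytes(c1, c2)  # the key cancels out: this equals p1 XOR p2
```

With a reused segment the XOR of the two ciphertexts no longer depends on the key at all, so identical plaintext positions show up as zero bytes.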

So, cumbersome key distribution is where the mathematicians, or crypto-experts as you like, come into play. In 1973, they invented asymmetric encryption which solves the problem of key distribution. Symmetric encryption requires the same key for encryption and decryption, and all people involved need a copy of that same key. With asymmetric public key cryptography however, you have key pairs that consist of a public key for encryption which you can share openly with everybody, and a private key for decryption that you keep secret. This solves the problem of key exchange. Since the invention of asymmetric key encryption, many crypto experts are buzzing around that it is the holy grail. Well...not quite.

Their system has nothing to do with the message security, only with the - unproven - key exchange security. Unfortunately, asymmetric encryption is not suitable for the encryption of large amounts of data. Hence, we only use it to encrypt a random key. Next, the actual data is encrypted with a traditional symmetric encryption algorithm, under control of that key. Finally, we send the complete package, encrypted key and encrypted data, to the recipient. Key distribution problem solved! What actually happened is that they took traditional symmetric algorithms, of which they are not really sure whether they are secure (they are not, as they are deterministic), but hey, they found an easy/lazy way to exchange the keys for those traditional algorithms. Problem solved. Doooh!?

Bearing this in mind I just love David Boak's (NSA) magnificent quote: "the ‘approved’ systems have simply been shown to adequately resist whatever kinds of crypto-mathematical attacks we, with our finite resources and brains, have been able to think up. We are by no means certain that the [opponent] equivalent can do no better". This says a lot, if not all.

However secure their asymmetric encryption might be, it doesn't change the fact that the actual data is encrypted with a traditional symmetric encryption algorithm, and that's not a question of so-called insurmountable mathematical problems to crack asymmetric encryption, but a question of cryptanalysis of man-made algorithms, prone to weaknesses (not to mention mathematical shortcuts, back doors or bluntly faulty application). By the way, didn't Auguste Kerckhoffs and Claude Shannon teach us that not knowing how to break a system doesn't make it unbreakable, and that any system that reduces a large secret (the data) to a smaller secret (a key) is deterministic and will never be unbreakable?

What happened is that, by focusing on the practical advantages of asymmetric key encryption and welcoming its large scale application and commercialization, many mathematicians lost track of what really matters: message security. They say that one-time encryption is rendered superfluous in the era of asymmetric encryption. Just because it's less practical? By saying this, they actually prove themselves wrong, as the one has nothing to do with the other. They solved the key distribution problem and not the message security problem.

One time encryption, on the other hand, solves the message security perfectly (isn't that what we really need?) but has a nasty key distribution issue. It would have been nice if those whiz kids had solved that one! Well, maybe they did, but just don't tell us... but I doubt that. Cryptography is always a balance between effort (comfort), costs and security. You can favor one of those - a bit - to the prejudice of the others, for a particular situation, but you can't say that comfort is better than security, and should never nibble on security in favor of comfort, when security is important.

Modern crypto algorithms provide reasonable but practical security and privacy, essential to our economy and everyday life. Sure, it made our lives easier and how else could we do all those things like buying on the Internet, using credit cards on-line, and many other things. But let us be serious, the combination of traditional encryption algorithms and asymmetric key algorithms provides nothing more or less than 'reasonable' security, and it will never provide real security or long term security.

But what is worse, is that the general public has become blinded by today's easy encryption systems and their commercial success. They don't realize that real privacy and security comes with a price called "effort & discipline", not to be confused with, and unfortunately incompatible with "easy-to-use". This might not be essential to the average man in the street, but it does matter if we talk about a company's production secrets, trade secrets or political activism, to name a few.

Some experts argue that the distribution of large quantities of keys, inherent to one-time encryption, is impractical. However, today’s electronics are capable of generating large numbers of truly random keys, and current one-time encryption software can process large quantities of data at high speed. Current data storage technology such as USB sticks, DVDs, external hard disks or solid-state drives enables the physical transport of enormous quantities of truly random keys.

Actual sensitive communications are often limited to a small number of users. In such cases, one-on-one communications with the associated key distribution, possibly in configuration with a star topology to connect multiple users, is no longer really a practical problem, especially considering the security benefits (this quote will not be popular with cryptologists, but it is true).

By using a so-called sneakernet (transferring data on removable media by physically couriering it), you can reach a throughput (amount of data per unit time) of one-time key material that is greater than what a network can process on data that must be encrypted. In other words, it could take a few hours to get a terabyte of key material, stored on an external drive, by car to someone, but it will take days or even weeks to consume that amount of keys on a broadband network.

A terabyte sized key can easily encrypt your e-mail traffic for a year, including attachments (you just try to send or receive a terabyte of data, most Internet providers won’t even offer such amount of traffic). Therefore, if security is preferred above practical key distribution, and physical key exchange is possible beforehand, then one-time pad is the right choice. Some commercial firms offer such one-time encryption solutions, mostly to government and defense agencies, and for good reasons.

Conclusion: yes, public key algorithms are useful and have earned their place in the market of reasonably secure large scale communications, and yes, one time encryption will stay the preferred solution when unconditional security is required. Stop comparing apples and oranges, we need both! And for anyone who states that one-time encryption is history, I have one piece of advice: provide the actual mathematical proof that your asymmetric system and accompanying symmetric algorithm are safe, today and tomorrow (I can with one-time encryption). Bring it on, Bruce!

I wrote a paper called Is One-time Pad History, about one-time encryption and the illusions of modern computer cryptography. More about the history of one-time pad on my website. On Mils Electronic, a key technology company, there's more about one-time encryption (pdf) and secure message exchange (pdf).