Bruce Schneier is one of life's cool people and the author of Applied Cryptography, the book that introduced me to serious crypto. It took me almost a week to work through it, but I was hooked.
Bruce also does a newsletter on crypto and security more generally. The current issue of the Crypto-Gram has an intriguing item on the mystery of Chalabi and the Iraninan codes. Recall that the US is suppposed to have learned somehow that Chalabi told the Iranians we'd broken their code, possibly because the Iranians themselves mentioned this (disinfo??) in a communication they may have known the US could read:
So now the NSA's secret is out. The Iranians have undoubtedly changed their encryption machines, and the NSA has lost its source of Iranian secrets. But little else is known. Who told Chalabi? Only a few people would know this important U.S. secret, and the snitch is certainly guilty of treason. Maybe Chalabi never knew, and never told the Iranians. Maybe the Iranians figured it out some other way, and they are pretending that Chalabi told them in order to protect some other intelligence source of theirs.
If the Iranians knew that the U.S. knew, why didn't they pretend not to know and feed the U.S. false information? Or maybe they've been doing that for years, and the U.S. finally figured out that the Iranians knew. Maybe the U.S. knew that the Iranians knew, and are using the fact to discredit Chalabi.
The really weird twist to this story is that the U.S. has already been accused of doing that to Iran. In 1992, Iran arrested Hans Buehler, a Crypto AG employee, on suspicion that Crypto AG had installed back doors in the encryption machines it sold to Iran — at the request of the NSA. He proclaimed his innocence through repeated interrogations, and was finally released nine months later in 1993 when Crypto AG paid a million dollars for his freedom — then promptly fired him and billed him for the release money. At this point Buehler started asking inconvenient questions about the relationship between Crypto AG and the NSA.
So maybe Chalabi's information is from 1992, and the Iranians changed their encryption machines a decade ago.
Or maybe the NSA never broke the Iranian intelligence code, and this is all one huge bluff.
In this shadowy world of cat-and-mouse, it's hard to be sure of anything.
Cryptographers are often great people. Counter-intelligence people tend to be professional paranoids, and some are quite mad, because even they can't be sure…
I’m of the opinion that in this as in most instances, the simplest explanation is the best. While supergeniuses like Richard Perle were off yapping that this “most amazing tradecraft error” defied belief, others noted that a quick switch might not be so simple. The NYT had a nice sidebar on this when the news broke (behind the fee wall now; link below).
The money paragraphs:
It’s possible Iran learned its lesson in the 1980s and had a backup system of one-time pads and well-trained homing pigeons ready to go. I lean towards the fool-me-twice argument of normal human fallibility.
Viz http://www.nytimes.com/2004/06/03/politics/03CODE.html “How to Break a Code” by John Schwartz
During WWII, the breaking of the Japanese code led to the victory at Midway. The Chicago Tribune reported that the US had broken Japanese code based on information they had obtained in violation of secrecy agreements. There was a big debate on whether or not to prosecute. Prosecution was seen as confirmation to the Japanese that the story was true. Many in intelligence argued against prosecution for that reason. However, the brass at the top was so insensed they prosecuted anyway.
In this case Chalabi enenmies wanted to get him worse than they worried about any Iranian knowledge of US code breaking.
It’s really impossible to know, but one question is what is meant by “breaking” the Iranian code. It’s probably much less likely that the cryptographic algorithm itself was cracked than that some other security flaw was exploited. (At least with public implementations of cryptography, the algorithm itself is usually by far the strongest point; and academic/commerical cryptography has progressed far enough in the last few decades that it’s reasonable to assume that government and military algorithms and attacks are probably similar in general structure, if not in all details.) So one then wonders where precisely this flaw was — software implementation? physical security? compromised human? This would make a lot of difference as to whether a) the Iranians could respond to it and b) do so without letting the US know that they knew that the US had broken the code. But whatever the truth of this, it’s clear that announcing this is a great way for those who have grown weary of Chalabi to cut him loose permanently. Which means that one should probably take the outrage of those involved with a few grains of salt.
By the way, far be it for me to criticize Schneier on anything touching cryptography, but one part of his article seems to me a little implausible: “The Iranians probably didn’t build their own, but bought them from a company like the Swiss-owned Crypto AG. … It’s possible that the U.S. broke the mathematical encryption algorithms that the Iranians used … It’s also possible that the NSA installed a ‘back door’ into the Iranian machines. This is basically a deliberately placed flaw in the encryption that allows someone who knows about it to read the messages.” No doubt the NSA could do such things in the 1980s, when crypto machines were physical *machines* (which one couldn’t exactly just take apart and reassemble at will), but would any military or government anywhere use commercial (or other) crypto software now unless it was 100% source available and they had examined it line by line with a fine-tooth comb? If not, they really deserved whatever they got.