Schneier on Security
A blog covering security and security technology.
« Identifying People from Mobile Phone Location Data |
| Security Awareness Training »
March 26, 2013
The NSA's Cryptolog
The NSA has published declassified versions of its Cryptolog newsletter. All the issues from Aug 1974 through Summer 1997 are on the web, although there are some pretty heavy redactions in places. (Here's a link to the documents on a non-government site, in case they disappear.)
I haven't even begun to go through these yet. If you find anything good, please post it in comments.
Posted on March 26, 2013 at 2:15 PM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
There is a hilarious "How Things Have Changed" column in Vol. III, Nos. 6 - 7 - June - July 1976 (pdf page 27)
It (disapprovingly) quotes a sexist January 1960 article "On The Selection of Cryptanalysts":
"Quite apart from the fact that the subject matter as such is foreign to a woman's mentality, it must be added that it is extremely difficult for most women to engage in work about which no work must be spoken"
National Security Agency, Central Security Service, 12 March 2013 // Dear Mr. Young, This responds to your request of 18 February 2008 to have all issues of Cryptolog reviewed for declassification. … we trust you will be pleased with the release of this collection."
We've networked our computers, creating some painful security headaches, but we have created possibilities for a new
analytic reach across problems and great
opportunities for doing things we haven't
even thought of yet against targets we don't yet know about
Cryptolog 28 - March 1977
"Examples of this uneven nature of data dis-
tribution are quite pronounced now and will be
greatly exaggerated when the IBM storage sys-
tem called OAK is added to the present IBM
370/168 complex. With its 169 billion byte
storage and "virtual disk" concepts, it is
bound to lead to a large imbalance in storage
of data throughout the general purpose system."
That's like 157 Gigabytes of storage on virtual disks, 30 years before harddisks in the same order of magnitude were available for the public.
Jesus, talk about a bad UI (Feb. 1982 issue):
"For example, in one area which I won't name, users were at one time instructed by their supervisors NOT to make use of a major set of information support files designed specifically for their work, by an in-house computer support element in their own organization. Why? Because it was so difficult to get logged on, to frame a request, and to complete viewing responses without making an error. A user error caused the system to be locked up, preventing all users from getting at other things they needed until operations could be called to get the files closed and the user logged out."
I downloaded it, some pretty interesting stuff especially considering the new stuff is from the 90s. there is even a sction on IW that seeks out HUMINT for hardware specs.
I see in the summer 1997 edition the lead article is an interview with "Ski", with the rest of the name redacted. A quick search on Google shows at http://www.cryptologicfoundation.org/content/... that it is almost certainly Mr. Norbert "Ski" Szymanowski. Hmm, why redact the full name when "Ski" is a better unique identifier? Aren't NSA supposed to understand this sort of stuff?
The Fall 1995 version has some interesting reviews of books about Information Warfare.
"Amazon has launched a new "CloudHSM" service. Oxymoron of the year?"
Not necessarily. It's probably an effective solution for their stated use cases. And I've always been a fan of that HSM vendor's tech.
@Mr Art on 1960s sexism:
Amusingly the Bletchley Park counterexample which disproves "it is extremely difficult for most women to engage in work about which no work [word?] must be spoken" was evidently unknown to that writer - precisely because thousands of women had not spoken.
The Bletchley Park counterexample is even more amusing given that the author was a former officer of the German Army working on crypto during WWII. Maybe if the German crypto arm had been less sexist, they would have done better in the war.
Albert wrote: "That's like 157 Gigabytes of storage on virtual disks, 30 years before harddisks in the same order of magnitude were available for the public."
"OAK" was the IBM 3850 Mass Storage System (MSS), and was available to the public (at least to large companies who could afford it) in the mid 70s, so in that respect NSA doesn't seem to have been far ahead of the commercial world. I still have a tape cartridge from one, and they show up on eBay from time to time.
@MW I think they truly meant work, i.e., since the title was "On the selection of cryptanalysts", it would be hard for women to engage in work which they couldn't talk about outside of work (or even inside of work depending on the classification of the data). Meaning that women would not be able to be good cryptanalysts b/c they wouldn't be able to keep their mouths shut outside of work, but in a nicer way.
The review of Eurocrypt 1992 (in March 1994 issue) is quite remarkable. Here some excerpts:
"Three of the last four sessions were of no value whatever, and indeed there was almost nothing at Eurocrypt to interest us (thisis good news!). The scholarship was actually extremely good; it's just that the directions which external cryptologic researchers have taken are remarkably far from our own lines of interest"
"There were no proposals of cryptosystems, no novel cryptanalysis of old designs, even very little on hardware design. I really don't see how things could have been any betterfor our purposes. We can hope that the absentee cryptologists stayed away because they had no new ideas, or even that they've taken an interest in other areas of research."
"Perhaps it is beneficial to be attacked, for you can easily augment your publication list by offering a modification."
"This result has no cryptanalytic application, but it serves to answer a question which someone with nothing else to think about might have asked"
"The allegation (almost certainly correct) that certain public-key systems might be implemented more securely by using elliptic curves has produced the predictable spate of papers on elliptic curves. We were fortunate to have only two such talks on the current agenda"
This one is of particular interest: "Of course, while throughout we refer to the extremely popular algorithm as "RSA," it was in fact first conceived by GCHQ's CliffCocks, following the introduction of "nonsecret encryption" ideas (Note: now known as "public-key cryptosystems") by James Ellis, also of GCHQ. This poorly kept secret has never been acknowledged publicly, and is still CONFIDENTIAL."
Cryptolog 135 (Spring '97) has an interesting paragraph in an article about the new Information Age.
"Second, the public reaction to this new age has a direct relationship to the National Security
Agency and the way we do business. At the beginning of the Industrial Age, the public centered in on
industrialists and/or capitalists as being "the problem." Labor unions were created and child labor laws
were enacted to curb their power. In today's Age, the public has centered in on government as "the prob-
lem." Specifically, the focus is on the potential abuse of the Government's applications of this new infor-
mation technology that will result in an invasion of personal privacy. For us, this is difficult to understand.
We are "the government," and we have no interest in invading the personal privacy of U.S. citizens."
We are NSA.
Lower your shields and surrender your ships.
We will add your biological and technological distinctiveness to our own.
Your culture will adapt to service us.
Resistance is futile.
I worked at NSA for 7+ years during the 90's and this really brings back some memories.
After reading the first sentence of Michael's comment (see above) on the review of Eurocrypt 1992, which appears in the March 1994 issue, I knew who had written that review. But, it looks like the author's name is redacted, so apparently, the general public is not supposed to know who wrote it. Yet, the author's initials appear at the top of p. 19...
@Michael (Mar 27, 4:14): Cliff Cocks is already mentioned on Wikipedia in the RSA article; apparently this particular information was declassified back in 1998.
@Jeremy: yes, and his Hungarian-American wife is called Donna. Seems slightly sloppy!
Say, there is a remarkable article in <redacted>.
Re: J.H.Boob's comments: the author's wife's 1st name appears on p.19, too, as is the fact that she is Hungarian-American.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.