Thursday, June 17, 2004

Codes And Spies

Security expert Bruce Schneier makes some interesting speculations about Ahmad Chalabi and the Iranian codes. I confess that I haven't been following the story very closely, so parts of Schneier's account are news to me. For example:
Iranian intelligence supposedly tried to test Chalabi's claim by sending a message about an Iranian weapons cache. If the U.S. acted on this information, then the Iranians would know that their codes were broken. The U.S. didn't, which showed they're very smart about this.
If this story is true, it makes a little more sense to believe that the Iranians doubted Chalabi's honesty enough to discuss it using the putatively broken code - but only a little more sense. There have been multiple historical examples of governments declining to act on intercepted secrets so as not to reveal that they could read the enemy's codes. If I know that, surely Iranian intelligence did. So why wouldn't the Iranians keep quiet and use the compromised code to feed the U.S. false information? It's hard to figure out. Schneier's piece reminds us that where espionage is concerned, it's often impossible to tease out all of the lies, half-truths, and hidden motivations.

He also calls attention to an older story which has apparently been widely covered in the European media and all but ignored in the U.S. It seems this isn't the first time the U.S. has been caught breaking Iranian codes. During the first Bush Administration, the U.S. passed the contents of intercepted Iranian messages to France, where the murder of a former Iranian prime minister was being investigated. Iran suspected that the leaks arose from problems with its cryptographic equipment, which was made by a Swiss company called Crypto AG. So in 1992, the Iranians arrested a high-placed Crypto AG salesman, claiming that the company had installed backdoors in the encryption systems it sold to Iran. The salesman, Hans Buehler, was imprisoned and interrogated repeatedly for months; Crypto AG was finally allowed to ransom him when it became clear that he didn't know anything.

The fact that Buehler didn't know anything didn't mean there was nothing to know. Investigations by the European press uncovered ties between Crypto AG, a supposedly neutral and independent Swiss company, and the German secret service - and then to the U.S. National Security Agency. The article Schneier links to concludes:
Knowledgeable sources indicate that the Crypto AG enciphering process, developed in cooperation with the NSA...involved secretly embedding the decryption key in the cipher text. Those who knew where to look could monitor the encrypted communication, then extract the decryption key that was also part of the transmission, and recover the plain text message. Decryption of a message by a knowledgeable third party was not any more difficult than it was for the intended receiver.
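The mechanism the quoted passage describes, as an added illustration of my own: this is not code from the linked article or from Schneier, and it is not Crypto AG's actual design, which has never been published. Everything in it is assumed for the sake of the demonstration: a toy stream cipher built from HMAC-SHA256 in counter mode, a vendor master secret baked into every unit, a long-term key shared by the two communicating parties, and a message layout of nonce, wrapped message key, "sync" field and body. The point it shows is that the "sync" field looks like random framing to the receiver and to any outsider, but whoever holds the vendor secret recovers the message key from it and reads the message without ever seeing the parties' long-term key.

```python
import hashlib
import hmac
import os

# Assumption: a master secret the vendor builds into every unit it ships.
# The value here is arbitrary and invented for this example.
VENDOR_MASTER = hashlib.sha256(b"hypothetical-vendor-master-secret").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (not a real product's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(ltk: bytes, plaintext: bytes, rng=os.urandom) -> bytes:
    """Encrypt as the device would.

    Layout (all invented for this example):
      nonce (16) | message key wrapped under the parties' long-term key (16)
      | 'sync' field (16) | body enciphered under the message key

    The 'sync' field is the backdoor: it is the same message key wrapped under
    the vendor master secret.  Without that secret it is indistinguishable
    from random framing, so the receiver simply ignores it.
    """
    nonce = rng(16)
    mk = rng(16)                                               # per-message key
    wrapped_mk = _xor(mk, _keystream(ltk, nonce, 16))          # what the receiver needs
    sync = _xor(mk, _keystream(VENDOR_MASTER, nonce, 16))      # what the vendor needs
    body = _xor(plaintext, _keystream(mk, nonce, len(plaintext)))
    return nonce + wrapped_mk + sync + body


def _split(msg: bytes):
    return msg[:16], msg[16:32], msg[32:48], msg[48:]


def decrypt_as_receiver(ltk: bytes, msg: bytes) -> bytes:
    """The intended recipient: unwraps the message key with the shared long-term key."""
    nonce, wrapped_mk, _sync, body = _split(msg)
    mk = _xor(wrapped_mk, _keystream(ltk, nonce, 16))
    return _xor(body, _keystream(mk, nonce, len(body)))


def decrypt_as_third_party(master: bytes, msg: bytes) -> bytes:
    """Someone who 'knows where to look': recovers the message key from the sync
    field using only the vendor master secret, never the parties' long-term key."""
    nonce, _wrapped_mk, sync, body = _split(msg)
    mk = _xor(sync, _keystream(master, nonce, 16))
    return _xor(body, _keystream(mk, nonce, len(body)))


if __name__ == "__main__":
    # Constructed sample: a long-term key known only to the two parties.
    ltk = os.urandom(16)
    pt = b"routine traffic, nothing to see here"
    msg = encrypt(ltk, pt)
    print("receiver :", decrypt_as_receiver(ltk, msg))
    print("vendor   :", decrypt_as_third_party(VENDOR_MASTER, msg))
    print("outsider :", decrypt_as_third_party(os.urandom(32), msg))
```

The receiver and the vendor both read the message; a guesser with the wrong master secret gets noise. Note that nothing in the wire format betrays the leak: the sync field has the same length and the same random look as the nonce, which is exactly why a salesman could sell the equipment in good faith without knowing what it did.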
This story definitely raises more questions than it answers. Have the Iranians discovered a U.S.-exploited flaw in their cryptography twice in twelve years? Or is the information Chalabi leaked related to the events of twelve years ago, codes the Iranians have long since replaced? If so, Schneier suggests, the story might have broken now because one side or the other wishes to discredit Chalabi.

A lot of interesting information there, and I'll admit that I don't really have the background to evaluate it. Hopefully someone who does will pick up this ball and run with it.