In my previous post, in which I described my visit to the NSA National Cryptologic Museum, I mentioned that the subject of how nuclear warheads are secured interests me greatly, so this time we will look at this area of security. It is hard to imagine situations or environments in which a system's imperfections (both false positives and false negatives) could have more serious consequences than when a decision is made whether or not to use nuclear weapons. The safeguards must therefore both authenticate the authenticity and origin of the orders and leave no room for errors or ambiguous results.
So let us look at the safety systems for American nuclear warheads, where we will find the richest documentation and the longest history of development. The genesis of modern safety systems is tied to a 1962 memorandum of President John Kennedy. The U.S. nuclear arsenal was then located in various parts of the globe, including countries with complicated relations such as Greece and Turkey, with the warheads guarded by rather symbolic American forces. In addition, the tension of the Cold War raised concern about the will of commanders who could decide on a nuclear attack on their own, convinced that the situation was critical enough that one could not wait to contact Washington. Bearing in mind the potentially disastrous effects, Kennedy recommended that the warheads deployed in Europe be protected by a Permissive Action Link (PAL).
The security mechanisms were to guarantee compliance with three conditions:
- authentication: the decision to use the weapon had to be taken by the National Command Authority (a topic that received media attention during Donald Trump's presidency);
- environment: the weapon should only be detonated under certain environmental conditions, such as altitude and acceleration in the case of air-dropped bombs or warheads carried by intercontinental missiles;
- intent: the commander responsible for the use of the weapon must clearly confirm the will to use it.
The PAL components are placed deep inside the structure of the warhead itself and connected to a range of sensors, to limit the ability to learn or manipulate how the system operates without damaging the whole device. This concept is also associated with strong and weak links (strong/weak link) and the exclusion zone. The exclusion zone contains the components necessary to detonate the warhead and protects them from external factors. Strong links are designed so that only a specific signal may enter the exclusion zone and cause detonation. If the protection of the exclusion zone and the strong links fail, e.g. due to external factors such as very high temperature, detonation should be impossible, because the weak links are designed to break long before the strong links. Examples include capacitors that must be charged before detonation and are intentionally designed to be destroyed by high temperatures. The interaction of these mechanisms is illustrated by a figure from Sandia National Laboratories' studies on the protective mechanisms for warhead detonation:

A weak link is depicted as ice on a stick. If the thermal protection layer is damaged, then even having the code or key to a strong link (the lock), which remains functional, is not enough to operate the warhead. Strong links, in turn, are "locks", and as with a lock, only one unique key should be able to open it: strong links are meant to allow detonation only when a correct, unique signal is received. The uniqueness of the signal is a requirement stemming from the need to rule out accidental detonation by random factors (as we might say, by fuzzing). Interestingly, the signal pattern and a description of how its uniqueness is ensured were published in publicly available documents. A strong link should therefore be the only "place" where input data is analysed and a decision is made; all other elements are either intended to pass the signal on or to prevent action in the event of attempts to breach the integrity of the warhead.
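To make the division of labour concrete, here is a small model of the pattern described above: a strong link that is the only component inspecting input and accepts exactly one unique signal, a weak link that fails irreversibly under heat well before the strong link does, and an arming function that additionally enforces the environment and intent conditions. This is an added illustration, not Sandia's design or code from the original post; the signal pattern, temperature thresholds and environmental limits are all constructed.

```python
"""
Toy model of the exclusion zone / strong link / weak link pattern, together
with the three conditions (authentication, environment, intent).
Added illustration: the signal pattern, temperature thresholds and
environmental limits below are constructed, not taken from any real device.
"""
from dataclasses import dataclass, field
import hmac

# Constructed 24-byte "unique signal". The strong link compares the whole
# pattern, so a random or partial input (the fuzzing case) never matches.
UNIQUE_SIGNAL = bytes.fromhex("a5c3e17b9d204f6e8b1c3d5a7e9f0b2d4c6e8a0f1b3d5f7e")

WEAK_LINK_MAX_TEMP_C = 150.0    # constructed: weak link is destroyed above this
STRONG_LINK_MAX_TEMP_C = 400.0  # constructed: strong link survives much longer
MIN_ALTITUDE_M = 1000.0         # constructed environmental gate
MIN_ACCELERATION_G = 2.0        # constructed environmental gate


@dataclass
class WeakLink:
    """Breaks irreversibly under stress, well before the strong link does."""
    broken: bool = False

    def expose(self, temp_c: float) -> None:
        if temp_c > WEAK_LINK_MAX_TEMP_C:
            self.broken = True  # one-way: there is no reset path

    def passes(self) -> bool:
        return not self.broken


@dataclass
class StrongLink:
    """The only place that inspects input: accepts exactly one unique signal."""
    damaged: bool = False

    def expose(self, temp_c: float) -> None:
        if temp_c > STRONG_LINK_MAX_TEMP_C:
            self.damaged = True

    def accepts(self, signal: bytes) -> bool:
        if self.damaged:
            return False
        # constant-time comparison; a length mismatch also returns False
        return hmac.compare_digest(signal, UNIQUE_SIGNAL)


@dataclass
class ExclusionZone:
    weak: WeakLink = field(default_factory=WeakLink)
    strong: StrongLink = field(default_factory=StrongLink)

    def expose(self, temp_c: float) -> None:
        """An environmental insult such as fire reaches both links."""
        self.weak.expose(temp_c)
        self.strong.expose(temp_c)

    def arm(self, signal: bytes, altitude_m: float, acceleration_g: float,
            intent_confirmed: bool) -> str:
        """Return 'ARMED' only if every gate passes; otherwise say which failed."""
        if not self.weak.passes():
            return "REJECT: weak link broken (fail-safe)"
        if not self.strong.accepts(signal):                      # authentication
            return "REJECT: strong link did not receive the unique signal"
        if altitude_m < MIN_ALTITUDE_M or acceleration_g < MIN_ACCELERATION_G:
            return "REJECT: environmental conditions not met"     # environment
        if not intent_confirmed:                                  # intent
            return "REJECT: intent not confirmed"
        return "ARMED"


def heated_zone_demo(temp_c: float) -> tuple[bool, str]:
    """After heating a fresh zone, report whether the strong link still accepts
    the unique signal and what the zone answers to an otherwise valid request."""
    zone = ExclusionZone()
    zone.expose(temp_c)
    return zone.strong.accepts(UNIQUE_SIGNAL), zone.arm(UNIQUE_SIGNAL, 5000.0, 3.0, True)
```

The interesting case is `heated_zone_demo(200.0)`: at that temperature the strong link is intact and would still accept the unique signal, yet the zone refuses to arm because the weak link has already failed safe, which is exactly the "ice on a stick" picture.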
What form does the safeguard itself take, the one that allows operators to arm warheads? The first PALs were locks with 3- or 4-digit codes. The four-digit versions made it possible to split the code between two people, so as to enforce the two-person rule for arming the warhead. The locks blocked access to the parts of the warhead where the fuzes, electrical systems, or firing mechanisms had to be placed. Later, the CAT A to CAT F systems were used:
- CAT A: devices used in missile warheads with a four-digit code; arming required external modules connected by the crew.
- CAT B: similar to CAT A, but used in bombs. They also allowed function checks without arming the weapon, and code changes.
- CAT C: protected by a six-digit code; too many failed attempts permanently disabled the warhead.
- CAT D: protected by a six-digit code and accepting more than one code. In this way, many warheads could be armed with one code, and there were also codes to be used during exercises, to disarm the warheads, or to select the yield of the warhead.
- CAT F: similar to CAT D but using a 12-digit code.
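The behaviours in this list combine naturally into one small model: a code that is only ever assembled from two operators' halves (the two-person rule), a permanent lockout after too many wrong attempts (CAT C), several codes bound to different functions such as exercise, disarm or yield selection (CAT D), and a code-change operation (CAT B). The following is an added illustration and not a description of any real PAL; the code lengths, the lockout limit, the function names and the use of salted PBKDF2 for stored codes are all assumptions.

```python
"""
Toy model of the code-handling behaviours of the CAT A to CAT F families:
two-person split entry, permanent lockout, several function-bound codes and
code change. Added illustration; code lengths, the lockout limit, function
names and the hashing scheme are assumptions, not properties of a real PAL.
"""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3   # constructed lockout threshold
PBKDF2_ROUNDS = 10_000    # constructed; only so stored values are not plaintext codes


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class CodeLock:
    """Maps entered codes to functions; one wrong-attempt counter for the device."""

    def __init__(self, code_len: int, codes: dict[str, str]):
        self.code_len = code_len
        self.failed = 0
        self.disabled = False
        self._table: dict[str, tuple[bytes, bytes]] = {}
        for func, code in codes.items():
            self._store(func, code)

    def _store(self, func: str, code: str) -> None:
        if len(code) != self.code_len or not code.isdigit():
            raise ValueError(f"code must be {self.code_len} digits")
        salt = os.urandom(16)
        self._table[func] = (salt, _digest(code, salt))

    def _match(self, code: str):
        """Return the function this code unlocks, or None. Every entry is
        checked so the timing does not depend on which function matched."""
        found = None
        for func, (salt, stored) in self._table.items():
            if hmac.compare_digest(_digest(code, salt), stored):
                found = func
        return found

    def submit(self, code: str) -> str:
        """Return the unlocked function name, 'REJECT', or 'DISABLED'."""
        if self.disabled:
            return "DISABLED"
        func = self._match(code)
        if func is None:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.disabled = True   # CAT C behaviour: permanent, no reset path
                return "DISABLED"
            return "REJECT"
        self.failed = 0
        return func

    def submit_split(self, first_half: str, second_half: str) -> str:
        """Two-person rule: the code is only assembled from both halves,
        so neither operator alone holds a usable code."""
        return self.submit(first_half + second_half)

    def change_code(self, current_arm_code: str, func: str, new_code: str) -> bool:
        """Code change gated on the current arm code; a wrong code counts
        as a failed attempt like any other entry."""
        if self.submit(current_arm_code) != "arm":
            return False
        self._store(func, new_code)
        return True
```

One design point worth noticing: the failed-attempt counter belongs to the device, not to a particular code, so guessing against the exercise code and guessing against the arm code draw on the same budget, and once the lock is disabled there is deliberately no method that re-enables it.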
Naturally, for a PAL to fulfil its function and effectively authenticate the codes it receives, it must be a rather complex device. Interestingly, according to former cryptologists Jim Frazer and Gus Simmons, it was the Kennedy memorandum and the resulting needs that led the NSA to develop public key cryptography. According to Steve Bellovin, and based on public information on how PAL works, this thesis is not supported, and the official version attributing the creation of such cryptography to GCHQ employees is much better documented. We will not really settle how it was, but PAL certainly contains cryptographic components, if only because of the need to authenticate the signal. In addition, a PAL must protect the warhead even if an unauthorised person has physical access to the device and can therefore use any imaging and analysis techniques to obtain information about how the system operates. A reference to the use of asymmetric cryptography can be found in the 1984 paper PAL Control of Theater Nuclear Weapons. The ACP (Asymmetric Crypto PAL) described there was at that time in the research phase with the first prototypes. According to the description, the advantage over CAP (Code Activated PAL) would be better protection of the codes stored in the device against physical analysis of the system and its memory, which we can associate with the use of a private and public key pair.
Although this paper was heavily censored before publication, we can find in it several (low-quality) illustrations depicting elements of PAL:



The technical details of how PAL operates are of course not known, but there have been hypotheses about the main assumptions of the device. Steve Bellovin and Phil Karn assumed that PAL operated on a precise timing sequence decoded from the key, in such a way that only the correct sequence of firing the detonation charges would lead to a nuclear explosion. Another option would be to mix signals with a rotor mechanism similar to that used in Enigma: entering the correct code would cause the mechanical elements to be set so that the signal could be passed to the detonator. The papers mentioned above on generating unique signals also note that entering the code through a keypad does not meet the required standards of reliability and ease of use. Therefore, operators likely use some kind of external memory connected to the PAL.
In addition, in 2002 Sandia National Laboratories reported the completion of the CMS (Code Management System) modernisation project. In the publication we can read that the new system consists of 9 software components and 5 hardware components and supports comprehensive nuclear weapons handling, including storage, testing, audit, and code changes. Additionally, the cryptographic module contains 3 cryptographic circuits and is the size of a large laptop. CMS supports end-to-end encryption to prevent codes from being intercepted while they are transmitted during the code change procedure. The information also reveals the complexity of the software, which reportedly consists of 160,000 lines of code, not including comments.
The claim that creating safeguards protecting nuclear warheads is a hard task is a truism. In addition to the obvious complexity of the problem, however, it should be remembered that the systems must provide not only security but also the reliability that guarantees nuclear deterrence. In this context, it is worth reading information that would otherwise be very surprising, for example that the US Air Force only in 2019 stopped using eight-inch floppy disks in the computers controlling intercontinental ballistic missiles. The problems resulting from the need to reconcile security, reliability, and simplicity of operation make nuclear security a notable topic for anyone interested in security engineering.