In the Cold War, US scientist Gus Simmons discovered a serious weakness in a cryptologic disarmament technology. His discovery initiated a new branch of IT security. Nevertheless, nobody seems to know how this weakness worked. The paper Simmons published about it doesn’t contain a detailed description. Does a reader know more?

In the 1970s, the USA and Soviet Union had enough nuclear missiles to blow up the earth several times. At least, in 1979 the two super-powers agreed on an upper limit for the number of their nuclear long-range missiles in the agreement SALT 2.


The Americans accepted in SALT 2 to limit the number of Minuteman intercontinental missiles to 100. The agreement also allowed the US a maximum of 1,000 launch sites for these missiles. This contribution was particularly important for the US military, as they feared a surprise attack by the Soviets that would destroy all Minuteman bases simultaneously. Such an attack appeared to be unrealisitic, if there were 1,000 bases – provided that the Soviets did not know in which bases the 100 missiles were stationed.


The missile shell game

The solution the US military now developed was the so-called “missile shell game”. This solution provided for special trucks to travel back and forth between the launch bases all the time. Sometimes these vehicles loaded a missile and transported it to the next base, sometimes they were only sent on their journey with a dummy freight. Because of the missile shell game, the Soviets never knew where the 100 missiles were. If they found out, this knowledge was outdated after a few dummy transports.

But now an important problem arose. The missile shell game made it very difficult for the Soviets to control whether the Americans really had only 100 missiles. Random checks at the launch sites seemed too inaccurate. The US military therefore commissioned the armaments company TRW to develop a suitable technology in cooperation with the NSA.

The solution now developed was to install a special computer unit in each launch site, the design of which was coordinated by the two superpowers. The computer unit was to be hermetically sealed and equipped with self-destruct mechanisms. Inside there were sensors that could reliably detect the presence of a Minuteman rocket. In addition, the unit contained a transmitter and a crypto module constructed by the Soviets. Finally, each module had a serial number of the launch site stored, the assignment of which was known only to the Americans.

In order to check compliance with SALT 2, the Soviets could initiate a query of each computer unit. In addition, they supplied the Americans another serial number for each base and a further value. The Americans entered these values into the respective cryptographic module and received a cryptographic checksum in addition to the information “missile” or “no missile”. The checksum along with the information about the presence of the missile was sent to the Soviets. If the Soviets queried all 1,000 bases in this way, no more than 100 “missile” responses were to be received, otherwise the Americans would have broken the contract.

This protocol had already been approved by all experts, when it was presented to the US company Sandia. Sandia was involved in the design of the required hardware, but had nothing to do with the crypto itself. Nevertheless, the Sandia employee Gus Simmons, …


… who was an experienced crypto expert, immediately found something he believed was a flaw. Simmons found out: If the Soviets had a suitable method for generating the hash value built into the crypto module, they could encode additional information into the Americans’ answers. In this way, they could let the crypto module transmit information about the missile location, which would have made the missile shell game worthless.

The NSA assumed that Simmons’ method worked in theory, but would have been easy to prevent in practice.


How did it work?

At this point, I would love to explain how the data smuggling method discovered by Simmons worked. Unfortunately, I can’t. I simply don’t understand it. The only source I have is the chapter The History of Subliminal Channels written by Simmons, published in the book Information Hiding (1996), edited by Ross Anderson.


Simmons wrote this text 20 years after he had discovered tthe flaw. Much of the information he provided refers to technolgy of the 1970s. The chapter contains illustrations that are based on original notes Simmons didn’t understand himself any more, when he wrote the chapter.

A reader of this blog, who is apparently famliar with Cold War missiles, even doubts that Simmons told the background story correctly. According to this reader, SALT 2 did not prescribe a reduction of Minuteman missiles at all. Perhaps, Simmons confused the Minuteman with the MX Peacekeeper, another US missile of the time.


Anyway, if anyone can say more about how the communication method described by Simmons worked, I would be very interested.

My first blog post about this topic was published (in German) two and a half years ago. None of my readers could tell me any details about Simmons’s discovery. However, meanwhile my readership has grown and is more international. Perhaps, somebody knows an additional source or understands how Simmons’ attack works.


Subliminal channels

The missile shell game was never used in the end. According to Simmons, the reason for this was not the vulnerability he discovered, but the high costs. What other solution was found to the problem is not clear from his publication.

In any case, Simmons’ discovery of a hidden communication method (a so-called subliminal channel) has inspired numerous computer experts to further research. Subliminal channels (they are an example of steganography) are known today in a wide variety of environments (operating systems, computer networks, communication links, …) with different applications or threats. Simmons himself has published a number of papers on this topic. My book Versteckte Botschaften contains a few examples. As is so often the case in history, a war has driven technological development. In this case it was the Cold War.

Further reading: Censorship manual steganograms partially solved


Subscribe to Blog via Email

Gib Deine E-Mail-Adresse an, um diesen Blog zu abonnieren und Benachrichtigungen über neue Beiträge via E-Mail zu erhalten.

Kommentare (8)

  1. #1 Dampier
    29. September 2018

    Wow. Never heard of this. Intriguing.

  2. #2 Thomas
    29. September 2018

    The link to “Information Hiding” seems to provide only a part of Simmon’s article, hete the complete text (only for mathematicians):

  3. #3 Klaus Schmeh
    29. September 2018

    @Thomas: Thanks for the link! I didn’t know that this chapter is available online.

  4. #4 Klaus Schmeh
    29. September 2018

    Bart Wenmeckers via Facebook:
    If it has anything to do with titan 2 ICBMs then I know someone who may be able to help

  5. #5 Klaus Schmeh
    29. September 2018

    @Bart Wenmeckers: I don’t know of it has, but it is certainly worth a try.

  6. #6 Narga
    30. September 2018

    What I think after going quickly through the article is this: the mistake was to leave the Russians free choice of their crypto algorithm. This was done in order to hopefully learn about Russian cryptography research in the implementation process.

    The information smuggling would then work like this:
    You need to come up with an encryption method that starting from plaintext P can create different encrypted texts that have the (at first surprising) property that they all decode to the same plaintext P when using the same key K to decrypt. The additional information is then: which of the encrypted texts was sent, regardless of what it decrypts to. While someone who decrypts the text will find no additional information.

    This special encryption property cannot be realised with classical symmetric cryptography (hence nobody at NSA complained) but the then rather new asymmetric cryptography allowed to do that. You immediately realise that you can have a set of different encryption keys K_en_1, K_en_2, … from which you choose depending on the hidden information you want to send. But they all work together with one decryption key K_de that gets back the harmless plaintext.

    It can also be understood by looking at how a hash function can have the same output for very different bitstrings and the hidden information is in which bitstring the method creates and is then transmitted.

  7. #7 Thomas
    30. September 2018

    I think Narga has illustrated the key choosing method very well. This Wikipedia article explains how the subliminal message gets hidden using the Digital Signature Algorithm (Simmons refers to the Rabin cryptosystem):
    Instead of using a random signature parameter, the parameter is set according to the subliminal message that is to be transmitted.

  8. #8 Klaus Schmeh
    30. September 2018

    @Narga: Thank you very much for this explanation!
    This means that the Russians could look at the ciphertext in order to find out which algorithm was used. This makes sense.