May 6, 2005
Colloquium Speaker: Steven Bellovin
Dr. Steven M. Bellovin is a professor of computer science at Columbia University; he joined the faculty there in 2005 after many years at Bell Labs and AT&T Labs Research, where he was an AT&T Fellow. He received a B.A. degree from Columbia University, and an M.S. and Ph.D. in Computer Science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create netnews; for this, he and the other perpetrators were awarded the 1995 Usenix Lifetime Achievement Award. He joined AT&T Bell Laboratories in 1982. He is an AT&T Fellow and a member of the National Academy of Engineering. Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs; he was also a member of the information technology subcommittee of an NRC study group on science versus terrorism. He was a member of the Internet Architecture Board from 1996 to 2002; he was co-director of the Security Area of the IETF from 2002 through 2004.
A PAL -- a "Permissive Action Link" -- is the box that is supposed to prevent unauthorized use of a nuclear weapon. "Unauthorized" covers a wide range of sin, from terrorists who have stolen bombs to insane American military officers to our allies who may have some of their own uses for bombs that are covered by joint use agreements. It's supposed to be impossible to "hot-wire" a nuclear weapon. Is it?

There is little in the public record that discusses just how Permissive Action Links (PALs) work. This isn't surprising, of course; remarkably little has been published about most technical details of nuclear weapons design. Even so, much more has been published about the so-called "physics package" than about the control aspects. This may be because something that goes bang is sexier, of course. But it may also be because fission and fusion are natural processes that can be studied in the abstract. Someone can reinvent the atom bomb (as, indeed, many have done). A PAL is an engineering artifice, with many possible design choices. Furthermore, the design of a PAL is based on cryptography, and cryptography has always had the aura of the forbidden.

Beyond that, there is the claim that the development of Permissive Action Links led to NSA inventing public key cryptography. This is at variance with the known history of that field, and in particular with the British claim to have invented it in 1970. Is there a link? In what way do permissive action links depend on public key crypto?

Finally, to those of us in the computer security community, a security mechanism that can't be bypassed is quite attractive. What can we learn from the principles of PAL design?