As a result of this Slashdot FP, I spent a fair bit of time this afternoon reading up on “Permissive Action Links” or PALs. PALs are the systems which prevent the unauthorized use of nuclear weapons in the U.S. and allied arsenals; they’re the real versions of the ‘arming code’ devices that Hollywood loves so much.
Steven M. Bellovin, a professor at Columbia University in the Computer Science department, has a fascinating page on the topic, excellent not only for its analysis but for the depth of the material it references.
PALs are interesting because they (hopefully) represent the most extreme, highest-stakes use of both physical and electronic security measures. However, in reading about them, it’s easy to see parallels to more mundane scenarios.
Bellovin quotes from Assuring Control of Nuclear Weapons:
There are two basic means of foiling any lock, from an automobile ignition switch to a PAL: the first is to pick it, and the second is to bypass it. From the very beginning of the development of PAL technology, it was recognized that the real challenge was to build a system that afforded protection against the latter threat. … The protective system is designed to foil the probes of the most sophisticated unauthorized user. It is currently believed that even someone who gained possession of such a weapon, had a set of drawings, and enjoyed the technical capability of one of the national laboratories would be unable to successfully cause a detonation without knowing the code.
Does this sound familiar? It should: you could just as easily be describing the hardware design goals of a DRM system like AACS. And why shouldn’t it? A PAL really is just a high-stakes DRM system. The point is to allow access by authorized users who possess a code, while denying others, even if the people you want to deny have access to the whole assembly.
Based on the declassified information available, the PAL consists of a tamper-resistant ‘secure envelope’ or ‘protective skin,’ into which certain arming components are placed. This envelope can be thought of both as a physical and a logical region. It protects the components inside against both physical tampering and remote sensing (X-rays, etc.), as well as informational attacks (brute forcing of the key code, replay attacks); a breach of the envelope results in irreversible disabling of the device. The inputs and outputs from the secure envelope are carefully designed according to the “strong/weak link” principle:
Critical elements of the detonator system are deliberately “weak”, in that they will irreversibly fail if exposed to certain kinds of abnormal environments. A commonly-used example is a capacitor whose components will melt at reasonably low temperatures. The “strong” link provides electrical isolation of the detonation system; it only responds to very particular inputs.
Strong and weak links need not be electromechanical; one could envision similar constructs in modularized software, for instance. In fact, most of the basic concepts of tamper-resistance can be envisioned both literally (as hardware systems; sealed boxes full of pressure and X-ray sensors) and abstractly (modules and their handling of exceptions).
PALs are interesting because they represent the logical conclusion of tamper-resistance systems. It’s my view that if you look at the direction that commercial content-protection systems are going in, and the subsequent cat-and-mouse games with the hacker/cracker community, consumer electronics will begin to increasingly include PAL-like tamperproof elements in the future. Thus, a conceptual understanding of PALs might be exactly the sort of knowledge you’d want to acquire, if your desire was to end-run the inevitable (in my view, given the current climate) next generation of DRM hardware.
Of course, the obvious downside of this is that the same research that a relatively innocent hacker might conduct into the avoidance or circumvention of annoying DRM systems, might also be the same sort of knowledge that you’d need to circumvent the PAL on a nuclear weapon. Regardless of whether this is a valid national security threat, it’s exactly the sort of justification you’d want if your goal was to quash research that was threatening your business (or political-contribution) model. Given the not-infrequent collusion between the industries that benefit from DRM and the government (also c.f. The Attraction of Strong IP by yours truly), I’m not sure this is as farfetched as it might sound.