BY FRED KINCH | AMAZON | RELEASE DATE 24 MAY 2024
Review by: Security Technologist Bruce Schneier
From the vantage point of today, it's surreal reading about the commercial cryptography business in the 1970s. Nobody knew anything. The manufacturers didn't know whether the cryptography they sold was any good. The customers didn't know whether the crypto they bought was any good. Everyone pretended to know, thought they knew, or knew better than to even try to know.
The Business of Secrets is the self-published memoirs of Fred Kinch. He was founder and vice resident of - mostly sales - at a US cryptographic hardware company called Datotek, from company's founding in 1969 until 1982. It's mostly a disjointed collection of stories about the difficulties of selling to governments worldwide, along with descriptions of the highs and (mostly) lows of foreign airlines, foreign hotels, and foreign travel in general. But it's also about encryption.
Datotek sold cryptographic equipment in the era after rotor machines and before modern academic cryptography. The company initially marketed computer-file encryption, but pivoted o link encryption - low-speed data, voice, fax - because that's what the market wanted.
These were the years where the NSA hired anyone promising in the field, and routinely classified - and thereby blocked - publication of academic mathematics papers of those they didn't hire. They controlled the fielding of strong cryptography by aggressively using the International Traffic in Arms regulation. Kinch talks about the difficulties in getting an expert license for Datotek’s products; he didn’t know that the only reason he ever got that license was because the NSA was able to break his company’s stuff. He had no idea that his larges competitor, the Swiss company Crypto AG, was owned and controlled by the CIA and its West German equivalent. “Wouldn't that have made our life easier if we had known that back in the 1970s?" Yes, it would. But no one knew.
Glimmers of the clandestine world peek out of the book. Countries like France ask detailed tech questions, borrow or buy a couple of units for "evaluation," and then disappear again. Did they break the encryption? Did they just want to see what their adversaries were using? No one at Datotek knew.
Kinch "carried the key generator logic diagrams and schematics" with him - even today it's good practice not to rely on their secrecy for security -- but the details seem laughably insecure: four linear shift registers of 29, 23, 13, and 7 bits, variable stepping, and a small nonlinear final transformation. The NSA probably used this as a challenge to its new hires. But Datotek didn't know that, at the time.
Kinch writes: “The strength of the cryptography had to be accepted on trust and only on trust." Yes, but it's so, so weird to read about it in practice. Kinch demonstrated the security of his telephone encryptors by hooking a pair of them up and having people listen to the encrypted voice. It's rather like demonstrating the safety of a food additive by showing that someone doesn't immediately fall over dead after eating it. (In one absolutely bizarre anecdote, an Argentine sergeant with a "hearing defect" could understand the scrambled analog voice. Datotek fixed its security, but only offered the upgrade to the Argentines, because no one else complained. As I said, no one knew anything.)
In his postscript, he writes that even if the NSA could break Datotek's products, they were "vastly superior to what [his customers] had used previously." Given that the previous devices were electromechanical rotor machines, and that his primary competition was a CIA-run operation, he's probably right. But even today, we know nothing about any other country's cryptanalytic capabilities during those decades.
A lot of this book has a "you had to be there" vibe. And it's mostly tone-deaf. There is no real acknowledgment of the human-rights-abusing countries on Datoteks customer list, and how their products might have assisted those governments. But it's a fascinating artifact of an era before commercial cryptography went mainstream, before academic cryptography became approved for US classified data, before those of us outside the triple fences of the NSA understood the mathematics of cryptography.
Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of over one dozen books—including his latest, A Hacker’s Mind—as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation and AccessNow; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.