Nuclear safeguards – PAL and protection of nuclear warheads

In previous post, in which I described my trip to the NSA National Cryptology Museum, I mentioned that the topic of how nuclear warheads are secured is extremely interesting to me, so this time we will take a look at this area of security. It is difficult for me to imagine a situation or environment in which system failures (both false positives and false negatives) could have more serious consequences than when the decision is made whether or not to use nuclear weapons. Therefore, security measures must both authenticate the truthfulness and source of orders and leave no room for errors or uncertainty of results.

So let's take a look at the systems securing American nuclear warheads - as using this country as an example will provide richest documentation and the longest history of development. The origins of modern security systems are related to President John Kennedy's 1962 memorandum. The US nuclear arsenal was then located in various parts of the globe, including countries with complicated relations such as Greece and Turkey, and the warheads were defended by rather token American forces. Additionally, the tension of the Cold War raised concerns about the scope of authority of commanders who could independently decide to launch a nuclear attack, being convinced that the situation was so critical that they could not wait for contact with Washington. Given the potentially catastrophic consequences, Kennedy ordered that warheads deployed in Europe be secured with permissive link devices.

Security mechanisms were supposed to guarantee meeting three conditions:

1. authentication - the decision to use weapons had to be made by an authorized authority (national command authority, which became a hot topic during Donald Trump's presidency).
2. environment - the weapon should be able to detonate only under certain environmental conditions - such as altitude and acceleration in the case of aerial bombs or warheads carried by intercontinental missiles.
3. intention - the commander responsible for using the weapon must clearly confirm the will to use it.

PAL components are placed deep in the structure of the head itself and connected to a number of sensors so as to limit the possibility of understanding the mechanism of operation of the systems or manipulating them without damaging the entire device. There are also related to this concept strong and weak connections (strong/weak link) and exclusion zone. The exclusion zone contains the components necessary to detonate the warhead and protects it from external factors. Strong connections are designed to make that just a precisely defined signal may enter the exclusion zone and cause detonation. If the exclusion zone protection and stronglinks fail, e.g. due to external factors such as very high temperatures, then detonation should be impossible because the weaklink are designed to break long before the strong connections. Examples include capacitors that must be charged before detonation and are deliberately designed to be damaged by high temperatures. The interaction of the mechanisms is graphically presented in diagram from studies on mechanisms securing warhead detonations by Sandia National Laboratories:

A weaklink is represented as an ice cream bar. If the thermal protection layer is damaged, even having a code or key to a strong link (padlock) that remains operational will not be enough to start the head. Stronglinks, in turn, are "padlocks" and "locks", and just as in the case of a padlock, only one unique key should be able to open it, strong connections are intended to enable detonations only if a correct, unique signal is received. The uniqueness of the signal is a requirement due to the need to exclude the possibility of accidental detonation by random factors (we could say fuzzing :)). Interestingly, the signal pattern and description of ensuring uniqueness were described in publicly available documents. Therefore, a strong link should be the only "place" where input data is analyzed and decisions are made - all other elements are intended to either forward the signal or prevent operation in the event of attempts to violate the integrity of the head.

What the form of the safeguards themselves, which enable operators to arm the warheads? The first PALs were locks with a 3 or 4 digit code. The four-digit versions made it possible to divide the key between two people, so as to enforce the rule of two people agreeing to activate the head. The locks blocked access to the parts of the warhead where fuzes, electrical systems, or fuze mechanisms had to be placed. Systems with the markings CAT A – CAT F were further used:

1. CAT A - devices used in missiles with a four-digit code, required an external module connected by the crew to be armed.
2. CAT B – similar to CAT A, but used in bombs. They also had the functions of checking without arming and changing the code.
3. CAT C – protected by a six-digit code, too many incorrect attempts permanently disabled the warhead.
4. CAT D – secured with a six-digit code and accepting more than one code. In this way, many warheads could be armed with one code, and codes could also be used for use during exercises, to disarm the warheads, or to select the warhead's yield.
5. CAT F – similar to CAT D, but using a twelve-digit code.

Naturally, for PALs to fulfill their role and effectively authenticate received codes, they must be quite complex devices. Interestingly, according to reports former cryptologists Jim Frazer and Gus Simmons it was the Kennedy Memorandum and the resulting needs that resulted in the NSA's creation of public key cryptography. As per Steve Bellovin and based on public information about how PALs work, this theory is not confirmed, and the official version combining the creation of this type of cryptography with GCHQ staff is much better documented. We cannot really determine what was the true story, but PALs certainly contain cryptographic components, if only because of the need to authenticate the signal. Additionally, PAL must protect the head even when an unauthorized person has physical access to the device, so he or she can use any imaging and analysis techniques to obtain information about the system's operation. References to the use of asymmetric cryptography can be found in a document from 1984 PAL Control Of Theater Nuclear Weapons. The ACP (Asymmetric Crypto PAL) described there would be in the research and first prototype phase at that time. As described, the advantages over CAP (Code Activated PAL) would be better protection of the codes stored in the device in the event of attempts to physically analyze the system and its memory, which we could combine with the use of a private and public key pair.

Although this document was significantly censored before publication, we can find several (low quality) illustrations showing PAL elements:

The technical details of how PAL works are of course unknown, but there have been hypotheses about the main assumptions of the device. Steve Bellowin and Phil Karn they assumed that PAL works by deciphering a detailed time sequence from the key, so that only the appropriate sequence of charge detonations will lead to a nuclear explosion. Another option would be mixed signal wires with a rotor mechanism similar to that used in the Enigma. Entering the correct code would set the mechanical elements in such a way that it would be possible to send a signal to the detonator. In the previously mentioned documents regarding the generation of unique signals, we also find annotations that entering the code via the keyboard does not meet the required standards of certainty and ease of use. Therefore, operators are likely using some type of external memory plugged into the PAL.

Additionally, in 2002, Sandia National Laboratories reported on the completion of the project to modernize the CMS (Code Management System) for nuclear weapons. The publication states that the new system consists of nine software and five hardware elements and enables comprehensive handling of nuclear weapons, including storage, testing, auditing and changing codes. Additionally, the cryptographic module contains three cryptographic chips and is the size of a large laptop. CMS supports end-to-end encryption to prevent codes from being intercepted in transit during the code change procedure. The announcement also reveals the complexity of the software, which allegedly consists of 160,000 lines of code, not including comments.

The claim that creating safeguards to protect nuclear warheads is a difficult task is a truism. Apart from the obvious complexity of the problem, it should be remembered that the systems must ensure not only security but also reliability to ensure nuclear deterrence. Information that would otherwise be very surprising should be read in this context. For example, the US Air Force it was only in 2019 that they moved away from using eight-inch floppy disks in computers controlling intercontinental ballistic missiles. The problems arising from the need to reconcile safety, reliability, and ease of use make nuclear weapons security an issue worthy of the attention of anyone interested in security engineering.