
A security conundrum in Between Silk and Cyanide

One of the advantages of being a fairly public person (having written a book and having a popular-ish blog) is that I have a small coterie of regular correspondents who send me interesting links and thoughts. One of these is a gentleman who sent me a copy of Leo Marks' Between Silk and Cyanide as a gift.

Along with the book came a cryptic note that there was an unsolved mystery in the book. Later I asked him about the mystery, which turns out to be this passage:

I've thought about this and am having a hard time coming up with a solution. What could one agent be told that he would not forget but would be unable to recall? Something he could pass on (not in writing) to the other agent, but that if captured and tortured he'd be unable to reveal.

Any clever thoughts?

PS The only thing I got reminded of was this paper: Passwords you'll never forget, but can't recall. Perhaps PANDARUS took a photograph (or many photographs) and showed it (them) to MANELAUS. One would have meaning to MANELAUS but not the others; to PANDARUS none would have meaning.


ajuc said…
You mean something that has a solution that is easy to check, but hard to construct?

NPC problems come to mind. Maybe it was simply a very big prime? He could remember enough information about it to identify it when someone presented it to him, but not enough to make it easy to find that number.
ajuc said…
On second thought - this depends on knowing a large prime that the enemy doesn't know.

Better to just use RSA :)

But this requires our agent to remember a huge number.
Terence Eden said…
Post hypnotic suggestion?
irve said…
You cannot recall smells...
conosp said…
Hi, I'm playing guitar, and I know a few songs I can play without looking at the partition. The funny thing is that I'm totally unable to write down the notes out of my head. Only my fingers seem to know the notes. Also, if I try to play the song slowly to pick every note one by one, then I'm not able to play the song anymore. I guess the problem described in that post might use a similar idea.
rpauli said…
Ear worms.

Recalling the early Hitchcock movie "The 39 Steps" - wouldn't a musical composition fit the bill?

I might read music, play the tune, remember the tune - but be unable to transcribe the musical notes.
Ace Munroe said…
Could it not be a photo that the checker himself does not look at, merely presents to the other agent and asks a question? As he would no longer be in possession of the photo at the time of capture there is no way to recreate this situation.
Rob Chevalier said…
A tattoo on the outer eyelid. I suppose that counts as writing though.
The first thing that came to my mind was some sort of pheromone or radioactive tagging. Maybe even a harmless virus that causes one's sweat to contain a molecular tag - again possibly a pheromone.
johnpane said…
I don't think photographs count. If Pandarus is captured he would be found with the photos, and could remember which one Manelaus should recognize.

I think the correct answer is a smell. If it is unique enough, Pandarus would recognize it if Manelaus were able to produce it. Yet he would not be able to remember it, at least with sufficient detail that he could pass on the information to his captors.

(I see someone beat me to this answer.)
Los Thunderlads said…
I think Irve is onto something.
These days, if the agent is male, semen/DNA. Them days, some tagged substance used to seal the letter.
Jimmy T said…
The password was "Jesus" and they probably gave him something he could not possibly have remembered, so he'd say "Jesus..." instead.
uttiyo said…
This HAS to do with a standard pack of 52 playing cards. I am a math-retard here. Can anyone come up with a way to use this?
AntiRush said…
rpauli, you're thinking of The Lady Vanishes.

In The 39 Steps, the secret is in the mind of "Mr. Memory", who certainly can recall it.
John Gordon said…
Maybe it was a picture, sign or card in a non-latin alphabet or language, such as Arabic, Chinese, Cyrillic or Korean? The image would mean nothing if you don't know the language, but would be easily understood by the recipient.
forensa said…
The answer is "something you know or something you are"...

The point being you don't know what the password is, but ostensibly it's used to authenticate you - so a number of "soft questions" - mother's maiden name, birthplace, all the data you take for granted...

The other is "something you are", being facial, fingerprints, retinal, DNA - again, they don't need you to tell them the password, because *you are the password*.
Kevin said…
I recognize baby pictures of myself much more effectively than others do. I can't describe what I looked like accurately enough for somebody else to do this.
Something he can tell, but not recall? Simple: something he doesn't know. Perhaps the message is not the words he says, but is encoded in their arrangement; e.g. that this phrase appears first implies one thing; that he uses this word instead of another word with the same meaning means something else... If the enemy captures him he can tell them the exact phrase he was told, but he has no idea what the actual message is.
Unknown said…
The last part indicates that it's difficult to forget how it works, but the result is something that you probably won't remember. It has to be some easy to determine variable that changes over time, but is impossible to predict. For example, the current hour plus the current minute of their meeting, the previous night's low temperature, and/or the first word of the top headline in the local paper, etc. The identity check is simple, but not something you would remember from day to day. It's precise, but it doesn't have to be passed in writing, and meaningless to an enemy in another location.
Anonymous said…
There are some things in the English language that cannot accurately be conveyed, like smells and tastes. We are reduced to offering comparisons - just look at how wines have to be described by experts, for example.

So you could be given a unique smell/taste that you would remember, but be unable to accurately describe to someone else.

However, it was required that "What could one agent be told that he would not forget but would be unable to recall?" - Do you mean "repeat"? Otherwise it seems to be a contradiction. Also it was required "Something he could pass on (not in writing) to the other agent, but that if captured and tortured he'd be unable to reveal." Only if they had access to the original mixture, though, could they recreate the smell/taste to pass it on (say a bottle of strawberry, vinegar and mint). I am not sure this fulfils the requirements then?

Playing cards suffer a similar problem. Say you know that a deck, when stacked the right way and played through completely in say "21" where all players play house rules (stick on 17, etc.), will result in you winning every round. The trick being that the first player must lead with the highest card possible after all the higher cards have been dealt to you. That in essence becomes a binary problem, where you only know half the solution, until you need to pass it on, when you would be told about the first player having the highest card left and how many players there need to be to make it work.

This MIGHT fulfil the requirements, but so might any binary solution, as they require one of the agents to "call home" again to get the rest of the answer when passing it on.

Unless this is acceptable, I am not sure there is an answer that fulfils the requirements in the strictest sense?

The latter part of the original passage concerns me greatly. It suggests we are all miles away. Smells, numbers and cards can all be varied, so the "challenge-response" could be used many times. Here it is made very clear it can only be used once. This must mean it is based on fixed constants, with NO variables whatsoever. Say shaking hands with the left hand instead of the right - once the "trick" is known, it is useless forever as there is only one way of doing it "wrong".

Restating the problem, what is it that I cannot remember unless prompted? Yet could tell someone else what (or how to look it up?) it was.

The only solution I can come up with is facetious in the extreme, but is my wedding anniversary...
Unknown said…
perhaps the secret is *how* rather than *what*.

how you respond when you don't know something: but where the focus of attention is on the answer itself.

for example, it would be expected that soe agents would know some things about the soe, but not all things.

an agent could ask another about how x's daughter got into oxford. one part of that may be well known, the other might not. not knowing she went to cambridge could catch you out in a lie: or by letting it slide, the interrogator can learn that the agent knows daughter went to a uni, just not which one.

an impostor wouldn't (necessarily) know they'd made a mistake. a genuine agent might realise it and raise the matter again later.

if the questions are based upon shared cultural knowledge, rather than operational knowledge, it's harder to know what might be asked. a person will be able to answer/respond appropriately to questions about their own background - but having no idea what questions might be asked, can't divulge them to anyone else.

the interrogator doesn't even have to know all the answers to the questions they ask either. just share enough 'common knowledge' to ask the 'right' questions - and in the 'right' way.

thus, it would be possible for the interrogator to give away that they're (potentially) an impostor as well ...

common cultural knowledge is generally *assumed* - you don't have to recall how to eat things, or the nicknames of local sporting teams. you *know*. but if you don't know what questions might be asked, it's hard to learn the 'right' answers.

getting a few wrong ought not to be fatal to self-identity, but getting the wrong ones wrong could be.
Unknown said…
A song can be easily recalled by a person when another person sings it for them and with them; however, the words cannot be easily remembered under duress or force. The same applies to melodies and musical notes.
sdf said…
Two thoughts: 1) Pavlovian conditioning - the passage says P was "briefed by signals," but that doesn't necessarily mean P knew he was being briefed. There could be a particular tick or word that is triggered (which would also allow Zone Commanders to use their own "codes"). P could be trained AND tested without even knowing it. 2) A particular, but seemingly innocuous, addition to P's environment - maybe red stripes on his pillow - which would be a constant, but not the sort of thing one would associate with identification. Again, this would allow the Zone Commanders to use their own identifications.
kurtdriver said…
How about a Rorschach test? Assuming that Menelaus has the same response each time he sees it, it would work and Pandarus wouldn't need to know it.
jared chandler said…
A picture of the agent's mother.
brendan said…
Along the lines of matthewplazin, the agent could be told an arbitrary Shakespearean passage, for example.

The person to be checked knows this passage well, and can recite it. The checker knows it well enough to recognize it when recited correctly, but could not possibly recite it himself.
Natanael said…
"Tacit knowledge".

Motor skills (doing a fancy trick with a bike could be one) or other skills that an individual can learn but not teach so accurately that it can be perfectly copied, that also can not be imitated well enough.

But that also means that the identifier must have the corresponding tacit knowledge for how to recognize the right person; he must have seen him do the task his own way *many* times.
Frank said…
Some kind of challenge-response thing comes to mind. Especially if the use of a photograph is "allowed".

You can always remember the general motive/scene of a photograph; but details only to a specific level unless you know what to look at.

The challenge has to be dynamic, ie. something "random" the challenger could ask if he has a copy of the photo.

Challenge: "How many apples are visible on the second branch of the tree on the left?"

or: "What object do you see 3.5 cm from the top, 2.1 cm from the left?"

You might remember the answer you have given, but that is useless since you don't know what question you will be asked next time.

This can even be used to "encrypt" information: "Multiply the number of enemies you saw with the number of people wearing black shoes in the picture".

Effectively just like the MD5 Challenge-Response protocol.
DrKayT said…
Perhaps Manelaus and Pandarus were married to each other for a very long time.
S.A.M. said…
If they're checking in physical proximity, it could be as simple as writing something on the agent's back, where he couldn't see it.
BenN said…
How about using muscle memory? Like typing a password - you can take the letters off the keys and still type in your password - have the guy remember a sequence of key presses (on a randomised keyboard layout), but not the characters on those keys. He'll be able to reproduce the message on another keyboard, but won't be able to tell the enemy how to arrange the keys on that keyboard.
Anonymous said…
A possible solution: The Spymaster going to France learns a number of poems. When he trains a WT operator, he teaches him one of these poems for identity checks. On the WT Op's first transmission, he transmits, encoded, the first word of his poem. SOE then responds with say 3 numbers (e.g. 3, 7, 15); and the WT Operator replies with the words of the poem corresponding to those numbers. SOE can test for correctness, knowing the poem by its first word.
Now the spymaster in France knows the poems, but he doesn't know what identity check the WT operator used. Even if he reveals the poem (preferably with a few mistakes), the Germans have to decode the WT Operator's inbound traffic to get the numbers that were sent by SOE.
That's the verbal version. A better approach is to have the poems in unmarked envelopes (actually wrapped silk, so they can't be read) and the spymaster gives the WT a random silk, and the WT op learns the poem, & destroys the silk, but doesn't reveal it to the spymaster. Then the spymaster knows nothing.
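The poem word-check sketched in the comment above (and, in the same spirit, Frank's random-question-about-a-photo scheme) worked through as an added example; this is not code from the post or the book, and the poem pool and three-position challenge are constructed stand-ins. The last function shows what an adversary who decodes both directions of traffic actually learns from past checks: only the words at positions that were challenged.

```python
import random

# Constructed poem pool standing in for the poems SOE would hold (not the book's real poems).
# In the comment's scheme each poem is identified by its first word, so first words must be unique.
POEMS = [
    "the quality of mercy is not strained it droppeth as the gentle rain from heaven",
    "shall I compare thee to a summers day thou art more lovely and more temperate",
    "tyger tyger burning bright in the forests of the night what immortal hand or eye",
]
POEM_BY_FIRST_WORD = {p.split()[0]: p.split() for p in POEMS}
assert len(POEM_BY_FIRST_WORD) == len(POEMS), "first words must be unique"


def operator_hello(poem_words):
    """First transmission: the operator sends only the poem's first word (encoded in real traffic)."""
    return poem_words[0]


def soe_challenge(first_word, k=3, rng=random):
    """SOE looks up the poem by its first word and picks k distinct 1-based word positions at random."""
    poem = POEM_BY_FIRST_WORD[first_word]
    return sorted(rng.sample(range(1, len(poem) + 1), k))


def operator_response(poem_words, positions):
    """The operator answers with the words standing at the challenged positions."""
    return [poem_words[i - 1] for i in positions]


def soe_verify(first_word, positions, response):
    """SOE checks the reply against its own copy; a single wrong word (a 'deliberate mistake') fails."""
    expected = operator_response(POEM_BY_FIRST_WORD[first_word], positions)
    return response == expected


def eavesdropper_knowledge(transcripts):
    """What an adversary who decodes both directions learns from past checks.

    transcripts: list of (positions, response) pairs for one operator.
    Returns the position -> word map recovered so far; positions never challenged stay unknown,
    so repeated checks leak the poem gradually, which is why a check should not be reused forever.
    """
    known = {}
    for positions, response in transcripts:
        known.update(zip(positions, response))
    return known


if __name__ == "__main__":
    poem = POEM_BY_FIRST_WORD["tyger"]
    hello = operator_hello(poem)
    positions = soe_challenge(hello, rng=random.Random(7))
    reply = operator_response(poem, positions)
    print(hello, positions, reply, soe_verify(hello, positions, reply))
    print(eavesdropper_knowledge([(positions, reply)]))
```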
