Full Report
The Business of Secrets: Adventures in Selling Encryption Around the World by Fred Kinch (May 24, 2004) From the vantage point of today, it’s surreal reading about the commercial cryptography business in the 1970s. Nobody knew anything. The manufacturers didn’t know whether the cryptography they sold was any good. The customers didn’t know whether the crypto they bought was any good. Everyone pretended to know, thought they knew, or knew better than to even try to know. The Business of Secrets is the self-published memoirs of Fred Kinch. He was founder and vice president of—mostly sales—at a US cryptographic hardware company called Datotek, from company’s founding in 1969 until 1982. It’s mostly a disjointed collection of stories about the difficulties of selling to governments worldwide, along with descriptions of the highs and (mostly) lows of foreign airlines, foreign hotels, and foreign travel in general. But it’s also about encryption...
Analysis Summary
# Main Topic
Historical analysis of the commercial cryptography market circa 1970s-1982, focusing on the era of uncertainty surrounding encryption strength, proprietary hardware sales, and governmental influence over the industry, as detailed in Fred Kinch's memoirs, *The Business of Secrets*.
## Key Points
- **Pervasive Ignorance:** During the 1970s, both producers and consumers of commercial cryptography lacked certainty regarding the actual security strength of the encryption products being sold and purchased.
- **Datotek Operations:** Fred Kinch's company, Datotek (founded 1969), initially marketed computer-file encryption but pivoted to link encryption (low-speed data, voice, fax) based on market demand.
- **Regulatory Control:** The NSA heavily controlled the fielding of strong cryptography by classifying academic mathematics papers and aggressively enforcing International Traffic in Arms Regulations (ITAR).
- **Internal Security Concerns:** Kinch sold hardware based on logic diagrams featuring four linear shift registers (29, 23, 13, and 7 bits) with variable stepping and a small nonlinear final transformation, which, by modern standards, seems insecure.
- **Competitive Landscape:** The largest competitor to Datotek, the Swiss company Crypto AG, was secretly owned and controlled by the CIA and its West German equivalent.
- **Vulnerability Disclosure:** Datotek only learned they received an expert license because the NSA had already managed to break their systems. A specific example of weak security involved an Argentine sergeant with a "hearing defect" understanding scrambled analog voice until Datotek patched only the Argentine units upon complaint.
- **Security by Trust:** The core security relied entirely on customer trust, as validated technical assurance was non-existent.
## Threat Actors
- **National Security Agency (NSA):** Actively controlled the cryptography market through regulatory blocking (ITAR) and classified promising cryptographic research, even spying on/breaking commercial encryption before granting licenses.
- **Central Intelligence Agency (CIA) / BND (West German equivalent):** Operated a significant competitive entity (Crypto AG) that controlled a major segment of the global encryption market.
## TTPs
- **Market Manipulation:** Utilizing ITAR to block competing foreign or unapproved domestic strong cryptography from entering the market.
- **Intelligence Gathering:** Borrowing or purchasing cryptographic units from vendors (like Datotek) under the guise of evaluation, likely to analyze adversary capabilities or break the encryption schemes.
- **Exploiting Weaknesses:** Allegedly exploiting cryptographic weaknesses in commercial products (implied by gaining licenses only after being able to break the systems).
## Affected Systems
- Commercial cryptographic hardware sold for securing low-speed data, voice, and fax communications during the 1970s.
- Datotek's specific telephone encryptors utilizing four linear shift registers.
## Mitigations
*Note: Since this is a historical summary, mitigations focus on the lessons learned rather than specific contemporary fixes.*
- **Do Not Rely on Secrecy Alone (Key Management):** Kinch carrying physical schematics highlights the danger of relying solely on obscurity for security.
- **Verification over Trust:** Modern cryptography should not be accepted purely on trust; mathematical rigor and public scrutiny are essential (contrasting sharply with the 1970s market).
- **Avoid Single-Sourced Ciphers:** The reliance on proprietary hardware/algorithms without independent validation proved risky.
## Conclusion
The commercial encryption landscape of the 1970s was characterized by high uncertainty, government manipulation, and systemic security reliance on proprietary trust rather than verifiable mathematics. While Datotek's products were supposedly superior to existing electromechanical methods, the entire ecosystem was compromised by intelligence agencies controlling the competitive field and possessing hidden knowledge of existing product flaws. This history underscores the critical maturation required for commercial cryptography to become a trustworthy field.