There is little in the public record that discusses just how Permissive Action Links (PALs) work. This isn't surprising, of course; remarkably little has been published about most technical details of nuclear weapons design. Even so, much more has been published about the so-called "physics package" than about the control aspects. This may be because something that goes bang is sexier, of course. But it may also be because fission and fusion are natural processes that can be studied in the abstract. Someone can reinvent the atom bomb (as, indeed, many have done). A PAL is an engineering artifice, with many possible design choices. Furthermore, the design of a PAL is based on cryptography, and cryptography has always had the aura of the forbidden.
The U.S. military resisted PALs for a long time. Eventually, they were persuaded because of the greater freedom it gave them: in times of tension, they could disperse nuclear weapons to block easy destruction or capture, while still retaining control over their use.
Despite that, they didn't deploy PALs that quickly. In 1974, when an armed quarrel broke out between two members of NATO (presumably Greece and Turkey, though the reference doesn't say), the Secretary of Defense learned that many tactical nukes were not equipped with PALS [R04]. Worse yet, he learned that some military commanders of these nations wanted those nukes.... It took two more years before PALs were completely deployed. Even then, the Pentagon dithered; at ICBM silos within the U.S., the "secret unlock code" was set to 00000000. On the other hand, some PALs were deployed by the time of the Cuban Missile Crisis [GS94], though the deployments did not yet include the Jupiter missiles in Turkey. This fact was of some concern at the time; under President Kennedy's orders, the Joint Chiefs of Staff ordered the U.S. commander in Turkey to destroy the missiles–which, unlike their nuclear warheads, were under Turkish control–rather than let them be launched without his explicit permission. (This might suggest that Alternative I–presumably the highest-priority deployment–specified Germany and/or France.)
PALs are supplemented by "coded switch systems". These are devices that prevent the release or launch of an armed nuclear weapon. For example, when B-1 bombers are on alert, the PALs in their weapons are unlocked before takeoff. But the crew can't use those weapons until they receive an authorization code. (In some planes, the crew can communicate with the PALs from the cockpit. This feature was omitted in the B-1, apparently as a cost-saving measure.)
Given this, it is not surprising that Navy weapons are not protected by PALs. In their normal environment, there is relatively little risk of capture, no foreign nationals have custody, and communications with (especially) submarines is somewhat problematic. Only when the weapons are brought ashore is a PAL activated, and then only for things like nuclear depth charges [B93, SF87]. In place of PALs, an elaborate set of procedures, involving the PA system, several different keys, and the participation of most of the crew is necessary for a nuclear submarine to launch its missiles [C87c]. All that notwithstanding, a use control system, apparently similar to the coded switch systems, has recently been added to the submarine fleet. For that matter, by the early 1970s the insider threat was realized; this was the motivation for the installation of use control systems on the bombers and on the strategic missiles by 1976/7 [B04].
Several different mechanisms are used to prevent accidental detonation. First, there is the "strong link/weak link" principle. Critical elements of the detonator system are deliberately "weak", in that they will irreversibly fail if exposed to certain kinds of abnormal environments. A commonly-used example is a capacitor whose components will melt at reasonably low temperatures. The "strong" link provides electrical isolation of the detonation system; it only responds to very particular inputs. Naturally, this entire subsystem is physically packaged in such a way as to shield critical parts of the weapon from any unwanted electrical energy. A very detailed description of strong and weak links can be found in [PG98].
Bombs are also engineered to fail gracefully. For example, the high-explosive shell is closely matched to the characteristics of the fissile materials in the pit; if anything but the exact proper detonation occurs, there should be no nuclear reaction. The design goal for the safety mechanisms is a probability of less than 10-6 that an accidental detonation at one point in the explosives surrounding the core can cause a detonation equivalent to more than four pounds of TNT, and the probability of an accidental nuclear detonation due to component malfunction be less than 10-9 for normal conditions, and 10-6 for abnormal conditions [H90a] [H90b] [D93].
Advances in computers have permitted the use of three-dimensional models of bomb components. These have shown that earlier two-dimensional models were dangerously misleading. Apparently, the danger was greater than had been appreciated that an accidental explosion could cause dispersal of radioactive materials or even a nuclear yield [H90a] [H90b] [D93].
Coupling between at least some different stages of the detonation system is by means of a moderately complex digital signal, and not a simple contact closure [C87c]. Again, the intent is to prevent accidents. It is possible that PALs function by decrypting this signal, though that by itself would not achieve the no-bypass design goal.
Bombs are also protected against accidental (and some unauthorized) detonations by "Environmental Sensing Devices" (ESDs) [SF87]. ESDs detect the normal physical environment expected for that weapon. For example, a nuclear warhead in a missile would experience high acceleration, a period of free fall, and then some deceleration. Its ESD is designed to detect those conditions; the warhead is not armed until they occur. Someone who stole the warhead could not detonate it unless the launch system was stolen as well. Of course, in some situations that is a risk, too.
In at least one incident, a nuclear weapon did come very close to accidental detonation. In 1961, a B-52 with two large warheads crashed near Goldsboro, North Carolina; the impact set off the conventional explosives in one of the bombs, and triggered all but one of the safety mechanisms in the other [C87b].
PALs are powered by radioisotope thermoelectric generators [A94]. An RTG provides for very long lifetime with little maintenance required. They work by alpha decay of plutonium-238, a non-fissile isotope. The limiting factor on the lifetime of an RTG is helium buildup.
These locks were in use at least as recently as 1987. In 1981
-- almost 20 years after PALs were invented–about half of the U.S. nuclear
weapons in Europe were still protected by mechanical locks [SF87].
I haven't yet found anything about setting C.R.M.-114 discriminators to "FGD 135", let alone "OPE"...
It is known that PALs work on cryptographic principles. A common supposition is that the arm code is in fact a key that is used to decrypt some of the timing data. Phil Karn made the following suggestion:
It isn't clear that that works. Apart from the possible ease of determining the types of the different explosives, the goal of the implosion is as near-perfect a spherical shock wave as possible. Traditionally, this has been done by covering the sphere of explosives with equally-spaced detonators and triggering them simultaneously. There would not appear to be much room for variation, especially since the tolerance is only about 100 nanoseconds.
A timing-based PAL is much more logical if a non-spherical explosive shell is used. If some of the explosives were thicker, they would have to be fired slightly sooner. This may be desirable even with a spherical arrangement, to achieve higher yield. It is mathematically impossible to have both detonators that are exactly equally spaced and an adequate number of them. Timing variation may compensate for that. Similarly, an asymmetric fissile core would require non-simultaneous detonations. Such a variant is not at all inconceivable. Hansen [H88] reports early experiments with such things. Furthermore, at least one model of a nuclear artillery shell imploded a cylindrical core. (The motivation for such shapes is the geometry plus size constraints on the warhead. The B61 bomb, for example, is only 12" (30 cm) in diameter. This does not leave much room for a sphere of high explosive surrounding a pusher, a tamper, an air gap, and a fissile core.)
During the investigation into alleged Chinese espionage against the U.S. nuclear weapons programs [H99], it was disclosed that modern U.S. hydrogen bombs do, in fact, use a non-spherical core [NYT99]. This is apparently a key technique in building miniaturized warheads. [SH01] states that two-point detonation is used on warheads like the W88.
It does not appear to be feasible to build detonators that have their own delay elements. In fact, the problem all along has been to build detonators that would fire at a predictable time after triggering. Known designs require high current and high voltage; switching this is non-trivial.
Modern bombs use complex electronics. An early attempt by India to test their bomb is rumored to have failed because of an electronics malfunction. Some newer U.S. bombs use microprocessor-based controllers and sequencers, an design choice that would not have been taken without pressing need.
Another possible design principle–this is speculation; no authoritative sources have said this–would be scrambling the wires [CZ89]. Suppose that a group of wires led into a scrambling unit. The scrambling unit would have a set of Enigma-like rotors; only if they were all in the proper position would the proper connections be made. If it were not obvious how the wires should be connected–and if, perhaps, they were embedded in epoxy as they entered and left the unit–it would be very hard to analyze them and hence bypass them. At the very least, there would be a delay of several hours while the circuitry was analyzed.
The simplistic encryption idea doesn't fit the newer CAT D and CAT F devices. As noted, those models use multiple codes that can arm different sets of devices. Some PALs have a "training key"–a code that gives a useful response during an exercise, but does not actually unlock the device. At the least, these imply a level of indirection in the key structure. Furthermore, there must be a command channel to allow for changes to the group structure.
At least one source suggests that the actuating mechanism is mechanical, not purely electronic. This would also tend to contradict the design hypothesis given above. The course on PALs doesn't seem to explain such details, either... Feaver [F92] suggests that a possible PAL design principle involves physically moving assorted parts into the proper positions. There is precedent for that–not only were the very first nuclear weapons partially assembled on board the plane, an "automatic insertion" device was later used to mechanize that step [H90a]. (Another early mechanical safety mechanism was a boron-cadmium wire in the center of the pit. The boron and cadmium would, in theory, absorb enough neutrons to damp the chain reaction. To arm the bomb, the wire was withdrawn. This turned out to be problematic on the W47 warhead. When the device had been in storage for a while, the wire tended to break during withdrawal. For a time, much of the U.S. nuclear submarine fleet was armed with defective warheads [H88], until the bomb was redesigned.).
PALs seem to rely on cryptographic principles and tamper-proof design:
An admiral was less convinced of their absolute safety, though this was 10 years earlier:
The Permissive Action Link (PAL) Program consists of a code system and a family of devices integral or attached to nuclear weapons which have been developed to reduce the probability of an unauthorized nuclear detonation... [M76].
We must distinguish between a safety mechanism and a security system. The former is designed to prevent accidental detonations; the latter is designed to resist a determined adversary.
Unique signals are safety mechanisms. The High Energy Weapons Archive says that the current unique signal uses "digital communications and codes". Earlier unique signal generators used a signal of a type that did not occur elsewhere in the weapon, and was unlikely to arise by accident. For example, [S72] describes a train of square waves generated by a wind-up device. [MSC92] describes the unique signal concept in great detail, including the very detailed analyses that went into modern designs. (You can find a mathematical analysis at [C01].) Among the (surprising) conclusions of this analysis are that keyboard input does not meet the safety and reliability requirements–using, say, hexadecimal digits is unsafe; asking the user to type 24 bits is unreliable. (Modern unique signal generators use a 24-bit input, and lock up if an erroneous bit is entered. Some older designs have a "reset" signal, and hence permit multiple tries; these use 47-bit input sequences.) Remarkably, the unique signal is usually considered unclassified [MSC92], which is pretty good evidence that it's not part of a security mechanism.
If a keyboard isn't used, what is? The suggested mechanisms rely on an operator physically inserting something–a ROM key, a bar code, etc.–into a reader.
The safety mechanisms are shown in the following schematic:
(Diagram adapted from [C87c].)
[S72] suggests an alternative scheme, where the human intent signal is passed in series through the environmental sensor. However, the unique signal itself is generated immediately before the strong link.
Drell [D93] strongly supports the notion that PALs protect the digital signal path:
There are several powerful principles here. First and foremost, a bomb will not detonate unless sufficient electricity reaches the detonators. If you can block that–and there are two strong links, either one of which can do so–you've rendered the bomb harmless. Consequently, a good design principle for a PAL is one that blocks the current flow.
It is also reasonable to suspect that the switches are mechanical in operation, rather than electrical. An electrical switch could more easily be closed by accident, if a stray piece of metal were to short-circuit a pair of wires. Furthermore, if the PAL does indeed operate the switch, a rotor-like configuration is ideal. There are many possible settings, and no simple contact closure will produce a current path. In fact, given that Drell notes that each gate has one chance in 103 of failing, it is tempting to conclude that three digits of the PAL code are used to arm each gate. (The environmental sensor gate, then, would be operated by a combination of PAL input and trajectory data.) That is clearly an oversimplification, though; the gates have to resist accidents, including fires and impacts, as well.
The simplicity of the design carries with it a corresponding price, however: it implies a lot of reliance on the protective barrier. Someone who could breach the barrier without activating the safety mechanisms could indeed bypass both the PAL and the environmental sensors. Furthermore, this barrier must also be resistant to enemy attempts to induce bomb failures. To give just one example, X-rays, which could be used in an attempt to probe the barrier, are one form of threat that the protective structure senses [C87c], and hence one that could presumably lead to a self-destruct sequence. But X-rays have also been considered as a defensive measure against nuclear weapon attacks. Indeed, bombs release much of their energy as X-rays [R95].
If this guess at a design is correct, the rotor settings are the actual
cryptographic key. Presumably, these are rarely changed–one would
have to open the sealed environment to do so. But the settings could
be encrypted in an external PAL key; this in turn could easily be
changed by a microcomputer embedded inside the bomb's protective
Another possibility is changing the timing of the "initiator". The initiator supplies the initial neutrons to start the chain reaction; in a modern bomb, this is done by an electronic device. Hansen [H88] notes that this is a critical parameter, and can act as a failsafe device. But it isn't clear that this is reliable enough to be use for PALs; there is a moderately high probability of of neutrons being present from spontaneous fission, especially of Pu-240. A chain reaction started by stray neutrons wouldn't have nearly as high a yield, but it would still be significant. (In a related vein, Hansen also notes that the timing of the injection of a deuterium-tritium "booster" into the center of the pit is critical to the yield of the weapon. If this timing is controlled by the PAL, the enabling code can vary the damage done by the weapon, as mentioned earlier.)
Given that earlier PALs seem to work by interrupting the high voltage supply, it is tempting to try to build on this principle but with stronger cryptographic backing. Bombs get their high voltage detonation current from a bank of capacitors; these in turn are charged from batteries. A typical battery-driven charging circuit–as is incorporated into ordinary electronic flash units–works by pulsing the battery's DC output and feeding that into a transformer. The output of the transformer is fed to the capacitors. Suppose that the frequency of the pulses is controlled by a microprocessor, with a narrow bandpass filter between its output and the transformer. The pulse frequency would have to be just right for the charging circuit to work. Better yet, have several filters switched in and out of the circuit by the microprocessor, which of course would switch the pulse frequency accordingly. If the timing and frequency information were encrypted using the PAL as a key, it would be improbable that the capacitor would be charged. One could add a few more wrinkles, such as a computer-controlled drain circuit and closely matching the battery's maximum output to the necessary charge values.
It is quite unclear if this scheme can be made to work. If nothing else, the circuit is quite involved, and would require careful analysis. Furthermore, the high-voltage circuit components are of necessity outside the tamper-resistant barrier; it might be too easy to wire around them. Finally, building a high-voltage power supply is a relatively easy task; an enemy who gained possession of a nuclear weapon might be able to replace those circuits entirely.
Finally, actual sections of microprocessor code could be encrypted. If the essential detonation sequence is complex enough, and in particular if it relies on decisions made by the microprocessor in response to actual conditions in the bomb, this would be a powerful defense. The unknown question, of course, is whether or not an adequate yield could be obtained by a much simpler control mechanism. Also note that the decryption key would have to be present in the actual code. Suitable reverse engineering of the code would reveal this key.
It is reasonably probable that public key cryptography is not used directly. No known public key cryptosystem uses keys as short as 6 or 12 digits. (Of course, the lack of any visible plaintext or ciphertext might thwart most cryptanalysts...) Feaver [F92] repeatedly points out the difference between the enabling message–the PAL unlock code–and the authorization message–the message from the National Command Authority authorizing the use of nuclear weapons.
[WR708] says that a protoype PAL based on public key cryptography has been built, but that it has not been deployed. No further details are given in the non-redacted portion.
Public key cryptography might be used in the overall command and control system. The code values carried by the President are identification and authentication information, not PAL codes themselves [B93]. (There have been accidents with the custody of these, too. Carter's codes were left in some clothing that was sent to the dry cleaners; Reagan's were inadvertently taken by the FBI (with his clothing) when he was in the hospital following the assassination attempt [F92].)
There is a reasonably clear statement about the basic design principles of these codes in a Congressional hearing:
How do the people down the chain of command, who are the recipients of the Presidential order, know that the order, in fact, has come from the President, rather than an impostor?
Admiral Miller: We have incorporated in the release process not only the order to do the job, but an elaborate, highly secure, coded authentication system, where you not only get the order, but you get an authentication that the order is valid.
That prevails all the way down the line, actually almost to the weapon itself. In some instances, that technique exists right at the weapon [M76].
A counter-argument against use of digital signatures for such purposes is their length. Some of the radio systems used or contemplated for Emergency Action Messages (EAMs) are extremely low bandwidth. Extremely Low Frequency (ELF) radio is restricted to about one bit per minute after error correction; Very Low Frequency (VLF) operates at "slow teletype speeds" [C87a].
The actual PAL codes are in fact fairly widely disseminated, though not to the level of individual weapons commanders. The authorization codes are much more tightly held, though the extent of the delegation is classified. Recently declassified documents confirm that the president has in fact delegated such authority.
There is clearly a place here for sophisticated key management techniques. Cotter suggests that such are used [C87c]:
My guess is that the CAT A, B, C, and D PALs were, in effect, electromechanically-operated devices similar to the rotor mechanism described earlier. Most likely, they interrupted the high voltage path. They were definitely electromechanical, and I doubt very much that mid-60's technology would have permitted an electronic encryption-based design.
CAT F is at least partially electronic. ([H88] says that modern PALs are microelectronic in nature.) The design principle appears to be control of the detonator current, coupled with the tamper-resistant barrier. I have found no evidence to support any of the hypotheses involving encrypted code or timing information. These remain the best bet for an inherently safe PAL design, however, and Cotter [C87c] does hint that CAT F–unlike earlier models–is inherently impossible to bypass. He also says "electronic information processing based on cryptological techniques was incorporated in the coded switch and controller circuitry." It seems plausible that control of the D-T pump timing and the initiator are encrypted timing signals; doing so would be very straight-forward, and would provide a strong control over total yield of a stolen bomb, if not necessarily over actual detonation.
Security in the prototype was provided by inaccessibility; the new box is buried deep inside the bomb, so you'd have to disassemble and reassemble the bomb to bypass it.
Here's the crucial text from the memo:
A small electronic or electromechanical coded receiver (decoder) would be installed in the weapon in a relatively inaccessible location. This decoder would be connected by a cable to a connector in an accessible part of the weapon, such as on the warhead protective cover or near one of the access doors. A particular, resettable coded signal would be required through this connector to operate the decoder. The output switch of the decoder would interrupt critical arming circuits at any time prior to operation, and would complete these circuits only upon receipt of the proper coded signals.
The critical arming circuits to be interrupted would be the inverter to converter circuits and the nuclear arming circuits in capsule type weapons, the high voltage safety switch circuits in high voltage thermal battery type weapons, and the converter input circuits in chopper-converter type weapons.
This makes more sense than my notion of interrupting the current from the high voltage source to the detonators, for several reasons. First, in older bombs there were many detonators — the Mk-5 bomb, for example, used 92-point detonation. Interrupting the detonation via a PAL would thus require 92 controlled switches. This is impractical.
It might work for a modern two-point bomb, though; you interrupt one detonator wire, and rely on the one-point safety property to prevent any nuclear yield. Still, if there's still an X-unit it has a very undesirable property: it's possible to arm the bomb without the PAL. That's a dangerous state; a bomb is much safer if unarmed.
One section of The Swords of Armageddon, available online, notes that environmental sensing devices also interrupt the arming path. (It also notes the existence of "motor-driven rotary safing switches which isolate power sources in a weapon from the firing components", perhaps partially confirming another speculation of mine.)
This suggests one of two possibilities. First, and most intriguing, the design of PALs may be so closely tied to the design of nuclear weapons that revealing the former gives hints on the latter. Nothing I've seen supports this theory, but it is possible. Second, the incremental risk if a U.S. nuclear weapon is compromised by another nuclear power is comparatively small. But a non-nuclear power–or group–would benefit greatly from anything that improved their odds of using someone else's bombs.
If, however, my guesses about the design are correct, PALs per se have little that is sensitive. But the tamper-resistant skin is another matter.
This document is about 650 slides for a one-week course on all aspects of nuclear weapons. The copy I received was heavily redacted.
Updated 05 Jul 18