Chalabi Reportedly Told Iran That U.S. Had Code

Everyone under the sun is talking about the NYT story “Chalabi Reportedly Told Iran That U.S. Had Code,” which takes to new heights a charge that emerged a few days ago:

Ahmad Chalabi, the Iraqi leader and former ally of the Bush administration, disclosed to an Iranian official that the United States had broken the secret communications code of Iran’s intelligence service, betraying one of Washington’s most valuable sources of information about Iran, according to United States intelligence officials.


The F.B.I. has opened an espionage investigation seeking to determine exactly what information Mr. Chalabi turned over to the Iranians as well as who told Mr. Chalabi that the Iranian code had been broken, government officials said. The inquiry, still in an early phase, is focused on a very small number of people who were close to Mr. Chalabi and also had access to the highly restricted information about the Iran code.

Obviously, a serious charge on a whole host of levels.

The obvious question is why anyone would divulge such an amazingly closely held secret to someone outside the inner circle, let alone one without a clearance, let alone a man with Chalabi’s dubious provenance. Matt Yglesias, while joking, is probably close to right: “Chalabi was treated and portrayed as a man whose interests were all-but-identical to those of the United States and, under those circumstances, why wouldn’t you share sensitive intelligence with the future leader of the New Middle East?” Josh Marshall has a similar reaction. Certainly, it’s plausible. Depending on who the classifying authority was on this, it was almost certainly criminal for anyone to have shared this with someone without a Top Secret clearance who had not been read into the compartmented program. Unfortunately, political appointees often don’t take the clearance process particularly seriously.

Kevin Drum is confident that we’ll find the answer to this one: “Unlike, say, Valerie Plame, the number of people who knew about the Iranian code and had contact with Chalabi has to be fairly small. There’s a real chance they could catch someone.” Not to mention that the incentive is reversed here: it’s clearly in the Administration’s interest to find the leaker.

Rick Lowry notes, “there is one strong reason to disbelieve the allegations–the CIA has been wrong about pretty much everything having to do with Iraq up to this point.” There is that.

Glenn Reynolds observes, “[T]he one thing I’m sure of is that we’re not getting the whole story here, for good or for ill.” Almost certainly, although it’s hard to see what the good might be.

James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College and a nonresident senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. He's a former Army officer and Desert Storm vet. Views expressed here are his own.


  1. Bryan says:

    Hey, isn’t this about the point where congressional committees start to be formed?

    It’s going to be a busy summer in Washington.

  2. Jeff G says:

    Possibly a sting?

  3. Hal says:

    “Possibly a sting”

    I think it’s this kind of “anything but reality” thinking that got us into this mess in the first place.

  4. Sam says:

    What I’m wondering is, what the heck code (or more likely, cipher) is Iran using that the NSA can break? There are a number of ciphers publicly available which are believed to be secure against any attack that the NSA can mount–the part that people and organizations get wrong is using the ciphers securely.

  5. Jeff G says:

    I call it not jumping to conclusions, Hal, but have it your way, you enormously smug dickhead.

  6. Jeff G says:

    oops, that should say “you enormously smug dirthead.” Sorry for the typo.

  7. Hal says:

    Wow, just hit below the belt right off the bat. Classy. Still, in perfect form with the whole way this debate has been waged. First jump to conclusions based on the information fed to us by frauds. When it doesn’t pan out, beat the crap out of anyone who dares to put 2 and 2 together.


  8. ibejo says:

    Sam –

    There are a number of ciphers publicly available which are believed to be secure against any attack that the NSA can mount–the part that people and organizations get wrong is using the ciphers securely

    The only cipher *guaranteed* to be unbreakable is a one-time pad, which brings its own logistical complications (a stolen or lost pad kills the entire batch which must be redistributed). I would not underestimate the abilities of the NSA to break any mathematically generated cipher. Methinks they are a bit more slick than you thinks they are… not to mention you have no idea what type of backdoors the govt puts in place, nor their ability to simply brute force a cipher. What was once thought impossible (regarding years of required computing power) even two years ago is cake nowadays…

  9. Dirthead says:

    Looks like unnamed sources are naming names again. Can Woodward be far behind?
    No defender of Chalabi here but it might be nice for us to know who his accuser is so we might judge the veracity of same. But, what the heck, this story is too good to wait for facts! Roll the presses, Deep Throat is back! Cue Dan Rather it’s Showtime!

  10. McGehee says:

    beat the crap out of anyone who dares to put 2 and 2 together

    Thing is, Hal, when you put 2 and 2 together it’s always 22.

  11. Bryan C says:

    Hal’s omniscience aside, it could be a sting. Obviously if you suspect someone of passing juicy nuggets of sensitive information then providing them with something juicy is the first step.

  12. Hal says:

    McGehee, do you do this professionally or is it just a hobby?

    Look guys, it has already been reported that the CIA has solid evidence of the leak – they do not doubt what has happened. Now we learn how the CIA got this evidence and it’s not like there’s a trail of bread crumbs we need Sherlock Holmes to figure out. . .

    Sure, it could be a clever sting operation of inverse, twisted, “now you have me right where I want you” brilliance, but it also could be a clever distraction from the horror of the newly discovered butt itching ray Iran developed. Really, keeping an open mind is speculating about possibilities that at least have some relationship to the known facts. Speculating about things there is absolutely zero evidence for is poor reasoning designed only to try to pull back the curtain from Toto’s mouth.

    The technical term, I believe, is “Red Herring”.

  13. Sam says:

    ibejo, brute forcing a good modern block cipher like AES (the Advanced Encryption Standard) is essentially impossible in any reasonable time. 128-bit AES has a keyspace of 2^128 or about 3×10^38. The universe is only about 3×10^17 seconds old, so if you had a cracker which could try a key every nanosecond, you would need 500 billion of them running since the beginning of time to have a 0.5 probability of hitting a key by now. The only hope for brute force in the future is quantum computing.

    AES was designed by two Belgians and vetted by scores of cryptographers. The NSA wasn’t involved in the design and only had an advisory role in NIST’s selection of Rijndael for AES.

  14. ibejo says:

    Sam: Not being a cryptographer, the following still sounds somewhat ominous:

    Let’s start from the beginning. A few months ago, Courtois and Pieprzyk posted a paper outlining a new attack against Rijndael (AES) and Serpent. The authors used words like “optimistic evaluation” and “might be able to break” to soften their claims, but the paper described a better-than-brute-force attack against Serpent, and possibly one against Rijndael as well.

    Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and then using an innovative technique to treat the terms of those polynomials as individual variables. This gives you a system of linear equations in a quadratically large number of variables, which you have to solve. There are a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier. (This is a gross oversimplification of the paper; read it for more detail.)

    The attack depends much more critically on the complexity of the nonlinear components than on the number of rounds. Ciphers with small S-boxes and simple structures are particularly vulnerable. Serpent has small S-boxes and a simple structure. AES has larger S-boxes, but a very simple algebraic description. (Twofish has small S-boxes, too, but a more complex nonlinear structure. No one has implemented the attack against Twofish, but I’m not willing to stand up and declare the cipher immune.)

    These are amazing results. Previously, the best attacks worked by breaking simplified variants of AES using very impractical attack models (e.g., requiring immense amounts of chosen plaintext). This paper claimed to break the entire algorithm, and with only one or two known plaintexts. Moreover, the first cipher broken was Serpent: the cipher universally considered to be the safest, most conservative choice.

    Bottom line: there will always be new and different ways evolving for breaking codes. Computing power will continue to zip along (Moore’s law) and theoretical physics (your ref to quantum computing) will continue to push the abilities. Crypto makes messages harder to read – not impossible. If you have the time (or a method to shrink the time to a point that the info is still useful), you’ll eventually break it down. We always have and will continue to do so. Just saying the NSA *probably* has some capabilities we can’t even dream about….

  15. Hal says:

    They could have broken the key exchange mechanism, which renders any worry about how long it would take to break AES moot. Or they could have placed a clever virus in their compilers and/or numerical code libraries which feeds select data back to its masters. They could have just got some Iranian intelligence agent drunk one night and stolen his public key from his USB keychain.

  16. Y2Kbug says:

    Tonight on the O’Reilly Factor (8PM EST on FOX news), will be a discussion on a link between Saddam and al Qaeda.

  17. Sam says:

    ibejo: I’m not a professional cryptographer, but I do have an interest in the area. I am aware of (but not following very closely) the paper you mention.

    Hal mentions more practical ideas on attacking a system. Real attacks on real systems usually focus on things other than the cipher. Well, except for groups which try to do crypto and security without any actual crypto and security experts. DVD, GSM phones, 802.11b “WiFi”, and Bluetooth all come to mind as recent systems which were broken because non-experts tried to build security systems.

  18. ibejo says:

    Sam: We’re in agreement 😉 Easiest way to “break a code” is by getting the comm clerk on your payroll by using a hooker