(3 of 5)
The fourth key, a purple one, was called the captain's indicator-panel key, or CIP key. The commander would insert it into a large gray metal box in the command and control center just forward of the conn. The CIP key was one of the last that had to be turned to complete electronic circuits and activate the weapons system.
In the Nebraska's missile-control center, behind where Freeland stood during a launch, sat three heavy safes, painted tan, stacked one on top of the other. On the front of each safe were two combination locks, and inside each safe were stored copies of the CIP key. The safes were guarded in the missile center 24 hours a day by two sailors, and an alarm sounded throughout the sub when someone tried to open them.
No one on board had the combination to these safes. Those numbers came in the third part of the emergency-action message that Thorson and Davis translated. The final electronic link needed to launch the missile would come from shore.
The fourth element of the message contained a row of randomly arranged numbers and letters for the Sealed Authenticator System code, one of the most closely held secrets in the U.S. government. A Trident has to have some way of being absolutely sure that the launch order radioed to it is legitimate. The crew has to be confident that the emergency-action message actually comes from the President, that a hostile country or a rogue American general or simply an impostor hasn't broken into the defense-communications network and transmitted a phony order to start World War III. The Sealed Authenticator System code is the final step a Trident would take to verify that the order is for real.
The supersecret National Security Agency produces the sas codes. Agency machines stamp the same computer-generated code of randomly arranged letters and numbers on two plastic cards. The machine then seals each card in a shiny metal foil. The code cards are nicknamed sas cookies because they look like wafer bars wrapped in tinfoil. The machine was specially built to do all the stamping and sealing itself, so no human eyes ever see the numbers and letters printed on the cards.
One of the sealed cards is placed aboard the Trident. Its twin, with the identical numbers and letters, is kept by the Strategic Command. When stratcom's generals drafted the emergency-action message to launch nuclear weapons, they would break open the sealed card and print its authentication code in the order. At the other end, the Trident captain could break open the card he had and compare the code on it with the arrangement of numbers and letters in the message. If the two codes matched, the captain could be certain that he had a valid launch order.
Thorson and Davis finished deciphering the message. If this had been a real launch, they would have opened a safe above a crypto vault along the room's port bulkhead, which stored the sas cookies. The sealed authentication codes were delivered to the Nebraska under tight security. Even if a spy managed to steal one, it wouldn't do him much good. Each cookie is specially manufactured so that if someone unwrapped one to copy its code, the card could not be resealed and put back into the batch. The Nebraska also kept boxes full of the cards on board. If terrorists hijacked a batch of the cards on land, the Navy would simply send out a radio message to the sub to use other boxes with cards.
The SAS safe was actually two safes in one. The outer door, with a combination lock to it, opened to an inner door with another combination lock. Behind the second door were stacked the cookies. Thorson had the combination for one of the locks; Davis had the combination for the other.
Thorson and Davis took the emergency-action message to the conn. Lieutenant Commander Alan Boyd, Volonino's executive officer, summoned the two young officers forward. This EAM was "a valid nuclear-control order that authorizes the release of three of Nebraska's missiles." Thorson read off the target coordinates. The sub was being ordered to begin with a limited nuclear strike.