TICOM Vol. 2 - Notes on German High Level Cryptography

8/4/2019 TICOM Vol. 2 - Notes on German High Level Cryptography

1/103

"' i . ;

WDGAS-14

CHIEli' # AR1JIY SECURITY AGENCY1 May 1946

CRYPTOGRAPHY

Prepared'under the direction of ~ ~

VOLUME 2 - ~ N O T E S ON GERMAN HIGH LEVEL

oo~ : t , .c,m,. /II " " : ' ; ' ~ r ~ . ' " " " ' ! ! I b_OJ ~ , "". "''-l0


2/103

DOClD: 3560816 '

NOTES ON GERMAN HIGH LEVEL CRYPTOGRAPHY AND CRYPTANALYSIS

Chapter I The Paradox of German High-Level Cryptogra.phy-Chapter I I The Enigma Cipher Machine./

Chapter . III Telepr:l.nter CryptogI'aph1c ApparatusChapter IV Cipher Device 41, the C1pher Box, the CipherDisk, and the "Number Printer . I'Chapter V .German CiphonyChapter VI German uI .:a.M." and Rapid' Analytic MachineryChapter VII. Germa.n Cryptanalytic Methods

, ,'- ,-

..

..: .......

. .... , ~ . ~ -

. ,------ - - - . - ~ ~ - - . _ , , - - ' - - - - ~ __ :._ . :_ '.' \ : ~ , . _ ~ : . . i - , - " ~ ~ ~ . : - " / - _ , , , , _ ~ _ . .. ' . : _ ~ J


3/103

DocrD: 3560816_ Volume 2

Chaptel' I The Paradox of Ge:ma.n High-Level CryptographyParagraph

German high-level cryptographic systems wereinsecuJ:,e, 801 though bri l l ian t ly concelved . ' . . .... 1German mili tary cryptographers.had secure cipherdevice3 under development . . . . . . . . 2German se,::urlty studies revealed only theoreticalweaknesses of tnetr cryptography . . . . . . . . . . . . . 3Interrogation of A n g l o ~ A m e r i c a n p r i s o n e r s fai led todisclose German cryptographic weaknesses . . . . . . 4

1. German h i - level cr pto ra hic s stems'were insecure,although brl l iant ly conce ve - - German h gh- eve cryptography "la,s bril11antIy conce!Ved (as wil l be shown in th isvolume) but more bri l l ian t ly conceived cryptanalytic procedures a,nd large expendi t u r e ~ i.n manpo'Yrer and p,r",chinery bythe United States and Br1sish G,overnments, in one of the,~ o s t dramatic chapters of World War I I , accompliahed dailyAf,v.__ SolutiOnf:L,.bf. Gez:man high.,. level systems that cost Germany

, ~ ; . heavUy, .,if they did not, as some believe, bring about actual- defeat . For instance: ,a . The German Air Foree los t the Battle of 'England in, 1 ~ 4 0 , pal:,tly beea..use i t entrustedl bomber-target informationto the insecure A ir Force Enigma. Unknown to and even unsuspected by the Germans, the i r operations from this date

~ _ o J L w e r e constantly embarrassed by the cryptographic insecurityof this lmachine.b. The, German Army suffered ter r i f ic c a s u a ) ~ ~ ~ ~ andlosses, of materiel in Africa and on th e con ti nent because. ---9f_bl'ind.,falth in two of i t s high level mUit;ary cryptographicmachines: the Army Enigma, and the te leprinter cipher attachment "sz-42. tI Both were insecure. 2IThe great" debt England owes itr..crypta.naJ.ysts is to be recorded 1n a history of the Government Code a.nd Cypher School,London l , to be availa.ble in the fa l l of 1946. The statementhere is based on verbal information from intelligence officersand e ryptanalya ts o f the School, and awaits proper documenta-, t i o n .Th i s history will also include data regarding theGerman Army and ~ a v y Enigmas. '2A writt.en report by Brigadier E. T.,Williams, chief in te l l i gence off icer to F ield Marshall Montgomery, 5 October 1945,to be included in the Government Code and Cypher School history, gives specific examples bearing out this statement.


4/103

3560816

c. The German Navy los t a staggering number of submarinefor a silIililar reason: illsecurity of the Enigma, Navy vers ion. 'd. The German Foreeign Office employed three main s y s t e m s ~a l l lnesc:ure. Two of them (the DSl!tsches Satzb,uch unellclphered,and the f\eutsches Satzbuch enciphered by "Floradora,") wererea.d dur1.ng the \.,ar; the third system (a "one time pad," ArmySecurity Agency trigraph "GEE") was read only 1n the l a s tsix months of warJl but gave information of much military valueagainst t;he ,:"apanese.

, 2. German mili tarr cryptogpaj?hers had secure Cipherdevices under development=- I t is a paradox that German highlevel c r ~ r p t o g r a p h y was a "practical" fai lure and at the aametime GerlJlla.n military orypt;ographers had so many secure dev icesin vs.r1o\ls.stages of development.a.. One simple item alone, s. "var1able-notch" rotor, wouldprobably have prevented Anglo-American attempts a t read ing theEnigma ~ ~ t e r 1942, i f i t had been produced in quantity and

.. instal led. This rotor was called " L u e c k e n f u e l l e r w a l z e . " ~3The rea:L truth behind these losses has baen a.nd s t i l l 1s a tthis writing (May 1946) so carefully concealed that theA\. ~ f 9 1 1 o w 1 l t l g ~ . s t a ~ e . m e n t by .A,dmiral Doen1 tz 1n the N \ - ~ ~ e m b e r g t r i a l

.- '" is of c 1ons1derable interest : "The Battle of t.ae Atlantic wasnearly- 'W'on prior to July 1942; when German losses were wi thinreasonable l imits . But they jumped 300 per cent when Alliedaircraf"t, aided by radar; which came l ike an epileptic strOke,were used in the f ight ." He repo:r-ted 640 to 670 submarines and30,000 men los t as a resul t of Brit ish and American action._( See IF 259). A capt!.ured, uns igned, naval report de. ted 1944"evidently sen t to the Navy High Command regarding cipher s e c u r i t ~stated: ." the high degree of efficiency of the enemyOsa1reraft Radar, sO often surprising, has received. remarkableand'-decisive assistance f ~ o m directions based on the results. --Of" the dirac tion .finding sel"vice.", (see IF 142).. I t was never! realized that cryptanalys1s j rather than radar and direction. finding, disc:losed the positions a.nd intentions of the Germansubmar1.nes.f .' . 4M11; I 104 pp 2,3

2--- ._- ~ ~ ~ ~ ~ - - ~ ~ _ .=;i. __


5/103

3560816

~ b. An i r r e g u l a r - d r 1 ~ e Enigma that would have defied a llpresently known methods of' solution, was being developed. Thiswas called "Cipher Device 39" ("Schluesselgeraet 39," abbrevi-a ted "SG--39" i , .c. An improved "cipher teleprinter l1 had been bUilt, in stalled on several circui ts , and used, which prevented easyreading of teleprinter messages in depth; and even i f thisreading in depth was accomplished, the machine remained securea.gainst known methods of atta.ck as far as a ll other messagese n c i p h e l ~ e d by i t were concerned. This was ca.lled "cipherteleprill ter T-52e" ( ' ~ c h ~ , u e s s e l f e r n s c h I - e i b m a s c h i n e T ~ 5 2 e , "a b b r e v i ~ ! . t e d "SFM T -S 2 e " j , t > . I 'd. Appara.tus wa.s being developed .for "crypt izing" aradio t E ~ l e ' p r i n t e r circuit-- that is , for applying a basic cryp tog r a p h ~ c process to the c i rcu l t l t se l f even before any ' in te l l i gence 11' superimposed on the emissions. This 'Was called"cipher attachment 42c" (fiSchluesselzusatz 42c," abbreviated"SZ-42c 'IW ) , Which wa.s to be used With a con:tlnuously opera.ting,crystal-contl'ol-led, synchronized teleprinter 0 '(e. A mechanical, portable, keybo81'd-operated cipher machine, 4 ~ m p l o y l n g an interacting wheel-motion principle appliedto Hagelin-type Wheels, had been developed and bui l t and pa.rt1-,ally distributed, which would have been completely secureagainst r e c o q ~ t r u c t i o n even i f m e s s a ~ e s were read in depth.A_' ' ' ' ' - This 'was ' called nCiPRer Device 41" ( 'Scul,u6sselgeraet 41," a.bbreviiated "SG-4l"). I t was cryptographically superior to . 'i t s m ~ smaller U.S. Army equivalent device, Converter M-209., t . Other devices were also in varying stages of development; these included the "Cipher Box" ("Schluessellc:asten"), andthe "Ci,pher Disk" {"Sehluesselscheibe"}, Which were tvo minia-. ture enciphering devices intended for use by secret agents

'and by the Army.951 '53

~ , - 6 , t 2 ~ I 31. In this document the term "cipher teleprinter"will b employed consistently to designate a teleprinter inwhich the cryptogra.phic mechanism is an in te gr al p ar t ot andi con.ta.ined ~ t h l n the machine i t se l f ; the term "teleprin.ter'cipher' attachment, If to designate an auxilla.ry cryptogra.phicmechanism a s s o ~ i a t e d with the teleprinter but not an integralpart t.hereo.f.

71 57 E 1481 72'91 20 I 96


6/103

3560816

The j ~ o r e g o 1 n g devices nave been studied and are beingstudied b ~ cryptographers and cryptanalysts a t the A:ztmySeourity Agency, and ~ h general opinion is that the Germanswere makl1Jgrapid s tr ides toward great ly tmproving theiroommunica.:l;ions securl ty . ",The "very l eas t that can be said i s that they had somethingdifferent . Their teleprinter devices employed mechanical cIpherWheels, as o p p o ~ e d to the U.S. ~ m and U.S. Navy use of electrically-'iofired cipher wheels ("rotors 1'1) j ~ u . r t h e r m o r e ~ the mechanic,cal wheel arrangements, in their new devices, were highly developed and secure. They also employed interaoting Wheel motions(Wheels mutually controlling one another) f'or several of theircipher-teleprinters, as well as for their SG-41 (Hagelin-typemachine). Mechanical wheels ~ i n t e ~ a e t i n g wheel motions forte leprinter enciphering devices have long been considered byUnlteo S t a ~ e s cryptographers; our developmant along other l ineshas been from choice. None of our present devices uses in te r -acting motion, and the excellent deve19pments of the Germansnot only furnish us greater insight into such possib i l i t ies ,but also increase greatly our store of knowledge.

3. German securi ty studies reveaied only theoz'et1calweaknesses of their e r ~ t o s r a P h l - - German m11Lftary c r y p t o ~ 'a . . . . J r - - g r a p h e r s ' , ~ a l l e d 'to -rea ze that the i r existtfl..g Enigmas' and te leprinter cryptogra.phio a.pparatus were insecure. This wasbecause' they were unable, in the ir security s:tudies,9 to put, for th tho cost ly pract ical effort requirad to solve them. Theirsecuri ty studies vere theoret ical antI' since actual t raff icwas never obtained to r such studies . They were completelywithout l ~ r a o t i o a l knOWledge of how successfully a careful and

d e t a r m i n c ~ d attempt a.t tra.ffic analysis can provide daily "cribs"and othelC" data fo r crypta.nalytic at tack; and they had not advanced s l ~ r i c 1 e n t l y in applied cryptanalysis to r ea liz e th atd e t e ~ 1 n ' 6 d engineering staf.fs can produce items l ike the Pol,lsh--frate:%' F:l'enallA la te r English,e la te r American) "bomba," the U.5 .Navy "du1enna" the Army Security Agency "a.utoscr it che r, " o r theBri t ish "colossus. ft The flashes of 1ntuit ton and inspi ra t ion that aome from doing, as well as theorizing, were denied them.

4


7/103

3560816

A report on naval ciphers dated 10 July 1944, a p ~ a r e n t l ywritten by the Signal Security Agency of the Navy High Command (ODl/4 SKL/I1), sta te d th at solution of the naval Enigmawas concEtlvable, based on "J;he assumption of extraordinarym e c h a n l c l l ~ l outlay on the part of the enemy for cryptographicactlvitiElS though we LOKM/4 SKL/lrJ can conceive of amachine lIrhich would be sui table for this kind of work, wehave n O n E ~ availa.ble or Wldei:" consideration" since the Wholequestion does not yet appear to justify u n ~ ~ r t a . k l n g s ~ c h ad l f f i c u l 1 ~ special constructional problem. n The Brit ish didu n d e r t a k E ~ this prob:em, and were rewarded with astounding---success. . .

4.disclose Germancrypto&aph c weaknesses-- ur ermore, OMreveals that Germany never became ~ w a r e of the Anglo-American. solution of German high grade systems. Not even a hint of thisfact came to them thrOUgh their a.gents, their interrogationsof Anglo-American prisoners of war, or their cryptanalysis.I t may be said that Germany los t the cryptologic war evenbe.fore 1939, in Pl::'and. The Poles invented the "bombs,"a device which la ter , in improved form 1n England and in'AmeriC8,provided daily solutions of the German plugboard____'--':"'--'En1gma. The "bombe" secret was a.lI!1ost revealed when three. . . .decipher,ed German messages were found by the Germans in Poland in < 1939. The Germans became aJ.armed and conducted manyinterrogationsj13 the case was re-opened in 1942 and 1943;but at no time did the Germans learn the real secret of thePoles' success. The Germans became convinced that probablythe Enigma indicator system ha.d been at faul t (as i t partly. had been) and since i t had already been changed in 1940,they wer'e no longer concerned with the suspected solutions.Also, there were intell igence officers who feared that

_ E ~ l 1 g m a . .. ~ , r a f f 1 c was in secu re , but their fears vere based onlyY'oF1nfer'ence and not on direct pzooof. Thus, when the NavyHigh COJIllDand became aJ.armed a t mounting submarine losses,the incr'easing effectiveness of A n g l o - A m e z o 1 ~ a n aizoplane radarv_as blamed, and the Enigma was exonerated.l . ,12IF 142131 12714see footnote number 3 of this volume.

5


8/103

3560816

An lntell1.gence officer attached to the Air Force High Command at the time of the landings in North Africa expresserihis sua,plcdons. to the Chief Signal Officer of the Air 14'01"ce Ja General M a r t i ~ i , and caused him to reduce15"his ear l ier be-l i e f in the 100% sec1.Wlty to 80% securi ty ," but his evidencewas insuftic1ent to cause the Air Force to discontinue useof the Enigma.G e r m l ~ n y ,..raa unable' to cryptanalyze Brit ish and American.high-grad l9 systems carrying c r y p t a n ~ l y t i c operational information aru1 other ULTRA matters between England and America.As a resul t she had no hin t from cryptanalysis tha.t her ownhigh-grade systems were insecuzae.I t is absolutely clear that United States and Brit ishsecurity regula tions appl icable to ULTRA were so good andso closely adhered to by a ll concerned that knOWledge of ourEnigma-solVing and teleprinter-solving operations was kept .f'r'om the .Germans. An interrogation of two of the leadingGerman cr:yptanalysts ll Drs. lIuettenhain and Fricke or the 3ignal Intel.11gance Agency of t h ~ ' 6 s u p r e m e Comma.nd Armed Forces(OKW/Chi)1 revea.led only that: .. IIOne Allied PW in North Africa had sa.id the UnitedStaties and Brit ish operated with a very large joint.pal"k B of I.B.M. machinery, 'but this interrogation was

n e V E ~ r . fo llowed up. No personal i t ies whatever vereknown. 11

"--, -.-..."-

l5IF 516I 84 p 6 6

\


9/103

3560816

Volume 2 .Chapter II The Enigma C i ~ h e r Machine

Pa.ragraph

Enigma c:tphermachine was the backbone of' Germanhigh-level cryptography . " .. " . ." ". 5C o m m ~ r c i a l Enigma was known to be insecure 6"Counter" Enigma. was kn9WD to be insecure 0 7Plugboard Enigma was believed safe i f ' used properly 0. . 8Plugboa.rd Enigma ' ~ a s known to be s olvab le w ith "cribs" 9Theoretical weaknesses of plugboardEn1gma wereunderstood. . 0 .. 0 0 0 0 0 0 Go 0 0 0 0 0 0 0 0 10"Variable-not{.lh n rotorsj.Would probably have madeplugboard Enigma s e c u r e ~ 11Cipher Device 39 would have been secure againstpresent attack . . . oo oo: . o oo.oo . D 12,Enigma development is worthy of study . o 13

\ 5. Enigma c lAAs..!:. machine the b a c k b o D ~ 9 of Germanhigh-level cryptography-- The Enigma ciphermacnine, inf ive a l ~ r e n ~ f o r m s , was used b German commercial firms,_,....by the }Iost Orfice, the Railways, and miscellaneous othere"""'->- German government departments; by the Supreme Command ofthe Armed Forces; by the High Command of the Army, and inArmy communications down through division; by the High Com-mand of the Air Foree, and in Air Foree communications downthrough group and sometimes squadron; by the High Commandot the Navy and in Naval c o m m u n i c ~ t i o n s down th rough sub marine; by Mili tary Intell.1gence (Abwehr), by the ReichSecur1 t ~ Office (Reichss1cherhe i tShaupta.m.t, a ~ b r e v i a tedllRSHA"); and by Mili tary Attaches. .

Thl3 1'1ve main forms 1n which it appeared were called,the-commercial (o r "K Il ) Enigma; the "counter" (or "Zaehl-"'werk") J ~ n i g m a " sometimes cal led the "Abwehr". Enigma. or the"G" Enigma; the plugboard ("steck,er") Enigma; the plugboardwith (pluggable) ref lector-DC 'VStecker mit UmkehrwalzeD tt )Enigma; and the Navy E n i ~ a . The plugboard Enigma with ."variable-notch" ro tors ("Stecker mit L u e : ~ k e n f u e l l e r w a l z e n t f )was to have a ' p p ~ a r e d soon. Another model" C1pher Device }9. ("Schluesselgeraet 39") vas under study. See Chart No. 2-1herewith. .

7


10/103

C o ~ e r c i a l firms j -- Reichspost i.ReichsbahnoYisco. go'\rt. depts 0

Type of How machineend plate would be solvedOClO: 3560816Enigmat:odelCommercial("K" )

Used by ]umber ofrotors N U 1 ! l b ~ r ofnotc}:lespe r rotor1

Type ofreflectorRotor,' notpluggable Notpluggable 4 or 5 le t ter criband catalogue; orrapid analytic

1 " I ' \ ~ , . . h ; r\O,,"W-F (1 )_""J . . . .6& J . ~ " ' . " " & , " V . J 0 ''''''''""''VJduenna or scr it charnot needed )Counter("Zaehlwerk") A ~ l i t a r . r attache JWltil 1943; thenHeich SecurityOffice

1.1ultiplebut fixed notoro Not.pluggable 'Not.plugeable l letter crib andcatalogue; or rapida n a ~ i c machiner,yo(Bomba, duenna, orscritcher no t neededo)

Supreme Coroand 3 fromArnw .. Air l"crce se t of 5Plugboard("Stecker")~ a v yPlugboard Navy standardmachine 3 fromset of 8& 1 from 2

1

5 with 13 with 22 with

Fixed plate:-lot plugL;ableFixed plateNot pluggable

PLUGGABlE

P L U G G A I 3 L ~

Bomba (duenna orscritcher notneeded) ... ..Bombe, duenna, or .\s.critcherPlugboardwith pluggablereflector(Umkehrwalze D)

Just beginning.1:-0 be used byAir Forceo P r o ~posed for ArmedForces and forArmy

3 fromset. of 5 1 . }"ixed platePLUGGABLE PLUGGADlJ:; Duenna or scritcher ..Vr,JtY DIfFICULT.

Plugboard withvariable notchrotors{L u e c k e ~fuellerwalzen)Proposed fo r 3 fromArmed Forces, set ofA ~ Navy, Air 5?

Lultiple, .CllA;:GiADLEand there-fore nonpredictable

Fixed plateP L U G G A D L ~or notpluggable

PJ.UGGADLE Bombe, duenna, orscritcher ( if ata l l possible)

Cipher Device.39 (Schluessel-geraet 39)Pro!JOsed fo rArmed Forces,ArJl\V, Navy, Air

4 variablenotchrotors fromset of ?l::ultiple,changeablejplus Hagel in typedrive

Fixed platePLUGGABLi: P L U G G A B L ~ I Bombe, duenna, orscritcher ( i f ata l l possible) o

Chart No c 2-1


11/103

3560816 6. ."Commercial"'Enigma wa.5 knol,.,n to be lnsecure ...- I t"las well ImOllTn by the Germans that the commercial Enigma ws,snot diffilQult to solve. They, suggested hand methoq.s ':Jf"stripping o ff the f'a.st-movlng rotor ," which were almostidentical v l ~ h our methods and which involved small preparedcatalogues. 20 They fuggested sta t i s t ioal methods using r ap idanalytic machinery.2 They ha.d also 1 n v e s t i g a t e d 2 ~ h e machinemathemat1caJ,ly, from a. "group theory" standpoint. The commercial machine had been, unt i l about 1 9 j 4 ~ sold on the com- .merc1aJ. m,arket by the German f'1rm Which owned the patents anddeveloped them; but soon af ter the Nat.1 accession into powerthe machine wa.s Withdrawn from the market . The Germans furnishedthese machines to the Croat puppet government.23 The Germans .themselves used i t for the i rpos t office, their railroads,and other g o v e r ~ J n e n t , a g e n c i e s . Because of' i t s insecurity,every message e n c i P h ~ ~ e d by 1t 'faa supposed' to be re-encipheredat a second sett ing, a p r o c e d ~ e whioh' i f adopted would .have made the messages quite s e e u ~ e . I t is doubtful i f suchprocedure was g e n ~ r a l l Y oarrie'd out, beca.use of the di r f i -'cul t ies involved. .

7. ItCoullter" Eni a was kno'o1n to be insecure-- The. "counter" Enigma. .soca e beoause i t .incorporated a l e t te rcounter in i t s meohanism) was important because i t introducedm u l t i p l e ~ n o t o h rotors . In general, the more often enoipherA'..../-:tngrotors . in machines of the Enigma class step, the morediff icul t solution becomes, a n d ~ u l t 1 p l e - n o t ~ h rotors b ~ 1 n gabout th1s desirable motion. Even so, t h "cOl..Ulter l t maohinewas known to be solvable by shor t cribs. 2b Regulations werealso ~ ' S u . e d with this mach1ne.to double-encipher each mea-sage. Only aboutlOQ'or the "counter l t machines'were madein ~ ~ l ; t,hey were issued to Germa.n military attaches, withdra.wn in 194}, and issued to Military Intelligence (Abwehr).Some weret also soJ.d to the Dutch government.25 , .

9

-----------------------


12/103

3560816-----.~ - - - ~

_ 8 . P l u B i b o ~ r d E n l ~ 1rlas_be!ieved ! a f e if' used ~ r q p , e r l l - Plugboa.rd Enigma. " 1 ~ M 3 u'Sed by the Supreme Oommand Armed Forces ..by the f.:rmy S1 -by theA1r Force" c9lld with an addit ional rotor ,by ,the Navy, R s t h e Ubiquitous and " secu re " c iphe r devics"a.ble to carry highest - level t r a f f i c ' n it used properly." I twas also ~ ~ p p l i e d to the Hunga.rians" Rumanians, Finns, a.ndI ta l ians. Investigations by Dr. P i e t s c h ~ of the SignalInte l l igence Agency of the 'Army High Command (oKH/G dNA)showed the safety margin to be 20,000 l e t t e r s a day.30 -froFricke be,lieved t h a t i f the i n s t r u c t i o n s on ~ 1 m u m len.'tth. ofmessages vere followed, "everything would be a l l r i g h t . l T , l _Yet it w'as t r a f f i c in t h i s Enigma, even when "used properly,"which va.s regularly solved da.y ...by-day by the tremendous AngloAmerioaDl cryptanalytic e f f o r t .

9 . P , l u g b o a r d EniW! Yl!s kno\m to be solvable With v'crib,s'. '1..I t 1s a.r.L a.stonishIng fBJCt . t h a t a.lthough German cryptographersknew a t least a s early as 1943, that 1 t w a s theoreticallypossiblel to solve the German Army plugboard Enigma lthel;Levera proper c r i b was available,32 they seemed l i t t l e concernedabout t h i s p o s s i b i l i t y and failed torea11ze tha.t a. pra.cticalsolut ioIl might be based upon i t . This knowledge should havea.roused the,ir most vivid ~ p p r e h e n s 1 o n s but did not, beca.useof lack of imagination regarding the p o s s i b i l i t i e s presentedby the invention, development" and use of special ly designedA ,., h i g h - s p E ~ e d analyt ic machinery. ' ,. In 1944 j L t. R. Hans'-Joachim Frowein of the S1&nal 'S e c u r 1 ~ t y Agency of the Na.vy High Command (OKM/4 SKL/I1) sug-gested un Internationa.l Business Ma.chine ( I .B.M.) method of' so lvtng the plugboard Enigma, given a twenty-five l e t t e r cr1b.33This suggestion was based on a hand method '''h1ch employedsequent:tal tes t ing, or "acritching$" a. method Which was mechanized by the Army Security Agency and incorpora.ted i n th.e" a u t o - s l ~ ~ 1 t c h e r . tt After descr,ib1ng th1s4hand process, L t .Frowein made-the f'ollowing suggestions:}' ? ~ r 9 2 p 231 78311 2032n 58 p 1 ~ 331 38 PP 3-4341 38 p 4

10

c


13/103

DOClD: 3560816. . "In p ra c ti ca l Ho ll er it h [ i .B.MJ machlnerywouldbe uaed With a 3 ...wheel (Army) Enigma, only 1'0,000carda are required The enemy could have produdedthe 70,000 cards a. t the beginning of the war and ' th iscata.logue 'Would have been valid throughout the l i fe ofthe threedwheel Enigma.' The f i r s t Holleri th card sor t -ing process ,.,ould take 200 machine-hours, the second

o n l ~ ' 8 machine-hours, ' and 3"0 on. It ' , .. .

""--_.'"

.'

Thus a to ta l of approximately 220I/B.M. s o r t 6 r ~ h o ~ s. would have been suff ic ien t to t e s t the "crib", to see if itcould break the plugboard machine. Ano1a'ler way of s ta t ingt h i s , 1s tha t 10 sor ters could tes t one crib in one day.Illhls i s not rapid , but 1 t 1s '\'11th in p r a ; a - ~ l c a l 11m!t s . Andth is suggea t lon is only the f l r ~ J , t theoret io 'al answer, n,otthe crlimo!:Lx of a compI,'ehenslve, pract ica l a.ttempt a t solut ion.,Perha.ps the cryptograyhers of ' the 3ignal Intel ' l igenceAgency 01.:" the Supreme C o m m a ~ d Armed Force,S (OKW!ClH) believedtha t it lrou4d be tood1.r r icul t fo r an emamy to obtain thecr ibs necessaryforso lu t1on by L t. Fro'Wtl'1n Ds methods. Possibly they vere too bU$y designing improved apparatus whichthey would put intoef"f 'act "someday." . Cert ai nl y th er e is no .indicat ion in the TICOM i n t e r r o g ~ t l o n s or documents thatc r y p t o ~ a p h e r s of e i ther the Armed Forces or the Army worr ied a.b01J.,t L t. Fro'\'Tein 9 s resu l ts ' when the resul t s w e ~ e shownto tnem. The Na.vy, with a .four-rotor, more nearly secureE n 1 g m a ~ 3%1d take h is resul.t5 somewhat ser1ously. Lt. Froweinsta ted .. _"', >

The act ion taken by the Navy, as indicated_above, was.so-ineffective an answer to the problem raised by Lt. Frawein,thatlt almost mlghtas well not have been taken. Nevertheless" for h is excellent 'Work" L t. Frowein was awarded the Wa.rMerit Ox'oss.

11


14/103

3560816

10. Theoretical weaknesses of lu board. En!understood:-- \ e may not cone u e rom t he ' ack 0 a1 -out' p : r a c t i c a r - e f f ' o l ~ t s to make a worthwhile securi ty study of'the plu.gboard Enigma. that the German military c r y p t o g l ~ a p h e r swere 1D, any way mentally inferior to the Brit ish and Ameriaan

' c r y p t a l l ~ a l y s t s who succeeded aga.inst this Enigma.. Deapi tethat f a ~ c t tha t the Germans discovered every 'veakness' theEnigma had, the i r theoretical studies and conclusions apparentl.y did not impress them. According to Dr. Bugg1schof the ' Signa.J,. Intell:l.gence Agency of the Army High COlDllland(oXH/G dNA), the weaknesses of the plugboard Enigma. were:368. .. Rotor I (the "tast"rotor) moved uniformly., b.. Rotors I I a.nd I I I moved. too seldom.c.. The machine needed mOIle tha.n three r o t ~ r s to be

l t l s e r t E ~ d in it at once. The,t is" the period 26 x 25 wastoo sh ( ) r t . , '", t d.. The machine' needed more than five rotors to be

issued, with i t . That iS i the number of rotor orders, thep e r m u t ~ : l . t i o n B of 5 rotors t:a.ken 3 a t a. time (;.; 60) I was toosmall., . -e. The ref lector was not p l u g g a . b l e ~ , and the "enemy"could :set up the 60 x 262 x 25 alphabets of the machinein i t s unplugged form, p o s s i b l ~ ; proceeding to a solutionfrom tlt lere. ' ,,- D;r. Buggis.ch was so right! Improvement in anyone ofthe foregoing part iculars could easi ly have pushed the plugboard :Enigma beyond the reach of already-straining AngloAmerican oryptanalyt ic f ingers , andposslbly a l t e ~ e d the

c o u r s ~ of the we.za. I f the multiple t u r n ~ o v e r rotors of the"counter" machine had ,been inserted in the p lugboard Enigma"11 ~ ~ rotors had been issued instead of f ive, i f five rotorssimuitaneously could have been used in the machine insteadof' three, if ' the rotors a.lready in i t had been kept moreactive by sUitablemotlons ,or i f a plugga.ble ref,lectorhaa. belen universa.lly adoptied, r e ~ f a ; r , day-by-day solutionwould hardly have been possible .361 31'37A n o i : ~ e r effective security measure would have been to issuenew rotors at' r e g ~ a r i n t e r v a J . s , or vhenever compromise ofthose in use was suspected. Thi s p rocedu re was evidently ,

not considered f a v o ~ a b l y by the Germans, who had so many Enig-,mas in the' f ie ld ,and in use elsewhere, that the chance ofcapture was great , and the number o ~ o t o r s to be replaoed incase o compromise prohibi t ive. Newly wired rotors were "issued at the outset ,0 the war, but these Wirings weI'ekeptt h r ~ : : > u g h o u t the war Without change, on the theo-i,"Y that the Enigma. 1rt&S secupe regardles s of rotor oompromise.

12


15/103

3560816HIDW close the Anglo"-Americans came to lo s'iog out in the i rsolutilon of tne German Army Enigma is a matter to give cryptanalys'ts pause.B:r:Ltish and American cryptanaJ.ysts r eca l l 'With a. shudder ,how dri9.stic an increase in diff '1cul ty resu l t ed trom the in t ro-duction by the German Air Force ot the pluggable ~ e r J . e e t o r ', ("Umkehr'\ola.lze D, II called IIUncle Dick" by the Brit ish) in theSpring of 1945. ,It made completely obso le te th e "bombellmachinery which had been designed and instal led a t so great anexpense foro standard" plugboard-Enigma solution. I t necessita .te d th e development by the U.S. Navy 0:[" a nelY)' mOl'ae complexmachine ca.lled the "duenna," and by the u.a. umy of a ra.dically :ne,,! electl ' ical solveI' oa l led the Itautoscritcher . " Eachof these had to make mill ions of tes ts to establish simultaneously the unknown (end-plate) plugboard and the unknownref lec tor plugging. Only a t r ickle of solutions would haveresulted i f the pluggable ref lec tor had been adopted universa l ly ; and this t r ickle ot solutions would not have containedenough inte l l igence to .furnish the da'ta :for elbs needed inSUbsequent solutions. Thus eV,en the t r ickle would have e v e n t u ~al ly vanished. .Orad1 t mus t be g1van to the I unknown German Air Force

c ~ p t o g r a . p h e r , possibly a member of the Security Grooup of theSignal Intel l igence Service (OKL/Oen Natue/III, Gruppe IV),who brought about the use of "Uncle Dick" thI'oughout the German Air Force in U ~ spring of 1945. I t i s indeed lueky forthe Allies that the c ryptographers o f the Slgnal ln te l l igence. A g e n e ~ r . of the Supreme, Command Armed Forces (OKW/Chi) did notagree with his bel ief 1n the pressing need for addit ionalsecur1 ty . .Dr. FI'1cke ss,1d:38 " I t wa.s not considered importan t,as the plugboarq was the real safeguard." Dr. Huettenha1nsaid 1.0 effect:,]9 "The G.A.F. had introduced t he p luggableref lec tor , but the Army said it was too much trOUble.". 11. "Variable-notch" rotors would. ~ o b a b l l ,ha.ve made

~ l u g b c ~ r d E n 1 ~ a secure-- Daily solution of the plugboard.,.Enlgme. would probably na.va been prevented if the Germans hadintroduced'the variable-notoh ro tor , ( " ~ k u e c k e n t u e l l e r w a l z e " )in 1911'3 as planned. ''1lhis rotor vas designed to "hold ' the securi ty l ine" unt i lthe introduction of Cipher DeVice 39, a Hagelin-type-dr1ve_Enigma. designed in 1939 (as i t s name 1 m p l ~ l e a ) and already past

,- the" -bl.ueprint stage.381 2 ~ I39r 33.

13

. "------


16/103

------------------- --- ---

3560816

,The effect of v a r i a . b l e - n o t ~ rotors in an Enigma wouldhave been to make impossible the fore te l l ing of exact suecess1vle rotor set t ings , "Then preparing to IIbombe" a cr ib .Assumptions would have to be made as to the p resence or absenceof turn-overs of the ltmedium speed" and "slow speed" rotors 3 ateach sliccessive element of t ext . This 'Would have multipl ied thenumber of t r i a l s neoessary to tea t cr:l.bs.ll a.nd thereby reducedthe number ot solutions to the smalL t r ickle which has alreadybeen charaoterized as not b ein g, in a ll probabillty.ll self -sus ta.ining. .The following excerpts from m-inutes or conf'erencesheld by the 8ignal Intell igence Agency of the Supreme CommandArmed Forces (OKW/Chi) o n l ~ 4 D e c e m b e r 1943 and 18 March 1944, .are i n te r es ti ng s ide li gh ts : 0,- a . "Concerning 1 m p ~ o v e m e n t of the E n i ~ a . " Wa Pruet" 7~ r m y Ordnance, Development and Testing Group, Signal B r a n c ~

stated. that the replacement ot a ll rotors by variable-notchrotors required reconstruct ion and time for development.I t wa.s howeveI' possible to exchange one rotor ; the necessaryvarle.blle-notch rotors could be delivered within a reasonable,tlme.l1'b,. "In c o ~ l a . b o r a t ion with lia. Pruet 7 in view of' the '-introduction of. the variable-notch rotor the keying pres-sure ~ : r e q u 1 r e d to e n c i . p h e ~ " . ~ the Enlg;;'7 was reduced by about.1000 gza., a t the f'irm of He'iusoeth &; Ride 0" . .lJ.lecha.nical drawings o f t ha variable-notch rotor are nowin thEI r i les of' the Army Security Agency 0 41 Seve I'al such

r ~ , t o r ~ 1 have been ,9aptured and are availa.ble.J.2. 01 her Device wou1.,d have been secure a alns tpresent a t tae '- - p e r evlce was to e the epitome of_

E n l g m ~ l . perfection. I t wa.s to have everything--end-plate plugboard J) pluggable ref lector : 4 variable-notch roto:l;'s s 3 addedHagelln ...type irregular drive wheels .. and a. simple inter-actingm o t 1 o i : r ~ ' . I t ' las to have a keyboal'd; a.nd it ",as to pr int bothplain and cipher texts , a a rate of 85 words per minute.

j note in Dr. Huettenhainos f 1 ~ e s dated 30 May 1944state


17/103

3560816---,.. --- --_.

e'

liThe model bu i l t by t ~ e ~ e l ~ f o n b a u u. NormalzeltCompany, Frankfurt a . Main 1s being demonstrated inopeI1at lon. The machine essentia l ly sa t is f ies a l l therequirements la id down fo r it. we. f ruef 7 [jrrmy Ordnance,\lDevEllopment and Testing, Signal Branchlhas se t t led ~ h a tfeatures of the machine require improvement. F .A.N. . -(7) in Frankfurt a . Main has been completely destroyed.The machine cannot therefore be expected to go into largescaleproductiol l there, fo r someconslderable time. I t1s t ~ e r e f o r e intended to get an additional productioncent;er a.t once. The Wanderer Company, wh1eh already haswidEI experie nc e o f large scale production, ' i s proposedfor this a.dditional produotion. Dr. Fess o f W a n d e r e r ~ sis 8 ~ a 1 t e d in Planken fo r detailed negotiations on thesubJiect of this production."According to Wa Pruet 7 [J.rmy Ordnance, Developmentand Testing Group" Signa.l B r a n c ~ small scale pI'oductionis e ~ P 1 J r o v e d ."0KW/Chi sees a t the moment no poss ib i l f ty of abresLk ..1n, but exhausterva investigations are s t i l l in

.F P,rogress. .. "On c ~ m p ' l e t 1 0 n or p ~ a n t .at Wa.nderer it is plannedto, !:Lrrange a. f ina l conference there wi th tha units' ,requiI'ing the machines and the specia l committee. The aim1s to begin larg e scale production by the end of 1944. ltN o n E ~ of' the t e s t models of C ~ h e r Device 39 has ever been

r e c e i v e d , . a ~ Army Secur1 ty Agency. Excellent descriptions43Tl-rO. teflt models of Cipher Device 39 were packed in boxes a tTelefonbau,u. Normalze1t, Frankrurt, and the boxes f1plcked

u p ~ b y !l.n Arm". Corporal on March 22, 1945, fo r movement to a.m i l i t a J ~ Y depot at Tauberbischufshe1m." See I-53 p 3. Thesewere n E ~ v e r found. A third, incomplete, machine however was. ca.pturE,d and 18novT a t London Signal Intel l igence Centre.C a p t u r ~ ~ d German Army plugboard Enigmas i commercial Enigmas,counteJ? Enigmas, varial:>le-notch rotors , a.nd pluggable reflector

. w h a e l ' s . ' ; ~ , a r e ava.11 able a t the Army Secur1 'ty Agency museum,howevel:'.

15


18/103

3560816

exis t , however. 44 TIle ma,in elements of th i s device may berepxoesented by the f'o11Q1lring skeleton schematic diagram:

- - . ~/ ' - , . ',/ ' ./ '" .f ...."\ - . . . . . .- - - t l . . - . ~ f. .J.' ..

Varl- Varl- Vari-able able ablenotch notch notch~ o t o r rotor rotor

e'

Reflectorplate , pluggablet,1. . - - -=--- - ., . IIHagelintypedrive,,,heel

, - 4 .....Hagelintypedrivewheel

l 'II- 'IHageliD.Jtype !drive Iwheel ,--,

F-~ E--End pla.te,pluggable

44r _53 : I-57. I t is in teres t ing to note that Cipher Device39 wa.s original ly J ; ; I J ~ a n n e d to hava been i s sued in 1939,""jas i t s name implies. A TICOM report on an in ter rogat ion ofDr.' otto Bugglsch of the Signal In te l l igence Agency of theSupr-em1e Command Armed Fct> ces


19/103

j ~L- 3560816Motion c}ontrols of the va ri ab le -no tch rotors a.re indica. tedh y b r o k ~ ~ n . l ines in the d:J:agram. Sol id l ines to the fiendpla te" : tndicate "{Jirss from keyboard a.nd tape printers 0Note t h ~ l t the f"irst variable ...notch I'otOl'1 r i e v e ~ movesduring E ~ n c t p h e : r m e n t Bet ter cryptographic procedurewould b E not to 8.1101.,. any completely stationar-y ro tor .13. En1es.. develQpme nJ:...1:.s 'VI0I"thl.w'Of' . s ~ ' ! ~ l - - TQ ,recapit tuate , Ge:eman cryptographers throughout the' warused .8. < ~ r y p t o g r a p h i c device known as the uplugboard Elligma.o"lolh1ch h ~ ) , d a high degl:ee of secur1 ty , but "'8.3 insecure

a g a 1 n s ~ d e t e l ' " 1 1 1 ~ ? ~ : ~ ~ r a n d cost ly Ang;J..o-:-American cryptanalysis , . , .This deVice Has ori tbe ' th reshold of alrnqs t complete sec ,uri tYi ' .,through tho int rodtet ion of pll,lggable ref lec tors and/or 'the var,:table-notch' rotors The' pinn acle of Germa.n 'Enigma .development 'l:laS reached. ltfith t h completion of plans fo rCipher Device 39 and the buildill..:g of a. very small numbero f : t ~ s t models., The four. rotors and three' Hagelin wheels"l ~ r e g u ! ~ ~ i n t e ~ a e t i n g motions, and dual ~ n plate p1uggings. '-ot Ciphelr Device 39 would have p:roduced' a. machine that ,.if used properly; would P ~ Q b ~ b l Y have ranked along wlthour own SIGABA for securi ty 5. .

45crypt'emalysts Schauffler ~ r Hati.thal of the Foreign ,Off icElCryp tana ly ti c Sect ion (Pa rs Z S) d l s c u 5 ~ e d tn,econstI 'ue t lQnofa proposed new cipher ma.chine with wi l l iKorn, e ~ 1 n e e r of ' the Enigma/firm Ueimsoeth and Rincke" .Berlin" in February 19420 I t was to be, called "Machine 42"( 'fMasc:hine 42 11 ) and was to be; in. effec t" ,an Army plugboardEnigm8\ with three add1t!onal r oto rs in se rte d l n f r on t ofthe ' p l u g b o a , r , p . - ~ t h a t i s , ' betl..reen the plugboard and the keyand:"l1.ght bank. The f i r s t of these three add it iona l r ot or swastCls tep each time a l e t t e r was enciphered.., and thesecond and thi rd were to be stepped flY notcl1es in the 'custo!rlary Enigma ma.rinel" 0 Traffic in\ such a macQine couldnot ha.V8 been solved .by .normal bombs methods, althougha snec:ial autos'cri ' tcher can be conceived of fo r suchr ead1ng .The practical difficult ies would be tremendous,so tha,t for pract ica l purposes Machine 42 would have beensecure. rota-chine 42n.ever passed the s tags ,of .tiheoret1cal.deveJ:clpment" b e c a . u 8 ~ of engineering' and p r o ~ u l ' e m e n t -....d i f f i cu l t i e s . SeeT-S f o r d e t a , 1 1 s . .

. ,17

, '


20/103

/

356081:6

\\ Volume 2

\

.1 ,

Teleprinter C r ~ t o g r a ~ h 1 c ApparatusPart;.graph

German tElleprtnter cryptographic apparatus was of two ',,' main t ~ y p e s o , ' . . . o . . . . ~ o ~ ~ ..... ~ " " " 14German, t E ~ l e p r i n t e r cryptographic appara.tus enciphered,', ". 'ind1vldual tetetype impulses 0' \ ' , , ~ O ' ~ ' . . . . 15German t E ~ l e p r 1 n t e I ' cryptographic a.pparatus used '-",' .~ "mflchBJlieal w h e e l ~ . . . . : . .. . . . ~ . 1 6. G1phex- H.t ta.chlnent.... were l n ~ e c u r e " ...... ". 0 0 .... .. b 0. . 11i X ' o ' p o ~ e d 3z-42c syncht-onization would have "cryptized'V awhole :rad10 ci rcui t 0 ' . " " . 18.' . I '. . . 'ome cipher telep:t-1ntett3 were secure , ... : 0 ...... ~ .. ~ , ~ : , lQ.Cipher t ~ 2 ) l e p r 1 n t e ! " model T-43 used one"!;tim.e. -cape 00 ~ 20CorJ.Clus,il;)ns.: German te lepr inter cryptographic .apparatus. '\ i s ' ' l ' o J ~ t h y ot deta i led study 0'" ~ i .. q ' ' r ~ . ' ' ,21

. ~ " " . ,t ,. .

14.two main\ a . ' Clpherattach ed to anyb. Ciphermecha.nisms wex-e

,atta.ehments, " ,h leh could be' associated with' ort e l e p r i n t e ~ . .te leprin te rs , in which the cryptograp,h1ci nt eg ra l par ts or the teleprinters. ,

" The cipher atta&hments were called "Sehluesselzu.sae,tze .. "O these, model S Z ~ 4 0 ( l a t e r discarded), and models-Sz-42a andS Z _ 1 ~ 2 b were insecureagainat Anglo-American cryptanalysis",:Model S Z , - 4 2 c ~ w h i c h was designed to "eryptize" the radio ei1;,"cuit"as a whciJ.e,. would probably ha.ve been oompletly s e C U ~ e .. . The!' cipher . te lepr in te rs .were called "5chl.-.uesseli'ernschrelb-maschinein." . Of' these, models T-52a." T-52b, T - 5 2 c ( f l r ~ t model) 11 .and T ~ 5 2 c (second ,model) were insecure a g a l n s t A n g l o - A m e r i c a ~cryptanalysis j and were e m e n t u ~ l y d 1 8 c a r d e . ~ b y the G e ~ m a n s asa result . of their- own sacur l tys tud ies ; models T-tc52d and T-52ecould hClthave been solved by any p ~ e s e n t l y - k n o w r t ' m e t h o d s of ,at tack . The T-43,ras. a.' ft one-ti1me tape l f cipher te lepr in te r and 'l i k e w i s E ~ secure i . f proper tapes' were 1 n s e r t e d ~ and if . certa.ine l e c t r i ( ~ a l elements in the appa.ra.tus were properlyad' j :ustea

, . .18

f'


21/103

. 3560816 ,/ I .

"

Various models of a ll the above machines carried high-levelcommunications -ror the Forele:;n Office, the Air Force , the Navy,t ~ Reich S e c u ~ i t y Office, ana miscellaneous government departments; and practically a l l models v e ~ e used a t some time orother by the Army down through division. . .'.. Land-lines carried most of the te leprinter t raff ic , and .land-line t raffic was, orc.ourse, not 1nterceptJ,ble by the Anglo-:J\mericans. Radio l inks were "beamed transmissions If l-lhichweredif f icul t to intercept; yet certain important Army.radio i inksemploying such transmissions were intercepted. They included,among 'othsl'sJl circui ts between Berlin and each of the following:Athems, SaloIiika.o Rome; BUCharest, BelgraQ.8, French ports, Paris;.Rotterda.nl, and Oslo; they also included circuits among corpsp'reas ( W E ~ h r k z l e l s ) in Germany i t se l f . '. . .From UltrasQurces, i t is known that solved Germa.n te le- . printer nressages gave information'in detai l ouncerning suppl ies .shipped, troop movements, police data,' and agent information. .' Important bat t le order informatiOn w ~ often _obtained, ~ important orders from Hitler. .,The informa.tion transmitted by German teleprinter cryptographic H.pparatus VIas therefore of. utmost i m p o r t a n c ~ to the Anglo-American government and f ield forces during the war from an . \intell igence standpoint. The variOUS machines themselves ares t i l l important, as 'a resul t of TICOM investiga.tions, for thecryptogrl3.phiO features they involve. . . .. Britian cryptanalysta gave th e gener ic cover name llriah'"to a.ny German teleprinter cryptographic machine, the cover name"tunny" to the ciphe% attachmen.ts of the f i r s t typo mentioned 1nparagraph 14, and the cover 14a.me Usturge.on49tQ the cipher te le-printers ; the machines of the second type. " .

15. German te leprinter cryptographic apparatus enciphered /1:ndiv1dua.l .teleprinter imgulees.- A stanaard te leprinter of , .'theso-cal led "star t -s top type transmits seven impulses for each lette:r or chaI'acter sent, as folloW's: a star t impul.se,a set or five distinguishing impulses or lfbauds,".an4 B. stopimpulse. Each of the f'1ve bauds' is either "plus II ' or "minus" ,depending on the character being sent. (ThUS, the set,of ' baudsfor "e" is plus minus minus minus minus, and the .followingsequence of'impulses is sent: . star t , plus minus .minus minus minus,stop.) German. teleprinter cryptographic apparatus, just as4 . .Captur'ed -T-52d/e and SZ-42b apparatus are available 1n theArmy Security Agency Museum.


22/103

3560816'. / "~ s 1 m i l a r machines of othel' ' o ~ 1 g 1 n ' p enciphered such t e ~ e p ; P 1 n t e rt r a r i s m 1 ~ ! s i o n s by enciphering t h a ~ e t1ve lnd iv ldua l bauds. The

" a . p p a ~ a t \ l s did th i s by generat ing a k?y made up O'J; a lengthysequenco of teleprinter c h a r a c t e ~ s " a n d c a ~ s i n g the sets ofbauds corresponding to the succees1ve keying characters to becombtnecls baud by ba.ud, with the ,sets r bauds correspondingto the succeas ive pla in text characters. Combining was aone,according to apr1nc ip le invented in 1918 by an America.n,. .anginaa]? n a ~ e d Vernam, who originated the ' so-cal led "VerIiamHulen that a combination of l ike s igns produced a 1 ! ; ; J . . u ~ " impulse"and a (4)mb1na.tion of unlike signs produced a uminus ti impulse. '.The I '8sult 1fas s of course, a succession of" sets, Qi" :rive baUdsc o r l ~ ~ s p l : > . n d i n g t o the c1be.t. characters. ; In the .German te lepr in te r cipher attachments, th ese c ip he r chara.cters were tr,ans.mitted liithQut , further enolpherment;in the cipher te lepr in te rs ,they u n ~ i e r w e n t , t r a n ~ p o s i t i q n or ~ a u d s within characters asf u r t h e ~ encipherment ? e f ~ ~ e theY,were transmitteq.

16. Germa.n te le tmechan1cal'w ee s ~ eo an os. alp erw ae s were use in a l lGerman t ~ e 1 6 p r i n t e r c;ryptograp1J,1.c appar atus " excep t in the onetime-tape c i p h ~ r t e l ~ p r 1 n t e r < > ' Around i t s periphery,ll each ofthese m,e,ch:'.i')ical wheels had small pins which opezas.ted a switch(or .switches) as the Wheels l"otated. Operation of the switchesgave in effec t the I 'plus" or "minus lf impulses needed to form keycharact,ers. ' I n the , te lepr in te r cipher attachments 8z-40, -42a,and-42b" the I ip1npa t te rns" ot each of' the 'Wheels" '1.e. thesequence' of pins 't.,1 th respect to the i r b,e inginoperab1e or in operable pos1t lons,was changeable s ~ p l y b y manually set t ing theindividua.l pins i nt o e ff ec ti ve ,or' inef fec t iva posl.tions. I n t h eSZ-40 (or iginal modl?l) and in the, cipher te leprinters ( ser iesexcept . ro i ' T-43) Jihe pin patterns 'Were Il;ot varia.ble, and weref ixed at t h time of' thlir manufa.cture. The T-43 used tape and'no cipher wheels.

l 7 ttCipher attachments" l-Tere 1:nsecure-;- The German te le-. pr inter cipher attachments, 01" "tunny" machines, are of' impor ta.nce ,t o ' A n g l o ~ A m e r i c a n cryptographers in showing them what not to do.All of' theactuB.11y bui l t models .of these machines we:re , insecure .Dr. Huettenhain, of' the S ignal In te l l igence ,6gency 'or the SupremeCommand, Armed F'orces, (OD/Chi \ ' tolg. Dr. j)ier11ng that t h e i r ' 'n s e c u r l t ~ was goodj 'or about two years , ,,5> but he eVidently hadrathe,%" high opinion of ,th e 5z-42a. and 5z-42b as used with beamedradio" b ~ c a . u s e he permitted the i r use pas t the two-year m ~ .50E 14 'p 6

20 ,

\ '


23/103

. 3560816

The 8Z-40 (ol'ig1n.al model) had tenmachanic.al cipher wheels:;with :fixed peg patterus. The ten .elements p r o d u c ~ d b ~ t h e ~ e 'wheels combined in pairs to form one sa t or 5 elements:; andthe se t was then used as the k e Y i ~ c h a ~ a c t e r for th e p1aint.ext char'B.cter to be enciphe:red.5. On..1.y 40 of' these machines- ' ; ~ 7 e l " e bu i l t . Dr. Fricke said tha t s ince it had been ascertainedt ha t single meBsages- of 1.1'000 l e t t e rs sent on the SZ:"40 (or,1'"gina l model) could be solved, It ' ' tias decidQd to t n t r o d ' ! l ~ e .machine ~ J ' i . t h an i rregularelemen1f in the wheel motiou. ' This:'was done by introducing the 8z-40 (regularL. whlc h' consisted of12 't..rheels: with changea,1;>le pat tar-ns.!' divided as follo1;rs: 5

" s p r i n g c e ~ e 8 a r " wheel.s, a l l of ltlhich s te pp ed itl unison but iI'X"sguJ.arly, being driven by a pa i r of "vorgelege" (control) wheels; .and 5 "s:paltencaesax,fl "t"heels, a l l of which stepped in unison .8,lCid regularly J' onee fOl" each character encipharedQAnglo ....Psuerican s o l u ~ 1 o I l ~ of messages sent on this machine were accOm=plished hy s t a t l s t 1 ~ a . l ~ a c o v e . r y of the p in p atte rn s of: the] . . , ( ~ g u l a l " l ~ r - s t e p p 1 n g wheels and the ' removal of" thair- et fee t sfrom the cipher texts; this was ' ~ e n folloved by recovery ofthe pin patterns of the 1rregulan ly-s tepp ing Wheels and tPe.. ' :remova.l of the i r effects Dr 0 Huettenhain believed that solut ion c o u J ~ d be o b ~ a : t n e d b y atta.cking the motion 'of .the f ive i r ~ e gular (Uflpringca,esar91) vhee l s f i r s tS) and therefore suggestedthe S Z - 4 ~ ~ a 1 which gave


24/103

'3560816

,.

regulurly-moving ';.:heels f ' i rs t . This made at tack on the i rregularly-amQving wheels possible. The Germans had evolved elabora.te ,p r o : t e c ~ t l o n for, the !roag, of t he i r 'machine.

',18. - p ~ o R o s e d 8Z-42c with SynChI"Onizatlon w ~ u i d have ,I t c r Y : R ~ i z e d W " a whole'pJ1cIioA!.p_cui t..... The S Z - ~ 2 c ' wes' being de- ,signed to llcryptize" a \ihOI"e redio,teJ.epr1riter c i rou i t . 55 ' \Telep:rinters on this cit 'cuit were t'o 'Operate a t a l l t imes, ,t r a n ~ , l i t t i n g a stream of, cha;raacters f"orming an ent i re ly uni,ntel-\ligib:Le' l t m e s s a g e t l " r h ~ n e v e r ' 'bonafide enciphered messages wereriot being sent . An interceptor would not be able, to dist inguishany signals represent ing r ea l ,messages f ~ o m those corresponding

( I ' to unintel l i 'gible 91' ra.ndom sequences of cha .ra cte rs . Therefo rethe number.l1 length, precedence" classif"ication, a.nd t1miIlg.o.fmessages wo-q.ld not be knQ'to1n to enemy in tercept , and the oircui twould be secure against t raff ic a.nalysis . Dr. Vie:lrling of theFeuerstein Laboratory ,1&S developing the c r y ~ t a l con'4rolled .synchronizing apparatus; ca l led OIgle1chlauf'" II which wa.s to keep,the telepr lntggs synchronized, ~ e g a r ~ l e s s of radio fad1ngand'interf 'erence., . . . ,The nonsense-to be tr-ansmitted on the a ir whenevermessages were' not, being sent would actually. be ,,"pure keylt. gener- ,atad ,by the SZ-42c. An. enemy would theretorehave a,great ad- .'- vantage, in trylp.g to crypta.nalyze the. ,sZ' ;'42c., . 'No one ca.n . .s tate a c c ~ r a t e l y what resul ts could have been obtained by_ane n a m ~ " given possession of tens o f thousands of consecutive char,acter's of purekeYJ) but the design 01" the SZ-42c appeared tobe 'secure f o normal-o:peratloIlo The fiveregularl.y-mov1ng ,wheels (spal t ~ n c a ; e s a r s ) ,of the e.ar11er models no longer were tomove regularly or even together; this would have prevented themethclds o f c ry -p tana ly tic a ttack - theretofore used by, the A n g l o ~Ameri.cans. Dr. Huettenhain was probably r igh t in his reportas fc.llows: 57 ' . ' . " "

"Wa Pruet 7 are a t the moment ,c arr ying out a.reconstruction. in which the f ive righthand Wheels are .driven separately i r regular ly. This e limina .tes a cardinalweakness o:f the SZ 40 and 42, the regular, ~ o v e m e n t o f ' ~ h e.8paltencaesar, and makes ,methods of r e e o n ~ t r u c t i n g thepin arra.ngements ' imposslble." - '

p 18


25/103

/ -

3560816A ful l description of the i n t e r a c t l n g 5 ~ t l o n $ involved in, ~ h 'SZ-42c: can be ~ o u n d in TICOM repo;rts. Br ief ly there were tobe J.O wheels;, Thes.e moved cOllstantly unless interrupteo. ' In te r - ,rupti()n of motion of' wheels 1" 2, 3, ,4, and 5, (which ,.,ere the'

~ p r i n g o a e s a ~ s and w h ~ o h m o v e d l n unison) was aocomplished by 'eact1.oIi of ~ h e e l s , 9 and 1-0; in terrupt ion of whe,el 6 wasaccomplished by Wheels Band 2; or 7by 9 and 3; or 8 by 10 and4; of 9 by,6 and'S; of 10 by 7 and 1 . ' I f it happened tha t a llv h e e l ~ J became stat ionary (t1;lus result ing-in monoa1phabetic, enciPherment). the machine counted to three, a.n.d then Wheels 1through 5 stepped automatically. " I", ~ r h e fi:rm of Lorenz" which 'Was developing SZ-'42c with ,e l e c t ~ o m a g n t l c drive, rather than mechanical, called the i r moqelof t h ~ ~ SZ-42c machine IlsK-44. II They also plB,nned SK-45, Which~ a . s t ~ : > be identica l 't-lith s ~ - 4 4 except r o r an e l ~ v e n t h wheel;the e le ve nth 'l'1heel was to step the machine pa$t "dead spots ,"so thl3.t the counting dev i ceused , l n 5z-,42c ror tha t purposewould not be needed

. :l9!. ~ o m e ' i a i . P ) l a r ~ ~ l e p r 1 , n t e r s l t w e r e secur,ell-- There \leref ive lnain types or \cipner. telepr:t"nters ,develo:ped by. Germancryptographer"s: T"'52 alb, T ~ S 2 c ( f i r s t model), T-S2c (regula.r) ,T-52d p , and T-52e . ,The T-52d(probably) and T-52e (cer ta in ly)were seCU1"e against known methods or attack, but were not aetua.llymuch in use on radio circuits ., . - .All f ive ot the foregoing cipher te lepr in te rs were important.because they introduced a new principle into teleprinter crypto'graphy: that of posit ionally transposing,as a f o ~ m of.s'uperenc1pherment, ,the .five s e p ~ r a t e ba.uds constituting the. se tcorresponding to each e i p h e r , ~ h a r a c t e r , af te r the normal orbasic encipherment had been a . c c o . m p l i s h e d . 5 ~ ,581 '57 ' E 1'4,59A s imilar pr1nc ip le i s the subject of aU .S . patnnt b t 1Mr., ,William F. Friedman of' the Army Secw1ty Agency. TheGer.'man cryptographers, however; b r o u g h t ' i n t o ~ c t u a l use. , the! r t ra t secret t ~ l e p r i n t e r s to employ these principles inpre,ctice." '

23

\ ~ .


26/103

DoctD: ,3560816 \,A ~ c h e m a t i c diagra.m d e m o n ~ t r a t i n g the principles involved

in the two processes of, enclpherment, spbst l tut lon and t ransposit ion, i s shownbe],.ow:4 '

" ,

'Batter.-y Plaln- Key- IJTranspos1t1on" SWitches Clphex,T Text ~ r e x t , Out-

"- Switches Switches PutI

j 1 : : > C ~ s t . - " y faud rX12nd 1- ~ : = X =Baud , ~ . ~ ., ---eiI.iI ./,. .:=>c: :rd "':\t .' .. ,' . It - f : ~ _>_Ba.ud l ' --t :=x.th , " - . ~ .... .Baud I ,. ' . . ' l1. 1J ' l ~ .. X, ~ l C ,th ' - ,"'J +aud -0 e'.

The foregqing diagram i s not e l e c t r l c a ~ l y a c c u r a t e , but'1 t i s accurate in principle . I t . indicates ,: for example, there,8ult of ....enclpherlng the pla;1n.; . textcharacter " e " ~ P l l , l s minusminus mlnusminus) by :the key,.text character "blank'(minusm l r r ~ s minus mlnusminus) and passing the resu l t through a t ransposit ion netvork as. shown, "with a transpos1.t1.ontak1ng. placebebreen the f i r s t and, f i f th bauds _ The result, 1s th e cha ra 'c te r11 t ,II ' , t ' ' '- ' l i t can be demonstrated that' the secur1ty of anyc1pherteleprinter employing the foregoing pt-inclples depends upon themanner o f genera ting the key-text ~ h a r a c t e r s , , the manner of, control l ing the t ransposi t ion switches, and, in addition. whetheror not tbe order of the transposition switches may'bechanged.

24f


27/103

3560816

All of the T-52 series of cipher te leprinters had tenmechanical cipher wheels, and the pegs on each of the,se wheelswere set into permanent peg patterns. In the T - ~ 2 alb model,each of the five key-text switches and the five transpositionswitches was operated by one of the ten mechanical wheels.The ten wheels moved regularly. The transposition s\fitchesthems.elVEl8 could not be interchanged. The ma,ch1ne was in s e c ~ e belcause the sett ings ot the wheels could be a t t a ~ e dindependemtly of one another and s ta t i s t ica l ly . In th eT -52c( f i r s t ) model, each of the five key-text switches was controlledby a glVEtn combina.tion of four of the tan mechanical wheels;eaoh of three of the transposition switches "ras controlled by agiven cOIltlbination of f o ot ten mechanical wheels; each of theremaining two transposition s\rltches was con'trolled by a givencombinatlon of six of the ten mechanical Wheels. The tenwheels moved regularly, and i t is believed that the order ofthe t r a . n l ~ p o s i t i o n switches was not changeable . Fur thermore ,the part:lcular choice the Germans made for the sets of fourWheels tl) be used in controlling the key-text swltches resulted in a limited number of substitution permutation com-bination:3" which made solution possible. This effect waspartiaJ.l:y eliminated in the T-52c (regular moga1) and for thisreason the regula.r T-52c was h a : . ~ d e r to solve 0 Mod'isl T-52d made the order of the transposition Bwitcheschangeable, and while each key-text switch and each transposit ion switch was controlled by only one wheel, the Wheels. them-selves stepped i rregularly. The movement of each wheel wascontrolled by the patterns of two other wheels, and interacting cont:rols resulted. Provision was also made for t heopt ional use or an additional plain-text control of the i r re-g u l a ~ motion. I t is seriously doubted i f this machine couldhave been s o l v ~ d even i t pure key was available from readingmessages in depth, solely b ~ c 8 u s e of the interacting, i r regular motion or the wheels.bl

-. 60Inspectorate 7/VI (In 7/VI) discovered that the T-52c wasbreakable in 1942, and suggested alte ratio ns th at led to theT-52d. I 18 p 11.615 ingl l messages might ha.ve been part ial ly I'ead. by a. cribmatchtng method suggested by Inspectorate 7/V1 (In 7/VI).I 78 p 12.

25


28/103

3560816

Modl3l T-52e had 'Wheel motion identical with that in modelT-52d. I ts order of transposition switches was not changeable"but each o the transposition switches and the key-text switcheswas operl9.ted by the combined pattern of' a set of four Wheelschosenf'or i t from the ten wheels. The T":S2e was thereforealso p r ~ b a b l y secure.Ful:l details concerning, the intera.cting and irregularwheel motions" the transposition of baUds,' and the manner inwhich wbeel patterns were combined to get 6 ~ P l i c a t i o n ofcontrols p are given in TICOM publications.20. C1 her tele r inter model T-4 used one-time" ta e . - The T-43 use a one-time ray tape to supp y the sequence 0keying characters J 'instead of' mechanical cipher ,.,heels a.s inthe otbar 'T-series models. The T-43 was just as secure againstcryptanalysis, therefore" since the key tapes. employed consistedof "random characters."In practice the key tape 'was generated by the running of afifty-meter-long loop of random tape over and over through a.T-52d machine" with the T-52d punching out the key tape as longas desired. The key tape ,..as not random in a true sense, buti t was unpredict.able f"or pra.ctical purposes" and secure."A serious electr ical defect in the T-43 wa.s discovered byradio engineers and corrected. This defect actually had' renderedthe T-41i insecure. I t resulted from the fact that at the insta.ntor encipherment the keying character vas electr ical ly slightlyout . o f .phase with the plain-text character. As a xaesult"minute i.nspection of the cipher characters on an oscilloscopepermitted sepSJ:'ation of the composite cipher characters into. theiz- pl.ain-text and key-text elements--:resulting in a "solution"Without cryptanalysis.OJ The moral from the above story 1splain: there are more ways than one to read a message.21. .Conclusion: Germa.n tele r i n t e rc r to raphic a a ratus iElwort t of deta e stu i l .-- To recap:tu ate, t outhe Angl.o-5er cans w:ere abIe to read German teleprinter t raf f icsent on ,important Army and Air Force l inks as a daily pro- ,cedure, because of the insecurity of the Sz-42a and sz-42b cipherattachments and the Willingness of the Anglo-Americans to buildthe expEtrl,sive machinery necessary fo r so lu tion, (SUCh a.s the .Brit ish "COlOSSUS"), -nevertheless the more recently developedGerman (:ipher-teleprinters (T:- series) were completely secure.

62i 45, I 20" I 3163r 45, . p 15

26


29/103

3560816

The la t ter units were designed along different l ines fromany l ines taken by Anglo-American development of teleprintercryptographic apparatus. They therefore make definite con-tributions to our knowledge. Their main featul"'es were:a. Irregular and interacting wheel motions.b. Use of baud transposition ~ an additional pro-tection, superimposing this on the basic substitutionprocess.Fuz:'thermore, the attempted development of a cipher attach-ment (SZ--42c) for cryptlzing a. rad io c ircu it jl thus protectingi t against t raffic analysis as well as cryptanalys is ; indicatedthat t h e ~ Germans were giving serious thOUght to a l l phases ofthe crYI)tograph1c problem.

27


30/103

3560816

Volume 2Chapter IV Cipher Device 41, the Cipher Box, theCipher Disk, and the "Number Printer ."

Para.graphGerman iCipher Device 41 ~ a a secure Hagelin-typemachine 0 0 0 0 0 0 o . 22Securit:y of C1pha?' Device 41 1ay1n interactingirregular cipher wheel motions . . 23"Oipher Box': 1..ra8 to replace Enigma . 24"Cif.her nisku "ras to be a s imp li .f ica ti on of the'e lp]ler Box 11 0 0 o' Q 0 0 0 0 0 0 0 0 . . . . . . 0 .. . 0 0 0 0 25Foreign Office I1Number Printer" produced' non- -randlDm one-time pads . . . . . . . . 0 26

22. German Ci her Device 41 was a secure Ha el ln- t emachine,a- Cipher Device 1 Sc uease geraet 1 was amechani


31/103

3560816also be reconstructed. As a consequence, no other messageson the same day could be read. This is not usually the case1n other Ha.gelin type machines, i i lcluding the U. ~ : : " Azomy converter M,-209.

23. Securitx of C i . . e . ~ _ Device 41 la.x in inte!B.cting,i r regu la r . Cil::!er-Wheel motions-- The se cu rity of Cipher Device 41 came rom the in te rac t lngand l r r e g ~ 1 a r movements ofi t s cipher wheel s .Her's again i s demonstrated the German capacity to makesecure lnprac t1ce an o th erw ise not too secure machine, byemploy1n,g the principles of in teract ing and irregula.r movlB-ments of' v h e ~ l s . "The, enciphering pr incip les of Cipher Device 41 may bedescribed as follows:a . I t had 6 meclianical Hagelin-type "pin" 'Wheels,"Pl'tme" to each other. In cryptographic p arlan ce, th e f i r s tf ive of these wheels had "kicks" o f 1"2 ,4 ,8 ,, and 10 re - .spective1ly. W h e ~ l 6 made these "kicks" posit ive or negative.b. The encipher ing cycle (one turn of the hand crank)consisted or three elements, as follow s:"Elelment 1 ." This element of the cycle took place i fand o n l ~ ' if ' wheel 6 had a.n active peg 1n the "motion indexposi t ion." . I f wheel 6 had such an act ive peg, then a l l thefollOWing events occurred: Wheel 1 moved one step. Each ofthe reIIlBLining four wheels moved one s tep , unless the wheelto i t s l e f t had an active pin in. i t s "motion index posi t ion,"in which cas.e each such wheel ~ o v e d t ~ < I ~ O steps ."Element 2." A key "kick" was generated, which was thesum of l3Lll the ' kicks of wheels which had active pegs in the"kick index posi t ions." This was so unless wheel 6 had ani n a c t l v e ~ pagg in the "kick index posi t ion," in which case thekey kicl1: which resul ted was equal to "25 minus the sum ofthe k i c ~ : s " of the whee'ls with active pegs. This key kickwas in e ~ r f e c t the "key text" or "key Character" Which was"added" to .the plain text character in encipherment. .Enc i p h e r m e ~ n t took place a t th i s point .. "EJ.ement 3." This element of the cycle was ident icalin p r i n c ~ i p l e ' to Element l, except tha t it occurred whetheror not \Theel 6'had an act ive peg in the "motion index positioO:W The purpose of this element was to insure some changein the ,rheel posl t ions before the encipherment or the nextl e t t e r (>1' tex t . i f any.

29


32/103

3560816

W'hEln one compares the foregoing i r regular and interact ingmotions ot the wheels, and the use o f o cc as io na l n eg ativ e kicks,wi th thEI simple regular motion and simple regular kick addi tiODof the u s ~ a l Hagelin-type maohine l the rea.son fo r the fa.r h:tgherorder 01' securi ty ot Cipher Device 41 i s indeed apparent . ,In 1945 the Bri t i sh had intercepted certa in t ra f f ic en Qciphered by Gez:.ma.n agents with Cipher Device 41., Several messages WElre read because of improper ~ e c h a n i c a . l working of oneot the D!achines. The ~ c h i n e I t s e l f ~ however; was not solvedtherebYJ and remained a mystery unt i l cap tu re r evea led i t s cons t ruc t i (m.' I t i s believed by invest igators that the mechanical designsor the Cipher Device 41 was poor but tha t i t s faul t s could probably bEl corrected by improved engineering. Mechanical pro- 'blemsiI l a l l l ikel ihood prevented i t s wider and ear l i e r use bythe GarDlans. "Cipher Device "41-Z" was a modificat ion of th e sta nd ardmodel 41. I t was designed to encipher ten f igures l n s t e a d 7 ~ rtwent y- t' i ve le tt er s , f or use by the German Weather Bureau_A Dlodel of Ciphe r Dev1ce41 whl'}h would be more compactandwoul.d eliminate the typewriter keyboard was also underc o h s i d e x ~ a t i o n J for use by f ront l ine troops 0

24.. " C i ~ h e r Box" va.s to rep lace E n 1 ~ a - - A mechanicaldevice, ' made out or aluminum and weighing "':;/4potLnds, wasbeing' d E ~ v e l o p s d " which involved cryptographic principles .en, t i re ly new to Garman cryptography. I t was hoped to use thisdevice 1 ~ rs;glace the Enigma in the German Army above the levelot diviflion21 .5 I t was called the "Cipher Box" ("Schluesselkasten") ~ ~ made use or the cryptographic principle of sl idings t r ips 0 j

_Lt .. Col. Mettig" ot the S ignal Intel l igence Agency ot t h Supreme COlllDiB.nd, Armed Forces (OKW/Chi) reported as follows:"""Field t es t s had been so successful a.nd had brOUght out thehandiriefls' and speed ot operat ion of the machine so cle arly , th ati ts intx 'oduct1on into the f ie ld army vas ordered. As the RBBA(Reich ' Security or i tce ) had a lre ad y g ot in ahead with the orderto r 70,000 i tems, mass production was introduced." The massproduc t j ~ o n va.s scheduled to have produced a t leas t one thousanddevices by October 1945 and to reach a ra te of 10,000 permonth b ~ January 1946.72D 59 p 257 : ~ I 96741 20,151 96 }O


33/103

3560816

No,cipher Box has ever been c a p t u r e d ~ and the descriptions are not sufficiently deta ile d to do more than revealthe crypt1ogra.phic principles involvg" leaving the mechanicsfor the imagination. Fricke stated"( that " i t consisted ofa small b,ox in the top of which was inserted a. slide rule."He descrl1bed the sl ide rule as consisting of tvo mixed alphabets which were written in by pencil with each key change .Half of the f i r s t mixed alpha.bet was written on the upper base ,Part of the s lid e ru le , the remaining halt of' thealphabet on the upper sl ide part of the s lid e r ule . Halfof the 'second mixed alphabet was written on the lower basepart of the sl ide rule $ the remaining half' of the "alphabeton the lo'wer sl ide pa.rt of the slid e r ule . The two alphabets were so written in that When the halves of the f i r s t(upper) a.lphabet were in phase wit,l:l each otheri theha.1vesof the second (lower) alphabet were out of pha.se, and viceversa.The drawing below i l lustra tes with sample alphabets theway this may have been done:

C :ZAKBLwr H ~ G ~N J l ~ S 1 ovx P U ' fN J : YQS r ovxp tr l ',

.BX.A L C D E G M. '1" K J B )A i, (1D E C 1"1 T KJn if \1. H p t y 'il 1 S If i _.,

Encipherment of a le t te r was accomplished by readingorf the l e t te r opposite i t on the s lid e r ule . Th,"s va.s tobe choseIl from whichever alphabet was "in phase" a t the time. ot enc1pl'lerment. I n the roregoing dra.wing" the cipher equl;"valent o f plain text " In a t the sett ing shown would be "A"a.nd the oipher equivalent of plain text "A" would be "I."Thus t h e J ~ e resulted exactly 26 possible reciprocal encipher-.ing a l p h ~ l . b e t s . ,Any sl iding-st r ip device is secure i f the success ivesettings of thesl idlng str ip are unp redic tab le . Secur ityor the C:Lpher'Box therefore had to rest primarily in themanner ~ successively sett ing tbe sl ide. ' Dr. Fricke saidthis was done as follows:"Under the sl ide were three Hagel in type Wheelson J , e p a . r a t ~ ues" in a plane perpendicular to that ot31


34/103

3560816

the sl ide. Each had a different period, around 26. (Thepin settings ,rere changeable)" The slide was pulled to theright against the action'of a spring, and upon release arovethe wheels. I t did not come to res t unti l at a reading posit ion of ~ a wheels on one side the pins were a ll active, '01'nti l a t ,another reading position on the other side theywere a l l inactive"77There were 26 stopping places possible,bu t no s tep zero ."Dr :Liebknecht of th.e Army Ordnance( DeveloPIDnt andT.esting Group, Signal Branch (We. Pruet 7 J stated: O( ." ."The tongue (sl ide) or the instrument wa.s shovedby hand to the r ight as far as i t would go, therebyputting a spring inside the Cipher Box under tension"By means o f p ress ing a blocking notch on the top ofthe Cipher Box, one causes the sliding tongue to moveback varying step lengths into the Cipher Box."

.t .

171 20. 'A cryptograph called the M-40, invented ~ InspectorMenzer of the S i g ~ a l Intelligence Agency of the Supreme Com-ma.nd Ar'med Forees (OKW/Chi), also employed three Hagelintype wheels for alphabet selection. This device was c o n ~side1"edl 1"easonaply secure but was never adopted. I t cori-. siated of a cylinder with 39 horizontal bars arranged aroundi t s peI'lphery,; the cyl1nderrotated in steps equal to oneplus the sum of the kicks given i t by the three Hagelin-typewheels.. The Hagelin-type Wheels had changea.ble pins. Nor-mal all)habetic sequences , each start ing however with a dif ferent le t ter of the normal alphabet J were permanently inscribecl on 26 of' the 29 bars; the reme.1ning 3 bars co"ntalned19dummy positions. It These bar.s. represented the plain componentsof enciphering alphabets of Which the common cipher componentwas o n E ~ mixed sequence written in by pencil on a fixed str ip,so fast,ened on the base of the device that the bars of thec y l i n d l ~ r could rotate' into juxta.position with ' i t . The devicewas cr;rptograph1cally equivalent to a pair o sliding str ips,withtl:le plain component a. normal alphabet, With the cipherc o m p o n c ~ n t a mixed alphabet" With the stepping contrc11.ed i r -r e g ~ a l t ' l y by Hagelin-type wheels, and vi th dumniy le t te r s 'throvn into the cipher text whenever a "dummy bar" came intopositi,on. See 1-118 for ful ler details . The C i p h e ~ B o x wasan l m p ; ~ o v e m e n t over the M-40, 1n that the small sl ide-ruleconstruction a.ccomplished nea.rly :the same l'esul ts as the la.rge.cylind,er construction, the Cipher Box had two "reading pos1t ions" fo.r the H a g e l i n ~ t y p e wheels instead of just one, andthere 'was provision to r two mixed alphabets to be inscrlbeOinstead of JUBt one.

781 57 P 9 32


35/103

3560816

, Nowhere in TIeOM was i t recorded whether or not theslide was pUlled to the r ight atter each encipherment, oronly when. necessary.Ser1.ous study or this device has not been undertaken asyet a t the Army Becur! ty Agency. However" the Germans fe l tthat it ~ I a s most secure. Lt. Col. Mett1g stated a.s follows: 79"The cryptographic security of this machine 1s veryhigh and was considered superior to that of the Enigma.The safety margin for the daily cipher was calculated int.htot neighborhood of 40 J 000, to 50,,000 le t tel 's, ' W h ~ r e a swith the'Enigma this margin was 20,,000 l e t t e r s . " ~ O

25. "Cipher Disk" was to be a simplification of.theIlCipher I ~ o x . h __ The Cipher BoX, small a.s i t vas, was the largerof twomtnra ture c ipher devices . 'The smaller device vas calledthe C i p h E ~ r Disk ("Schluesselschelbe.") DrSlLlebknecht gave.TICOM itfi best descr ip tion of this device. ,He said: '

e'"lfOberinspaktor Menzer designed this machine foragents. The machine was no.t to exceed' in size a shoe

p o l ~ L s h ' can. The encod1ngprinciple was s1milar to thatof 1 ~ h e Cipher Box. The equipment (consisted) of a.r o t l ~ t a b l e inner disk and a stationary frame. The diskand rrame h a d ~ o be prOVided with scrambled alphabets s1mil a ~ , to the Cipher Box. In operation the inner disk wasrotl3.ted against the frams, and thereby 1n a manner similarto the Cipher Box, put a spring under tension. By meansot ;9, pressure and blocking notCh, the disk is returnedin 'various step lengths back toward i ts original pos1-

, ~ t g n . l n contrast to the Cipher Box, in thiS machineonl'1 control (wheels) with fixed notches were to be used.In ' the design, th ree con trol Wheels to be set.from the 'outSide_ere to be included. The number or notches wasto 'be determined once a.na for a l l for each pair of devices(one for the agent and' one fo r c entral office). Forth is , a hand punch was thOUght of to r punching the notches .",791 9680See also D 57 p 4. '811 57 P 9.

33


36/103

3560816

According to Met't1g: 82"The security investigations on this machine byDr. Huettenhain and Lt. Dr. Stein proved 50 successfultha.t; it was decided to employ the C1phexa Disk as enciphering equipment to r forwa.rd (Army) units and indeed for f'orward of Regt HQ,."

In Dr. HuettenheinGs records was found the following, dated21 April 1 9 4 4 : ~ ' ."The Chiffrier department requires 00 10,000Cipher Disks and 20, 000 sets ea.ch of 3 pin disc blanks. 'I

a',, ,The Army Security Agency has as yet made no seriousstudy of this device, but i t . 1s believed tha t it has only

l i m l ~ e d s e c ~ r i t y .26. F o r e i ~ n Office "Number Printer" Rr0duced non ... ran

dam one-time pa s -- A report on G ~ r m a n cryptographic machineswould not be eomplete 'unless l t mentioned the "Number Printer"(ltNumerierwerklt ) of the Foreign Office Cryptographic Section(Pel's ZChl). This device printed "one-time pads." ,Thesewere used to encipher the Diplomatic Code Book (DeutschesSatzbuch,}j the system was called "GEE" a.t the Army SecurityAgency and was solved in th e w inter of 1944-450C r ~ p t a n a l y s t s believe tha t a "one-time pad" 1s eryptographice,ll.y 100% secure l i t i t is made up of randomaddit lveor key.' The emphasis must be on the frandom'" as yel l as onthe nOnEI-time.-" The German Foreign Office Cryptographic Section (PElrs 2Chi} ';'l:t3l'looked the "random" when they made use ofthe Number P r l n ~ e r .ThEt Number Printer looked almost exactly l ike a largeprinting "Job press." The type bed carried 240 small w h e e l s ~similar to the wheels on a rubber da.te stamp. Each wheelcarried a sequence or ten digi ts around i ts periphery. Thewheels ~ f e r e indiVidually remova.ble and interchangeable, asvel l as interchangeab le 1n groups. Each time the preas operated, it printed a ,sheet of paper with 240 numbers on i t .".(8 line:3 of 6 groups of 5 digi ts ) 0 The press could be adjusted 'to print up to thir ty sheets of paper identically,but was usual ly adjus ted to print two sheets identically,one she,at ot which became So page in a one-time fQsend" pad..while ~ n duplicate became a. page 1n the corresponding onetime "receive" pad. ,Before printing the next set of' two


37/103

3560816sheets, the machine proceeded to turn a l l the 240 wheels upone notch except such wheels as were a t the moment keptfrom turning by special mechanical means. The cryptographiclaws governing exactly wh1.:;h wheels paused in their m o v e ~ments, when and hoW' o t t e n ~ were extremely simple. In princ i p l e ~ this was accomplished by what might be termed "!!.2!!-turnover notches."These laws were discoverable by cryptanalysis. The resul t was that , while each page containednumbers, t.ha. t were random so far as that page alone was concerned, any given position on such a page was related to 'the same posit ion on a l l the succeeding pages, and thisnon-random property permitted reconstructing sequences involved OIl. the printing wheels. Shutfling of the sheetsbefore binding into pad forms, of course, added to the cryptanal-rats i! dlff1cul t ies , but did not p revent recovery and.almos t l ( ) ~ reading of messages. . '

No number Printer has ever been C p _ ~ ) t u r e d l ' B ~ TICOMdocumentl! contain descFlptions of ea.l'ly models, 8 ~ - 1 2 8 2 . Captured fi les ot the Foreign Office show tha.t

Number Printer apparatus was purchased from the G ~ r m a nfirms l ~ a s c b h e n t a b r 1 k Otto K r e b s ~ and Clemens Mueller, 1n1925# 1927; and 1933. See D.51 .p 4. 8imilar number printerapparatus was offered for sale to the Brit ish Governmenton 14 ,June 1932 by the Engl1sh rtrm Loranco L t d ~ , Engineers,by a Mr. Lorant ll who described the apparatus, showed photographs, and stated th at his firm, (Loranco Ltd.) had suppliedNumber P rinters to the German Government in 1925, 1928, and\19::;2. According to Mr. Lorant, the a.pparatus was for print -ing g1.ven numbers of copies of cipher. telegrams, although' t t bec,ame immediately a.pparent to the Brit ish Governmentrepres,entatives tha t i t s real purpose was the, generatingof ,pages of random addi t ives . Mr. Lorant s ta ted that Ger,man Gc)vernment had printed 2,000,000 pages Without a breakdown, and that they kept, a.n additional set of 250 spa.re "w h e e l ~ J from which to cho'ose: The Brit ish Government askedMr. L()rant to submit p r i c e s ~ but a.pparently subsequentlylos t in teres t in his apparatus. The'connection betweenthe Brit ish firm Loranco Ltd.; Engineers, and theGenmani'lrms., l s not known a t this time.

}5


38/103

3560816

VOLUME 2Chapter V G e ~ m a n C1phony

< Paragraph',German enciphered speech apparatus was ~ ~ u c e e s s t u l . 27Experiments showed frequency ,inversion inseeure . ~ 28Noise s u p f ~ r l m p o s i t i o n gave bad quality 29'"Time scrambling" vas inseeure.o . . . . . . o o 30"Big Bul1(Urig Block" proved too dif , t icul t to control . 31"Litt le Building Block" combined noise super-.. imposition and .frequeney inversion . 0, 32Hopes cen'tared on synthetic speech enciphered by. "triple vobbllng" . . 0 0 -; 0 ' 0 0 '. 0 " . 0 II 0 0 '" ct o. '3Conelusions: Germans, had no usable ciphony machines. 34

27. German enoiphered speech apparatus vas unsuccessful.-Telephone or radioPhonetX"ansmlssion of'intelligencej sw1ftly,laecuratelY3 and securely, has been a goal of cryptanalYststor many years. Stich speech encipherment i s oalled "ciphony."German experiments With ciphonywere singularly uns u c c e ~ s f u l . , N o satlsractory ciphony method W Q developeda t any' ti.me. 90 , ' " ,

.. ,Dr. Werner Llebkilecht; of the Ar,' Ordnance; Development and Testing Group.; Signal Branch "Wa P:ruef' 7") ,where ciphony experiments vere undertaken, stated:91"if' a process giving Uhintell1gible speech vasarr:l.ved at , then unfortunately i t always happened

thatlthe speech quali ty af'terunscrambling was nol o ~ ~ e r acceptable; and tne prooess of scramblingvas theref'oreunacceptable." 'S p e 4 ~ c h enclpherment experiments vere carried out bythe fol l l)vlng saven German commercial :flrmsfrom 19}7 to1940:

90 I 57911 5736


39/103

e-

3560816

1. Siemena and Halake, Berlin.2. Deutsche Telefon und Kabelwerke, Berlin.3. Sueddeutsehe Apparate Fabr iken , Berl in .4. A. E. G., Berlin. ,( "Allgemeine ElektrlscheGesellaehaf"t")5.'J:lelef'unken, Berlin.6. 'Dr; Vierling, Techn1scheHoehschule,Hanover.1. F'abrik C. Lorenz Aktleng...,li ,ellschaf't,Berlin, Muelhausen,'Thuer.In 1943 only Telefunken and Dr. Vierling worked on speechenciphering, and from 1944 on, only Dr., V i e r 1 1 ~ , a t hiaiJlboratorium Feuerstein ("Firestone Ls.bol'atoryl'l) a tE b e r m a n n s t a d t ~ G e ~ m a n y o ,, Dr. Vierl ing 's laboratory was eaptured almost . intactby TICOM, because of' Dl'. Vierling'aorders on the eve of'B u r ~ e n d e r that none of his expensive equipment vas to be 'destroyed. Ciphony and o ther varied electronic researcpeswere 1n progress at the t lmeof ' surrender. Two ArmySecurity .Agency ciphon)' engineers vere dispatched toEbermannstadt to exploi t the German, elphony research, inconjunction 'With U. S. Navy and Brit ish engineers. As aresult of' this exploitation, plus 1 n t e ~ r o g a t i o n s or otherGerma.n en.g1neers elsewhere i t i s believed ,the Germanciphony picture is fully known a t least as far as conoernsthe i r lat,est experiments.. Six main ciphony methods had been developed by GermanengineerEI. These methods vere called:

a Frequency inversion.b. Noise superimposition.c. Time scrambling. 'd. "Lit t le Building Block. Iteo "BlgBullding Block."f . Triple wobb11ng.Each m e t h ~ d in tUrn promised to prove less unsuccessful than

i t s predecessor.28. E x p e r ~ m e n t 8 showed freguency inversion Inseeure.--Methods of' frequency inversion usuall) ' reqUire that .speech frequencies {from 250 cycles per second to 2,750cycles) be bea t aga inst a "carr1er" frequency or about3,000 cycles. ,The resultant trequencies are the

differences 1n frequencies; these differences aretransmitted. Thus, 8. low speech frequency of say 300 .37


40/103

3560816

ecycles would be t ransmitted as a high frequencl of2,700 cyc:lea (or 3,000 cyclesmlnus 300 cycles) whereasa. high speech .frequenoy would be sent as a low one.

. The German inverter a p p a r a t u s ~ which eVidentlyY01"kedaJlong such l ines, vas "a large egulpment of thesize of !L . field telephone {insta.l lation) used in thef ie ld since the outbreak of the var. This set wasc o n s 1 d e r E ~ d safe and encouraged careless and insecureconversation. In rea l i ty it was. possible with anordinary receiyer to re e es tab l ish the impulses normally.rPheeauipment vas l therefore withdrawn from uni ts in1942. d92 " . .There are no other important references to frequency1nvel'sloll, and a.s it 1s considered insecure by mostt:nglneerlJ everywhere it 1s l ikely that no fur ther experimentl3 vere carr ied out by the Germans along simplel T i V e X ' ~ , i o J l l ines

. . 29 . Noise s ~ p e r i m p o s i t i o n g"ave bad Qua11tx:.--Method.s o.f noise superlmposi t lon requIre tha t tne super:I.mpoaed noise f requenci es cover the speech frequencybandwidth; so that the noise can mask out the speechoAt the r t ~ c e i v i n g end a noise i s applied exact ly equal tothat .appl ied a t the sending end$) exactly- 180 degrees outof p h a s e : ~ so that the noise componea ti s cance lled and clearspeech. ~ f 3 m a i n s . _ ..' . O. lLorenz, Berlin, experimented with th i s method from1937 to .1939, and found tha t f requency dis tor t ion overtransmisislon l ine

TICOM Vol. 2 - Notes on German High Level Cryptography

Documents

Transcript of TICOM Vol. 2 - Notes on German High Level Cryptography