Cryptography in World War II, Lecture notes of Cryptography and System Security

Download Cryptography in World War II and more Lecture notes Cryptography and System Security in PDF only on Docsity! Cryptography omputers are most valuable when they are used to solve problems that humans cannot easily solve for themselves. Charles Babbage, for example, wanted to automate the production of mathematical tables, partly because it was a tedious task, but mostly because the people who undertook the necessary calculations made so many mistakes. Computers, however, are also useful when they solve problems faster than human beings. If you face a situation in which timeliness is essential, you may not be able to wait for results generated at human speeds. In such cases, it may be necessary to develop a technological solution to get the answers you need when you need them. In World War II, the Allies faced precisely this situation. The shipping lanes of the North Atlantic were under such threat from German U-boats that Britain was in danger of being starved into submission. Breaking the U-boat code was a critical turning point in the war and may have changed its outcome. Faced with a code that changed every day, the British had to develop mechanical tools that would allow them to read German military dispatches quickly enough to act on that information. Breaking the German military codes was an early application of cryptography, which is the science of creating and decoding messages whose meaning cannot be understood by those who intercept the message. In the language of cryptography, the message you are trying to send is called the plaintext; the message you actually send is called the ciphertext. Unless your adversaries know the secret of the encoding system, which is usually embodied in some privileged piece of information called a key, intercepting the ciphertext should not make it possible for them to discover the original plaintext version of the message. On the other hand, the recipient, who is presumably in possession of the key, can easily translate the ciphertext back into its plaintext counterpart. C The Navajo code talkers As you will discover in this chapter, cryptography was one of the earliest applications of modern computing. During World War II, a codebreaking team in England, building on earlier work carried out in Poland, developed specialized hardware that was able to break the German Enigma code. Breaking that code was critical to the Allied victory in the battle for control of the Atlantic shipping lanes. World War II offers other cryptographic stories as well—stories that underscore the fact that high technology does not necessarily offer the best solution to the problem of secure communication. In the war against Japan, the United States Marine Corps relied on the Navajo, a Native American tribe from the southwestern United States, to exchange messages over radio channels on which anyone might be listening. Approximately 400 Navajos served as “code talkers” from 1942 to 1945 and played a vital role in the war effort. Howard Connor, signal officer for the 5th Marine Division observed that “were it not for the Navajos, the Marines would never have taken Iwo Jima.” The code talkers did not simply speak Navajo over the radio. Military messages often include words that do not exist in Navajo, along with place names and other words that are hard to translate. If, for example, you wanted to send a message warning of submarines off Bataan, you would have to decide how to express submarine and Bataan, neither of which has a Navajo counterpart. To solve this problem, the code talkers used a variety of strategies. For common military terms, Navajo words were used to provide an appropriate metaphor; submarine, for example, was expressed using the Navajo words for iron fish. Place names were translated using a spelling strategy involving both English and Navajo. To send the word Bataan, for example, the code talkers first spelled it out using English words beginning with the appropriate letters. One possibility looks like this: bear apple tooth axe ant needle The code talker would then substitute the Navajo words and deliver the following message: shush be-la-sana a-woh tse-nill wol-la-chee tsah Navajo code talker at his radio during World War II The native speaker on the receiving end would listen for each word, translate it back from Navajo to English, and then record the initial letters. It is important to note that the spelling scheme used by the code talkers allows many words to stand for the same letter. The three occurrences of the letter a in Bataan are each represented by a different Navajo word, making the code much more difficult to break. The Navajo code talkers proved to be much faster than the encryption strategies adopted by the other service branches. A well-trained pair of code talkers could transmit a three-line message in 20 seconds; the fastest encryption machines of the day required 30 minutes to deliver the same message. More importantly, the code-talker strategy proved to be more secure. The Japanese were able to break the codes used by the Army and Army Air Core, but were never able to decipher the messages sent by the Navajo code talkers. On September 17, 1992, the surviving members of the Navajo code talkers were honored at the dedication of a commemorative exhibit at the Pentagon in Washington, DC. 209 Here Legrand, having re-heated the parchment, submitted it to my inspection. The following characters were rudely traced, in a red tint, between the death’s head and the goat: 53‡‡†305))6*;4826)4‡•)4‡);806*;48†8¶ 60))85;1‡(;:‡*8†83(88)5*†;46(;88*96* ?;8)*‡(;485);5*†2:*‡(;4956*2(5*—4)8¶ 8*;4069285);)6†8)4‡‡;1(‡9;48081;8:8‡ 1;48†85;4)485†528806*81(‡9;48;(88;4( ‡?34;48)4‡;161;:188;‡?; “But,” said I, returning him the slip, “I am as much in the dark as ever. Were all the jewels of Golconda awaiting me upon my solution of this enigma, I am quite sure that I should be unable to earn them.” “And yet,” said Legrand, “the solution is by no means so difficult as you might be led to imagine from the first hasty inspection of the characters. These characters, as any one might readily guess, form a cipher . . . such, however, as would appear to the crude intellect of the sailor, absolutely insoluble without the key.” “And you really solved it?” “Readily; I have solved others of an abstruseness ten thousand times greater. Circumstances, and a certain bias of mind, have led me to take interest in such riddles, and it may well be doubted whether human ingenuity can construct an enigma of the kind which human ingenuity may not, by proper application, resolve. In fact, having once established connected and legible characters, I scarcely gave a thought to the mere difficulty of determining their import. “My first step was to ascertain the predominant letters, as well as the least frequent. Counting all, I constructed a table thus: Of the character 8 there are 33 ; " 26 4 " 19 ‡, ) " 16 * " 13 5 " 12 6 " 11 ( " 10 †, 1 " 8 0 " 6 9, 2 " 5 :, 3 " 4 ? " 3 ¶ " 2 —, • " 1 “Now, in English, the letter which most frequently occurs is e. Afterward, the succession runs thus: a o i d h n r s t u y c f g l m w b k p q x z “. . . Let us assume 8, then, as e. Now, of all words in the language, the is most usual; let us see, therefore, whether there are not repetitions of any three characters, in the same order of collocation, the last of them being 8. If we discover a repetition of such letters, so arranged, they will most probably represent the word the. Upon inspection, we find no less than seven such arrangements, the characters being ;48. We may, therefore, assume that ; represents t, 4 represents h, and 8 represents e—the last being now well confirmed. . . . “But, having established a single word, we are enabled to establish a vastly important point; that is to say, several commencements and terminations of other words. Let us refer, for example, to the last instance but one, in which the combination ;48 occurs—not far from the end of the cipher. We know that the ; immediately ensuing is the commencement of a word, and, of the six characters succeeding this the, we are cognizant of no less than five. Let us set these characters down, thus, by the letters we know them to represent, leaving a space for the unknown—t eeth. “Here we are enabled, at once, to discard the th as forming no portion of the word commencing with the first t; since, by experiment of the entire alphabet for a letter adapted to the vacancy, we perceive that no word can be formed of which this th can be a part. We are thus narrowed into t ee, and, going through the alphabet, if necessary, as before, we arrive at the word tree as the sole possible reading. We thus gain another letter, r. . . . “I have said enough to convince you that ciphers of this nature are readily soluble, and to give you some insight into the rationale of their development. . . . It now only remains to give you the full translation of the characters upon the parchment, as unriddled. Here it is: A good glass in the bishop’s hostel in the devil’s seat forty-one degrees and thirteen minutes northeast and by north main branch seventh limb east side shoot from the left eye of the death’s-head a bee-line from the tree through the shot fifty feet out. 210 Gg Paag PPG Pag PP PG PAG PaG PAG Pa Pada a Pa Peagagd PpPpag Prada PPPag pa Pa bUagaG Pagq HHP pa (a) The following coded message is an enciphered version of the opening paragraph from a well-known English novel after removing all spaces and puctuation and then breaking the message into five-letter groups: LESTX KQLEY TQOJX ZEHYT QJQKL IQHST XAALY EXYSE SRYPH LJYPG QYTXK QVLKK QHGLY TYTQQ EHRXV GXJBR SEHSE XXFPR BOKKE XJPQY SHJPA SJQRS EHPTX KQGLY TEXYT LEOLE LYYXR LYHXG EXEXJ YXQSY LYGSR STXAA LYTXK QSEHY TSYBQ SERDX BVXJY Use Poe’s strategy to decipher this message. Remember that the letter frequencies are just an approximation and that E is not always the most common letter. (b) In the Sherlock Holmes mystery, The Adventure of the Dancing Men, by Sir Arthur Conan Doyle, Holmes receives several messages written in what appears to be “a number of absurd little figures dancing across the page upon which they are drawn.” See if you can apply Poe’s techniques to this cipher, which did not stump Holmes for long: woos ERE ER KAR BRE DARE wom EX ABV KY woes BAEK XEBTY moe AK AX woes LEB R ISIN Me SIKH XID LIL wore BORK LISLEN, THA OPPeag pag pa PPP PG Ppa Ppa ppPag Phag HAG Pp pa ba D NPG PG PG Dwg pa Pag Pa PG PG PagAGG PHYPAD  211 In describing the solution to Captain Kidd’s message, Poe offers a general technique for solving monoalphabetic ciphers: calculate the frequency of the letters used in the ciphertext and correlate the appearance of coded sequences with the frequency of letters in English. By guessing that the letters appearing most often in the ciphertext correspond to the most common letters in English, you can usually make a good start toward solving such puzzles. If you try to solve cryptograms on your own, however, it will help you to know that Poe’s list of the most common letters is not in fact correct. Computerized analysis reveals that the most common letters in English are E T A O I N S H R D L U Given that statistical studies of English text were by no means as well developed in Poe’s day, Poe can perhaps be excused for making a few mistakes. What Poe did realize is that solving a monoalphabetic cipher requires a strategy. The Caesar cipher, for example, requires one to check only 25 possibilities before the correct plaintext must appear. In the general case of a letter-substitution cipher, there are 26 possible letters to choose as the coded representation for A, 25 remaining possible letters to choose as the coded representation for B, 24 possibilities for C, and so on, for a total of 26! (26 × 25 × 24 × . . . × 3 × 2 × 1) possible encodings. This number is extremely large, equal in decimal notation to 403,291,461,126,605,635,584,000,000. Even with modern computers, it isn’t feasible to solve this problem by trying every possibility. One needs instead to be more subtle. 11.3 The Enigma machine In many ways, modern computing got its start during World War II. On both sides, the war focused attention on military priorities and made it possible to apply unprecedented levels of resources in an attempt to gain the advantage. The Germans, for example, made enormous investments in missile technology, which led to the development of the V-1 and V-2 rockets that fell with such devastating effect on England during the Blitz. In the United States, the Manhattan Project brought together the leading scientists of the day to develop the atomic bomb. As noted in the introduction to this chapter, the war forced Britain to apply considerable resources to the problem of deciphering messages that the German High Command used to communicate with the army, navy, and air force. Although each service branch used a slightly different technology, all were built upon a common foundation that made it possible for the Allies to break those codes. 214 11.4 The codebreakers In 1938, recognizing the danger of war in Europe, the head of British intelligence purchased an estate about 50 miles northwest of London called Bletchley Park, which became the home of the Government Code and Cipher School. More than 10,000 people worked at Bletchley Park during the war, under the strictest secrecy. The task of breaking Enigma fell to a team of cryptographers at Bletchley Park working under the code name Ultra. The Ultra team employed many of Britain’s best mathematicians, including Alan Turing, the inventor of the Turing machine described in Chapter 8. Despite its enormous complexity, the mathematicians of Ultra managed to break the Enigma code. In fact, they did so several times. Cryptography is in many ways a race between codemaker and codebreaker. The Germans made periodic improvements to the Enigma both before and during the war. With each redesign, the codebreakers had to come up with a new strategy to overcome the enhancements on the German side. When the German navy added a fourth rotor to the Enigma in February 1942, the Allies were unable to read Enigma traffic for ten months. By the end of the war, however, Bletchley Park was able to decipher most encrypted messages in less than a day. Being able to read German military communications was vital to the Allied cause. In 1941, Alan Turing and several of his colleagues wrote directly to Prime Minister Winston Churchill requesting more resources for the decryption effort. Fully aware of the importance of the Ultra project, Churchill replied Make sure they have all they want on extreme priority and report to me that this had been done. Action this day. After the war, Churchill is reported to have told King George VI that “it was thanks to Ultra that we won the war.” The cryptographers at Bletchley owed a considerable debt to the Polish cryptographers Marian Rejewski, Jerzy Różycki, and Henryk Zygalski, who were able to break the Enigma code in 1932. In the process, they also developed many of the cryptographic techniques that would later guide the British effort. Fortunately, the Polish team was able to share its decryption work with the Allies shortly before the German invasion of Poland in 1939 that marked the beginning of the war. The Polish team later made their way to France, where they carried on their cryptographic work along with French colleagues. When France itself was overrun, the Poles again escaped to England. Although the secrecy around the wartime cryptographic work meant that the Polish contribution to codebreaking remained unknown for many years, Bletchley Park now has a monument to commemorate the essential work of these Polish mathematicians. Zygalski, Różycki, and Rejewski 215 11.5 The internal structure of Enigma Before you can understand how cryptographers were able to break the Enigma code, you need to know something about how the machine works. Figure 11-4 shows the internal structure, focusing on the wiring of the rotors and the steckerboard. Each of the three rotors in the Enigma machine has 26 contacts along its left and right sides. Current that comes in at one contact on the rotor is redirected to a contact on the opposite side according to the internal wiring pattern, which is different for each rotor. Each rotor therefore implements a reordering of the letters, which mathematicians call a permutation. The steckerboard also implements a permutation, which is set manually according to the instructions in codebook. The letters at the top of Figure 11-4 indicate the rotor setting. Typing a character on the keyboard automatically advances the rotor on the right, thereby changing the pattern of connections inside the machine. When that rotor has completed a full revolution, the middle rotor advances one step; in much the same way, completing a revolution of the middle rotor advances the rotor on the left. The rotors therefore advance in a fashion reminiscent of the odometer on a car. The right rotor advances 216 on every character and is therefore called the fast rotor. The middle rotor advances once every 26 characters and is called the medium rotor. The left rotor advances only once every 676 (26 × 26) characters and is unsurprisingly called the slow rotor. Figure 11-5 shows what happens if the operator types the letter A on the keyboard. Pressing the key advances the fast rotor, which changes the rotor setting from JLY to JLZ. The Enigma machine then applies a current to the wire leading from the A key at the right edge of the diagram and, at the same time, disconnects the A lamp so that only the encrypted version of the letter appears. The current flows across the steckerboard, then through the three rotors from right to left. It then passes into a circuit element called the reflector, which implements a fixed permutation. From the reflector, the current flows back across the rotors in the opposite direction and then passes through the steckerboard one more time. As shown in the diagram, the current initiated by typing A ends up on the wire labeled K, which causes the K lamp to light. Thus, given the rotor setting JLZ, the ciphertext form of the letter A is K. The encryption patterns generated by the Enigma machine are difficult to break because the machine implements a polyalphabetic cipher in which the encoding 219 If the sender is behaving in his usual way, you suspect that this message contains the plaintext sequence If you can figure out where in the message this sequence occurs, you might then be able to use the pattern of letters to make deductions about the settings of the Enigma machine. If these deductions allow you to determine the rotor pattern and the wiring of the steckerboard, you have broken the Enigma code for that day. Aligning the crib with the ciphertext The first challenge in implementing the known-plaintext attack consists of figuring out where in the ciphertext the suspected crib might occur. Fortunately, many of the potential positions for the crib can be ruled out simply by taking note of the fact that the Enigma machine never translates a letter to itself. For example, the crib cannot occur at the beginning of the ciphertext because the letter N would have to map to itself in the fourth character position, as would the letter E a bit further on, as shown in the following diagram: The codebreakers at Bletchley used the word crash to refer to positions at which a letter in the ciphertext matches its counterpart in the crib. The first step in the decryption process is to slide the crib under the ciphertext until no crashes occur. Figure 11-7 on the next page shows what happens if you carry out this process for every possible alignment of the crib and ciphertext. There are only two possible alignments that produce no crashes, which arise from shifting the crib five and six characters to the right, respectively. If the crib is correct, it must be in one of those two positions. After eliminating the alignments ruled out because of crashes, the cryptographers at Bletchley would then try each of the possible alignments to see whether any of the remaining possibilities gave rise to a consistent rotor setting. Deducing the rotor setting Once you have a possible alignment, you can use the patterns of letters in the crib and the ciphertext to make inferences about the rotor setting. The basic idea is that only certain settings of the rotors will produce the pairings of letters you see between the crib and the appropriate region of the ciphertext. If you could use that information to eliminate all but a few of the possibilities, you could then check those settings by hand. 220 FIGURE 1 Crashes that rule out certain alignments between the crib and the ciphertext UAE/N\F VRLBZPWM/E\PM IH KEI EBESONDER\E/NEREIGNI 0 7 a a fe x 7 = e KWRAXQEZ oO oO m x 7 = e KWRAXQEZ INEBESONDERENEREIGN oO o AG neecsabencweneren x 7 = ca x = a > x 2 m N BESOND m z m a m a z oO oO m Neve oecouodaewcnens AM m z m x 7 = cay x = a > x 2 m N UAENFVRL/B\Z PWMEPMIHFSR J KEINE\B/ESONDERENEREIGNISSE UAENFVRLBZPWM/E\PMIHFSRJXFMJKWRAXQEZ KEINEB UAENFVRLBZPWMEPMIHF S/R\J X FM J KWRA X Q/E\Z KEINEBESONDE 8 UAENFVRLBZPWM/E\PMIHFSRJXFMJKWRAXQEZ KEIN\E/;BESONDERENEREIG SSE z  221 If there were no steckerboard, this process would be entirely straightforward. What you are looking for is a rotor setting that transforms some portion of the ciphertext back into the crib. Suppose, for example, that you assume that the crib appears at an offset of 5, as shown in the first boxed possibility in Figure 11-7. What you then need to do is find some setting of the rotors at which typing in gives you back Carrying out this analysis manually would certainly be time-consuming, but there are only 1,054,560 possible arrangements and settings for the rotors. If all 10,000 people at Bletchley Park—working in parallel—were able to test one of these settings every minute, you would find the solution in less than two hours. Of course, given the resources available to Bletchley Park under Churchill’s designation of “extreme priority,” it would not have been necessary to divert all of Bletchley’s personnel to test the configurations. Given the technology of the time, it was possible to build a mechanical device to step through the 1,054,560 arrangements and settings of the rotors, checking for a match. Unfortunately, the existence of the steckerboard rules out this simple strategy. Even if you find the right rotor settings, typing in won’t regenerate the crib, because the letters are transformed by the connections on the steckerboard. If testing all possible arrangements of the rotors takes two hours, adding in the complexity of trying all 216,751,064,975,576 steckerboard wirings means that the process would take on the order of 10 billion years, which is a rough approximation of the age of the universe. The critical insight that allowed the allies to break Enigma is that certain patterns in the letter pairings between the crib and the ciphertext are independent of the steckerboard. Consider, for example, the circled pairs of letters in the presumed alignment at offset 5: The numbers below the characters keep track of the index of the character in the crib, beginning—as is conventional in computer science—at index position 0.