security lessons from bletchley park and enigma
DESCRIPTION
Presented at DC4420 in London. A brief review of how the Enigma machine works, how it was broken, and how security people keep making similar mistakes today.TRANSCRIPT
Franklin Heath Ltd 28 May 2013
Security Lessons from Bletchley Park and Enigma
Image: Bletchley Park Mansion by Antoine Taveneaux
CC BY 3.0
Topics
How the Enigma machine works
How Bletchley Park exploited German mistakes
Five lessons we can draw from this
28 May 2013 2 © Franklin Heath Ltd
CC BY 3.0
The Enigma Machine
Invented by Arthur Scherbius in 1918 Commercially available from 1923 Adopted by German military from 1927
Several variants, notably: Enigma I, German army 1932 Enigma M4, German U-boats 1941
Principally mechanical Battery is used only to illuminate the output letter
Used throughout WWII by German military + agencies Estimated 100,000 machines produced
28 May 2013 3 © Franklin Heath Ltd
CC BY 3.0
Enigma Machine Components
28 May 2013 4 © Franklin Heath Ltd
Scrambler Rotors and reflector
Output Battery-powered lamps
Input Keys (switch and lever)
Plug Board Static, swaps letters
CC BY 3.0
Enigma Machine Components
28 May 2013 5 © Franklin Heath Ltd
Scrambler Rotors and reflector
Output Battery-powered lamps
Input Keys (switch and lever)
CC BY 3.0
Fully Functional Paper Model
28 May 2013 6 © Franklin Heath Ltd
CC BY 3.0
Example Enigma Settings Sheet
28 May 2013 7 © Franklin Heath Ltd
CC BY 3.0
Enigma Simulator
28 May 2013 8 © Franklin Heath Ltd
CC BY 3.0
Enigma Cipher Characteristics
26-letter alphabet Numbers typically spelled out
Reciprocal substitution cipher Operation is its own inverse
Independent of preceding text Message key sets start “state”
Never encrypts a letter as itself Keys are SPDT switches selecting
input or output
28 May 2013 9 © Franklin Heath Ltd
CC BY 3.0
Enigma Machine Key Length
4-rotor Enigma M4 2 possible reflectors 672 possible rotor choices 676 possible notch positions 532,985,208,200,576 possible combinations of plugs 456,976 possible starting positions = 221,286,292,668,406,558,235,295,744 possible keys Log2 gives equivalent binary key length: ~88 bits Still export-controlled today!
Yet it could be broken with 70-year old mechanical technology
Key length isn’t the most important characteristic 28 May 2013 10 © Franklin Heath Ltd
CC BY 3.0
Bletchley Park’s “Wicked Uncles”
Senior codebreakers recruited in 1939 Introduced mathematical and mechanised methods
1941 memo delivered to P.M Winston Churchill Response: “Make sure they have all they want on extreme
priority and report to me that this had been done.”
28 May 2013 11 © Franklin Heath Ltd
Alan Turing 1912-1954
Gordon Welchman 1906-1985 Hugh Alexander 1909-1974 Stuart Milner-Barry 1906-1995
CC BY 3.0
Types of Breaks into Enigma
Polish Cipher Bureau, 1932 onwards Common start positions (mitigated 1938) Repeated message key (mitigated 1940)
UK GC&CS, 1937 onwards “Rodding” using cribs (mitigated by plug board) Herivel tip, to deduce ring settings Cillies, to deduce message keys Banburismus, to identify likely rotor orders Bombe menus from cribs, to test rotor orders EINS catalogue, to deduce message keys and bigram tables
28 May 2013 12 © Franklin Heath Ltd
CC BY 3.0
The Turing-Welchman Bombe
28 May 2013 13 © Franklin Heath Ltd
Images Credit: Antoine Taveneaux
CC BY 3.0
Aside: What is This?
Part of the Turing exhibit at the Science Museum “a cryptographic aid used at Bletchley Park”
28 May 2013 14 © Franklin Heath Ltd
CC BY 3.0
Lesson 1: Cryptosystems have Subtle Flaws
Long keys do not alone make a strong cryptosystem
Stream ciphers can have unfortunate interactions with themselves (especially reciprocal synchronous ones) Attackers can take advantage of predictable plain text or even
predictable repetitions in otherwise unknown plaintext
Best practice for modern systems seems to be to use block ciphers like AES with chaining modes 2001 break of WEP (“Wired Equivalent Privacy”) exploited use
of duplicate initialisation vectors with RC4 stream cipher
28 May 2013 15 © Franklin Heath Ltd
CC BY 3.0
Lesson 2: Plan for Key Compromise
“Pinches” provided a way into new Enigma networks 1940 HMS Gleaner: rotors VI and VII from U-33 1940 HMS Griffin: settings and cribs from armed trawler Polares 1941 HMS Tartar: code books from weather ship Lauenberg 1941 HMS Somali: rotors and code books from armed trawler Krebs 1941 HMS Somali: code books from weather ship München 1941 HMS Bulldog: machine and code books from U-110 1942 HMS Petard: machine and code books from U-559
They had emergency procedures to switch to other settings Modern security systems need to have “renewability” too
for recovery from “class breaks” like the DVD CSS key breach in 1999
28 May 2013 16 © Franklin Heath Ltd
CC BY 3.0
Lesson 3: Users Pick Poor Passwords
Many Enigma messages were read by guessing the message key that the operator chose (“Cillies”) AAA BBB, QWE ASD, BER LIN, etc.
This was addressed later in the war by operational procedures Daily settings used as a pseudo-random generator
Cryptographic keys need more entropy than users can supply in the form of a password Salts, nonces, initialisation vectors, etc. You can crack many unsalted MD5 passwords just with Google
28 May 2013 17 © Franklin Heath Ltd
CC BY 3.0
Lesson 4: Pick a Good RNG and Trust It
Don’t be tempted to interfere to make it look random
German cipher staff had rules for not repeating rotor order and not plugging adjacent letters
This significantly reduced the number of possible settings that needed to be tried on the Bombe
Many security vulnerabilities in modern systems are due to poor randomness
e.g. Debian OpenSSL vulnerability in 2008
28 May 2013 18 © Franklin Heath Ltd
CC BY 3.0
Lesson 5: Don’t Underestimate the Enemy
German high command told Enigma was “unbreakable”
German cryptographers knew it was theoretically breakable, but thought no one would put in that much effort
Bletchley Park’s mathematical approach and production line methods led to industrial-scale cryptanalysis
Modern example: 2009 breaking of GSM A5/1 using precomputed rainbow tables
Used GPUs in a distributed collaborative project
28 May 2013 19 © Franklin Heath Ltd
CC BY 3.0
Summary
The Enigma machine cipher is elegant, efficient and has few significant inherent flaws
Bletchley Park benefited greatly from weaknesses in the key establishment procedures and from analysis of traffic for which keys had been compromised
Five lessons: Cryptosystems have subtle flaws Plan for key compromise Users pick poor passwords Pick a good RNG and trust it Don’t underestimate the enemy
28 May 2013 20 © Franklin Heath Ltd