security lessons from bletchley park and enigma

Franklin Heath Ltd 28 May 2013

Security Lessons from Bletchley Park and Enigma

Image: Bletchley Park Mansion by Antoine Taveneaux

CC BY 3.0

Topics

How the Enigma machine works

How Bletchley Park exploited German mistakes

Five lessons we can draw from this

28 May 2013 2 © Franklin Heath Ltd

CC BY 3.0

The Enigma Machine

Invented by Arthur Scherbius in 1918 Commercially available from 1923 Adopted by German military from 1927

Several variants, notably: Enigma I, German army 1932 Enigma M4, German U-boats 1941

Principally mechanical Battery is used only to illuminate the output letter

Used throughout WWII by German military + agencies Estimated 100,000 machines produced


CC BY 3.0

Enigma Machine Components


Scrambler Rotors and reflector

Output Battery-powered lamps

Input Keys (switch and lever)

Plug Board Static, swaps letters

CC BY 3.0

Enigma Machine Components


Scrambler Rotors and reflector

Output Battery-powered lamps

Input Keys (switch and lever)

CC BY 3.0

Fully Functional Paper Model


CC BY 3.0

Example Enigma Settings Sheet


CC BY 3.0

Enigma Simulator


CC BY 3.0

Enigma Cipher Characteristics

26-letter alphabet Numbers typically spelled out

Reciprocal substitution cipher Operation is its own inverse

Independent of preceding text Message key sets start “state”

Never encrypts a letter as itself Keys are SPDT switches selecting

input or output


CC BY 3.0

Enigma Machine Key Length

4-rotor Enigma M4 2 possible reflectors 672 possible rotor choices 676 possible notch positions 532,985,208,200,576 possible combinations of plugs 456,976 possible starting positions = 221,286,292,668,406,558,235,295,744 possible keys Log2 gives equivalent binary key length: ~88 bits Still export-controlled today!

Yet it could be broken with 70-year old mechanical technology

Key length isn’t the most important characteristic 28 May 2013 10 © Franklin Heath Ltd

CC BY 3.0

Bletchley Park’s “Wicked Uncles”

Senior codebreakers recruited in 1939 Introduced mathematical and mechanised methods

1941 memo delivered to P.M Winston Churchill Response: “Make sure they have all they want on extreme

priority and report to me that this had been done.”


Alan Turing 1912-1954

Gordon Welchman 1906-1985 Hugh Alexander 1909-1974 Stuart Milner-Barry 1906-1995

CC BY 3.0

Types of Breaks into Enigma

Polish Cipher Bureau, 1932 onwards Common start positions (mitigated 1938) Repeated message key (mitigated 1940)

UK GC&CS, 1937 onwards “Rodding” using cribs (mitigated by plug board) Herivel tip, to deduce ring settings Cillies, to deduce message keys Banburismus, to identify likely rotor orders Bombe menus from cribs, to test rotor orders EINS catalogue, to deduce message keys and bigram tables


CC BY 3.0

The Turing-Welchman Bombe


Images Credit: Antoine Taveneaux

CC BY 3.0

Aside: What is This?

Part of the Turing exhibit at the Science Museum “a cryptographic aid used at Bletchley Park”


CC BY 3.0

Lesson 1: Cryptosystems have Subtle Flaws

Long keys do not alone make a strong cryptosystem

Stream ciphers can have unfortunate interactions with themselves (especially reciprocal synchronous ones) Attackers can take advantage of predictable plain text or even

predictable repetitions in otherwise unknown plaintext

Best practice for modern systems seems to be to use block ciphers like AES with chaining modes 2001 break of WEP (“Wired Equivalent Privacy”) exploited use

of duplicate initialisation vectors with RC4 stream cipher


CC BY 3.0

Lesson 2: Plan for Key Compromise

“Pinches” provided a way into new Enigma networks 1940 HMS Gleaner: rotors VI and VII from U-33 1940 HMS Griffin: settings and cribs from armed trawler Polares 1941 HMS Tartar: code books from weather ship Lauenberg 1941 HMS Somali: rotors and code books from armed trawler Krebs 1941 HMS Somali: code books from weather ship München 1941 HMS Bulldog: machine and code books from U-110 1942 HMS Petard: machine and code books from U-559

They had emergency procedures to switch to other settings Modern security systems need to have “renewability” too

for recovery from “class breaks” like the DVD CSS key breach in 1999


CC BY 3.0

Lesson 3: Users Pick Poor Passwords

Many Enigma messages were read by guessing the message key that the operator chose (“Cillies”) AAA BBB, QWE ASD, BER LIN, etc.

This was addressed later in the war by operational procedures Daily settings used as a pseudo-random generator

Cryptographic keys need more entropy than users can supply in the form of a password Salts, nonces, initialisation vectors, etc. You can crack many unsalted MD5 passwords just with Google


CC BY 3.0

Lesson 4: Pick a Good RNG and Trust It

Don’t be tempted to interfere to make it look random

German cipher staff had rules for not repeating rotor order and not plugging adjacent letters

This significantly reduced the number of possible settings that needed to be tried on the Bombe

Many security vulnerabilities in modern systems are due to poor randomness

e.g. Debian OpenSSL vulnerability in 2008


CC BY 3.0

Lesson 5: Don’t Underestimate the Enemy

German high command told Enigma was “unbreakable”

German cryptographers knew it was theoretically breakable, but thought no one would put in that much effort

Bletchley Park’s mathematical approach and production line methods led to industrial-scale cryptanalysis

Modern example: 2009 breaking of GSM A5/1 using precomputed rainbow tables

Used GPUs in a distributed collaborative project


CC BY 3.0

Summary

The Enigma machine cipher is elegant, efficient and has few significant inherent flaws

Bletchley Park benefited greatly from weaknesses in the key establishment procedures and from analysis of traffic for which keys had been compromised

Five lessons: Cryptosystems have subtle flaws Plan for key compromise Users pick poor passwords Pick a good RNG and trust it Don’t underestimate the enemy


security lessons from bletchley park and enigma

Education