World War 2 information security: hacking the Enigma

Everyone has heard of the German cipher machine called Enigma, mostly due to the fact its story fascinates all kinds of writers and filmmakers – most recently in the Oscar-nominated

Everyone has heard of the German cipher machine called Enigma, mostly due to the fact its story fascinates all kinds of writers and filmmakers – most recently in the Oscar-nominated film, The Imitation Game, about Alan Turing, the renowned founding father of computing, who was able to crack its code.

During World War II, Turing, as many of his fellow mathematicians (as well as linguists, egyptologists, chess players and even crossword compilers), worked for the so-called Government Code and Cipher School at Bletchley Park, which was Britain’s intelligence and code-breaking center designed to create means of intercepting and deciphering the adversary’s communications.

Enigma was the most sophisticated ciphering machine, securing the Nazi fleet and troops’ communications and was believed to be unhackable. However, cryptanalysts from Poland and Britain managed to find the way to decipher Enigma’s messages, giving the Anti-Hitler coalition a significant advantage (according to Churchill and Eisenhower, ‘the definitive advantage’) in WW2.

To see how Enigma functioned, check out the link or watch it in action on YouTube:

When typing a message, an operator would type a letter on the keyboard, then the resulting signal would be transmitted through the electric grid consisting of several rotors with contact elements, and then a substitute letter would appear on the dashboard, and this letter would then be used in the ciphered message. Rotors would turn after each input, and the next time the same letter would be coded into a different letter.

The creation of the “Bomba” cryptanalytic machine enabled a continuous process of decoding Enigma’s messages. It was the result of incredible scientific and analytical research, as well as some mistakes made by the Germans.

The creation of the “Bomba” cryptanalytic machine enabled a continuous process of decoding Enigma’s messages. It was the result of incredible scientific and analytical research, but at the same time, it stemmed from some mistakes made by the Germans when working with Enigma – as well as from the analysis of the machines and one-time pads procured in the course of raids or special operations when cryptanalysts worked with messages whose source text contained known words.

What are some takeaways of the Enigma story? The machine itself could not amaze anyone today in terms of information security methods. At the same time, there are lessons we can learn from this story:

1. Don’t dwell too much on your technical supremacy. The Nazis had good reasons to consider Enigma unbreakable, but the Allies created their own machine which was powerful enough to analyze possible machine settings and crack the code to decipher the message. It was a real quantum leap for the technology available back then, so it was impossible for the Germans to predict such a development. Now, we know what the “Bomb” machine of today’s cryptography would be: a quantum computer.

 

2. Sometimes, it’s hard to predict what would become the ‘weakest link’ in a well-organized scheme of information protection. The impossibility of a direct match between a letter in a source message and its counterpart in an encrypted message could seem like a meaningless detail, or even an appropriate solution then, but it was a way to mechanically sort out invalid keys: it would be enough to reject all options where at least one letter in the source message was matching a letter in an encrypted message.3. One should always look for an opportunity to make the key a bit more sophisticated. For common users, this recommendation applies to password generation. Back then, an additional rotor in naval modification of the ciphering machine, a.k.a. Naval Enigma, paralyzed the entire cryptanalysts’ think tank for half a year, and only upon obtaining a sample of this modified machine from a sunken submarine were they able to resume the work. As you can see from our password check service, sometimes a single character may significantly increase the time needed to crack your password.

 

4. Human factor plays an important role, even when dealing with sophisticated systems. We cannot be sure the Allies would have broken Enigma eventually, if not for tiny mistakes and rare cases of offhandedness the German operators were responsible for. On the other hand, the ‘human factor’ definition could be applied to the consistent effort with which the German command searched for other reasons for the Allies’ witty shrewdness instead of considering for a moment that Enigma had been compromised.5. Information supremacy is a double-edged sword. One of the most challenging tasks for the Allies’ command was using the information obtained from Enigma’s deciphered messages in a manner which would not compromise the advantage they got by cracking Enigma. Sometimes special operations were organized to masquerade the real reason for success (for instance, letting a plane fly over the theater of operations prior to attacking the escort guard or leaking information about supposed ‘valuable insider’ in the adversary’s intelligence). Sometimes it was necessary to give up on some operations (once, the Allies had to let Coventry be air bombarded by the Germans, as if the command was not aware).

We enhance our technologies and increase computing power day by day, but the basic principles of using and protecting information change at a much slower pace, so there are some useful lessons of the past which are still up-to-date.

But in case Enigma is just another fascinating story for you, we recommend you to watch such movies as Enigma (story by Tom Stoppard) or The Imitation Game (Alan Turing’s biopic), or read Cryptonomicon by Neal Stevenson. Moreover, there are ciphering machine simulators — for examples, this one is based on good old Excel.

Tips

Cybersecure Christmas

Many hacks have started during Christmas holidays. A few simple tips will reduce the chances of your company becoming the next victim.