Key Management

I’ve just read Robert Harris’ book ENIGMA which inspired me to watch the video starring Kate Winslet as plain (!) Hester and to do some digging into the cryptography behind the story. Some background… The Enigma machine was developed in the 1920s to encrypt text for commercial purposes, and was adapted and improved by the German military. Over one hundred thousand of these machines were produced and they were used to encrypt the communication between the military command and field units. One operator keyed the message in and a second transcribed the result which appeared on light bulbs. The encrypted message was then sent via Morse code over a radio link. To decrypt a message the receiver configured his machine the same as the sender’s and typed in the message. The clear text would be read off the light bulbs.

Essentially the device consists of three rotors which move much like an old car speedo each time a letter on the keyboard is pressed. Each rotor transposes a letter into a different one and the pattern doesn’t repeat until 26 x26x26 letters have been pressed. The details are too complicated to include here but for those who are interested there are many web sites. Nerds among you may wish to download a simulator from http://users.telenet.be/d.rijmenants/.

The German military was convinced that the large key space which was about 10 23 or 76 bits in modern crypto parlance would defeat any chance of code breaking. (76 bits is a million times stronger than 1DES which was only phased out in the 1990s.) Poor key management, however, enabled the Allies to crack Enigma and read much of the traffic and thus shorten the war.

Examples of the poor key management abound. For instance, some soldiers always used their girlfriend’s initials rather than a random pattern to set the machine up. The Luftwaffe used a different rotor order each day of the month rather than a random order. As part of the key exchange the initial message always repeated three letters. This leaked valuable information on the rotor order.

Additionally much known plaintext was transmitted such as the full title the message recipient (particularly if he was a senior officer). This allowed for automated attacks using the first electro mechanical computers developed by Alan Turing with help from Polish cryptographers.

The lessons for today are clear. Don’t trust some technically unbreakable system. People and their casual habits are the weak link. Good key management and operational procedures are essential to security.