Cryptology Annual News Update and Vignette

Bill Ricker

for BLU.org

Sept 21, 2022

Cryptology News Bulletins 2021-09 to 2022-08

Certificate Authority Root problems

Let’s Encrypt Root CA Expiration

https://community.letsencrypt.org/t/production-chain-changes/150739

  Rich Pieri via lists.blu.org  Fri, Oct 1, 9:34 PM  
  to discuss  
  Some CA bundles like the one distributed with Sylpheed for Windows
  contain several expired CA certs including the now expired
  DST Root CA X3 certificate.
  This can cause problems with Let's Encrypt certificates
  even though the bundle has the ISRG Root X1 CA cert.

Rot8000

ROT8000 is the Unicode equivalent of ROT13. What’s clever about it is that normal English looks like Chinese, and not like ciphertext (to a typical Westerner, that is).

- Schneier

web app
commentary

Not as easy to do in shell or Perl/Python as ROT13!
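An added example (my own code, not the rot8000 web app's implementation): a simplified ROT8000-style rotation in Python. It assumes the alphabet is every BMP code point except the surrogate range, rotated by half the alphabet so one function both encodes and decodes, just as ROT13 does for 26 letters; the real tool's exact alphabet and whitespace handling are not reproduced.

```python
# Simplified ROT8000: rotate the surrogate-free BMP by half its size.
# This is an assumption-based model, not the reference rot8000 code.
SURROGATE_LO, SURROGATE_HI = 0xD800, 0xE000              # excluded from the alphabet
SURROGATE_COUNT = SURROGATE_HI - SURROGATE_LO            # 0x800 code points skipped
ALPHABET_SIZE = 0x10000 - SURROGATE_COUNT                # 0xF800 = 63488 code points
ROTATION = ALPHABET_SIZE // 2                            # 0x7C00: half-way, so self-inverse


def _index(cp: int) -> int:
    """Position of a non-surrogate BMP code point within the alphabet."""
    return cp if cp < SURROGATE_LO else cp - SURROGATE_COUNT


def _code_point(idx: int) -> int:
    """Inverse of _index: alphabet position back to a code point."""
    return idx if idx < SURROGATE_LO else idx + SURROGATE_COUNT


def rot8000(text: str) -> str:
    """Rotate each BMP character half-way round the alphabet.

    ASCII lands around U+7C00, inside the CJK Unified Ideographs block,
    which is why plain English comes out looking like Chinese. Lone
    surrogates and astral (non-BMP) characters pass through unchanged.
    Applying the function twice returns the original text."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp >= 0x10000 or SURROGATE_LO <= cp < SURROGATE_HI:
            out.append(ch)
            continue
        out.append(chr(_code_point((_index(cp) + ROTATION) % ALPHABET_SIZE)))
    return "".join(out)


def looks_like_cjk(text: str) -> bool:
    """True if every character sits in the CJK Unified Ideographs block."""
    return all(0x4E00 <= ord(c) <= 0x9FFF for c in text)


if __name__ == "__main__":
    msg = "Hello, BLU!"          # constructed sample plaintext
    ct = rot8000(msg)
    print(ct, "->", rot8000(ct))
```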

PGP Fit for purpose?

“Why BSI can’t encrypt”.

Sebastian Schinzel @seecurity

“Why BSI can’t encrypt”.
The German Ministry of Information Security (BSI) just leaked one of its PGP private keys. The receiver initially asked for the public key and got the private key as an email attachment.

Don’t treat this as a failure of BSI people. They are good people. It’s more like “PGP is so shitty that even the BSI screws it up badly”.

c/o

Stephan Neuhaus @stephanneuhaus1 Nov 16, 2021

Cryptography is a machine for turning any problem into a key management problem.

(tweet since deleted, so quoted anonymously)

PGP is a program which turns cryptography into an arsenal full of foot-guns


Crypto News Feature: Post Quantum Cryptography

What’s Quantum Computing?

Quantum Superposition when used for computing.


Qubits are in a quantum superposition of True and False, which would be a bug in classical computing but is a feature in QC.

This allows non-deterministic algorithms.


Kinds of Quantum Hardware


In theory, algorithms for these hardware types can use non-deterministic parallelism to evade classical performance limits, and in particular could allow factoring fast enough to be dangerous, provided big enough quantum circuits can be made to work.


We’re discussing PQC before QC?

Yes !

(Chinese Space Agency claimed to have demonstrated?)

What’s the problem?


Every unbreakable cipher has been broken eventually (at least partially [1]).

20th-century RSA and other PKI are not guaranteed proof against either of:

Shor’s Algorithm would in theory factor fast on enough quantum circuits, but 21, the size of number factored so far, is not a large number yet. (See also Wikipedia.)

Other probabilistic quantum algorithms (Grover, GEECM, Variational Quantum Factoring (VQF)) can do some much bigger numbers (which may just define a new class of unsafe primes??), and with classical pre-processing can use a much smaller number of qubits than the “obvious” log2 N.

Not clear this will ever be able to break RSA-4096 in general, but it’s not impossible, so it is prudent to plan for that day.


Generalization of Forward Secrecy


* VENONA: It worked Once!
* We now have a Vacuum Cleaner of Holding (_Greenpeace photo c/o Wikimedia_)

So yes, it can happen again.

Normal Forward Secrecy requires that if e.g. the Host Key is compromised later, any retained cryptograms sent under ephemeral session keys negotiated with the compromised Host Key aren’t also compromised.

This is nice, but we’d also like to protect against advances of technology, e.g. fast factoring or solutions of discrete logs.

This may not be within your threat model, yet, but in dystopian plausible futures, things you’ve already discussed/downloaded might be retroactively illegal/disloyal and oops.


NIST’s Post-Quantum Cryptography Standards

The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. – NIST


and have it ready for use not only before the quantum breakthrough but early enough (roughly now) that anyone who wishes can avoid the save-intercepts-now-to-break-later threat; although it may already be too late with respect to the NSA archive?


NIST PQC Competition

The National Institute of Standards & Technology started a multi-round competition, similar to the AES and SHA-3 competitions.


NIST, the Bureaucracy formerly known as NBS.

This competition was “more brutal” than prior; of 69 candidates, peer cryptanalysis has broken 62. So far.


NIST PQC Selections for 2022

NIST PQC 2022-08-16 July 5th

† and weeks later into Round 4, SIKE was broken. Badly. 1 core-hour.
Well, that was “further research”.

So when can i play?

The plan is to roll out these new PQC ciphers as additional cipher options in TLS. Soon?

NIST PQC Schedule

Known weaknesses

Isn’t that an unlikely compromise?

No. It’s happened.


Lack-of-randomness failure isn’t just hypothetical: lots of SSH keys had to be invalidated in 2008 because they were drawn from a small, well-known set of primes [2].

(WTF? Yep. Debian packagers, applying normal best practices where they shouldn’t even have touched the code, had removed the entropy-harvesting because Valgrind and Purify gave “accessing uninitialized memory” warnings. Well yeah, that’s how we harvest entropy! Another problem (mostly solved?) is host key generation at VM start: the VM’s entropy is rather deterministic at that point. Similarly, optimizing compilers removing the zeroing of memory prior to releasing it can allow keys to leak into the memory pool. Cryptographic software is an ongoing battle against computer “science” that “knows better”.)

And failure to salt wouldn’t surprise me when non-specialists (application developers, database programmers, protocol developers), who should stick to packaged PKI use-case libraries (e.g. NaCl), try to use cryptographic primitive routines directly to avoid dependencies.


History Vignette - Pin&Lug Hagelin Cryptographs (C-3x/M209)

Bletchley Park Podcast

Bletchley Park Podcast E131: It Happened Here: Secrets of the Supermarina [3] (91 min)

November 2021

Many visitors to Bletchley Park are familiar with the story of breaking Enigma and reading German and even Japanese codes. But equally important work was done on Italian ciphers.

Not only were the Code-breakers able to read Italian naval messages, before and during the war, but this information was used to decisive effect in the Battle for North Africa, and the ultimate defeat of Italy in 1943. In this It Happened Here episode, Bletchley Park’s Research Historian Dr David Kenyon reveals the secrets of one of Bletchley Park’s lesser-known decryption successes.

As always, grateful thanks go to Dr Ben Thompson for voicing our archival documents.

Featuring the following contributors from our Oral History Archive:
Mavis Batey
Rozanne Colchester

Swedish Innovation, adopted by several countries

Hagelin M-209-A

Hagelin was placed in an existing firm by its investor, Nobel, and worked synergistically with the firm’s prior designer.

 perl -MList::Util=reduce -MNumber::Format=:subs -E '
    $n = reduce {$a+$b} (26 , 25 , 23 , 21 , 19 , 17);
    say format_number($n);'
131
 perl -MList::Util=reduce -MNumber::Format=:subs -E '
    $n = reduce {$a*$b} (26 , 25 , 23 , 21 , 19 , 17);
    say format_number($n);'
101,405,850

Besides mechanically implementing addition and multiplication with the rotor-cage lugs and variable gear, the pin-wheel pins interacting with the lugs through the actuator bar were effectively mechanical AND gates; and where a cage bar carried two lugs (an overlap), either pin could push it, making a mechanical OR gate.
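An added example (my own code, not from the talk or any historical key list): a minimal Python model of the M-209 / C-38 pin-and-lug keystream described above and the self-reciprocal Beaufort cipher of footnote 4 (C = K - P, P = K - C). The pin settings, lug placement, and the six-zero starting position are constructed sample values; the real machine's per-wheel pin reading offsets are ignored.

```python
import random
from math import prod

WHEEL_SIZES = (26, 25, 23, 21, 19, 17)   # pairwise coprime, so the period is their product
NUM_BARS = 27                             # lug cage bars on the M-209 / C-38


def period() -> int:
    """Keystream period before all six wheels realign: 101,405,850 steps."""
    return prod(WHEEL_SIZES)


def make_wheels(seed: int = 1) -> list:
    """Constructed sample pin settings: one active/inactive flag per pin."""
    rng = random.Random(seed)
    return [[rng.random() < 0.5 for _ in range(n)] for n in WHEEL_SIZES]


# Constructed sample lug setting: each bar carries 0..2 lugs, listed as the
# indices of the wheels they face. A real net took these from its key list.
LUG_BARS = [(0,), (0,), (1,), (1, 2), (2,), (3,), (3,), (4,), (4,), (5,),
            (5,), (0, 5), (1, 4), (2, 3)] + [()] * (NUM_BARS - 14)


def keystream(wheels, positions, length):
    """Yield one key value per step: the number of cage bars pushed.

    A bar is pushed when ANY of its lugs faces a wheel whose current pin is
    active: a pin+lug pair is a mechanical AND gate, and two lugs on one bar
    form an OR gate. After each character every wheel advances one step."""
    pos = list(positions)
    for _ in range(length):
        active = [wheels[w][pos[w]] for w in range(len(WHEEL_SIZES))]
        yield sum(1 for bar in LUG_BARS if any(active[w] for w in bar))
        pos = [(p + 1) % n for p, n in zip(pos, WHEEL_SIZES)]


def beaufort(text, wheels, positions, space_letter="Z"):
    """Self-reciprocal Beaufort: C = K - P (mod 26), so the same call decrypts.

    The M-209 used Z for the plaintext space; the Italian Navy C38m used K,
    which is why a reply to Naval HQ starts with the crib PERKSUPERMARINAK."""
    letters = [space_letter if c == " " else c for c in text.upper()]
    out = []
    for c, k in zip(letters, keystream(wheels, positions, len(letters))):
        out.append(chr((k - (ord(c) - 65)) % 26 + 65) if "A" <= c <= "Z" else c)
    return "".join(out)


if __name__ == "__main__":
    w, start = make_wheels(), (0, 0, 0, 0, 0, 0)
    ct = beaufort("PER SUPERMARINA ", w, start, space_letter="K")
    print(ct, beaufort(ct, w, start, space_letter="K"), period())
```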

Post-war Hagelin/CryptoAG pin-wheel models had further refinements (before going digital).

Cracking Italian Navy HQ’s Hagelin C38m pinwheel in WW2


Convoy instructions
- should never have been on radio! Did they not have teleprinters from HQ to harbor HQs like a modern military??
- should have been in Enigma or stronger, not Hagelin

BP’s cracking of Italian Navy ENIGMA is well known with respect to the Afrika Korps supply chain, but the Navy HQ Hagelin network was also vulnerable and exploited [5]. Contrary to ENIGMA-ULTRA legend, this, and not other ULTRA sources (e.g. ENIGMA), was the one tracking the Italian convoys to NAF: SuperMarina instructions to ports as to which ships were to go in what convoys! (Royal Navy traffic was mostly sent as “ZED” not Ultra; ZTG or ZTI: Zed traffic, Teleprinted, German/Italian. So this would be ZTI, the Naval equivalent of ULTRA.) Some books get this right, others don’t.

The Hagelin C-38 [6] is the pin-wheel additive system whose CX-52 successor and digital successor H-460 we discussed in the last two years as the CryptoAG RUBICON scandal.

The C38m is the Italian Marina (Navy) variant, with K instead of Z as the spacing letter.

The US Army (USA), US Navy (USN) and France used the C-38/M-209/CSP-1500 for tactical messages. The USA expected it to be crackable in 4 hours.

Italian Navy HQ used it for messages whose value lasted longer and were thus exploitable and worth cracking. They may not have thought of it as strategic, but the message value lasted longer than truly tactical.

How Broken

  1. Manual break of a depth
  2. Infer settings from key disclosed in longest depth fragment
  3. Read entire message, using Settings and analog hardware
  4. Use settings found to simplify breaking other messages

A mix of techniques was used.

One very long message, or several merely long ones, could be attacked statistically to determine the internal settings: first the cage lugs, and then the pins. The Italians wisely limited message size. But strategic use meant a long message was split into several max-sized parts sent with the same internal settings, so it was still possible.

Simplest crib: messages start with the equivalent of “To: (harbor name) HQ”, and since Italian has no use for the letter K, K (instead of Z) is hardwired as the plain-text space on the C38m, so the crib begins PERK. For messages replying to Naval HQ, the crib is PERKSUPERMARINAK, a nice long crib!

(Unlike Enigma, a letter can represent itself, so cribs are not draggable on a single message, only on depths.)

The Italian Navy indicator system, if properly used, would have been secure [7].

The French original commission for the Hagelin C series was for tactical use: low level on the battlefield, short-lived message value, so depths were somewhat irrelevant. The Italians used it for strategic high command: higher-value messages with longer-lasting value, worth depth-cracking; the anti-reuse instructions should in theory have been adequate, had they been practical. The US used the C-38 aka M-209 tactically; they saw how much work the British needed to break it in Italian Navy use even with poor praxis, and figured it was good enough.

(This touches on the previously discussed CryptoAG / CIA-BND RUBICON/MINERVA “scandal” [8].)

Inference: the regular fixed spacing of initial positions, intended to prevent partial depths since messages were limited to a length equal to the spacing, reduced the number of possible start positions that needed to be tried to read messages sent with the same internal settings as had been found from a depth. This roughly reduces the entropy of the start position from 6 wheels’ worth to 4 wheels’ worth. A search with fast analogs might be practical while still too slow if done manually, so it was thought safe by those without a Dollis Hill?

Talent

Another Bill Tutte / Tommy Flowers & Dollis Hill Gang at P.O.R.S. legend, one that is not yet fully understood!

Bill Tutte of BP and the Dollis Hill Gang for the win, before their latterly-famous “Heath Robinson” and “COLOSSUS” attack on Lorenz.

Tommy Flowers & Sidney Broadhurst of the Post Office Research Station, London (aka Dollis Hill) were better known to the public for their post-war work on ERNIE 1, the Post Office’s Premium Bond lottery randomizer, and in the unclassified electronics world (IEEE, ITU, etc.) for the electronic telephone exchange, 3 years before Bell’s comparable 1ESS was installed in NJ.

[Photos: ERNIE 1 with T. Flowers; S. W. Broadhurst and the Highgate Wood Electronic Exchange racks, 1962.]


Wm.T.Tutte (BP Research Section)

William “Bill” Tutte, who was their chief collaborator at GC&CS Bletchley Park, is now recognized as one of the great minds of Bletchley Park, in the Research Section, the solvers of unsolved problems. He was the first at, and master of, breaking Hagelin C38m messages in depths of 2 via the cross-riff method, which was necessary to find a stretch of key from which to deduce both the starting position and the internal key of the day.



Within Cryptology circles, they are remembered for Heath Robinson and COLOSSUS that solved TUNNY (Lorenz SZ40,SZ42) using valve (tube) electronics for higher operating speed. Before that, they developed relay-logic & stepper analogs for Enigma, STURGEON (Siemens T52), TUNNY, and Hagelin C-38 machines, that would at a minimum decipher a message whose key was known.

A NIGHTINGALE in the Post Office

NIGHTINGALE codename for a machine

“It is mostly unknown how it functioned.”

“An operator remembered it was like playing a church organ.” (implies both a keyboard and a bank of toggle switches?)

(BP say they may have an unlabeled photo that shows a repetition of 6 units, which would be one per rotor, so plausible!)

NIGHTINGALE was the “analog” (emulator) for the Hagelin (later CryptoAG) C38/C38m/M-209/CSP 1500/AM-1.


It reportedly had some cryptanalytic features beyond merely being a faster analog, which is partly substantiated by its still being classified some 75-80 years later.

(US reports on decrypting Hagelin machines are mostly still classified also. Possibly because of RUBICON exploitation of follow-on systems until very recently? Or perhaps (!swag!) possibly too similar to techniques that worked on Linear-feedback 1970s-1990s key generators?)

Extra cryptanalytic support functions may have included crib-dragging or statistics collection.

Hypothesis: given one valid starting position from the current set of (indicator → starting position) on the net’s monthly code sheet, search through starting positions offset by n×500 from there for trial decrypts, checking for statistics suggesting natural language instead of gibberish? Is NIGHTINGALE even enough faster than a manual C-38 that it could try on average 100k (= N/500) starting positions, each for enough steps to gather statistics? That’s not near the USA’s 4 hours unless steppers are faster than I think! Maybe they were wired to detect a very short crib, e.g. “PERK” in the first 4 positions?

Bauer states “Messages of 1000 characters are in any case at risk, since automatic decryption techniques for the M-209, for example, work well with messages of about 800 characters or more (pure cryptanalysis …)” and that thus the US allowed a maximum length of 500 [9].

Stepper Relays aka Uniselector

NIGHTINGALE was built with telecoms Stepper Relays aka Uniselectors, Stepper switches, Steppers.

Steppers could be used as inside-out rotors, when rotors were used as ROMs.


Enigma’s custom-wired rotors were effectively dynamic ROMs, mechanically rotated like an odometer to scramble the contents and effectively multiply the size of the ROM.

Eventually someone at pretty much each great-power cryptology bureau figured out that telephony uniselectors could be wired on the outside (instead of rotors wired on the inside), more simply, and operate faster and more reliably. (Although that makes swapping the wiring harder.)


Uniselector Stepper Switches / Stepper Relays were ubiquitous in pre-electronic electro-mechanical automated telephone exchanges (1927 how-to silent movie)


(and are why the old dial phones dialed, generating a pulse-train to step an activated stepper N steps).



As noted previously, how NIGHTINGALE was built has not been declassified. Yet. We infer that it used Uniselectors as the other machines of its class and origin did. We are told it had some cryptanalytic functions beyond fast emulation, but know not whether related to breaking or setting.

(From TICOM [10], we know that the Germans were capable of breaking US C-38 traffic as well. It was thought that they should be able to break it in 4 hours, so the US relegated it to tactical use. In reality, German exploitation was much slower and only when keys were captured or messages were sent “in depth”, in error. They had some custom breaking machinery but mostly used IBM Hollerith punch-card electric accounting machines / tabulating machines, which were also used at USN Station HYPO and US Army/NSA VENONA: general purpose, reprogrammable, but not as fast as BP’s special-purpose analyzers. German statements in TICOM suggest their fast analog of the M-209 (equivalent to NIGHTINGALE) would be useful for detecting depths also, and they had a device that could solve settings given 5 messages in depth with cribs (stylized beginning etc.) (DF 114, TICOM # 2785); the USA had a separate machine for finding coincidences, the Index of Coincidence (IC) machine.)

Bibliography & Footnotes

YouTube of this presentation will be linked here

Prior talks in this series - most talks have slides &/or YouTube attached, sometimes extras. Alas the YouTube audio pre-pandemic wasn’t great; BLU needs a donation of a wireless clip-on mike if we ever return to Hybrid/In-Person meetings. Or we all need to wear a wired or BT headset while presenting in person? If I can get a stealth stage headset that would be better visuals!

News and Focus sections have embedded links.

Good security news streams are https://www.schneier.com/crypto-gram/ and https://isc.sans.edu/, the latter being less cryptologic focus.

History section general references


  1. See our prior discussions of GEE, VENONA for breaks of One Time Pad

  2. DSA-1571-1 openssl predictable random number generator (CVE-2008-0166) (Schneier)

  3. Supermarina = Navy HQ; “Super” as in Superior, Above, Supervisory over the Navy.

  4. Not actually Caesar; Self-reciprocal Beaufort, C=K-P & P=K-C, reversed standard alphabet

  5. Regia Marina Italiana 1940-1943 Naval situation and impact.

  6. CryptoMuseum M-209/C-38 page

  7. More information on Indicators as used by Allies and Italian Navy: Hagelin serie C: Indicators (these m209 pages cover all C-38 users and variants including M209 and C38m, looking at national Indicator Systems, including C38m Supermarina.)

  8. See our prior discussion of CryptoAG RUBICON/MINERVA in 2020 (and minor mention 2021)

  9. Bauer, op. cit., pp. 191-192

  10. TICOM (Target Intelligence Committee) was like PAPERCLIP (collecting science/weapons papers and scientists) but for Intelligence/crypto/maths. (wikipedia, declass archive, archived I-45 inter alia)

  11. See above footnote on SuperMarina.