the cryptology of the german intelligence services

8/3/2019 The Cryptology of the German Intelligence Services

1/38


2/38

DocrD 3 5 2 5 8 9 8

Contents of this publ icat ion should not be reproduced, or fur ther disseminated outside the u.s. IntelligenceCommunity without the permission of the Director, NSAlCSS. Inquiries about reproduction and dissemination shouldbe directed to the Office of Cryptologic Archives and History, T54.

1

i.i

.. _ . J


3/38

DOCID: 3 5 2 5 8 9 8

1=8P SEER!' tlM11tA

UNITED STATES CRYPTOLOGIC HISTORY

SERIES IV

World War II

Volume 4

The Cryptology of the

German Intelligence Services (U)

David P. Mowry

This document is classified TOP SECRET UMBRA in it s entirety andcan not be used as a source fo r derivative classification decisions.

OFFICE OF ARCHIVES AND HISTORY

NATIONAL SECURITY AGENCY/CENTRAL SECURITY SERVICE

1989

'Fep SEEREt' tlM11tA


4/38


5/38

DOCID: 3525898f e ' SEeRE' tlM11tA

Foreword

The second part of David Mowry's history of German clandestine activity in SouthAmerica is devoted exclusively to descriptions of the cryptographic systems used by theGerman intelligence organizations and their agents in South America. In fact, thisdetailed report covers German cryptographic systems used ona number of agent circuits inEurope as well. Mr. Mowry's interesting work invites a number of questions aboutGerman cryptography. For example, what does this collection offacts about these systemstell us about the state of German cryptography during World War II? Were these systemson a pa r with those ofthe United States, England, Japan, or more or less advanced? Werethey new, obsolete, innovative, standard? Was there a correlation between the system andthe level of information? And what of German security procedures and practices? Mr.Mowry has provided a valuable service in identifying an d describing these systems.Perhaps future historians will attempt the challenge of answering these more generalquestions. I t is, however, an excellent companion piece for his part one.

Henry F. SchorreckNSA Historian

v I UP SeeR!' tlMBRA


6/38

DOCID: 3525898

TOP SEERET YMIR.t.

The Cryptology of the GermanIntelligence Services

Introduction

Historical records concerning the exploitation ofAxis clandestine traffic in World WarI I ar e few. The following account depends primarily on GC&CS Secret Service Sigint,Volumes I-III, which covers the period 1928-45; "History ofOP-20-GU (Coast Guard Unitof th e Naval Communications Annex )," which coversonly the period 1941 to 30 June 1943and is concerned primarily with administrative matters r athe r than the cryptanalyticeffort itself; and History of Coast Guard Unit #387; 1940-1945. Both the Coast Guard andthe British Government Code &Cipher School (GC& CS) cryptanalytic histories cover theentire war, bu t consist of series of technical reports on the cryptanalytic methods used,with little regard for historical continuity, and little or no traffic analytic information. Inaddition, there is a file of over 10,000 Coast Guard translations of clandestine messages.Because the following is a synthesis ofall ofthe above sources, footnotes have been omittedexcept for information derived from Colonel Albert MacCormack's London trip report andfor th e descriptions of the cryptographic machines developed by Fritz Menzer of th eAbwehr, which ar e taken from TICOM (Target Intelligence Committee) documents. Thisaccount is not to serve as a course in cryptanalysis, but rather as a description ofGermancryptology. The reader is referred to the appropriate histories for details ofanalysis.

Each of th e cryptanalytic agencies at this time used it s own cryptosystem titling andcase notation conventions. Coast Guard system titles consisted of a letter or digraphfollowed by a digit. The letters were "S" for substitution systems, "T" for transpositionsystems, "ST" for substitution followed by transposition, an d "TS" for transposi tionfollowed by subst itut ion. The systems were numbered one-up by type. Case notationsconsisted of a digit, signifying geographic area, followed by a one-up literal serializationwithin area. GC&CS broke th e clandestine network down into 15 groups, notated I to XV.Individual links or "services" received a digital notation so that, for example, Stuttgart-St.

Jean de Luz was notated Xl290 and Paris-Wiesbaden was notated 111/20. Unfortunately,no equation list for the Bri ti sh notation system has been found. Cryptosystems werereferred to by th e link notation. In the following discussion, terminals will be given whenknown.

Code Systems

On 1 January 1940, messages encrypted with a dictionary code were intercepted on theMexico-Nauen commercial circuit. Only 11 letters were used in the transmission: A, C, E,D, H, K, L, N, R, U, and W, with N having the highest frequency. I t was apparent that aletter-for-number substitution was being used, with N as a separator. Anagramming theletters gave th e result:

O U R C H W A L K EN

1 2 3 4 5 6 7 8 9 0 -

Thus, the text

UHHNR LNDAL NURND WCNCK

1 fe p S[RA' U BRA


7/38

DOCID: 3525898

TOP SECRE I UMBRA

became255-38 178-23 164-79 . . .

Three other key words were used during the eft'ective period of the system. All wereeasily recovered. All of th e 1940-41 messages in this system were sent with the addressesSUDAMERIAT, WEDEKIND,SUDAMERO,

orEGMARSUND.

Simi lar traffic was sen t from Chile to BACOCHASE in March 1942, s igned by th eGerman ambassador to Chile. In these messages ten-letter key words were used with theother sixteen letters of th e alphabet serving as separators. Eventually it was determinedthat th e dictionary used was Langenscheidt's Spanish-German Pocket Dictionary. Withthis discovery all messages were completely decrypted.

With the beginning of th e war in Europe, th e Coast Guard was ta sked wit h thecollection of commercial circuits between the Western Hemisphere and Germany. Thiscollection revealed that many Axis-dominated commercial lums in Mexico and Centraland South America were using enciphered commercial codes in their communications withGermany.

The largest group of messages in enciphered commercial code used the Rudolph Mossecode with the let ters of each code group transposed and a monoalphabetic substitution

applied to th e last two letters of th e transposed group. These messages used th e indicatorOPALU as th e lus t group of text (AI group). Traffic was passed to and from SUDAMERO andSUDAMERIAT, Mexico; SUDAMERIAT, Hamburg; an d SUDAMVORST, SUDAMERO, an dSUDAMERIAT, Berlin.

In August 1941, traffic from SOLINGEN in Nauen, Germany, to BOKER in Mexico usedth e same code book with a subtracter ofseven applied to each letter (i.e., EMUAS becameXANTL). Other variations were noted: in 1941, MUENCHIMPO, Hamburg u sed a mixedarrangement of Rudolph Mosse and Peterson codes and other links used Acme, Peterson,Mosse or Alpha codes either enciphered or in combination with one another.

Three other codes were intercepted, two of them designed for encoding stereotypedweather messages. The Dago code (GC&CS terminology), used by German ships in th eBaltic Sea, encrypted figures with a daily-changing key and encoded words with a twoletter code. A slid ing code was used by all of th e German trawlers in the Ijmuiden. Twosliding strips were used with clear values on a fixed table, with single-letter code values onone strip and mononome or dinome code values on th e other. The Al group of eachmessage gave the posit ion of each strip against an index mark and the number ofcharacters in th e message. Circuit IU405's five-letter code used th e InternationalSignalbuch with a simple substitution applied to thefirst character ofeach group.

M O D o ~ p h a b e d c S u b s d t u d o n

Only four monoalphabetic substitution systems were used by th e G erman agentorganization. The lus t of these was initially intercepted on the England-Germany circuitin October 1940. The preamble consisted of two four-letter and two three-letter groupswhich contained the date and t ime of encryption, character count, and serial number,encrypted with a monoalphabetic letter-for-figure substitution. The alphabets used inencrypting both the preambles and the messages were derived from a disk. There weretwo parts to th e disk, each of which carried an alphabet and a series of numbers and couldbe rotated relative to th e other. Each agent was assigned a IlXed key letter. This letter, onth e inner disk, would be se t against the date (mod 26) on the outer disk. Plain values onth e inner disk were then encrypted with cipher values from the outer disk. The numbersin both the preamble and in the text were similarly encrypted. OP-20-GU

Tep SEEREf tJMIR)Ic 2


8/38

DOCID: 3525898T O D SECREt UMIA.:l:

interpreted th e observed phenomena as a Vigenere square with progress through thesquare governed by the date, with a separate key used to encipher numbers in th e text.The underlying plain text was English. The British were notified and it was later learnedthat they had arrested the agent and taken over h is station. (Author's note: This waspossibly th e agent SNOW mentioned in part one.)

Circuit X/203, a ship, used a letter-for-figure substitution for encrypting it s weather

reports which consisted ent irely of figures. Twelve different keys were used. Thepreamble consisted of the Q-signal Q'M' followed by a three-letter group. The first andthird letters of this group were th e equivalents of one and two, respectively, in th e keybeing used.

A third system, referred to by the Bri ti sh as the Wigo cipher, was a dinomicsubstitution without variants sent in five-figure groups. The ZI group ofthe message gavea character count and the ZO identified the substitution set. The users ofthis system werenever identified.

The only other monoalphabetic substitution system noted, first intercepted on th eH a m b u r g ~ C a p eSpartel circuit in January 1945, was used to report convoys spotted offCape Spartel . The plain tex t was Spanish and eight substitution systems were used indaily rotation.

Polyalphabetic Substi tut ion

A number of links used variations on Gronsfeld polyalphabetic substitution, where allcipher alphabets were direct s tandard with th e offset from t he plai n componentdetermined by a running key. The maximumoffset, therefore, was nine.

The "French Gronsfelds" used on 11I320 and 11/321 used a flXed 20-long key; while11/335 used daily-changing, v a r i a b l e ~ l e n g t hkeys. No indicators were used.

One variation on Gronsfeld cipher was used by an agent in England to communicatewith his headquarters in occupied France. The system, referred to by the British as th eConstantinople cipher, used the word "Constantinople" to derive th e daily key. Anumerical key was derived in the normal way and then multiplied by the date. Thus, forth e eighth ofthe month

CONS T ANT INO P LE2961213171448101153

x8

23689705371584809224

In October 1941, Rio de Janeiro was intercepted using a seven-alphabet Gronsfeldwith a key of 3141592. Since 3.141592 is the decimal equivalent of th e mathematicalconstant pi, this circuit was dubbed "the pi circuit.;'

The so-called "Dutch Gronsfelds" were not, strictly speaking, true Gronsfelds, sinceth e slide of one alphabet against th e other could exceed nine letters. The term is somewhatjustified, however, by th e fact that th e different shifts of th e slide used in encrypting a

message never differed by more than nine. The key was periodic, based on th e date, withtwo digits always used for th e day and one or two digits for the month. Thus, 2 March wasrepresented by 023 and 25 December by 2512. These figures were converted to letters by adaily-changing key to give a three- or four-letter key. In encipherment, th e fust letter ofth e key in th e cipher component was aligned with A on th e plain component and the fustlet ter or text was enciphered; th e second letter or th e key was aligned with A and the

3 1'e ' SEeREl UMBRA


9/38

DOCID: 3525898

TOP SECRET I::JMBRA

second letter was enciphered, an d so on, repeating th e key as often as necessary.All of th e above used direct standard alphabets. Some other circu its used random

mixed alphabets. The "Spanish Substitutions" used tables offive random cipher alphabetsin various ways, while th e "Bordeaux Substitutions" used tables offive or te n alphabets.The BF cipher used a 21-10ng key to encrypt traffic passed on the N a n t e s - P a r i s ~ S t . - J e a n de-Luz circuit. Keys were changed infrequently an d the traffic could be identif ied by theletters "BF" in th e preamble. The XJ203 circuit , mentioned above, used a ten-alphabetsubstitution for traffic other than weather. T he starting alph ab et was in dicat ed b y anumber in the preamble. That alphabet was then used to encipher the first five letters, thenext alphabet enciphered the next five letters, etc., cycling after the tenth alphabet.

Much l at er, i n 1944-45, th e Shanghai-Canton circuit used a periodic polyalphabeticsystem to pass information concerning ai r traffic between China and India, United Statesai d to China, United States p la ne s a nd e qu ip me nt , an d i nfo rma tion a nd ru mor sconcerning Russia. Each message used five alphabets taken from a 24-alphabet Lat insquare. The alphabets to be used in each case were indicated by a five-letter AlIZOindicator. Each alphabet served as both plain an d cipher component, offset according to akey derived from the date of th e message.

Digraphic Substitution

Two digraphic substitution systems were used. The first , a double-square Playfairsys tem was used according to normal ru les. The second used a Playfair-l ike square inwhich any character from th e same column as th e plain letter could be used as a columncoordinate and any character from th e same row as th e plain letter could be used as a rowcoordinate. Thus, i n the square

NAT I 0l S E C UR Y G B 0F H K MP

Q v Wx Zth e letter P could be represented by 16 different digraphs:

OF UF OF ZF OH UH OH ZH

OK UK OK ZK OM UM OM ZM

As used on th e Cologne-Maastricht circuit, the let te r J was omitted from th e square.The key was chang ed m on th ly, bu t only one key was broken as th e traffic ha d noparticular value. On another circuit , the underlying plain was in French a nd the l et te r Kwas omitted. In this case, ten non textua l letters at the beginn ing of text probablyconstituted a concealed preamble enciphered with a key.

Single Transposition: Columnar

The story of th e vvv TEST-AOR circuit has already been told in part one. In January1941, when th e FBI asked th e Coast Guard for assistance in th e solution o f a group o f

TOP SECRE I UMBRA 4


10/38

DOCID: 3525898

'Fe, SEER!' tJMIRA

messages, examination revealed that they were copies of the traffic being relayed fromGLENN to AOR through VVV TEST. The system was diagnosed as a simple columnartransposition and solved. Traffic on the VVV TEST-AOR c ircuit used a 20-wide key. Therelay traffic turned out to be in two systems: a simple columnar transposition using a 16wide key that was later reversed an d then r ep laced by a 23-wide key; and a grille

transposition which will be described later.In April 1941, Coast Guard intercept operators found another circuit with th e samecharacteristics as the VVV TEST-AOR circuit, using the callsigns REWand PYL. The controlsounded very much like AOR. The A1-A4 groups ofthe messages, enciphered by a numberkey, contained date, t ime, and character count. Traff ic on this circuit read as columnartransposi tion on a 20-wide key. This key was later reversed and still later replaced byanother 20-wide key. In June 1941, Hamburg instructed the outstation Valparaiso to usethe Albatross edition of th e novel South Latitude as a key book. In the use ofthis key bookthe agent was assigned a secret number which, when added to the date and th e number ofthe month, designated the page from which the number key and transposition key were tobe extracted. Dummy letters were inserted in the plain text according to th e transpositionkey for the first 100 letters of text. For example, i f the key began 18, 20, 15, 11, . . . . , t hefirst dummy character was inserted in the 18th position, the second 20 letters af ter that,

the third 15 letters after that, etc. In the second 100 letters, the dummies were placed so asto reflect those in the first 100, making a symmetrical pattern.The Belgium-France-England circuits were similar to the above, except that the keys

varied in length from circuit to circuit , keys were taken from a line of a key page, therewere no dummies, and the key page was given by an indicator inserted in a fixed positionin the message.

Two Hamburg-Rio de Janeiro circuits were sister circuits tha t came up atapproximately the same time. The key books for these circuits were the Albatross editionsof In the Midst of Life an d The Story of Sa n Michele. On one of these circuits th e agent'ssecr et number was added to the da te plus eight time s t he number of the month todetermine the page from which the key was to be extracted. Traffic on the Bremen-RiodeJaneiro circuit had "buried" indicator groups at A4 an d A6. Breakingthese out with a keynumber gave th e date, time, two-figure serial number, an d two-figure key number.

On th e Lisbon-Portuguese Guinea circuit th e AI 0 group contained the key indicatorenciphered with the.key number. Text was inscribed boustrophedonically in columns withdummies at the top ofcolumns 1 and II , in the second position in groups 2 an d 12, in thethird position in 3 and 13, etc. Long messages were broken into 10-deep matrices, eachseparately transposed. On Lisbon-Lourenco Marques the A8bcd (the middle three lettersof th e A8 group) constituted the page indicator to an unknown book. All columns readdownward, with dummies at the top of columns 1 an d 9, in second place in 2 and 10, etc.Messages were transposed in toto, not broken up into multiple matr ices. On the LisbonNorth America circuit th e indicator was in the A5bcd. Key length was 17 an d dummieswere placed at the top ofcolumns 1 and 10, in second position in 2 and 11, etc. The dummypattern was reflected after nine lines. Messages from America began with an internalserial number. The messages on th e Lisbon-Azores circuit carried a character count in thepreamble with the key page given in A7abc and the dummy pattern identified in th e A7de.

In the system used by Stettin-controlled stations, one basic key word provided all thekeys. Key 01 was derived in th e normal manner. For subsequent keys the key word waspermuted cyclically (see fig. 1). Key lengths varied considerably from circuit to circuit .Dummies were placed according to the transposition key as on Hamburg-controlledcircuits. The preamble gave the key number and the character count.

5 TO' S!CR!T tJMIRA


11/38

DOCID: 3525898

TOP SEERETYMIRA

Key Word: A N T E N N E N A N l A G E A N T E N

Key 01 1 9 14 4 10 11 5 12 2 13 8 3 7 6Key 02 9 14 4 10 11 5 12 1 13 8 2 7 6 3Key 03 14 4 9 10 5 11 1 12 8 2 7 6 3 13Key 04 4 9 10 5 11 1 12 8 2 7 6 3 13 14Key 05 9 10 4 11 1 12 8 2 7 5 3 13 14 6Key 06 9 4 10 1 11 8 2 7 5 3 12 14 6 13

Fig. 1. Derivation of Stet tin Transposition Keys

On th e Stuttgart-Libya circuit, th e key word appeared in th e cipher text, inserted oneletter a t a time in prearranged positions, namely:

01 07 13 19 2526 32 38 44 5051 57 63 . . . .

Th e preamble gave a character count, th e middle or first digit of which gave th e position ofan indicator group. For t he purpose of wri ti ng i n th e key word this indicator groupcounted as a textual group an d one of i t s let te r s was a letter of th e key word. The otherfour letters gave th e length o f t he key word enciphered twice, each on a di fferent keynumber.

Single Transposi t ion: Combs and Grilles

The comb transposition system used on Cologne-Rio de Janeiro used th e "Bluejacket"edition o f the King James version of th e Bible as a key source. This circuit used dailychanging callsigns an d th e specific indicator for th e d at e of encryption was g iv en b yincluding th e callsign for that d at e i n t he preamble. This date determined the page of th ekeybook from which th e key was extracted.

Page = 30 X numberofmonth X date X 10

The number "10" above was a secret agent number assigned to this agent for t he y ea r1941. It was changed to "20" in 1942. This gave a page range of 41-401 for 1941 and 51411 for 1942.

Figure 2 illustrates th e encryption process using Genesis 1:1 as key. Inscribed acrossth e top o f the matrix, th e key phrase determined th e order of transposition of columns.Odd numbered columns were extracted from top to bottom, even numbered columns frombottom to top. Written down th e left side of th e matrix, th e position of each le tter o f th ekey phrase in the standard alphabet determined th e length of that line in th e matrix.

In th e case of Hamburg-Sao Paulo, only th e Hamburg terminal was ever heard an donly five messages were read . After th e agent involved was arrested in 1943, i t was

TO P S K I n "MBRA 6


12/38


13/38

DOCID: 3525898

TOil SI!CRI!T tJM11tA

Pagel in Glueck. The key page was determined by adding the agent number to th e day ofth e year.

Only six keys were recovered on Hamburg-Lisbon, an d th e key book, which was ineither Spanish or Portuguese, was never determined.

Grilles were sheets of cardboard divided into squares with some of the squares cu t out.P la in t ex t was written into th e cutout squares horizontally and extracted vertically bykey. Dummy characters were inserted in prearranged squares (see fig. 3a). The grillecould be used directly or in reverse (Le., turned over) an d in anyone of four orientations,giving eight possible positions for anyone grille.

Late in th e autumn of 1940, intercept operators collecting th e Chapultepec-Nauen ILCcircuit intercepted some suspicious traffic from cable address VOLCO in Mexico City toBRAJOB in Berlin. These cable addresses were later changed to GESIK and INTERCIALE. Incontrast to th e commercial code traffic usual ly in tercepted on ILC, this traffic wasevidently transposed German text using low frequency letters as nulls. Further analysisdetermined tha t an overlay of some sort, with two sides, was being used. This overlay ha d135 open cells (27 five-letter groups) with certain cells marked for th e insertion of nulls. Infigure 3, lowercase letters are nulls; th e plain tex t is th e same as in figure 2. Anyone of

1 1 1 14 8 2 5 1 6 3 7 9 3 2 0 1

o E I N E N R V I E R X x WAS C H B v E p R I C H T E T 0 l 0 S M 0 B I lE X 0 l 0 S M O

B I l E m H E k R S T E l ' l T j M 0 N A

T l I C H H U N O E R T T A U SE N D S T U E 9 C K E I N f S F U E NF F . U E N F c M M b . MM U N D H U N O E R T T A U S E NOS T U E

Fig. 3a . Grille Transposition Matrix(Lower case letters ar e dummies)

th e eight corners of th e grille (obverse or reverse) could be placed i n the upper left-handcorner.

Although th e system is technically only a single transposition, the method effectivelyprevented solution by th e normal method of matching columns and anagramming th eresulting rows. Since there were no stereotyped beginnings or endings in this traffic, th e

TOP sECRE I tJMIRA 8

---------. _ - - . _ -


14/38

DOCID: 3525898.OP SECRET tJM11b\

NEMLJ ISMNU HBNKT ULMCV RBSEH

TSUEA NFATE ECDIT OITDF FMEDR

USECM RLEXE NAOTC MTDCI ULKXH

BRRSP LaMaR D FD TT E UU FE ETNHO

IIIEH DLAUN XSEMN ENLBS VXEWTDESHE NGUNS

Fig. 3b . Sample of Grille- Transposed Text.

solution ofsingle messages ofless than 54 groups presented a problem so difficult that notall olthe messages in this system were ever read.

Some traffic in this system was also sent from GLENN to AOR via VVV TEST. The systemwas also discovered being used in secret in k messages carried ou t of Mexico by couriers.These were labeled th e Ma x Code by th e Germans.

In September 1941, Berlin-Rio de Janeiro stopped using simple transposition. Thesystem introduced used th e same type of indicato r as that used on th e BRAJOBVOLCOcircuit: the A3abc identified a key page an d th e A3d identified the upper left corner of th egrille. The gri lle used proved to be th e same as th e BRAJOB-VOLCO grille with 125 opencells vice 135.

Traffic intercepted on th e Madrid-West Mrica circuit also used t he 13X19 grille, bu twith 136 open cells; th e same size grille as used by Paris had 140 open cells. T he LasPalmas-Cisneros grille was only 9X 13 with 88 open cells, while th e grille used on th eBulogne-Ostend-Brussels-Lille circuit was 15 X 21 with 224 open cells.

I t is interesting to note th e degree of security which th e German authorities believedthis system possessed. After th e rup tu re in German-Brazilian relations a nd d ur in g t heperiod of th e German spy roundup in Brazil, German Foreign Office dispatches were sentover th e Madrid-West Mrica circuit in this system, when commercial circuits could no

longer be used.

Aperiodic Polyalphabetic Substi tut ion

These systems were encountered after the roundup of German spies in Brazil.Immediately after th e Brazi lian arres ts , two new circuits were found w hich had thetransmission characteristics of Hamburg-controlled agent communications: dailychanging callsigns, slow transmission speed, and voluminous "ham" chatter. The ciphersystem used was "running key," Le., one in which th e juxtapos.ition of two slidingalphabets is determined by a continuous aperiodic key, usually taken from a book ormagazine. I t was known that th e Germans preferred to equip their agents with systems inwhich th e elements could be memorized an d used in combination with a popular novel or

other innocent book; and i t was hoped that either direct or reverse standard alphabets hadbeen employed for t he p la in an d cipher components. Such proved to be th e case an ddecryption of messages revealed that the new circu it was a Hamburg-Chile one, whichwhile i t did not replace th e previous Hamburg-Chile circuit, reported t he s ame type o finformation. Intercepted traffic contained information on U.S. equipment an d shipmovements. I t was later learned that the Spanish book Sonar la Vida was used for th e

9 TOil SECRE. UMBRA


15/38


16/38

DOCID: 35258981'6' SI!CRET tlMBRA

The 25-long transposition key was made up of 25 consecutive letters from a lengthy keyphrase. The starting point was determined by adding the date and the month.

Substitution was performed after t he p lain text ha d been written into th etransposition matrix, and was based on a fixed substitution key

1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2

1 Z 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5G MV W L B CUT S O l Q Y X E 0 J F K APR N H

that is, "G" was th e key for column I, "M" for column 2, etc.The message key letter to be used was determined by subtracting 2 from the date; thus,

on th e s ix th of the month the key letter would be "0," the fourth letter of the alphabet.Two direct standard alphabets were used for encipherment with the message key letter setagainst th e appropriate letter of th e substitution key. In this case, "0" plain would be setagainst "G" cipher for column 1. Substitution for the 1st, 4th, 7th, 10th, etc. letters of thecolumn was normal. For enciphering th e 2nd, 5th, 8th, etc. letters, the plain componentwas moved one space to the right of the ini tial set ting; and for the 3rd, 6th, 9th, etc., theplain component was moved one space to th e left ofthe initial setting. For instance, i f thefirst column read

E

NXBWN

setting "0" plain to "G" cipher would give

Plain: X Y Z ABC 0 E F G H I J K L MN 0 P Q R S TU V WCipher: ABC 0 E F G H I J K L MN 0 P Q R S TU V W X Y Z

and th e column would be enciphered

E HN RX Z

B EW AN P

After th e substitution was performed columns were extracted from the bottom upward.The indicator was in the A3 group with th e A3ad being the first two letters of t hetransposition key.

In Oecember 1942, the Royal Canadian Mounted Police provided the Coast Guard withthe record of a German agent named Janowski who had been arrested in Canada inNovember. Among th e materials turned over were two novels which were to be used togenerate his encryption keys. The agent's number, 28 in this case, added to the number ofthe month and date, gave th e page of th e book to be used. Messages had a five-grouppreamble enciphered with two keys: one for t he f ir st four groups which containedtransmission date, time, character count, and serial number, and the secondfor th e fIfth

11 TOPSECREI tlMBItA


17/38

DOCID: 3525898

yep 5!CR! ' tJMBRA

group which contained the date of encryption. In this system, th e Janowski method (seefig. 4), t he t ex t was first written horizontally into a transposition rectangle and extractedaccording to a 20-long key derived from the first 20 letters reading downward from the topleft-hand corner of the page for the day (see fig. 4a), Subs ti tu tion was performed on

WR V C S L P T H F A S F P A A G MA Q2 1 1 1 1 1 1 1 1 1 1o 5 9 5 6 0 2 8 9 6 1 7 7 3 2 3 8 1 4 4

Fig.4a. Janowski Transposition Key

2 1 1 1 1 1 1 1 1 1 10 5 9 5 6 0 2 8 9 6 1 7 7 3 2 3 8 1 4 4D E I N E N R V I E R X X WA S C H B ER IC H T E T 0 L OS MOB I LEX 0 Lo S MOB I L E HER S TEL L T M 0 NA T L I e H HUN 0 E R T TA U S EN 0

Fig.4b. Transposit ion Rectangle

T WB T MK G K MAT H T M Q T B Q T B1 2 1 1 1 1 1 1 1 1 140259 7 5 8 0 1 6 6 7 1 2 8 3 3 9 4

Fig.4c. Substi tution Key

Fixed Alphabet: ABC 0 E F G H I J K L MN 0 P Q R S TU V W X Y Z

( N 0 P Q R S TU V W X Y Z ABC 0 E F G H I J K L MSlide: ( 1 1 1 1 1 1 2 1 1 1 1

( 1 2 8 3 3 9 4 0 2 5 9 5 7 8 0 1 6 6 7

Column: 1

R

SR

E

Substitution: 1

E

FER

l e p SEER!' tJMBRA

Fig. 4d. Substitution

12


18/38

DOCID: 3525898TOP SEGRA "MIRA

each column separately by means of a subst itut ion key derived from the first 20 lettersreading downward from the top left-hand corner of the page for th e f irst of the month. Thesubst itut ion key was slid against a stationary standard alphabet using as an index theletter in the top left-hand corner ofthe day page. Substitution was column by column withthe key number corresponding to the column number se t against th e index. In f igure 4c,th e strips are se t up for enciphering column 1. Figure 4d shows a sample substitution.

Subsequently, seven circuits were noted using Janowski method with, at most, minorvariations in indicator placement and encipherment procedure: Hamburg-Spain,Hamburg-Gijon (Spain), Hamburg-Madrid, Hamburg-Lisbon, Hamburg-Vigo (Spain),Hamburg-Bordeaux, and Hamburg-Tangier.

On the Hamburg-Spain circuit , Hamburg started off by sending two messages. Twodays later another two messages were sent. When compared it was obvious that the secondtransmission was a repeat of the first with a different encipherment. Further examinationrevealed that both messages of th e first transmission tested for substitution, as did thesecond message ofthe second transmission. The first message of the second transmissiontested for transposition. When the two first messages were superimposed it was found thateach segment of the transposed version equated to a segment of the substituted version.This stripped off the substitution, determined the number of columns, and fixed thecolumn lengths, a ll in one operation. All that remained was the anagramming of onemessage and two keys were recovered simultaneously. This constituted one of the worstbreaches of communications security encountered by th e Coast Guard. Unfortunately, nofurther traffic was passed on this circuit.

Only two variations were noted in the use of Janowski. Hamburg-Gijon used aconstant key for a short time before shifting to book key, and Hamburg-Bordeaux used a16-long key from July to November 1942, at which time th e circuit changed over to th etransposition substitution system previously described. In April and May 1943, HamburgBordeaux again used Janowski, this time with a 22-wide key.

Two versions ofsubstitution with grille transposition were used. The simpler methodused three simple subst itut ion tables for the 1st to the 10th of th e month, the 11th to th e20th, and th e 21st to th e 31st. Normal grilles were used, but th e spaces for dummy letterswere filled with plain text. On th e Madrid-San Sebastian circuit a five-alphabet periodic

substi tu tion was applied to the pla in text which was then wri tt en into the grille an dextracted by key. Later, th e plain text was wri tten into th e grille and extracted by key,after which the substitution was performed. Some of the links that used this system useddummies, others did not. Indicators were the same as for normal grille usage; each circuithad only one substitution table.

Double Transposition

The four circuits using double transposi tion, all in late 1942, were Berlin-Madrid,Berlin-Tetuan (Morocco), Berlin-Teheran, and Berlin-Argentina.

The first system ohhis type successfully solved by th e Coast Guard was intercepted onBerlin-Madrid in late 1942. Inspection revea led that the AlIA2 and ZlIZO groups

contained a repeated enciphered indicator which deciphered as follows:

1. The first three digits ranged under 400, probably indicating the pages of a book.2. The nexttwo digitsrangedlow enough tobe a line indicator.3. TheneJ:trourdigitsconsisted of two pairs, each rangingfrom 10to 30.

4. The last digitwas no t significant.

13 " " SEeRE' UMBRA


19/38

DOCID: 3525898

lQP SECRET liMBRA

It seemed obvious that the two dinomes ranging from 10 to 30 were indicatorsdesignating the length of keys to be selectedfor a double transposition. A search was madefor a message in which th e length of the text equaled th e product of the two keys. Thisconstitutes a classic case for solution since such a situation nullifies the transposition.After initial success in this case, various other cases were also solved in which the messagelengths bore specific relationships to the products of key widths. In November 1943, theindicator was reduced to one numerical group which th e British believed designated thepage number in th e first three digits and the line number in th e last two. A constant fivefigure group was added to this indicator using noncarrying arithmetic. From the line sodetermined, the first four words were selected as first key and the first four words of thenext line were selected as second key. Since no solution for the additive was ever obtained,no traffic in the newer system was ever read.

In traffic on the Berl in-Tetuan circuit the indicator ini tial ly consisted of a singlegroup, giving only the date ofencipherment. This was sufficient because there were onlyseven keys usedfor thefirst transposition, onefor each day of the week, and th e key for thesecond transposition was weekly-changing. On 1 April 1943, the indicator was changed toone similar to the first system used on Berlin-Madrid. On 4 November 1943, the indicatorwas again changed, in th e same fashion as Berlin-Madrid, and solutions ceased. Keys on

this circuit were derived from a German translation ofa British detective story.In the Berlin-Teheran traffic th e dates were sent unenciphered in th e preamble. Theonly o ther possible indicator was a number in the preamble which looked l ike a ser ia lnumber, but which did not ru n in sequence. Although a few messages were solved individually, it was not until the German agent in Teheran was caught in the autumn of1943 andthe record of his interrogation forwarded to the Coast Guard that th e remainder of thetraffic on this circuit could be read. The complete literal key was a six-line verse:

Wer wagt es Rittersman oder KnappZu tangen in diesen Schlund?Einengoldenen Becher werfich hinabVerschlungen schon ha t ibn de r schwarze MundWer mir den Becher kann wieder zeigen-

Er ma g ihn behalten, er is t sein eigen.

[Who will risk it , knight or squireTo faithfully serve in this abyss?I hurl a goldenchalice down,A black mouth engulfs it all around.Bu t whoever makes it againbe shown,

Heshall retain it,for it 'shis own.]

The month determined th e pair of lines from which th e numerical key was derived; thedate determined the number of the let ter in this pai r o f l ines with which the l iteral keystarted; the month then determined the minimum number of letters taken from this pointfor the flrst key; and the month flnally determined the number ofletters transposed fromthe beginning to the end of th e f irst key to give the second key. Figure 5 shows the way inwhich th e month controlled the key. It should be noted that i f after counting th e minimumnumberofletters, the end ofa word had not been reached, the word was completed.

The Berlin-Argentina circuit was actually a number of circuits o pe ra ti ng i n a ndaround Buenos Aires, s eve ra l o f t he m s imul taneously. A var ie ty o f s ys tems wereemployed on these circuits during th e time they were intercepted, but double transpositionwas the only hand system used. The fll"st such traffic was transmitted in November 1942,but it did not start appearing regularly until January 1943. The Coast Guard had nosuccess with th e system until GC&CS solved a 16 March 1943 message and passed thekeys on to OP-20-GU. The onlyapparent indicator was a preamble number similar to thatfound on Berlin-Teheran. The flrst key was a constant, of which four were used:SONDESCHLUESSEL (probe key), GASGESELLSCHAFT (gas company), SCHAEFFNER

TO' SEERET l::JMBRA 14


20/38


21/38

DOCID: 3525898'fe, SECRET l:IMBItA:

p ABC 0 E F G H I J K L MN 0 P Q R S TU V W x y z

C I :

I I :I I I :

IV:

A N WB K V E G S H e P Y I 0 Q Z L J T MI Y 0 QD IY Q

Q l O Y

F R U 0 xU R 0 XOUR X

X U 0 R

SubstitutionA lphabets

Keyword Transposition Mixed Sequence Using Keyword HIMMELBLAU (sky blue)

K R AFT WAG E N F U E H R E R S C H E I N P RU E FUN G1 Z Z 3 1 1 1 Z 1 Z Z Z 1 1 1 Z 2 Z 1 3 2 17 Z 1 9 7 1 Z Z 4 8 0 8 5 4 3 6 4 6 3 5 7 6 9 1 5 9 8 1 0 0 3

0 E I N E N R V I E R X X WAS C H B E R IC H T E T 0 LOS MOB I LEX 0 LO S MOB I L E HER S TELL T M0 NA T L I e H HUN 0 E R T TA U SE N 0 S TU Ee K E I N S F U E N F F U E N F MMX MM UNO HUN 0 E R TTA U SE N 0 STU E e K E I N S NU L L F U E N F MMX MM

First Transposition Rectangle

B R G Y R Y Z MG R Z U U F A L WE B R Z GWE J U J Y C B L P Y N G CU R Y C B L P Y N G CUE U Z L Jo C C J P ID A J C G WE E T 0 B 0 Z J J A T L 0 0 B L J T 0WS X G Q L K T X Q K K T X Q K P PU P P T Q BE T Q B X Z JJ A T L R Y B L J TR W H R G Y L Y T e e K TR Y K P PU P P

Substitution

J C X T e o K B R B Z U T L J X J Y GET H ZR 0 K Y U P J P C E E B Q P U J G L R Y G K R B U L B P B AT L G J 0 J P R e E X R Z L J P C U Y A T K WOW J B P C QT F N T Q T Z L T Z P A G L B R E C SAY U T Q G MY B P LL e o E Y G C OP Y J P Q R G N WK WWU 0 T K R Z J X U 0o S N

Second Transposition Rectangle

Transposition rectangles for December 18 (12118). Text is inscribed horizontally intothe fIrst rectangle, substitution is made, th e resulting text is inscribed horizontallyinto the second rectangle, and extracted according to th e ABC key.

Fig.S

' f e ' SECRET l:IMBItA: 16


22/38

DOCID: 3 5 2 5 8 9 8

TOp SElkE I UMBRA

shows how the cipher component was changed for the second, sixth, and tenth lines; thethird, seventh, and eleventh lines; and the fourth, eighth, and twelfth lines.

The transposition key was 31-long, usually an easily remembered phrase or compoundword. In the fust rectangle a ll f ir st row squares to th e left of t he column whose keynumber was the same as the da te of encipherment were blocked out and the plain texts tar ted i n t ha t column. I n t he second rectangle the column corresponding to the date andal l first row squares to th e left ofthe column corresponding to th e month were blocked outand the text was started in th e latter column. I f the two numbers were th e same, then thecolumn was not blocked out in the second rectangle an d both rectangles were th e same.Figure 6 shows two rectangles prepared for th e substitution and transposition.

The major weakness of th e system was that once a message was completely solved alltraffic enciphered on the same basic phrase was readable and keys remained in effect forthree to six months.

At about the same time that the ABC Key was introduced on th e Hamburg circuits,other forms of combined double transposition and substitution were introduced on th eBerlin-controlled circuits. Descriptions ofonly two of these, Procedure 62 and Procedure40, ar e available.

Procedure 62 used a 31-long key in which th e key phrase was wri tten out in two lines.

Thefirst

l ine of16 charactershad a space after each letter, with the spaces numbered from1 to 15. The second line was started in the space corresponding to the number of th e monthof encrypt ion and wrapped around. The following i llustrates the procedure, using thephrase LA MUJER MAS HERMOSA EN ESPANA DEL SU R for th e month of April.

1 1 1 1 1 11 2 3 4 5 8 7 8 9 0 1 2 3 4 5

LAM U J E R MAS HE R M0 SSU R A EN E S P A N A 0 E L

The two lines were then merged

L S A U MR U A J E E N REM S A P S A H N E AR 0 ME 0 L S

a n d t h e numerical key derived in the usual manner.In th e fll"st transposition rectangle the column immediately to the left o f t he number

corresponding to the date was blocked out, as were all squares to th e left ofthis column onthe fll"st line. In the second rectangle th e column was not blocked out, bu t the same firstrow squares were. A trivial subst itut ion was appl ied to th e text in th e first rectangle tocamouflage th e letters A and E.

Line1 - Plain

Line 2 - A becameW, E becameF an d vice versa

Line 3- Abecame X, E becameG an d vice versa

Line 4 - A becameY, E becameH an d vice versa

This four-line cycle was repeated throughout the message.Procedure 40 was used on th e Madrid-Ceuta circuit as a back-up system to the cipher

machine normally used. In this procedure substitution took place before t he f ir sttransposition. Both transposition and substitution used th e same key phrase.

17 1'8P S[(RET Y M I "


23/38

DOCID: 3525898

";9P SEER!T UMBRA

For subst itut ion, a keyword mixed sequence derived from the key phrase, in thisexample DONDE MENOS SEPIENSA SALTA LA LIEBRA, was written into a 5 X5 square,omitting the letter J.

1

D O N E M

S P I A L4 T B R e F 2

G H K 0 Uv wx y Z

3

The plain text was divided into five-letter groups an d the following substitution was made,group by group:

The rust letter was replacedby the letter above it in the square.The second letter wasreplacedby the letter toi t s right in the square.The third letter was replaced by the letter below it in the square.Thefourth letter was replaced by the letter to its left. in the square.The fift.b letter was left. plain.

The letter J was left plain in all positions. Thus, MESSAGE would become ZMTLA TM ....In thefirst transposition rectangle all squares in the first l ine to the left ofthe number

corresponding to th e date of encipherment were blocked out. In the second rectangle thesame was done to t he f ir st line squares to the left of the number corresponding to themonth of encipherment.

Th e Kryh a Machine

The Kryha machine was a clockwork-powered mechanical running key enciphermentdevice. Two alphabets were on movable tabs so that the sequences of the plain componentand th e cipher component could be changed at will. The movement of the cipher alphabetdisk was controlled by a cogwheel with 52 holes around th e edge. A plunger on the end of alever served as a detent by dropping into each ofthe holes in succession. These holes couldbe individually covered, thus changing the wheel pattern, and varying th e "kick" witheach step of the wheel. The total kick in one full revolution was prime to 26 so that theperiod of the machine was equal to 26 t imes the to ta l kick. The cryptovar iables of thesystem were therefore the plain sequence, the cipher sequence, the wheel pattern, theinitial setting of th e cogwheel, and the initial setting of the cipher sequence against theplain sequence. The last two variables were changed with each message, the others lessfrequently.

A pair of indicators, enciphered with a multivalued number key, gave the alphabetsetting (the number of the cipher letter se t against 0 plain) in the "ab" positions, and th ecogwheel setting in the "de" positions. The "c" position was a filler.

lOP S[EAE' tJMIRA 18


24/38

DOCID: 3525898TOP SECRET liMBRA

The clockwork-driven Kryha, a popu lar German made ciphermachine that wa s widely used commercially in th e 1930s.

Th e Menzer Devices

When Chief inspector Menzer had b ee n t as ke d by Admiral Canaris with t es ting thesecurity of the Abwehr cryptosystems in 1942, he found them depressingly inadequate Inaddition to th e ABC Key, Procedure 40, an d Procedure 62, he introduced th e c ipher p latea nd t he cipher wheel as field agent cipher devices; an d Cipher Device 41 for use by Abwehrnets within Germany.l

The c iphe r p la te was designed by Menzer specifically for agent use. It consisted of acircular box about th e size o fa shoe pol ish can conta ining three resettable notched wheelsan d a spr ing. On th e top a mi xed alphabet could be written with pencil or grease pencil, 13characters on th e fixed r ing and 13 on th e movable disk. Th e disk wa s rotated to wind th espring for encipherment. Pressing a button on the side would re lease the d is k a nd allow itto rota te unti l stopped by th e notch rings. If th e disk stopped in a position where it s letterswere in phase with those on th e outer ring, the c ip he r v al ue w as read di rect ly. I f th e stopwa s in an intermediate position, the number of the line opposite th e p lain va lue would beread, and the cipher value taken from the cell with that number. 2

19 TOP SECReT t1MBRA


25/38

DOCID: 3525898TOP SECRET tJM8RA

Menzer Device

7 10 II ~

Th e cipher wheel was another hand-operated cipher device designed for agent use. I twas made up of two disks mounted concentrically. Th e lower d is k h ad 52 notches or holesaround its edge into which a pencil or stylus could be inserted to turn th e disk. On th e faceof th e disk were 52 cel ls into which a keyword-mixed alphabet could be inscribed twice,clockwise. The upper disk ha d a d ir ec t s ta nd a rd a lp ha be t inscribed on half of it speriphery, next to a semicircular window that revealed 26 characters of th e mixedsequence on th e lower disk. T he u pp er d isk also ha d a notch cu t into it s edge whichexposed te n of th e holes on th e lower disk. This notch ha d th e numbers 0 to 9 inscribednext

toit , in

a counterclockwisedirection,

sothat when th e

exposedholes were l ined up

w it h t he numbers, the le t ters on th e lower disk were lined up with th e letters on t he u pp erdisk.

Various methods of key generation were used. On Chilean circuits an l l- let ter keyword was numbered as for a transposition key, with th e f ir st d ig it o f two-digit numbersdropped. Th e key was extended by appending a two-digit group count an d a four-digit timegroup

A N T 0 F O G A S T A1 6 0 7 4 8 5 2 9 1 3 1 2 1 4 4 0

On other circuits a Fibonacci sequence of 100-125 digits would be generated throughvarious manipula tions o f th e d at e, t ime, a nd a ge nt number. I f th e message was longer

than th e key, th e latter would be reversed a s m an y t im es as n ec es sa ry. K ey generationtab les were also used.

Th e key const i tuted the input to an autoclave. After al igning th e alphabets accordingto an indicator in th e message, a stylus was inser ted in th e hole corresponding to t he f ir stke y digit, a nd t he lower disk was rotated clockwise until th e s tylu s was stopped by th e en dof th e notch. The p lain tex t letter was then found on th e upper d i sk an d it s c ipher va lueread off of th e lower disk. Th e stylus wa s then placed in the hole corresponding to th e

TOP S!CR!T tJM81tA 20


26/38

DOCID: 3525898

TOP SECRET UMBRA

second digit of ke y an d t he s ame procedure was repeated for th e second letter of text . Thusth e true key at an y point in th e cipher was equal to th e su m o f a ll t he previous key inputs. 3

T he C ip he r Device 41 wa s a cipher machine invented b y M en ze r in 1941 w hi ch w asb as ed on Hagel in enciphermen t bu t included a mechanism fo r v ar ia bl y s te pp in g t heHagelin wheels. The Cipher Device 41 ha d si x pi n wheels that were mutually prime. Th efirst five wheels ha d kicks of 1, 2, 4, 8, an d 10, respectively; th e sixth wheel mad e t he sekicks positive or negative. The enciphering cycle (encipherment ofone letter) consisted ofthree elements:

1. This took place i fand only if t h e s ix th key wheel ha d an active pi n in the "motion indexposition." I f th is were th e case, then al l o f t he following occurred: Wheel 1 moved ones te p a nd each o f t h e r emai ni ng four wheels moved one s te p u nl es s t he wheel to it s lefthad an active pin in th e "motion index posi tion," in which case it would move twosteps.

2. A ke y kick was generated w hi ch w as t he sum of t he k ic ks of wheels which ha d activep in s i n t he "kick index position." If, however, th e sixth wheel ha d an active pin in th e"kick index position," th e key k ick would be 25 min u s t he s um o f al l of th e other kicks.In o ther words, under such a circumstance, th e key would complement itself.

3. This was identical to Step 1, except th at i t occurred whether or not Wheel 6 ha d anactive pi n in th e "motion index position." In this step, Wheel 6 also stepped one or twopositions, depending on th e state of Wheel 5.

Menzer Device SG-41 . A successful encipherment system,bu t of limited use due t o i ts heavy weight.

21 lO P $I!!(RET l:JMIUM


27/38

DOCID: 3525898t o P SECkE!T tJMBRA-

The orig ina l specifica tions cal led for a light weight, durable machine to be used bymilitary units forward of division. Menzer designed i t to pr ovi de a cipher t ap e an d to bekeyboard-operated to improve th e speed of encipherment. As a resu lt of the keyboardoperation, he was able to redesign th e arrangement oflet ters on th e print wheels to flattenth e cipher frequency count. 4

Because of the wart ime shortages of a luminum and magnesium th e machine ended upweighing between 12 an d 15 kilograms, too heavy for field use. Removal o f t he keyboardwould have l igh tened th e machine, bu t the redesign of th e print wheels prevented theirbeing used directly for encipherment . Production stopped because no one knew what to do.About 1,000 machines had been constructed an d were distributed to t he A bw eh r whichbegan using them on circuits with in Europe in 1944. 5

GC&CS read a number of Cipher D ev ice 41 messages t hr ou gh d ep th r ea din gtechniques, bu t even after some of the machines ha d been captured an d examined, no onecould postulate a theory of cryptanalytic attack. A 1947 WDGAS-71 repor t sta ted that i f amechanically reliable machine could be built embodying th e same principles as the CipherDevice 41, i t would undoubtedly be a v al ua bl e a ss et . T he report noted that because of thekey complementing characteristic of the machine, statistical tests di d no t seem to offer an yparticular promise for solution. 6

T h e Co as t Guard Solu t ion of Enigma: The Commercial Machine

In January 1940, Coast Guard intercept operators collected a suspicious circuit usingth e calls MA N V NDR, RDA V MAN, a nd t he like, transmitting one to five encrypted messagesa day. I t soon became apparent that a ll m es sa ge s intercepted were in f lu sh d ep th ,although th e method ofencipherment was a s y et unknown.

Attempts to so lve th e f ir st twen ty or thirty messages in depth m et w it h no successbecause of badly garbled copy an d lack of an y definite evidence as to t he u nd er ly in glanguage. By th e time sixty or seventy messages ha d accumulated, however, i t seemedcertain that the language was German and that a word separa tor had been used.

In the progress ive development ofthe plain cipher equivalences for each position of the

depth, it was observed that no plain letter was represented by i ts el f i n t he c ipher tex t an dthat the p la in c iphe r equivalences with in each alphabet were reciprocal. This, toge therwith th e l anguage , seemed ample ju st i fi cat ion for assuming that th e traffic ha d beenencrypted on an Enigma cipher machine. Th e Coast Guard Intelligence Unit ha d a modelof th e commercial version of the machine, together with t he o ri gi na l manufacturer 'sinstructions and suggestions for it s use. These instructions included the practice of using"X" as a word separator, and ofrepresenting numbers by their equivalent letters as shownon th e keyboard of the machine

1 2 3 4 5 6 7 8 9 0Q W E R T Z U l O P

After almost fully recovering th e first 32 alphabets, th e Coast Guard cryptanalystsdeveloped a technique for stripping off the effect o f t he reflector an d then of successive

wheels, resulting in a complete solution of the mach ine with a ll wirings. Th e wiring recovered i n t hi s solution later pr oved to be kn own w ir in g, bu t the Coast Guard recovery ofwiring assumed to be unknown was achieved without prior knowledge of an y solution ortechnique. This is believed to be t he f ir st i ns ta nc e of Enigma wiring recovery in th eUnited Sta tes. I t should be noted that t he i ni ti al approach to th e problem wa s anadaptation of the procedure used in the solution ofthe Hebern machine.

TOil !lI!eJtE'f t J M B ~ 22


28/38

DOCID: 3525898I UP 5!fRET 1:1MIIRA

F ro m t he equivalent wir ings o f the two outside wheels, th e Signal Intell igence Service(SIS) identified them a s t he a ct ua l ones furnished in t he old commercial Enigma machine,an d th e Navy la ter identified th e traffic as Swiss a rm y. W it h resp ect to th e numbers onthe ac tua l wheels, th e wheel order used wa s 1-3-2 (left to right, as one faces the machine).

The Coast Guard Solution of Enigma: The Green Machine 7

A s ta ti on u si ng t h e call TQ12 wa s f ir st h ea rd o n 10 October 1942 on 10,415 kHz. Th estation sent c al ls on ly u p to 30 October, when a message was int ercept ed . The messagepreamble was 2910/301/66. TQ12 was bel ieved to be l in ke d w it h a s ta ti on u si ng t he callT1M2 on 11,310 kHz. On 12 November 1942, it was learned from bearings taken by th eFC C that TQ12 wa s in Europe an d T1M2 was in South America. This was confi rmed by th eRadio Security Service eRSS) at a radio intelligence meeting on 17 November on t h e b as isof Hamburg-Bordeaux t ra ff ic which was being read by GC&CS. The Bordeaux terminalha d been instructed to monitor t he c ir cu it a nd to a ss is t i n c as e o f difficulty. Station TQ12also used th e call RSE, which was believed to be th e alternate control in Bordeaux.

Enigma with extra rotors

23 ;Q P SIiCRIi; I:IM8RA


29/38

DOCID: 3525898TOP SECRET l:JMBIbII

During October an d December 1942, 28 messages were intercepted from TQI2. Thisseries of messages ha d several duplicate message numbers (two 315s, three 316s, etc.) Themessages were tested for depth and a lthough th e coincidence rate was defin itely aboverandom, i t was rather poor. I t was assumed , there fo re , that m ost o f th e messages wereencrypted on the s ame key, but that th e duplicate message numbers were poss ib leevidence of different keys. Actually, a ll messages t ur ne d o ut to h av e b ee n e nc ry pt ed on

th e same key. Th e poor coincidence rate was a result of th e inclusion of several practicemessages in the ser ie s. These pract ice messages contained a shor t tex t a t th e beginningan d were filled ou t to average l eng th with dummy text.

Th e lessons learned from solving the commercial Enigma were applied, toge ther withth e improved techniques learned from th e B ri ti sh , a nd th e machine was solved. Wh eelmotion patterns were similar to the Enigmas used by German agents in Europe which ha dbeen solved by the British prior to th e appearance ofTQI2. Decrypted texts showed that th ecircuit was between Berlin and Argentina.

On 11 January 1943, messages were transmitted with external s er ia l n um be rs 3 22328. I t was possible to align these in dep th by stepping each successive message oneposition to th e right, producing a ten- let ter repeat in messages 322 an d 327. The completepla in tex t was quickly reconstructed . Two later s et s o f messages sent in June an d Julyconfirmed th e method used on this circuit for determining monthly r in g s et ti ng s an dnormal positions.

The Coas t Gu a r d Solution of Enigma: The R e d M a ch in e

The first mention ofthis machine appeared in message number 145 from Argentina toBerlin on 4 November 1943. This message was sent on th e "Green" circui t an d encryptedon th e "Green" Enigma. The message read

THE TRUNK TRANSMITTER WITH ACCESSORIES AND ENIGMAARRIVED VIA RED. THANK YOU VERY MUCH. FROM OUR MESSAGE150 WE SHALL ENCIPHER WITH THE NEW ENIGMA. WE SHALL GIVETHE OLD DEVICE TO GREEN. PLEASE ACKNOWLEDGE BY RETURNMESSAGE WITH NEW ENIGMA. [s]LUNA

On th e same day, th e "Red" section sent message number 98 9 stat ing tha t anadditional Enigma machine ha d arrived. This messa ge had been e nc ry pt ed w it h th eKryha machine which th e Coast Guard ha d solved.

On 5 November 1943 , Berlin sent message number 585 to t he "Gr ee n" section mArgentina:

RE YOUR 145: NEW ENIGMA IS INTENDED FOR RED ONLY.

The following day, Berlin sent message number 917 to th e "Red" section:

INTERN 86. THE NEW ENIGMA WHICH ARRIVED TOGETHER WITHTRUNK TRANSMITTER IS FOR RED. IT IS A BIRTHDAY SURPRISE FORLUNA.

On the same day, 6 November, the "Red" section i n A rg en ti na s en t message number991 requesting a ke y for th e new Enigma, asking that it be sent vi a th e "Blue" ke y(unsolved) an d n ot v ia the "Red" Kryha key. The mes sa ge w en t o n to sa y that they wereconstantly making a fundamental blunder in transmitting a new key by m ea ns o f t he oldone.

rQPSeeREI UMBRA 24


30/38

DOCID: 3525898

Berlin replied to this message on 9 November, asking the "Red" sec tion to be patientfor a few more days until a k ey for th e new Enigma could be forwarded.

At this point there ensued a considerable amount of confusion regarding methods oftransmission of key, settings for th e "Red" Enigma, an d settings for th e "Red" Kryha, al l ofwhich wa s finally resolved by 14 December. Once the Germans got their encryption procedures squared away, th e Coast Guard solved th e "Red" Enigma by normal methods.

Th e Coast Guard Solution of Enigma: The Berlin-Madrid Machine

About 5 Ma y 1944, th e Berlin-Madrid circuit stopped using double transposition an dbegan using Enigma. An examination ofthe t ra ff ic on a single da y revealed that messagesfrom the same transmitting agent could be superimposed in depth by us e of th e time group.Fo r example, a message having a preamble encipherment time of 1410 would be i n p ha sewith a message encrypted at 1400 hours from th e eleventh letter of th e latter message.T hi s w as similar to one method previously encountered on the Berlin-Argentina circuit,where a secret daily-changing number was added to th e encryption time an d th e machinewas then stepped that number ofpositions forward from th e basic key for the day.

After determining the indicator system being used, th e various Enigmas used by theSecurity Service group, of which th e Berl in-Madrid circui t was a part, were considered.O nl y fo ur machines ha d been employed by this group: th e "Green," th e "Red," acombination of "Red" wheels an d a "Green" reflector, an d th e so-called "M" machine.Assuming that th e traffic was encryp ted on one of th e known machines, a considerablet im e wa s expended on guesses i n d ep th (the depth of an y s eries of messages was neverenough to y ie ld a solut ion by that method alone), followed by running menus on th e slidingGRENADE an d checking the r esu lt ing h i ts in the uncribbed depth.

This method eventually r ea d t he s ys te m on a depth of twelve. Th e successful cribswere easily expanded an d th e full text recovered. Th e machine involved employed the"Red" wheels an d the "Green" reflector. The only other time this type of usage wa sencountered was when the instructions for th e "Red" machine were first sent to Argentina.

The Coast Guard Solution of Enigma: The Hamburg-Bordeaux Stecker

I n t he period immediately preceding th e change from hand to machine system, severalHamburg-Bordeaux messages were solved w hi ch p ro ve d to be reencipherments ofunidentified cipher texts. These ha d a short pla intext internal preamble giving a serialnumber, letter count, an d a cover name to identify th e encrypted traffic.

An analysis of the p lain texts of messages encrypted in the old system showed thatsome type of radio intercept ac tiv ity was involved. From this information i t was deducedthat th e Bordeaux end of th e circuit acted as a s or t o f monitoring a nd r el ay s ta ti on whichlistened in to cer ta in outsta tions for th e Hamburg control an d furnished Hamburg withthe texts of outstation messages which Hamburg ha d failed to receive.

Further information was secured through a reencryption sent by Bordeaux. Te ngroups of a message were sent ; th e transmission wa s interrupted and la ter a message wassent which repeated the te n groups with some of the le tter s changed. The changed lettershad been subs t ituted in a manner which suggested that a stecker had been employed an dthat one o r p er ha ps two wires ha d been improperly plugged. Th e combination of the

25 TQP SECRET tJMBR'A


31/38

DOCID: 3525898TOP SECRET l:JMBRA

s tecke r and the three- le tte r indicator found on the t ra iI ic s trong ly suggested the use of th eGerman Service wheels.

The ne xt step in the analysis was th e identification of th e traffic reencrypted in th elast days of the old hand system. This proved to be tr af fic from th e FBI-controlledHamburg-New York circuit. By examining message l engths and t ransmission times, itwas then possible to f ind days on which Bordeaux had reencryp ted New York tr af fi c by

machine an d relayed it to Hamburg. Correct message placement suppl ied cribs whichwere tried on the Bombe a nd t he machine was solved. I t proved to be using Service wheels1, 2, an d 3 with a fixed "Bruno" reflector and adapter.

From a security standpoint, the conditions under which this c ircuit operated exhibitedan almost complete abandonment of good cryptographic practices. Not only did th eGermans us e their most secure cryptomachine to retransmit low-grade traffic, but thesettings used were those employed on Spanish Abwehr nets. Furthermore , there wereindications that the Germans were aware that the New York circuit was con trol led - yetth e reencryption of this low-grade traffic was permitted. This was also the only exampleknown to th e Coast Guard of th e Service machine being employed for elandestine traffic.

The Bri t ish Effor t

Clandestine traffic worked by th e British fell into three cryptographic segments calledISK (Illicit Series Knox), ISOS (Illicit Services Oliver Strachey), an d ISTUN (Illicit SeriesTUNNEY). Two sections at Bletchley Park were solely engaged on clandestine: SectionISK was who lly cryptanalytic, an d Section ISOS did crypt wo rk on al l traffic o th er t ha nISK an d ISTUN. ISOS also was the intelligence and dist ribut ing cen te r for t he e nt ir eclandestine output. ISTUN was broken by th e TUNNEY Section under Prit.chard whichhandled al l TUNNEY traffic, including clandestine. 8

Bletchiey Park

Tap SECRET l:JMBRA 26


32/38


33/38

DOCID: 3525898TOP SECRET UI'v18R:A

TUNNEY

Th e ISK machine was introduced a t the end of 1940 an d was first broken by th e Britishon Christmas Day, 1941. 10

Th e ISOS Sec tion was established at the en d of 1939 an d by mid-1943 was readingabout 150 i l lic it radio circuits. Th e traffic consisted o f a wide variety of transposition an dsubstitution ciphers, with th e traffic usually in German but including considerableSpanish an d French an d occasionally many othe r languages. All RSS groups, except VIII,XII, XIV, an d XVI carried only Abwehr t ra ff ic . Groups VIII an d XVI were Italian SecretIntelligence an d were n ot h an dl ed by ISOS bu t by Bletchley Park's Research Section.Group XIII wa s I SK an d ISOS traffic o f t he Security Service; Group XIV carried Abwehrtraffic, both ISK an d ISOS, an d d ip loma tic t raffic . Group XIII ISOS tra ff ic was doubletransposition. Groups I an d XV used s imple transposit ion; Gr oup XIV ISOS incl ud ed avarie ty of substitution and double transposition. 11

In 1943 t he a ve ra ge daily ISOS traffic intake was 150-200 messages per day. Allincoming traffic was sorted i n t he ISOS Section Registry Room into RSS groups an d sent tothe appropr iate sections, al l three of which s en t t he ir decodes back to the ISOS Registry

Room, which handed decodes to the Watch Room. The Watch Room ran 24 hours , witheight people usually on duty except on th e graveyard shift when there was only one. Th eWatch Room t ra ns la te d a nd a men de d th e t ext s which w ere often severely garbled.Messages then went to typists who made sixteen English copies an d also German copies forcertain users. Th e Watch Room kept a file of r ec en t b ac k traffic in German, and theRegistry Room kept a complete back file i n E ng li sh . As of June 1943, GC&CS ha dproduced 115,000 clandestine serial numbers, of w hic h a little over half were ISOS type.

TOP SECRET liMBItA 28


34/38

DOCID: 3 5 2 5 8 9 8TOil S!CRI!'f tJMBItA

One serial number frequently contained one or several messages, averaging about two perserial number. During 1942 GC&CS produced 61,267 serial num be rs, and the dailyaverage rose from 101 to 209. 1808, 18K, and ISTUN were circulated twice daily (each in aseparate series) to M16, to the three service ministr ies, to MI5 and RS8. Group XIII wascirculated separately twice daily, under the title "1808ICLE," to the same recipients, plusthe London Office of the Chief o f the Secret Service. In addi tion, the following specialseries were circulated:

1. ISMEW traffic from th e Bilbao-Biarritzcircuit, covering th e movementsof oreboats, wentto MEW in addition to usual customers;

2. ISBA, conta iningal l messages referr ingto Bri tish agents abroad, went only to MI6;3 . TUNNEY traff ic , re ferring to OF ofBritishtransmitters, went only to MI-8;4. Paris to Stuttgart traffic, referring to White Russians who listened in on Paris to Russian

radio telephone conversations, wascirculatedonlyto th e office ofCSS;5. Norwe gian t ra ff ic went to th e usual customers; an d6. The Intel lige nc e B ra nc h of [80S kept indexes of persons an d places; studied organization

of th e Abwehr an d Security Service, abbreviations, vocabulary, an d cover names. Its tudied ISOS for c ribs into ISK an d both for c ribs into Enigma or other traffic. Itmaintained liaison with th e r e c i ~ i e n t sof the o u tp u t an d studied the entire output for th ebenefit ofthe section as a whole. 1

In 1943 most of the IS08 traffic was in Groups II and VII, with a considerable amountin Group I, an d a lit tle in Group III. The principal topics of the messages were 13

1. Chetnik and Partisan operations in Yugoslavia;2. Naval observations from S pa in a nd P ort ug al o f Iberian harbors, G ib ra lt ar , a nd t he

Eastern Mediterranean;3. Ag ent s r epo rts f rom Spanish Morocco on the situation in North Africa;4. M il it ary developme nt s in Turkey an d th e Near Eas t, including disposition of Turkish

forces and arrivals of British missions;5. RedCross act iv it ies inGreece;6. Ship mov eme nts in the North Sea an d off th e Scandinavian coast;7. Military intelligence about Russian troop movements;8. General arrangements for carrying on espionage;9. Slipping agents through to their destination;

10. Admin is trat ive;11. Service messageson radio communications an d use of ciphers.

Almost al l 18K traffic was in Groups II an d XIV and occasionally Group VII. Theprincipal subjects were 14

1. Naval observations from Spain an d Spanish Morocco;2. Admin is trat ive;3. Naval observations in the Nea r East;4. British troop movements in th e Nea r East;5. M il it arya ct iv ity in Turke y;6. Naval activity in the Black Sea;7. Partisan and Chetnik warfare in Yugoslavia;8. O rga ni za ti on of communists in Yugoslavia;9. Slipping agents into Turkey;

10. Russian military movements;11. C ondi tions in Iran;12. Mil itarysupplies from th e Alliesto Turkey;13. Inquiries about th e loyalty and reliability ofindividuals.

29 le p !!CREi UMBRA


35/38

DOCID: 3525898lO P SECkEl UMBRA

ISTUN traffic was not intercepted by RSS bu t by the non-Morse intercept station atKnockholt and, therefore, did not carry RSS group numbers bu t was entirely Abwehrtraffic. The great bulk of th e messages was between Berlin and Greece and included muchinformation on suspected individuals, some messages on German propaganda to Arabcountries, and a little on enterprises ofBranch 11. 15

ISOSICLE messages were transmitted between Berlin and Lisbon, Istanbul, Sofia,

Madrid, Bucharest, Helsinki, Switzerland, Budapest, Tetuan, Paris , Marseilles, an dunknown locations. This was traffic of the Security Service, and was very different fromAbwehr traffic, much more diplomatic and political. The principal topics were 18

1. The Finnish political situation;2. F in nish b ro ad cast s to Eston ia emb ar rass in g to t he G er ma ns b ec au se of "underlying

democratic ideology" an d because the Germans ha d forbidden the Estonians to listen toforeign radio;

3. Italian activities in Corsica, which seemed to foreshadow Italian attempt at colonizationan d annexation;

4. Jewish problem in Bulgaria;5. The t roubl es of th e American army in Algiers;6. Economic warfare p lans;7. Adminis trat ive;8. Communicationsservice.

The reliability of information contained in Abwehr and Security Service traffic variedwidely, from completely inaccurate to substantially accurate. Intelligence reports wereoften prepared by paid agents and had to be assessed in that light. 17

TO' S!CR!T t'JMIItA 30

- - - - - - - - - - - -


36/38

DOCIO: 3525898

Abteilung

Abwehr

Abwehrleitstelle (AIst)

Abwehrstelle (Ast)

Allgemeine SS

Amt

Grundstellung

Gruppe

Hauptabteilung

Kriegsorganization (KO)Meldekopf(MK)

Nebenstelle (Nestor Anst)

Oberinspektor

Oberkommando Wehrmacht (OKW)

Oberkommando des Heeres

Reich

Reichsfuehrer

Reichssieherheitshauptamt (RSHA)

Schluesselgeraet

Schluesselrad

Schluesselscheibe

Schutzstaffel (SS)

Sicherheitsdienst (SD)

Sicherheitspolizei (SiPo)

Sondeschluessel

Untemehmen

Verfahren

Wehrkreis

Zahlschluessel

19 P SECReT UMBRA

Glossary

Branch

Counterintelligence

Counterintelligence Control Post

Counterintelligence Post

GeneralSS

Department

Setting

Group

Bureau

Combat OrganizationMessage Center

BranehPost

ChiefInspector

High Command of th e Armed Forces

Army High Command

The nation

Leader of the Reich

Reich Security Administration

Crypto Device

CipherWheel

Cipher Plate

The SS t Blackshirts (lit . "Protection Squad")

Security Service

Security Police

Probe Key

(Special) Operation

Procedure

Military District

Key Number

31 'reP SECRET l:IMBM


37/38

DOCID: 3525898lap SEEREl tJMBItA

NOTES

1. 79/49frOPSEC/A8-14, TICOM DF174, "Description of Contacts of Fritz Menzer with American an d SovietAuthorities and Summary ofCareer ," p. 21.'ff 'Set-2. 79/49frOPSEC/A8-14, p.33; and 33/51frOPSEC/AFSA-14, R-2,"Schluesselscheibe 50" (May 1951). (TSC)3. LCDR L.A. Griffiths, RNVR, GC&CS Secret Service Sigint, Vol. III, pp. 111-15. (.lfBer4. WDGA8-14's European Axis Sigrud Intelligence in World War II as Revealed by TICOM Investigations an dOtherPrisoner of War Interrogations an d Captured Material, Principally German, Vol. II, p. 29.l'TS6+-5. Ibid., p. 2 9 . ~6. TICOM DF-19, "Cipher Device-41" (10 January 1944); Memorandum from Frank W. Lewis, WDGA8-71, toCOL Solomon Kullback, WDGAS-70, "Study of the C41 Cipher Device" (4 March 1947); an d GC&CS SecretService Sigint, Vol. II, p p . 1 6 5 - 7 1 . ~7. The descriptives "Red" and "Green" were applied by traffic analysts to Enigma to designate different circuitsserving two different groups of agents. In addition, the set-ups on the two machines differed.8. COL Alfred MacCormack's report on his trip to London, May-June 1943,p. 42. t't'Set-9. Ibid., pp. 4 2 - 4 3 . ~10. Ibid., p. 4 3 . ~11. Ibid., pp. 44-45. ~12.lbid.,pp. 4 4 - 4 7 . ~

13. Ibid., pp. 4 7 - 4 8 . ~14. Ibid., pp. 4 8 - 4 9 ~ )15. Ibid., p. 49. ~16. Ibid., pp. 49-50 . ffSer17. Ibid., p. 50:'ff'SeT

T54-0CT 89-Y:2-22S22: 33 19P SECRET YMBAA


38/38

DOCID: 3 5 2 5 8 9 8 TOP SECRET

'1115 Beel::lMEPU eepUAINS eeBEWeRB MATERhteL

the cryptology of the german intelligence services

Documents