
PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979, p. 404

may contain a hundred thousand or even a million bits. As pointed out by Shannon [10], the job of the cryptanalyst becomes more difficult as redundancy is removed from the message, and codes remove redundancy. Finally, the code operates on relatively large blocks of plaintext (words or phrases) and thereby conceals local information which might otherwise provide valuable cryptanalytic clues. Against these strengths it must be said that the key is not well used in a code, since only a very small amount of the code book comes to bear in encoding an individual word or phrase. As a result, codes succumb to frequency analysis under heavy use, and are particularly vulnerable to attack by known plaintext, which becomes more available the longer a code is in service. For these reasons, codes must be changed frequently in order to be secure. Despite their success in some circumstances, codes are not well adapted to modern communications, because they are not easily automated, and because the key (codebook) is not easily changed if compromised. This violates a basic security principle, and was often responsible for code failures.

F. Hagelin Machine

The Hagelin machine was widely used as an American field cipher during World War II, under its military designation M-209, and is still in occasional use today (Fig. 4). We treat it here because it is one of the few systems whose complete description is public knowledge, and because its solution brings out some techniques which are valuable in general. Our description of the solution draws on Kahn's outline of an attack [23, p. 431], on unpublished work of Jim Reeds of the Statistics Department of the University of California at Berkeley, and on Robert Morris and Dennis Ritchie [26], [27]. Wayne G. Barker [28] has recently published a book which has significant overlap with these approaches.

Our basic approach is due to Reeds and was first implemented by Morris and Ritchie. According to their results, one to two thousand characters of ciphertext suffice, and to a large extent the language used in the plaintext need not be known a priori! For the sake of clarity, we have simplified their technique. As a result, the technique presented here requires substantially more text. At the end of this subsection, we indicate the nature of their improvements.

Kahn [23, pp. 427-431] gives a complete mechanical description of the machine. For ease of understanding we delete some of the mechanical interactions which are not involved in a mathematical description of the process.

The M-209 combines the plaintext, character by character, with the keystream (a long pseudorandom sequence, derived from the key) to produce the ciphertext in a manner similar to Vigenere or running key ciphers. The plaintext, the keystream, and the ciphertext are all written in a 26-character alphabet, and the plaintext p is subtracted from (rather than added to) the keystream KS mod 26, to make enciphering self-inverse:

C = KS - p (mod 26)

and

p = KS - C (mod 26).

Two major components are required in the keystream generation process: the keywheels, which generate a long pseudorandom sequence of six-bit groups, and the cage, which converts the 6-bit groups into characters. The machine is keyed by adjustments to both the key wheels and the cage.

The six keywheels may be regarded as gears with 26, 25, 23, 21, 19, and 17 teeth, respectively. Next to each tooth of each wheel is a pin which can be either extended or retracted. One bit of key is used to set each pin, and we will use the convention that an extended pin corresponds to a key bit equal to 1. Once this portion of the key has been set, the key wheels are set to their initial reference positions. This is facilitated by labeling the teeth of each gear with as many letters of the alphabet as there are teeth, and providing a window over each gear that shows which teeth are active (in position to interact with the cage).

At the beginning of the encryption process the six windows will show AAAAAA. The 6 bits which correspond to the A teeth on each gear determine the first letter of the keystream. After the first character has been enciphered each key wheel is rotated one position so that the windows show BBBBBB. Six new bits of key (pins) come into play, so the second character in the keystream is independent of the first. This holds true for the first 17 characters, at which point the windows show QQQQQQ. The 18th character of the keystream, however, is determined by the pins corresponding to teeth RRRRRA, since the last wheel has finished one complete revolution. Thus the 18th character of the keystream is correlated with the first character of the keystream. Similarly the 19th is correlated with the second, since the windows show SSSSSB. The 20th is correlated with both the 3rd and the 1st, since the next-to-last gear has now also come full cycle and the windows show TTTTAC.

Because 26, 25, 23, 21, 19 and 17 do not contain any common factors, the key wheels return to the AAAAAA position only after 26 x 25 x 23 x 21 x 19 x 17 = 101,405,850, roughly 101 million, characters have been enciphered.

In most of what follows, we will treat the cage as a programmable read-only memory (PROM) holding 2^6 = 64 characters. These characters are drawn from the Roman alphabet, and are represented by the numbers 0 through 25. Each six-bit group produced by the key wheels is transformed into a character by using the six bits to designate a memory location in the PROM and taking the contents of this location as output.

The 1940-vintage M-209 uses a mechanical technique instead of a PROM. This technique restricts the mapping in a way which makes the solution easier. There are 27 bars with 2 lugs on each bar. These 2 lugs can be set to any of 8 positions. Six
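The keystream generator described above, written out as an added example (this is not code from the paper and not a faithful model of the lug-and-bar cage). The six wheels are modeled as pin-bit arrays of lengths 26, 25, 23, 21, 19 and 17, and the cage is modeled, as the text does, as a 64-entry PROM mapping each 6-bit group to a letter value 0..25. The pin settings and PROM contents are constructed sample data drawn at random from a fixed seed, not a real key; the restriction the real cage places on the mapping is not modeled. Besides enciphering and deciphering, the block exposes the two structural facts the attack relies on: the period of the wheels, and which wheel's pin a pair of keystream positions share.

```python
"""Keystream model of the Hagelin M-209 as described in the text.

Added example, not the paper's own code.  Wheel j advances one tooth per
character and wraps after WHEEL_SIZES[j] teeth, so bit j of the 6-bit group
at position i is the pin at tooth i % WHEEL_SIZES[j].  The cage is a PROM
(64 entries of 0..25), as the text assumes for the mathematical treatment.
"""
from math import lcm
import random

WHEEL_SIZES = (26, 25, 23, 21, 19, 17)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def make_key(seed=1979):
    """Constructed sample key (assumption): random pins per wheel and a random PROM.

    The real machine's cage restricts the 6-bit-to-letter mapping; that
    restriction is deliberately not modeled here.
    """
    rng = random.Random(seed)
    pins = [[rng.randint(0, 1) for _ in range(n)] for n in WHEEL_SIZES]
    prom = [rng.randint(0, 25) for _ in range(64)]
    return pins, prom


def six_bit_groups(pins, count):
    """Return the 6-bit group active at each position 0..count-1."""
    return [[pins[j][i % n] for j, n in enumerate(WHEEL_SIZES)]
            for i in range(count)]


def group_to_index(bits):
    """Pack six bits into a PROM address, first wheel as most-significant bit."""
    idx = 0
    for b in bits:
        idx = (idx << 1) | b
    return idx


def keystream(pins, prom, count):
    """Run each 6-bit group through the PROM to get keystream values 0..25."""
    return [prom[group_to_index(g)] for g in six_bit_groups(pins, count)]


def encipher(plaintext, pins, prom):
    """C = KS - p (mod 26), character by character, from the AAAAAA start position."""
    p = [ALPHABET.index(ch) for ch in plaintext]
    ks = keystream(pins, prom, len(p))
    return "".join(ALPHABET[(k - x) % 26] for k, x in zip(ks, p))


def decipher(ciphertext, pins, prom):
    """p = KS - C (mod 26) is the same operation, so enciphering is self-inverse."""
    return encipher(ciphertext, pins, prom)


def wheel_period():
    """Wheel sizes are pairwise coprime, so the period is their product."""
    return lcm(*WHEEL_SIZES)


def shared_wheels(i, j):
    """Wheels whose pin at keystream position i is the same physical pin as at j.

    Positions 0 and 17 share the 17-tooth wheel's pin, positions 0 and 19
    share the 19-tooth wheel's pin, and positions 2 and 19 share the
    17-tooth wheel's pin: this is the correlation the text describes.
    """
    return [w for w, n in enumerate(WHEEL_SIZES) if i % n == j % n]


if __name__ == "__main__":
    pins, prom = make_key()
    msg = "ATTACKATDAWN"
    ct = encipher(msg, pins, prom)
    print(msg, "->", ct, "->", decipher(ct, pins, prom))
    print("period:", wheel_period())
    print("wheels shared by positions 0 and 17:", shared_wheels(0, 17))
    print("wheels shared by positions 0 and 19:", shared_wheels(0, 19))
    print("wheels shared by positions 2 and 19:", shared_wheels(2, 19))
```

Note that the first 17 groups share no pins with one another, so any correlation an analyst observes between keystream positions closer than 17 apart would have to come from the cage mapping rather than from the wheels; from position 17 onward the shared pins give the structure the solution exploits.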



Berthold G. Bosch (M'64-SM'67) was born in Bonn, Germany, on May 30, 1930. He received the Dipl.-Ing. degree in electrical engineering from Aachen Technical University, Germany, in 1956, the Ph.D. degree from Southampton University, England, in 1960, the Habilitation from Karlsruhe University, Germany, in 1969, and the D.Sc. degree from Southampton University in 1976.

From 1956 to 1957, he held an AEG Foreign Scholarship at the Electronics Department of the University of Southampton. During 1958-1960, as a Research Assistant at the same department, he was engaged in work on microwave-tube noise. From 1960 to 1972, he was with AEG-Telefunken, Ulm, Germany, where he occupied various posts in the Tube Works and in the Research Institute, eventually becoming Head of the Electronics Department in the latter institution. During that time, he carried out and was responsible for work on microwave tubes, parametric amplifiers, microwave semiconductors, and high-rate PCM circuitry. In 1969, he was made an Adjunct Staff Member (Privat-Dozent) in the Faculty of Electrical Engineering of Karlsruhe University, and in 1972, he became Professor of Electronics at the Ruhr-University, Bochum, Germany, and simultaneously Joint Director of the Institute of Electronics. During the academic year 1973-1974, he served as Dean of the Faculty of Electrical Engineering. His present research interests include devices and integrated circuits for high-speed electronics, integrated optics, and optical communications. He is coauthor (together with R. W. H. Engelmann) of Gunn-Effect Electronics.

Dr. Bosch was awarded the A. F. Bulgin Premium of the British IRE in 1962 (jointly with W. A. Gambling), and in 1969, he received the Annual Prize of the Nachrichtentechnische Gesellschaft. He is a member of Verband Deutscher Elektrotechniker, Deutsche Physikalische Gesellschaft, and of the Administrative Committee of the European Society for Engineering Education.

*

(M'77) received the B.S. degree in mathematics from Massachusetts Institute of Technology, Cambridge, in 1965.

Subsequently, he worked on symbolic mathematical manipulation at the Mitre Corporation in Bedford, MA, and on proof of program correctness at the Stanford Artificial Intelligence Laboratory, Stanford, CA. More recently, he was a graduate student in the Department of Electrical Engineering of Stanford University, Stanford, CA. He is a member of the Scientific Staff of BNR, Inc., where he is responsible for research on computer and communications security.

*

Martin E. Hellman (S'63-M'69-SM'78) received the B.E. degree from New York University, New York, NY, in 1966, and the M.S. and Ph.D. degrees from Stanford University, Stanford, CA, in 1967 and 1969, respectively, all in electrical engineering.

Currently, he is an Associate Professor of Electrical Engineering at Stanford University, doing research in cryptography, information theory, and communication theory. He is also acting as Associate Department Chairman during 1977-1979. He was an Assistant Professor at Massachusetts Institute of Technology, Cambridge, from 1969 to 1971, and on the Staff of IBM T. J. Watson Research Center, Yorktown Heights, NY, from 1968 to 1969. He is the author of over thirty publications.

Dr. Hellman is a member of the Information Theory Group's Board of Governors and was an Associate Editor of the IEEE Transactions on Communications.

*

Geoffrey H. C. New was born in Shrewsbury, England, in 1942. He received the B.A. and D.Phil. degrees at Oxford University, Oxford, England, in 1964 and 1967, respectively.

From 1967 until September 1973 he was a Lecturer at Queen's University, Belfast, Northern Ireland, U.K., and has recently moved to a lectureship at Imperial College, London University, where he is presently a Reader in Nonlinear Optics. For his graduate work at Oxford, he conducted experiments both on optical rectification and on third-harmonic generation in gases, which was first observed at that time. In Belfast, he took part in a research program dealing with various aspects of the generation, measurement, and properties of ultrashort light pulses. His recent work has been concerned with the theory of mode-locking in various types of laser and with the theory of two-photon resonant frequency mixing processes.