Modern Cryptanalysis of Schl¨Usselgerät 41

Modern Cryptanalysis of Schl¨Usselgerät 41

Modern Cryptanalysis of Schlusselger¨ at¨ 41 George Lasry The CrypTool Team [email protected] Abstract 1944 on a few Abwehr networks. Bletchley Park could not decipher its traffic unless multiple mes- The Schlusselger¨ at¨ 41 was an highly se- sages were sent in-depth. Until recently, little was cure encryption machine developed by Fritz known about the inner functioning of the SG-41. Menzer and used from 1944 by the Ab- Several historical documents have been declassi- wehr. Bletchley Park could not decipher fied that provide extensive details about its func- its traffic. In this article, we provide a func- tioning. A small number of SG-41 have survived, tional description of the SG-41 and present and some have been restored. a novel cryptanalytic method to recover the In this section, we provide an overview of the key settings from ciphertext and known- history of the SG-41, as well as a functional de- plaintext. This attack requires extensive scription, and an analysis of its keyspace size. computing power, a testimony to the re- silience of the SG-41 even against modern 2.1 Fritz Menzer and the SG-41 cryptanalysis. We also present an alterna- Fritz Menzer (1908–2005) was the Government tive method, based on acoustic cryptanal- Inspector (Regierungsoberinspektor) of OKW/Chi, ysis, which allows for the recovery of the the cryptographic arm of the Wehrmacht, and later, key settings in minutes. Admiral Canaris, the head of the Abwehr charged him with ensuring the security of the organiza- 1 Overview tion’s communications. Menzer designed and led This article is structured as follows: In Section 2, a the development of several cipher devices, meth- brief overview of the history of the SG-41 is given ods, and procedures, some of which created some and a functional description. Section 3 describes difficulties for British and U.S. codebreakers. In cryptanalysis attempts by Bletchley Park and the a post-war NSA publication, Menzer is described US against the SG-41. In Section 4, we describe as “Cryptologic Inventor Extraordinaire”, and the a novel known-plaintext attack that is feasible but peak of his achievements, however, is most proba- requires extensive computing power, and in Sec- bly the invention of the SG-41, shown in Figure 1 tion 5, a highly-efficient side-channel attack that (Mowry, 1983). relies on acoustic analysis of the device. Finally, Having previously worked on the cryptanaly- in Section 6, we assess the security of the SG- sis of the Enigma and the Hagelin C-36, Menzer 41 compared to other encryption machines of the understood their weaknesses. While much of the 1940s. SG-41 borrows from the Hagelin pin-and-lug de- sign, Menzer introduced some features that pro- 2 The SG-41 – Introduction vided enhanced security (Mowry, 1983). Boris The SG-41 was an encryption machine introduced Hagelin later complained to William Friedman that by Fritz Menzer, Regierungsoberinspektor of OK- the Germans had stolen his design. He had ob- W/Chi, the cryptographic branch of the Wehrma- tained one of the SG-41 machines, wrongly calling 1 cht. While inspired by the Hagelin pin-and-lug it C-41 (Friedman, 1955). devices, the design of the SG-41 incorporated sev- The SG-41 was designed with a keyboard and a eral novel features that significantly enhanced its strip printer to speed up the process of enciphering security. Logistical reasons prevented its produc- 1It is also called C-41 in some U.S. documents (Agency, tion in large volumes, and it was only deployed in 1947). and deciphering (unlike the Enigma that required fully functional (Historica, 2019; Dahlke, 2018). at least two operators, one to type into the key- While the SG-41 is described in several docu- board, and another one to write down the lamps ments (Mowry, 1989; Mowry, 2003; Mowry, 1983; activated). WDGAS-14, 1946), those descriptions are incom- The army ordered 11,000 units in 1942, and a plete, and sometimes conflicting. The most reli- prototype was presented in 1943, but by the end able historical source describing the SG-41 is a of the war, only 1000–1500 had been produced by G.C. & C.S. report titled Secret Service SIGINT the firm Wanderer-Werke in Chemnitz. The chal- Volume II - Cryptographic Systems and Their So- lenges of wartime production and the lack of ma- lutions - Machine Cyphers written by Keith Batey, terial may have prevented its production in higher Mavis Batey, Margaret Rock, and Peter Twinn in volumes. In addition, the device was considered 1945. The authors were part of ISK - Intelligence too heavy - over 13 kg - to be used at the front- Services Knox (headed by Dilly Knox before his lines (Dahlke, 2018; Mowry, 1983). Near the end death in 1943) and were responsible for analyzing of 1944, it was deployed on at least three Abwehr Abwehr traffic with its agents and offices world- links, between Berlin, Bordeaux in Southern France, wide. While most of the report is about the crypt- Northern Italy, and Vienna, replacing the Enigma analysis of the Abwehr Enigmas, against which G machines (Batey et al., 1945). ISK had considerable success, the last seven pages of the report are dedicated to a detailed functional description of the SG-41 and to the mostly un- successful attempts by ISK to decipher its traffic (Batey et al., 1945). The focus in this section is on the logical and functional aspects of the SG-41, rather than on its physical design and implementation. Figure 2 shows a functional diagram of the SG-41. The SG-41 enciphers symbols of the A-Z alphabet into symbols of the same alphabet. To encipher, the operator presses a plaintext symbol on the key- board (spaces are represented by the symbol J). The plaintext symbol is encrypted, and the result- ing ciphertext symbol is printed on a paper strip (together with the plaintext symbol). The decryp- tion process is similar: The operator presses a ci- phertext symbol on the keyboard. The encryption process, which is reciprocal, converts back the ci- Figure 1: The SG-41 phertext symbol into a plaintext symbol printed on the paper strip (together with the ciphertext sym- 2.2 Functional Description of the SG-41 bol). Until recently, little was known about the inter- nal mechanism of the SG-41 (Dahlke, 2018; Mu- seum, 2020b; Schmeh, 2004). Recently declas- sified U.S. and British documents, and in partic- ular, a wartime report from Bletchley Park, pro- vide enough details to fully reconstruct the func- tioning of the SG-41 (Batey et al., 1945; Mowry, 1983; Mowry, 1989; Mowry, 2003). While very few devices have survived, most in bad condition, some units are in the hands of museum curators and crypto collectors, who were able to analyze the physical/mechanical design of the SG-41. At least one machine has been restored so that it is Figure 2: The SG-41 - Functional Diagram Figure 3: The SG-41 - Functional Diagram - Pinwheels and Bar Cage The encryption logic is governed by the outputs applies to C2 and T2 for wheel 2, and similarly to of a rotating bar cage with 25 bars, as well as of the other wheels. a set of six rotating pinwheels, as shown in Fig- A full encryption cycle, in which a plaintext sym- ure 3. The pinwheels are numbered 1 to 6, from bol is encrypted (or a ciphertext symbol is decrypted), left to right, and have 25, 25, 23, 23, 24, and 24 and the wheels advance, consists of three stages, pins each, respectively. Each pin can be set to an one of which is optional (Batey et al., 1945): active or an inactive state. Each wheel from 1 to 5 1. An optional pre-encryption stepping stage that affects one or more bars. The pin currently in front occurs before encryption, only if T6 was ac- of the cage determines whether the bar is engaged tive (at the beginning of the cycle). or not. Those pins are denoted as C1 to C5, for wheels 1 to 5, respectively. C6 does not affect the 2. The encryption stage. cage bars, but it affects encryption as described in Section 2.4. 3.A post-encryption stepping stage that always Each bar has a fixed lug positioned in front of occurs after encryption. one of the wheels 1 to 5. In front of wheels 1, The two stepping stages are identical. Each step- 2, 3, 4, and 5, there are 1, 2, 4, 8, and 10 bars ping stage consists of two phases, as follows: with such a fixed lug, respectively. The bar cage performs a full rotation during the encryption of • Wheels 2 to 6 step if the pin affecting step- a single symbol. When a bar has its lug against ping on the wheel on its left was active (at an active pin, it is engaged and it adds one to a the beginning of the stage). For example, if total additive kick, denoted as K (its function is T3 was active, wheel 4 steps. described in Section 2.4). If a bar is not engaged, • All the wheels (1 to 6) step. it does not add to K. Therefore, wheels 1 to 5 may add 1, 2, 4, 8, and 10, to K, respectively. When all This mechanism creates a circular interdepen- the bars are against active pins, and thus, they all dence between the wheels, as illustrated in Fig- are engaged, the total kick is 1 + 2 + 4 + 8 + 10 = ure 4. This circular interdependence means that 25. any wheel may affect the stepping of any other So far, the mechanism of the first five wheels wheel, directly or indirectly, and that there is no and the bar cage is very similar to the Hagelin C- way to know how the wheels step without first de- 35, which also had bars with fixed lugs, and five termining the pin settings of all wheels.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us