Wednesday, February 15, 2017

Crypto Box Challenge Solved by George Lasry

George Lasry
Great news from the Crypto Box Challenge, as George Lasry from Israel solved the final box! He's only the sixth person in more than nine years to complete the challenge. He took on the challenge in 2013 and, after various side tracks, including the completion of the Enigma Challenge, he succeeded in cracking that last box.

George Lasry is a one-of-a-kind hobby cryptologist who evolved quickly into a well-respected member of the classical cryptology community within a mere three years. It's the amazing story of a man who was searching for a new job in software development. Meanwhile, he wanted to train his programming skills, and his interest in the Enigma machine led him to the crypto challenges on my website. The Crypto Boxes were his first encounter with historical cryptography, but the final box proved a nut too hard to crack.

Giving up was not his cup of tea, so he started experimenting with various cryptanalytic techniques and quickly solved the complete Enigma Challenge with software he developed on his own. In search of new challenges he learnt about many cryptanalytic techniques and implemented various types and combinations of them in his ever-expanding software. Other side tracks were the Mystery Twister C3 and the strong Double Transposition Challenge.

Searching for a solution to a complex cipher is not simply a matter of writing some software to search for the solution or the proper key. It involves the development of complex, fast algorithms for an exhaustive search, tailored to a specific problem, in combination with various methods to measure the success of the ongoing process and to proceed on a successful track.

The Crypto Box
He experimented with hill climbing, simulated annealing and used bigrams, trigrams, quadgrams and log quadgrams. A recent paper by Olaf Ostwald and Frode Weierud, Modern Breaking of Enigma Ciphertexts, explained the use of hexagrams. George had excellent results with this technique but the final Crypto Box remained unbroken. George finally solved the stubborn box on 14 February with a variation of simulated annealing, based on James Cowan's "churn" method, and even found three different keys to solve the box.

His journey through classical cryptology also drew the attention of some experts. George teamed up with German researchers and was encouraged to publish his techniques in the renowned Cryptologia journal. He started a PhD thesis and continued to solve various tough crypto challenges. His solution of the Double Transposition cipher caught the eye of people from Google, which eventually led to his recruitment by Google.

I'm quite pleased to hear from George that my Crypto Box Challenge was his first encounter with classical cryptography and that the website inspired him to experiment with various cryptanalytic techniques, resulting in the successful decryption of the final Crypto Box. Congratulations George!

More about the challenges at Cipher Machines and Cryptology.

Thursday, November 24, 2016

Operation Vula's Secure Communications

Operation Vula was the creation of an underground ANC leadership with a supporting secure communications network in South Africa to fight against the apartheid regime. The operation ran from 1988 to 1991 and is also the fascinating story of Tim Jenkin, who played a key role in providing secure communications.

Tim Jenkin today
Tim Jenkin came into contact with the anti-apartheid movement when he visited the African National Congress (ANC) office in London. He was eager to support the fight against apartheid. Jenkin was trained in covert operations and returned to South Africa, where he and his good friend Stephen Lee started underground work for the ANC in 1975. They ran a propaganda shop but were arrested in 1978 and sentenced to 12 and 8 years' imprisonment respectively. Amazingly, they escaped 18 months later from a Pretoria high-security prison with keys that Jenkin made out of wood. This gives you an idea of how creative he was. Jenkin left South Africa and made his way to the ANC office in London, where he became a trainer for underground operatives.

The ANC leadership had fled to Lusaka in Zambia after many of their leaders and members were jailed or tortured. This left the ANC with no representatives in South Africa. Among the exiled members were ANC president Oliver Tambo, commander of the military wing (MK) Siphiwe Nyanda and ANC strategist Mac Maharaj, whose mission was to revive the freedom movement and ignite revolution in South Africa.

This proved to be a mission impossible because of the difficulty of communicating and coordinating with the few ANC members that were still in South Africa. In the mid 1980s, communications between London, Lusaka and operatives in South Africa were still protected by manual one-time pad encryption, which was too cumbersome for long reports that took many hours or even days to encrypt by hand.

Oliver Tambo tasked Siphiwe Nyanda to join MK's Chief of Staff Joe Slovo in starting up Operation Vula. The goal of this extensive operation was to set up a secure covert communications network and to smuggle ANC leaders and weapons into South Africa to install a leadership that would take over command of the underground work. This is where Tim Jenkin comes into play.

Jenkin met Mac Maharaj while training ANC agents on radio communications in Lusaka. Maharaj asked him to set up secure communications between covert operatives in South Africa and the ANC office in London. At that time, Jenkin was experimenting with computer communications. Personal computers were quite a novelty in the 1980s, but handyman Jenkin developed one-time pad encryption software that used floppy disks, filled with random data, to serve as key. During encryption, used key bytes were automatically wiped from the disk, making the system unbreakable. The software also increased encryption speed for Vula messages considerably, compared to the slow pen-and-paper system.
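To illustrate the floppy-disk pad scheme described above (this is an added example, not Jenkin's software): a pad file carries a cursor plus key bytes, every encryption consumes key bytes and overwrites them on disk, the receiver's identical copy is wiped the same way, and the offset sent with each message lets the receiver skip (and wipe) the key of a message that never arrived. The file layout, the `take_key` helper and the constructed key material are assumptions for the demo.

```python
import os
import shutil
import struct
import tempfile

HEADER = 4  # 4-byte big-endian cursor: index of the first unused key byte in the pad

def make_pad(path, key_material):
    """Create a pad file: cursor header followed by the key bytes.  Both ends get an
    identical copy (in Vula: floppies carried by courier).  key_material is passed in
    so the demo is deterministic; a real pad needs genuinely random bytes."""
    with open(path, "wb") as f:
        f.write(struct.pack(">I", 0) + key_material)

def take_key(path, n, at=None):
    """Return (at, key) for key bytes [at, at+n) and destroy on disk everything from
    the current cursor up to at+n.  `at` defaults to the cursor (sender side); the
    receiver passes the offset carried in the message, so the key of a lost message
    is skipped and wiped rather than left on the disk or reused.
    The zero-overwrite assumes a medium that rewrites sectors in place, as a 1980s
    floppy did; on flash media or journaling filesystems old data can survive, so
    this is not a secure-erase technique for modern storage."""
    with open(path, "r+b") as f:
        cursor = struct.unpack(">I", f.read(HEADER))[0]
        if at is None:
            at = cursor
        if at < cursor:
            raise ValueError("key bytes already used: refusing to reuse pad material")
        f.seek(HEADER + at)
        key = f.read(n)
        if len(key) < n:
            raise ValueError("pad exhausted: fetch a new pad, never reuse this one")
        f.seek(HEADER + cursor)
        f.write(b"\x00" * (at + n - cursor))  # wipe used (and skipped) key bytes
        f.seek(0)
        f.write(struct.pack(">I", at + n))
        f.flush()
        os.fsync(f.fileno())
    return at, key

def encrypt(pad_path, plaintext):
    """Ciphertext = 4-byte pad offset + (plaintext XOR key)."""
    offset, key = take_key(pad_path, len(plaintext))
    return struct.pack(">I", offset) + bytes(p ^ k for p, k in zip(plaintext, key))

def decrypt(pad_path, ciphertext):
    """Decrypt with the receiver's copy of the pad, which is wiped the same way."""
    offset = struct.unpack(">I", ciphertext[:HEADER])[0]
    body = ciphertext[HEADER:]
    _, key = take_key(pad_path, len(body), at=offset)
    return bytes(c ^ k for c, k in zip(body, key))

def round_trip():
    """Constructed end-to-end run; returns what each side ends up with."""
    work = tempfile.mkdtemp()
    try:
        key_material = bytes((i * 73 + 11) % 256 for i in range(64))  # constructed, NOT random
        sender_pad = os.path.join(work, "sender.pad")
        receiver_pad = os.path.join(work, "receiver.pad")
        make_pad(sender_pad, key_material)
        make_pad(receiver_pad, key_material)

        ct1 = encrypt(sender_pad, b"MEET AT NOON")
        recovered1 = decrypt(receiver_pad, ct1)

        # A seized sender disk no longer holds the key of the message already sent:
        with open(sender_pad, "rb") as f:
            leftover = f.read()[HEADER:HEADER + 12]
        # and the software refuses to decrypt with pad bytes it has already consumed:
        try:
            decrypt(sender_pad, ct1)
            reuse_refused = False
        except ValueError:
            reuse_refused = True

        # A message that never arrives: the receiver skips (and wipes) its key bytes.
        encrypt(sender_pad, b"LOST")
        ct2 = encrypt(sender_pad, b"SECOND")
        recovered2 = decrypt(receiver_pad, ct2)

        return {"ciphertext": ct1, "recovered": recovered1,
                "sender_key_wiped": leftover == b"\x00" * 12,
                "reuse_refused": reuse_refused, "recovered2": recovered2}
    finally:
        shutil.rmtree(work)
```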

Jenkin's office in London, nicknamed GCHQ (after the British Signals Intelligence organisation) served as the main Vula communications hub for messages between London, Lusaka and South Africa. In his computer shack he developed, tested and ran secure communications to cope with the increasing amount of reports from and to the ANC underground leadership.

Tim Jenkin in his communications hub

Jenkin devised a system to convert encrypted message digits into DTMF (dual-tone multi-frequency) telephone dial tones that were then recorded onto cassette tapes for transmission by pay phone later on. They provided ANC operatives with several DTMF tone generators that were disguised as electronic calculators. Later on, they dropped the method of manually keying in the DTMF tones and drastically increased communication speed by recording the computer modem sound directly to tape.

Conny Braam, a Dutch anti-apartheid activist, became responsible for the Vula logistics. She ran a network of people that supported the entire operation. The first task was to get the network running. She had to find someone to travel several times a month between Amsterdam and Johannesburg. Air hostess Antoinette Vogelsang volunteered as courier. Being an air hostess, she didn't have to go through airport checks and could safely smuggle into South Africa the Toshiba laptops and software that secured the network. She also provided the communication hubs with a regular supply of floppy disks containing new one-time pad keys.

The Dutch Lucia Raadschelders was sent to Lusaka to run a communications hub from a small house in the slums. She also served as contact between Jenkin and ANC headquarters in Lusaka. Janet Love, the ANC underground operative in Johannesburg, switched from the slow manual one-time pad encryption to its fast computerised version. Everything was finally up and running. In 1988, Mac Maharaj and Siphiwe Nyanda were the first Vula leaders to clandestinely infiltrate into South Africa.

Meanwhile, Janet Love's communications hub in Johannesburg was also operational. Tim Jenkin received the first long reports from Mac Maharaj a few weeks later. The ANC's freedom movement was finally able to communicate securely, with Jenkin's London office as central hub. From then on, Janet Love encrypted all Johannesburg messages and recorded the computer modem sound on cassette tape.

The operative in South Africa chose a random pay phone to call an answering machine in London and played back the tape with the message that he had encrypted and recorded earlier. The London office checked the message and called the operative's pager with a specific code to signal that the message had arrived well. London then relayed this message to, for instance, ANC headquarters in Lusaka.

The London office also used a specific pager code to warn operatives in South Africa that there were messages for them to receive. To retrieve a message, the operative again chose a random pay phone and called another answering machine in London on which the London HQ had recorded an encrypted message from Lusaka or from other operatives.

From the manual encryption of long reports, taking many hours to encrypt and days to get across, they were now able to get a message to London in one or two hours. Jenkin relayed the messages almost in real time back and forth between the ANC headquarters in Lusaka and the operatives in South Africa. The South African security services could not track these messages, as they were sent anonymously from randomly chosen pay phones. It would have required them to monitor each and every pay phone, and even if they managed to intercept such a message, it would merely contain what seemed like unintelligible fax or computer tones, giving them no clue about its purpose.

Mac Maharaj succeeded in setting up covert communications with the imprisoned Nelson Mandela through his lawyers. By then, the South African government held secret talks with Mandela, who they believed to be clueless about the situation in the country. Little did they know that Mandela was in direct contact with ANC president Oliver Tambo and a well organised underground leadership. In fact, without realising it, the apartheid regime was negotiating directly with the ANC. When Nelson Mandela was released from prison in February 1990, the Vula operation continued underground to protect the actual leadership and its communications with Mandela.

The operation was eventually compromised in July 1990 after the police followed Siphiwe Nyanda and discovered encryption disks and plain messages in a Vula hide-out. Mac Maharaj, Siphiwe Nyanda and six other Vula members were arrested and imprisoned. Others fled the country or went into hiding. Despite this setback, Tim Jenkin was able to reboot the Vula network within 24 hours. All Vula members eventually received amnesty as part of the political transition that led to the end of apartheid.

Tim Jenkin's story is an amazing example of people with no background in intelligence, espionage tradecraft or secure communications who used their creativity to set up an ingenious international secure network that changed South Africa's history. It should be noted that their communications system, which was quite novel and therefore secure in the 1980s, would pose serious risks in today's world with advanced signals intelligence capabilities, ranging from hacking computers to extensive electronic surveillance and geolocation.

Tim Jenkin's story of Operation Vula is published at the ANC website (alternative link here). More details about the encryption systems and equipment are on the web page How the ANC sent encrypted messages. Below is an excellent eNCA documentary about Operation Vula. Additionally, you can watch an NGC documentary of Tim Jenkin's escape from Pretoria prison.

Sunday, November 13, 2016

Tatjana J. van Vark at Secret Communications 2

The Crypto Museum and the Foundation for German Communication and Related Technologies again teamed up to present their second Secret Communications exhibit. This unique and by now international event brings together the finest pieces of historical crypto and covert radio equipment, some of which has never been on public display before (non-exhaustive list here). I visited the opening day, but the collection can be visited on two, now three (!), more days in the coming weeks. Due to its immense success, there will be an additional exhibit on January 14!

This year, they have the honour of receiving Tatjana Joëlle van Vark, a Dutch lady who is impossible to introduce in a few words. On November 12 she gave a demonstration of her amazing hand-crafted Cryptograph machine and we were fortunate to talk with her. She will give a second demonstration on December 3.

Although inspired by the German Enigma machine, the Cryptograph is quite different and more complex in mechanical design. Her machine includes encryption of letters, digits and punctuation, a printer and a paper tape puncher and reader.

Tatjana explains the mechanics of the Cryptograph

Some call it a Super Enigma, but I prefer to see it more as a piece of art. Tatjana is a lady who strives for perfection and beauty. The sophistication and attention to detail are a crucial part of all her projects and the hallmark of her work and philosophy. From the tiniest metal parts, over tidily packed wiring to the shiny instrument panels, it all breathes perfection.

The Cryptograph. An art work of electro-mechanical design and beauty

Personally, I believe that somewhere along the line we lost the desire to create beauty in everyday items. Everyone knows those old radios, from little design pieces to beautiful wood-crafted receivers, but also the gracious curves of kitchen machines and other household items, all produced with excellent and durable materials. This craftsmanship and design has almost become a lost art. Sadly, today's products in simple plastic boxes are often a hymn to cheap mass production.

Not so with Tatjana J. van Vark! Her projects arise from her imagination and are shaped and developed solely in her mind. She doesn't use technical drawings or plans and works straight from her memory! She has what we can call a beautiful mind, supplemented with skilled hands that turn raw materials into all kinds of precision parts, assembled into devices that are no longer simply functional objects but true pieces of art. The true art of creating things.

The Cryptograph printer. Perfection as only to be found in scientific instruments

Talking about Enigma, Tatjana is above all an enigmatic person. Her interest in scientific instruments as a child evolved into scientific work for technology firms, government and the military. Her work covers such a wide range of science and technology that it can only be explained by her drive to understand and learn all and everything. Power systems, electronics, telephone switching, instruments for the pharmaceutical industry, aircraft avionics, radar and weapons control, navigational equipment, optics. You name it, she did it.

She explained to me that you can create anything, as long as you learn enough and think enough about it. Now that's the spirit of a true explorer. I can only end by admitting to being really jealous of that lady's talents.

You will have another chance to meet Tatjana J. van Vark and her Cryptograph on the last day of the Secret Communications exhibition on December 3. If you can't make it to the exhibition, then you should visit Tatjana J. van Vark's website and her amazing collection of home-brew instruments with many amazing photos (make sure to click each image for more details) or visit her page at the Craftsmanship Museum. The short documentary Myth of a Magistra (incl. subtitles) shows some of her extraordinary work.

Much more to discover at Secret Communications 2

More information about the unique Secret Communications 2 exhibition, its amazing list of displayed items and directions to its location near Amsterdam in the Netherlands is at this link. Be advised that roadworks are in progress near the exhibition and alternative directions are available.

Monday, October 10, 2016

Jack Barsky's KGB Radiograms and Family Tales

Commercial SW radio. A spy's favourite tool to receive messages

Jack Barsky's espionage career was a quite remarkable one with a surprising ending. Barsky was born as Albrecht Dittrich in East Germany. He was scouted by the Stasi, recruited and trained by the KGB and sent to the United States as a so-called illegal under the false identity of Jack Barsky. In contrast to intelligence officers who operate under official cover (often pretending to be embassy personnel), illegals do not enjoy diplomatic protection if they are caught. They usually stay low-profile and only have contact with their agency through their handler, a career intelligence officer. Illegals are often regarded as the elite of spies, but their lives, although quite risky, are usually anything but glamorous or exciting.

Barsky's spying career lasted from 1978 until 1988, when his cover was blown. He refused KGB orders to return to East Germany, where he had a wife and son, and chose to stay with his American wife and daughter. Amazingly, the KGB bought his excuse that he had contracted AIDS and allowed him his final years in the United States (where he has happily lived and worked in good health since). Eventually, the FBI tracked him down thanks to information from the vast collection of documents that KGB archivist Vasili Mitrokhin smuggled out of Russia in 1992. Barsky, already inactive for several years, decided to cooperate with the FBI. He was extensively debriefed on KGB spy techniques and in return has never been indicted or put on trial.

Illegal agent's one-time pad booklet and microdot reader. Source: Canadian SIS

Jack Barsky is one more source that confirmed the use of one-way shortwave communications by intelligence organisations, known as numbers stations. Every Thursday evening Barsky tuned his shortwave radio to a predetermined frequency and listened for a so-called radiogram from the KGB. Barsky believes that his radiograms were broadcast from Cuba. These radiograms contained operational instructions that were encrypted into digits and sent in groups of five. His radiograms could take an hour to receive and write down and up to three hours to decrypt. Anyone could hear the message, you had no idea who was actually listening, and no one could decrypt or read it. When encrypted with a one-time pad, this pen-and-paper system is provably unbreakable.

The Americans: fiction and real-life spy stories interwoven

You can watch Jack Barsky's two-part interview, in which he talks about the radiograms in part one (alternative video at Dailymotion). Slate's TV Club has a podcast about season four of the TV series The Americans (spoiler alert) in which Jack Barsky tells about his life as an illegal in the United States and the similarities and differences with the illegals in The Americans (SoundCloud link). The Guardian also has a long article on Barsky. An excellent Spiegel TV documentary follows Jack Barsky in 2014 on his first trip to Germany in 30 years, as he explains how he became a KGB spy. The actual life of Jack Barsky as an illegal may not be that spectacular and full of action, compared to Philip and Elizabeth Jennings in The Americans, but the work of illegals can take quite a toll on their personal lives.

Donald Heathfield and Tracy Foley lived a seemingly ordinary life with their two sons Tim and Alex until their house was raided by the FBI in 2010. To their children's surprise, Donald and Tracy, whose real names were Andrei Bezrukov and Elena Vavilova, turned out to be members of a Russian spy ring in the United States, controlled by the illegals department of the SVR, the Russian Foreign Intelligence Service. Eventually, Canadian-born Tim and Alex were deported with their parents to Russia in one of the biggest spy swaps ever. Their life as they knew it ended instantly. They received Russian passports and had to build a whole new life. The fascinating story of Tim and Alex was published last May in The Guardian.

Andreas and Heidrun Anschlag, the spy couple arrested in Germany in 2011, also had a grown-up daughter. Her life was undoubtedly also turned upside down by the spying career of her parents. But spies are not the only ones to pay a high personal price. The wives and children of defectors often suffered the same consequences. When Igor Gouzenko, a GRU officer (military intelligence) and cipher clerk at the Soviet embassy in Canada, decided to defect, taking along most sensitive intelligence documents, this also changed the life of his wife and child dramatically. The interview with his wife and the story of his daughter who, as a child, never knew that her father was not the man she believed him to be, are striking examples of the price of living a fabricated life. Remember, think twice before you start a spy career when you're a family man!

Further reading: numbers stations, one-time pad and Cold War signals.

Thursday, February 11, 2016

Castle Feuerstein Laboratorium

There are many stories, some more fiction than others, about mysterious Nazi laboratories in dark castle dungeons where SS scientists perform all kinds of occult experiments. Return to Castle Wolfenstein and Mortyr are some well-known PC games that portray the Nazi obsession with the Ahnenerbe, the occult and paranormal experiments. Wewelsburg, the elite SS school and a centre for archaeological excavations, is probably the most sinister of all.

What if I told you that scientists, led by Dr Oskar Vierling, worked in a secretive laboratory in Castle Feuerstein? Does this sound to you like a sequel to Castle Wolfenstein? Not quite! Burg Feuerstein, located in Ebermannstadt, close to Nürnberg (Eng. Nuremberg), was anything but fiction. A physicist in a mysterious laboratory, how could that possibly relate to cryptology and intelligence? Exactly!

Feuerstein was an important target of TICOM, a secret Allied project to capture German scientists and seize SIGINT stations, cryptographic and communications equipment, just before Germany surrendered. The mission of TICOM (Target Intelligence Committee) was to collect as much German science and technology as possible, preferably before Soviet forces got their hands on it. To achieve this, TICOM sent fast-moving special teams to pre-determined valuable locations inside the collapsing Germany, sometimes ahead of Allied troops.

Burg Feuerstein in Ebermannstadt

Is there a better way to hide a secret laboratory than to build a typical Fränkische Schweiz style castle on top of a mountain in plain sight? It was so conspicuous that no one would suspect its purpose. Castle Feuerstein was built from scratch in 1941 by Dr Vierling with private funds. He was a physicist, electronics engineer and professor in high-frequency technology and electroacoustics. Laboratorium Feuerstein started its research in 1942 and developed experimental communications systems. At its peak, Feuerstein housed 200 staff and workers. TICOM only learned about Feuerstein's existence from decoded intercepts that referred to its research.

The scientists, led by Dr Vierling, worked on a variety of projects, including high-speed transmitters for covert agents, receivers, wave traps, accurate filter design, speech scramblers, voice frequency spectrography, teleprinter cipher (crypto) attachments, improvements on cipher machines, a synchronisation system for the Lorenz SZ42 cipher teleprinter, acoustics and filter components for acoustic torpedoes, anti-radar coating for submarines, a night fighter control system, various frequency generators and an electronic calculator to solve sine and cosine equations. They were a busy bunch!

Dr. Oskar Vierling
Just before the German collapse, Dr Vierling was ordered to relocate his speech projects to Berchtesgaden in the Bavarian Alps and to destroy all other projects and equipment. Vierling, however, had other plans for his Feuerstein legacy. Once the Nazis were off to Berchtesgaden with the speech equipment, he stored the most valuable equipment and plans in a large bomb-proof walk-in vault, hidden behind a false wall in Feuerstein. There, he awaited the end of the war.

Castle Feuerstein was used as a German Army hospital at the time the TICOM team arrived. They rounded up the scientists and Dr Vierling proved very willing to cooperate with TICOM. Vierling and his group rushed to restore the laboratory and continued their work on selected projects under control of TICOM investigators.

NSA's declassified AXIS SIGINT in WWII, Vol II, Notes on German High Level Cryptography and Cryptanalysis contains some interesting crypto related info. The Lorenz SZ-42c cipher teleprinter with synchronisation, named SK-44 and SK-45, would generate and send a continuous pseudo-random five-bit stream. The receiver mixed its identical stream, by XOR-ing, with the incoming stream, resulting in nothing to print, since (K ⊕ K) = 0. When sending a message, the plain teleprinter message was mixed into the stream. The receiver mixed, as usual, the received signal with its own stream, which results in canceling out the stream and the original plain message being printed instantly, since (K ⊕ M) ⊕ K = M.

An eavesdropper would not know if or when the random stream contained an actual message or how long it was, thus effectively preventing traffic analysis. The U.S. Army Security Agency (ASA) suggested that analysis of the continuous, mostly non-message-carrying pseudo-random stream generated by the SZ-42c might compromise the machine's secret key settings. This would enable them to predict the stream and decipher all messages that follow. The principle of a continuous random stream was also used in the 1950s on the more advanced U.S. KWR-37 JASON and KWT-37 Fleet Broadcast crypto systems.
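A toy model of the continuous-stream principle from the two paragraphs above, added here as an illustration rather than taken from the NSA document: the line always carries keystream K, a message M is mixed in as K ⊕ M, and the receiver XORs its own identical stream into everything it hears, so idle periods print nothing and message periods print M. The 5-bit alphabet and the seeded generator are assumptions; the generator stands in for the SZ-42c wheels and is not a model of them. The `offset` parameter shows why the synchronisation system mattered.

```python
import random

BLANK = 0  # the all-zero 5-bit symbol: the teleprinter prints nothing for it

def encode(text):
    """Toy 5-bit code (not real ITA2/Baudot): A..Z -> 1..26, space -> 27."""
    codes = []
    for ch in text.upper():
        if ch == " ":
            codes.append(27)
        elif "A" <= ch <= "Z":
            codes.append(ord(ch) - ord("A") + 1)
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return codes

def decode(codes):
    """Inverse of encode; codes outside the alphabet print as '?'."""
    out = []
    for c in codes:
        if 1 <= c <= 26:
            out.append(chr(ord("A") + c - 1))
        elif c == 27:
            out.append(" ")
        else:
            out.append("?")
    return "".join(out)

def keystream(seed):
    """Stand-in for the SZ-42c wheel output: an endless 5-bit pseudo-random stream that
    both ends regenerate from the same secret settings (here just a seed).  Python's
    Mersenne Twister is a toy here, not a model of the Lorenz wheels."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(5)

def transmit(seed, message, idle_before, idle_after):
    """What goes on the line: keystream K while idle, K ^ M while a message is mixed in.
    Every idle symbol is raw keystream, which is exactly the material the ASA note
    worried could give away the machine's settings."""
    ks = keystream(seed)
    line = [next(ks) for _ in range(idle_before)]
    line += [next(ks) ^ m for m in encode(message)]
    line += [next(ks) for _ in range(idle_after)]
    return line

def receive(seed, line, offset=0):
    """The receiver XORs its own stream into everything it hears: K ^ K = 0 prints
    nothing, (K ^ M) ^ K = M prints the message.  `offset` shifts the receiver's stream
    by that many symbols to simulate a loss of synchronisation."""
    ks = keystream(seed)
    for _ in range(offset):
        next(ks)
    printed = [sym ^ next(ks) for sym in line]
    return decode(c for c in printed if c != BLANK)

if __name__ == "__main__":
    line = transmit(seed=1945, message="FEUERSTEIN", idle_before=25, idle_after=25)
    print("line symbols:", len(line))                           # 60, no visible boundary
    print("in sync     :", repr(receive(1945, line)))           # 'FEUERSTEIN'
    print("out of sync :", repr(receive(1945, line, offset=1)))  # garbage
```

Run out of sync or with the wrong settings, the receiver prints garbage during idle time too, because K_i ⊕ K_j is no longer zero; that is the failure the SK-44/SK-45 synchronisation had to prevent.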

Speech scrambling research by Dr Vierling's team produced little result. In 1943, only Dr Vierling and Telefunken still worked on ciphony (encrypted voice), and from 1944 on only Dr Vierling. At war's end, Feuerstein's research on ciphony focused on synthetic speech, encrypted by triple wobbling. The speech was separated into eight frequency bands. These were encrypted in a three-stage ring wobbling (shifting the frequencies up and down) where each stage was split in half and these halves were wobbled separately. However, speech quality after de-wobbling was very bad, and ASA considered the German scientists several years away from developing any usable ciphony.

More details about the Feuerstein laboratory and Dr Vierling's work are available in chapter VIII, page 37 of Volume 8 Miscellaneous (alternative link here) of NSA's declassified files on European Axis Signal Intelligence in World War II. The rebuild of the lab under control of TICOM is described in the Interim Report on Laboratorium Feuerstein (the first pages are duplicated, start reading from page 5) from the NARA archive. Another excellent source is the TICOM Archive. These documents contain enough inspiration for a few Wolfenstein sequels.

The importance of Feuerstein for TICOM is shown in ASA documents. The Temporary Duty Report of Mr William Friedman, the renowned U.S. cryptologist, is a summary of his tour in Germany from July to September 1945, in cooperation with TICOM. Vierling's Laboratorium, noted as an important TICOM target, was one of the sites he visited in July 1945. NSA has a few more documents related to Dr Vierling.

After the war, Prof Dr Oskar Vierling continued working at VIERLING GmbH, the firm he had established in 1941, but relocated to Ebermannstadt, a mere kilometre from Castle Feuerstein. He had quite a prolific career, developing crypto machines, covert radio transmitters, eavesdropping devices, radio direction finding and various measuring and test equipment. He worked for the Organisation Gehlen (post-war West German intelligence), its successor the Bundesnachrichtendienst (foreign intelligence), the Zentralstelle für Chiffrierwesen (central cryptologic service) and the Deutsche Bundespost. From the 1930s until the 1950s he was also an important pioneer in the development of electronic and electro-acoustic instruments.

Due to legal restrictions on crypto export, Dr Vierling sold the rights to his crypto equipment to Crypto AG's predecessor Hagelin Cryptos. NSA archives show that Dr Vierling developed crypto machines in cooperation with ASA and NSA, at least until 1953 (see here and here). These documents show that ASA supplied transistors for Vierling's crypto research. Transistors were quite novel in 1953 and their use in crypto equipment pretty unique.

Vierling's firm is still located in Ebermannstadt today. Burg Feuerstein is now a Catholic youth centre.