Thursday, March 19, 2020

Crypto AG & Operation RUBICON at Crypto Museum

The Crypto Museum just released the full story about Operation RUBICON, the CIA and BND joint-purchase of Crypto AG, once world leader of secure encryption equipment. The Crypto Museum took part in the investigations with Dutch investigative VPRO radio Argos, and cooperated with various media like the Washington Post and the German ZDF.

They compiled a tremendously detailed page with a wealth of information about the people and organisations involved, the secret agreements with AFSA, NSA, and later CIA and BND, the intelligence operations, legal constructions to disguise the true owners of Crypto AG, the targetted countries and various timelines.

Crypto Museum also provides extensive information about the rigged equipment with links to additional information at their vast website collection. All this based on years of research and many disclosed documents. The RUBICON page is a true treasure trove and historical reference.

Visit the Crypto Museum RUBICON page to learn everything about the Crypto AG spy scandal. If you already visited their RUBICON page before, make sure you refresh the page in your browser, as the page has been expanded quite a bit!

Before you dive into the fascinating Crypto Museum information, Swiss Radio and TV SRF has an excellent intro on the Crypto AG case. You can select English subtitles.


Saturday, March 07, 2020

Podcast Nuggets Episode 5

Click for more podcasts
After a long break, we're at it again. Three podcast nuggets to spoil the ears and mind. Recent news as a starter. The renowned company Crypto AG that turned out to be a CIA & BND subsidiary. Next stop, a talk about how you make it possible for U.S. spooks to operate in Moscow, and finally the former CIA chief of station Moscow about handling their top Russian spy. Almost three hours of fascinating spy mania. Get your headphones, listen very carefully... and watch your back!

NPR - Uncovering The CIA's Operation To Steal State Secrets. Washington Post reporter Greg Miller was one of the investigative journalists who uncovered the truth about the highly respected Swiss company Crypto AG, once world leader of encryption equipment with customers in more than 120 countries. CIA documents revealed that Crypto AG was joint-purchased by the CIA and BND, the West-German Federal Intelligence, as early as 1970. It was the start of the largest ever worldwide compromise of secure communications for many decades. See also my previous posts Crypto AG Fallout and Crypto AG Alternatives.

SPYCAST - Moscow Rules with Jonna Mendez. The story of CIA operations officer Tony Mendez (the real Argo) and his wife Jonna, both experts in disguise who were ground-breaking experts in developing techniques that enables American spies to operate under the noses of the almighty KGB’s countersurveillance. Cloack is the vital part of cloack and dagger. Tony sadly past away in 2019. The book is also a tribute to his work. I recently bought the book The Moscow Rules, and I can highly recommended.

SPYCAST- Conversation with David Rolph. This Former CIA Chief of Moscow station was one of the case officers that handled Adolf Tolkachev, probably the most valuable CIA assets ever in the Soviet Union. The CIA had to operate and have meetings with Tolkachev, despite overwhelming KGB surveillance. If you liked this podcast and want to know more about Tolkachev, you definitely have to read the book The Billion Dollar Spy from David Hoffman (see my book review).  There's More about Tolkachev on this blog.

Tuesday, February 18, 2020

CRYPTO AG Alternatives?

The latest news about insecure Crypto AG equipment, sold not only to foes, but also to some friends, was not that surprising, given the warning signs that popped up in the past. The scale and duration of the operation is a surprise, but it's all part of the game called intelligence collection.

Despite those early red flags, Crypto AG, and its owners CIA and BND, managed to convince customers to maintain confidence in their crypto products. The reputation of the firm and its location in "neutral" Switzerland helped. The question is whether those customers had any choice, or alternatives?

In reality, truly secure communications is all but easy. Communications security is a highly specialised discipline, comprising a whole range of rules, regulations, technical requirements and equipment. Special dedicated equipment can provide such security, but trusting the manufacturer is essential. However, in the field of cryptography, so intertwined with security and intelligence collection, trusting others is not that smart. What are the alternatives? For a start, they are always costly, either in money or in effort.

Since people tend to prefer easy, they often choose cheap and simple. Today, that’s an application from their app store, or an add-on for their e-mail or browser software. Some diligent distrustful might download actual encryption software and have decent anti-virus software. In general, this creates more problems than solve them, and here’s why.

Normal computers, laptops, tablets and smartphones are absolutely not suitable to run encryption software, despite some vendors claiming otherwise. All these devices have numerous processes running in the background. Plug-ins, add-ons and other unidentified software, often downloaded automatically, for the sake of compatibility, convenience, or at the request of the user.

Software developers who claim their software provides secrecy and privacy on your personal computer or smartphone actually do not know what they are talking about. Not because of incompetence, but simply because they really have no idea of all the processes running before or after installing their software. Often, the user is both cause and problem, with kind assistance of your OSI layers, or Open Systems Interconnection (what's in a name). Seven layers of security nightmare.

Therefore, running crypto software might prevent your wife or neighbour from reading your e-mails, but won’t prevent state actors or professional hackers from doing so. Theoretically it takes far too long to crack strong encryption, but in 95% of the cases they don’t waste time and retrieve your data before encryption.

The most secure solution is off-line encryption on a dedicated computer or device. which is never connected to the security nightmare called Internet. This will make it harder, but not always impossible. Should you use commercial software, proprietary secret encryption algorithms, or develop your own crypto algorithm, and would that be secure?

Various publicly available algorithms are peer-reviewed and pretty secure. They take far too much time to crack, in theory. There are however always actors with more brain power and resources who might discover and exploit a mathematical shortcut. It's important that the user fully understands how the encryption works and can verify its performance, which is very hard. So he just has to trust the manufacturor? What's left?

There’s one type of encryption, truly unbreakable today, and in the future, no matter what technology might arise. Unbreakable because it's an equation with two unknowns, mathematically impossible to solve. It’s called one-time pad (OTP). Hailed in the past for protecting communications for diplomacy, military and intelligence, and still used for special purposes, this encryption method, performed on machines or with pencil and paper, provides secure communications, under the condition that it is implemented properly.

The famous Cold War Washington-Moscow hotline, encrypted with ETCRRM one-time tape machines, is a well known example. The paper version, shown below, was the favorite spy encryption for decades, often used in numbers stations. One-time pad has never been broken, and some erroneous claims are in fact cases of implementation errors.

One-time letter pad booklet with reciprocal encryption table.
Image © Dirk Rijmenants
One-time pad has two main drawbacks, which are however not technically insurmountable: true randomness and key distribution. OTP encryption requires truly random keys, as long as the message, and used only once. This creates logistical issues.

In the heydays of one-time pad, this meant a special courier from the organisation – usually state actors – that securely transports the keys. Secure key logistics is the sole reason why this unbreakable encryption is not generally used today, because secure logistics means costs.

Are costs really a problem? Today’s technology enables easy production and secure physical transport of vast amounts of key material (read bytes) on a small carrier, to provide year-long encryption before fully consumed, making it pretty cheap per byte. It's a question of willing to provide the technical infrastructure and funding. Even quantum key distribution already exists and is operational.

Secure transport might cost more than free exchange of  asymmetric cryptography's public-keys, but costs are relative. Ask Crypto AG customers, both adversaries and friendly states. Their costs for the equipment they bought, the training they received, maintenance and, last but least, the costs and damage caused by their compromised communications... for decades. Extremely expensive in terms of security and possibly also economic losses through industrial espionage.

Crypto AG HC-7845 world's first 1 Gigabit VPN encryption in 2009... can we trust it?
Earlier Cold War Hagelin/Crypto AG machines at the History of Hagelin page.
If they had used one-time pad encryption, common practice until the early 1980s, instead of Crypto AG equipment, it would have been less practical, a bit more costly, but in the end far cheaper than trusting their most critical secrets to outsiders and man-made algorithms with all their flaws, weaknesses and, as history showed, hidden intentional weaknesses. One-time pad, on the other hand, is simple, fast, transparent, easy to verify its proper functioning when applied in machines and yes, less practical.

However, if we talk about vital secure communications, what’s most important? Cheap, easy and insecure, or costly, hard and secure. One lesson throughout history is that real security is never cheap, always requires effort, but pays off. Unfortunatelly, little Joe, big companies and government agencies all want it to be easy and cheap, and they are at the same time addicted to producing and sending ever larger amounts of sensitive information. Weak security? We acutally asked for it, and we got it.

Visit the one-time pad page on Cipher Machines and Cryptology to learn more about the history and use of unbreakable encryption. You want to use encryption that is – clearly – more secure than rigged Crypto AG machines? You can, but only if you strictly follow all the one-time pad rules! Read about it in the Guide to Secure Communications with One-time Pad (pdf). It’s unbreakable, free, transparent and fun, if you have some time to spare.

If you want to know why public-key cryptography solved the key exchange problem but not the actual security of our communications, check out Is One-time Pad History? (pdf). This was written many years ago, and a note was added in 2015 about how reality had surpassed our greatest fears by far. Well, we doubled down on that one again.

Thursday, February 13, 2020


The bombshell news about the rigged Crypto AG equipment is spreading. The renowned Switzerland based crypto firm, a world leader on commercial crypto equipment throughout the Cold War, already came under suspicion in the 1992 Hans Bühler case.

Iran, one of the many countries using Crypto AG equipment, became suspicious after some of their secret communications had leaked. Bühler, a salesman for Crypto AG, was arrested in Iran and imprisoned for nine months. This was a mere the tip of the iceberg.

Six years ago, declassified NSA documents showed a close cooperation between Boris Hagelin, founder of Hagelin Cryptos (later renamed Crypto AG) and his close friend William Friedman. Friedman, a brilliant U.S. cryptologist, already had a career from SIS over AFSA to chief cryptologist for NSA (National Security Agency).

CX-52, the machine that
NSA feared to be unbreakable.
Their 1950's gentlemen's agreement ensured that Boris Hagelin would sell  to "questionable states" only crypto machines of which the message could be decrypted (read) by NSA. The Gentlemen's Agreement seemed to extend into the 1990's, as the Hans Bühler case showed. This cooperation between Crypto AG and NSA was pretty big news in the cryptologic world. NSArchive has more on Hagelin and Friedman.

The current revelations, although more of the same, surpass the old suspicions by far. Journalists from German television ZDF and American news­paper The Washington Post now uncovered the last pieces of the puzzle. The CIA and the BND (Bundesnachrichtendienst, West-German Federal Intelligence Service) joint-purchased Crypto AG and took full control already in 1970.

This enabled the CIA, in coorperation with NSA, to develop unnoticeable weakened crypto equipment, sell these worldwide and eavesdrop on the compromised communications of many countries for decades. Eventually, this intelligence coup, called operation RUBICON, reached such proportions that BND decided to pull out in 1993, making CIA the sole owner of Crypto AG.

Crypto AG was liquidated and sold in 2018, two years before the CIA and BND ownership and operation RUBICON came to light. Two companies independently acquired part of the Crypto AG assets. One company took over the Swiss part and has the Swiss government as only customer. The other company took over the international branch of Crypto AG and also acquired the brand name. The owner  stated that they are a completely different company, until recently unaware of the links between Grypto AG, CIA and BND. They will change their company name.

Crypto Museum, who took part in the investigations in cooperation with the Dutch investigative VPRO radio Argos, has an excellent overview of the case and press coverage and many links to detailed information about Boris Hagelin, Crypto AG and the secret alliance with BND, NSA and CIA. Greg Miller of The Washington Post gave an excellent 37 minutes summary of the Crypto AG spying on NPR podcast.

Update! The Full Operation RUBICON Story just release by Crypto Museum. They compiled an incredibly detailed full story on operation Rubicon with all agreements, timelines, involved persons, agencies and equipment. If you visited that page before, make sure to refresh the page to load all new information.

End of story? Not quite. Apart from the damage to the neutral image of Switzerland, there are many questions that are left open. The documents revealed that Crypto AG not only sold weakened machines to "questionable states" but also to several NATO allies. Among them was Belgium, a diplomatic hotspot with NATO and EU in Brussels.

Weakened encryption could help the enemy to read those messages, and that's exactly what the Soviets did. They also shared that knowledge, as documented in BStU files (German federal Stasi archives). The Soviets had excellent cryptologists, but even Cuba provided the East-German Stasi with info on cryptanalysis and decryption of Crypto AG equipment from various South American and Western European countries. Not quite a testimony of quality for Crypto AG, but that was their intention. More on compromised Crypto AG merchandise at SAS Chiffrierdienst (translated).

Insecure NATO members' equipment might well have leaked sensitive information to the Russians. The BND left operation RUBICON just a few years after the Berlin wall came down. Was it because they discovered in seized Stasi files that the Russians & friends could read Crypto AG messages from friends and foes? And CIA wasn't worried? Just collateral damage? The murky world of crypto  where even former Stasi cryptologists work for NATO. So many connected dots.

On my website you will find more on Hagelin-Cryptos and Crypto AG.

The whole mess reminds us of Organisation Gehlen, the post-war West-German intelligence and predecessor of the BND. Organisation Gehlen was kindly assisted by the US Army, who de facto ran it as a department. The CIA took over from 1949 until 1956, when Gehlen dissolved in the new BND, not coincidentally the era of the gentlemen's agreement.

The cooperation between the BND and U.S. intelligence was naturally and had many advantages, so close to the Iron Curtain. Already before the end of World War II, U.S. military TICOM teams rounded up scientists that could be useful. One of them was Oscar Vierling, prolific physicist and engineer with his Feuerstein Laboratory. His research proved interesting for various German and American post-war organisations.

Vierling's crypto research and work for ZfCh, the German central cryptologic service, eventually ended when he (willingly or not) sold the rights for his crypto equipment  to... you guessed, Crypto AG predecessor Hagelin Cryptos, who's founder Boris Hagelin already had an alliance with William Fiedman. This might have been the wisest decision ever that saved Vierling's firm from becoming a CIA subsidiary. More about the Feurstein Laboratory on this post.

The close cooperation between German and American intelligence also had its drawbacks. A most damaging case was Heinz Felfe, a Nazi SS officer with the SD Sicherheitsdienst (Foreign Intelligence branch of the SS). He was recruited by British Intelligence who quickly dropped him on suspicion of working for the Soviets.

Eventually, Felfe was recruited by, of all places, the Counter-Intelligence section of the Gehlen Organization (read CIA subsidiary). Felfe, in reality a Soviet spy, caused enormous damage to Western Intelligence. More about Felfe's devastating escapades in this post.

Wednesday, February 12, 2020

Legacy Edition Cipher Machines and Cryptology

After running Cipher Machines and Cryptlogy for sixteen years, I decided to create a Legacy Edition of my website. The original site remains active and updated, but the Lagacy Edition ensures that all information and downloads remain accessible in the future, whatever may come. Hold your horses, I'm going nowhere, and planning to live another 50 years, at least!

You can stick to the original site without problem. Know that, in contrast to the original, the Legacy Editions isn't easily found by Google yet, so make sure to bookmark the Lagacy Edition. Over the years, my website has also been archive by the Internet Archive (shoutout to founder Brewster Kahle) but not all pages might be up-to-date.

Cipher machines and Cryptology Legacy Edition, just like the real thing!

The idea came after an unexpected flirt with the eternal on my bike (that's at least what I was told later). Hence the long period of inactivity. No worries, I'm back on track now and will continue to write stuff and update the website. I did realize that, if you don't want to vanish without a trace, you should take precautions for any digital traces on the web that you would like to keep sharing with family or friends.

After so many years, millions of visits and downloads, all the kind people who contacted me, some of which spent so much precious time on the various crypto challenges, and the many interesting people I got to know, I just have to leave some traces.

A Google account is a good place to start. Their Inactive Account Manager makes sure that Google knows what to do when your account becomes inactive. You can let Google notify different people, including a message from you, what those persons should do with your data, photos, blogs, and whether Google should keep or delete all your stuff on the web. Other companies have similar solutions for your legacy.

Nothing to leave on the internet? Then still backup, backup, backup and share your backups to keep them safe!