Slashdot Mirror

← Back to Stories (view on slashdot.org)

After Weeks of Trying, UK Cryptographers Fail To Crack WWII Code

Posted by timothy on from the reopen-bletchley-park dept.

An anonymous reader writes "A dead pigeon discovered a few weeks ago in a UK chimney may be able to provide new answers to the secrets of World War II. Unfortunately, British cryptographers at the country's Government Communications Headquarters (GCHQ) have been unable to crack the code encrypting a message the bird was tasked with sending and say they are confident it cannot be decoded 'without access to the original cryptographic material.'"

27 of 263 comments (clear)

  1. No surprise there by Anonymous Coward · · Score: 5, Insightful

    Given that the original message looks supiciously like it was encoded with a one time pad, it's really not at all surprising that they can't crack it without the relevant pad. Which was probably destroyed a long time ago.

    1. Re:No surprise there by v1 · · Score: 5, Informative

      One time pads are not impossible to crack, provided you have some clues about detecting a successful decoding.

      [ citation needed ]

      Here, let me help you.

      citation

      In cryptography, the one-time pad (OTP) is a type of encryption which has been proven to be impossible to crack if used correctly. Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key (or pad) of the same length as the plaintext, resulting in a ciphertext. If the key is truly random, as large as or greater than the plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key.

      So unless you classify the key as a "clue" (rather than a cluebat) you need to rethink that.

      --
      I work for the Department of Redundancy Department.
    2. Re:No surprise there by jspoon · · Score: 5, Funny

      Grandparent is getting OTP mixed up with ROT13. I do that all the time. It cost me my job once.

    3. Re:No surprise there by BetterSense · · Score: 4, Informative

      No. You reveal that you do not understand one-time pads.

      Given a ciphertext N characters long, there exists a one-time pad that will decrypt that ciphertext to ANY clear text message. So if you have an N-length bit of ciphertext (as it appears these chaps do) and you brute force it and decode an N-length string that 'looks' correct (e.g. "The fleet has launched") that's just great...the problem is that THAT clear text is equally likely to be the correct clear text as any other string of text that long, including all perfectly-structured sentences, with correct pronunciation, containing jargon...in all languages...that long. And if they are salting and/or stuffing the clear text, you don't even have the length as a clue.

    4. Re:No surprise there by BitterOak · · Score: 4, Insightful

      Your citation is incomplete. Key reuse is one way to weaken the encoding without forking over the key itself, though this needs multiple messages encoded with the same key.

      If you've re-used a key, you're no longer using a one time pad. (Hint: Why do you think it's called a one time pad? [emphasis mine])

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    5. Re:No surprise there by l0ungeb0y · · Score: 5, Funny

      Messages small enough to be carried by pigeon were most likely necessarily small

      So you're saying that this message was quite literally a "tweet".

    6. Re:No surprise there by somersault · · Score: 4, Interesting

      Nope..

      it is possible to "decrypt" out of the ciphertext any message whatsoever with the same number of characters, simply by using a different key, and there is no information in the ciphertext which will allow [the reader] to choose among the various possible readings of the ciphertext.

      Got that from this . It's an interesting read. In a message encrypted by a one time pad, even two letters right next to each other may not represent the same letter in the original plaintext..

      --
      which is totally what she said
    7. Re:No surprise there by v1 · · Score: 4, Insightful

      Your citation is incomplete. Key reuse is one way to weaken the encoding

      Please re-read the entire cited text. Pay special attention to "never reused in whole or part"

      (also, even a single re-use can completely compromise all other messages that used a given pad, if the plaintext of a single message encoded with that pad is discovered by other means)

      I'm not a cryptoanalyst, but I play one on TV

      --
      I work for the Department of Redundancy Department.
    8. Re:No surprise there by 0123456 · · Score: 4, Insightful

      You still don't get it.

      You might know that the message is 'The Commies have XXX tanks' where XXX is a number, but if the pad is correctly generated and used, the XXX can decode to any three digit number whatsoever, so that knowledge gives you no information at all.

    9. Re:No surprise there by Jappus · · Score: 4, Informative

      But as stated elsewhere, messages are not random, so the laboratory exercise does not represent the real world.
      When you send a spy in to determine the number of tanks crossing a certain bridge, you don't consider an order for lamb chops and left hand threded eels to be a proper decoding.

      Yes, but you don't understand the fundamental problem of your argument. With an OTP, the sentence "0 tanks crossed" is just as likely as the following:

      "2 tanks crossed"
      "3 tanks crossed"
      "4 tanks crossed"
      [...]
      "144 tanks cross"
      "346 tanks cross"

      And so on and so forth. You can only run a reasonability analysis, if any of those above was less reasonable than the others. So not only would you need to know that there is a spy and that the spy counted tanks (instead of, say, planes or flowerpots), you would also need to know the exact number he counted and that the spy has not counted wrong. You'd also need to know how he phrased the answer.

      In short: You'd need to already know the decoded message to say which decoded message is correct. The reason is very simple: In a One-Time-Pad, the key and message are completely interchangeable. Given only the encrypted text, it is just as hard to find the key as it is to find the original message. This is the ideal property all encryption methods strive for.

    10. Re:No surprise there by hawguy · · Score: 4, Insightful

      While that is true, you will note that i said probable content. Yes there are any number of equally valid decodings. However few will make sense in the context in which they were sent.

      The assertion that there are any number of possible decodings only works when you have zero knowledge of expected content, and as such its a tired and juvenile objection.

      It's not that there are "any number of equally valid decodings", but there is every possible decoding. If the word "APPLE" is encypted with a one-time pad into "XYZZY", there are potential one-time pads that will decrypt that string into "APPLE", "IPHONE", "STEVE", "WINMO", "GOOGL", "ANDRD", "SBRIN", "LPAGE", "BILLG", etc.

      How do you know which of those is the "valid decoding"? How does your knowledge of expected content help you?

    11. Re:No surprise there by mysidia · · Score: 5, Informative

      even two letters right next to each other may not represent the same letter in the original plaintext..

      Any cipher worth its salt will have this characteristic.

      A one time pad is a mixing operation; a combination of random data with the plaintext being protected, using an operation that preserves entropy; which means that none of the randomless from the one time pad bits are lost EVEN though the plain message being encrypted is non-random, the result will have exactly as much randomness as the more random of the two bits being mixed, and therefore it is mathematically impossible to discover the value of a single bit of plaintext, without knowing the corresponding bit of one time pad.

      Nor is it possible to determine the value of any single bit of one time pad, without knowing the corresponding plaintext bit.

      Any attack requires discovering the value of the one time pad through an outside source, or exploiting a weakness in the pad, such as key reuse, OR inadequate random number generator used to produce the pad.

      The only thing you can ascertain about the one time pad by looking at the enciphered message, is its maximum potential length, since you can see the number of symbols that are printed on the card, and that will be a finite number.

    12. Re:No surprise there by ceoyoyo · · Score: 4, Insightful

      He's right, you clearly don't understand how one time pads work.

      With a properly used one time pad, ANY message (of the same length) is equally valid. Typically you salt the message with some nonsense or whitespaces too, so any message of length = the length of the encrypted message is possible.

      So you can make up any message you want, gibberish or real words, and you have no idea if it's the real message or not. You cannot use frequency analysis, dictionary attacks, content hints, or anything else against a properly used one time pad.

      You're thinking of simpler encryption algorithms that DON'T use completely random pads. Things like Enigma. If you know something of the content of the message that can help immensely in decrypting those messages, but again, prior knowledge, guesses or whatever have no effect on the security of a properly used OTP.

    13. Re:No surprise there by OneAhead · · Score: 5, Interesting

      Now you're just making a fool of yourself. People already linked you to a wikipedia page that explains in detail why you're wrong, yet you stubbornly refuse to read it (or perhaps you're too daft to understand what it says?)

      Here's a demonstration. From TFA, the secret message is:
      AOAKN HVPKD FNFJU YIDDC
      RQXSR DJHFP GOVFN MIAPX
      PABUZ WYYNP CMPNW HJRZH .
      NLXKG MEMKK ONOIB AKEEQ
      UAOTA . RBQRH DJOFM TPZEH
      LKXGH RGGHT JRZCQ FNKTQ .
      KLDTS GQIRU AOAKN

      My sources are telling me that "AOAKN" is most likely the identifier of the OTP or code page that was used, so the actual content of the message is
      HVPKD FNFJU YIDDC RQXSR
      DJHFP GOVFN MIAPX PABUZ
      WYYNP CMPNW HJRZH NLXKG
      MEMKK ONOIB AKEEQ UAOTA
      RBQRH DJOFM TPZEH LKXGH
      RGGHT JRZCQ FNKTQ KLDTS
      GQIRU

      Being a 1337 cryptography expert, I determined that the code page in the sender's code book started with:
      SBXDZ CUYSG ECWKO CMRSZ
      JRGOH DIRFA JRWEP LFXRK
      OLULB XHHAW UGKLL NUUKT
      JQPKX LMUGR IGRCC AHKCW
      OKMZZ LQOSK PPGNH YPPVW
      NRVDT RNHYD CNCCY RUVJO
      VCNNA
      Don't believe me? Go to this page, copy-paste the above "actual content" in the field that says "input" and the key in the field that says "key", and click decode.

      Oh wait, I was wrong, the real key is:
      ZTLJV VJXRU VERZP YMUND
      PYLYB WBHJV ZUWCR ESJNL
      FMYUI KMCKU HWYID NIJTM
      ZBITS VNBFI TGIWG MLKQS
      RMQLD PWASI AHNAS LHFBN
      PWYUN XRTPM MVDFU HXKMO
      IUUAK

      Allright, I'm just messing with you, it's
      JHVGR QUHCQ YFZAC EILSG
      YVTCW PABZG QALLG HVBDG
      OLAZV LGLAS QJGWZ WHVRY
      YROWQ XBAPU WTIEY UTOHI
      YXZRU ALALV OPGXD USLCW
      YSBDI GNILZ OWTSM TUMCB
      PZANC

    14. Re:No surprise there by __aajfby9338 · · Score: 4, Interesting

      Well, that's a matter of semantics. If you implement a large-scale, properly-designed one-time pad system, but then a pair of lazy and/or ignorant code clerks re-uses individual OTP sheets for some of the traffic between them (contrary to orders and training, of course), then do we say "it's not a one-time pad system", or that "it's a misused one-time pad system"? Either statement might be arguably valid.

      Or maybe all of your code clerks properly use each sheet once and then immediately destroy it, but the factory that produced the keying materials messed up and included duplicate sheets mixed into some of the books, resulting in compromise of the system. Which has actually happened, by the way. You might say that it wasn't actually an OTP system, or you might say it was an OTP system in which implementation mistakes were made which compromised some of the traffic. Those mistakes may have been unintentional errors or deliberate acts by undercover agents to weaken the system, but the folks who designed and oversaw the system intended to deploy a proper OTP system and thought that they were doing just that.

      Or maybe you create an OTP system, distribute good keying material without blunders like repeated pages, but then an undercover agent runs out of keying material, has no way to obtain more, and then must choose between stopping communication, communicating in plaintext, or re-using OTP sheets to get critical information through and hoping that the adversaries don't detect the situation. I lean towards calling this situation "not OTP", but it's still a matter of semantics.

    15. Re:No surprise there by gadzook33 · · Score: 5, Interesting

      Actually I read something interesting about WWII One Time Pads. Apparently the pads were generated by women (typically) drawing ping pong balls out of a hopper and writing down the letters. The problem was if they drew the same letter multiple times in a row, they might put it back thinking that it wasn't "random" enough. Of course, in doing so they changed the distribution of letters to no longer be uniform. My understanding is that this very quickly erodes the cryptographic integrity of the one-time pad to the point where you can start to look for the plaintext based on letter frequency. I'm not saying that's applicable here (and I have to imagine the cryptographers would have looked at this) but interesting nonetheless.

    16. Re:No surprise there by Anonymous Coward · · Score: 5, Funny

      That last batch activated my copy of Windows XP.

    17. Re:No surprise there by Anonymous Coward · · Score: 4, Interesting

      Actually I read something interesting ...

      By 'something interesting' you must mean Neal Stephenson's Cryptonomicon. I agree, it is quite an interesting book. One of my favorites in fact.

    18. Re: No surprise there by grumbel · · Score: 4, Interesting

      A clue does not help you a bit. The only thing you can get out of a OTP is the maximum length of the message, but not the minimum or actual length,. Everything else is completely arbitrary and depends completely on the key. You can literally decode all possible messages with that maximum length out of that encrypted sequence with the right key. All Twitter posts ever written, all messages passed around in WWII, a whole bunch of Haiku's and what ever else you want you can get out of that sequence with the right key. That encoded sequence is essentially just random junk without the original key. The only clue that brings you to the original message is the original key used to decrypt it.

  2. Cracked! by Anonymous Coward · · Score: 4, Funny

    I just installed windows XP using the first row.

  3. Easy! by Anonymous Coward · · Score: 5, Funny

    Wenn ist das Nunstück git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput!

    1. Re:Easy! by Anonymous Coward · · Score: 5, Funny

      Wenn ist das Nunstück git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput!

      HHAHAHAHAHAHAHAHAHAHAHAHA!

      *dies*

  4. Its worse than that. by Anonymous Coward · · Score: 5, Interesting

    My Aunt was a radio communication specialist in the channel islands where they communicated with the underground and later the anti Nazis within the third reich. My Dad was involved in counter espionage within Great Britton. They were both recruited by the Canadian military and then trained by the combined British and Canadian military intelligence division long before the US joined in.

    Not only was key info done with one time cipher it also used specialist language. For instance the word pie after decryption might be construed to be to mean supplies. Only the individuals who were taught the language could decode it and no more than a few individual agents sending info from within Germany or France used the same code specific language.

    If the pigeon corpse was from D Day then it would have been really early in the landing. As the beach head was secured the code receiving specialist people moved in to undisclosed places in Normandy. Are they absolutely certain the pigeon was from D Day? If not it may have been from other sources as my aunt told me there was some underground agents using them before 1944...Some even in the Dieppe region!

  5. Re:lol by Anonymous Coward · · Score: 5, Funny

    Really, Mr. Ballmer, you need to take some anger management classes.

  6. Re:Weeks by Deadstick · · Score: 5, Informative

    You would seem to miss the point. Here's a message encrypted with a one-time pad: WXYZ. Want to brute-force it? OK, try all the permutations of four letters that can exist in the OTP (36^4 of them, if the pad accommodates English letters and digits). Spoiler alert: One of those permutations will yield LOVE. Another will yield HATE. Which one is the correct message?

  7. What if that is the one time pad? by LordZardoz · · Score: 4, Interesting

    What if that is not an encrypted message, but the encryption key for a message?

    I am not a cryptography expert, but I suppose there would be no way to discern the two right?

    If it is the key and not a message, than no amount of decryption effort would matter.

    END COMMUNICATION

  8. Re:It's not ROT13 by marcosdumay · · Score: 5, Funny

    What did you run twice? The XOR one time pad or the ROT-13?

    --
    Rethinking email