[Cryptography] Imitation Game: Can Enigma/Tunney be Fixed?

Jon Callas jon at callas.org
Thu Jan 8 14:13:42 EST 2015

Hash: SHA256

On Jan 7, 2015, at 12:23 PM, Ray Dillinger <bear at sonic.net> wrote:

> Does every large-scale military organization make stupid mistakes
> subordinating security to petty officiousness, redundant procedure,
> personal ego, and just plain laziness?  


Dear me, it's the blinking *Military*! Admittedly it was the Allied forces in that war that gave us the term "SNAFU," as well as the tired joke about "military intelligence" but that's true everywhere. 

I offer as an example, this wonderful book:

"The Man Who Broke Napoleon's Codes" by Mark Urban. (Link not given because you can do that as well as I.)

You'll see there all the same human failures being made, but with code books etc. in the Napoleonic Wars.

I also offer up another classic, also a WWII one, but this book along with the above have been instrumental in my educcation:

"Between Silk and Cyanide: A Codemaker's War, 1941-1945" by Leo Marks.

Heck, while I'm at it, one more:

"The Story of Magic, Memoirs of an American Cryptologic Pioneer" by Frank Rowlett.

Sadly, that latter one is out of print and copies I found are spendy -- US$90 or more. I would argue, though that if you really want to understand capabilities, it's important.

The reason is that PURPLE -- the Japanese (handwave, handwave) Enigma-equivalent -- was broken by people who not only didn't speak the language but didn't have the character sets in common. Reading about that is really important, especially Post-Snowden.

It's also interesting that the Japanese OPSEC was so good that there are no surviving intact PURPLE machines, only the PURPLE-equivalents built by the cryptanalysts. They seem to have been seduced by belief in good OPSEC (which is the opposite of what usually happens) and continued using PURPLE even after the Germans told them it was broken, and even used it for a time after the end of the war (!). For what it's worth, the Russians also broke PURPLE.

It's also worth looking at because of the value of so-called "third-party intelligence" (in this case, the Allies got information about German things because they Japanese talked about them, thinking they were secure).

As Holmes said, "There is nothing more deceptive than an obvious fact."

> Is this level of
> operational failure something that people need to design for
> if building systems for military clients?


Misuse-resistant crypto is *the* frontier. There are some nice things being done in algorithms themselves, but I think they need to be backed up with software design in many levels of the system stack. They crypto has to survive a programmer who read a crypto book. They're the worse ones of all. They've been deceived by all the new facts they learned most of all.


Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii


More information about the cryptography mailing list