[Cryptography] Imitation Game: Can Enigma/Tunney be Fixed?

ianG iang at iang.org
Fri Jan 9 16:56:31 EST 2015

On 7/01/2015 20:23 pm, Ray Dillinger wrote:

> In reviewing the Third Reich's operational record with Enigma,
> it's hard to tell whether they lost the war because of sheer
> stupid arrogance (with the failures of training, overconfidence
> in equipment and procedures, and systematic underestimation of
> opponents that implies), or whether it just seems that way now
> because we have the record of the cryptanalytical progress against
> Enigma which depended so much on those mistakes.

A bit of both.  History of WWII suggests that Hitler overrode and 
controlled his war effort with more than the normal gusto.  Sometimes he 
got it right, often he got it wrong.

An example of the former to spectacular effect was the Battle of the 
Bulge.  By that point, Hitler distrusted the codes and decided to 
distribute the orders by motorcycle riders.  Result was complete 
surprise, although there was low level intel suggesting something was 
up, the Allied generals had seemingly gotten used to a diet of clear and 
accurate suggestions from on high.

> Does every large-scale military organization make stupid mistakes
> subordinating security to petty officiousness, redundant procedure,
> personal ego, and just plain laziness?

Oh, absolutely.  Think of it this way.  In every routine battle, one 
side will lose, and the search for reasons for failure will be on, for 
that side at least.  The other side will have as many reasons, but will 
be able to sweep them under the carpet due to their "brilliant" victory.

> Is this level of
> operational failure something that people need to design for
> if building systems for military clients?

1883, Kherkhoffs' 6th principle:

     "Finally, it is necessary, given the circumstances
     that command its application, that the system be
     easy to use, requiring neither mental strain nor
     the knowledge of a long series of rules to observe."

He was writing about ordinary soldiers, from his experience with the 
French Army.

As a segue to today, in an EFF talk at RWC2015, they were talking about 
the EFF's CUP or Crypto Usability Prize.  Apparently the cutoff point is 
3 minutes.  If you can't explain how to get in and up and running with 
the privacy tool, you're out.  I once measured raw users getting up and 
going over chat with Skype, it took 3 minutes from start to talking.

Usability is the #1 factor in security.

> I suppose a review would require gathering data about how often
> warrant officers (those who have a warrant on account of expertise
> with some particular crucial field) are overruled by commissioned
> officers (those who are in the chain of command and have
> commissions on account of military training). Seriously, part
> of good military training ought to be a realistic assessment of
> how much to trust nonmilitary training.

Well, it isn't as simple as one class v. another.  There are bad warrant 
officers as well as bad commissioned officers.

> I mean, imagine a warrant officer cryptography clerk, saying to
> Herman Goering: "Sir, it degrades operational security to repeat
> this same greeting word-for-word with full honorifics etc, at the
> beginning of each message...."  Odds of him getting overridden?
> Odds of him being too afraid to even speak up in the first place
> even though he knows it to be true?  Odds of him getting punished
> for telling the truth?

Legend has it [0] that fighter ace Adolf Galland told Goering that he 
could win the Battle of Britain with a squadron of Spitfires.  Goering 
was a flake, but Canaris was a wiley fox, and also more on-point for 
this particular battle, and would have more likely listened to a noncom. 
  Having said that, it was early days, nobody had any clue what the 
other side was up to, and belief in own side was paramount.

I was told yesterday that during WWII the Germans had some success 
parking submarines over undersea cables from UK to US, and using 
acoustics to pick up traffic!?  Anyone got any references to that?


[0] by which I mean, it's disputed if that actually happened.

More information about the cryptography mailing list