[Cryptography] Leo Marks' 1998 talk about WW2 SOE code-making and breaking
Steven M. Bellovin
smb at cs.columbia.edu
Wed Jan 21 12:14:01 EST 2026

On 20 Jan 2026, at 9:45, Kent Borg wrote:
> On 1/19/26 3:53 PM, Peter Fairbrother wrote:
>> On 19/01/2026 17:16, Kent Borg wrote:
>>
>>> Question: What is a "worked out key"?
>>
>> "Worked out keys" weren't actually worked out at all, they were
>> randomly generated subkeys similar in use to the non-random subkeys
>> agents worked out from a poem.
>
> Very cool.
>
> So the hierarchy was:
>
> - OTP for regular traffic. Destroy the key material after use, unbreakable.
>
> - WOK if necessary. More compact keys than OTP, possibly easier to use
> than OTP. Somewhat more secure than the poem, familiar procedure.
>
> - Last resort, poem-based. Infinitely compact (memorized key source).
> Required preparation step, ciphertext susceptible to being cracked, SOE
> agent could be tortured to maybe gain access to all ciphertext using
> that poem.
>
I don't recall OTPs being used by the SOE—the problem of keying material
distribution was too great. Instead, they used worked-out keys which were
destroyed after each use.

Before Marks took over, the agents used memorized poems with a duress code
option. This failed badly in practice. For one thing, the Gestapo had access
to books of English poetry. For another, they could torture the poem and the
distress key out of any arrested agent. They could then use the poems to read
old traffic and send fake new traffic with no duress code. Marks realized
this—his real genius wasn't so much cryptologic as really understanding threat
models, and you should read his (excellent) book with that in mind. (Aside: it's
the only book I use professionally that I first learned of from the NY Times
book review… I bought my copy in the gift shop at Bletchley Park.)

Let me give you an example of how he understood threat models. Before he came
along, if London couldn't decrypt a message, they'd radio back and say "re-encrypt
and resend", ignoring a) that SOE agents were generating key schedules from the
poems in places like candle-lit attics and this was at best a mistake-prone
procedure, and b) radio transmission was one of the most dangerous things they
did, since the Gestapo used radio direction-finding vans to find SOE agents.
Marks' solution: if a received message wasn't readable, send it to a cryptanalyst
who could work around the errors.

Marks was the only one who realized that the entire Resistance network in
the Netherlands had been rolled up. How did he know? The messages *always*
came through error-free, because they were encrypted by people at nice desks
in well-lit offices, people who were not afraid of being arrested by the
Gestapo. They even had the luxury of having someone else doing a decryption.

His other big innovation was worked-out keys, which I think of as random key
schedules. These were printed on silk, complete with duress codes—and after
using one, the agent would tear off that strip and destroy it. That would deny
keying material to the Gestapo, and since the duress code was destroyed, too,
they couldn't check if that was used by an agent. The silk was then used as
handkerchiefs, coat linings, and the like, stuff that would pass unnoticed in
a casual pat down. Sure, it was incriminating if found after an arrest, but
we're talking about the Gestapo here—no due process there!

I've been traveling so I haven't had a chance to watch the talk yet, but the
book is very much worth reading.

—Steve Bellovin, https://www.cs.columbia.edu/~smb