Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption. [NIS]
The study of encrypted texts.
Although cryptography is an ancient art, it was not widely used until the late 19th century, and outside the military its real mass application started only with the widespread use of personal computers. Before, say, 1990, outside of government classified systems and the military, the primary users of encryption were financial institutions with their electronic funds transfer operations. The advent of the Internet in the late 1980s/early 1990s as a cheap vehicle for transferring information electronically to all parts of the world, together with its inherent lack of security, inspired the use of encryption as protection for sensitive information. As a direct result, new and rather esoteric encryption algorithms have been developed and put into widespread use to meet those challenges.
One result of the growing economic use of the Internet is the recognition by users and vendors alike that there is a need for a mechanism to protect the confidentiality of Internet users and the content of their transactions. Here encryption naturally comes into play.
This page may help students by providing annotated links to the main topics in cryptographic algorithms, including single-key cryptography algorithms, public-key cryptography algorithms, key negotiation algorithms, and message authentication algorithms (digital signatures). This is essentially basic information, and it can also be found on any other similar university course page.
Please note that many of those algorithms represent new areas of computer science.
In the Internet age cryptography is important for the same reasons that photo IDs were important before it, and fences were important even before that. Cryptography offers three essential services that protect Internet users and their data from theft and fraud: authentication, integrity, and confidentiality. The latter, in view of the latest NSA revelations, is mostly illusory unless you take special measures such as dual-layer encryption and steganography. Especially vulnerable are any data stored in the cloud, above all your address books and emails kept in Web mail accounts such as Gmail, Hotmail or Yahoo Mail.
There's a saying that "on the Internet, nobody knows you're a dog." One of the things that makes the Internet so attractive, I would say addictive, is the (fake) anonymity it offers. In reality this anonymity is an illusion. Moreover, most of your activities are probably stored for five years or more, and some are probably stored for life. In other words, you are like a bug under a microscope.
With the current capabilities of various companies (Google, Facebook, Amazon, to name a few) and agencies to intercept and log your Internet communications, this anonymity is greatly exaggerated. Email is probably the most abused type of service: it is routinely intercepted and analyzed. And "cloud email" is actually remote storage that does not belong to you, so in no way can we talk seriously about the anonymity of such email.
Transborder communications are, by law, the natural domain of national three-letter agencies. For example, all your emails to addresses outside the country are intercepted and stored as a matter of policy. The US government intercepts approximately 1.6 billion messages a day. You can also be pretty sure that all your email to foreign addresses for the last decade or so is stored somewhere and can be retrieved and analyzed in case of necessity. The capacity of modern storage goes into petabytes (10^15 bytes), with large government agencies able to store zettabytes (10^21 bytes). If we assume that there are 100 million (10^8) active Internet users in the USA (out of a population of 300 million), then just one petabyte of storage allows approximately 10^7 bytes per individual. Ten megabytes is a lot of storage for compressed text information and corresponds to probably 100 megabytes uncompressed. If we assume that information is stored for 10 years, that's 10 megabytes per year. And this is just one petabyte, storage that even a medium-income individual can assemble without much trouble. One petabyte is 1000 gigabytes, which can be stored on 250 4 GB drives at $200 each. So we are talking about something like $70K ($50K for drives and, say, $20K for hardware and software for those drives, assuming 12 drives per server such as the RB-1200 ($700)). There are a number of different 2U cases that feature 12x3.5" hot-swap bays (3 vertically x 4 horizontally; see Supermicro's SC827).
Any defense from the "fishbowl" effect of such massive storage is based on cryptography or steganography (you can hide messages inside "junk" plaintext, with the side effect of increasing storage requirements).
The Snowden revelations also greatly increased the value of non-standard, custom crypto-algorithms. After Snowden we can assume that newer standard crypto algorithms are compromised (it's still unclear whether DES was compromised, as at the time of its creation the priorities were different). That means that you need to use "pre-encryption" with non-standard algorithms and an additional key, even if your channel is encrypted, to ensure privacy of transmission.
With your Web access logs the situation is a little more fuzzy. If you use a particular IP from a particular provider, it is not that difficult to log all your Web activity. All your Google searches and all your activity on YouTube are logged, no question about it :-). And those logs are probably stored for a very long time. But here we are talking about logs and the data you've sent, not the data you retrieve. If you use proxies like anonymizers it's more difficult, but at the same time that automatically makes your traffic more suspicious and it comes under a higher level of scrutiny. The same is true of using PGP for emails. Steganography is a much more subtle way to ensure the privacy of your emails than PGP encryption. Using "Aesopian language" can be viewed as the simplest way to apply steganography to your emails.
In any case, without cryptography the privacy of your Internet activities is non-existent. The right assumption is that when you access the Internet you are living in a fishbowl.
If you're trying to conduct business you face a different problem. Here you need to assure your customers that "you are you, not some impostor". Customers need to be sure that they're ordering from real businesses, not from fake sites designed to steal their financial information. Cryptography also offers a solution to this problem. Certificates are sometimes called "digital IDs" because they can be used to verify the identity of someone you don't know; this process is called "authentication". Certificates can be used with another technique, "digital signatures", to ensure that nobody impersonates you and/or to protect the integrity of data. It's very easy to forge email (although primitive forging is easy to detect), but it's really hard to forge a digitally signed email message.
The level at which we discuss this subject is very basic and mainly oriented toward CS students of a Network Security course or similar. I would like to stress again that I am not a specialist in this particular area, but I hope it is still useful for computer science students, especially students of the "Network Security" course that I used to teach.
Crypto algorithms and compression
Bijective compression means that for any file X, F(F'(X)) == X (F is either the compressor or the decompressor, and F' is its opposite). This defines lossless compression. This type of compression is important both in compressing files and in crypto algorithms.
Custom compression is now often used as a standard first phase of encrypting large chunks of text. It eliminates redundancy and thus creates significant additional difficulties for attempts to break a particular cipher, in many cases making them simply impossible (when a salt is used to make the output unique and a non-standard algorithm with no headers is used). It destroys the notion of a dictionary and of known plaintext; even the alphabet used becomes unknown.
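As an added illustration of the round-trip definition and of the redundancy argument above (example code written for this page, not anything from the author or from a particular compression library), the following Python script checks F'(F(X)) == X for zlib and for raw DEFLATE and measures byte-level entropy before and after compression. The plaintext is constructed with a seeded RNG, so the run is reproducible; the sizes it reports are whatever zlib produces.

```python
"""Added example: checking the bijective (lossless) round trip F'(F(X)) == X
and measuring how much byte-level redundancy compression removes.

Standard library only; the sample text below is constructed for this example.
"""
import math
import random
import zlib
from collections import Counter
from typing import Callable, Iterable


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 would mean no byte-level redundancy."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compress_zlib(data: bytes) -> bytes:
    """Standard zlib container: 2-byte header (first byte 0x78) plus Adler-32 trailer."""
    return zlib.compress(data, 9)


def decompress_zlib(blob: bytes) -> bytes:
    return zlib.decompress(blob)


def compress_raw(data: bytes) -> bytes:
    """Raw DEFLATE (negative wbits): same algorithm, but no header or trailer,
    so the output carries no fixed, recognisable prefix."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def decompress_raw(blob: bytes) -> bytes:
    d = zlib.decompressobj(-15)
    return d.decompress(blob) + d.flush()


def is_bijective_pair(compress: Callable[[bytes], bytes],
                      decompress: Callable[[bytes], bytes],
                      samples: Iterable[bytes]) -> bool:
    """The page's definition: F'(F(X)) == X must hold for every sample X."""
    return all(decompress(compress(x)) == x for x in samples)


# Constructed, deterministic "English-like" plaintext: a small vocabulary
# drawn with a seeded RNG, so it is highly redundant but not a pure repeat.
_WORDS = ("the transfer was approved by the bank and the funds cleared on "
          "monday after review of the account ledger for the quarter").split()
_rng = random.Random(7)
SAMPLE = " ".join(_rng.choice(_WORDS) for _ in range(600)).encode()


def redundancy_report(data: bytes) -> dict:
    """Sizes and per-byte entropy before and after zlib compression."""
    z = compress_zlib(data)
    return {
        "plain_bytes": len(data),
        "plain_entropy": round(byte_entropy(data), 2),
        "compressed_bytes": len(z),
        "compressed_entropy": round(byte_entropy(z), 2),
        "zlib_header_present": z[:1] == b"\x78",
    }


if __name__ == "__main__":
    print(redundancy_report(SAMPLE))
```

Two things worth noticing in the report: the standard zlib container starts with a known header byte, which is exactly the kind of known plaintext the paragraph above wants to avoid (raw DEFLATE drops it), and while the compressed bytes have near-maximal entropy, the compressed length still depends on the plaintext's content, so compression removes byte-level redundancy without hiding everything about the message.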
"... Mauro Conti notes that while it's hard for him to explain the specific technical details of the "holes" in the Swiss company's devices which helped the CIA and BND to intercept information, modern surveillance capabilities are even more vast. ..."
"... "There are a lot of ways to add 'backdoors' and 'covert channels' to systems, " he explains. "If well-designed, these are very difficult to be detected even when devices are carefully inspected. Just to cite an example, in recent activities of my research group, we showed the possibility of building a covert channel on a smartphone by using energy consumption modulation – a 'channel' that is far underestimated (and hence not inspected) to be used to 'send out' information in a 'stealthy' way". ..."
Relying on a single firm's devices to ensure national security and transmit state secrets was obviously a bad idea, says Mauro
Conti, full professor in computer science, commenting on the recently exposed collaboration between a Switzerland-based global encryption
company and the US and German intelligence services. The US Central Intelligence Agency (CIA) and Germany's Federal Intelligence
Service (BND)
had covertly run Crypto AG, a Swiss company that made and sold encryption equipment to over 120 countries for decades, making
it possible for American and German spies to crack other nations' top secrets, The Washington Post, German public broadcaster ZDF
and Switzerland's SRF revealed this week.
Switzerland's Neutrality Was Seen as 'Plus' for the Company
For the countries which used Crypto AG's services, including nations in Europe, Africa, the Middle East, Latin America and even
the Vatican, Switzerland's neutrality was an important factor. Nevertheless, Washington's major Cold War rival – the USSR – was never
one of the company's customers.
"The location of the company was probably considered by some 'a plus' for the company to be trusted. For those, there will probably
be a re-thinking of this bias, but maybe not enough to change the decision that they took", says Mauro Conti, full professor in
computer science, and head of SPRITZ Security and Privacy Research Group.
According to Conti, "rooting the security of an organisation on 'a single' company/device, might also be a bad practice that could
and should have been avoided".
"Keeping information, as well as operations like this, secret is always a 'battle of wits' between entities that have two opposite
goals," the professor elaborates. "If it has been uncovered for a long time, it just means that who was running it, did it quite
well, and/or that those who were supposed to find this out, did not put in enough effort, including working on the wrong assumptions."
According to reports, the earliest mentions of the clandestine operation in the press go back to 1992 and 1995. On 10 December 1995,
The Baltimore Sun broke the news that the US National Security Agency (NSA) "secretly rigged Crypto AG machines" so that American
spies could easily decrypt their codes, citing former company employees and documents. However, the story was resolutely denied by
the US and German intelligence services. Responding to the question as to why it has been found out now, Conti noted laconically
that "the battle of wits and capabilities to support them just turned in favour of the other player".
Former US National Security Agency (NSA) contractor and whistleblower Edward Snowden is seen on screen in a control room as he
speaks via video link from Russia while taking part in a round table meeting on the subject of "Improving the protection of
whistleblowers" on March 15, 2019, at the Council of Europe in Strasbourg, eastern France. Credit: Frederick Florin.
Hundred-Percent Privacy is No Longer Possible
Mauro Conti notes that while it's hard for him to explain the specific technical details of the "holes" in the Swiss company's
devices which helped the CIA and BND to intercept information, modern surveillance capabilities are even more vast.
"There are a lot of ways
to add 'backdoors'
and 'covert channels' to systems," he explains. "If well-designed, these are very difficult to be detected even when devices
are carefully inspected. Just to cite an example, in recent activities of my research group, we showed the possibility of building
a covert channel on a smartphone by using energy consumption modulation – a 'channel' that is far underestimated (and hence not
inspected) to be used to 'send out' information in a 'stealthy' way".
Operation Rubicon, which was large in scale, predated the sophisticated data-intercepting activities exposed by former CIA subcontractor
Edward Snowden, who leaked highly classified information about the NSA's programme, code-named Prism, in 2013.
Reportedly launched in 2007, Prism allowed the US intelligence community to collect large amounts of data
on Americans and foreign citizens.
Four years later, WikiLeaks released a series of documents
titled Vault 7 which shed light on the CIA's activities and cutting-edge capabilities in performing electronic surveillance and
cyber-warfare. One has to wonder whether there's anything that can guarantee privacy in our time. The professor's answer is "no,
as scary as it might sound" if one means a 100% guarantee.
"It is not just matter of our times, but definitely the digital era definitely helps a lot to expose information, as well as to
retrieve it", Conti underscores. "In addition, underestimating the problem does not help."
How It All Began: Russian-Born Émigré & American Cryptologist
While, according to the report, the beginning of the CIA-BND secret collaboration, code-named Operation Rubicon, dates back to
the 1970s, Crypto AG's links to the CIA can be found even deeper in history.
The company's founder, Boris Hagelin, was born in Russia and fled to Sweden after the 1917 Revolution. In the 1930s, he made friends
with William F. Friedman, the leading US cryptanalyst. In 1940 Hagelin moved to the US and started selling portable encryption machines
to the US military.
After the Second World War, Hagelin returned to Europe and established his business in Switzerland. In 1951 he and William Friedman,
who was at the time head of the cryptographic division of the US Armed Forces Security Agency (AFSA) struck an agreement that Hagelin
would sell his devices only to countries approved by the US.
In 1970 Crypto was bought out by the West Germany and American intelligence services. Presumably, at least four countries, namely
Israel, Britain, Sweden and Switzerland knew about the clandestine operation or even had access to intercepted information.
In the early 1990s, BND sold its share in the company to the CIA. In 2018 Crypto AG was liquidated while two other separate entities
emerged – Crypto International and CyOne Security AG.
As Reuters
And the US claims Huawei 5G is a threat to security. From Snowden to encryption devices more information
comes out that the US is the one placing backdoors in devices.
The West has no replacement either for such an intrusive mechanism. Almost all Western info-sharing agreements are now null and
void (or almost there as in the case of the UK) and it is not unusual for teenage kids to run circles around the NSA and other
traffic-monitoring ogres lurking under the bridges of the West.
FeEisi, Huawei is a threat to the US spying ability. They all spy, one way or another and that is expected but what the US/BND
are guilty of needs to be investigated, charges brought and those responsible apprehended to face a special global court.
After WW2 the Brits collected as many Enigma machines as they could get their hands on and
gave them to all the commonwealth countries, and a few others, saying they were un-crackable
all the while knowing that wasn't the case and they could read them like the daily papers.
That's why Enigma was top secret for at least 40 years - some details will likely be kept
secret for ever.
My dad worked on cracking it - got a medal for his work 50 years after the end of WW2.
Didn't let on to anyone until his work was declassified. I had some very interesting
conversations with him towards the end of his life.
He was invited down to Bletchley for the official switch-on when the Colossus rebuild was
finished.
"... However, he adds, "I hope that folks think about their operational security and also about how journalists can protect themselves – and their sources as well." ..."
They're almost invisible but contain a hidden code – and their presence on a leaked
document has sparked speculation about their usefulness to FBI investigators. BBC Future |
Chris Baraniuk
On 3 June, 2017, FBI agents arrived at the house of government contractor Reality Leigh
Winner in Augusta, Georgia. They had spent the last two days investigating a top secret classified
document that had allegedly been leaked to the press. In order to track down Winner,
agents claim they had carefully studied copies of the document provided by online news site The
Intercept and noticed creases suggesting that the pages had been printed and "hand-carried out
of a secured space".
In an affidavit, the FBI alleges that Winner admitted printing the National Security Agency
(NSA) report and sending it to The Intercept. Shortly after a story about the leak was
published, charges against Winner were made public.
At that point, experts began taking a closer look at the document, now publicly available on
the web. They discovered something else of interest: yellow dots in a roughly rectangular
pattern repeated throughout the page. They were barely visible to the naked eye, but formed a
coded design. After some quick analysis, they
seemed to reveal the exact date and time that the pages in question were printed: 06:20 on 9
May, 2017 – at least, this is likely to be the time on the printer's internal clock at
that moment. The dots also encode a serial number for the printer.
These "microdots" are well known to security researchers and civil liberties campaigners.
Many colour printers add them to documents without people ever knowing they're
there.
Dots from a HP Laserjet printer, illuminated with blue light. Credit: Florian Heise/Wikipedia.
In this case, the FBI has not said publicly that these microdots were used to help identify
their suspect, and the bureau declined to comment for this article. The US Department of
Justice, which published news of the charges against Winner, also declined to provide further
clarification.
In a statement, The Intercept said, "Winner faces allegations that have not been proven. The
same is true of the FBI's claims about how it came to arrest Winner."
But the presence of microdots on what is now a high-profile document (against the NSA's
wishes) has sparked great interest.
"Zooming in on the document, they were pretty obvious," says Ted Han at cataloguing platform
Document Cloud, who was one of the first to notice them. "It is interesting and notable that this stuff is out there."
Another observer was security researcher Rob Graham, who published a blog post explaining how to
identify and decode the dots. Based on their positions when plotted
against a grid, they denote specific hours, minutes, dates and numbers. Several security
experts who decoded the dots came up with the same print time and date.
Microdots have existed for many years. The Electronic Frontier Foundation (EFF) maintains a
list of colour printers known to use them. The images below, captured by the EFF, demonstrate how to decode
them:
These yellow dots, magnified 60 times, were found on a Xerox printout. Credit: Electronic
Frontier Foundation/CC BY 3.0.
The dots become more easily visible when magnified and photographed under a blue LED
flashlight. Credit: Electronic Frontier Foundation/CC BY 3.0.
For further clarity, the dots here are annotated. So what does the shape mean? Credit:
Electronic Frontier Foundation/CC BY 3.0.
The position of the dots reveals the time and date of the printout, and the serial number
of the device. Credit: Electronic Frontier Foundation/CC BY 3.0.
As well as perhaps being of interest to spies, microdots have other potential uses, says Tim
Bennett, a data analyst at software consultancy Vector 5 who also examined the allegedly leaked
NSA document.
"People could use this to check for forgeries," he explains. "If they get a document and
someone says it's from 2005, [the microdots might reveal] it's from the last several
months."
If you do encounter microdots on a document at some point, the EFF has an online tool that should
reveal what information the pattern encodes.
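To make the grid decoding described above concrete, here is an added Python example (written for this page; it is not the EFF tool, Rob Graham's script, or anything from the article). It builds a dot set for the print time the article reports, 06:20 on 9 May 2017, with a constructed serial number, then decodes it after checking parity. The 8-row by 15-column layout, the bit weights and the column assignments are my recollection of the EFF's published guide to the Xerox DocuColor pattern and are assumptions; real printers vary, which is why verifying parity before trusting the decoded fields matters for forensic use.

```python
"""Added example: decoding a tracking-dot grid with parity checks.

Constructed toy. The 8-row x 15-column layout, the bit weights and the column
assignments below follow my recollection of the EFF's guide to the Xerox
DocuColor pattern; treat them as assumptions, not the format of any
particular printer.
"""
from typing import Dict, Iterable, Set, Tuple

ROWS, COLS = 8, 15
BIT_WEIGHTS = (64, 32, 16, 8, 4, 2, 1)          # rows 1..7; row 1 is the MSB
FIELD_COLUMNS = {1: "minute", 4: "hour", 5: "day", 6: "month", 7: "year"}
SERIAL_COLUMNS = (10, 11, 12, 13)               # two decimal digits each
Dot = Tuple[int, int]                           # (row, column), 0-based


def _column_value(dots: Set[Dot], col: int) -> int:
    """Read the 7-bit value held in rows 1..7 of one column."""
    return sum(w for row, w in zip(range(1, ROWS), BIT_WEIGHTS) if (row, col) in dots)


def encode_dots(minute: int, hour: int, day: int, month: int, year: int,
                serial: int) -> Set[Dot]:
    """Produce the dot set for a timestamp (two-digit year) and serial number."""
    values = {1: minute, 4: hour, 5: day, 6: month, 7: year}
    digits = f"{serial:08d}"
    for i, col in enumerate(SERIAL_COLUMNS):
        values[col] = int(digits[2 * i:2 * i + 2])
    dots: Set[Dot] = set()
    for col, val in values.items():
        for row, w in zip(range(1, ROWS), BIT_WEIGHTS):
            if val & w:
                dots.add((row, col))
    # Row 0 is a parity row: a dot wherever the column would otherwise be even.
    for col in range(1, COLS):
        if sum((row, col) in dots for row in range(1, ROWS)) % 2 == 0:
            dots.add((0, col))
    # Column 0 is a parity column: a dot wherever the row would otherwise be even.
    for row in range(ROWS):
        if sum((row, col) in dots for col in range(1, COLS)) % 2 == 0:
            dots.add((row, 0))
    return dots


def decode_dots(dots: Iterable[Dot]) -> Dict[str, int]:
    """Verify both parities (every column and every row must hold an odd
    number of dots), then read the timestamp and serial number."""
    dots = set(dots)
    for col in range(1, COLS):
        if sum((row, col) in dots for row in range(ROWS)) % 2 == 0:
            raise ValueError(f"parity failure in column {col}: dots missing or damaged")
    for row in range(ROWS):
        if sum((row, col) in dots for col in range(COLS)) % 2 == 0:
            raise ValueError(f"parity failure in row {row}: dots missing or damaged")
    fields = {name: _column_value(dots, col) for col, name in FIELD_COLUMNS.items()}
    fields["serial"] = int("".join(f"{_column_value(dots, c):02d}" for c in SERIAL_COLUMNS))
    return fields


def parity_ok(dots: Iterable[Dot]) -> bool:
    """True when the grid passes both parity checks."""
    try:
        decode_dots(dots)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The print time reported for the leaked document: 06:20 on 9 May 2017.
    # The serial number 12345678 is a constructed placeholder.
    grid = encode_dots(minute=20, hour=6, day=9, month=5, year=17, serial=12345678)
    print(sorted(grid))
    print(decode_dots(grid))
```

In practice the dot coordinates would come from a scan (the blue-light photographs in the captions above show why the dots need enhancement first); a single missed or spurious dot trips the parity check, which is the signal to re-examine the image rather than report a wrong timestamp.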
Hidden Messages
Similar kinds of steganography – secret messages hidden in plain sight – have
been around for much longer.
Slightly more famously, many banknotes around the world feature a peculiar
five-point pattern called the Eurion constellation. In an effort to avoid counterfeiting,
many photocopiers and scanners are programmed not to produce copies of the banknotes when this
pattern is recognised.
The NSA itself points to a fascinating historical example of tiny dots forming messages
– from World War Two. German spies in Mexico were found to have taped
tiny dots inside the envelope concealing a memo for contacts in Lisbon.
At the time, these spies were operating undercover and were
trying to get materials from Germany, such as radio equipment and secret ink. The Allies
intercepted these messages, however, and disrupted the mission. The tiny dots used by the
Germans were often simply bits of unencrypted text miniaturised to the size of a full-stop.
This sort of communication was widely used during WWII and afterwards, notably during the
Cold War. There are reports of agents operating for the Soviet Union, but based undercover in
West Germany and using letter drops to transmit these messages.
Microdots taped inside the label of an envelope sent by German spies in Mexico City to
Lisbon during World War Two. Credit: Wikipedia.
And today, anyone can try using microtext to protect their property – some companies,
such as Alpha Dot in the UK, sell
little vials of permanent adhesive full of pin-head sized dots, which are covered in
microscopic text containing a unique serial number. If the police recover a stolen item, the
number can in theory be used to match it with its owner.
Many examples of these miniature messages do not involve a coded pattern as with the output
of many colour printers, but they remain good examples of how minuscule dispatches physically
applied to documents or objects can leave an identifying trail.
Some forms of text-based steganography don't even use alphanumeric characters or symbols at
all. Alan Woodward, a security expert at the University of Surrey, notes the example of 'Snow'
– Steganographic Nature Of Whitespace – which places spaces and tabs at the end of
lines in a piece of text. The particular number and order of these white spaces can be used to
encode an invisible message.
"Locating trailing whitespace in text is like finding a polar bear in a snowstorm,"
the Snow website explains.
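As an added example for the Snow description above (my code, not the Snow tool's, using a simplified mapping that is an assumption: one space for a 0 bit, one tab for a 1 bit, eight bits per line, without Snow's own grouping, compression or encryption), this Python script embeds a short message in the trailing whitespace of constructed cover text and, more usefully for a reviewer, scans a document for lines carrying trailing whitespace and reads the bit pattern back.

```python
"""Added example: detecting and reading a Snow-style trailing-whitespace channel.

Constructed toy. Snow's real encoding groups spaces and tabs differently and
can compress and encrypt the payload; the mapping used here (space = 0,
tab = 1, eight bits per line) is an assumption made for illustration.
"""
import re
from typing import List, Tuple

TRAILING_WS = re.compile(r"[ \t]+$")


def hide_message(cover: str, message: bytes, bits_per_line: int = 8) -> str:
    """Append one chunk of the message's bits, as spaces/tabs, to each cover line.
    The cover must not already end lines with whitespace."""
    lines = cover.split("\n")
    bits = "".join(f"{b:08b}" for b in message)
    chunks = [bits[i:i + bits_per_line] for i in range(0, len(bits), bits_per_line)]
    if len(chunks) > len(lines):
        raise ValueError("cover text has too few lines for this message")
    out = []
    for i, line in enumerate(lines):
        tail = "".join(" " if b == "0" else "\t" for b in chunks[i]) if i < len(chunks) else ""
        out.append(line + tail)
    return "\n".join(out)


def scan_trailing_whitespace(text: str) -> List[Tuple[int, str]]:
    """Detection step: (1-based line number, trailing run) for every line that
    ends in spaces or tabs. Clean text yields an empty list."""
    hits = []
    for n, line in enumerate(text.split("\n"), start=1):
        m = TRAILING_WS.search(line)
        if m:
            hits.append((n, m.group()))
    return hits


def recover_message(text: str) -> bytes:
    """Concatenate the trailing runs and map them back to bytes."""
    bits = "".join(tail for _, tail in scan_trailing_whitespace(text))
    bits = bits.replace(" ", "0").replace("\t", "1")
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


# Constructed cover text with no trailing whitespace of its own.
COVER = "\n".join([
    "Meeting notes, draft.",
    "Agenda item one: budget review.",
    "Agenda item two: vendor selection.",
    "Action items to follow.",
])

if __name__ == "__main__":
    stego = hide_message(COVER, b"hi")
    print(scan_trailing_whitespace(stego))   # lines 1 and 2 carry the payload
    print(recover_message(stego))            # b'hi'
```

The scan is the practical part: a document that should have no trailing whitespace but shows runs mixing spaces and tabs deserves a closer look, and normalising text on the way in (stripping trailing whitespace, as many editors and commit hooks do) destroys the channel entirely.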
Woodward points out, though, that there are usually multiple ways of tracing documents back
to whoever printed or accessed them.
"Organisations such as the NSA have logs of every time something is printed, not just
methods of tracking paper once printed," he says. "They know that people know about the yellow
dots and so they don't rely upon it for traceability."
There is a long-running debate over whether it is ethical for printers to be attaching this
information to documents without users knowing. In fact, there has even been a suggestion that
it is a violation of human rights and one MIT
project has tracked more than 45,000 complaints to printer companies about the
technology.
Still, many believe that the use of covert measures to ensure the secrecy of classified
documents remains necessary in some cases.
"There are things that governments should be able to keep secret," says Ted Han.
However, he adds, "I hope that folks think about their operational security and also about
how journalists can protect themselves – and their sources as well."
For more than half a century, governments all over the world trusted a single company to
keep the communications of their spies, soldiers and diplomats secret.
The company, Crypto AG, got its first break with a contract to build code-making
machines for U.S. troops during World War II. Flush with cash, it became a dominant maker
of encryption devices for decades, navigating waves of technology from mechanical gears to
electronic circuits and, finally, silicon chips and software.
But what none of its customers ever knew was that Crypto AG was secretly owned by the
CIA in a highly classified partnership with West German intelligence. These spy agencies
rigged the company's devices so they could easily break the codes that countries used to
send encrypted messages.
The account identifies the CIA officers who ran the program and the company executives
entrusted to execute it. It traces the origin of the venture as well as the internal
conflicts that nearly derailed it. It describes how the United States and its allies
exploited other nations' gullibility for years, taking their money and stealing their
secrets.
The operation, known first by the code name "Thesaurus" and later "Rubicon," ranks among
the most audacious in CIA history.
"It was the intelligence coup of the century," the CIA report concludes. "Foreign
governments were paying good money to the U.S. and West Germany for the privilege of having
their most secret communications read by at least two (and possibly as many as five or six)
foreign countries."
From 1970 on, the CIA and its code-breaking sibling, the National Security Agency,
controlled nearly every aspect of Crypto's operations -- presiding with their German
partners over hiring decisions, designing its technology, sabotaging its algorithms and
directing its sales targets.
Then, the U.S. and West German spies sat back and listened.
The program had limits. America's main adversaries, including the Soviet Union and
China, were never Crypto customers. Their well-founded suspicions of the company's ties to
the West shielded them from exposure, although the CIA history suggests that U.S. spies
learned a great deal by monitoring other countries' interactions with Moscow and
Beijing.
There were also security breaches that put Crypto under clouds of suspicion. Documents
released in the 1970s showed extensive -- and incriminating -- correspondence between an
NSA pioneer and Crypto's founder. Foreign targets were tipped off by the careless
statements of public officials including President Ronald Reagan. And the 1992 arrest of a
Crypto salesman in Iran, who did not realize he was selling rigged equipment, triggered a
devastating "storm of publicity," according to the CIA history.
But the true extent of the company's relationship with the CIA and its German
counterpart was until now never revealed.
The company's importance to the global security market had fallen by then, squeezed by
the spread of online encryption technology. Once the province of governments and major
corporations, strong encryption is now as ubiquitous as apps on cellphones.
This story is based on the CIA history and a parallel BND account, also obtained by The
Post and ZDF, interviews with current and former Western intelligence officials as well as
Crypto employees. Many spoke on the condition of anonymity, citing the sensitivity of the
subject.
It is hard to overstate how extraordinary the CIA and BND histories are. Sensitive
intelligence files are periodically declassified and released to the public. But it is
exceedingly rare, if not unprecedented, to glimpse authoritative internal histories of an
entire covert operation. The Post was able to read all of the documents, but the source of
the material insisted that only excerpts be published.
The CIA and the BND declined to comment, though U.S. and German officials did not
dispute the authenticity of the documents. The first is a 96-page account of the operation
completed in 2004 by the CIA's Center for the Study of Intelligence, an internal historical
branch. The second is an oral history compiled by German intelligence officials in
2008.
The overlapping accounts expose frictions between the two partners over money, control
and ethical limits, with the West Germans frequently aghast at the enthusiasm with which
U.S. spies often targeted allies.
But both sides describe the operation as successful beyond their wildest projections. At
times, including in the 1980s, Crypto accounted for roughly 40 percent of the diplomatic
cables and other transmissions by foreign governments that cryptanalysts at the NSA decoded
and mined for intelligence, according to the documents.
All the while, Crypto generated millions of dollars in profits that the CIA and BND
split and plowed into other operations.
Crypto's products are still in use in more than a dozen countries around the world, and
its orange-and-white sign still looms atop the company's longtime headquarters building
near Zug, Switzerland. But the company was dismembered in 2018, liquidated by shareholders
whose identities have been permanently shielded by the byzantine laws of Liechtenstein, a
tiny European nation with a Cayman Islands-like reputation for financial secrecy.
Two companies purchased most of Crypto's assets. The first, CyOne Security, was created
as part of a management buyout and now sells security systems exclusively to the Swiss
government. The other, Crypto International, took over the former company's brand and
international business.
Each insisted that it has no ongoing connection to any intelligence service, but only
one claimed to be unaware of CIA ownership.
CyOne has more substantial links to the now-dissolved Crypto, including that the new
company's chief executive held the same position at Crypto for nearly two decades of CIA
ownership.
A CyOne spokesman declined to address any aspect of Crypto AG's history, but said the
new firm has "no ties to any foreign intelligence services."
Andreas Linde, the chairman of the company that now holds the rights to Crypto's
international products and business, said he had no knowledge of the company's relationship
to the CIA and BND before being confronted with the facts in this story.
"We at Crypto International have never had any relationship with the CIA or BND -- and
please quote me," he said in an interview. "If what you are saying is true, then absolutely
I feel betrayed, and my family feels betrayed, and I feel there will be a lot of employees
who will feel betrayed as well as customers."
The Swiss government this month revoked Crypto International's export license. The
timing of the decision by Swiss authorities was curious. The CIA and BND documents indicate
that Swiss officials must have known for decades about Crypto's ties to the U.S. and German
spy services, but intervened only after learning that news organizations were about to
expose the arrangement.
The histories, which do not address when or whether the CIA ended its involvement, carry
the inevitable biases of documents written from the perspectives of the operation's
architects. They depict Rubicon as a triumph of espionage, one that helped the United
States prevail in the Cold War, keep tabs on dozens of authoritarian regimes and protect
the interests of the United States and its allies.
The papers largely avoid more unsettling questions, including what the United States
knew -- and what it did or didn't do -- about countries that used Crypto machines while
engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.
The revelations in the documents may provide reason to revisit whether the United States
was in position to intervene in, or at least expose, international atrocities, and whether
it opted against doing so at times to preserve its access to valuable streams of
intelligence.
Nor do the files deal with obvious ethical dilemmas at the core of the operation: the
deception and exploitation of adversaries, allies and hundreds of unwitting Crypto
employees. Many traveled the world selling or servicing rigged systems with no clue that
they were doing so at risk to their own safety.
In recent interviews, deceived employees -- even ones who came to suspect during their
time at Crypto that the company was cooperating with Western intelligence -- said the
revelations in the documents have deepened a sense of betrayal, of themselves and
customers.
"You think you do good work and you make something secure," said Juerg Spoerndli, an
electrical engineer who spent 16 years at Crypto. "And then you realize that you cheated
these clients."
Those who ran the clandestine program remain unapologetic.
"Do I have any qualms? Zero," said Bobby Ray Inman, who served as director of the NSA and
deputy director of the CIA in the late 1970s and early 1980s. "It was a very valuable
source of communications on significantly large parts of the world important to U.S.
policymakers."
This sprawling, sophisticated operation grew out of the U.S. military's need for a crude
but compact encryption device.
Boris Hagelin, Crypto's founder, was an entrepreneur and inventor who was born in Russia
but fled to Sweden as the Bolsheviks took power. He fled again to the United States when
the Nazis occupied Norway in 1940.
He brought with him an encryption machine that looked like a fortified music box, with a
sturdy crank on the side and an assembly of metal gears and pinwheels under a hard metal
case.
It wasn't nearly as elaborate, or secure, as the Enigma machines being used by the
Nazis. But Hagelin's M-209, as it became known, was portable, hand-powered and perfect for
troops on the move. Photos show soldiers with the eight-pound boxes -- about the size of a
thick book -- strapped to their knees. Many of Hagelin's devices have been preserved at a
private museum in Eindhoven, the Netherlands.
Sending a secure message with the device was tedious. The user would rotate a dial,
letter by letter, and thrust down the crank. The hidden gears would turn and spit out an
enciphered message on a strip of paper. A signals officer then had to transmit that
scrambled message by Morse code to a recipient who would reverse the sequence.
Security was so weak that it was assumed that nearly any adversary could break the code
with enough time. But doing so took hours. And since these were used mainly for tactical
messages about troop movements, by the time the Nazis decoded a signal its value had likely
perished.
Over the course of the war, about 140,000 M-209s were built at the Smith Corona
typewriter factory in Syracuse, N.Y., under a U.S. Army contract worth $8.6 million to
Crypto. After the war, Hagelin returned to Sweden to reopen his factory, bringing with him
a personal fortune and a lifelong sense of loyalty to the United States.
Even so, American spies kept a wary eye on his postwar operations. In the early 1950s,
he developed a more advanced version of his war-era machine with a new, "irregular"
mechanical sequence that briefly stumped American code-breakers.
Alarmed by the capabilities of the new CX-52 and other devices Crypto envisioned, U.S.
officials began to discuss what they called the "Hagelin problem."
These were "the Dark Ages of American cryptology," according to the CIA history. The
Soviets, Chinese and North Koreans were using code-making systems that were all but
impenetrable. U.S. spy agencies worried that the rest of the world would also go dark if
countries could buy secure machines from Hagelin.
The Americans had several points of leverage with Hagelin: his ideological affinity for
the country, his hope that the United States would remain a major customer and the veiled
threat that they could damage his prospects by flooding the market with surplus M-209s from
the war.
The United States also had a more crucial asset: William Friedman. Widely regarded as
the father of American cryptology, Friedman had known Hagelin since the 1930s. They had
forged a lifelong friendship over their shared backgrounds and interests, including their
Russian heritage and fascination with the complexities of encryption.
There might never have been an Operation Rubicon if the two men had not shaken hands on
the very first secret agreement between Hagelin and U.S. intelligence over dinner at the
Cosmos Club in Washington in 1951.
The deal called for Hagelin, who had moved his company to Switzerland, to restrict sales
of his most sophisticated models to countries approved by the United States. Nations not on
that list would get older, weaker systems. Hagelin would be compensated for his lost sales,
as much as $700,000 up front.
It took years for the United States to live up to its end of the deal, as top officials
at the CIA and the predecessor to the NSA bickered over the terms and wisdom of the scheme.
But Hagelin abided by the agreement from the outset, and over the next two decades, his
secret relationship with U.S. intelligence agencies deepened.
In 1960, the CIA and Hagelin entered into a "licensing agreement" that paid him $855,000
to renew his commitment to the handshake deal. The agency paid him $70,000 a year in
retainer and started giving his company cash infusions of $10,000 for "marketing" expenses
to ensure that Crypto -- and not other upstarts in the encryption business -- locked down
contracts with most of the world's governments.
It was a classic "denial operation" in the parlance of intelligence, a scheme designed
to prevent adversaries from acquiring weapons or technology that would give them an
advantage. But it was only the beginning of Crypto's collaboration with U.S. intelligence.
Within a decade, the whole operation belonged to the CIA and BND.
U.S. officials had toyed since the outset with the idea of asking Hagelin whether he
would be willing to let U.S. cryptologists doctor his machines. But Friedman overruled
them, convinced that Hagelin would see that as a step too far.
The CIA and NSA saw a new opening in the mid-1960s, as the spread of electronic circuits
forced Hagelin to accept outside help adapting to the new technology, or face extinction
clinging to the manufacturing of mechanical machines.
NSA cryptologists were equally concerned about the potential impact of integrated
circuits, which seemed poised to enable a new era of unbreakable encryption. But one of the
agency's senior analysts, Peter Jenks, identified a potential vulnerability.
If "carefully designed by a clever crypto-mathematician," he said, a circuit-based
system could be made to appear that it was producing endless streams of randomly-generated
characters, while in reality it would repeat itself at short enough intervals for NSA
experts -- and their powerful computers -- to crack the pattern.
Two years later, in 1967, Crypto rolled out a new, all-electronic model, the H-460,
whose inner workings were completely designed by the NSA.
The CIA history all but gloats about crossing this threshold. "Imagine the idea of the
American government convincing a foreign manufacturer to jimmy equipment in its favor," the
history says. "Talk about a brave new world."
The NSA didn't install crude "back doors" or secretly program the devices to cough up
their encryption keys. And the agency still faced the difficult task of intercepting other
governments' communications, whether plucking signals out of the air or, in later years,
tapping into fiber optic cables.
But the manipulation of Crypto's algorithms streamlined the code-breaking process, at
times reducing to seconds a task that might otherwise have taken months. The company always
made at least two versions of its products -- secure models that would be sold to friendly
governments, and rigged systems for the rest of the world.
In so doing, the U.S.-Hagelin partnership had evolved from denial to "active measures."
No longer was Crypto merely restricting sales of its best equipment, but actively selling
devices that were engineered to betray their buyers.
The payoff went beyond the penetration of the devices. Crypto's shift to electronic
products buoyed business so much that it became addicted to its dependence on the NSA.
Foreign governments clamored for systems that seemed clearly superior to the old clunky
mechanical devices, but in fact were easier for U.S. spies to read.
German and American partners
By the end of the 1960s, Hagelin was nearing 80 and anxious to secure the future for his
company, which had grown to more than 180 employees. CIA officials were similarly anxious
about what would happen to the operation if Hagelin were to suddenly sell or die.
Hagelin had once hoped to turn control over to his son, Bo. But U.S. intelligence
officials regarded him as a "wild card" and worked to conceal the partnership from him. Bo
Hagelin was killed in a car crash on Washington's Beltway in 1970. There were no
indications of foul play.
U.S. intelligence officials discussed the idea of buying Crypto for years, but
squabbling between the CIA and NSA prevented them from acting until two other spy agencies
entered the fray.
The French, West German and other European intelligence services had either been told
about the United States' arrangement with Crypto or figured it out on their own. Some were
understandably jealous and probed for ways to secure a similar deal for themselves.
In 1967, Hagelin was approached by the French intelligence service with an offer to buy
the company in partnership with German intelligence. Hagelin rebuffed the offer and
reported it to his CIA handlers. But two years later, the Germans came back seeking to make
a follow-up bid with the blessing of the United States.
In a meeting in early 1969 at the West German Embassy in Washington, the head of that
country's cipher service, Wilhelm Goeing, outlined the proposal and asked whether the
Americans "were interested in becoming partners too."
Months later, CIA Director Richard Helms approved the idea of buying Crypto and dispatched
a subordinate to Bonn, the West German capital, to negotiate terms with one major caveat:
the French, CIA officials told Goeing, would have to be "shut out."
West Germany acquiesced to this American power play, and a deal between the two spy
agencies was recorded in a June 1970 memo carrying the shaky signature of a CIA case
officer in Munich who was in the early stages of Parkinson's disease and the illegible
scrawl of his BND counterpart.
The two agencies agreed to chip in equally to buy out Hagelin for approximately $5.75
million, but the CIA left it largely to the Germans to figure out how to prevent any trace
of this transaction from ever becoming public.
A Liechtenstein law firm, Marxer and Goop, helped hide the identities of the new owners
of Crypto through a series of shells and "bearer" shares that required no names in
registration documents. The firm was paid an annual salary "less for the extensive work but
more for their silence and acceptance," the BND history says. The firm, now named Marxer
and Partner, did not respond to a request for comment.
A new board of directors was set up to oversee the company. Only one member of the
board, Sture Nyberg, to whom Hagelin had turned over day-to-day management, knew of CIA
involvement. "It was through this mechanism," the CIA history notes, "that BND and CIA
controlled the activities" of Crypto. Nyberg left the company in 1976. The Post and ZDF
could not locate him or determine if he is still alive.
The two spy agencies held their own regular meetings to discuss what to do with their
acquisition. The CIA used a secret base in Munich, initially on a military installation
used by American troops and later in the attic of a building adjacent to the U.S.
Consulate, as the headquarters for its involvement in the operation.
The CIA and BND agreed on a series of code names for the program and its various
components. Crypto was called "Minerva," which is also the title of the CIA history. The
operation was at first code-named "Thesaurus," though in the 1980s it was changed to
"Rubicon."
Each year, the CIA and BND split any profits Crypto had made, according to the German
history, which says the BND handled the accounting and delivered the cash owed to the CIA
in an underground parking garage.
From the outset, the partnership was beset by petty disagreements and tensions. To CIA
operatives, the BND often seemed preoccupied with turning a profit, and the Americans
"constantly reminded the Germans that this was an intelligence operation, not a
money-making enterprise." The Germans were taken aback by the Americans' willingness to spy
on all but its closest allies, with targets including NATO members Spain, Greece, Turkey
and Italy.
Mindful of the limitations to their abilities to run a high-tech company, the two
agencies brought in corporate outsiders. The Germans enlisted Siemens, a Munich-based
conglomerate, to advise Crypto on business and technical issues in exchange for five
percent of the company's sales. The United States later brought in Motorola to fix balky
products, making it clear to the company's CEO this was being done for U.S. intelligence.
Siemens declined to comment. Motorola officials did not respond to a request for
comment.
To its frustration, Germany was never admitted to the vaunted "Five Eyes," a
long-standing intelligence pact involving the United States, Britain, Australia, New
Zealand and Canada. But with the Crypto partnership, Germany moved closer into the American
espionage fold than might have seemed possible in World War II's aftermath. With the secret
backing of two of the world's premier intelligence agencies and the support of two of the
world's largest corporations, Crypto's business flourished.
A table in the CIA history shows that sales surged from 15 million Swiss francs in 1970
to more than 51 million in 1975, or $19 million. The company's payroll expanded to more
than 250 employees.
"The Minerva purchase had yielded a bonanza," the CIA history says of this period. The
operation entered a two-decade stretch of unprecedented access to foreign governments'
communications.
The NSA's eavesdropping empire was for many years organized around three main geographic
targets, each with its own alphabetic code: A for the Soviets, B for Asia and G for
virtually everywhere else.
By the early 1980s, more than half of the intelligence gathered by G group was flowing
through Crypto machines, a capability that U.S. officials relied on in crisis after
crisis.
In 1978, as the leaders of Egypt, Israel and the United States gathered at Camp David for
negotiations on a peace accord, the NSA was secretly monitoring the communications of
Egyptian President Anwar Sadat back to Cairo.
A year later, after Iranian militants stormed the U.S. Embassy and took 52 American
hostages, the Carter administration sought their release in back channel communications
through Algeria. Inman, who served as NSA director at the time, said he routinely got calls
from President Carter asking how the Ayatollah Khomeini regime was reacting to the latest
messages.
"We were able to respond to his questions about 85 percent of the time," Inman said.
That was because the Iranians and Algerians were using Crypto devices.
Inman said the operation also put him in one of the trickiest binds he'd encountered in
government service. At one point, the NSA intercepted Libyan communications indicating that
the president's brother, Billy Carter, was advancing Libya's interests in Washington and
was on leader Moammar Gaddafi's payroll.
Inman referred the matter to the Justice Department. The FBI launched an investigation
of Carter, who falsely denied taking payments. In the end, he was not prosecuted but agreed
to register as a foreign agent.
Throughout the 1980s, the list of Crypto's leading clients read like a catalogue of
global trouble spots. In 1981, Saudi Arabia was Crypto's biggest customer, followed by
Iran, Italy, Indonesia, Iraq, Libya, Jordan and South Korea.
To protect its market position, Crypto and its secret owners engaged in subtle smear
campaigns against rival companies, according to the documents, and plied government
officials with bribes. Crypto sent an executive to Riyadh, Saudi Arabia, with 10 Rolex
watches in his luggage, the BND history says, and later arranged a training program for the
Saudis in Switzerland where the participants' "favorite pastime was to visit the brothels,
which the company also financed."
At times, the incentives led to sales to countries ill-equipped to use the complicated
systems. Nigeria bought a large shipment of Crypto machines, but two years later, when
there was still no corresponding payoff in intelligence, a company representative was sent
to investigate. "He found the equipment in a warehouse still in its original packaging,"
according to the German document.
In 1982, the Reagan administration took advantage of Argentina's reliance on Crypto
equipment, funneling intelligence to Britain during the two countries' brief war over the
Falkland Islands, according to the CIA history, which doesn't provide any detail on what
kind of information was passed to London. The documents generally discuss intelligence
gleaned from the operation in broad terms and provide few insights into how it was
used.
Reagan appears to have jeopardized the Crypto operation after Libya was implicated in
the 1986 bombing of a West Berlin disco popular with American troops stationed in West
Germany. Two U.S. soldiers and a Turkish woman were killed as a result of the attack.
Reagan ordered retaliatory strikes against Libya ten days later. Among the reported
victims was one of Gaddafi's daughters. In an address to the country announcing the
strikes, Reagan said the United States had evidence of Libya's complicity that "is direct,
it is precise, it is irrefutable."
The evidence, Reagan said, showed that Libya's embassy in East Berlin received orders to
carry out the attack a week before it happened. Then, the day after the bombing, "they
reported back to Tripoli on the great success of their mission."
Reagan's words made clear that Tripoli's communications with its station in East Berlin
had been intercepted and decrypted. But Libya wasn't the only government that took note of
the clues Reagan had provided.
Iran, which knew that Libya also used Crypto machines, became increasingly concerned
about the security of its equipment. Tehran didn't act on those suspicions until six years
later.
The irreplaceable man
After the CIA and BND acquisition, one of the most vexing problems for the secret
partners was ensuring that Crypto's workforce remained compliant and unsuspecting.
Even while hidden from view, the agencies went to significant lengths to maintain
Hagelin's benevolent approach to ownership. Employees were well-paid and had abundant perks
including access to a small sailboat in Lake Zug near company headquarters.
And yet, those who worked most closely with the encryption designs seemed constantly to
be getting closer to uncovering the operation's core secret. The engineers and designers
responsible for developing prototype models often questioned the algorithms being foisted
on them by a mysterious external entity.
Crypto executives often led employees to believe that the designs were being provided as
part of the consulting arrangement with Siemens. But even if that were so, why were
encryption flaws so easy to spot, and why were Crypto's engineers so routinely blocked from
fixing them?
In 1977, Heinz Wagner, the chief executive at Crypto who knew the true role of the CIA
and BND, abruptly fired a wayward engineer after the NSA complained that diplomatic traffic
coming out of Syria had suddenly become unreadable. The engineer, Peter Frutiger, had long
suspected Crypto was collaborating with German intelligence. He had made multiple trips to
Damascus to address complaints about their Crypto products and apparently, without
authority from headquarters, had fixed their vulnerabilities.
Frutiger "had figured out the Minerva secret and it was not safe with him," according to
the CIA history. Even so, the agency was livid with Wagner for firing Frutiger rather than
finding a way to keep him quiet on the company payroll. Frutiger declined to comment for
this story.
U.S. officials were even more alarmed when Wagner hired a gifted electrical engineer in
1978 named Mengia Caflisch. She had spent several years in the United States working as a
radio-astronomy researcher for the University of Maryland before returning to her native
Switzerland and applying for a job at Crypto. Wagner jumped at the chance to hire her. But
NSA officials immediately raised concerns that she was "too bright to remain
unwitting."
The warning proved prescient as Caflisch soon began probing the vulnerabilities of the
company's products. She and Spoerndli, a colleague in the research department, ran various
tests and "plaintext attacks" on devices including a teletype model, the HC-570, that was
built using Motorola technology, Spoerndli said in an interview.
"We looked at the internal operations, and the dependencies with each step," Spoerndli
said, and became convinced they could crack the code by comparing only 100 characters of
enciphered text to an underlying, unencrypted message. It was an astonishingly low level of
security, Spoerndli said in an interview last month, but far from unusual.
"The algorithms," he said, "always looked fishy."
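Jenks's idea, as the article describes it, was a generator that looks random but repeats at a short interval, and Spoerndli describes the check that exposes exactly that: compare a short run of plaintext with its ciphertext. The following is an added example, not code from the article or from any Crypto AG product; it uses a constructed toy generator (xorshift32, with an assumed non-zero seed) rather than any real rigged algorithm. The "honest" mode runs the generator continuously; the "rigged" mode silently restores the seed every 32 bytes, so the keystream is periodic. A reviewer holding one known plaintext/ciphertext pair from their own device recovers the keystream by XOR, measures its smallest period, and sees that a simple monobit frequency test does not distinguish the two.

```python
"""Self-check for a stream-cipher keystream: does it repeat at a short
interval, and would a crude statistical test even notice?

Constructed toy (not any Crypto AG or NSA design): xorshift32 driven in two
modes.  honest = continuous; rigged = quietly reseeds every `reset_every`
bytes, so the keystream looks random byte by byte but is periodic.
"""
from typing import Optional

SEED = 0x9E3779B9  # constructed non-zero seed (xorshift must not start at 0)

# Constructed sample traffic, 115 bytes; the audit uses the first 100.
SAMPLE_PLAINTEXT = (
    b"FROM EMBASSY TO CAPITAL STOP TRADE DELEGATION ARRIVES TUESDAY STOP "
    b"REQUEST INSTRUCTIONS ON TARIFF POSITION STOP END"
)


def xorshift32_bytes(seed: int, n: int, reset_every: Optional[int] = None) -> bytes:
    """Return n keystream bytes (low byte of the state after each step).
    reset_every=None is the honest generator (state period 2**32 - 1);
    reset_every=k restores the seed every k outputs, so the keystream has
    period exactly k."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for i in range(n):
        if reset_every and i % reset_every == 0:
            state = seed & 0xFFFFFFFF  # the hidden flaw: forced repetition
        state ^= (state << 13) & 0xFFFFFFFF
        state ^= state >> 17
        state ^= (state << 5) & 0xFFFFFFFF
        out.append(state & 0xFF)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def smallest_period(ks: bytes) -> Optional[int]:
    """Smallest p with ks[i] == ks[i + p] for every i, requiring the pattern
    to repeat at least twice inside the sample; None if no such p exists."""
    n = len(ks)
    for p in range(1, n // 2 + 1):
        if all(ks[i] == ks[i + p] for i in range(n - p)):
            return p
    return None


def monobit_bias(ks: bytes) -> float:
    """Distance of the fraction of 1-bits from 0.5: the simplest 'usual'
    statistical test, which a short-period keystream passes just as easily."""
    ones = sum(bin(b).count("1") for b in ks)
    return abs(ones / (8 * len(ks)) - 0.5)


def audit_keystream(reset_every: Optional[int], sample_len: int = 100) -> dict:
    """Encrypt sample_len bytes of known plaintext, recover the keystream from
    the plaintext/ciphertext pair, and report its period and monobit bias."""
    pt = SAMPLE_PLAINTEXT[:sample_len]
    ks = xorshift32_bytes(SEED, len(pt), reset_every)
    ct = xor_bytes(pt, ks)
    recovered = xor_bytes(pt, ct)   # known-plaintext keystream recovery
    assert recovered == ks          # sanity: XOR is its own inverse
    assert xor_bytes(ct, ks) == pt
    return {"period": smallest_period(recovered),
            "monobit_bias": round(monobit_bias(recovered), 3)}


if __name__ == "__main__":
    for label, k in (("honest", None), ("rigged (reseeds every 32 bytes)", 32)):
        print(label, audit_keystream(k))
```

The point of the check is the contrast: both keystreams have a monobit bias near zero, but only the honest one has no period inside a 100-byte sample, which is why the article's engineers could reach a verdict from so little text and why "undetectable by usual statistical tests" is a weaker property than it sounds.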
In the ensuing years, Caflisch continued to pose problems. At one point, she designed an
algorithm so strong that NSA officials worried it would be unreadable. The design made its
way into 50 HC-740 machines rolling off the factory floor before company executives
discovered the development and stopped it.
"I just had an idea that something might be strange," Caflisch said in an interview last
month, about the origin of her suspicions. But it became clear that her probing wasn't
appreciated, she said. "Not all questions appeared to be welcome."
The company restored the rigged algorithm to the rest of the production run and sold the
50 secure models to banks to keep them out of the hands of foreign governments. Because
these and other developments were so hard to defend, Wagner at one point told a select
group of members of the research and development unit that Crypto "was not entirely free to
do what it wanted."
The acknowledgment seemed to subdue the engineers, who interpreted it as confirmation
that the company's technology faced constraints imposed by the German government. But the
CIA and BND became increasingly convinced that their routine, disembodied interference was
unsustainable.
Crypto had become an Oz-like operation with employees probing to see what was behind the
curtain. As the 1970s came to a close, the secret partners decided to find a wizard figure
who could help devise more advanced -- and less detectable -- weaknesses in the algorithms,
someone with enough cryptological clout to tame the research department.
The two agencies turned to other spy services for potential candidates before settling
on an individual put forward by Sweden's intelligence service. Because of Hagelin's ties to
the country, Sweden had been kept apprised of the operation since its outset.
Kjell-Ove Widman, a mathematics professor in Stockholm, had made a name for himself in
European academic circles with his research on cryptology. Widman was also a military
reservist who had worked closely with Swedish intelligence officials.
To the CIA, Widman had an even more important attribute: an affinity for the United
States that he had formed while spending a year in Washington state as an exchange
student.
His host family had such trouble pronouncing his Swedish name that they called him
"Henry," a moniker he later used with his CIA handlers.
Officials involved in Widman's recruitment described it as almost effortless. After
being groomed by Swedish intelligence officials, he was brought to Munich in 1979 for what
was purported to be a round of interviews with executives from Crypto and Siemens.
The fiction was maintained as Widman faced questions from a half-dozen men seated around
a table in a hotel conference room. As the group broke for lunch, two men asked Widman to
stay behind for a private conversation.
"Do you know what ZfCh is?" asked Jelto Burmeister, a BND case officer, using the
acronym for the German cipher service. When Widman replied that he did, Burmeister said,
"Now, do you understand who really owns Crypto AG?"
At that point, Widman was introduced to Richard Schroeder, a CIA officer stationed in
Munich to manage the agency's involvement in Crypto. Widman would later claim to agency
historians that his "world fell apart completely" in that moment.
If so, he did not hesitate to enlist in the operation.
Without even leaving the room, Widman sealed his recruitment with a handshake. As the
three men joined the rest of the group at lunch, a "thumbs up" signal transformed the
gathering into a celebration.
Crypto installed Widman as a "scientific advisor" reporting directly to Wagner. He
became the spies' hidden inside agent, departing Zug every six weeks for clandestine
meetings with representatives of NSA and ZfCh. Schroeder, the CIA officer, would attend but
tune out their technical babble.
They would agree on modifications and work up new encryption schemes. Then Widman would
deliver the blueprints to Crypto engineers. The CIA history calls him the "irreplaceable
man," and the "most important recruitment in the history of the Minerva program."
His stature cowed subordinates, investing him "with a technical prominence that no one
in CAG could challenge." It also helped deflect the inquiries of foreign governments. As
Widman settled in, the secret partners adopted a set of principles for rigged algorithms,
according to the BND history. They had to be "undetectable by usual statistical tests" and,
if discovered, be "easily masked as implementation or human errors."
In other words, when cornered, Crypto executives would blame sloppy employees or
clueless users.
In 1982, when Argentina became convinced that its Crypto equipment had betrayed secret
messages and helped British forces in the Falklands War, Widman was dispatched to Buenos
Aires. Widman told them the NSA had probably cracked an outdated speech-scrambling device
that Argentina was using, but that the main product they bought from Crypto, the CAG 500,
remained "unbreakable."
"The bluff worked," the CIA history says. "The Argentines swallowed hard, but kept
buying CAG equipment."
Widman is long-retired now and living in Stockholm. He declined to comment. Years after
his recruitment, he told U.S. officials that he saw himself as "engaged in a critical
struggle for the benefit of Western intelligence," according to the CIA document. "It was,
he said, the moment in which he felt at home. This was his mission in life."
That same year, Hagelin, then 90 years old, became ill on a trip to Sweden and was
hospitalized. He recovered well enough to return to Switzerland, but CIA officials became
worried about Hagelin's extensive collection of business records and personal papers at his
office in Zug.
Schroeder, with Hagelin's permission, arrived with a briefcase and spent several days
going through the files. To visitors, he was introduced as a historian interested in
tracing Hagelin's life. Schroeder pulled out the documents "that were incriminating,"
according to the history, and shipped them back to CIA headquarters "where they reside to
this day."
Hagelin remained an invalid until he died in 1983. The Post could not locate Wagner or
determine whether he is still alive. Schroeder retired from the CIA more than a decade ago
and teaches part-time at Georgetown University. When contacted by a reporter from The Post,
he declined to comment.
The Hydra crisis
Crypto endured several money-losing years in the 1980s, but the intelligence flowed in
torrents. U.S. spy agencies intercepted more than 19,000 Iranian communications sent via
Crypto machines during that nation's decade-long war with Iraq, mining them for reports on
subjects such as Tehran's terrorist links and attempts to target dissidents.
Iran's communications were "80 to 90 percent readable" to U.S. spies, according to the
CIA document, a figure that would likely have plunged into the single digits had Tehran not
used Crypto's compromised devices.
In 1989, the Vatican's use of Crypto devices proved crucial in the U.S. manhunt for
Panamanian leader Manuel Antonio Noriega. When the dictator sought refuge in the
Apostolic Nunciature -- the equivalent of a papal embassy -- his whereabouts were exposed
by the mission's messages back to Vatican City.
In 1992, however, the Crypto operation faced its first major crisis: Iran, belatedly
acting on its long-standing suspicions, detained a company salesman.
Hans Buehler, then 51, was considered one of the company's best salesmen. Iran was one
of the company's largest contracts, and Buehler had traveled in and out of Tehran for
years. There were tense moments, including when he was questioned extensively in 1986 by
Iranian officials after the disco bombing and U.S. missile strikes on Libya.
Six years later, he boarded a Swissair flight to Tehran but failed to return on
schedule. When he didn't show, Crypto turned for help to Swiss authorities and was told he
had been arrested by the Iranians. Swiss consular officials who were allowed to visit
Buehler reported that he was in "bad shape mentally," according to the CIA history.
Buehler was finally released nine months later after Crypto agreed to pay the Iranians
$1 million, a sum that was secretly provided by the BND, according to the documents. The
CIA refused to chip in, citing the U.S. policy against succumbing to ransom demands for
hostages.
Buehler knew nothing about Crypto's relationship to the CIA and BND or the
vulnerabilities in its devices. But he returned traumatized and suspicious that Iran knew
more about the company he worked for than he did. Buehler began speaking to Swiss news
organizations about his ordeal and mounting suspicions.
The publicity brought new attention to long-forgotten clues, including references to a
"Boris project" in Friedman's massive collection of personal papers, which were donated to
the Virginia Military Institute when he died in 1969. Among the 72 boxes delivered to
Lexington, Va., were copies of his lifelong correspondence with Hagelin.
In 1994, the crisis deepened when Buehler appeared on Swiss television in a report that
also featured Frutiger, whose identity was concealed to viewers. Buehler died in 2018.
Frutiger, the engineer who had been fired for fixing Syria's encryption systems years
earlier, did not respond to requests for comment.
Michael Grupe, who had succeeded Wagner as chief executive, agreed to appear on Swiss
television and disputed what he knew to be factual charges. "Grupe's performance was
credible, and may have saved the program," the CIA history says. Grupe did not respond to
requests for comment.
Even so, it took several years for the controversy to die down. In 1995, the Baltimore
Sun ran a series of investigative stories about the NSA, including one called "Rigging the
Game," that exposed aspects of the agency's relationship with Crypto.
The article reported NSA officials had traveled to Zug in the mid-1970s for secret
meetings with Crypto executives. The officials were posing as consultants for a front
company called "Intercomm Associates," but then proceeded to introduce themselves by their
real names -- which were recorded on notes of the meeting kept by a company employee.
Amid the publicity onslaught, some employees began to look elsewhere for work. And at
least a half-dozen countries -- including Argentina, Italy, Saudi Arabia, Egypt and
Indonesia -- either canceled or suspended their Crypto contracts.
Astonishingly, Iran was not among them, according to the CIA file, and "resumed its
purchase of CAG equipment almost immediately."
The main casualty of the "Hydra" crisis, the code name given to the Buehler case, was
the CIA-BND partnership.
For years, BND officials had recoiled at their American counterpart's refusal to
distinguish adversaries from allies. The two partners often fought over which countries
deserved to receive the secure versions of Crypto's products, with U.S. officials
frequently insisting that the rigged equipment be sent to almost anyone -- ally or not --
who could be deceived into buying it.
In the German history, Wolbert Smidt, the former director of the BND, complained that
the United States "wanted to deal with the allies just like they dealt with the countries
of the Third World." Another BND official echoed that comment, saying that to Americans "in
the world of intelligence there were no friends."
The Cold War had ended, the Berlin Wall was down, and the reunified Germany had
different sensitivities and priorities. They saw themselves as far more directly exposed to
the risks of the Crypto operation. Hydra had rattled the Germans, who feared the disclosure
of their involvement would trigger European outrage and lead to enormous political and
economic fallout.
In 1993, Konrad Porzner, the chief of the BND, made clear to CIA Director James Woolsey
that support in the upper ranks of the German government was waning, and that the Germans
might want out of the Crypto partnership. On Sept. 9, the CIA station chief in Germany,
Milton Bearden, reached an agreement with BND officials for the CIA to purchase Germany's
shares for $17 million, according to the CIA history.
German intelligence officials rued the departure from an operation they had largely
conceived. In the German history, senior intelligence officials blame political leaders for
ending one of the most successful espionage programs the BND had ever been a part of.
With their departure, the Germans were soon cut off from the intelligence that the
United States continued to gather. Burmeister is quoted in the German history wondering
whether Germany still belonged "to this small number of nations who are not read by the
Americans."
The Snowden documents provided what must have been an unsettling answer, showing that
U.S. intelligence agencies not only regarded Germany as a target, but monitored German
Chancellor Angela Merkel's cellphone.
Alive and well
The CIA history essentially concludes with Germany's departure from the program, though
it was finished in 2004 and contains clear indications that the operation was still
underway.
It notes, for example, that the Buehler case was "the most serious security breach in
the history of the program," but wasn't fatal. "It did not cause its demise," the history
says, "and at the turn of the century Minerva was still alive and well."
In reality, the operation appears to have entered a protracted period of decline. By the
mid-1990s, "the days of profit were long past," and Crypto "would have gone out of business
but for infusions from the U.S. government."
As a result, the CIA appears to have spent years propping up an operation that was more
viable as an intelligence platform than a business enterprise. Its product line dwindled
and its revenue and customer base shrank.
But the intelligence kept coming, current and former officials said, in part because of
bureaucratic inertia. Many governments just never got around to switching to newer
encryption systems proliferating in the 1990s and beyond -- and unplugging their Crypto
devices. This was particularly true of less developed nations, according to the
documents.
Most of the employees identified in the CIA and BND histories are in their 70s or 80s,
and some of them have died. In interviews in Switzerland last month, several former Crypto
workers mentioned in the documents described feelings of unease about their involvement in
the company.
They were never informed of its true relationship to intelligence services. But they had
well-founded suspicions and still wrestle with the ethical implications of their decisions
to remain at a firm they believed to be engaged in deception.
"Either you had to leave or you had to accept it in a certain way," said Caflisch, now
75, who left the company in 1995 but continues to live on the outskirts of Zug in a
converted weaving factory where she and her family for many years staged semiprofessional
operas in the barn. "There were reasons I left," she said, including her discomfort with
her doubts at Crypto and her desire to be home more for her children. After the latest
revelations, she said, "It makes me wonder whether I should have left earlier."
Spoerndli said he regrets his own rationalizations.
"I told myself sometimes it may be better if the good guys in the United States know
what is going on between these third-world dictators," he said. "But it's a cheap
self-excuse. In the end, this is not the way."
Most of the executives directly involved in the operation were motivated by ideological
purpose and declined any payment beyond their Crypto salaries, according to the documents.
Widman was among several exceptions. "As his retirement drew near, his covert compensation
was substantially increased," the CIA history says. He was also awarded a medal bearing the
CIA seal.
After the BND's departure, the CIA expanded its clandestine collection of companies in
the encryption sector, according to former Western intelligence officials. Using cash
amassed from the Crypto operation, the agency secretly acquired a second firm and propped
up a third. The documents do not disclose any details about these entities. But the BND
history notes that one of Crypto's longtime rivals -- Gretag AG, also based in Switzerland
-- was "taken over by an 'American' and, after a change of names in 2004, was
liquidated."
Crypto itself hobbled along. It had survived the transitions from metal boxes to
electronic circuits, going from teletype machines to enciphered voice systems. But it
struggled to maintain its footing as the encryption market moved from hardware to software.
U.S. intelligence agencies appear to have been content to let the Crypto operation play
out, even as the NSA's attention shifted to finding ways to exploit the global reach of
Google, Microsoft, Verizon and other U.S. tech powers.
In 2017, Crypto's longtime headquarters building near Zug was sold to a commercial real
estate company. In 2018, the company's remaining assets -- the core pieces of the
encryption business started nearly a century earlier -- were split and sold.
The transactions seemed designed to provide cover for a CIA exit.
CyOne's purchase of the Swiss portion of the business was structured as a management
buyout, enabling top Crypto employees to move into a new company insulated from the
espionage risks and with a reliable source of revenue. The Swiss government, which was
always sold secure versions of Crypto's systems, is now CyOne's only customer.
Giuliano Otth, who served as CEO of Crypto AG from 2001 until its dismemberment, took
the same position at CyOne after it acquired the Swiss assets. Given his tenure at Crypto,
it is likely he was witting to the CIA ownership of the company, just as all of his
predecessors in the job had been.
"Neither CyOne Security AG nor Mr. Otth have any comments regarding Crypto AG's
history," the company said in a statement.
Crypto's international accounts and business assets were sold to Linde, a Swedish
entrepreneur, who comes from a wealthy family with commercial real estate holdings.
In a meeting in Zurich last month, Linde said that he had been drawn to the company in
part by its heritage and Hagelin connection, a past that still resonates in Sweden. Upon
taking over operations, Linde even moved some of Hagelin's historic equipment from storage
into a display at the factory entrance.
When confronted with evidence that Crypto had been owned by the CIA and BND, Linde
looked visibly shaken, and said that during negotiations he never learned the identities of
the company's shareholders. He asked when the story would be published, saying he had
employees overseas and voiced concern for their safety.
In a subsequent interview, Linde said his company is investigating all the products it
sells to determine whether they have any hidden vulnerabilities. "We have to make a cut as
soon as possible with everything that has been linked to Crypto," he said.
When asked why he failed to confront Otth and others involved in the transaction about
whether there was any truth to the long-standing Crypto allegations, Linde said that he had
regarded these as "just rumors."
He said that he took assurance from the fact that Crypto continued to have substantial
contracts with foreign governments, countries he assumed had tested the company's products
vigorously and would have abandoned them if they were compromised.
"I even acquired the brand name, 'Crypto,' " he said, underscoring his confidence in the
company's viability. Given the information now coming to light, he said, this "was probably
one of the most stupid decisions I've ever made in my career."
The company's liquidation was handled by the same Liechtenstein law firm that provided
cover for Hagelin's sale to the CIA and BND 48 years earlier. The terms of the 2018
transactions have not been disclosed, but current and former officials estimated their
aggregate value at between $50 million and $70 million.
For the CIA, the money would have been one final payoff from Minerva.
You know those wavy lines that some people put above
and below their automatic signature, e-mail address and phone number?
When I wanted to send a private chat using office e-mail I'd make that wavy
automatic signature line using the decorative "widgets" font.
The receiver would take the wavy widgets fonts line and change the font from widget
symbols to "Cyrillic" font and copy paste the cyrillic line into Google Translate and
translate it from Russian into English. And that was my private message.
And to write back he'd just write a message in English, translate it into Russian,
change the Cyrillic font into widgets, make the widgets small like a decorative wavy
line and stick it above and below his automatic signature.
I don't think anyone would think, "Hey, this decorative wavy signature line might
actually be a coded message in Amharic, Russian or Hebrew, I'll change the font
into all of the world's alphabets one by one and see."
Your message will be detected as suspicious in 2 seconds because it's a
statistical outlier compared to other comms. If it's ranked as suspicious enough
(when combined with other detection criteria) to land on an analyst's desk,
they'll figure it out in 5 minutes. Use peer-reviewed cryptographic
implementations or go home.
RNGs in CPUs and other devices are useless for true encryption since
they are pseudo-random by definition.
True RNGs are manufactured and
maintained from nuclear sources by a small number of companies mostly
from one single very small country. Surely you can guess it.
There are CPU-integrated HWRNG's using thermal noise. They are not pseudorandom
by definition. There are HWRNG's generating true randomness based on beam
splitters, shot noise, reverse-biased semiconductor junctions, the photoelectric
effect, and more. If you want to share some knowledge, do it.
Numbers derived from the deterministic processes you mention, no matter how
many, are not random and can not be used for high-end encryption or
simulations like the Monte Carlo method.
One of the most important and least
known books of the 20th century was published in the 50s by the RAND
Corporation, titled "A Million Random Digits with 100,000 Normal Deviates".
For decades it was THE source of random numbers used around the Western world.
True random numbers are rare and very hard to obtain because they rely on
measurements of indeterministic processes like atomic decay.
All of the methods I mentioned are nondeterministic and, in proper
implementation, are widely deployed for generating key material. Everyone
with an EECS education has heard of the RAND book.
The article is clickbait (it says nothing about where Russians hide their C&C servers, only where they hide their URLs), the idea is not new (a variant of steganography, as foetusinc noted in his comment below), and probably those
groups are not Russian. Still, hiding the URL for the control server in spam on some useless social forums
like the Britney Spears fan club is a pretty clever idea...
According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor
Trojan used comments posted to Britney Spears's official Instagram account to locate the control
server.
... ... ...
The extension will look at each photo's comment and will compute a custom hash value. If the
hash matches 183, it will then run this regular expression on the comment in order to obtain the
path of the bit.ly URL:
(?:\\u200d(?:#|@)(\\w)
Looking at the photo's comments, there was only one for which the hash matches 183. This comment
was posted on February 6, while the original photo was posted in early January. Taking the comment
and running it through the regex, you get the following bit.ly URL:
http://bit.ly/2kdhuHX
Looking a bit more closely at the regular expression, we see it is looking for either @|# or
the Unicode character \200d. This character is actually a non-printable character called 'Zero
Width Joiner,' normally used to separate emojis. Pasting the actual comment or looking at its
source, you can see that this character precedes each character that makes the path of the bit.ly
URL:
smith2155#2hot make loveid to her, uupss #Hot #X
When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php,
which was used in the past as a watering hole C&C by the Turla crew.
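The comment above hides the bit.ly path one character at a time behind Zero Width Joiners and '#'/'@' markers. As an added example (not ESET's code or regex, and without ESET's unpublished hash check), here is a detector that runs the same idea in reverse over a constructed comment: it flags ZWJs that precede plain ASCII, which a legitimate emoji sequence never produces, and recovers the candidate path.

```python
import re
from typing import List

ZWJ = "\u200d"  # Zero Width Joiner: legitimately sits only between emoji code points

# Constructed sample modelled on the quoted comment: the characters that spell
# the bit.ly path "2kdhuHX" are each preceded by a ZWJ or follow a '#'/'@' marker.
SAMPLE_COMMENT = (
    "smith2155#2hot ma" + ZWJ + "ke lovei" + ZWJ + "d to "
    + ZWJ + "her, " + ZWJ + "uupss #Hot #X"
)

# This example's own pattern (assumed, not ESET's): one word character that
# directly follows either a ZWJ or a '#'/'@' marker.
HIDDEN_CHAR = re.compile(r"(?:\u200d|[#@])(\w)")

# A ZWJ immediately followed by an ASCII letter or digit has no rendering purpose.
ZWJ_BEFORE_ASCII = re.compile(r"\u200d[0-9A-Za-z]")


def extract_hidden_path(comment: str) -> str:
    """Concatenate the marked characters in order of appearance."""
    return "".join(HIDDEN_CHAR.findall(comment))


def zwj_before_ascii(comment: str) -> int:
    """Count misplaced ZWJs; emoji sequences such as family/couple glyphs score 0."""
    return len(ZWJ_BEFORE_ASCII.findall(comment))


def flag_comments(comments: List[str]) -> List[dict]:
    """Return one finding per comment whose ZWJ usage looks like a covert channel."""
    findings = []
    for c in comments:
        n = zwj_before_ascii(c)
        if n:
            findings.append({
                "comment": c.replace(ZWJ, "<ZWJ>"),   # make the invisible marker visible
                "zwj_before_ascii": n,
                "candidate_path": extract_hidden_path(c),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_comments([SAMPLE_COMMENT, "nice pic #Hot"]):
        print(finding)
```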
So spammy social media comments are the new numbers stations?
I've assumed for a while that somebody out there must be doing something similar with image steganography,
but leave it to the Russians to come up with something this brilliantly simple.
That's brilliant, and incredibly similar in principle if not execution to
tried and true espionage techniques for communication; codewords in BBC
broadcasts, newspaper ads sending information, etc. Why risk using a central
server which can be eliminated if you can just hide your information in the
incredible amount of simple-to-post, easier-to-read social networking out
there. If you covered enough sites, you'd likely be able to slip in requests
that even a security pro wouldn't be able to pick up. Sure, there are some
people who don't use Facebook, Twitter, Instagram, or Reddit, but there
aren't that many. Combine it with a few regional networking sites and you
could probably hide the traffic in a way that even somebody looking for the
transmissions couldn't find them.
Google has released a new set of tests it uses to probe cryptographic libraries for
vulnerabilities to known attacks.
The tests can be used against most kinds of crypto algorithms and the company
already has found 40 new weaknesses in existing algorithms. The tests are
called Project Wycheproof,
and Google's engineers designed them to help developers implement crypto
libraries without having to become experts. Cryptographic libraries can be
quite difficult to implement and making errors can lead to serious security
problems. Attackers often will look for weak crypto implementations as a means
of circumventing strong encryption in a target app. Among the issues that
Google's engineers found with the Project Wycheproof tests is one in ECDH that
allows an attacker to recover the private key in some circumstances.
The bug is the result of some libraries not checking the elliptic curve points that they
get from outside sources.
"In cryptography, subtle mistakes can have
catastrophic consequences, and mistakes in open source cryptographic software
libraries repeat too often and remain undiscovered for too long.
Good
implementation guidelines, however, are hard to come by: understanding how to
implement cryptography securely requires digesting decades' worth of academic
literature.
We recognize that software engineers fix and prevent bugs with unit
testing, and we found that many cryptographic issues can be resolved by the
same means," Daniel Bleichenbacher and Thai Duong, security engineers at
Google, said in a post announcing the tool release.
"Encodings of public keys typically
contain the curve for the public key point.
If such an encoding is used in the
key exchange then it is important to check that the public and secret key used
to compute the shared ECDH secret are using the same curve. Some libraries fail
to do this check," Google's documentation says.
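The check the quoted documentation describes, as an added example on a tiny constructed curve (this is not Google's or Wycheproof's code): the group law never touches the curve constant B, so an unvalidated peer point from a different curve with the same A is processed without error and the result stays on the attacker's curve. The hardened ecdh_shared below refuses any point that is not on the locally configured curve.

```python
# Toy curve constructed for this example (tiny, NOT for real use):
#   y^2 = x^3 + A*x + B  over GF(P)
P, A, B = 97, 2, 3
G = (0, 10)          # base point used for the key exchange below
INF = None           # point at infinity


def on_curve(pt, b=B):
    """True iff pt is an affine point of y^2 = x^3 + A x + b over GF(P)."""
    if pt is INF:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + b)) % P == 0


def point_add(p1, p2):
    """Affine addition. Note that B never appears: the group law only uses A."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                  # p1 == -p2, also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add with no validation at all: the behaviour of the buggy libraries."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared(priv, peer_pub):
    """Hardened ECDH: the peer's point must lie on OUR curve (P, A, B), whose
    parameters come from the local key, never from the peer's encoding."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not a point on the expected curve")
    shared = scalar_mult(priv, peer_pub)
    if shared is INF:
        raise ValueError("degenerate shared secret")
    return shared


# Constructed attacker point: satisfies y^2 = x^3 + A x + 1 (b' = 1), not b = 3.
OFF_CURVE = (1, 2)

if __name__ == "__main__":
    alice_priv, bob_priv = 2, 3                      # toy-sized private scalars
    alice_pub, bob_pub = scalar_mult(alice_priv, G), scalar_mult(bob_priv, G)
    print("shared:", ecdh_shared(alice_priv, bob_pub), ecdh_shared(bob_priv, alice_pub))
    print("unchecked result on attacker curve:",
          on_curve(scalar_mult(3, OFF_CURVE), b=1))  # True: B was never used
    try:
        ecdh_shared(alice_priv, OFF_CURVE)
    except ValueError as e:
        print("rejected:", e)
```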
Ok, so you need to quickly encrypt the contents of your pen drive. The
easiest solution is to compress them using the 7z archive file format, which is
open source, cross-platform, and supports 256-bit encryption using the AES
algorithm.
Linux has LUKS, which can encrypt partitions or do whole-disk encryption.
When you create a new partition, the partition manager will give you the option
to, say, encrypt the /home directory.
Encrypt with Seahorse
The third option that I will show basically utilizes the popular GNU PG tool
to encrypt anything you want in your disk. What we need to install first are
the following packages: gpg, seahorse, seahorse-nautilus, seahorse-daemon, and
seahorse-contracts, which is needed if you're using ElementaryOS like I do. The
encryption will be based on a key that we need to create first by opening a
terminal, and typing the following command:
A 36-year veteran of America's Intelligence Community, William Binney resigned from his position
as Director for Global Communications Intelligence (COMINT) at the National Security Agency (NSA)
and blew the whistle, after discovering that his efforts to protect the privacy and security of Americans
were being undermined by those above him in the chain of command.
The NSA data-monitoring program which Binney and his team had developed -- codenamed ThinThread
-- was being aimed not at foreign targets as intended, but at Americans (codenamed as Stellar Wind);
destroying privacy here and around the world. Binney voices his call to action for the billions of
individuals whose rights are currently being violated.
William Binney speaks out in this feature-length interview with Tragedy and Hope's Richard Grove,
focused on the topic of the ever-growing Surveillance State in America.
On January 22, 2015: (Berlin, Germany) – The Government Accountability Project (GAP) is proud
to announce that retired NSA Technical Director and GAP client, William "Bill" Binney, will accept
the Sam Adams Associates for Integrity in Intelligence Award today in Berlin, Germany. The award
is presented annually by the Sam Adams Associates for Integrity in Intelligence (SAAII) to a professional
who has taken a strong stand for ethics and integrity.
http://whistleblower.org/press/nsa-wh...
The US Senate on Friday reauthorized the warrantless wiretapping program started under President
George W. Bush by a 73 to 23 vote, easily evading the several amendments proposed to check its dangerous
surveillance powers.
The FISA Amendments Act of 2008 authorized broad, warrantless surveillance of Americans'
international communications, checked only by a secretive Foreign Intelligence Surveillance Court
that doesn't make its activities and procedures available to the public.
Even though the government has acknowledged that the secretive program has exceeded its legal
limits, violating Americans' Fourth Amendment constitutional rights, the Obama administration has
aggressively pushed for its full renewal.
When the law was passed in 2008 it amended the Bush administration's initial program and broadened
powers for domestic surveillance. President Obama was a presidential candidate at the time, and warned
that, while he was voting for its passage, it "does not resolve all of the concerns that we have
about President Bush's abuse of executive power."
However, as president, Obama has fully embraced the unchecked executive powers and secretive surveillance
capabilities built into the FISA Amendments Act. And the controversy that the bill conjured in 2008
contrasts with the subdued acceptance of it in 2012.
"The Bush administration's program of warrantless wiretapping, once considered a radical threat
to the Fourth Amendment, has become institutionalized for another five years," said Michelle Richardson,
the ACLU's legislative counsel.
Several tame amendments were proposed by Senators Ron Wyden, Rand Paul, and Jeff Merkley to try
and rein in the surveillance program. But they were all rejected, and the Obama administration has
refused to release any further information about it.
"The only thing the public really knows about it so far," writes Julian Sanchez, a policy scholar
at the Cato Institute, "is that it was almost immediately misused, resulting in 'significant and
systemic' overcollection of Americans' purely domestic communications. Subsequent reporting revealed
that the improperly 'overcollected' communications could number in the millions, and included
former president Clinton's private e-mails. So naturally, the Senate is charging ahead toward
the renewal of these sweeping powers without hearings or debate."
As the American Civil Liberties Union has explained, the Director of National Intelligence
James Clapper says "it isn't even 'reasonably possible' to estimate how many Americans are swept
up in the NSA's expansive dragnet."
The Obama administration, as is usual in cases where they disregard the Constitution, promises
this mass surveillance comes with strong safeguards and accountability. In reality, the war on terrorism
is continuing to be used to justify major infringements on the civil liberties of Americans.
[Dec 11, 2011] San Francisco Team Solves DARPA Shredder Challenge by Elizabeth Montalbano
If you do not want anybody to read a particular document, don't shred it, burn it.
12/05/11 | InformationWeek
A San Francisco-based programming team pieced together five shredded documents in 33 days
to win the U.S. Defense Advanced Research Projects Agency's (DARPA's) Shredder Challenge.
The three programmers used custom computer-vision algorithms to assemble the complex puzzles
comprised of documents, which were shredded into more than 10,000 pieces. The team spent nearly 600
hours creating the algorithms, designing them to suggest fragment pairings.
The programmers were then able to manually verify the pairings to piece together the documents,
which had Antonio Prohias, the creator of the Spy vs. Spy comic strip, as their common, running theme.
DARPA organizers were surprised not only that all of the puzzles were solved, but in a relatively
short time.
"Lots of experts were skeptical that a solution could be produced at all, let alone within
the short time frame," says DARPA's Dan Kaufman.
He says the most effective approaches combined computational tools, crowdsourcing, and "clever
detective work."
[Dec 11, 2011] Cryptographers Believe 'Size Does Matter' to Stay Safe Online by Royal Holloway
12/02/11 | University of London
Royal Holloway, University of London researchers are analyzing the Transport Layer Security (TLS)
system to identify weaknesses. The TLS system is designed to ensure the security and safety of online
personal information, but vulnerabilities were found in version 1.0 of the system. The researchers
say that TLS version 1.2 offers improved security.
"Our analysis of TLS version 1.2 gives us higher confidence that the data we share online will
be kept safe, secure, and private," says Royal Holloway professor Kenny Paterson. TLS encrypts messages
as they are transmitted across the Internet, keeping personal data insulated against attack. The
researchers have found only one vulnerability in the latest version of TLS. "There is still scope
for a 'distinguishing attack' against TLS 1.2, where an attacker could tell whether a user has sent
a 'yes' or a 'no' during a transaction, for example," Paterson says.
However, he notes that this kind of attack is considered theoretical, and it is very unlikely
that it would actually arise in practice. TLS uses a Message Authentication Code (MAC) tag to help
provide security, and for the Royal Holloway attack to work, the MAC tag would need to be small.
I doubt that this is as promising as described, but something along those lines (with a predefined set
of equivalences) can be developed further. Consider instruction equivalences as a kind of bit
mask that can be applied to any of the program strings.
Netizens with extreme privacy needs got a new tool for their cyber utility belts recently with
the release of an application that lets users hide secret messages in virtually any executable computer
program, without changing the program's size or affecting its operation.
The tool is called "Hydan," an old English word for the act of hiding something, and it's part
of a research project by Columbia University computer science masters student Rakan El-Khalil, who
showed off the program to a small group of open-source programmers and hackers gathered at the second
annual CodeCon conference in San Francisco on Sunday.
Hydan is a novel development in the field of steganography -- the science of burying secret
messages in seemingly innocuous content. Popular stego programs operate on image and music
files, where a secret missive can be hidden without altering the content enough to be perceived by
human senses. But because they contain instructions for a computer's processor, executable files
are less forgiving of tampering. Improperly changing a single bit of executable code can render an
application completely unusable.
El-Khalil's research focused on redundancies in the Intel x86 instruction set -- places
where at least two different instructions are effectively the same. Each choice between two
redundant options can represent a single bit of data. "The problem with program binaries is there
is just not a lot of redundancy in them," said El-Khalil.
He found some of that useful redundancy in the instructions that tell the computer to add or subtract.
A computer instruction to add the number 50 to another value, for example, can be replaced with
an instruction to subtract the number -50 instead. Mathematically, the instructions are the same.
In choosing between the two, a stego program can get one bit of covert storage out of each addition
or subtraction operation in the executable -- without changing the way the application runs, or adding
a single byte to its size. "If we use a scenario in which addition is zero, and subtraction is one,
we can just go through and flip them as needed," El-Khalil explained.
El-Khalil concedes that the method is imperfect -- an application that's been impressed
with a secret message has considerably more "negative subtractions" than an unadulterated program,
making it easy to pick out through a statistical analysis. Hydan could also break programs
that are self-modifying or employ other unconventional techniques. And it's less efficient than stego
programs for image and sound files: good steganography for a JPEG file can hide one byte of storage
in 17 bytes of image, while Hydan's ratio is one byte of storage to 150 bytes of code.
Future versions of Hydan
will boost that capacity by finding different places to code data, such as in the order of a program's
functions, and the order in which arguments are passed to those functions. For now, the application
is still powerful enough to secretly stash the United States Constitution and the Declaration of
Independence in a single copy of Microsoft Word.
Beyond the covert uses, the technology could be used to attach a digital signature to an application,
or to embed an executable with a virtual watermark.
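The add/subtract trick described above, as an added example that is not Hydan's code: an abstract instruction list (constructed here, not real x86 encoding) carries one bit per add/sub with an immediate, the net arithmetic effect is preserved, and the "negative subtraction" ratio El-Khalil concedes gives the embedding away is measured as the detection side.

```python
from typing import List, Tuple

# Constructed instruction model: (mnemonic, register, immediate). Only add/sub with
# an immediate are carriers; "add r, imm" and "sub r, -imm" are interchangeable,
# so each carrier stores one bit: add -> 0, sub -> 1.
Instr = Tuple[str, str, int]

SAMPLE_PROGRAM: List[Instr] = [
    ("add", "eax", 50), ("mov", "ebx", 0), ("add", "esp", 8),
    ("sub", "ecx", 1), ("add", "edx", 16), ("sub", "esp", 8),
    ("add", "eax", 50), ("add", "ebx", 3), ("sub", "eax", 2),
]


def is_carrier(ins: Instr) -> bool:
    return ins[0] in ("add", "sub")


def capacity_bits(program: List[Instr]) -> int:
    return sum(1 for ins in program if is_carrier(ins))


def net_effect(program: List[Instr]) -> List[Tuple[str, int]]:
    """What each carrier actually adds to its register; must survive embedding."""
    return [(reg, imm if mnem == "add" else -imm)
            for mnem, reg, imm in program if mnem in ("add", "sub")]


def embed(program: List[Instr], payload: bytes) -> List[Instr]:
    """Rewrite each carrier so its add/sub choice encodes the next payload bit (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > capacity_bits(program):
        raise ValueError("payload exceeds carrier capacity")
    out, it = [], iter(bits)
    for mnem, reg, imm in program:
        bit = next(it, None) if mnem in ("add", "sub") else None
        if bit is None:
            out.append((mnem, reg, imm))          # non-carrier or payload exhausted
            continue
        value = imm if mnem == "add" else -imm    # the amount really added
        out.append(("add", reg, value) if bit == 0 else ("sub", reg, -value))
    return out


def extract(program: List[Instr], nbytes: int) -> bytes:
    """Read the add/sub choices back as bits and repack them into bytes."""
    bits = [0 if mnem == "add" else 1
            for mnem, _, _ in program if mnem in ("add", "sub")][:nbytes * 8]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, nbytes * 8, 8))


def negative_immediate_ratio(program: List[Instr]) -> float:
    """Detection heuristic from the article: compilers essentially never emit
    'sub r, -imm' or 'add r, -imm', so a high share of negative immediates
    among carriers is the statistical tell of an embedded message."""
    carriers = [ins for ins in program if is_carrier(ins)]
    if not carriers:
        return 0.0
    return sum(1 for ins in carriers if ins[2] < 0) / len(carriers)


if __name__ == "__main__":
    stego = embed(SAMPLE_PROGRAM, b"\xb2")
    print(extract(stego, 1), negative_immediate_ratio(SAMPLE_PROGRAM),
          negative_immediate_ratio(stego))
```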
Discussion: That question isn't what you think. A better way of phrasing it would be "How
ambiguous is your design?". Flexibility in an abstract crypto design is a Good Thing.
Ambiguity in a specification is a Bad Thing. Unfortunately, a cryptographer's flexibility is
an implementer's ambiguity, or more bluntly an implementer's nightmare. An example
of this is IPsec's IKE, which is so flexible/ambiguous that no two people can agree on what it should
look like. As a result, even after years of work, there are still implementations that can't
(or barely) interoperate, and even when they interoperate it's often only because implementers figured
out what the other side was doing and adapted their code to match it.
Resolution: Once you've impressed everyone with the power and flexibility of your design, provide
a sketch of a simple, straightforward, easy-to-get-right profile that implementors can work with.
This is a standard feature of protocol specifications, either done explicitly (MUST/SHOULD/MAY) or
implicitly when everyone ignores all but the most simple, straightforward part
of the specification. Another way of looking at this is that if implementors are going to ignore
much of your design in order to make implementation practical, you want to be the one deciding which
bits get used and which don't.
See also: Question G.
Question I: How big a problem are you really solving?
Discussion: Many problems pointed out in crypto papers are relatively insignificant to non-cryptographers,
or can be fixed with a trivial update of existing code rather than by changing the crypto design.
For example, the "correct" solution to various attacks (real and theoretical) on PKCS #1
v1.5 padding is for implementors to switch to something better such as OAEP, Simple
RSA, PSS, or whatever they're wearing in Santa Barbara this year. However, since the problem
can also be resolved with "Don't do that, then", it's easier to stick with an existing solution
rather than re-engineering everything to use a new protocol (see the Final Thoughts for a
longer discussion on this).
Resolution: Unlike cryptographers, implementors probably won't appreciate the advantages of a
design secure in the IND-CCAn+1 model where the previous was only IND-CCAn if it requires a complete
redeployment of all of their products. Don't expect to see a new design widely adopted any time soon
unless (a) it's being deployed in a greenfields development or (b) you've found a hole
exploitable in O(1) time by an army of script kiddies.
Since graduating in theoretical physics and electrical engineering some 30+ years ago I have had
an interest in cryptography and this has developed with the advent of progressively more powerful
home computers. In recent years I have played with a number of algorithms where I have taken
a particular interest in the techniques involved in making algorithms go as fast as possible.
Public-Key Crypto-systems Using Symmetric-Key Crypto-algorithms
Bruce Christianson, Bruno Crispo, and James A. Malcolm
Abstract. The prospect of quantum computing makes it timely to consider the future of public-key
crypto-systems. Both factorization and discrete logarithm correspond to a single quantum measurement,
upon a superposition of candidate keys transformed into the Fourier domain. Accordingly, both these
problems can be solved by a quantum computer in a time essentially proportional to the bit-length
of the modulus, a speed-up of exponential order.
At first sight, the resulting collapse of asymmetric-key crypto-algorithms seems to herald the
doom of public-key crypto-systems. However for most security services, asymmetric-key crypto-algorithms
actually offer relatively little practical advantage over symmetric-key algorithms. Most of the differences
popularly attributed to the choice of crypto-algorithm actually result from subtle changes in assumptions
about hardware or domain management.
In fact it is straightforward to see that symmetric-key algorithms can be embodied into tamper-proof
hardware in such a way as to provide equivalent function to a public-key crypto-system, but the assumption
that physical tampering never occurs is too strong for practical purposes. Our aim here is to build
a system which relies merely upon tamper-evident hardware, but which maintains the property that
users who abuse their cryptographic modules through malice or stupidity harm only themselves, and
those others who have explicitly trusted them.
If you're mathematically minded, the actual downloadable primality.pdf is worth reading.
So what does this actually mean for cryptography? First, a little background.
Many of the popular common crypto algorithms work because of "something to do with prime numbers".
Most security books are about that vague. So math research about primes could have interesting effects
on our field. But is being able to determine whether a number is prime quickly going to be able to
help or hinder us? Let's look at the RSA algorithm as
an illustrative example. (It lost its patent a few years back, so it's okay to discuss now.)
... ... ...
Public key crypto algorithms such as RSA depend on
there being two keys used to encrypt and decrypt a message. (Hence, the "generate a key pair" step
you see when setting up many applications that use cryptography.) Every user has a complementary
set made up of a private key and a public key. Anything encrypted with the private key can be decrypted
with the public key, and anything encrypted with the public key can be decrypted with the private
key. Only you should have a copy of your private key, but anyone can have your public key because
it's, well, public. If someone encrypts traffic with your public key, it doesn't matter to you because
only you can decrypt it.
So, you're probably thinking, if I have a message to send to Jane, I want to encrypt it. I can't
encrypt it with my public key, because she doesn't have my private key to decrypt it. So I'll encrypt
it with my private key, and she can decrypt it with my public key. Right? Not quite, but this is
a really common mistake. Sure, Jane can decrypt the message with your public key. But so can anyone
else. What you need to do is encrypt the message with Jane's public key, so that only Jane's private
key (which only Jane should have) can decrypt it.
So, the RSA algorithm says this:
Take two large prime numbers.
When multiplied together, they have a product N.
Find two numbers E and D, such that:
When E is multiplied by D, that should be equal to one mod (p-1)(q-1).
What this boils down to is that E and N have to be relatively prime.
They can't share any common components.
8 and 9 are relatively prime. When broken down as much as possible,
8 = 2 x 2 x 2
9 = 3 x 3
Nothing in common.
8 and 20 are not relatively prime.
8 = 2 x 2 x 2
20 = 2 x 2 x 5
They have 2 in common, so they're not relatively prime.
If E and D are chosen correctly, then let's make C the ciphertext and M the plaintext.
C = M to the E power mod N
M = C to the D power mod N
So, something encrypted with N and E (the public key) can be solved for M -- decrypted into the
plaintext. Something encrypted with N and D (the private key) can be solved for the ciphertext C.
And since E and D fit together in a defined mathematical relationship as above, you cannot automatically
deduce one from the other, but can encrypt and decrypt. The beauty of the modulus is that it's a
one way operation. You know what the remainder is, but you'll have to try brute-forcing it to figure
out whether it's C multiplied by one with a remainder of three, by two with a remainder of three...
by forty thousand with a remainder of three... [grin] That takes a lot of time.
So, back to our original point. Being able to quickly determine whether a number is prime -- what
effect does that have on all this? Well, one of the weakest points about
RSA and other public key algorithms is that their large
prime numbers are only probably prime. It's really hard to tell whether a number with eight
zillion digits is actually prime or not -- you have to try dividing it by every prime number up to
half of its value or so. That's very time consuming. Since those of us that use
PGP, etc., don't want to wait too long for our keys to be
generated, the RSA algorithm picks values for P and
Q that are very likely to be prime, but that's not known for certain.
If those numbers aren't actually prime, then there may be different solutions for the equations
other than the ones that are supposed to work. So, someone might be able to decrypt a message without
having the matching key -- they'd just need a matching key, if there were more than
one. (That's what could happen if P and Q aren't prime.) If the new algorithm can determine whether
P and Q are really prime and they're not for a given key pair, that could lead to a weakness in
RSA. But if that's the case,
RSA and other algorithm authors could modify their software
to use the new algorithm to ensure that P and Q really are prime, and that would defeat that sort
of attack.
There's a lot of sound and fury at the moment about this article, and many people are freaking
out about it, but I don't think it's anything to worry about. Mathematicians haven't fully satisfied
themselves yet that it's a good tester for primes -- I don't think we'll be seeing exploit code in
the near future.
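The following worked example is added here and is not code from the article quoted above. It implements textbook RSA exactly as the article states it (E times D equal to one mod (p-1)(q-1), so E must be relatively prime to (p-1)(q-1); C = M^E mod N; M = C^D mod N), uses a Miller-Rabin probable-prime test of the kind key generators rely on, and then shows concretely what the article warns about: when P or Q is not actually prime, D is derived from the wrong group order and some messages no longer decrypt to themselves. All primes, exponents and messages are constructed values chosen small enough to check exhaustively.

```python
import math
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: a composite passes all rounds with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:              # cheap trial division catches easy composites
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                     # write n-1 = 2**s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)    # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until it passes the test."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_keypair(p: int, q: int, e: int = 65537):
    """Public key (N, E) and private key (N, D) with E*D == 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("E must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)                 # C = M^E mod N


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)                 # M = C^D mod N


def round_trip_fraction(p: int, q: int, e: int) -> float:
    """Fraction of all messages 0..N-1 that survive encrypt-then-decrypt.

    With genuine distinct primes this is exactly 1.0. With a composite P or Q the
    relation E*D == 1 mod (p-1)(q-1) no longer matches the true group order, and a
    sizeable share of messages come back changed, which is the weakness the article
    describes."""
    public, private = make_keypair(p, q, e)
    n = public[0]
    good = sum(1 for m in range(n) if decrypt(private, encrypt(public, m)) == m)
    return good / n


if __name__ == "__main__":
    # Constructed demo: a 64-bit toy key pair (far too small for real use).
    p, q = random_prime(64), random_prime(64)
    public, private = make_keypair(p, q)
    msg = 0xC0FFEE
    assert decrypt(private, encrypt(public, msg)) == msg
    print("proper primes 11, 13 :", round_trip_fraction(11, 13, 7))
    print("composite P = 9, Q = 11:", round_trip_fraction(9, 11, 3))
```

The defensive point is the last function: a key generator that skips or weakens the primality test does not produce an obviously broken key, it produces one that silently mangles part of the message space, which is why libraries run many Miller-Rabin rounds (or a deterministic test for small sizes) before accepting P and Q.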
Here are speed benchmarks for some of the most popular hash algorithms and symmetric and asymmetric
ciphers. All were coded in C++ or ported to C++ from C implementations, compiled with Microsoft Visual
C++ 6.0 SP4 (optimize for speed, blend code generation), and ran on a Celeron 850MHz processor under
Windows 2000 SP 1. Two assembly routines were used for multiple-precision addition and subtraction.
The first challenge of building a secure application is authentication. Let's look at some
examples of authentication from everyday life:
At an automated bank machine, you identify yourself using your bank card. You authenticate
yourself using a personal identification number (PIN). The PIN is a shared secret, something
that both you and the bank know. Presumably, you and the bank are the only ones who know
this number.
When you use a credit card, you identify yourself with the card. You authenticate yourself
with your signature. Most store clerks never check the signature; in this situation, possession
of the card is authentication enough. This is true when you order something over the telephone,
as well; simply knowing the credit card number is proof of your identity.
When you rent a movie at a video store, you prove your identity with a card or by saying your
telephone number.
Authentication is tremendously important in computer applications. The program or person you communicate
with may be in the next room or on another continent; you have none of the usual visual or aural
clues that are helpful in everyday transactions. Public key cryptography offers some powerful tools
for proving identity.
In this chapter, I'll describe three cryptographic concepts that are useful for authentication:
Message digests produce a small "fingerprint" of a larger set of data.
Digital signatures can be used to prove the integrity of data.
Certificates are used as cryptographically safe containers for public keys.
A common feature of applications, especially custom-developed "enterprise" applications, is a
login window. Users have to authenticate themselves to the application before they use it. In this
chapter, we'll examine several ways to implement this with cryptography.[1]
In the next section, for instance, I'll show two ways to use a message digest to avoid transmitting
a password in cleartext from a client to a server. Later on, we'll use digital signatures instead
of passwords.
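As an added illustration of the idea in the paragraph above (not the book's own code, and not necessarily the method the book goes on to use), here is one common way a message digest lets a client prove knowledge of a password without sending it: the server issues a fresh random challenge, the client returns a keyed digest of the challenge under a password-derived secret, and the server compares. The `Server`/`Client` classes, the use of the username as salt, and the sample credentials are all constructed for this example.

```python
import hashlib
import hmac
import secrets


def make_verifier(username: str, password: str) -> bytes:
    """Value the server stores instead of the password (a salted SHA-256 digest).

    Using the username as salt is a simplification for this example; a random
    per-user salt and a slow password hash are the usual production choice."""
    return hashlib.sha256(username.encode() + b":" + password.encode()).digest()


class Server:
    def __init__(self):
        self.verifiers = {}          # username -> stored verifier
        self.pending = {}            # username -> outstanding challenge nonce

    def register(self, username: str, password: str) -> None:
        self.verifiers[username] = make_verifier(username, password)

    def challenge(self, username: str) -> bytes:
        """Fresh random nonce; a captured response is useless for a later login."""
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)     # single use
        verifier = self.verifiers.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.secret = make_verifier(username, password)  # derived locally, never sent

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


def login(server: Server, client: Client) -> bool:
    """The full exchange: only the nonce and the digest cross the wire."""
    nonce = server.challenge(client.username)
    return server.verify(client.username, client.respond(nonce))


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")   # constructed credentials
    print("right password:", login(srv, Client("alice", "correct horse battery staple")))
    print("wrong password:", login(srv, Client("alice", "guess")))
```

Two caveats worth keeping in mind with any digest-based scheme of this shape: the cleartext password never crosses the network, but the stored verifier is itself password-equivalent (anyone who reads the server's table can answer challenges), and nothing here authenticates the server to the client. Those gaps are part of why the chapter moves on to digital signatures.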
http://www.clarios.com/ Clarios is a company
that provides open source security development tools and software applications for use by enterprises.
The components at the heart of Clarios's products are in use in thousands of enterprise applications
today, at the world's largest corporations.
Welcome to the Elliptic Curve Cryptosystem Classroom. This site provides an intuitive introduction
to Elliptic Curves and how they are used to create a secure and powerful cryptosystem. The first
three sections introduce and explain the properties of elliptic curves. A background understanding
of abstract algebra is required, much of which can be found in the Background Algebra section. The
next section describes the factor that makes elliptic curve groups suitable for a cryptosystem through
the introduction of the Elliptic Curve Discrete Logarithm Problem (ECDLP). The last section brings
the theory together and explains how elliptic curves and the ECDLP are applied in an encryption scheme.
This classroom requires a JAVA enabled browser for the interactive elliptic curve experiments and
animated examples.
Elliptic curves as algebraic/geometric entities have been studied extensively for the past 150
years, and from these studies has emerged a rich and deep theory. Elliptic curve systems as applied
to cryptography were first proposed in 1985 independently by Neal Koblitz from the University of
Washington, and Victor Miller, who was then at IBM, Yorktown Heights.
Many cryptosystems often require the use of algebraic groups. Elliptic curves may be used to form
elliptic curve groups. A group is a set of elements with custom-defined arithmetic operations on
those elements. For elliptic curve groups, these specific operations are defined geometrically.
Introducing more stringent properties to the elements of a group, such as limiting the number of
points on such a curve, creates an underlying field for an elliptic curve group. In this classroom,
elliptic curves are first examined over real numbers in order to illustrate the geometrical properties
of elliptic curve groups. Thereafter, elliptic curve groups are examined with the underlying fields
F_p (where p is a prime) and F_2^m (a binary representation with 2^m elements).
CRC Press has generously given us permission to make all chapters available for free download.
Please read this copyright notice before downloading any of the chapters.
Dynamical systems are often described as "unpredictable" or "complex" as aspects of their
behavior may bear a cryptic relationship with the simple evolution laws which define them. Some
theorists work to quantify this complexity in various ways. Others try to turn the cryptic nature
of dynamical systems to a practical end: encryption of messages to preserve their secrecy. Here
some previous efforts to engineer cryptosystems based on dynamical systems are reviewed, leading
up to a detailed proposal for a cellular automaton cryptosystem.
Cryptosystems constructed from cellular automaton primitives can be implemented in simply constructed
massively parallel hardware. They can be counted on to deliver high encryption/decryption rates
at low cost. In addition to these practical features, cellular automaton cryptosystems may help
illuminate some foundational issues in both dynamical systems theory and cryptology, since each
of these disciplines rests heavily on the meanings given to the intuitive notion of complexity.
Mercy - block encryption algorithm
Mercy is a fast block cipher operating on 4096-bit blocks, designed specifically around the needs
of disk sector encryption. It takes a 128-bit parameter representing the block number being encrypted,
so that saving the same plaintext to different blocks results in different ciphertexts. Mercy was
presented at Fast Software Encryption 2000.
SFS, a disk block encryption
tool by Peter Gutmann.
Ciphers by Ritter, including several
patent-encumbered large block ciphers.
These lectures contain the base introductory material used for this course. After these lectures,
the student will be familiar with the underlying concepts of advanced operating systems.
The Enigma was one of the best of the new electromechanical cipher machines produced for
the commercial market in the 1920s. Hugo Koch, a Dutchman, conceived of the machine in 1919. Arthur
Scherbius first produced it commercially in 1923. Impressed by its security, which was based on
statistical analysis, the German government acquired all rights to the machine and adapted it
to the needs of its new, modern military forces. It became the standard cipher machine of the
military services, of German agents, and of the secret police. It was also used at all echelons
from high command to front-line tactical units including individual airplanes, tanks, and ships.
An ordinary three-wheel Enigma with reflector and six plug connections generated the following
number of coding positions:
Given this statistical capability, proper communications procedures and practices, and the
fact that solving the Enigma on a timely basis would require rapid analytic machinery which did
not exist, the Germans regarded the Enigma as impenetrable even if captured. The Germans, however,
did not always practice proper communications security, and, more importantly, the Allies, even
in 1938-39, were on the verge of creating the necessary cryptanalytic machinery which would unlock
the Enigma's secrets. The evolution of this technology and its application were major contributing
factors to the ultimate Allied victory in World War II.
Click here for a Perl script which carries out a two-rotor (plus one reflecting rotor) encipherment
of plain text. This two-rotor machine has the transposition property of the actual Enigma --
namely, to decipher, run the cipher text through the script again.
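Since the Perl script itself is not reproduced on this page, here is an added Python model of the same two-rotor-plus-reflector machine (my own code, not the linked script). It shows why running the ciphertext through again recovers the plaintext: the signal path is rotor, rotor, reflector, then back out through both rotors, and because the reflector is a fixed-point-free involution the whole mapping at any given rotor position is its own inverse. The wiring strings are the commonly published tables for Enigma rotors I and II and reflector B; the code only needs them to be a permutation and an involution, which it checks. The stepping rule (right rotor every key, left rotor on each full turn of the right one) is a simplification of the real notch mechanism; the plugboard is omitted, and the sample plaintext is constructed.

```python
import string

ALPHA = string.ascii_uppercase

ROTOR_I = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"      # published Enigma I wiring
ROTOR_II = "AJDKSIRUXBLHWTMCQGZNPYFVOE"     # published Enigma II wiring
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"  # published UKW-B wiring


class Rotor:
    """A wired wheel at a rotational offset; forward and backward paths are inverses."""

    def __init__(self, wiring: str, position: int = 0):
        assert sorted(wiring) == list(ALPHA), "wiring must be a permutation of A-Z"
        self.fwd = [ALPHA.index(ch) for ch in wiring]
        self.bwd = [self.fwd.index(i) for i in range(26)]
        self.pos = position % 26

    def forward(self, c: int) -> int:
        return (self.fwd[(c + self.pos) % 26] - self.pos) % 26

    def backward(self, c: int) -> int:
        return (self.bwd[(c + self.pos) % 26] - self.pos) % 26

    def step(self) -> bool:
        """Advance one place; return True when a full revolution completes (carry)."""
        self.pos = (self.pos + 1) % 26
        return self.pos == 0


class TwoRotorMachine:
    def __init__(self, left: str, right: str, reflector: str, positions=(0, 0)):
        self.left = Rotor(left, positions[0])
        self.right = Rotor(right, positions[1])
        self.ref = [ALPHA.index(ch) for ch in reflector]
        # An involution with no fixed points: this is what makes the machine reciprocal
        # (and also why no letter ever enciphers to itself).
        assert all(self.ref[self.ref[i]] == i and self.ref[i] != i for i in range(26))

    def press(self, c: int) -> int:
        if self.right.step():        # rotors move before the current flows
            self.left.step()
        c = self.right.forward(c)
        c = self.left.forward(c)
        c = self.ref[c]
        c = self.left.backward(c)
        c = self.right.backward(c)
        return c

    def run(self, text: str) -> str:
        out = []
        for ch in text.upper():
            if ch in ALPHA:          # Enigma had no keys for digits or punctuation
                out.append(ALPHA[self.press(ALPHA.index(ch))])
        return "".join(out)


def encipher(text: str, positions=(0, 0)) -> str:
    """Same function serves for enciphering and deciphering, given the same start positions."""
    return TwoRotorMachine(ROTOR_I, ROTOR_II, REFLECTOR_B, positions).run(text)


if __name__ == "__main__":
    pt = "ATTACK AT DAWN"            # constructed sample message
    ct = encipher(pt, (0, 0))
    print(ct)
    print(encipher(ct, (0, 0)))      # -> ATTACKATDAWN
```

The reciprocity that makes the machine convenient to operate is also the root of its best-known weakness: because the reflector has no fixed points, a letter can never encipher to itself, which lets an analyst rule out alignments of a guessed plaintext (a "crib") against the ciphertext without knowing any key material.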
RSA security and
swordfish -- film includes the right elements: clandestine federal agencies, an unbreakable government
network, and the world's best hacker, who's on parole for breaking into and disabling the FBI's Carnivore
spyware, and who's recruited by a suave megalomaniac who just might be a terrorist as well ;-)
vnunet.com: Crackers swallow Swordfish bait. Warner Brothers has released a worm to promote its
Hollywood hackfest film Swordfish, starring Hugh Jackman as a Kevin Mitnick style hacker alongside
Halle Berry and John Travolta.
The viral marketing campaign revolves around a Flash game infested with techie throwaway words
in which the user must guide a "worm" through a "computer system" to collect "nodes" and "crack"
a password within 60 seconds.
Jokes Magazine
Employee Review January 25, 2000 (The classic crypto joke)
My boss asked me for a letter describing my partner Bob Smith, and this is what I wrote:
Bob Smith, my assistant programmer, can always be found
hard at work in his cubicle. Bob works independently, without
wasting company time talking to colleagues. Bob never
thinks twice about assisting fellow employees, and he always
finishes given assignments on time. Often Bob takes extended
measures to complete his work, sometimes skipping
coffee breaks. Bob is a dedicated individual who has absolutely no
vanity in spite of his high accomplishments and profound
knowledge in his field. I firmly believe that Bob can
be classed as a high-caliber employee, the type which cannot
be dispensed with. Consequently, I duly recommend that Bob
be promoted to executive management, and a proposal will
be executed as soon as possible.
S.D. - Project Leader
Shortly afterward I sent the following follow-up note: That bastard Bob was reading over my shoulder
while I wrote the report sent to you earlier today. Kindly read only the odd numbered lines (1, 3,
5, etc.) for my true assessment. Regards,
The Last but not Least
Technology is dominated by
two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt.
Ph.D
FAIR USE NOTICE: This site contains copyrighted material the use of which has not always been
specifically authorized by the copyright owner. We are making such material available to advance
understanding of computer science, IT technology, economic, scientific, and social issues. We believe
this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US
Copyright Law, according to which such material can be distributed without profit exclusively for
research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a
native language. Grammar and spelling errors should be expected. The site contains some broken links
as it develops like a living tree...
You can use PayPal to buy a cup of coffee for the authors of this site.
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced
source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama
society. We do not warrant the correctness of the information provided or its fitness for any purpose.
The site uses AdSense, so you need to be aware of Google's privacy policy. If you do not want to be
tracked by Google, please disable Javascript for this site. This site is perfectly usable without
Javascript.