Get Bruce Schneier on the case.
A 22-year old Spaniard claims that he's cracked a previously unsolved WWII coded message. Others have claimed this before and there's nothing particularly solid to back up the latest effort, but let's have a look at it anyway. Dídac Sánchez claims that he had cracked the encryption scheme used in the last undeciphered message …
No reason for Bruce to bother with it (though I wouldn't be surprised if he mentions it on his blog - doesn't seem to have yet - since it's getting some press). He and pretty much every reputable cryptography expert have been saying for decades that cryptographic systems which aren't based on solid, published research, including cryptanalysis by experts, are high-risk.
And, of course, we're not in any desperate need of new cryptography algorithms. Any new system needs a compelling advantage to be commercially interesting, and needs some significant difference to be interesting even as a theoretical exercise. That's particularly true for symmetric encryption, where we have algorithms that perform well under all our (published) metrics and have received a lot of scrutiny.[1]
You can find all sorts of proposals for symmetric algorithms on places like sci.crypt (I contributed to a few back in the day). The vast majority never go anywhere because why do the work? And then there are algorithms which have received competent scrutiny but are less commonly used because they are or were encumbered, or aren't endorsed by big customers, or whatever - like CAST, Twofish, and Camellia.
All the hard problems in cryptography-related areas of IT security are elsewhere.
[1] There's arguably some room for innovation in stream ciphers, but with the popularity of GCM the motivation for a software-friendly stream cipher is greatly diminished.
Even if he could prove he'd cracked the encryption, there'd be no reason to buy his software. Even if he could prove he'd developed a new type of symmetric cryptographic algorithm with some advantage over the current state of the art, and had implemented it in his software, there'd be no justification for buying it. "New" is not a selling point when it comes to cryptography.
Especially reading this from the contest rules: " If none of the messages coincide with the original text, the notary proved by a certificate indicating the number of proposals received, and the fact that nobody has been able to solve it."
For now I'm trying to decipher the English version of the website. I'm making progress but I am still having trouble with pieces like "Contestants also achieve decipher it and explain how encrypted, remain in reserve, in case the first contestant gather together one of the two requirements to be declared the winner."
I think one of the encryption techniques used in that 4YEO software may be Google Translate...
Now, hearing how he plans to use a text encryption technique to create "a software for encrypting phone calls", as stated on the main page, could be interesting. Or amusing.
As stated on his website:
Thanks to the program 4YEO you can send emails, fully encrypted, secure in the knowledge that only you and the recipient can read its contents. Even if the email is intercepted, it will not be deciphered as it has not been deciphered the message of the Second World War.
If it's a one time pad, that's exactly true.
The logistics of using a one time pad for every communication are... hard. Especially with the requirement that the pad be of greater length than the data it encodes and the recipient having an identical copy of said pad.
But a one time pad is simple enough to use by hand and unbreakable if used correctly.
then it's practically impossible for this guy to prove
Completely impossible. An OTP, used correctly, makes all plaintexts of the same length[1] equally probable. There's no basis whatsoever for supporting a claim that a given plaintext corresponds to a given ciphertext. You have to have some external channel to confirm it.
[1] And of course the length can be disguised by various means - abbreviation and reference to external content to shorten it, padding and self-delimiting to lengthen it.
"To date, the intelligence services have been unable to crack this message's code because they were missing the code word, the code book and the encryption method used. After successfully deciphering the method used I have developed a piece of software that I believe is one of the most secure in the world, because I have adapted the British code to the data security required today by new technologies," Sánchez claimed.
roll in the legal vultures
Guy has just admitted to breaching the Official Secrets Act + copyright infringement
black helicopters inbound
Given that GCHQ have known about the message since 2012 - and issued press releases about it - does rather suggest that it's about as secret as the front page of the Daily Mail.
As for the copyright infringement bit, well, I think we'd be talking patents rather than copyright - and they'd have expired in the 60s at the latest...
Stuff protected under the OSA has no time limit. It needs to be positively declassified otherwise it remains secret for ever and a day.
Some bits of WW2 info are still top secret. I've been to Kew and seen some of the files and noticed where bits are missing. This was in relation to the liberation of Bergen-Belsen. My Father was in the first tranche of Allied Troops to enter the camp.
Signing or not is irrelevant, though nationality is.
That said, it's pointless self-aggrandisement anyway.
They used one-time pads for this encryption.
Make two identical lists of totally random code:value pairs, send one out to the field and keep the other for decoding.
As long as your one-time-pad generation system is truly random with sufficient entropy, and you can keep both pads secure, it is genuinely unbreakable.
Inconvenient though, as once the pads are used up, no more messages until you can get a new one to the other party.
"To demonstrate the security of the 4YEO system, Sánchez has published a message with an identical structure on his website, where he is offering EUR25,000 to anyone who can successfully decipher it."
So, er, how do we know he hasn't just posted random gibberish on his site and claimed it is actually encrypted text? Such an encryption scheme would indeed be undecipherable.
Whether code phrases or encrypted content, counterintelligence will likely know they have a message of some value anyway.
If the message is just code phrases, they'll know they need to get or reverse-engineer* the code book.
If the message is encrypted as well, they'll have to decrypt it before even finding out that they need a code book.
The more layers they have to go through, the less likely they'll figure out what that value is.
* By, for example, capturing conversations and correlating them with events.
The more layers they have to go through, the less likely they'll figure out what that value is.
You must be the kind of person who keeps your dog on three leashes, one of them electronic.
Once your sergeant (carrying lots of paper, matches and suspiciously many books by Jane Austen as well as an OTP) has applied all the useless layers he will be holed, have "volunteered" to help the SS with their enquiries or the value of your message will be zero.
Unless the algorithm is trivial (e.g. ROT13), any attempt to decipher can only be contemplated if there are some known details about the plaintext or algorithm. What language the plaintext is in, for example, or some idea of the algorithm. In most cases several examples of encrypted messages are required in order to make comparisons and perform statistical analysis (e.g. on letter frequencies). So a one-off encrypted message is highly likely to be uncrackable, but if the algorithm is in common use it becomes a far easier task (especially if the algorithm is known via reverse engineering the encryption/decryption program).
The present commonly used encryption algorithms (AES, DES etc.) have had a great deal of effort put into them to ensure that the encrypted output is not susceptible to statistical analysis or other code-breaking techniques even though the algorithm is known, and there is no similarity (apart from length if random padding is not used) between 2 encrypted versions of the same plaintext encrypted with a different key, and the key cannot be determined even if both the plaintext and ciphertext are available to the code breaker (which they frequently are).
None of the encryption techniques used in pre-computer times were anything like as strong (except OTP encryption which is logistically impractical for most purposes). I would be very surprised if an individual has come up with a strong encryption method based on a WW2 technique. "Enigma" ciphertext would have been easily brute-forced by a modern laptop PC, and it was very advanced for its time.
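The statistical point made in the two posts above (letter-frequency analysis works against anything that preserves the plaintext's letter distribution, such as a monoalphabetic substitution, and has nothing to grip on when the output is uniformly random, as with a properly keyed one-time pad) can be shown directly. The Python below is an added example written for this thread, not code from the article or from 4YEO; the English frequency table is the usual approximate one, and the sample dispatch, the shift of 7 and the seeded pad are constructed for illustration.

```python
import random
from collections import Counter

# Approximate relative frequencies (%) of letters in English prose.
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.8, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.1, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 1.0, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.07,
}
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed sample plaintext (about 300 letters), not a real WWII message.
SAMPLE = (
    "THE ENEMY HAS MOVED TWO ARMOURED DIVISIONS TO THE NORTHERN BANK OF THE RIVER "
    "AND IS PREPARING TO CROSS AT FIRST LIGHT TOMORROW. SEND ALL AVAILABLE AIRCRAFT "
    "TO STRIKE THE BRIDGEHEAD BEFORE THE MAIN BODY ARRIVES. THE LOCAL RESISTANCE "
    "REPORTS THAT FUEL AND AMMUNITION ARE BEING STOCKPILED IN THE VILLAGE CHURCH "
    "AND THAT THE GARRISON HAS BEEN REINFORCED WITH ARTILLERY."
)


def letters_only(text: str) -> str:
    """Strip everything except A-Z so the statistics see only letters."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic shift: each plaintext letter always maps to the same ciphertext letter."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] for ch in letters_only(text))


def random_pad(n: int, seed: int) -> str:
    """Letter pad of length n. Seeded only so the example is reproducible; a real pad must not be."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def otp_letters(text: str, key: str) -> str:
    """Letter-wise one-time pad: c = (p + k) mod 26 with a key at least as long as the message."""
    pt = letters_only(text)
    if len(key) < len(pt):
        raise ValueError("one-time pad key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26] for p, k in zip(pt, key))


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are equal.
    Roughly 0.066 for English and 1/26 (about 0.038) for uniformly random letters."""
    t = letters_only(text)
    n = len(t)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(t).values()) / (n * (n - 1))


def chi_squared_vs_english(text: str) -> float:
    """How far the letter counts are from what English of this length would give (lower = more English-like)."""
    t = letters_only(text)
    n = len(t)
    counts = Counter(t)
    return sum((counts.get(ch, 0) - n * f / 100) ** 2 / (n * f / 100) for ch, f in ENGLISH_FREQ.items())


def break_caesar(ciphertext: str) -> int:
    """Try all 26 shifts and return the one whose trial decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared_vs_english(caesar(ciphertext, -s)))


def demo() -> dict:
    n = len(letters_only(SAMPLE))
    caesar_ct = caesar(SAMPLE, 7)
    otp_ct = otp_letters(SAMPLE, random_pad(n, seed=2019))
    return {
        "plaintext_ic": round(index_of_coincidence(SAMPLE), 3),
        "caesar_ic": round(index_of_coincidence(caesar_ct), 3),   # identical to the plaintext's
        "otp_ic": round(index_of_coincidence(otp_ct), 3),         # close to 1/26: nothing to analyse
        "recovered_shift": break_caesar(caesar_ct),               # 7, from the ciphertext alone
    }


if __name__ == "__main__":
    print(demo())
```

The substitution ciphertext keeps exactly the plaintext's index of coincidence, which is why a few hundred letters are enough to recover the shift without any known plaintext; the pad ciphertext's statistics are flat, and the chi-squared ranking over it is meaningless. With only a handful of letters the same chi-squared test becomes unreliable even against a Caesar shift, which is the "one-off short message" caveat in the post above.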
"Are "book" codes easy to crack? The ones where each end uses an agreed edition of a common book and the coding references a word/letter by page, paragraph, line, word/letter offset numbers."
It depends on how the book is kept. If it's based on something you have to carry with you, if you're caught they can use the book in your possession to try to decipher the code. Things that are too common (like newspapers) are also risky as the enemy may well have one of these and will try it as a matter of course.
With "book" codes, a lot depends on the discipline of the person writing the coded message. If they do as they're supposed to, and refrain from repeating the same reference too often, then they're pretty good. But if they get lazy and start using the same reference for a particular word - maybe an uncommon word that they can't avoid repeating - then the code becomes much easier to crack.
(That's one reason why they've fallen out of favour - they're inherently labour-intensive, and only really robust when used by experts.)
"IP over Avian Carriers (RFC 1149) is an Internet protocol for the transmission of messages via homing pigeon." (https://en.wikipedia.org/wiki/Homing_pigeon also the following:)
"In September 2009, a South African IT company based in Durban pitted an 11-month-old bird armed with a data packed 4GB memory stick against the ADSL service from the country's biggest internet service provider, Telkom. The pigeon, Winston, took an hour and eight minutes to carry the data 80 km (50 miles). In all, the data transfer took two hours, six minutes, and fifty-seven seconds—the same amount of time it took to transfer 4% of the data over the ADSL." (ibid)
In the 1970s a South African computer centre experimented with a state-of-the art Remote Job Entry terminal for printing and card reading - running at 1200bps. The link was between there and an office about a mile away. The existing system was a guy on a bicycle with a classic large grocery delivery basket on the front. The bicycle won by a handsome margin.
Don't forget the Bastard Telecom effect!!
Dig up road and snap cable
F*ck Something up on a Friday
Exchange can cope with the occasional hot weather, and melts (yes it has happened), AKA the Bent Rails or Leaves on the Track effect.
etc etc etc.....
As an amateur code breaker who has gone after Dorabella, the original Pigeon Cipher and Kryptos K4 (Ok, I'm still going after K4), all to no avail, this amuses me.
OTP codes ARE incredibly hard to crack for one critical reason. Their strength lies in the brevity of the message they portray. The shorter the message, the harder they are to break. Might be OK for posting gibberish to Twitter (which is mostly gibberish anyway) but for anything longer, you're going to get collisions. A lot of them.
Might as well just give the spooks the keys to the kingdom whilst you're at it.
Talk about an algorithm for the modern age.
No, the true strength of the one-time pad is that it's literally impossible to determine the actual message without foreknowledge of it. The reason being a properly-used OTP cipher can actually be deciphered into ANY message of the same or shorter length. The ONLY determining factor in OTP is the pad itself.
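The claims in the last few posts (an OTP ciphertext decrypts to any plaintext of the same length given the right pad, so nothing in the ciphertext supports one solution over another; and, as asked further up, a random string posted on a website is indistinguishable from a genuine OTP message) can be demonstrated in a few lines. The Python below is an added example written for this thread, not code from the article or from 4YEO; the two messages and the pad are constructed for illustration. It also shows the one real failure mode of the scheme, reusing a pad, which is why the earlier post's point about pads being "used up" matters.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (truncates to the shorter)."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR the message with a pad at least as long as it. The pad must be random and used once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: a one-time pad must cover every byte")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt   # XOR is its own inverse


def pad_for_claimed_plaintext(ciphertext: bytes, claimed: bytes) -> bytes:
    """Given ANY ciphertext, even random noise, derive the pad under which it decrypts to `claimed`.
    Such a pad always exists, so the ciphertext alone can never confirm or refute a claimed solution."""
    if len(claimed) != len(ciphertext):
        raise ValueError("a claimed plaintext must match the ciphertext length exactly")
    return xor_bytes(ciphertext, claimed)


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad is used for two messages, XORing the ciphertexts cancels the pad and leaves
    plaintext1 XOR plaintext2: structured data that classical cryptanalysis (crib dragging) can attack."""
    return xor_bytes(ct1, ct2)


def demo() -> dict:
    message = b"PIGEON ARRIVED 0600"          # constructed sample message (19 bytes)
    pad = os.urandom(len(message))            # genuine one-time pad: random, as long as the message
    ct = otp_encrypt(message, pad)

    alternative = b"ALL QUIET ON FRONT."      # same length, contradictory content
    forged_pad = pad_for_claimed_plaintext(ct, alternative)

    reused = otp_encrypt(alternative, pad)    # misuse: the same pad encrypts a second message

    return {
        "round_trip_ok": otp_decrypt(ct, pad) == message,
        "alternative_also_decrypts": otp_decrypt(ct, forged_pad) == alternative,
        "leak_equals_plaintext_xor": two_time_pad_leak(ct, reused) == xor_bytes(message, alternative),
    }


if __name__ == "__main__":
    print(demo())
```

Every value in the returned dict is True: the real pad recovers the real message, the forged pad recovers a contradictory one from the very same bytes, and two ciphertexts under one pad leak the XOR of their plaintexts. Run `pad_for_claimed_plaintext` against any 19 bytes of `os.urandom` and it will "solve" them just as readily, which is the problem with a prize for deciphering a message whose pad nobody else holds.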
Biting the hand that feeds IT © 1998–2019