What did the Germans do wrong?
Well, besides the insanity and sub-human behavior seen during the Nazi regime, of course... What did they do wrong in the design and use of the Enigma cryptosystem? They saw themselves as the Master Race, but they certainly didn't understand math or probability.
The Enigma design is, in modern terms, a symmetric block cipher with a one-character block size. While the mapping between cleartext and ciphertext varies with position within the message, there is no cipher feedback or cipher chaining. In other words: for a given initial key setting, the substitution applied at the nth input character is always the same regardless of preceding n-1 input characters.
The Enigma block diagram is below.
This shows a 3-rotor system, the block diagram of a
post-Feb-1942 Naval 4-rotor Enigma should be obvious from here!
XXX indicates a substitution.
The rotors change positions like an odometer — rotor #1
rotates one position per input character.
Rotor #2 rotates one position when rotor #1 reaches its
and rotor #3 rotates one position when rotor #2 reaches its
Any change of one rotor produces a new substitution
of input to output characters.
The plugboard was a set of plugs, one for each letter,
with cables that could be jumpered between letter pairs.
If a cable were plugged between
would be converted to
and vice-versa, in each direction.
If there were no cable inserted into the
plug, then every
would be left alone in each direction.
What may be surprising is that the plugboard contributed
significantly more complexity than the rotors (see the
analysis below for details).
An Enigma key is made up of three setting components:
A selection of rotors in a specific order,
what the Germans called Walzenlage.
The mathematics of this varied with service during
The Army and Air Force selected three rotors
out of a set of five, while in 1 February 1942
the German Navy introduced a system which
selected four rotors out of a set of eight.
- Army / Air Force possible rotor orders = 5*4*3 = 60
- Navy possible rotor orders = 8*7*6*5 = 1680.
The "roll-over" ring setting,
or Ringstellung, for each rotor.
The rotors generally changed position for each
input character, moving as odometer wheels move.
But the ring setting specified where the rollover
- Army / Air Force 3-rotor possible ring settings = 263 = 17,576
- Navy 4-rotor possible ring settings = 264 = 456,976
The plugboard settings, or
If just two letters were jumpered on the plugboard,
B, then every
Awould be changed to
Band vice-versa both before and after being sent through the rotors and reflector. All other letters would be transformed by the rotors and reflector only. Any number of letter pairs from zero through thirteen could be jumpered, or steckered. If you use p plugboard cables, there are this many possible ways to jumper the plugboard:
26!Summing that for all possible values of p, 0 through 13, the Enigma design supports 532,985,208,200,576 possible plugboard jumperings. (see The Cryptographic Mathematics of Enigma, Dr. Ray Miller, Center for Cryptologic History, National Security Agency, 1996)
(26-2p)! * p! * 2p
The number of possible Enigma keys is thus the product of those three numbers:
|Army / Air Force||
But as we will see, the Germans greatly reduced the key space and made brute-force attacks much easier.
Use of the Enigma System
The day's key specified the initial settings as described above. But the user was supposed to select six random characters. The random 3-character indicator setting, or initial rotor settings, and a random 3-character input or message setting. The message preamble started with:
- Callsign, time of origin, and number of characters in the message, sent as cleartext.
- The three-letter indicator setting, sent as cleartext.
- The three-letter indicator, the result of setting the rotors to the indicator setting and encrypting the message setting.
The ciphertext was then generated by setting the rotors to the message setting and typing in the cleartext.
Given the day's key and the received ciphertext, the receiver would:
- Set his rotors to the indicator setting, which was included in the preamble.
- Type in the indicator, which was also included in the preamble. The output would be the message setting.
- Set his rotors to the message setting, and type in the received ciphertext. The output would be the original cleartext.
Weakness in the Cipher Design
The cryptographic weakness in the Enigma design is that
an output character must differ from the
corresponding input character.
Put simply, if the ciphertext output is
then we know that the cleartext input could not
The ciphertext looks highly random, but it does
leak some information — character by character, it tells
us what the cleartext could not be.
However, this is a very minor weakness, and if the Germans had used the system correctly, the Allies could not have discovered the keys and decrypted the messages.
There were some systematic key design weaknesses, and even more significantly, systematic operational errors. The Nazis had a good cryptographic system, but they did not know how to use it correctly.
As far as strength against brute-force attack, the Enigma would have been adequately strong against the technology available to the Allies if used correctly. The U.S. SIGABA cipher system (also known as the M-134-C, ECM Mark II, CSP 888/889, and ASAM VI) had a much larger key space, 248.4 as commonly used, 295.6 as used on the POTUS-PRIME link between US President Franklin Delano Roosevelt and UK Prime Minister Winston Churchill. There was concern about SIGABA technology falling into Axis hands — not because it would provide any advantage for breaking the SIGABA cipher (see Kerckhoffs' principle) but because it might suggest improvements in the Enigma system.
- SIGABA: Cryptanalysis of the Full Keyspace, Mark Stamp and Wing On Chan, Cryptologia, v31:202-222, 2007
- Cryptanalysis of SIGABA, Wing On Chan, Master's thesis, San Jose State University, 2007, http://www.sjsu.edu/mscs/research/projects/chan_wing-on.pdf
- Cryptanalysis of the SIGABA, M Lee, Master's thesis, University of California Santa Barbara, 2003, http://ucsb.curby.net/broadcast/thesis/thesis.pdf
- "La cryptographie militaire", in Journal des sciences militaries, Auguste Kerckhoffs (1835-1903), vol IX, pp 5-38, Jan 1883, in which he proved that if the security of a cryptosystem relies on the secrecy of the algorithm, it is weak and could be improved.
Key Design Flaw #1
The first key design flaw was that the Germans foolishly decreed that no rotor order should repeat within one month. So, that component of their key was not really random, and the number of possible keys decreased during a month. If an attacker can do enough brute-force work to break keys early in the month, or otherwise discover early keys (espionage, operator error), the required amount of work decreases as the month progresses.
Constraining the key in this way is as foolish as believing that a random system (throwing dice, flipping coins, observing fairly shuffled cards) somehow has a memory of past events! The probability of each random event is independent of previous events, and so today's key should not be constrained by those of the past one to thirty days.
Key Design Flaw #2
Even more significantly, and still on the rotor order, the Germans foolishly decreed that no rotor could occupy the same position two days in a row.
This also made things much easier for the attackers. Consider the Army / Air Force system, where the rotor order was three rotors out of a set of five.
Given free choice of all three rotors,
as the Germans allowed themselves only on the
first day of the month,
- 5 choices for the first rotor.
- 4 remaining choices for the second rotor.
- And 3 remaining choices for the third and final rotor.
However, if it is any day of the month after the
first one, in the German system, your
choices are very limited.
Let's label yesterday's rotor sequence as
123 and the two unused rotors
as 4 and 5.
Today's allowed rotor choices are limited to the
following, where a
redrotor choice violates this rule, and a
grey backgroundindicates an invalid rotor sequence:
Key Design Flaw #3
The Germans always used 10 plugboard cables. This decreased the possible key space by a factor between four and five and significantly simplified an attack by an even greater factor.
Operational Error #1
Recall that the operator was to choose two random 3-character sequences,the indicator setting and the message setting. However, humans are very bad at choosing random sequences. The indicator setting and message setting were often predictable, making a search of the key space significantly easier.
Two common pairs of 3-character "random" sequences were,
as well as
ABC and simple keyboard sequences.
Predictable settings were referred to as "Cillies",
when one German cipher clerk with a girlfriend named Cilia
Operational Error #2
The Germans used predictable cleartext sequences, providing "cribs" or probable known-plaintext attacks.
Long distinctive frequently-appearing words:
- Obergruppenführer, Untersturmbannführer, Obersturmbannführer, and other military ranks.
- Kriegsgefangene (prisoner of war), gefangengenommen, (captured), and other common military terms.
Weather stations that encrypted a message
every day with an identical beginning,
such as the German for:
TODAYS WEATHER IN THE BALTIC SEA WILL BE ...
Similarly, Italian forces in North Africa utilized a
standardized surrender message sent back to Italian
headquarters immediately before surrender,
sent in Italian, of course:
WE WILL DEFEND
THE SACRED SOIL OF AFRICA
WITH OUR LAST DROP OF BLOOD X
LONG LIVE THE KING X
LONG LIVE IL DUCE X
This not only provided a crib, but a message from a field unit of this length was very likely contained the ciphertext for this. Two benefits for Allied forces — a crib for cryptanalysis, and a clear indication that the sending unit was ready to surrender immediately and could be captured without a fight. HFDF (High-Frequency Direction Finding) was crucial to figure out just which unit was done.
Similarly, the daily garrison medical report was useful
Hemorrhoids are a common ailment in desert service,
but they had no code word for that.
So it had to be spelled out,
LE EMORROIDI in Italian,
providing a likely crib.
[For the Italian details see
The SIGINT Secrets,
Nigel West, 1988, ISBN 0-688-07652-1, pg 231.]
Operational Error #3
Stronger systems were deployed incrementally.
When the Navy first introduced the four-rotor Enigma, this meant an additional three rotors with unknown wiring. But the same message would be encrypted both with the four-rotor and three-rotor system, so those vessels and stations without the four-rotor system could receive the message. Since the three-rotor system was broken, this allowed the discovery of the wiring of the three new rotors in the naval 4-rotor system.
Operational Error #4
Identical messages were encrypted with multiple keys.
When submarines surfaced, they typically requested the transmission of all messages sent while they had been submerged. These old messages would be encrypted with this day's key. By matching messages based on character length, this frequently provided a match to a broadcast message that had been broken previously. This provided a complete known-plaintext attack against this day's keys.
Operational Error #5
Some messages were also sent by insecure means, providing known-plaintext attacks.
A prominent example was the provision of much information, including military cables, to the Japanese military attache in Berlin. General Hiroshi Ōshima then encrypted these messages for transmission to Tokyo using a compromised Japanese cipher. Since the Japanese system had been broken, the message could be read from the Berlin-to-Tokyo link. This provided the message itself, which might be of some use on its own, but it was much more useful for its provision of a known-plaintext attack to more easily discover that day's Enigma key.
Allied General George S Marshall described Ōshima as "our main basis of information regarding Hitler's intentions in Europe."
Operational Error #6
Some messages were sent in response to Allied actions, providing partial chosen-plaintext attacks.
The British referred to this as "gardening". The Allies would do something at a specific time and place, like an artillery barrage, the laying of naval mines, an obvious surveillance overflight, etc., in order to get a German unit to report it using that day's code. This revealed code words for specific locations, navigational references, and the cryptographic keys.
Also see how the U.S. enticed the Japanese into reporting on a non-existant problem with water desalination systems on Midway Island, in order to determine the Japanese code word for that island.
The Allies were careful to not make too much use of the ULTRA data, so as not to encourage the Germans to suspect their system had been broken. But even when the U-boat operations in the Atlantic were largely shut down, Dönitz refused to believe that it was because of cryptanalysis — he continued to believe that any communications insecurity was due to espionage.
Espionage and Capture
The Poles had broken an initial 3-rotor Enigma system. A German cipher clerk had sold information to the French, who shared the information with the Poles. The Poles had then worked out the rotor internal wiring through careful mathematical analysis, and were then able to follow initial changes in rotor wiring. Yes, the Nazis were foolish enough to think they could beat the Slavs in a math contest.
There were also some significant captures of cipher hardware and key material during the war.