M-209

Last updated
The M-209 M209B-IMG 0553-0559-0560.jpg
The M-209

In cryptography, the M-209, designated CSP-1500 by the United States Navy (C-38 by the manufacturer) is a portable, mechanical cipher machine used by the US military primarily in World War II, though it remained in active use through the Korean War. The M-209 was designed by Swedish cryptographer Boris Hagelin in response to a request for such a portable cipher machine, and was an improvement of an earlier machine, the C-36.

Contents

The M-209 is about the size of a lunchbox, in its final form measuring 3+14 by 5+12 by 7 inches (83 mm × 140 mm × 178 mm) and weighing 6 pounds (2.7 kg) (plus 1 pound (0.45 kg) for the case). [1] It represented a brilliant achievement for pre-electronic technology. It was a rotor machine similar to a telecipher machine, such as the Lorenz cipher and the Geheimfernschreiber.

Basic operation

M209B-IMG 0553-black.jpg

Basic operation of the M-209 is relatively straightforward. Six adjustable key wheels on top of the box each display a letter of the alphabet. These six wheels comprise the external key for the machine, providing an initial state, similar to an initialization vector, for the enciphering process.

To encipher a message, the operator sets the key wheels to a random sequence of letters. An enciphering-deciphering knob on the left side of the machine is set to "encipher". A dial known as the indicator disk, also on the left side, is turned to the first letter in the message. This letter is encoded by turning a hand crank or power handle on the right side of the machine; at the end of the cycle, the ciphertext letter is printed onto a paper tape, the key wheels each advance one letter, and the machine is ready for entry of the next character in the message. To indicate spaces between words in the message, the letter "Z" is enciphered. Repeating the process for the remainder of the message gives a complete ciphertext, which can then be transmitted using Morse code or another method. Since the initial key wheel setting is random, it is also necessary to send those settings to the receiving party; these may also be encrypted using a daily key or transmitted in the clear.

Printed ciphertext is automatically spaced into groups of five by the M-209 for ease of readability. A letter counter on top of the machine indicated the total number of encoded letters, and could be used as a point of reference if a mistake was made in enciphering or deciphering.

The deciphering procedure is nearly the same as for enciphering; the operator sets the enciphering-deciphering knob to "decipher", and aligns the key wheels to the same sequence as was used in enciphering. The first letter of the ciphertext is entered via the indicator disk, and the power handle is operated, advancing the key wheels and printing the decoded letter on the paper tape. When the letter "Z" is encountered, a cam causes a blank space to appear in the message, thus reconstituting the original message with spaces. Absent "Z"s can typically be interpreted by the operator, based on context.

An experienced M-209 operator might spend two to four seconds enciphering or deciphering each letter.

Internal elements

Overview

Inside the casing of the M-209, a much more complicated picture emerges. The six key wheels each have a small movable pin aligned with each letter on the wheel. These pins may each be positioned to the left or right; the positioning of these pins affects the operation of the machine. The left position is ineffective, while the right position is effective.

An intermediate gear unit (center) meshes with gears adjoining each key wheel. Visible to the left of the image are the paper tape and typewheel that print out messages and ciphertext. M209B cypher machine rotors-IMG 0557.jpg
An intermediate gear unit (center) meshes with gears adjoining each key wheel. Visible to the left of the image are the paper tape and typewheel that print out messages and ciphertext.
An inactive pin (red) on the bottom of the left key wheel (light blue) pulls the guide arm (green) back. No pin is blocking the right guide arm, so a spring tilts that guide arm forward. M209 guide arm springs.png
An inactive pin (red) on the bottom of the left key wheel (light blue) pulls the guide arm (green) back. No pin is blocking the right guide arm, so a spring tilts that guide arm forward.
The left guide arm is prevented from interacting with the lugs (purple) on the drum (blue), while the right guide arm is in an effective position, and will push to the left any bars with a lug in that position. M209 guide arm touching lug (1).png
The left guide arm is prevented from interacting with the lugs (purple) on the drum (blue), while the right guide arm is in an effective position, and will push to the left any bars with a lug in that position.

Each key wheel contains a different number of letters, and a correspondingly different number of pins. From left to right, the wheels have:

This discrepancy is chosen to give the wheel sizes a coprime nature; the end result is that the wheels only align the same way once every 26×25×23×21×19×17 = 101,405,850 enciphered letters (also known as the period). Each key wheel is associated with a slanted metal guide arm that is activated by any pins in the "effective" position. The positions of the pins on each key wheel comprise the first part of the internal keying mechanism of the M-209.

Behind the row of six key wheels is a cylindrical drum consisting of 27 horizontal bars. Each drum bar is affixed with two movable lugs; the lugs can be aligned with any of the six key wheels, or may be placed in one of two "neutral" positions. An effective pin causes its guide arm to tilt forward, contacting the drum. The positioning of the lugs comprises the second part of the internal keying mechanism. Owing to the complexity of setting the internal keying mechanism, it was altered relatively infrequently; changing internal keys once a day was common in practice.

When the operator turns the power handle, the cylindrical drum makes a complete revolution through all 27 bars. If a lug on one of the bars contacts the guide arm of an active key wheel, that bar is slid to the left; lugs in neutral positions, or which do not contact a guide arm, do not affect the position of the bar. All bars that are slid to the left comprise a variable-toothed gear, which in turn shifts the letter to be encoded; the shift is equal to the number of bars protruding to the left. The resulting ciphertext letter is printed onto the paper tape.

After the rotation is complete, a retractor pushes the protruding bars back into place. A set of intermediate gears advances the key wheels by one position, and a locking arm latches into the drum to prevent a second encoding until the indicator disk is adjusted for the next letter.

This system allowed the offset to change for each enciphered letter; without this facility, the enciphering scheme would resemble a very insecure Caesar shift cipher.

Example configuration

Prior to encoding anything using the M-209, the operator must set the machine according to a preset configuration. This configuration includes the settings for each pin on all six of the key wheels, and the position of each lug on the rotating drum; these were typically specified by tables in a secret system publication given to both sender and receiver. The rotational alignment of the key wheels could be chosen by the sender at random, and provided to the receiver via a secure channel of communication.

Each letter on each key wheel is associated with a pin that can be set either to the left or right. A table specifying the setting of these pins might resemble the following:

WheelPin settings
1AB-D---HI-K-MN----ST-VW---
2A--DE-G--JKL—-O--RS-U-X--
3AB----GH-J-LMN---RSTU-X
4--C-EF-HI---MN-P--STU
5-B-DEF-HI---MN-P--S
6AB-D---H--K--NO-Q

Letters that are present in the table for a given key wheel should have their corresponding pin set to the right, or "effective", position. Absent letters, represented by a dash, are set to the left, or "ineffective", position.

The rotating drum has 27 bars, each with two lugs. These lugs can be set to any position 1 through 6, in which case they are aligned with the corresponding key wheel, or they may be set to one of two "0" positions, in which case they are ineffective. A table indicating the lug settings for the drum might look like this:

Bar123456789
Lugs3-60-61-61-54-50-40-40-40-4
Bar101112131415161718
Lugs2-02-02-02-02-02-02-02-02-0
Bar192021222324252627
Lugs2-02-52-50-50-50-50-50-50-5

Bar 1 would have its lugs set in the "3" and "6" positions, bar 2's lugs in the "0" and "6" positions, and so on. Any lug in the "3" position, for example, will be pushed to the side by a guide arm when the currently active pin on key wheel 3 is in an "effective" position.

Finally, the external key is set by rotating the key wheels to either a specific or random sequence of letters. In testing the internal key settings of the M-209, it is customary for the operator to set the key wheels to "AAAAAA", and proceed with encoding a message consisting of nothing but the letter "A." The resulting ciphertext is then compared with a long check string to verify that all of the internal settings have been performed properly. The check string for this particular configuration is:

T N J U W A U Q T K C Z K N U T O T B C W A R W I O

Key wheel pins come into play when they reach the lower part of the key wheel during rotation; it is here that they may contact or release the guide arm that deflects the lugs to the left. The active pin is offset by a particular amount from the letter currently being displayed on the front of the key wheel; when "AAAAAA" is showing on the key wheels, the pins that are in play are those associated with the letters "PONMLK", from left to right.

Example encoding

After the M-209 is configured according to the settings above, the machine is ready to encode. Continuing with the example of a known check string, the first letter to be encoded is "A". The operator sets the indicating disk to the letter "A", and turns the power handle.

Since the key wheels are set to the string "AAAAAA", the active pins are "PONMLK"; according to the settings above, pin "P" is ineffective on the first key wheel, pin "O" is effective on the second key wheel, "N" is effective on the third, "M" is effective on the fourth, "L" is ineffective on the fifth, and "K" is effective on the sixth. The guide arms associated with effective pins will tilt forward and contact the rotating drum; in this case, guide arms 2, 3, 4, and 6 will be effective.

Any bar on the drum with a lug in any of those positions will be slid to the left, and that bar will participate in the variable-toothed gear driving the output of the machine. According to the given settings, bars 1, 2, 3, and 5 through 21 will be slid to the left, for a total of 20 bars, or 20 "teeth" on the variable-toothed gear. The encoding for this letter will use a shift of 20.

The M-209 uses a reciprocal substitution cipher or Beaufort scheme; the alphabet used in the plaintext message is mapped to the same alphabet in reverse ( atbash ):

Plaintext alphabet:ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext alphabet:ZYXWVUTSRQPONMLKJIHGFEDCBA

If shifting is not considered, "A" becomes "Z", "B" becomes "Y", "C" becomes "X" and so on. Shifting proceeds in a reverse direction; for instance, a plaintext "P" maps to ciphertext "K"; shifting by three positions, to the left, gives ciphertext "N". The shift is circular, so when a shift steps off the left side, it continues again on the right. This approach is self-inversing, meaning that deciphering uses the same table in the same way: a ciphertext "N" is entered as if it were plaintext; this maps to "M" in the ciphertext alphabet, or "P" after shifting three positions, thus giving the original plaintext back.

Continuing the example above, the initial letter to be encoded was "A", which maps to "Z" in ciphertext. The shift given by the variable-toothed gear was 20; shifting to the left 20 positions gives the final ciphertext letter "T", which is the same as the first digit in the check string.

At the end of the encoding cycle, all six key wheels are advanced by one position. The key wheels will then read "BBBBBB", and the active pins will be "QPONML". A new set of guide arms will interact with the drum, resulting in a different shift for the next encoding operation, and so on.

Security

The security of the M-209 was good for its time, but it was by no means perfect. As with the Lorenz Electric teletypewriter cipher machine (codenamed Tunny by the Allies), if a codebreaker got hold of two overlapping sequences, he would have a fingerhold into the M-209 settings, and its operation had some distinctive quirks that could be exploited. As of early 1943, German code breaking in World War II was able to read 10–30 percent of M-209 messages. [2] It was considered adequate for tactical use and was still used by the US Army during the Korean War.

US researcher Dennis Ritchie has described a 1970s collaboration with James Reeds and Robert Morris on a ciphertext-only attack on the M-209 that could solve messages of at least 2,000–2,500 letters. [3] Ritchie relates that, after discussions with the National Security Agency (NSA), the authors decided not to publish it, as they were told the principle was applicable to machines then still in use by foreign governments. [3]

In 2004, German news site Heise Online published a feature about the German efforts to break the M-209. [4]

Production and usage

The U.S. M-209s were produced at a rate of 400 units per day by Smith Corona Typewriter Company in Groton, NY, starting in 1942. Over 140,000 machines were produced. [5] :427 It gradually replaced the older M-94 tactical cipher.

The German SG-41 was supposed to have been a standard tactical cipher machine, but the Germans had only limited supplies of lightweight metals such as magnesium and aluminum, and it was simply too heavy for tactical use. Menzer also worked on two other cipher machines based on Hagelin technology, including a follow-on to the Enigma, the "SG-39", and a simple but fairly strong handheld cipher machine, the "Schlüsselkasten" ("Code Box"). Neither of these machines reached production. Had the Menzer devices been put into service, they would have certainly caused trouble for Allied cryptanalysts, though they were no more uncrackable than the M-209.

After the war, Hagelin came up with an improved model of the M-209, designated the "C-52". The C-52 featured a period of up to 2,756,205,443; wheels that could be removed and reinserted in a different order; and a printwheel with a mixed alphabet. However, the C-52 was one of the last generation of the classic cipher machines, as by that time the new digital technology was permitting the development of ciphers that were far more secure.

Related Research Articles

<span class="mw-page-title-main">Cipher</span> Algorithm for encrypting and decrypting information

In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

<span class="mw-page-title-main">Enigma machine</span> German cipher machine

The Enigma machine is a cipher device developed and used in the early- to mid-20th century to protect commercial, diplomatic, and military communication. It was employed extensively by Nazi Germany during World War II, in all branches of the German military. The Enigma machine was considered so secure that it was used to encipher the most top-secret messages.

In cryptography, a substitution cipher is a method of encrypting in which units of plaintext are replaced with the ciphertext, in a defined manner, with the help of a key; the "units" may be single letters, pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing the inverse substitution process to extract the original message.

<span class="mw-page-title-main">Transposition cipher</span> Method of encryption

In cryptography, a transposition cipher is a method of encryption which scrambles the positions of characters (transposition) without changing the characters themselves. Transposition ciphers reorder units of plaintext according to a regular system to produce a ciphertext which is a permutation of the plaintext. They differ from substitution ciphers, which do not change the position of units of plaintext but instead change the units themselves. Despite the difference between transposition and substitution operations, they are often combined, as in historical ciphers like the ADFGVX cipher or complex high-quality encryption methods like the modern Advanced Encryption Standard (AES).

<span class="mw-page-title-main">Caesar cipher</span> Simple and widely known encryption technique

In cryptography, a Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code, or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on. The method is named after Julius Caesar, who used it in his private correspondence.

<span class="mw-page-title-main">Vigenère cipher</span> Simple type of polyalphabetic encryption system

The Vigenère cipher is a method of encrypting alphabetic text where each letter of the plaintext is encoded with a different Caesar cipher, whose increment is determined by the corresponding letter of another text, the key.

<span class="mw-page-title-main">Rotor machine</span>

In cryptography, a rotor machine is an electro-mechanical stream cipher device used for encrypting and decrypting messages. Rotor machines were the cryptographic state-of-the-art for much of the 20th century; they were in widespread use in the 1920s–1970s. The most famous example is the German Enigma machine, the output of which was deciphered by the Allies during World War II, producing intelligence code-named Ultra.

<span class="mw-page-title-main">Lorenz cipher</span> Cipher machines used by the German Army during World War II

The Lorenz SZ40, SZ42a and SZ42b were German rotor stream cipher machines used by the German Army during World War II. They were developed by C. Lorenz AG in Berlin. The model name SZ was derived from Schlüssel-Zusatz, meaning cipher attachment. The instruments implemented a Vernam stream cipher.

A straddling checkerboard is a device for converting an alphanumeric plaintext into digits whilst simultaneously achieving fractionation and data compression relative to other schemes using digits. It also is known as a monôme-binôme cipher.

<span class="mw-page-title-main">Bombe</span> Codebreaking device created at Bletchley Park (United Kingdom)

The bombe was an electro-mechanical device used by British cryptologists to help decipher German Enigma-machine-encrypted secret messages during World War II. The US Navy and US Army later produced their own machines to the same functional specification, albeit engineered differently both from each other and from Polish and British bombes.

<span class="mw-page-title-main">M-94</span> US cryptographic equipment

The M-94 was a piece of cryptographic equipment used by the United States Army, consisting of several lettered discs arranged as a cylinder. It was also employed by the US Navy, under the name CSP 488.

<span class="mw-page-title-main">Cryptanalysis of the Enigma</span> Decryption of the cipher of the Enigma machine

Cryptanalysis of the Enigma ciphering system enabled the western Allies in World War II to read substantial amounts of Morse-coded radio communications of the Axis powers that had been enciphered using Enigma machines. This yielded military intelligence which, along with that from other decrypted Axis radio and teleprinter transmissions, was given the codename Ultra.

<span class="mw-page-title-main">KL-7</span> Rotor encryption machine

The TSEC/KL-7, also known as Adonis was an off-line non-reciprocal rotor encryption machine. The KL-7 had rotors to encrypt the text, most of which moved in a complex pattern, controlled by notched rings. The non-moving rotor was fourth from the left of the stack. The KL-7 also encrypted the message indicator.

<span class="mw-page-title-main">C-52 (cipher machine)</span> 1950s cipher machines by Crypto AG

The (Hagelin) C-52 and CX-52 were cipher machines manufactured by Crypto AG starting 1951/1952. These pin-and-lug type cipher machines were advanced successors of the C-38/M-209. The machine measures 8+12 by 5+38 by 4+38 inches. The device is mechanical, but when combined with an electric keyboard attachment, the B-52, the resultant system is termed the BC-52. The B-52 is larger, measuring 12+12 by 8+12 by 6+38 inches.

In cryptography, the clock was a method devised by Polish mathematician-cryptologist Jerzy Różycki, at the Polish General Staff's Cipher Bureau, to facilitate decrypting German Enigma ciphers. The method determined the rightmost rotor in the German Enigma by exploiting the different turnover positions. For the Poles, learning the rightmost rotor reduced the rotor-order search space by a factor of 3. The British improved the method, and it allowed them to use their limited number of bombes more effectively.

The Beaufort cipher, invented by some Giovanni Sestri in early 18th century but widely attributed to Sir Francis Beaufort, is a substitution cipher similar to the Vigenère cipher, with a slightly modified enciphering mechanism and tableau. Its most famous application was in a rotor-based cipher machine, the Hagelin M-209. The Beaufort cipher is based on the Beaufort square which is essentially the same as a Vigenère square but in reverse order starting with the letter "Z" in the first row, where the first row and the last column serve the same purpose.

<span class="mw-page-title-main">Alberti cipher</span> Polyalphabetic substitution encryption and decryption system

The Alberti Cipher, created in 1467 by Italian architect Leon Battista Alberti, was one of the first polyalphabetic ciphers. In the opening pages of his treatise De componendis cifris he explained how his conversation with the papal secretary Leonardo Dati about a recently developed movable type printing press led to the development of his cipher wheel.

The Chaocipher is a cipher method invented by John Francis Byrne in 1918 and described in his 1953 autobiographical Silent Years. He believed Chaocipher was simple, yet unbreakable. Byrne stated that the machine he used to encipher his messages could be fitted into a cigar box. He offered cash rewards for anyone who could solve it.

Turingery or Turing's method was a manual codebreaking method devised in July 1942 by the mathematician and cryptanalyst Alan Turing at the British Government Code and Cypher School at Bletchley Park during World War II. It was for use in cryptanalysis of the Lorenz cipher produced by the SZ40 and SZ42 teleprinter rotor stream cipher machines, one of the Germans' Geheimschreiber machines. The British codenamed non-Morse traffic "Fish", and that from this machine "Tunny".

Cryptanalysis of the Lorenz cipher was the process that enabled the British to read high-level German army messages during World War II. The British Government Code and Cypher School (GC&CS) at Bletchley Park decrypted many communications between the Oberkommando der Wehrmacht in Berlin and their army commands throughout occupied Europe, some of which were signed "Adolf Hitler, Führer". These were intercepted non-Morse radio transmissions that had been enciphered by the Lorenz SZ teleprinter rotor stream cipher attachments. Decrypts of this traffic became an important source of "Ultra" intelligence, which contributed significantly to Allied victory.

References

  1. "Dossier : Le Converter M209: chiffreur - déchiffreur". us-militaria.com. 1 January 2014. Archived from the original on 1 January 2014.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
  2. Army Security Agency, European Axis Signal Intelligence in World War II, Volume I, Synopsis. DOC ID 3560861.
  3. 1 2 Ritchie, Dennis M. (5 May 2000). "Dabbling in the Cryptographic World — A Story". Nokia Bell Labs.
  4. Schmeh, Klaus (September 23, 2004). "Als deutscher Code-Knacker im Zweiten Weltkrieg" [As a German code-breaker in World War II]. Heise Online (in German). Retrieved March 26, 2019.
  5. Kahn, David (1967). The Codebreakers: The Story of Secret Writing. New York: The Macmillan Company. ISBN   978-0-684-83130-5. OCLC   59019141

Further reading