Tuesday, October 23, 2012

US Military Strip Ciphers

The US Armed forces made extensive use of the strip ciphers M-94 and M-138 in the 1930’s and during WWII. Although authors focus on the SIGABA machine initially only a handful of these were available.  In late 1941 there were around 10.000 M-94 devices, 1.500 M-138 strips and 120 SIGABA. It would take years to build large numbers of cipher machines and during that time it was the strip ciphers that had to hold the line.

Overall about 10.000 M-94 cylinders and 17.000 M-138 strip ciphers were built from the 1920’s till 1944.
The strip ciphers have gotten little publicity but their use was vital for the US forces in WWII, especially in the period 1941-43. The M-94 cylinder was used at division level and was eventually replaced by the M-209 cipher machine. The M-138 (and M-138-A) was used for high level messages by military units and diplomatic attaches. During the war it was replaced by SIGABA but It continued to be available as an emergency system till the 1960’s.

The M-94 cylinder
US reports refer to M-94 as a cylinder cipher while the Germans called it strip, same as the M-138. The cryptographic principle was identical for both systems.

The M-94 was composed of a central spindle on which 25 cylindrical alphabet wheels were inserted. The daily key specified the order of inserting the wheels. Then the user spelled out the message on one line by turning the wheels and chose the cipher text from another line.


The inventors of the cylinder cipher were Thomas Jefferson, Commandant Etienne Bazeries of the French Army, Captain Parker Hitt, USA and Major Joseph Mauborgne, USA.
The M-94 was officially adopted in 1921 and used till 1943 when it was replaced by the M-209 cipher machine. It was undoubtedly a system of limited security but the official history SRH-366 says: ‘It is very easy for us to condemn old devices in the light of later knowledge, and the M-94 looks childishly simple to us now, but let nobody underestimate the good purpose that it did serve at a period when something better than the old Cipher Disk and Playfair were badly needed.

The same report says that about 10.000 M-94 devices were procured from 1921 to 1941.
The M-94 was used extensively in the interwar period. The Navy version was called CSP-488. In 1929/30 it was issued to military and naval attach├ęs. In 1939 units of the Coast-Guard received it. US Army and Army Airforce units used it extensively in the period 1941-43. In 1943 it was declared obsolete.

The M-138 strip cipher

The same cryptographic principle was used by a flat strip device utilizing alphabet paper strips. This consisted of an aluminum frame (or later wooden/plastic) with room for 25 or 30 paper strips. Each strip had a random alphabet. The daily key specified the strips to be inserted and the order that they were to be inserted in.
The plaintext was written vertically at the first column by rearranging the strips. Then another column was selected to provide the ciphertext.
 
Compared to the M-94 the M-138 had the advantage that paper strips were much easier to construct and use than the metal cylinders.

The first flat strip system adopted by the US Army was the M-138 in 1934. It used 25 paper strips. The positions for the paper strips were called ‘channels’.
It was soon replaced by the M-138-A which was a 30 channel system. The first major procurement took place in 1940 with an order for 550 devices. Mass production began in 1942 and the lack of aluminum forced the authorities to use panels built out of plastic and wood. These were given the code designations CSP-845 for plastic and SIGWOWO for wood. The plastic version did not prove satisfactory because heat caused the warping of the panel. The wooden version also proved problematic due to friction of the paper strips on the board. The procurement numbers were 5.000 for CSP-845 and 2.000 for SIGWOWO.

In September 1943 the aluminum shortage was overcome and production of the aluminum version was resumed. Immediately 8.000 were ordered. This order made it possible to recall all plastic and wooden versions.
Total production from 1935 till 1944 was for over 17.000 units.

 
Civilian authorities like the State Department, the Office of Strategic Services, the Treasury Department, the Manhattan Project and others used the M-138-A.

The strip system was also shared with foreign allies such as Brazil, Canada, Costa Rica, France, UK, Italy, Philippines and the USSR.

Security of strip ciphers
The security of the strip ciphers is summarized in SRH-366: ‘The cryptographic strength of the disk or strip cipher lies in the variable factors which it provides, namely, encipherment by a number of different, sliding, mixed alphabets and a possibility of 25 different letters for each letter of plain text. The cryptographic weakness of the strip or disk cipher is the constancy of the interval between the letters of any one plain-text alignment and the letters of its cipher text generatrix ; it is this inherent characteristic which serves as the wedge for all cryptanalytic recovery of this type of system. All security improvements of the device itself and of methods of using it have been designed to prevent cryptanalytic establishment of this constant factor.

The standard security measures for the M-138-A system were the change of the strips every couple of months and the daily use of 30 strips out a larger number (50-100 depending on the link).
From 1939 50-100 alphabet strips were supplied to each user. Out of these 30 were chosen each day.

Initially there were only 50 available rearrangements for the strips. This meant that during the period of use some days would have the same strip ‘key’. This was changed from August ’42 when a different arrangement was provided for each day.
From 1939 till mid 1942 the alphabet strips were generally replaced after six months. From January ‘42 a change every quarter and later bimonthly was instituted. By August ’43 the strips were changed each month. This important change was first introduced in many systems in August ’42.

Message length was limited to 100 5-letter groups.
During the war these measures were not enough and two important security procedures were adopted.

Split generatrix
The standard procedure was for the user to arrange the strips so that the plaintext message is written in the first column. Then another column is selected as the ciphertext (generatrix). This was changed by having the user select a different cipher column for the first 15 letters and another one for the next 15.

This procedure was used for CONFIDENTIAL messages from January ‘42 till July ‘43 when channel elimination was adopted for both CONFIDENTIAL and SECRET messages.

Channel elimination

The M-138-A had 30 positions in the panel for the paper strips. These panel positions were called channels. In order to increase security 5 of these channels were kept empty. A different set of strips were removed for each message, based on an elimination table. The table specified which of the 30 channels in the panel would be empty. The 5-letter indicator at the start of the message would be used with the table to find out which channels would be empty.

The procedure broke up repetitions in the cipher text. From January ’42 it was required for all SECRET messages.

It was first introduced in some army networks in 1939 and until early 1942 only one elimination table was provided for each network. From January to August 1942 the same channel elimination table was in effect for three months, same as the strips. From August ’42 both the channel elimination table and the strips were changed monthly.
The elimination table was originally of the following type:
 

As a result of security studies in September ’44 a new variable elimination procedure was adopted. The new system allowed for up to 5 channels (not necessarily 5) to be eliminated each time. The five letters of the indicator were matched with the date consecutively. Let’s assume that the date is the 16th and the message indicator is JXCGF. Then from the table J=15th channel, then in the next day (17th) the letter X shows a blank so no channel is emptied, for C we look at the 18th day and see that it is also blank, for G we look at the 19th day which gives the 19 channel and in the 20th day F shows the 26 channel. So the cipher clerk will have to remove the alphabet strips in the positions 15, 19 and 26 of the panel.

 


A 1947 report shows a variation of this system, this time with the daily keys being ‘scrambled’ instead of being written consecutively as in the previous table. However i don’t know if this scheme was adopted by the US authorities.


 
German exploitation of US strip ciphers

M-94 cylinder
The Germans intercepted US traffic enciphered with the M-94 and solved the system cryptanalytically.

The German Army’s signal intelligence agency OKH/In 7/VI created a USA section when the US entered the war against the Axis. Head of the department was Dr Steinberg a member of the mathematical research department. Initially the main effort was to identify the US wireless networks, the call signs and the cipher systems used. The main cipher system used by the Americans at that time was the M-94 cylinder.
The 25 alphabet wheels were supposed to be used in a different order each day but some links used them in the same order for longer periods of time. Dr Steinberg and dr Luzius solved the system by using IBM/Hollerith equipment to find repeats. These always occurred on a distance of 25. According to Luzius: ‘having identified 20 to 30 passages of cypher text as being in depth, they could then solve each column as a simple substitution, and in this they were considerably assisted by stereotyped openings. They solved most of the traffic on this system, but he thought that the contents were generally relatively unimportant. As instances of its use, he quoted meteorological traffic from Greenland and Air Force traffic in the Caribbean’.

The war diary of Inspectorate 7/VI shows that the strip traffic (called ACr2-American Caesar cipher 2) was investigated in early 1942 and the first messages solved in April:




From May reports based on decoded ACr2 messages were issued by Referat 1 and this continued till July 1943, when use of the M-94 was discontinued by the US forces.


Ironically they found instructions for the M-94 (Field Manual FM 11-5) in a Berlin library after they solved it cryptanalytically.
From spring ’42 traffic from the US to Africa, Ireland, Britain, Caribbean area, Iceland and Greenland was read. Mettig, head of the Army agency in 1941-43, says that in 1942 the contents had to do with transfers and promotions.

The USAAF Northern route ferry traffic (indicator URSAL) was also exploited by the Luftwaffe’s Chi Stelle from summer ’42 till December 1943.

M-138 strip cipher
A US strip system used in the Pacific area in 1942 (indicator DUPYH) was received from the Japanese and read for a year by the German Navy’s B-Dienst. TICOM report I-197 states that it was read thanks to the compromise of the strips and the ‘eliminator tables’, which would make it a flat strip system.

A USAAF M-138 link was solved by Voegele, chief cryptanalyst of the Luftwaffe in the West.
The USAAF Southern Route ferry traffic strip system with indicator CENEB was read from November ’42 till 1943 when channel elimination was employed.  This strip originally used the split generatrix system. From ‘European Axis Signal Intelligence in World War II’ vol2:

According to Dr. Ferdinand Voegele, Chief Section B, of the Signal intelligence Agency of the Air Force High Command (OKL/LN abt 350), a strip cipher of the United States Army Air Force South Atlantic Ferry Command was solved before 1943. He wrote:
‘It was quite evident from the cipher text that there was a break after each 15 letters.... Accordingly an analysis was made on the basis of groups of 15 letters with the assistance of I. B. M. machines. A depth of 80 passages of parallel construction was needed to reconstruct the 100 strips, 30 of which were valid in any one day.... The system was read as long as it was used. In 1943 a new difficulty presented itself. While 30 strips were still valid on any one day the encipherer could arbitrarily remove any five of the strips to encipher any one message... . After-about six weeks; some of these messages were also deciphered. However, at the same time the volume of this type of traffic began to decline so that finally the analysis work had to be discontinued.’

Techniques employed by Voegele and his assistants are not known. Decipherment by about six weeks of some of the later messages, when strip elimination was employed, may have been accomplished by the skilful use of cribs. It is interesting to note that soon after strip elimination had been introduced, ‘the analysis work had to be discontinued’.
This report makes it seem like Voegele is making excuses when he says that the traffic declined considerably. The truth is that the traffic was actually reduced. The Brits had become aware through Enigma decrypts that this traffic was intercepted and forwarded to Berlin so they naturally assumed that it was being exploited currently. They notified the Americans so that the strips were changed and some of the traffic was sent through an RAF system.

The Germans had more success with the M-138-A used by the State Department.
Sources: SRH-366 ‘History of Army Strip Cipher devices’, TICOM reports I-12, I-76, I-78, I-112, I-113, I-119, I-127, I-154, I-197, I-211, ‘European Axis Signal Intelligence in World War II’ volumes 1,2,4,5  , ‘The Achievements of the Signal Security Agency (SSA) in World War II’, ‘German analysis of converter M-209 - POW interrogations’, ZIP/D-S/G.9 ‘Enemy success with US strip ciphers’, war diary of Inspectorate 7/VI

Pics: M-94 and M-138 pics found through Wikipedia commons user Raul654

6 comments:

  1. I used that M-138-A on DD-688 in Korea ?

    They had a typewriter version of it

    ReplyDelete
    Replies
    1. Are you sure it's the same system? If it was a cipher machine then it wasn't the M-138 strip cipher.

      Delete
    2. no I am not positive what it was, but it was the strip machine
      I just went in to find problem ET could not find.
      I was torpedo man

      Delete
  2. In Korea it was more likely the KL-7 cipher machine, which looked and acted like a small typewriter. Most of the system has been declassified, and there are a couple of great simulators available.

    ReplyDelete
  3. I repaired one of these machines in Korea era, on DD88 2100 DD
    It was in our crypto room main machine we used in offshore Korea

    ReplyDelete
  4. That Korea machine was a strip machine of some kind on DD688
    It was not the KL7 unless it used those strips. That was main thing I noticed. But I do not no what it was...

    ReplyDelete