Hagelin-Cryptos C-52 cypher machine for sale

J Marquess

Feb 16, 2002, 8:58:42 PM
eBay are currently auctioning a Hagelin-Cryptos C-52 cypher machine.
As I write, there is less than 24 hours left to bid. It is, alas, out
of my league, but for anyone interested full details are at:

www.ebay.com and search for item 1072132473

John

Douglas A. Gwyn

Feb 16, 2002, 10:14:00 PM
J Marquess wrote:
> eBay are currently auctioning a Hagelin-Cryptos C-52 cypher machine.

Wow, the bids are already over $4000. My M-209-B cost me only $1000
a few years ago.

In another auction there's an STG61 (CD57 clone) which is a handheld
model that uses the same cryptographic principle; currently "only"
$2500.

lurker

Feb 17, 2002, 10:32:02 AM
On 16 Feb 2002 17:58:42 -0800, highe...@btinternet.com (J Marquess)
wrote:

The write up said the unit has seen quite a bit of use. Perhaps this
cipher is still protecting something secret. There is a lot of cold
war history that is yet to be told.

I guess there were many different rotor combinations available on
these Enigma clones. The six rotors on this machine each had a prime
number of positions on them. Was this the case with all the rotor
machines?

Michael Amling

Feb 17, 2002, 8:44:37 PM

The description says it's completely mechanical, no wires. But it's
manufactured by Crypto AG. How does it leak the key to NSA? :)

--Mike Amling

Douglas A. Gwyn

Feb 17, 2002, 9:59:12 PM
lurker wrote:
> I guess there were many different rotor combinations available on
> these Enigma clones.

It's not an Enigma clone; it works on a different principle.

lurker

Feb 17, 2002, 10:44:36 PM
On Mon, 18 Feb 2002 02:59:12 GMT, "Douglas A. Gwyn" <DAG...@null.net>
wrote:

I copied some rotor settings from a D57 simulator that is available
for download on the internet. Clearly you are correct: this rotor
machine does not have a wireboard or a keyboard that lights up the
selected letters. Thanks.

I am gathering from looking at the rotor details that some of the
letters reside beside each other on the rotor while others are
separated by fixed gaps. It looks as though you could swap out old
rotors for rotors with a different gap spacing subset. I am guessing
that might leave one with several different formulas for determining
the cipher strength.


31+++--+-+-+-++++-+--++----++++--
47+-++++--+++-+--+-+++---++-++--+-++-----++++---+
41-+-+--++-++--+----++++---+--+-++-++--+-+-
43-+-+--+--+--+---+++-+--+--+-+--+-++-+---++-
29+---++----+--++---+--+--+-+--
37--++--++-+-+--+--+--+-++--+-++--+-+-+


Douglas A. Gwyn

Feb 18, 2002, 5:43:32 AM
lurker wrote:
> I am gathering from looking at the rotor details that some of the
> letters reside beside each other on the rotor while others are
> separated by fixed gaps. It looks as though you could swap out old
> rotors for rotors with a different gap spacing subset. I am guessing
> that might leave one with several different formulas for determining
> the cipher strength.
> 31+++--+-+-+-++++-+--++----++++--
> 47+-++++--+++-+--+-+++---++-++--+-++-----++++---+
> 41-+-+--++-++--+----++++---+--+-++-++--+-+-
> 43-+-+--+--+--+---+++-+--+--+-+--+-++-+---++-
> 29+---++----+--++---+--+--+-+--
> 37--++--++-+-+--+--+--+-++--+-++--+-+-+

They're usually called "wheels" for a Hagelin device; "rotors" are
the conductive substitution elements in a Hebern device. Each wheel
has a set of pins that can be manually placed in either an active (+)
or inactive (-) position; that's part of the "key setting". There is
also a cage with rods that contain moveable lugs (usually 2 per rod);
each lug can be manually placed in an inactive position or a position
where it will engage the pins of a particular wheel; the lug settings
are additional keying parameters. The final part of the key is the
initial relative rotational position of each wheel (index symbols
appear in windows of the case). Normally the internal (pin and lug)
settings are changed only once per day while the wheel index changes
with each message. In operation, the cage rotates and whenever a lug
strikes an active pin the cage rod slides out to become the tooth of
a variable-pitch gear; the total number of teeth for the whole cage
determines the amount by which the printing wheel (oops, often the
initial offset of that is another key parameter) advances from the
plaintext letter to the printed cipher letter (or conversely; the
device is reciprocal). There is a ratcheting mechanism that advances
the whole set of wheels after each letter is enciphered, which brings
new pins into play.

These machines are mechanical marvels, but their cryptosecurity is
not great, as was known even around WWII when they were evaluated for
tactical field use. Basically they were fielded because we couldn't
produce anything better in the necessary time frame. The US used
these into the 1950s and various foreign governments used them for
another couple of decades.

There are several articles and a book or two describing methods of
attacking Hagelin devices. Somewhat better attacks are possible,
but have not been published.
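
The pin-and-lug mechanism described in the post above, as a simplified model (an added example, not part of the original thread and not any simulator's code). The pin strings are the ones posted earlier in the thread; the lug layout, the number of bars, the fixed offset of 25 and the direct mapping of wheel position to pin index are assumptions made for illustration.

```python
from math import lcm

# Pin settings exactly as posted in the thread ('+' active, '-' inactive).
PINS = [
    "+++--+-+-+-++++-+--++----++++--",
    "+-++++--+++-+--+-+++---++-++--+-++-----++++---+",
    "-+-+--++-++--+----++++---+--+-++-++--+-+-",
    "-+-+--+--+--+---+++-+--+--+-+--+-++-+---++-",
    "+---++----+--++---+--+--+-+--",
    "--++--++-+-+--+--+--+-++--+-++--+-+-+",
]

# Constructed lug setting (not from the thread): one tuple per cage bar, two
# lugs per bar; each lug names the wheel it faces, or None when inactive.
BARS = ([(0, None)] * 1 + [(1, None)] * 2 + [(2, None)] * 4 + [(3, None)] * 8
        + [(4, None)] * 5 + [(5, None)] * 5 + [(0, 5)] * 2)


def displacement(pos, pins=PINS, bars=BARS):
    """Count the bars pushed out at wheel positions `pos`.

    A bar becomes one gear tooth if any of its lugs meets an active pin, so a
    bar with two engaged lugs still counts once.
    """
    active = [wheel[p] == "+" for wheel, p in zip(pins, pos)]
    return sum(any(lug is not None and active[lug] for lug in bar) for bar in bars)


def shifts(start, n, pins=PINS, bars=BARS):
    """Key stream: the displacement for each of n letters, every wheel stepping by one."""
    return [displacement([(s + i) % len(w) for s, w in zip(start, pins)], pins, bars)
            for i in range(n)]


def crypt(text, start, offset=25):
    """Encipher or decipher A-Z text; the same call does both (reciprocal)."""
    ks = shifts(start, len(text))
    return "".join(chr((offset + k - (ord(c) - 65)) % 26 + 65) for c, k in zip(text, ks))


def period(pins=PINS):
    """Letters enciphered before all wheels are back at their start together."""
    return lcm(*(len(w) for w in pins))


def same_start_difference(ct1, ct2):
    """Letter-wise (ct1 - ct2) mod 26 for two messages sent from the same start.

    The key shift cancels, leaving (pt2 - pt1) mod 26: the reason the wheel
    index has to change with every message.
    """
    return [(ord(a) - ord(b)) % 26 for a, b in zip(ct1, ct2)]


if __name__ == "__main__":
    start = (0, 0, 0, 0, 0, 0)
    ct = crypt("ATTACKHILLTHIRTEEN", start)
    print(ct, crypt(ct, start), period())
```

Because the wheel sizes share no common factor, `period()` is simply their product, while each wheel's own contribution to the shift still repeats after only 29 to 47 letters.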

John Savard

Feb 18, 2002, 10:12:06 AM
On Sun, 17 Feb 2002 19:44:37 -0600, Michael Amling <mam...@iwc.net>
wrote, in part:

> The description says it's completely mechanical, no wires. But it's
> manufactured by Crypto AG. How does it leak the key to NSA? :)

The cipher it produces is not, by today's standards, invincibly
strong. The principle on which it operates is described on my web
site, at

http://home.ecn.ab.ca/~jsavard/crypto/ro0202.htm

John Savard
http://plaza.powersurfr.com/jsavard/index.html

lurker

Feb 18, 2002, 11:47:35 AM
On Mon, 18 Feb 2002 10:43:32 GMT, "Douglas A. Gwyn" <DAG...@null.net>
wrote:

>lurker wrote:

Thanks for all the info on this advanced stuff! I am going to go
back to cracking school lockers with the cypherpunks.

David Ross

Feb 18, 2002, 12:04:39 PM
lurker wrote:
>
> I guess there were many different rotor combinations available on
> these Enigma clones. The six rotors on this machine each had a prime
> number of positions on them. Was this the case with all the rotor
> machines?

Generally true for the older Hagelin machines. The C-52 has a real
plainjane carry scheme in that every time the machine is stepped, each
rotor moves one notch. All its rotors must be of different sizes.
The U.S. military's M-209 Converter works the same way, but its
rotors are smaller than the ones in this C-52.

The later CX-52 machine has a programmable carry scheme - for every
machine step, a given rotor may move zero or one or two or three
notches. I've seen CX-52s with all rotors the same size.

Pretty amazing mechanisms. The same basic pin & lug scheme was used
by Crypto AG in their Telecrypto units, which encrypt/decrypt 50 baud
teletype sigs in real time.
In the Telecrypto units, the lug cage rotates in sync with the 50 baud
teletype signal. The lugs on the cage actuate a leaf switch as the cage
rotates. The leaf switch feeds one coil of a polar relay, which handles
the XOR function.

Dave Ross

lurker

Feb 18, 2002, 1:06:27 PM
On Mon, 18 Feb 2002 09:04:39 -0800, David Ross <ro...@hypertools.com>
wrote:

I take it these devices were used to increase the complexity of radio
or telegraph signal transmissions primarily. It would be easy to
override a radio or telegraph signal with one of an adversary's
choosing otherwise.

There seems to be a lot of political bantering about the strengths of
ciphers over longer time periods. Perhaps many of these arguments
would be resolved if the primary purpose of most of these ciphers were
seen as authentication for the shorter time of communications period.
I guess that is why they called many of these "field ciphers"?

Paul Pires

Feb 18, 2002, 2:05:39 PM

lurker <n...@nospam.org> wrote in message news:3c713e0b...@netnews.worldnet.att.net...
Secrecy has a shelf life. If the message is "Attack hill 13" it would be
stale info if it was decoded after the attack. Authentication seems a liability
since it is assumed. "Just got a message from the boss. It must be him
because I could decrypt it".
I don't know why you think that authentication has a shorter life. Even
after every bad move at Enron is known, tying it to an individual will have
a value with a far longer life than the content has.
Even so, I'd be surprised if a separate authentication scheme wasn't
used when it was critical. A word of the day, authorization code or
some-such. Assuming authentication merely on the basis of it being
encrypted seems like a real dumb thing to do.

Paul


lurker

Feb 18, 2002, 3:20:45 PM
On Mon, 18 Feb 2002 19:05:39 GMT, "Paul Pires" <dio...@got.net>
wrote:

A field cipher was only a layer in the communications channel back in
the old days. If you had a plan contingent upon a weather report
then you wanted to *reduce* the chance of a middleman sending you the
wrong weather report.

Same principle still applies for buying something online with a credit
card. In essence you are encrypting your credit card number with
information from the sales event and an additional cryptographic key
that is unique to your PC. In theory this should provide objective
evidence to support or deny a disputed claim.

Media hearsay may have nothing to do with the truth. The president of
Enron could be Lee Harvey Oswald for all I know; I have never heard
that the media was held accountable for accurate reporting beyond the
weather forecast.

Paul Pires

Feb 18, 2002, 5:22:29 PM

lurker <n...@nospam.org> wrote in message news:3c715d6f...@netnews.worldnet.att.net...

This doesn't make sense. If the card number is encrypted with
a number secret to your PC, how could the merchant decrypt it?
If it is a public number why couldn't someone else use it to
impersonate you?

>In theory this should provide objective
> evidence to support or deny a disputed claim.

I strongly disagree. This is a liability, not an advantage as it
introduces false trust unless the protocol is specifically designed
to authenticate. You do not have to crack the algorithm to
spoof authentication, therefore the strength of the algorithm
could be non sequitur to the issue of the quality of authentication.
Take the trite "Bit flipping" example from Applied Crypto.

>
> Media hearsay may have nothing to do with the truth. The president of
> Enron could be Lee Harvey Oswald for all I know, I have never heard
> that the media was held accountable for accurate reporting beyond the
> weather forecast.

This bears how on the previous discussion?

Paul
>
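
The "bit flipping" point made in the post above, shown from the receiver's side: a message under an additive cipher still decrypts cleanly after being altered, and only a separate authentication tag catches the change. This is an added example, not part of the original thread; the SHA-256 counter key stream is a constructed stand-in for any additive cipher, and the keys and message are constructed sample values.

```python
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Constructed toy key stream (SHA-256 over key||counter), single message only."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the key stream; no integrity protection."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def rewrite_without_key(ct: bytes, at: int, known: bytes, wanted: bytes) -> bytes:
    """Turn known plaintext bytes into `wanted` by XORing their difference into ct."""
    delta = bytes(a ^ b for a, b in zip(known, wanted))
    patched = bytes(c ^ d for c, d in zip(ct[at:at + len(delta)], delta))
    return ct[:at] + patched + ct[at + len(delta):]


def seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256 computed over the ciphertext."""
    ct = xor_crypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any modification."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor_crypt(enc_key, ct)


if __name__ == "__main__":
    ek, mk = b"constructed-enc-key", b"constructed-mac-key"
    ct = xor_crypt(ek, b"ATTACK HILL 13")
    # Decrypts without error even though the ciphertext was altered in transit.
    print(xor_crypt(ek, rewrite_without_key(ct, 12, b"13", b"31")))
    try:
        unseal(ek, mk, rewrite_without_key(seal(ek, mk, b"ATTACK HILL 13"), 12, b"13", b"31"))
    except ValueError as err:
        print("rejected:", err)
```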


lurker

Feb 18, 2002, 10:10:45 PM
>>lurker <n...@nospam.org> wrote in message news:3c715d6f...@netnews.worldnet.att.net...
>>
>> A field cipher was only a layer in the communications channel back in
>> the old days. If you had a plan contingent upon a weather report
>> then you wanted to *reduce* the chance of a middleman sending you the
>> wrong weather report.
>>
>> Same principle still applies for buying something online with a credit
>> card. In essence you are encrypting your credit card number with
>> information from the sales event and an additional cryptographic key
>> that is unique to your PC.

>"Paul Pires" <dio...@got.net> wrote:
>
>This doesn't make sense. If the card number is encrypted with
>a number secret to your PC, how could the merchant decrypt it?
>If it is a public number why couldn't someone else use it to
>impersonate you?
>

lurker <n...@nospam.org>

The term I used was unique not secret. It is all a matter of degree,
you could carry around a dongle with you for better authentication.
Most people are comfortable just relying on their browser
certificates.

>>lurker <n...@nospam.org>

>>In theory this should provide objective
>> evidence to support or deny a disputed claim.

>"Paul Pires" <dio...@got.net> wrote:
>
>I strongly disagree. This is a liability, not an advantage as it
>introduces false trust unless the protocol is specifically designed
>to authenticate. You do not have to crack the algorithm to
>spoof authentication, therefore the strength of the algorithm
>could be non sequitur to the issue of the quality of authentication.
>Take the trite "Bit flipping" example from Applied Crypto.
>

lurker <n...@nospam.org>

As long as you can walk into a cyber cafe and enter a credit card
number from the keyboard this will remain an issue.


>>> I don't know why you think that authentication has a shorter life. Even
>>>after every bad move at Enron is known, tying it to an individual will have
>>>a value with a far longer life than the content has.

>>lurker <n...@nospam.org>

>>
>> Media hearsay may have nothing to do with the truth. The president of
>> Enron could be Lee Harvey Oswald for all I know, I have never heard
>> that the media was held accountable for accurate reporting beyond the
>> weather forecast.

>"Paul Pires" <dio...@got.net> wrote:
>
>This bears how on the previous discussion?
>

How are we to implicate Ken Lay beyond a reasonable doubt in any
wrongdoings at Enron without an objective authentication? I would expect
authentication would have a longer life. Most important historical
events rely on objective evidence that sometimes is not discovered
for decades or centuries.

Douglas A. Gwyn

Feb 20, 2002, 4:17:32 AM
lurker wrote:
> I guess that is why they called many of these "field ciphers"?

They were called "field ciphers" because they were suitable for use
in field conditions, and their security was adequate for protecting
tactical information about a current battle long enough to avoid
exploitation by the enemy during the battle, although not necessarily
for protecting information for a long amount of time.

Douglas A. Gwyn

Feb 20, 2002, 4:20:51 AM
Paul Pires wrote:
> Even so, I'd be surprised if a separate authentication scheme wasn't
> used when it was critical. A word of the day, authorization code or
> some-such. Assuming authentication merely on the basis of it being
> encrypted seems like a real dumb thing to do.

Indeed, to avoid spoofing etc. military systems tend to incorporate
some form of authentication. In the days of Hagelins, it might be
a couple of check digits in the transmitted message header, obtained
from a circular-slide-rule style authentication device or some such.

Paul Pires

Feb 21, 2002, 2:50:24 PM

lurker <n...@nospam.org> wrote in message news:3c71bdd0...@netnews.worldnet.att.net...

> >>lurker <n...@nospam.org> wrote in message news:3c715d6f...@netnews.worldnet.att.net...
> >>
> >> A field cipher was only a layer in the communications channel back in
> >> the old days. If you had a plan contingent upon a weather report
> >> then you wanted to *reduce* the chance of a middleman sending you the
> >> wrong weather report.
> >>
> >> Same principle still applies for buying something online with a credit
> >> card. In essence you are encrypting your credit card number with
> >> information from the sales event and an additional cryptographic key
> >> that is unique to your PC.
>
> >"Paul Pires" <dio...@got.net> wrote:
> >
> >This doesn't make sense. If the card number is encrypted with
> >a number secret to your PC, how could the merchant decrypt it?
> >If it is a public number why couldn't someone else use it to
> >impersonate you?
> >
>
> lurker <n...@nospam.org>
>
> The term I used was unique not secret. It is all a matter of degree,
> you could carry around a dongle with you for better authentication.
> Most people are comfortable just relying on their browser
> certificates.

I realize that. If it is unique it is either secret or non-secret.
(this is fairly all-inclusive) the example you gave must fit
in one and be accurately covered by one or more
questions above. Answer the question, or not.


>
> >>lurker <n...@nospam.org>
> >>In theory this should provide objective
> >> evidence to support or deny a disputed claim.
>
> >"Paul Pires" <dio...@got.net> wrote:
> >
> >I strongly disagree. This is a liability, not an advantage as it
> >introduces false trust unless the protocol is specifically designed
> >to authenticate. You do not have to crack the algorithm to
> >spoof authentication, therefore the strength of the algorithm
> >could be non sequitur to the issue of the quality of authentication.
> >Take the trite "Bit flipping" example from Applied Crypto.
> >
>
> lurker <n...@nospam.org>
>
> As long as you can walk into a cyber cafe and enter a credit card
> number from the keyboard this will remain an issue.

No, this is a significantly different issue. The credit card was
your analogy, not mine. You presented an example that does
not authenticate as an example of how simple authentication
is. Credit card purchases do not authenticate the transaction,
just the account. It isn't just weak or trivial, it isn't there at all.


>
> >>> I don't know why you think that authentication has a shorter life. Even
> >>>after every bad move at Enron is known, tying it to an individual will have
> >>>a value with a far longer life than the content has.
>
> >>lurker <n...@nospam.org>
> >>
> >> Media hearsay may have nothing to do with the truth. The president of
> >> Enron could be Lee Harvey Oswald for all I know, I have never heard
> >> that the media was held accountable for accurate reporting beyond the
> >> weather forecast.
>
> >"Paul Pires" <dio...@got.net> wrote:
> >
> >This bears how on the previous discussion?
> >
> How are we to implicate Ken Lay beyond a reasonable doubt in any
> wrongdoings at Enron without an objective authentication? I would expect
> authentication would have a longer life. Most important historical
> events rely on objective evidence that sometimes is not discovered
> for decades or centuries.

It's getting much clearer now.

Paul


lurker

Feb 21, 2002, 5:55:01 PM
On Thu, 21 Feb 2002 19:50:24 GMT, "Paul Pires" <dio...@got.net>
wrote:
[snip]

>>
>> lurker <n...@nospam.org>
>>
>> The term I used was unique not secret. It is all a matter of degree,
>> you could carry around a dongle with you for better authentication.
>> Most people are comfortable just relying on their browser
>> certificates.
>
>I realize that. If it is unique it is either secret or non-secret.
>(this is fairly all-inclusive) the example you gave must fit
>in one and be accurately covered by one or more
>questions above. Answer the question, or not.
>>
lurker <n...@nospam.org>

Now we are talking about threat model. If I wish to take ridiculous
steps to authenticate something I could have a spacecraft repeatedly
transmit a unique key back to earth as it heads out of the solar
system. The key is not secret, but it provides an objective
authentication.

Judging from your userid you are an electrical engineer and should
clearly understand the difficulties involved in securing computer
equipment. Fortunately the most sensitive classes of receivers are
not available for commercial sale.
[snip]

Paul Pires

Feb 21, 2002, 7:03:19 PM

lurker <n...@nospam.org> wrote in message news:3c757506...@netnews.worldnet.att.net...

> On Thu, 21 Feb 2002 19:50:24 GMT, "Paul Pires" <dio...@got.net>
> wrote:
> [snip]
> >>
> >> lurker <n...@nospam.org>
> >>
> >> The term I used was unique not secret. It is all a matter of degree,
> >> you could carry around a dongle with you for better authentication.
> >> Most people are comfortable just relying on their browser
> >> certificates.
> >
> >I realize that. If it is unique it is either secret or non-secret.
> >(this is fairly all-inclusive) the example you gave must fit
> >in one and be accurately covered by one or more
> >questions above. Answer the question, or not.
> >>
> lurker <n...@nospam.org>
>
> Now we are talking about threat model. If I wish to take ridiculous
> steps to authenticate something I could have a spacecraft repeatedly
> transmit a unique key back to earth as it heads out of the solar
> system. The key is not secret, but it provides an objective
> authentication.

No, it does not. At least not from the description so far.


>
> Judging from your userid you are an electrical engineer and should
> clearly understand the difficulties involved in securing computer
> equipment.

Nope. Just a newbie.

>Fortunately the most sensitive classes of receivers are
> not available for commercial sale.
> [snip]
>

Put your hat on sideways, turn 90 degrees and march off.
Hint: The governor played by Charles Durning
http://www.hollywood.com/movies/detail/movie/165271

All my questions are answered.
Thank you,

Paul

