The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.”
No, it’s not true.
This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion.
Cryptography is safe, and will be for a long time
At the start of WWII, the US armed forces used various means for enciphering their confidential traffic. At the lowest level were hand ciphers. Above that were the M-94 and M-138 strip ciphers and at the top level a small number of highly advanced SIGABA cipher machines.
The Americans used the strip ciphers extensively; however, these were not only vulnerable to cryptanalysis but also difficult to use. Obviously a more modern and efficient means of enciphering was needed.
At that time Swedish inventor Boris Hagelin was trying to sell his cipher machines to foreign governments. He had already sold versions of his C-36, C-38 and B-211 cipher machines to European countries. He had also visited the United States in 1937 and 1939 in order to promote his C-36 machine and the electric C-38 with a keyboard, called BC-38, but he was not successful (1). The Hagelin C-36 had 5 pin-wheels and the lugs on the drum were fixed in place. Hagelin modified the device by adding another pin-wheel and making the lugs movable. This new machine was called the Hagelin C-38 and it was much more secure compared to its predecessor.
In 1940 he brought to the US two copies of the hand-operated C-38 and the Americans ordered 50 machines for evaluation. Once the devices were delivered, they were tested by the cryptologists of the Army’s Signal Intelligence Service, and after approval the machine was adopted by the US armed forces for their mid-level traffic. Overall, more than 140,000 M-209s were built for the US forces by the L.C. Smith and Corona Typewriters Company (2).
‘Report of interview with S/Sgt, Communications Section 79 Inf Div, 7th Army’. (dated March 1945) (51):
"The US Army code machine #209 was found to be something that hampered operations. It would take at least half hour to get a message through from the message center by use of this code machine and as a result the codes of particular importance or speed, for instance mortar messages, were sent in the clear."
Also, from the ‘Immediate report No. 126 (Combat Observations)’ - dated 6 May 1945 (52): ‘Information on the tactical situation is radioed or telephoned from the regiments to corps at hourly or more frequent intervals. Each officer observer averages about 30 messages per day.………………The M-209 converter proved too slow, cumbersome and inaccurate for transmission of those reports and was replaced by a simple prearranged message code with excellent results’.
This blog is reserved for more serious things, and ordinarily I wouldn’t spend time on questions like the above. But much as I’d like to spend my time writing about exciting topics, sometimes the world requires a bit of what Brad DeLong calls “Intellectual Garbage Pickup,” namely: correcting wrong, or mostly-wrong ideas that spread unchecked across the Internet.
This post is inspired by the recent and concerning news that Telegram’s CEO Pavel Durov has been arrested by French authorities for its failure to sufficiently moderate content. While I don’t know the details, the use of criminal charges to coerce social media companies is a pretty worrying escalation, and I hope there’s more to the story.
But this arrest is not what I want to talk about today.
What I do want to talk about is one specific detail of the reporting. Specifically: the fact that nearly every news report about the arrest refers to Telegram as an “encrypted messaging app.”
This phrasing drives me nuts because in a very limited technical sense it’s not wrong. Yet in every sense that matters, it fundamentally misrepresents what Telegram is and how it works in practice. And this misrepresentation is bad for both journalists and particularly for Telegram’s users, many of whom could be badly hurt as a result.
It’s supposed to make the title transfer a breeze and help Californians avoid those tedious trips to the DMV.
Users will soon be able to claim their digital titles via the DMV’s application and track and manage them without going to the office, according to an Avalanche blog post. The time to transfer a vehicle title drops from two weeks via the traditional process to a few minutes using blockchain rails in the backend, a DMV spokesperson said in an email.
However, given the recent spate of Microsoft outages and other hacking reports, I am a bit nervous about digitizing without serious hard copy backups. Given how expensive cars have become and how critical having one is to people’s lives and livelihoods, extreme caution should be used before proceeding.
The unintended consequences of this move could be devastating if there are significant issues with the system.
It is also disturbing to note this move is also part of Governor Gavin Newsom’s plans to have even more control over our lives, under the banner of protections.
What about people who don't have smartphones, or computers, or Internet ? What happens when there is actual fraud, how do you unwind that? Do people still get paper backup copies of titles?
Christos T. • June 27, 2024 12:44 AM
@sqall:
In 1947 the US occupation authorities retrieved the files of the German Army’s codebreaking agency, called Inspectorate 7/VI. These had been buried at the end of the war in a camp in Austria.
The list of the documents that were retrieved is available from NARA as TICOM report IF-272 Tab ‘D’:
https://catalog.archives.gov/id/2811501
On page 12 of that report, it says: ‘Technische Erlaeuterung zur maschinellen Bearbeitung von AM 1 Kompromisstextloesungen auf der Texttiefe’.
The translation of that report is TICOM DF-114 ‘GERMAN CRYPTANALYTIC DEVICE FOR SOLUTION OF M-209 TRAFFIC’ and was released by the NSA to NARA in 2011 and copied and uploaded by me to Scribd and Google drive in 2012.
You can find it at NARA: https://catalog.archives.gov/id/23889821
Christos T. • June 26, 2024 12:36 AM
The converter M-209 was the medium-level cipher system of the US military in the period 1943-45. The US Army used it at Division level (Division-Regiment-Battalion and even up to Corps); it was also widely used by the USAAF and US Navy.
The regular solution of the M-209 in the period 1943-45 was an impressive achievement for the German side and also the Japanese had some success from late 1944.
Regarding its cryptosecurity the expert on classical cipher systems George Lasry has stated:
(http://scienceblogs.de/klausis-krypto-kolumne/2018/01/21/top-50-cryptogram-solved/)
‘One comment about the security of the M-209. The claim that the Enigma is more secure than the M-209 is disputable.
1) The best modern ciphertext-only algorithm for Enigma (Ostwald and Weierud, 2017) requires no more than 30 letters. My new algorithm for M-209 requires at least 450 letters (Reeds, Morris, and Ritchie needed 1500). So the M-209 is much better protected against ciphertext-only attacks.
2) The Turing Bombe – the best known-plaintext attack against the Enigma needed no more than 15-20 known plaintext letters. The best known-plaintext attacks against the M-209 require at least 50 known plaintext letters.
3) The Unicity Distance for Enigma is about 28, it is 50 for the M-209.
4) The only aspect in which Enigma is more secure than M-209 is about messages in depth (same key). To break Enigma, you needed a few tens of messages in depth. For M-209, two messages in depth are enough. But with good key management discipline, this weakness can be addressed.
Bottom line – if no two messages are sent in depth (full, or partial depth), then the M-209 is much more secure than Enigma’.
Operation RUBICON THESAURUS
The secret purchase of Crypto AG by BND and CIA
THESAURUS (later: RUBICON) was a secret operation of the German Bundesnachrichtendienst (BND) and the US Central Intelligence Agency (CIA) to purchase the Swiss crypto manufacturer Crypto AG (Hagelin), codenamed MINERVA, in order to control the company, its algorithms and, indirectly, its customers. From 12 June 1970 onwards, Crypto AG was jointly owned by CIA and BND, each with 50% of the shares, and from 30 June 1994 exclusively by the CIA [1].
Discover how CIA and BND turned Crypto AG from a simple denial operation into an active measures operation. Learn which roles were played by the Deutsche Treuhand Gesellschaft (KPMG), a Liechtenstein law firm, Siemens, Motorola, NSA and Swedish intelligence. The following story is about — in the words of the CIA — The Intelligence Coup of the Century.
The headquarters of the former Crypto AG in Steinhausen (ZG) produced cipher machines for decades. The German foreign intelligence service BND and the US CIA secretly bought the company in 1970. They caused many states to be supplied with machines with weaker encryption that could be decrypted by the BND and CIA. The successor company Crypto International AG was most recently based there. The Swiss company was at the center of a suspected espionage affair. In the summer of 2020, the company was closed due to a federal export ban. Since then, the company premises have been abandoned, but the last traces are still visible, and in a few years the factory and administration building, built in 1966, is to be demolished; around 200 apartments are planned on the site. With my photo report in spring 2021, I documented the abandoned building and area before it disappeared.
In 2020 however, the German TV station ZDF revealed that since 1970 the company had been jointly owned by the German BND and the American CIA, and since 1994 exclusively by the CIA [28]. It means that for many years, Western intelligence services were able to manipulate the algorithms of Crypto AG's products and read the communications of many of its customers. Although the company also sold unreadable equipment, the list of countries that had access to such secure technology became shorter every year. According to the NSA, all encryption should be readable.
➤ For further details on this topic, please refer to our follow-up story Operation RUBICON.
- In this context, readable means that the cryptographic algorithms could be broken by the NSA. Also known as friendly. In contrast: algorithms that are not breakable by NSA, are called unfriendly or unreadable.
SIGABA was an electromechanical rotor-based cipher machine developed in the late 1930s in the United States (US) as a joint effort of the US Army and US Navy [1]. At the time it was considered a superior cipher machine, intended to keep high-level communications absolutely secure. It was used throughout WWII and was so reliable that it was used well into the 1950s, after which it was replaced by newer machines like AFSAM-7 (KL-7). As far as we know, SIGABA was never broken.
The Turing-Welchman Bombe was an electro-mechanical device used at Bletchley Park and its outstations during World War II to assist in breaking the Enigma cipher used by the German military.
Based on ideas from a device known as a bomba, designed in Poland by Marian Rejewski as early as 1939, the Turing-Welchman Bombe enabled Bletchley Park to find the daily keys of the Enigma machine on a regular basis throughout most of the war.
The British Bombe was designed by Alan Turing with important additions by Gordon Welchman. They were built by the British Tabulating Machine Company in Letchworth, Hertfordshire.
Virtual Bombe is a 3d Turing-Welchman Bombe simulation which can run using just your browser. No install is necessary.
Enigma is the brand name of a series of cipher machines developed in Germany between 1923 and 1945.
A number of these machines were used during World War 2 by the German Army, Navy and Air Force; this website has simulations for both the three-rotor Enigma I used by the Heer (Army) and Luftwaffe (Air Force) and the four-rotor Enigma M4 used by the Kriegsmarine (German Navy).
The Enigma code was cracked and read initially by the Poles in 1932 with Bletchley Park continuing and expanding on this work where they regularly read the German encrypted messages throughout the war.
Virtual Enigma is a 3d Enigma simulation which can run using just your browser. No install is necessary. It was released on Alan Turing's 109th Birthday 23rd June 2021
Virtual Hagelin M-209
A 3D simulation of the Hagelin M-209 cipher machine
In cryptography, the M-209, designated CSP-1500 by the Navy (C-48 by the manufacturer) is a portable, mechanical cipher machine used by the US military primarily in World War II, though it remained in active use through the Korean War.
The M-209 was designed by Swedish cryptographer Boris Hagelin and manufactured by Smith & Corona in Syracuse (New York, USA). It was based on the C-38 which itself was an improvement of an earlier machine, the C-36.
This software is an accurate simulation of the M-209 Cipher Machine, used by the US Military during World War 2. The M-209, the American licensed version of the Hagelin C-38, was a portable hand-operated cipher machine for tactical messages. It was the size of a lunchbox and presented a brilliant mechanical design, developed by the Swedish cryptographer Boris Hagelin.
This simulator, fully compatible with the original cipher machine, enables realistic operation with rotating wheels, setting of wheel pins and drum lugs, combined with authentic graphics. The program comes with a very complete helpfile, containing the manual, the enciphering procedures from the US military and all technical details on the machine.
M-209 was a light-weight portable pin-and-lug cipher machine, developed at the beginning of World War II by Boris Hagelin of AB Cryptoteknik in Stockholm (Sweden), and manufactured by Smith & Corona in Syracuse (New York, USA). The machine is designated CSP-1500 by the US Navy and is the US military variant of the C-38, which in turn is an improved version of the C-36 and C-37. A compatible motorised version, with keyboard, is known as BC-38 (later: BC-543). During WWII, the M-209 was known to German cryptanalysts as AM-1 (American Machine #1).
The cryptographic strength of the machine was reasonable for its time, but was not perfect. As of early 1943, it was assumed that German codebreakers were able to break an M-209 message in less than 4 hours. Nevertheless, it was considered sufficiently secure for tactical messages which, due to their nature, would be meaningless after several hours. This is why the M-209 was later also used in the Korean War. The M-209 was succeeded in 1952 by the C-52 and CX-52.
According to them, the effort to break it was impractically high.
It proved however, that American cryptologist William Friedman, had been right all along. He liked the Hagelin machines and had found them to be theoretically unbreakable, but knew that they could be setup in such a way that they became weak and vulnerable to cryptanalytic attacks [8]. British and American codebreakers were able to read the Hagelins from both enemies and allies.
After the war it became clear that the Germans were able to read 10% of the American Hagelin traffic: 6% from cryptanalysis, and 4% from captured keys. But due to the amount of work involved in breaking, the delay between intercept and decrypt was usually 7 to 10 days; too long to be useful against tactical messages like the ones sent by the US Army. Apparently, the Japanese also understood many of the principles of Hagelin exploitation, but hardly broke any Hagelin traffic [8].
For high-level messages, the Americans used a rotor machine — SIGABA — which was similar to Enigma, but much much more advanced. As far as we know, SIGABA was never compromised.
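The pin-and-lug construction described above and the "messages in depth" weakness from George Lasry's comment earlier on this page, as an added example written for this page (Python; it is not code from Crypto Museum, from the Virtual Hagelin simulator, or from any other linked site). The six wheel sizes, the 27-bar drum, the lug positions 0..6 and the Beaufort substitution are the machine's documented design; the pin read-offsets and the Z-for-space convention are assumptions of this simulation, and the key settings are constructed with a seeded generator, not a historical key list.

```python
"""Minimal M-209 / Hagelin C-38 keystream simulation plus the depth weakness.

Added example for this page; not code from any linked site or simulator.
"""
import random
import string

ALPHABET = string.ascii_uppercase
WHEEL_SIZES = (26, 25, 23, 21, 19, 17)   # pins per key wheel; pairwise coprime periods
BAR_COUNT = 27                           # lug bars on the drum ("cage")
# Offset from the letter shown in the window to the pin actually being read.
# Values commonly cited for the real machine; treated here as an assumption.
# The keystream construction below does not depend on them.
READ_OFFSETS = (15, 14, 13, 12, 11, 10)


class M209:
    """pins: six strings of '1'/'0' (effective / ineffective pin per wheel position).
    lugs: 27 pairs, each lug at 0 (neutral) or 1..6 (opposite that wheel)."""

    def __init__(self, pins, lugs, start=(0,) * 6):
        if [len(p) for p in pins] != list(WHEEL_SIZES):
            raise ValueError("need one pin string per wheel, of that wheel's size")
        if len(lugs) != BAR_COUNT or any(not (0 <= a <= 6 and 0 <= b <= 6) for a, b in lugs):
            raise ValueError("need 27 lug pairs with positions in 0..6")
        self.pins = [tuple(ch == "1" for ch in p) for p in pins]
        self.lugs = list(lugs)
        self.pos = list(start)

    def active_wheels(self):
        """Which of the six wheels presents an effective pin at the current step."""
        return [self.pins[i][(self.pos[i] + READ_OFFSETS[i]) % WHEEL_SIZES[i]]
                for i in range(6)]

    def key_value(self):
        """Number of displaced bars (0..27). A bar counts once, however many
        of its lugs face an active wheel."""
        active = self.active_wheels()
        return sum(1 for a, b in self.lugs
                   if (a and active[a - 1]) or (b and active[b - 1]))

    def step(self):
        """Every wheel advances one position per letter, so the keystream
        repeats only after lcm(26,25,23,21,19,17) = 101,405,850 letters."""
        self.pos = [(p + 1) % n for p, n in zip(self.pos, WHEEL_SIZES)]

    def keystream(self, n):
        out = []
        for _ in range(n):
            out.append(self.key_value())
            self.step()
        return out

    def encipher(self, text):
        """Beaufort substitution: c = (K - p - 1) mod 26 with A=0, so key 0 maps
        A to Z. The map is an involution, so deciphering is the same operation."""
        if any(ch not in ALPHABET for ch in text):
            raise ValueError("uppercase A-Z only (the real machine uses Z for space)")
        ks = self.keystream(len(text))
        return "".join(ALPHABET[(k - ALPHABET.index(ch) - 1) % 26]
                       for k, ch in zip(ks, text))

    decipher = encipher


def recover_from_depth(c1, c2, known_p1):
    """Two messages enciphered from the same key and indicator: the keystream
    cancels, c1 - c2 = p2 - p1 (mod 26), so a crib for one message reads the other."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)
                             + ALPHABET.index(p)) % 26]
                   for x, y, p in zip(c1, c2, known_p1))


def example_key(seed=1):
    """Constructed pin and lug settings (not a historical key list)."""
    rng = random.Random(seed)
    pins = ["".join(rng.choice("01") for _ in range(n)) for n in WHEEL_SIZES]
    lugs = [(rng.randint(0, 6), rng.randint(0, 6)) for _ in range(BAR_COUNT)]
    return pins, lugs


def demo():
    pins, lugs = example_key()
    p1, p2 = "ATTACKATDAWNSTOP", "HOLDPOSITIONSTOP"
    c1 = M209(pins, lugs).encipher(p1)       # same key, same start position:
    c2 = M209(pins, lugs).encipher(p2)       # the two messages are in depth
    return c1, c2, recover_from_depth(c1, c2, p1)


if __name__ == "__main__":
    c1, c2, p2 = demo()
    print(c1, c2, p2)
```

The whole point of Lasry's remark falls out of `recover_from_depth`: the 27-bar keystream is strong against ciphertext-only work, but it is an additive key, so a second message started from the same indicator hands the analyst the difference of the two plaintexts with no knowledge of pins or lugs at all.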
Cold War
Immediately after WWII, in 1947, the NSA's predecessor agencies started the development of a cryptanalytic machine named WARLOCK I — also known as AFSAF-D79 and CXNK — that was able to solve the Hagelin C-38/M-209 much faster than with hand methods. The machine became operational in 1951 and was used to read the traffic from many countries that were using M-209 or C-38 machines. The US had 'accidentally' released large batches of M-209 machines on the surplus market for as little as US$ 15 and even US$ 2 [8]. Many of these were purchased by South American countries.
What price common sense? • June 11, 2024 7:30 AM
@Levi B.
“Those who are not familiar with the term “bit-squatting” should look that up”
Are you sure you want to go down that rabbit hole?
It’s an instance of a general class of problems that are never going to go away.
And why in
“Web servers would usually have error-correcting (ECC) memory, in which case they’re unlikely to create such links themselves.”
The key word is “unlikely” or more formally “low probability”.
Because it’s down to the fundamentals of the universe and the failings of logic and reason as we formally use them. Which in turn has been why since at least as early as the ancient Greeks through to the 20th Century, some of those thinking about it in its various guises have gone mad and some committed suicide.
To understand why you need to understand why things like “Error Correcting Codes” (ECC) will never be 100% effective and deterministic encryption systems especially stream ciphers will always be vulnerable.
No matter what you do all error checking systems have both false positive and false negative results. All you can do is tailor the system to that of the more probable errors.
But there are other underlying issues, bit flips happen in memory by deterministic processes that apparently happen by chance. Back in the early 1970’s when putting computers into space became a reality it was known that computers were affected by radiation. Initially it was assumed it had to be of sufficient energy to be ‘ionizing’ but later any EM radiation such as the antenna of a hand held two way radio would do with low energy CMOS chips.
This was due to metastability. In practice the logic gates we use are very high gain analog amplifiers that are designed to “crash into the rails”. Some logic such as ECL was actually kept linear to get speed advantages but these days it’s all a bit murky.
The point is as the level at a simple logic gate input changes it goes through a transition region where the relationship between the gate input and output is indeterminate. Thus an inverter in effect might or might not invert or even oscillate with the input in the transition zone.
I won’t go into the reasons behind it but it’s down to two basic issues. Firstly the universe is full of noise, secondly it’s full of quantum effects. The two can be difficult to differentiate in even very long term measurements and engineers tend to try to lump it all under a first approximation of a Gaussian distribution as “Additive White Gaussian Noise” (AWGN) that has nice properties such as averaging predictably to zero with time and “the root of the mean squared”. However the universe tends not to play that way when you get up close, so instead “Phase Noise in a measurement window” is often used with Allan Deviation.
There are things we can not know because they are unpredictable or beyond our ability to measure.
But also beyond a deterministic system to calculate.
Computers only know “natural numbers” or “unsigned integers” within a finite range. Everything else is approximated or as others would say “faked”. Between every natural number there are other numbers some can be found as ratios of natural numbers and others can not. What drove philosophers and mathematicians mad was the realisation of the likes of “root two”, pi and that there was an infinity of such numbers we could never know. Another issue was the spaces caused by integer multiplication the smaller all the integers the smaller the spaces between the multiples. Eventually it was realised that there was an advantage to this in that it scaled. The result in computers is floating point numbers. They work well for many things but not with addition and subtraction of small values with large values.
As has been mentioned LLM’s are in reality no different from “Digital Signal Processing”(DSP) systems in their fundamental algorithms. One of which is “Multiply and ADd”(MAD) using integers. These have issues in that values disappear or can not be calculated. With continuous signals they can be integrated in with little distortion. In LLM’s they can cause errors that are part of what has been called “Hallucinations”. That is where something with meaning to a human such as the name of a Pokemon trading card character “Solidgoldmagikarp” gets mapped to an entirely unrelated word “distribute”, thus mayhem resulted on GPT-3.5 and much hilarity once widely known.
Session is an end-to-end encrypted messenger that minimises sensitive metadata, designed and built for people who want absolute privacy and freedom from any form of surveillance.
Md5Checker is a free, fast, lightweight and easy-to-use tool to manage, calculate and verify MD5 checksums of multiple files/folders:
- Calculate and display MD5 checksum of multiple files at one time.
- Use MD5 checksums to quickly verify whether files have been changed (this catches accidental corruption; MD5 collisions are cheap to produce, so it is not a defence against deliberate tampering).
- Load, save, add, remove and update MD5 checksum conveniently.
- It is about 300 KB and does not require any installation (portable).
mustached-dog
Interestingly enough, "Jia Tan" is very close to 加蛋 in Mandarin, meaning "to add an egg". Unlikely to be a real name or a coincidence.
choco bo
Performance hit is quite substantial, actually. I have no doubt that this thing would have been detected, eventually. However, it might have happened months from now. Then it would have been everywhere already.
But this is a good thing. A very good thing, actually.
There have been discussions about supply chain attacks, for years. Decades, actually. We used to call it "poisoning the well" many years ago. But no matter how much we talk about it, it was all theoretical. I mean, people even assumed that compilers have been backdoored many years ago. But no one was going to spend this much effort just to show that it was possible and to make people accept the possibility. So not much was really done about it.
Until now.
Now we are already seeing changes being made to OpenSSH that would not have been possible a few months ago. Native systemd notification integration is already being developed (since 30th of March), so there is no need for libsystemd linking anymore. It will take some time to get integrated but it will happen. We are seeing people understanding that there is absolutely no need to have binary blobs in source repositories (except rare cases, of course, but those are going to be audited even more now). Checking source repositories against tarballs has been done before, many times. But obviously it wasn't good enough or often enough. That will change as well. People being dicks to maintainers are going to get greeted with "go fuck yourself" now, without a second thought. It will be extreme but it will be safer. For eternity I was terrified of compiling software myself because every time I invoked "./configure ..." I would think "fuck knows what is going on there right now". I did occasionally check scripts, I would grep for unexpected things but I was aware I'd never detect a very skilled attacker, like this one. Now there is going to be much more checking of autoconf/make/CMake/etc files in source repos. It won't be easy to detect things, but it will be easier. More eyes will be put on sources. For example, I am going to pick a random smaller project and just read the commit history, look for oddities, etc. Not because I expect to find something but I want to see what else should be looked at, etc. Eventually, I might end up with a toolset that might help speed this process up. So there will be at least one more set of eyes looking at sources. I imagine that companies/organizations with more resources are going to put tons of effort into automating all this. So yeah, the xz backdoor is actually a good thing, in a very bizarre way.
Also, I can't hunt all the references at the moment but I believe it was the certificate (not the SSH key) that is used as a vector of attack, because certs are checked early and no configuration options will disable that check, while it wouldn't be the case with keys. A change to OpenSSH has already been suggested so OpenSSH will only get more secure because of this and one less vector of attack is now available.
The amount of skill and time/effort invested in this is mind blowing. I don't think people outside security really comprehend the skill/time involved here, this was an insanely well-executed attack. My first thought was "This had to be TURLA" because it was insanely smart and whoever did this had lots of patience. This does not (and will not) happen often.
So yeah, we were incredibly lucky that a Postgres developer caught it early.
However, it is mind blowing how many times security incidents have been detected by looking at CPU/RAM usage on systems, it is really no surprise that this is how xz backdoor got detected.
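The "checking source repositories against tarballs" and "no binary blobs in source repositories" points from the comment above, as an added example written for this page (Python; not code from the original page, from the xz project, or from any distribution's tooling). The repository tree and the tarball are constructed in memory so the block runs offline; in practice the tree comes from `git archive <tag>` and the tarball from the project's download site. The file names in the sample are made up and do not describe the real xz release.

```python
"""Diff a release tarball against the files tracked at the release tag, and
flag binary content.

Added example for this page; not code from any project or distribution.
"""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_binary(data: bytes) -> bool:
    """A NUL byte in the first 8 KiB is a cheap, reliable sign of non-text content."""
    return b"\x00" in data[:8192]


def compare_tarball_to_tree(tar_bytes: bytes, repo_tree: dict, prefix: str = "",
                            generated_ok=()):
    """Return sorted (finding, path) pairs.

    repo_tree    {path: bytes} for every file tracked at the tag.
    prefix       top-level directory inside the tarball (assumed: exactly one).
    generated_ok paths expected only in the tarball (autotools output). They are
                 still reported, so a reviewer diffs them against a fresh
                 regeneration instead of trusting them.
    """
    findings = []
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name[len(prefix):] if member.name.startswith(prefix) else member.name
            data = tar.extractfile(member).read()
            seen.add(path)
            if path in repo_tree:
                if sha256(data) != sha256(repo_tree[path]):
                    findings.append(("MODIFIED", path))
            elif path in generated_ok:
                findings.append(("GENERATED", path))
            else:
                findings.append(("TARBALL_ONLY", path))
            if looks_binary(data):
                findings.append(("BINARY", path))
    for path in repo_tree.keys() - seen:
        findings.append(("MISSING_FROM_TARBALL", path))
    return sorted(findings)


def build_tarball(files: dict, prefix: str) -> bytes:
    """Helper that constructs a .tar.gz in memory for the sample below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the m4 macro in the tarball carries a line the repository
# never saw, `configure` exists only in the tarball, and one test vector is binary.
REPO_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/build.m4": b"dnl clean macro\n",
    "tests/files/sample.bin": b"\x00\x01\x02 binary test vector",
}
TARBALL = build_tarball({
    "configure.ac": REPO_TREE["configure.ac"],
    "m4/build.m4": b"dnl clean macro\ndnl extra line that is only in the tarball\n",
    "tests/files/sample.bin": REPO_TREE["tests/files/sample.bin"],
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
}, prefix="demo-1.0/")


def demo():
    return compare_tarball_to_tree(TARBALL, REPO_TREE, prefix="demo-1.0/",
                                   generated_ok={"configure"})


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:22} {path}")
```

The useful output is the `MODIFIED` and `TARBALL_ONLY` lines: a tracked file whose tarball copy differs from the tag, or a file that exists only in the download, is exactly what a reviewer reading the repository alone would never see. `BINARY` findings are the blobs the comment argues should not be in a source tree at all, and each needs a stated reason for existing.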
Clive Robinson • March 28, 2024 6:04 AM
@ OldGuy, ALL,
Re : Chain of history
How we get from your,
“Then boss forgot his password, didn’t want to pay to get it unlocked, and turned me loose on it. Turned out their security consisted of XOR’ing every byte written to disk with the same hardcoded 8-bit value.”
To,
https://www.cnet.com/news/privacy/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/
And how history is being rewritten by AI agents etc.
Your comment brings back a memory from nearly a quarter of a century ago. With ElcomSoft’s Dmitry Sklyarov being arrested and as it later turned out illegally detained and coerced by the FBI on behalf of Adobe Systems and their P155 P00r security in their e-book reader that used what sounds like exactly the same encryption system,
“Dmitry Sklyarov the 27 year old Russian programmer at the center of this case was released from U. S. custody and allowed to return to his home in Russia on December 13 2001”
https://www.eff.org/cases/us-v-elcomsoft-sklyarov
Interestingly, searching around shows that slowly bit by bit write ups on,
1, What Dmitry had presented at Defcon-9 about the truly bad state of e-book software.
2, The fact he was arrested on behest of Adobe for embarrassing them publicly about the very poor security in their e-book system
3, The fact it was even Adobe Systems or their product
4, The unlawful behaviour of US authorities
5, The names of FBI and DoJ people involved
6, The fact Dmitry was a PhD researcher.
7, A jury found both Dmitry and Elcomsoft entirely innocent on all charges brought against them.
Is getting “deleted from history” or made difficult to find, via the likes of DuckDuckGo and Microsoft AI based Search engines…
The case was quite famous at the time as it showed the FBI was not just “over reaching” but actively trying to crush legitimate academic research. With even the usually non political and non feather ruffling “Nature” making comment,
https://www.nature.com/articles/35086729
And how speaking “truth unto power” can have consequences,
https://www.linux.com/news/sklyarovs-defcon-presentation-online-supporters-reputation-bonfire/
Much of which is what got repeated by the Massachusetts Government against the three students and the RfID “Charlie Card”.
Clive Robinson • March 28, 2024 6:41 AM
@ OldGuy, ALL,
I forgot to add the all important,
https://en.citizendium.org/wiki/Snake_oil_(cryptography)
Which tells you,
‘One company advertised “the only software in the universe that makes your information virtually 100% burglarproof!”; their actual encryption, according to Sklyarov, was “XOR-ing each byte with every byte of the string “encrypted”, which is the same as XOR with constant byte”. Another used Rot 13 encryption, another used the same fixed key for all documents, and another stored everything needed to calculate the key in the document header.’
You can see why your comment triggered my ancient memory 😉
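The scheme in the snake-oil quote above ("XOR-ing each byte with every byte of the string 'encrypted', which is the same as XOR with constant byte") and the constant-byte XOR from OldGuy's earlier comment, as an added example written for this page: first the reduction of the chained XOR to a single byte, then a ciphertext-only recovery of that byte by scoring all 256 candidates. This is not code from the original page, from Sklyarov's talk or from any product named; the plaintext is a constructed sample and the scoring function is a deliberately crude one of this example's own.

```python
"""XOR with every byte of a key string is XOR with one constant, and that
constant falls to a 256-trial ciphertext-only attack.

Added example for this page; not code from the original page or any product.
"""
from functools import reduce


def xor_with_each_byte(data: bytes, key: bytes = b"encrypted") -> bytes:
    """The scheme as described: XOR the whole buffer with each key byte in turn."""
    out = bytes(data)
    for k in key:
        out = bytes(b ^ k for b in out)
    return out


def equivalent_constant(key: bytes) -> int:
    """XOR is associative and commutative, so the chain collapses to one byte."""
    return reduce(lambda acc, k: acc ^ k, key, 0)


def xor_constant(data: bytes, k: int) -> bytes:
    return bytes(b ^ k for b in data)


def english_score(buf: bytes) -> int:
    """Crude plaintext likelihood: reward lowercase letters and spaces,
    tolerate other printable ASCII, punish control and high bytes."""
    score = 0
    for b in buf:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif 0x20 <= b <= 0x7E:
            score += 1
        else:
            score -= 10
    return score


def recover_key_byte(ciphertext: bytes) -> int:
    """Ciphertext-only attack: try all 256 keys, keep the most English-looking result."""
    return max(range(256), key=lambda k: english_score(xor_constant(ciphertext, k)))


# Constructed sample plaintext (not from the page).
SAMPLE = (b"the only software in the universe that makes your information "
          b"virtually one hundred percent burglarproof, or so the box says")


def demo():
    """Encrypt the sample as the product did, then recover key and plaintext
    from the ciphertext alone."""
    ct = xor_with_each_byte(SAMPLE)
    k = recover_key_byte(ct)
    return k, xor_constant(ct, k)


if __name__ == "__main__":
    k, pt = demo()
    print(hex(k), pt.decode())
```

Any scheme in which the key does not depend on the position in the data is a monoalphabetic substitution in disguise, which is why a few dozen bytes of ordinary text are enough to strip it; the "encrypted" string here reduces to the single byte 0x66.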