NSA Backdoors in Crypto AG Ciphering Machines

This story made the rounds in European newspapers about ten years ago -- mostly stories in German, if I remember -- but it wasn't covered much here in the U.S.

For half a century, Crypto AG, a Swiss company located in Zug, has sold to more than 100 countries the encryption machines their officials rely upon to exchange their most sensitive economic, diplomatic and military messages. Crypto AG was founded in 1952 by the legendary (Russian-born) Swedish cryptographer Boris Hagelin. During World War II, Hagelin sold 140,000 of his machines to the US Army.

"In the meantime, the Crypto AG has built up long standing cooperative relations with customers in 130 countries," states a prospectus of the company. The home page of the company Web site says, "Crypto AG is the preferred top-security partner for civilian and military authorities worldwide. Security is our business and will always remain our business."

And for all those years, US eavesdroppers could read these messages without the least difficulty. A decade after the end of WWII, the NSA, also known as No Such Agency, had rigged the Crypto AG machines in various ways according to the targeted countries. It is probably no exaggeration to state that this 20th century version of the "Trojan horse" is quite likely the greatest sting in modern history.

We don't know the truth here, but the article lays out the evidence pretty well.

See this essay of mine on how the NSA might have been able to read Iranian encrypted traffic.

Posted on January 11, 2008 at 6:51 AM • 35 Comments

Comments

erlehmann • January 11, 2008 7:18 AM

really sensitive information and they were not paranoid enough to demand open implementations ‽

Anonymous • January 11, 2008 7:43 AM

@Ben:

"I'm not sure I would pay much attention to anything on inteldaily.com [...]"

That may be so, but the allegations from a decade ago are nonetheless reported accurately. Feel free to believe what you wish, but in my opinion, you have to be a complete numb-skull to look away from the strange number of coincidences around this business.

Paul Crowley • January 11, 2008 7:57 AM

Now that Iranians are taking part in the open crypto community, can we expect some smart hacker to take apart one of these devices, reverse engineer the algorithm, and find the back door?

Ben • January 11, 2008 8:10 AM

Dear Anonymous,

Sorry about that, I shall pay more attention to accurately reported allegations and coincidences in future, and less to the facts.

Cheers

Ben

kamper • January 11, 2008 8:17 AM

"the article lays out the evidence pretty well"??

There was an incredible amount of information in that article with no references whatsoever. Regardless of whether or not it's true, to me that's a sign that the author was more interested in a juicy story than summarizing facts.

Nico • January 11, 2008 8:54 AM

I don't know how reliable Inteldaily/Ohmynews is, but many of those facts seem to come from the 1996 story in German magazine Der Spiegel ( http://en.wikipedia.org/wiki/Der_Spiegel ), which has a very good reputation for fact-checking. ('"Wer ist der befugte Vierte?"', in Der Spiegel 36/1996, pp. 206-207.)

There is a copy of that article online here: http://jya.com/cryptoag.htm . I have access to the original Spiegel article and just compared the online text briefly, it seems to be an accurate copy.

That site also has an unofficial English translation, which is a bit clumsy but conveys the facts correctly as far as I can see:
http://jya.com/cryptoa2.htm

Anonymous #2 • January 11, 2008 8:58 AM

Many of these allegations were published about a decade ago. I don't know whether they are true or not, but that doesn't really matter. The story is plausible. For those not personally involved, the lessons that can be learned from it are the same whether the story is true or not, much like Aesop's fables.

sooth_sayer • January 11, 2008 9:11 AM

If a dumb bureaucrat thinks all he has to do is pluck down a few thousand dollars to "quietly" plan/coordinate assassinations, they got what they deserved for staying ignorant. Iran was one of the "victims" .. they started suspecting the machines when their complicities in some murders became known.

If you are so paranoid .. let your kids understand science, and create your own NSA.

If I am not wrong this is the 2nd time in the past 2 months Bruce has picked on a 10-year-old story .. pray tell what's new.

anon1234 • January 11, 2008 9:33 AM

I've seen this before, probably in Bamford's "Puzzle Palace" or one of David Kahn's later books.

Carlo Graziani • January 11, 2008 10:00 AM

The story may or may not be true, but that article is very long on hearsay, while scoring near zero on actual technical evidence. There are also some plausibility holes, and conflation of at least two separate alleged conspiratorial actions.

In the first place, the original Hagelin machines (which were sold up to some time in the '70's, apparently) were, so far as I am aware, mechanical rotor machines, of the same family heritage as the Enigma. At the time, the WWII Enigma break was a closely-held secret, so their security was rated more highly than they really deserved. It's likely that NSA and GHQ had efficient attacks on those machines that didn't require any kind of back-door type of collaboration from Hagelin Sr. -- by the mid-fifties, they'd had over a decade of industrial-scale experience in attacking such machines, and a decade of actual digital computing, so presumably they could accomplish considerably more than they had against the Germans (also presumably they were attacking a much lower volume of traffic).

Given this, I would say that documentation of meetings between Hagelin Sr. and Friedman proves nothing. They are just a way of providing some conspiratorial atmospherics to the article, to serve in lieu of evidence.

The more specific "back door" allegations appear to be made against the electronic devices of '70s vintage. Here the evidence is very circumstantial -- settled court case, Iranian suspicions, disgruntled ex-employees. The funny thing is, it shouldn't be necessary to rely on this crap level of evidence to determine whether these machines are secure. If these allegations have been around for a decade, in the era of flourishing public cryptographic expertise, you'd think that some academic cryptographer of the full disclosure school would have grabbed one of these machines and analyzed it. In which case, we would just know. This happens all the time, viz. the Dual_EC_DRBG back door fiasco.

So, maybe there's smoke, but I can't say that the inteldaily.com people have credibly located a fire. Judging by the breathless tone of their reporting, they seem to think that smoke is a fire.

anonymous-8:58am • January 11, 2008 10:01 AM

@anon1234 - possibly Bamford's "Body of Secrets", "Puzzle Palace" is about a decade too old.

@Ben - do you have enough references now?


The UK supposedly sold Enigma variants to foreign powers after the war. Same idea. As I recall the CRYPTO AG stuff was seen as newer and better. I also bet the Enigma market dried up after (if not before) "The Ultra Secret" in '74.

References anyone?
Timeline anyone?

Pure speculation on my part but, could it be possible that the switch was engineered?

anonymous-8:58am • January 11, 2008 10:24 AM

@Carlo

Has there been new news confirming Dual_EC_DRBG (I read Bruce's blog on it - and will avoid it)?

Although I'd like to think it were true, I'm not aware of many researchers going after obsolete crypto hardware. Or even if there are many of these machines available for analysis?

There are simulators available like at http://frode.home.cern.ch/frode/crypto/ but I don't know if anyone's analyzed them for this. Or even if the problem was in the algorithm?

@Bruce - hey - this is a re-tread
http://www.schneier.com/crypto-gram-0406.html#1

RF • January 11, 2008 10:26 AM

@ the commenters asking why someone in the academic world hasn't found the backdoor: presumably it takes money and elbow grease to reverse-engineer electronic crypto machines. And the "backdoor" may simply be that the cipher is very weak (like GSM A5/1), so there might not be a smoking gun for NSA involvement even if it were reverse-engineered.

Can't say much more because I haven't read all these sources; I don't know if the devices were backdoored either. It could even be that Crypto AG was merely incompetent rather than complicit, or that the Iranians' problem was somewhere other than their crypto machines.

no real health care in third world america • January 11, 2008 11:26 AM

we're just a jar of ants to the government, wake up sheep! nothing but a google earth like sim ant game for big brother. sing along with good old judas priest:

"Up here in space
I'm looking down on you.
My lasers trace
Everything you do.
You think you've private lives
Think nothing of the kind.
There is no true escape

I'm watching all the time.
I'm made of metal
My circuits gleam.
I am perpetual
I keep the country clean.

I'm elected electric spy
I protected electric eye.
Always in focus
You can't feel my stare.
I zoom into you
You don't know I'm there.
I take a pride in probing all your secret moves My tearless retina takes pictures that can prove.

Electric eye, in the sky
Feel my stare, always there's
nothing you can do about it.
Develop and expose
I feed upon your every thought
And so my power grows.
Protected. Detective. Electric eye."

look outside and wave, smile at the sky and spell out NSA in the sand at your favorite beach.

Alan • January 11, 2008 12:11 PM

@RF

You are assuming that someone in academia has access to the equipment and can afford it. It is my understanding that these machines are only sold to governments and other high profile clients. They are not something sold in the Best Buy down the street, nor does Consumer Reports publish reviews on them.

darkuncle • January 11, 2008 12:15 PM

@erlehmann: in 1952, the phrase "open implementations" would have made no sense whatsoever - Crypto AG started selling these devices to gov't 30 years before the open source meme started to receive any kind of widespread recognition as such.

(now if you meant to say, "why were they not paranoid enough to demand open implementations" _today_, then yeah, I'd totally agree with you. In 1952, ignorance of such would have been understandable; not so much so in 2008.)

anonymous-8:58am • January 11, 2008 12:29 PM

@RF & Carlo the articles say that Crypto AG rigged some existing models of machines. If that's the case a researcher would need to get their hands on one of the tampered machines. Having a simulator or an untampered machine would not help.

I would expect that the machines were destroyed or locked away. I can't see Iran selling them on the open market where their other enemies might be able to obtain and study them (just in case they were sitting on old ciphertext).

@anon1234 - you were right - it seems there was a veiled reference to an NSA Crypto AG arrangement in the Puzzle Palace

Xoebe • January 11, 2008 1:05 PM

There are a lot of things *unsaid* in this story. You can probably safely figure that it's mostly true. However, consider the following:

- Crypto AG *fires* their salesman and *bills* him for the ransom money they paid? Really? Even Kafka wouldn't have gone that far. There is more to this story.

- Reagan's "slip" is nowhere near definitive enough to cast doubt on any particular process, nor was it likely a "slip" anyway. Reagan was no idiot, and everything he and his staff was vetted 9 different ways before it was presented. And of course there is the obvious - that he was lying, and there was no "definitive" evidence at all, and this was another red herring. Besides, "irrefutable" evidence suggests it was corroborated, and that means more than one source of information.

- Security and intel types meet regularly with their vendors and clients. None of those meetings mean a thing, unless we could see a real transcript of what actually happened.

- Doubtless the U.S intel would have *asked* for backdoors. Whether or not they were provided is unknown, and subject to informed speculation.

- It is probably not likely that any of this would have come to light at all if the powers that be didn't want it to come to light. For example - and here I speculate - why fire Buehler? Why not just kill him? Perhaps the whole disgruntled employee thing was a ruse, and the lawsuit was an excuse to deliver misinformation.

- There are likely numerous intelligence holes on both sides of the Iranian-American thing. There was significant American-Iranian intel and security cooperation going back decades. Those personal relationships didn't just evaporate, plus the overthrow of the Shah in 1979 certainly wasn't something that made everybody in the Iranian intel community very happy. There are plenty of opportunities for American intelligence to get access to Iranian data.

Essentially, we in the public find these things out long after they are no longer important. It's unlikely that any of this means anything of immediate importance. It is, however, a fascinating and interesting story. It is also a cautionary tale in terms of security.

Know your vendor. Trust nobody.

Anonymous • January 11, 2008 2:04 PM

Gee, can you imagine the uproar if some other country tried something like that, especially with a product the US used?

RF • January 11, 2008 2:38 PM

@Alan -- right. So it would prob'ly be even harder for a public reverse engineering to happen than I originally suggested.

RF • January 11, 2008 2:45 PM

@Alan -- I do kind of want to see Consumer Reports reviews for crypto machines, though. :)

(Disclaimer: I'm joking.)

Niyaz PK • January 12, 2008 9:49 AM

I heard this news some months back. But I thought Bruce would have covered the news.
But I think I read it from some other source, and as Bruce pointed out, the news was pretty convincing.
Who knows if they have back doors in AES, SHA .....

Roger • January 13, 2008 6:27 AM

This topic has been discussed in crypto circles for quite some time, and majority opinion seems to be that if the Crypto AG equipment really did have a backdoor, then it was most likely an algorithm with a known weakness. The theory given in this article -- namely, that the hardware was rigged to secretly transmit an obscured copy of the key along with the ciphertext -- is rather improbable. There are a number of reasons for believing this but the simplest is that for about the first 25 years for which they were supposedly doing this, their cipher machines were constructed from relays and rotors which could be, and usually were, regularly dismantled and serviced by their customers' code clerks. Before ultra-miniaturisation, any such hardware gimmick would almost certainly have been found within weeks.

Another issue is that all of these machines were stream ciphers, so there was a 1:1 correspondence in the characters in the plaintext and ciphertext. In the old days, and even to some degree for a while after Crypto AG introduced VLSI electronic systems, it was very common to include counts of characters as an error check. A mismatch in PT and CT sizes would immediately ring alarm bells. As such, there simply was no room to hide a key in the ciphertext.

Bruce Schneier • January 13, 2008 8:45 AM

"This topic has been discussed in crypto circles for quite some time, and majority opinion seems to be that if the Crypto AG equipment really did have a backdoor, then it was most likely an algorithm with a known weakness."

This is my guess, too. The NSA's success with rotor machines was a closely guarded secret, because crypto manufacturers continued to sell these machines to many countries around the world.

Bruce Schneier • January 13, 2008 8:51 AM

"I heard this news some months back. But I thought Bruce would have covered the news."

I was surprised, too. I wrote about it in passing ten years ago -- before I started the blog -- but that was it.

Frode Weierud • January 14, 2008 3:24 AM

This is indeed an old story. It probably carries some truth but which of course never has been proved.

However, one thing I always found curious is that the Swiss banks, the Swiss army and other Swiss government organizations always seemed to use equipment from the Swiss firms Gretag and Brown Boveri (BBC) and never from Crypto AG.

I once asked a Crypto AG employee about this and the answer I got was: "Well, we have shared the market. They supply the domestic market and we do the exports." I always found this a curious form of competition.

Clive Robinson • January 16, 2008 8:33 AM

One of the things that is seldom mentioned about Boris Hagelin's early days.

Boris's original cipher machine was based on a coin counting mechanism (not rotors like the Enigma). The mechanism produced a key stream that was added mod to the plain text (the mod was achieved simply by rotating the print head round in a similar way to a clock face under the minute hand).

The important thing was that only something like 5% of the keys were even remotely secure for the 1940s, the other 95% ranging from poor to totally inadequate.

These machines were used by U.S. troops as a field cipher for many years.

One of the reasonings for this was,

1) Current and future enemies, on capturing the equipment, were either likely to re-use it or copy its design.

2) Unless they possessed the technical expertise, they were unlikely to know which keys were secure and those that were not.

Therefore on the balance of probability 90% of those signals would be easily broken by the U.S.
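
The following is an added illustration, not part of the comment above and not Crypto AG's or Hagelin's design documentation, of how key settings alone can cripple a pin-and-lug keystream. It assumes a simplified model of the six-wheel, 27-bar layout used on the M-209 (pin offsets are ignored), and the pin and lug settings are constructed samples.

```python
from math import lcm  # Python 3.9+

WHEEL_SIZES = (26, 25, 23, 21, 19, 17)  # pins per wheel in the six-wheel layout
A = ord("A")

def keystream(pins, bars, n):
    """Shift for each of n letters: the number of bars (mod 26) that carry a
    lug on a wheel whose current pin is active."""
    shifts = []
    for t in range(n):
        active = {w for w, p in enumerate(pins) if p[t % len(p)]}
        shifts.append(sum(1 for lugs in bars if active.intersection(lugs)) % 26)
    return shifts

def crypt(text, pins, bars):
    """Self-inverse combiner c = (25 + k - p) mod 26; text must be A-Z only.
    One output letter per input letter, so lengths always match."""
    ks = keystream(pins, bars, len(text))
    return "".join(chr(A + (25 + k - (ord(ch) - A)) % 26)
                   for ch, k in zip(text, ks))

def minimal_period(pattern):
    """Smallest rotation that maps a circular pin pattern onto itself."""
    n = len(pattern)
    return next(d for d in range(1, n + 1)
                if n % d == 0
                and all(pattern[i] == pattern[(i + d) % n] for i in range(n)))

def key_report(pins, bars, sample=5000):
    """Two coarse quality indicators for a key setting."""
    used = {w for lugs in bars for w in lugs}  # wheels that influence the shift
    return {
        # Upper bound on the keystream period: wheels without lugs add nothing.
        "period_bound": lcm(*(minimal_period(pins[w]) for w in used)),
        # How many different shift values the setting produces in the sample.
        "distinct_shifts": len(set(keystream(pins, bars, sample))),
    }

# Constructed pin setting: first half of each wheel active, second half inactive.
PINS = [[1 if i < n // 2 else 0 for i in range(n)] for n in WHEEL_SIZES]
# Constructed lug settings: every bar on wheel 0, versus lugs spread over all wheels.
CONCENTRATED = [(0,)] * 27
SPREAD = ([(0,)] * 1 + [(1,)] * 2 + [(2,)] * 4 +
          [(3,)] * 8 + [(4,)] * 10 + [(5,)] * 2)

if __name__ == "__main__":
    for name, bars in (("concentrated", CONCENTRATED), ("spread", SPREAD)):
        print(name, key_report(PINS, bars))
    ct = crypt("MEETATNOON", PINS, SPREAD)
    print(ct, crypt(ct, PINS, SPREAD))
```

Both indicators are necessary rather than sufficient: a setting can pass them and still be weak, for example because of long runs in the pin patterns.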

Dirk Rijmenants • January 30, 2008 4:46 AM

Nice story, but the only thing we still are waiting for are sources and evidence. We could see this from another point of view. NSA had lots of reasons to discredit a foreign crypto manufacturer. The US has a long history of blocking or weakening good cryptography (limiting key sizes, making designs less effective, even in their own country!). Putting Crypto AG in a bad light would surely be in the interest of NSA and limit the proliferation of quality (?) crypto in the world. The lack of sources, academic proof or any hard evidence whatsoever about the Crypto AG tampering stuff does make one wonder where the story really came from...

However, rigging the electronic devices still 'could' be possible. But the mechanical machines could be considered as 'open source' since the mechanics are widely known and cryptanalysed (in the case of the CX-52 without success). You cannot tamper with a mechanical design like the CX-52 (which also was highly customizable by the customer). By the way, although pin-and-lug devices like the C series are described as stream ciphers it should be noted that all message procedures on sending messages used random message keys (encrypted starting position of the wheels), ensuring a unique stream for each new message, even when key and CT were identical.

As often, we'll never know the real story. I remember an NSA guy saying "in 99 percent of the cases we even don't need to break anything, we get it before it's encrypted". Knowing which Iranian sent something doesn't have to come from broken or leaked keys. Enough other ways to get information, either by SIGINT or HUMINT.

To some of the Enigma comments above: the Hagelin machines were completely different to the Enigma design and Enigma's security came nowhere near to the CX models. The only rotor machine produced by Hagelin was the HX-63, which was far more complex.

Dirk Rijmenants • January 30, 2008 5:28 AM

@Bruce,

"This is my guess, too. The NSA's success with rotor machines was a closely guarded secret, because crypto manufacturers continued to sell these machines to many countries around the world."

I agree on the weak algorithm theory, but why do you mention the rotor machines as they were by Hagelin???

The only rotor machine produced by Hagelin, the HX-63, was experimental and only 12 were manufactured. I don't understand why people keep talking about rotor machines, and pull the (cracked) Enigma into this story.

Hagelin never sold rotor machines (for a good reason). He made his fortune before the electronics era with pin-and-lug type machines.

PS: The Russian Fialka M-125, an advanced version from the Enigma, which incorporated solutions to all Enigma weaknesses is a good example of why the crypto community stopped using rotor machines ages ago: the Israelis captured one and learned how to crack it. Hagelin was clever enough to use other devices.

Individual pal • August 14, 2008 2:58 PM

From my point of view, if NSA had had such a wonderful way to get secret information, this story would never have come out. Intelligent people can only think that this was gossip to generate FUD (fear, uncertainty and doubts) and therefore provoke the crash of this firm. I believe that Crypto AG is still alive and prospering more than 10 years after these presumed events, because intelligent intelligence agencies know how to judge between reality and conspiracy theories.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.