Breaking into the Enigma and Lorenz networks during World War Two (WW2) was one of the first examples of a large-scale wireless communications network breach. Explore the surprising similarities between a WW2 breach and modern-day cyber security concerns.
Despite the clear advances in technology since World War Two, there are surprising parallels between the work in encryption during WW2 and today.
Decoding Room Hut 6Bletchley Park
In 1939, hundreds of people from different backgrounds were ordered to report to a Victorian mansion in Buckinghamshire.
Testing Bombe results in the Decoding Room, Hut 6 at Bletchley ParkBletchley Park
Against all the odds, what they achieved at Bletchley Park is thought to have shortened the war by at least 2 years.
Their collective task was to break into the different cipher networks used by the Axis for communications, the most well-known of these being Enigma and Lorenz.
As technology develops and expands, it is more important than ever that private and personal information are kept secure.
The stakes are higher than ever before, but the premise remains the same: confidential documents, communications and monetary transfers must be protected by encryption.
Traffic Identification Section Hut 6 at Bletchley ParkBletchley Park
When WW2 codebreakers were working on complex problems, it was often a team effort and a variety of approaches that led to the cryptanalysts’ success.
They were specialists of many fields: linguists, mathematicians, scientists and chess grandmasters amongst others.
A problem would be passed around the hut until it reached someone able to solve it, or to contribute to solving it before passing it on again.
Control Room Hut 6Bletchley Park
Success was not always forthcoming for the codebreakers.
'Work simply came to a standstill if nothing broke for a few days and the whole Hut descended rapidly into the darkest abyss of despair.'
- Stuart Milner-Barry, Hut 6. (Smith 2011)
Enigma Plugboard (1939/1945)Bletchley Park
Bletchley Park's successes helped Allied shipping convoys evade the Wolf Packs with such ease that Admiral Karl Dönitz, in charge of the German U-Boats, knew something was wrong.
Dönitz made the submarine cypher even more secure through a change to the Enigma machine...
A thinner reflector with different wiring added 26 times more settings. German experts were convinced Enigma would now be impenetrable.
Hut 8 was locked out of the cypher for 10 months. 'We knew it was coming. But it was a grim time. We were very much frustrated; the things that we'd hoped to use went bad on us'. (Smith 2011)
4-Rotor Naval Enigma (1939/1945)Bletchley Park
Today, the pattern is the same: flaws in code are exploited before the encryption methods are reviewed and improved.
'The Vigenère cipher was called “le chiffre indéchiffrable,” but Babbage broke it; Enigma was considered invulnerable, until the Poles revealed its weaknesses... Not only do we have to guess which discoveries lie in the future, but we also have to guess which discoveries lie in the present.' (Singh 1999)
As with most encryption systems, there is a component of human interaction within the encryption and decryption processes. When humans take shortcuts for ease of use, make mistakes and stray from protocol, weaknesses are created within the system. The impact of human error, a huge factor in the breach of communications during WW2, still plays a major role in cyber security vulnerabilities to this day.
3-Rotor Enigma Machine (1929/1945) by Shaun ArmstrongBletchley Park
The standard 3-rotor Enigma machine was capable of being set to approximately 103 sextillion possible combinations to create completely different cyphertexts.
Finding the settings for each network, which were reset at midnight every day, was the challenge faced by the codebreakers.
Enigma Setting Sheet (1939/1945)Bletchley Park
To encipher messages, operators matched the machine's settings to the daily key, provided in a code book.
The operator would then type in a sequence of random letters to complete the encipherment settings, before keying in the plaintext message for the machine to encode.
But in May 1940, this practice was abandoned as the Germans recognised that it increased the vulnerability of the code – indeed, it was the repeated triplets of letters that initially enabled the Poles to break Enigma.
Messages were restricted to 250 characters in order to improve security.
Example of intercepted Enigma Traffic (1939/1945)Bletchley Park
German Enigma operators followed strict rule, like using random message keys, used just once.
But they often chose keys that were easier to guess, like three consecutive letters on the keyboard, a word, or the initials of a loved one.
One set of initials, 'CIL', may be the origin of the term 'cillies', meaning predictable message keys.
Often, keys were repeated or left unchanged from one message to the next. So cryptanalysts often tried cillies when looking for the day's Enigma settings, which proved extremely useful.
Mavis Batey née Lever (1921-05-05/2013-11-12)Bletchley Park
The machine had a flaw: no letter could be enciphered as itself. So when users also broke rules, breakthroughs were possible.
“I picked up a message and thought: ‘What has this chap done. There is no L.’ He had sent a dummy message and pressed the L - the only letter missing.”
- Mavis Lever (Smith 2000)
Bombe machineBletchley Park
“We could usually break things when we identified the human error. If the Germans had kept to the rule book ... we wouldn’t have been able to get it out.”
- Mavis Lever (Smith 2000)
In the same way that German human error laid bare their codes, users of today's computers take similar risks.
Many people choose passwords that are easy to remember, include personal information in passwords, or reuse passwords for more than one account.
These factors dramatically reduce password security and make confidential information vulnerable to attack by hackers.
Enigma Rotor (1939/1945) by Elle DunnBletchley Park
Mavis Lever and her team exploited this gift from a lazy Enigma operator and revealed out the new settings.
These principles reflect modern cyber security issues. Complacency over rules for personal data can be exploited easily by attackers.
Lorenz cypher attachment (1939/1945) by Shaun ArmstrongBletchley Park
Another lapse took place with the Lorenz - a teleprinter cipher machine (used by Hitler and the German High Command for high-level communications) designed to be more secure than Enigma.
Intelligence from Lorenz revealed top-secret German policy decisions and tactics to allied commanders.
Teleprinter TapeBletchley Park
Teleprinter characters had of five impulses (or 'bits'). These were punched into teleprinter tape and read and sent by transmitter.
Each letter was obscured by the addition of pseudo-random letters generated by a cipher attachment.
Lorenz Cipher Machine WheelsBletchley Park
‘In August 1941, a German Army operator in Athens sent a 4000-character message to Vienna, but the receiving operator asked for it to be resent. The sender used the same Lorenz machine settings again - a forbidden shortcut - with slightly different content.
Lorenz cypher attachment (1939/1945)Bletchley Park
John Tiltman at Bletchley Park spotted the similarities between messages. This, combined with the fact that both machines had the same start position enabled Tiltman to recover both texts fully.
Codebreakers at Bletchley Park cracked the Lorenz cipher – thought to be unbreakable.
Colussus: Creating a Giant (2013-03-08) by GoogleBletchley Park
Remarkably, given that they'd never seen one, codebreakers and engineers Bill Tutte, Max Newman and Tommy Flowers could visualise the internal workings of Lorenz.
They were able to create another machine that could reveal the day's settings, and developed that machine into the first programmable computer: Colossus.
Over the course of WW2, Bletchley Park accumulated and generated a huge amount of data that all had to be stored, referenced and analysed.
Freeborn Files Room Block CBletchley Park
Experts used Hollerith punch card machines to capture the vast amounts of data accumulated each day.
Developed by American inventor Herman Hollerith to analyse information for the 1890 US census, the machines allowed quick sorting of, and easy access to, important cribs and information.
Block C prior to restoration (2013-12-17)Bletchley Park
Bletchley Park's Block C was purpose-built for Hollerith machines. The system was key to the codebreaking success by recording Enigma decryption information.
The machines and systems, used on an unprecedented scale, were secretly and constantly adapted and improved.
Freeborn Machine Room Block CBletchley Park
This data enabled codebreakers to compare various features and spot patterns or clues in encrypted messages, like call signs or common words, to create useful intelligence.
The challenge to store and catalogue data in a user-friendly way was one that workers at Bletchley Park faced head on.
Coping with huge amounts of data both in volume and velocity is a challenge still faced by the computer industry to this day.
In one six-month period of WW2, 250,000 messages were intercepted and passed to Bletchley Park.
However by comparison, in 2018 it was estimated that over 281 billion emails were being sent daily (Radicati 2018).
Cyber Security Exhibition (2014) by Event CommunicationsBletchley Park
Big Data means collections of information from traditional and digital sources that includes web behaviour, social media interactions, transaction information, financial records and communication channels.
Just as wartime intelligence officers made use of the information decoded at Bletchley Park, today's companies gather and interpret data to inform decisions in areas such as finance and marketing.
VE Day celebration (1945)Bletchley Park
During WW2, the people at Bletchley Park worked tirelessly to intercept Axis communications and help allies understand the enemy's actions.
But today, it's not just the military that puts data online.
People using the Internet in their day-to-day life amass reams of data that's vulnerable to attack.
While cyber security experts work hard to keep our information protected, we all play a role in ensuring our online safety.
Find out more at Bletchley Park.
Nicola Gale, Catherine Holden, Simon Thompson - Bletchley Park & McAfee Security Online Safety Education Officers.
The Radicati Group (2018). Email Market, 2018-2022. Palo Alto, CA :Radicati
Singh, S. (1999). The Code Book. London: Fourth Estate.
Smith, M. (2011). Secrets of Station X. London: Biteback Publishing.