Cryptographic Security of Codatype Cypher Machine/Letter to David A. Salmon

Cryptographic Security of Codatype Cypher Machine: Letter to David A. Salmon (1937), by William Frederick Friedman

War Department
Office of the Chief Signal Officer
Washington

September 18, 1937


MEMORANDUM FOR: Mr. David A. Salmon, Chief of Communications and Records Division, Department of State.


Pursuant to your informal request I have just completed the study of the degree of cryptographic security afforded by the cipher machine known as the Codatype which has been installed in your division by the International Business Machines Corporation for test and determination as to possible usefulness in State Department communications. The following is a summary report of the results of that study and of the conclusions reached therein.

1. It was agreed between us as a preliminary that it is fair to assume that, in actual service, practical considerations would require that a set of plug-board connections remain the same for a whole day's traffic and that only the two-dial setting controlling the initial point of entry of the three commutators and the initial point of entry of the 12-disc program device assembly be changed from message to message within the day's traffic.

2. In this case an enemy cryptoanalytic staff would not know the wiring of the commutators, the positions of the pins on the program device, or the settings of the keying dials. Nevertheless, it can be stated that one day's traffic, if it consisted of say 40 - 50 messages, can be solved, although this solution might require one or two weeks by a well organized cryptoanalytic staff. Its purpose would be not so much to learn the contents of these messages as to reconstruct the cam positions on the discs of program device and wiring of the commutator.

3. When the latter data have been obtained, the analysis of messages of any subsequent day's traffic would be particularly easy and could probably be accomplished within 6 - 8 hours. The purpose of this analysis would be merely to eliminate the effects of the daily change in plug-board connections. (The various dial settings are of no particular consequence in this machine.)

4. When the latter effects have been ascertained, individual messages can be read rapidly, though of course not nearly as rapidly as the machine can decipher them.

5. Based upon the foregoing premises, only 12 messages, all enciphered by the same plug-board arrangement but with different dial settings, were requested for study. It was thought that possibly the cam positions on the program device and the wirings of the commutators were the same as had been found from a previous study of the machine, before the addition of the plug-board. Had this been true, the subsequent study would have required less time, but it was soon noted that at least the cam positions had been changed, if not the wirings of the commutators. Upon request, and in order to conform with the assumptions set forth in Par. 1 above, the cipher equivalents of 9,000 consecutive A's were furnished and from this text the effective cam positions were readily reconstructed. It also developed that the commutator wirings were unchanged and that the internal period for the checking circuit, namely 180 letters, coincided with the external check shown at the end of every 4th line. This indicated that the program device made a complete revolution in 180 letters, whereas before this period was 360.

6. Having the cam positions and the commutator wirings, only one of the 12 messages was selected for detailed study. This was the longest in the set, namely "No. 1130 from Paris August 9, Section One." It contains 9 periods of 180 letters. Applying the principles of solution devised to meet the situation, the plain-text of the first period was recovered and is attached hereto. In this process, some time was lost because of unfamiliarity with necessary procedure. This is always to be expected of an initial solution, but it can now be stated definitely that a second trial would undoubtedly yield solution of such a first period within the time indicated in Par. 2 above. This is hardly sufficient for confidential or secret messages.

7. The following conclusions seem warranted:

a. As regards its mechanico-electrical functioning, the machine appears to be highly reliable, speedy, and efficient.

b. The degree of cryptographic security afforded by the machine is relatively low, and certainly not sufficient for governmental confidential or secret messages.

c. The cryptographic principle upon which this machine is based is quite weak. In a final analysis, it consists of but three primary mixed, reciprocal sequences. It is true that these sequences are brought into play in an irregular manner for an irregular number of sequent letters, and that the complete period is 19,000 letters. But this period is a resultant period; it is relatively very short compared as cryptographic periods go; and even then it is composed of but 18 different types of primary periods of only 180 letters each. The fact that there are two dial settings for each message, one with 25 different positions and the other with 50, is of no serious consequence from a cryptoanalytic viewpoint.

d. It is doubtful whether anything can be done to eliminate the more or less fatal cryptographic weakness of this model and still retain a machine and cryptographic system which will be practical for the purpose for which intended.




William F. Friedman,
Principal Cryptanalyst.
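
Added illustration, not part of the memorandum and not Friedman's procedure: a simplified toy model of the weakness described in Par. 5 and Par. 7c, showing how the cipher text of a run of A's exposes both the 180-letter period and the order in which three reciprocal alphabets are brought into play. The alphabets, the program sequence, the seeds and all function names are constructed assumptions; the plug-board and the real commutator wiring are not modelled.

```python
import random
import string

PERIOD = 180  # primary period stated in the memorandum
A2Z = string.ascii_uppercase

def reciprocal_alphabet(seed, partner_of_a):
    """Constructed mixed reciprocal alphabet: 13 letter pairs, A paired as given."""
    rest = [c for c in A2Z if c not in ("A", partner_of_a)]
    random.Random(seed).shuffle(rest)
    pairs = [("A", partner_of_a)] + list(zip(rest[0::2], rest[1::2]))
    table = {}
    for x, y in pairs:
        table[x], table[y] = y, x
    return table

# Toy stand-ins for the secret elements (constructed, not the real machine).
ALPHABETS = [reciprocal_alphabet(s, p) for s, p in ((1, "K"), (2, "Q"), (3, "X"))]
PROGRAM = random.Random(1937).choices(range(3), k=PERIOD)

def encipher(text, start):
    """Substitute with the alphabet the program selects; deciphering is the same call."""
    return "".join(ALPHABETS[PROGRAM[(start + i) % PERIOD]][c]
                   for i, c in enumerate(text))

def recover_period(ct):
    """Smallest shift under which the whole cipher text repeats exactly."""
    for p in range(1, len(ct) // 2 + 1):
        if all(ct[i] == ct[i + p] for i in range(len(ct) - p)):
            return p
    return None

def relabel(seq):
    """Rename symbols by order of first appearance (0, 1, 2, ...)."""
    labels = {}
    return [labels.setdefault(s, len(labels)) for s in seq]

def recover_program(ct, period):
    """Each cipher letter of an enciphered A names the alphabet used there."""
    return relabel(ct[:period])

if __name__ == "__main__":
    ct = encipher("A" * 9000, start=17)          # constructed test text
    period = recover_period(ct)
    print("distinct cipher letters:", sorted(set(ct)))
    print("recovered period:", period)
    print("program recovered:",
          recover_program(ct, period) == relabel(PROGRAM[17:] + PROGRAM[:17]))
```

In this model the starting position only rotates the recovered sequence, and the analyst learns the program without knowing any alphabet beyond the three images of A.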

This work is in the public domain in the United States because it is a work of the United States federal government (see 17 U.S.C. 105).
