The word cryptography means secret writing. Cryptography is applied to protect data against unauthorized disclosure, better known as eavesdropping. Currently, a very hot topic in this time of ubiquitous communication and cybercrime. Cryptography aims at secrecy of messages by converting messages into apparent nonsense, into a random sequence of characters, which is unintelligible. Cryptography is not the same as steganography. The latter uses intelligible messages to hide a different, meaningful message. An introduction to cryptography can be found here.

The conversion of a message into a cryptogram –not the puzzle in a newspaper– is called encryption or encipherment. The reverse operation is called decryption or decipherment. The use of cryptography implies the use of a secret key. A cryptographic key is an essential amount of information, that has to be kept secret by the owner, receiver of the secret message. Depending on the cryptographic system used: symmetric or asymmetric, the sender uses the same secret key, or uses a public key that corresponds to the secret key, but does not reveal the secret key. In the asymmetric case, certificates of authenticity and validity are required, giving rise to networks of certification and registration authorities. In any case the management of cryptographic keys is a very important part of cryptographic systems in practice.

CryptografieCryptography has grown into a science. Courses highlighting the different areas of cryptography are given at many universities around the globe. I have been in the privileged position to contribute to the broad area of cryptography by means of courses, lectures, the establishment of a master degree in the security of information technology at the Eindhoven University of Technology (TU/e) in the Netherlands. Also by research contributions with colleagues from Bergen University (UiB) in Norway. Many of my publications can be found here.

In many different projects and product developments with Philips, SafeNet, Banksys, DeltaCrypto and Compumatica in the roles of cryptographer, security architect and senior consultant, I exercised the more practical aspects of cryptography. CryptografieMuch of the R&D involved designing of cryptographic algorithms (mathematics), management systems and method for cryptographic keys, random number generators, integrated circuit electronics (chips) and –often embedded– application software. Many of the security appliances designed were intended for the highest degree of security, national security of state secrets. High grade, high security and high assurance. The picture left shows me in September 2004, operating a UP6317 Secure Telephone from Philips Crypto B.V. A magnificent collection of cryptographic devices with extensive and detailed descriptions can be found at the online Crypto Museum.

There was, however, an other side to the “crypto coin”… Cryptographic applications, appliances and software were considered startegic goods. Therefore, these security goods could not freely be exported to all countries. In order to realise sales abroad, which was a must for a commercially operating company like Philips, the strength of the cryptography had to be reduced. Contrary to everything written and otherwise communicated, this degradation of cryptography was realised in consultation and collaboration with government services and agencies in those days, the former NLNCSA (Netherlands National Communications Security Agency). The security weakening was  implemented in various and often resourceful and innovative ways in cryptographic algorithms and random number generators. An example of such a weakening is the PX-1000 pocket telex, extensively descibed at the site of the Crypto Museum.

And indeed, this was a serious weakening directed by the NSA, the US National Security Agency.  The Dutch radio program Argos on Saturday 20th April 2019 revealed how the NSA changed the algorithm of the PX-1000 pocket telex, a consumer encryption device, with help from multinational electronics giant Philips. An exciting story dating back to 1984.

The Aroflex Cryptography

Aroflex is the name of the cryptographically secured Siemens T-1000 teleprinter by Philips Usfa B.V. Please, see this Aroflex page at the website of the Crypto Museum. It contains a large amount of details about the machine, its history and role within NATO.

Aroflex came in two basic types, one type, denoted by the name Aroflex, intended for use by NATO and allies in NATO countries. The other type was simply named T-1000 CA, and was intended for applications in the non-NATO part of the world. Aroflex machines were sold exclusively by Philips Usfa, whereas the T-1000CA machines were initially sold by Siemens only, but later on also by Philips Usfa.

Two Crypto’s

As can be read on the website of the Crypto Museum, the cryptography used by the two types are quite different, even in the hardware electronics used, i.e. the use of two different integrated circuits OQ4406 and OQ4407. The latter was derived from its predecessor 4406 by a relatively simple mask modification, which effectively erased part of the circuit. This modification was also a very low cost operation.

The technics
The cryptographic algorithm of the T-1000CA was commonly referred to as the Beroflex algorithm. Each machine type would be available in many cryptographic variants. These variants were mainly based on values of fixed bits in the daily key and message key settings, and the number of initialization cycles. Both algorithms comprise eight sections, which used to be called ‘wheels’ in the old days, with so called shift registers and Boolean circuitry. Each section can store sixteen key bits and implements a shift register of length five. Hence, the secret key that can be stored has a total length of 128 bits. One kind of Aroflex variants has the possibility to set, at production time, the order in which the 8 sections influence each other. An example of a machine with this order permutation is the UA8116/04, also known as ‘Politieflex’. The cryptogram produced by the telex encryption devices is neatly formatted in lines with at most 10 five letter groups and has a cryptographic preamble, aka message key, of 10 five letter groups. The first five groups show a five times repeated single five letter group, containing 25 random bits. These 25 bits are used together with 31 fixed bits to initialize the registers in the cryptographic algorithm in the so called alfa-mode. The second part of the message key consists of a five times repeated five letter group, encrypted with the daily key. Because of this encryption, this second part cannot (easily) be distinguished from the cipher text itself, at least not with Aroflex… With the exception of one variant, Beroflex machines exhibit a statistical bias in the second part of the message key.  This is a useful property to inform the cryptanalyst about the machine type that produced the cryptogram! Besides, encryption of redundant text (the 5 times repeated five letter group) is a bad idea in cryptography, as it provides the cryptanalyst with a means to check the correctness of the guessed key bits or other parameters.

Strong and weak
The cryptographic strengths of both machine types differ by magnitudes! The Aroflex uses a 96 bit cryptographic key (the daily key), derived from 24 telex alphabet characters a…z. In addition it has 32 fixed key bits, which are stored in two sections. These fixed key bits are optionally customer unique. Assuming absence of any exploitable weaknesses, the cryptanalyst would have to launch an exhaustive key search of 2^96 (79,228,162,514,264,337,593,543,950,336 combinations), totally out of reach for any computer or special purpose hardware in those days.  Beroflex uses only 90 bits of the 24 character daily key, and additionally 38 fixed key bits: two sections and one bit in the remaining six sections. A major difference, however, is that the internal state of the Beroflex algorithm is independent of the daily key setting, whereas the Aroflex internal state does depend on the 96 key bits! To get some dependency on daily key bits, Beroflex has a special mixing mode, called beta-mode. However, this mode makes use of only 24 generated key stream bits. Consequently, this is the only unknown parameter the cryptanalyst has to find out by exhaustively trying all 2^24 (= 16,777,216) combinations and check the second part of the message preamble for equality of the five groups of five characters. One has to solve a linear set of equations for at most 16.7 million combinations to find this solution. Way back in 1980, this was a task that would take considerable time on existing computers. Therefore, a special chip and hardware was designed for the agencies to speed up these calculations and facilitate the decipherment of any T-1000CA encrypted text.

Business and backdoor

The Aroflex machines could only be sold to NATO partners and friendly allies. The T-1000CA was sold to many countries , governments, police forces and companies around the globe, thereby giving agencies access to a huge amount of sensitive ‘encrypted’ information, exchanged over the world wide telex network. Also, it enabled companies like Philips Usfa and Siemens to realize more sales and so compensate the considerable investments in the development of the machines. It remains, however, hard to imagine that the Dutch agencies did not have any active involvement in the development of Beroflex. B after A, a relatively sophisticated weakening of a high grade, NATO approved cryptographic algorithm. No commercial company would go through such an effort itself, with the risk of being exposed, resulting in total loss of trust and deprived from further sales.

Still more to come…soon on ‘Chinaflex’