TIARA GNOME- An Episode in the History of Cryptography

TIARA GNOME

Below we can see the captured traffic of a momentous message sent from Tokyo to their Embassy in Washington, DC just prior to the attack at Pearl Harbor.  This HF message was captured, but that did little good to prevent the attack.  “OBESE OVALS” stands for the government office in Tokyo that sent the message.

S352/6 1000S GR265
OBESE OVALS TIARA ..OME
62527 ZTXOD NWKCC MAVNZ XYWEE TUQTC IMNVE UVIWB LUAXR RTLVA
RGNTP CNOIU PJLCI VRTPJ KAUHV MUDTH KTXYZ ELQTV WGBUH FAWSH
ULBFB HEXMY HFLOW D-KWH KKNXE BVPYH HGHEK XIOHQ HUHWI KYJYH
PPFEA LNNAK IBOOZ NFRLQ CFLJT TSSDD OIOCV T-ZCK QTSHX TIJCN
WXOKU FNQR- TAOIH WTATW VHOTG CGAKV ANKZA NMUIN
YOYJF SRDKK SEQBW KIOOR JAUWK XQGUW PDUDZ NDRMD HVHYP NIZXB
GICXR MAWMF TIUDB XIENL ONOQV QKYCO TVSHV NZZQP DLMXV NRUUN
QFTCD FECZD FGMXE HHWYO NHYNJ DOVJU NCSUV KKEIW OLKRB UUSOZ
UIGNI SMWUO SBOBL JXERZ JEQYQ MTFTX BJNCM JKVRK OTSOP BOYMK
IRETI NCPSQ JAWVH UFKRM AMXNZ UIFNO PUEMH GLOEJ HZOOK HHEED
NIHXF XFXGP DZBSK AZABY EKYEP NIYSH VKFRF PVCJT PTOYC NEIQB
FEXME RMIZL GDRXZ ORLZF SQYPZ FATZC HUGRN HWDDT AIHYO OCOOD
UZYIW JROOJ UMUIH RBEJF ONAXG NCKAO ARDIH CDZKI XPR– DIMUW
OMHLT JSOUX PFKGE PWJOM TUVKM WRKTA CUPIG AFEDF VRKXF XLFGU
RDETJ IYOLK BHZKX OJDDO VRHMM UQBFO WRODM RMUWN AYKYP ISDLH
ECKIN LJORK WNWXA DAJOL ONOEV MUQDF IDSPE BBPWR OFBOP AZJEU
USBHG IORCS UUQKI IEHPC TJRWS OGLET ZLOUK KEOJO SMKJB WUCDD
CPYUU WCSSK WWVLI UPKYX GKQOK AZTEZ FHGVP JFEWE UBKLI ZLWKK
OBXLE PQPDA TWUSU UPKYR HNWDZ XXGTW DDNSH DCBCJ XAOOE EPUBP
WFRBQ SFXSE ZJJYA ANMG- WLYMG WAQDG IVNOH KOUTI XYFOK NGGBF

Symmetric Warfare: Using Code Words to Send Unobservable Messages

Using code words in a normal-looking message is a cheap and effective way to communicate. 


Scenario:

Several American businessmen are in Kuala Lumpur, Malaysia trying to get a contract signed for a lucrative mining deal. Mike, the head negotiator, communicates with his iPhone over a 3G GSM network, and he uses his corporate e-mail account via his laptop.

Before he left home he came up with a series of code words to use when he communicates with his boss. This simple and cheap method defeats and misleads national-level eavesdropping, hackers, competitors who eavesdrop, and everyone else who wants to spy on him. Just keep your special word list safe. Beware of thinking that old school is somehow wrong, or that it offers flimsy security. The opposite is true. Flying under the radar is a very good idea these days, and simple is good.  He printed his little code word table on a piece of paper and he hid that paper inside his wallet.

Here is the code word list for the above scenario:

SPECIAL WORD(s)                                           MEANING

NORTH                                          THE BUSINESS DEAL DID NOT GO THROUGH

SOUTH                                          THE BUSINESS DEAL DID GO THROUGH

EAST                                             THINGS LOOK PROMISING BUT NOT YET COMPLETE

WEST                                             HUGE SUCCESS

NORTHEAST                                 UTTER FAILURE

NORTHWEST                                 WE NEED MORE TIME

NICE PLACE                                   WE ARE BEING WATCHED

GOOD RESTAURANT                    PROBABLY WE ARE NOT WATCHED

CHINESE                                        THEY SIGNED THE CONTRACT SECRETLY WITH US

JAPANESE                                      THEY REFUSED TO SIGN THE CONTRACT

INDIAN                                            THEY SIGNED THE CONTRACT WITH US OPENLY

THAI                                                THEY ARE NOT CORRUPT

WRITE YOU TOMORROW             OTHERS ARE OFFERING PERKS

CALL YOU TOMORROW                WE HAD TO OFFER SOME PERKS

One can then write a misleading message containing special words with special meanings.   So here is the letter Mike writes:

John,

I am very sorry to say that the deal did not go through. We are extremely disappointed by the behavior of their people. Tonight we are going to take a break after all these days of hard work. We are going to that Chinese restaurant west of here that you said is a nice place. Call you tomorrow.

Mike


Come up with traffic that sounds reasonable given the realities of the context. In the scenario above one could expect that a Chinese, Thai, Japanese, or Indian restaurant really does exist west of the speaker’s location. Tell everyone else involved in the business transaction to stay mum over the deal, and tell them to be especially careful over the phone or on the internet. Best practice would be to assure that as few people know about it as possible. Only those who need to know should be told about it.

The message and code word table above is for a specific purpose.  A longer table can be the basis for extended conversations on varying subjects.  Keeping the code word table secret is a priority.  One can write it down, one can print it at home on a small piece of paper, or one could encrypt it with a 4096 bit PGP key and use it on a computer that is never attached to the internet.  This last course of action is the least recommended.

And yes, if the situation is that bad, find a Chinese restaurant west of you and have dinner after you send your fake message.

The point of all this is that simple human means can defeat elaborate mechanical threats.  It does not take high technology to defeat the masters of high technology.  It simply takes a little thoughtful effort.

Symmetric Warfare

Simple Means Can Succeed Against Incredibly Sophisticated Technology

Symmetric systems can sometimes offer unobservability. Sending hidden messages in routine traffic is always going to be possible. Imitating the whole system of routine traffic does not work because the task is too complex for the imitator. For example, a nearly perfect imitation of Skype can be detected very easily. Do not trust providers who promise you security based on the notion that their system fully imitates another system without being subject to attack.  It is better to send an encrypted message via a normal high-volume traffic route, like Skype, instead of using a service that tries to imitate a whole system with its immense complexities. Also, Skype is easy to use. Yahoo! is easy to use too.


Read the following message and try to guess if it holds hidden information:

Dear John and Teresa,
      How are you? I hope everything is going well.  Thanks for having us over! It was really nice to see you. Wow! That was the best barbecued chicken ever. An amazing dinner! I hope we can come back in October. Right now my work is a real headache. Fran is busy too. The kids keep our hands full. Especially Tommy. I hope the kids were not too much problem at dinner. And I am sorry Tommy broke that vase.
      Fran just got a new one. Please accept it. OK? She is going to bring it over next week. Please don’t worry. She is going to be in town for two days next week because of a conference, and it is easy for her to stop by. So give us a call this week if you can.
      Again, it was so fun to see you two again and I am really sorry about the vase. Hope to see you soon myself when work slows down. Things have been hectic. You can imagine. I have to work late just about every night. No time to do anything except get some sleep and show up back at work.
      Gotta run! Take care and see you both soon.

Adolf

There is a plaintext message inside the letter. Count the number of words in each sentence (after the greeting).

36571738846218631935080439527 (Plaintext)
In this system a sentence with 13 words resolves to a three. Ten words resolves to a 0.
Using a code pad somewhat similar to the STASI “TAPIR” the plaintext resolves to the following message:
MINEOWNERWANTSBRIBE
Mine owner wants bribe

So this message was sent in the clear (in plaintext).  That is not the best lifestyle decision.  Someone clever could guess you are communicating this way, and he could go to work to resolve your message by guessing the format of the code pad.  In fact, come to think of it, such an effort could be automated.  Simple code pads would be the most vulnerable.  But there is a solution.

The best way to send this message is to not send plaintext.  Send ciphertext.


Send an unobserved and unbreakable message with a random symmetric key

Gestapo 2.0 has arrived to your world, and you want to foil them.

1.  Decide on your message.

Message:        Go to the synagogue

2.  Use a code pad like the one below:

Gnome Code Pad 2

3.  Convert your message into numbers using the code pad.

65378378667557106536541

4.  Use a one-time-pad key designated by the greeting:

“Hey!”

“Hey!” equals key:

15423 89479 30985 95704 35770 95893 07814 10585 98524 24782 94553 89265 84302 52941

Both you and your correspondent have this key prior to the message being sent.  So you want to hide your one-time-pad keys.  You have to be careful that the Gestapo does not find your keys, but the huge advantage is that your message is not subject to computational attack.  They can look at it forever with a planet full of computers, but this will do no good at all.

5.   Add the plaintext to the key without carrying over.

Here is your ciphertext:

70791 16235 05456 91230 898

6.  Write your letter (Each sentence will have the number of words as in the ciphertext. Seven words, then 10 or 20, seven again, etc.  Contractions count as one word):

Hey!

My trip to Berlin was really fun.  The people there are so sophisticated and friendly and relaxed.  I walked around downtown all day long.  I have to tell you that it is beautiful.  Really!

Gosh.  Berlin has so many good restaurants.  Cheap too.  It was fun.  I want to go back.  One thing that stood out to me was how clean everything was, not just the restaurants, but the streets too. It is a vibrant city. I just love it. Maybe we can go together? I really enjoy the cosmopolitan atmosphere.

How have you been doing with your new studies?  Ok?  How’s Ben?  He’s so funny.  I hope that he can help you with your school.  I know he is a bright, diligent student.  Why not ask him again to help you out?

Maybe I’ll see you in a couple weeks!

Arthur


So you see that this method takes some time to create the story, to encrypt the message hidden in the story, and then to decrypt it.  Using a code table might be faster and easier for some messages.  Also, one can come up with one’s own methods based on the idea of hiding ciphertext in a normal-looking letter.  Both you and your correspondent need to have the prearranged set of keys, and the code pad.

One of the lessons here is that low-tech means can achieve high-end results.  If both correspondents destroy their key to this message after it is used, destroy it completely, then that is another plus.

Plaintext Injection Against Vernam Cipher

The Vernam Cipher key:

1.  Must be random.     2.   Must not be reused.    3.  Must not be compromised.   4.  Must be as long as the ciphertext.

Does plaintext injection into Vernam Cipher messages promise to reveal any important information about the key?  If an adversary can get you to put certain words into your message, then does that present a problem?  Does the collector gain any information about your key?

Even if:

1.  The ciphertext is captured complete

2.  The language of the message is known (which reveals frequency of digraphs and trigraphs and grammar)

3.  The message is not padded

4.  The format of the message is known (along with headers and Russian Copulation)

5.  The plaintext injection is certain to have occurred repeatedly over many messages

6.  The amount of presumed key code is large

None of these factors will help break the key as long as the key is truly random.

But if the key is weak such as being a passage from a book, then the weak key can become readily apparent, and any of the factors listed above will just accelerate the exposure.

The Prevelance of DNS Cache Poisoning in Many Developing Countries

How to Prevent DNS Spoofing

DNS cache poisoning (DNS spoofing) means you are being redirected to an IP address other than the one you intended to go to because the DNS name server you are using has been successfully attacked.  Your new destination may look exactly like your intended destination.  Downloading malware at the fake site is a common next step for the victim.

The main problem is that ISPs in many developing countries do their DNS resolution on the cheap, or they do not know how to properly set it up (or both).  Software that could prevent problems like DNS spoofing is often not bothered with.  Sometimes the ISP just does not care.

What can one do?  Use Mozilla and the WorldIP add-on.  WorldIP actually warns you of attacks like this as they happen.  Use HTTPS Everywhere.  If your destination site has HTTPS, then you can check to see that a valid certificate was issued to the owner of the website you are visiting.  Use a VPN.  VyprVPN is a good choice.  If you are at home in a developed country prior to taking a foreign trip, then have VyprVPN set up on your computer before you go venturing out into the wilds of the unknown.  VyprVPN, with its own NAT Firewall and DNS servers, will assure that you do not fall victim to DNS cache poisoning while traveling.

PC Security for People Who Only Speak a Little English

Hello!

Do you like Windows?  Windows is an operating system.  Windows comes in several versions.  Windows XP was very popular.  But now Windows XP is no longer supported.  The Windows family of operating systems is still the most widely used in the world.

Do you take any precautions to protect your privacy?  Do you use an anti-virus program?  Do you know how to protect your PC?

Do you know your computer?

What operating system do you use?  What browser do you use?  What search engine do you like most?  Is your computer 32-bit or 64-bit?  How much RAM do you have?  How big is your hard drive?  How many CPUs does your computer have?

If you choose to use Windows, then make sure to do the following things:
1.  You should disable the Guest account unless you need it.  If you do not know how, then do not worry.  Complete step 4.
2.  Make sure that automatic updating occurs.  Go to Control Panel/Windows Updating (in Windows 7), and make sure automatic updating is turned on.
3.  Choose an anti-virus program.  AVG is a good choice, but you have to pay for it.  Some anti-virus programs are free.  Avast is free, and many people like to use it.
4.  Download the Microsoft Baseline Security Analyzer and run it.  This program is free, and it is very helpful because it tells you about problems with your computer.  It also shows you how to fix those problems.
5.  Use the AVG program called PC Tune Up and run it. This program will tell you about possible security weaknesses in your system, if they are present. PC Tune Up and MBSA can work together to give you a clear picture about your computer’s security.  PC Tune Up will also make your computer run faster and more efficiently.
6.  Disable Windows Internet Explorer.  Windows Internet Explorer is the most targeted browser in the world.
7.  Use Mozilla and the following add-ons: Ghostery, Adblock Plus, World IP, Modify Headers , NoScript Security Suite, HTTPS Everywhere, and DuckDuckGo (HTTPS/SSL).  Mozilla does not collect your personal information.  The add-ons help your computer stay safe.  They also protect your privacy.
8.  Take a small piece of dark tape and put it over your camera, or find another way to cover it (without hurting the lens).
9.  Think if you need to use a VPN (Virtual Private Network). This may slow down your connection, but it may not. It will give you a very high level of privacy, but no anonymity. VyprVpn is a good choice. Use the 256-bit encryption option, and choose a server in Switzerland, Sweden, or Iceland.  This will protect your privacy as you browse.
10.  Make sure that the Windows Malicious Software Removal Tool is present and updated on your system. Run it. Watch to see if it runs and finishes properly. This program is very helpful.  It is also free.  But do not use it as a substitute for an anti-virus program.  You still need to use an anti-virus program like Avast or AVG.
11.  Consider to use the TOR network if you want anonymity while browsing.

Everyone likes the internet, right?  We use it every day.  Learn to take care of your personal computer.  Remember that 100% security is not possible on the internet, but you can do a lot to make your computer very safe.

New Words

Operating system- the software you use to manage your computer

Versions- different kinds of basically the same thing

Supported- the company helps to fix problems

Widely used- used by many people in many places

Precautions- things you do to prevent problems

Privacy- that no one else is watching what you do

PC- personal computer

Browser- the software that searches the internet

RAM-  Random Access Memory.  This is data storage for processing.

Hard Drive- This is where you store your data to keep it.

CPU- Central Processing Unit.  This is the brain of your computer.

Anonymity- no one knowing who you are

Guest- someone who uses your computer.  You can give that person an account.  But the Guest account system can be a big problem.

Updating- getting new things that help your computer

Security Weaknesses- a problem that could make your computer less safe

Add-ons- small programs that you can add to your browser

VPN- Virtual Private Network.  A private tunnel to your destination.  It is not physical like a single wire going all the way from your computer to another.  It is more like a channel.

Connection- two things linked together

Encryption- encoding a message so no one can understand it except the intended person or persons

Present- there

Properly- works as it should work

TOR Network- a computer network designed to provide anonymity.  It has its own browser that uses HTTPS Everywhere.