Page 13 of The Code Book


  Montgomery and de Grey took the partially deciphered telegram to Admiral Sir William Hall, Director of Naval Intelligence, expecting him to pass the information to the Americans, thereby drawing them into the war. However, Admiral Hall merely placed the partial decipherment in his safe, encouraging his cryptanalysts to continue filling in the gaps. He was reluctant to hand the Americans an incomplete decipherment, in case there was a vital caveat that had not yet been deciphered. He also had another concern lurking in the back of his mind. If the British gave the Americans the deciphered Zimmermann telegram, and the Americans reacted by publicly condemning Germany’s proposed aggression, then the Germans would conclude that their method of encryption had been broken. This would goad them into developing a new and stronger encryption system, thus choking a vital channel of intelligence. In any case, Hall was aware that the all-out U-boat onslaught would begin in just two weeks, which in itself might be enough to incite President Wilson into declaring war on Germany. There was no point jeopardizing a valuable source of intelligence when the desired outcome might happen anyway.

  On February 1, as ordered by the Kaiser, Germany instigated unrestricted naval warfare. On February 2, Woodrow Wilson held a cabinet meeting to decide the American response. On February 3, he spoke to Congress and announced that America would continue to remain neutral, acting as a peacemaker, not a combatant. This was contrary to Allied and German expectations. American reluctance to join the Allies left Admiral Hall with no choice but to exploit the Zimmermann telegram.

  In the fortnight since Montgomery and de Grey had first contacted Hall, they had completed the decipherment. Furthermore, Hall had found a way of keeping Germany from suspecting that their security had been breached. He realized that von Bernstorff, the German Ambassador in Washington, would have forwarded the message to von Eckhardt, the German Ambassador in Mexico, having first made some minor changes. For example, von Bernstorff would have removed the instructions aimed at himself, and would also have changed the address. Von Eckhardt would then have delivered this revised version of the telegram, unencrypted, to the Mexican President. If Hall could somehow obtain this Mexican version of the Zimmermann telegram, then it could be published in the newspapers and the Germans would assume that it had been stolen from the Mexican Government, not intercepted and cracked by the British on its way to America. Hall contacted a British agent in Mexico, known only as Mr. H., who in turn infiltrated the Mexican Telegraph Office. Mr. H. was able to obtain exactly what he needed—the Mexican version of the Zimmermann telegram.

  It was this version of the telegram that Hall handed to Arthur Balfour, the British Secretary of State for Foreign Affairs. On February 23, Balfour summoned the American Ambassador, Walter Page, and presented him with the Zimmermann telegram, later calling this “the most dramatic moment in all my life.” Four days later, President Wilson saw for himself the “eloquent evidence,” as he called it, proof that Germany was encouraging direct aggression against America.

  The telegram was released to the press and, at last, the American nation was confronted with the reality of Germany’s intentions. Although there was little doubt among the American people that they should retaliate, there was some concern within the U.S. administration that the telegram might be a hoax, manufactured by the British to guarantee American involvement in the war. However, the question of authenticity soon vanished when Zimmermann publicly admitted his authorship. At a press conference in Berlin, without being pressured, he simply stated, “I cannot deny it. It is true.”

  Figure 29 “Exploding in his Hands,” a cartoon by Rollin Kirby published on March 3, 1917, in The World.(photo credit 3.3)

  In Germany, the Foreign Office began an investigation into how the Americans had obtained the Zimmermann telegram. They fell for Admiral Hall’s ploy, and came to the conclusion that “various indications suggest that the treachery was committed in Mexico.” Meanwhile, Hall continued to distract attention from the work of British cryptanalysts. He planted a story in the British press criticizing his own organization for not intercepting the Zimmermann telegram, which in turn led to a spate of articles attacking the British secret service and praising the Americans.

  At the beginning of the year, Wilson had said that it would be a “crime against civilization” to lead his nation to war, but by April 2, 1917, he had changed his mind: “I advise that the Congress declare the recent course of the Imperial Government to be in fact nothing less than war against the government and people of the United States, and that it formally accept the status of belligerent which has thus been thrust upon it.” A single breakthrough by Room 40 cryptanalysts had succeeded where three years of intensive diplomacy had failed. Barbara Tuchman, American historian and author of The Zimmermann Telegram, offered the following analysis:

  Had the telegram never been intercepted or never been published, inevitably the Germans would have done something else that would have brought us in eventually. But the time was already late and, had we delayed much longer, the Allies might have been forced to negotiate. To that extent the Zimmermann telegram altered the course of history … In itself the Zimmermann telegram was only a pebble on the long road of history. But a pebble can kill a Goliath, and this one killed the American illusion that we could go about our business happily separate from other nations. In world affairs it was a German Minister’s minor plot. In the lives of the American people it was the end of innocence.

  The Holy Grail of Cryptography

  The First World War saw a series of victories for cryptanalysts, culminating in the decipherment of the Zimmermann telegram. Ever since the cracking of the Vigenère cipher in the nineteenth century, codebreakers had maintained the upper hand over the codemakers. Then, toward the end of the war, when cryptographers were in a state of utter despair, scientists in America made an astounding breakthrough. They discovered that the Vigenère cipher could be used as the basis for a new, more formidable form of encryption. In fact, this new cipher could offer perfect security.

  The fundamental weakness of the Vigenère cipher is its cyclical nature. If the keyword is five letters long, then every fifth letter of the plaintext is encrypted according to the same cipher alphabet. If the cryptanalyst can identify the length of the keyword, the ciphertext can be treated as a series of five monoalphabetic ciphers, and each one can be broken by frequency analysis. However, consider what happens as the keyword gets longer.

  Imagine a plaintext of 1,000 letters encrypted according to the Vigenère cipher, and imagine that we are trying to cryptanalyze the resulting ciphertext. If the keyword used to encipher the plaintext were only 5 letters long, the final stage of cryptanalysis would require applying frequency analysis to 5 sets of 200 letters, which is easy. But if the keyword had been 20 letters long, the final stage would be a frequency analysis of 20 sets of 50 letters, which is considerably harder. And if the keyword had been 1,000 letters long, you would be faced with frequency analysis of 1,000 sets of 1 letter each, which is completely impossible. In other words, if the keyword (or keyphrase) is as long as the message, then the cryptanalytic technique developed by Babbage and Kasiski will not work.

  Using a key as long as the message is all well and good, but this requires the cryptographer to create a lengthy key. If the message is hundreds of letters long, the key also needs to be hundreds of letters long. Rather than inventing a long key from scratch, it might be tempting to base it on, say, the lyrics of a song. Alternatively, the cryptographer could pick up a book on birdwatching and base the key on a series of randomly chosen bird names. However, such shortcut keys are fundamentally flawed.

  In the following example, I have enciphered a piece of ciphertext using the Vigenère cipher, using a keyphrase that is as long as the message. All the cryptanalytic techniques that I have previously described will fail. None the less, the message can be deciphered.

  This new system of cryptanalysis begins with the assumption that the ciphertext contains some common words, such as the. Next, we ra
ndomly place the at various points in the plaintext, as shown below, and deduce what sort of keyletters would be required to turn the into the appropriate ciphertext. For example, if we pretend that the is the first word of the plaintext, then what would this imply for the first three letters of the key? The first letter of the key would encrypt t into V. To work out the first letter of the key, we take a Vigenère square, look down the column headed by t until we reach V, and find that the letter that begins that row is C. This process is repeated with h and e, which would be encrypted as H and R respectively, and eventually we have candidates for the first three letters of the key, CAN. All of this comes from the assumption that the is the first word of the plaintext. We place the in a few other positions, and, once again, deduce the corresponding keyletters. (You can check the relationship between each plaintext letter and ciphertext letter by referring to the Vigenère square in Table 9.)

  We have tested three the’s against three arbitrary fragments of the ciphertext, and generated three guesses as to the elements of certain parts of the key. How can we tell whether any of the the’s are in the right position? We suspect that the key consists of sensible words, and we can use this to our advantage. If a the is in a wrong position, it will probably result in a random selection of keyletters. However, if it is in a correct position, the keyletters should make some sense. For example, the first the yields the keyletters CAN, which is encouraging because this is a perfectly reasonable English syllable. It is possible that this the is in the correct position. The second the yields BSJ, which is a very peculiar combination of consonants, suggesting that the second the is probably a mistake. The third the yields YPT, an unusual syllable but one which is worth further investigation. If YPT really were part of the key, it would be within a larger word, the only possibilities being APOCALYPTIC, CRYPT and EGYPT, and derivatives of these words. How can we find out if one of these words is part of the key? We can test each hypothesis by inserting the three candidate words in the key, above the appropriate section of the ciphertext, and working out the corresponding plaintext:

  If the candidate word is not part of the key, it will probably result in a random piece of plaintext, but if it is part of the key the resulting plaintext should make some sense. With APOCALYPTIC as part of the key the resulting plaintext is gibberish of the highest quality. With CRYPT, the resulting plaintext is cithe, which is not an inconceivable piece of plaintext. However, if EGYPT were part of the key it would generate atthe, a more promising combination of letters, probably representing the words at the.

  For the time being let us assume that the most likely possibility is that EGYPT is part of the key. Perhaps the key is a list of countries. This would suggest that CAN, the piece of the key that corresponds to the first the, is the start of CANADA. We can test this hypothesis by working out more of the plaintext, based on the assumption that CANADA, as well as EGYPT, is part of the key:

  Our assumption seems to be making sense. CANADA implies that the plaintext begins with themee which perhaps is the start of the meeting. Now that we have deduced some more letters of the plaintext, ting, we can deduce the corresponding part of the key, which turns out to be BRAZ. Surely this is the beginning of BRAZIL. Using the combination of CANADABRAZILEGYPT as the bulk of the key, we get the following decipherment: the meeting is at the ????.

  In order to find the final word of the plaintext, the location of the meeting, the best strategy would be to complete the key by testing one by one the names of all possible countries, and deducing the resulting plaintext. The only sensible plaintext is derived if the final piece of the key is CUBA:

  Table 9 Vigenère square.

  So, a key that is as long as the message is not sufficient to guarantee security. The insecurity in the example above arises because the key was constructed from meaningful words. We began by randomly inserting the throughout the plaintext, and working out the corresponding keyletters. We could tell when we had put a the in the correct place, because the keyletters looked as if they might be part of meaningful words. Thereafter, we used these snippets in the key to deduce whole words in the key. In turn this gave us more snippets in the message, which we could expand into whole words, and so on. This entire process of toing and froing between the message and the key was only possible because the key had an inherent structure and consisted of recognizable words. However, in 1918 cryptographers began experimenting with keys that were devoid of structure. The result was an unbreakable cipher.

  As the Great War drew to a close, Major Joseph Mauborgne, head of cryptographic research for the U.S. Army, introduced the concept of a random key-one that consisted not of a recognizable series of words, but rather a random series of letters. He advocated employing these random keys as part of a Vigenère cipher to give an unprecedented level of security. The first stage of Mauborgne’s system was to compile a thick pad consisting of hundreds of sheets of paper, each sheet bearing a unique key in the form of lines of randomly sequenced letters. There would be two copies of the pad, one for the sender and one for the receiver. To encrypt a message, the sender would apply the Vigenère cipher using the first sheet of the pad as the key. Figure 30 shows three sheets from such a pad (in reality each sheet would contain hundreds of letters), followed by a message encrypted using the random key on the first sheet. The receiver can easily decipher the ciphertext by using the identical key and reversing the Vigenère cipher. Once that message has been successfully sent, received and deciphered, both the sender and the receiver destroy the sheet that acted as the key, so that it is never used again. When the next message is encrypted, the next random key in the pad is employed, which is also subsequently destroyed, and so on. Because each key is used once, and only once, this system is known as a onetime pad cipher.

  The onetime pad cipher overcomes all previous weaknesses. Imagine that the message attack the valley at dawn has been enciphered as in Figure 30, sent via a radio transmitter and intercepted by the enemy. The ciphertext is handed to an enemy cryptanalyst, who then attempts to decipher it. The first hurdle is that, by definition, there is no repetition in a random key, so the method of Babbage and Kasiski cannot break the onetime pad cipher. As an alternative, the enemy cryptanalyst might try placing the word the in various places, and deduce the corresponding piece of the key, just as we did when we attempted to decipher the previous message. If the cryptanalyst tries putting the at the beginning of the message, which is incorrect, then the corresponding segment of key would be revealed as WXB, which is a random series of letters. If the cryptanalyst tries placing the so that it begins at the seventh letter of the message, which happens to be correct, then the corresponding segment of key would be revealed as QKJ, which is also a random series of letters. In other words, the cryptanalyst cannot tell whether the trial word is, or is not, in the correct place.

  In desperation, the cryptanalyst might consider an exhaustive search of all possible keys. The ciphertext consists of 21 letters, so the cryptanalyst knows that the key consists of 21 letters. This means that there are roughly 500,000,000,000,000,000,000,000,000,000 possible keys to test, which is completely beyond what is humanly or mechanically feasible. However, even if the cryptanalyst could test all these keys, there is an even greater obstacle to be overcome. By checking every possible key the cryptanalyst will certainly find the right message—but every wrong message will also be revealed. For example, the following key applied to the same ciphertext generates a completely different message:

  Figure 30 Three sheets, each a potential key for a onetime pad cipher. The message is enciphered using Sheet 1.

  If all the different keys could be tested, every conceivable 21-letter message would be generated, and the cryptanalyst would be unable to distinguish between the right one and all the others. This difficulty would not have arisen had the key been a series of words or a phrase, because the incorrect messages would almost certainly have been associated with a meaningless key, whereas the correct message would be associated with a sensible k
ey.

  The security of the onetime pad cipher is wholly due to the randomness of the key. The key injects randomness into the ciphertext, and if the ciphertext is random then it has no patterns, no structure, nothing the cryptanalyst can latch onto. In fact, it can be mathematically proved that it is impossible for a cryptanalyst to crack a message encrypted with a onetime pad cipher. In other words, the onetime pad cipher is not merely believed to be unbreakable, just as the Vigenère cipher was in the nineteenth century, it really is absolutely secure. The onetime pad offers a guarantee of secrecy: the Holy Grail of cryptography.

  At last, cryptographers had found an unbreakable system of encryption. However, the perfection of the onetime pad cipher did not end the quest for secrecy: the truth of the matter is that it was hardly ever used. Although it is perfect in theory, it is flawed in practice because the cipher suffers from two fundamental difficulties. First, there is the practical problem of making large quantities of random keys. In a single day an army might exchange hundreds of messages, each containing thousands of characters, so radio operators would require a daily supply of keys equivalent to millions of randomly arranged letters. Supplying so many random sequences of letters is an immense task.