Tuesday, December 20, 2011

French Hagelin cipher machines

During the 1930’s and 40’s the military and civilian authorities of many countries began to purchase and use cipher machines in order to secure their confidential radio traffic. Cipher machines were more secure than the book systems that they replaced and they encoded/decoded faster. The main players in the international market were the well known Enigma machine in its commercial version and the products of Boris Hagelin, mainly the ‘small Hagelin’ C-36 and ‘large Hagelin’ B-21/211.

French Army codes and ciphers

The French military and civilian authorities used for their secret communications several codebooks, both enciphered and unenciphered. Individually these systems did not have a very high degree of security but it seems that the French strategy was to overwhelm enemy codebreakers through the simultaneous use of a large number of different codebooks (1). Additionally, it is possible that the French Army’s cipher bureau overestimated the security of the encipherment procedures used with the codebooks.

The French Army acquired cipher machines in the second half of the 1930’s, specifically the Hagelin models C-36 and B-211. By 1939 there were about 2.000 C-36 and 115 B-211 machines in use. The B-211 was used at the level of Army Corps and by the High Command. The C-36 was used as a mid level cipher for Armies and Divisions in France and N. Africa (2).

The B-211 and C-36 continued to be used by the Free French Forces during the period 1942-45 in N. Africa and Italy. However, from 1943 the C-36 was gradually replaced by the US M-209 cipher machine (3). 

German solution of French Army cryptosystems

According to the available information the B-211 machine proved secure during the period of the Phoney war and the Battle of FranceOn the other hand C-36 machines were captured and by July ’40 that traffic was read (4).

After hostilities ended the cryptanalysts of the German Army’s signal intelligence agency Inspectorate 7/VI (later OKH/GdNA) managed to acquire these cipher machines and they found ways to retrieve the internal settings and read this traffic. Initially their research was only of a theoretical character since no new traffic was being intercepted on these systems. However once the Free French forces of General De Gaulle started using them again in 1942 they were in a position to benefit from their earlier research.

In the case of the C-36 the methods of solution were successful against field traffic in the period 1942-45. Messages of the large Hagelin B-211 however could not be solved. The reason was that the French had anticipated the German efforts to read their codes so they physically modified the B-211.

Thanks to the solution of the C-36 the Germans were able to decode French traffic in North Africa and Italy in the period 1942-44. The Anglo-American authorities however were aware of the insecurity of French codes so they provided the M-209 (American version of Hagelin C-38) to the French forces fighting in Italy. The Germans were also able to read traffic on this system but not as much as they had with the C-36. The M-209 was an inherently more secure cipher machine (6 wheels instead of 5 in the C-36). (5)

Apart from the Army agency In. 7/VI the Signal intelligence agency of the Supreme Command - OKW/Chi seems to have successfully solved the C-36, however not many details are known about their work. The methods of solution are given in Ticom I-45 ‘OKW/Chi Cryptanalytic research on Enigma, Hagelin and Cipher Teleprinter machines’ (6) 
Overview of German exploitation of French cipher machines
Information on the German exploitation of French Hagelin cipher machines is available from various TICOM reports (7) and from the War diary of Inspectorate 7/VI.

A summary is given by colonel Mettig, head of In. 7/VI from November 1941 to June 1943. From TICOM I-78 Interrogation of Oberstlt Mettig on the History and Achievements of OKH/AHA/ln 7/VI, p4 and 9

France
With the opening of the offensive in May 40, the French began to use ciphers in increasing quantities. The Germans soon felt an acute shortage of forward cryptographers and were therefore unable to undertake much work on the French forward ciphers. As a result, the forward units concentrated on the two French cipher machines, the B-211 and C-36. Progress was slow, but as a result of research on two captured C-36 machines, Army Group C was in a position, by Jul 40, to undertake satisfactory reading of the traffic. Likewise it was impossible to break the B-211 machines in time for that information to be of any value. Nevertheless the research undertaken during this period was to justify itself later.



Referat France
This section lost a lot of its importance after the campaign of 1940. It concentrated on watching the communications of the VICHY Government which was supposed to inform the Germans of their cipher procedures. Breaches of regulations committed by the French were reported to the Disarmament Commission at WIESBADEN and rectified. The retention of captured French documents and the further investigation of the French cipher machines C-36 and B-211 justified itself in that the initial de Gaullist WT traffic in NORTH AFRICA for 1942-43 was undertaken through those methods. It was possible to read all these techniques at the start but how far the success was maintained during 1943 PW cannot say.



These statements can be verified from the war diary of Inspectorate 7/VI.

Hagelin C-36 and C-38 (M-209)
The monthly reports show that in 1941 the C-36 device was extensively investigated and methods of solution found. The methods were refined to the extent that even small messages could be solved.

Report of May 1941:

Report of June 1941:


According to the Army cryptanalyst dr Otto Buggisch (8) the methods of solution were:

C-36 - The theoretical analysis of this in 1940 developed two theoretical methods.
1) Based on frequency of K. as word separator.

2) Statistical - various, depending on the most usable feature of the traffic, low, high letters, etc. The studies made by B. et al. were used by Oberinsp. Kuehn to forestall the introduction of the device into the German Army, as advocated by Major JUNG.
B. says the statistical method was later used in practice and needed 300 letters. He makes general statements about considerable later success with C-36, from 1942 on. (Not pinned down on this.)

In late 1942 French radio traffic on the link Algeria-Morocco was identified as being enciphered on the C-36 and thanks to the previous studies these messages were solved. In German reports the French C-36 was identified as procedure F-19.
Report of December 1942:


In January the internal settings of the C-36 and the indicator system were changed but in February they were solved and for the period March - December 1943 the process could be read continuously with the results communicated quickly to KONA 7 (Kommandeur der Nachrichtenaufklärung - Signals Intelligence Regiment), based in Italy.

Report of May 1943:



By the summer of ’43 KONA 7 could handle the solution of the C-36 with In. 7/VI only processing corrupted messages that did not decode properly. The traffic solved was from N. Africa and had the indicators xab and fva. In October 1943 messages between Algiers and Corsica were also read. In December the traffic dropped off and the Germans suspected that the US M-209 cipher machine had been introduced in French networks.

They weren’t wrong, since according to a British report (9) in early 1944 the US military supplied M-209 machines to the French Forces fighting in Italy. The M-209 was much harder to solve than the C-36 since the internal settings could only be retrieved by finding messages in depth.


However the C-36 continued to be used by French forces and their traffic could be solved. In the first half of 1944 a new indicator procedure hindered the German efforts and messages had to be attacked individually. Information on the new indicator is given by Buggisch in TICOM I-92 ‘Final Interrogation of Wachtmeister Otto Buggisch (OKH/In 7/VI and OKW/Chi), p3
3. Complications in C36. Buggisch could recall no ‘complicated enciphering device’, unless he had meant to refer to the new indicator method introduced in January of 1944. The old indicator system, changed in its details in 1942, had been a letter substitution table, which had been simple. The new system was based on numbers, but he could give no details. Relative internal settings continued to be recovered and a high percent of the traffic solved on cribs and statistics (for any message over 400 letters) until the indicator system was broken in the late summer of 1944. About the same time in 1944 the French had adopted a system of sending internal settings by mean of an ordinary sentence for each wheel, of which the first so many non repeating letters gave the active lug positions. This system was first reported in a broken code message; the knowledge that it existed was of academic interest only, as no keys wore gained from other systems.

Buggisch spoke especially of the successful solution of C36 in 1943, on de GAULLE traffic to CORSICA. He also said that the Southern France landings were largely given away as to date and strength of force by broken C36 traffic.
In June and July 1944 the indicator system was completely solved and the traffic of the previous months decoded. The statement by Buggisch on operation Dragoon can be confirmed in part by British report HW 40/7 ‘German Naval Intelligence successes against Allied cyphers, prefixed by a general survey of German Sigint’, p29

In the Mediterranean area the Germans continued to derive a certain amount of information from low grade French traffic. On 11th August, 1944 a German Army B reports seen in Special Intelligence quoting a Free French signal, thought to be made in Hagelin, which gave details of the allocation of shipping space for the eminent Allied landing in Southern France. The time lag in issue was only about 10 hours, and on the basis of this B-report the German Admiral commanding South coast of France was warned on 14th August of the probability of a landing in his area in the near future.


The German army’s codebreakers continued to solve the C-36 settings till the end of the war.

Hagelin B-211
The ‘large Hagelin’ B-211 was also investigated by the Germans and in December 1941 a breakthrough was made in the solution of the device.

Report of December 1941:


In 1942 research continued and frequency counts were made on the solved messages from past traffic. However in late 1942, when French traffic from N.Africa was intercepted, only C-36 messages could be solved. The reasons were that only a small number of B-211 messages were intercepted and that the French B-211 had been modified in some way. The investigations on the B-211 (called procedure F-20 in the German reports) continued in 1943 and they were carried out at Referat F - Forschung (Research department).
Report of May 1943:

Eventually the German codebreakers reached the conclusion that they could only solve this traffic if they had access to a large volume of messages or captured cipher material.
Report of August 1943:

Hagelin B-211 traffic continued to be investigated during the war but no messages were solved. According to a US report from October 1944 the modified B-211 had a high level of security for the reasons identified by the German codebreakers, specifically the modifications made on the device and the low level of traffic (10).



Conclusion
In conclusion we can say that the French did not fare well in the cryptologic field during WWII .The Germans considered their methods outdated and the Anglo-Americans were constantly irritated by their security compromises (11). 




During the 1930’s and up to the Battle of France their high level codes were read by the Germans (12). In N.Africa and Italy their low and mid level codes compromised Allied plans. Moreover it seems that they continued to use weak cryptosystems even after the end of the war up to the 1960’s (13).
The best thing that can be said about the French is that although they lost the cryptologic war by facilitating the Polish success with the Enigma they fatally compromised the basis of German communications

Notes:
(1). TICOM report DF-187B, p6 and SRH-349 ‘The Achievements of the Signal Security Agency (SSA) in World War II’, p31

(2).  ‘Bulletin de l’ARCSI’ article: Bulletin N°3 1975: Essai d'historique du Chiffre (Add. N°3).

(3). ‘Bulletin de l’ARCSI’ article: Bulletin N°4 1976: Essai d'historique du Chiffre (N°5).

(4). Various TICOM reports including I-78

(5). Various TICOM reports, War diary of Inspectorate 7/VI


(7). TICOM reports I-18, I-23, I-45, I-58, I-78, I-92, I-160


(9). British national archives HW 40/258 ‘Enemy Sigint successes against Allied communications

(10). NARA - RG 457 - Entry 9032 - box 1432 - NR4779 ‘Hagelin use by French’

(11). British national archives HW 40/258 ‘Enemy Sigint successes against Allied communications


(13). Histoire de la machine Myosotis


Solution of the Hagelin C-36 at OKW/Chi:

The Hagelin C-36 cipher machine was not a secure device and it seems that in the 1930’s the codebreakers of OKW/Chi (codebreaking department of the Armed Forces High Command) developed methods of solving it.

According to the NSA report ‘Regierungs-Oberinspektor Fritz Menzer: Cryptographic Inventor Extraordinaire’, p21 in 1936 Fritz Menzer developed two methods for solving the C-36.

Also in TICOM report I-31, p7 dr Huttenhain (chief cryptanalyst of OKW/Chi) stated that the French C-36 type could be solved cryptanalytically (without the use of stereotyped beginnings).

Unfortunately, there is no information on the work they did on the C-36 during the late 1930’s and in 1940. Considering their statements on the security afforded by the device it is possible that at OKW/Chi some French Hagelin C-36 traffic was solved during that time.

No comments:

Post a Comment