3.4. Cryptanalysis
The security of the M-209 was good for its time, but not perfect. Unlike one other cipher
machine used by the US in WW2, the SIGABA, M-209 cipher texts could be decrypted by hand
relatively easily once the enemy knew the internal mechanics of the machine.
The Hagelin M-209 cipher machine
This was done using kappa testing, which uses the index of coincidence, a technique invented during the 1920s by William F. Friedman, the same person who gave Hagelin advice on how to improve his C-38 and build the M-209. Under heavy traffic the M-209 could come into situations where the key wheels were in close enough positions that the machine would create overlapping portions of the text. The kappa test uses these overlapping portions and makes it possible for the cryptanalyst to recover the key-wheel pin and lug settings of the machine.
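The kappa test locating such an overlap, as an added example that is not from the original paper. Assumptions: the keystream is a constructed random stream rather than the M-209 wheel mechanism, the plaintexts are letters sampled with approximate English frequencies, and the names `encipher`, `kappa_test` and `demo` are illustrative. It only finds the alignment; recovering pin and lug settings from it is a further step not shown.

```python
import random
import string

ALPHA = string.ascii_uppercase
# Approximate English letter frequencies in percent, A..Z (used as weights).
FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
        6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def encipher(plain, key):
    """M-209-style reciprocal substitution: c = (25 + k - p) mod 26."""
    return "".join(ALPHA[(25 + k - ALPHA.index(p)) % 26]
                   for p, k in zip(plain, key))


def kappa(a, b):
    """Fraction of aligned positions where both texts carry the same letter."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0


def kappa_test(c1, c2, max_shift):
    """Slide c2 along c1 and return (best_shift, {shift: kappa})."""
    rates = {s: kappa(c1[s:], c2) for s in range(max_shift + 1)}
    return max(rates, key=rates.get), rates


def demo(true_offset=37, length=5000, seed=209):
    """Two constructed messages whose keystreams overlap at true_offset."""
    rng = random.Random(seed)
    keystream = [rng.randrange(26) for _ in range(length + true_offset)]
    p1 = "".join(rng.choices(ALPHA, weights=FREQ, k=length))
    p2 = "".join(rng.choices(ALPHA, weights=FREQ, k=length))
    c1 = encipher(p1, keystream)                # starts at keystream position 0
    c2 = encipher(p2, keystream[true_offset:])  # starts true_offset later
    return kappa_test(c1, c2, max_shift=100)


if __name__ == "__main__":
    best, rates = demo()
    others = [r for s, r in rates.items() if s != best]
    # Same key letter at an aligned position means the ciphertext letters
    # match exactly when the plaintext letters match (about 6.6% for English);
    # at a wrong alignment the match rate falls to about 1/26 (3.8%).
    print(f"best shift {best}: kappa = {rates[best]:.4f}")
    print(f"mean kappa at other shifts = {sum(others) / len(others):.4f}")
```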
The Germans managed to get their hands on quite a lot of M-209 machines and became familiar with the way they worked. By 1943 they had learned that certain settings gave patterns that could disclose the settings of the pins on the key wheels and the lugs in the cage, making them able to decrypt cipher text from the M-209 with a length of approximately 150 letters. If the cryptanalyst was lucky, 35 letters could be enough. Decryption by an adversary was very time consuming, and this, together with the extreme number of internal settings, made the US Army keep the M-209 in tactical use not only through WW2 but, as mentioned, also through the Korean War. Since it was known to be vulnerable to cryptanalysis, it was limited to tactical use with messages that would be acted on immediately by the receiver, within the time it would take to decrypt the message.
Around 1970 a cryptanalysis of the M-209 was carried out by Dennis Ritchie, the creator of the C programming language and one of the creators of the UNIX operating system; Robert Morris, a contributor to the early versions of UNIX and chief scientist at the NSA in the early 90s; and Jim Reeds, a mathematician and hobby cryptologist. The result was a computer program that, in a relatively short time, was able to decrypt about half the texts longer than 2000 characters, and most of the texts with over 2500 characters. In 1974 Robert Morris wrote the crypt program for the Sixth Edition of Unix, based on the M-209 ciphering method.
Ritchie, Morris and Reeds's work was written up as an article meant to be published in the Cryptologia magazine, but after a dialogue with the NSA, their work was never published. Although the NSA didn't have any interest in the M-209 anymore, there were cipher machines still in use based on the same principles. Their work could therefore potentially damage governments using this equipment [Ritchie].
Technology has evolved, and by the late 1990s a fast ciphertext-only attack was possible with 1000-2000 characters, and a known-plaintext attack with only 50-100 characters [Menezes et al.].