Mirror
/
CyberChef
mirror of https://github.com/gchq/CyberChef.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Page: Lorenz SZ
Pages
Adding a new operation Automatic detection of encoded data using CyberChef Magic Character encoding, EOL separators, and editor features Colossus Contributing Creating a new theme Enigma, the Bombe, and Typex Flow Control Getting started Home Lorenz SZ Multiple Inputs Node API
1 Lorenz SZ
n1474335 edited this page 2019-11-06 13:12:32 +00:00
Table of Contents

Article written by @VirtualColossus

How to use Lorenz SZ40/42

About the Lorenz

The Lorenz SZ40, SZ42A and SZ24B were a range of teleprinter cipher attachment machines developed by C. Lorenz AG in Berlin during World War II. The SZ model name is from the German "Schlüssel-Zusatz" which means cipher attachment.

The Enigma cipher machine was portable enough for front line troops, but it required two operators at each end of the link - one to encipher the message one letter at a time and another to transmit it via Morse code. What was required by the German high command was something faster and even more secure to transmit messages directly between Berlin and the front-line generals. Lorenz built a machine which would attach between two remote teleprinters and automatically encipher and decipher the letters being typed.

It had twelve fixed rotors, each of which had a varying number of switches or cams around the circumference. Five of the twelve rotors generated one new character for each character entered and these were known as the Chi(χ) wheels at Bletchley Park. A second set of five rotors, the Psi(ψ) wheels, generated a second character, but the movement of these was intermittent and controlled by a further two Motor wheels Mu(μ).

Understanding ITA2

A teleprinter sent characters by using a 5-bit code called ITA2 (International Telegraph Alphabet No. 2) and it was these 5 bits of information that were enciphered by adding two pseudorandom characters generated by the rotors on the Lorenz.

Each letter could be represented by a 5-bit code of impulses or their absence. This signal was encoded onto a punched paper tape as a series of holes or no-holes where an impulse was required. Bletchley Park would record these impulses as either an x for a hole or a . for a no-hole impulse. For example, the letter A would be represented by xx··· and the letter B by x··xx. These impulses could be sent over a wired or wireless link.

This gave a total of 32 symbols, which was not enough to encode the alphabet and all the numbers together, so several control codes were available. There were two special control codes to switch between letter and figure modes. Therefore, depending on the last control code sent, the next characters sent would register as either letters or numbers/punctuation.

When writing out the control codes, it was common practice to write the space as either a 9 or a ., the figure shift character as a 5 or +, and the letter shift character as an 8 or -.

To encipher a message, we must first encode it into ITA2. The Lorenz operation can do this for us and we can see its results by following this link or following the instructions below.

Set the Model dropdown menu to SZ40, the Wheel Pattern to No Pattern (this means no enciphering will be done and we'll just see the encoded ITA2 message). Set the Mode to Send, the Input Type to Plaintext and finally, the ITA2 Format to 5/8/9.

Now type the following in the Input section:

ABC123DEF.

You should see the output ABC55QWE88DEF55M. This means send the characters ABC, then the 5 means switch into figure shift mode. You can see that this is sent twice. This was a common practice to make sure the control code was received correctly; a garbled or missing control code would make the message unintelligible. Next are the letters QWE, the top row of a QWERTY keyboard matches the number codes when in figure shift mode (Q=1, W=2, E=3 ... O=9, P=0). Next, the 8 characters are representing the letter shift character followed by DEF and finally, we shift back into figure shift mode to write out our final full stop (the letter M encodes as . in figure shift mode).

If you would rather enter your message directly as ITA2, set the Input Type dropdown to ITA2. Remember, you can only use the letters A-Z and the numbers 3 (LF), 4 (CR), 5, 8, 9 plus a special null character /. If you would prefer to use the other notation for control codes, change the ITA2 Format drop down to +/-/..

How to encrypt/decrypt with Lorenz

Firstly, we will encrypt a message using the Lorenz model SZ42a. Note that the operator would normally not have seen the encrypted string. The Lorenz machine automatically encrypted the entered information and transmitted it to a remote second Lorenz which decrypted back to another teleprinter output. However, the encrypted output was picked up by British Y Stations and sent to Bletchley Park.

We want to send the following message:

THIS IS A TEST TRANSMISSION, FROM A LORENZ SZ42 CIPHER ATTACHMENT, USING CYBERCHEF.

Either click this link to view in CyberChef, or set the Model dropdown menu to SZ42a and the Wheel Pattern to KH Pattern. The wheel pattern is a pre-set pattern of the total of 501 cams on each of the rotors which will each generate a different encryption output.

Next, make sure the KT-Schalter option is not ticked, set the Mode to Send, the Input Type to Plaintext and the ITA2 Format to 5/8/9.

Finally type the above message into the Input section - you should receive the Output enciphered message below:

GWG8NUPFZ4VKAKD8DCCXXWKOL3NFU4BPZVD9ISWPFJFLRVERCRFEZ9CWB5EADOIXPYDMXID949CXD34HXWFDVN5O8S39//AHB

As well as setting the wheel patterns on each of the rotors (which was done on a regular schedule), each of the twelve rotors could be rotated around to set a start position which would show as a number in a window in the front of the machine. Changing these alters which letters are generated and therefore changes the enciphered message. This was required to be changed to a new setting before each new message was transmitted.

Try setting the wheels to the following start positions, or click this link to see directly.

ψ1 to 20, ψ2 to 32, ψ3 to 9, ψ4 to 51, ψ5 to 47 M37 to 2, M61 to 18 χ1 to 26, χ2 to 6, χ3 to 29, χ4 to 16 and χ5 to 4

This should change the enciphered output to

P45QAYC84TAP9U5QDZ9GVK5BERHXEZD9Q5H5T5HJW5DD4PULPBBKHXISRBGTSMKPM8EBRNGGM/QZQQJXUUTS9Y899S4XVLWFT

To decipher, we are only expecting an input of ITA2 characters as this would have come directly from a Lorenz cipher machine.

Click this link or set the Wheel Pattern to the BREAM Pattern and set the Mode to Receive. Leave the wheel start positions the same as the settings above. Now paste the following received message into the input.

CH58USOQWRTRIMW/OGXR3Q5P//GDVYO3I4TWE3VTVISYIAGQ5H3ULPI4PASLA4JOINJRK3AMT485KRL3D3VFIXZGDQFKYQA

Your deciphered message should appear as:

HELLO CYBERCHEF USER, IF YOU CAN READ THIS, YOU HAVE RECEIVED A MESSAGE SUCCESSFULLY.

Note how changing just a single start position garbles the message. If you consider changing the start positions and the pin settings, this gives a phenomenal 1 x 10170 combinations.

Advanced settings

There are three models of Lorenz SZ simulated; the SZ40, the SZ42a and the SZ42b but the main difference in each is how the Psi wheels are moved relative to the Motor wheels.

On the SZ40, the motor wheel M61 steps for each letter while the M37 steps only where the M61 wheels' current cam is set to on. When the M37 wheel current cam is set to on, the Psi wheels will step, otherwise they stay still.

On the SZ42a, instead of just using the 37-pin motor wheel setting to tell when the Psi wheels should turn, the setting of the second Chi wheel(No.9) from one position back was also checked. If the 37-pin wheel active setting was off and the limitation value from Chi2(1 back) wheel was on, the Psi wheels would not move. Any other combination would move all the Psi wheels forward one position together.

A further optional limitation, which was based on the fifth impulse from the plaintext character 2 back, was also available. The Plaintext Limitation (Klartextfunktion) represents an additional security measure. This can be turned on or off by setting the checkbox marked KT-Schalter (Klartextfunktion switch).

This means an addition of the plaintext fifth impulse from two characters back to the limitation affecting the Psi wheels' movement. It was used on the SZ42a and SZ42b later in the war but caused issues when used due to radio interference which would cause the message to be garbled on reception. Bletchley Park named this the P5 limitation.

The SZ42b was almost identical to the SZ42a with the further addition of another wheel into the limitation calculation. The limitation value was now set using both the Chi2 wheel, 1 back (wheel 9) and also the Psi1, 1 back (wheel 1). These affected the movement of the Psi wheels as on the SZ42a. The optional P5 (KT-Switch) limitation was also available.

If you really want to customise your pin settings more than just the few supplied, change the Wheel Pattern dropdown to Custom. This will allow you to set each of the pins separately for each of the twelve rotors.

You must enter the specified number of . or x characters for the setting to be valid. A . denotes an off position (0) while an x denotes an on (or 1).

Further Information

If you would like to know more about the Lorenz SZ cipher attachment, or to find out the incredible story of the people and machines that helped to break it at Bletchley Park, please try the following links:

lorenz.virtualcolossus.co.uk - Online simulations including Colossus and the Lorenz SZ40/42.

TNMOC - The National Museum of Computing where you can see working reconstructions of Colossus, the Tunny machine, Heath Robinson & the Bombe plus an actual Lorenz SZ42.

Bletchley Park - The code breaking site where Lorenz was cracked.