Vor sieben Jahren veröffentlichte der Bundesnachrichtendienst vier verschlüsselte Nachrichten. Drei davon sind bis heute ungelöst.

English version (translated with DeepL)

Vor sieben Jahren berichtete ich zum ersten Mal über eine Reihe von Kryptologie-Webseiten des Bundesnachrichtendiensts (BND). Jörg Drobick, damals wie heute ein Leser dieses Blogs, hatte mich darauf aufmerksam gemacht. Leider sind diese durchaus interessanten Seiten inzwischen aus dem BND-Webauftritt verschwunden. Dies gilt auch für vier kryptologische Rätsel, die der BND dort unter dem nicht gerade reißerischen Titel “Kryptologie – Beispieltexte” veröffentlicht hatte.

BND

Quelle/Source: BND

Hier sind die vier “Beispieltexte” (es handelt sich um Screenshots der Original-Seite des BND):

BND-Challenge-1

Quelle/Source: BND

BND-Challenge-2

Quelle/Source: BND

Die Klartexte zu den ersten drei Rätseln sind laut BND in deutscher Sprache abgefasst, der vierte in (amerikanischem) Englisch.

Nach meinem Artikel von 2014 veröffentlichten meine Leser insgesamt 45 Kommentare, doch keines der vier Rätsel wurde gelöst.

 

Ein zweiter Versuch

2017 berichtete ich ein zweites Mal über die vier BND-Krypto-Rätsel. Dieses Mal legte ich den Schwerpunkt auf dem ersten “Beispieltext”:

UELNW ETTHE CSTEN AGSEZ UCPRL INEIE DISSS CINRA
DUAZN AETTC ÜITWE ADLTG CRSNH FTULD HNIHL EATMA
ZNRHS ÜEBUV TSEAN

Die folgende Häufigkeitsanalyse (erstellt mit CrypTool 2) zeigt, dass die Buchstaben-Häufigkeiten denen der deutschen Sprache entsprechen:

BND-Challenge-Frequency-Analysis

Quelle/Source: CrypTool

Dies spricht stark für eine Transpositions-Chiffre. Blog-Leser Ralf Bülow war der erste, der den Klartext ermittelte. Ihm war aufgefallen, dass das Kryptogramm die gleichen Buchstaben enthielt wie die ersten zwei Sätze des Grundgesetzes:

Die Würde des Menschen ist unantastbar. Sie zu achten und zu schützen ist Verpflichtung aller staatlichen Gewalt.

Blog-Leser Marc fand heraus, dass es sich tatsächlich um eine Transpositions-Chiffre handelte, und zwar um das Doppelwürfel-Verfahren. Die beiden Schlüsselwörter lauten VERFASSUNG und GRUNDGESETZ. Damit war das erste BND-Rätsel gelöst.

 

Ein dritter Versuch

Vor einer Woche erhielt ich eine Nachricht von einem Blog-Leser aus Nürnberg, der fragte, wie es den mit den BND-Challenges stand. Meine Antwort war einfach: Meines Wissens gab es seit Jahren nichts Neues. Die “Beispieltexte” sind also zu einem kryptologischen Cold Case geworden. Auf der BND-Webseite sind sie nicht mehr zu finden.

Doch Cipherbrain hat bekanntlich ein gutes Gedächtnis. Deshalb möchte ich die drei ungelösten “Beispieltexte” heute noch einmal vorstellen. Hier sind sie:

Text 2:

D8 B9 42 86 0B 6C E6 C5 8F 63 41 46 53 B7 99 8F
A8 C8 65 94 F5 98 09 BE B4 63 B1 C3 34 54 09 73
BD C4 AE E4 BF 01 0E 34 F2 A9 0A CF 16 71 A5 DE
98 2B 58 47 1D F6 94 8F A1 DE 2B DD B0 C3 23 B8
B2 2F E6 FA 27 5C 09 73 E5 8D A1 AF

Text 3:

4D 8F 3B 0E 02 31 0C 44 AF E2 03 F0 39 C3 AE A0
A0 A0 40 9C 20 9B 0C 1B 8B C8 42 8E 43 C1 79 39
C6 16 38 A9 A8 2C 7B 9E 67 EC 33 0B 4D AD 96 20
A9 4A 88 59 39 66 83 24 86 54 DB 51 82 52 6A 1A
33 F9 84 32 34 B4 AA 61 75 00 74 6B A1 B0 7D 8D
2A 58 9C 9B 74 01 1B 35 49 03 BE 88 61 D5 7F E0
CA 16 06 03 3D EE 59 04 42 5D 10 5F 79 43 3F 3D
79 09 EA FD EC 8C A7 D0 63 D3 61 75 77 09 9A BB
7B 3F 68 F6 08 54 C5 AB 2D 85 9F 74 42 B3 1A 73
7F 61 84 73 D6 0E 6D BA 7A 29 E0 6A B0 C3 0F

Text 4:

4A 16 17 9B 71 B1 96 6E 5A 55 A2 34 FF C7 46 02
CC 69 3E C1 B6 55 DE 1E A8 47 51 C4 BA 82 3F E0
FE C6 29 7F 74 F7 28 86 97 60 85 75 18 50 F5 B6
60 B9 AF 3A B6 EE 30 D5

Wie man sieht, handelt es sich in allen drei Fällen um Hexadezimalzahlen. Möglicherweise lassen diese sich in Buchstaben oder andere Zeichen umwandeln. Wer eine Idee zur Entschlüsselung dieser drei Kryptogramme hat, möge sich melden. Vielleicht lässt sich dieser Cold Case nach all den Jahren lösen.


Further reading: Christoph’s Chaotic Caesar Challenge

Linkedin: https://www.linkedin.com/groups/13501820
Facebook: https://www.facebook.com/groups/763282653806483/

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Kommentare (12)

  1. #1 Howie Munson
    25. August 2021

    Zum Transkript von Text 2: Das “OE” zwischen “01” und “34” in Zeile 3 müßte laut Screenshot ein “0E” sein.

  2. #2 The_Piper
    25. August 2021

    Und vermutlich ein Tippfehler in Text 2 (oops, da war Howie schneller)

    E4 BF 01 OE

    soll wohl E4 BF 01 “NULL” E sein
    anstatt “groß O” E.

    Und mit meinem gefährlichen Halbwissen und einem kleinen C-Programm vermute ich mal, das ist keine einfache Transposition.

    Für Text 2
    62 different values.
    max = 3 (144)
    min = 1 (11)
    144/x’90’/’.’ 3 ####################
    248/x’F8’/’.’ 3 ####################
    026/x’1A’/’.’ 2 ############
    054/x’36’/’6′ 2 ############
    055/x’37’/’7′ 2 ############
    060/x’3C’/’.’ 2 ############
    067/x’43’/’C’ 2 ############
    073/x’49’/’I’ 2 #############
    110/x’6E’/’n’ 2 ############
    137/x’89’/’.’ 2 #############

    Für Text 3
    116 different values.
    max = 4 (22)
    min = 1 (0)
    022/x’16’/’.’ 4 #############
    010/x’0A’/’.’ 3 #########
    036/x’24’/’$’ 3 #########
    048/x’30’/’0′ 3 #########
    071/x’47’/’G’ 3 #########
    147/x’93’/’.’ 3 ##########
    151/x’97’/’.’ 3 ##########
    002/x’02’/’.’ 2 ####
    011/x’0B’/’.’ 2 ####
    014/x’0E’/’.’ 2 ####

    Für Text 4
    52 different values.
    max = 3 (107)
    min = 1 (3)
    107/x’6B’/’k’ 3 ##############
    006/x’06’/’.’ 2 ############
    085/x’55’/’U’ 2 ###########
    003/x’03’/’.’ 1 ####
    005/x’05’/’.’ 1 ####
    014/x’0E’/’.’ 1 ####
    021/x’15’/’.’ 1 ####
    023/x’17’/’.’ 1 ####

  3. #3 Klaus Schmeh
    25. August 2021

    @Howie Munson, The Piper:
    Thanks for the hint, I have corrected the mistake.

  4. #4 Gerry
    26. August 2021

    What is suspicious about Text #2: It has 76 bytes, that is 4 * 19, and the BND’s motto is “LIBERTAS ET SECURITAS”, which is also 19 chars (without the spaces). The XOR of byte 1 and 20 gives the “L” (4C in hex), but the XOR of 2 and 21 also 🙁 and then it gets even worse.
    But maybe someone has another idea of combining the bytes…

  5. #5 The_Piper
    28. August 2021

    @Gerry

    I tried to combine 4 bytes, 1, 20, 39, 57, with AND, OR, XOR, ADD, MULTIPLY, but no result which makes sense either..

  6. #6 The_Piper
    28. August 2021

    …1, 20, 39, 58 of course o.O

  7. #7 Geoffrey Caveney
    New York City
    3. September 2021

    The other issue about the XOR decryption step proposed by Gerry is this: What would the encryption process have been? For example, to encrypt the L (4C in hex) in the first place, how would the author choose between D8+94, B9+F5, or any other hex pair that XOR’s to 4C?

  8. #8 Geoffrey Caveney
    3. September 2021

    I will just toss out a few ideas about possible cipher methods for hexadecimal values. ASCII is a natural assumption to begin with, as there is a history of “ASCII shift” ciphers. For the German messages, ü and ö are absent in 128-character ASCII. They occur in the first 256 characters of Unicode, but it seems inefficient since the vast majority of the additional characters are other vowels with various diacritical marks that are not needed either in German or in English. It seems more efficient to just use 128-character ASCII and write ü as “ue” and ö and “oe”.

    But even half of 128-character ASCII would also be rarely or never needed for purposes of most typical ciphers. The first 32 characters are various control commands, completely useless for a cipher. The next 32 characters are punctuation marks and numerals; they could possibly be included occasionally in a cipher, but hardly enough to justify an entire quarter or third of all possible hexadecimal values in a cipher.

    Rather, the hex values that we really need are the letters of the alphabet, which make up the majority of ASCII hex values with first hex digit 4,5,6,7. Even this is redundant since the 6-7 series is just the lower-case version of the capital letter 4-5 series, but the redundancy would have no effect on the efficiency of the cryptographic system.

    Thus, I propose that the most efficient system for a hexadecimal value cipher based on ASCII would be to compress — at some stage of the process, not necessarily the first step — all hex values into the 64 values from 40 to 7F. This step itself would be a simple process: 00=40=80=C0 ; 3F=7F=BF=FF ; and so on for each value in between.

  9. #9 Geoffrey Caveney
    3. September 2021

    Another problem with “Libertas et securitas” as the message of Text 2 is that the motto is in Latin, but the challenge specified that the first 3 messages are written in German.

  10. #10 Gerry
    4. September 2021

    Geoffrey, good idea, but there is a problem: 2 * 2 * 19 * 8 bit is not divisible by 6, and also not by 5 (if we assume there is only text, which needs only 26 values < 32 = 2^5).
    @The_Piper: what a pity!

  11. #11 Geoffrey Caveney
    4. September 2021

    I don’t think divisibility by 6 or by 5 or by anything is necessarily required, at least not for Text 2 and Text 4 according to my analysis. I can transform Text 2 into a text with precisely 30 distinct letter values by my method, which happens to be the number of letters in the complete German alphabet with ä, ö, ü, and ß included. I can also transform Text 4 into a text with only 25 distinct letter values by my method, so that the standard English alphabet covers it.

    For simplicity, I can just convert every hexadecimal two-digit value into the 32 values from 40 through 5F (that is, all values with 4 or 5 as the first digit) in the following natural way: “even” first digits 0,2,4,6,8,A,C,E all become 4, and “odd” first digits 1,3,5,7,9,B,D,F all become 5.

    For Text 2, it so happens that the values 40 and 5B are absent after this conversion. Conveniently, they occur immediately before and after the values of the 26 standard capital letters from 41=A to 5A=Z. Then the last four values 5C, 5D, 5E, and 5F can conveniently represent the four additional German letters ä, ö, ü, and ß.

    In this way I can logically convert the entire Text 2 into a ciphertext with the 30 German letters. Here is the result:

    XYBFKLFEOCAFSWYO
    HHETUXIüTCQCTTIS
    öDNDßANTRIJOVQEü
    XKXGöVTOAüKöPCCX
    ROFZGäISEMAO

    To give a couple examples to illustrate the process, in the first two-digit hexadecimal value D8, the first digit is “odd”, so D8=58, and in ASCII 58=X. And in the last two-digit hex value AF, the first digit is “even”, so AF=4F, and in ASCII 4F=O.

    I set the values of the 4 extra German letters in order: 5C=ä, 5D=ö, 5E=ü, 5F=ß. Examples in Text 2: The first value in the third line is BD, B is “odd”, so BD=5D, and 5D=ö. The last value in the third line is DE, D is “odd”, so DE=5E, and 5E=ü.

    Now we have a standard German ciphertext with 76 German letters, which we simply need to figure out how to solve like any ciphertext.

  12. #12 Geoffrey Caveney
    4. September 2021

    To follow up on the German ciphertext I obtained for Text 2 by the process I described, I have begun to look into possible decryptions of this ciphertext. I observe that if it is a Vigenere cipher, a keyword length 10 is a natural fit since “O” would occur 4 times at the 6th letter of a length 10 key, and “T” would occur 3 times at the 10th letter of the key. The overall Index of Coincidence is thus quite high using the Kasiski test with period 10, around 0.075, close to that of typical German plaintext.

    But I find that the decryption process is still difficult! I am not very familiar with German-language cryptography, but an overview of online resources for German Vigenere decryption indicates that the more typical process is to just use the 26-letter English alphabet and write the extra letters as “AE”, “OE”, UE”, and “SS”. But in the case of Text 2, we would need the full 30-letter alphabet with all the letters included in the tabula recta Vigenere tableau for encryption and decryption. So typical existing German Vigenere decryption programs may not work, since the shift from a 26-letter to a 30-letter alphabet changes the results completely.

    If they just used the regular alphabetical order for the alphabet in the tabula recta Vigenere tableau, decryption might not be so difficult. But several trial tests indicate to me that this appears to be unlikely. Thus we may be dealing with a keyed alphabet with an unknown keyword to create the Vigenere tableau, and then the other keyword with 10 letters to perform the encryption/decryption. In general it is quite difficult to decipher a Vigenere with an unknown keyed alphabet, and here moreover we only have 76 letters to work with, only 7 or 8 for each of the 10 keyword letters, and we have the unusual 30-letter alphabet as well.

    Hopefully someone with more experience with German-language Vigenere cipher cryptanalysis and decryption can use some of this information to make some progress on Text 2!

    Here is my German ciphertext for Text 2 again, this time in rows of 10 letters each to make the period-10 patterns clearer and more convenient to work with:

    XYBFKLFEOC
    AFSWYOHHET
    UXIüTCQCTT
    ISöDNDßANT
    RIJOVQEüXK
    XGöVTOAüKö
    PCCXROFZGä
    ISEMAO