M-209: Security measures

M-209 Home Page

TM 11-380

Indicators

TM 11-380, May 1947, excerpts:

Introduction

The manual of M-209 (TM 11-380) is a right place to store security measures. At each version, these measures have been improved.

After World War II, Americans, through the TICOM project, discovered that Germans read more than 10% of M-209 messages. Then they improve significantly security measures and wrote them in the TM 11-380 1947 version. During Korean War, these measures were in effect.

TM 11-380, 1942

Indicator

The manual describes an indicator system with message key in plain text. The manual adds this sentence: "Additional security may be obtained by enciphering the message indicator".
Remark: The enciphering of message key isn't mandatory but only recommended.

Destruction of converter M-209

Excerpt: "In case it should become necessary to destroy the converter because of imminent danger of capture by the enemy or for any other reason, the destruction will be accomplished in the following manner. First, see that all keying elements are in neutral positions by changing all lug settings to zero and moving all key wheel pins to the left position. Second, see that the machine is rendered unserviceable to the enemy by stamping upon it with a boot heel or by firing into it with a rifle or pistol."

TM 11-380, 1944

Destruction notice

M-209 destruction is no longer presented in an ordinary paragraph, but very clearly (Why, When, How, What) at the first page.

Change of Keys

The 1942 version said that it is necessary to change keys, but in the 1944 version, this necessity is more explicit: "A high degree of cryptographic security is provided when Converter M-209-(*) is used. Systems using Converter M-209-(*), however, can be solved, especially if a large volume of traffic is encipered without changing the arrangement of the keying elements. A daily change in the internal keying elements is advisable, although the frequency of change will depend upon the tactical situation. This is the responsability of the signal or communication officer. Changes in the external keying element are the responsability of the operator alone, and must be made for every message he enciphers. There is no reason for allowing the enemy to "break" a message enciphered with Converter M-209-(*) because the keying elements were not changed often enough. The key wheel alignements should be noted to prevent using the same arrangement of letters for future messages."

Zeroizing the machine

"When the converter is to be closed at the end of the day or a period of operation, the internal keying elements of must be zeroized. First, push all of the key wheel pins to the left or ineffecitve position. Second, move all lugs to the zero positions on the drum bars..."

The objectives of these measures is to have the converter set only when it is in operation. For example, it shouldn't be set when the military unit is moving. Then the probability of enemy capture of an operational converter is lower.

TM 11-380, 1947

In this version, the security measures were significantly improved. A large part of the manual was devoted to this target. Of course, the former measures was keeped (machine destruction, zeroizing, ...).

Danger of a repeated indicator

During World War II, the most important failure of security about M-209 was the enciphering of two messages with the same external key (and then the indicator was repeated). To prevent operator to do that, the new version of manual explains how an enemy can get the plain text from two messages in this situation.

Using a different external key to each message is so important that the operator is been warned of that several times through the manual.

The indicator method

In case of an unit creating its own key-list, it no longer invents or chooses an indicator method. It must exploit the usually method previously descibed in SOI document. In this 1947 version, this method which involves enciphered message key is explained.

Change of Keys

The key list (and then the internal key) must be changed when traffic load is large: one key will not normally exceed 10,000 groups [50,000 letters]. The aim is to limit the probability of overlaps (and so to put messages in depth).

Length of messages

Messages exceeding 100 groups in length must be divided into two or more approximately equal parts so that no parts exceed 100 groups [500 letters].

Key-list making

Some SOI present the actual internal key as the assembly of differents lugs setting and pins setting. The same lugs setting (or pins setting) can appear in many keys. This method to produce key-list is now forbidden. Each internal setting is completely different.

Re-enciphered message

"When a message must be re-enciphered ..., never use the same message indicator or message rotor alignement. When a message has once been transmitted, it will never be re-enciphered unless the enire message is paraphrased according to instructions contained in AR 380-5; a new message indicator and system indicator must be selected."

Destruction of papers

Destroy all printed tapes not pasted to a message blank.

M-209: a cipher machine for tactical use

Converter M-209-(*) will never be used for SECRET traffic except when a system normally authorized for SECRET traffic is not available.

Variations of spacing

"Converter M-209-(*) was originally designed to encipher one Z between each word so that the deciphered text would appear on the tape in word lenghts. As a security mesure, the following variations of this spacing will be used for every message. Between some words, omit the Z; between other words, encipher two Z's; between remaining words space normally (one Z)".

...

"Caution: NEVER USE MORE THAN TWO Z'S BETWEEN WORDS. NEVER USE A DISPRO- PORTIONATE NUMBER OF ANY ONE OF THE VARIATIONS. NEVER CHOOSE CHARACTERISTIC POINTS FOR PLACING ANY ONE OF THE VARIATIONS. (For example, do not consistenly place double Z's before and after an internal address or signature.)"

Dissemination of restricted matter

Nowadays it is easy to get a 1942 or 1944 TM 11-380 manual. But it is very hard to get the 1947 version because the diffusion of this version was restricted. Indeed, it contains confidential informations about security measures of managing M-209.

M-209 Encryption Machine Training Video

There is a Video which explains how to use the M-209. Overall, it corresponds to the principal elements present in the TM 11-380 1947 version. We can see how to cipher and to decipher a message, how to replace tape, how to destruct the machine ... The encrypted indicator system is explained too.

Break up the internal key wheel indicator

"After ciphering or deciphering a message, the last step is to turn the key wheels to break up the internal key wheel indicator."

The advantage of this rule is to prevent the enemy to decrypt a message if he captures the machine and the last encrypted message.

Remark: this rule isn't in 1947 manual, then the Training Video is more recent, perhaps it was made in 1950.

References