4 October 2000

Corrections and supplements to these topics are invited: jy@cryptome.org

Date: Mon, 02 Oct 2000 19:24:08 -0400
To: coderpunks@toad.com
From: John Young <jya@pipeline.com>
Subject: Re: AES winner?

The AES Q&A notes that the technology will be used to protect non-classified government material. What cryptosystems are used to protect classified information -- that is, either with hardware implementation or with software only? Or are these methods themselves classified?

A book filled with bountiful information on WW2 codebreaking by the US is "Secret Messages: Codebreaking and American Diplomacy 1930-1945," by David Alvarez, University Press of Kansas, 2000 (available on Amazon). [Excerpt on Vatican spying by the US]

US cryptanalytic attacks on allies is especially provocative, including FBI black bag jobs on embassies in DC such as that of the Vatican -- an operation still classified.  [David Alvarez e-mail.] The Vatican is said to have had some of the strongest codes and ciphers at that time, some which were never broken.

Is the Vatican still deploying top of the line crypto? If so, what is the secret to its success? Could it be secret black mass numerology of medieval mathematicians, or due to black robe burgles of North Africans such as the inventor of zero?

Alvarez offers a lot of good stuff on the Brits coaching the Yankees on how to do world-class crypto -- while withholding the best stuff from the freshmen. The US cryptanalysts swear with a grin that they did not attack the Brits' cryptosystems -- back then. Except by way of snooping the Brits' communications with colonies.

From: Anonymous
To: "John Young" <jya@pipeline.com>
Subject: RE: AES winner?
Date: Mon, 2 Oct 2000 18:48:07 -0700

> The AES Q&A notes that the technology will be used
> to protect non-classified government material. What
> cryptosystems are used to protect classified information
>  -- that is, either with hardware implementation or with
> software only? Or are these methods themselves
> classified?

The methods themselves are classified.

The PKCS 11 (Cryptoki) 2.01 specification contains specifiers for two ciphers, BATON and JUNIPER, for which no technical information appears to be publically available (at least with my Internet searching). BATON was mentioned in some Clipper-related testimony [1] as an algorithm which is faster than SKIPJACK and is in some government-market products. (Search for "encryption and baton".)

According to the PKCS 11 spec, each cipher takes 320 bit keys; each key has 160 parity bits. This leads me to believe that the cipher is only implemented by secure hardware, which enforces the correctness of cryptographically-dependant parity bits, preventing any keys from being loaded other than those which have been correctly generated.

The CDSA/CSSM spec [2] includes the names of another classified cipher, MAYFLY, which a Cypherpunk e-mail from 1997 [3] indicates may be a public key cipher.

[1]

http://www.eff.org/pub/Privacy/Key_escrow/Clipper/mcconnell_nsa_clipper_0594.followup

[2]

http://www.opennc.org/onlinepubs/9629299/2_chap03.htm

[3]

http://www.inet-one.com/cypherpunks/dir.1997.11.20-1997.11.26/msg00111.html

Date: Mon, 2 Oct 2000 22:20:09 -0400
From: Steve Furlong <sfurlong@acmenet.net>
To: Multiple recipients of list <cypherpunks@openpgp.net>
Subject: US crypto on classified info

John Young wrote:

> The AES Q&A notes that the technology will be used
> to protect non-classified government material. What
> cryptosystems are used to protect classified information
>  -- that is, either with hardware implementation or with
> software only? Or are these methods themselves
> classified?

Yep, for the higher-classified material, anyway.

And having said that, I'm going to have to weasel out. I don't remember what I can talk about and what's classified. Sorry for my bad memory.

Ta,

SRF, former Captain, MI, US Army

--

Steve Furlong, Computer Condottiere     Have GNU, will travel
   518-374-4720     sfurlong@acmenet.net

Date: Tue, 03 Oct 2000 08:21:57 -0700
To: John Young <jya@pipeline.com>, coderpunks@toad.com
From: David Honig <honig@sprynet.com>
Subject: Re: AES winner?

[Snip Young excerpt]

The NSA has always been rather interested in tamper-resistant, tamper-evident, reverse-engineering-resistant, and self-destructing circuits.  Its evident in their patents, and in the self-destruct policies of certain modules aboard satellite launches (there was some ruckus a few years ago about some chinese post-boom litter-collection..)

And Skipjack was classified (though for public use!) at first.  (For good reason, as civilian analysts later showed.)

If you have the level of physical & NS-based control they do, security-by-obscurity is relatively cheap and occasionally effective, wouldn't you think?  Particularly if they changed algorithms or algorithm parameters (e.g., replace Blowfish's Pi table with another random 4kbyte table) occasionally.

(all speculation)

"The electron, in my judgment, is the ultimate precision-guided munition."
-John Deutsch, CIA Director

Date: Tue, 03 Oct 2000 11:58:59 -0400
To: coderpunks@toad.com
From: John Young <jya@pipeline.com>
Subject: Classified Crypto

We've received several responses on encryption protection for classified information, and pursued a few leads. Here's a brief summary - for which supplements and corrections are welcome.

NSA has at least three levels of strength for categorizing encryption algorithms, Types 1, 2 and 3, with 1 the strongest.

Type1 examples: BATON, JUNIPER, MAYFLY, CRAYON

Type 2 examples: KEA, SKIPJACK

Type 3 all the rest, roughly, <40 bits.

Type 1 for highest level, and, according to some, the technical details for none of the algorithms are public.

Type 2 details are partially known.

Type 3 details are generally known but some parts may not be public, such as covert access features.

Here are a few URLs for BATON citations:

------------------

http://www.govcomm.harris.com/secure-comm/

[2000]

"Harris Corporation is developing the world's first high-security wireless local area network interface card. The product, known as SecNet-11 (Secure Wireless Local Area Network), is a secure Type 1 encryption (Baton algorithm) wireless network card (PCMCIA) based on the Harris Sierra Encryption Module and the Intersil PRISM II chip set."

------------------

http://www.rainbow.com/mykoweb/myk85.htm

[2000]

Designed and programmed by Mykotronx, Inc., the MYK-85 features a complete 32-bit RISC-based cryptographic processor. The Type 1 government encryption/decryption algorithm, called Baton as well as DES and Triple DES is in hardware. The MYK-85 also implements NIST Digital Signature and Secure Hash Standards.

------------------

http://www.fas.org/spp/military/docops/defense/97_dtos/dtap_dtos/is_dto.htm

[1997]

By FY97, the program will demonstrate secure guards and firewalls at B3 level of service. Multilevel security requirements will be addressed by the insertion of tactical end-to-end encryption device (TEED) hardware into Task Force XXI. TEEDs to support the tactical internet protocol internetwork should be available for user testing in FY97. Following successful development and testing, TEED will be upgraded to support asynchronous transfer mode cell encryption using Baton technology in FY98."

------------------

http://www.ado.army.mil/Brdoc/docs/ADMP/1996/1996/06imple.htm

[1996]

6.4.3 Tactical End-to-End Encryption Device (TEED)

TEED is an encryption device used to provide end-to-end security for Force XXI data users. As long as the MSE/TPN remains at its current SECRET High security level, TEED would be used by:

Unclassified logistics users who need to use the MSE/TPN as a common carrier. IEW users whose security needs exceed the SECRET level of the MSE/TPN.

In the first instance, TEED is used to protect the base-level Secret users from users working at lower classifications. In the second, TEED protects the higher-level Top Secret users from the base network. TEED is designed to protect both of these applications. Further development is needed to produce a TEED that will encrypt ATM and IP traffic. The National Security Agency (NSA) is investigating the new BATON encryption algorithm for this use.

------------------

http://www.totse.com/files/FA032/bits.htm

[1995]

The National Security Agency (NSA) has funded a study to investigate the new BATON encryption algorithm for application to TEED. BATON is an algorithm that will encrypt ATM, as well as IP, traffic. BATON is the encryption technique for the future. The TEED Internet Security Manager (TISM) is being developed to support TEEDs in the field; it will perform remote keying, remote zeroization, auditing, and other security and security-management functions for TEED. Full-scale engineering development (FSED) TEEDs will be IP/ATM-capable. If the POC TEEDs are successful at JWID '95, a possible acquisition scenario would be to provide production funding in FYs 97 through 99. The R&D cost would be amortized over a production lot of 4,500 units. An initial delivery of 200 TEEDs will support the Corps XXI AWE. The acquisition of an additional 4,300 units will allow the Army to acquire the minimum number of TEEDs needed as rapidly as possible (4,500 units represents one TEED at every C3-XA packet switch in the Army). "

------------------

http://c4iweb.spawar.navy.mil/pmw179/DMR_primer.htm

[No date]

The programmable, embedded encryption not only allows interoperability with current legacy encryption, but also allows for a migration path to upgrade our aging encryption algorithms to modern ones such as BATON and CRAYON. The embedded ANDVT option includes MELP voice encoding which is a much better sounding modernization of LPC-10. The embedded ANDVT will automatically drop back to LPC-10 when talking to a legacy ANDVT. The embedded encryption is also compatible with single point black key fill systems that will allow for automating key fill operations.

Date: Tue, 3 Oct 2000 14:09:20 -0400
From: "Michael H. Warfield" <mhw@wittsend.com>
To: John Young <jya@pipeline.com>
Cc: coderpunks@toad.com
Subject: Re: Classified Crypto

On Tue, Oct 03, 2000 at 11:58:59AM -0400, John Young wrote:

> NSA has at least three levels of strength for categorizing
> encryption algorithms, Types 1, 2 and 3, with 1 the strongest.
>
> Type1 examples: BATON, JUNIPER, MAYFLY, CRAYON
> Type 2 examples: KEA, SKIPJACK
> Type 3 all the rest, roughly, <40 bits.
>
> Type 1 for highest level, and, according to some, the
> technical details for none of the algorithms are public.
>
> Type 2 details are partially known.

Was the SKIPJACK example an "is" or a "was"?  I thought that SkipJack was now released, warts and all, for public view.

Mike

--

Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

[JY: Yes, SKIPJACK has been declassified by the NSA.

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: coderpunks@toad.com, jya@pipeline.com
Subject: Re: Classified Crypto
Date: Wed, 4 Oct 2000 07:52:50 (NZDT)

John Young <jya@pipeline.com> writes:

>NSA has at least three levels of strength for categorizing encryption
>algorithms, Types 1, 2 and 3, with 1 the strongest.
>
>Type1 examples: BATON, JUNIPER, MAYFLY, CRAYONSnip message.]

There are lots and lots of these things, however only the key and block sizes are generally known.  For example Baton and Juniper which you mention above are 128-bit block ciphers with 320-bit keys of which 160 bits are checksum bits (leading to the suspicion that SHA-1 or something similar is involved in the key creation process), it also means that, Capstone-like, you can't load an unapproved key if you manage to lay your hands on the hardware in some manner.

Other algorithms in this class are Accordion and Saville (possibly PKC's), Keesee and Phalanx (block ciphers from memory, I'd have to go and check the details) and an endless array of stream ciphers.  To add to the confusion there are groups of names following the same pattern which describe complete crypto modules rather than algorithms with the algorithms used being classified, examples are Windster, Tepache, and Foresee. 

The really interesting stuff though is the technology used to protect the crypto modules, which is called Quadrant (cf Tempest for EMI security).  Unfortunately the people who work in this area aren't likely to be presenting papers on it at NISSC, I'm not terribly interested in the algorithms (there are already plenty of those around in the non-classified world) but I'd be really curious as to whether they have any cool tamper-resistance tricks which noone else has thought of yet.

Peter.

To: ukcrypto@maillist.ox.ac.uk
Subject: Re: How Old Is TEMPEST?
Date: Wed, 16 Feb 2000 07:35:57 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

> Mike's remark on telephony are of interest because we have found
> references to the need for at least two types of engineers to address
> TEMPEST effects: a communications specialist for links between
> computers, whether short or long line, and an electronics engineer for
> computer equipment and its innards.

Don't forget the chip designer: power analysis of smartcards is just another angle on the same beast - but is the one that's really driving commercial research right now.

Ross

Date: Tue, 03 Oct 2000 11:29:29 -0700
To: John Young <jya@pipeline.com>
From: Bill Stewart <bill.stewart@pobox.com>
Subject: Re: AES winner?

>Is the Vatican still deploying top of the line crypto?

A few years ago, I think before NAI ate PGP, the PGP folks were negotiating with the Vatican on getting them to use PGP.  Don't know if anything happened.

Thanks!

Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

Date: Sun, 01 Oct 2000 18:46:19 -0400
From: John Young <jya@pipeline.com>
Subject: Spying on the Holy See
Sender: owner-intelforum@mclean1.his.com

David Alvarez writes of US intercepts of Vatican communications during WW2 in his richly informative "Secret Messages: Codebreaking and American Diplomacy 1930-45." [Excerpt] He mentions as well black bag jobs by the FBI against the Vatican's DC embassy to obtain cryptographic information, and notes these unholy operations remain classified even now. Some of the Vatican's best ciphers were never broken, says Mr. Alvarez, and after strenous efforts to do so, the US Army's SIS eventually abandoned the effort.

This contrasts with, or maybe complements, the report by Gordon Thomas in "Gideon's Spies" [excerpt] on the OSS cultivation of the Vatican during and just after WW2 and the alleged continuation by the CIA of providing the Pope with global intelligence information.

Mr. Alvarez presents a bountiful account of the US spying on its friends and attempting to break ciphers and codes, as did other other nation's cryptanalysis services. As well as various swapping and withholding successful cracks in exchange.

Are there other accounts of spying on friends, buglarizing their embassies, stealing their code and cipher tools? Has this been done to, and by, the US?

Or is the Vatican a unique case? If so, why? Surely not because of its special access to supreme encipherer. And have the unbroken Vatican ciphers been cracked since WW2? What were there strengths?

More provocatively, what is known about the Vatican's current code and cipher capabilities?

I daydream that the holy fathers know secret algorithms of the inventor of zero.

John Young

Intelligence Forum (http://www.intelforum.org) is sponsored by Intelligence
and National Security, a Frank Cass journal (http://www.frankcass.com/jnls/ins.htm)

From: owner-intelforum@mclean1.his.com
Date: Mon, 2 Oct 2000 19:42:39 -0400
Subject: Re: Spying on the Holy See
To: undisclosed-recipients:;

I would like to amend slightly something John Young said in his kind references to my book, "Secret Messages: Codebreaking and American Diplomacy, 1930-45."

I note in the book that the FBI kept the mail of the Vatican's delegation in Washington under close surveillance.  I did not say, because I don't know, how they did this.  The few pages of documents on this matter I managed (via the Freedom of Information Act) to extract from the FBI are silent as to methods. Personally, I doubt FBI agents actually entered the premises of the papal mission.  It is more likely that they gained access to the mail outside the premises or had a source inside the delegation.

During the war the FBI ran "black bag" jobs against an indeterminate number of foreign embassies and consulates.  These operations collected a variety of foreign codes and ciphers.  Arlington Hall, for example, admitted that it would have been very difficult to solve the Spanish high-grade diplomatic cipher without the photographs acquired by the FBI of the additive tapes used to encipher the codebook.  The Bureau regularly "visited" the Spanish embassy to photograph the latest tapes.  The burglaries were so systematized that Arlington Hall would actually inform the FBI when the current tapes were running out so that the Bureau could send its operatives to secure the next series.

As I recall, photographic copies of various codebooks and ciphers (Spanish, Swedish, Portuguese, etc.) are scattered throughout the hundreds of files of the Historic Cryptographic Collection in record group 457 at the National Archives.

Both Arlington Hall and GCCS abandoned the effort against papal ciphers in the summer of 1944 after months.  During the war the Vatican used a half dozen or so ciphers.  The Americans solved only one of these, a low-grade cipher used for routine administrative business.  The British did no better.  The pope's high-grade ciphers resisted attack, at least during the war.  I have seen a message from GCCS to Arlington Hall in 1945 asking if the Americans would like to join the British in taking another whack at the papal ciphers, but I don't know the results of this initiative.

I too would love to learn more about intelligence operations against the Vatican in general, and signals intelligence operations in particular.  When David Kahn interviewed the director of the Russian communications intelligence service a few years ago, the Russian general said that his service had solved only low grade Vatican ciphers and had had no luck against the higher grade systems.  The general commented that the pope's ciphers were much stronger than Italy's systems.

David Alvarez

[See publications.]

Intelligence Forum (http://www.intelforum.org) is sponsored by Intelligence
and National Security, a Frank Cass journal (http://www.frankcass.com/jnls/ins.htm)

Date: Tue, 03 Oct 2000 09:52:37 +0100
From: Ben de Jong <b.de.jong@hum.uva.nl>
Subject: Re: spying on the Holy See
Sender: owner-intelforum@mclean1.his.com

John Young wrote:

>Are there other accounts of spying on friends, buglarizing
>their embassies, stealing their code and cipher tools? Has
>this been done to, and by, the US?

Peter Wright in his memoirs _Spycatcher_ mentions a tapping operation against the French embassy in London around 1960, i.e. the time when De Gaulle blocked British entry into the then EEC. If I remember correctly, this involved burglarizing the embassy building by MI5.

Cees Wiebes recently did research into the history of Dutch sigint during the Cold War and found out, for instance, that the Dutch Sigint organization in the 1960s and 1970s read traffic from the Italian embassy in Moscow. The Italian embassy was then relatively well-informed about internal developments in the USSR and this traffic was therefore of interest to Dutch analysts of Soviet communism. There was no burglary involved in this particular operation, it was mere sigint collection.

In general every state's messages can and will be intercepted if there is a technical possibility. The whole issue of friends vs. enemies is not very relevant in this context. There must be many other examples of states reading their allies' traffic. The Americans of course are not alone in this. I suspect the French probably have also been very active in this field up to the present day.

Ben de Jong

University of Amsterdam

Intelligence Forum (http://www.intelforum.org) is sponsored by Intelligence
and National Security, a Frank Cass journal (http://www.frankcass.com/jnls/ins.htm)

Date: Mon, 02 Oct 2000 18:59:51 -0400
Subject: RE: Spying on the Holy See
From: Timothy Brown <tcb@ga.prestige.net>
Sender: owner-intelforum@mclean1.his.com

John Young mentions:

[Snip]

I'm sure this theory was already explored by the good folks at NSA, but it could be that the Vatican's cryptosystem(s) are based on variations of the Bible.  This brings up several interesting questions to light about the possibility of books as cryptosystem aids; for example, the Bible has several interesting connotations.

1) It is available in several different versions in almost every city in the world.

2) It is inherently random.  While the text is known, the versions are possessed of subtle differences.  The chapters are presented in different order.  The verses are numerically keyed, also in several different variations.

3) The lack of analyzable ciphertext by the crypto community at large (unless it was before my time) and the general secrecy around the Holy See precludes knowledge of capabilities.

These things do not make it unique among cryptosystems, but the keying method (if the theory is true) certainly begins to present several unique challenges totally seperate from understanding the method of cipherment.

Then there are several obvious, more mundane items.

1) The Vatican has incredible material wealth.

2) They have several thousand loyal subjects who are united by a common goal.

3) They have several significant advances in infrastructure, both from the fact that they have been around several hundred years and have had a need to pass messages for most of that time, certainly in a secure sense, and from the position that they are an independent nation, which certainly would give them the ability to negotiate as any independent nation would on a technological basis.

Compared to the rest of the free world (and not-so-free world), I would surmise that with the exception of the far eastern countries, nobody has been doing it longer.

Then again, my views are probably pretty narrow.  This could be a subject better suited for discussion on cypherpunks.

Timothy Brown

Intelligence Forum (http://www.intelforum.org) is sponsored by Intelligence
and National Security, a Frank Cass journal (http://www.frankcass.com/jnls/ins.htm)

Secret Messages: Codebreaking and American Diplomacy 1930-1945, David Alvarez, University Press of Kansas, 2000 (available on Amazon).

[pp. 177-181.]

The communications of the Vatican, the world's smallest state, had always tempted American signals intelligence. Like most other capitals, Washington was convinced that the Vatican had unparalleled access to information from all parts of the globe and that the messages of papal representatives were rich in political and military intelligence. Like most other capitals, Washington was wrong in this belief, but that did not divert American intelligence from its plans. As early as the spring of 1942, the Vatican figured prominently among the sigint priorities of army intelligence, but operations were postponed as qualified personnel were required on more pressing problems. For some time after the United States' entry into the war, the FBI ran the only active American program against papal communications. In a clandestine operation whose details remain classified to this day, the bureau, suspecting (incorrectly) that Axis intelligence agents in North America used the papal diplomatic pouch to communicate with their controllers in Europe, placed the mail of the papal delegation in Washington under surveillance.65 The situation at Arlington Hall changed in September 1943 when, after the Italian armistice and the occupation of Rome by German forces, encrypted Italian diplomatic traffic virtually disappeared from the airwaves. Several analysts were shifted from the now idle Italian section to a newly formed Vatican section.

The effort against papal ciphers was cloaked in particular secrecy for fear of the domestic political consequences should Catholics or congressional representatives from heavily Catholic constituencies learn that the US. government was eavesdropping on the confidential communications of the Holy Father. Senior officers probably also feared offending the many Catholics who worked at Arlington Hall. The word Vatican did not appear on any organizational charts or in any internal correspondence. Like a handful of other supersensitive projects, the Vatican problem was known only by a code word based on colors. According to this scheme, the unit working papal ciphers was designated "Gold Section." In other problems the cryptosystems were identified by trigraphs in which the first two letters were an abbreviation of the country and last letter indicated the particular system in the sequence in which it had been taken up by the cryptanalysts. Thus, the Spanish desk would be working SPA and SPE, while the Turkish group might be studying TUA and TUB. To obscure the source of the traffic from unindoctrinated staff, Vatican ciphers were assigned the innocuous digraph KI, a label that gave no hint of the target's identity.66

During the war the Vatican used several cryptosystems, each designated by a color. Gold Section first attacked the CIFRARIO ROSSO (RED Cipher), a low-grade cipher that had been in service since the early 1930s and was considered insecure by the Vatican. With the help of GCCS (which had been studying papal traffic since October 1941 and had recovered almost three thousand groups of RED), Arlington Hall was soon able to read most traffic in this system.67 It was Arlington's (and Berkeley Street's) only success against the Vatican. Neither the British nor the Americans made much progress against the pope's high-grade ciphers. The analysts in Gold Section were surprised at the sophistication of the cryptosystems.68 Explaining their lack of success, they noted that "the difficulties encountered showed that considerable intelligence was matched against the analysts'," concluding that they were dealing with "a cryptographer of no mean ability." The effort against papal ciphers was also undermined by the complete absence of compromised cryptographic materials. The papal Secretariat of State distrusted the security of the diplomatic pouch and preferred to distribute new cryptosystems to its posts by the hand of priest-couriers (usually papal diplomats traveling to their posts), who never allowed the cipher to leave their person. Papal diplomats also exercised strict communications discipline and kept their telegraphic traffic to a minimum. Consequently, relatively few messages were intercepted. The attack against the system known to Arlington Hall as KIH, a special cipher used by the Vatican to communicate with its representative in Washington,was constrained by the fact that after a year of surveillance only forty-six messages thought to be in this system had been intercepted, far too few to help the cryptanalysts. In the summer of 1944 Arlington Hall simply gave up on Vatican ciphers and transferred the Gold Section staff to other operations.69

Ironically, the codebreakers abandoned the effort precisely when policy makers were increasingly desperate for reliable intelligence on the Vatican. In the last year of the war Washington worried about the Vatican's posture on a range of important issues, including the political shape of the postwar world, the projection of Soviet influence into Eastern Europe, and the reorganization of Italy's government. After the liberation of Rome in June 1944, American intelligence intensified its operations against the Vatican. However, agents working on the fringes of the papal administration were largely ineffectual. As we shall see, the most important source became a serious embarrassment when his reports proved to be fabrications. Signals intelligence would normally have supplemented human intelligence and provided a check on suspect agent reports. Because Vatican ciphers resisted every attack, American intelligence not only lacked direct insight into papal diplomacy but also was forced to rely on unreliable sources.70

The special security surrounding Arlington Hall's attack against papal communications had a negative (though unintended) impact on another American intelligence operation targeted against the Vatican. The CIFRARIO ROSSO, the one papal cipher the codebreakers were able to read, was a low-grade system that usually carried traffic concerned with minor administrative, ecclesiastical, and charitable affairs. It was, however, the only cipher available to Monsignor Paolo Marella, the pope's representative in Tokyo. Apparently, during the war, the papal Secretariat of State was never able to arrange a secure channel for sending new, improved ciphers to its man in Japan. Most, if not all, of Marella's messages to Rome were read by Arlington Hall. These messages contained little of intelligence value, since Marella knew that his cipher was antiquated and entrusted nothing important to its security.71 At the time that Arlington Hall was studying papal messages, another American intelligence agency, the Office of Strategic Services, was also operating against the Papacy. In the fall of 1944 the OSS station in Rome began to receive information from a source (code-named Vessel) inside the Vatican who apparently had access to the files of the pope's Secretariat of State. Among the documents provided by Vessel were copies of telegrams from Monsignor Marella detailing political and economic conditions inside Japan, speculating on Japanese policy toward Russia, and discussing the possibility of papal mediation of the Pacific War. These reports from an informed observer at the very heart of the Japanese Empire were considered so valuable that OSS sent them directly to the White House. Unfortunately, it was all a hoax.

There was no source inside the Vatican, and the documents were forgeries. In its eagerness to penetrate the secrets of the Vatican, OSS had fallen victim to the fertile imagination and skillful pen of Virgilio Scattolini, journalist, film critic, pornographer, and the most brazen intelligence fabricator of the Second World War. From his flat near the Piazza di Spagna, Scattolini had been concocting spurious "intelligence" and selling it to gullible "clients" since 1939; OSS was only the latest in a series of victims that included various intelligence services, embassies, banks, and newspapers. OSS might have been spared embarrassment if it had had closer relations with the codebreaking service, now renamed the Signal Security Agency (SSA). Arlington Hall was reading Monsignor Marella's messages from Tokyo at the same time that OSS was purchasing Vessel reports that purported to be verbatim copies of the same messages. A comparison of the decrypted messages with the purchased versions would have immediately exposed the latter as forgeries. Unfortunately, OSS knew nothi,ng of Arlington Hall's work against papal communications. Rela-tions between the codebreakers and the covert operators were distinctly cool, especially after the "Lisbon affair," in which an ill-considered OSS operation against the code room of the Japanese embassy caused Tokyo to consider changing its ciphers. The work against Vatican communications also was too sensitive to be shared with other agencies, especially one as notorious for leaks and misadventures as OSS, As a result, one American intelligence service swooned over elaborately detailed reports from the pope's delegate in Tokyo, while another held proof that those reports were forgeries.72

__________

65. Memorandum for the Director from Edward Tamm, 28 September 1942, and "Allegations of the Misuse of the Washington Papal Embassy Diplomatic Pouch" [date and author deleted by censor], documents released to the author by the FBI under the provisions of the Freedom of Information Act.

66. See, for example, the reports for 8 October and 5 November 1943 in SSA, B-111 Weekly Reports, October-December 1943, box 1114, HCC.

67. Minutes of the Third Meeting of Directing Subcommittee of Research Section, 24 October 1941, HW 14/21, PRO.

68. The system known to Arlington Hall as KIF was a one-part, three-letter code of twelve to fifteen thousand groups. It was enciphered with twenty-five keys, each consisting of a combination of substitution tables and random mixed alphabets, and each using different nulls. Each papal nunciature (embassy) had a unique set of sixteen of these twenty-five keys and would use them on particular days of the month. A nuncio (ambassador) might begin a telegram in the assigned key for the day but then shift, as many as eight times, to other keys in the course of the message.

69. "Cryptographic Codes and Ciphers: Vatican Code Systems," box 1284, HCC.

70. For American intelligence operations against the Vatican, see David Alvarez, "A Few Bits of Information: American Intelligence and the Vatican, 1939-1945" (paper presented at the conference "FDR, the Vatican, and the Roman Catholic Church in America," 7-9 October 1998, Franklin D. Roosevelt Library, Hyde Park, New York).

71. The Vatican had become aware of the CIFRARIO ROSSO's insecurity no later than the spring of 1940. This cipher was certainly read by American, British, German, and Italian signals intelligence, and probably by Finnish and Hungarian.

72. For the Vessel affair, see Alvarez, "A Few Bits of Information."

Gideon's Spies: the Secret History of the Mossad, by Gordon Thomas, Thomas Dunn, New York, 1999.

[pp. 224-27.]

In 1945, the wartime Office of Strategic Services (OSS)-the forerunner to the CIA-had been welcomed into the Vatican, in the words of Tames Tesus Angleton, the head of the OSS Rome station, "with open arms." Pope Pius XII and his Curia asked Angleton to help the Church's militant anti-Communist crusade by getting the Italian Christian Democratic Party into power. Angleton, a practicing Catholic, used all the considerable resources at his disposal to bribe, blackmail, and threaten voters to support them. He had been given full access to the Vatican's unparalleled informationgathering service through Italy; every curate and priest reported on the activities of Italian Communists in their parishes. When the Vatican had assessed the information, it was passed to Angleton, who sent it on to Washington.

There it was used to support the now deeply entrenched State Department fear that the Soviet Union presented a real and longterm threat to the West. Angleton was told to do anything that would stop the wartime resistance activists of Italy's Con-imunist Party from taking over. Like the pope, Angleton was haunted by the specter of a worldwide Communist threat that would split the globe into two systems-capitalism and socialism- which could never peacefully coexist. Stalin had himself said no less.

The pope was convinced that the Italian Communists were at the spearhead of a campaign to destroy the Church at every opportunity. The regular meetings between Pius and the pious Angleton became sessions where the bogey of Communism loomed ever larger. The pope urged Angleton to tell the United States it must do all possible to destroy the threat. The pontiff who represented peace on earth became an enthusiastic proponent of U.S. foreign policy which lei to the cold war.

By 1952, the Rome station of what was now the CIA was being run by another devout Catholic, William Colby-who went on to mastermind the CIA's activities in Vietnam. Colby had established a powerful network of informers within the Secretariat of State and every Vatican congregation and tribunal. He used them to help the CIA fight Soviet espionage and subversion across the globe. Priests regularly reported to the Vatican what was happening. In countries like the Philippines, where Communists were trying to make inroads into what had long been a devout Catholic nation, the CIA was able to launch effective counterattacks. The pope saw the violence as necessary and shared the view that if the United States did not perform what he once called "sad, but necessary actions," the world would have to endure decades of further suffering.

In 1960, the CIA achieved another breakthrough when Milan's Cardinal Montini-three years later to become Pope Paul V1gave the CIA the names of priests in the United States deemed by the Vatican to be still soft on Communism. The cold war was at its peak; paranoia ran rife in Washington. The FBI hounded the priests, and many left the country, heading for Central and South America. The CIA had a substantial slush fund, called "project money," used to make generous gifts to Catholic charities, schools, and orphanages to pay for the restoration of church buildings the Vatican owned. All-expenses-paid holidays were given to priests and nuns known to be staunchly pro-American. Italian cardinals and bishops received cases of champagne and hampers of gourmet delicacies in a country still recovering from the food shortages of World War II. Successive CIA station chiefs were regarded by the Vatican as being more important than America's ambassadors to Italy.

When John XXIII was elected supreme pontiff in 1958, he stunned the Curia (the Vatican civil service) by saying that the crusade against Communism had largely failed. He ordered the Italian bishops to become "politically neutral." The CIA was frantic when Pope John ordered its free access to the Vatican must stop. The Agency's panic increased when the CIA learned the pope had begun to nurture the seeds of an embryonic Ostpolitik and started a cautious dialogue with Nikita Khrushchev, the Soviet leader. For the CIA's station chief in Rome, "the Vatican was no longer totally committed to the American system. The Holy See is hostile and we must from now on see its activities in that light."

CIA analysts in Washington prepared exhaustive assessments with such grandiose titles as The Links between the Vatican and Communism. In the late spring of 1963, the Rome station reported that the Holy See was to establish full diplomatic relations with Russia. The CIA's director, John McCone, flew to Rome and bulldozed his way into a meeting with Pope John, saying he had come at the insistence of America's first Catholic president, John F. Kennedy. McCone told the pontiff that the Church "must stop this drift toward Communism. It is both dangerous and unacceptable to dicker with the Kremlin. Communism is a Trojan horse as the recent leftwing victories in the Italian national elections indicate. In office the Communists have dismantled many of the policies Catholic parties supported."

For ten full minutes, McCone spoke in this blunt manner without interruption. Silence finally settled over the audience chamber in the Apostolic Palace. For a moment longer the old pope studied his tall, ascetic visitor. Then, speaking softly, John explained that the Church he led had an urgent duty: to end abject poverty and the denial of human rights, to close down the slum dwellings and the shantytowns, to end racism and political oppression. He would talk to anybody who would help him do that -- including the Soviets. The only way to meet the challenge of Communism was to confront it with reasoned argument.

McCone, unable to contain his anger any longer -- "I had not come to debate" -- said the CIA had ample evidence that, while the pope pursued his detente with Moscow, Communism was persecuting priests through the Soviet Bloc, Asia, and South America: Pope John realized that was all the more reason to seek a better relationship with the Soviets. Defeated, McCone returned to Washington convinced that Pope John was "softer on Communism than any of his predecessors."

John's not unexpected death -- he had a rapidly progressing cancer -- was greeted with relief by McCone and President Kennedy.

When Montini of Milan became Paul VI in late 1963, Washington relaxed. Two days after his inauguration, the pope received Kennedy in private audience. Outside, McCone strolled through the Vatican gardens like a landowner who had returned home after a long absence.

Paul's long pontificate was blighted on the personal front by his declining health and, on the international stage, by the Vietnam War. He came to believe that the escalation President Lyndon Johnson had ordered in 1966 was morally wrong and that the Holy See should be given the role of peacemaker. Three months after Richard Nixon came into the Oval Office, he flew to Rome to meet the pope. The president told him he proposed to increase America's commitment in Vietnam. Once more the CIA found itself out of favor in the Vatican.



All this, Zvi Zamir had learned from his Washington katsa. Now, on this brilliantly sunny morning on January 10, 1973, as he and his two colleagues were driven into the Vatican to check the security arrangements for Golda Meir's visit, Zamir hoped it would result in Mossad taking the place of the CIA in the Vatican's long flirtation with the intelligence world.

Waiting for them outside the Apostolic Palace was the head of Vatican security, a tall, pinch-faced man wearing a dark blue suit, the uniform of the Vigili, the Vatican security service. For several hours he had taken them on a tour of the small city-state, checking possible places where an Arab gunman could hide before trying to assassinate Golda Meir. Unknown to the Vatican security chief, Zvi Zamir was also looking for places where Mossad could plant bugging devices once it had established a working relationship with the Holy See. Zamir flew back to Tel Aviv satisfied with the city-state's security presentations. More important, he believed he had detected a softening in the attitude of the Holy See toward Israel.

David Alvarez: Selected Publications

Books

Articles

[Thanks to John Mcartney on Intel Forum:]

Stephen Budiansky, BATTLE OF WITS: THE COMPLETE STORY OF CODEBREAKING IN WORLD WAR II, Free Press, Oct 2000.

" ... The revelations of Stephen Budiansky's dramatic history include how Britain tried to manipulate the American codebreakers and monopolize German Enigma code communications; the first detailed published explanations of how the Japanese codes were broken; and how the American codebreaking machines worked to crack the Japanese, the German, and even the Russian diplomatic codes.  .....  Budiansky brings to life the unsung codebreaking heroes of this secret war: Joseph J. Rochefort, an intense and driven naval officer who ran the codebreaking operation in "The Dungeon," a dank basement at Pearl Harbor, that effectively won the Battle of Midway; Alan Turing, the eccentric father of the computer age, whose brilliant electromechanical calculators broke the German Enigma machine; and Ian Fleming, whose daredevil espionage schemes to recover codebooks resembled the plots of the 007 novels he later wrote.  ....  Budiansky, a Harvard -- trained mathematician, demonstrates the mathematical insight and creativity of the cryptographers by showing step-by-step precisely how the codes were broken."  --Publisher's book description

Budiansky's Dec 1999 article below is about Pearl Harbor.

http://www.defensedaily.com/reports/PRObudiansky.htm