Mafia Boss Using Crook Crypto Captured

boggis writes "Discovery is running a story on Bernardo Provenzano, the recently arrested 'boss of bosses' of the Sicilian Mafia. He apparently wrote notes to his henchmen using a modified form of the Caesar Cipher, which was easily cracked by the police and resulted in further arrests of collaborators. Discovery's cryptography expert describes it as a code that 'will keep your kid sister out'."

Substituion Cipher?

[Whiney Mac Fanboy]

God, he used a simple (rot3) substitution Cipher, with not even a Vigenère keyword and didn't expect it to get broken?

People have been using frequency analysis [wikipedia.org] for over a thousand years to crack substitution ciphers!

Not very smart

[AKAImBatman]

He apparently wrote notes to his henchmen using a modified form of the Caesar Cipher

To put that into computer terms, he ROT13ed the text. This sort of cipher was used by Caesar not because it was secure, but because most people couldn't read. Even those that could read undoubtedly lacked sufficient education to consider a cryptoanalysis of the text. But if someone does consider a cryptoanalysis, it is incredibly easy to break this cipher.

Simply substituting the first letter with each letter of the alphabet allows for a brute force attempt at decoding by then replacing the rest of the letters with the exact same offset used on the first character. This method ensures that the message will be decrypted even if the alphabet has additional characters. (Either for purposes of obfuscation or additional information.) The only method that can be used to prevent an attacker from using this simple decoding method (you don't even need a computer!) is to mangle the alphabet somehow. For example, if the alphabet is backwards an attacker would have more trouble decrypting the cipher. Even then, however, a simple statistical analysis on the occurance of the letters would quickly decrypt the message and reveal the secret alphabet used.

That being said, this particular mobster was smart enough to realize that a simple cipher like this would be insufficient to deter a decoder. So he attempted to confuse would-be attackers by using a number code to obscure names. I imagine that he thought that attackers would assume that he was using a codebook to keep track of the assigned names. Unfortunately (for him), his 8th grade education was obviously insufficient for him to know that his number sequences are very similar to compression techniques. Anyone with experience would note that the codes were far too long, and that the number 1 appeared quite often. Its appearance suggests that its a "trigger" for interpreting the next number differently.

So there you have it, security through obscurity does not work.

Re:If only..

[Ckwop]

Or you could try the one in Cryptonomicon. The details elude me, but I recall it being something like RC4 with a deck of cards.

This was a cipher called Solitaire, which was created by Bruce Schneier. It has been horribly broken.

Simon

Re:Not very smart

[AKAImBatman]

Minor correction to myself: The article seems to suggest that he was 8 years old when he dropped out of school, not in 8th grade.

Kahn Do.

[Anonymous Coward]

Snort some Kahn [amazon.co.uk]. You'll love it. Might be a bit redundant if you've just read Singh, but when you get the urge to reread Singh, go Kahn instead.

Re:How many letters are in the alphabet?

[yppasswd]

Perhaps. Or, more probably, Italian alphabet only has 21 letters [unilang.org]. As a side note, you live in US, don't you?

Re:If only..

[Redwin]

Considering ancient cyphers, if I remember correctly the ancient Chinese used to write messages Ceaser cypher style messages on fabric that had to be wrapped around a pole. The pole had to be the exact length and thickness or the text wouldn't align up and the decyphering process couldn't be started. If anyone was stopped, they could hand over the fabric covered in text and it would be meaningless without knowing what kind of pole was used to algin everything up.

Re:If only..

[gbobeck]

For more information concerning the solitaire encryption algorithm, see either http://www.schneier.com/solitaire.html [schneier.com] or read Cryptonomicon.

To see all of the problems concerning the solitaire algorithm, see http://www.ciphergoth.org/crypto/solitaire/ [ciphergoth.org]

Cryptography is not the important point

[VincenzoRomano]

The (poor) cryptography used by Bernardo Provenzano [wikipedia.org] (more accurate infos in the Italian page [wikipedia.org]) was meant to be used only by himself to avoid possible sneakes by his waiters. That was enough.
The important point is that he managed to stay at large, not as a fugitive, in the neighbourhood of Corleoni (Sicily, Italy) for almost 43 years without being noticed or identified and while still heading at full steam the Cosa Nostra [wikipedia.org]!
So, as far as security and privacy is concerned, a good design can make poor technology rock!

Solitaire

[Kadin2048]

Do you have any information on the break? I just did some searching and couldn't find anything about it. At the bottom of Bruce Schneier's page on Solitaire [schneier.com] there is a link to an article Problems with Bruce Schneier's "Solitaire" [ciphergoth.org] by Paul Crowley, but it's dead. Is this what you're referring to?

(The article does exist in the Internet Archive at
http://web.archive.org/web/20050206214237/http://w ww.ciphergoth.org/crypto/solitaire/ [archive.org]
It does describe what sound like they might be some problems with the randomness of the keystream, but it doesn't seem like a complete break. Sorry for pasting the address, but Slashdot doesn't seem to like IA links much.)

Anyway, I'd be curious in knowing what the problems with it are.

Re:Showing your hand: word to the wise-guys

[Cthefuture]

There was an American mobster a few years ago who did something using PGP, and the only way the FBI were able to crack it was to bug his keyboard

Well we don't know if that's the only way they had of breaking it. It was probably one of the easiest though. Often the weakest part of any cryto algorithm isn't the algorithm. It's cheaper and faster to go for the soft targets first.

Re:If only..

[Anonymous Coward]

i think it was ancient greeks using this trick.
http://www.resonancepub.com/homecrypto.htm [resonancepub.com]