I actually made this paper Enigma machine before the shoe phone, but only finally got around to documenting it. Aside from being a fun spy gimmick (that turns out to be somewhat useful in real life), its main interest is that it highlights the work done by the cryptographers at Bletchley Park during World War Two to crack the German codes, work that is generally acknowledged as having shortened the war by perhaps two years. This work also resulted in some of the early and important advances in computing. Bletchley Park is now a museum and is in the process of restoring the buildings. Visit them at http://www.bletchleypark.org.uk/.
More photos (and hi-res ones suitable for the press) here. You can read the Instructable here.

Does it really work?

Yes, I use it daily to keep track of all my passwords (more on how I do that in the Instructable).

Is it the same as the original Enigma machine?

Not quite. I use 72-position rotors so that I have upper case and lower case letters, digits, and some punctuation, which lets me encipher useful things, including passwords. Also, I have fewer rotors, and no plug-board (a bit hard to do in paper -- but I am open to ideas). Mine also has a fixed set and order of rotors (although I have made double-sided ones for doing double-Enigma encryption, which doesn't suffer from the major cryptographic weakness of the original, where a given letter could not encrypt to itself). The end result is a smaller key space, but a much larger number of possible wirings, which is just fine for making a unique one for everybody with a different wiring so that they can safely use it for keeping track of passwords. (By the way, the picture is NOT of the Enigma wiring that I use.)

Right, so just what were you thinking, anyway?

I came up with the idea after using an electronic password keeper of the kind that many commercial and defence organisations use. While the electronic ones work, I was frustrated by the limited number of passwords they could store; as a systems administrator of a large computer network, 50 passwords just wasn't enough. Also, the battery would go flat at the most inopportune times, and the unit was simply a bit too bulky to carry around all of the time.

So I started thinking about other potential solutions. Having an interest in cryptography, I realised that something like an Enigma machine could solve my problem by allowing me to have a simple password and use the Enigma machine to encrypt it into a good quality, random-looking password.
It also has the advantage of turning a remembered password into what is known as "two factor authentication", where there is something you know (the password), and something you have (the Enigma machine). This means that if someone has only the Enigma machine or only the password, they still can't pretend to be me. This is similar to what the banks do now with online banking, where they send you an SMS message with a code to enter: you need your internet banking password to log in (the something you remember), and you also need your mobile telephone (the something you have).

Of course, the real Enigma machine was made about 70 years ago now, and is a bit bulky, so I put my mind to making a smaller version, and one that was better suited for use as a two-factor authentication system. Then I realised that the old-fashioned cardboard code wheels that used to appear on cereal packets could be easily adapted to provide a much stronger level of security. Indeed, using just three or four well-designed wheels it is possible to obtain similar security to the Enigma codes that were famously used by the Germans during WW2, and equally famously broken by Alan Turing and others at Bletchley Park, reducing the length of the war by perhaps two years.

So this is what I set about doing. I wrote a computer program that could design the code wheels for me, and then assembled a prototype that is just 2.5" in diameter and fits in my wallet. I have been using this as the prime method for retrieving passwords for over 18 months now, and find it more convenient than the electronic device I used previously. This is perhaps surprising given that the electronic device costs perhaps A$100 (50 pounds) per user for a small company, whereas my cardboard Enigma machine costs about 20 cents to make. The low cost of the device means that it could be a cost-effective two-factor authentication device for internet banking and corporate networks.
However, unlike the Germans, who transmitted the encrypted messages, allowing them to be intercepted and broken, when used as a password strengthening scheme it is not nearly so easy to break the code. Thus, a 70-year-old cipher scheme may find an unexpected new use.

How hard is the code to break? Is it harder than the original Enigma machine? If so, by what factor?

Even though we have two fewer rotors than the original Enigma machine, and our rotors are fixed in position, the increase from 26 to 72 positions on the rotors means that my machine has more than 10^140 (that's a 1 followed by 140 zeroes) times as many wiring combinations as the original Enigma machine. This assumes that you keep your wiring secret! If you are just using it to keep track of passwords, then it should be fairly easy to keep the wiring secret (read the Instructable for a little bit of analysis on this).

If your wiring is not secret, then there are still >300,000 settings, and you could still be using any string as your base password. If you are using the fast password method and someone has your wiring, it narrows your passwords down to the ~350,000 positions of the device.

However, that is not the whole story, because whereas the Germans insecurely transmitted tens of thousands of messages of perhaps a few hundred letters each, the intended use of my code wheel would be to securely transmit only 8 letters at a time, and probably only once per day on average. Thus it would take hundreds of years to gather the same amount of encrypted data as the team at Bletchley Park had during the war -- and then my machine is still 10^140 times harder to decipher.

So how do I make one for myself?

Check out the Instructable here. When I get the time, I will make a web form that will create a PDF with a unique wiring based on a user-supplied pass-phrase.
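
The rotor-and-reflector design described above can be modelled in a few lines; this is an added example, not the author's wheel-design program. It shows why a reflector machine never enciphers a symbol to itself and how a second pass through a differently wired machine (one way to model the double-Enigma variant) removes that property. The punctuation set, the SHA-256 pass-phrase seeding, the three-rotor count and the stepping rule are all assumptions.

```python
import hashlib
import random
import string

# Assumed 72-symbol alphabet: the page names upper case, lower case, digits and
# "some punctuation" but does not list it, so these 10 marks are a guess.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "!#$%&*+-=?"
N = len(ALPHABET)  # 72

class PaperEnigma:
    """Fixed-order rotors plus a reflector, no plug-board, wiring from a pass-phrase."""
    def __init__(self, passphrase, rotors=3):
        seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
        rng = random.Random(seed)  # illustration only; not a vetted key derivation
        self.rotors = [rng.sample(range(N), N) for _ in range(rotors)]
        self.inverse = [[r.index(i) for i in range(N)] for r in self.rotors]
        # Reflector: pair the 72 contacts into 36 swaps, so no contact maps to itself.
        order = rng.sample(range(N), N)
        self.reflector = [0] * N
        for a, b in zip(order[::2], order[1::2]):
            self.reflector[a], self.reflector[b] = b, a

    def encipher_char(self, ch, setting):
        c = ALPHABET.index(ch)
        for wiring, off in zip(self.rotors, setting):  # in through the rotors
            c = (wiring[(c + off) % N] - off) % N
        c = self.reflector[c]
        for inv, off in zip(reversed(self.inverse), reversed(setting)):  # back out
            c = (inv[(c + off) % N] - off) % N
        return ALPHABET[c]

    def encipher(self, text, setting):
        """Encipher text, stepping the first rotor once per character (assumed rule)."""
        out, pos = [], list(setting)
        for ch in text:
            out.append(self.encipher_char(ch, pos))
            pos[0] = (pos[0] + 1) % N
        return "".join(out)

def self_maps(machine_a, machine_b=None):
    """Count (first-rotor setting, symbol) pairs where a symbol enciphers to itself."""
    hits = 0
    for s in range(N):
        for ch in ALPHABET:
            out = machine_a.encipher_char(ch, (s, 0, 0))  # three-rotor setting
            if machine_b is not None:
                out = machine_b.encipher_char(out, (s, 0, 0))
            hits += out == ch
    return hits
```

Enciphering the output again at the same setting returns the original text, and `self_maps(machine)` is always 0 for a single machine, while `self_maps(machine, other)` is not.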