January 2000 Volume 2 Number 1

Analysis of Criminal Codes and Ciphers

Daniel Olson
Cryptanalyst Forensic Examiner
Racketeering Records Analysis Unit
Federal Bureau of Investigation
Washington, DC

Introduction

For as long as man has had the ability to communicate, secrecy has been sought. Over the centuries various methods of secret writing, or cryptography, have been developed for numerous purposes. The two major categories of cryptographic systems are ciphers and codes, both of which are used extensively by criminals to conceal clandestine records, conversations, and writings.

Cryptology is the scientific study of cryptography and includes cryptanalytics, which deals with methods of solving cryptographic systems. This article is an introduction to the variety of secret writing encountered in law enforcement and describes the role of FBI cryptanalysts in examining and deciphering these criminal codes and ciphers.

Cipher Systems

Ciphers involve the replacement of true letters or numbers (plain text) with different characters (cipher text) or the systematic rearrangement of the true letters without changing their identities to form an enciphered message. Cipher systems have been common since ancient times and vary in degree of complexity and sophistication. The Enigma Cipher Machine used by the Germans during World War II, for example, was thought to be unbreakable. Only after the fighting had concluded did it become known that the Allies had broken the cipher and had been reading secret German communications throughout the war.

Criminals have a long history of using cipher systems. During the Prohibition Era, rum runners in ships off the East and West Coasts of the United States used a variety of cipher systems, including advanced cipher machines, to communicate with their confederates on shore. The United States Coast Guard and the Department of Commerce pooled their resources to intercept and decipher the rum runners' messages. In 1969 the Zodiac Killer, who terrorized California's Bay Area during the 1960s and 1970s, sent a three-part cipher message to area newspapers explaining his motive for killing. This complex cipher used more than fifty shapes and symbols to represent the 26 letters of the alphabet but was broken in hours by a high school history teacher and his wife.

Criminals typically use homemade, simple substitution cipher systems which use a single cipher text character to replace a plain text character. Those most likely to use such ciphers include criminals involved in clandestine activities that require incriminating records, such as drug trafficking, loansharking, and illegal bookmaking. Incarcerated criminals also use cipher systems to communicate with cohorts inside and outside of prison.

Simple Substitution Ciphers
A relatively basic
form of substitution cipher is the Caesar Cipher, named for its
Roman origins. The Caesar Cipher involves writing two alphabets,
one above the other. The lower alphabet is shifted by one or
more characters to the right or left and is used as the cipher
text to represent the plain text letter in the alphabet above
it.
Plain Text |
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z |
A |
Cipher Text |
In this example, the plain text
K is enciphered with the cipher text L. The phrase 'Lucky Dog'
would be enciphered as follows:

| Plain Text: | L | U | C | K | Y | D | O | G |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cipher Text: | M | V | D | L | Z | E | P | H |

Ciphers can be made more secure
by using a keyword to scramble one of the alphabets. Keywords
can be placed in the plain text, the cipher text, or both, and
any word can be used as a key if repeated letters are dropped.
Here the word SECRETLY (minus the second E) is used as
the plain text keyword.
Plain Text |
S |
E |
C |
R |
T |
L |
Y |
A |
B |
D |
F |
G |
H |
I |
J |
K |
M |
N |
O |
P |
Q |
U |
V |
W |
X |
Z |
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z |
Cipher Text |
It is important to remember
that the cipher text may utilize numbers, symbols, or letter
combinations to represent plain text characters.
Solving Simple Substitution Ciphers
If the cryptanalyst
knows which language the cipher was written in and has enough
cipher text to work with, simple substitution ciphers can often
be solved easily. Cryptanalysts use the following procedures
when decrypting an unknown cipher:

- The cipher text message is identified from other cipher text or plain text on the document.
- The number of different cipher text characters or combinations is counted to determine if the characters or combinations represent plain text letters, numbers, or both letters and numbers.
- Each cipher text character is counted to determine the frequency of usage.
- The cipher text is examined for patterns, repeated series, and common combinations.

After these analyses have been completed, the cryptanalyst begins to replace cipher text characters with possible plain text equivalents using known language characteristics. For example:

- The English language is composed of 26 letters. However, the nine high-frequency letters E, T, A, O, N, I, R, S, and H constitute 70 percent of plain text.
- EN is the most common two-letter combination, followed by RE, ER, and NT.
- Vowels, which constitute 40 percent of plain text, are often separated by consonants.
- The letter A is often found in the beginning of a word or second from last. The letter I is often third from the end of a word.

Using these and many other
known language characteristics, a cryptanalyst can often decipher
a simple substitution cipher with little difficulty.
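
The counting steps listed above can be run mechanically before any letters are guessed. The following Python sketch is an added example, not part of the original article: it builds the Caesar and SECRETLY alphabets from the tables above, enciphers a constructed sample message, and reports distinct symbols, frequencies, repeated digraphs, doubled letters, and word patterns. The function names and the sample message are assumptions made for illustration.

```python
from collections import Counter
import string

ALPHA = string.ascii_uppercase

def keyword_alphabet(keyword):
    """Keyword first (repeated letters dropped), then the unused letters in order."""
    return "".join(dict.fromkeys(keyword.upper() + ALPHA))

def encipher(text, plain_row, cipher_row):
    """Replace each plain-row letter with the letter beneath it in the cipher row."""
    return text.upper().translate(str.maketrans(plain_row, cipher_row))

def word_pattern(word):
    """Letter-repetition shape of a word: MEET and QBBE are both 0.1.1.2."""
    first_seen = {}
    return ".".join(str(first_seen.setdefault(c, len(first_seen))) for c in word)

def profile(ciphertext):
    """Distinct symbols, symbol frequencies, and repeated patterns in a message."""
    words = ciphertext.split()
    symbols = Counter(c for c in ciphertext if not c.isspace())
    digraphs = Counter(w[i:i + 2] for w in words for i in range(len(w) - 1))
    return {
        "distinct": len(symbols),
        "frequency": symbols.most_common(),
        "repeated_digraphs": {d: n for d, n in digraphs.items() if n > 1},
        "doubled": sorted(d for d in digraphs if d[0] == d[1]),
        "patterns": [word_pattern(w) for w in words],
    }

# The article's two alphabets: Caesar shift of one, and plain-text keyword SECRETLY.
CAESAR_ROW = ALPHA[1:] + ALPHA[:1]
KEYWORD_ROW = keyword_alphabet("SECRETLY")

# Constructed sample message, enciphered with the article's keyword alphabet.
SAMPLE_PLAIN = "MEET ME AT THE SAME STREET"
SAMPLE_CIPHER = encipher(SAMPLE_PLAIN, KEYWORD_ROW, ALPHA)

if __name__ == "__main__":
    print(encipher("LUCKY DOG", ALPHA, CAESAR_ROW))
    print(SAMPLE_CIPHER)
    report = profile(SAMPLE_CIPHER)
    for name, value in report.items():
        print(f"{name}: {value}")
    # The two most frequent cipher symbols, mapped back through the key.
    top_two = "".join(symbol for symbol, _ in report["frequency"][:2])
    print(encipher(top_two, ALPHA, KEYWORD_ROW))
```

In the sample, the two most frequent cipher symbols map back to E and T, and the doubled cipher letter is a doubled E, which is the kind of foothold the language characteristics above provide.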
Keyword Number Ciphers
Most criminal ciphers
are used to conceal numbers, especially telephone numbers, addresses,
weights, and money amounts. Keyword number ciphers are the most
common system for encrypting numbers and are used in the same
manner as keyword alphabet ciphers. Normally these keywords are
ten-letter words with no repeat letters.

| Plain Text: | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cipher Text: | B | L | A | C | K | H | O | R | S | E |

Foreign language keywords are
often used. The following is an example of a drug ledger that
used a Spanish keyword cipher:
![enciphered drug ledger](images/bookmaking.gif)
While decrypting
the cipher, the cryptanalyst made the assumption that the letters
represent numbers. If A+A+A = A, as set forth on the right-hand
column, then A must equal 0 or 5. Using the same logic, if A+Q+Q
= A, then Q must equal 5 and A must be 0. The cryptanalyst
continued until the following relationships were established:

| Plain Text: | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cipher Text: | A | T | S |  |  | Q | R | O |  | M |

Further analysis
of other cipher text and anagramming the cipher text letters
into an intelligible word revealed the following reverse order
key:
(my orchestra in Spanish)

| Plain Text: | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cipher Text: | M | I | O | R | Q | U | E | S | T | A |

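
The column-sum reasoning used on the ledger (A+A+A = A, then A+Q+Q = A) can be carried out mechanically. The following Python sketch is an added example, not part of the original article: it takes enciphered ledger columns and keeps only the letter-to-digit keys under which every column adds up, one column at a time. The ledger columns are constructed for illustration and enciphered with the key shown above; the function names are assumptions.

```python
from itertools import permutations

DIGITS = "0123456789"

def solve_columns(columns):
    """Find every letter-to-digit key under which each ledger column adds up.

    columns: list of (enciphered addends, enciphered total). Columns are taken
    one at a time, so each one narrows the keys carried forward from the
    previous ones, the way the analyst fixes A and Q before moving on.
    """
    keys = [{}]
    for addends, total in columns:
        survivors = []
        for key in keys:
            new = sorted(set("".join(addends) + total) - set(key))
            free = [d for d in DIGITS if d not in key.values()]
            for digits in permutations(free, len(new)):
                trial = {**key, **dict(zip(new, digits))}
                value = lambda word: int("".join(trial[c] for c in word))
                if sum(map(value, addends)) == value(total):
                    survivors.append(trial)
        keys = survivors
    return keys

def key_row(key):
    """Cipher letters for plain digits 0-9, '?' where no letter is known yet."""
    by_digit = {digit: letter for letter, digit in key.items()}
    return "".join(by_digit.get(d, "?") for d in DIGITS)

def decipher(entry, key):
    """Decipher one ledger entry, leaving '?' for letters not yet in the key."""
    return "".join(key.get(c, "?") if c.isalpha() else c for c in entry)

# Constructed ledger columns (not the article's ledger), enciphered with the
# article's final key M I O R Q U E S T A = 9 8 7 6 5 4 3 2 1 0.
LEDGER = [
    (["QAA", "QAA", "QAA"], "TQAA"),   # units column reads A+A+A = A
    (["SQA", "SQQ", "SQQ"], "ORA"),    # units column reads A+Q+Q = A
    (["MQ", "MQ"], "TMA"),
]

if __name__ == "__main__":
    keys = solve_columns(LEDGER)
    print(len(keys), "consistent key(s)")
    for key in keys:
        print(key_row(key))
        print(decipher("SUQ", key), decipher("TQAA", key))
```

With these three columns exactly one key survives, and it fills the same seven positions as the partial table above; the remaining letters have to come from other cipher text or from anagramming the keyword.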

Number ciphers do not require a keyword. An incarcerated drug dealer in an Arizona prison sent a letter to a cohort instructing her to mail a shipment of drugs to the following Georgia address:

Box BFC
GCDI Abercorn Drive
Savannah, GA 31206

The cipher text letters are all within the first nine letters of the alphabet. If A is assumed to equal 0, then the following key would result.

| Plain Text: | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cipher Text: | A | B | C | D | E | F | G | H | I | J |

The key can
be verified by checking the resulting street address. If this
key is proved to be invalid, try moving the 0 to the end of the
number series and assume that A = 1 instead. In
this example, the first assumption proved to be correct. The
notation A = 0 was found in the lower right-hand corner of the
prison letter, confirming the key.
Telephone Keypad Ciphers
A
telephone keypad can be used to create a number cipher that is
more difficult to break than a keyword system.

|  | A B C | D E F |
| --- | --- | --- |
| 1 | 2 | 3 |
| G H I | J K L | M N O |
| 4 | 5 | 6 |
| P Q R S | T U V | W X Y Z |
| 7 | 8 | 9 |
|  | 0 |  |

Using the above
telephone keypad, the criminal can substitute numbers with the
letters corresponding to the telephone button. Numbers 0 and
1 can be substituted with Q and Z (older telephone keypads do
not have the letters Q or Z). The telephone number (202) 324-5678,
for example, could be enciphered any of the following ways:

| (202) | 324 | 5678 |
| --- | --- | --- |
| B Q B | D A G | K M R V |
| C Q A | F B I | J N P X |
| A Q B | E C H | L O S T |

Telephone keypad
systems may use all 26 letters in the alphabet and thus are easily
confused with enciphered words. Further analysis of the letter
combinations, however, will disprove the possibility that the
cipher text conceals words. Once identified, telephone keypad
ciphers are easily decrypted.
Masonic Cipher

The centuries-old Masonic Cipher uses two tic-tac-toe diagrams and two X patterns to represent the letters of the alphabet. Letters are enciphered using the patterns formed by the intersecting lines and dots.

The name Bob Smith would be encrypted as follows:
Tic-Tac-Toe Cipher
A
variation of the Masonic Cipher used to encrypt numbers is the
tic-tac-toe cipher. Using this pattern, each number can be enciphered
with the character that is formed by the intersecting lines surrounding
each number. The 0 is enciphered using an X.
Code Systems
Ciphers are
created by replacing individual characters of plain text with
cipher text characters. Codes differ from cipher systems in that
code text may represent letters, numbers, words, or phrases.
Codes are typically used to add two elements to communications:
secrecy and brevity. Military and espionage code systems place
the greatest emphasis on secrecy; civilian agencies and corporations
use technical codes for brevity, often with no concern for security.
Criminals use codes for both purposes. Unlike cipher systems
which can be deciphered using set procedures and techniques,
codes cannot be deciphered without some knowledge of what the
writer is attempting to conceal.
Sports Bookmaking Codes

Illegal bookmaking operations require detailed business records to record wagers placed, game lines and outcomes, bettor names, and account balances. On the basis of these record-keeping needs, bookmakers typically make extensive use of codes. Brevity is the main purpose for the codes, but the codes also provide an element of secrecy. Some bookmaking operations rely on specialized codes known only to the bookmaker and his clerks, but many bookmaking codes are well known among bookmakers throughout the United States.

The following are examples of how a sports bookmaking operation can encode a losing $1000 wager on the Dallas Cowboys plus 6 ½ points:

K100 is a coded account designation representing a bettor. The hyphen (-) after the numeral 6 indicates the line at 6 ½. The X indicates a multiplication by 5, thus 200X = $200 X 5, or $1000. The L indicates a losing wager.

| Dave-Cowboys | +6' | Dime | -1100 |

Here the name of the bettor is given. The apostrophe after the six indicates the half point in the line. Dime means a $1,000 wager. No win or lose indicator is present. Instead the bookmaker notes the amount owed by the bettor for the losing wager.

In this example, the team name is substituted by its unique rotation number. Team rotation numbers are assigned on a weekly basis and can be found in sports schedules. The bookmaker dropped the 00 in the wager amount, thus the 10 represents a $1000 wager.

Boys is a slang name for the Dallas Cowboys. The 200T indicates 200 X 5 as in the first example. The X indicates a losing wager.

Team names are substituted by code numbers in the above sports wagers. The arrows indicate over or under wagers on the total score of the game. The bookmaker has dropped the zeros to conceal the true amounts of money wagered: the numeral 1 indicates a $100 wager and the ½ indicates a $50 wager.

Horse Race Bookmaking Codes

Horse wagering codes differ from sports wagers, because the terminology and information requirements are unique. A wager on horse #4, Lucky Star, in the third race at Pimlico Track could be written as follows.

| P/3 | #4 | 5-2-2 | W | 4.2/2.3/1.9 |

P/3 indicates the third race at Pimlico, and #4 is the horse number. The 5-2-2 indicates a $5 wager to win and $2 wagers to place and show. The W indicates the horse won. The dollar amounts indicate payoff amounts for the win, place, and show.

Here the code BP represents the bettor. Pim-3 indicates the track and race. X5X denotes a $5 wager to place. No wager is made on the win or show positions.

Numbers Bookmaking Codes
Numbers
wagers indicate the number drawing, the bettor, the number wagered
on, and the amount and type of wager.
Here account
TICCO placed a $2 combination wager on number 435 on the midday
lottery drawing.
Drug Codes
Drug
records normally consist of dates, accounts, units, prices, and
sometimes drug types. Drug traffickers often use codewords to
disguise their activity, and these are limited only by the imagination
of the drug trafficker. Typically different codewords are used
in conversation to differentiate between drug types. For example,
the code white indicates cocaine, and green indicates marijuana.
Pager Codes

Pager codes are popular among street drug dealers and are often used by regular drug customers to communicate with sellers. The following is an example of a series of coded pager messages between a drug purchaser and a seller.

| Message | Meaning |
| --- | --- |
| 772 111 | The code 772 is the identity of the customer inquiring about the price of one ounce of cocaine. |
| 007 1150 | The code 007 is the identity of the seller, and the price for one ounce is $1150. |
| 772 222 432 | Account 772 wants to purchase two ounces of cocaine, and the seller is asked to call 772's cell telephone number (432 is the telephone number prefix). |

Pager codes can also be used by traffickers who are transporting drugs over long distances.

The code 823 is the identity of a drug courier traveling on Interstate 95 at Exit 12. The code 333 indicates everything is fine. If the driver wanted to communicate that he or she had been delayed by vehicle repairs or stopped by police, the code 999 (stopped for repairs) or 911 (under arrest) could be used.

Conclusion

The ciphers and codes presented are examples of the many cryptographic systems used by criminals. Many of the ciphers and codes in this article can be easily decrypted, but in some instances, deciphering a code or cipher requires special training.

The Racketeering Records Analysis Unit (RRAU) of the Federal Bureau of Investigation's Laboratory in Washington, DC, is staffed with qualified cryptanalysts who have specialized training in the areas of cryptanalysis, drug trafficking, money laundering, and racketeering activities. The services of RRAU are available to assist federal, state, and local law enforcement agencies in the analysis of clandestine business records relating to illegal gambling, drug trafficking, money laundering, loansharking, and prostitution. RRAU examiners and analysts are available for expert testimony, pretrial advice and assistance, and on-site examinations and consultations. For additional information, contact the RRAU at the following:

Federal Bureau of Investigation
Racketeering Records Analysis Unit
Room 4712
935 Pennsylvania Avenue, NW
Washington, DC 20535
Telephone: (202) 324-2500
Facsimile: (202) 324-1090
E-mail: labrrau@fbi.gov