
Gjøvik University College

Cryptology 1

The Hagelin M-209 cipher machine

John-André Bjørkhaug
2013.10.01


Abstract
During WW2 cipher machines were used extensively by both the Allied and the Axis
nations. The most famous is the German Enigma machine. The Allies used multiple
machines, but the Swedish M-209 stood out. The fully mechanical and impressively
complex machine was produced in the remarkable quantity of 140000 units during
WW2 and was used by multiple Allied nations. This paper first gives a short
introduction to cryptographic rotor machines and describes the history of Boris
Hagelin's cipher machines. It then discusses the details of the M-209: its mechanical
properties, how its ciphering works, how to use it, and the cryptanalysis work done on
it.

Table of Contents
Introduction
Rotor cipher machines
History of Hagelin mechanical rotor cipher machines
The M-209
3.1. Ciphering process
3.2. Setup
3.3. Accessories
3.4. Cryptanalysis
Conclusion
Reference

1 Introduction
The first rotor cipher machines were developed at the end of WW1, including the one that, after
some modifications, would become the most famous of them all, the Enigma. It was invented
by Arthur Scherbius and cryptanalyzed at Bletchley Park during WW2. But there was another,
less famous rotor machine that was just as important during WW2: the Swedish Hagelin M-209.
It was produced in a stunning quantity of approximately 140000 and was used mainly by the US Army
and Navy, but also by other Allied nations, such as Norway.
This paper first gives a short introduction to cryptographic rotor machines and then describes the
history of Boris Hagelin's cipher machines, starting in 1925, leading up to the M-209 in WW2
and the successors of this complex little machine, and ending in the 1960s, when the electronic age
began. The text then discusses the details of the M-209: its mechanical properties, how its
ciphering works, how to use it, and finally the cryptanalysis work done on it.

2 Rotor cipher machines


In cryptography, a rotor machine is a mechanical or electromechanical stream cipher machine.
These machines first came into existence in 1915, with the invention of the two Dutch naval
officers Theo A. van Hengel and R. P. C. Spengel. Little is known about this first machine or
about the other early machines, invented by men like Edward Hugh Hebern in 1917, Arvid Gerhard
Damm in 1919 and Hugo Alexander Koch in 1919. In 1918 Arthur Scherbius filed a patent for
his first rotor machine, and in the early 1920s he invented the first rotor machine to become
really famous, and which is still today the most famous of them all, the Enigma. It was used by
the Axis nations, and was cryptanalyzed and cracked by, among others, Alan Turing at Bletchley
Park during WW2. That cryptanalysis work was groundbreaking in the world of computers. The
Enigma has been the subject of multiple books and even a couple of movies.
A cryptographic rotor cipher machine implements a polyalphabetic substitution, with one or
multiple rotors to make the cipher complex. The rotors are often key-wheels, on which the initial
cipher key is set, and the wheels turn in a regular or irregular way for each enciphered letter.
How the key-wheels interact with the enciphering/deciphering process is most often determined
by internal settings in the machine.

2 History of Hagelin mechanical rotor cipher machines


In 1925, while working for the Swedish company A.B. Cryptograph, Boris Hagelin developed
his first cipher machine, the electromechanical B-21, to compete with the Enigma when the
Swedish General Staff was looking for new cipher machines to purchase. It was based on
the B-18, invented by the company's owner, Arvid Gerhard Damm. The B-21 rotor machine had
many similarities with the Enigma: a keyboard for input and light bulbs for output. To avoid
patent infringement, Hagelin used totally different ciphering operations. Instead of alphabet
substitution, he used four coding pin-wheels to scramble a 5x5 matrix. The wheels had different
cycle lengths, 17, 19, 21 and 23, which made them align after 156009 enciphered letters. More
on the pin-wheels in Chapter 3. One problem with the 5x5 matrix was that it only allowed for
a 25-letter alphabet, so the letter W was substituted by VV. The B-21 was considered more
secure than the Enigma, but this was not the case. In 1931 it was broken in less than 24 hours by
Arne Beurling, a young mathematics student attending a course in general cryptology and
cryptanalysis held by the Swedish Cipher Bureau at the Swedish Navy Staff. Beurling became
more famous in 1942, when he deciphered the German Geheimfernschreiber, also
single-handedly, with only pencil and paper, in under two weeks. This caused the Swedish
Government to establish Försvarets Radioanstalt [Beckman].
At the end of 1933 the French Army became interested in the B-21, but requested some
modifications. They needed a portable ciphering machine that could print text. Hagelin made
these changes, and production of the B-211 started in France. Before the outbreak of WW2,
approximately 500 machines had been produced. The ciphering method was the same
pin-wheels and matrix as on the B-21. Soon after the business with the French began,
they asked Hagelin about the possibility of a compact portable cipher machine that could
print. Combining the design of the B-21 with a coin-changing machine he had invented a
while before, Hagelin invented his first fully mechanical bars-and-lugs rotor cipher machine,
the C-35, in 1935. The calculating mechanism in the coin-changing machine consisted of a
cylindrical cage made of horizontal bars. The bars were actuated by keys and slid to the left,
creating teeth in a cogwheel in a variable gear. A type wheel was then turned by a number of
positions equal to the number of bars in their left position. The keys of the changing machine
were replaced with pin-wheels, and the type wheel now carried letters instead of numbers.
Hagelin had now built the C-35 ciphering machine, with 25 horizontal bars in the cage and five
pin-wheels. The cage is also discussed in detail in Chapter 3. The numbers of letters on the
wheels were 17, 19, 21, 23 and 25, which made them align after 3900225 enciphered letters.
Several changes were later made to the C-35 to make it more suitable for tactical use: one
pin-wheel was added and movable lugs were introduced on the bars in the cage. The pin-wheel
and cage changes were made in direct response to cryptanalysis work by the Swedish
cryptanalyst Yves Gylden in 1935. The changes led to the model C-36. The numbers of letters
on the wheels were 26, 25, 23, 21, 19 and 17, which made them align after 101405850
enciphered letters.

Figure 1: C-35

In 1937 Hagelin travelled to the US to try to get the Government in Washington interested in
his ciphering machines, but was met with very little interest. Right after the war in Europe had
broken out in 1939, he once again travelled to the US to try to sell his ciphering machine. This
time the Americans were much more interested. William Frederick Friedman, a US Army
cryptographer and the head of the research division of the Army's Signal Intelligence Service,
suggested certain changes. After these changes the machine was named M-209 by the US Army
and C-38 by Hagelin, but it was mostly known simply as the Hagelin. In 1942 it was adopted by
the US Army and multiple other Allied nations, including Norway. In the same year it was put
into mass production by the company L. C. Smith & Corona Typewriters Inc. In addition to
their regular 600 typewriters a day, they now started turning out as many as 500 olive-drab
Hagelin machines a day. By 1944 approximately 50000 machines had been produced, and by
the end of the war approximately 140000. Production was not discontinued until the first half
of the 1960s. The initial price was $64. Today collectors buy it for up to several thousand US
dollars.

Figure 2: The Hagelin M-209

Hagelin earned millions of dollars in royalties, and became the first and possibly only
cryptology millionaire.
The M-209 was first used during the invasion of Africa in November 1942. It did not only
see the battlefields of WW2; it was the standard ciphering machine for tactical use in the US
Army through the Korean War, which ended in 1954.

Figure 3: BC-38

Since the M-209 was meant to be used by soldiers in the field, its size and rugged construction
were very important, but they made it impractical for use in Command & Control centers.
Hagelin therefore developed the BC-38, an electromechanical version of the fully mechanical
M-209. This machine was fitted with a full QWERTY keyboard, which made it more practical
for this use. Like the M-209, the BC-38 has a purely mechanical enciphering/deciphering
process. The only electric parts are a motor and its driving circuit. The motor is only used for
driving the mechanical encipher/decipher mechanism. The machine can also be used without
electricity, by driving the encipher/decipher process with a handle on the right side, much like
on the M-209.
Near the end of WW2, even the Germans showed interest in Hagelin's BC machine as a
replacement for the Enigma, since the latter had been broken by the British at Bletchley Park.
Since Sweden was neutral, the company had no problem selling to both sides. Germany even
started to produce Hagelin machines under license, and kept doing so into the 1950s. There was
also licensed production in France.
At the end of 1944 and the beginning of 1945, Hagelin came out with a slightly modified version
of the M-209, the C-446. At first sight there were not many changes, but it had two printers, one
for clear text and one for cipher text, and two locks, one for the operator and one for the officer.
The most interesting part, however, is that the C-446 also came in a version without the
pin-wheels. Instead it had a reader for one-time pad paper tape, which, with truly random keys,
produced a cipher with what Claude Shannon, in his world-famous 1949 paper Communication
Theory of Secrecy Systems, termed perfect secrecy. Perfect secrecy means that the cipher text
gives no additional information about the plaintext, and is unbreakable. The most famous
one-time pad ciphering machine is the Norwegian ETCRRM (Electronic Teleprinter
Cryptographic Regenerative Repeater Mixer), which used the Vernam principle, was produced
by Standard Telefon og Kabelfabrik in the 1950s, and was used on the Washington-Moscow
hotline during the Cold War.
After WW2 there was an even greater need for ciphering equipment, and Hagelin made
improvements to his M-209 design and produced machines with even more complex algorithms.
The CX-52 machines, developed in 1952, used six changeable wheels, which were picked from
a set of twelve. The numbers of letters on the wheels were 25, 26, 29, 31, 34, 37, 38, 41, 42, 43,
46 and 47. Five of the wheels had irregular stepping, which made the cipher algorithm even more
secure. The machine also had five more bars in the cage than the M-209, for a total of 32 bars.
The extra five bars controlled the irregular stepping of the pin-wheels. Using the wheels with
twice the number of letters of the M-209 wheels, together with a special lug configuration in the
cage, made the machine compatible with the M-209, BC-38 and C-446.

Figure 4: CX-52

A bad design in the irregular pin-wheel stepping made the last of the six wheels move in such a
way that it did not contribute very much to the security of the machine. This was fixed in a new
version called the CX-52. The CX-52 came in many different versions, including one with a
one-time pad paper tape reader instead of the pin-wheels, and one with Arabic letters.
The CX-52 was Hagelin's most successful mechanical cipher machine, both commercially and
technically. It was sold to over 50 countries, and remained in use even after Hagelin started to
produce fully electronic machines in the 1960s. The CX-52 was used as a backup machine during
the Cold War into the 1980s, and by some countries all the way into the 1990s.
In 1992 it came to light that in 1957 the National Security Agency (NSA), only five years
after it was formed, had made a deal with Hagelin's company, Crypto AG, to place a backdoor
in the CX-52, among other cipher machines. This backdoor enabled the NSA to easily
decrypt messages sent by the Iranian Islamic regime, Saddam Hussein, Moammar Gadhafi,
Ferdinand Marcos, Idi Amin, and even the Vatican. The backdoor access was also shared with
the British intelligence service Government Communications Headquarters (GCHQ). After this
it was widely accepted that this machine was no longer used [OSVDB]. In September 2013 there
was huge media coverage, in connection with the Edward Snowden leak, of the fact that the NSA
had backdoors into communication and cryptology equipment. The press wrote about this as if it
were something new, but it has been known for over 20 years that the NSA and GCHQ had a
backdoor into the Hagelin CX-52 machine for 35 years.
If it hadn't been for the backdoor, the CX-52 would still be relatively secure to use. Even though
it is based on principles from the 1920s, the CX-52 is very hard to break, even today with the
help of computers.
The CX-52 was the last of Hagelin's mechanical pin-wheel cipher machines, but Hagelin and
his company, Crypto AG, continued to produce electronic cipher machines and communication
equipment. Today Crypto AG is still one of the biggest companies in the world when it comes
to secure communication.

3 The M-209

The M-209 is very small, about the size of a lunchbox, measuring only 83 x 140 x 178 mm and
weighing a little over 3 kg including its rugged case. Its small size, its low weight, and the fact
that it is non-electrical made the M-209 well suited for tactical use on the battlefield. The
machine has no problem surviving hard shocks, dust, sand, tropical humidity or arctic cold
[Kahn]. In addition, the machine can perform both enciphering and deciphering,
which is a huge plus compared to many other ciphering machines.
The most important parts of the machine are the cage, the key wheels and the guide arms that
bind them together.
The drum bar cage, also known as the lug cage but mostly called just the cage, consists of
27 horizontal bars between two disks, which form a revolving cylinder. Each bar has two
movable lugs, which can be placed in eight positions: two neutral positions, and six positions
that interact with the key wheels. Depending on the lug and key wheel pin settings, the individual
bars can slide to the left and add a cog tooth to the variable gear. The number of bars in their
left position is the same as the offset between the clear text letter and the cipher text letter.

Each of the six key wheels controls one guide arm. Each wheel has a different number of letters
on its rim, and a pin under each letter. The numbers of letters, from left to right, are 26, 25, 23,
21, 19 and 17. These numbers are chosen to be coprime, which means that no two of them share
a common divisor greater than 1. This causes the wheels to align after
26 × 25 × 23 × 21 × 19 × 17 = 101 405 850 enciphered letters; this is also known as the period.

Figure 5: The M-209's internals. The indicator disk, type wheel, key wheels with pins, cage
with lugs, guide arms etc. are shown.

Each letter on each wheel has a movable pin. Setting the pin to the right enables the letter
position, and setting it to the left disables it. An enabled letter position will in turn set the
wheel's guide arm in its operative position, which determines whether lugs in the cage are
contacted. If a lug is in contact with a guide arm, its bar slides to the left and interacts with the
cogs in the variable gear, as previously mentioned.
The wheels have the following letters:
Wheel 1: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Wheel 2: ABCDEFGHIJKLMNOPQRSTUVXYZ
Wheel 3: ABCDEFGHIJKLMNOPQRSTUVX
Wheel 4: ABCDEFGHIJKLMNOPQRSTU
Wheel 5: ABCDEFGHIJKLMNOPQRS
Wheel 6: ABCDEFGHIJKLMNOPQ

3.1. Ciphering process


When the clear text letter has been set on a knob with an indicator disk on the left side of the
machine, the operator turns the power handle on the right side, and the cage makes a complete
rotation through all of the 27 bars. If an operative guide arm comes into contact with a lug on a
bar, the bar slides to the left. All the bars that are now in their left position form a cog in the
gear, which turns the letter to be enciphered. The letter shift is equal to the number of bars in
their left position. The cipher text letter is then printed on a paper tape. If the machine runs out
of paper tape, the type wheel works as an indicator disk, which lets the operator read the
enciphered or deciphered letter directly. After one rotation, all the slid bars are retracted to their
original position by a retractor, all the key wheels are advanced one position by another set of
gears, and a locking arm locks the cage to prevent another encipherment until the indicator disk
is set to the next letter. This means that if the operator is enciphering or deciphering two equal
letters in succession, he needs to turn the disk back and forth. A skilled operator can run the
machine at 15 to 30 letters a minute.
The cipher used in the M-209 is a variant of the Beaufort cipher, which means that the ciphering
process is an involution: it uses the same algorithm for both enciphering and deciphering.
Encipher: = ( ) 26
Decipher: = ( ) 26
What makes the M-209's ciphering different from the Beaufort cipher is the system of the cage
and the key wheels, which makes the offset change for each enciphered letter.
The machine has a button on the right side for choosing Encipher (C) or Decipher (D), but this
is only for printing adjustment. Encipher prints the letters in groups of five, and
Decipher prints the words with the correct spacing. The letter "z" is used as the spacer,
so the word "analyze" would come out as "analy e".

3.2. Setup
Before use, the operator needs to set the two lugs on each of the 27 horizontal bars in the cage
and enable or disable the pin under each letter on each wheel. These settings are called the
internal key. Setting them is a complex process that takes quite a bit of time, so the settings
were changed relatively infrequently; once a day was common. The setup was done with the
help of tables, identical copies of which were distributed to the sender and the recipient. An
example setup table can be seen in Table 1.
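NR  LUGS  1  2  3  4  5  6     BAR  1  2  3  4  5  6
01  3-6   A  A  A  -  -  A     01   -  -  X  -  -  X
02  0-6   B  -  B  -  B  B     02   -  -  -  -  -  X
03  1-6   -  -  -  C  -  -     03   X  -  -  -  -  X
04  1-5   D  D  -  -  D  -     04   X  -  -  -  X  -
05  4-5   -  E  -  E  E  -     05   -  -  -  X  X  -
06  0-4   -  -  -  F  F  -     06   -  -  -  X  -  -
07  0-4   -  G  G  -  -  -     07   -  -  -  X  -  -
08  0-4   H  -  H  H  H  H     08   -  -  -  X  -  -
09  0-4   I  -  I  I  -  -     09   -  -  -  X  -  -
10  2-0   -  J  J  -  -  -     10   -  X  -  -  -  -
11  2-0   K  K  -  -  -  K     11   -  X  -  -  -  -
12  2-0   -  L  L  -  -  -     12   -  X  -  -  -  -
13  2-0   M  -  M  M  M  -     13   -  X  -  -  -  -
14  2-0   N  -  N  N  N  N     14   -  X  -  -  -  -
15  2-0   -  O  -  -  -  O     15   -  X  -  -  -  -
16  2-0   -  -  -  P  P  -     16   -  X  -  -  -  -
17  2-0   -  -  -  -  -  Q     17   -  X  -  -  -  -
18  2-0   -  R  R  -  -        18   -  X  -  -  -  -
19  2-0   S  S  S  S  S        19   -  X  -  -  -  -
20  2-5   T  -  T  T           20   -  X  -  -  X  -
21  2-5   -  U  U  U           21   -  X  -  -  X  -
22  0-5   V  -  -              22   -  -  -  -  X  -
23  0-5   W  X  X              23   -  -  -  -  X  -
24  0-5   -  -                 24   -  -  -  -  X  -
25  0-5   -  -                 25   -  -  -  -  X  -
26  0-5   -                    26   -  -  -  -  X  -
27  0-5                        27   -  -  -  -  X  -
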
Plaintext: AAAAAAAAAAAAAAAAAAAAAAAAAA
Cipher: TNJUW AUQTK CZKNU TOTBC WARMI O
Table 1: Example setup sheet [Cryptomuseum]

When the internal settings are set, the operator sets the start position of the key-wheels. This is
called the external key, and it is changed from message to message. This key is inserted at a
prearranged position in the cipher text, which lets the deciphering operator set his machine
to the correct start position.

3.3. Accessories
On the inside of the top lid there are compartments for accessories, see Figure 6. At the center
of the lid there is a paper tape holder. On the left side there are a screwdriver for opening the
machine when setting the lugs and pins, a cylinder with blue or purple ink, and one with oil. On
the right side there is a pair of tweezers, used for feeding the paper tape through the printer and
removing blocked paper tape.

Figure 6: Accessories inside the M-209's lid

3.4. Cryptanalysis
The security of the M-209 was good for its time, but not perfect. Unlike another cipher
machine used by the US in WW2, the SIGABA, M-209 cipher texts could be decrypted by hand
relatively easily once the enemy knew the internal mechanics of the machine. This was done
using kappa testing, which uses the index of coincidence, a technique invented during the 1920s
by William F. Friedman, the same person who gave Hagelin advice on how to improve his
C-38 and build the M-209. Under heavy traffic the M-209 could come into situations where
the key wheels were in close enough positions that the machine would create overlapping
portions of the text. The kappa test uses these overlapping portions, and makes it possible for the
cryptanalyst to recover the key-wheel pin and lug settings of the machine.
The Germans managed to get their hands on quite a lot of M-209 machines, and became familiar
with the way it worked. By 1943 they had learned that certain settings gave patterns that could
disclose the settings of the pins on the key-wheels and the lugs in the cage, making them able
to decrypt cipher text from the M-209 with a length of approximately 150 letters. If the
cryptanalyst was lucky, 35 letters could be enough. Decryption by an adversary was very
time-consuming, and this, together with the extreme number of internal settings, made the US
Army continue to use the M-209 for tactical use not only through WW2 but, as mentioned, also
through the Korean War. Since it was known to be vulnerable to cryptanalysis, it was limited to
tactical use with messages that would be acted on by the receiver immediately, within the time
it would take to decrypt the message.
Around 1970 a cryptanalysis of the M-209 was done by Dennis Ritchie, the creator of the C
programming language and one of the creators of the UNIX operating system; Robert Morris, a
contributor to the early versions of UNIX and chief scientist at the NSA in the early 90s; and
Jim Reed, a mathematician and hobby cryptologist. The result was a computer program that, in
a relatively short time, was able to decrypt about half of the texts longer than 2000 characters,
and most of the texts with over 2500 characters. In 1974 Robert Morris wrote the crypt program
for the Sixth Edition of Unix, based on the M-209 ciphering method.
Ritchie, Morris and Reed's work was written up as an article meant to be published in the
Cryptologia magazine, but after a dialogue with the NSA the work was never published.
Although the NSA didn't have any interest in the M-209 anymore, there were cipher machines
still in use that were based on the same principles. The work could therefore potentially harm
governments using this equipment [Ritchie].
Technology has evolved, and in the late 1990s a fast ciphertext-only attack was possible
with 1000-2000 characters, and a known-plaintext attack with only 50-100 characters [Menezes
et al.].


4 Conclusion
The Hagelin M-209 was a very advanced ciphering machine, ahead of its time. The fact that it
was fully mechanical was an amazing achievement. In addition, the M-209 was very small,
rugged and able to perform both enciphering and deciphering, which made it perfect for tactical
use. But one thing to think about today is how much work it was to change the internal
ciphering key, compared to how easily this can be done on today's crypto equipment. I can't
imagine how frustrating this could be for soldiers in the field, with bullets flying around them.
But I guess this was the reason keys most often were changed once a day.
The machine was built on principles from the early 1920s, and was improved up to the last rotor
machine from Boris Hagelin, the CX-52, which is still hard for an adversary to decrypt today.
One interesting thing today, after the Snowden leak about NSA backdoors, is that they already
had backdoors in the CX-52 as early as 1957.


Reference
[Beckman] B. Beckman, Codebreakers: Arne Beurling and the Swedish Crypto Program During World War II, American Mathematical Society, 2002
[Cryptomuseum] Crypto AG, Hagelin Cipher Machines, http://www.cryptomuseum.com/crypto/hagelin/index.htm
[Hafner] K. Hafner, J. Markoff, Cyberpunk: Outlaws and hackers on the computer frontier, Simon & Schuster, 1995
[Hagelin] B. Hagelin, The Story of Hagelin Cryptos, 1981
[Johnson] B. Johnson, Kryptografi, Tapir Forlag, 2001
[Kahn] D. Kahn, The Codebreakers, 2nd ed., Simon & Schuster, 1996
[Menezes et al.] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
[OSVDB] 95427 : Crypto AG Multiple Hagelin Cipher Machine NSA Backdoor Encryption Compromise, http://www.osvdb.org/show/osvdb/95427
[Rice] R. Rice, The M-209 Cipher Machine, 2010, http://derekbruff.org/blogs/fywscrypto/files/2010/11/Rice-Essay-2.pdf
[Rijmenants] M-209 simulator, http://users.telenet.be/d.rijmenants/en/m209sim.htm
[Ritchie] D.M. Ritchie, Dabbling in the Cryptographic World--A Story, 2000, http://cm.bell-labs.com/who/dmr/crypt.html
[Trappe et al.] W. Trappe, L.C. Washington, Introduction to Cryptography with Coding Theory, 2nd ed., Pearson Prentice Hall, 2006
[Wikipedia1] Arne Beurling, http://en.wikipedia.org/wiki/Arne_Beurling
[Wikipedia2] Beaufort cipher, http://en.wikipedia.org/wiki/Beaufort_cipher
[Wikipedia3] Boris Hagelin, http://en.wikipedia.org/wiki/Boris_Hagelin
[Wikipedia4] Enigma machine, http://en.wikipedia.org/wiki/Enigma_machine
[Wikipedia5] M-209, http://en.wikipedia.org/wiki/M-209
[Wikipedia6] National Security Agency, http://en.wikipedia.org/wiki/National_Security_Agency
[Wikipedia7] William F. Friedman, http://en.wikipedia.org/wiki/William_F._Friedman

Permission to use pictures from cryptomuseum.com given by Paul Reuvers 09.03.2013
