A 33-year-old password that protected the source code to a secure communications system used by the ANC during Operation Vula has finally been cracked by Cloudflare’s chief technology officer John Graham-Cumming.
Because of this, Tim Jenkin, the system’s inventor and programmer, is now able to release the code he created in the 1980s to assist ANC leaders in negotiating the end of apartheid as open source.
The goal of Operation Vula was to secure a connection between the ANC’s exile headquarters in Lusaka, Zambia, and important figures like Mac Maharaj and Charles Nqakula in South Africa. The ANC was using a simple but undefeated paper-based one-time pad (OTP) system for cryptography, which Jenkin had trained operatives in.
After breaking out of Pretoria Central Prison in 1979 with two other prisoners by reverse-engineering the keys to ten different doors and making duplicates of them out of wood, Jenkin fled to London.
He had been detained together with fellow conspirator Stephen Lee after it was discovered that they had been transporting the machinery used to make anti-apartheid leaflet bombs, which they had detonated in and around Cape Town between 1975 and 1978.
Daniel Radcliffe portrayed Jenkin in the 2020 movie Escape from Pretoria.
Jenkin became the ANC’s communications officer in London and developed the OTP-based system for secure communication between operatives and their handlers. While the encryption itself is uncrackable, provided keys are properly randomly generated, one-time pad systems have several other vulnerabilities.
Although one of the first rules of cryptography is “don’t invent your own”, Jenkin said that due to the unique circumstances under which they operated, they could not use cryptographic software that was already available.
Jenkin told MyBroadband in a previous interview that “Even in those days, 25 years before Edward Snowden, there was talk about ‘backdoors’ in encryption software.”
Their cryptography would stay straightforward, but because most of the Internet did not yet exist, the communications system as a whole ended up containing many more moving parts than the software alone. Encrypted messages were converted into a signal that could be recorded and played back over a standard phone call. This made it simple for agents to get messages on public phones.
A modem could then be used to play the recorded message back into a computer for decryption. To encrypt or decrypt messages, though, keys had to be shared between the two communicating parties.
Per MyBroadband, Jenkin wrote random data to 1.44MB “stiffy” disks for this purpose. The encryption software and these keys then had to be given to field agents. A KLM air hostess, Antoinette Vogelsang, helped smuggle the computers, disks, and other equipment ANC operatives in South Africa needed.
In 1989, Operation Vula would achieve its greatest victory — re-establishing secure communications between Nelson Mandela in South Africa and ANC president Oliver Tambo in Lusaka, Zambia.
Graham-Cumming said that, having become interested in the Operation Vula code some time ago, he contacted Jenkin to ask whether any open-source version of it existed. Jenkin explained that, upon his return to South Africa in 1991, the code had been stored only in a password-protected ZIP file, which is why he hadn’t released it until now.
The necessity to encrypt the code stemmed from the fact that negotiations between the African National Congress (ANC) and the apartheid state were still ongoing and there was no guarantee they would succeed.
Years later, Jenkin attempted to unzip the file and found he had forgotten the password.
“I thought I would never forget the password, but when I tried to decode it a few years later, I couldn’t remember it.”
After Graham-Cumming cracked the password, Jenkin uploaded the nearly 40-year-old PowerBASIC code to GitHub.
“There are lots of interesting details of how these programs work that deserve another longer blog post when I have time. Or a detailed study by someone else.”
“For example, the key material is destroyed after use, the RANDOM.EXE program has multiple ways of making randomness and code to check the distribution of the random bytes created. There’s an emphasis on using the RAM disk for all cryptographic operations.”
[source:mybroadband]
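Two of the properties mentioned above, key material that is destroyed after use and a check on the distribution of the random bytes, can be sketched as follows. This is an added illustration in Python, not the Vula PowerBASIC code; the names `OneTimePad`, `chi_square_bytes`, `pad_looks_uniform` and the chi-square threshold are assumptions made for the example.

```python
import secrets
from collections import Counter

# Approximate chi-square critical value for 255 degrees of freedom at p = 0.001
# (assumed threshold for this example).
CHI2_LIMIT = 330.5

def chi_square_bytes(data: bytes) -> float:
    """Pearson chi-square statistic of byte frequencies against a uniform distribution."""
    if len(data) < 256 * 5:
        raise ValueError("sample too small for a meaningful chi-square test")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def pad_looks_uniform(data: bytes) -> bool:
    # Catches a visibly biased generator. Passing does NOT prove the bytes
    # are unpredictable: a repeating 0..255 counter passes too.
    return chi_square_bytes(data) <= CHI2_LIMIT

class OneTimePad:
    """Holds key bytes in a mutable buffer; each byte is used once, then overwritten."""

    def __init__(self, key: bytes):
        self._key = bytearray(key)
        self._pos = 0

    def remaining(self) -> int:
        return len(self._key) - self._pos

    def crypt(self, message: bytes) -> bytes:
        """XOR with the next unused key bytes (encrypt and decrypt are the same operation)."""
        n = len(message)
        if n > self.remaining():
            raise ValueError("not enough unused key material; never reuse a pad")
        start = self._pos
        out = bytes(message[i] ^ self._key[start + i] for i in range(n))
        self._key[start:start + n] = bytes(n)  # zero the used key bytes in the buffer
        self._pos = start + n
        return out

def demo() -> bytes:
    key = secrets.token_bytes(4096)             # constructed sample pad
    assert pad_looks_uniform(bytes(range(256)) * 16)  # structured, yet passes the check
    sender, receiver = OneTimePad(key), OneTimePad(key)
    ciphertext = sender.crypt(b"constructed sample message")
    return receiver.crypt(ciphertext)

if __name__ == "__main__":
    print(demo())
```

Zeroing a Python buffer is best-effort only; key material held on removable media needs its own destruction procedure.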