Tradecraft: The Book Cipher & Other Old School Techniques

Fort Meade (TFC) – More than 4 days ago, a message was posted in an article on The Fifth Column. Readers were asked to break the cryptogram. At the time of this writing, the message remains unreadable. At least one person with training from the NSA and three hackers associated with the Anonymous collective have made the attempt. It doesn’t use advanced cryptography or anything like that. It didn’t even require a computer. It was made using a multi-layer cipher. The key component of the cipher is a modified book cipher, sometimes called a Beale code.

In this installment of Tradecraft, we will be discussing how to manufacture your own cipher systems. Multiple ciphers will be discussed, and they can be combined to create your own system. You are only limited by your imagination. Some may be asking what about the NSA supercomputers? Can’t they crack it? Maybe. Later this week, a new message will be rendered and we will encourage our readers to tweet it directly to the NSA in the hopes of getting a response.

All forms of encryption are breakable given enough time. The idea behind encryption is to slow the opposition’s access to the message. The strength of encryption needed is determined by who your opposition is, the likelihood of the message being intercepted, the value of the information, and the length of time until the information becomes worthless.

Opposition: Who is trying to gain access to your information? Your girlfriend or boyfriend? A rival company? Your boss? Some third world goon squad? The NSA? Realistically evaluate who will be trying to obtain your information. While many would say “I want the strongest cipher possible”, it quickly becomes burdensome to spend an hour rendering a ciphertext simply to make sure your boss doesn’t know about your fantasy football league. The more complex your cipher, the longer it takes to break. That also means it takes longer to encrypt and decrypt with the key.

Likelihood of intercept: Is your message being transmitted over the internet? Through an onion? Using some standard software based encryption? Is it being delivered via a hand written note through a dead drop? Is it being spoken over a radio? Combined with knowledge of your opposition, evaluating the likelihood of interception can help determine how sophisticated your system needs to be.

Value of information: Does your message contain information related to a planned coup d’etat in Sri Lanka, or does it contain the whereabouts of your diary? How much energy will the opposition expend trying to crack your system?

Expiration date: The modern battlefield changes so quickly that information expires quickly. Obtaining troop locations was a major goal during World War II. Today, knowing that 3 companies of tanks are on the other side of the Rhine means nothing. By the time the information is relayed, they could have been reinforced with paratroopers who were 1000 miles away when the information was collected. This information is now gained through real-time surveillance. If your message contains the date and time of a meeting, the cipher only has to survive until that meeting is completed.

Your cipher needs to protect you from the time the message is transmitted until the time the information is worthless. During that time, the opposition will have to intercept, decrypt, analyze, and exploit the information.

The Book Cipher:

A personal favorite of mine is the book cipher, mainly because of it’s adaptability. This cipher replaces letters or words with numbers indicating their location in a text, called a key. The users determine how the cipher is structured. For example, this article will serve as the key.

The letter “n” could be represented by dozens of different identifiers.

462: The number of characters from the beginning of the page. You could chose to make the number higher by counting spaces.

2,2: Second paragraph, second letter

1,2,2: First page, second paragraph, second letter

96, 2: Ninety-sixth word, second letter

5,2: Fifth line, second letter.

2: The people on both ends of the transmission know to begin at the second paragraph, so it doesn’t have to be represented in the ciphertext.

The instructions known to both the person transmitting the cipher and receiving allow for unlimited options. You could start counting characters on any specific page in the book. You could indicate paragraph and letter from the back of the book. You could use only even pages.  Without knowing the method used, deciphering the text is difficult even if you have the key. Ask those working on the Snowden Cipher, if you don’t believe me.

Choosing a key: The process of choosing a key is important. First, it must be a text both parties will always be able to access. I chose the King James Version of the Bible because it is ubiquitous. It’s in every hotel in the country. It’s in every prison and jail. It’s online. It should always be accessible. Second, it should be long enough to be certain you can encrypt your whole message. Even though the most famous book code used the Declaration of Independence, the general thought is that the longer the text, the better. Given the different methods, the longer a text is, the more options for encryption exist within it. Third, it should be an innocent text. Let’s say a spy during the Cold War was selling secrets to the Soviet Union. Using a copy of The Communist Manifesto as a key would be a poor choice because the spy would have to have access to the text. A CIA officer with a copy of that text would draw attention.

Image Source:

Image Source:

Common pitfalls:

The longer the message, the easier it is to crack if you’re facing advanced opposition. Undoubtedly, the NSA has digital versions of popular texts and can run them against book ciphers. The longer the message, the more points of references they have to break your message.

If multiple messages using the same key and method are intercepted, they can be compared and again provide multiple points of references. You can defeat this by using clear instructions to alter the method slightly each time a message is sent. The first message might start with the third paragraph, while each subsequent message might begin five paragraphs later.

It’s not enough to have the same title, it must be the same edition. If you were to encrypt a text designating page, paragraph, and letter using a hardcover version of The Catcher in the Rye, the recipient can’t use a softcover version to decrypt it.

A book cipher doesn’t have to be a book. It could be a newspaper, website (but remember that will leave a digital footprint), high school year book, or even the marquee outside the local movie theater.

Unclear instructions can make a book cipher worthless. Do you include headings like the “Fort Meade (TFC)” at the top of this article? What about the headline? What happens if the text you’re using doesn’t have a needed letter? It’s best to practice the encryption and decryption sequence several times before going live.

When decrypting, some people may want to count letters using the point of their pencil. Those little marks on the page just told the opposition what the key is.

Destroy all paperwork as soon as possible. Truly destroy it, don’t simply throw it away. If you’re operating at this level, it is safe to assume somebody is gathering intelligence by going through your trash. Burn it completely, crush the ashes, then flush them down the toilet. Make sure you didn’t leave impressions in the next sheet of paper in the pad.

Don’t leave a pad and pencil next to your key. Ever.

Don’t decrypt or encrypt in the same location multiple times. Surveillance cameras might be set up to watch the process.

Don’t use your laptop to type solutions between steps during the encryption process. A keylogger on your computer could make your cipher meaningless.

Adding layers:

Caesar Cipher: This cipher is one of the oldest, simplest, and easiest to crack. It isn’t sufficient to protect more than high school notes alone. Adding this cipher as an additional layer of protection when combined with other ciphers is useful. The cipher simply shifts each character a set number of places.

If the shift value is 3


The Fifth Column becomes Wkh Iliwk Froxpq

This cipher can be personalized for added security by changing the shift number at set intervals. It could start as a shift 2, but every three letters shift an additional 2 spaces.

Keyword CipherThis is simply a modification of the Caesar Cipher. Instead of using an alphabet in order, it uses an alphabet offset by a keyword. If the keyword chosen is “columnist”, the alphabet would become “columnistabdefghjkpqrvwxyz”. Then simple substitution between the standard alphabet and the keyword alphabet reveals the code.

Using this keyword

The Fifth Column becomes qsm ntnqs lgdref.

This is another cipher that is not sufficient alone, but provides additional protection when used in conjunction with other ciphers.

The One-Time Pad: This cipher is secure. In fact, when used properly, it’s supposed to be literally unbreakable. However, it’s difficult to deploy and requires the sender and the receiver to possess an incriminating pad full of strings of random letters. Braingle describes the process of encryption:

“To encipher a message, you take the first letter in the plaintext message and add it to the first random letter from the one-time pad. For example, suppose you are enciphering the letter S (the 19th letter of the alphabet) and the one-time pad gives you C (3rd letter of the alphabet). You add the two letters and subtract 1. When you add S and C and subtract 1, you get 21 which is U. Each letter is enciphered in this method, with the alphabet wrapping around to the beginning if the addition results in a number beyond 26 (Z).”

If the One-Time Pad provides a key of FDJSKBFEOSLBFDAJKDAEP


You can only use each letter string once.

Letter-Number Cipher: This is literally what is on most childhood decoder rings. It simply replaces letters with numbers. ABC is 123. Just like any other cipher you can personalize it by shifting the number string or randomizing the order of the numbers. With standard ABC/123

The Fifth Column becomes 20-08-05 06-09-06-20-08 03-15-12-21-13-14

If you started with a Book Cipher, this cipher can be used in reverse to generate letter strings from the number strings generated by the Book Cipher.

Building your system: In addition to those above, there are dozens of other ciphers out there. Combining several of them can create a cipher strong enough to create a delay of days or weeks before the opposition is able to read your message.

Imagine your message was encoded using a Book Cipher, then the numbers were converted into a letter string using a reverse Letter-Number cipher which was then placed in a Caesar Cipher only to be then encrypted via a One-Time Pad. The final product would be virtually unbreakable. Both ends of the cipher system are strong ciphers, the transitional ciphers in the middle only serve to further obfuscate the original message.

For this cipher system, a Sunday newspaper would be a great key. It provides a new text to use for the Book Cipher every week and the crossword puzzle can be used to provide the random text strings needed for a One-Time Pad. A newspaper is an innocent enough document to have lying around or even on your person.

Delivery: In the days of instant gratification, the sender’s first response might be to simply email the encoded message to the recipient. This will establish a link between the two people and the message. Patience is a virtue. Stenography is the art of hiding an encoded message in plain sight.


Take a look at this Facebook post:
…. ….  .. …  . …..    .. .  .. ….  .. .  …. ….  .. …    . …  … ….  … .  …. …..  … ..  … …

Now scroll up to the Keyword Cipher. If you remove everything but the capital letters from the post, you have the code generated in the example.

20-08-05 06-09-06-20-08 03-15-12-21-13-14

The code could be hidden in the foreground or the background of a photo posted online. In this case, the “Camera” field is occupied by the code generated by the One-Time Pad. If you click on the image, you’ll see the file name is the generated string of numbers from the Letter-Number Cipher. Above the embedded Facebook post there is a series of barely noticeable dots. That’s a tap code spelling out “The Fifth Column”.

The internet allows infinite possibilities for transmitting codes in plain sight. You are only limited by your imagination and in many cases, this is safer than using heavy computer based encryption because it flies under the radar. They can’t break a code they don’t even know was sent.

But what happens when you’re operating in an environment that doesn’t allow for internet transmission? The dead drop.

A dead drop is a prearranged location that allows information to be passed without those exchanging information needing to see each other. It could be something James Bondish like a hollowed out log or it could be the bulletin board at your local community college. You could post fliers for your missing cat and in the background of the photo is the code.

However, the two of you can’t check the location everyday. Any surveillance effort would notice that, and eventually you’d run into each other. So you need a signal to let the other person know the drop is filled. In the old days, this would have been a chalk mark on a specific lamp post, blinds left open at night, putting the trash out on the opposite side of the driveway as usual, and so on. They have to be things the other person would see during their normal daily activities and things nobody else will notice.

Even if you can’t use the internet to send the messages for whatever reason, you might be able to use it as a signal. Something as simple as two exclamation points on the end of a post on a social media network or just the act of changing your profile photo could be the signal.

When it comes to ciphers and actual human intelligence tradecraft, you are only limited by your imagination.


Wondering where to obtain digital texts of the same edition for a book cipher? Here’s 55,000.
Where can you obtain explanations about other ciphers? Here you will finds tools to use ciphers not discussed in this article, while this site gives you detailed information about how those ciphers work.