Tales from the SOC: Classic Crypto – The Babington Plot | S1 Ep024


Paul Ducklin
05/28/2026

Classic Crypto – The Babington Plot

The terrible price of weak cryptography



READ THE TRANSCRIPT

[FX: PHONE DIALS]

[FX: PHONE RINGS, PICKS UP]

ETHEREAL VOICE. Hello, caller.

Get ready for TALES FROM THE SOC.

[FX: DRAMATIC CHORD]


DUCK. Welcome, everybody, to another episode of TALES FROM THE SOC.

I am Paul Ducklin, joined as usual by David Emerson, CTO and Head of Operations at SolCyber.

Hello, David.


DAVID. We’ve got a history lesson today!


DUCK. Yes.

Last episode was entitled Classic Crypto – Operation GUNMAN, which was a tale of derring-do between the KGB and the NSA; USA versus USSR.

And I had a couple of listeners send me messages saying, “Oh, I love the Classic Crypto stuff – you should do more of this.”

David, this time, is going to interview me, because this is on my home turf.

And this time, we are going back 500 years, not just 50 years, to a fascinating tale called The Babington Plot.

And we’re going back to basically Shakespeare’s era and just before.


DAVID. 1586 or 1587 is when our tale concludes?


DUCK. Yes, very abruptly, [SOMBER] with somebody’s head being chopped off.

But I guess we need to start around about the time of Henry VIII.

Famously, Henry VIII and his Six Wives.

“Divorced, beheaded, died; divorced, beheaded, survived.”

Which tells you more about Henry as a king and as a human being.

He was a greedy, self-serving, manipulative, misogynistic, power-crazy, money-crazy, all-powerful monarch.



DAVID. What year is that?


DUCK. Henry reigned from 1509 to․․․ [TRYING TO REMEMBER] 1547.

The big change, the change of England going from being a Roman Catholic country to becoming a Protestant country, happened in the early decades of the 15th century.

The Protestant Reformation was in full flow in continental Europe: Martin Luther, the Diet of Worms, the Peasants’ Revolt; all of that stuff.

And Henry figured, “Hey, I can use this religious platform as a way to advance myself.

If I kick out the Pope, declare Catholics to be heretical, and make myself head of the Church of England, then I can get a divorce from this pesky wife I’ve got who only seems able to give me daughters and no sons.

And I can take all their money and all their property and I can use it to pay off my nobility and do all the warmongering I like.”

So that’s where we are.


DAVID. The real story here is the more things change, the more they stay the same.


DUCK. Yes, there’s always someone who’s prepared to manipulate a cause for their own benefit.

James V was King of Scotland․․․ because, remember, there was no United Kingdom at this point.

England and Scotland were long-standing enemies, and in fact Scotland allied with France.

James V figured, “I’m going to try and conquer England,” so he attacked, but he lost the battle, and he died a month after the battle.

Just six days before he died, his daughter Mary was born.

At six days old, she became Mary Queen of Scots, and that is where this whole intrigue starts.



DAVID. What’s the threat here at this point now?

It’s clearly not actually the royal line.


DUCK. Henry hatches this plan.

“What I’ll do is, I’ll get the Regents (they’re the Scottish nobles who are going to act as the monarch until Mary comes of age)․․․

Why don’t you promise her in marriage to my son?”

Because he had a son by then, Edward.

“He’ll be the King of England; she’ll be the Queen of Scotland; that will be fantastic – we will then have a United Kingdom, and just think how powerful it will be!

Oh, by the way, let me do a load of border skirmishes to try and․․․”


DAVID. Yes, you always have to have a load of border skirmishes just in your back pocket.


DUCK. The Rough Wooing, I think was the term that historians gave it.

The Regency in Scotland figured, “This won’t do.”

They packed Mary off to France.

She ended up marrying the guy who became François II, King of France.

Sadly, François II died very young; Mary went back to Scotland, and became Queen.


DAVID. What year is this?


DUCK. That was in the 1560s.


DAVID. OK, so about 20 years before the end of our story here?


DUCK. Yes, and it quickly went very pear-shaped for Mary.

She married one psychopathic murdering nutter; then she married another – Lord Darnley, with whom she actually had a son, who was to become the King of Scotland.

And then the nobility fell out with her, and she was basically forced to abdicate.

She fought a battle to try and get her power back.

She lost, she was imprisoned, she escaped․․․

Obviously, the thing to do is, run to France!

But she didn’t.

She figured, “You know what, I do have this family connection with the woman who is now the Queen of England, Elizabeth I.

I’m going to go to England and throw myself on her mercy.”


DAVID. And this was her first cousin once removed?


DUCK. Yes, indeed.

But Mary was a committed Roman Catholic – she had been the Catholic Queen of France for two years, don’t forget.

She was charismatic, and she was well-regarded in European royal circles.

On the other hand, Elizabeth was the daughter of Henry VIII and she very much kept up the suppression, the taxation, the persecution of English Catholics, so that they would not be a threat to her political power.

So Elizabeth figured, “Hey, I’ll get one of my noble lords to put you up in his stately home.”

Basically, house arrest.

And that’s where the next 20 years went past, by which time Mary’s son, who was only one year old at the time that she fled Scotland, was now the King of Scotland.

And of course, he had a claim to be King of England as well, and ultimately, he would be.

The King James Bible?

That was James VI of Scotland, also James I of England.

So Mary is basically just stuck.

And that’s when our steganographic/cryptographic hero, as it seemed at the time, entered the picture.


DAVID. So we have a background of high drama.

The players no longer even really know who they’re in the play with at this point.

Let’s just mix in some bad cryptography․․․ what’s next?


DUCK. Yes, Mary’s receiving nothing because she’s just completely isolated.

Occasionally, she’s allowed out to go riding in the grounds; occasionally, she’s allowed to go to Buxton, the famous spa in the North of England, to take the waters.

Eventually, she’s not even allowed that – she’s completely incommunicado.


DAVID. Except for some beer barrels.


DUCK. Yes, that’s right.


DAVID. Was she a drinker?

What’s going on?


DUCK. There was a chap called Gilbert Gifford.

There was this sort of, I suppose, “underground railroad” thing, where people would go from England to the Continent, train as Catholic priests, and then get snuck back into England.

And they would move around among the Catholic nobility, conducting the Catholic mass, promoting the Catholic cause, and waiting for the great counter-reformation to come, when the Roman Catholic Church would be re-established in England.

And Gilbert Gifford was one of these guys.

But it was a very dangerous thing to do.

If you were caught as one of these priests celebrating mass, you were so heretical that you weren’t just executed, you were basically chopped into bits while you were still alive, as a warning to others.

So he seemed the right kind of guy, you can imagine, to communicate with Mary, which he was able to do by finding someone who delivered beer to the castle where she was held, and having these hollowed-out bungs in beer barrels, where they could put messages in.

And he took a whole lot of messages that had come from French supporters, sent them to Mary, brought back the replies.

But, as you know, David, there was a twist in that tale.


DAVID. Well, a Man in the Middle, at the very least.




DUCK. Yes, Gifford was perfidious, wasn’t he?

Before he’d even qualified as this priest to come back secretly and promote the Catholic cause, he’d contacted Sir Francis Walsingham, Queen Elizabeth’s spy master, and said, “Hey, I’m doing the pro-Catholic course in Europe at the moment.

I’m about to come back, and I’m available for hire.

I’m not in this for the religion; I’m not in this for any spiritual reason; I’m after the money!”

So he was the ultimate insider threat, and, as you say, the Man in the Middle.

He was the guy who took the messages to be put into the bung; he was the guy who brought the messages when they came back from Mary.

But he handed them over to Sir Francis Walsingham to have a quick look at them․․․



DAVID. So these are in the beer-barrel bung.

They contain messages of support for Mary, so that’s kind-of the hook; that’s what she’s reading.

She’d probably like to read anything when you’re just sitting in a castle drinking.


DUCK. [LAUGHS]


DAVID. There’s an analog here.

Is this visiting a website with TLS?

What is the modern-day equivalent, essentially?


DUCK. I don’t think that the messages were being encrypted at this time.

They were just using what we now call steganography.

As far as Mary was concerned, these were letters that had been sent to the French Embassy in the hope that they would be able to get them secretly to her.

For 20 years they hadn’t been able to; suddenly they’re able to send the messages and get and pass on the replies.


DAVID. At the very least, a suspicious channel that has newly opened.

So does this encryption now give Mary the confidence to write things that she would not have written in the plain?


DUCK. It’s not clear whether she had a cipher yet to do encryption.

It doesn’t really matter, because Sir Francis Walsingham, the spymaster guy, had a state-sponsored actor, if you like, in his employ called Thomas Phelippes.

And Phelippes was a master forger.

He could write messages in somebody else’s handwriting, and you wouldn’t tell the difference.

And he just happened to be a master cryptanalyst as well, so if there had been any encryption, he’s sure to have been able to crack it.

Now, the next player enters the plot.

A young, rich, party-animal-around-town called Anthony Babington, who actually is very resentful of the Protestant order, and would like to build a load of conspirators to assassinate Queen Elizabeth.

Which he does – he manages to get six guys on his side.

And who should show up at Anthony Babington’s front door but Gilbert Gifford, apparently the undercover priest who is obviously on Babington’s side.

And, guess what?

Gilbert Gifford just happens to have this steganographic way of communicating with Mary.

Babington and Mary somehow are able to agree on this cipher that gave them, as you say, the confidence to share messages.

Not only were they hidden in the bung of beer barrels, where supposedly no one knew the messages were happening, but if they were intercepted, they wouldn’t give the deal away, or so they thought.

Mary basically hoists herself by her own petard when she replies.

She said, “About the design,” which apparently is how she described it.

So she didn’t actually use the word murder, or assassination, or whatever.

“Make sure that you spring me from prison first, because otherwise the Queen will be dead, and I’m going to get bumped off.”


DAVID. Any time someone refers to The Design, you know they’re up to no good!


DUCK. [LOUD LAUGHTER]


DAVID. [JOKINGLY] “I have A Design.”


DUCK. So the fact that Mary had said that is pretty incriminating.


DAVID. Right.


DUCK. So she’s bust through the decryption of the message.

Thomas Phelippes – he’s the decryption engine in the Man-in-the-Middle firewall.


DAVID. But even then, it sounds like ultimately this was a faulty pipeline.

You know, even if she’d had, let’s say, a one-time pad, you still had a faulty pipeline where you can’t trust the path, and you don’t have authentication.


DUCK. Mary’s going down, Babington’s going down, but Walsingham and crew figure, “Who are the other six guys?

That’s what we need to know.”

What they did was that they added an addendum to Mary’s message back saying, “By the way, why don’t you tell me who the six guys are?

Because I’ll help you make the best use of these six people.”


DAVID. [LAUGHING] She’s apparently getting a little too eager about The Design at this point.


DUCK. Yes!

Obviously, Babington might suspect, “Why would she be asking that?”

But Phelippes was able to forge other people’s handwriting, apparently perfectly.


DAVID. Yes, he’s a master forger.

Partly this succeeds because Walsingham let the traffic flow rather than shutting it down immediately.

What’s the operational security lesson for 2026 at this point, in terms of when to act and when to watch as a defender?


DUCK. Well, I guess the big lesson, David, isn’t it, that cryptography can be your enemy as well as your friend?

And although they weren’t using a Caesar Cipher, they were using a thing called a nomenclator, which has code words, and has a few extra cryptographic tricks.

They had special characters that didn’t just stand for other letters, but stood for full words, like the, this, that; which, when, where, what – all of which, obviously, have annoying combinations of the same letters in English, and are very common.

And, cunningly, they also had characters that didn’t mean anything so that you could just put them in to break up known patterns.

Obviously, they felt that this was more secure than just a basic substitution cipher, but it just wasn’t good enough for someone of the class of Phelippes.



DAVID. And you’ve got a double-agent here.

You’ve got Gifford, who’s a textbook insider threat.


DUCK. Yes.


DAVID. What detection would essentially translate to the 2026 version of Gifford?

How would you even know that there’s a Gifford in your pipeline?


DUCK. The thing that Gifford had to deal with was: How could he possibly get himself to be believed?

Babington’s going to murder the Queen of England, if you don’t mind, and this chap shows up at his door and said, “Hey, I hear you’re trying to contact Mary Queen of Scots – I’m just the guy!”

He was just a bit of a Frank Abagnale.


DAVID. Charisma!


DUCK. And that’s exactly the same problem we have today with things like Business Email Compromise, isn’t it?

Why would the person send me this message if they weren’t serious?

But if something’s too good to be true?

Maybe Mary could have been a little more cynical․․․



DAVID. She may have known a lot of languages, but she fell for something that today is essentially the domain of fraudulent crime centers.


DUCK. It may be, of course, that her health was failing, and she had been incommunicado for 18 years or whatever.

She may have just figured, “What’s the worst that can happen?”


DAVID. Yes, what is?

I mean, probably what happened is the worst that could happen.


DUCK. I believe she said before she was executed, “I pray that you will make an end of my troubles.”

Maybe she just felt she had nothing to lose.


DAVID. Yes.

What are you threatening her with, death?

She’s going to rot in a prison cell, so․․․


DUCK. Remember, Mary didn’t know that Babington had been asked to give away the other six.

So I guess she figured, “Look, he’s contacted me.

Like, if I’m going down, he’s going down, and vice versa.”

She was unaware of the perfidy that betrayed the other six.

So, yes, very, very hard to defend against that.

Double checks?

If it sounds too good to be true, it is too good to be true?

That’s really all you can do to protect against that, isn’t it?


DAVID. In modern terms, we have weak encryption is worse than none.

We have security through obscurity here.

Of course, we have insider threat.

And in a way, you have then authentication.

All of these have weak authentication along the pipeline.

So, even if you have confidentiality, you may not necessarily have actual authentication of the entire chain.

And today we see that in BGP; we see that in prompt injection – it’s a threat-modeling failure mode.

Any other assumption, based on what you believe are the adversary’s capabilities․․․ which we discussed last time in Project GUNMAN, right?

What you believed were their capabilities, versus what their capabilities could actually be.

Or a certain amount of information that you believe that they should know, rather than the amount that they could know potentially.

You’re not thinking of the model properly.


DUCK. Yes, you said that the Soviets only supplied their diplomatic staff in the US with old-school mechanical typewriters.

But the Soviets allowed the Americans to think, “Oh, it’s because they’re not smart enough to make decent electric typewriters.”

Oh, no, no, no․․․ they knew the risks, because they were exploiting them!

So this one has all these lessons, as you say.

Weak crypto?

You might as well not bother.

I think you’ve mentioned this before.

If you suddenly think, “You know what?

It’s just too hard for me to become HIPAA compliant,”

Well, then, don’t collect it!

In the same way, if you can’t be sure that you are encrypting it properly, find a different way to deal with the data, so the fact that it’s plaintext doesn’t matter.

Stop trading in secrets if you can’t protect them!


DAVID. Yes, you are not obligated to collect things, and you’re not obligated to communicate.


DUCK. Know whom you’re talking to, and talk with them securely.

These days, it’s not a matter of life and death or conspiracies for the majority of us, but it is about things like the safety of our bank accounts; the security of our pensions; the ongoing correct payment of our mortgage; and more.


DAVID. More than ever before, despite the stakes being mostly lower, our beer could be middled!

So from 1586 to 2026, very little has changed.

Thank you, Paul – a wonderful romp through history.


DUCK. [LAUGHS] “Those who cannot remember the past are condemned to repeat it.”

Once again, David.


DAVID. Thank you for listening, everyone.


DUCK. Yes, thanks to all listeners.

If you like this podcast, don’t forget to subscribe so you know when each new episode drops.

Please like and share us on social media – that helps us a lot.

If you listen via a podcast feed, why not leave a comment, or why not leave us a review?

That helps as well.

And remember․․․

Until next time, stay secure.


DAVID. Bye, everyone.


[FX: CALL ENDS]

