Crypto crack: E-mail archives may be vulnerable

Summary: The crypto wizards who broke the government's encryption standard in less than three days with a single custom-made workstation said in a press conference on the breakthrough Friday that predictions of the code's demise have been circulating for two decades, and speculated that others with less honorable intentions have already pulled off the same trick.

"I'm fairly certain that foreign governments will have built similar machines to this, and are using them to eavesdrop on conversations in the U.S.," said Paul Kocher, a member of the team who helped build the machine for the Electronic Frontier Foundation, during the press conference.

While the Data Encryption Standard (DES) algorithm has long been known to be vulnerable to distributed computing efforts involving tens of thousands of computers, never before has the code been cracked with a single machine. Several of the scientists behind the breakthrough said they are confident that it will be a watershed event in the history of government encryption policy.

The Clinton Administration has set strict controls on the export and use of encryption with a longer-than-40-bit key. But the DES technology proven vulnerable in the EFF test had a 56-bit key, trillions of times stronger than 40-bit technology. "While in theory everyone had a sense for 20 years that this could happen, no one before had done this publicly," said Burt Kaliski, chief scientist at RSA Laboratories, another member of the EFF's team. The event "doesn't suggest anything that we weren't expecting to see, but it's good that it's finally been documented," he said.

Whitfield Diffie, the inventor of public key cryptography and one of the most famous names in the encryption software industry, said the EFF's experiment exposes vulnerabilities in DES that might head off potentially disastrous network security breaches -- if government and private sector experts take the threat seriously.

We've only just begun
"Nobody can say now that this can't be done. From an intelligence point of view, now this is real," Diffie said during the press conference. "I don't think this is by any means the end of this," he added. "There are going to be legitimate reasons for attacking DES maybe for decades in the future."

One area of potential vulnerability is large corporations' e-mail archives, he said. As it becomes apparent that 56-bit key encryption can be broken with a single machine for a price of less than $250,000, skilled crackers will work to improve the technology and bring down the price, Diffie said.

"People will begin going through things like e-mail archives, and the price will come down from tens or hundreds of thousands of dollars to tens or hundreds of dollars," he said.

"I could easily see a situation where someone could do this as a science project in five or six years," said John Gilmore, co-founder of the EFF. But such an attack with a single machine would not work on the much stronger Triple DES algorithm, used in many banking networks, he added.

120 bits of key
"At 90 bits of key, it begins to get tough to do this type of crack. At 120 bits of key, it's pretty much impossible," Gilmore said.
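As an added worked example, not part of the ZDNet article, the following Python turns the article's single data point (a 56-bit DES key recovered by one machine in under three days) into a brute-force feasibility estimate for the other key lengths the speakers mention: 40 bits (the export limit), 90 and 120 bits (Gilmore's "tough" and "impossible" thresholds), plus 112 bits, the effective strength usually credited to two-key Triple DES. Treating "under three days" as a worst-case full search of the 2^56 key space is an assumption made here, as is the hardware cost-halving period used to project Diffie's falling-price prediction; the $250,000 starting price is the article's figure.

```python
"""Brute-force feasibility estimates for symmetric key lengths.

Added example, not from the ZDNet article. It takes the one stated data
point, a 56-bit DES key found by a single machine in under three days, and
asks what that search rate implies for other key lengths.
"""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# From the article: a 56-bit key, broken in under three days.
DES_KEY_BITS = 56
# Assumption made here: treat "under three days" as a full search of 2^56 keys.
EFF_SEARCH_SECONDS = 3 * SECONDS_PER_DAY
# From the article: the machine cost less than $250,000.
EFF_MACHINE_COST = 250_000


def key_space(bits: int) -> int:
    """Number of distinct keys for a key of the given length in bits."""
    return 1 << bits


def implied_rate(bits: int, seconds: float) -> float:
    """Keys per second needed to exhaust a key space in the given time."""
    return key_space(bits) / seconds


def seconds_to_search(bits: int, keys_per_second: float, fraction: float = 1.0) -> float:
    """Time to try `fraction` of the key space at a fixed rate.

    fraction=1.0 is the worst case (the key is the last one tried);
    fraction=0.5 is the expected case for a uniformly random key.
    """
    return key_space(bits) * fraction / keys_per_second


def years_to_search(bits: int, keys_per_second: float, fraction: float = 1.0) -> float:
    """Same as seconds_to_search, expressed in years."""
    return seconds_to_search(bits, keys_per_second, fraction) / SECONDS_PER_YEAR


def keyspace_ratio(stronger_bits: int, weaker_bits: int) -> int:
    """How many times larger the stronger key space is (always a power of two)."""
    return key_space(stronger_bits) // key_space(weaker_bits)


def projected_cost(initial_cost: float, years: float, halving_period_years: float = 1.5) -> float:
    """Price of hardware with the same search rate after `years`.

    Assumes the cost of a fixed search capability halves every
    `halving_period_years`; the 1.5-year default is a stylised Moore's-law
    assumption made for this example, not a figure from the article.
    """
    return initial_cost / 2 ** (years / halving_period_years)


def feasibility_table(keys_per_second: float) -> dict:
    """Worst-case search time in years, per key length, at a fixed rate.

    112 is included as the effective strength usually credited to two-key
    Triple DES; the other lengths are the ones discussed in the article.
    """
    return {bits: years_to_search(bits, keys_per_second) for bits in (40, 56, 90, 112, 120, 128)}


if __name__ == "__main__":
    rate = implied_rate(DES_KEY_BITS, EFF_SEARCH_SECONDS)
    print(f"implied search rate: {rate:.3g} keys/s")
    print(f"56-bit key space is {keyspace_ratio(56, 40)} times the 40-bit key space")
    for bits, years in feasibility_table(rate).items():
        print(f"{bits:>4} bits: {years:.3g} years (worst case at that rate)")
    for years in (0, 5, 6):
        print(f"after {years} years: ~${projected_cost(EFF_MACHINE_COST, years):,.0f} for the same capability")
```

Each extra bit of key doubles the search, so the gap between 56 and 90 bits is a factor of 2^34, and between 56 and 120 bits a factor of 2^64; at the rate implied by the EFF result, a full 120-bit search takes on the order of 10^17 years. The `projected_cost` curve is the mechanism behind Diffie's prediction that prices fall: hardware gets cheaper at a fixed (if rapid) pace, which moves a 56-bit search from a government budget to a hobby budget but does not touch the exponential, which is why the longer key lengths stay out of reach and why archives encrypted under short keys are the exposure to plan for.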

Gilmore reiterated Kocher's allegation that similar machines have probably been built by foreign governments or even the U.S. government. Companies deploying the algorithm "have been aware of this for a long time," he said.

Major DES users "have been actively involved in risk management so they can tell if anyone is doing this to them, detect it, and cut it off," Gilmore said.
