
WSJ on SSL Crack



   The Wall Street Journal, August 17, 1995, p. B3.


   French Hacker Cracks Netscape Code, Shrugging Off U.S.
   Encryption Scheme

   By Jared Sandberg


   A computer hacker in France has breached the encryption
   scheme of new Netscape software for navigating the
   Internet, the global computer network. The breach
   underscores flaws in U.S. rules restricting the export of
   more-sophisticated security measures.

   The hacker, a French student at the Ecole Polytechnique,
   cracked the weaker encryption scheme that U.S. government
   policy forces Netscape Communications Corp. to use in a
   foreign version of its Navigator software. Yesterday, he
   posted the results of his efforts on the Internet's
   Cypherpunks discussion group.

   The student took up a challenge issued on July 14 in the
   Cypherpunks group, which is frequented by cryptography
   experts and hackers and mathematicians. He used 120
   powerful computer workstations and two supercomputers to
   crack a piece of information encrypted in Netscape's
   "browser" software. The security is aimed at scrambling
   sensitive financial data to keep credit-card numbers, sales
   transactions and other material safe from break-ins.

   The highly sophisticated computers took eight days to break
   the code -- far more power and time than the typical
   illegal hacker would be able to muster for criminal
   pursuits. But the chore nonetheless highlights the
   vulnerabilities that could make customers shy away from
   conducting commerce on the Internet, particularly
   international users who can't get hold of the tougher
   security measures allowed within the U.S.

   The French hacker was able to crack the so-called 40-bit
   encryption scheme in Netscape's overseas version of its
   software. In the U.S., Netscape employs a far more powerful
   design -- 128 bits, a number that refers to the length of the
   encoding "key," which is used to scramble data.

   U.S. rules limit Netscape to exporting only 40-bit
   encryption overseas. Yet the 128-bit version takes
   exponentially more power to crack: Compared with violating
   the 40-bit scheme, the 128-bit key would take
   10-to-the-26th-power more time to breach, experts say.
   That's a 1 followed by 26 zeroes, a factor of time that
   makes it all but impossible for hackers to break in.

   Netscape wasn't surprised at the findings. The company said
   it has always known and stated that 40-bit security could
   be breached by "brute force," the use of massive computing
   power to descramble the information.

   "This is a good indication of why the government should
   allow us to ship more secure software," said Mike Homer,
   Netscape's vice president of marketing. "The laws are
   archaic."

   Clinton administration officials have viewed strong
   encryption as a weapon for foreign terrorists, who could
   exchange communications without fear of eavesdropping by
   law enforcement officials.

   That policy, however, has raised the hackles of industry
   executives, who say that without strong encryption abroad,
   the growth of electronic commerce could be significantly
   stunted. Last week, a group of software executives told the
   White House that restrictive export regulations might blunt
   American competitiveness in foreign markets.

   "Netscape security is fine," said Dietrich Cappe, a senior
   partner at Red Planet LLC, an Internet consulting company.
   "As long as the government's export restriction exists,
   commerce is going to be severely hampered." Netscape
   licenses the encryption algorithm from RSA Data Security
   Inc., one of the most prominent software security firms
   that licenses its software to most major software
   companies. "We've warned the government that the level of
   security they allow our customers to export is too weak,"
   said James Bidzos, president of RSA. "Maybe they'll listen
   now."

   Netscape's Mr. Homer noted, however, that the amount of
   effort and computing power, which could cost as much as
   $10,000 in addition to the cost of the machines, doesn't make
   even breaches of 40-bit security practical from a thief's
   perspective.

   "You'd be better off working in a shoe store, stealing
   credit card numbers for a week," Mr. Homer said.

   [End]