
WhiSSLing in the Dark

Netscape Encrypted Data Cracked

Tokyo, Japan, Aug. 18 (NB) -- Two computer users have
managed to break Netscape's Secure Sockets Layer (SSL)
encryption code in response to a challenge posted to the
Internet. But far from scaring people away from using the
system for online purchases, the results could reassure
people of its safety.

In mid-July Hal Finney, a US computer user, posted data
in an Internet message that he recorded when he sent an
order, containing a fake name and credit card details, to
Netscape's own computer. Setting a task for the hacking
community, he wrote, "The challenge is to break the
encryption and recover the name and address info I
entered in the form and sent securely to Netscape."

Early this week, news came from Damien Doligez, a French
computer user, that he had cracked the code and revealed
the contents of the message. Several hours later a
message from an American team also claimed the same feat,
actually cracking it two hours earlier than Doligez.

While the results look damaging on the surface, Netscape,
and Doligez, pointed out the amount of computer
processing power needed to hack just one message and the
difficulty in repeating the process.

Roseanne Siino of Netscape told Newsbytes, "The real
issue is whether this compromises security on the net. He
used 120 computers for 8 days just to crack one message."
Siino points out that to break into another message would
require another eight days at the same 120 workstations
and 2 parallel computers.

In home computer terms, Doligez guesses a network of
about 80 Intel Pentium-based machines would be equivalent
to the system he had access to via his workplace, INRIA
in Paris, and computers at Ecole Polytechnique and ENS.

Netscape estimates the total cost of this computing time
at around $10,000, meaning there are many more economical
ways of getting credit card numbers than hacking into
Netscape SSL messages.

Doligez agrees, writing on his home page: "The technical
implications are almost zero. Everybody who understands
the technical details knew perfectly well that this was
do-able and even easy. You have to understand what
happened exactly. I did not break SSL itself. I did only
break one SSL session that used the weakest algorithm
available in SSL. If I want to break another session, it
will cost another 8 days of all my machines."

The vulnerability of the encryption system is shown by
its international use. The coding system available via
Netscape software from the Internet makes use of a 40-bit
encryption key. A stronger version, using a 128-bit key,
is available to US citizens but restricted from export
outside the United States by government regulations.

Netscape's Siino explained the US government allows
export of the lower security version "because they can
break it."

There are some hopes that this demonstration will help
persuade the US government to lift export restrictions on
some harder-to-crack versions of the code.

Netscape is currently developing a new Secure Courier
code which just encrypts the financial data in the
messages using 56-bit keys. Siino explained, "You can
export over 40-bit keys for a specific application." The
new system should be available early next year.

Many companies working on secure transaction systems hope
the much more secure 128-bit code version of the system
will be available for export eventually. This is said to
be almost unbreakable, requiring a trillion times more
processing power to crack than the 40-bit version.

Internet users can view a copy of the original challenge,
access Doligez's home page with details of his result,
get copies of the program used to crack the code and read
Netscape's response to the news through a special section
at Netscape,


Press contacts: Roseanne Siino, Netscape,
+1-415-528-2619, Internet email [email protected];
Damien Doligez, Internet email [email protected];
Hal Finney, Internet email [email protected]