[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Strong Crypto Weak




Strong Encryption Weak, Say Crypto Gurus


Washington, D.C., U.S.A., 6 February 1996 -- Strong
encryption is weak, reports a group of prominent
cryptographers and computer scientists. Their report,
released yesterday, is expected to play an important role
in coming debates over US policy on exports of software
that includes encryption capabilities. 

Current US policy generally limits exports to encryption
using 40-bit keys. On a case-by-case basis, the US has
allowed export of software with 56-bit digital encryption
standard (DES) encryption. 

Recently, two French graduate students cracked the 40-bit
encryption Netscape was using. The trick took several
days, using idle time on the school's computers. 

The seven experts who wrote the new paper -- "Minimal Key
Lengths for Symmetric Ciphers to Provide Adequate
Commercial Security" -- say the achievement by the
students at the Ecole Polytechnique was trivial. 

"Anyone with a modicum of computer expertise and a few
hundred dollars would be able to attack 40-bit encryption
much faster," they write. They add that using a field
programmable gate array (FPGA) chip, costing about $400
mounted on a card, "would on average recover a 40-bit key
in five hours."

"A more determined commercial predator," says the paper, 
"prepared to spend $10,000 for a set-up" using 25 FPGA
chips, "can find 40-bit keys in an average of 12
minutes."

Moving to a 56-bit DES system doesn't solve the problem,
says the paper. "Calculations show that DES is inadequate
against a corporate or government attacker committing
serious resources. The bottom line is that DES is cheaper
and easier to break than many believe." 

And it is getting easier to crack DES code, says the
paper. "At present, it would take a year and a half for
someone using $10,000 worth of FPGA technology to search
out a DES key. In ten years time, an investment of this
size would allow one to find a DES key in less than a
week."

A serious attack against DES, on the order of $300,000,
"could find a DES key in an average of 19 days using
off-the-shelf technology and in only three hours using a
custom developed chip," say the cryptoanalysts. That's
the sort of money a business, or a criminal organization,
might be willing to spend to find trade secrets or dip
into a flow of financial transactions. 

A government intelligence agency willing to spend $300
million "could recover DES keys in 12 seconds each," says
the paper. "The investment required is large, but not
unheard of in the intelligence community. It is less than
the cost of the Glomar Explorer, built to salvage a
single Russian submarine, and far less than the cost of
many spy satellites."

What's the proper key length for protection against
criminal operations or a prying government? The analysts
"strongly recommend a minimum key-length of 90 bits for
symmetric cryptosystems." That's far stronger than
anything the US government has ever contemplated allowing
for export.

The paper was written by some of the most prestigious  
individuals in the field: Matt Blaze, Whitfield Diffie,
Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric
Thompson, and Michael Wiener. 

Blaze, at AT&T Research, recently demonstrated weaknesses
in the government's "Clipper Chip" key escrow system.
Diffie, at Sun Microsystems, was a co-creator of public
key cryptography. Rivest, at MIT, was one of the
inventors of the RSA public-key system and one of the
founders of RSA Data Security Inc.

Schneier, president of Counterpane Systems, is the author
of a leading textbook, Applied Cryptography. Shimomura,
at the San Diego Supercomputer Center, last year tracked
down outlaw hacker Kevin Mitnick. 

Thompson heads AccessData's crypto team, which has
regular clients that include the FBI and other law
enforcement agencies. Wiener, at Bell-Northern Research,
wrote an influential 1993 article, "Efficient DES Key
Search," which describes how to build a machine to attack
DES by brute computational force.

The paper grew out of a one-day meeting in Chicago last 
November, which was supported by the Business Software
Alliance. The paper is available on the BSA World Wide
Web site, http://www.bsa.org/. 

--