Associated Press
Friday, July 17, 1998

Code-breakers crack government-approved encryption standard

by Ted Bridis

WASHINGTON (AP) -- Using the brute force of a single, custom-built computer costing less than $250,000, a team of experts took fewer than three days to crack a widely used method for scrambling sensitive data.

The code-breakers tested 88 billion possible combinations every second for 56 hours until they unlocked a message scrambled using a government-approved method called the Data Encryption Standard.

Two previous attempts at unscrambling similar electronic messages took, respectively, 5 months and 39 days and used many computers working together across the Internet to test each of roughly 72 quadrillion possible unlocking combinations.

The contest to crack the message was sponsored by RSA Data Security Inc. of San Mateo, California, which has fought U.S. export restrictions on virtually unbreakable data-scrambling products stronger than 56 bits, meaning their unlocking key is a sequence of 56 "1"s and "0"s.

The Clinton administration prohibits the exportation of encryption products stronger than 40 bits, although there are no limits on data-scrambling software used domestically.

The message unscrambled read: "It's time for those 128-, 192-, and 256-bit keys."

"This is more evidence that the government's crypto-policy has been overtaken by technology", said Marc Rotenberg, director of the Washington-based Electronic Privacy Information Center. "It's about time to end the limits on strong encryption technology."

The successful computer, using 27 circuit boards each holding 64 computer chips, was built by the Electronic Frontier Foundation, a San Francisco-based nonprofit civil liberties group. It won $10,000 from RSA in the contest.

"EFF has proved what has been argued by scientists for 20 years -- that DES can be cracked quickly and inexpensively", said John Gilmore, a director of the foundation, which he cofounded in 1990. "If a small nonprofit can crack DES, your competitors can, too."

'Bothersome, disquieting'

The breakthrough was big news in the financial industry, which uses encryption to scramble records of credit-card transactions and bank transfers.

Kawika Daguio of the American Bankers Association said banks also use methods other than encryption for security and in some cases use a data-scrambling method called Triple DES that is exponentially more difficult to crack.

"This isn't devastating, but it's resulting in calls from CEOs to ... (chief security officers) all over the country", Daguio said. "Literally, some people got woke up and had to explain where they were.

"It's extremely bothersome, disquieting to a lot of bankers that people would, for whatever reason -- political or financial motivation -- attack a standard that is widely used", he added.

"It makes it perfectly clear that somebody could be and could have been doing this for a number of years", said Whitfield Diffie, a cryptography expert and scientist at Sun Microsystems Inc. "The costs are not very high. Government kept insisting this was nonsense, and this wouldn't work."

Rocke Verser, the cryptographer who led the five-month effort in June 1997 to unscramble a DES-encrypted message using thousands of computers across the Internet, called the three-day effort incredible.

"I was expecting it to be cracked pretty soon, but I had no idea it would be this quick", he said from his home in Colorado. "It may be novel this year, but in two years that kind of custom hardware is going to be even more commonplace. It's certainly within the reach of organized crime and terrorists."


Copyright © 1998 by Associated Press. All Rights Reserved. Reprinted with permission.