July 19, 1998

EFF CRACKS DES ENCRYPTION IN 56 HOURS

By CBR Staff Writer

A civil-liberties organization in San Francisco has taken only 56 hours to decipher a message secured with the government’s 56-bit Data Encryption Standard (DES). The challenge was posed by RSA Data Security Inc, which holds a decryption contest every six months, in January and July. The Electronic Frontier Foundation’s DES Cracker triumphed over internet rival distributed.net, a virtual network of thousands of PCs, servers and supercomputers harnessing spare cycles and communicating over the internet. Distributed cracked RSA’s RC5 algorithm in October 1997 and succeeded in the first DES II challenge in February 1998. But the collective had hardly begun handing out client software to its volunteers when the EFF announced on Wednesday night that it had deciphered the latest message, posted on Monday at 9am.

Representatives for the EFF say DES Cracker’s defeat of distributed.net is less significant than its exposure of massive inconsistencies in government policies on strong encryption. Internet users have celebrated distributed.net as a fruitful use of spare processing cycles, but law enforcement officials have placed a very different complexion on its activities. In a bizarre inversion of common sense, FBI director Louis Freeh used the example of distributed.net to argue that existing cryptography is too strong to be allowed to proliferate in the private sector. “If we hooked together thousands of computers and worked together over 4 months we might, as was recently demonstrated, decrypt one message bit,” he told Congress in June last year. “That is not going to make a difference in a kidnapping case, it is not going to make a difference in a national security case. We don’t have the technology or the brute force capability to get to this information.”

In June this year Robert Litt, principal associate deputy attorney general, echoed Freeh’s words: “For example, decrypting one single message that had been encrypted with a 56-bit key took 14,000 Pentium-level computers over four months; obviously, these kinds of resources are not available to the FBI.” Both Litt and Freeh were referring to distributed.net’s success in cracking DES, and both are talking through their hats. Distributed was notable because it exploited unused computing power in an innovative way. DES Cracker demonstrates how immensely more effective and cost-efficient a dedicated codebreaker can be. The machine is based on 1500 Deep Crack chips, designed specifically to break DES, running in parallel and controlled by a PC running Linux. The whole system was built for less than $250,000, and because a lot of that money was spent on research, the EFF estimates the cost of a clone at $50,000.

What is alarming about DES Cracker is that cryptographers have known for many years that such a machine can be built. Counterpane Systems CEO Bruce Schneier, who provided test algorithms to the DES Cracker effort, says: “This is boring technology, it’s dumb maths, it’s old engineering. The point is that the government has been denying that this can be done.” Schneier points out that if a civil liberties group can build a DES Cracker essentially out of spare change, it should be assumed that other groups have already done so. “People should realize that this is not the first machine to be built that can do this. It is the first machine whose creators have publicly acknowledged it,” he says. “We have to assume that the FBI has one, that Russia has one, and that China, Eastern Europe, the UK, Ireland, Israel, India, Pakistan and Australia have them. Any company with anything resembling a budget must have one. Some organized crime syndicates must have one.”

Now that the EFF has demonstrated how easy DES is to break, Freeh’s continued insistence on its strength starts to look like a kind of de facto key recovery initiative. If enough people believe DES is unbreakable, the FBI will retain its cherished back door. Schneier reiterates what cryptographers have been saying for at least a year: banks, financial institutions and others using cryptographic algorithms in mission-critical applications should consider 90-bit encryption the minimum secure standard. Ironically enough, the content of the message EFF cracked read: “It’s time for those 128-, 192- and 256-bit keys.”
