The Wall Street Journal, August 17, 1995, p. B3.

French Hacker Cracks Netscape Code, Shrugging Off U.S. Encryption Scheme

By Jared Sandberg

A computer hacker in France has breached the encryption scheme of new Netscape software for navigating the Internet, the global computer network. The breach underscores flaws in U.S. rules restricting the export of more-sophisticated security measures.

The hacker, a French student at the Ecole Polytechnique, cracked the weaker encryption scheme that U.S. government policy forces Netscape Communications Corp. to use in a foreign version of its Navigator software. Yesterday, he posted the results of his efforts on the Internet's Cypherpunks discussion group.

The student took up a challenge issued on July 14 in the Cypherpunks group, which is frequented by cryptography experts, hackers and mathematicians. He used 120 powerful computer workstations and two supercomputers to crack a piece of information encrypted in Netscape's "browser" software. The security is aimed at scrambling sensitive financial data to keep credit-card numbers, sales transactions and other material safe from break-ins.

The highly sophisticated computers took eight days to break the code -- far more power and time than the typical illegal hacker would be able to muster for criminal pursuits. But the chore nonetheless highlights the vulnerabilities that could make customers shy away from conducting commerce on the Internet, particularly international users who can't get hold of the tougher security measures allowed within the U.S.

The French hacker was able to crack the so-called 40-bit encryption scheme in Netscape's overseas version of its software. In the U.S., Netscape employs a far more powerful design -- 128 bits, a number that refers to the length of the encoding "key," which is used to scramble data. U.S. rules limit Netscape to exporting only 40-bit encryption overseas.

Yet the 128-bit version takes exponentially more power to crack: Compared with violating the 40-bit scheme, the 128-bit key would take 10-to-the-26th-power more time to breach, experts say. That's a 1 followed by 26 zeroes, a factor of time that makes it all but impossible for hackers to break in.

Netscape wasn't surprised at the findings. The company said it has always known and stated that 40-bit security could be breached by "brute force," the use of massive computing power to descramble the information.

"This is a good indication of why the government should allow us to ship more secure software," said Mike Homer, Netscape's vice president of marketing. "The laws are archaic."

Clinton administration officials have viewed strong encryption as a weapon for foreign terrorists, who could exchange communications without fear of eavesdropping by law enforcement officials. That policy, however, has raised the hackles of industry executives, who say that without strong encryption abroad, the growth of electronic commerce could be significantly stunted. Last week, a group of software executives told the White House that restrictive export regulations might blunt American competitiveness in foreign markets.

"Netscape security is fine," said Dietrich Cappe, a senior partner at Red Planet LLC, an Internet consulting company. "As long as the government's export restriction exists, commerce is going to be severely hampered."

Netscape licenses the encryption algorithm from RSA Data Security Inc., one of the most prominent software security firms that licenses its software to most major software companies. "We've warned the government that the level of security they allow our customers to export is too weak," said James Bidzos, president of RSA. "Maybe they'll listen now."

Netscape's Mr. Homer noted, however, that the amount of effort and computing power, which could cost as much as $10,000 in addition to the cost of the machines, doesn't make even breaches of 40-bit security practical from a thief's perspective. "You'd be better off working in a shoe store, stealing credit card numbers for a week," Mr. Homer said.

[End]