Strong Encryption Weak, Say Crypto Gurus Washington, D.C., U.S.A., 6 February 1996 -- Strong encryption is weak, reports a group of prominent cryptographers and computer scientists. Their report, released yesterday, is expected to play an important role in coming debates over US policy on exports of software that includes encryption capabilities. Current US policy generally limits exports to encryption using 40-bit keys. On a case-by-case basis, the US has allowed export of software with 56-bit digital encryption standard (DES) encryption. Recently, two French graduate students cracked the 40-bit encryption Netscape was using. The trick took several days, using idle time on the school's computers. The seven experts who wrote the new paper -- "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" -- say the achievement by the students at the Ecole Polytechnique was trivial. "Anyone with a modicum of computer expertise and a few hundred dollars would be able to attack 40-bit encryption much faster," they write. They add that using a field programmable gate array (FPGA) chip, costing about $400 mounted on a card, "would on average recover a 40-bit key in five hours." "A more determined commercial predator," says the paper, "prepared to spend $10,000 for a set-up" using 25 FPGA chips, "can find 40-bit keys in an average of 12 minutes." Moving to a 56-bit DES system doesn't solve the problem, says the paper. "Calculations show that DES is inadequate against a corporate or government attacker committing serious resources. The bottom line is that DES is cheaper and easier to break than many believe." And it is getting easier to crack DES code, says the paper. "At present, it would take a year and a half for someone using $10,000 worth of FPGA technology to search out a DES key. In ten years time, an investment of this size would allow one to find a DES key in less than a week." A serious attack against DES, on the order of $300,000, "could find a DES key in an average of 19 days using off-the-shelf technology and in only three hours using a custom developed chip," say the cryptoanalysts. That's the sort of money a business, or a criminal organization, might be willing to spend to find trade secrets or dip into a flow of financial transactions. A government intelligence agency willing to spend $300 million "could recover DES keys in 12 seconds each," says the paper. "The investment required is large, but not unheard of in the intelligence community. It is less than the cost of the Glomar Explorer, built to salvage a single Russian submarine, and far less than the cost of many spy satellites." What's the proper key length for protection against criminal operations or a prying government? The analysts "strongly recommend a minimum key-length of 90 bits for symmetric cryptosystems." That's far stronger than anything the US government has ever contemplated allowing for export. The paper was written by some of the most prestigious individuals in the field: Matt Blaze, Whitfield Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. Blaze, at AT&T Research, recently demonstrated weaknesses in the government's "Clipper Chip" key escrow system. Diffie, at Sun Microsystems, was a co-creator of public key cryptography. Rivest, at MIT, was one of the inventors of the RSA public-key system and one of the founders of RSA Data Security Inc. Schneier, president of Counterpane Systems, is the author of a leading textbook, Applied Cryptography. Shimomura, at the San Diego Supercomputer Center, last year tracked down outlaw hacker Kevin Mitnick. Thompson heads AccessData's crypto team, which has regular clients that include the FBI and other law enforcement agencies. Wiener, at Bell-Northern Research, wrote an influential 1993 article, "Efficient DES Key Search," which describes how to build a machine to attack DES by brute computational force. The paper grew out of a one-day meeting in Chicago last November, which was supported by the Business Software Alliance. The paper is available on the BSA World Wide Web site, http://www.bsa.org/. --