EXPORTABLE CRYPTOGRAPHY TOTALLY INSECURE: CHALLENGE CIPHER BROKEN IMMEDIATELY January 28, 1997 - Ian Goldberg, a UC Berkeley graduate student, announced today that he had successfully cracked RSA Data Security Inc.'s 40-bit challenge cipher in just under 3.5 hours. RSA challenged scientists to break their encryption technology, offering a $1000 award for breaking the weakest version of the code. Their offering was designed to stimulate research and practical experience with the security of today's codes. The number of bits in a cipher is an indication of the maximum level of security the cipher can provide. Each additional bit doubles the potential security level of the cipher. A recent panel of experts recommended using 90-bit ciphers, and 128-bit ciphers are commonly used throughout the world, but US government regulations restrict exportable US products to a mere 40 bits. Goldberg's announcement, which came just three and a half hours after RSA started their contest, provides very strong evidence that 40-bit ciphers are totally unsuitable for practical security. "This is the final proof of what we've known for years: 40-bit encryption technology is obsolete," Goldberg said. The US export restrictions have limited the deployment of technology that could greatly strengthen security on the Internet, often affecting both foreign and domestic users. "We know how to build strong encryption; the government just won't let us deploy it. We need strong encryption to uphold privacy, maintain security, and support commerce on the Internet -- these export restrictions on cryptography must be lifted," Goldberg explained. Fittingly, when Goldberg finally unscrambled the challenge message, it read: "This is why you should use a longer key." Goldberg used UC Berkeley's Network of Workstations (known as the NOW) to harness the computational resources of about 250 idle machines. This allowed him to test 100 billion possible "keys" per hour -- analogous to safecracking by trying every possible combination at high speed. This amount of computing power is available with little overhead cost to students and employees at many large educational institutions and corporations. Goldberg is a founding member of the ISAAC computer security research group at UC Berkeley. In the Fall of 1995, the ISAAC group made headlines by revealing a major security flaw in Netscape's web browser.