Netscape Encrypted Data Cracked Tokyo, Japan, Aug. 18 (NB) -- Two computer users have managed to break Netscape's Secure Sockets Layer (SSL) encryption code in response to a challenge posted to the Internet. But far from scaring people away from using the system for online purchases, the results could reassure people of the safety. In mid July Hal Finney, a US computer user, posted data in an Internet message that he recorded when he sent an order, containing a fake name and credit card details, to Netscape's own computer. Setting a task for the hacking community, he wrote, "The challenge is to break the encryption and recover the name and address info I entered in the form and sent securely to Netscape." Early this week, news came from Damien Doligez, a French computer user, that he had cracked the code and revealed the contents of the message. Several hours later a message from an American team also claimed the same feat, actually cracking it two hours earlier than Doligez. While the results look damaging on the surface, Netscape, and Doligez, pointed out the amount of computer processing power needed to hack just one message and the difficulty in repeating the process. Roseanne Siino of Netscape told Newsbytes, "The real issue is whether this compromises security on the net. He used 120 computers for 8 days just to crack one message." Siino points out that to break into another message would require another eight days at the same 120 workstations and 2 parallel computers. In home computer terms, Doligez guesses a network of about 80 Intel Pentium-based machines would be equivalent to the system he had access to via his workplace, INRIA in Paris, and computers an Ecole Polytechnique and ENS. Netscape estimates the total cost of this computing time at around $10,000, meaning there are many more economical ways of getting credit cards numbers than hacking into Netscape SSL messages. Doligez agrees, writing on his home page: "The technical implications are almost zero. Everybody who understands the technical details knew perfectly well that this was do-able and even easy. You have to understand what happened exactly. I did not break SSL itself. I did only break one SSL session that used the weakest algorithm available in SSL. If I want to break another session, it will cost another 8 days of all my machines." The vulnerability of the encryption system is shown by its international use. The coding system available via Netscape software from the Internet makes use of a 40-bit encryption key. A stronger version, using a 128-bit key, is available to US citizens but restricted from export outside the United States by government regulations. Netscape's Siino explained the US government allows export of the lower security version "because they can break it." There are some hopes that this demonstration will help persuade the US government to lift export restrictions on some harder-to-crack versions of the code. Netscape is currently developing a new Secure Courier code which just encrypts the financial data in the messages using 56-bit keys. Siino explained, "You can export over 40-bit keys for a specific application." The new system should be available early next year. Many companies working on secure transaction systems hope the much more secure 128-bit code version of the system will be available for export eventually. This is said to be almost unbreakable, requiring a trillion times more processing power to crack than the 40-bit version. Internet users can view a copy of the original challenge, access Doligez's home page with details of his result, get copies of the program used to crack the code and read Netscape's response to the news through a special section at Netscape, http://home.netscape.com/newsref/std/key_challenge.html Press contacts : Roseanne Siino, Netscape, +1-415-528-2619 , Internet email roseanne@netscape.com; Damien Doligez, Internet email damien.doligez@inria.fr ; Hal Finney, Internet email hfinney@shell.portal.com)