HACKERS SMASH U.S. GOVERNMENT ENCRYPTION STANDARD

sameer sameer at c2.net
Wed Jun 18 19:07:42 PDT 1997



C2Net Software, Inc.
1212 Broadway
Oakland, CA 94612
510-986-8770

For Immediate Release

	  HACKERS SMASH U.S. GOVERNMENT ENCRYPTION STANDARD

Oakland, California (June 18, 1997) - The 56-bit DES encryption
standard, long claimed "adequate" by the U.S. Government, was
shattered yesterday using an ordinary Pentium personal computer
operated by Michael K. Sanders, an employee of iNetZ, a Salt Lake
City, Utah-based online commerce provider. Sanders was part of a
loosely organized group of computer users responding to the "RSA
$10,000 DES Challenge." The code-breaking group distributed computer
software over the Internet for harnessing idle moments of computers
around the world to perform a 'brute force' attack on the encrypted
data.

"That DES can be broken so quickly should send a chill through the
heart of anyone relying on it for secure communications," said Sameer
Parekh, one of the group's participants and president of C2Net
Software, an Internet encryption provider headquartered in Oakland,
California (http://www.c2.net/). "Unfortunately, most people today
using the Internet assume the browser software is performing secure
communications when an image of a lock or a key appears on the
screen. Obviously, that is not true when the encryption scheme is
56-bit DES," he said.

iNetZ vice president Jon Gay said, "We hope that this will encourage
people to demand the highest available encryption security, such as
the 128-bit security provided by C2Net's Stronghold product, rather
than the weak 56-bit ciphers used in many other platforms."

Many browser programs have been crippled to use an even weaker, 40-bit
cipher, because that is the maximum encryption level the
U.S. government has approved for export. "People located within the US
can obtain more secure browser software, but that usually involves
submitting an affidavit of eligibility, which many people have not
done," said Parekh. "Strong encryption is not allowed to be exported
from the U.S., making it harder for people and businesses in
international locations to communicate securely," he explained.

According to computer security expert Ian Goldberg, "This effort
emphasizes that security systems based on 56-bit DES or
'export-quality' cryptography are out-of-date, and should be phased
out. Certainly no new systems should be designed with such weak
encryption." Goldberg is a member of the University of California at
Berkeley's ISAAC group, which discovered a serious security flaw in
the popular Netscape Navigator web browser software.

The 56-bit DES cipher was broken in 5 months, significantly faster
than the hundreds of years thought to be required when DES was adopted
as a national standard in 1977. The weakness of DES can be traced to
its "key length," the number of binary digits (or "bits") used in its
encryption algorithm. "Export grade" 40-bit encryption schemes can be
broken in less than an hour, presenting serious security risks for
companies seeking to protect sensitive information, especially those
whose competitors might receive code-breaking assistance from foreign
governments.

According to Parekh, today's common desktop computers are tremendously
more powerful than any computer that existed when DES was
created. "Using inexpensive (under $1000) computers, the group was
able to crack DES in a very short time," he noted. "Anyone with the
resources and motivation to employ modern 'massively parallel'
supercomputers for the task can break 56-bit DES ciphers even faster,
and those types of advanced technologies will soon be present in
common desktop systems, providing the keys to DES to virtually
everyone in just a few more years."

56-bit DES uses a 56-bit key, but most security experts today consider
a minimum key length of 128 bits to be necessary for secure
encryption. Mathematically, breaking a 56-bit cipher requires just
65,000 times more work than breaking a 40-bit cipher. Breaking a
128-bit cipher requires 4.7 trillion billion times as much work as one
using 56 bits, providing considerable protection against brute-force
attacks and technical progress.
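The work-factor arithmetic above, turned into a small key-length adequacy check (an added illustration, not part of the press release or of C2Net's software). It takes the release's own calibration point of 5 months for the 56-bit search and extrapolates to other key sizes; the 30-day month, the constant key-testing rate, and the half-keyspace average for a successful search are assumptions.

```python
# Added example (not from the press release): exhaustive-search work factor
# as a function of key length, calibrated to the 5 months the release
# reports for the 56-bit DES challenge.
MONTHS_FOR_56_BIT = 5.0      # figure stated in the release (calibration point)
HOURS_PER_MONTH = 30 * 24    # assumption: 30-day months


def work_ratio(bits_a, bits_b):
    """How many times more work an exhaustive search over bits_a-bit keys
    takes than one over bits_b-bit keys. Each extra bit doubles the keyspace."""
    return 2 ** (bits_a - bits_b)


def extrapolated_months(bits, ref_bits=56, ref_months=MONTHS_FOR_56_BIT):
    """Expected search time for a key of `bits` bits at the same key-testing
    rate that found the ref_bits-bit key in ref_months. Assumes the rate is
    constant and the cost per trial does not depend on key length."""
    return ref_months * work_ratio(bits, ref_bits)


def keys_per_second(ref_bits=56, ref_months=MONTHS_FOR_56_BIT):
    """Key-testing rate implied by the challenge, assuming (on average) half
    the keyspace is searched before the right key turns up."""
    seconds = ref_months * HOURS_PER_MONTH * 3600
    return (2 ** (ref_bits - 1)) / seconds


def adequacy_table(key_sizes=(40, 56, 64, 80, 128)):
    """(key bits, months, years) for each key size at the challenge's rate."""
    rows = []
    for k in key_sizes:
        months = extrapolated_months(k)
        rows.append((k, months, months / 12))
    return rows


if __name__ == "__main__":
    print(f"56 vs 40 bits: {work_ratio(56, 40):,}x the work")
    print(f"128 vs 56 bits: {work_ratio(128, 56):.2e}x the work")
    print(f"implied rate: {keys_per_second():.2e} keys/s")
    for k, months, years in adequacy_table():
        print(f"{k:>4}-bit key: {months:.3g} months (~{years:.3g} years)")
```

The 40-bit row comes out well under an hour and the 128-bit row at roughly 2 x 10^21 years, which is the gap the release's "65,000 times" and "4.7 trillion billion times" figures describe.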

C2Net is the leading worldwide provider of uncompromised Internet
security software. C2Net's encryption products are developed entirely
outside the United States, allowing the firm to offer full-strength
cryptography solutions for international communications and
commerce. "Our products offer the highest levels of security available
today. We refuse to sell weak products that might provide a false
sense of security and create easy targets for foreign governments,
criminals, and bored college students," said Parekh. "We also oppose
so-called 'key escrow' plans that would put everyone's cryptography
keys in a few centralized locations where they can be stolen and sold
to the highest bidder," he added. C2Net's products include the
Stronghold secure web server and SafePassage Web Proxy, an enhancement
that adds full-strength encryption to any security-crippled "export
grade" web browser software.

# # #

Pentium is a registered trademark of Intel Corporation.

Netscape and Netscape Navigator are registered trademarks of Netscape
Communications Corporation.

Stronghold and SafePassage are trademarks of C2Net Software, Inc.