
Secret Code Quickly Cracked

Using the brute force of a single, custom-built computer costing less than $250,000, experts took less than three days to crack a widely used method for scrambling sensitive data, they announced Friday.

Two previous attempts at unscrambling similar electronic messages took, respectively, five months and 39 days and used many computers working together across the Internet to test each of roughly 72 quadrillion possible unlocking combinations.

The breakthrough attempt tested 88 billion possible combinations every second for 56 hours until it unlocked a message that had been scrambled using a government-approved method, called the Data Encryption Standard.

The contest to crack the message was sponsored by RSA Data Security Inc. of San Mateo, Calif., which has fought U.S. export restrictions on virtually unbreakable data-scrambling products stronger than 56 bits, meaning its unlocking key is a sequence of 56 1s and 0s.

The Clinton administration prohibits the export of encryption products stronger than 40 bits, although there are no limits on data-scrambling software used domestically.

The message unscrambled: "It's time for those 128-, 192- and 256-bit keys."

"This is more evidence that the government's crypto-policy has been overtaken by technology," said Marc Rotenberg, director of the Washington-based Electronic Privacy Information Center. "It's about time to end the limits on strong encryption technology."

The successful computer, using 27 circuit boards each holding 64 computer chips, was built by the Electronic Frontier Foundation, a San Francisco-based nonprofit civil liberties group. It won $10,000 from RSA in the contest.

"EFF has proved what has been argued by scientists for 20 years, that DES can be cracked quickly and inexpensively," said John Gilmore, a director of the foundation, which he co-founded in 1990. "If a small nonprofit can crack DES, your competitors can, too."

The breakthrough was big news in the financial industry, which uses encryption to scramble records of credit-card transactions and bank transfers. Kawika Daguio of the American Bankers Association said banks also use methods other than encryption for security and in some cases use a data-scrambling method called Triple DES that is exponentially more difficult to crack.

"This isn't devastating, but it's resulting in calls from CEOs to ... (chief security officers) all over the country," Daguio said. "Literally, some people got woke up and had to explain where they were.

"It's extremely bothersome, disquieting to a lot of bankers that people would, for whatever reason, political or financial motivation, attack a standard that is widely used," he added.

"It makes it perfectly clear that somebody could be and could have been doing this for a number of years," said Whitfield Diffie, a cryptography expert and scientist at Sun Microsystems Inc. "The costs are not very high. Government kept insisting this was nonsense, and this wouldn't work."

Rocke Verser, the cryptographer who led the five-month effort in June 1997 to unscramble a DES-encrypted message using thousands of computers across the Internet, called the three-day effort incredible.

"I was expecting it to be cracked pretty soon, but I had no idea it would be this quick," he said from his home in Colorado. "It may be novel this year, but in two years that kind of custom hardware is going to be even more commonplace. It's certainly within the reach of organized crime and terrorists."

©1998 The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed
