From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: a42a08ef7a3b4e87dda39a2eb4941b425d61dd8a04ba00c7b067aa3344623d57
Message ID: <199508171207.IAA15512@pipe4.nyc.pipeline.com>
Reply To: N/A
UTC Datetime: 1995-08-17 12:07:50 UTC
Raw Date: Thu, 17 Aug 95 05:07:50 PDT
Subject: WSJ on SSL Crack

The Wall Street Journal, August 17, 1995, p. B3.

French Hacker Cracks Netscape Code, Shrugging Off U.S.
Encryption Scheme

By Jared Sandberg

A computer hacker in France has breached the encryption
scheme of new Netscape software for navigating the
Internet, the global computer network. The breach
underscores flaws in U.S. rules restricting the export of
more-sophisticated security measures.

The hacker, a French student at the Ecole Polytechnique,
cracked the weaker encryption scheme that U.S. government
policy forces Netscape Communications Corp. to use in a
foreign version of its Navigator software. Yesterday, he
posted the results of his efforts on the Internet's
Cypherpunks discussion group.

The student took up a challenge issued on July 14 in the
Cypherpunks group, which is frequented by cryptography
experts and hackers and mathematicians. He used 120
powerful computer workstations and two supercomputers to
crack a piece of information encrypted in Netscape's
"browser" software. The security is aimed at scrambling
sensitive financial data to keep credit-card numbers, sales
transactions and other material safe from break-ins.

The highly sophisticated computers took eight days to break
the code -- far more power and time than the typical
illegal hacker would be able to muster for criminal
pursuits. But the chore nonetheless highlights the
vulnerabilities that could make customers shy away from
conducting commerce on the Internet, particularly
international users who can't get hold of the tougher
security measures allowed within the U.S.

The French hacker was able to crack the so-called 40-bit
encryption scheme in Netscape's overseas version of its
software. In the U.S., Netscape employs a far more powerful
design -- 128 bits, a number that refers to the length of the
encoding "key," which is used to scramble data.

U.S. rules limit Netscape to exporting only 40-bit
encryption overseas. Yet the 128-bit version takes
exponentially more power to crack: Compared with violating
the 40-bit scheme, the 128-bit key would take
10-to-the-26th-power more time to breach, experts say.
That's a 1 followed by 26 zeroes, a factor of time that
makes it all but impossible for hackers to break in.

Netscape wasn't surprised at the findings. The company said
it has always known and stated that 40-bit security could
be breached by "brute force," the use of massive computing
power to descramble the information.

"This is a good indication of why the government should
allow us to ship more secure software," said Mike Homer,
Netscape's vice president of marketing. "The laws are
archaic."

Clinton administration officials have viewed strong
encryption as a weapon for foreign terrorists, who could
exchange communications without fear of eavesdropping by
law enforcement officials.

That policy, however, has raised the hackles of industry
executives, who say that without strong encryption abroad,
the growth of electronic commerce could be significantly
stunted. Last week, a group of software executives told the
White House that restrictive export regulations might blunt
American competitiveness in foreign markets.

"Netscape security is fine," said Dietrich Cappe, a senior
partner at Red Planet LLC, an Internet consulting company.
"As long as the government's export restriction exists,
commerce is going to be severely hampered." Netscape
licenses the encryption algorithm from RSA Data Security
Inc., one of the most prominent software security firms
that licenses its software to most major software
companies. "We've warned the government that the level of
security they allow our customers to export is too weak,"
said James Bidzos, president of RSA. "Maybe they'll listen
now."

Netscape's Mr. Homer noted, however, that the amount of
effort and computing power, which could cost as much as
$10,000 in addition to the cost of the machines, doesn't make
even breaches of 40-bit security practical from a thief's
perspective.

"You'd be better off working in a shoe store, stealing
credit card numbers for a week," Mr. Homer said.

[End]