Record set in cracking 56-bit crypto

SAN JOSE, California--A joint effort between the Electronic Frontier Foundation and Distributed.Net has set a new record for cracking the 56-bit Data Encryption Standard (DES) algorithm--under 23 hours.

That beats a record of 56 hours set in July by EFF's "Deep Crack" machine, a specially built computer for breaking the code. RSA Data Security, which sponsored its third DES-cracking contests, offered $10,000 to anyone who broke DES in under 24 hours. It will pay EFF and Distributed.Net, a worldwide coalition of computer enthusiasts.

Deep Crack and Distributed.Net's network of nearly 100,000 PCs on the Internet won DES Challenge III in 22 hours and 15 minutes.

"When designing secure systems and infrastructure for society, listen to cryptographers, not to politicians," said John Gilmore, the EFF co-founder who headed the Deep Crack project. He said the record time to crack DES should send "a wake-up call" to anyone who relies on DES to keep data private.

RSA sponsors periodic DES-cracking contests to demonstrate that 56-bit encryption, the strongest allowed for export by the U.S. government, is no longer adequate.

Gilmore complained about "mixed signals from the [U.S.] government." Last week, he noted, the National Institute of Standards and Technology [NIST] urged the use of Triple-DES rather than DES for security while the Commerce Department limits encryption exports to products with 56-bit crypto--the kind just broken in the RSA challenge. Triple-DES uses the three separate DES keys, so an attacker would have to break the code three separate times.

RSA president Jim Bidzos, a frequent critic of government crypto policy who has been rather quiet lately, defended DES.

"We came not to bury DES but to praise it," said Bidzos. "DES was a very strong algorithm. But any algorithm, any key size, will eventually run out of life. DES has served well over the last 23 or 24 years."

Paul Kocher, who created the software side of Deep Crack, praised RSA, where he once worked, for sponsoring the DES Challenge.

"RSA has been one of few companies that encourage people to attack systems; and as a result they are one of the most reputable in the industry," said Kocher, president of Cryptographic Research, a consulting firm.

Bizdos called the current policy "simply out of date," adding "industry, businesses, and individuals should be free to use the level encryption they choose. This is the proof--DES is breakable, no question about that."

To break the code, the cryptographic key that encrypted a secret message was parceled out to computers linked via Distributed.Net and to Deep Crack, which EFF built last year for under $250,000. The network was testing 245 billion keys per second when the correct key was found.

Adopted in 1977 by the U.S. government, 56-bit DES is widely used by U.S. government agencies and financial institutions. The government is now mid-way through a lengthy process to create a new standard algorithm called Advanced Encryption Standard or AES with encryption keys of at least 128 bits.

The encrypted message, "See you in Rome [second AES Conference, March 22-23, 1999]," referred to the AES initiative.