X

Users take crack at 56-bit crypto

Thousands of American and Canadian computer users are working day and night to crack a 56-bit encryption code.

CNET News staff
3 min read
Thousands of American and Canadian computer users are working night and day to prove that the 56-bit encryption standard set by the United States government is vulnerable. But the effort could take several years.

The users are working together to win an RSA Data Security prize of $10,000 for the first person to crack the government's 56-bit data encryption standard. RSA, which dominates the encryption toolkit market, is prompting people to crack the security standard set by the government to demonstrate that the standard is not sufficiently secure.

RSA and many other encryption vendors would like the government to raise the standard to approve key lengths of 128-bits. Key length determines how difficult it is to crack the encrypted data.

Revised U.S. export regulations for encryption that went into effect in January say that encryption vendors can only export technology based on 56-bit algorithms. The rules have been aggressively fought by manufacturers, that say the regulations stifle the ability of U.S. software companies to compete globally. The RSA-sponsored contest is only the latest demonstration against the government's policy.

Contract computer programmer Rocke Verser of Loveland, Colorado, is leading the virtual team of computer users trying to crack the 56-bit code.

Verser developed software to test the code and has been hosting it on a server since early February. Participants, who are eligible under the U.S. regulations, can get crypto "building blocks" from the North American Crypto Archive in order to test the code.

Over the last three days, about 2,000 users in Canada and the United States tested the code at 257 million keys per second. They are trying to find one key in 72,057,594,037,927,936 that will unlock the code, Verser said. This is analogous, he says, to finding a specific piece of straw in a haystack 1.37 miles high and 1.37 miles in diameter.

A European team based in Switzerland cracked a 48-bit encryption code in less than two weeks in February. Two weeks before that, University of California at Berkeley graduate student Ian Goldberg cracked a 40 bit code in less than 4 hours.

Because the number of possible solutions goes up exponentially with a bigger code, it could take a lot longer to crack the government's 56-bit standard. "On average, you're going to have to search half of the 'hay stack' to find the key. At the rate we were going over the weekend, it would take about 4.5 years to search half the hay stack," Verser estimated.

Eric Brewer, the Berkeley computer science professor who oversaw Goldberg's effort to break the 40-bit code, estimated in January that it could take up to 22 years to break the 56-bit code when testing at 100 billion key combinations an hour.

Verser wants 60 percent of the $10,000 if the code is cracked on his server with his software. He said the user who actually finds the winning key can ask RSA for the remaining $4,000.

Verser, who wrote his first encryption code in 1977 while at Kansas State University, says however that his motives are political, not financial.

"I would like to demonstrate to the government and public at large that the silly bit limits on crypto are ineffective and greatly increase the cost of U.S. companies who want to do business," he said. "Often it keeps them out of the market entirely.

"All who are participating are doing it for their own reasons, some for a technical challenge and some for money. But I think the majority are doing it because they believe in our right to privacy and that cryptography is the only way to achieve it in this day and age," Verser added.

The government did grant a special license to Open Market to export 128-bit encryption, but only because the company convinced the government that its technology is used only to protect especially sensitive financial data.