Thousands of computers linked over the Internet managed to crack a message coded through 56-bit encryption, a feat that will earn the group $10,000 and give RSA Data Security one more piece of ammunition to use in its ongoing war against export encryption regulations.
Rocke Verser, a programmer in Loveland, Colorado, developed the code-cracking software and led the so-called DESCHALL group to win the RSA-sponsored contest. Using a technique aptly called "brute force," DESCHALL set out to crack the code by trying every one of more than 72 quadrillion keys--72,057,594,037,927,936, to be exact--that could fit the DES algorithm.
DES is a government-approved algorithm that was developed in the early 1970s by IBM, said Scott Schnell, vice president of marketing at RSA. "DES has served people quite well, but the authors of it did not envision the type of computing power that is available," he said.
The group got 25 percent of the way through the possibilities before Michael Sanders of Salt Lake City cracked the code shortly before midnight on June 18, using a computer with a decidedly ordinary 90-MHz Pentium processor. The quest began in February.
Not coincidentally, the decoded message--"Strong cryptography makes the world a safer place"--reflected why Redwood City, California-based RSA held the contest. The company has been fighting the U.S. government for the past several years over encryption export regulations.
The U.S. government only allows companies to export software containing 56-bit or weaker encryption keys. (In encryption, the higher the bit count, the more secure the program.) Even then, exporting companies have to deposit a key so that federal authorities can crack encrypted software if necessary.
RSA sees the regulations as inane. Not only are foreign companies exporting software into the United States with 56- and 128-bit encryption keys, it argues, but computing power is also rising to the point where 56-bit keys are no longer secure. As a result, the company and others contend, the policy hurts both U.S. manufacturers and consumers.
"This guy had a 90-MHz Pentium. It wasn't some guy with a bank of workstations," Schnell said. "Eighty-bit is the minimum bit encryption we recommend, though we say most should use 128-bit."