The current 56-bit Data Encryption Standard is not as secure as believed, the Electronic Frontier Foundation revealed today in an attempt to raise the ante in the political standoff with U.S. government officials trying to limit the strength of encryption approved for export.
"The news is not that a DES cracker can be built--we've known that for years," said Bruce Schneier, president of Counterpane Systems and advocate of easing government crypto export restrictions. "The news is that it can be built cheaply using off-the-shelf technology and minimal engineering, even though the Department of Justice and the FBI have been denying that this was possible."
The Electronic Frontier Foundation built a machine for $220,000 that took three days to crack the DES code. The previous record was 39 days, according to the Foundation. The group's executives said that now that the research is done, a duplicate machine can be built for as little as $50,000.
What makes the feat even more interesting is that the Foundation cracked 56-bit DES using a standard personal computer, outfitted with custom chips. The government has claimed that a network of expensive, powerful computers would be needed to crack the code.
The Electronic Frontier Foundation said the "cracker" consists of an ordinary personal computer with a large array of custom "Deep-Crack" microprocessors. Software in the personal computer instructs the custom chips to begin searching for the key and also serves as the interface with the user. The software periodically polls the chips to find any potentially interesting keys that they have located.
The group said a single DES-Cracker chip could find a key by searching for many years. One thousand DES-Cracker chips can solve the same problem in one-thousandth of the time. One million DES-Cracker chips could theoretically solve the same problem in about a millionth of the time. The actual machine EFF built contains about 1,500 chips.
The code creates a key to decipher information. Key recovery is at the center of a long-standing debate about the U.S. crypto export policy. Privacy advocates and the industry alike oppose mandatory key-recovery features in export products because they say the systems present the possibility that law enforcement or unauthorized parties could gain access to scrambled data without due process or permission.
On the flip side, law enforcement has held its ground that unfettered export of encryption will lead to terrorists and criminals using the technology to cover their tracks. But proponents of free encryption, without mandated spare keys, contend that strong encryption already is available around the world.
EFF executives said the machine was designed to counter the claim made by U.S. government officials that decrypting a single message would either take multimillion-dollar networks of computers months or be impossible.
"This will prevent manufacturers from buckling under government pressure to dumb down their products since such products will no longer sell," said Barry Steinhardt, EFF executive director. "If a small nonprofit can crack DES, your competitors can too. Five years from now some teenager may well build a DES cracker as her high school science fair project."
The machine works much like an Internet search engine such as Yahoo or Excite. It combs the encryption for the right combination of 56 1s and 0s. Once the combination is assembled, a message can be read. In the case of the RSA contest, the winner of which received $10,000, the message was "It's time for those 128-, 192-, and 256-bit keys."
"Producing a workable policy for encryption has proven a very hard political challenge," said John Gilmore, the Foundation's cofounder and project leader, in a prepared statement. "When the government won't reveal relevant facts, the private sector must independently conduct the research and publish the results so that we can all see the social tradeoffs involved in policy choices."