Student Cracks High-Level Code
The Associated PressWednesday, January 29, 1997; 11:55 pm EST
SAN FRANCISCO (AP) -- It's the most secure encryption code the United States has allowed to be exported -- and it took a graduate student only 3 1/2 hours to break it, industry officials said Wednesday.
``It shows you that any kid with access to computers can crack this kind of cryptography,'' said RSA Data Security Inc. spokesman Kurt Stammberger, whose company had offered the challenge. ``The cryptography software that you are allowed to export is so weak as to be useless.''
The company put its challenge on the Internet Monday, offering $50,000 in prizes to crack various levels of encryption codes with electronic key lengths ranging from 40 to 256 bits.
The federal government, worried about security, has barred exports of codes higher than 40 bits. Devices with larger numbers of bits are stronger and harder to decode.
Last month, the Clinton administration began allowing companies to export encryption devices with 56-bit keys -- but only if they have a way for law enforcement officials to crack the code and intercept the communications. Most computer companies have rejected that demand.
Meanwhile, Ian Goldberg, a University of California-Berkeley graduate student, took on RSA Data Security's challenge by linking together 250 idle workstations that allowed him to test 100 billion possible ``keys'' per hour.
That's like trying every possible combination for a safe at high speed, and many students and employees of large companies have access to such computational power, the school said.
In 3 1/2 hours, Goldberg had decoded the message, which read, ``This is why you should use a longer key.''
Goldberg, who won $1,000 with his effort, says the moral is clear.
``This is the final proof of what we've known for years -- 40-bit encryption technology is obsolete,'' the student said.
That puts software exporters in a quandary, said Stammberger.
Almost all business software now requires built-in encryption, a necessity for any company doing business over the Internet.
But no one will buy U.S. software that can be cracked by a student in 3 1/2 hours, he said.
``You're talking about the U.S. giving up its global dominance in software because of some outdated Cold War spy agencies,'' Stammberger said. ``People in the industry are pretty angry ... The market is enormous, literally in the hundreds of billions of dollars.''
As of Wednesday afternoon, no one had broken any of the codes higher than 40 bits, Stammberger said.