Forwarded From: phreakmoi <hackerelite@deathsdoor.com>
http://www.wired.com/news/news/technology/story/16995.html
RSA: Crack DES in a Day
by Chris Oakes
2:05 p.m. 22.Dec.98.PST
RSA Data Security is trying to drive home a very simple point: The US
government's standard for securing sensitive data from prying eyes is far
too weak.
The encryption technology vendor launched another encryption challenge
Tuesday. RSA's DES Challenge III invites hackers and computer experts to
illustrate the main point repeatedly made by opponents of US encryption
policy.
RSA claims messages and data secured with the Data Encryption Standard, or
DES, can be cracked in a few days. Therefore, it argues, the government
should replace DES with more modern, stronger encryption technology.
The government established the 56-bit DES as a standard in 1977. It claims
that the vast difficulty and expense in cracking DES makes it sufficiently
safe. Allowing the use of stronger encryption, the government maintains,
would only help terrorists and other criminals communicate without
government monitoring.
The export of 128-bit "strong" encryption without "key recovery" is
illegal. Key recovery allows third parties, such as law enforcement, to
retrieve encrypted information. The US policy has long angered privacy
advocates and the computer industry, which is eager to sell its encryption
wares overseas.
"Coordinating this around a public challenge reminds people that [fast DES
cracks] are possible," said Burt Kaliski, chief scientist at RSA Labs.
"This is going to become a more routine sort of occurrence. Letting it be
done in public view calls attention to that."
The winners of RSA's last challenge cracked DES in just 56 hours. So now
RSA is calling on contestants to crack open an encoded message in 24 to 48
hours, and there's money in it for whoever does.
"The target we're looking for is to get down to one day," Kaliski said.
"We've set the threshold so that basically anything less than two days
wins US$5,000, and one day [or less] wins $10,000."
RSA's ongoing contests are meant to hammer home the idea that DES is an
ineffective form of encryption for international use, and that much
stronger encryption algorithms must be approved to ensure the security of
data destined for use beyond US shores.
The original DES Challenge in January 1997 was won by a Coloradan, Rocke
Verser. He cracked a DES-encrypted message in 96 days. A year later that
record was halved, when distributed.net -- a project coordinating the idle
processing power of thousands of computers via the Internet -- decrypted a
message in 41 days.
Finally, last July, the Electronic Frontier Foundation won a third
challenge (inexplicably called "DES Challenge II-2"), unlocking a message
in only 56 hours.
The new 24-hour target shows the absurd futility -- and short shelf life
-- of DES, said David McNett, co-founder of distributed.net. "To be down
to a 24-hour time frame within 36 months [of the first challenge] is just
stunning," he said.
"Certainly your adversary could muster more strength than a moderately
funded organization like distributed.net," said McNett. "If you were
Coca-Cola, you want the formula for Coke to stay secret for a long time."
Yet if Coca-Cola -- or anyone else -- has data that needs to be kept
private for longer than 14 days, he said, DES would be woefully
inadequate.
The contest will begin at next month's RSA Data Security conference in San
Jose, California.
Lori Fena, chairwoman of the Electronic Frontier Foundation, said the
contests are very important. "They continually push the envelope as far as
what is considered strong security. They show the great leaps and bounds
that technology takes."
Global Internet policies have to be ahead, not behind, that curve, she
said.
Received on Wed Dec 23 09:57:45 1998