In mid-July 1998, John Gilmore and Paul Kocher used a homemade supercomputer, worth barely US$250,000, to crack the U.S. government’s encryption standard. Gilmore and Kocher cracked the Data Encryption Standard (DES) encryption algorithm in 56 hours, beating a network of almost 20,000 computers, ranging from desktop workstations to multimillion-dollar supercomputers, working together.
The U.S. government has long insisted that it is impossible for terrorists or criminals to crack DES. As recently as a month earlier, Robert Litt, principal associate deputy attorney general, argued that even the FBI couldn’t crack DES. Gilmore set out to create a computer—built around a set of custom microprocessors he called “Deep-Crack”—from readily available spare parts merely to prove that it could be done. His project was sponsored by the Electronic Frontier Foundation (EFF).
“EFF has proved what has been argued by scientists for twenty years, that DES can be cracked quickly and inexpensively,” Gilmore told Wired News. “Now that the public knows, it will not be fooled into buying products that promise real privacy but only deliver DES. This will prevent manufacturers from buckling under to government pressure to ‘dumb down’ their products, since such products will no longer sell.”
The homemade computer, controlled by an off-the-shelf personal computer, tested billions of keys before decrypting the message: “It’s time for those 128-, 192-, and 256-bit keys.”
Six months later, in mid-January 1999, a collaborative effort between the EFF and Distributed.Net cracked the 56-bit algorithm in less than 23 hours, retrieving the encrypted message, “See you in Rome [second AES Conference, March 22-23, 1999].” Distributed.Net marshalled the idle processing time of a network of almost 100,000 personal computers along with EFF’s “Deep-Crack” to break the code. The collaborative effort was capable of generating and testing 245 billion keys per second.
Meanwhile, the Clinton administration continues its campaign against the export of strong cryptography products. Three days before the DES Challenge, Clinton administration officials met with Silicon Valley executives in an attempt to win converts. Representative Zoe Lofgren (D-California) announced at the meeting that she would reintroduce legislation to prohibit restrictions on the export of strong cryptography.
Support for the Clinton administration’s position continues to erode. Foreign technology executives, for example, point to the fact that an international agreement announced last year to stifle the spread of strong cryptography tools will probably have little effect. The Wassenaar diplomatic agreement, between the United States and 32 western countries, would require special export permits for mass-market software that contains encryption technology. The requirement can be easily sidestepped by simply issuing blanket permits, something some foreign executives say they may be forced to pursue in order to gain economic parity.
The Wassenaar agreement allows unregulated distribution of software that uses encryption of no more than 64 bits. Previous U.S. policy prohibited export of any cryptography that used keys longer than 56 bits. In 1998, the Canadian government allowed Entrust Technologies to export its strong cryptography software. “We actually believe that most countries will just issue blanket permits,” Entrust Technologies president John Ryan told the New York Times in a January 16, 1999, article.
France is one of the few European countries that regulate encryption, and indications are that it may be liberalizing its policy to promote e-commerce as well.
During the same period in mid-January 1999, the Indian Defense Research and Development Organization warned its citizenry to avoid American encryption products because it is convinced the U.S. government is intent on facilitating espionage by supporting only weak cryptography.