VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: Mark Senk <[log in to unmask]>
Reply To: VICUG-L: Visually Impaired Computer Users' Group List
Date: Fri, 20 Jun 1997 06:15:20 -0400
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (202 lines)

This item is from the Money Daily list which sends an article and
stock market summary message once per business day.  Subscription info
is at the end.

Related WWW sites are:

http://www.epic.org  Electronic Privacy Information Center
http://www.iNetZ.com iNetZ Corporation
http://www.rsa.com RSA Data Security
http://www.senate.gov/~kerrey/encrypt/encrypt2.html Senate Secure Public Networks Act

For an enhanced HTML version of the Money Daily,
visit http://moneydaily.com.

Friday, June 20, 1997

Anatomy of a crack: how a grass-roots effort broke the
encryption code for financial transactions

Alarming, yes, but not yet time to tear up your ATM card

by Lloyd Chrein

At 11:15 Tuesday night, computer programmer Rocke
Verser received the message he'd been waiting to see for
four months: The widely used, U.S. government-endorsed
Data Encryption Standard (DES) had been cracked. A
member of his grass-roots network of 14,000 computer
users had broken the algorithm that protects most of this
country's electronic financial transactions, including
everything from ATM cards to online banking.

While that was good news for Verser, who earned
thousands of dollars in prize money and instant fame, it
offers little solace to the financial institutions -- and
their customers -- now relying on this 20-year-old
encryption standard to protect their money.

"When DES was first approved in 1977 as a national
standard, many people said it would not stand the test of
time, and I think those people have been proven right,"
says Verser, a freelance consultant for Hewlett Packard,
Quarterdeck and others.

Adds Matt Curtin, chief scientist for Megasoft, a team
leader in the effort: "This is proving by example, not by
mathematical calculation, that DES can be broken with
little or no cost. Others could just as easily be attempting
to gain access to multibillion dollar wire transfers."

The story began in February, when Verser responded to
RSA Data Security's $10,000 DES Challenge to "Help crack
the code!" RSA, which installs encryption and
authentication systems worldwide, started the prize
program "to demonstrate the modest level of security in
the encryption technology currently allowed to be
exported under past and current U.S. government policy,"
according to a company release.

Verser developed specialized code-cracking software,
which uses the spare processor power of networked
computers to continuously test 56-bit DES "keys" -- a
system he calls "brute force." But to make his system
work, he needed the network. So he posted a message on
an online bulletin board. During the first month, he
received 20 takers.

But it quickly mushroomed from there. "I never imagined
it would get so large," says Verser. "Some of the first
users decided this was pretty neat, and started spreading
information on other newsgroups and mailing lists, until
the number of users downloading and running the software
was doubling every 11 days. When colleges started
letting out for summer we became saturated, growing
from 10,000 to 14,000 computers in the last three
weeks."

Participants didn't need any special training or
knowledge, just a functioning Mac, PC or Unix-based
computer with a little power to spare. In fact, the
machine that finally broke the code had a lowly 90 MHz
Pentium processor and 16 megabytes of random access
memory (RAM).

Verser's software ran in the background on these
machines, logging into his Internet site every 90 minutes
to download another one to four billion keys. The extended
group of testers, based in the U.S. and Canada, ran through
as many as 7 billion keys per second at its peak this past
weekend, and scoured about 18 quadrillion keys in all
before the code was cracked. According to RSA, there are
72 quadrillion (72,057,594,037,927,936) possible keys in
the DES system. A competing team, based in Sweden,
managed to get through 10 quadrillion keys.

The lucky number was drawn by Michael K. Sanders of
iNetZ Corporation in Salt Lake City, Utah, a corporate Web
development company. Sanders had been running the
software for two months on 8 desktop machines at the
company. "It was ironic that the least powerful machine
is the one where it happened," he says, noting that the
others were Pentium 200s and 166s. Sanders, who says he
got involved because his company is an online commerce
provider, will receive 40% of the prize money.

After Sanders' machine broke the code, Verser's software
instructed it to send back a message. But when Verser
picked up that message late Tuesday night, he didn't quite
believe it.

"There had been reports from the competition in Sweden
that people were trying to disrupt the effort by sending
bogus information," he says. After mistyping the code the
first time, he tried again, and it came back a match. "My
heart started racing and my hands were shaking. I e-mailed
RSA, and surprise, surprise, their automated
server answered back in a few seconds, saying,
'Congratulations, you've broken the key.'"
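The three moving parts of the search described above (the coordinator carving the keyspace into work units, each client brute-forcing its unit against known plaintext, and the coordinator re-checking a reported key before trusting it, as Verser did before the bogus reports from Sweden) can be modelled in a few dozen lines. The following is an added example and is not Verser's DESCHALL software or RSA's challenge code. It uses a stand-in keyed XOR transform, not DES, shrinks the key to 18 bits so the sweep finishes in seconds, and uses the decrypted challenge sentence from the article as the known plaintext; the secret key value, the unit size, and the rule that the coordinator verifies the full ciphertext before accepting a claim are all constructed assumptions. The last function applies the article's own figures (2^56 keys, 7 billion keys per second) to show how long a complete sweep of real DES would take at that rate.

```python
"""Toy model of a coordinated brute-force key search (added example, not the
DESCHALL code). The cipher is a stand-in keyed XOR, NOT DES; the keyspace is
cut to 18 bits; values marked 'constructed' are made up for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

KEY_BITS = 18                 # toy size; DES keys are 56 bits (2**56 keys)
KEYSPACE = 1 << KEY_BITS
CHUNK = 1 << 12               # keys per work unit (DESCHALL handed out 1-4 billion)

# Known plaintext taken from the article; the challenge-setter's key is constructed.
KNOWN_PLAINTEXT = b"Strong cryptography makes the world a safer place."
SECRET_KEY = 0x2C0DE          # constructed; the clients never see it


def toy_encrypt(key: int, data: bytes) -> bytes:
    """Stand-in cipher (NOT DES): XOR the data with a key-derived keystream.
    The keystream is SHA-512(key), so at most 64 bytes can be processed;
    XOR is its own inverse, so the same call decrypts."""
    stream = hashlib.sha512(key.to_bytes(4, "big")).digest()
    if len(data) > len(stream):
        raise ValueError("toy cipher handles at most 64 bytes")
    return bytes(b ^ s for b, s in zip(data, stream))


# The published challenge: ciphertext everyone can see, key nobody but the setter knows.
CHALLENGE_CIPHERTEXT = toy_encrypt(SECRET_KEY, KNOWN_PLAINTEXT)


@dataclass(frozen=True)
class WorkUnit:
    start: int   # first key to test
    end: int     # one past the last key to test


def work_units(keyspace: int = KEYSPACE, chunk: int = CHUNK) -> Iterator[WorkUnit]:
    """Coordinator side: carve the keyspace into disjoint units handed to clients."""
    for start in range(0, keyspace, chunk):
        yield WorkUnit(start, min(start + chunk, keyspace))


def client_search(unit: WorkUnit, ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Client side: test every key in one unit against the first block of known
    plaintext and report the first key that matches (or None)."""
    target = ciphertext[: len(known_prefix)]
    for key in range(unit.start, unit.end):
        if toy_encrypt(key, known_prefix) == target:
            return key
    return None


def coordinator_verify(claimed_key: int, ciphertext: bytes, plaintext: bytes) -> bool:
    """Coordinator side (assumed policy): re-derive the whole ciphertext from the
    claimed key before accepting it, so a bogus 'found it' report or a chance
    match on the first block cannot end the search prematurely."""
    return toy_encrypt(claimed_key, plaintext) == ciphertext


def run_search() -> Tuple[Optional[int], int]:
    """Sequential stand-in for thousands of clients; returns (key, units consumed)."""
    units_done = 0
    for unit in work_units():
        units_done += 1
        claim = client_search(unit, CHALLENGE_CIPHERTEXT, KNOWN_PLAINTEXT[:8])
        if claim is not None and coordinator_verify(claim, CHALLENGE_CIPHERTEXT, KNOWN_PLAINTEXT):
            return claim, units_done
        # an unverified claim is discarded and the sweep continues
    return None, units_done


def full_sweep_days(key_bits: int, keys_per_second: float) -> float:
    """Days needed to test every key at a given aggregate rate; a uniformly
    random key is expected to turn up after half of that."""
    return (1 << key_bits) / keys_per_second / 86400.0


if __name__ == "__main__":
    key, units = run_search()
    print(f"key 0x{key:X} found after {units} of {KEYSPACE // CHUNK} work units")
    print(f"DES at the article's 7 billion keys/s: "
          f"{full_sweep_days(56, 7e9):.0f} days for a full sweep")
```

Because the units are disjoint, adding clients shortens the sweep linearly; the figure from `full_sweep_days(56, 7e9)` (about 119 days for all 2^56 keys, roughly 60 days expected) is what made a 56-bit key reachable for a volunteer network in 1997, and it is the reason the paragraphs that follow turn to triple DES and longer keys rather than to faster computers.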

The unencrypted message read: "Strong cryptography
makes the world a safer place."

Despite this week's crack, DES may be around for some
time. On Thursday, the Senate Commerce Committee
passed the Secure Public Networks Act, a data encryption
bill sponsored by Senators John Kerrey (D., Neb.) and John
McCain (R., Ariz.) that advocates the use of a key based on
the 56-bit algorithm.

That doesn't please Verser, who says he has "never done
an online transaction. I do not use an ATM card. I do not
trust them. They are not secure. When bank cards first
came out in the early 1970s I had one for a few years. But
I have not had one since. I do use a credit card, but I would
not put my credit card number on the Internet."

But does this mean the rest of us should now cut up our
cash cards and steer clear of Internet commerce?
"Absolutely not," contends Wayne Madson, an Arlington,
VA-based security consultant and senior research fellow
with the Electronic Privacy Information Center. "Just
because a powerful computer network working over weeks
or months was able to crack some code, is that going to
impact on the security of this country's financial
systems? I say no."

Madson says that the effort it would take to replicate this
break, not to mention the amount of knowledge required to
do it, wouldn't be worth the pay-off. "It would be easier to
develop a contact on the inside of a bank and have them
siphon off funds for you," he says.

In addition, financial institutions, among the largest
users of the DES algorithm, have steadily been increasing
encryption security by using "triple DES", which places
three DES operations back to back. "As far as anyone
knows now, it's a very secure thing to do," allows Verser.

Yet Verser also cautions anyone against denying the
possibility of another crack: "Much of this has to do with
the spread of the Internet. Two years ago, the Internet
was not at the state where you could have gotten 14,000
computers to do this. Now, as we've shown, rounding up
that great a number of people isn't so difficult."

For more Web-formation, visit:
http://www.epic.org  Electronic Privacy Information Center
http://www.iNetZ.com iNetZ Corporation
http://www.rsa.com RSA Data Security
http://www.senate.gov/~kerrey/encrypt/encrypt2.html Senate Secure Public Networks Act


     ------------------------
     SUBSCRIPTION INFORMATION
     ------------------------

TO SIGN UP FOR MONEY DAILY, point your browser to
http://pathfinder.com/money/moneydaily/latest/subscribe.html,
or send an e-mail to [log in to unmask]

TO SIGN OFF FROM THE MAILING LIST, point your browser to
http://pathfinder.com/money/moneydaily/latest/unsubscribe.html
or send an e-mail to [log in to unmask]

For detailed sign-up and sign-off information, send an
e-mail to [log in to unmask]

TO SUBSCRIBE TO MONEY MAGAZINE, just call our toll-free
number, 800-633-9970.


Thank you for signing up for the Money Daily!



People often find it easier to be a result of the past
than a cause of the future!
