19 June 1997
Source: http://www.msnbc.com/news/81218.asp

MSNBC News, June 19, 1997

Brute-force attack cracks 56-bit crypto

By Alan Boyle

        Tens of thousands of computers, working together in a coordinated effort over four months, have cracked a code created with the widely used 56-bit DES standard for data encryption.

        The DESCHALL project, organized by computer consultant Rocke Verser, earned a $10,000 prize from RSA Data Security for deciphering the company’s encrypted message late Tuesday. Beyond the monetary reward, organizers of the effort said the achievement also may spark second thoughts among governmental agencies, financial institutions and other businesses that use the DES standard. If you're a large multinational corporation with a billion-dollar secret, or if you operate the fed funds wire, I think you should think twice about whether DES is sufficient to secure that transaction,” Verser said.

        The DES crack also comes just as lawmakers are debating what sorts of limits should be put on data encryption. The Clinton administration has proposed loosening export limits so that 56-bit products can be sold abroad, but the DESCHALL achievement may strengthen the hand of those who argue that the 56-bit standard is too low.

        Verser emphasized that DESCHALL was no lone project, but rather a huge volunteer effort: At its peak, the task involved an estimated 14,000 computers checking mathematical combinations to find RSA’s secret code, and in all about 78,000 computers were enlisted in the campaign.

        Verser was the guiding force behind a software program that enabled the thousands of computer users to check myriad millions of combinations in a coordinated way. The actual key was found by Michael Sanders of INetX Corp. in Salt Lake City, using a 90mHz Pentium computer with 16 megabytes of RAM. At the time of the discovery, almost a quarter of the 72 quadrillion possible combinations had been checked.

        The end game was really quite sudden and unexpected,” Verser said. The Colorado consultant said he was “shaking like a leaf” as he verified the secret key and sent the answer on to RSA for verification.

        RSA Data Security, which markets encryption technology, is sponsoring 11 contests to crack various levels of encryption. In the case of the DES challenge, the coded message read: “Strong cryptography makes the world a safer place.”

        Scott Schnell, vice president of marketing at RSA, confirmed that the DESCHALL project was successful.

        "It's probably one of the most significant milestones in the history of cryptanalysis,” Schnell said, because DES is so widely used to encode sensitive electronic data.

        He noted that the crack came even as Congress was considering whether to follow the Clinton administration’s lead on encryption policy — a regulatory approach that some industry groups and Internet activists say could compromise the future of electronic commerce.

        “What this crack illustrates is just how out of touch with the realities of technology in the real world the administration’s proposals are,” Schnell said.

        Under the terms of the DESCHALL project, Verser will receive $6,000 of the $10,000 prize, and Sanders will get the remaining $4,000.

        Schnell pointed out that several RSA challenges remained to be cracked, including codes using RSA’s variable RC-5 encryption standard. But it was unclear whether DESCHALL would ask its legions of computer users to re-up for another project.

        “For the immediate future we’re probably going to worry about making T-shirts,” said project spokesman Matt Curtin, who is also chief scientist at Megasoft Online. “I expect that we’ll probably move on to something else.”