MIT CS student cracks another 40-bit key

Rohit Khare (khare@pest.w3.org)
Wed, 10 Jan 96 21:54:25 -0500


Netscape breached again

Kim S. Nash

01/08/96
Computerworld

Netscape Communications Corp. suffered another security break-in last week
when an MIT computer science student cracked part of the encryption safeguard
used in the software maker's non-U.S. World Wide Web products.

Although a similar break-in was performed by a student in France last summer,
MIT student Andrew Twyman did it faster and less expensively.

The deed wasn't malicious, but rather an attempt to demonstrate "how quick
and easy it is" to violate the security techniques used in software products
shipped outside the U.S., said Jonas Lee, general manager at Integrated
Computing Engines, Inc. (ICE).

Waltham, Mass.-based ICE supplied the $83,000 Unix workstation Twyman used in
the experiment, along with free computer time. Twyman, who is also a
part-time intern at ICE, declined to comment last week because he was studying
for exams.

The federal government mandates that nothing stronger than an encryption key
of 40 bits be used in products sold outside the U.S. Inside the U.S., however,
products can use 128-bit keys, which are far tougher to decipher.

The policy is a "real thorn in our side," a Netscape spokeswoman said. The
Mountain View, Calif., firm and dozens of other computer vendors continue to
lobby for looser export controls.

The Clinton administration promised last August to develop guidelines by the
end of 1995 for the export of products with a stronger 64-bit key, but no
actual policy revisions have yet materialized [CW, Aug. 21].