More about last Netscape SSL cracking

Rohit Khare (khare@pest.w3.org)
Wed, 31 Jan 96 18:14:36 -0500


Once more, thanks to Arthur.

Begin forwarded message:

Resent-Date: Mon, 29 Jan 1996 14:39:39 -0500
Date: Mon, 29 Jan 1996 14:39:32 -0500 (EST)
From: Arthur Secret <secret@vl.w3.org>
To: w3t@w3.org
Subject: More about last Netscape SSL cracking
Resent-From: w3t@w3.org
X-Mailing-List: <w3t@w3.org> archive/latest/692
X-Loop: w3t@w3.org
Sender: w3t-request@w3.org
Resent-Sender: w3t-request@w3.org

The crack is old news (Jan 10), but the cost analysis might be of
interest.

Arthur

------- start of forwarded message (RFC 934 encapsulation) -------
Clipped from Privacy Digest:
>MIT Student Uses ICE Graphics Computer To Break Netscape Security in
>Less Than 8 Days: Cost to crack Netscape security falls from $10,000
>to $584
>
>CAMBRIDGE, Mass., January 10, 1996 -- An MIT undergraduate and
>part-time programmer used a single $83,000 graphics computer from
>Integrated Computing Engines (ICE) to crack Netscape's export
>encryption code in less than eight days. The effort by student Andrew
>Twyman demonstrated that ICE's advances in hardware price/performance
>ratios make it relatively inexpensive -- $584 per session -- to break
>the code.
>
>While being an active proponent of stronger export encryption, Netscape
>Communications (NSCP), developer of the SSL security protocol, has said
>that to decrypt an Internet session would cost at least $10,000 in
>computing time.
>
>Twyman used the same brute-force algorithm as Damien Doligez, the
>French researcher who was one of the first to crack the original SSL
>Challenge. The challenge presented the encrypted data of a Netscape
>session, using the default exportable mode, 40-bit RC4 encryption.
>Doligez broke the code in eight days using 112 workstations.
>
>"The U.S. government has drastically underestimated the pace of
>technology development," says Jonas Lee, ICE's general manager. "It
>doesn't take a hundred workstations more than a week to break the code
>-- it takes one ICE graphics computer. This shuts the door on any
>argument against stronger export encryption."
>
>Breaking the code relies more on raw computing power than hacking
>expertise. Twyman modified Doligez's algorithm to run on ICE's Desktop
>RealTime Engine (DRE), a briefcase-size graphics computer that connects
>to a PC host to deliver performance of 6.3 Gflops (billions of floating
>point instructions per second). According to Twyman, the program tests
>each of the trillion 40-bit keys until it finds the correct one.
>Twyman's program averaged more than 830,000 keys per second, so it
>would take 15 days to test every key. The average time to find a key,
>however, was 7.7 days. Using more than 100 workstations, Doligez
>averaged 850,000 keys per second.ICE used the following formula to
>determine its $584 cost of computing power: the total cost of the
>computer divided by the number of days in a three-year lifespan
>(1,095), multiplied by the number of days (7.7) it takes to break the
>code.
>
>ICE's Desktop RealTime Engine combines the power of a supercomputer
>with the price of a workstation. Designed for high-end graphics,
>virtual reality, simulations and compression, it reduces the cost of
>computing from $160 per Mflop (millions of floating point instructions
>per second) to $13 per Mflop. ICE, founded in 1994, is the exclusive
>licensee of MeshSP technology from the Massachusetts Institute of
>Technology (MIT).
>
>###
>
>INTEGRATED COMPUTING ENGINES, INC.
>460 Totten Pond Road, 6th Floor
>Waltham, MA 02154
>Voice: 617-768-2300, Fax: 617-768-2301
>
>FOR FURTHER INFORMATION CONTACT:
>
>Bob Cramblitt, Cramblitt & Company
>(919) 481-4599; cramco@interpath.com
>
>Jonas Lee, Integrated Computing Engines
>(617) 768-2300, X1961; jonas@iced.com
>
>Note: Andrew Twyman can be reached at kurgan@mit.edu.
>
David Petraitis
------- end -------