Single computer breaks 40-bit RC4 in under 8 days

From: glen mccready To: 0xdeadbeef@substance.abuse.blackdown.org Cc: shmigels@cadvision.com Date: Sat, 20 Jan 1996 13:49:11 -0500

anyone for online banking? -glen

Forwarded-by: bostic@bsdi.com (Keith Bostic)
Forwarded-by: daveg@pakse.mit.edu (David Golombek)

MIT Student Uses ICE Graphics Computer

To Break Netscape Security in Less Than 8 Days

Cost to crack Netscape security falls from $10,000 to $584

CAMBRIDGE, Mass., January 10, 1996 -- An MIT undergraduate and part-time
programmer used a single $83,000 graphics computer from Integrated Computing
Engines (ICE) to crack Netscape's export encryption code in less than eight
days. The effort by student Andrew Twyman demonstrated that ICE's advances
in hardware price/performance ratios make it relatively inexpensive -- $584
per session -- to break the code.

While being an active proponent of stronger export encryption, Netscape
Communications (NSCP), developer of the SSL security protocol, has said that
to decrypt an Internet session would cost at least $10,000 in computing time.

Twyman used the same brute-force algorithm as Damien Doligez, the French
researcher who was one of the first to crack the original SSL Challenge.
The challenge presented the encrypted data of a Netscape session, using the
default exportable mode, 40-bit RC4 encryption.  Doligez broke the code in
eight days using 112 workstations.

"The U.S. government has drastically underestimated the pace of technology
development," says Jonas Lee, ICE's general manager.  "It doesn't take a
hundred workstations more than a week to break the code -- it takes one
ICE graphics computer.  This shuts the door on any argument against
stronger export encryption."

Breaking the code relies more on raw computing power than hacking
expertise.  Twyman modified Doligez's algorithm to run on ICE's Desktop
RealTime Engine (DRE), a briefcase-size graphics computer that connects
to a PC host to deliver performance of 6.3 Gflops (billions of floating
point instructions per second).  According to Twyman, the program tests
each of the trillion 40-bit keys until it finds the correct one. Twyman's
program averaged more than 830,000 keys per second, so it would take 15
days to test every key.  The average time to find a key, however, was 7.7
days.  Using more than 100 workstations, Doligez averaged 850,000 keys
per second.ICE used the following formula to determine its $584 cost of
computing power: the total cost of the computer divided by the number of
days in a three-year lifespan (1,095), multiplied by the number of days
(7.7) it takes to break the code.

ICE's Desktop RealTime Engine combines the power of a supercomputer with the
price of a workstation.  Designed for high-end graphics, virtual reality,
simulations and compression, it reduces the cost of computing from $160 per
Mflop (millions of floating point instructions per second) to $13 per Mflop.
ICE, founded in 1994, is the exclusive licensee of MeshSP technology from
the Massachusetts Institute of Technology (MIT).

###

INTEGRATED COMPUTING ENGINES, INC.
460 Totten Pond Road, 6th Floor
Waltham, MA 02154
Voice: 617-768-2300, Fax: 617-768-2301

FOR FURTHER INFORMATION CONTACT:

Bob Cramblitt, Cramblitt & Company 
(919) 481-4599; cramco@interpath.com
 
Jonas Lee, Integrated Computing Engines 
(617) 768-2300, X1961; jonas@iced.com

Note: Andrew Twyman can be reached at kurgan@mit.edu.