Slashdot Mirror

← Back to Stories (view on slashdot.org)

Export-level Encryption Proves Insufficient

Posted by michael on from the forty-bits-is-not-enough dept.

rossjudson writes: "The Independent is running an article about the shoe bomber terrorist. The interesting bit for Slashdot readers is at the bottom -- apparently the 40-bit encryption in the export version of Windows 2000 was cracked by a set of computers using a brute force method. So let's confront the question: Should the US prohibit the export of high-encryption software? Here is a case where the default values (40 bit) clearly helped recover valuable information from a system." There's another article in New Scientist focusing on the encryption issue.

8 of 517 comments (clear)

  1. It doesn't matter because: by Bonker · · Score: 5, Insightful

    Advanced Math Textbook +
    Computer +
    Low-level programming skills =

    High Grade Encryption... Anywhere in the world.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:It doesn't matter because: by OverCode@work · · Score: 5, Insightful

      Heh. I implemented Blowfish back in high school, using readily-available information. It didn't require any exceptional level of skill, just a basic knowledge of crypto and the ability to translate an algorithm into code.

      For those who don't know, Blowfish is a very strong cipher that supports up to 448-bit keys.
      Just for kicks, I changed 2 lines of the code and made an "exportable" version with 32-bit keys.

      Crypto export laws are a complete joke. The US does not have a monopoly on strong encryption; it's not as if we are supplying some scare resource to the rest of the world. If a 17 year old geek could implement strong encryption on a laptop in his bedroom, I am fairly certain a ring of terrorists could do the same.

      On the other hand, these laws do cause a considerable hassle for law-abiding organizations that wish to add security to their products. Therefore I believe that these laws are detrimental and should be repealed immediately.

      -John

  2. 40 bit crypto was _desinged_ to be cracked by Hater's+Leaving,+The · · Score: 5, Insightful

    40 bits is nothing, and has been for decades.
    That limit was /chosen/ to be crackable. And in my book, and in the minds of many others, that pretty much disqualifies it from even being called 'crypto'.

    THL.

    --
    Keeping /. cynic density high since the fscking Kwhores/trolls arrived.
  3. Why not? by sql*kitten · · Score: 5, Insightful

    Should the US prohibit the export of high-encryption software?

    Sure, why not? It isn't as if there are any cryptographers in any other countries in the world, is it?

    Legislation is pointless, and even damaging in this case. The cryptography playing field is fairly level. That's not inherently a good or a bad thing; just as al-Queda can encrypt their files, they are equally prevented from intercepting sensitive information by the same technology. If legislation restricts crypto, we will find ourselves in a situation in which the FBI can't crack terrorist comms, yet terrorists can intercept commercial data. Airline security information, oilrig blueprints, whatever.

  4. Empirical evidence no match for clever theory? by mdahlman · · Score: 5, Insightful

    I've just read 50 posts saying that limiting export strength encryption won't stop any non-US people from using higher encryption. I agree that this makes perfect sense. It's completely logical.

    But everyone seems to conveniently ignore the fact that this group DID rely on the export strength encryption that they had available. They DIDN'T use PGP or any one of the myriad of other options for better encryption. Perhaps the premise that a slashdot reader is familiar with other encryption techniques isn't equivalent to the premise that an Al-Qaida member will be familiar with other encryption techniques.

    Any reasonable and complete argument against limiting export strength encryption at least needs to address this fact. One could argue that it is an unusual case, that it won't be repeated, that you don't care if non-US folks have default access to better encryption, etc.

    But arguing that it will never stop anyone from using better techniques seems silly when presented with this case of a group using exactly the default abilities that they were given in Win2k.

  5. 40 bits is useless by Bostik · · Score: 5, Insightful
    [...] this pretty much settles the question for me that 40-bit, even 64-bit just isn't enough.

    Correct. 40-bit keys have no protective value. Remember the article about IBM's crypto chip being broken? (Somebody please provide the link to /. article, I can't at the moment.) In practice, they broke single DES, 56 bits worth of security in a good block cipher. In brute force.

    It took at most 2 days with ~1000 $US worth of gear to find the key. Let's assume that they needed the full 48 hours to get that key broken. Simple math follows:

    48 hours is 48*3600 seconds. It takes this much time to brute-force a 56-bit key. 40 bits is 1/(2^16) times the size of that, hence the time to break a 40-bit key with similar equipment is 48*3600/(2^16) seconds. This is no more than about 2.6 seconds.

    To underline this as clearly as I can: 40-bit keys provide NO security. They may have provided some, at a time - but definetely not for some time now.

    --
    There is no such thing as good luck. There is only misfortune and its occasional absence.
  6. Re:Shoe bomber = idiot by RazzleFrog · · Score: 5, Insightful

    A truly smart person probably wouldn't belive that terrorist action would accomplish their goals.

    I fear that that thought process is what got us into this mess in the first place. We have always assumed that these terrorists were unorganized nutcases running around with bombs attached to themselves.

    And then on 9/11 we found out how organized and intelligent they could be and how ignorant we were. The truth is that there are some scarily intelligent people in these terrorist organizations who are using religious ferver to control otherwise sane individuals.

    "If ignorant both of your enemy and yourself, you are certain to be in peril." - Sun Tzu. The Art of War

  7. True by Greyfox · · Score: 5, Insightful
    When my company started a contract with a software shop in Romania for them to write software for us, corporate policy required all communications to be encrypted. We got PGP and GPG for the various servers, they bought PGP from the PGP International people and our keys were all 1024 bit keys. Nothing to it.

    What the crypto regulations really do is prevent most people in the USA from adopting it. None of the three-letter agencies want everyone encrypting their E-mail or network traffic by default. That simply wouldn't do -- if everyone did it, how would they know who actually has something to hide? So they make it a pain in the ass for software developers to incorporate it into their software and they make it a pain in the ass for most users (Who don't know to go to international sites where you don't have to fill out a form to download the software) to get it.

    The irony is that now they're bitching because the network is so insecure and how a cyber-attack could bring down public utilities and banks and things. Well they're just reaping what they've sown. The network would have tended to cryptographic authentication and tighter security except for the artificial and fundamentally useless restrictions the federal government has put in place.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?