In 1994, a Norwegian company called Telenor developed a Web browser called Opera that was marketed as being the speediest and most standards compliant of any browser, supporting such standards as 128-bit encryptionÂ—strong, unbreakable encryption. The United States government, however, permits for export only a weaker bit encryption version than 128. In fact, before 1998 any cryptographic products exported from the U.S. for general use could not use more than 40-bit symmetric encryption and 512-bit asymmetric encryption and still meet legal requirements. The reason for this restriction was that the 40-bit key size was known to be vulnerable to crack exploits.
An event that occurred in 1995 illustrates why stronger encryption is important. On July 14, 1995, Hal Finney, a co-developer of the PGP encryption standard, submitted a challenge to the cryptographic community to try breaking an encrypted web browsing session (using the 40bit SSL protocol). One month later, a French student named Damien Doligez posted the solution to the challenge. He had used an idle network with 120 computers to conduct a brute-force search on the 40-bit SSL key used in Â“the challenge.Â” The brute-force search took the studentÂ’s network eight days to detect the key. Some time later, another group met the challenge in only 32 hours. The reason for the time difference in meeting the challenge is that computers become faster and cheaper as time goes on, with a rough measure being that computer power increases 10 times every five years.
In more recent times, public groups have constructed brute-force computers to meet similar challenges. In 1998, for example, a group backed by the EFF constructed Â“Deep Crack,Â” a DES-cracking engine. For a cost of about $210,000, the group constructed a computer able to brute-force crack a 56-bit DES key in three days or fewer. (The possible number of keys in the 56-bit keyspace is 2^56 or about 72,057,590,000,000,000; the possible number of keys in a 40-bit keyspace is 2^40 or about 1,099,511,000,000.) If the DES-cracker engine of EFF were to be applied to a considerably smaller 40-bit key space, it would take only about four seconds to crack the key.
Finally, asymmetric cryptography, also known as public-key cryptography, can be subjected to brute-force attack challenges. Likely the most famous of these was the RSA Crypto Challenge that took place in August 1999. The challenge involved the factoring of the pair of prime numbers in a 512-bit RSA key. The challenge was solved in just over five months by using 292 computers connected to the Internet.
As a result of this important 1999 challenge, RSA Labs now recommend that at least 768-bit encryption be used for security purposes. Many security experts believe that clandestine government agencies with large budgets have built devices such as Â“Deep CrackÂ”Â—a security nightmare for persons wary of the governmentÂ’s capability to discover their secrets, to say the least.