Horseman Number 3: Osama Used 40 bits

R. A. Hettinga rahettinga at earthlink.net
Thu Jan 17 14:32:50 EST 2002


I wonder if he can sue BillG? :-).

Cheers,
RAH


http://www.newscientist.com/news/news.jsp?id=ns99991804

Weakened encryption lays bare al-Qaeda files

 
17:07 17 January 02
Will Knight

 
Relatively weak encryption appears to have been used to protect files
recovered from two computers believed to have belonged to al-Qaeda
operatives in Afghanistan.

The files were found on a laptop and desktop computer bought by Wall Street
Journal reporters from looters in Kabul a few days after it was captured by
Northern Alliance forces on 13 November. The files provide information
about reconnaissance missions to Europe and the Middle East.

A report in the UK's Independent newspaper indicates that the encryption
used to protect these files had been significantly weakened by US export
restrictions that existed until last year.

The files were reportedly stored using Microsoft's Windows 2000 operating
system and protected from unauthorised access using the Encrypting File
System (EFS), which comes as standard on this platform. They were protected
with a 40-bit Data Encryption Standard (DES), according to the Independent
report. This was the maximum strength encryption allowed for export by US
law until March 2001. All systems are now sold with the standard 128-bit
key encryption, exponentially stronger than 40-bit.

Wall Street Journal reporters say that they decrypted a number of files
using "an array of high-powered computers" to try every possible
combination, or "key" in succession, a process that took five days.


Billions of keys


Brian Gladman, an ex-NATO encryption expert based in the UK, says that
40-bit DES means checking about a billion billion different keys in
succession. This would take the average desktop computer a year, but a
group of powerful machines could perform the feat in a few days, he says.
However, he adds: "If you go much beyond 40 bits it is outside the realm of
possible."

But Gladman says the US should not seek to reintroduce controls on the
export of strong encryption products in light of this evidence. He believes
that export controls would not necessarily stop terrorists and could harm
the security of companies outside the US.

"The internet is already vulnerable and if we do not implement strong
encryption, criminals will get away with murder," Gladman told New
Scientist. "Any efforts to prevent the deployment of this technology will
damage us rather than help."

Gladman says that terrorists can rely on far more elementary techniques to
keep information secret and communicate covertly. These include using
secret code words and anonymous internet cafes.

 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List