[Cryptography] On 40-bit encryption

Peter Trei petertrei at gmail.com
Sun Aug 24 13:37:22 EDT 2014 

On Sat, 23 Aug 2014 11:04:43 -0400,  Sandy Harris <sandyinchina at gmail.com>
wrote:

On Tue, Aug 19, 2014 at 5:43 PM, Dave Horsfall <dave at horsfall.org> wrote:

>> OK, call me a newbie (which basically I am), but I'm baffled by something
>> that's popped up in a couple of threads here, ...
>>
>> It then got relaxed, apparently because the "enemy" already have strong
>> crypto so it was pointless.

> I'd say the main reason for the relaxation in the US was the Bernstein
case
> Dan Bernstein (grad student at Berkeley, later prof at U Illinois),
supported
> by the EFF, sued the US government arguing that, since code can be
> read and discussed by humans, it qualifies legally as speech, so export
> restrictions on source code are an unconstitutional restriction on free
> speech. He won in the first court & again on appeal. There is an archive
> of case documents with links to related cases:
> http://cr.yp.to/export.html <http://cr.yp.to/export.html>

> At that point, the government changed their regulations -- moved the
> controls from the State dep't to Commerce and allowed export of
> "public domain" code, provided the Commerce dep't is notified. As
> I see it, they were scrambling to salvage anything they could and
> desperately trying to avoid having the Bernstein case make it to
> the Supreme Court and perhaps overturn the regulations completely.

> The EFF says the requirement for notification is still unconstitutional,
> but I have not heard of any court case over that.

"Success has many fathers, while failure is an orphan."

There were a lot of factors.

Another one, which I was personally involved in, was the demonstration that
40 and
56 bit bit encryption was insecure.

Members of the 'cypherpunks' mailing list organized a distributed brute
force of a
40 bit key in 1995. It took about 300 PCs, and three weeks.

This was important, because it gave the lie to government claims that 40
bits
was 'good  enough'. All of a sudden, the international market dropped out
from
under US software exporters of secured products. This threw market forces
to the side of stronger keys - 40 bit crypto became a laughingstock, and its
use clearly did not meet due diligence.

The USG response, within a few months, was to up the limit to 56 bits -
single DES. The RSA Secret Key Challenges were the response. Single
DES was first brute forced over several months in early 1997, and by 2000
this was done in under 24 hours.

Soon after, the export restrictions were eased.

The challenges were hardly the only reason, but they provided an easy to
understand and impossible to deny proof that software engineers and
purchasers could put in front of their managers, and which corporate
management could present to the government.

pt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140824/ef01a9f5/attachment.html>

More information about the cryptography mailing list