
the success of the recent 48-bit and 40-bit challenges, she thought that
DESCHALL might actually have a shot at solving the challenge.
After reading the press release, she telephoned Rocke Verser and
tracked down a few more sources that could help to estimate the
difficulty of the problem. She finished her article, and it went into the
News.com publication system.

“Users take crack at 56-bit crypto” ran on News.com with a lead-in
that clearly set forth the seriousness of our claim, as well as the
difficulty facing us. Macavinta wrote,

Thousands of American and Canadian computer users are working
night and day to prove that the 56-bit encryption standard
set by the United States government is vulnerable. But the effort
could take several years.

Our objective was to draw some more attention to the project, bringing
in a whole new audience of potential participants. Articles like the
one that CNET ran were critical in these efforts.


Wednesday, April 9, 5:50 A.M.
Megasoft Online, Columbus, Ohio

Happy to see the success with CNET, I sent a copy of the press release
to my local paper, the Columbus Dispatch. After a long night of working
on DESCHALL, I posted a copy of the press release to the DESCHALL
Web site that I maintained.

DESCHALL GROUP SEARCHES FOR DES KEY
Sets out to prove that one of the world’s most popular
encryption algorithms is no longer secure.

COLUMBUS, OH (April 9, 1997). In answer to RSA Data Security,
Inc.’s “Secret Key Challenge,” a group of students, hobbyists,
and professionals of all varieties is looking for a needle
in a haystack 2.5 miles wide and 1 mile high. The “needle”
is the cryptographic key used to encrypt a given message,
and the “haystack” is the huge pile of possible keys:
72,057,594,037,927,936 (that’s over 72 quadrillion) of them.

The point? To prove that the DES algorithm—which is
widely used in the financial community and elsewhere—is not
strong enough to provide protection from attackers. We believe
that computing technology is sufficiently advanced that
a “brute-force” search for such a key is feasible using only the
spare cycles of general purpose computing equipment, and as a
result, unless much larger “keys” are used, the security provided
by cryptosystems is minimal. Conceptually, a cryptographic key
bears many similarities to the key of a typical lock. A long key
has more possible combinations of notches than a short key.
With a very short key, it might even be feasible to try every possible
combination of notches in order to find a key that matches
a given lock. In a cryptographic system, keys are measured in
length of bits, rather than notches, but the principle is the same:
unless a long enough key is used, computers can be used to figure
out every possible combination until the correct one is found.

In an electronic world, cryptography is how both individuals
and organizations keep things that need to be private from becoming
public knowledge. Whether it’s a private conversation or
an electronic funds transfer between two financial institutions,
cryptography is what keeps the details of the data exchange
private. It has often been openly suggested that the US Government’s
DES (Data Encryption Standard) algorithm’s 56-bit
key size is insufficient for protecting information from either a
funded attack, or a large-scale coordinated attack, where large
numbers of computers are used to figure out the text of the
message by brute force in their idle time: that is, trying every
possible combination.

Success in finding the correct key will prove that DES is not
strong enough to provide any real level of security, and win the
first person to report the correct solution to RSA $10,000.

Many more participants are sought in order to speed up the
search. The free client software (available for nearly every popular
computer type, with more on the way) is available through
the Web site. One simply needs to follow the download instructions
to obtain a copy of the software. Once this has been done,
the client simply needs to be started, and allowed to run in the
background. During unused cycles, the computer will work its
way through the DES keyspace, until some computer cooperating
in the effort finds the answer.

If you can participate yourself, we urge you to do so. In any
case, please make those you know aware of our effort, so that
they might be able to participate. Every little bit helps, and we
need all the clients we can get to help us quickly provide an
answer to RSA’s challenge.
Spreading the Word 83

With the CNET article published and a press release on the Web site,
my workday of over twenty-four hours came to an end.




After a few hours’ sleep, I was back online, watching the mailing list,
seeing other participants describe their efforts to get more publicity
for DESCHALL. All told, local papers in Minnesota, Michigan, Ohio,
Connecticut, California, and Ottawa were contacted by participants in
those areas. Some participants contacted the national technology media
and broadcast media throughout the United States and Canada. It was
a busy day.

In the first half of 1997, few in the mainstream media understood
the significance of the Internet, what kinds of possibilities it presented,
or even why anyone should care about DES. A larger problem was that,
while most reporters were interested, they didn’t really see a story in
the beginning of an effort. If we managed to succeed, however, they
wanted to hear about it.

This reaction was not altogether surprising, but it was frustrating
in light of our early success with CNET. We were very happy with the
coverage that we did get—even if only CNET picked it up. Thanks to
that one article, we got the attention of new participants, which is just
what we needed—even if it wasn’t the worldwide mainstream media
coverage we wanted.


Thursday, April 10, 1:39 A.M.
The Ohio State University, Columbus, Ohio

Justin Dolske looked over RSA’s Web site, and its description of its
1997 Secret Key Challenge. Noticing a link called “In the News” for
the first time, he clicked on the text. Dolske noted the links to the
articles written about RSA’s 40-bit and 48-bit challenges being won.
In addition, he saw a link he did not expect to find: one to CNET’s
April 8 article.

Dolske smiled and fired off a message to the DESCHALL mailing
list. Attracting enough attention for the contest sponsors to notice us
would be important, because anyone finding out about the challenges
from RSA’s site would be able to follow links to see that RSA’s DES
Challenge was being answered.

“Nice to see that RSA knows that they may need to get out their
checkbook soon,” observed Dolske in his e-mail.

As the days went on, we realized that our approach of a simple press
release that individual participants would use as the basis for their own
pitches to local media was a good one. Rather than having a single Associated
Press story (for example) that everyone would run, each paper got to
write its own story about someone from among the readership that
was involved in a very important project dealing with the security of
cryptosystems. The press release provided the necessary background
and the rest of the story was about the involvement and the trials of
the local individuals participating.

This strategy was at its most effective when the press release was sent
to university newspapers. Many students pitched stories to their school
papers, and, taking a cue from Carleton Jillson’s April 1 message to
the mailing list, would point out their standings in comparison to rival
schools.
12
The Race Is On




The way we in the DESCHALL project saw it, friends didn’t let friends
have idle computers. This attitude helped us recruit as many participants
as our publicity efforts did, perhaps even more, and this sort of
informal recruitment was particularly prevalent on college campuses.
Most of our processing power was coming from universities—not really
a surprise, given the kind of cultural differences between corporations
that wanted to reduce complexity on their production systems and the
comparatively freewheeling universities where people often ran programs
for no other reason than that they could. Further driving the
trend for participation from college campuses was the simple fact that
most students had their own machines in their dorm rooms, and many
large universities provided connections to the campus network in the dorms.

Students at Worcester Polytechnic Institute (WPI) in Massachusetts
managed to work their way to second place in the per-domain rankings
by running the DESCHALL clients on their own personal computers
in the middle of March. The twenty-four machines that were running
DESCHALL were processing more than 784 billion keys per day. The
Institute’s computer lab managers had banned the use of our clients on
their lab machines, so WPI students enlisted the help of their friends
as well as their own personal computers. As the weeks wore on, WPI
students would not be able to keep up with the key testing rates at
other universities.

Even in early April the processing power that we had harnessed at
universities was massive. On April 8, for example, DESCHALL tested a
total of 24 trillion keys. That was a rate of 277 million each second, for
every second, around the clock in that single day. That rate was roughly
ten times the rate of Ian Goldberg’s answer to the 40-bit Challenge—but
still just over half the speed of Germano Caronni’s 48-bit Challenge
project.

Statistical analysis of our key-testing rates was critical, since participants
wanted to be able to see how the project was progressing overall.
Of more interest to many participants was the breakdown showing each
participating “domain”—the group of machines in each organization’s
online name, such as ohio-state.edu or megasoft.com.

Looking at the per-domain statistics allowed participants to see how
much they were contributing by comparison to other organizations.
This turned out to be an excellent way to foster some healthy competition,
particularly among universities where rivalries had developed
over the years. Table 3 shows the top participating domains for April 8.

Keys Tested     Clients   Contributor
4.8 Trillion    278       Oregon State University
2.3 Trillion    182       Rensselaer Polytechnic Institute
1.4 Trillion    25        Rochester Institute of Technology
1.3 Trillion    40        Worcester Polytechnic Institute
1.3 Trillion    196       Ohio State University

Table 3. April 8, Top Contributors per Domain




Wednesday, April 2
Oregon State University, Corvallis, Oregon

Unlike WPI, lab personnel at Oregon State allowed students to run the
DESCHALL clients on machines in the public computer labs. Oregon
State managed to grab the top spot for DESCHALL key searching and
to hold its title for several weeks.

An engineering student there, Adam Haberlach, was largely responsible
for Oregon State’s participation. Haberlach had seen a reference
to DESCHALL on a mailing list for the now-defunct DES-Challenge
group. He downloaded the client software in mid-March and ran it on
his laptop at home. Haberlach worked in a test lab run by the Business
Department there with about sixty client machines that had spent a
lot of time doing nothing, so he decided to put the computers to work.

When Haberlach got to work the next day, he promptly installed the
DESCHALL client onto his computer. Later that morning, he managed
to persuade one of his coworkers to install the client on his machine. As
word of the DESCHALL project spread through Haberlach’s office, more
and more employees installed the client until nearly all of Haberlach’s
coworkers were participating.

Even after harnessing all of this power, Haberlach wasn’t finished.
In the same building, at the other end of the hallway was a lab with
another 160 machines. Haberlach was eager to install DESCHALL on
all of these machines, because he knew that spring break was imminent
and soon these machines would be spending all of their time running
screen savers. Haberlach approached the management of the larger lab
about running DESCHALL on its machines. Haberlach explained the
importance of DES and the prestige the University might gain from
participating, particularly if they contributed a substantial amount of
computing power or if they found the key. The lab management were
impressed by Haberlach’s arguments and gave him permission to run
DESCHALL on all of the machines in the lab.

Within thirty minutes of the lab being closed, Haberlach and his
group had all of the machines running DESCHALL. Having seen the
impact of these machines on the project overall and the role they played
in taking Oregon State to first place, lab management started approaching
other lab administrators and trying to drum up more support for
the project and for Oregon State’s ranking. By the time DES fell, Oregon
State had tested over six trillion keys, making it one of the top ten
institutions in terms of the number of keys tested.




While Haberlach and other DESCHALL enthusiasts were rapidly increasing
participation at Oregon State, others were developing new
clients that would allow more people across the country to contribute
to our efforts. Several participants had developed programs for Unix
machines that would search for DES keys when the machines were idle
and then pause this search when someone was using the machine. The
end result would be that people who needed to use the computer would
not need to share any of their system’s resources with a piece of software
like DESCHALL, and that when these computers were not being
used, their spare CPU cycles could contribute large amounts of effort
to the project overall.
Friday, April 11
Megasoft Online, Columbus, Ohio
