DESCHALL might actually have a shot at solving the challenge.
After reading the press release, she telephoned Rocke Verser and
tracked down a few more sources that could help to estimate the dif-
Spreading the Word 81
ļ¬culty of the problem. She ļ¬nished her article, and it went into the
News.com publication system.
āUsers take crack at 56-bit cryptoā ran on News.com with a lead-
in that clearly set forth the seriousness of our claim, as well as the
diļ¬culty facing us. Macavinta wrote,
Thousands of American and Canadian computer users are work-
ing night and day to prove that the 56-bit encryption standard
set by the United States government is vulnerable. But the eļ¬ort
could take several years.
Our objective was to draw some more attention to the project, bring-
ing in a whole new audience of potential participants. Articles like the
one that CNET ran were critical in these eļ¬orts.
Wednesday, April 9, 5:50 A.M.
Megasoft Online, Columbus, Ohio
Happy to see the success with CNET, I sent a copy of the press release
to my local paper, the Columbus Dispatch. After a long night of working
on DESCHALL, I posted a copy of the press release to the DESCHALL
Web site that I maintained.
DESCHALL GROUP SEARCHES FOR DES KEY
Sets out to prove that one of the worldā™s most popular
encryption algorithms is no longer secure.
COLUMBUS, OH (April 9, 1997). In answer to RSA Data Se-
curity, Inc.ā™s āSecret Key Challenge,ā a group of students, hob-
byists, and professionals of all varieties is looking for a nee-
dle in a haystack 2.5 miles wide and 1 mile high. The ānee-
dleā is the cryptographic key used to encrypt a given mes-
sage, and the āhaystackā is the huge pile of possible keys:
72,057,594,037,927,936 (thatā™s over 72 quadrillion) of them.
The point? To prove that the DES algorithmā”which is
widely used in the ļ¬nancial community and elsewhereā”is not
strong enough to provide protection from attackers. We be-
lieve that computing technology is suļ¬ciently advanced that
a ābrute-forceā search for such a key is feasible using only the
spare cycles of general purpose computing equipment, and as a
result, unless much larger ākeysā are used, the security provided
82 CHAPTER 11
by cryptosystems is minimal. Conceptually, a cryptographic key
bears many similarities to the key of a typical lock. A long key
has more possible combinations of notches than a short key.
With a very short key, it might even be feasible to try every pos-
sible combination of notches in order to ļ¬nd a key that matches
a given lock. In a cryptographic system, keys are measured in
length of bits, rather than notches, but the principle is the same:
unless a long enough key is used, computers can be used to ļ¬gure
out every possible combination until the correct one is found.
In an electronic world, cryptography is how both individuals
and organizations keep things that need to be private from be-
coming public knowledge. Whether itā™s a private conversation or
an electronic funds transfer between two ļ¬nancial institutions,
cryptography is what keeps the details of the data exchange
private. It has often been openly suggested that the US Gov-
ernmentā™s DES (Data Encryption Standard) algorithmā™s 56-bit
key size is insuļ¬cient for protecting information from either a
funded attack, or a large-scale coordinated attack, where large
numbers of computers are used to ļ¬gure out the text of the
message by brute force in their idle time: that is, trying every
Success in ļ¬nding the correct key will prove that DES is not
strong enough to provide any real level of security, and win the
ļ¬rst person to report the correct solution to RSA $10,000.
Many more participants are sought in order to speed up the
search. The free client software (available for nearly every pop-
ular computer type, with more on the way) is available through
the Web site. One simply needs to follow the download instruc-
tions to obtain a copy of the software. Once this has been done,
the client simply needs to be started, and allowed to run in the
background. During unused cycles, the computer will work its
way through the DES keyspace, until some computer cooperat-
ing in the eļ¬ort ļ¬nds the answer.
If you can participate yourself, we urge you to do so. In any
case, please make those you know aware of our eļ¬ort, so that
they might be able to participate. Every little bit helps, and we
need all the clients we can get to help us quickly provide an
answer to RSAā™s challenge.
Spreading the Word 83
With the CNET article published and a press release on the Web site,
my workday of over twenty-four hours came to an end.
After a few hoursā™ sleep, I was back online, watching the mailing list,
seeing other participants describe their eļ¬orts to get more publicity
for DESCHALL. All told, local papers in Minnesota, Michigan, Ohio,
Connecticut, California, and Ottowa were contacted by participants in
those areas. Some participants contacted the national technology media
and broadcast media throughout the United States and Canada. It was
a busy day.
In the ļ¬rst half of 1997, few in the mainstream media understood
the signiļ¬cance of the Internet, what kinds of possibilities it presented,
or even why anyone should care about DES. A larger problem was that,
while most reporters were interested, they didnā™t really see a story in
the beginning of an eļ¬ort. If we managed to succeed, however, they
wanted to hear about it.
This reaction was not altogether surprising, but it was frustrating
in light of our early success with CNET. We were very happy with the
coverage that we did getā”even if only CNET picked it up. Thanks to
that one article, we got the attention of new participants, which is just
what we neededā”even if it wasnā™t the worldwide mainstream media
coverage we wanted.
Thursday, April 10, 1:39 A.M.
The Ohio State University, Columbus, Ohio
Justin Dolske looked over RSAā™s Web site, and its description of its
1997 Secret Key Challenge. Noticing a link called āIn the Newsā for
the ļ¬rst time, he clicked on the text. Dolske noted the links to the
articles written about RSAā™s 40-bit and 48-bit challenges being won.
In addition, he saw a link he did not expect to ļ¬nd: one to CNETā™s
April 8 article.
Dolske smiled and ļ¬red oļ¬ a message to the DESCHALL mailing
list. Attracting enough attention for the contest sponsors to notice us
would be important, because anyone ļ¬nding out about the challenges
84 CHAPTER 11
from RSAā™s site would be able to follow links to see that RSAā™s DES
Challenge was being answered.
āNice to see that RSA knows that they may need to get out their
checkbook soon,ā observed Dolske in his e-mail.
As the days went on, we realized that our approach of a simple press
release that individual participants would use to base their own pitches
to local media was a good one. Rather than having a single Associated
Press story (for example) that everyone would run, each paper got to
write its own story about someone from among the readership that
was involved in a very important project dealing with the security of
cryptosystems. The press release provided the necessary background
and the rest of the story was about the involvement and the trials of
the local individuals participating.
This strategy was at its most eļ¬ect when the press release was sent
to university newspapers. Many students pitched stories to their school
papers, and, taking a cue from Carleton Jillsonā™s April 1 message to
the mailing list, would point out their standings in comparison to rival
The Race Is On
The way we in the DESCHALL project saw it, friends didnā™t let friends
have idle computers. This attitude helped us recruit as many partici-
pants as our publicity eļ¬orts did, perhaps even more, and this sort of
informal recruitment was particularly prevalent on college campuses.
Most of our processing power was coming from universitiesā”not really
a surprise, given the kind of cultural diļ¬erences between corporations
that wanted to reduce complexity on their production systems and the
comparatively freewheeling universities where people often run pro-
grams for no other reason than that they could. Further driving the
trend for participation from college campuses was the simple fact that
most students had their own machines in their dorm rooms, and many
large universities provided network to the campus network to dorms.
Students at Worcester Polytechnic Institute (WPI) in Massachusetts
managed to work their way to second place in the per-domain rankings
by running the DESCHALL clients on their own personal computers
in the middle of March. The twenty-four machines that were running
DESCHALL were processing more than 784 billion keys per day. The
Instituteā™s computer lab managers had banned the use of our clients on
their lab machines, so WPI students enlisted the help of their friends
as well as their own personal computers. As the weeks wore on, WPI
students would not be able to keep up with the key testing rates at
Even in early April the processing power that we had harnessed at
universities was massive. On April 8, for example, DESCHALL tested a
total of 24 trillion keys. That was a rate of 277 million each second, for
every second, around the clock in that single day. That rate was roughly
ten times the rate of Ian Goldbergā™s answer to the 40-bit Challengeā”
86 CHAPTER 12
but still just over half the speed of Germano Caronniā™s 48-bit Challenge
Statistical analysis of our key-testing rates was critical, since partic-
ipants wanted to be able to see how the project was progressing overall.
Of more interest to many participants was the breakdown showing each
participating ādomaināā”the group of machines in each organizationā™s
online name, such as ohio-state.edu or megasoft.com.
Looking at the per-domain statistics allowed participants to see how
much they were contributing by comparison to other organizations.
This turned out to be an excellent way to foster some healthy com-
petition, particularly among universities where rivalries had developed
over the years. Table 3 shows the top participating domains for April
Keys Tested Clients Contributor
4.8 Trillion 278 Oregon State University
2.3 Trillion 182 Rensselaer Polytechnic Institute
1.4 Trillion 25 Rochester Institute of Technology
1.3 Trillion 40 Worcester Polytechnic Institute
1.3 Trillion 196 Ohio State University
Table 3. April 8, Top Contributors per Domain
Wednesday, April 2
Oregon State University, Corvallis, Oregon
Unlike WPI, lab personnel at Oregon State allowed students to run the
DESCHALL clients on machines in the public computer labs. Oregon
State managed to grab the top spot for DESCHALL key searching and
to hold its title for several weeks.
An engineering student there, Adam Haberlach, was largely respon-
sible for Oregan Stateā™s participation. Haberlach had seen a reference
to DESCHALL on a mailing list for the now-defunct DES-Challenge
group. He downloaded the client software in mid-March and ran it on
his laptop at home. Haberlach worked in a test lab run by the Business
Department there with about sixty client machines that had spent a
lot of time doing nothing, so he decided to put the computers to work.
When Haberlach got to work the next day, he promptly installed the
DESCHALL client onto his computer. Later that morning, he managed
The Race Is On 87
to persuade one of his coworkers to install the client on his machine. As
word of the DESCHALL project spread trough Haberlachā™s oļ¬ce, more
and more employees installed the client until nearly all of Haberlachā™s
coworkers were participating.
Even after harnessing all of this power, Haberlach wasnā™t ļ¬nished.
In the same building, at the other end of the hallway was a lab with
another 160 machines. Haberlach was eager to install DESCHALL on
all of these machines, because he knew that spring break was imminent
and soon these machines would be spending all of their time running
screen savers. Haberlach approached the management of the larger lab
about running DESCHALL on its machines. Haberlach explained the
importance of DES and the prestige the University might gain from
participating, particularly if they contributed a substantial amount of
computing power or if they found the key. The lab management were
impressed by Haberlachā™s arguments and gave him permission to run
DESCHALL on all of the machines in the lab.
Within thirty minutes of the lab being closed, Haberlach and his
group had all of the machines running DESCHALL. Having seen the
impact of these machines on the project overall and the role they played
in taking Oregon State to ļ¬rst place, lab management started approach-
ing other lab administrators and trying to drum up more support for
the project and for Oregon Stateā™s ranking. By the time DES fell, Ore-
gon State had tested over six trillion keys, making it one of the top ten
institutions in terms of the number of keys tested.
While Haberlach and other DESCHALL enthusiasts were rapidly in-
creasing participation at Oregan State, others were developing new
clients that would allow more people across the country to contribute
to our eļ¬orts. Several participants had developed programs for Unix
machines that would search for DES keys when the machines were idle
and then pause this search when someone was using the machine. The
end result would be that people who needed to use the computer would
not need to share any of their systemā™s resources with a piece of soft-
ware like DESCHALL, and that when these computers were not being
used, their spare CPU cycles could contribute large amounts of eļ¬ort
to the project overall.
88 CHAPTER 12
Friday, April 11
Megasoft Online, Columbus, Ohio