Nelson Minar also started paying attention to the standings
of various teams of participants, seeing how MIT was doing by
comparison to some other univer-

Fig. 6. Keys Tested per Day, in Trillions

Around the same time, Colin Hildinger compared our most recent
statistics with SolNET’s. While we had searched two-tenths of one
percent of the DES keyspace the previous day, SolNET managed to
search two-and-a-half-tenths of one percent in a nearby twenty-four
hour period. Because of delays in getting statistics calculated and
published, we wouldn’t know until the following day—May 3—how
exactly we would compare. But it was obvious that DESCHALL and
SolNET were running neck and neck.

Keys            Clients   Domain / University
17.0 Trillion   393       uiuc.edu, University of Illinois at Urbana-Champaign
7.3 Trillion    372       orst.edu, Oregon State University
5.9 Trillion    191       mit.edu, Massachusetts Institute of Technology
5.7 Trillion    203       mtu.edu, Michigan Technological University
5.4 Trillion    187       cmu.edu, Carnegie Mellon University

Table 10. Comparison Among Universities, May 2

Although SolNET was closing on our key testing rate, we were still
far ahead in terms of total keys tested and our clients were so much
more efficient than the SolNET clients. There just wasn’t any way for
either project to back down at this point—SolNET users outside of the
U.S. couldn’t get to our software, and DESCHALL participants didn’t
want to run slower key testing software. The only option was to drive
forward, turning up the heat on one another in the process.
Meanwhile, IBM’s chess-playing computer, Deep Blue, was slated
to play against the world’s highest-rated chess player, Garry Kasparov,
in another week. (Deep Blue would go on to win in a highly-contested
match, the first time that a computer ever defeated a reigning chess
champion.) Nate Boyd, from MIT’s Computer Graphics Group, suggested
that we try to recruit Deep Blue for cracking keys. Boyd was
joking, but in 1998 the Electronic Frontier Foundation, an online civil
liberty group, would fund the development of a DES key-cracking machine
called “Deep Crack,” a special-purpose computer built for the
sole purpose of cracking DES keys faster than software ever could.
Instead of trying to recruit Deep Blue, Justin Dolske tried to get
some attention for DESCHALL by submitting an article to
comp.os.linux.announce, the same newsgroup that had carried the RC5
announcement that had so recently caused a stir among DESCHALL
participants. Given that the moderators had allowed Mike Driscoll’s
article about the RC5 Bovine effort to be released, Dolske thought
that interest in cryptography would be high enough to warrant some
publicity for DESCHALL. Dolske’s announcement, just like Driscoll’s
RC5-56 announcement, was simple and to the point: what the DESCHALL
project is, why it is important, and how to join.
The newsgroup moderators didn’t seem to agree, and rejected
Dolske’s post, on the grounds that they just allowed something about
the RC5 effort recently. Even more strangely, after rejecting Dolske’s
message, the same moderators allowed for another post for an RC5
effort. The moderators never answered questions about their decision,
leaving some to conclude that there was some bias against DES (or in
favor of RC5) efforts. This little mystery remains.
I could think of no reason to reject Dolske’s announcement about
DESCHALL. DES was a real standard, even used in the Linux operating
system. RC5’s use was not nearly as widespread, the 56-bit key size
was not a typical configuration for RC5, and there was no direct
connection between the Linux operating system and RC5. The decision to
reject Dolske’s post seemed completely arbitrary, and the piece might
have appeared if a different moderator happened to see the submission.
After no small amount of concern about if (and when) SolNET was
going to surpass our key search speed, we started taking a harder look
at the numbers in order to get a better grasp on the progress being
made by both projects.
SolNET’s progress statistics were based on the number of clients
that checked in with the keyserver during a given half-hour period.
Some DESCHALL participants thought that all of SolNET’s clients
were checking in every half-hour and thus assumed that the statistics
reflected the combined efforts of the entire project. On May 4, Rocke
Verser pointed out that computers running the client software reporting
their progress in that half-hour window were most likely reporting
more than one half-hour’s worth of work; many other clients were busy
testing keys, but did not have any results to report back to the
keyserver during that time. Applying the same metric to our own progress,
Verser wrote, “In the last 60 seconds, 180 DESCHALL clients reported
122 billion keys tested. (Wow! We’re testing over 2 billion keys per
second with only 180 clients!)”
As it turned out, the keyserver numbers were really only useful for
showing how much of a load the keyservers were maintaining. SolNET’s
keyservers were taking roughly two hits per second from their clients,
whereas the DESCHALL keyserver was taking about three hits per
second from the clients.
Looking at total project speed for comparison, Verser could see that
SolNET was testing just under 2 billion keys per second, whereas
DESCHALL was testing just over 2 billion keys per second.
Verser correctly concluded that SolNET had more clients—more
than three times as many computers running their client software—
but DESCHALL had faster clients.
Unfortunately for SolNET, their numbers turned out to be less
impressive than they had initially appeared. Fredrik Lindgren confirmed
on SolNET’s DES-Announce mailing list that some machines in Finland
were pretending to run SolNET clients, but actually were not.
Basically, someone examined the protocol running between client and
server in order to figure out what exactly to send to a keyserver to
impersonate a client. Having figured out the protocol between client and
server, the malicious client would simply send a “block finished, but
key not found” message to a SolNET keyserver, without ever having
tested a single key. The goal of such an attack was to make the
keyserver incorrectly record blocks as being tested, potentially preventing
the real key from being found.
This was exactly the kind of thing that everyone involved in
distributed computing efforts worried about. No one really gets anything
out of an attack like this, but if it’s easy enough to do, some idiot
somewhere in the world is certain to try it. Lindgren and other SolNET
coordinators had their hands full trying to assess the damage and
building a plan for recovery, so they did not bother trying to figure out
who was behind it.
Many DESCHALL participants began to ask what we were doing to
prevent this kind of attack on our systems. I raised the issue privately
with Rocke Verser and Justin Dolske; we talked about the problem and
some of the defenses that we had in place, but never directly answered
the questions presented by general participants. If the attackers were
reading DESCHALL’s lists, we didn’t want to give them any clues
about what our weak points might be.
SolNET would not be completely undone by this attack, but it was
a setback. The bogus reports came from a particular network on the
Internet, allowing for all of those reports to be discarded, ensuring that
those keys would be tested by another client later. If any legitimate
testing had been done, those would be lost, but the integrity of the
project was critical and it was better to retest a key that had been
tested once than to miss a key that was falsely reported as tested.
While SolNET was recovering from its attack, the DESCHALL team
turned to other issues. Having enabled the basic mechanism for
searching for DES keys on thousands of machines, of dozens of types, from
all over the United States and Canada, our project had become quite
visible, and it was possible that the same attackers who targeted
SolNET might try to foil us. We did not want just to worry about what
kinds of bad things could happen; we wanted to anticipate the most
likely threats so that we could methodically address them.
Sunday, May 4, 2:20 A.M.
University of Texas at Austin
As DESCHALL participant Seth Johnson read CNET news, he found
an article that discussed a math bug in the Intel Pentium Pro
microprocessor. The article specifically described a problem that could cause
some calculations to be done incorrectly. Users wouldn’t generally
notice the problem; it was the kind of obscure thing that only people
performing heavily numerical scientific work would ever encounter in a
Ordinarily Johnson would not have been interested in the problem,
since his Macintosh did not use an Intel processor, but now that he was
participating in DESCHALL, he had cause for concern since so much of
what DESCHALL was accomplishing was on Intel processors. If the bug
affected the way that DESCHALL ran on Pentium Pro processors, we
might need to throw out huge amounts of completed work to calculate
those key blocks correctly. A problem like that would be a terrible
setback—possibly setting us back more than a month.
Since the new problem affected relatively few applications, Johnson
didn’t want to create panic, but he did want to know whether this was
a serious concern for DESCHALL.
Fortunately, the integrity of the DESCHALL results was not
affected. As it turned out, the bug was limited to the floating-point unit
of the microprocessor, where operations on “floating-point” numbers—
numbers with decimals like 3.141592654—would be handled.
Since computing DES keys was done by working with 56-bit binary
numbers and never performing any division operations that could
leave a remainder, DESCHALL software had no need for floating-point
operations, using only integer—“whole number”—operations.
While that particular processor bug did not affect DESCHALL, it
did give us cause to think about some potential setbacks. Among those
concerns were the possibility of long-term network outages making the
keyserver unreachable and our potential vulnerability to attacks from
malicious clients reporting bogus results back to the keyserver.
In general, a network outage wasn’t likely to be a big problem.
A DESCHALL client would work through the keys assigned by the
keyserver. Once it was finished, it would attempt to report an update to
the keyserver and to request a new block of keys to test. If the keyserver
could not be reached, the client would simply resend its request at a
later time. If some of the clients have to wait for a few minutes, this
isn’t a big problem, but if the keyserver is offline for a longer period of
time, the impact grows quite a bit.
Assume for the purposes of illustration that the typical DESCHALL
client needs to talk to the keyserver every other hour. Also assume that
the other participating clients were started at evenly-distributed points
throughout any two-hour window. A network outage of fifteen minutes
would mean that the keyserver would be unavailable to respond to
clients during a time when one-eighth of the total number of clients
needed to check in. A thirty-minute outage would idle one-quarter of
our clients for some period of time. After two hours, virtually the
entire project would be at a standstill, with almost all clients waiting to
connect to the keyserver. Given our key testing rate at the beginning
of May, that would mean that 7.2 trillion keys per hour would not be
In reality, clients would not be started so evenly, but the assumptions
above demonstrate a critical point of the actual project: with less than
a half-day of unavailability, the world’s fastest distributed computer
would grind to a halt.
The concern about malicious clients reporting bad results back to
the server was one that came up on the Coderpunks mailing list, an
offshoot of the Cypherpunks list. While Cypherpunks dealt with
political, economic, and cultural issues as well as technical concerns about
cryptography, Coderpunks focused specifically on the implementation
of cryptosystems. Many Coderpunks readers were watching all of the
RSA Secret Key Challenge contest projects, and more than a few were
participating in one of the projects.
After a discussion of various ways to deal with the problem,
Coderpunks subscribers concluded that the only sure way was to verify each
of the test results. Trying to find the right key among 2^56 was hard
enough. Checking each key twice was less appealing. However, if the
author of a malicious client was smart enough, there was no other sure
way of knowing that we were dealing with good results.
DESCHALL clients did have some safety features built in, though,
and thus were not wholly vulnerable. Although we did not reveal this
in detail to the DESCHALL mailing list, DESCHALL client developers
knew that DESCHALL clients weren’t going to be too easy to
spoof. “Half-matches,” (see Chapter 13) for example, were reported,
and some number of half-matches would be expected over a set of a
certain size, so if Rocke Verser noticed a change in the expected
half-matches, that could indicate that someone was reporting bogus results
to the keyserver. Still, in spite of the precautions that we had taken, a
determined attacker would be nearly impossible to stop. We really were
just hoping that we could make it more difficult than it was worth.
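As an added illustration (not DESCHALL's or SolNET's code), the sketch below shows how a keyserver operator could turn "some number of half-matches would be expected over a set of a certain size" into a statistical test, and then apply the recovery SolNET used earlier: discard everything from the offending network and reissue those blocks. The half-match rate, block size, threshold, network ranges and sample reports are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Assumptions (not from the book): a half-match is a trial decryption that
# agrees with 32 of the 64 expected bits, so chance yields one per 2**32 keys;
# blocks hold 2**30 keys; a result rarer than ALPHA counts as suspicious.
HALF_MATCH_RATE = 2.0 ** -32
KEYS_PER_BLOCK = 2 ** 30
ALPHA = 1e-6

# Constructed sample reports: (source network, block id, half-matches reported).
SAMPLE_REPORTS = (
    [("192.0.2.0/24", b, 1 if b % 4 == 0 else 0) for b in range(200)]  # honest
    + [("198.51.100.0/24", b, 0) for b in range(1000, 1200)]  # never tested a key
    + [("203.0.113.0/24", b, 0) for b in range(5000, 5008)]   # too few to judge
)


def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam): odds of k or fewer half-matches."""
    term = total = math.exp(-lam)
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total


def audit(reports):
    """Return {network: block ids to retest} for every source network whose
    half-match total is implausibly low for the work it claims to have done."""
    blocks, halves = defaultdict(list), defaultdict(int)
    for network, block_id, half_matches in reports:
        blocks[network].append(block_id)
        halves[network] += half_matches
    requeue = {}
    for network, ids in blocks.items():
        expected = len(ids) * KEYS_PER_BLOCK * HALF_MATCH_RATE
        if poisson_cdf(halves[network], expected) < ALPHA:
            requeue[network] = sorted(ids)  # discard the whole network's work
    return requeue


if __name__ == "__main__":
    for network, ids in audit(SAMPLE_REPORTS).items():
        print(f"{network}: discard and reissue {len(ids)} blocks")
```

The eight-block network is left alone: with only two half-matches expected, seeing none happens about one time in seven, which is why the check only means something over a large enough set.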
Another problem that could arise would be if a client could somehow
prevent a “key found” message from being reported back to the server.
The client could, for example, get a key block, disconnect from the
network, and test the keys offline. Normally, if the client found the key,
it would send a message back to the keyserver. A malicious participant
might prevent his client from giving the “key found” message to the