. 33
( 41 .)


• 50% done: 54 days from now. (This is when 1 of the to-
tal keyspace will have been searched by DESCHALL and/or
• Expected date of solution: 73 days from now. (There is a 50%
chance the solution will be found prior to this date, and a
50% chance the solution will be found after this date. This
is the date on which we should expect to have searched 50%
of the remaining keyspace.)
• Probability that a DESCHALL client will ¬nd the key: 79%
• Probability that a SolNET client will ¬nd the key: 21%

Verser™s new model provided a much more comprehensible view of a
di¬cult problem inherently full of uncertainty. The more we could do
to help regular computer users, members of the press, and average
citizens understand what we were doing and what to expect, the better
the chances that they would listen to our point and see the need for
a new standard for data encryption. Verser™s model was a big step in
that direction.
Salvos in the Crypto Wars

Wednesday, May 21
Murray Hill, New Jersey

Bell Labs computer scientist Matt Blaze was well known for his work
in cryptography. Neither was he a stranger to the place where cryptog-
raphy and public policy met head-to-head. Among Blaze™s work was
a 1994 paper entitled, “Protocol Failure in the Escrowed Encryption
Standard,” in which he detailed a pair of attacks against the “Clipper
Chip” cryptography products that were the centerpiece of the Clinton
administration™s key escrow system.
Blaze was updating the ¬nal version of a new report to his personal
Web site, www.crypto.com. His co-authors included some of the most
recognized and respected names in computing and security. A few of
the names were Ross Anderson, professor of security engineering at the
University of Cambridge; Steven M. Bellovin, AT&T Bell Labs distin-
guished member of technical sta¬ and longtime contributor to Internet
security; Whit¬eld Di¬e, longtime critic of short cryptographic keys
and coinventor of public-key cryptography; and Peter G. Neumann,
distinguished computer security researcher and moderator of the pop-
ular RISKS Digest.
Entitled “The Risks of Key Recovery, Escrow, and Trusted Third-
Party Encryption,” the report documented the ¬ndings of the ¬rst thor-
ough consideration of risks and implications of government-designed
key-recovery systems by respected authorities on cryptography and
security.19 Among its observations came a pronouncement that would

230 CHAPTER 32

call into question the feasibility of implementing the Clinton adminis-
tration™s cryptographic policy:

The deployment of a general key-recovery-based encryption in-
frastructure to meet law enforcement™s stated requirements will
result in substantial sacri¬ces in security and cost to the end
user. Building a secure infrastructure of the breathtaking scale
and complexity demanded by these requirements is far beyond
the experience and current competency of the ¬eld.

For four years, the Clinton administration had made strenuous ef-
forts to restrict the deployment and use of cryptography, largely in the
name of making the Internet a safer place”by allowing governments
the ability to police the Net. The ¬rst serious report considering the
likely e¬ect of such a policy was now out, and it argued that the policy
would have exactly the opposite e¬ect intended.
Reaction to the report was swift. The very day of its release, a
statement was issued by Senator Patrick Leahy from Vermont. Leahy,
the ranking Democratic member of the Senate Judiciary Committee,
was working feverishly on legislation that would liberate cryptography
from such tight government regulation. Aside from his own “Encrypted
Communications Privacy Act,” Leahy was chief co-sponsor of the Pro-
CODE bill.
In response to the report issued by Blaze and other respected cryp-
tographers, Leahy wrote:

Last year the National Research Council concluded that ag-
gressive promotion by the U.S. government of global key re-
covery encryption is not appropriate at this time. This new
study by nine world-renowned cryptographers further shows the
real-world problems with the government™s proposal. It is even
clearer now that the time for global key recovery encryption is
still not right, and it may never be right. The U.S. government
acts as though it doesn™t understand the issue.
Many of us fully expect that some users”maybe even many”
will want and voluntarily choose to use key recovery encryption
systems for some purposes. For example, no company wants to
be left without a key to decode important business information
stored in encrypted form on computer discs.
The government apparently already is spending about $8
million on pilot projects to test key recovery systems, and that
Salvos in the Crypto Wars 231

is just a drop in the bucket. According to the cryptographers™
report “a global key recovery infrastructure can be expected
to be extraordinarily complex and costly.” As Congress exam-
ines the Administration™s proposals for key recovery systems, we
need to ask the questions about how much their proposals will
cost the government, businesses and Internet users who want
the strongest but cheapest security possible for their computer
Federal law enforcement o¬cials contend that their objective
is simple: easy, surreptitious access to both encrypted communi-
cations and encrypted stored data. The experts do not think this
is so simple. The cryptographers™ report observes: “We simply
do not know how to build a secure key management infrastruc-
ture of this size, let alone operate one.” When the experts say
they do not know how to do it, we in Congress should think
twice before legislating encryption commandments that may be
impossible to a¬ord and enforce.

Even while the rules for cryptography regulation were being de-
bated, some companies were using the new Export Administration Reg-
ulation framework so their products could be used globally by American
companies. After the government™s investigation into Phil Zimmermann
over the appearance of his Pretty Good Privacy (PGP) software on the
Internet in 1996, Zimmermann went on to start a company to bring
the system to market. PGP, Inc., based in San Mateo, California,
announced on Wednesday, May 28 that the U.S. Department of Com-
merce had approved the export of its 128-bit encryption software to the
overseas o¬ces of the largest companies in the United States. The only
restriction was that the o¬ces were not located in any of the countries
on the U.S. State Department™s “T-7” list of terror-sponsoring nations,
namely Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria.
This made PGP the only U.S. company currently authorized to ex-
port strong encryption technology not requiring key recovery to foreign
subsidiaries and branches of the largest American companies. Any other
company wishing to export cryptography would have to limit their sys-
tems to the weak 40-bit systems like the one Ian Goldberg defeated in
under four hours, or enter into an agreement with the government to
develop a key recovery or key escrow system”and even then only up
to 56-bit systems could be released.
232 CHAPTER 32

More than half of the Fortune 100 companies already used PGP
domestically to secure their corporate data and communications. PGP
and 128-bit systems like it were preferred by people who wanted to keep
information con¬dential for long periods of time because its strength
against brute-force attacks was simply staggering. Recall that just two
months earlier, Deputy Director of NSA William P. Crowell testi¬ed to
Congress (see chapter 7) that all of the computers in the world in 1997
working on breaking a 128-bit PGP message using brute force would
need 12 million times the age of the universe to ¬nd the key. With
a 56-bit key length, DES was rapidly moving toward falling to brute
force attack with only a few thousand computers over a period of a few
With the announcement, Robert H. Kohn, PGP vice president and
general counsel said that the company “still oppose[d] export controls
on cryptographic software, but this license is a major step toward meet-
ing the global security needs of American companies.”
PGP™s announcement was not the only cryptographic news of the
week. Weekly newspaper Business First in Columbus, Ohio, carried
a “Tech Watch” column, where ongoing developments in technology
would be reported to business readers. John Frees™ Tech Watch col-
umn carried the headline, “Scientist questions standard for encryption
technology.” That column explored the important technical, political,
and business issues at stake, and even published the address for the
DESCHALL Web site.
The business press was not alone in starting to look at the issue of
cryptographic policy. Business leaders themselves were also deeply con-
cerned. On June 4, major computer industry heads openly called upon
President Clinton to drop e¬orts to regulate encryption technology. In
an open letter to the president, Microsoft™s Bill Gates, along with the
heads of Adobe Systems, Autodesk, Bentley Systems, Compaq, Intel,
SCO, Symantec, Claris, Digital Equipment, Lotus Development, Novell
and Sybase said that U.S. competitiveness in electronic commerce was
at stake in the debate.
“Network users must have con¬dence that their communications,
whether personal letters, ¬nancial transactions, or sensitive business
information, are secure and private,” Gates and his colleagues wrote
as members of the industry trade group, Business Software Alliance
Salvos in the Crypto Wars 233

As the BSA letter began to circulate, FBI director Louis Freeh tes-
ti¬ed before the Senate Judiciary Committee. He said that Congress
must give FBI “the capability to deal with current and future tech-
nology” by increasing the Bureau™s electronic surveillance authority.
Freeh™s testimony described how unbreakable encryption would “allow
drug lords, terrorists, and even gangs to communicate with impunity.”
Freeh then outlined his support for the kinds of controls sought by
the Clinton administration and opponents to the SAFE Act. He said
that key recovery or escrow systems must be put in place”going so far
as to argue that these must be required even for domestic use.
What Freeh did not address is how making “unbreakable encryp-
tion” illegal would stop drug lords, terrorists, and gangs from using it,
or why Congress could expect that people already committing crimes
would be inspired not to commit the crime of encrypting their commu-
In their letter to President Clinton, the computer executives said
governments should not impose import or export controls on encryp-
tion products nor “attempt to force use of government-mandated key
management infrastructures.” This position was in agreement with the
analysis of the risks of key escrow systems detailed two weeks earlier
by Matt Blaze and his colleagues.
As more weighed in on the debate, the lines hardened: business and
technology experts demanded free cryptography, while the government
demanded the ability to read encrypted electronic messages.
New Competition

By June 1, our principal rival in the race to defeat DES had recovered
from the bug in its client software. SolNET released new clients and
within a week, participants had upgraded, resulting in a recovery to a
key testing rate of nearly 2.2 billion keys per second. In the meantime,
DESCHALL had increased to over 4.2 billion keys per second. But we
were in for a surprise.
With the late-May appearance of Sun Microsystems on our list of
sites contributing processing power, speculation was growing about the
absence of several other large technology companies. Attention focused
especially on one of Sun™s biggest competitors, Silicon Graphics, Inc.,
known simply as SGI.
On June 3, Sun™s John Falkenthal posted some details of a rumor
that he heard involving SGI™s attempts to ¬nd the DES key, apparently
hoping that someone else might be able to ¬ll in the details. In addition
to having an internal project of its own, Falkenthal wrote, SGI™s e¬ort
rumored to be ahead of DESCHALL. He didn™t know anything more”
how far ahead, when it had started, or its key testing rate.
If an e¬ort were seriously underway at SGI, it could very well have
been ahead of DESCHALL. As a premier developer of high-end com-
puting equipment, SGI had tremendous computing power available on
its in-house machines. Furthermore, SGI would have the talent needed
to create heavily optimized clients for various models of SGI computers.
Even in 1997, all of SGI™s computers were 64-bit machines and would
have had the potential for extremely fast clients. SGI clients could have
been running for months at speeds that DESCHALL clients were just
beginning to see, and it could have thousands of fast, high-end ma-
chines at work. We had nowhere near enough information to guess just

236 CHAPTER 33

how many machines they were using, just how fast their clients were,
or how far along they were, but we could guess that SGI might really
be the front-runner by a large margin that would be hard to close.
Like any company with hot technology, SGI was usually pretty anx-
ious to show o¬ what it could do, which is why its absence in a contest
like RSA Data Security Inc.™s was so noticeable. A secret internal SGI
team working on the contest was certainly plausible and would explain
why neither DESCHALL nor SolNET received support from inside of
The most interesting detail of the rumor was that although SGI was
ahead of DESCHALL in total keys tested, we were actually sustaining a
higher key testing rate. So even if the rumor turned out to be true, SGI
might not be the front-runner forever, and DESCHALL could overtake
Not long after Falkenthal™s message was posted, a follow-up was
sent to the DESCHALL mailing list. A DESCHALL participant using
the name “Stunt Borg” posted that he asked a friend of his at SGI
about the rumored e¬ort and soon after received a ¬rsthand account
of SGI™s private DES Challenge project. “There is quite a campaign
internally,” reported the SGI employee whose name was removed from
the message. E-mail noti¬cations were being widely distributed, Web
pages were put up internally, and even a pop-up window announcing
the project was sent to all internal users. A survey was even issued to


. 33
( 41 .)