by Simson Garfinkel
4:59am 26.Sep.97.PDT Cracking encrypted email just
got much easier - as long as the message was
encrypted with Netscape Navigator or Microsoft's
Outlook Express.
Bruce Schneier, a cryptography consultant based
in Minnesota, has created a Windows 95
screensaver that cracks encrypted email
messages on computers that are otherwise
unused. "On average, it takes 35 days on a 166
MHz Pentium," said Schneier, who is also the
author of the book Applied Cryptography.
The real power of Schneier's program is that it's
designed to work on multiple machines in parallel
over a local-area network. Got an office with a
dozen machines? You can crack a message in a
little less than three days. Got a thousand? Your
wait will be just 50 minutes. The program, which
began as a screensaver that searched for large
prime numbers, will be made available on
Schneier's Web site today.
The program will only crack messages encrypted
with RSA Data Security's S/MIME mail encryption
standard, and at that, only messages that are
encrypted with a 40-bit key. But that's exactly the
encryption that's being offered today by the most
commonly used versions of Netscape Messenger
and Microsoft Outlook Express.
"What really pisses me off is that [these products]
are being marketed as secure," said Schneier.
"The products don't say that they use 40-bit
encryption - be careful. They say this is security."
The S/MIME standard implemented by Netscape
and Microsoft does provide for higher-level security
by using different encryption algorithms. But
Schneier maintains that messages encrypted with
these stronger algorithms cannot be exchanged
between the two vendors' products. "The S/MIME
security standard is really hard to work with," said
Schneier. "None of [the products] interoperate at
any level other than 40-bit RC2."
Schneier says he's releasing his program to
demonstrate the fundamental vulnerabilities in the
S/MIME standard. But S/MIME's maker
disagrees, saying there is no problem using longer
keys.
"Bruce is mistaken," said Scott Schnell, vice
president of marketing for RSA Data Security, the
co-author of the S/MIME specification. "We have
mail messages on file in our interoperability test
lab which demonstrate interpretability between
Outlook Express and Netscape's Messenger
using triple-DES," which has a 168-bit key.
Courtney Macavinta
Reporter || www.news.com || CNET: The Computer Network
p (415) 395-7805 x5218
f (415) 395-9254