ietf-openpgp

recent article

1997-09-26 10:48:35

                     by Simson Garfinkel
                     4:59am 26.Sep.97.PDT

                     Cracking encrypted email just got much easier -
                     as long as the message was encrypted with
                     Netscape Navigator or Microsoft's Outlook Express.

                     Bruce Schneier, a cryptography consultant based
                     in Minnesota, has created a Windows 95
                     screensaver that cracks encrypted email
                     messages on computers that are otherwise
                     unused. "On average, it takes 35 days on a 166
                     MHz Pentium," said Schneier, who is also the
                     author of the book Applied Cryptography. 

                     The real power of Schneier's program is that it's
                     designed to work on multiple machines in parallel
                     over a local-area network. Got an office with a
                     dozen machines? You can crack a message in a
                     little less than three days. Got a thousand? Your
                     wait will be just 50 minutes. The program, which
                     began as a screensaver that searched for large
                     prime numbers, will be made available on
                     Schneier's Web site today. 

                     The program will only crack messages encrypted
                     with RSA Data Security's S/MIME mail encryption
                     standard, and at that, only messages that are
                     encrypted with a 40-bit key. But that's exactly  the
                     encryption that's being offered today by the most
                     commonly used versions of Netscape Messenger
                     and Microsoft Outlook Express. 

                     "What really pisses me off is that [these  products]
                     are being marketed as secure," said Schneier.
                     "The products don't say that they use 40-bit
                     encryption - be careful. They say this is security." 

                     The S/MIME standard implemented by Netscape
                     and Microsoft does provide for higher-level security
                     by using different encryption algorithms. But
                     Schneier maintains that messages encrypted with
                     these stronger algorithms cannot be exchanged
                     between the two vendors' products. "The S/MIME
                     security standard is really hard to work with," said
                     Schneier. "None of [the products] interoperate at
                     any level other than 40-bit RC2." 

                     Schneier says he's releasing his program to
                     demonstrate the fundamental vulnerabilities in the
                     S/MIME standard. But S/MIME's maker
                     disagrees, saying there is no problem using longer
                     keys. 

                     "Bruce is mistaken," said Scott Schnell, vice
                     president of marketing for RSA Data Security, the
                     co-author of the S/MIME specification. "We have
                     mail messages on file in our interoperability test
                     lab which demonstrate interpretability between
                     Outlook Express and Netscape's Messenger
                     using triple-DES," which has a 168-bit key. 

Courtney Macavinta 
Reporter || www.news.com || CNET: The Computer Network
p (415) 395-7805 x5218
f (415) 395-9254




