Source:
https://scmp.com/article/128736/netscape-code-cracked

Netscape code cracked

A FRENCH university researcher and a group of other computer experts from around the world have successfully broken the code of a single message on the Netscape server program following a challenge issued via the Internet.

The 'break' stirred some controversy in on-line circles last week following a number of newspaper reports that incorrectly covered the story, giving the impression that the entire Netscape system could be cracked with ease.

According to Damien Doligez, who was first reported to have broken the message, nothing could be further from the truth.

Mr Doligez cracked the key to one specific message using 120 high-end computers and eight days of computing time.

One of the biggest blocks to the Internet becoming a truly worldwide market place is the doubts many people have over security. As a result, few people currently want to send credit card information - or any other personal information - over the Internet.

On July 14, a challenge was posted on the Internet to anyone wanting to try to break the code of an encrypted message sent using the Netscape software.

The challenge was said to have been issued to test the software's integrity.

To secure data transmissions, Netscape uses what is called a secure socket layer (SSL) protocol. This is a private key encryption scheme that uses a 40-bit RC4 encryption mode (RC4 being a private key algorithm named after Ronald Rivest, a professor at MIT.) There are many other schemes including 128-bit versions of RC4 but it is illegal in the United States to allow these stronger versions of encryption software to be exported.

The challenge was taken up immediately by computer programmers all over the Net and the message was broken within a fairly short time.

The work was done by 'legitimate' computer specialists, not by a single 'hacker' in the dead of the night. One person who broke the code used more than 100 computers and eight days of computer time.

The most fuss was made over Mr Doligez's work, and he was reported to have cracked the code first while, in fact, he was two hours behind a group of others in Britain, Australia and Sweden.

Experts were well aware from the start that it was not a question of breaking the code, but when it would be broken.

It eventually took 120 computers eight days to crack a single message.

According to experts, this does not in any way invalidate the system being used by Netscape. It would take at least another eight days with the same number of computers to break one more message.

The RC4 40-bit system is sturdy enough for most purposes (including sending credit card information) but it is not by any means the strongest available.

RC4 with 128-bit encryption is estimated to be about one million million times more difficult to break.

In an interview on the Internet, Mr Doligez expressed his surprise at all the fuss.

When asked what he thought the implications of his cracking the code would mean for Netscape, Mr Doligez said: 'The technical implications are almost zero. Everybody who understands the technical details knew perfectly well that this was possible and even easy. You have to understand what happened exactly. I did not break SSL itself. I did only break one SSL session that used the weakest algorithm available in SSL. If I want to break another session, it will cost another eight days of all my machines.'