Canary in the Coal Mine - Day

Saturday, September 7, 2013

1:41PM

"In 1995, Eric Young and Tim Hudson posted version 1 of SSLeay to
the Internet. SSLeay (eay for Eric A. Young) is a free cryptographic
library in which Young managed to single-handedly implement the full suite
of cryptosystems used in SSL: the RSA-based security protocol that provides
confidentiality, integrity, and "digital signature" authentication
functions for secure connections, transactions, and file transfers over the
World Wide Web (WWW) recently invented by European programmers.

Since RSA's public key cryptosystem was patented only in the US,
Young was free to offer a full-strength "domestic US" version of the crypto
internationally, while American export regulations forced Netscape and
other US vendors to export browsers and web servers secured with no more
than 40-bit crypto -- a mere fraction of the 56/128-bit cryptographic
strength used in the otherwise identical products sold in the domestic US
market.

When the NSA conceded that, indeed,
there had to be some limit, RSA worked diligently with the US Commerce
Dept. to define that limit and forge concrete guidelines. For a company
which fought a decade-long guerrilla war against the NSA -- during which
the NSA spent millions trying to crush RSA in the marketplace, vigorously
promoting its DSS and Fortezza as a public-key-crypto alternative to RSA's
namesake cryptosystem -- this was an interesting display of confidence. Sun
Microsystems tried a frontal attack on US export controls with a Russian
subsidiary; firms like C2Net and Network Associates ignore the rules and
exploit loopholes in the law to export crypto.

RSA's symmetric crypto "Challenge" contests have had a major impact
on US and international policy and practice. Year by year, they have
systematically destroyed many government-fostered illusions about the
relative security of the restricted-strength cryptosystems which the
Wassenaar coalition of intelligence agencies prefer to be used by citizens
(who are not government officials) and corporate and commercial entities.

RSA's first Challenge contest, launched in January, 1997, saw grad
student Ian Goldberg use a UCLA network of a couple hundred PCs to crack a
40-bit cipher in three and a half hours. At the time, a 40-bit cipher was
the strongest cryptographic security software the US government would allow
sold overseas without a sale-specific license approved by the NSA.

US export regulations were subsequently changed to allow for the
export of 56-bit DES in commercial products -- but only by those vendors
who promised to design a "key recovery" mechanism into their products, so
as to allow surreptitious third party access to encrypted stored data or
communication links by appropriate, and duly authorized, government agents.

The DES itself was first cracked in June, 1997, by the DESCHALL
network organized by Rocke Verser of Loveland, Colorado. DESCHALL used the
Internet to tap the spare cycles of some 70,000 computers (mostly desktop
PCs) over four months. DESCHALL won a $10,000 award from RSA by decrypting
the message: "Strong cryptography makes the world a safer place."

However, the very scale of the effort involved was used by senior
US intelligence officials to reassure Congress and corporate users that
56-bit crypto was still robust enough for civilian use.

After the Electronic Frontiers Foundation (EFF) built its $220,000
special-purpose DES Cracker ("Deep Crack") and decrypted a DES-enciphered
message in only 56 hours in the July '98 RSA Challenge, the statements of
top NSA and Justice officials to the US Congress and US businessmen --
assuring them that the DES was still robust enough that industry and much
of government could depend upon it -- looked absurd, even deliberately
misleading."

http://cryptome.org/jya/rsa-au-vm.htm


5:54PM - Vergiftet

http://www.youtube.com/watch?v=T7uPzZq0et8


9:29PM

"Sweden gives the NSA access to the Baltic underwater cables. Sweden is reported to have been given the codename Sardine"

"Finland is very close to building another cable to Germany via the Baltic Sea, bypassing Sweden."
