Experimental Break-Ins Reveal Vulnerability In Internet, UNIX Computer Security

Date: January 14, 1999
Source: Duke University
Summary: Duke University computer science researchers found that using an experimental computer, they could "crack" within an average 3.75 hours the encryption that protects such privately held information as credit card account numbers on the Internet.

DURHAM, N.C. - Duke University computer science researchers found that using an experimental computer, they could "crack" within an average 3.75 hours the encryption that protects such privately held information as credit card account numbers on the Internet.

With the same equipment and "brute force" technique, Gershon Kedem, a Duke associate computer science professor, and graduate student Yuriko Ishihara of Nagano, Japan, were also able to compromise many of the more commonplace passwords that guard access to UNIX-based computer networks.

Ishihara conducted the research for her master's thesis. For more information on their technique, access their Duke website at http://kedem.cs.duke.edu/CipherFlow/index.html.

According to Kedem, computer-savvy criminals, governments, or companies embarked on industrial espionage could design, build and test even better computers to target such codes for $6 million to $10 million. Copies of such machines could subsequently be manufactured for as little as $60,000, he estimated.

The pair's experimental break-ins were done with a powerful graphics computer called PixelFlow, designed by computer scientists at the University of North Carolina at Chapel Hill.

The fact that such a machine, which is itself experimental and was not designed to decipher secret codes, could so easily penetrate popular security systems underscores the vulnerability of current computer encryption standards, Kedem said in an interview.

"This is a particularly serious security threat," added Kedem, whose interests include computer security and cryptography. "Statements that computer products are encrypted, and therefore are secure, should certainly be viewed with a very large grain of salt."

Kedem said Internet browsers such as Netscape Navigator and Microsoft Internet Explorer use a 40-bit series of digits as the secret solution for unraveling encrypted information. "Bit" is an abbreviation for "binary digit," the standard unit of computer information.

The identity of a solution - called the "key" - is supposed to be known only to the sender and receiver of a scrambled communication. Software manufacturers have been using the 40-bit key standard to comply with United States export restrictions, even though they know the U.S. government has powerful-enough technology to decipher it, he said.

Kedem and Ishihara proved the 40-bit key is vulnerable to more than government sleuthing by subjecting it to an attack with the "massively parallel" PixelFlow computer. The 18-board PixelFlow configuration they used satisfied the requirement for this type of "brute force" cryptanalysis because it harnessed 147,456 separate processing units, all executing the same set of instructions at the same time, Kedem said.

"If you have a very fast computer like this one, you can either try and search all the possible keys and see if you can find one that matches, or at least you can search a large enough number of possible keys that your probability of finding the right one is reasonably high," he explained.

In the case of a 40-bit key, the total number of possibilities is 2 to the power of 40 (2 multiplied by itself 40 times), which is 1,099,511,627,776 different combinations of 0 or 1 binary digits, he said.

The UNIX password, a more formidable challenge, allows users to specify up to 5,132,188,731,375,620 combinations of letters, numbers or symbols. "The machine we had access to doesn't quite have enough computing power," Kedem acknowledged. "I think it would take us almost a year to break a UNIX password outright.

"But it turns out that we didn't really have to try all possible passwords, as long as we tried all likely passwords."

The most secure passwords are made up of truly random combinations, but "people are not very good at remembering a lot of random symbols from the keyboard," he added. "So most passwords are letters, usually lower case, or maybe one or two digits or punctuation marks.

"An important fact to remember is that PixelFlow was built with early-1990s technology," he said. "If that machine were reimplemented in today's technology, we could probably crack a 56-bit key in less than 10 hours."

Kedem said the United States government just announced a new policy allowing the export of encryption technology with 56-bit keys. But most banks and Internet browsers, he added, currently use shorter 40-bit private keys like those he and Ishihara cracked.

The private keys they targeted were specified by the RC4 encryption algorithm that comes with popular browser software, he said.

Kedem emphasized that PixelFlow's processors "were not designed with encryption in mind. They were designed to do graphics. So they are missing some instructions that would have made them much more effective for doing cryptography.

"It should be very easy to build a massively parallel machine specifically for brute force cryptanalysis that would make any encryption algorithm now commonly used totally insecure," he predicted.

"I would say that anything less than 80-bit keys probably could be broken," he added, noting that governments and some other security-minded organizations already use still longer keys that will be immune from brute force attacks for the foreseeable future.
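The arithmetic behind the key-length claims above, as an added example that is not part of the original article: it derives the key-test rate implied by the 3.75-hour average for a 40-bit key, extrapolates that fixed rate to 56-, 80- and 128-bit keys, and sizes the "likely" lower-case password set Kedem describes. The assumption that 3.75 hours is an average-case (half-keyspace) search and that the rate stays constant for longer keys is an illustrative assumption, not a figure from the article.

```python
# Added example (not the article's or the Duke group's code): a cost model
# for exhaustive key search built only from figures quoted in the article.
# Assumption: the 3.75-hour figure is the *average* time to find a 40-bit
# key, so half the keyspace was searched on average, and the key-test rate
# is held constant when extrapolating to longer keys.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2 ** bits."""
    return 1 << bits


def implied_rate(bits: int, avg_seconds: float) -> float:
    """Keys tested per second implied by an average-case search time.

    An exhaustive search finds the key after half the keyspace on average.
    """
    return (keyspace(bits) / 2) / avg_seconds


def expected_seconds(bits: int, keys_per_second: float,
                     fraction: float = 0.5) -> float:
    """Seconds to search `fraction` of a `bits`-bit keyspace at a fixed rate."""
    return keyspace(bits) * fraction / keys_per_second


def password_space(alphabet_size: int, max_len: int) -> int:
    """Passwords of length 1..max_len over one alphabet (the 'likely' subset)."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def cost_table(keys_per_second: float, key_sizes=(40, 56, 80, 128)) -> dict:
    """Average-case search time in years for each key length."""
    return {b: expected_seconds(b, keys_per_second) / SECONDS_PER_YEAR
            for b in key_sizes}


if __name__ == "__main__":
    rate = implied_rate(40, 3.75 * 3600)   # rate implied by the article's figure
    print(f"implied rate: {rate:,.0f} keys/s")
    for bits, years in cost_table(rate).items():
        print(f"{bits:3d}-bit key: {years:.3g} years (average case)")
    # Lower-case letters only, up to 8 characters: the 'likely' password set
    likely = password_space(26, 8)
    print(f"lower-case, <= 8 chars: {likely:,} ({likely.bit_length()} bits)")
```

At the implied rate a 56-bit key takes roughly 28 years on average, which is why the 56-bit claim depends on a faster reimplementation, while the lower-case password set is only about 2^38 candidates, far below the full UNIX password space the article cites.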

"It would take $6 million to $10 million dollars to develop such a machine, but the cost of each unit might end up being just $60,000 to $100,000," Kedem said. For that outlay, some unscrupulous entity with access to cash "could crack a lot of codes in practice today in the commercial world," he speculated.

Kedem said he decided to use PixelFlow to test the security of on-line encryption at the suggestion of John Poulton, a UNC-Chapel Hill computer science professor who is a major architect of the graphics computer, built in collaboration with the Hewlett-Packard Corp.


Story Source:

The above story is based on materials provided by Duke University. Note: Materials may be edited for content and length.


Cite This Page:

Duke University. "Experimental Break-Ins Reveal Vulnerability In Internet, UNIX Computer Security." ScienceDaily. ScienceDaily, 14 January 1999. <www.sciencedaily.com/releases/1999/01/990114074705.htm>.
