KEY CHALLENGE

Late Tuesday evening a person from France posted a news article to the hacker community claiming success at decrypting a single encrypted message that had been posted as a challenge on the Internet sometime on or before July 14, 1994. His response to questions about his posting has also been placed on the Internet.

What this person did is decrypt one message that was encrypted using the RC4 algorithm and a 40-bit key. He used 120 workstations and two parallel supercomputers at three major research centers for 8 days to do so. As many have documented, including Netscape, a single RC4 40-bit encrypted message takes 64 MIPS-years of processing power to break, and this roughly corresponds to the amount of computing power that was used to decrypt the message.

Important points to understand:

1. He broke a single encrypted message. For him to break another message (even from the same client to the same server seconds later) would require *another* 8 days of 120 workstations and two parallel supercomputers. The work that goes into breaking a single message can't be leveraged against other messages. Every message uses a different encryption key.
2. The standard way to judge the level of security of any encryption scheme is to compare the cost of breaking it versus the value of the information that can be gained. In this case he had to use at least $10,000 worth of computing power (ballpark figure for having access to 120 workstations and two parallel supecomputers for 8 days) to break a single message. Assuming the message is protecting something of less value than $10,000, then this information can be protected with only RC4 40-bit security. For information of greater value, currently available RC4 128-bit security should be used.
3. Inside the US, software can support a range of stronger encryption options, including RC4 128-bit, which is 2^88 times harder to decrypt. Meaning that the compute power required to decrypt such a message would be more than 1,000,000,000,000 (trillion) times greater than that which was used to decrypt the RC4 40-bit message. This means that with forseeable computer technology it would be practically impossible.

In conclusion, we think RC4 40-bit is strong enough to protect consumer-level credit-card transactions -- since the cost of decrypting the message is sufficiently high to make it not worth the computer time required to do so -- and that our customers should use higher levels of security, particularly RC4 128-bit, whenever possible. This level of security has been available in the U.S. versions of our products since last April. Because of export controls it has not been available outside the U.S. We would appreciate your support in lobbying the U.S. government to lift the export controls on encryption. If you'd like to help us lobby the government send email to export@netscape.com.

Finally, we'd like to reiterate that all this person has done is decrypt one single RC4 40-bit message. RC4 the algorithm and products which use the algorithm remain as secure as always. If you would like more detailed information about this event or a more thorough technical understanding of the issues involved continue here.