A lock won't protect you for very long if you leave a description of how you created the combination lying around for determined thieves to see. The same is true for software encryption technology, as Netscape Communications Corp. is learning.
The company's highly touted security system was cracked in less than a minute by two University of California, Berkeley graduate students - not because of a flaw in the technology itself, but instead in the way Netscape implemented it.
The Mountain View company admitted to the flaw and said it would issue a new version of its software that corrects the problem by the end of the week.
Encryption is the technique that's used to scramble a message so outsiders can't read it. Netscape, whose initial public offering of stock last month caused a sensation on Wall Street, has long boasted that the encryption it built into its software would make the ordinarily freewheeling Internet safe for shopping, banking and similar commercial services that are one day promised for it.
Netscape sells a "browser" program that allows Internet users to easily view the contents of the tens of thousands of computers that are hooked up to the global network.
Netscape's encryption technology, licensed from RSA Data Security Inc. of Redwood City, relies on combining two numbers that are both large and random. If the software is designed properly, an encrypted message would be unlikely to be deciphered even if trillions of computers spent centuries on the task.
Instead, one of the numbers was generated by Netscape's software from several items that were easy for the two students, Goldberg and Wagner, to discover, such as the time and date at which an individual message sent by Netscape software had been created.
Knowing how Netscape generated the supposedly random numbers gave Goldberg and Wagner enough clues that they could break the encryption system using a single desktop computer.
Netscape said that the new version would use a different method of generating the random number, and would increase the internal number used to generate the final random number, or "key," that is part of the secure message from 30 bits to 300 bits.
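To make the point concrete, here is an added example (a toy model written for this article, not Netscape's or RSA's code): a 128-bit key derived from a clock-based seed carrying only 30 bits of uncertainty, the fix of seeding from the operating system's secure random source, and a check showing that the weak key can be found by trying only the seeds a clock could have produced. The seed layout (20 bits of seconds, 10 bits of milliseconds), `weak_seed`, `recover_seed` and `candidate_count` are assumptions of this model.

```python
import hashlib
import secrets

KEY_BYTES = 16  # 128-bit key, as in the domestic version described above

def weak_seed(ts: int, ms: int) -> int:
    # Assumed model of the flaw: the seed is built entirely from the clock,
    # 20 bits of seconds plus 10 bits of milliseconds, 30 bits in total.
    return ((ts & 0xFFFFF) << 10) | (ms & 0x3FF)

def key_from_seed(seed: int) -> bytes:
    # Stretching the seed to 128 bits adds no uncertainty: there are still
    # only as many possible keys as there are possible seeds.
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:KEY_BYTES]

def weak_key(ts: int, ms: int) -> bytes:
    return key_from_seed(weak_seed(ts, ms))

def strong_key() -> bytes:
    # The fix: take the key material from the OS's secure random source,
    # so all 128 bits are unpredictable.
    return secrets.token_bytes(KEY_BYTES)

def candidate_count(window_seconds: int) -> int:
    # Seeds consistent with knowing the message time to within +/- window:
    # never more than the 2**30 the seed can hold at all.
    return min(2 ** 30, (2 * window_seconds + 1) * 1000)

def recover_seed(target_key: bytes, ts_hint: int, window_seconds: int):
    # Audit check: enumerate only the seeds a clock near ts_hint could have
    # produced and see whether one of them yields target_key.
    for ts in range(ts_hint - window_seconds, ts_hint + window_seconds + 1):
        for ms in range(1000):
            seed = weak_seed(ts, ms)
            if key_from_seed(seed) == target_key:
                return seed
    return None

if __name__ == "__main__":
    # Constructed sample: a message timestamp and the key it would produce.
    sent_at, sent_ms = 1_000_000, 123
    k = weak_key(sent_at, sent_ms)
    print("candidates for a 30-second window:", candidate_count(30))
    print("seed recovered:", recover_seed(k, sent_at + 7, 30) == weak_seed(sent_at, sent_ms))
    print("strong keys differ:", strong_key() != strong_key())
```

Lengthening the output key does nothing here; only widening the seed (or, better, taking it from a secure source) enlarges the search space.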
U.S. export laws limit the keys that companies such as Netscape can use in the versions of their software they sell abroad to 40 bits in length.
By contrast, the key in the domestic version of Netscape's software has 128 bits. The number of times longer it would take to crack a 128-bit key than a 40-bit key would be represented by a 1 followed by more than 80 zeroes.
How They Broke The Code
Two UC Berkeley students have figured out a way to break the code used by the popular internet browser Netscape to encrypt sensitive transactions on-line. Here's how they did it:
Finally, The Key to the Key: (graphic of a 128-bit encrypted key) Knowing how the starting-point number was created significantly reduced the other possible components of the formula, and the students found they were able to break the 30-bit code in a matter of seconds using a standard computer workstation.