Jump to content

40-bit encryption: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Fix refs and/or minor fixes
m Undid revision 483439034 by Rich Farmbrough (talk) - WP:CITEVAR, along with an edit restriction violation
Line 1: Line 1:
{{Use mdy dates|date=July 2011}}
{{Use mdy dates|date=July 2011}}

'''40-bit encryption''' refers to a [[key size]] of forty bits, or five [[byte]]s, for [[symmetric encryption]]; this represents a relatively low level of security. A forty bit length corresponds to a total of <math>2^{40}</math> possible keys. Although this is a large number in human terms (about a [[1000000000000 (number)|trillion]], nearly two hundred times the world's human population), it is possible to break this degree of encryption using a moderate amount of computing power in a [[brute force attack]] &mdash; that is, trying out each possible key in turn.
'''40-bit encryption''' refers to a [[key size]] of forty bits, or five [[byte]]s, for [[symmetric encryption]]; this represents a relatively low level of security. A forty bit length corresponds to a total of <math>2^{40}</math> possible keys. Although this is a large number in human terms (about a [[1000000000000 (number)|trillion]], nearly two hundred times the world's human population), it is possible to break this degree of encryption using a moderate amount of computing power in a [[brute force attack]] &mdash; that is, trying out each possible key in turn.


A typical home computer in 2004 could [[Brute-force attack|brute-force]] a 40-bit key in a little under two weeks, testing a million keys per second; modern computers are able to achieve this much faster. Using free time on a large corporate network or a [[botnet]] would reduce the time in proportion to the number of computers available.<ref name=Schneier/> p.&nbsp;154 With dedicated hardware, a 40-bit key can be broken in seconds. The [[Electronic Frontier Foundation]]'s [[Deep Crack]], built by a group of enthusiasts for US$250,000 in 1998, could break a 56-bit [[Data Encryption Standard]] (DES) key in days,<ref>https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker</ref> and would be able to break 40-bit DES encryption in about two seconds.<ref name =Schneier>Schneier, Bruce. ''Applied Cryptography'', Second Edition, John Wiley & Sons, 1996. ISBN 0-471-11709-9</ref> p.&nbsp;153
A typical home computer in 2004 could [[Brute-force attack|brute-force]] a 40-bit key in a little under two weeks, testing a million keys per second; modern computers are able to achieve this much faster. Using free time on a large corporate network or a [[botnet]] would reduce the time in proportion to the number of computers available. <ref name=Schneier/>p.154 With dedicated hardware, a 40-bit key can be broken in seconds. The [[Electronic Frontier Foundation]]'s [[Deep Crack]], built by a group of enthusiasts for US$250,000 in 1998, could break a 56-bit [[Data Encryption Standard]] (DES) key in days,<ref>https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker</ref> and would be able to break 40-bit DES encryption in about two seconds.<ref name =Schneier>Schneier, Bruce. ''Applied Cryptography'', Second Edition, John Wiley & Sons, 1996. ISBN 0-471-11709-9</ref>p. 153


40-bit encryption was common in software released before 1996, when algorithms with larger key lengths could not legally be [[export of cryptography|exported]] from the United States without a case-by-case license.<ref name=Schneier/><ref>[http://www.au.af.mil/au/awc/awcgate/crs/rl30273.pdf Encryption Export Controls], Jeanne J. Grimmett, Congressional Research Service report RL30273, 2001 "In the early 1990's ... As a general policy, the State Department allowed exports of commercial encryption with 40-bit keys, although some software with DES could be exported to U.S.-controlled subsidiaries and financial institutions."</ref> p.&nbsp;615 As a result, the "international" versions of [[web browser]]s were designed to have an effective key size of 40 bits when using [[Secure Sockets Layer]] to protect [[e-commerce]]. Similar limitations were imposed on other software packages, including early versions of [[Wired Equivalent Privacy]]. In 1992, [[IBM]] designed the [[CDMF]] algorithm to reduce the strength of [[56-bit encryption|56-bit]] DES against brute force attack to 40 bits, in order to create exportable DES implementations.
40-bit encryption was common in software released before 1996, when algorithms with larger key lengths could not legally be [[export of cryptography|exported]] from the United States without a case-by-case license.<ref>[http://www.au.af.mil/au/awc/awcgate/crs/rl30273.pdf Encryption Export Controls], Jeanne J. Grimmett, Congressional Research Service report RL30273, 2001 "In the early 1990's ... As a general policy, the State Department allowed exports of commercial encryption with 40-bit keys, although some software with DES could be exported to U.S.-controlled subsidiaries and financial institutions." </ref><ref name=Schneier/>p.615 As a result, the "international" versions of [[web browser]]s were designed to have an effective key size of 40 bits when using [[Secure Sockets Layer]] to protect [[e-commerce]]. Similar limitations were imposed on other software packages, including early versions of [[Wired Equivalent Privacy]]. In 1992, [[IBM]] designed the [[CDMF]] algorithm to reduce the strength of [[56-bit encryption|56-bit]] DES against brute force attack to 40 bits, in order to create exportable DES implementations.


==Obsolescence==
==Obsolescence==
Line 17: Line 18:


==References==
==References==
{{Reflist}}
{{reflist}}


[[Category:Key management]]
[[Category:Key management]]

Revision as of 01:50, 23 March 2012

40-bit encryption refers to a key size of forty bits, or five bytes, for symmetric encryption; this represents a relatively low level of security. A forty bit length corresponds to a total of possible keys. Although this is a large number in human terms (about a trillion, nearly two hundred times the world's human population), it is possible to break this degree of encryption using a moderate amount of computing power in a brute force attack — that is, trying out each possible key in turn.

A typical home computer in 2004 could brute-force a 40-bit key in a little under two weeks, testing a million keys per second; modern computers are able to achieve this much faster. Using free time on a large corporate network or a botnet would reduce the time in proportion to the number of computers available. [1]p.154 With dedicated hardware, a 40-bit key can be broken in seconds. The Electronic Frontier Foundation's Deep Crack, built by a group of enthusiasts for US$250,000 in 1998, could break a 56-bit Data Encryption Standard (DES) key in days,[2] and would be able to break 40-bit DES encryption in about two seconds.[1]p. 153

40-bit encryption was common in software released before 1996, when algorithms with larger key lengths could not legally be exported from the United States without a case-by-case license.[3][1]p.615 As a result, the "international" versions of web browsers were designed to have an effective key size of 40 bits when using Secure Sockets Layer to protect e-commerce. Similar limitations were imposed on other software packages, including early versions of Wired Equivalent Privacy. In 1992, IBM designed the CDMF algorithm to reduce the strength of 56-bit DES against brute force attack to 40 bits, in order to create exportable DES implementations.

Obsolescence

All 40-bit and 56-bit encryption algorithms are obsolete because they are dangerously vulnerable to brute force attacks, and therefore cannot be regarded as secure. As a result, virtually all web browsers now use 128-bit keys, which are considered strong. Some web servers will not communicate with a client unless it has a 128-bit encryption capability installed on it.

It should also be noted that public/private key pairs used in asymmetric encryption (public key cryptography) must be much longer than 128 bits for security; see key size for more details.

As a general rule, modern encryption algorithms such as AES use key lengths of 128, 192 and 256 bits.

See also

References

  1. ^ a b c Schneier, Bruce. Applied Cryptography, Second Edition, John Wiley & Sons, 1996. ISBN 0-471-11709-9
  2. ^ https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker
  3. ^ Encryption Export Controls, Jeanne J. Grimmett, Congressional Research Service report RL30273, 2001 "In the early 1990's ... As a general policy, the State Department allowed exports of commercial encryption with 40-bit keys, although some software with DES could be exported to U.S.-controlled subsidiaries and financial institutions."