C:\UTIL\HOT METAL PRO\gifs\40bitrsa.htm

[ Reuters New Media]

Thursday January 30 2:50 PM EST

California Student Unscrambles Internet Code

BERKELEY, Calif. - As the White House and the Internet community battle over U.S. encryption laws, a University of California graduate student says he broke a code said to have the strongest encryption that U.S. law allows to be exported without restrictions.

It took him a mere three and a half hours, he said.

"It shows how silly the export restrictions are because 40-bit key length is ridiculously weak," Ian Goldberg, a graduate student of computer science at the University of California at Berkeley, told Reuters.

The 40-bit encrypted message was published Tuesday morning by RSA Data Security, a software firm in Redwood City, Calif., which developed encryption widely used on the Internet, as a challenge to code breakers.

RSA, owned by Security Dynamics Technologies, is one of dozens of companies trying to get the U.S. government to loosen its restrictions on the export of encryption, which currently prohibit U.S. firms or citizens from putting encrypted code of more than 40-bits of length on the Internet unless the government is supplied a code key.

U.S. law allows encryptions of up to 56-bits if the government is given a key to the code, which it will hold in escrow in case a national security need arises.

The government has argued that distribution of encryption codes outside of the United States would impede its ability to fight drug trafficking and political terrorism. Congress is considering bills to loosen these restrictions.

But Internet users and Internet technology companies argue that the restrictions impede electronic commerce and widespread use of the Internet for many private business transactions. Because the Internet has no national borders, anything posted on it by a U.S. based company would be considered exporting.

Goldberg used about 250 computer workstations networked together to test various computations to break the code, which the university said would be resources pretty commonly available to people in university settings.

At a data security and encryption conference being held here this week by RSA Data Security, people said Goldberg's break of the code is proof that U.S. laws need changing.

"Nobody in that room's going to trust 40-bit (cryptography) any more," said Peter Trei, senior software engineer at Process Software, of Framingham, Mass., as he nodded towards the San Francisco auditorium where 2,500 people were attending a cryptography conference hosted by RSA.

The gathering included some of the world's leading experts on cryptography, and a number of panelists in presentations were openly critical of the White House policy of prohibiting export of strong cryptography.

Cryptography experts said the government policy must enable businesses to stay ahead of the capabilities of computer hackers, but that current standards do not allow this to be exported, which also can limit Internet distribution.