On July 14, Hal posted his SSL challenge: a record of a "secure" Netscape session encrypted with the RC4-128-EXPORT-40 algorithm.

I succeeded in cracking the challenge, but I was only the second one to find the key and read the contents of his session.

If you're a journalist, be sure to read my virtual press conference. If you have more questions, feel free to send me some e-mail: Damien.Doligez@inria.fr.

This is a more-or-less chronological account of what happened:

• The SSL protocol was designed to protect confidential data sent by Web browsers. It has an option for weak encryption, to comply with the requirements of the US government for exportable software.
• July 14: Hal posted his challenge in a short version and a detailed version.
• August 15: I posted my original announcement. I also have a revised version.
• August 16: I learned that David Byers and Eric Young, working with Adam Back, had cracked the challenge about two hours before me. Adam has a description of their achievement.
• August 17: Netscape sent their official response. I don't agree with their $10,000 figure, and they badly underestimate the cost of breaking RC4-128 (the US-only version of their system). Still, I do agree with their conclusion.
• The cypherpunks are putting together a "key cracking ring" to see how fast this can get: they will decrypt example sessions as fast as possible (I expect only about one day per session), by using a lot of machines all over the Internet.
• August 19: Hal posted a second SSL challenge to cypherpunks for the "key cracking ring" to tackle.
• The key cracking ring started working on this new challenge on August 24, at 18:00 GMT, and got the result in less than 32 hours.
• September 4: Communications Week International wrote that I "enlisted a number of other engineers worldwide to crack the code again - in just 32 hours". This is not true. I did participate in the effort, but the credits for organizing it should go to Adam Back and Piete Brooks.
• September 17: Ian Goldberg and David Wagner broke the pseudo-random number generator of Netscape Navigator 1.1. They get the session key in at most a few hours on a single workstation. Their code is available by ftp. You can get more details on a web page written by Laurent Demailly.
• September 20: Community ConneXion is awarding original T-shirts to people who Hack Netscape or Microsoft.
• June 4, 1996: Le Monde, a french newspaper, published a paper with a somewhat garbled story about the Internet, that ends by implying "Damien Rodriguez" is a pirate. I found 15 factual errors in that article.

  The man who reads nothing at all is better educated than the man who reads nothing but newspapers.

  -- Thomas Jefferson

Related topics

• You can get the source of the program that I used to break the challenge.
• A few people also have equivalent programs, for example Andrew Roos and Piete Brookes.
• There is a lot of research in cryptology being done at INRIA (projects ALGO and CODES), École polytechnique, and École Normale Supérieure.
• You may want to know more about the ITAR (International Traffic in Arms Regulations), which prevent Netscape from exporting their more secure system. See the EFF ITAR export archive or John Gilmore's crypto export page.
• The RSA-129 crack used about 50 times more computing power than I did for the SSL challenge.
• Cryptographic software is export-restricted by the US government even if it didn't originate from the US (i.e. if imported, it cannot be reexported). Yet, you can find strong cryptography in the form of PGP (all over the world), and SSLeay (in Australia).
• A UK company, MarketNet, already has a server with 128-bit security.
• There are serious restrictions on the use of cryptography in France.
• the cypherpunks
• Tim May's Cyphernomicon is a list of frequently asked questions (with answers) about cryptography.
• Netscape
• the WWW consortium
• my own web page
• Some articles reporting this story are also available on the Web. Here is a game: spot the errors in these articles and report them to their authors.
  • San Jose Mercury News (no mistakes as far as I can tell)
  • HPCwire
  • Komputery i Biuro (if you can read Polish; I cannot).
  • Le Devoir (in French).
• It should be noted that both MD5 and RC4, two of the (very good) cryptographic components of SSL, were designed by Ron Rivest, of RSA Laboratories.
• For a good introduction to the field of cryptology, read the sci.crypt FAQ.
• Some information about cryptography (in German).
• A good Web page on cryptography.

"Just remember, in 10 years no one will care. In fact most people probably don't care right now."