This is a list of the questions I got from journalists and other people, along with the best answers I can give. You may quote what I'm saying here, but please try to get it right.
If you're writing a news story about this, I would appreciate your sending me a copy of the article. My address is at the bottom of this document.
I have also written a more-or-less chronological account of what's going on.
No. A team composed of Adam Back (in the UK), Eric Young (in Australia), and David Byers (in Sweden) was working on it at the same time as me, and they found the result two hours before I did. Eric and David each scanned one half of the key space, and David got the key on August 15 just before 10:43, while my program found it at 12:23.
Congratulations to Adam, David, and Eric.
I know the journalists ask this question because they think their readers will be interested in it. Why they should be interested is a complete mystery to me. Anyway...
I'm 27 years old. I've been a student in computer science for quite a few years and I finished my PhD this year. My thesis (in french) is available on the web. It has nothing to do with cryptography. Cryptography is only a hobby for me. I'm working at INRIA in the PARA team. My research is on the subject of parallel processing.
For this crack, I was really interested in running all the processes in parallel on many machines. The crypto code itself was really easy to write: I just did some cutting and pasting from already available code.
Note that the Wall Street Journal published an article saying that I'm a student at École polytechnique. This is not true. I was a student at École Normale Supérieure, and I'm now a researcher at INRIA. (I'll repeat it in French: Je ne suis pas un polytechnicien ! Je suis un homme libre !)
When Hal posted his challenge, a group effort was immediately announced to break it in only a few days. I was ready to participate, but the summer holidays apparently disrupted the group's coordination, and after two weeks they still hadn't started. That's when I counted the machines I had access to, and their speeds. I decided to go for it myself when I realized that I could do it in a maximum of 15 days (or 8 days expected time).
In fact, I know now that they were "testing" their program by doing a complete scan of the search space, which found the solution two hours before my program (see above). They were incredibly unlucky, because they started from the wrong end of the search space, so they got the key at the very end of their sweep.
The technique I used doesn't leave much room for surprise. I knew I would get the result in at most 15 days, with an expected average of 8 days. The actual time was the same as the expected time because the result was almost exactly in the middle of the search space. It could have taken only a few minutes (if I was extremely lucky) or the whole 15 days (if I was unlucky). The only way I would not have gotten a result within 15 days was if my program had a bug.
I was a student at ENS, I did my military service (and some teaching) at École Polytechnique, and I've been working at INRIA for 6 years on my PhD. I used the students' machines at both schools, and whatever I had access to at INRIA (the machines of 6 research "projects", a project is about 10 people).
I think it's important to note that some of these (actually) 112 machines are quite old, and I could have done the job just as fast with 30 of the fastest workstation that we have (a DEC alphastation, which cost us little more that $10000). According to some letters I got, a MasPar machine would be about twice as fast. You would get roughly the same speed as I did on a network of 40 to 50 high-end Pentium(R) PCs.
I've received a lot of questions and remarks about the cost of the computing power I used (about 100 MIPS-year).
Not much. Everybody who understands the technical details knew perfectly well that this was doable and even easy. You have to understand what happened exactly. I did not break SSL itself. I did only break one SSL session that used the weakest algorithm available in SSL. If I want to break another session, it will cost another 8 days of all my machines.
I think Netscape will have to ask for permission to export browsers with a stronger algorithm (that would cost them nothing), or hire some programmers outside the US to escape the US export regulations (that would be pretty easy to do).
I have heard that MarketNet (a UK company) is developping a Web browser that uses the more secure protocol. I don't know whether it's an internal product or they plan on selling it. There is also an Australian implementation of SSL, with clients and servers using it.
Hal Finney (who posted the challenge in the first place):
It will be interesting to see what the fallout is from this accomplishment. It should provide ammunition for the current effort by Microsoft and other companies to try to persuade the government to allow the export of full 56 bit DES.
I am a little alarmed by the suggestion that this news could have some marked impact on the Netscape stock price. From our perspective this was certainly an unsurprising result (not to take anything away from Damien and others who worked on it). It is a useful reminder that the things we work on here can have profound consequences.
Joe Buck (who has a good point):
I disagree with your conclusion [about credit cards numbers].
Your credit card number, expiration date, etc, are continually being revealed to minimum-wage clerks all the time, unless you never use the card. A chain is only as strong as its weakest link; it makes no sense to buy an expensive lock when your door has a big enough opening to climb through.
Dietrich J. Kappe:
There could be an article in tomorrow's WSJ about the SSL Challenge. The technical details and facts will surely be mangled.
[Actually, the account in WSJ is not too bad, but they badly overestimate the computing power that I used. And they got my affiliation wrong...]
Sure. Netscape has it now: a protocol that is practically impenetrable. It's only that they're not allowed to export it from the US.
Why should they ? What I did was easy, I was not even the first one to do it, and have long known (and said) it was doable. Besides, I don't need a job. I just got one at INRIA (got it in July).
No. I have nothing to do with Netscape. I have nothing against them either.
The program that I used is pretty easy to write, and it is available from my web page. It is composed of two files: master.c and slave.c. You can crack the encryption as easily as I did if you can get as much computing power.
Has anyone criticised you over breaking the secure session, or has the response been positive because you revealed a flaw in the system?
I didn't get any negative feedback. The session was made and recorded explicitely for the purpose of cracking it, so what I did was neither illegal nor immoral. I didn't really reveal a flaw in the system, either. I only illustrated what has been well-known for some time already. And the only known "flaw" in the system is the U.S. export regulations.
The only "negative feedback" that I got is the factual errors in the articles published by some newspapers: the Wall Street Journal (Jared Sandberg) and the New York Times (John Markoff) said I'm a student at École polytechnique. That's almost defamation :-) The Herald Tribune (also anonymous) is the worst offender. Their article doesn't make much sense. Some papers that got it right are The Independent and the San Jose Mercury News.
The U.S. government might relax its export restrictions. If it does, Netscape will certainly release a new version. If it doesn't, some non-US company will start selling a browser with the more secure protocol.
It depends on what kind of information would go through this Web site. It has been pointed out that Netscape Navigator is still quite safe for credit card numbers, but for really confidential information (like a password that gives access to a bank account, or a stock broker taking orders via the Web), I wouldn't.
No. PGP does not use the same algorithms as SSL, and the key sizes in PGP make a brute force attack completely irrealistic, even with millions of computers.
Exactly how safe PGP is, depending on the length of your public key, is the subject of a lot of speculation in the newsgroups sci.crypt and alt.security.pgp. Not being a cryptography expert, I cannot even begin to guess how hard it is to break PGP (besides the fact that it's way too hard for me), but the consensus seems to be that it's Pretty Good(tm).
All these questions (including this one) are from journalists, except the first one (asked by myself) and the one about PGP (asked by a non-journalist).
First read Eric Raymond's FAQ, How To Become A Hacker. Then read the Jargon file.
INRIA Rocquencourt, projet Para
Domaine de Voluceau
F-78153 Le Chesnay