This is all my personal point of view. INRIA published an
official press release (no longer available on-line).
On July 14, 1995, Hal posted his SSL
challenge: a record of a "secure" Netscape session
encrypted with the RC4-128-EXPORT-40 algorithm.
I succeeded in cracking the challenge, but I was only the second one to find the key and
read the contents of his session.
If you're a journalist, be sure to read my
conference. If you have more questions,
don't send me email, it's way too late now.
This is a more-or-less chronological account of what happened:
The SSL protocol was designed to protect confidential data
sent by Web browsers. It has an option for weak encryption, to
comply with the requirements of the US government for exportable
- July 14, 1995: Hal posted his challenge in a short version and a detailed
- August 15, 1995: I posted my original
announcement. I also have a revised
- August 16, 1995: I learned that David Byers and Eric Young, working
with Adam Back, had cracked the challenge about two hours before
me. Adam has a
description of their
- August 17, 1995: Netscape sent their official
response. I don't agree with their $10,000 figure, and they
badly underestimate the cost of breaking RC4-128
(the US-only version of their system).
Still, I do agree with their conclusion.
- The cypherpunks are putting together a
ring" to see how fast this can get: they will decrypt example
sessions as fast as possible (I expect only about one day per
session), by using a lot of machines all over the Internet.
- August 19, 1995: Hal posted a
challenge to cypherpunks for the "key cracking ring" to
- The key cracking ring started working on this new challenge on
August 24, 1995, at 18:00 GMT, and got the result in
than 32 hours.
- September 4, 1995: Communications Week International
wrote that I "enlisted a number of other engineers worldwide to
crack the code again - in just 32 hours". This is not
true. I did participate in the effort, but the credits
for organizing it should go to Adam Back and
- September 17, 1995: Ian Goldberg and David Wagner broke the pseudo-random
number generator of Netscape
Navigator 1.1. They get the session key in at most a few hours on
a single workstation.
code is available by ftp.
You can get more details on a
written by Laurent Demailly.
- September 20, 1995: Community ConneXion is awarding
original T-shirts to people who
- June 4, 1996: Le
Monde, a french newspaper, published a
paper with a somewhat garbled story about the Internet, that
ends by implying "Damien Rodriguez" is a pirate. I found
15 factual errors in that article.
-- Thomas Jefferson
The man who reads nothing at all is better educated than the man who
reads nothing but newspapers.
- August 9, 2000: I'm still getting some mail about this, but I've
stopped replying. All this is not interesting anymore (to me, at least).
- You can get the source of the program
that I used to break the challenge.
- A few people also have equivalent programs, for example Andrew
Roos and Piete Brookes.
- There is a lot of research in cryptology being done at INRIA
(projects ALGO and CODES),
polytechnique, and École
- You may want to know more about the ITAR (International Traffic in
Arms Regulations), which prevent Netscape from exporting their
more secure system. See the EFF ITAR export
archive or John Gilmore's crypto
- The RSA-129
crack used about 50 times more computing power than I did for the
- Cryptographic software is export-restricted by the US government
even if it didn't originate from the US (i.e. if imported, it
cannot be reexported). Yet, you can find strong cryptography in
the form of PGP (all over the world),
and SSLeay (in
- A UK company, MarketNet,
already has a server with 128-bit security.
- There are serious restrictions on the use of
- Tim May's Cyphernomicon
is a list of frequently asked questions (with answers) about
- the WWW consortium
- my own web page
- Some articles reporting this story are also available on the Web.
Here is a game: spot the errors in these articles and report
them to their authors.
- It should be noted that both MD5 and RC4, two of the (very good)
cryptographic components of SSL, were designed by Ron Rivest, of
- For a good introduction to the field of cryptology, read the
information about cryptography (in German).
- A good Web page on
"Just remember, in 10 years no one will care. In fact most people
probably don't care right now."
-- Conrad E. Muller