Cracking Codes

The following is a very brief introduction to a particularly complex topic. Also, although the technology behind code breaking is fairly stable, the very important legal environment is subject to extreme stress and could change significantly.

Methodology

The easiest way to crack a code is to physically steal the key—e.g., copy it from a screen. Don't laugh, it happens all the time. Next easiest is to have some clue as to what it is. A simple way to get a password is to try people's names, addresses, phone numbers, etc. Another way is to check "welcome," or whatever the default for that system is, since many people never change it. The prevalence of this kind of cracking is why system security people insist (and sometimes software requires) that passwords not be English words (or whatever language), that they include both letters and numbers, that passwords expire after a given period of time, and so forth.
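The password rules described above can be written as an audit that a system runs when a password is set. This is an added example, not part of the original text; the word lists, the sample user details, the 90-day limit and the function names are all constructed for illustration.

```python
import re

# Constructed sample lists (assumptions); a real system would load far larger ones.
SYSTEM_DEFAULTS = {"welcome", "changeme"}
DICTIONARY = {"welcome", "bridge", "puzzle", "palace", "summer"}

def personal_tokens(facts):
    """Break names, addresses and phone numbers into guessable pieces."""
    tokens = set()
    for fact in facts:
        lowered = fact.lower()
        # Words of three or more letters (names, street names).
        tokens.update(w for w in re.findall(r"[a-z]+", lowered) if len(w) >= 3)
        # The digits of a phone number, with punctuation removed.
        digits = re.sub(r"\D", "", lowered)
        if len(digits) >= 4:
            tokens.add(digits)
    return tokens

def audit_password(password, facts, age_days=0, max_age_days=90):
    """Return the reasons a password is easy to guess; an empty list means it passed."""
    lowered = password.lower()
    # Separate letters from digits so "Bridge7" is still recognised as "bridge".
    letters = re.sub(r"[^a-z]", "", lowered)
    digits = re.sub(r"\D", "", lowered)
    reasons = []
    if lowered in SYSTEM_DEFAULTS:
        reasons.append("system default")
    if letters in DICTIONARY:
        reasons.append("dictionary word")
    if any(t in letters or t in digits for t in personal_tokens(facts)):
        reasons.append("personal detail")
    if not (letters and digits):
        reasons.append("needs letters and digits")
    if age_days > max_age_days:
        reasons.append("expired")
    return reasons

if __name__ == "__main__":
    facts = ["Alice Moreno", "42 Elm Street", "555-0142"]  # constructed user record
    for candidate in ["welcome", "alice1987", "Bridge7", "t9kq4vz2mw"]:
        print(candidate, audit_password(candidate, facts))
```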

When code crackers don't have a clue and can't steal one, they rely on some form or another of brute force. This simply means using the speed of a computer to examine all possible alternatives. Comparing a password to a dictionary is a form of brute force; even a garden variety PC can do this real fast. Of course, most codes are quite complex and cracking is harder than simply comparing a string of characters to a list. However, crackers usually have some idea of how to start. Someone trying to decipher a code like DES will know generally how the encoding works and will be able to design a cracking algorithm specifically for that code. The quality of the cracking algorithm matters a lot. A poorly designed one will never get close; a brilliant one greatly improves the chances of success. After the algorithm is designed, the speed of the computers takes over. University students (and other people with a lot of time on their hands) have attacked DES in a massively parallel fashion, using coordinated processing by machines and groups of machines around the world. Remember when students liked to play bridge?

Cryptography is a complex (and fascinating) subject that we can't really deal with here. It's important to know, however, that a critical element in making a code invulnerable to attack is the length of the key. Described in the simplest possible way, the longer in bits the key is, the more possible keys there are and the harder it will be to crack it.
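To make the link between key length and brute-force effort concrete, the following added example (not from the original text) measures how many keys must be examined for a toy cipher at several key lengths and then scales the same arithmetic to longer keys. The toy cipher, the sample message and the assumed rate of one billion keys per second are constructed for illustration and do not model DES.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def toy_encrypt(key, bits, data):
    """XOR data with a keystream derived from an n-bit key (toy cipher, not DES)."""
    stream = hashlib.sha256(f"{bits}:{key}".encode()).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

def trials_to_find(bits, secret_key, known_plain=b"constructed msg"):
    """Count the keys examined, in order, before the known text is recovered."""
    ciphertext = toy_encrypt(secret_key, bits, known_plain)
    for trials, guess in enumerate(range(2 ** bits), start=1):
        # XOR is its own inverse, so encrypting again with the right key decrypts.
        if toy_encrypt(guess, bits, ciphertext) == known_plain:
            return trials
    raise ValueError("key is outside the key space")

def years_to_exhaust(bits, keys_per_second):
    """Years needed to examine every key of the given length at a fixed rate."""
    return (2 ** bits) / keys_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Worst case: the secret key is the last one examined.
    for bits in (8, 12, 16):
        print(bits, "bits:", trials_to_find(bits, 2 ** bits - 1), "keys examined")
    # Assumed rate of 1e9 keys per second, for comparison only.
    for bits in (40, 56, 64, 128):
        print(bits, "bits:", f"{years_to_exhaust(bits, 1e9):.3g}", "years")
```

Each added bit doubles the number of keys, so the work grows exponentially with key length while the defender's cost of using a longer key grows only slightly.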

The Role of the U.S. Government

The U.S. government has developed extraordinary expertise in the area of data encryption. The National Security Agency, a.k.a. the Puzzle Palace, is probably (only a few people really know) the biggest purchaser of high-end computers in the world. Throw in some of the smartest people anywhere, and pretty much unlimited amounts of cash, and citizens of the U.S. have a government that can read other governments' mail. Civilian and military leaders in Washington like it that way, and have done everything possible to preserve their special power because they perceive it to be of direct value to national security. As a result, laws have been passed that restrict what kinds of encryption can be sold. So, for example, IBM originally wanted DES to have a 128-bit key, but the U.S. forced a reduction to 64 bits. The U.S. has long attempted to maintain export controls that prohibit U.S. companies from selling encryption software that the NSA can't easily break.

Unfortunately, this generally means that the key is pretty weak and that others (e.g., bored college students) can break it as well. In recognition of this, the feds developed an alternative approach. Companies could market software with a more powerful key, but it had to include a trapdoor that the folks at the NSA could use to break the code if they needed to. The trapdoor is, in effect, a secret key that is known only to the government. In response to concerns about citizens' privacy, the law requires that the trapdoor key not be used except by court order. This type of approach is also called key escrow.

A reasonable person (to be more precise, just a reasonable American citizen) might conclude that the U.S. approach is a fair response to a valid concern. The problem is that in reality, export controls don't prevent people in other countries from getting access to and using very powerful keys—ones that the U.S. won't allow to be exported. There are many companies outside of the U.S. that, in the absence of American competition, are thriving in the software security market. As a result, the U.S. has substantially eased its position.

One reason that the U.S. government has fought so hard to control the kinds of encryption that can be used is that its concern goes beyond the security of data. Perhaps more important is the fact that systems that support digitally encrypted voice communications are now becoming widely available. Depending on the strength of the key, these exchanges could be totally secure. In such a case, law enforcement will lose its most effective means of dealing with criminal conspiracies. In the current environment, organized activities are vulnerable to prosecution largely because of the power of wiretaps. At a minimum, the efforts of the conspirators are substantially encumbered by an inability to use telephones. Criminal conspiracies, by the way, include not only Mafia-type organizations but anything with multiple participants, such as white collar criminals engaged in stock or insurance fraud. While we may rail at government's intrusion into personal privacy, most responsible people will be deeply concerned about the prospect of a world in which criminals can communicate without fear of being intercepted.
