[ISN] Book Review: Brute Force - Cracking the Data Encryption Standard

From: InfoSec News (isn@private)
Date: Fri Sep 09 2005 - 21:27:51 PDT


http://books.slashdot.org/books/05/09/08/1653245.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0387201092/c4iorg  - WK]

Author: Matt Curtin 
Pages: 291 
Publisher: Copernicus Books 
Rating: 9 
Reviewer: Isaac Jones 
ISBN: 0387201092 

Summary: Volunteers working collaboratively over the internet manage
to crack the Data Encryption Standard.

Although I wasn't involved with the DES cracking challenge, I am
friends with the author of this book. I took a Lisp course from Matt
at Ohio State University and I'll be forever grateful that Matt
introduced me to functional programming with a great deal of humor and
enthusiasm. I don't think I've ever seen Matt stay so serious for so
long, but his enthusiasm comes through clearly in this book.

Brute Force can be enjoyed by both nerds and non-nerds interested in
cryptography or codes. Those who have been a part of this or
subsequent DES challenges may be particularly interested in this book.  
Curtin covers some technical details of DES and the brute force attack
that the DESCHALL team used to discover a DES key. He also discusses
the political and historical significance of this event. This is a
fairly technical book, but it goes out of its way to explain
non-obvious technical topics, so one doesn't need a lot of technical
background to understand it.

Curtin briefly explains a lot of stuff: the C programming language,
firewalls, UDP, one-time pads, protected memory, etc., in order to
make this book readable for novices. Although I generally did not need
such explanations, I did not find them annoying or distracting, as
they were fairly brief. In fact, it's fun to read concise explanations
of such topics. Occasionally, Curtin does go into just a little too
much detail. The chapter on Architecture gives an explanation of some
of the many pieces of software that were involved in this effort. This
chapter sometimes gets a bit bogged down with explanations of useful
scripts that folks wrote to analyze data or forward packets through
firewalls.

Brute Force is a very readable and enjoyable book. It is well
organized as a narrative, though it is not chronological; Curtin
presents the background and substance to each aspect of the story
together, rather than chronologically. This can be slightly confusing
sometimes, but I think it improves the overall flow of the story.

In a way, Curtin gives away the ending to the book at the beginning
(and in the title), but this isn't ancient history, and most readers
will probably already know that DES was defeated by this effort. He
still manages to maintain a good sense of suspense throughout the
book. He presents tables and analysis of the effort, along with
predictions about completion dates that volunteers had made at the
time. Unfortunately, he doesn't tell us whether those tables turned
out to be correct. What percentage of the keyspace was searched by
Macintoshes? How many different kinds of client machines were there in
the end? Did Ohio State University try more keys than Oregon State
University? Which one is the real OSU?

One of the main themes running throughout the book was that of
community. The DESCHALL project was made up of thousands of volunteers
from all over the US. Anyone with some spare CPU cycles could get
involved by downloading the client software. This may remind you of
other distributed computing projects like SETI@home. The community was
further broken down into sub-groups, such as schools, which would compete for
bragging rights. The organization of the DESCHALL project was much
like an open source project, though the key-cracking tools were not
open source. Spreading the Word is a chapter about how people started
to hear about DESCHALL and what the earliest adopters were like. Some
of the tables in a later chapter list the operating system and
hardware that the clients were running, which was a pretty cool
snapshot of the Internet from 1997. It included lots of OS/2 clients,
labs full of SGI machines, and plenty of computers which were only
connected to the Internet via dial-up modems. Special scripts were
developed for such machines so they could phone home when they needed
a new block of keys.

Though the key cracking clients were not open source, they were free
as in beer, at least for Americans. Since such cryptography-related
software could not be exported at the time, this was a US-only effort.  
There was a European team, however, with their own software, called
SolNet, and Curtin keeps us updated on their progress. In fact the
DESCHALL project had an impact on the political debate of this time
with regard to the export and control of cryptographic technologies.  
Curtin gives us interesting periodic updates on the political debate
as the DES cracking story moves forward. Cryptography control was
defeated at that time, but the use of cryptography is a right that
will need continued protection.

The political story of DESCHALL was one aspect of the historical
impact of the project. Another impact was the explosion of volunteer
distributed computing networks after the DESCHALL project, with
SETI@home being one of the most obvious examples. DESCHALL clearly
demonstrated the viability of this kind of computation. Curtin touches
briefly on this here and there, but does not go into detail. I would
like him to more clearly spell out the trends in Internet distributed
computing. I would like to hear that DESCHALL was derived from project
A and that it inspired projects B, C, and D. Was it the original
Internet distributed computing network? Was it a fad that has abated
in the last few years? Curtin touches on this a bit, but says, "Some
other distributed computing projects like DESCHALL were around" (p.
200). He says which ones, but doesn't make any claims that DESCHALL
inspired SETI@home, for instance. Perhaps such things are never quite
clear in the free exchange of ideas on the Internet.

The political and community aspects of the story wrap up very nicely.  
Curtin outlines DESCHALL's impact on driving the AES standard, and its
(perhaps much smaller) impact on the debates on key escrow and
encryption exports. Brute Force is a very enjoyable read about an
important event, and I can happily recommend my friend Matt's book to
the Slashdot crowd. My only criticisms can really be summed up by
saying, "I want to hear more."



This archive was generated by hypermail 2.1.3 : Fri Sep 09 2005 - 22:14:16 PDT