Crack Keys in Your Spare Time

September 19, 2000

Moore's Law has had some unintended side effects: What to do with all that raw power sitting next to, on top of, or behind your desktop (or laptop or Mazda Miata). Most people fritter it away on silly things like screen savers, those flying toasters from hell. There are, however, a few, but growing number that are putting idle hardware into "productive" use.

Perhaps you've already heard of SETI@home: The search for little green men (or at least their radio emissions) in the giant haystack that is radio astronomy. Radio telescopes (such as the one at Arecibo Observatory) scan the sky and record vast amounts of undigested data. You replace your screen saver (on Wintel systems) or add a small daemon (for unix) on your machine and the program does what computers are best at: crunch numbers. Instead of flying toasters, you might see a pretty graph or other statistics. If the program finds something "interesting," (Gaussian spikes) it reports back to the main SETI@home server. So far, none of the interesting spikes have turned out to be anything other than naturally occurring phenomena. Oh well, the search continues.

Part of the alure for SETI@home is akin to winning the lottery: being the first person to discover extraterrestrial intelligence (or at least their version of I Love Lucy). The significance of this project is that it harnesses, for little or no cost, an enormous underutilized potential in computing power. Allow me to introduce to you another project that is applying the same principles to other, more down to earth, concerns. was originally established in 1997 to answer the RSA Secret Key Challenge. The first key length was 56 bits long and was solved on October 22, 1997. The next challenge has a 64 bit key. Since each additional bit doubles the search space, the new key is 2^8 times "harder" to crack. As of this writing (27 June 2000), 978 days into the search, a little less than 27% of the keyspace has been checked.

Participating in the challenge is fairly simple. You need to go to the client download site to get the client for your personal machine. Beware of imitations! Evil people could modify these clients to be Trojan horses. Do not download from unauthorized sources! It takes a few minute to configure and you're done. Later on, you can go back to the site, surf over to the statistics page and see how well you're doing. Here's my stats page, in case you're interested. At some point you might be wondering how much load does this add to your machine. Effectively none: The process runs (on unix systems) at priority 19 which translates into "if there's absolutely nothing else going on, run this".

You might be wondering what good it is to crack a key that was created more than 3 years ago. In one way, it should make you more comfortable to engage in commerce on the Internet. Since key creation and use is usually limited to a session of just a few minutes, the odds of anyone breaking in using brute force are infinitesimally small. On the other hand, you should worry about a government (such as ours) that insists on crippling encryption technology to 56 bits or less.

I see some interesting applications of this technology in our future. When even your kitchen appliances will have a general purpose processor and a network connection, why not take advantage of it? While cracking keys may have a certain entertainment value, what good does it do for general society? There are many other number crunching applications that could be aided by spreading the load out to a large number of processors. At least one even has commercial value: Imagine a Pixar@home screen saver that not only displays stills of the latest digital creation, but also does a little bit of rendering for Pixar on the side. This is a marketing coup for the folks working in the Marin Headlands. You would by dying go to the movie just so you can say, "I helped make this movie!" Of course, Pixar would have to build in some safeguards so lonely crackers couldn't insert bogus "chips" into the film (I can see it already: "Rendered by Scr7pt K1ddy. K00l" -- bleh). The Human Genome project could take advantage of a massively parallel computing system, although I'd hope they double (triple or more) check their computations. Any task where you can slice up the problem into very small chunks that don't need to communicate to each other (only with the master server).

On the other hand, software developers are renowned for writing code that pushes the envelope of computing power. Unfortunately, advances in software technique do not follow Moore's Law at all, in fact, if not for the hardware advances, process speed would be about the same as it was 50 years ago (or probably much, much worse). It may turn out that this power gap is a fleeting thing and that hardware power will slow down its breakneck pace, but experts believe that we won't run into those barriers until the 2030's and by then processors will be a million times faster than today's bleeding edge monsters.

A personal plea -- help a poor programmer with a dream

This year (2000), I'm taking off from working behind a desk to explore the world in a small sailboat. My expenses will be quite modest, about $18,000 per year. But, at least for the first year, my income will be $0. Every $1,000 is a month of time before I have to come back to the (un)real world and earn some more cash for the cruising kitty. Here's how you can help (and increase your odds, too):

RSA Labs is offering a US$10,000 prize to the group that wins this contest. The distribution of the cash will be as follows:

All you have to do is join my team! How does this help you? There's strength in numbers after all: the more keys generated by a single entity increases the odds of finding the winning key. I'll share the team winnings in the same way: half goes to the winning contributor and the other half is divided equally among the members. I'll get to keep the other $1,000 for promoting the team and expenses. If one of my own systems generates the winning key, I'll fund a celebration with the team's half of the proceeds (or whatever a majority of the team would like to do with it).

Joining is simple, too. I'm not using the team aggregate, yet, because there are not enough people in my team to support it. Instead, simply use the following config file before running the dnetc client for the first time. This file isn't very special, it just uses my ID instead of you using your own. If you want to make sure that client runs every time you reboot your machine, you can install this init file in your rc.d (init.d, whatever) directory and make it part of your start up process.

So, download, configure and crunch away. Only another 1,000 days left before the entire keyspace is exhausted!

Crack Keys in Your Spare Time - September 19, 2000 - Ken Mayer