40-bit encryption refers to a (now broken) key size of forty bits, or five bytes, for symmetric encryption; this represents a relatively low level of security. A forty-bit key length corresponds to a total of 2^40 possible keys. Although this is a large number in human terms (about a trillion), it is possible to break this degree of encryption using a moderate amount of computing power in a brute-force attack, i.e., trying out each possible key in turn.
Description
A typical home computer in 2004 could brute-force a 40-bit key in a little under two weeks, testing a million keys per second; modern computers are able to achieve this much faster. Using free time on a large corporate network or a botnet would reduce the time in proportion to the number of computers available. With dedicated hardware, a 40-bit key can be broken in seconds. The Electronic Frontier Foundation's Deep Crack, built by a group of enthusiasts for US$250,000 in 1998, could break a 56-bit Data Encryption Standard (DES) key in days, and would be able to break 40-bit DES encryption in about two seconds.
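The following Python script is an added example and is not part of the original article. It implements RC4 (the cipher behind most 40-bit export products), assembles a key in the export style in which only 40 bits are secret and the remaining bytes are public, and then recovers the secret by exhaustive search against a few bytes of guessable plaintext, which is exactly the attack the paragraphs above describe. The key layout, the public salt, the message and the reduced 12-bit search size used by `demo` are constructed assumptions chosen so that the pure-Python search finishes in seconds; the real SSL export key derivations differ in detail. `search_time_days` reproduces the arithmetic behind the "little under two weeks" figure and the proportional speed-up from adding machines.

```python
"""Exhaustive search of a 40-bit-style RC4 key with known plaintext.

Added example; the key layout, salt, message and demo size are assumptions.
"""
import time

KEY_BITS = 40  # the export-grade secret key length discussed in the article


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling (KSA) followed by `length` bytes of PRGA output.
    RC4 appears here only because it was the cipher behind most 40-bit export
    products; it is broken and must not be used for new designs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def export_key(secret: int, clear_salt: bytes) -> bytes:
    """Assemble the full RC4 key from a secret (at most 40 bits) and public salt.

    Assumption: this mirrors only the shape of the export constructions, in which
    40 bits of key material were secret and the rest was sent in the clear. The
    actual SSL derivations differ in detail; the point is that the salt adds no
    entropy, so the attacker's search space stays at 2**40."""
    return secret.to_bytes(5, "big") + clear_salt


def brute_force(ciphertext: bytes, known_plaintext: bytes, clear_salt: bytes,
                key_bits: int = KEY_BITS):
    """Try every secret in 0 .. 2**key_bits - 1 until the ciphertext prefix decrypts
    to the known plaintext. Returns (secret, keys_tried), or (None, keys_tried).

    Caveat: with k secret bits and n known bytes, roughly 2**(k - 8*n) wrong keys
    also match, so a 40-bit search needs at least 6 known bytes (8 is comfortable)
    to identify the key uniquely. HTTP and TLS headers make such bytes easy to guess."""
    n = len(known_plaintext)
    prefix = ciphertext[:n]
    for secret in range(1 << key_bits):
        if rc4_crypt(export_key(secret, clear_salt), prefix) == known_plaintext:
            return secret, secret + 1
    return None, 1 << key_bits


def search_time_days(key_bits: int, keys_per_second: float, machines: int = 1) -> float:
    """Worst-case time to exhaust a key space; the expected time is half of this.
    search_time_days(40, 1e6) reproduces the 2004 figure of just under two weeks."""
    return (1 << key_bits) / (keys_per_second * machines) / 86400.0


def demo(secret_bits: int = 12) -> dict:
    """Encrypt a constructed message under a key with `secret_bits` secret bits
    (kept far below 40 so the pure-Python search finishes in seconds), recover the
    secret by exhaustive search, and extrapolate the measured rate to 40 bits."""
    clear_salt = bytes.fromhex("0badcafe00112233445566")   # 11 public bytes (constructed)
    secret = (1 << secret_bits) * 2 // 3                   # constructed; unknown to the attacker
    message = b"GET / HTTP/1.0\r\nHost: example.test\r\n"  # constructed plaintext
    ciphertext = rc4_crypt(export_key(secret, clear_salt), message)

    start = time.perf_counter()
    found, tried = brute_force(ciphertext, message[:8], clear_salt, key_bits=secret_bits)
    elapsed = time.perf_counter() - start
    rate = tried / elapsed if elapsed > 0 else float("inf")
    return {
        "secret": secret,
        "found": found,
        "keys_tried": tried,
        "keys_per_second": rate,
        "full_40bit_days_on_this_machine": search_time_days(KEY_BITS, rate),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print(f"2^40 keys at 1e6/s: {search_time_days(40, 1e6):.1f} days")
```

The extrapolated figure printed by `demo` is for naive single-threaded Python and is pessimistic by orders of magnitude; a compiled search on one modern core, let alone a GPU or the dedicated hardware mentioned above, is far faster, and the `machines` argument shows why a botnet shrinks the time linearly. The practical checks a practitioner needs are in the comments: the public part of the key contributes nothing to the search cost, and the known-plaintext test must cover enough bytes that a 2^40 search cannot produce a spurious match.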
40-bit encryption was common in software released before 1999, especially software based on the RC2 and RC4 algorithms, which had special "7-day" export review policies, when algorithms with larger key lengths could not legally be exported from the United States without a case-by-case license. "In the early 1990s ... As a general policy, the State Department allowed exports of commercial encryption with 40-bit keys, although some software with DES could be exported to U.S.-controlled subsidiaries and financial institutions." As a result, the "international" versions of web browsers were designed to have an effective key size of 40 bits when using Secure Sockets Layer (SSL) to protect e-commerce. Similar limitations were imposed on other software packages, including early versions of Wired Equivalent Privacy (WEP). In 1992, IBM designed the CDMF algorithm to reduce the strength of 56-bit DES against brute force attack to 40 bits, in order to create exportable DES implementations.
Obsolescence
All ciphers limited to 40-bit or 56-bit keys are obsolete, because they are vulnerable to brute force attacks, and therefore cannot be regarded as secure. As a result, virtually all Web browsers now use keys of at least 128 bits, which are considered strong, and most Web servers will not communicate with a client unless it has 128-bit encryption capability installed. Public/private key pairs used in asymmetric encryption (public key cryptography), at least those based on prime factorization, must be much longer in order to be secure; see key size for more details. As a general rule, modern symmetric encryption algorithms such as AES use key lengths of 128, 192 and 256 bits.
See also
* 56-bit encryption
* Content Scramble System