40-bit encryption

From Wikipedia, the free encyclopedia

40-bit encryption refers to a key size of forty bits, or five bytes, for symmetric encryption; this represents a relatively low level of security. A forty bit length corresponds to a total of 240 possible keys. Although this is a large number in human terms (about a trillion, nearly two hundred times the world's human population), it is possible to break this degree of encryption using a moderate amount computing power in a brute force attack — that is, trying out each possible key in turn.

On a typical home computer, a 40-bit key can be broken in a little under two weeks, testing a million keys per second. Using free time on a large corporate network or a set of zombie computers would reduce the time in proportion to the number of computers available. With dedicated (and rather expensive) hardware, a 40-bit key can be broken in seconds. The Electronic Frontier Foundation's Deep Crack, built by a group of enthusiasts for US$250,000 in 1998 could break a 56-bit Data Encryption Standard (DES) key in days, and would be able to break 40-bit DES encryption in about four seconds.

40-bit encryption was common in software before 1996, when algorithms with larger key lengths could not legally be exported from the United States without a case-by-case license. As a result the "international" versions of web browsers were designed to have an effective key size of 40 bits when using Secure Sockets Layer to protect e-commerce. Similar limitations were imposed on other software packages, including early versions of Wired Equivalent Privacy. In 1992, IBM designed the CDMF algorithm to reduce the strength of DES against brute force attack to 40 bits, in order to create exportable DES implementations. 40-bit encryption is now considered badly outdated, and virtually all browsers now use 128-bit keys, which are considered strong. Some web servers will not communicate with a client that does not implement 128-bit encryption.

It should also be noted that public/private key pairs used in asymmetric encryption must be much longer than 128 bits for security; see key size for more details.

Languages