Archived article from the year 2000
"Your data has a social life too"



How about this for a statistic? Roughly twenty times more people search the Internet for Victoria's Secret than for Secret Services.

Quite right too.

Code breaking by police and intelligence services

Security services in a number of developed countries have computers dedicated to cracking encrypted material sent over the Internet. They don't brag about how fast they can do it, so we have to guess. My latest estimate would be that the American security services need a few seconds for 40 bit encryption, a few minutes for 56 bit, and a few hours for 128 bit.

What's the evidence for this?

Well, there isn't any. Or at least not much. A Swedish team managed to crack 256 bit encryption in around two weeks, with far less computing power than is available to the secret services.

But perhaps the main evidence is that the US security services allowed 56 bit encryption to be released for use outside the US a few years ago, but not 128 bit encryption. From this we can draw the rational conclusion that they could comfortably crack 56 bit at that time, but not 128. Otherwise why would they bother to distinguish between the two?

Computers and techniques have improved over the last few years, and now they're less bothered about tightly controlling 128 bit encryption. It's still controlled, but more loosely. We can assume they're now comfortable cracking 128, and can do it within a useful timescale. Months wouldn't be useful, but a few hours would.

Public challenges to break 56 bit encryption have brought results using lots of ordinary computers in parallel. In 1999, the DES crack challenge successfully broke 56 bit encryption in 22 hours.
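To put the 22-hour figure in scale, here is an added example (not part of the original article) that derives the key-test rate it implies and applies that rate to exhaustive search at the other key lengths mentioned above. It assumes the whole 56-bit keyspace was swept in the 22 hours and that testing one key costs the same for every cipher; all function names are illustrative.

```python
import math
from fractions import Fraction

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Calibration point from the article: 56-bit DES broken in 22 hours (1999).
# Assumption: the full 2**56 keyspace was swept in that time (worst case).
CAL_BITS, CAL_HOURS = 56, 22


def keys_per_second(bits=CAL_BITS, hours=CAL_HOURS):
    """Key-test rate implied by sweeping 2**bits keys in `hours`."""
    return Fraction(2 ** bits, hours * SECONDS_PER_HOUR)


def sweep_seconds(bits, rate):
    """Worst-case seconds to try every key of length `bits` at `rate` keys/s."""
    return Fraction(2 ** bits) / rate


def speedup_needed(bits, target_hours, rate):
    """Factor by which `rate` must grow to sweep `bits` within `target_hours`."""
    return sweep_seconds(bits, rate) / (target_hours * SECONDS_PER_HOUR)


def doublings_needed(bits, target_hours, rate):
    """The same factor as a count of doublings of search speed."""
    return math.log2(float(speedup_needed(bits, target_hours, rate)))


def human(seconds):
    """Render a duration in the largest sensible unit."""
    s = float(seconds)
    for unit, size in (("years", SECONDS_PER_YEAR), ("hours", 3600.0), ("seconds", 1.0)):
        if s >= size:
            return f"{s / size:.3g} {unit}"
    return f"{s:.3g} seconds"


if __name__ == "__main__":
    rate = keys_per_second()
    print(f"implied rate: {float(rate):.3g} keys/s")
    for bits in (40, 56, 128):  # key lengths discussed in the article
        print(f"{bits:>3}-bit: {human(sweep_seconds(bits, rate))}, "
              f"{doublings_needed(bits, CAL_HOURS, rate):+.0f} doublings vs. 22 h target")
```

Each added key bit doubles the work of an exhaustive search, so the gap between 56 and 128 bits is 72 doublings of search speed rather than a factor of about two.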

But the cost of devoting a supercomputer to cracking a message quickly is very high, so it's not something done casually. Unless you're a terrorist, major criminal, spy or possibly a big commercial enterprise in a sensitive area, you're unlikely to have your messages cracked.

Personally, I believe that PGP encryption (a commonly used system) is easily cracked by the security services of most Western countries. I would like to recommend some wonderful French encryption systems, but they seem to have disappeared off the Internet. Strange.

My current recommendation is cryptext, a free 160 bit Australian system, available here, but I think it can be read by the security forces. If you really don't want them to read your files, buy software based on the 448 bit Blowfish system (not available outside the US).

In practice, it's far easier for somebody to install a back door in your computer and read the files direct than it is to crack decent encryption. If you don't want your messages to be read, you have to take many precautions with the computers at both ends.


copyright Foxglove Media Ltd 2001. See disclaimer and republishing guidelines.