
    RE: Security Use Requirements



    At 16:48 07/02/01, Joshua Tseng wrote:
    
    >While we're on the topic of security, my source (Schnieder)
    >indicates that in 1995, it takes 3.5 hrs average to brute-force
    >single DES.  They also estimated that by 2000, the CPU power
    >available would reduce that time to an average of 21 minutes. 
    >On the other hand, with 128-bit keys (and 3DES has 168-bit keys) 
    >would still require on the  10**17 years.
    
            I'm assuming you meant Schneier.  It isn't just time;
    it is both time and capital cost.  You omitted the cost
    portion of the graph (Schneier, 2nd Edition, page 153, table 7.1).
    For 3.5 hours in 1995, the hardware cost was $1E9.  Most folks
    don't have ready access to hardware with that capital cost.
    The book estimates (same page, just above the table) that
    to get to the 3.5 hour mark in 2000, the hardware cost would
    be around $1E6.  There is probably some real data on what the
    EFF DES box cost and its brute-force rate, but this entire
    paragraph is mostly sidebar to the main point that some kind
    of security is needed.
    
    >This attack doesn't need to happen real-time.  All I need is
    >a sniffer, and I could do all the attacks offline.  Once I have
    >the key(s), all your data is mine.
    
            How often does the key change?  How many keys do you 
    have to break brute-force to get the interesting data?  
    How much data can you steal with a given key? 
    
    Good key management practices are an important part of security.  
    
    >Regardless, your point is well taken.  Some encryption is better
    >than nothing--in MOST cases.
    
            Thanks.
    
    Cheers,
    
    Ran
    
    


Last updated: Tue Sep 04 01:05:33 2001