RE: Security Use Requirements

[RJ Atkinson <rja@inet.org>]

At 16:48 07/02/01, Joshua Tseng wrote:

>While we're on the topic of security, my source (Schnieder)
>indicates that in 1995, it takes 3.5 hrs average to brute-force
>single DES.  They also estimated that by 2000, the CPU power
>available would reduce that time to an average of 21 minutes. 
>On the other hand, with 128-bit keys (and 3DES has 168-bit keys) 
>would still require on the  10**17 years.

        I'm assuming you meant Schneier.  It isn't just time;
it is both time and capital cost.  You omitted the cost
portion of the graph (Schneier, 2nd Edition, page 153, table 7.1).
For 3.5 hours in 1995, the hardware cost was $1E9.  Most folks
don't have ready access to hardware with that capital cost.
The book estimates (same page, just above the table) that
to get to the 3.5 hour mark in 2000, the hardware cost would
be around $1E6.  There is probably some real data on what the
EFF DES box cost and its brute-force rate, but this entire
paragraph is mostly sidebar to the main point that some kind
of security is needed.

>This attack doesn't need to happen real-time.  All I need is
>a sniffer, and I could do all the attacks offline.  Once I have
>the key(s), all your data is mine.

        How often does the key change ?  How many keys do you 
have to break brute-force to get the interesting data ?  
How much data can you steal with a given key ? 

Good key management practices are an important part of security.  

>Regardless, your point is well taken.  Some encryption is better
>than nothing--in MOST cases.

        Thanks.

Cheers,

Ran