Please create an account to participate in the Slashdot moderation system


Forgot your password?
This discussion has been archived. No new comments can be posted.

Cracking PGP In the Cloud

Comments Filter:
  • by slim (1652) <john.hartnup@net> on Tuesday November 03, 2009 @06:45AM (#29961650) Homepage

    I was under the impression that crypto like PGP was based on stuff which would (in theory) take millions of years to crack even with every machine on earth dedicated to it?

    Yes, but the search space is significantly lower if you assume an password that's 1-8 latin alphanumeric characters, as this exercise did.

    It's still 122 days on 10 VMs. One tenth of that on 100VMs.

  • by slim (1652) <john.hartnup@net> on Tuesday November 03, 2009 @07:17AM (#29961830) Homepage

    No, they've been approached by a client who's forgotten the password they used. The client's told them they used 1-8 alphanumerics in the password.

    In this case, the mapping to a binary key is irrelevant to the size of the brute forcing task.

  • by psp (7269) on Tuesday November 03, 2009 @07:20AM (#29961842)

    you'd need 28 characters chosen in a true random fashion (think scrabble tiles
    pulled out of a hat) to actually achieve a strength of 128-bit, that matches a
    128-bit crypto or hash algorithm.

    Scrabble tiles would be an exceptionally bad choice.

  • Re:Pointless (Score:3, Insightful)

    by jim.hansson (1181963) on Tuesday November 03, 2009 @07:55AM (#29962004) Homepage
    every hacker worth ther salt [has|knows how to download] precomputed rainbow tables for so easy things, and it does not
  • by frozentier (1542099) on Tuesday November 03, 2009 @08:21AM (#29962136)

    such passwords are OK for low-priority stuff but not, if say, the NSA is after you ;-)

    If the NSA is after you, I would think the strength of your passwords is the least of your worries.

  • by julesh (229690) on Tuesday November 03, 2009 @08:48AM (#29962280)

    I looked at EC2 for raw processing power earlier this year (my company needs to train a lot of neural nets) and it just isn't worth it, unless you only need the power short term. A high-performance EC2 node gives you 8 cores running at (very roughly) the equivalent of a 2GHz P4, and costs $0.68/hr == about $460 per month, which is only a little less than what an equivalent box (probably a 2.83GHz Core 2 Quad or similar) would cost you. Put power to run that box down at about $0.05 per hour and you can build your own local cluster of equivalent performance for around the same amount of money as you'll save in your first month and a half of operation.

  • by Slashdot Parent (995749) on Tuesday November 03, 2009 @11:18AM (#29963676)

    Don't forget other cosets: cooling, system administration, datacenter space, backups, racks, switches, KVMs, UPSs, network administration, maintenance, etc.

    No question EC2 is expensive if you plan on fully-utilizing that hardware. But that's why it's called the Elastic Compute Cloud, not the Static Compute Cloud. If your computational needs are static, EC2 is most definitely the wrong tool for the job.

  • by fbjon (692006) on Tuesday November 03, 2009 @12:29PM (#29964692) Homepage Journal
    Take a look at the rainbow table you described. ASCII and length 256? That's 256^256, i.e. huge. Even if you restrict yourself to a modest subset of 70 characters (easily typable), and no more than 10 characters in length (too short in many cases), you need to store about 2.8 * 10^18 passwords. Just the MD5 hashes for a table like that would take up over 40000 petabyte.
  • Re:Pointless (Score:3, Insightful)

    by Fulcrum of Evil (560260) on Tuesday November 03, 2009 @06:25PM (#29969454)

    In most cases, a 9-char password is some 96 times (number of printable characters) harder than an 8-char password,

    I'd believe 30 -40, but not 96. Most people are going to use letters and a small number of punctuation, and I'd wager that testing half of that will get you 90% of the possible choices. If it's just english words, I'll go with 16 as the multiplier, just given the info content of most english.

The more data I punch in this card, the lighter it becomes, and the lower the mailing cost. -- S. Kelly-Bootle, "The Devil's DP Dictionary"