Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Security

New report reveals vulnerability in security 20

jgalun writes "An article on ScienceDaily reports on building machines, for $60,000, that can break 56bit keys in 10 hours. Anything under 80 bits is vulnerable. Meanwhile, most banks are using 40 bit protection and the US is restricting export of greater than 56 bit encryption software. " This doesn't surprise me that much, remembering the "Deep Crack" machine that conquered DES-II-2.
This discussion has been archived. No new comments can be posted.

New report reveals vulnerability in security

Comments Filter:
  • by gavinhall ( 33 )
    Posted by holobyte:

    A note for you guys at the top:

    This isn't about cracking UNIX passwords. This is about the encryption algorithms used by web browsers for ssl, among tons of other applications encryption has.

    In my opinion, it has ALWAYS been well known that this could be done.

    128 bits isn't even that much, however 4096 (RC5) bit is more than enough security for the general application.

    Anyone who knows security knows that 40-56 bit is just nowhere near enough.

    Not news to me.
  • I'm in the US, and I've worked on contracts with Swiss banks to impliment 128 bit IDEA encryption. (We sell this to other banks too) Getting the permissions to export this was possibal in 1994, five years ago. You can export any encryption from the US, there is just a catch - it needs to go to orginizations that the US goverment trusts.

    I don't know what all banks use of course, and there was 56 bit encryption avaiable to them (regular DES was included in the same model, maybe they use that for speed though IDEA is standard in banking) There seems to be the misconception on /. that it is impossibal to export anything more then 40 bit encryption. That is not true, you just need to get permission, something that common people probably won't get.

  • If the figures in the article are correct, you would need to purchase and utilize about 684,291 30GB hard drives to store every conceivable 8-character-or-less password.

    You'd have to more than double that number in order to fit the encrypted versions in there as well.

    My calculations were very basic and quick, but the end result should be in the right ballpark.

    And of course, where SALTs are used (all Unix systems) or anything that can affect the encrypted output (most systems), you will need to multiply this number by a few orders of magnitude.

    Of course I might be missing something here...
  • http://kedem.cs.duke.edu/CipherFlow/ index.html [duke.edu]
    Looks like no new mathematical things here--just applying SIMD to cryptanalysis. Kewl idea, but no new algorithmic problems.
  • The Electronic Frontier Foundation [eff.org] built custom chips to crack DES by brute force. It took them $250000 and a few months to design the whole thing. I forget how long it took them to crack a DES key, but it wasn't very long.

    They wrote a nice-to-read book about it all. It's online somewhere on replay.com [replay.com]. An excellent read. I'm surprised that UNC guy didn't mention it.

    The scary thing is that $250000 or $60000 is pocket change for the NSA guys. I don't want to know how long it takes them to break DES keys.
  • Since I don't actually know anyone at Slashdot, although I did twice e-mail Rob (once asking if he knew someone I know at Hope College and once asking for contact info for Black Light Media), I really don't think that was it. It could just be they read my submission first. I'm not sure how they handle submissions, but perhaps someone else read your submission (let's say yours was first) and didn't think it was worth posting, but then someone else read mine and that person thought that it was worth posting.

    Don't assume conspiracies, they're almost never true.
  • Think they were trying to prove (the rather obvious notion) that a generic computer used for rendering or other mathematical calculations could be effectively used for cryptanalysis.
    The 'science news' article seems to (as most journals do) completely miss the point. Following the link gets to the goals of the research which, while not particularly novel, is not what was reported.
    I think it's pretty damn obvious that any computer which can crunch numbers can do good cryptanalysis, but I guess there are some people out there who think specialized hardware is the only way to go?
  • Hell, for $10 million dollars, I can bribe someone to give me the information I need. The point is there is no such thing as total security, only relative levels of such. If I throw enough money and processing power at a problem, it's a safe bet it can be solved eventually. But of what value is that encrypted information once it is cracked? If it's time sensitive, is that info still valid? Was it worth the resources consumed to get it? If they want my credit card information that bad, I'd be happy to sell it for the bargain price of a cool million.
  • Yet another reason why I love my 448 bit blowfish. Anyone care to calculate how many of those 60Grand crackers it would take to brute force 448bits in 10 hours? ehehe... not likely.
  • There are a couple of errors in this article. First, export versions of the more popular browsers have 40-bit encryption; domestic versions have 128-bit. Although with this increase in cracking speed, I sort of wonder for how many years even 128-bit encryption will be secure - that's the size the AES hopes to formalize in another 2-3 years. Will the crackers outpace the encryptors?

    Second, it's my understanding that most (if not all) banks now use Triple DES. This gives them an effective key length of over 100 bits; maybe someone can chime in with the _right_ number. Banks are safe for now.
  • Will anyone trust 56 bit keys when a general purpose machine can break them this easily?
  • What's this bs about being able to crack unix passwords?!? Yeah, running the encryption algorithm on a list of common passwords can crack some of them, but thats *old*. And a fast machine isn't going to be able to directly crack them because UNIX uses a large salt value.
  • Many encryption schemes are based on the difficulty of factoring numbers. I suspect a primes lookup table would allow for faster decryption - does anyone know if this method is used by the NSA or others to do bulk decryption of data.

Your own mileage may vary.

Working...