From: Adam Shostack <adam@homeport.org>
To: cypherpunks@toad.com
Message Hash: 57be22e4f69701cb72d49d802b6ff4e81d6da43187d445c5493a06632fc8f116
Message ID: <199509190405.AAA03711@homeport.org>
Reply To: N/A
UTC Datetime: 1995-09-19 04:04:57 UTC
Raw Date: Mon, 18 Sep 95 21:04:57 PDT
Subject: Brute Force and Smart Force

I think it's worth pointing out that instead of taking (arguably) $10,000
worth of computer time to brute force SSL, Goldberg-Wagner's attack exploits a
weakness in the system to spend maybe a few dollars to crack it.

Clever attacks on cryptosystems like this are the bread and butter of
'practical' cryptanalysis. It might take until slightly after the heat death
of the universe to break IDEA or your 2048 bit RSA key, but there exist other
attacks, and they are the ones which will be exploited.

(Also, as Robert Morris pointed out, never underestimate the time, money or
effort your opponent will put into cryptanalysis. Cypherpunks, collectively,
have put a great deal of time, effort, and CPU into proving SSL bogus, and I
don't think anyone here made any money doing it.)

Perhaps we should refocus our efforts on attacking PGP, to see if there are
holes there? (I'm not suggesting there are, but it would be nice to see some
code written to extend Crack to phrases, do some more code review, etc.)

Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume