From: Rich Graves <llurch@networking.stanford.edu>
Date: Sat, 20 Jan 1996 07:07:25 +0800
To: David Golombek <daveg@pakse.mit.edu>
Subject: Re: Single computer breaks 40-bit RC4 in under 8 days
In-Reply-To: <9601190145.AA11333@pakse.mit.edu>
Message-ID: <Pine.ULT.3.91.960118191503.25375E-100000@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


This takes "cracking Netscape security as a new benchmark" to a whole new 
level.

On Thu, 18 Jan 1996, David Golombek wrote:

> MIT Student Uses ICE Graphics Computer
> 
> To Break Netscape Security in Less Than 8 Days

What does this have to do with Netscape? This is about brute-forcing
40-bit RC4.  While Netscape does deserve flogging with a wet noodle down
to the seventh generation for their initial press response, this singling
out Netscape is annoying me a little. 

> While being an active proponent of stronger export encryption, Netscape
> Communications (NSCP), developer of the SSL security protocol, has said that
> to decrypt an Internet session would cost at least $10,000 in computing time.

OK, well, in that case.

> workstations, Doligez averaged 850,000 keys per second.ICE used the
> following formula to determine its $584 cost of computing power: the total
> cost of the computer divided by the number of days in a three-year lifespan
> (1,095), multiplied by the number of days (7.7) it takes to break the code.

This assumes, of however, that collecting encrypted communications,
feeding them to the computer with 100% efficiency, electricity, labor,
etc. are completely free. 

I hope everyone recognizes this as more old news and ICE marketing. In a
fantasy world, the press et al would see this and clamor for the
revocation of ITAR. 

-rich