From: "Bruce M." <brucem@wichita.fn.net>
Date: Wed, 5 Jun 1996 08:24:21 +0800
To: cypherpunks@toad.com
Subject: Cost of brute force decryption
Message-ID: <Pine.BSI.3.91.960604105230.14677A-100000@wichita.fn.net>
MIME-Version: 1.0
Content-Type: text/plain



    Windows NT Magazine ran an article in their May 1996 issue titled 
"Secure Enterprise Email - How Safe is Your Mail System" that goes into 
matters of keeping company email private.  PGP and other means of 
encryption are mentioned along with the following:

	"If you can ensure secrecy either until no one cares about the 
information or so that cracking the code costs more than the information 
is worth, it's 'secure enough.'

	"For example a 40-bit key takes about $10,000 worth of supercomputer 
time and two weeks to crack.  Although this key may be adequate to 
protect my checking account, it's probably not large enough for the 
accounts of a major corporation.

	"A slightly longer key of 56 bits requres millions of dollars to 
crack and should protect the information for years to come.  A 56-bit 
encryption key has 2^56-or 72 quadrillion-possible keys.  With 1,000 
computers, each trying 1,000,000 keys per second, trying them all would 
take 833 days.  On average, you find the key halfway through your search.

    I was curious as to what type of formula was used to determine these 
figures since it wasn't mentioned in the article.  Obviously, the speed 
of the computers, method of cracking and other such factors would be 
important to know.  Could anyone shed some additional light on this for 
me?  Thanks.

                    Bruce M. * brucem@feist.com
        ~---------------------------------------------------~
        "Knowledge enormous makes a god of me." -- John Keats