1996-07-25 - Re: Data Sources for DES Breaking

Header Data

From: mpd@netcom.com (Mike Duvos)
To: adam@homeport.org (Adam Shostack)
Message Hash: 8e52f4a06a4edd9aa517128a63b94e8572c01a2a840c4471dce0b9396dd951aa
Message ID: <199607250244.TAA23196@netcom21.netcom.com>
Reply To: <199607250219.VAA03426@homeport.org>
UTC Datetime: 1996-07-25 05:19:12 UTC
Raw Date: Thu, 25 Jul 1996 13:19:12 +0800

Raw message

From: mpd@netcom.com (Mike Duvos)
Date: Thu, 25 Jul 1996 13:19:12 +0800
To: adam@homeport.org (Adam Shostack)
Subject: Re: Data Sources for DES Breaking
In-Reply-To: <199607250219.VAA03426@homeport.org>
Message-ID: <199607250244.TAA23196@netcom21.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain

Adam Shostack <adam@homeport.org> writes:

 > This did not happen when cypherpunk Hal Finney posted a
 > message and challenge; everyone saw that resources were
 > assembled, and the key was cracked.

I think an effort to crack DES differs somewhat from factoring
RSA moduli or breaking 40 bit SSL in that tempting test data is
not everywhere for the taking. It may therefore be somewhat more
difficult for the typical reader to abstract a "what this means
for my data" scenario from the results of such an effort, and we
should expect at least a small amount of FUD from the American
Banking Association, which will recoil in horror at any
suggestion that what they are currently doing is not secure.

If we were preparing to attack something with a very visible
common application, like Unix Crypt(3), I would agree with you
that everyone would understand and see what was happening, just
as people were easily able to understand the notion of capturing
data during an SSL handshake, and pounding on it with large
numbers of CPU cycles.

 > What I see as more likely than 'did/did not' is the
 > Netscape-style assertion that the computer time used cost N
 > million dollars (Ok, NS claimed the compute cycles were
 > worth $10,000.)

Netscape's attempts at damage control were sorely limited by the
fact that the data used for the crack was captured during the
normal operation of their software.  Had Hal done some sort of
known plaintext attack on 40 bit RC4 outside the context of a
specific widely-used application, it is possible that a lot of
time would have been wasted countering the inevitable "this
doesn't apply to us" arguments from various software vendors,
with the general public understanding none of the terminology
used in the debate.  This would definitely have softened the
media impact of the accomplishment.

 > As such, the analysis needs to be presented in light of the
 > fact that 3des would take 3 times as long to encrypt, and
 > take 2**56 times as many dollars worth of compute power to
 > decrypt.  To put that to scale, if the computer power to
 > break des is one cent, the federal debt (5 trillion)
 > wouldn't get you close to breaking 3des.

Correct.  But breaking a real-life example of single DES would be
a nice rejoinder to those who continue to insist, in the face of
strong grumbling by the cryptographic community, that single DES
is a cipher with many more years of useful life left in it.

If this speeds the adoption of second generation ciphers by major
players in the national infrastructure, then it will have been a
useful exercise.

     Mike Duvos         $    PGP 2.6 Public Key available     $
     mpd@netcom.com     $    via Finger.                      $