Firewalls: Re: CISCO network level encryption & key lengths

Firewalls
(July 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: CISCO network level encryption & key lengths
From:	Adam Shostack <adam @ homeport . org>
Date:	Thu, 11 Jul 1996 23:17:38 -0500 (EST)
To:	ckostick @ ashton . csc . com (Chris Kostick)
Cc:	adam @ homeport . org, firewalls @ greatcircle . com
In-reply-to:	<199607120149 . VAA17727 @ mccoy . ashton . csc . com> from "Chris Kostick" at Jul 11, 96 09:49:31 pm

Chris Kostick wrote:

| > 	Several students cracked the SSL RC4-40 implementation in
| > about 30 hours with borrowed cycles on computers around their schools.
| > SSL uses a slick salting mechanism to make brute force attacks like
| > this more difficult.  However, *any* bad guy worth their salt can
| > steal the compute time to do this in university labs, badly secured
| > companies, etc.
| 
| This is kind of the point I'm driving at. Any bad guy won't do this. The 
| bad guys in question here aren't trying to look at love letters. They want
| to steal some serious information if they're going to the trouble of
| attacking an encryption code. Therefore, I don't think the bad guys would
| risk using other peoples machines to do this. Now, I go back to my original
| statement. The people you have to worry about are the big players; 
| governments and large corporations who have enough assets to try and 'crack'
| a packet overnight. If that is who you consider your primary threat then
| 40-bit keys suck raw eggs. If not, then I still feel the data in transit
| is reasonably secure. Feel free to disagree.

	I see your point, and disagree somewhat.  In the case of SSL
v2, there is substantial known plaintext at the start of a message; as
such, bad guys don't have to expose the sensitive information they
want; they only need to put the start of the message out there, and
mail themselves any keys that seem like hits.

	Bad guys will steal cycles for Crack, they'll steal them for
other attacks.  40 bits is not so pitifully weak as say, rot-13, but
is too weak to protect information of value that you're going to spend
cpu cycles encrypting.  (Incidentally, the way rc4 works, using a 40
bit key takes exactly as long as using a 128 bit key, since all the
keys are permuted into a 256(?) bit key in an initial step.)

	The US government needs to reform its export laws; its own NAS
panel says so.  This is because 40 bit keys are too weak for business
use.

| > because md5 doesn't work easily on the very low end fpga systems that
| > they were using.  The Wagner Goldberg paper is entitled 'Architectural
| > Considerations for Cryptanalytic hardware'
| > http://www.cs.berkeley.edu/~iang/isaac/hardware/
| 
| Thank you for the pointer.
sure.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

References:

Re: CISCO network level encryption & key lengths
From: Chris Kostick <ckostick @ ashton . csc . com>

Indexed By Date	Previous:	Re: Dirty Dogs From: Matthew Keenan <matt @ firstpac . com . au>
Indexed By Date	Next:	[no subject] From: Donald . J . Smith @ cdev . com (Donald J Smith)
Indexed By Thread	Previous:	Re: CISCO network level encryption & key lengths From: Chris Kostick <ckostick @ ashton . csc . com>
Indexed By Thread	Next:	Re: CISCO network level encryption & key lengths From: peter @ baileynm . com (Peter da Silva)