[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Short keys * Options, combinations, and negotiations => simplicity

To: perry@piermont.com
Subject: Re: Short keys * Options, combinations, and negotiations => simplicity
From: Kent Crispin <kent@bywater.songbird.com>
Date: Fri, 11 Oct 1996 15:08:49 -0700 (PDT)
Cc: ipsec@TIS.COM
In-Reply-To: <199610111726.NAA18539@jekyll.piermont.com> from "Perry E. Metzger" at Oct 11, 96 01:26:21 pm
Sender: ipsec-approval@neptune.tis.com

Perry E. Metzger allegedly said:
> Robert Moskowitz writes:
> > At 08:05 PM 10/8/96 -0500, Stephen Kent wrote:
[...]
> 
> All cryptography is economics. The point at which you have enough
> security in a commercial environment is easy to define -- breaking
> your codes must cost more than the information protected is worth.
> 
> According to the paper "Minimal Key Lengths for Symmetric Ciphers to
> Provide Adequate Commercial Security"*, by Blaze, Diffie, Rivest,
> Schneier, Shimomura, Thompson, and Wiener, for an initial investment
> of $10Million, a device may be made which will successfully break DES
> keys in six minutes each, at an amortized price of $38. For an
> investment of $300k, one can break the keys in three hours for the
> same amortized price.
> 
> It is clear that for any corporate secret worth more than $38, DES is
> inadequate. 
> 
> If you think an investment of $10 Million, or even $300k, is
> improbable, think again.
[...]
> In other words, any thought that DES is adequate is simply wrong (no
> disrespect intended to Dr. Kent, who I admire). If your information is
> worth more than $38, its worth more than DES. (By the way, the same
> paper places the cost per crack of a 40 bit key at around eight CENTS,
> with an investment of $400 -- "exportable" crypto isn't worthwhile if
> you expect *any* serious attempt at all).

While I find this analysis fairly persuasive, it does leave out an 
important extra cost -- the cost of isolating a converstion worth 
decrypting.  If "valuable" secrets occur in a small fraction of 
intercepted messages, then the cost of finding the secret goes up 
proportionately.  So, if keys are changed frequently, and *all* 
traffic is encrypted, the situation is dramatically different.  It 
would have to be the case, for example, that the *average* value of a 
message was greater than $38, for a 56-bit key to be ineffective.  If 
99% of the messages had a value of 0, then the cost per *useful* key 
would be closer to $3800...

Of course, one expects a higher percentage of value for messages 
flowing from a bank.  But for incidental, opportunistic encryption 
(as John Gilmore put it), 56 bits may be adequate for a year or two.  

-- 
Kent Crispin				"No reason to get excited",
kent@songbird.com,kc@llnl.gov		the thief he kindly spoke...
PGP fingerprint:   B6 04 CC 30 9E DE CD FE  6A 04 90 BB 26 77 4A 5E

Prev by Date: Re: Short keys * Options, combinations, and negotiations => simplicity
Next by Date: RE: Short keys * Options, combinations, and negotiations => simplicity
Prev by thread: Re: Short keys * Options, combinations, and negotiations => simplicity
Next by thread: RE: Short keys * Options, combinations, and negotiations => simplicity
Index(es):
- Main
- Thread