Re: Short keys * Options, combinations, and negotiations => simplicity
Perry E. Metzger allegedly said:
> Robert Moskowitz writes:
> > At 08:05 PM 10/8/96 -0500, Stephen Kent wrote:
[...]
>
> All cryptography is economics. The point at which you have enough
> security in a commercial environment is easy to define -- breaking
> your codes must cost more than the information protected is worth.
>
> According to the paper "Minimal Key Lengths for Symmetric Ciphers to
> Provide Adequate Commercial Security"*, by Blaze, Diffie, Rivest,
> Schneier, Shimomura, Thompson, and Wiener, for an initial investment
> of $10 Million, a device may be made which will successfully break DES
> keys in six minutes each, at an amortized price of $38. For an
> investment of $300k, one can break the keys in three hours for the
> same amortized price.
>
> It is clear that for any corporate secret worth more than $38, DES is
> inadequate.
>
> If you think an investment of $10 Million, or even $300k, is
> improbable, think again.
[...]
> In other words, any thought that DES is adequate is simply wrong (no
> disrespect intended to Dr. Kent, who I admire). If your information is
> worth more than $38, it's worth more than DES. (By the way, the same
> paper places the cost per crack of a 40 bit key at around eight CENTS,
> with an investment of $400 -- "exportable" crypto isn't worthwhile if
> you expect *any* serious attempt at all).
While I find this analysis fairly persuasive, it does leave out an
important extra cost -- the cost of isolating a conversation worth
decrypting. If "valuable" secrets occur in a small fraction of
intercepted messages, then the cost of finding the secret goes up
proportionately. So, if keys are changed frequently, and *all*
traffic is encrypted, the situation is dramatically different. It
would have to be the case, for example, that the *average* value of a
message was greater than $38, for a 56-bit key to be ineffective. If
99% of the messages had a value of 0, then the cost per *useful* key
would be closer to $3800...
Of course, one expects a higher percentage of value for messages
flowing from a bank. But for incidental, opportunistic encryption
(as John Gilmore put it), 56 bits may be adequate for a year or two.
--
Kent Crispin "No reason to get excited",
kent@songbird.com,kc@llnl.gov the thief he kindly spoke...
PGP fingerprint: B6 04 CC 30 9E DE CD FE 6A 04 90 BB 26 77 4A 5E