[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape security

Mr. Shank - I'm a bit disappointed by your posting about the RC4-40 crack.

>Late Tuesday evening a person from France posted a news article to the
>hacker community claiming success at decrypting a single encrypted message
(You could have used his name, and use of the term "hackers" to the press
tends to be interpreted as a negative...)  Anyway, as to content:

>What this person did is decrypt one encrypted message that used RC4-40 for
>encryption. He used 120 workstations and two parallel supercomputers for 8
>days to do so.
"Two" parallel supercomputers?  You can't really call the Encore Multimax
or the Sequent B8000 a supercomputer - both of them together are slower than
the HP workstation.  The KSR gets closer to supercomputer territory, but
it's only
cracking keys about six times as fast as the faster DEC Alpha (which Damien
only had one of); it increased his horsepower about 20% for two days.

Now, I can see calling a MasPar a "parallel supercomputer"; another effort
at the SSL challenge got the answer about 2 hours before Damien's did,
and used about 4 days of spare time on the MasPar.  Last time I looked,
a MasPar was selling for about $150K, though I don't know how big the one
used on SSL was.  At that price, you could have your own for ~$500/day,
and ripping off $2000 on a credit card isn't tough in today's automated world.
Next year - computer time costs half as much.

Yes, it's still cheaper to get good credit card numbers by scamming carbons
at a mall clothing store or yuppie restaurant, but computer networks let
criminals run their scams wholesale, putting the public at risk both from
organized criminals with their own equipment and any dishonest college
student or office worker who's got a roomful of idle computers to use at night.

Trading off the cost of breaking security vs. the value to be gained is
a good start - lots of people have $2000 of credit limit left on their cards,
and most people have more than $0 left.

> This level of security has been available in the
>U.S. versions of our products since last April. Because of export controls
>it has not been available outside the U.S. We would appreciate your support
>in lobbying the U.S. government to lift the export controls on encryption.
>If you'd like to help us lobby the government send email to
>[email protected]

Thanks for working on this!

                                Bill Stewart

==================== The list of computers ===========================
type                  speed (keys/s)    number     notes
- --------------------------------------------------------
DEC (alpha)           18000-33000        34
DEC (MIPS)            2500-7500          11
SPARC                 2000-13000         57
HP (HPPA/snake)       15000              3
Sony (R3000)          1100-4000          3
Sun 3                 600                2
Sequent B8000         100 x 10           1         (1)
Multimax (NS532)      600 x 14           1         (1)
KSR                   3200 x 64          1         (1) (2)

1.  These are multiprocessor machines
2.  The KSR spent only about 2 days on this computation.

The total average searching speed was about 850000 keys/s,
with a maximum of 1350000 keys/s (1150000 without the KSR).
#                                Thanks;  Bill
# Bill Stewart, Freelance Information Architect, [email protected]
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281

	   "The fat man rocks out
	Hinges fall off Heaven's door
	   "Come on in," says Bill"    Wavy Gravy's haiku for Jerry