[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NSA _likes_ strong crypto?



> Date:          Thu, 15 May 1997 15:07:35 -0400
> To:            [email protected]
> From:          Thomas Porter <[email protected]>
> Subject:       Re: NSA _likes_ strong crypto?
> Reply-to:      Thomas Porter <[email protected]>

> At 09:32 AM 5/15/97 -0700, Bill Frantz thoughtfully expounded thus:
> 
> >
> >During a hall discussion at CFP, I heard that people at NSA are changing
> >their opinions about the use of strong crypto in the general community.
> >The reason is the threat of InfoWar and the need for strong crypto in
> >general use to secure the US information infrastructure.
> 
> 
> I realize I may catch it for my numerical ignorance here, but a more
> paranoid type might think that any acquiescence on the part of NSA might be
> due to more relative ease of breaking important traffic than they might
> have possessed in the past.
> 
> Does any one on the list have any ideas on what the Intel mega-pentium
> parallel  processor (touted for nuclear explosion and weather simulations a
> few months back, and noticeably missing any mention of NSA application)
> does to the time estimates for cracking "strong" crypto keys?  I am being
> purposefully vague in my definitions of strong crypto, but I would present
> as my test cases PGP ascii-armor traffic of 2048 key length or plain files
> encrypted with pgp -c option; ie. typical crypto-criminal/narco-terrorist
> fodder.
> 
> How does this strength of encryption compare to whatever might be used to
> "secure the nation's info infrastructure" [Netscape 40 bit!!??] regarding
> cracking time?  Clearly less, but how much less on this type of specialized
> parallel processor?  To put it another way, any swags on how long it would
> take this pentium parallel processor to crack the current DES56 challenge?
> 
> Inquiring (and ignorant) minds want to know,
> 
> Tom Porter                                       [email protected]

1. You must assume that any well-heeled opponent will have built a 
Wiener engine, so the time to brute a DES key can be measured in 
hours, rather than days. A ciphertext-only attack is only a little
harder than a known-plaintext attack.

But that doesn't stop us from doing the calculation anyway.

The fastest DES cracker I'm aware of (Bryddes) currently claims 
615,000 keys/sec on a Pentium 120.

The sandia machine is acheiving 1.06 Tflops with 7264 processors.
The processors are 200 MHz Pentium Pros. (The Mflop rate is lower 
than the MHz rate). They plan to have 9200 of them when it's 
finished.

615k * 200/120 = 1.025Mkps
(it'll actually be a bit higher on a Pro)

1.025M * 9200 = 9.430Gkps

(2^56 = 7.2E16)/9.43E9 = 7.6 Msec

= 88.44 days

Thats a conservative, upper limit, not a SWAG.

Speeds would be much higher on a 64 bit machine. I'm very curious to
see how bitslice DES would run on an MMX Pentium, which has some
64 bit registers.

40 bit encryption is a bad joke = it would take about 2 min on this 
machine for 40 bit DES

Peter Trei
[email protected]




 

Peter Trei
Senior Software Engineer
Purveyor Development Team                                
Process Software Corporation
http://www.process.com
[email protected]