[1132] in cryptography@c2.net mail archive

Re: Better DES challenge update

daemon@ATHENA.MIT.EDU (C Matthew Curtin)
Tue Jul 1 14:49:24 1997

Date: Sun, 29 Jun 1997 23:16:20 -0400 (EDT)
From: C Matthew Curtin <cmcurtin@research.megasoft.com>
To: Matt Blaze <mab@crypto.com>
Cc: Eli Brandt <eli@gs160.sp.cs.cmu.edu>, cryptography@c2.net
In-Reply-To: <199706292244.SAA03650@crypto.com>
Reply-To: cmcurtin@research.megasoft.com

>>>>> "Matt" == Matt Blaze <mab@crypto.com> writes:

Eli> This is a solution to the second problem, right?  From the response
Eli> to DESCHALL's success, the first seems more pressing.  The general
Eli> response I saw was "three months and *how* many computers?". 

Matt> Agreed.  The first problem is more serious.

This is probably agreed all around.

In retrospect, the mistake that we made in our press is that we didn't
give any estimates on how quickly we could have accomplished the same
thing with a modest investment in FPGA or ASIC equipment directly in
the press release in order to demonstrate the magnitude of the
problem.  (Oops. Sorry.)

All of us know that some anonymous and other "experts" have downplayed
the risks involved (usually falling back to such lame things as the
use of dynamic session keys and -- even worse -- the practical
impossibility of having 14,000 PCs on a financial network that could
be dedicated to cracking keys... duh).  But not all of the press has
been that bad.

Some of the press has dug deeper into the issue.  MSNBC, for example,
has a much better article than most at
http://www.msnbc.com/news/82211.asp?NewGuid=  The article actually
starts to ask the questions about how much work it would take to do
brute-force attacks against DES for illicit purposes.

Also, the coverage that we did get was enough to get me on the air
with G. Gordon Liddy's radio show.  I was interrupted before I could
get to the really scary numbers (how fast ASIC-based machines could do
it with a few hundred million to blow), but I was able to get the
point across that the job could be done in minutes or seconds
depending on the attacker.

Eli> Okay, so maybe I'm getting a bit ahead of myself.  How much design
Eli> work would have to be done first?

Matt> Frankly, I don't understand why someone hasn't done this
Matt> already.

I'm going to take a wild guess and say that it's probably a
combination of a lack of desire to put that much money up front, and a
relatively small amount of FPGA expertise available, as compared to
general purpose computer software developers.

You're right, of course, in that the cost of FPGA is getting low
enough that we just might start seeing these things soon.  

But, even at your $50,000 figure, that's still $40,000 more than what
was being offered by RSADSI.  And how many folks would have a use for
it once they got bored with searching for keys?  How many have enough
of a use to justify to management a $40k expenditure?  Maybe one could
crack^H^H^H^H^H recover keys commercially for a brief while, long
enough to pay the machine off?

-- 
Matt Curtin  Chief Scientist Megasoft Online  cmcurtin@research.megasoft.com
http://www.research.megasoft.com/people/cmcurtin/    I speak only for myself
Pull AGIS.NET's plug!  DES has fallen! http://www.frii.com/~rcv/deschall.htm