Banc of America Article

This is practical against, say, DES, with its 56-bit keys. In fact,
it's been done; see
for an example. But the fact that DES is insecure has been known for
years; it doesn't take a worm to underscore that point. Let's look at
AES or 3DES instead.

Suppose there are 1,000,000,000 infected hosts. Let's further assume
that each one can check a single key in .1 nanoseconds. (That's a gross
exaggeration, I might add, for a general-purpose machine -- and we're
not talking about 1,000,000,000 NSA code-crackers being infected.)

AES uses 128-bit keys; there are therefore 340282366920938463463374607431768211456
possibilities. Call it 3*10^38. Divide that by 10^9 hosts, and 10^10
tries per second per host. That gives us 3*10^19 tries per second.
There are ~10^5 seconds/day, and 3*10^2 seconds/year, meaning that it
would take 10^12 years for this scenario.

3DES? Well, 3DES may be using 112-bit keys, so we can cut the time by
2^16. Call that 10^5 -- so we'll only have to wait 10^7 years for a
single result....

Yes, with enough CPU and enough time, it's possible to crack modern
ciphers by brute force. But "enough" is quite a large number.

    --Steve Bellovin, (me) (2nd edition of "Firewalls" book)

Just like the insider TCI theft ring at , the easy way out is just to
skip all that and get access to a leased line from the inside - I'll bet
many financial transactions over a private line aren't even encrypted.
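
The brute-force estimate in the quoted message, carried through in exact arithmetic as an added example (not part of the original post). It uses the post's assumed 10^9 hosts at one key per 0.1 ns each; the function names and the 365-day year are choices made here, and it goes one step further than the post by computing the largest keyspace that rate could exhaust in a given number of years.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000 (assumed 365-day year)

# Assumptions taken from the post: 10^9 infected hosts, each testing one key
# every 0.1 ns, i.e. 10^10 keys per second per host.
HOSTS = 10**9
KEYS_PER_SEC_PER_HOST = 10**10


def aggregate_rate(hosts=HOSTS, per_host=KEYS_PER_SEC_PER_HOST):
    """Keys tested per second by the whole population of hosts."""
    return hosts * per_host


def worst_case_seconds(key_bits, rate=None):
    """Seconds needed to try every key of the given size (exact rational)."""
    rate = aggregate_rate() if rate is None else rate
    return Fraction(2**key_bits, rate)


def worst_case_years(key_bits, rate=None):
    return float(worst_case_seconds(key_bits, rate) / SECONDS_PER_YEAR)


def expected_years(key_bits, rate=None):
    """On average the key turns up after half the keyspace is searched."""
    return worst_case_years(key_bits, rate) / 2


def max_bits_in(years, rate=None):
    """Largest key size whose full keyspace fits in `years` (an integer)."""
    rate = aggregate_rate() if rate is None else rate
    budget = rate * SECONDS_PER_YEAR * years  # total keys that can be tried
    return budget.bit_length() - 1            # floor(log2(budget))


if __name__ == "__main__":
    for name, bits in [("DES", 56), ("3DES (112-bit)", 112), ("AES-128", 128)]:
        print(f"{name:15s} worst case {worst_case_years(bits):.3g} years, "
              f"expected {expected_years(bits):.3g} years")
    print("keyspace exhaustible in one year:", max_bits_in(1), "bits")
```
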