From: Charles Sprickman [mailto:spork@inch.com]
Sent: Tuesday, July 31, 2001 9:41 AM
6) Finding a unix ssh that supports 3DES and DES.
I curse those OpenSSH folks for making me have to trudge
through the code
to find out how to get DES working...
6a) Finding a release on CCO that supports 3DES.
You are probably aware, but EFF published the DES crack. I understand that
it is now an issue of cracking DES in less than 12 hours. 3DES is better
but it only amounts to DES with a 128-bit key.
Definitely a limited shelf-live.
> From: Charles Sprickman [mailto:spork@inch.com]
> Sent: Tuesday, July 31, 2001 9:41 AM
> 6) Finding a unix ssh that supports 3DES and DES.
>
> I curse those OpenSSH folks for making me have to trudge
> through the code
> to find out how to get DES working...
>
> 6a) Finding a release on CCO that supports 3DES.
You are probably aware, but EFF published the DES crack. I understand that
it is now an issue of cracking DES in less than 12 hours. 3DES is better
but it only amounts to DES with a 128-bit key.
Definitely a limited shelf-live.
I don't see why we even need to discuss some of these issues to this length.
Telnet = Bad = Plain Text
SSH = Better = Some Sort of Encryption (A Decoder Ring is Still better than
plain text)
Actually, 3DES has a 112 bit effective key. However, although that's only
double the key length, the *difficulty* is a bit more than twice as much.
Assuming a brute-force of a 56-bit key in 12 hours, then a 112 bit key
will take (given the same resources) 2**56 * 12 hours, which is about
864,691,128,455,135,232 hours which works out to 98,709,032,928,668 years,
which is about 4,000 times the current estimated age of the universe.
This analysis of course assumes that the EFF crack is a brute-force,
and not a result of differential cryptanalysis or exploitation of a
flaw in the DES S-boxes or similar. Schneier's 'Applied Cryptography'
lists an attack that's around 2**47 rather than 2**56, assuming you can
get the victim to encrypt several gigabytes of text of your choosing with
his key....
2^128/2^56 * 12hrs = 6.46 * 10^18 years
I take it that you plan on living a lot longer then I do?
You are forgetting about the people
who build hardware just to crack this.
I think the important thing here is
to use good security practices when connecting
to your routers/equipment. The second thing
that is even *more* important is insuring that
your vendor makes it easy to access images
that can use secure connection methods.
- Jared
You are forgetting about the people
who build hardware just to crack this.
No, not really. for each bit of length you add to the key, you double either
the (average) time or the amount of hardware needed to crack it. as the pool
of hardware gets larger, the storage, communications and power requirements
grow in proportion - rapidly leaving only the time component to increase.
assuming you could build a machine 256 times the parallel processing power
of the des cracker, that still only shaves 8 bits off the keylength - and of
course the 56bit cracking machine was only capable of testing 56 bit keys -
so a larger gate array design would be needed further increasing the number
of chips or power of chips needed per parellel testing unit. I am sure if
the NSA had built a city the size of new york as one big computer, with
power stations and staff, just so they can crack *a* key within the lifetime
of its user, someone would have noticed...