Slashdot Mirror

← Back to Stories (view on slashdot.org)

The First Step to Cypherspace?

Posted by Hemos on from the fun-with-machinery dept.

bughunter writes "Need to encrypt/decrypt your net traffic at up to 6.7 Gigabits per second? Using an ASIC instantiation of DES, pipeline archetecture, and single-cycle key/mode switching, Sandia National Labs has got the hardware you need. They say that this device can actually support almost 10 Gbps, but they haven't tried to run it that fast? and if you used parallel ASICs, you could get to 1 Tbps. And since it's an ASIC, any encryption scheme could be used. Anyone else see where this could lead? " Drool.

8 of 68 comments (clear)

  1. Re:So what. We still don't have PKI by Sangui5 · · Score: 2

    Well, use a nice 1024-bit RSA system to give the other party your DES keys for a start. And if you are worried about a middleman attack, then just arrange to hand off the keys IRL on a floppy.

    But you have to be pretty parinoid to worry about a middleman attack over the internet. If nothing else because it is so decentrilized that guaranteeing interception would be a pain.

  2. Speed of en/decoding is not a problem... by Kaa · · Score: 4

    ...getting people to use encryption routinely is.

    It's not like people don't use encryption because it is too slow. People don't use encryption because

    (1) Both parties must use encryption. If you'd like your e-mail to be encrypted, but your grandma/girlfriend/business partner think you are silly, what do you do? You use plain-text e-mail.

    (2) It's a hassle to set up and use

    (3) People underestimate how easy it is to read other people's e-mail and tend to forget basic stuff such as the fact that your employer *owns* all e-mail on your office computer and has (or could easily have) a log of all the sites on the Web you've visited.

    (4) People do believe in security through obscurity: "There is nothing in my e-mail/browsing/ftping that is of interest to anybody".

    I can go on and on... Really, I don't think that increasing the speed of encryption will help any of the current problems crypto is having. And I don't know why they picked DES to implement into the ASIC -- nowadays DES is pretty useless.

    Kaa

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  3. Yeah, but it's DES.. by Nelson+Minar · · Score: 2

    ..and DES is not reasonable security. If anything, this product makes DES less secure.

    Fast encryption is nice. But the real way to advance cypherspace is first through software implementations like IPSEC. Optimize with dedicated hardware later.

  4. it leads down the road to hell by Ender_Stonebender · · Score: 3

    Dedicated encryption hardware. People are going to want this type of thing in lots of hardware. It'll be implement as an ASIC that will divulge a public key to anyone. The U.S. government is not going to like that, because they want it to be nice and easy for their (thought) police to spy on their citizens. So before anything like this goes into mass production, the government will insist that their be a code to get the thing to spit out its private key, and the government will be able to decode our data.

    Paranoia? Certainly. Is it justified? Given what the U.S. government has been like lately, it might be. Time will tell.

    Let's stick to software encryption. You can write your own, which makes it really hard for the government to screw with it.

    -Ender

    --
    Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
  5. Ahem. by joshua@memepool.com · · Score: 2

    ASIC != FPGA. It couldn't run other algorithms.

    An ASIC is typically automatically design and premanufactured based on building-block design; they are not reconfigurable. An FPGA is undifferentiated logic that loads the configuration and interconnections (and thus the logic that it runs) at power-up.

  6. I see where this leads by anticypher · · Score: 2

    IPSEC encryption is starting to take off in a big way in the networking world. Every corporation is looking at getting many Virtual Private Networks set up using IPSEC, and the router manufacturers are taking notice.

    With chips like these, the price for doing dozens or thousands of IPSEC tunnels from a single router gets pretty cheap. So every company starts setting them up next to their firewalls, and every employee working from home over their cable modem gets a nice secure and authenticated connection into the company network.

    Soon, 30% or more of all internet traffic is encrypted, and the intelligence agencies have to go back to intercepting the communications at the point where there is no encryption. So they have to focus attention on the criminals and terrorists, and stop throwing out wide dragnets like they are now. The end effect is that people will have more protection from fascist government agencies.

    The arguments about whether DES is strong enough if it can be broken in 22 hours are kind of stupid. Sure DES can be broken, but if you are using Diffie-Hellman key exchange then your keys are cycled every 8 hours. And if millions of users are using DES, it becomes very difficult to target specific communications with packet captures or taps, and the resources to break a stream make it unlikely the script kiddies will bother.

    This ASIC design is just a research project, the VHDL code should make it into commercial products soon enough, and I don't see why it wouldn't support 3DES at that point.

    So yes, products like this will make encryption more widespread. Slashdot readers already know all the pros and cons of that whole debate, and will probably agree this will be a good thing in the long run.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  7. Key exchange helps a little by anticypher · · Score: 2

    Ooops, I meant that the IPSEC implementation mentioned in RFCs 2401-2412 sets the standard DH key exchange time to 8 hours, easily changeable during the key exchange handshake, shortest time wins.

    Creating a new key every few hours means that only a small amount of your data is compromised when someone cracks your key, not the entire amount of data captured over a period of months or years. The more valuable your data, the more often you want to create new keys if you think you will be the target of a serious cryptanalysis effort. The downside is that DH key exchange is very CPU intensive, so re-keying ever few minutes is probably not a good idea.

    And if you expect bad individuals to be capturing your valuable data for later analysis, and that data can hurt you, then you probably can afford to protect it with more crypto than off the shelf simple DES IPSEC. 3DES is also an option in IPSEC, so pay the extra for vendors who support it, just dont expect the exact same throughput for the price.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  8. So What? This is nothing really new... by signe · · Score: 2

    We've had boxes like this for some time. Hardware black boxes that encrypt/decrypt traffic. Sure, maybe they don't run at 10 Gbps, but speed increases are a matter of course these days.

    Let's keep in mind that this is not a public key system. Sandia's hardware is designed for creating encrypted network connections, using either virtual or physical pipes. (We were going to install similar hardware at one of my previous employers to encrypt 2 connections: one a direct wire to another site, and one a virtual pipe over the Internet to a third site).

    Great, we can encrypt faster. But this doesn't really get us anywhere towards using encryption globally on a daily basis in emails, messaging, etc. We still need a good PKI for something along those lines and I just haven't seen anything that qualifies yet.

    ---

    --
    "The details of my life are quite inconsequential..."