Slashdot Mirror


Shamir reveals more about optical 512-bit cracker

MattJ writes "The AP reports that Shamir (the 'S' in RSA) has revealed more details of his optical 512-bit cracking machine, TWINKLE, at a cryptography conference." It's a pretty darn cool machine, and at only 2 million dollars, it'll be a bargain *grin*!

10 of 55 comments

  1. Re:Ok, I'm worried... by Anonymous Coward · · Score: 2
    Okay, some clarification's needed on this issue, since a lot of people tend to (quite understandably) get it wrong.

    Most encrypted communication on the net, and virtually all that's automatically negotiated (e.g. the SSL encryption spec your browser uses) consists of both a private and a public key section. RSA is the usual choice for the public key. That key is 512 bits long in your average export-crippled browser. The RSA key -- which is strong and has the public-key exchangeability benefit, is also computationally extremely slow -- RSA is slow, that's just how it is. So rather than encrypting the whole communication with RSA, RSA is used to encrypt another key, that being the secret key for the faster block cipher, typically IDEA, RC5, 3DES or (gods forbid) single-DES. The block ciphers generally use smaller keys because the computation involved in breaking a 128 bit IDEA or DES key is in the general neighborhood of breaking a 1024 bit RSA key; different algorithms, different relative strengths.

    So, to summarize, your 56-bit browser crypto is referring to the private-key portion (rc5-56 and des-56). Your RSA is probably using 512-bit public keys; your browser should be able to tell you when you make an SSL connect if you want to check. So don't feel _quite_ so bad, but still, ditch the crippled browser. 56-bit secret-key crypto is too weak for any serious use, and 512-bit RSA, as Mr. S demonstrated, is now likewise.

    I expect it's been posted elsewhere, but Navigator/Communicator 4.0x and earlier could be patched easily with a copy of sed(1). 4.5 and later probably could but I haven't worked out how; use Fortify for them; it's effective and easy to use.

  2. The info was posted before... by Bananenrepublik · · Score: 2

    man, am I good at remembering past stories:
    The description of the original device has been posted here (slashdot discussion: here).
    an analysis of the device by the RSA Labs has been posted here (related slashdot posting).

  3. Re:Asymmetric vs. Symmetric & I'm not worried... by um...+Lucas · · Score: 2

    Quick! Run, don't walk, and find yourself a copy of Applied Cryptography!!!

    Read read read read it! Right before bed every night, and right when you wake up in the morning. Peruse the web in search of information (searches for terms like PGP, RSA, Diffie, Public Key, Key Server, Cryptography, Cryptanalysis, security, privacy and other related terms will probably yield some more helpful info...)

    Counterpane is probably one of the best places to start. Read the white papers there. Subscribe to the newsletter. Check out the links. You might want to check out RSA as well. They've got a bunch of FAQs on their website, most of which will answer your questions. You may also want to check out PGP (that link's only if you're not a business...). The PDF manual has a lot of info as to how the product works. Verisign will probably have some more information... I haven't been there recently, but I'm sure you can unearth something...

    Anyone else want to pile on some more resources for this guy (or girl)?

    (That was still a lot less typing than answering all those questions, and will probably supply better information than I could type in an hour...)

  4. do a little research then by rillian · · Score: 3

    ... if for no other reason than a lack of information.

    A paper from the first announcement of this back in May is available in a couple of places (zipped eps and postscript), as well as an analysis by RSA. see also the RISKS posting.

    If you meant just that the design is untried, I suppose this won't convince you, though optical computers of this sort have been built (on a much smaller scale) before. Anyway, we have this thing called "engineering" for figuring out if something's going to work or not. :)

    I don't see any new information on the web. Can someone from the conference let us know what progress has been made on the design front?

  5. Hmmm... color me skeptical... by Sun+Tzu · · Score: 2

    ... if for no other reason than a lack of information. With nothing even similar having been built, how can they have such confidence that there won't be major performance-limiting issues with the actual implementation? Just because it works in theory doesn't mean it will work at the anticipated speed until they actually build it -- so they can't possibly know that it is faster than current devices.

    1. Re:Hmmm... color me skeptical... by Roundeye · · Score: 2

      The only trick is that analog computing methods (which are what you're describing) have been tried many times to solve difficult problems (NP-hard, hard optimization). While they allow, as in this case, great increases in parallelism, the answer becomes harder to discriminate. With NP-hard problems it is often the case that the answer can actually be known to be found (at least with a high degree of probability) in the "machine", it just takes exponentially more effort to retrieve it as the size of the problem instance increases.

      This happened with Adleman's (the "A" in RSA) "genetic computer" -- it took exponentially more effort to extract the problem solution as the size of the problem increased (well, that and it took exponentially more slush to compute the answer).

      Lacking any details on how the system works I would assume parallelism is key, as well as a speed-up due to being optical. But if I remember correctly, breaking RSA is equivalent to finding the primes in the key. So, this is essentially a factoring machine as well. While factoring is not known to be NP-hard, it is "pretty damned hard" in a colloquial sense, and one doesn't tend to get something for nothing where complexity theory is concerned. I'm sure that whatever he has done, while presumably incredible, it has similar exponential slowdown as the key length is increased.

      btw, whatever happened to the pundits a couple of years ago who said that a 512-bit key would last for 20 years? The technology hasn't sped up that much (i.e., we are still keeping check with Moore's Law), but the methods have... I'd be interested to see an adaptation of Moore's Law for *actual* gains in key cracking (for something like RSA where there are known values), as opposed to the bullshit projections which depend only on processor speed.

      --
      "Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
  6. 56 bits keys aren't for RSA by tap · · Score: 2

    The 40 or 56 bit keys that some browsers use are for non-public key ciphers like RC4, RC5, DES, etc. Those are the things distributed.net is cracking. The 512, 1024 bit keys are for the RSA public key cipher. It's a totally different algorithm, and comparing a 512 bit RSA key to a 56 bit RC5 key and saying "that 56 bit key must suck" just doesn't make sense. The key sizes aren't comparable. Cracking the 56-bit DES challenge took a few days last time; cracking a 56-bit RSA key could be done by hand in that time.
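The structure the first comment describes (RSA wrapping a short secret key, the bulk data under a fast symmetric cipher), Roundeye's point that breaking RSA means finding the two primes of the modulus, and comment 6's claim that a 56-bit RSA key is trivially factorable, as one added example. This is written for this page; it is not code from the thread, from Shamir's TWINKLE design, or from any browser. Assumptions: textbook RSA with no padding; a SHA-256 counter-mode keystream stands in for IDEA/3DES because the Python standard library has no block cipher; the modulus is 60 bits rather than 512 so Pollard's rho (a toy method; real 512-bit factorizations use sieving, which is the stage TWINKLE was designed to accelerate) finishes in well under a second; the plaintext is a constructed sample.

```python
"""Hybrid RSA + symmetric encryption on a toy modulus, then the factoring attack.
Added example for this page (not code from the thread or TWINKLE). Assumptions:
textbook RSA without padding, a SHA-256 counter-mode keystream in place of
IDEA/3DES, a 60-bit modulus so Pollard's rho factors it quickly; Python 3.8+."""
import hashlib
import math
import random

# Bases 2..37 make Miller-Rabin deterministic for all n < 3.3e24, far beyond this toy.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand

def rsa_keygen(modulus_bits, rng):
    """Return ((n, e), (n, d)); textbook RSA with e = 65537."""
    e = 65537
    while True:
        p, q = random_prime(modulus_bits // 2, rng), random_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_wrap(session_key, pub):
    """Public-key step: RSA encrypts only the short session key, never the bulk data."""
    n, e = pub
    if not 0 < session_key < n:
        raise ValueError("session key must be smaller than the modulus")
    return pow(session_key, e, n)

def rsa_unwrap(wrapped, priv):
    n, d = priv
    return pow(wrapped, d, n)

def keystream_xor(session_key, data):
    """Symmetric step: XOR with SHA-256(key || counter); applying it twice decrypts."""
    key = session_key.to_bytes(16, "big")
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def pollard_rho(n, rng=random):
    """Return a non-trivial factor of odd composite n (Floyd cycle-finding)."""
    while True:
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n: this (c, x0) pair failed, retry with another
            return d

def recover_private_key(pub, rng=random):
    """Breaking RSA is finding the two primes of n: with p and q, d follows."""
    n, e = pub
    p = pollard_rho(n, rng)
    return n, pow(e, -1, (p - 1) * (n // p - 1))

def demo(seed=1999, modulus_bits=60):
    """Run the hybrid scheme, then the attack; returns (receiver_pt, attacker_pt)."""
    rng = random.Random(seed)
    pub, priv = rsa_keygen(modulus_bits, rng)
    session_key = rng.getrandbits(56)  # the browser's 56-bit secret key
    msg = b"constructed sample plaintext: bulk data goes under the symmetric cipher"
    wrapped = rsa_wrap(session_key, pub)
    ciphertext = keystream_xor(session_key, msg)
    receiver_pt = keystream_xor(rsa_unwrap(wrapped, priv), ciphertext)
    # The attacker sees only pub, wrapped and ciphertext; factoring n yields d.
    attacker_pt = keystream_xor(rsa_unwrap(wrapped, recover_private_key(pub, rng)), ciphertext)
    return receiver_pt, attacker_pt
```

Running `demo()` shows both halves of the thread's argument at once: the RSA operation touches only the 56-bit session key (so the symmetric key size and the modulus size are separate knobs, as comment 6 says), and once the modulus is factored the attacker unwraps that key and reads every message protected under the key pair, which is why a factorable modulus makes the symmetric key size irrelevant. Raising `modulus_bits` makes Pollard's rho slow down roughly as the fourth root of n; the 512-bit case the story is about is far beyond it and needs the sieving methods the device targets.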

  7. Re:There's no need to be skeptical! by um...+Lucas · · Score: 2

    It can speed up the process, but so long as it's using a brute force attack, it's possible to up the keysize to gain a reasonable amount of security.

    I don't know how long 1024 bit RSA will stand... Which is partially why I use a 4096-bit key. Why should I want to generate new keys 20 years from now and worry that all my old "secure" communications are now visible to prying eyes?

    Processors have grown to the point where they can handle larger key sizes with not much inconvenience, I simply don't see a reason to use smaller keys, when they only delay the inevitable... Yes, it may be overkill these days, but I'm sure at one point people thought that 384 bits was safe, and 512 bits were overkill...

  8. Not relevant by anticypher · · Score: 3

    Yes, there were many different architectures of computers back in the 70's. Some were 36 bit (DEC PDP-10), some were 72 bit (Burroughs something), and others had "really big words" of 128 bits. There was no standard, just whatever the engineers decided was big enough.

    Intel and others are just now getting to true 64 bit architecture because they are sticking it all on one chip. That doesn't mean the government had 64 bit chips 30 years ago. They just bought whatever the computer manufacturers made at the time, and I'm sure some of them internally had 64+ bits of bus width or accumulator space.

    The U.S. government classified Teflon (PTFE) during the war, because it was used to line pipes in uranium extraction equipment. But a French chemist discovered the same thing in 1957, and took out a patent on it, then sold the patent to a frying pan company so they could make non-stick pans. A few years later the U.S. government discovered what was going on when the pans started showing up in department stores and went apeshit.

    They made one attempt asking the French government to classify the substance before they realised it was a hopeless cause. The French like to recall this story every time the U.S. tries to get Europeans to do things the 'Merkin way. It's the same for encryption.

    If Shamir is touting this design, I think it is more to scare people into believing short keys are soon to be crackable, and this will get them to demand much longer keys. The design is very "blue sky", with all the emphasis on optical computing on a very large scale. But if OC takes off in the next few years, then any university with an OC lab could produce a machine like this as a student group project. Then all the short key length RSA protected systems are at risk. Shamir is just trying to bump the key length up to something reasonable for the next decade or so.

    my .02 euros,
    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  9. Asymmetric vs. Symmetric & I'm not worried... by um...+Lucas · · Score: 2

    I really wish that articles that get displayed in the mainstream press such as this, would take the paragraph or two to remind people of the difference between the different types of encryption.

    And if I got it straight, it implied that the machine could break a key in *two days*... So, given MS Excel's limitations, and me not wanting to attempt to type in exponents, it would seem to me that a 546 bit RSA key would be breakable within only 94,136,269.5 years... YIKES... I'm scared.

    But then, for only ;) $3,435,973,837 dollars, you could get it back to the 2 day range. And that's only 546 bits... who's using that?!? So everyone is using 1024 bit encryption, we can feel safe to say that until the day arrives where the Fed decides to up our taxes to the 99.9999% range, we're safe...

    Even then, it'd be several millennia before they acquired the wealth needed to be able to purchase enough of these machines to do the job... And they'd probably fill up all of Rhode Island!

    Just because this machine has the possibility of rendering 512 bit RSA keys obsolete, it in no way endangers the 128 bit encryption of web browsers/servers (So long as they initiate the key exchange with "at least" 768 bits...)

    However, I still don't understand why anyone would use weaker encryption than the strongest available. Such as, recommending 2048-bit PGP keys rather than 4096 bits? If you're taking the time to encrypt your data, surely you can spare a few extra minutes a day to be sure that your data will be safe for an extra 20 years (and that 20 year figure is quite generous!)... Instead, I always see people go "Oh, 512 bits is breakable? Time to change my key to 1024 bits"... Computers are powerful enough these days where you shouldn't need to settle for less than the strongest available.

    It seems ludicrous to encrypt data with weaker encryption, most of the time, and stronger encryption only when it's sensitive information. Just by doing that, you're flagging that information as the data that's actually important.